Essential Coding Theory

Venkatesan Guruswami Atri Rudra1 Madhu Sudan

January 31, 2022

1
Department of Computer Science and Engineering, University at Buffalo, SUNY. Work supported by
NSF CAREER grant CCF-0844796.
2
Foreword

This book is based on lecture notes from coding theory courses taught by Venkatesan Gu-
ruswami at University at Washington and CMU; by Atri Rudra at University at Buffalo, SUNY
and by Madhu Sudan at Harvard and MIT.
This version is dated January 31, 2022. For the latest version, please go to

http://www.cse.buffalo.edu/faculty/atri/courses/coding-theory/book/

The material in this book is supported in part by the National Science Foundation under CA-
REER grant CCF-0844796. Any opinions, findings and conclusions or recomendations expressed
in this material are those of the author(s) and do not necessarily reflect the views of the National
Science Foundation (NSF).

©Venkatesan Guruswami, Atri Rudra, Madhu Sudan, 2019.

This work is licensed under the Creative Commons Attribution-NonCommercial-
NoDerivs 3.0 Unported License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/ or send a letter to Creative Commons, 444
Castro Street, Suite 900, Mountain View, California, 94041, USA.

3
4
Contents

I The Basics 17
1 The Fundamental Question 19
1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
1.2 Some definitions and codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
1.3 Error correction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
1.4 Distance of a code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
1.5 Hamming Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
1.6 Hamming Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
1.7 Generalized Hamming Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
1.8 Family of codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
1.9 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
1.10 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

2 A Look at Some Nicely Behaved Codes: Linear Codes 43

2.1 Groups and Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
2.2 Vector Spaces and Linear Subspaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
2.3 Linear Codes and Basic Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
2.4 Hamming Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
2.5 Efficient Decoding of Hamming codes . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
2.6 Dual of a Linear Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
2.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
2.8 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

3 Probability as Fancy Counting and the q-ary Entropy Function 63

3.1 A Crash Course on Probability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.2 The Probabilistic Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.3 The q-ary Entropy Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
3.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
3.5 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

II The Combinatorics 79
4 What Can and Cannot Be Done-I 81

5
 4.1 Asymptotic Version of the Hamming Bound . . . . . . . . . . . . . . . . . . . . . . . 81
4.2 Gilbert-Varshamov Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.3 Singleton Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
4.4 Plotkin Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
4.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.6 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

5 The Greatest Code of Them All: Reed-Solomon Codes 99

5.1 Polynomials and Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.2 Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
5.3 A Property of MDS Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.5 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

6 What Happens When the Noise is Stochastic: Shannon’s Theorem 115

6.1 Overview of Shannon’s Result . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
6.2 Shannon’s Noise Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
6.3 Shannon’s Result for BSCp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.4 Hamming vs. Shannon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.6 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

7 Bridging the Gap Between Shannon and Hamming: List Decoding 133
7.1 Hamming versus Shannon: part II . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
7.2 List Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
7.3 Johnson Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
7.4 List-Decoding Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7.5 List Decoding from Random Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
7.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
7.7 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

8 What Cannot be Done-II 153

8.1 Elias-Bassalygo bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
8.2 The MRRW bound: A better upper bound . . . . . . . . . . . . . . . . . . . . . . . . . 155
8.3 A Breather . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
8.4 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

III The Codes 157

9 When Polynomials Save the Day: Polynomial Based Codes 159
9.1 The generic construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
9.2 The low degree case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
9.3 The case of the binary field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

6
 9.4 The general case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
9.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
9.6 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

10 From Large to Small Alphabets: Code Concatenation 173

10.1 Code Concatenation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
10.2 Zyablov Bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
10.3 Strongly Explicit Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
10.4 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

11 When Graphs Come to the Party: Expander Codes 181

11.1 Bipartite Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
11.2 Bipartite Vertex Expanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
11.3 Expander Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
11.4 Codes from weaker expanders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
11.5 Optimizing the trade-off between rate and error fraction . . . . . . . . . . . . . . . . 195
11.6 Existence of lossless expanders: Proof of Theorem 11.2.6 . . . . . . . . . . . . . . . . 201
11.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
11.8 Bibliographic notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

12 Information Theory Strikes Back: Polar Codes 209

12.1 Achieving Gap to Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
12.2 Reduction to Linear Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
12.3 The Polarization Phenomenon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
12.4 Polar codes, Encoder and Decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
12.5 Analysis: Speed of Polarization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
12.6 Entropic Calculations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
12.7 Summary and additional information . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
12.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
12.9 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

IV The Algorithms 243

13 Decoding Concatenated Codes 245
13.1 A Natural Decoding Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
13.2 Decoding From Errors and Erasures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
13.3 Generalized Minimum Distance Decoding . . . . . . . . . . . . . . . . . . . . . . . . 249
13.4 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

14 Efficiently Achieving the Capacity of the BSCp 255

14.1 Achieving capacity of B SC p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
14.2 Decoding Error Probability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
14.3 The Inner Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

7
 14.4 The Outer Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
14.5 Discussion and Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

15 Decoding Reed-Muller Codes 263

15.1 A natural decoding algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
15.2 Majority Logic Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
15.3 Decoding by reduction to Reed-Solomon decoding . . . . . . . . . . . . . . . . . . . 272
15.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
15.5 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

16 Fast encoding: linear time encodable codes 283

16.1 Overview of the construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
16.2 Low-density Error-Reduction Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
16.3 The error-correcting code: Recursive construction . . . . . . . . . . . . . . . . . . . 287
16.4 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
16.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
16.6 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

17 Efficient Decoding of Reed-Solomon Codes 291

17.1 Unique decoding of Reed-Solomon codes . . . . . . . . . . . . . . . . . . . . . . . . 291
17.2 List Decoding Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
17.3 Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
17.4 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

18 Efficiently Achieving List Decoding Capacity 315

18.1 Folded Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
18.2 List Decoding Folded Reed-Solomon Codes: I . . . . . . . . . . . . . . . . . . . . . . 319
18.3 List Decoding Folded Reed-Solomon Codes: II . . . . . . . . . . . . . . . . . . . . . . 322
18.4 Bibliographic Notes and Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

19 Recovering very locally: Locally Recoverable Codes 337

19.1 Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
19.2 Definition of Locally Recoverable Codes . . . . . . . . . . . . . . . . . . . . . . . . . 338
19.3 A simple construction for message symbol LRCs . . . . . . . . . . . . . . . . . . . . . 339
19.4 A Singleton-type bound . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
19.5 An LRC meeting the Singleton type bound . . . . . . . . . . . . . . . . . . . . . . . . 342
19.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
19.7 Bibliographic notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

V The Applications 349

20 Cutting Data Down to Size: Hashing 351
20.1 Why Should You Care About Hashing? . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

8
 20.2 Avoiding Hash Collisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
20.3 Almost Universal Hash Function Families and Codes . . . . . . . . . . . . . . . . . . 356
20.4 Data Possession Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
20.5 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

21 Securing Your Fingerprints: Fuzzy Vaults 363

21.1 Some quick background on fingerprints . . . . . . . . . . . . . . . . . . . . . . . . . 363
21.2 The Fuzzy Vault Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
21.3 The Final Fuzzy Vault . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
21.4 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

22 Finding Defectives: Group Testing 371

22.1 Formalization of the problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
22.2 Bounds on t a (d , N ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
22.3 Bounds on t (d , N ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
22.4 Coding Theory and Disjunct Matrices . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
22.5 An Application in Data Stream Algorithms . . . . . . . . . . . . . . . . . . . . . . . . 381
22.6 Summary of best known bounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
22.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
22.8 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

23 Complexity of Coding Problems 391

23.1 Nearest Codeword Problem (NCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
23.2 Decoding with Preprocessing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
23.3 Approximate NCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
23.4 Distance bounded decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
23.5 Minimum distance problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
23.6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
23.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
23.8 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409

A Notation Table 421

B Some Useful Facts 423

B.1 Some Useful Inequalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
B.2 Some Useful Identities and Bounds . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

C Background on Asymptotic notation, Algorithms and Complexity 427

C.1 Asymptotic Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
C.2 Bounding Algorithm run time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
C.3 Randomized Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
C.4 Efficient Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
C.5 More on intractability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
C.6 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

9
 C.7 Bibliographic Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

D Basic Algebraic Algorithms 447

D.1 Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
D.2 Groups, Rings, Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
D.3 Polynomials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
D.4 Vector Spaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
D.5 Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
D.6 Algorithmic aspects of Finite Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
D.7 Algorithmic aspects of Polynomials . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
D.8 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465

E Some Information Theory Essentials 467

E.1 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
E.2 Joint and conditional entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 469
E.3 Mutual information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

10
List of Figures

1.1 Decoding for Akash English, one gets “I need little little (trail)mix." . . . . . . . . . 19
1.2 Coding process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
1.3 Bad example for unique decoding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
1.4 Illustration for proof of Hamming Bound . . . . . . . . . . . . . . . . . . . . . . . . . 34

3.1 The q-ary Entropy Function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

4.1 The Hamming and GV bounds for binary codes . . . . . . . . . . . . . . . . . . . . . 82

4.2 An illustration of Gilbert’s greedy algorithm (Algorithm 6) for the first five iterations. 84
4.3 Construction of a new code in the proof of the Singleton bound. . . . . . . . . . . . 87
4.4 The Hamming, GV and Singleton bound for binary codes. . . . . . . . . . . . . . . . 88
4.5 R vs δ tradeoffs for binary codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

6.1 The communication process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

6.2 Binary Symmetric Channel BSCp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
6.3 Binary Erasure Channel BECα . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
6.4 The sets D m partition the ambient space {0, 1}n . . . . . . . . . . . . . . . . . . . . . . 120
6.5 The shell S m of inner radius (1 − γ)pn and outer radius (1 + γ)pn. . . . . . . . . . . 121
6.6 Illustration of Proof of Shannon’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . 123

7.1 Bad example of unique decoding revisited . . . . . . . . . . . . . . . . . . . . . . . . 134

7.2 Comparing the Johnson Bound with Unique decoding and Singleton bounds . . . 140
7.3 An error pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
7.4 Illustration of notation used in the proof of Theorem 7.5.1 . . . . . . . . . . . . . . . 146
7.5 An error pattern in the middle of the proof . . . . . . . . . . . . . . . . . . . . . . . . 147

8.1 Bounds on R vs δ for binary codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

10.1 Concatenated code C out ◦C in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

10.2 The Zyablov bound for binary codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

11.1 A bipartite graph G H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

11.2 A bipartite expander graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
11.3 The ‘triangle’ graph G on the left, its edge vertex incidence graph (see Definition 11.4.4) in the middle
11.4 Code construction in proof of Theoremm 11.5.7. . . . . . . . . . . . . . . . . . . . . 200

11
12.1 The 2 × 2 Basic Polarizing Transform. Included in red are the conditional
³ entropies of´the variables, co
12.2 The n × n Basic Polarizing Transform defined as P n (Z) = P n (U, V) = P n (U + V), P n (V) . Acknowledgement
2 2
12.3 Block structure of the Basic Polarizing Transform. Circled are a block at the 2nd level and two 2nd leve

13.1 Encoding and Decoding of Concatenated Codes . . . . . . . . . . . . . . . . . . . . . 246

13.2 All values of θ ∈ [q i , q i +1 ) lead to the same outcome . . . . . . . . . . . . . . . . . . . 253

14.1 Efficiently achieving capacity of BSCp . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

14.2 Error Correction cannot decrease during “folding" . . . . . . . . . . . . . . . . . . . 260

16.1 The recursive construction of C k . The final code C̃ k is also shown. . . . . . . . . . . 288

17.1 A received word in 2-D space . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

17.2 The closest polynomial to a received word . . . . . . . . . . . . . . . . . . . . . . . . 293
17.3 Error locator polynomial for a received word . . . . . . . . . . . . . . . . . . . . . . . 294
17.4 The tradeoff between rate R and the fraction of errors that can be corrected by Algorithm 24.300
17.5 A received word in 2-D space for the second Reed-Solomon . . . . . . . . . . . . . . 301
17.6 An interpolating polynomial Q(X , Y ) for the received word in Figure 17.5. . . . . . 302
17.7 The two polynomials that need to be output are shown in blue. . . . . . . . . . . . . 302
17.8 The tradeoff between rate R and the fraction of errors that can be corrected by Algorithm 24 and Algor
17.9 Multiplicity of 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
17.10Multiplicity of 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
17.11Multiplicity of 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
17.12A received word in 2-D space for the third Reed-Solomon . . . . . . . . . . . . . . . 307
17.13An interpolating polynomial Q(X , Y ) for the received word in Figure 17.12. . . . . . 307
17.14The five polynomials that need to be output are shown in blue. . . . . . . . . . . . . 308

18.1 Encoding for Reed-Solomon Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

18.2 Folded Reed-Solomon code for m = 2. . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
18.3 Folded Reed-Solomon code for general m ≥ 1. . . . . . . . . . . . . . . . . . . . . . . 316
18.4 Error pattern under unfolding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
18.5 Error pattern under folding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
18.6 Performance of Algorithm 28 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
18.7 An agreement in position i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
18.8 More agreement with a sliding window of size 2. . . . . . . . . . . . . . . . . . . . . . 323
18.9 Performance of Algorithm 29 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
18.10An upper triangular system of linear equations . . . . . . . . . . . . . . . . . . . . . 327

21.1 The minutiae are unordered and form a set, not a vector. . . . . . . . . . . . . . . . 365

22.1 Pick a subset S (not necessarily contiguous). Then pick a column j that is not present in S. There will
22.2 Construction of the final matrix MC ∗ from MC out and MC in from Example 22.4.3. The rows in MC ∗ that

E.1 Relationship between entropy, joint entropy, conditional entropy, and mutual information for two ran

12
List of Tables

3.1 Uniform distribution over F22×2 along with values of four random variables. . . . . . 64

8.1 High level summary of results seen so far. . . . . . . . . . . . . . . . . . . . . . . . . . 155

10.1 Strongly explicit binary codes that we have seen so far. . . . . . . . . . . . . . . . . . 173

14.1 An overview of the results seen so far . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

14.2 Summary of properties of C out and C in . . . . . . . . . . . . . . . . . . . . . . . . . . 257

13
14
List of Algorithms

1 Error Detector for Parity Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

2 Naive Maximum Likelihood Decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3 Naive Decoder for Hamming Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
4 Decoder for Any Linear Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
5 Efficient Decoder for Hamming Code . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
6 Gilbert’s Greedy Code Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
7 q O(k) time algorithm to compute a code on the GV bound . . . . . . . . . . . . . . . 96
8 Generating Irreducible Polynomial . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
9 P OLAR C OMPRESSOR(Z, S) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
10 Successive Cancellation Decompressor SCD(W, P, S) . . . . . . . . . . . . . . . . . . 215
11 B ASIC P OLAR E NCODER(Z; n, S) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
12 B ASIC P OLAR D ECODER : BPD(W; n, p) . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
13 Natural Decoder for C out ◦C in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
14 Generalized Minimum Decoder (ver 1) . . . . . . . . . . . . . . . . . . . . . . . . . . 250
15 Generalized Minimum Decoder (ver 2) . . . . . . . . . . . . . . . . . . . . . . . . . . 252
16 Deterministic Generalized Minimum Decoder‘ . . . . . . . . . . . . . . . . . . . . . 253
17 Decoder for efficiently achieving BSCp capacity . . . . . . . . . . . . . . . . . . . . . 257
18 S IMPLE R EED -M ULLER D ECODER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
19 Majority Logic Decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
20 R EED -S OLOMON - BASED D ECODER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
21 G EN -FLIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
22 L INEAR-D ECODE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
23 Welch-Berlekamp Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
24 The First List Decoding Algorithm for Reed-Solomon Codes . . . . . . . . . . . . . . 299
25 The Second List Decoding Algorithm for Reed-Solomon Codes . . . . . . . . . . . . 303
26 The Third List Decoding Algorithm for Reed-Solomon Codes . . . . . . . . . . . . . 308
27 Decoding Folded Reed-Solomon Codes by Unfolding . . . . . . . . . . . . . . . . . . 317
28 The First List Decoding Algorithm for Folded Reed-Solomon Codes . . . . . . . . . 320
29 The Second List Decoding Algorithm for Folded Reed-Solomon Codes . . . . . . . 324
30 The Root Finding Algorithm for Algorithm 29 . . . . . . . . . . . . . . . . . . . . . . 331
31 Computing disjoint S and T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
32 Pre-Processing for Data Possession Verification . . . . . . . . . . . . . . . . . . . . . 357
33 Verification for Data Possession Verification . . . . . . . . . . . . . . . . . . . . . . . 358

15
34 Decompression Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
35 Decompression Algorithm Using List Decoding . . . . . . . . . . . . . . . . . . . . . 360
36 UNLOCK 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
37 LOCK 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
38 UNLOCK 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
39 Decoder for Separable Matrices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
40 Naive Decoder for Disjunct Matrices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
41 Initialization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
42 Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
43 Report Heavy Items . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
44 Simple Search . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431
45 Sampling algorithm for G AP H AMMING . . . . . . . . . . . . . . . . . . . . . . . . . . 435
46 An average-case algorithm for G AP H AMMING . . . . . . . . . . . . . . . . . . . . . . 436
47 Exponential time algorithm for M AX L INEAR E Q . . . . . . . . . . . . . . . . . . . . . 437
48 Reduction from M AXC UT to M AX L INEAR E Q . . . . . . . . . . . . . . . . . . . . . . . 440
49 R OOT-F IND (Fq , f ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
50 L INEAR-R OOT-F IND (Fq , g ) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

16
 Part I

The Basics

17
Chapter 1

The Fundamental Question

1.1 Overview
Communication is a fundamental need of our modern lives. In fact, communication is some-
thing that humans have been doing for a long time. For simplicity, let us restrict ourselves to
English. It is quite remarkable that different people speaking English can be understood pretty
well: even if e.g. the speaker has an accent. This is because English has some built-in redun-
dancy, which allows for “errors" to be tolerated. We will pick an example from one of the au-
thor’s experiences conversing with his two year old son, Akash. When Akash started to speak
his own version of English, which we will dub “Akash English," we got examples such as the one
illustrated below:

Figure 1.1: Decoding for Akash English, one gets “I need little little (trail)mix."

19
 With some practice Akash’s parents were able to “decode" what Akash really meant. In fact,
Akash could communicate even if he did not say an entire word properly and gobbled up part(s)
of word(s).
The above example shows that having redundancy in a language allows for communication
even in the presence of (small amounts of) differences and errors. Of course in our modern
digital world, all kinds of entities communicate (and most of the entities do not communicate
in English or any natural language for that matter). Errors are also present in the digital world,
so these digital communications also use redundancy.
Error-correcting codes (henceforth, just codes) are clever ways of representing data so that
one can recover the original information even if parts of it are corrupted. The basic idea is to
judiciously introduce redundancy so that the original information can be recovered even when
parts of the (redundant) data have been corrupted.
For example, when packets are transmitted over the Internet, some of the packets get cor-
rupted or dropped. Packet drops are resolved by the TCP layer by a combination of sequence
numbers and ACKs. To deal with data corruption, multiple layers of the TCP/IP stack use a form
of error correction called CRC Checksum [102]. From a theoretical point of view, the checksum
is a terrible code (for that matter so is English). However, on the Internet, the current dominant
mode of operation is to detect errors and if errors have occurred, then ask for retransmission.
This is the reason why the use of checksum has been hugely successful in the Internet. However,
there are other communication applications where re-transmission is not an option. Codes are
used when transmitting data over the telephone line or via cell phones. They are also used in
deep space communication and in satellite broadcast (for example, TV signals are transmitted
via satellite). Indeed, asking the Mars Rover to re-send an image just because it got corrupted
during transmission is not an option–this is the reason that for such applications, the codes
used have always been very sophisticated.
Codes also have applications in areas not directly related to communication. In particu-
lar, in the applications above, we want to communicate over space. Codes can also be used to
communicate over time. For example, codes are used heavily in data storage. CDs and DVDs
work fine even in presence of scratches precisely because they use codes. Codes are used in Re-
dundant Array of Inexpensive Disks (RAID) [21] and error correcting memory [20]. Sometimes,
in the Blue Screen of Death displayed by Microsoft Windows family of operating systems, you
might see a line saying something along the lines of “parity check failed"–this happens when
the code used in the error-correcting memory cannot recover from error(s). Also, certain con-
sumers of memory, e.g. banks, do not want to suffer from even one bit flipping (this e.g. could
mean someone’s bank balance either got halved or doubled–neither of which are welcome1 ).
Codes are also deployed in other applications such as paper bar codes; for example, the bar
code used by UPS called MaxiCode [19]. Unlike the Internet example, in all of these applica-
tions, there is no scope for “re-transmission."
In this book, we will mainly think of codes in the communication scenario. In this frame-
work, there is a sender who wants to send (say) k message symbols over a noisy channel. The

1
This is a bit tongue-in-cheek: in real life banks have more mechanisms to prevent one bit flip from wreaking
havoc.

20
sender first encodes the k message symbols into n symbols (called a codeword) and then sends
it over the channel. The receiver gets a received word consisting of n symbols. The receiver then
tries to decode and recover the original k message symbols. Thus, encoding is the process of
adding redundancy and decoding is the process of removing errors.
Unless mentioned otherwise, in this book we will make the following assumption:

The sender and the receiver only communicate via the channel.a In other words, other than
some setup information about the code, the sender and the receiver do not have any other
information exchange (other than of course what was transmitted over the channel). In
particular, no message is more likely to be transmitted over another.
a
The scenario where the sender and receiver have a “side-channel" is an interesting topic that has been
studied but is outside the scope of this book.

The fundamental question that will occupy our attention for almost the entire book is the
tradeoff between the amount of redundancy used and the number of errors that can be cor-
rected by a code. In particular, we would like to understand:

Question 1.1.1. How much redundancy do we need to correct a given amount of errors? (We
would like to correct as many errors as possible with as little redundancy as possible.)

Intuitively, maximizing error correction and minimizing redundancy are contradictory goals:
a code with higher redundancy should be able to tolerate more number of errors. By the end of
this chapter, we will see a formalization of this question.
Once we determine the optimal tradeoff, we will be interested in achieving this optimal
tradeoff with codes that come equipped with efficient encoding and decoding. (A DVD player
that tells its consumer that it will recover from a scratch on a DVD by tomorrow is not exactly
going to be a best-seller.) In this book, we will primarily define efficient algorithms to be ones
that run in polynomial time.2

1.2 Some definitions and codes

To formalize Question 1.1.1, we begin with the definition of a code.

Definition 1.2.1 (Code). A code of block length n over an alphabet Σ is a subset of Σn . Typically,
we will use q to denote |Σ|.3

Remark 1.2.2. We note that the ambient space Σn can be viewed as a set of sequences, vectors or
functions. In other words, we can think of a vector (v 1 , . . . , v n ) ∈ Σn as just the sequence v 1 , . . . , v n
2
We are not claiming that this is the correct notion of efficiency in practice. However, we believe that it is a good
definition as the “first cut"– quadratic or cubic time algorithms are definitely more desirable than exponential time
algorithms: see Section C.4 for more on this.
3
Note that q need not be a constant and can depend on n: we’ll see codes in this book where this is true.

21
(in order) or a vector tuple (v 1 , . . . , v n ) or as the function f : [n] → Σ such that f (i ) = v i . Sequences
assume least structure on Σ and hence are most generic. Vectors work well when Σ has some struc-
ture (and in particular is what is known as a field, which we will see next chapter). Functional
representation will be convenient when the set of coordinates has structure (e.g., [n] may come
from a finite field of size n). For now, however, the exact representation does not matter and the
reader can work with representation as sequences.

We will also frequently use the following alternate way of looking at a code. Given a code
C ⊆ Σn , with |C | = M , we will think of C as a mapping of the following form:

C : [M ] → Σn .

In the above, we have used to notation [M ] for any integer M ≥ 1 to denote the set {1, 2, . . . , M }.
We will also need the notion of dimension of a code.

Definition 1.2.3 (Dimension of a code). Given a code C ⊆ Σn , its dimension is given by

def
k = logq |C |.

Let us begin by looking at two specific codes. Both codes are defined over Σ = {0, 1} (also
known as binary codes). In both cases |C | = 24 and we will think of each of the 16 messages as a
4 bit vector.
We first look at the so-called parity code, which we will denote by C ⊕ . Given a message
(x 1 , x 2 , x 3 , x 4 ) ∈ {0, 1}4 , its corresponding codeword is given by

C ⊕ (x 1 , x 2 , x 3 , x 4 ) = (x 1 , x 2 , x 3 , x 4 , x 1 ⊕ x 2 ⊕ x 3 ⊕ x 4 ),

where the ⊕ denotes the EXOR (also known as the XOR or Exclusive-OR) operator. In other
words, the parity code appends the parity of the message bits (or takes the remainder of the
sum of the message bits when divided by 2) at the end of the message. Note that such a code
uses the minimum amount of non-zero redundancy.
The second code we will look at is the so-called repetition code. This is a very natural code
(and perhaps the first code one might think of). The idea is to repeat every message bit a fixed
number of times. For example, we repeat each of the 4 message bits 3 times and we use C 3,r ep
to denote this code.
Let us now try to look at the tradeoff between the amount of redundancy and the number of
errors each of these codes can correct. Even before we begin to answer the question, we need
to define how we are going to measure the amount of redundancy. One natural way to define
redundancy for a code with dimension k and block length n is by their difference n − k. By this
definition, the parity code uses the least amount of redundancy. However, one “pitfall" of such
a definition is that it does not distinguish between a code with k = 100 and n = 102 and another
code with dimension and block length 2 and 4, respectively. Intuitively, the latter code is using
more redundancy. This motivates the following notion of measuring redundancy.

22
Definition 1.2.4 (Rate of a code). The rate of a code with dimension k and block length n is given
by
def k
R = .
n

Note that the higher the rate, the lesser the amount of redundancy in the code. Also note that
as k ≤ n, R ≤ 1.4 Intuitively, the rate of a code is the average amount of real information in each
of the n symbols transmitted over the channel. So, in some sense, rate captures the complement
of redundancy. However, for historical reasons, we will deal with the rate R (instead of the more
obvious 1−R) as our notion of redundancy. Given the above definition, C ⊕ and C 3,r ep have rates
of 54 and 13 . As was to be expected, the parity code has a higher rate than the repetition code.
We have formalized the notion of redundancy as the rate of a code as well as other param-
eters of a code. However, to formalize Question 1.1.1, we still need to formally define what it
means to correct errors. We do so next.

1.3 Error correction

Before we formally define error correction, we will first formally define the notion of encoding.

Definition 1.3.1 (Encoding function). Let C ⊆ Σn . An equivalent description of the code C is an

injective mapping E : [|C |] → Σn called the encoding function.

Next we move to error correction. Intuitively, we can correct a received word if we can re-
cover the transmitted codeword (or equivalently the corresponding message). This “reverse"
process is called decoding.

Definition 1.3.2 (Decoding function). Let C ⊆ Σn be a code. A mapping D : Σn → [|C |] is called a

decoding function for C .

The definition of a decoding function by itself does not give anything interesting. What we
really need from a decoding function is that it recovers the transmitted message. To understand
this notion, we first need to understand what is the nature of errors that we aim to tackle. In
particular, if a transmitter transmits u ∈ Σn and the receiver receives v ∈ Σn , how do we quantify
the amount of “error” that has happened during this transmission? While multiple notions are
possible, the most central one, and the one we will focus on for most of this book is based on
“Hamming distance”, a notion of distance that captures how close are two given sequences u
and v.

Definition 1.3.3 (Hamming distance). Given two vectors u, v ∈ Σn the Hamming distance be-
tween u and v, denoted by ∆(u, v), is the number of positions in which u and v differ.
4
Further, in this book, we will always consider the case k > 0 and n < ∞ and hence, we can also assume that
R > 0.

23
 The Hamming distance is a distance in a very formal mathematical sense: see Exercise 1.5.
Note that the definition of Hamming distance just depends on the number of differences and
not the nature of the difference. For example, consider the vectors u = 00000 and v = 10001.
One can see that their Hamming distance is ∆(u, v) = 2. Now consider the vector w = 01010.
Note that even though v 6= w, we have that the Hamming distance ∆(u, w) = 2.
To return to the quantification of errors, from now we will say that if u is transmitted and
v is received then ∆(u, v) errors occured during transmission. This allows us to quantify the
performance of an encoding/function, or equivalently the underlying code as we do next.

Definition 1.3.4 (t -Error Channel). An n-symbol t -Error Channel over the alphabet Σ is a func-
tion Ch : Σn → Σn that satisfies ∆(v, Ch(v)) ≤ t for every v ∈ Σn .

Definition 1.3.5 (Error Correcting Code). Let C ⊆ Σn be a code and let t ≥ 1 be an integer. C
is said to be a t -error-correcting code if there exists a decoding function D such that for every
message m ∈ [|C |] every t -error channel Ch we have D (Ch(C (m))) = m.

Thus a t -error-correcting code is one where there is a decoding function that corrects any
pattern of t errors.
Figure 1.3 illustrates how the definitions we have examined so far interact.

Channel Ch
m 7→ C (m) v = Ch (C (m)) 7→ m

Encoding function Decoding function

Figure 1.2: Coding process

We will also very briefly look at a weaker form of error recovery called error detection.

Definition 1.3.6 (Error detection code). Let C ⊆ Σn be a code and let t ≥ 1 be an integer. C is said
to be t -error-detecting code if there exists a detecting procedure D such that for every message m
and every received vector v ∈ Σn satisfying ∆(C (m), v) ≤ t , it hold that D outputs a 1 if v = C (m)
and 0 otherwise.

Thus a t -error-detecting code is one where if the transmission has at least one error and at
most t errors, then the decoding function detects the error (by outputting 0). Note that a t -error
correcting code is also a t -error detecting code (but not necessarily the other way round): see
Exercise 1.1. Although error detection might seem like a weak error recovery model, it is useful
in settings where the receiver can ask the sender to re-send the message. For example, error
detection is used quite heavily in the Internet.
Finally we also consider a more benign model of errors referred to as “erasures” where a
symbol is merely (and explicitly) omitted from the transmission (as opposed being replaced by
some other symbol). To define this model we use a special symbol “?” that is not a member of
the alphabet Σ.

24
Definition 1.3.7 (t -Erasure Channel). An n-symbol t -Erasure Channel over the alphabet Σ is a
function Ch : Σn → (Σ ∪ {?})n that satisfies ∆(v, Ch(v)) ≤ t for every v ∈ Σn (where both arguments
to ∆(·, ·) are viewed as elements of (Σ ∪ {?})n ) and for every i ∈ [n] such that vi 6= Ch(v)i we have
Ch(v)i =?.

A coordinate i such that Ch(v)i =? is called an erasure. We may now define erasure correct-
ing codes analogously to error-correcting codes.

Definition 1.3.8 (Erasure Correcting Code). Let C ⊆ Σn be a code and let t ≥ 1 be an integer. C
is said to be a t -erasure-correcting code if there exists a decoding function D such that for every
message m ∈ [|C |] every t -erasure channel Ch we have D (Ch(C (m))) = m.

With the above definitions in place, we are now ready to look at the error correcting capa-
bilities of the codes we looked at in the previous section.

1.3.1 Error-Correcting Capabilities of Parity and Repetition codes

In Section 1.2, we looked at examples of parity code and repetition code with the following
properties:

C ⊕ : q = 2, k = 4, n = 5, R = 4/5.

C 3,r ep : q = 2, k = 4, n = 12, R = 1/3.

We will start with the repetition code. To study its error-correcting capabilities, we will con-
sider the following natural decoding function. Given a received word y ∈ {0, 1}12 , divide it up
into four consecutive blocks (y 1 , y 2 , y 3 , y 4 ) where every block consists of three bits. Then, for
every block y i (1 ≤ i ≤ 4), output the majority bit as the message bit. We claim this decoding
function can correct any error pattern with at most 1 error. (See Exercise 1.2.) For example, if a
block of 010 is received, since there are two 0’s we know the original message bit was 0. In other
words, we have argued that

Proposition 1.3.9. C 3,r ep is a 1-error correcting code.

However, it is not too hard to see that C 3,r ep cannot correct two errors. For example, if both
of the errors happen in the same block and a block in the received word is 010, then the original
block in the codeword could have been either 111 or 000. Therefore in this case, no decoder can
successfully recover the transmitted message.5
Thus, we have pin-pointed the error-correcting capabilities of the C 3,r ep code: it can cor-
rect one error, but not two or more. However, note that the argument assumed that the error
positions can be located arbitrarily. In other words, we are assuming that the channel noise
behaves arbitrarily (subject to a bound on the total number of errors). Obviously, we can model
the noise differently. We now briefly digress to look at this issue in slightly more detail.
5
Recall we are assuming that the decoder has no side information about the transmitted message.

25
Digression: Channel Noise. As was mentioned above, until now we have been assuming the
following noise model, which was first studied by Hamming:

Any error pattern can occur during transmission as long as the total number of er-
rors is bounded. Note that this means that the location as well as the nature6 of the
errors is arbitrary.

We will frequently refer to Hamming’s model as the Adversarial Noise Model. It is important
to note that the atomic unit of error is a symbol from the alphabet. So for example, if the error
pattern is (1, 0, 1, 0, 0, 0) and we consider the alphabet to be {0, 1}, then the pattern has two errors.
However, if our alphabet is {0, 1}3 (i.e. we think of the vector above as ((1, 0, 1), (0, 0, 0)), with
(0, 0, 0) corresponding to the zero element in {0, 1}3 ), then the pattern has only one error. Thus,
by increasing the alphabet size we can also change the adversarial noise model. As the book
progresses, we will see how error correction over a larger alphabet is easier than error correction
over a smaller alphabet.
However, the above is not the only way to model noise. For example, we could also have
following error model:

No more than 1 error can happen in any contiguous three-bit block.

First note that, for the channel model above, no more than four errors can occur when a code-
word in C 3,r ep is transmitted. (Recall that in C 3,r ep , each of the four bits is repeated three times.)
Second, note that the decoding function that takes the majority vote of each block can suc-
cessfully recover the transmitted codeword for any error pattern, while in the worst-case noise
model it could only correct at most one error. This channel model is admittedly contrived, but
it illustrates the point that the error-correcting capabilities of a code (and a decoding function)
are crucially dependent on the noise model.
A popular alternate noise model is to model the channel as a stochastic process. As a con-
crete example, let us briefly mention the binary symmetric channel with crossover probability
0 ≤ p ≤ 1, denoted by BSCp , which was first studied by Shannon. In this model, when a (binary)
codeword is transferred through the channel, every bit flips independently with probability p.
Note that the two noise models proposed by Hamming and Shannon are in some sense two
extremes: Hamming’s model assumes no knowledge about the channel (except that a bound
on the total number of errors is known7 while Shannon’s noise model assumes complete knowl-
edge about how noise is produced. In this book, we will consider only these two extreme noise
models. In real life, the situation often is somewhere in between.
For real life applications, modeling the noise model correctly is an extremely important
task, as we can tailor our codes to the noise model at hand. However, in this book we will
not study this aspect of designing codes at all, and will instead mostly consider the worst-case
noise model. Intuitively, if one can communicate over the worst-case noise model, then one
6
For binary codes, there is only one kind of error: a bit flip. However, for codes over a larger alphabet, say {0, 1, 2},
0 being converted to a 1 and 0 being converted into a 2 are both errors, but are different kinds of errors.
7
A bound on the total number of errors is necessary; otherwise, error correction would be impossible: see
Exercise 1.3.

26
could use the same code to communicate over nearly every other noise model with the same
amount of noise.

We now return to C ⊕ and examine its error-correcting capabilities in the worst-case noise
model. We claim that C ⊕ cannot correct even one error. Suppose y = 10000 is the received word.
Then we know that an error has occurred, but we do not know which bit was flipped. This is
because the two codewords u = 00000 and v = 10001 differ from the received word y in exactly
one bit. As we are assuming that the receiver has no side information about the transmitted
codeword, no decoder can know what the transmitted codeword was.
Thus, from an error-correction point of view, C ⊕ is a terrible code (as it cannot correct even
1 error). However, we will now see that C ⊕ can detect one error. Consider Algorithm 1. Note that

Algorithm 1 Error Detector for Parity Code

I NPUT: Received word y = (y 1 , y 2 , y 3 , y 4 , y 5 )
O UTPUT: 1 if y ∈ C ⊕ and 0 otherwise

1: b ← y 1 ⊕ y 2 ⊕ y 3 ⊕ y 4 ⊕ y 5
2: RETURN 1 ⊕ b ⊲ If there is no error, then b = 0 and hence we need to "flip" the bit for the
answer

when no error has occurred during transmission, y i = x i for 1 ≤ i ≤ 4 and y 5 = x 1 ⊕ x 2 ⊕ x 3 ⊕ x 4 ,

in which case b = 0 and we output 1 ⊕ 0 = 1 as required. If there is a single error then either
y i = x i ⊕ 1 (for exactly one 1 ≤ i ≤ 4) or y 5 = x 1 ⊕ x 2 ⊕ x 3 ⊕ x 4 ⊕ 1. It is easy to check that in this
case, b = 1. In fact, one can extend this argument to obtain the following result (see Exercise 1.4).

Proposition 1.3.10. The parity code C ⊕ can detect an odd number of errors.

Let us now revisit the example that showed that one cannot correct one error using C ⊕ .
Recall, we considered two codewords in C ⊕ , u = 00000 and v = 10001 (which are codewords
corresponding to messages 0000 and 1000, respectively). Now consider the scenarios in which
u and v are each transmitted and a single error occurs resulting in the received word r = 10000.
Thus, given the received word r and the fact that at most one error can occur, the decoder has
no way of knowing whether the original transmitted codeword was u or v. Looking back at the
example, it is clear that the decoder is “confused" because the two codewords u and v do not
differ in many positions. This notion is formalized in the next section.

1.4 Distance of a code

We now turn to a new parameter associated with a code that we call the minimum distance of
a code. As we will see later, minimum distance is not completely new and easily connected to
the other parameters including the error-correction capacity of the code and error-detection
capacity of the code. But due to the cleanliness of the definition it will often be the first of the
parameters we will explore when studying a new error-correcting code.

27
Definition 1.4.1 (Minimum distance). Let C ⊆ Σn . The minimum distance (or just distance) of
C , denoted ∆(C ), is defined to be

∆(C ) = min ∆(c1 , c2 ).

c1 6=c2 ∈C

In other words, ∆(C ) is the minimum distance between two distinct codewords in C . It is
easy to check that the repetition code C 3,r ep has distance 3. Indeed, any two distinct messages
will differ in at least one of the message bits. After encoding, the difference in one message bit
will translate into a difference of three bits in the corresponding codewords. We now claim that
the distance of C ⊕ is 2. This is a consequence of the following observations. If two messages
m1 and m2 differ in at least two places then ∆(C ⊕ (m1 ),C ⊕ (m2 )) ≥ 2 (even if we just ignored the
parity bits). If two messages differ in exactly one place then the parity bits in the correspond-
ing codewords are different which implies a Hamming distance of 2 between the codewords.
Thus, C ⊕ has smaller distance than C 3,r ep and can correct less number of errors than C 3,r ep .
This suggests that a larger distance implies greater error-correcting capabilities. The next result
formalizes this intuition. Before we get to the result, we first introduce a milder notion of cor-
ruption called “erasures”. As we will see minimum distance exactly captures both the ability to
recover from errors as also this notion of erasures.

Proposition 1.4.2. Given a code C , the following are equivalent:

1. C has minimum distance d ≥ 2,

2. If d is odd, C can correct (d − 1)/2 errors.

3. C can detect d − 1 errors.

4. C can correct d − 1 erasures.

Remark 1.4.3. Property (2) above for even d is slightly different. In this case, one can correct up
to d2 − 1 errors but cannot correct d2 errors. (See Exercise 1.6.)

Before we prove Proposition 1.4.2, let us apply it to the codes C ⊕ and C 3,r ep which have
distances of 2 and 3 respectively. Proposition 1.4.2 implies the following facts that we have
already proved:

• C 3,r ep can correct 1 error (Proposition 1.3.9).

• C ⊕ can detect 1 error but cannot correct 1 error (Proposition 1.3.10).

The proof of Proposition 1.4.2 will need the following decoding function. Maximum like-
lihood decoding (MLD) is a well-studied decoding method for error correcting codes, which
outputs the codeword closest to the received word in Hamming distance (with ties broken arbi-
trarily). More formally, the MLD function denoted by D M LD : Σn → C is defined as follows. For
every y ∈ Σn ,
D M LD (y) = arg min ∆(c, y).
c∈C
Algorithm 2 is a naive implementation of the MLD.

28
Algorithm 2 Naive Maximum Likelihood Decoder
I NPUT: Received word y ∈ Σn
O UTPUT: D M LD (y)

1: Pick an arbitrary c ∈ C and assign z ← c

2: FOR every c′ ∈ C such that c 6= c′ DO
3: ∆(c′ , y) < ∆(z, y) THEN
IF
4: z ← c′
5: RETURN z

Proof of Proposition 1.4.2 We will complete the proof in two steps. First, we will show that if
property 1 is satisfied then so are properties 2,3 and 4. Then we show that if property 1 is not
satisfied then none of properties 2,3 or 4 hold.

1. implies 2. Assume C has distance d . We first prove 2 (for this case assume that d = 2t + 1).
We now need to show that there exists a decoding function such that for all error patterns with
at most t errors it always outputs the transmitted message. We claim that the MLD function
has this property. Assume this is not so and let c1 be the transmitted codeword and let y be the
received word. Note that
∆(y, c1 ) ≤ t . (1.1)
As we have assumed that MLD does not work, D M LD (y) = c2 6= c1 . Note that by the definition of
MLD,
∆(y, c2 ) ≤ ∆(y, c1 ). (1.2)
Consider the following set of inequalities:

∆(c1 , c2 ) ≤ ∆(c2 , y) + ∆(c1 , y) (1.3)

≤ 2∆(c1 , y) (1.4)
≤ 2t (1.5)
= d − 1, (1.6)

where (1.3) follows from the triangle inequality (see Exercise 1.5), (1.4) follows from (1.2) and
(1.5) follows from (1.1). (1.6) implies that the distance of C is at most d − 1, which is a contra-
diction.

1. implies 3. We now show that property 3 holds, that is, we need to describe an algorithm
that can successfully detect whether errors have occurred during transmission (as long as the
total number of errors is bounded by d − 1). Consider the following error detection algorithm:
check if the received word y = c for some c ∈ C (this can be done via an exhaustive check). If
no errors occurred during transmission, y = c1 , where c1 was the transmitted codeword and the
algorithm above will accept (as it should). On the other hand if 1 ≤ ∆(y, c1 ) ≤ d − 1, then by the
fact that the distance of C is d , y 6∈ C and hence the algorithm rejects, as required.

29
1. implies 4. Finally, we prove that property 4 holds. Let y ∈ (Σ ∪ {?})n be the received word.
First we claim that there is a unique c = (c 1 , . . . , c n ) ∈ C that agrees with y (i.e. y i = c i for ev-
ery i such that y i 6= ?). (For the sake of contradiction, assume that this is not true, i.e. there
exists two distinct codewords c1 , c2 ∈ C such that both c1 and c2 agree with y in the unerased
positions. Note that this implies that c1 and c2 agree in the positions i such that y i 6= ?. Thus,
∆(c1 , c2 ) ≤ |{i |y i = ?}| ≤ d − 1, which contradicts the assumption that C has distance d .) Given
the uniqueness of the codeword c ∈ C that agrees with y in the unerased position, an algorithm
to find c is as follows: go through all the codewords in C and output the desired codeword.

¬1. implies ¬2. For the other direction of the proof, assume that property 1 does not hold,
that is, C has distance d − 1. We now show that property 2 cannot hold: i.e., for every decoding
function there exists a transmitted codeword c1 and a received word y (where ∆(y, c1 ) ≤ (d −1)/2)
such that the decoding function cannot output c1 . Let c1 6= c2 ∈ C be codewords such that
∆(c1 , c2 ) = d − 1 (such a pair exists as C has distance d − 1). Now consider a vector y such that
∆(y, c1 ) = ∆(y, c2 ) = (d − 1)/2. Such a y exists as d is odd and by the choice of c1 and c2 . Below is
an illustration of such a y (matching color implies that the vectors agree on those positions):

d −1 d −1
n −d +1 2 2

c1

c2

Figure 1.3: Bad example for unique decoding.

Now, since y could have been generated if either of c1 or c2 were the transmitted codeword,
no decoding function can work in this case.8

¬1. implies ¬3. For the remainder of the proof, assume that the transmitted word is c1 and
there exists another codeword c2 such that ∆(c2 , c1 ) = d − 1. To see why property 3 is not true,
let y = c2 . In this case, either the error detecting algorithm detects no error, or it declares an
error when c2 is the transmitted codeword and no error takes place during transmission.

8
Note that this argument is just a generalization of the argument that C ⊕ cannot correct 1 error.

30
¬1. implies ¬4. We finally argue that property 4 does not hold. Let y be the received word in
which the positions that are erased are exactly those where c1 and c2 differ. Thus, given y both
c1 and c2 could have been the transmitted codeword, and no algorithm for correcting (at most
d − 1) erasures can work in this case. ■
Proposition 1.4.2 implies that Question 1.1.1 can be reframed as

Question 1.4.1. What is the largest rate R that a code with distance d can have?

We have seen that the repetition code C 3,r ep has distance 3 and rate 1/3. A natural follow-up
question (which is a special case of Question 1.4.1) is to ask

Question 1.4.2. Can we have a code with distance 3 and rate R > 31 ?

1.5 Hamming Code

With the above question in mind, let us consider the so-called Hamming code, which we will
denote by C H . Given a message (x 1 , x 2 , x 3 , x 4 ) ∈ {0, 1}4 , its corresponding codeword is given by

C H (x 1 , x 2 , x 3 , x 4 ) = (x 1 , x 2 , x 3 , x 4 , x 2 ⊕ x 3 ⊕ x 4 , x 1 ⊕ x 3 ⊕ x 4 , x 1 ⊕ x 2 ⊕ x 4 ).

It is easy to check that this code has the following parameters:

C H : q = 2, k = 4, n = 7, R = 4/7.

We will show shortly that C H has a distance of 3. We would like to point out that we could
have picked the three parities differently. The reason we mention the three particular parities
above is due to historical reasons. We leave it as an exercise to define an alternate set of parities
such that the resulting code still has a distance of 3: see Exercise 1.9.
Before we move on to determining the distance of C H , we will need another definition.

Definition 1.5.1 (Hamming Weight). Let q ≥ 2. Given any vector v ∈ {0, 1, 2, . . . , q − 1}n , its Ham-
ming weight, denoted by w t (v) is the number of non-zero symbols in v.

For example, if v = 01203400, then w t (v) = 4.

We now look at the distance of C H .

Proposition 1.5.2. C H has a distance of 3.

31
Proof. We will prove the claimed property by using two properties of C H :

min w t (c) = 3, (1.7)

c∈C H ,c6=0

and
min w t (c) = min ∆(c1 , c2 ) (1.8)
c∈C H ,c6=0 c1 6=c2 ∈C H

The proof of (1.7) follows from a case analysis on the Hamming weight of the message bits. Let
us use x = (x 1 , x 2 , x 3 , x 4 ) to denote the message vector.

• Case 0: If w t (x) = 0, then C H (x) = 0, which means we do not have to consider this code-
word.

• Case 1: If w t (x) = 1 then at least two parity check bits in (x 2 ⊕x 3 ⊕x 4 , x 1 ⊕x 2 ⊕x 4 , x 1 ⊕x 3 ⊕x 4 )

are 1 (see Exercise 1.10). So in this case, w t (C H (x)) ≥ 3.

• Case 2: If w t (x) = 2 then at least one parity check bit in (x 2 ⊕x 3 ⊕x 4 , x 1 ⊕x 2 ⊕x 4 , x 1 ⊕x 3 ⊕x 4 )

is 1 (see Exercise 1.11). So in this case, w t (C H (x)) ≥ 3.

• Case 3: If w t (x) ≥ 3 then obviously w t (C H (x)) ≥ 3.

Thus, we can conclude that min w t (c) ≥ 3. Further, note that w t (C H (1, 0, 0, 0)) = 3, which
c∈C H ,c6=0
along with the lower bound that we just obtained proves (1.7).
We now turn to the proof of (1.8). For the rest of the proof, let x = (x 1 , x 2 , x 3 , x 4 ) and y =
(y 1 , y 2 , y 3 , y 4 ) denote the two distinct messages. Using associativity and commutativity of the ⊕
operator, we obtain that
C H (x) +C H (y) = C H (x + y),

where the “+" operator is just the bit-wise ⊕ of the operand vectors9 . Further, it is easy to verify
that for two vectors u, v ∈ {0, 1}n , ∆(u, v) = w t (u + v) (see Exercise 1.12). Thus, we have

min ∆(C H (x),C H (y)) = min w t (C H (x + y))

x6=y∈{0,1}4 x6=y∈{0,1}4

= min w t (C H (x)),
x6=0∈{0,1}4

where the second equality follows from the observation that {x+y|x 6= y ∈ {0, 1}n } = {x ∈ {0, 1}n |x 6=
0}. Recall that w t (C H (x)) = 0 if and only if x = 0 and this completes the proof of (1.8). Combining
(1.7) and (1.8), we conclude that C H has a distance of 3.

The second part of the proof could also be shown in the following manner. It can be verified
easily that the Hamming code is the set {x · G H |x ∈ {0, 1}4 }, where G H is the following matrix
9
E.g. (0, 1, 1, 0) + (1, 1, 1, 0) = (1, 0, 0, 0).

32
(where we think x as a row vector).10
 
1 0 0 0 0 1 1
 
0 1 0 0 1 0 1
GH =  
0 0 1 0 1 1 0
0 0 0 1 1 1 1

In fact, any binary code (of dimension k and block length n) that is generated11 by a k × n
matrix is called a binary linear code. (Both C ⊕ and C 3,r ep are binary linear codes: see Exer-
cise 1.13.) This implies the following simple fact.

Lemma 1.5.3. For any binary linear code C and any two messages x and y, C (x)+C (y) = C (x+y).

Proof. For any binary linear code, we have a generator matrix G. The following sequence of
equalities (which follow from the distributivity and associativity properties of the Boolean EXOR
and AND operators) proves the lemma.

C (x) +C (y) = x · G + y · G
= (x + y) · G
= C (x + y)

We stress that in the lemma above, x and y need not be distinct. Note that due to the fact that
b ⊕b = 0 for every b ∈ {0, 1}, x+x = 0, which along with the lemma above implies that C (0) = 0.12
We can infer the following result from the above lemma and the arguments used to prove (1.8)
in the proof of Proposition 1.5.2.

Proposition 1.5.4. For any binary linear code, its minimum distance is equal to minimum Ham-
ming weight of any non-zero codeword.

Thus, we have seen that C H has distance d = 3 and rate R = 74 while C 3,r ep has distance d = 3
and rate R = 31 . Thus, the Hamming code is provably better than the repetition code (in terms
of the tradeoff between rate and distance) and thus, answers Question 1.4.2 in the affirmative.
The next natural question is

Question 1.5.1. Can we have a distance 3 code with a rate higher than that of C H ?

We will address this question in the next section.

10
Indeed (x 1 , x 2 , x 3 , x 4 ) · G H = (x 1 , x 2 , x 3 , x 4 , x 2 ⊕ x 3 ⊕ x 4 , x 1 ⊕ x 3 ⊕ x 4 , x 1 ⊕ x 2 ⊕ x 4 ), as desired.
11
That is, C = {x · G|x ∈ {0, 1}k }, where addition is the ⊕ operation and multiplication is the AND operation.
12
This of course should not be surprising as for any matrix G, we have 0 · G = 0.

33
1.6 Hamming Bound
Now we switch gears to present our first tradeoff between redundancy (in the form of the di-
mension of a code) and its error-correction capability (in the form of its distance). In particular,
we will first prove a special case of the so-called Hamming bound for a distance of 3.
We begin with another definition.

Definition 1.6.1 (Hamming Ball). For any vector x ∈ [q]n ,

B (x, e) = {y ∈ [q]n |∆(x, y) ≤ e}.

Next, we prove an upper bound on the dimension of every code with distance 3.

Theorem 1.6.2 (Hamming bound for d = 3). Every binary code with block length n, dimension
k, distance d = 3 satisfies
k ≤ n − log2 (n + 1).

Proof. Given any two codewords, c1 6= c2 ∈ C , the following is true (as C has distance13 3):

B (c1 , 1) ∩ B (c2 , 1) = ;. (1.9)

See Figure 1.4 for an illustration.

{0, 1}n

1 1 1

c1 c2

1 1 1

Figure 1.4: Hamming balls of radius 1 are disjoint. The figure is technically not correct: the balls
above are actually balls in the Euclidean space, which is easier to visualize than the Hamming
space.

Note that for all x ∈ {0, 1}n (see Exercise 1.16),

|B (x, 1)| = n + 1. (1.10)

13
Assume that y ∈ B (c1 , 1)∩B (c2 , 1), that is ∆(y, c1 ) ≤ 1 and ∆(y, c2 ) ≤ 1. Thus, by the triangle inequality ∆(c1 , c2 ) ≤
2 < 3, which is a contradiction.

34
Now consider the union of all Hamming balls centered around some codeword. Obviously, their
union is a subset of {0, 1}n . In other words,
¯ ¯
¯[ ¯
¯ B (c, 1)¯ ≤ 2n . (1.11)
¯ ¯
c∈C

As (1.9) holds for every pair of distinct codewords,

¯ ¯
¯[ ¯ X
¯ B (c, 1)¯ = |B (c, 1)|
¯ ¯
c∈C c∈C
X
= (n + 1) (1.12)
c∈C
k
= 2 · (n + 1), (1.13)

where (1.12) follows from (1.10) and (1.13)) the fact that C has dimension k. Combining (1.13)
and (1.11), we get
2k (n + 1) ≤ 2n ,
or equivalently
2n
2k ≤ .
n +1
Taking log2 of both sides we get the desired bound:

k ≤ n − log2 (n + 1).

Thus, Theorem 1.6.2 shows that for n = 7, C H has the largest possible dimension for any
binary code of block length 7 and distance 3 (as for n = 7, n − log2 (n + 1) = 4). In particular,
it also answers Question 1.5.1 for n = 7 in the negative. Next, will present the general form of
Hamming bound.

1.7 Generalized Hamming Bound

We start with a new notation.

Definition 1.7.1. A code C ⊆ Σn with dimension k and distance d will be called a (n, k, d )Σ code.
We will also refer it to as a (n, k, d )|Σ| code.

We now proceed to generalize Theorem 1.6.2 to any distance d .

Theorem 1.7.2 (Hamming Bound for any d ). For every (n, k, d )q code
j k
à !
(d −1)
2
 X n 
k ≤ n − logq  (q − 1)i  .
i =0 i

35
Proof. The proof is a straightforward
j k generalization of the proof of Theorem 1.6.2. For nota-
(d −1)
tional convenience, let e = 2 . Given any two codewords, c1 6= c2 ∈ C , the following is true
(as C has distance14 d ):
B (c1 , e) ∩ B (c2 , e) = ;. (1.14)
We claim that for all x ∈ [q]n , Ã !
X e n
|B (x, e)| = (q − 1)i . (1.15)
i =0 i
Indeed
¡n ¢ any vector in B (x, e) must differ from x in exactly 0 ≤ i ≤ e positions. In the summation
i is the number of ways of choosing the differing i positions and in each such position, a
vector can differ from x in q − 1 ways.
Now consider the union of all Hamming balls centered around some codeword. Obviously,
their union is a subset of [q]n . In other words,
¯ ¯
¯[ ¯
¯ B (c, e)¯ ≤ q n . (1.16)
¯ ¯
c∈C

As (1.14) holds for every pair of distinct codewords,

¯ ¯
¯[ ¯ X
¯ B (c, e)¯ = |B (c, e)|
¯ ¯
c∈C c∈C
à !
X e n
= qk (q − 1)i , (1.17)
i =0 i

where (1.17) follows from (1.15) and the fact that C has dimension k. Combining (1.17) and
(1.16) and taking logq of both sides we will get the desired bound:
à à ! !
X e n
k ≤ n − logq (q − 1)i .
i =0 i

Note that the Hamming bound gives a partial answer to Question 1.4.1. In particular, any
code of distance d can have rate R at most
¡P ¡ ¢ ¢
logq ei=0 ni (q − 1)i
1− .
n

Further, the Hamming bound also leads to the following definition:

Definition 1.7.3. Codes that meet Hamming bound are called perfect codes.
14
Assume that y ∈ B (c1 , e)∩B (c2 , e), that is ∆(y, c1 ) ≤ e and ∆(y, c2 ) ≤ e. Thus, by the triangle inequality, ∆(c1 , c2 ) ≤
2e ≤ d − 1, which is a contradiction.

36
 Intuitively, a perfect
j code
k leads to the following perfect “packing": if one constructs Ham-
ming balls of radius d −12 around all the codewords, then we would cover the entire ambient
space, i.e. every possible vector will lie in one of these Hamming balls.
One example of perfect code is the (7, 4, 3)2 Hamming code that we have seen in this chapter
(so is the family of general Hamming codes that we will see in the next chapter). A natural
question to ask is if

Question 1.7.1. Other than the Hamming codes, are there any other perfect (binary) codes?

We will see the answer in Section 2.4.

1.8 Family of codes

Until now, we have mostly studied specific codes, that is, codes with fixed block lengths and
dimension. However, when we perform an asymptotic study of codes, it makes more sense
to talk about a family of codes and study their asymptotic rate and distance. We define these
notions next.

Definition 1.8.1 (Code families, Rate and Distance). Let q ≥ 2. Let {n i }i ≥1 be an increasing se-
quence of block lengths and suppose there exists sequences {k i }i ≥1 and {d i }i ≥1 such that for all
i ≥ 1 there exists an (n i , k i , d i )q code C i . Then the sequence C = {C i }i ≥1 is a family of codes. The
rate of C is defined as ½ ¾
ki
R(C ) = lim ,
i →∞ n i

when the limit exists. The relative distance of C is defined as

½ ¾
di
δ(C ) = lim ,
i →∞ n i

when the limit exists.15

For instance, we will shortly see that Hamming code of Section 1.5 can be extended to an
entire family of codes C H = {C i }i ∈Z+ , with C i being an (n i .k i , d i )-code with n i = 2i − 1, k i = 2i −
i − 1, d i = 3 and thus,
i
R(C H ) = lim 1 − i = 1,
i →∞ 2 −1
and
3
δ(C H ) = lim i = 0.
i →∞ 2 − 1
15
In all codes we will study these limits will exist, but of course it is possible to construct families of codes where
the limits do not exist.

37
 A significant focus of this text from now on will be on families of codes. This is necessary
as we will study the asymptotic behavior of algorithms on codes, which does not make sense
for a fixed code. For example, when we say that a decoding algorithm for a code C takes O(n 2 )
time, we would be implicitly assuming that C is a family of codes and that the algorithm has
an O(n 2 ) running time when the block length is large enough. From now on, unless mentioned
otherwise, whenever we talk about a code, we will be implicitly assuming that we are talking
about a family of codes.
Given that we can only formally talk about asymptotic run time of algorithms, we now also
state our formal notion of efficient algorithms:

We’ll call an algorithm related to a code of block length n to be efficient, if it runs in time
polynomial in n.

For all the specific codes that we will study in this book, the corresponding family of codes
will be a “family" in a more natural sense. By this we mean that all the specific codes in a family
of codes will be the “same" code except with different parameters. A bit more formally, we will
consider families {C i }i ≥1 , where given only the ‘index’ i , one can compute a sufficient descrip-
tion of C i efficiently.16
Finally, the definition of a family of codes allows us to present the final version of the big
motivating question for the book. The last formal version of the main question we considered
was Question 1.4.1, where we were interested in the tradeoff of rate R and distance d . The
comparison was somewhat unfair because R was a ratio while d was an integer. A more appro-
priate comparison should be between rate R and the relative distance δ. Further, we would be
interested in tackling the main motivating question for families of codes, which results in the
following final version:

Question 1.8.1. What is the optimal tradeoff between R(C ) and δ(C ) that can be achieved by
some code family C ?

A natural special case of Question 1.8.1 is whether the rate and relative distance of a family
of codes can be simultaneously positive. We formulate this special case as a separate question
below.

Question 1.8.2. Does there exist a family of codes C such that R(C ) > 0 and δ(C ) > 0 hold
simultaneously?

16
We stress that this is not always going to be the case. In particular, we will consider “random" codes where this
efficient constructibility will not be true.

38
 Codes that have the above property are called asymptotically good. For the curious reader,
we will present many asymptotically good codes in the rest of this book, though a priori the
existence of these is not immediate.

1.9 Exercises
Exercise 1.1. Show that any t -error correcting code is also t -error detecting but not necessarily
the other way around.

Exercise 1.2. Prove Proposition 1.3.9.

Exercise 1.3. Show that for every integer n, there is no code with block length n that can handle
arbitrary number of errors.

Exercise 1.4. Prove Proposition 1.3.10.

Exercise 1.5. A distance function on Σn (i.e. d : Σn × Σn → R) is called a metric if the following

conditions are satisfied for every x, y, z ∈ Σn :

1. d (x, y) ≥ 0.

2. d (x, y) = 0 if and only if x = y.

3. d (x, y) = d (y, x).

4. d (x, z) ≤ d (x, y) + d (y, z). (This property is called the triangle inequality.)

Prove that the Hamming distance is a metric.

Exercise 1.6. Let C be a code with distance d for even d . Then argue that C can correct up to
d /2 − 1 many errors but cannot correct d /2 errors. Using this or otherwise, argue that if a code C
is t -error correctable then it either has a distance of 2t + 1 or 2t + 2.

Exercise 1.7. In this exercise, we will see that one can convert arbitrary codes into code with
slightly different parameters:

1. Let C be an (n, k, d )2 code with d odd. Then it can be converted into an (n + 1, k, d + 1)2
code.

2. Let C be an (n, k, d )Σ code. Then it can be converted into an (n − 1, k, d − 1)Σ code.

Note: Other than the parameters of the code C , you should not assume anything else about the
code. Also your conversion should work for every n, k, d ≥ 1.

39
Exercise 1.8. In this problem we will consider a noise model that has both errors and erasures. In
particular, let C be an (n, k, d )Σ code. As usual a codeword c ∈ C is transmitted over the channel
and the received word is a vector y ∈ (Σ ∪ {?})n , where as before a ? denotes an erasure. We will use
s to denote the number of erasures in y and e to denote the number of (non-erasure) errors that
occurred during transmission. To decode such a vector means to output a codeword c ∈ C such
that the number of positions where c disagree with y in the n − s non-erased positions is at most
e. For the rest of the problem assume that

2e + s < d . (1.18)

1. Argue that the output of the decoder for any C under (1.18) is unique.

2. Let C be a binary code (but not necessarily linear). Assume that there exists a decoder D
that can correct from < d /2 many errors in T (n) time. Then under (1.18) one can perform
decoding in time O(T (n)).
Exercise 1.9. Define codes other than C H with k = 4, n = 7 and d = 3.
Hint: Refer to the proof of Proposition 1.5.2 to figure out the properties needed from the three parities.

Exercise 1.10. Argue that if w t (x) = 1 then at least two parity check bits in (x 2 ⊕ x 3 ⊕ x 4 , x 1 ⊕ x 2 ⊕
x 4 , x 1 ⊕ x 3 ⊕ x 4 ) are 1.
Exercise 1.11. Argue that if w t (x) = 2 then at least one parity check bit in (x 2 ⊕ x 3 ⊕ x 4 , x 1 ⊕ x 2 ⊕
x 4 , x 1 ⊕ x 3 ⊕ x 4 ) is 1.
Exercise 1.12. Prove that for any u, v ∈ {0, 1}n , ∆(u, v) = w t (u + v).
Exercise 1.13. Argue that C ⊕ and C 3,r ep are binary linear codes.
Exercise 1.14. Let G be a generator matrix of an (n, k, d )2 binary linear code. Then G has at least
kd ones in it.
Exercise 1.15. Argue that in any binary linear code, either all all codewords begin with a 0 of
exactly half of the codewords begin with a 0.
Exercise 1.16. Prove (1.10).
Exercise 1.17. Show that there is no binary code with block length 4 that achieves the Hamming
bound.
Exercise 1.18. (∗) There are n people in a room, each of whom is given a black/white hat chosen
uniformly at random (and independent of the choices of all other people). Each person can see
the hat color of all other people, but not their own. Each person is asked if (s)he wishes to guess
their own hat color. They can either guess, or abstain. Each person makes their choice without
knowledge of what the other people are doing. They either win collectively, or lose collectively.
They win if all the people who don’t abstain guess their hat color correctly and at least one person
does not abstain. They lose if all people abstain, or if some person guesses their color incorrectly.
Your goal below is to come up with a strategy that will allow the n people to win with pretty high
probability. We begin with a simple warmup:

40
 (a) Argue that the n people can win with probability at least 12 .

Next we will see how one can really bump up the probability of success with some careful mod-
eling, and some knowledge of Hamming codes. (Below are assuming knowledge of the general
Hamming code (see Section 2.4). If you do not want to skip ahead, you can assume that n = 7 in
the last part of this problem.

(b) Lets say that a directed graph G is a subgraph of the n-dimensional hypercube if its vertex
set is {0, 1}n and if u → v is an edge in G, then u and v differ in at most one coordinate.
Let K (G) be the number of vertices of G with in-degree at least one, and out-degree zero.
Show that the probability of winning the hat problem equals the maximum, over directed
subgraphs G of the n-dimensional hypercube, of K (G)/2n .

(c) Using the fact that the out-degree of any vertex is at most n, show that K (G)/2n is at most
n
n+1
for any directed subgraph G of the n-dimensional hypercube.

(d) Show that if n = 2r − 1, then there exists a directed subgraph G of the n-dimensional hyper-
n
cube with K (G)/2n = n+1 .
Hint: This is where the Hamming code comes in.

1.10 Bibliographic Notes

Coding theory owes its origin to two remarkable papers: one by Shannon [115] and the other
by Hamming [70] both of which were published within a couple of years of each other. Shan-
non’s paper defined the BSCp channel (among others) and defined codes in terms of its encod-
ing function. Shannon’s paper also explicitly defined the decoding function. Hamming’s work
defined the notion of codes as in Definition 1.2.1 as well as the notion of Hamming distance.
Both the Hamming bound and the Hamming code are (not surprisingly) due to Hamming. The
specific definition of Hamming code that we used in this book was the one proposed by Ham-
ming and is also mentioned in Shannon’s paper (even though Shannon’s paper pre-dates Ham-
ming’s).
The notion of erasures was defined by Elias.
One hybrid model to account for the fact that in real life the noise channel is somewhere
in between the extremes of the channels proposed by Hamming and Shannon is the Arbitrary
Varying Channel (the reader is referred to the survey by Lapidoth and Narayan [85]).

41
42
Chapter 2

A Look at Some Nicely Behaved Codes:

Linear Codes

One motivation for the topic of this chapter is the following question: How we can represent
a code? Or more specifically, how many bits does it take to describe a code C : [q]k −→ [q]n ?
In general, a code C : [q]k −→ [q]n can be stored using nq k symbols from [q] (n symbols for
each of the q k codewords) or nq k log q bits. For constant rate codes, this is exponential space,
which is prohibitive even for modest values of k like k = 100. A natural question is whether we
can do better. Intuitively to facilitate a succinct representation the code must have some extra
structure. It turns out that one broad class of codes that do possess extra structure than general
codes, is what are called linear codes. We have already seen binary linear codes in Section 1.5,
that is: C ⊆ {0, 1}n is a linear code if for all c1 , c2 ∈ C , c1 + c2 ∈ C , where the “+" denotes bit-
wise XOR. In this chapter, we will see more general linear codes. We will see that they not only
offer enough structure to get succinct representations, but they also possess several other nice
properties.
To define general linear codes, we first need to introduce general finite fields and vector
spaces over such fields and we do so first before returning to codes.

2.1 Groups and Finite Fields

To define linear subspaces, we will need to work with (finite) fields. At a high level, we need
finite fields since when we talk about codes, we deal with finite symbols/numbers and we want
to endow these symbols with the same math that makes arithmetic over real numbers work.
Finite fields accomplish this precise task. We begin with a quick overview of fields. We start
with the more elementary notion of a group.
Definition 2.1.1. A group G is given by a pair (S, ◦), where S is the set of elements and ◦ is a
function S × S → S with the following properties:
• C LOSURE : For every a, b ∈ S, we have a ◦ b ∈ S.

• A SSOCIATIVITY: ◦ is associative: that is, for every a, b, c ∈ S, a ◦ (b ◦ c) = (a ◦ b) ◦ c.

43
 • I DENTITY: There exists distinct a special elements e ∈ S such that for every a ∈ S we have
a ◦ e = e ◦ a = a.

• I NVERSE : For every a ∈ S, there exists its unique inverse a −1 such that a ◦ a −1 = a −1 ◦ a = e.

If G = (S, ◦) satisfies all the properties except the existence of inverses then G is called a monoid.
We say G is commutative if for every a, b ∈ S, a ◦ b = b ◦ a.

We often use the same letter to denote the group (or other algebraic structures) and the set
of elements.
We now turn to the definition of a field. Informally speaking, a field is a set of elements on
which one can do addition, subtraction, multiplication and division and still stay in the set.

Definition 2.1.2. A field F is given by a triple (S, +, ·), where S is the set of elements and +, · are
functions S × S → S with the following properties:

• Addition: (S, +) form a commutative group with identity element denoted 0 ∈ S.

• Multiplication: (S \ {0}, ·) form a commutative group with identity element 1 ∈ S \ {0}.

• Distributivity: · distributes over +: that is, for every a, b, c ∈ S, a · (b + c) = a · b + a · c.

Again we typically use the same letter to denote the field and its set of elements. We also
use −a to denote the additive inverse of a ∈ F and a −1 to denote the multiplicative inverse of
a ∈ F \ {0}.
With the usual semantics for + and ·, R (set of real number) is a field, but Z (set of integers)
is not a field as division of two integers results in a rational number that need not be an inte-
ger (the set of rational numbers itself is a field though: see Exercise 2.1). In this course, we will
exclusively deal with finite fields. As the name suggests these are fields with a finite set of ele-
ments. (We will overload notation and denote the size of a field |F| = |S|.) The following is a well
known result.

Theorem 2.1.3 (Size of Finite Fields). Every finite field has size p s for some prime p and integer
s ≥ 1. Conversely for every prime p and integer s ≥ 1 there exists a field F of size p s .

One example of a finite field that we have seen is the field with S = {0, 1}, which we will
denote by F2 (we have seen this field in the context of binary linear codes). For F2 , addition
is the XOR operation, while multiplication is the AND operation. The additive inverse of an
element in F2 is the number itself while the multiplicative inverse of 1 is 1 itself.
Let p be a prime number. Then the integers modulo p form a field, denoted by Fp (and also
by Zp ), where the addition and multiplication are carried out modulo p. For example, consider
F7 , where the elements are {0, 1, 2, 3, 4, 5, 6}. We have (4 + 3) mod 7 = 0 and 4 · 4 mod 7 = 2.
Further, the additive inverse of 4 is 3 as (3 + 4) mod 7 = 0 and the multiplicative inverse of 4 is 2
as 4 · 2 mod 7 = 1.
More formally, we prove the following result.

44
Lemma 2.1.4. Let p be a prime. Then Fp = ({0, 1, . . . , p − 1}, +p , ·p ) is a field, where +p and ·p are
addition and multiplication modulo p.

Proof. The properties of associativity, commutativity, distributivity and identities hold for in-
tegers and hence, they hold for Fp . The closure property follows since both the “addition" and
“multiplication" are done modulo p, which implies that for any a, b ∈ {0, . . . , p −1}, a +p b, a ·p b ∈
{0, . . . , p −1}. Thus, to complete the proof, we need to prove the existence of unique additive and
multiplicative inverses.
Fix an arbitrary a ∈ {0, . . . , p − 1}. Then we claim that its additive inverse is p − a mod p. It is
easy to check that a + p − a = 0 mod p. Next we argue that this is the unique additive inverse.
To see this note that the sequence a, a + 1, a + 2, . . . , a + p − 1 are p consecutive numbers and
thus, exactly one of them is a multiple of p, which happens for b = p − a mod p, as desired.
Now fix an a ∈ {1, . . . , p − 1}. Next we argue for the existence of a unique multiplicative uni-
verse a −1 . Consider the set of numbers T = {a ·p b|b ∈ {1, . . . , p − 1}}. We claim that all these
numbers are unique. To see this, note that if this is not the case, then there exist b 1 6= b 2 ∈
{0, 1, . . . , p − 1} such that a · b 1 = a · b 2 mod p, which in turn implies that a · (b 1 − b 2 ) = 0 mod p.
Since a and b 1 −b 2 are non-zero numbers, this implies that p divides a · (b 1 −b 2 ). Further, since
a and |b 1 −b 2 | are both at most p −1, this implies that multiplying a and (b 1 −b 2 ) mod p results
in p, which is a contradiction since p is prime. Thus, we have argued that |T | = p − 1 and since
each number in T is in [p − 1], we have that T = [p − 1]. Thus, we can conclude that there exists
a unique element b such that a · b = 1 mod p and thus, b is the required a −1 .

One might think that there could be different finite fields with the same number of elements.
However, this is not the case:

Theorem 2.1.5. For every prime power q there is a unique finite field with q elements (up to
isomorphism1 ).

Thus, we are justified in just using Fq to denote a finite field on q elements.

2.2 Vector Spaces and Linear Subspaces

Definition 2.2.1 (Vector Space). A vector space V over a field F is given by a triple (T, +, ·) such
that (T, +) form a commutative group and ·, referred to as the scalar product, is a function F×T →
T such that for every a, b ∈ F and u, v ∈ T we have (a +b)·u = a ·u+b ·u and a ·(u+v) = a ·u+ a ·v.

The most common vector space we will focus on is Fn with + representing coordinatewise
addition in F and a · u representing the coordinatewise scaling of u by a.
We are finally ready to define the notion of linear subspaces of Fn .

Definition 2.2.2 (Linear Subspace). A non-empty subset S ⊆ Fn is a linear subspace if the follow-
ing properties hold:
1
An isomorphism φ : S → S ′ is a bijective map (such that F = (S, +, ·) and F′ = (S ′ , ⊕, ◦) are fields) where for every
a 1 , a 2 ∈ S, we have φ(a 1 + a 2 ) = φ(a 1 ) ⊕ φ(a 2 ) and φ(a 1 · a 2 ) = φ(a 1 ) ◦ φ(a 2 ).

45
 1. For every x, y ∈ S, x + y ∈ S, where the addition is vector addition over F (that is, do addition
component wise over F).

2. For every a ∈ F and x ∈ S, a · x ∈ S, where the multiplication is done component-wise over F.

Here is a (trivial) example of a linear subspace of F35 :

S 1 = {(0, 0, 0), (1, 1, 1), (2, 2, 2), (3, 3, 3), (4, 4, 4)}. (2.1)

Note that for example (1, 1, 1) + (3, 3, 3) = (4, 4, 4) ∈ S 1 and 2 · (4, 4, 4) = (3, 3, 3) ∈ S 1 as required
by the definition. Here is another somewhat less trivial example of a linear subspace over F33 :

S 2 = {(0, 0, 0), (1, 0, 1), (2, 0, 2), (0, 1, 1), (0, 2, 2), (1, 1, 2), (1, 2, 0), (2, 1, 0), (2, 2, 1). (2.2)
Note that (1, 0, 1) + (0, 2, 2) = (1, 2, 0) ∈ S 2 and 2 · (2, 0, 2) = (1, 0, 1) ∈ S 2 as required.

Remark 2.2.3. Note that the second property implies that 0 is contained in every linear subspace.
Further for any subspace over F2 , the second property is redundant: see Exercise 2.4.

Before we state some properties of linear subspaces, we state some relevant definitions.

Definition 2.2.4 (Span). Given a set B = {v1 , . . . , vℓ }. The span of B is the set of vectors
( )
Xℓ
a i · vi |a i ∈ Fq for every i ∈ [ℓ] .
i =1

Definition 2.2.5 (Linear (in)dependence of vectors). We say that v1 , v2 , . . . vk are linearly inde-
pendent if for every 1 ≤ i ≤ k and for every (k − 1)-tuple (a 1 , a 2 , . . . , a i −1 , a i +1 , . . . , a k ) ∈ Fk−1
q ,

vi 6= a 1 v1 + . . . + a i −1 vi −1 + a i +1 vi +1 + . . . + a k vk .

In other words, vi is not in the span of the set {v1 , . . . , vi −1 , vi +1 , . . . , vn } for every 1 ≤ i ≤ k. We say
that v1 , v2 , . . . vk are linearly dependent if they are not linearly independent.

For example the vectors (1, 0, 1), (1, 1, 1) ∈ S 2 are linearly independent.

Definition 2.2.6 (Rank of a matrix). The rank of matrix in Fk×k

q is the maximum number of lin-
k×n
early independent rows (or columns). A matrix in Fq with rank min(k, n) is said to have full
rank.

One can define the row (column) rank of a matrix as the maximum number of linearly in-
dependent rows (columns). However, it is a well-known theorem that the row rank of a matrix
is the same as its column rank. For example, the matrix below over F3 has full rank (see Exer-
cise 2.5): µ ¶
1 0 1
G2 = . (2.3)
0 1 1
Any linear subspace satisfies the following properties (the full proof can be found in any
standard linear algebra textbook).

46
Theorem 2.2.7. If S ⊆ Fq n is a linear subspace then

1. |S| = q k for some k ≥ 0. The parameter k is called the dimension of S.

2. There exists at least one set of vectors v1 , ..., vk ∈ S called basis elements such that every x ∈ S
can be expressed as x = a 1 v1 + a 2 v2 + ... + a n vn where a i ∈ Fq for 1 ≤ i ≤ k. In other words,
there exists a full rank k × n matrix G (also known as a generator matrix) with entries from
Fq such that every x ∈ S, x = (a 1 , a 2 , ...a k ) · G where
 
←− v1 −→
 ←− v2 −→ 
 
G = .. .
 . 
←− vk −→

3. There exists a full rank (n − k) × n matrix H (called a parity check matrix) such that for
every x ∈ S, H xT = 0.

4. G and H are orthogonal, that is, G · H T = 0.

Proof Sketch.
Property 1. We begin with the proof of the first property. For the sake of contradiction, let
us assume that q k < |S| < q k+1 , for some k ≥ 0. Iteratively, we will construct a set of linearly
independent vectors B ⊆ S such that |B | ≥ k + 1. Note that by the definition of a linear subspace
the span of B should be contained in S. However, this is a contradiction as the size of the span
of B is at least2 q k+1 > |S|.
To complete the proof, we show how to construct the set B in a greedy fashion. In the first
step pick v1 to be any non-zero vector in S and set B ← {v1 } (we can find such a vector as |S| >
q k ≥ 1). Now say after the step t (for some t ≤ k), |B | = t . Now the size of the span of the current
B is q t ≤ q k < |S|. Thus there exists a vector vt +1 ∈ S \ B that is linearly independent of vectors
in B . Set B ← B ∪ {vt +1 }. Thus, we can continue building B until |B | = k + 1, as desired.

Property 2. We first note that we can pick B = {v1 , . . . , vk } to be any set of k linearly indepen-
dent vectors– this just follows from the argument above for Property 1.1. This is because the
span of B is contained in S. However, since |S| = q k and the span of B has q k vectors, the two
have to be the same.

Property 3. Property 3 above follows from another fact that every linear subspace S has a null
space N ⊆ Fnq such that for every x ∈ S and y ∈ N , 〈x, y〉 = 0. Further, it is known that N itself is
a linear subspace of dimension n − k. (The claim that N is also a linear subspace follows from
the following two facts: for every x, y, z ∈ Fnq , (i) 〈x, y + z〉 = 〈x, y〉 + 〈x, z〉 and (ii) for any a ∈ Fq ,
〈x, ay〉 = a ·〈x, y〉.) In other words, there exists a generator matrix H for it. This matrix H is called
the parity check matrix of S.
2
See Exercise 2.7.

47
Property 4. See Exercise 2.8.

As examples, the linear subspace S 1 in (2.1) has as one of its generator matrices
¡ ¢
G1 = 1 1 1

and as one of its parity check matrices

µ ¶
1 2 2
H1 = .
2 2 1

Further, the linear subspace S 2 in (2.2) has G 2 as one of its generator matrices and has the fol-
lowing as one of its parity check matrices
¡ ¢
H2 = 1 1 2 .

Finally, we state another property of linear subspaces that is useful.

Lemma 2.2.8. Given matrix G of dimension k × n that is a generator matrix of subspace S 1 and
matrix H of dimension (n −k)×n that is a parity check matrix of subspace S 2 such that G H T = 0,
then S 1 = S 2 .

Proof. We first prove that S 1 ⊆ S 2 . Given any c ∈ S 1 , there exists x ∈ Fkq such that c = xG. Then,
¡ ¢T
H · cT = H · (xG)T = HG T xT = G H T xT = 0,

which implies that c ∈ S 2 , as desired.

To complete the proof note that as H has full rank, its null space (or S 2 ) has dimension
n − (n − k) = k (this follows from a well known fact from linear algebra called the rank-nullity
theorem). Now as G has full rank, the dimension of S 1 is also k. Thus, as S 1 ⊆ S 2 , it has to be the
case that S 1 = S 2 .3

2.3 Linear Codes and Basic Properties

We now return to the topic of codes and introduce the central concept for this chapter as well
as much of this text.

Definition 2.3.1 (Linear Codes). Let q be a prime power (i.e. q = p s for some prime p and integer
s ≥ 1). C ⊆ Fq is a linear code if it is a linear subspace of Fnq . If C has dimension k and distance d
then it will be referred to as an [n, k, d ]q or just an [n, k]q code.

Theorem 2.2.7 now gives two alternate characterizations of an [n, k]q linear code C : C is
generated by a k × n generator matrix G. Alternately C is characterized by a (n − k) × n parity
check matrix H . Since these are important concepts for us, we define these formally below
before giving examples and consequences.
3
If not, S 1 ⊂ S 2 which implies that that |S 2 | ≥ |S 1 | + 1. The latter is not possible if both S 1 and S 2 have the same
dimension.

48
Definition 2.3.2 (Generator and Parity Check Matrices). If C is an [n, k]q linear code then there
exists a matrix G ∈ Fk×n
q of rank k satisfying

C = {x · G|x ∈ Fkq }.

G is referred to as a generator matrix of C .

If C is an [n, k]q linear code then there exists a matrix H ∈ F(n−k)×n
q of rank n − k satisfying

C = {y ∈ Fnq |H · yT ∈ Fkq }.

H is referred to as a parity check matrix of C .

Note that we require G and H to have full row rank (i.e., the rows of G are linearly indepen-
dent and the same holds for H ). Sometimes we will consider matrices M ∈ Fm×n q that are not of
full row rank. These can still be used to generate a code C = {{x · G|x ∈ Fmq } though the code C
will not be an [n, m]q code. We will still refer to C as the code generated by M in such a case,
though the phrase “generator matrix” will be reserved for full rank matrices.
Note that neither the generator matrix nor the parity check matrix are unique for a given
code. However their dimensions are. We give examples of these matrices for the case of the
[7, 4, 3]2 Hamming code below.

• The [7, 4, 3]2 Hamming code has the following generator matrix:
 
1 0 0 0 0 1 1
 
 0 1 0 0 1 0 1
G = 
 0 0 1 0 1 1 0
0 0 0 1 1 1 1

• The following matrix is a parity check matrix of the [7, 4, 3]2 Hamming code:
 
0 0 0 1 1 1 1
H =  0 1 1 0 0 1 1
1 0 1 0 1 0 1

Indeed, it can be easily verified that G · H T = 0. Then Lemma 2.2.8 proves that H is indeed
a parity check matrix of the [7, 4, 3]2 Hamming code.

We now look at some consequences of the above characterizations of an [n, k]q linear code
C . We started this chapter with a quest for succinct representation of a code. Note that both the
generator matrix and the parity check matrix can be represented using O(n 2 ) symbols from Fq
(which is much smaller than the exponential representation of a general code). More precisely
we have the following (see also Exercise 2.10):

Proposition 2.3.3. Any [n, k]q linear code can be represented with min(nk, n(n − k)) symbols
from Fq .

49
 There is an encoding algorithm for C that runs in O(n 2 ) (in particular O(kn)) time– given a
message m ∈ Fkq , the corresponding codeword C (m) = m · G, where G is the generator matrix of
C . (See Exercise 2.11.)

Proposition 2.3.4. For any [n, k]q linear code, given its generator matrix, encoding can be done
with O(nk) operations over Fq .

There is an error-detecting algorithm for C that runs in O(n 2 ). This is a big improvement
over the naive brute force exponential time algorithm (that goes through all possible codewords
c ∈ C and checks if y = c). (See Exercise 2.12.)

Proposition 2.3.5. For any [n, k]q linear code, given its parity check matrix, error detection can
be performed in O(n(n − k)) operations over Fq .

Next, we look at some alternate characterizations of the distance of a linear code.

2.3.1 On the Distance of a Linear Code

Linear codes admit a nice characterization of minimum distance in terms of the Hamming
weight of non-zero codewords, which we have seen for the special case of binary linear codes
(Proposition 1.5.4). Recall that we use wt(x) to denote the Hamming weight of a vector x ∈ Σn ,
i.e., the number of non-zero coordinates in x.

Proposition 2.3.6. For every [n, k, d ]q code C , we have

d = min wt(c).
c∈C ,
c6=0

Proof. To show that d is the same as the minimum weight we show that d is no more than the
minimum weight and d is no less than the minimum weight.
First, we show that d is no more than the minimum weight. We can see this by considering
∆(0, c′ ) where c′ is the non-zero codeword in C with minimum weight; its distance from 0 is
equal to its weight. Thus, we have d ≤ w t (c′ ), as desired.
Now, to show that d is no less than the minimum weight, consider c1 6= c2 ∈ C such that
∆(c1 , c2 ) = d . Note that c1 − c2 ∈ C (this is because −c2 = −1 · c2 ∈ C , where −1 is the additive
inverse of 1 in Fq and c1 − c2 = c1 + (−c2 ), which in in C by the definition of linear codes). Now
note that w t (c1 − c2 ) = ∆(c1 , c2 ) = d , since the non-zero symbols in c1 − c2 occur exactly in the
positions where the two codewords differ. Further, since c1 6= c2 , c1 − c2 6= 0, which implies that
the minimum Hamming weight of any non-zero codeword in C is at most d .

Next, we look at another property implied by the parity check matrix of a linear code.

Proposition 2.3.7. For every [n, k, d ]q code C with parity check matrix H , d equals the size of the
smallest subset of columns of H that are linearly dependent.

50
Proof. By Proposition 2.3.6, we need to show that the minimum weight of a non-zero codeword
in C is the minimum number of linearly dependent columns. Let t be the minimum number of
linearly dependent columns in H . To prove the claim we will show that t ≤ d and t ≥ d .
For the first direction, Let c 6= 0 ∈ C be a codeword with w t (c) = d . Now note that, by the
definition of the parity check matrix, H ·cT = 0. Working through the matrix multiplication, this
P
gives us that ni=1 c i H i , where
 
↑ ↑ ↑ ↑
 1 2
H = H H ··· Hi ··· Hn 
↓ ↓ ↓ ↓

and c = (c 1 , . . . , c n ). Note that we can skip multiplication for those columns for which the corre-
sponding bit c i is zero, so for this to be zero, those H i with c i 6= 0 are linearly dependent. This
means that d ≥ t , as the columns corresponding to non-zero entries in c are one instance of
linearly dependent columns.
For the other direction, consider the minimum set of columns from H , H i 1 , H i 2 , . . . , H i t that
are linearly dependent. This implies that there exists non-zero elements c i′ , . . . , c i′ ∈ Fq such
1 t
that c i′ H i 1 + . . . + c i′ H i t = 0. (Note that all the c i′ are non-zero as no set of less than t columns
i t j
are linearly dependent.) Now extend c i′ , . . . , c i′ to the vector c′ such that c ′j = 0 for j 6∈ {i 1 , . . . , i t }.
1 t
¡ ′ ¢T
Note that we have H · c = 0 and thus, we have c′ ∈ C . This in turn implies that d ≤ w t (c′ ) = t
(where recall t is the minimum number of linearly independent columns in H ).

2.4 Hamming Codes

We now change gears and look at the general family of linear codes, which were discovered by
Hamming. So far we have seen the [7, 4, 3]2 Hamming code (in Section 1.5). In fact, for any r ≥ 2
there is a [2r − 1, 2r − r − 1, 3]2 Hamming code. Thus in Section 1.5, we have seen this code for
r = 3.
r
Definition 2.4.1 (Binary Hamming Codes). For positive integer r , define the matrix Hr ∈ F2r ×(2 −1)
to be the r ×(2r −1) matrix whose i th column Hir is the binary representation of i , for 1 ≤ i ≤ 2r −1.
(Note that such a representation is a vector in {0, 1}r .)
The [2r − 1, 2r − r − 1]2 Hamming code, denoted by C H ,r , is the code with parity check matrix
Hr .

In other words, the general [2r − 1, 2r − r − 1]2 Hamming code is the code
r
{c ∈ {0, 1}2 −1
|Hr · cT = 0}.

For example, for the case we have seen (r = 3),

 
0 0 0 1 1 1 1

H3 = 0 1 1 0 0 1 1 ,
1 0 1 0 1 0 1

51
and the resulting code was a [7, 4, 3]2 code.
Next we argue that the above Hamming code has distance 3 (in Proposition 1.5.2, we argued
this for r = 3).

Proposition 2.4.2. The Hamming code [2r − 1, 2r − r − 1, 3]2 has distance 3.

j
Proof. No two columns in Hr are linearly dependent. If they were, we would have Hir + Hr =
0, but this is impossible since they differ in at least one bit (being binary representations of
integers, i 6= j ). Thus, by Proposition 2.3.7, the distance is at least 3. It is at most 3, since (e.g.)
H1r + H2r + H3r = 0.

Now note that under the Hamming bound for d = 3 (Theorem 1.6.2), k ≤ n − log2 (n + 1), so
for n = 2r − 1, k ≤ 2r − r − 1. Hence, the Hamming code is a perfect code. (See Definition 1.7.3.)
In Question 1.7.1, we asked which codes are perfect codes. Interestingly, the only perfect
binary codes are the following:

• The Hamming codes which we just studied.

• The trivial [n, 1, n]2 codes for odd n (which have 0n and 1n as the only codewords): see
Exercise 2.22.

• Two codes due to Golay [50].

2.5 Efficient Decoding of Hamming codes

We have shown that the Hamming code has a distance of 3 and thus, by Proposition 1.4.2, can
correct one error. However, this is a combinatorial result and does not give us an efficient al-
gorithm. One obvious candidate for decoding is the MLD function. Unfortunately, the only
implementation of MLD that we know is the one in Algorithm 2, which will take time 2Θ(n) ,
where n is the block length of the Hamming code. However, we can do much better. Consider
the following simple algorithm: given the received word y, first check if it is indeed a valid code-
word. If it is, we are done. Otherwise, flip each of the n bits and check if the resulting vector is
a valid codeword. If so, we have successfully decoded from one error. (If none of the checks are
successful, then we declare a decoding failure.) Algorithm 3 formally presents this algorithm
(where C H ,r is the [2r − 1, 2r − r − 1, 3]2 Hamming code).4
It is easy to check that Algorithm 3 can correct up to 1 error. If each of the checks y′ ∈ C H ,r
can be done in T (n) time, then the time complexity of the proposed algorithm will be O(nT (n)).
Note that since C H ,r is a linear code (and dimension k = n − O(log n)) by Proposition 2.3.5, we
have T (n) = O(n log n). Thus, the proposed algorithm has running time O(n 2 log n).
Note that Algorithm 3 can be generalized to work for any linear code C with distance 2t +
1 (and hence, can correct up to t errors): go through all possible error vectors z ∈ [q]n (with
4
Formally speaking, a decoding algorithm should return the transmitted message x but Algorithm 3 actually
returns C H ,r (x). However, since C H ,r is a linear code, it is not too hard to see that one can obtain x from C H ,r (x) in
O(n 3 ) time: see Exercise 2.23. Further, for C H ,r one can do this in O(n) time: see Exercise 2.24.

52
Algorithm 3 Naive Decoder for Hamming Code
I NPUT: Received word y
O UTPUT: c if ∆(y, c) ≤ 1 else Fail

1: IF y ∈ C H ,r THEN
2: RETURN y
3: FOR i = 1 . . . n DO
4: y′ ← y + ei ⊲ ei is the i th standard basis vector
5: IF y′ ∈ C H ,r THEN
6: RETURN y′
7: RETURN Fail

w t (z) ≤ t ) and check if y − z is in the code or not. Algorithm 4 presents the formal algorithm
(where C is an [n, k, 2t + 1]q code).

Algorithm 4 Decoder for Any Linear Code

I NPUT: Received word y
O UTPUT: c ∈ C if ∆(y, c) ≤ t else Fail

1: FOR i = 0 . . . t DO
2: FOR S ⊆ [n] such that |S| = i DO
3: FOR z ∈ Fnq such that w t (zS ) = w t (z) = i DO
4: IF y − z ∈ C THEN
5: RETURN y − z
6: RETURN Fail
P ¡ ¢
The number of error patterns z considered by Algorithm 4 is5 it =0 ni (q − 1)i ≤ O((nq)t ).
Further by Proposition 2.3.5, Step 4 can be performed with O(n 2 ) operations over Fq . Thus, Al-
gorithm 4 runs with O(n t +2 q t ) operations over Fq , which for q being a small polynomial in n,
is n O(t ) operations. In other words, the algorithm will have polynomial running time for codes
with constant distance (though the running time would not be practical even for moderate val-
ues of t ).
However, it turns out that for Hamming codes there exists a decoding algorithm with an
O(n 2 ) running time. To see this, first note that if the received word y has no errors, then Hr ·yT =
0. If not, then y = c + ei , where c ∈ C and ei is the unit vector with the only nonzero element at
the i -th position. Thus, if Hir stands for the i -th column of Hr ,

Hr · yT = Hr · cT + Hr · (ei )T = Hr · (ei )T = Hir ,

where the second equality follows as Hr · cT = 0, which in turn follows from the fact that c ∈ C .
In other words, Hr · yT gives the location of the error. This leads to Algorithm 5.
5
Recall (1.15).

53
Algorithm 5 Efficient Decoder for Hamming Code
I NPUT: Received word y
O UTPUT: c if ∆(y, c) ≤ 1 else Fail

1: b ← Hr · yT .
2: Let i ∈ [n] be the number whose binary representation is b
3: IF y − ei ∈ C H THEN
4: RETURN y − ei
5: RETURN Fail

Note that Hr is an r × n matrix where n = 2r − 1 and thus, r = Θ(log n). This implies Step 1 in
Algorithm 5, which is a matrix vector multiplication can be done in time O(n log n). By a similar
argument and by Proposition 2.3.5 Step 3 can be performed in O(n log n) time, and therefore
Algorithm 5 overall runs in O(n log n) time. Thus,

Theorem 2.5.1. The [n = 2r −1, 2r −r −1, 3]2 Hamming code is 1-error correctable. Furthermore,
decoding can be performed in time O(n log n).

2.6 Dual of a Linear Code

Until now, we have thought of parity check matrix as defining a code via its null space. However,
we are not beholden to think of the parity check matrix in this way. A natural alternative is to use
the parity check matrix as a generator matrix. The following definition addresses this question.

Definition 2.6.1 (Dual of a code). Let H be a parity check matrix of a code C , then the code
generated by H is called the dual of C . The dual of a code C is denoted by C ⊥ .

It is obvious from the definition that if C is an [n, k]q code, then C ⊥ is an [n, n −k]q code. Ap-
plying duality to the Hamming codes and a close relative, we get two families of codes described
below.

Definition 2.6.2 (Simplex and Hadamard Codes). For positive integer r the Simplex Code C Si m,r
⊥
is the code generated by Hr . (Equivalently C Si m,r = C H ,r .) For positive integer r the Hadamard
Code C H ad ,r is the [2r , r ]2 code generated by the r × 2r matrix Hr′ obtained by adding the all zero
column to Hr .

We claim that C Si m,r and C H ad ,r are [2r − 1, r, 2r −1 ]2 and [2r , r, 2r −1 ]2 codes respectively. The
claimed block length and dimension follow from the definition of the codes, while the distance
follows from the following result.

Proposition 2.6.3. C Si m,r and C H ad ,r both have distances of 2r −1 .

54
Proof. We first show the result for C H ad ,r . In fact, we will show something stronger: every non-
zero codeword in C H ad ,r has weight exactly equal to 2r −1 (the claimed distance follows from
Proposition 2.3.6). Consider a message x 6= 0. Let its i th entry be x i = 1. x is encoded as
r
c = (x 1 , x 2 , . . . , x r )(Hr0 , Hr1 , . . . , Hr2 −1
),
j
where Hr is the binary representation of 0 ≤ j ≤ 2r − 1 (that is, it contains all the vectors in
j
{0, 1}r ). Further note that the j th bit of the codeword c is 〈x, Hr 〉. Group all the columns of the
generator matrix into pairs (u, v) such that v = u + ei (i.e. v and u are the same except in the i th
position). Notice that this partitions all the columns into 2r −1 disjoint pairs. Then,
〈x, v〉 = 〈x, u + ei 〉 = 〈x, u〉 + 〈x, ei 〉 = 〈x, u〉 + x i = 〈x, u〉 + 1.
Thus we have that exactly one of 〈x, v〉 and 〈x, u〉 is 1. As the choice of the pair (u, v) was arbitrary,
we have proved that for any non-zero codeword c such that c ∈ C H ad , w t (c) = 2r −1 .
For the simplex code, we observe that all codewords of C H ad ,3 are obtained by padding a 0 to
the beginning of the codewords in C Si m,r , which implies that all non-zero codewords in C Si m,r
also have a weight of 2r −1 , which completes the proof.
We remark that the family of Hamming code has a rate of 1 and a (relative) distance of 0
while the families of Simplex/Hadamard codes have a rate of 0 and a relative distance of 1/2.
Thus neither gives a positive answer to Question 1.8.2 and so the quest for an asymptotically
good code remains ongoing for now (and we will get to these in future chapters).

2.7 Exercises
Exercise 2.1. Prove that the set of rationals (i.e. the set of reals of the form ba , where both a and
b 6= 0 are integers), denoted by Q, is a field.
Exercise 2.2. Let q be a prime power. Let x ∈ Fq such that x 6∈ {0, 1}. Then prove that for any
n ≤ q − 1:
X n x n+1 − 1
xi = .
i =0 x −1
Exercise 2.3. The main aim of this exercise is to prove the following identity that is true for any
α ∈ Fq :
αq = α (2.4)
To make progress towards the above we will prove a sequence of properties of groups. A group G
is a pair (S, ◦) where the operator ◦ : G ×G → G such that ◦ is commutative6 and the elements of S
are closed under ◦. Further, there is a special element ι ∈ S that is the identity element and every
element a ∈ S has an inverse element b ∈ S such that a ◦ b = ι. Note that a finite field Fq consists
of an additive group with the + operator (and 0 as additive identity) and a multiplicative group
on the non-zero elements of Fq (which is also denoted by F∗q ) with the · operator (and 1 as the
multiplicative identity).7
6
Technically, G is an abelian group.
7
Recall Definition 2.1.2.

55
 For the rest of the problem let G = (S, ·) be a multiplicative group with |G| = m. Prove the
following statements.

1. For any β ∈ G, let o(β) be the smallest integer o such that βo = 1. Prove that such an o ≤ m
always exists. Further, argue that T = {1, β, . . . , βo−1 } also forms a group. (T, ·) is called a
sub-group of G and o(β) is called the order of β.

2. For any g ∈ G, define the coset (w.r.t. T ) as

g T = {g · β|β ∈ T }.

Prove that if h −1 · g ∈ T then g T = hT and g T ∩hT = ; otherwise. Further argue that these
cosets partition the group G into disjoint sets.

3. Argue that for any g ∈ G, we have |g T | = |T |.

4. Using the above results or otherwise, argue that for any β ∈ G, we have

βm = 1.

5. Prove (2.4).

Exercise 2.4. Prove that for q = 2, the second condition in Definition 2.2.2 is implied by the first
condition.

Exercise 2.5. Prove that G 2 from (2.3) has full rank.

Exercise 2.6. In this problem we will look at the problem of solving a system of linear equations
over Fq . That is, one needs to solve for unknowns x 1 , . . . , x n given the following m linear equations
(where a i , j , b i ∈ Fq for 1 ≤ i ≤ m and 1 ≤ j ≤ n):

a 1,1 x 1 + a 1,2 x 2 + · · · + a 1,n x n = b 1 .

a 2,1 x 1 + a 2,2 x 2 + · · · + a 2,n x n = b 2 .

..
.
a m,1 x 1 + a m,2 x 2 + · · · + a m,n x n = b m .

1. (Warm-up) Convince yourself that the above problem can be stated as A · xT = bT , where A
is an m × n matrix over Fq , x ∈ Fnq and b ∈ Fm
q .

2. (Upper Triangular Matrix) Assume n = m and that A is upper triangular, i.e. all diagonal
elements (a i ,i ) are non-zero and all lower triangular elements (a i , j , i > j ) are 0. Then
present an O(n 2 ) time8 algorithm to compute the unknown vector x.
8
For this problem, any basic operation over Fq takes unit time.

56
 3. (Gaussian Elimination) Assume that A has full rank (or equivalently a rank of n.)

(a) Prove that the following algorithm due to Gauss converts A into an upper triangular
matrix. By permuting the columns if necessary make sure that a 1,1 6= 0. (Why can one
a
assume w.l.o.g. that this can be done?) Multiply all rows 1 < i ≤ n with a1,1 and then
i ,1
subtract a 1, j from the (i , j )th entry 1 ≤ j ≤ n. Recurse with the same algorithm on the
(n −1)×(n −1) matrix A ′ obtained by removing the first row and column from A. (Stop
when n = 1.)
(b) What happens if A does not have full rank? Show how one can modify the algorithm
above to either upper triangulate a matrix or report that it does not have full rank.
(Convince yourself that your modification works.)
(c) Call a system of equations A · xT = bT consistent if there exists a solution to x ∈ Fnq .
Show that there exists an O(n 3 ) algorithm that finds the solution if the system of equa-
tions is consistent and A has full rank (and report “fail" otherwise).

4. (m < n case) Assume that A has full rank, i.e. has a rank of m. In this scenario either the
system of equations is inconsistent or there are q n−m solutions to x. Modify the algorithm
from above to design an O(m 2 n) time algorithm to output the solutions (or report that the
system is inconsistent).

• Note that in case the system is consistent there will be q n−m solutions, which might be
much bigger than O(m 2 n). Show that this is not a problem as one can represent the
solutions as system of linear equations. (I.e. one can have n − m “free" variables and
m “bound" variables.)

5. (m > n case) Assume that A has full rank, i.e. a rank of n. In this scenario either the system
of equations is inconsistent or there is a unique solution to x. Modify the algorithm from
above to design an O(m 2 n) time algorithm to output the solution (or report that the system
is inconsistent).

6. (Non-full rank case) Give an O(m 2 n) algorithm for the general case, i.e. the m × n matrix
A need not have full rank. (The algorithm should either report that the system of equations
is inconsistent or output the solution(s) to x.)

Exercise 2.7. Prove that the span of k linearly independent vectors over Fq has size exactly q k .

Exercise 2.8. Let G and H be a generator and parity check matrix of the same linear code of
dimension k and block length n. Then G · H T = 0.

Exercise 2.9. Let C be an [n, k]q linear code with a generator matrix with no all zeros columns.
Then for every position i ∈ [n] and α ∈ Fq , the number of codewords c ∈ C such that c i = α is
exactly q k−1 .

Exercise 2.10. Prove Proposition 2.3.3.

57
Exercise 2.11. Prove Proposition 2.3.4.

Exercise 2.12. Prove Proposition 2.3.5.

Exercise 2.13. A set of vector S ⊆ Fnq is called t -wise independent if for every set of positions I with
|I | = t , the set S projected to I has each of the vectors in Ftq appear the same number of times. (In
other words, if one picks a vector (s 1 , . . . , s n ) from S at random then any of the t random variables
are uniformly and independently random over Fq ).
Prove that any linear code C whose dual C ⊥ has distance d ⊥ is (d ⊥ − 1)-wise independent.

Exercise 2.14. A set of vectors S ⊆ Fk2 is called ε-biased sample space if the following property
holds. Pick a vector X = (x 1 , . . . , x k ) uniformly at random from S. Then X has bias at most ε, that
is, for every I ⊆ [k],
¯ Ã ! Ã !¯
¯ X X ¯
¯ ¯
¯Pr x i = 0 − Pr x i = 1 ¯ ≤ ε.
¯ i ∈I i ∈I
¯

We will look at some connections of such sets to codes.

be an¢ [n,¡k]2 ¢code

1. Let C £¡ ¤ such that all non-zero codewords have Hamming weight in the
range 1−ε2
n, 1+ε
2
n . Then there exists an ε-biased space of size n.

£¡ 1an [n,
2. Let C be ¢ k]
¡ 12 code
¢ such
¤ that all non-zero codewords have Hamming weight in the
range 2 − γ n, 2 + γ n for some constant 0 < γ < 1/2. Then there exists an ε-biased
−1
space of size n O(γ ·log(1/ε))
.

Exercise 2.15. Let C be an [n, k, d ]q code. Let y = (y 1 , . . . , y n ) ∈ (Fq ∪{?})n be a received word9 such
that y i =? for at most d − 1 values of i . Present an O(n 3 ) time algorithm that outputs a codeword
c = (c 1 , . . . , c n ) ∈ C that agrees with y in all un-erased positions (i.e., c i = y i if y i 6=?) or states that
no such c exists. (Recall that if such a c exists then it is unique.)

Exercise 2.16. In the chapter, we did not talk about how to obtain the parity check matrix of a
linear code from its generator matrix. In this problem, we will look at this “conversion" procedure.

(a) Prove that any generator matrix G of an [n, k]q code C (recall that G is a k × n matrix) can
be converted into another equivalent generator matrix of the form G′ = [Ik |A], where Ik is
the k × k identity matrix and A is some k × (n − k) matrix. By “equivalent," we mean that
the code generated by G′ has a linear bijective map to C .
Note that the code generated by G′ has the message symbols as its first k symbols in the cor-
responding codeword. Such codes are called systematic codes. In other words, every linear
code can be converted into a systematic code. Systematic codes are popular in practice as
they allow for immediate access to the message symbols.
9
A ? denotes an erasure.

58
 (b) Given an k × n generator matrix of the form [Ik |A], give a corresponding (n − k) × n parity
check matrix. Briefly justify why your construction of the parity check matrix is correct.

Hint: Try to think of a parity check matrix that can be decomposed into two submatrices: one will be closely
related to A and the other will be an identity matrix, though the latter might not be a k × k matrix).

(c) Use part (b) to present a generator matrix for the [2r − 1, 2r − r − 1, 3]2 Hamming code.

Exercise 2.17. So far in this book we have seen that one can modify one code to get another code
with interesting properties (for example, the construction of the Hadamard code from the Simplex
code from Section 2.6 and Exercise 1.7). In this problem you will need to come up with more ways
of constructing new codes from existing ones.
Prove the following statements (recall that the notation (n, k, d )q code is used for general codes
with q k codewords where k need not be an integer, whereas the notation [n, k, d ]q code stands for
a linear code of dimension k):

1. If there exists an (n, k, d )2m code, then there also exists an (nm, km, d ′ ≥ d )2 code.

2. If there exists an [n, k, d ]2m code, then there also exists an [nm, km, d ′ ≥ d ]2 code.

3. If there exists an [n, k, d ]q code, then there also exists an [n − d , k − 1, d ′ ≥ ⌈d /q⌉]q code.

m
¡ an [n, k,mδn]
4. ¡If there exists ¢ qmcode,
¢ then for every m ≥ 1, there also exists an
n , k/m, 1 − (1 − δ) · n q m code.

5. If
£ there
m
¡ an [n, k,m
exists
1
δn] ¤ then for every odd m ≥ 1, there also exists an
¢ 2 code,
m
n , k, 2 · 1 − (1 − 2δ) · n 2 code.

Note: In all the parts, the only things that you can assume about the original code are only the
parameters given by its definition– nothing else!

Exercise 2.18. Let C 1 be an [n, k 1 , d 1 ]q code and C 2 be an [n, k 2 , d 2 ]q code. Then define a new
code as follows:
C 1 ⊖C 2 = {(c1 , c1 + c2 )|c1 ∈ C 1 , c2 ∈ C 2 }.
Next we will prove interesting properties of this operations on codes:

1. If G i is the generator matrix for C i for i ∈ [2], what is a generator matrix for C 1 ⊖C 2 ?
def
2. Argue that C 1 ⊖C 2 is an [2n, k 1 + k 2 , d = min(2d 1 , d 2 )]q code.

3. Assume there exists algorithms Ai for code C i for i ∈ [2] such that: (i) A1 can decode from
e errors and s erasures such that 2e + s < d 1 and (ii) A2 can decode from ⌊(d 2 − 1)/2⌋ errors.
Then argue that one can correct ⌊(d − 1)/2⌋ errors for C 1 ⊖C 2 .
Hint: Given a received word (y1 , y2 ) ∈ Fnq × Fnq , first apply A2 on y2 − y1 . Then create an intermediate received
word for A1 .

59
 4. We will now consider a recursive construction of a binary linear code that uses the ⊖ oper-
ator. For integers 0 ≤ r ≤ m, we define the code C (r, m) as follows:

• C (r, r ) = Fr2 and C (0, r ) is the code with only two codewords: the all ones and all zeroes
vector in Fr2 .
• For 1 < r < m, C (r, m) = C (r, m − 1) ⊖C (r − 1, m − 1).

Determine the parameters of the code C (r, m).

Exercise 2.19. Let C 1 be an [n 1 , k 1 , d 1 ]2 binary linear code, and C 2 an [n 2 , k 2 , d 2 ] binary linear

n ×n
code. Let C ⊆ F2 1 2 be the subset of n 2 ×n 1 matrices whose rows belong to C 1 and whose columns
belong to C 2 . C is called the tensor of C 1 and C 2 and is denoted by C 1 ⊗C 2 .
Prove that C is an [n 1 n 2 , k 1 k 2 , d 1 d 2 ]2 binary linear code.
Further, if G1 and G2 are generator matrices of C 1 and C 2 , construct a genertor matrix of
C 1 ⊗ C 2 from G1 and G2 . In particular, argue that given G1 and G2 , a generator matrix of C 1 ⊗ C 2
can be computed in polynomimal time.
Hint: For the latter problem, it might be useful to think of the codewords and messages as vectors instead of matrices.

Exercise 2.20. In Section 2.4 we considered the binary Hamming code. In this problem we will
consider the more general q-ary Hamming code. In particular, let q be a prime power and r ≥ 1
be an integer. Define the following r × n matrix H q,r , where each column is an non-zero vector
from Frq such that the first non-zero entry is 1. For example,
µ ¶
0 1 1 1
H3,2 =
1 0 1 2

In this problem we will derive the parameters of the code. Define the generalized Hamming code
C H ,r,q to be the linear code whose parity check matrix is H q,r . Argue that
q r −1
1. The block length of C H ,r,q is n = q−1 .

2. C H ,q,r has dimension n − r .

3. C H ,q,r has distance 3.

Exercise 2.21. Design the best 6-ary code (family) with distance 3 that you can.

Hint: Start with a 7-ary Hamming code.

Exercise 2.22. Prove that the [n, 1, n]2 code for odd n (i.e. the code with the all zeros and all ones
vector as it only two codewords) attains the Hamming bound (Theorem 1.7.2).

Exercise 2.23. Let C be an [n, k]q code with generator matrix G. Then given a codeword c ∈ C
one can compute the corresponding message in time O(kn 2 ).

Exercise 2.24. Given a c ∈ C H ,r , one can compute the corresponding message in time O(n).

60
Exercise 2.25. Let C be an (n, k)q code. Prove that if C can be decoded from e errors in time T (n),
then it can be decoded from n + c errors in time O((nq)c · T (n)).

Exercise 2.26. Show that the bound of kd of the number of ones in the generator matrix of any
binary linear code (see Exercise 1.14) cannot be improved for every code.
¡ ¢⊥
Exercise 2.27. Let C be a linear code. Then prove that C ⊥ = C .

Exercise 2.28. Note that for any linear code C , the codewords 0 is in both C and C ⊥ . Show that
there exists a linear code C such that it shares a non-zero codeword with C ⊥ .

Exercise 2.29. We go into a bit of diversion and look at how finite fields are different from infinite
fields (e.g. R). Most of the properties of linear subspaces that we have used for linear codes (e.g.
notion of dimension, the existence of generator and parity check matrices, notion of duals) also
hold for linear subspaces over R.10 One trivial property that holds for linear subspaces over finite
fields that does not hold over R is that linear subspaces over Fq with dimension k has size q k
(though this is a trivial consequence that F q are finite field while R is an infinite field). Next, we
consider a more subtle distinction.
Let S ⊆ Rn be a linear subspace over R and let S ⊥ is the dual of S. Then show that

S ∩ S ⊥ = {0} .

By contrast, linear subspaces over finite fields can have non-trivial intersection with their duals
(see e.g. Exercise 2.28).

Exercise 2.30. A linear code C is called self-orthogonal if C ⊆ C ⊥ . Show that

1. The binary repetition code with even number of repetitions is self-orthogonal.

2. The Hadamard code C H ad ,r is self-orthogonal.

Exercise 2.31. A linear code C is called self dual if C = C ⊥ . Show that for

1. Any self dual code has dimension n/2.

2. Prove that the following code is self-dual

{(x, x)|x ∈ Fk2 }.

Exercise 2.32. Given a code C a puncturing of C is another code C ′ where the same set of positions
are dropped in all codewords of C . More precisely, if C ⊆ Σn and the set of punctured positions is
P ⊆ [n], then the punctured code is {(c i )i 6∈P |(c 1 , . . . , c n ) ∈ C }.
Prove that a linear code with no repetitions (i.e. there are no two positions i 6= j such that for
every codeword c ∈ C , c i = c i ) is a puncturing of the Hadamard code. Hence, Hadamard code is
the “longest" linear code that does not repeat.
10
A linear subspace S ⊆ Rn is the same as in Definition 2.2.2 where all occurrences of the finite field Fq is replaced
by R.

61
Exercise 2.33. In this problem we will consider the long code. For the definition, we will use
the functional way of looking at the ambient space as mentioned in Remark 1.2.2. A long code
of dimension k is a binary code such that the codeword corresponding to x = Fk2 , is the function
k k
f : {0, 1}2 → {0, 1} defined as follows. For any m ∈ {0, 1}F2 , we have f ((m α )α∈Fk ) = m x . Derive the
2
parameters of the long code.
Finally, argue that the long code is the code with the longest block length such that the code-
words do not have a repeated coordinate (i.e. there does not exists i 6= j such that for every code-
word c, c i = c j ). (Contrast this with the property of Hadamard code above.)

2.8 Bibliographic Notes

Finite fields are also called Galois fields (another common notation for Fq is GF (q)), named
after Évariste Galois, whose worked laid the foundations of their theory. (Galois led an extremely
short and interesting life, which ended in death from a duel.) For a more thorough treatment
refer to any standard text on algebra or the book on finite fields by Lidl and Niederreiter [88].
The answer to Question 1.7.1 was proved by van Lint [131] and Tietavainen [130].

62
Chapter 3

Probability as Fancy Counting and the q-ary

Entropy Function

In the chapters to come we will explore questions of the form: “Given n, k, d and q does an
(n, k, d )q code exist?” To answer such questions we will apply the “probabilistic method” — the
method that demonstrates the existence of an object with a given property by showing that a
randomly chosen object has the property with positive probability. To elaborate on this sen-
tence we need to introduce the basic language and tools of probability theory which we do in
Section 3.1.
We then introduce the probabilistic method in Section 3.2. We even apply the method to
answer a very simple question:

Question 3.0.1. Does there exist a [2, 2, 1]2 code?

We note that the answer to the above question is trivially yes: just pick the generator matrix
to be the 2 × 2 identity matrix. But our proof will have the advantage of generalizing to broader
settings, though we save the generalizations for later chapters.
Finally in Section 3.3 we introduce the “entropy function” which turns out to be central in
the understanding of limits of codes (both existence and non-existence).

3.1 A Crash Course on Probability

In this section we review basic concepts in probability theory, specialized to the needs of this
book. Specifically we introduce distributions, events and random variables, and give some tools
to analyze them.
In this book, we will only consider probability distributions defined over finite spaces. In
particular, given a finite domain D, a probability distribution is defined as a function
X
p : D → [0, 1] such that p(x) = 1,
x∈D

63
 G U (G) V00 V01 V10 V11 G U (G) V00 V01 V10 V11
µ ¶ µ ¶
0 0 1 1 0 1
16
0 0 0 0 16
0 0 1 1
0 0 0 0
µ ¶ µ ¶
0 0 1 1 0 1
16 0 1 0 1 16 0 1 1 2
0 1 0 1
µ ¶ µ ¶
0 0 1 1 0 1
16 0 1 0 1 16 0 1 1 0
1 0 1 0
µ ¶ µ ¶
0 0 1 1 0 1
16 0 2 0 2 16 0 2 1 1
1 1 1 1
µ ¶ µ ¶
0 1 1 1 1 1
16 0 0 1 1 16 0 0 2 2
0 0 0 0
µ ¶ µ ¶
0 1 1 1 1 1
16
0 1 1 0 16
0 1 2 1
0 1 0 1
µ ¶ µ ¶
0 1 1 1 1 1
16 0 1 1 2 16 0 1 2 1
1 0 1 0
µ ¶ µ ¶
0 1 1 1 1 1
16 0 2 1 1 16 0 2 2 0
1 1 1 1

Table 3.1: Uniform distribution over F22×2 along with values of four random variables.

where [0, 1] is shorthand for the interval of all real numbers between 0 and 1.
An event E is a predicate over the domain D, i.e. it maps every element of D to “true” or “false”.
Equivalently an event is a subset of the domain D, i.e., those elements that are mapped to true.
We switch between “logical” or ”set-theoretic” notation to denote combinations of events. So
the disjunction of events E1 and E2 may be denoted E1 ∨ E2 or E1 ∪ E2 . Similarly the conjunction
of E1 and E2 may be denoted E1 ∧ E2 or E1 ∩ E2 ; and the negation of E1 may be denote ¬E1 or E1 .
In this book, we will primarily deal with the following special distribution:

Definition 3.1.1 (Uniform Distribution). The uniform distribution over D, denoted by U D , is

given by
1
U D (x) = for every x ∈ D.
|D|
Typically we will drop the subscript when the domain D is clear from the context.

For example, consider the domain D = F22×2 , i.e. the set of all 2 × 2 matrices over F2 . (Note
that each such matrix is a generator matrix of some [2, 2]2 code.) The first two columns of Ta-
ble 3.1 list the elements of this D along with the corresponding probabilities for the uniform
distribution.
Typically, we will be interested in a real-valued function defined on D and how it behaves
under a probability distribution defined over D. This is captured by the notion of a random
variable1 :
1
We note that the literature on probability theory allows for more general random variables, but for our purposes
we restrict only to real-valued ones.

64
Definition 3.1.2 (Random Variable). Let D be a finite domain and I ⊂ R be a finite2 subset. Let p
be a probability distribution defined over D. A random variable is a function:

V : D → I.

The expectation of V is defined as

X
E[V ] = p(x) · V (x).
x∈D
¡ ¢
For example, given (i , j ) ∈ {0, 1}2 , let Vi j denote the random variable Vi j (G) = w t (i , j ) · G ,
for any G ∈ F22×2 . The last four columns of Table 3.1 list the values of these four random variables.
Of particular interest in this book will be binary random variables, i.e., with I = {0, 1}. In
particular, given an event E over D, we will define its indicator variable to be a function 1E : D →
{0, 1} such that for any x ∈ D: (
1 if x ∈ E
1E (x) =
0 otherwise.
For example, µµ ¶¶ µµ ¶¶
0 1 0 1
1V01 =0 = 1 and 1V01 =0 = 0.
0 0 1 1
In most cases we will shorten this notation to 1E (x) or simply 1E . Finally, sometimes we will
abuse notation and use E instead of 1E .
As a further use of indicator variables, consider the expectations of the four indicator vari-
ables:
£ ¤ 1
E 1V00 =0 = 16 · = 1.
16
£ ¤ 1 1
E 1V01 =0 = 4 · = . (3.1)
16 4
£ ¤ 1 1
E 1V10 =0 = 4 · = . (3.2)
16 4
£ ¤ 1 1
E 1V11 =0 = 4 · = . (3.3)
16 4

3.1.1 Some Useful Results

Before we proceed, we record a simple property of indicator variables that will be useful. (See
Exercise 3.1.)

Lemma 3.1.3. Let E be any event. Then

E [1E ] = Pr [E is true] .

Next, we state a simple yet useful property of expectation of a sum of random variables:
2
In general, I need not be finite. However, for this book this definition suffices.

65
Proposition 3.1.4 (Linearity of Expectation). Given random variables V1 , . . . ,Vm defined over the
same domain D and with the same probability distribution p, we have
" #
m
X Xm
E Vi = E [Vi ] .
i =1 i =1

Proof. For notational convenience, define V = V1 + · · · + Vm . Thus, we have

X
E[V ] = V (x) · p(x) (3.4)
x∈D
à !
X Xm
= Vi (x) · p(x) (3.5)
x∈D i =1
Xm X
= Vi (x) · p(x) (3.6)
i =1 x∈D
Xm
= E[Vi ]. (3.7)
i =1

In the equalities above, (3.4) and (3.7) follow from the definition of expectation of a random
variable. (3.5) follows from the definition of V and (3.6) follows by switching the order of the
two summations.

As an example, we have
£ ¤ 3
E 1V01 =0 + 1V10 =0 + 1V11 =0 = (3.8)
4
Frequently, we will need to deal with the probability of the union of events. We will use the
following result to upper bound such probabilities:
Proposition 3.1.5 (Union Bound). Given m binary random variables A 1 , . . . , A m , we have
"Ã ! #
m
_ m
X
Pr Ai = 1 ≤ Pr [A i = 1] .
i =1 i =1

Proof. For every i ∈ [m], define

S i = {x ∈ D|A i (x) = 1}.
Then we have
"Ã ! #
m
_ X
Pr Ai = 1 = p(x) (3.9)
i =1 x∈∪m S
i =1 i
m X
X
≤ p(x) (3.10)
i =1 x∈S i
Xm
= Pr[A i = 1]. (3.11)
i =1

In the above, (3.9) and (3.11) follow from the definition of S i . (3.10) follows from the fact that
some of the x ∈ ∪i S i get counted more than once.

66
 We remark that the union bound is tight when the events are disjoint. (In other words, using
the notation in the proof above, when S i ∩ S j = ; for every i 6= j .)
As an example, let A 1 = 1V01 =0 , A 2 = 1V10 =0 and A 3 = 1V11 =0 . Note that in this case the event
A 1 ∨ A 2 ∨ A 3 is the same as the event that there exists a non-zero m ∈ {0, 1}2 such that w t (m·G) =
0. Thus, the union bound implies (that under the uniform distribution over F22×2 )
£ ¤ 3
Pr There exists an m ∈ {0, 1}2 \ {(0, 0)}, such that w t (mG) = 0 ≤ . (3.12)
4
Finally, we present two bounds on the probability of a random variable deviating signifi-
cantly from its expectation. The first bound holds for any random variable:
Lemma 3.1.6 (Markov Bound). Let V be a non-zero random variable. Then for any t > 0,
E[V ]
Pr[V ≥ t ] ≤ .
t
In particular, for any a ≥ 1,
1
Pr[V ≥ a · E[V ]] ≤
.
a
Proof. The second bound follows from the first bound by substituting t = a · E[V ]. Thus, to
complete the proof, we argue the first bound. Consider the following sequence of relations:
X X
E[V ] = i · Pr[V = i ] + i · Pr[V = i ] (3.13)
i ∈[0,t ) i ∈[t ,∞)
X
≥ i · Pr[V = i ] (3.14)
i ≥t
X
≥t· Pr[V = i ] (3.15)
i ≥t
= t · Pr[V ≥ t ]. (3.16)
In the above relations, (3.13) follows from the definition of expectation of a random variable and
the fact that V is positive. (3.14) follows as we have dropped some non-negative terms. (3.15)
follows by noting that in the summands i ≥ t . (3.16) follows from the definition of Pr[V ≥ t ].
The proof is complete by noting that (3.16) implies the claimed bound.

The second bound works only for sums of independent random variables. We begin by
defining independent random variables:
Definition 3.1.7 (Independence). Two random variables A and B are called independent if for
every a and b in the ranges of A and B respectively, we have
Pr[A = a ∧ B = b] = Pr[A = a] · Pr[B = b].
For example, for the uniform distribution in Table 3.1, let A denote the bit G 0,0 and B denote
the bit G 0,1 . It can be verified that these two random variables are independent. In fact, it can be
verified all the random variables corresponding to the four bits in G are independent random
variables. (We’ll come to a related comment shortly.)
Another related concept that we will use is that of probability of an event happening condi-
tioned on another event happening:

67
Definition 3.1.8 (Conditional Probability). Given two events A and B defined over the same do-
main and probability distribution, we define the probability of A conditioned on B as

Pr[A and B ]
Pr[A|B ] = .
Pr[B ]
For example, note that
4/16 1
= .
Pr[1V01 =1 |G 0,0 = 0] =
1/2 2
The above definition implies that two events A and B are independent if and only if Pr[A] =
Pr[A|B ]. We will also use the following result later on in the book (see Exercise 3.2):

Lemma 3.1.9. For any two events A and B defined on the same domain and the probability
distribution:
Pr[A] = Pr[A|B ] · Pr[B ] + Pr[A|¬B ] · Pr[¬B ].

Next, we state a deviation bound that asserts that the sum of independent random variables
takes values close to its expectation with high probability. We only state it for sums of binary
random variables, which is the form that will be needed in the book. We refer to this bound as
the “Chernoff bound” though we note that this is part of a larger body of work and the biblio-
graphic notes give more details.

Theorem 3.1.10 (Chernoff Bound). Let X 1 , . . . , X m be independent binary random variables and
P
define X = X i . Then the multiplicative Chernoff bound sates that for 0 < ε ≤ 1,
2
E(X )/3
Pr [|X − E(X )| > εE(X )] < 2e −ε ,

and the additive Chernoff bound states that

2
m/2
Pr [|X − E(X )| > εm] < 2e −ε .

We omit the proof, which can be found in any standard textbook on randomized algorithms.
Finally, we present an alternate view of uniform distribution over product spaces and then
use that view to prove a result that we will use later in the book. Given probability distributions
p 1 and p 2 over domains D1 and D2 respectively, we define the product distribution p 1 × p 2 over
D1 × D2 as follows: every element (x, y) ∈ D1 × D2 under p 1 × p 2 is picked by choosing x from
D1 according to p 1 and y is picked independently from D2 under p 2 . This leads to the following
observation (see Exercise 3.4).

Lemma 3.1.11. For any m ≥ 1, the distribution U D1 ×D2 ×···×Dm is identical3 to the distribution
U D1 × U D2 × · · · × U Dm .

For example, the uniform distribution in Table 3.1 can be described equivalently as follows:
pick each of the four bits in G independently and uniformly at random from {0, 1}.
We conclude this section by proving the following result:
3
We say two distributions p 1 and p 2 on D are identical if for every x ∈ D, p 1 (x) = p 2 (x).

68
Lemma 3.1.12. Given a non-zero vector m ∈ Fkq and a uniformly random k × n matrix G over Fq ,
the vector m · G is uniformly distributed over Fnq .

Proof. Let the ( j , i )th entry in G (1 ≤ j ≤ k, 1 ≤ i ≤ n) be denoted by g j i . Note that as G is a ran-

dom k ×n matrix over Fq , by Lemma 3.1.11, each of the g j i is an independent uniformly random
element from Fq . Now, note that we would be done if we can show that for every 1 ≤ i ≤ n, the
i th entry in m · G (call it b i ) is an independent uniformly random element from Fq . To finish
P
the proof, we prove this latter fact. If we denote m = (m 1 , . . . , m k ), then b i = kj=1 m j g j i . Note
that the disjoint entries of G participate in the sums for b i and b j for i 6= j . Given our choice of
G, this implies that the random variables b i and b j are independent. Hence, to complete the
proof we need to prove that b i is a uniformly independent element of Fq . The rest of the proof
is a generalization of the argument we used in the proof of Proposition 2.6.3.
Note that to show that b i is uniformly distributed over Fq , it is sufficient to prove that b i
takes every value in Fq equally often over all the choices of values that can be assigned to
g 1i , g 2i , . . . , g ki . Now, as m is non-zero, at least one of the its element is non-zero. Without
P
loss of generality assume that m 1 6= 0. Thus, we can write b i = m 1 g 1i + kj=2 m j g j i . Now, for
every fixed assignment of values to g 2i , g 3i , . . . , g ki (note that there are q k−1 such assignments),
b i takes a different value for each of the q distinct possible assignments to g 1i (this is where we
use the assumption that m 1 6= 0). Thus, over all the possible assignments of g 1i , . . . , g ki , b i takes
each of the values in Fq exactly q k−1 times, which proves our claim.

3.2 The Probabilistic Method

The probabilistic method is a very powerful method in combinatorics which can be used to
show the existence of objects that satisfy certain properties. In this course, we will use the prob-
abilistic method to prove existence of a code C with certain property P . Towards that end, we
define a distribution D over all possible codes and prove that when C is chosen according to D:
£ ¤ £ ¤
Pr C has property P > 0 or equivalently Pr C doesn’t have property P < 1.

Note that the above inequality proves the existence of C with property P .
As an example consider Question 3.0.1. To answer this in the affirmative, we note that the
set of all [2, 2]2 linear codes is covered by the set of all 2 × 2 matrices over F2 . Then, we let D be
the uniform distribution over F22×2 . Then by Proposition 2.3.6 and (3.12), we get that

3
Pr [There is no [2, 2, 1]2 code] ≤ < 1,
U F2×2 4
2

which by the probabilistic method answers the Question 3.0.1 in the affirmative.
For the more general case, when we apply the probabilistic method, the typical approach
will be to define (sub-)properties P 1 , . . . , P m such that P = P 1 ∧P 2 ∧P 3 . . .∧P m and show that for
every 1 ≤ i ≤ m:
£ ¤ h i 1
Pr C doesn’t have property P i = Pr P i < .
m

69
 £ ¤
Finally, by the union bound, the above will prove that4 Pr C doesn’t have property P < 1, as
desired.
As an example, an alternate way to answer Question 3.0.1 in the affirmative is the following.
Define P 1 = 1V01 ≥1 , P 2 = 1V10 ≥1 and P 3 = 1V11 ≥1 . (Note that we want a [2, 2]2 code that satisfies
P 1 ∧ P 2 ∧ P 3 .) Then, by (3.1), (3.2) and (3.3), we have for i ∈ [3],
£ ¤ h i 1 1
Pr C doesn’t have property P i = Pr P i = < ,
4 3
as desired.
Finally, we mention a special case of the general probabilistic method that we outlined
above. In particular, let P denote the property that the randomly chosen C satisfies f (C ) ≤ b.
Then we claim (see Exercise 3.5) that E[ f (C )] ≤ b implies that Pr[C has property P ] > 0. Note
that this implies that E[ f (C )] ≤ b implies that there exists a code C such that f (C ) ≤ b.

3.3 The q-ary Entropy Function

Finally, in this chapter we introduce a fundamental function — the “entropy” function — that
plays a central role in the analysis of the limits of codes. For example, in Section 4.1 of Chapter 4
we will show how this function captures an upper bound on the rate of codes as a function of
the relative distance. Later in Section 4.2 of Chapter 4 we will see that this function captures the
a lower bound on the rate of codes obtained by the probabilistic method.
We begin with the definition of the entropy function.
Definition 3.3.1 (q-ary Entropy Function). Let q be an integer and x be a real number such that
q ≥ 2 and 0 ≤ x ≤ 1. Then the q-ary entropy function is defined as follows:
H q (x) = x logq (q − 1) − x logq (x) − (1 − x) logq (1 − x).
Figure 3.1 presents a pictorial representation of the H q function for the first few values of q.
For the special case of q = 2, we will drop the subscript from the entropy function and denote
H2 (x) by just H (x), that is, H (x) = −x log x − (1 − x) log(1 − x), where log x is defined as log2 (x)
(we are going to follow this convention for the rest of the book).
Under the lens of Shannon’s entropy function, H (x) denotes the entropy of the distribution
over {0, 1} that selects 1 with probability x and 0 with probability 1 − x. However, there is no
similar analogue for the more general H q (x). The reason why this quantity will turn out to be
so central in this book is that it is very closely related to the “volume" of a Hamming ball. We
make this connection precise in the next subsection.

3.3.1 Volume of Hamming Balls

It turns out that in many of our combinatorial results, we will need good upper and lower
bounds on the volume of a Hamming ball. Next we formalize the notion of the volume of a
Hamming ball:
4
Note that P = P 1 ∨ P 2 ∨ · · · ∨ P m .

70
 1
q=2
q=3
0.9 q=4

0.8

0.7

Hq(x) ---> 0.6

0.5

0.4

0.3

0.2

0.1

0
0 0.2 0.4 0.6 0.8 1
x --->

Figure 3.1: A plot of H q (x) for q = 2, 3 and 4. The maximum value of 1 is achieved at x = 1−1/q.

Definition 3.3.2 (Volume of a Hamming Ball). Let q ≥ 2 and n ≥ r ≥ 1 be integers. Then the
volume of a Hamming ball of radius r is given by
à !
X r n
V ol q (r, n) = |B q (0, r )| = (q − 1)i .
i =0 i

The choice of 0 as the center for the Hamming ball above was arbitrary: since the volume
of a Hamming ball is independent of its center (as is evident from the last equality above), we
could have picked any point as the center.
We will prove the following result:

Proposition 3.3.3. Let q ≥ 2 be an integer and 0 ≤ p ≤ 1 − q1 be a real number. Then:

(i) V ol q (pn, n) ≤ q Hq (p)n ; and

(ii) for large enough n, V ol q (pn, n) ≥ q Hq (p)n−o(n) .

Proof. We start with the proof of (i). Consider the following sequence of relations:

1 = (p + (1 − p))n
à !
X n n
= p i (1 − p)n−i (3.17)
i =0 i
à ! à !
Xpn Xn
n i n i
= p (1 − p)n−i + p (1 − p)n−i
i =0 i i =pn+1 i

71
 Ã !
Xpn
n i
≥ p (1 − p)n−i (3.18)
i =0 i
à ! µ ¶
pn
X n i p i
= (q − 1) (1 − p)n−i
i =0 i q −1
à ! µ ¶i
Xpn
n i n p
= (q − 1) (1 − p)
i =0 i (q − 1)(1 − p)
à ! µ ¶pn
Xpn
n i n p
≥ (q − 1) (1 − p) (3.19)
i =0 i (q − 1)(1 − p)
à ! µ ¶
pn
X n p pn
= (q − 1)i (1 − p)(1−p)n (3.20)
i =0 i q − 1
≥ V ol q (pn, n)q −Hq (p)n . (3.21)
In the above, (3.17) follows from the binomial expansion. (3.18) follows by dropping the second
p
sum and (3.19) follows from the facts that (q−1)(1−p) ≤ 1 (as5 p ≤ 1−1/q). Rest of the steps except
³ ´
−H q (p)n p pn
(3.21) follow from rearranging the terms. (3.21) follows as q = q−1 (1 − p)(1−p)n .
(3.21) implies that
1 ≥ V ol q (pn, n)q −Hq (p)n ,
which proves (i).
We now turn to the proof of part (ii). For this part, we will need Stirling’s approximation for
n! (Lemma B.1.2).
By the Stirling’s approximation, we have the following inequality:
à !
n n!
=
pn (pn)!((1 − p)n)!
(n/e)n 1
> ·p · e λ1 (n)−λ2 (pn)−λ2 ((1−p)n)
(pn/e)pn ((1 − p)n/e)(1−p)n 2πp(1 − p)n
1
= · ℓ(n), (3.22)
p pn (1 − p)(1−p)n
λ1 (n)−λ2 (pn)−λ2 ((1−p)n)
where ℓ(n) = e p .
2πp(1−p)n
Now consider the following sequence of relations that complete the proof:
à !
n
V ol q (pn, n) ≥ (q − 1)pn (3.23)
pn
(q − 1)pn
> · ℓ(n) (3.24)
p pn (1 − p)(1−p)n
≥ q Hq (p)n−o(n) . (3.25)
5 p p q−1 q−1
Indeed, note that (q−1)(1−p) ≤ 1 is true if 1−p ≤ 1 , which in turn is true if p ≤ q , where the last step follows
from Lemma B.2.1.

72
In the above (3.23) follows by only looking at one term. (3.24) follows from (3.22) while (3.25)
follows from the definition of H q (·) and the fact that for large enough n, ℓ(n) is q −o(n) .

Next, we consider how the q-ary entropy function behaves for various ranges of its parame-
ters.

3.3.2 Other Properties of the q-ary Entropy function

We begin by recording the behavior of q-ary entropy function for large q.

Proposition 3.3.4. For small enough ε, 1 − H q (ρ) ≥ 1 − ρ − ε for every 0 < ρ ≤ 1 − 1/q if and only
if q is 2Ω(1/ε) .

Proof. We first note that by definition of H q (ρ) and H (ρ),

H q (ρ) = ρ logq (q − 1) − ρ logq ρ − (1 − ρ) logq (1 − ρ)

= ρ logq (q − 1) + H (ρ)/ log2 q.

Now if q ≥ 21/ε , we get that

H q (ρ) ≤ ρ + ε
as logq (q − 1) ≤ 1 and H (ρ) ≤ 1. Thus, we have argued that for q ≥ 21/ε , we have 1 − H q (ρ) ≥
1 − ρ − ε, as desired.
Next, we consider the case when q = 2o(1/ε) . We begin by claiming that for small enough ε,

if q ≥ 1/ε2 then logq (q − 1) ≥ 1 − ε.

³ ´
1
Indeed, logq (q − 1) = 1 + (1/ ln q) ln(1 − 1/q) = 1 − O q ln q
,6 which is at least 1 − ε for q ≥ 1/ε2
(and small enough ¡ε).¢
1
Finally, if q = 2o ε , then for fixed ρ,

H (ρ)/ log q = ε · ω(1).

¡1¢
Then for q = 2o ε (but q ≥ 1/ε2 ) we have

ρ logq (q − 1) + H (ρ)/ log q ≥ ρ − ε + ε · ω(1) > ρ + ε,

which implies that

1 − H q (ρ) < 1 − ρ − ε,
as desired. For q ≤ 1/ε2 , Lemma 3.3.5 shows that 1 − H q (ρ) ≤ 1 − H1/ε2 (ρ) < 1 − ρ − ε, as desired.

We will also be interested in how H q (x) behaves for fixed x and increasing q:
6
The last equality follows from the fact that by Lemma B.2.2, for 0 < x < 1, ln(1 − x) = −O(x).

73
Lemma 3.3.5. Let q ≥ 2 be an integer and let 0 ≤ ρ ≤ 1 − 1/q, then for any real m ≥ 1 such that
µ ¶q−1
m−1 1
q ≥ 1+ , (3.26)
q −1

we have
H q (ρ) ≥ H q m (ρ).

Proof. Note that H q (0) = H q m (0) = 0. Thus, for the rest of the proof we will assume that ρ ∈
(0, 1 − 1/q].
As observed in the proof of Proposition 3.3.4, we have

log(q − 1) 1
H q (ρ) = ρ · + H (ρ) · .
log q log q

Using this, we obtain

µ ¶ µ ¶
log(q − 1) log(q m − 1) 1 1
H q (ρ) − H q m (ρ) = ρ − + H (ρ) − .
log q m log q log q m log q

The above in turn implies that

1 H (ρ)
· m log q · (H q (ρ) − H q m (ρ)) = log(q − 1)m − log(q m − 1) + (m − 1)
ρ ρ
H (1 − 1/q)
≥ log(q − 1)m − log(q m − 1) + (m − 1) (3.27)
1 − 1/q
µ ¶
m m q log q
= log(q − 1) − log(q − 1) + (m − 1) log +
q −1 q −1
µ µ ¶ ¶
(q − 1)m q m−1 m−1
= log · ·q q−1
qm − 1 q −1
à m−1 !
(q − 1) · q m−1 · q q−1
= log
qm − 1
≥0 (3.28)

In the above (3.27) follows from the fact that H (ρ)/ρ is decreasing7 in ρ and that ρ ≤ 1 − 1/q.
(3.28) follows from the claim that
m−1
(q − 1) · q q−1 ≥ q.

Indeed the above follows from (3.26).

Finally, note that (3.28) completes the proof.
7
Indeed, H (ρ)/ρ = log(1/ρ) − (1/ρ − 1) log(1 − ρ). Note that the first term is deceasing in ρ. We claim that the
second term is also decreasing in ρ– this e.g. follows from the observation that −(1/ρ − 1) ln(1 − ρ) = (1 − ρ)(1 +
ρ/2! + ρ 2 /3! + · · · ) = 1 − ρ/2 − ρ 2 (1/2 − 1/3!) − · · · is also decreasing in ρ.

74
 Since (1 + 1/x)x ≤ e (by Lemma B.2.5), we also have that (3.26) is also satisfied for m ≥ 1 +
1
ln q
. Further, we note that (3.26) is satisfied for every m ≥ 2 (for any q ≥ 3), which leads to the
following (also see Exercise 3.6):

Corollary 3.3.6. Let q ≥ 3 be an integer and let 0 ≤ ρ ≤ 1 − 1/q, then for any m ≥ 2, we have

H q (ρ) ≥ H q m (ρ).

Next, we look at the entropy function when its input is very close to 1.

Proposition 3.3.7. For small enough ε > 0,

µ ¶
1
H q 1 − − ε ≤ 1 − c q ε2 ,
q

where c q is a constant that only depends on q.

Proof. The intuition behind the proof is the following. Since the derivative of H q (x) is zero at
x = 1 − 1/q, in the Taylor expansion of H q (1 − 1/q − ε) the ε term will vanish. We will now make
this intuition more concrete. We will think of q as fixed and 1/ε as growing. In particular, we
will assume that ε < 1/q. Consider the following equalities:
µ ¶ µ ¶ µ ¶ µ ¶
1 1 − 1/q − ε 1 1
H q (1 − 1/q − ε) = − 1 − − ε logq − + ε logq +ε
q q −1 q q
µ µ ¶¶ µ ¶ µ ¶
1 εq 1 1 − (εq)/(q − 1)
= − logq 1− + + ε logq
q q −1 q 1 + εq
· µ ¶ µ ¶ µ ¶¸
1 εq 1 1 − (εq)/(q − 1)
= 1− ln 1 − − + ε ln
ln q q −1 q 1 + εq
· 2 2 µ ¶µ
2 1 εq ε q 1 εq
= 1 + o(ε ) − − − − + ε −
ln q q − 1 2(q − 1)2 q q −1
2 2 2 2 ¶¸
ε q ε q
− 2
− εq + (3.29)
2(q − 1) 2
·
2 1 εq ε2 q 2
= 1 + o(ε ) − − −
ln q q − 1 2(q − 1)2
µ ¶µ ¶¸
1 εq 2 ε2 q 3 (q − 2)
− +ε − +
q q −1 2(q − 1)2
· ¸
2 1 ε2 q 2 ε2 q 2 ε2 q 2 (q − 2)
= 1 + o(ε ) − − + − (3.30)
ln q 2(q − 1)2 q − 1 2(q − 1)2
ε2 q 2
= 1− + o(ε2 )
2 ln q(q − 1)
ε2 q 2
≤ 1−
4 ln q(q − 1)
(3.31)

75
 (3.29) follows from the fact that for |x| < 1, ln(1 + x) = x − x 2 /2 + x 3 /3 − . . . (Lemma B.2.2) and
by collecting the ε3 and smaller terms in o(ε2 ). (3.30) follows by rearranging the terms and by
absorbing the ε3 terms in o(ε2 ). The last step is true assuming ε is small enough.

Next, we look at the entropy function when its input is very close to 0.

Proposition 3.3.8. For small enough ε > 0,

µ µ ¶¶
1 1
H q (ε) = Θ · ε log .
log q ε

Proof. By definition

H q (ε) = ε logq (q − 1) + ε logq (1/ε) + (1 − ε) logq (1/(1 − ε)).

Since all the terms in the RHS are positive we have

H q (ε) ≥ ε log(1/ε)/ log q. (3.32)

Further, by Lemma B.2.2, (1 − ε) logq (1/(1 − ε)) ≤ 2ε/ ln q for small enough ε. Thus, this implies
that µ ¶
2 + ln(q − 1) 1 1
H q (ε) ≤ ·ε+ · ε ln . (3.33)
ln q ln q ε
(3.32) and (3.33) proves the claimed bound.

We will also work with the inverse of the q-ary entropy function. Note that H q (·) on the
domain [0, 1 − 1/q] is a bijective map into [0, 1]. Thus, we define H q−1 (y) = x such that H q (x) = y
and 0 ≤ x ≤ 1 − 1/q. Finally, we will need the following lower bound:

Lemma 3.3.9. For every 0 ≤ y ≤ 1 − 1/q and for every small enough ε > 0,

H q−1 (y − ε2 /c q′ ) ≥ H q−1 (y) − ε,

where c q′ ≥ 1 is a constant that depends only on q.

Proof. It is easy to check that H q−1 (y) is a strictly increasing convex function when y ∈ [0, 1]. This
implies that the derivative of H q−1 (y) increases with y. In particular, (H q−1 )′ (1) ≥ (H q−1 )′ (y) for
H q−1 (y)−H q−1 (y−δ)
every 0 ≤ y ≤ 1. In other words, for every 0 < y ≤ 1, and (small enough) δ > 0, δ ≤
H q−1 (1)−H q−1 (1−δ)
δ
Proposition 3.3.7 along with the facts that H q−1 (1) = 1−1/q
. and H q−1 is increasing
completes the proof if one picks c q′ = max(1, 1/c q ) and δ = ε2 /c q′ .

76
3.4 Exercises
Exercise 3.1. Prove Lemma 3.1.3.

Exercise 3.2. Prove Lemma 3.1.9.

Exercise 3.3. In this exercise, we will see a common use of the Chernoff bound (Theorem 3.1.10).
Say we are trying to determine an (unknown) value x ∈ F to which we have access to via a ran-
domized algorithm A that on input (random) input r ∈ {0, 1}m outputs an estimate A (r) of x
such that
1
Pr [A(r) = x] ≥ + γ,
r 2
³ ´
for some 0 < γ < 21 . Then show that for any t ≥ 1 with O γt2 calls to A one can determine x with
probability at least 1 − e −t .
Hint: Call A with independent random bits and take majority of the answer and then use the Chernoff bound.

Exercise 3.4. Prove Lemma 3.1.11.

Exercise 3.5. Let P denote the property that the randomly chosen C satisfies f (C ) ≤ b. Then
E[ f (C )] ≤ b implies that Pr[C has property P ] > 0.

Exercise 3.6. Show that for any Q ≥ q ≥ 2 and ρ ≤ 1 − 1/q, we have HQ (ρ) ≤ H q (ρ).

3.5 Bibliographic Notes

The Chernoff bounds of this chapter come from a family of bounds on the concentration of
sums of random variables around their expectation. They originate with the work of Cher-
noff [23] though Chernoff himself attributes the bound to personal communication with Ru-
bin [9, Page 340]. These bounds and variations are ubiquitous in information theory and com-
puter science — see for instance [28, 96, 94]. Proofs of various concentration bounds can e.g.
be found in [31].
The use of the probabilistic method in combinatorics seems to have originated in the early
40s and became especially well known after works of Erdös, notably [39]. Shannon’s adoption
of the method in [115] is one of the first applications in a broader setting. For more on the
probabilistic method, see the book by Alon and Spencer [3].
The entropy function also dates back to Shannon [115]. Shannon’s definition is more gen-
eral and applies to discrete random variables. Our specialization to a two parameter function
(namely a function of q and p) is a special case derived from applying the original definition to
some special random variables.

77
78
 Part II

The Combinatorics

79
Chapter 4

What Can and Cannot Be Done-I

In this chapter, we will try to tackle Question 1.8.1. We will approach this trade-off in the fol-
lowing way:
If we fix the relative distance of the code to be δ, what is the best rate R that we can
achieve?
While we will not be able to pin down the exact optimal relationship between R and δ, we will
start establishing some limits. Note that an upper bound on R is a negative result in that it
establishes that codes with certain parameters do not exist. Similarly, a lower bound on R is a
positive result.
In this chapter, we will consider only one positive result, i.e. a lower bound on R called the
Gilbert-Varshamov bound in Section 4.2. In Section 4.1, we recall a negative result that we have
already seen– Hamming bound and state its asymptotic version to obtain an upper bound on
R. We will consider two other upper bounds: the Singleton bound (Section 4.3), which gives
a tight upper bound for large enough alphabets (but not binary codes) and the Plotkin bound
(Section 4.4).

4.1 Asymptotic Version of the Hamming Bound

We have already seen an upper bound in Section 1.7 due to Hamming. However, we had stated
this as an upper bound on the dimension k in terms of n, q and d . In this section we convert
this into a relation on R versus δ.
Consider any (n, k, d )q code with rate R = k/n and relative distance δ = d /n. Recall that
Theorem 1.7.2 implies the following:
³j k ´
d −1
k log q V ol q 2 ,n
R = ≤ 1−
n n
Recall further that Proposition 3.3.3 states the following lower bound on the volume of a Ham-
ming ball: µ¹ º ¶ ³ ´
d −1 H q δ2 n−o(n)
V ol q ,n ≥ q .
2

81
Taking logarithms to base q of both sides above, and dividing by n yields that the second term
in the right had side of the inequality above is lower bounded by H q (δ/2) − o(1), and thus we
can get an asymptotic implication from Theorem 1.7.2. For a q-ary code C of rate R, relative
distance δ and block length n, we have:
µ ¶
δ
R ≤ 1 − Hq + o(1),
2
where the o(1) term tends to 0 as n → ∞. Thus for an infinite family of codes C , taking limits as
n → ∞, we get the following asymptotic Hamming bound.
Proposition 4.1.1 (Asymptotic Hamming Bound). Let C be an infinite family of q-ary codes with
rate R and relative distance δ. Then we have:
µ ¶
δ
R ≤ 1 − Hq .
2
Figure 4.1 gives a pictorial description of the asymptotic Hamming bound for binary codes.

1
Hamming bound
GV bound
0.9

0.8

0.7

0.6

0.5
R

0.4

0.3

0.2

0.1

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 4.1: The Hamming and GV bounds for binary codes. Note that any point below the GV
bound is achievable by some code while no point above the Hamming bound is achievable by
any code. In this part of the book we would like to push the GV bound as much up as possible
while at the same time try and push down the Hamming bound as much as possible.

4.2 Gilbert-Varshamov Bound

Next, we will switch gears by proving our first non-trivial lower bound on R in terms of δ. (In
fact, this is the only positive result on the R vs δ tradeoff question that we will see in this book.)
In particular, we will prove the following result:

82
Theorem 4.2.1 (Gilbert-Varshamov Bound). Let q ≥ 2. For every 0 ≤ δ < 1 − q1 there exists a
(linear) code with rate R ≥ 1 − H q (δ) and relative distance δ. Furthermore, for every 0 ≤ ε ≤
1− H q (δ) and integer n, if the generator matrix of a code of block length n and rate 1− H q (δ)−ε is
picked uniformly at random, then the code has relative distance at least δ with probability strictly
greater than 1 − q −εn .

The bound is generally referred to as the GV bound. For a pictorial description of the GV
bound for binary codes, see Figure 4.1. We will present the proofs for general codes and linear
codes in Sections 4.2.1 and 4.2.2 respectively.
Note that the first part of the theorem follows from the second part by setting ε = 0. In what
follows we first prove the existence of a non-linear code of rate 1 − H q (δ) and relative distance
at least δ. Later we show how to get a linear code, and with high probability (when ε > 0).

4.2.1 Greedy Construction

We will prove Theorem 4.2.1 for general codes by the following greedy construction (where
d = δn): start with the empty code C and then keep on adding vectors not in C that are at Ham-
ming distance at least d from all the existing codewords in C . Algorithm 6 presents a formal
description of the algorithm and Figure 4.2 illustrates the first few executions of this algorithm.

Algorithm 6 Gilbert’s Greedy Code Construction

I NPUT: n, q, d
O UTPUT: A code C ⊆ [q]n of distance d ≥≥ 11

1: C ← ;
2: WHILE there exists a v ∈ [q]n such that ∆(v, c) ≥ d for every c ∈ C DO
3: Add v to C
4: RETURN C

We claim that Algorithm 6 terminates and the C that it outputs has distance d . The latter
is true by step 2, which makes sure that in Step 3 we never add a vector c that will make the
distance of C fall below d . For the former claim, note that, if we cannot add v at some point, we
cannot add it later. Indeed, since we only add vectors to C , if a vector v ∈ [q]n is ruled out in a
certain iteration of Step 2 because ∆(c, v) < d , then in all future iterations, we have ∆(v, c) < d
and thus, this v will never be added in Step 3 in any future iteration.
The running time of Algorithm 6 is q O(n) . To see this, note that Step 2 in the worst-case could
be repeated for every vector in [q]n , that is at most q n times. In a naive implementation, for each
iteration, we cycle through all vectors in [q]n and for each vector v ∈ [q]n , iterate through all (at
most q n ) vectors c ∈ C to check whether ∆(c, v) < d . If no such c exists, then we add v to C .
Otherwise, we move to the next v. However, note that we can do slightly better– since we know
that once a v is “rejected" in an iteration, it’ll keep on being rejected in the future iterations, we
can fix up an ordering of vectors in [q]n and for each vector v in this order, check whether it can

83
 c3
c2

c5

c1
c4
d −1

[q]n

Figure 4.2: An illustration of Gilbert’s greedy algorithm (Algorithm 6) for the first five iterations.

be added to C or not. If so, we add v to C , else we move to the next vector in the order. This
algorithm has time complexity O(nq 2n ), which is still q O(n) .
Further, we claim that after termination of Algorithm 6
[
B (c, d − 1) = [q]n .
c∈C

This is because if the above is not true, then there exists a vector v ∈ [q]n \C , such that ∆(v, c) ≥ d
and hence v can be added to C . However, this contradicts the fact that Algorithm 6 has termi-
nated. Therefore, ¯ ¯
¯[ ¯
¯ B (c, d − 1)¯ = q n . (4.1)
¯ ¯
c∈C
It is not too hard to see that
¯ ¯
X ¯[ ¯
|B (c, d − 1)| ≥ ¯¯ B (c, d − 1)¯¯ ,
c∈C c∈C

which by (4.1) implies that X

|B (c, d − 1)| ≥ q n
c∈C
or since the volume of a Hamming ball is translation invariant,
X
V ol q (d − 1, n) ≥ q n .
c∈C
P
Since c∈C V ol q (d − 1, n) = V ol q (d − 1, n) · |C |, we have
qn
|C | ≥
V ol q (d − 1, n)
qn
≥ (4.2)
q nHq (δ)
= q n(1−Hq (δ)) ,

84
as desired. In the above, (4.2) follows from the fact that

V ol q (d − 1, n) ≤ V ol q (δn, n)
≤ q nHq (δ) , (4.3)

where the second inequality follows from the upper bound on the volume of a Hamming ball in
Proposition 3.3.3.
We thus conclude that for every q, n and δ there exists a code of rate at least n(1 − H q (δ)).
We state this formally as a lemma below.

Lemma 4.2.2. For every pair of positive integers n, q and real δ ∈ [0, 1] there exists a code (n, k, δn)q
qn
code satisfying q k ≥ V ol q (d −1,n) .
In particular, for every positive integer q and real δ ∈ [0, 1] there exists an infinite family of
q-ary codes C of rate R and distance δ satisfying R ≥ 1 − H q (δ).

It is worth noting that the code from Algorithm 6 is not guaranteed to have any special struc-
ture. In particular, even storing the code can take exponential space. We have seen in Proposi-
tion 2.3.3 that linear codes have a much more succinct representation. Thus, a natural question
is:

Question 4.2.1. Do linear codes achieve the R ≥ 1 − H q (δ) tradeoff that the greedy construc-
tion achieves?

Next, we will answer the question in the affirmative.

4.2.2 Linear Code Construction

Now we will show that a random linear code, with high probability, lies on the GV bound. The
construction is a use of the probabilistic method (Section 3.2).

Proof of Theorem 4.2.1. By Proposition 2.3.6, we are done if we can show that there exists a k ×n
matrix G of full rank (for k = (1 − H q (δ) − ε)n) such that

For every m ∈ Fkq \ {0}, w t (mG) ≥ d .

We will prove the existence of such a G by the probabilistic method. Pick a random linear code
by picking a random k × n matrix G where each of kn entries is chosen uniformly and indepen-
dently at random from Fq . Fix m ∈ Fkq \ {0}. Recall that by Lemma 3.1.12, for a random G, mG is

85
a uniformly random vector from Fnq . Thus, for every non-zero vector m, we have

V ol q (d − 1, n)
Pr[w t (mG) < d ] =
G qn
q nHq (δ)
≤ (4.4)
qn
≤ q −k · q −εn , (4.5)

where (4.4) follows from (4.3) and (4.5) uses k ≤ n(1 − H q (δ) − ε). There are q k − 1 non-zero vec-
tors m and taking the union over all such vectors and applying the union bound (Lemma 3.1.5)
we have

Pr[There exists a non-zero m s.t. wt(mG) < d ] ≤ (q k − 1) · q k · q −εn

G
< q −ε·n .

Fix a matrix G ∈ Fk×n

q such that for every non-zero M we have wt(mG) ≥ d . The argument above
has shown that a random matrix has this property with probability strictly greater than 1−q −εn .
By Proposition ?? this implies that the code generated by G has distance at least d . To conclude
the theorem we only need to argue that the code has dimension k, i.e., that G has full rank. But
this also follows immediately from the property that for every Thus for every ε ≥ 0 we have that
the probability that the code generated by a uniformly random matrix has distance less than or
equal to d is strictly less than 1. Thus using the probabilistic method we conclude there exists
a matrix G such that the code it generates in an [n, k, d ]q code. Furthermore if ε > 0 then the
probability that the code does not have distance d is exponentially small, specifically at most
q εn .
To conclude we need to verify that the code generated by G has dimension k, i.e., that G
has full rank. But note that an equivalent definition of G not having full rank is that there ex-
ists a non-zero vector M such that mG = 0. But the existence of such a vector m would imply
wt(mG) = 0 < d contradicting the property that for every non-zero M we have wt(mG) ≥ d . We
thus conclude that G generates a code of rate k/n = 1 − H q (δ) − ε and relative distance δ. The
theorem follows.

Discussion. We now digress a bit to stress some aspects of the GV bound and its proof. First,
note that that proof by the probabilistic method shows something stronger than just the exis-
tence of a code, but rather gives a high probability result. Furthermore, as pointed out explicitly
for the non-linear setting in Lemma 4.2.2, the result gives a lower bound not only in the asymp-
totic case but also one for every choice of n and k. The proof of the GV bound in the non-linear
case gives a similar non-asymptotic bound in the linear setting also.
Note that we can also pick a random linear code by picking a random (n −k)×n parity check
matrix. This also leads to a alternate proof of the GV bound: see Exercise 4.1.
Finally, we note that Theorem 4.2.1 requires δ < 1 − q1 . An inspection of Gilbert and Var-
shamov’s proofs shows that the only reason the proof required that δ ≤ 1 − q1 is because it is

86
 c1

c2

ci c′i

cj c′i

cM

n −d +1 d −1

Figure 4.3: Construction of a new code in the proof of the Singleton bound.

needed for the volume bound (recall the bound in Proposition 3.3.3)– V ol q (δn, n) ≤ q Hq (δ)n – to
hold. It is natural to wonder if the above is just an artifact of the proof or if better codes exist.
This leads to the following question:

Question 4.2.2. Does there exists a code with R > 0 and δ > 1 − q1 ?

We will return to this question in Section 4.4.

4.3 Singleton Bound

We will now change gears again and prove an upper bound on R (for fixed δ). We start by proving
the Singleton bound.
Theorem 4.3.1 (Singleton Bound). For every (n, k, d )q code,

k ≤ n − d + 1.

Proof. Let c1 , c2 , . . . , cM be the codewords of an (n, k, d )q code C . Note that we need to show
M ≤ q n−d +1 . To this end, we define c′i to be the prefix of the codeword ci of length n − d + 1 for
every i ∈ [M ]. See Figure 4.3 for a pictorial description.
We now claim that for every i 6= j , c′i 6= c′j . For the sake of contradiction, assume that there
exits an i 6= j such that c′i = c′j . Notice this implies that ci and c j agree in all the first n − d +

87
 1
Hamming bound
GV bound
Singleton bound

0.8

R 0.6

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 4.4: The Hamming, GV and Singleton bound for binary codes.

1 positions, which in turn implies that ∆(ci , c j ) ≤ d − 1. This contradicts the fact that C has
distance d . Thus, M is the number of prefixes of codewords in C of length n − d + 1, which
implies that M ≤ q n−d +1 as desired.

Note that the asymptotic version of the Singleton bound states that k/n ≤ 1 − d /n + 1/n. In
other words,
R ≤ 1 − δ + o(1).

Figure 4.4 presents a pictorial description of the asymptotic version of the Singleton bound.
It is worth noting that the bound is independent of the alphabet size. As is evident from Fig-
ure 4.4, the Singleton bound is worse than the Hamming bound for binary codes. However, this
bound is better for larger alphabet sizes. In fact, we will look at a family of codes called Reed-
Solomon codes in Chapter 5 that meets the Singleton bound. However, the alphabet size of the
Reed-Solomon codes increases with the block length n. Thus, a natural follow-up question is
the following:

Question 4.3.1. Given a fixed q ≥ 2, does there exist a q-ary code that meets the Singleton
bound?

We’ll see an answer to this question in the next section.

88
4.4 Plotkin Bound
In this section, we will study the Plotkin bound, which will answer Questions 4.2.2 and 4.3.1.
We start by stating the bound.

Theorem 4.4.1 (Plotkin bound). The following holds for any code C ⊆ [q]n with distance d :
³ ´
1. If d = 1 − q1 n, |C | ≤ 2qn.
³ ´
qd
2. If d > 1 − q1 n, |C | ≤ qd −(q−1)n .

Note that the Plotkin bound (Theorem 4.4.1) implies that a code with relative distance δ ≥
1 − q1 , must necessarily have R = 0, which answers Question 4.2.2 in the negative.
Before we prove Theorem 4.4.1, we make a few remarks. We first note that the upper bound
in the first part of Theorem 4.4.1 can be improved to 2n for q = 2. (See Exercise 4.12.) Second, it
can be shown that this bound is tight. (See Exercise 4.13.) Third, the statement of Theorem 4.4.1
gives a trade-off only for relative distance greater than 1 − 1/q. However, as the following corol-
lary shows, the result can be extended to work for 0 ≤ δ ≤ 1 − 1/q. (See Figure 4.5 for an illustra-
tion for binary codes.)

Corollary 4.4.2. For any q-ary code with relative distance 0 ≤ δ ≤ 1 − q1 ,

¶
µ
q
R ≤ 1− δ + o(1).
q −1

Proof. Define d = δn. The proof proceeds by shortening the codewords.

j k We group the code-
qd
words so that they agree on the first n − n ′ symbols, where n ′ = q−1 − 1. (We will see later why
′ n−n ′
this choice of n makes sense.) In particular, for any x ∈ [q] , define the ‘prefix code’

C x = {(c n−n ′ +1 , . . . c n ) | (c 1 . . . c N ) ∈ C , (c 1 . . . c n−n ′ ) = x} .

³ ´
q
For all x, C x has distance d as C has distance d .1 Additionally, it has block length n ′ < q−1 d
³ ´
and thus, d > 1 − q1 n ′ . By Theorem 4.4.1, this implies that

qd
|C x | ≤ ≤ qd , (4.6)
qd − (q − 1)n ′

where the second inequality follows from the fact that qd − (q − 1)n ′ is an integer.
Note that by the definition of C x :
X
|C | = |C x | ,
′
x∈[q]n−n

1
If for some x, c1 6= c2 ∈ C x , ∆(c1 , c2 ) < d , then ∆((x, c1 ), (x, c2 )) < d , which implies that the distance of C is less
than d (as by definition of C x , both (x, c1 ), (x, c2 ) ∈ C ), which in turn is a contradiction.

89
 1
Hamming bound
GV bound
Singleton bound
Plotkin bound

0.8

R 0.6

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 4.5: The current bounds on the rate R vs. relative distance δ for binary codes. The GV
bound is a lower bound on R while the other three bounds are upper bounds on R.

which by (4.6) implies that

³ ´
X n−n ′
q
n− q−1 d +o(n)
q
n 1−δ· q−1 +o(1)
|C | ≤ qd = q · qd ≤ q =q .
′
x∈[q]n−n

³ ´
q
In other words, R ≤ 1 − q−1 δ + o(1) as desired.

Note that Corollary 4.4.2 implies that for any q-ary code of rate R and relative distance δ
(where q is a constant independent of the block length of the code), R < 1 − δ. In other words,
this answers Question 4.3.1 in the negative.
Let us pause for a bit at this point and recollect the bounds on R versus δ that we have proved
till now. Figure 4.5 depicts all the bounds we have seen till now (for q = 2). The GV bound is
the best known lower bound at the time of writing of this book. Better upper bounds are known
and we will see one such trade-off (called the Elias-Bassalygo bound) in Section 8.1.
Now, we turn to the proof of Theorem 4.4.1, for which we will need two more lemmas. The
first lemma deals with vectors over real spaces. We quickly recap the necessary definitions.
n
Considerq a vector v in R , that is, a tuple of n real numbers. This vector has (Euclidean) norm
kvk = v 12 + v 22 + . . . + v n2 , and is a unit vector if and only if its norm is 1. The inner product of
P
two vectors, u and v, is 〈u, v〉 = i u i · v i . The following lemma gives a bound on the number of
vectors that can exist such that every pair is at an obtuse angle with each other.

Lemma 4.4.3 (Geometric Lemma). Let v1 , v2 , . . . , vm ∈ RN be non-zero vectors.

90
 1. If 〈vi , v j 〉 ≤ 0 for all i 6= j , then m ≤ 2N .

2. Let vi be unit vectors for 1 ≤ i ≤ m. Further, if 〈vi , v j 〉 ≤ −ε < 0 for all i 6= j , then m ≤ 1 + 1ε .2

(Item 1 is tight: see Exercise 4.14.) The proof of the Plotkin bound will need the existence of a
map from codewords to real vectors with certain properties, which the next lemma guarantees.

Lemma 4.4.4 (Mapping Lemma). Let C ⊆ [q]n . Then there exists a function f : C −→ Rnq such
that

1. For every c ∈ C , k f (c)k = 1.

³ ´³ ´
q ∆(c1 ,c2 )
2. For every c1 6= c2 such that c1 , c2 ∈ C , 〈 f (c1 ), f (c2 )〉 = 1 − q−1 n .

We defer the proofs of the lemmas above to the end of the section. We are now in a position
to prove Theorem 4.4.1.
Proof of Theorem 4.4.1 Let C = {c1 , c2 , . . . , cm }. For all i 6= j ,
µ ¶ µ ¶
­ ® q ∆(ci , c j ) q d
f (ci ), f (c j ) ≤ 1 − ≤ 1− .
q −1 n q −1 n

The first inequality holds

³ by
´ Lemma 4.4.4, and the second holds as C has distance d .
(q−1)n
For part 1, if d = 1 − q1 n = q , then for all i 6= j ,

­ ®
f (ci ), f (c j ) ≤ 0

and so by the first part

³ ´of Lemma 4.4.3, m ≤ 2nq, as desired.
q−1
For part 2, d > q n and so for all i 6= j ,

µ ¶ µ ¶
q d qd − (q − 1)n
〈 f (ci ), f (c j )〉 ≤ 1 − =−
q −1 n (q − 1)n
³ ´
def qd −(q−1)n
and, since ε = (q−1)n > 0, we can apply the second part of Lemma 4.4.3. Thus, m ≤ 1 +
(q−1)n qd
qd −(q−1)n = qd −(q−1)n , as desired ✷

4.4.1 Proof of Geometric and Mapping Lemmas

Next, we prove Lemma 4.4.3.

2
Note that since vi and v j are both unit vectors, 〈vi , v j 〉 is the cosine of the angle between them.

91
Proof of Lemma 4.4.3. We begin with a proof of the first result. The proof is by induction on
n. Note that in the base case of N = 0, we have m = 0, which satisfies the claimed inequality
m ≤ 2N .
In the general case, we have m ≥ 1 non-zero vectors v1 , . . . , vm ∈ RN such that for every i 6= j ,

〈vi , v j 〉 ≤ 0. (4.7)

Since rotating all the vectors by the same amount does not change the sign of the inner
product (nor does scaling any of the vectors), w.l.o.g. we can assume that vm = 〈1, 0, . . . , 0〉. For
1 ≤ i ≤ m − 1, denote the vectors as vi = 〈αi , yi 〉, for some αi ∈ R and yi ∈ RN −1 . Now, for any
P
i 6= 1, 〈v1 , vi 〉 = 1·αi + m
i =2 0 = αi . However, note that (4.7) implies that 〈v1 , vi 〉 ≤ 0, which in turn
implies that
αi ≤ 0. (4.8)
Next, we claim that at most one of y1 , . . . , ym−1 can be the all zeroes vector, 0. If not, assume
w.l.o.g., that y1 = y2 = 0. This in turn implies that

〈v1 , v2 〉 = α1 · α2 + 〈y1 , y2 〉
= α1 · α2 + 0
= α1 · α2
> 0,

where the last inequality follows from the subsequent argument. As v1 = 〈α1 , 0〉 and v2 = 〈α2 , 0〉
are non-zero, this implies that α1 , α2 6= 0. (4.8) then implies that α1 , α2 < 0. However, 〈v1 , v2 〉 > 0
contradicts (4.7).
Thus, w.l.o.g., assume that v1 , . . . , vm−2 are all non-zero vectors. Further, note that for every
i 6= j ∈ [m − 2], 〈yi , y j 〉 = 〈vi , v j 〉 − αi · α j ≤ 〈vi , v j 〉 ≤ 0. Thus, we have reduced problem on m
vectors with dimension N to an equivalent problem on m−2 vectors with dimension dimension
N − 1. If we continue this process, we can conclude that every loss in dimension of the vector
results in twice in loss in the numbers of the vectors in the set. Induction then implies that
m ≤ 2N , as desired.
We now move on to the proof of the second part. Define z = v1 + . . . + vm . Now consider the
following sequence of relationships:
à !
Xm X m
2 2
kzk = kvi k + 2 〈vi , v j 〉 ≤ m + 2 · · (−ε) = m(1 − εm + ε).
i =1 i<j 2

The inequality follows from the facts that each vi is a unit vector and the assumption that for
every i 6= j , 〈vi .v j 〉 ≤ −ε. As kzk2 ≥ 0,

m(1 − εm + ε) ≥ 0.

Since m ≥ 1, we have that

1 − εm + ε ≥ 0

92
or
εm ≤ 1 + ε.
Thus, we have m ≤ 1 + 1ε , as desired. ✷
Finally, we prove Lemma 4.4.4.

Proof of Lemma 4.4.4. We begin by defining a map φ : [q] → Rq with certain properties. Then
we apply φ to all the coordinates of a codeword to define the map f : Rq → Rnq that satisfies the
claimed properties. We now fill in the details.
Define φ : [q] → Rq as follows. For every i ∈ [q], we define
* +
1 1 −(q − 1) 1
φ(i ) = , ,..., ,... .
q q q q
| {z }
i th position

That is, all but the i ’th position in φ(i ) ∈ Rq has a value of 1/q and the i th position has value
−(q − 1)/q.
Next, we record two properties of φ that follow immediately from its definition. For every
i ∈ [q],
(q − 1) (q − 1)2 (q − 1)
φ(i )2 = + = . (4.9)
q2 q2 q
Also for every i 6= j ∈ [q],

(q − 2) 2(q − 1) 1
〈φ(i ), φ( j )〉 = 2
− 2
=− . (4.10)
q q q

We are now ready to define our final map f : C → Rnq . For every c = (c 1 , . . . , c n ) ∈ C , define
s
q ¡ ¢
f (c) = · φ(c 1 ), φ(c 2 ), . . . , φ(c n ) .
n(q − 1)
q
q
(The multiplicative factor n(q−1) is to ensure that f (c) for any c ∈ C is a unit vector.)
To complete the proof, we will show that f satisfies the claimed properties. We begin with
condition 1. Note that
q Xn ¯ ¯
k f (c)k2 = · ¯φ(i )¯2 = 1,
(q − 1)n i =1
where the first equality follows from the definition of f and the second equality follows from
(4.9).
We now turn to the second condition. For notational convenience, define c1 = (x 1 , . . . , x n )
and c2 = (y 1 , . . . , y n ). Consider the following sequence of relations:

­ ® Xn ­ ®
f (c1 ), f (c2 ) = f (x ℓ ), f (y ℓ )
ℓ=1

93
 " # µ ¶
X ­ ® X ­ ® q
= φ(x ℓ ), φ(y ℓ ) + φ(x ℓ ), φ(y ℓ ) ·
ℓ:x ℓ 6= y ℓ ℓ:x ℓ =y ℓ n(q − 1)
" µ ¶ µ¶# µ ¶
X −1 X q −1 q
= + · (4.11)
ℓ:x ℓ 6= y ℓ q ℓ:x ℓ =y ℓ q n(q − 1)
· µ ¶ µ ¶¸ µ ¶
−1 q −1 q
= ∆(c1 , c2 ) + (n − ∆(c1 , c2 )) · (4.12)
q q n(q − 1)
µ ¶· ¸
q 1 q −1
= 1 − ∆(c1 , c2 ) +
n(q − 1) q q
µ ¶µ ¶
q ∆(c1 , c2 )
= 1− ,
q −1 n

as desired. In the above, (4.11) is obtained using (4.10) and (4.9) while (4.12) follows from the
definition of the Hamming distance. ✷

4.5 Exercises
Exercise 4.1. Pick a (n − k) × n matrix H over Fq at random. Show that with high probability the
code whose parity check matrix is H achieves the GV bound.

Exercise 4.2. Recall the definition of an ε-biased space from Exercise 2.14. Show that there exists
an ε-biased space of size O(k/ε2 ).

Hint: Recall part 1 of Exercise 2.14.

Exercise 4.3. Argue that a random linear code as well as its dual both lie on the corresponding
GV bound.

Exercise 4.4. In Section 4.2.2, we saw that random linear code meets the GV bound. It is natural
to ask the question for general random codes. (By a random (n, k)q code, we mean the follow-
ing: for each of the q k messages, pick a random vector from [q]n . Further, the choices for each
codeword is independent.) We will do so in this problem.

1. Prove that a random q-ary code with rate R > 0 with high probability has relative distance
δ ≥ H q−1 (1 − 2R − ε). Note that this is worse than the bound for random linear codes in
Theorem 4.2.1.

2. Prove that with high probability the relative distance of a random q-ary code of rate R is at
most H q−1 (1 − 2R) + ε. In other words, general random codes are worse than random linear
codes in terms of their distance.
Hint: Use Chebyshev’s inequality.

Exercise 4.5. We saw that Algorithm 6 can compute an (n, k)q code on the GV bound in time
q O(n) . Now the construction for linear codes is a randomized construction and it is natural to ask

94
how quickly can we compute an [n, k]q code that meets the GV bound. In this problem, we will
see that this can also be done in q O(n) deterministic time, though the deterministic algorithm is
not that straight-forward anymore.

1. Argue that Theorem 4.2.1 gives a q O(kn) time algorithm that constructs an [n, k]q code on
the GV bound. (Thus, the goal of this problem is to “shave" off a factor of k from the expo-
nent.)
,n
2. A k × n Toeplitz Matrix A = {A i , j }ki =1, j =1
satisfies the property that A i , j = A i −1, j −1 . In other
words, any diagonal has the same value. For example, the following is a 4 × 6 Toeplitz
matrix:  
1 2 3 4 5 6
 
 7 1 2 3 4 5 
 
 8 7 1 2 3 4 
9 8 7 1 2 3

A random k ×n Toeplitz matrix T ∈ Fk×n

q is chosen by picking the entries in the first row and
column uniformly (and independently) at random.
Prove the following claim: For any non-zero m ∈ Fkq , the vector m·T is uniformly distributed
£ ¤
over Fnq , that is for every y ∈ Fnq , Pr m · T = y = q −n .

Hint: Write down the expression for the value at each of the n positions in the vector m · T in terms of the
values in the first row and column of T . Think of the values in the first row and column as variables. Then
divide these variables into two sets (this “division" will depend on m) say S and S. Then argue the following:
for every fixed y ∈ Fnq and for every fixed assignment to variables in S, there is a unique assignment to variables
in S such that mT = y.

3. Briefly argue why the claim in part 2 implies that a random code defined by picking its
generator matrix as a random Toeplitz matrix with high probability lies on the GV bound.

4. Conclude that an [n, k]q code on the GV bound can be constructed in time q O(k+n) .

Exercise 4.6. Show that one can construct the parity check matrix of an [n, k]q code that lies on
the GV bound in time q O(n) .

Exercise 4.7. So far in Exercises 4.5 and 4.6, we have seen two constructions of [n, k]q code on the
GV bound that can be constructed in q O(n) time. For constant rate codes, at the time of writing of
this book, this is fastest known construction of any code that meets the GV bound. For k = o(n),
there is a better construction known, which we explore in this exercise.
We begin with some notation. For the rest of the exercise we will target a distance of d = δn.
Given a message m ∈ Fkq and an [n, k]q code C , define the indicator variable:
½
1 if w t (C (m)) < d
Wm (C ) =
0 otherwise.

95
Further, define X
D(C ) = Wm (C ).
m∈Fkq \{0}

We will also use D(G) and Wm (G) to denote the variables above for the code C generated by G.
Given an k × n matrix M , we will use M i to denote the i th column of M and M ≤i to denote
the column submatrix of M that contains the first i columns. Finally below we will use G to
denote a uniformly random k ×n generator matrix and G to denote a specific instantiation of the
generator matrix. We will arrive at the final construction in a sequence of steps. In what follows
define k < (1 − H q (δ))n for large enough n.
1. Argue that C has a distance d if and only if D(C ) < 1.

2. Argue that E [D(G )] < 1.

3. Argue that for any 1 ≤ i < n and fixed k × n matrix G,

h i h i
min E D(G )|G ≤i = G ≤i , G i +1 = v ≤ E D(G )|G ≤i = G ≤i .
v∈Fkq

4. We are now ready to define the algorithm to compute the final generator matrix G: see
Algorithm 7. Prove that Algorithm 7 outputs a matrix G such that the linear code generated

Algorithm 7 q O(k) time algorithm to compute a code on the GV bound

I NPUT: Integer parameters 1 ≤ k 6= n such that k < (1 − H q (δ)n)
O UTPUT: An k × n generator matrix G for a code with distance δn

1: Initialize G to be the all 0s matrix ⊲ This initialization is arbitrary

2: FOR every 1 ≤ i ≤ n DO
£ ¤
3: G i ← arg minv∈Fk E D(G )|G ≤i = G ≤i , G i +1 = v
q

4: RETURN G

by G is an [n, k, δn]q code. Conclude that this code lies on the GV bound.

5. Finally,¡we will
¢ analyze the run time of Algorithm 7. Argue that Step 2 can be¡implemented
¢
k
in poly n, q time. Conclude Algorithm 7 can be implemented in time poly n, q k .

Hint: It might be useful to maintain a data structure that keeps track of one number for every non-zero m ∈ Fkq
throughout the run of Algorithm 7.

Exercise 4.8. In this problem we will derive the GV bound using a graph-theoretic proof, which
is actually equivalent to the greedy proof we saw in Section 4.2.1. Let 1 ≤ d ≤ n and q ≥ 1 be
integers. Now consider the graph G n,d ,q = (V, E ), where the vertex set is the set of all vectors in
[q]n . Given two vertices u 6= v ∈ [q]n , we have the edge (u, v) ∈ E if and only if ∆(u, v) < d . An
independent set of a graph G = (V, E ) is a subset I ⊆ V such that for every u 6= v ∈ I , we have that
(u, v) is not an edge. We now consider the following sub-problems:

96
 1. Argue that any independent set C of G n,d ,q is a q-ary code of distance d .

2. The degree of a vertex in a graph G is the number of edges incident on that vertex. Let ∆ be
the maximum degree of any vertex in G = (V, E ).Then argue that G has an independent set
|V |
of size at least ∆+1 .

3. Using parts 1 and 2 argue the GV bound.

Exercise 4.9. In this problem we will improve slightly on the GV bound using a more sophisti-
cated graph-theoretic proof. Let G n,d ,q and N and ∆ be as in the previous exercise (Exercise 4.8).
So far we used the fact that G n,d ,q has many vertices and small degree to prove it has a large in-
dependent set, and thus to prove there is a large code of minimum distance d . In this exercise we
will see how a better result can be obtained by counting the number of “triangles” in the graph. A
triangle in a graph G = (V, E ) is a set {u, v, w} ⊂ V of three vertices such that all three vertices are
adjancent, i.e., (u, v), (v, w), (w, u) ∈ E . For simplicity we will focus on the case where q = 2 and
d = n/5, and consider the limit as n → ∞.

1. Prove that a graph on N vertices of maximum degree ∆ has at most O(N ∆2 ) triangles.

2. Prove that the number of triangle in graph G n,d ,2 is at most

à !
X n
2n · · 3e .
0≤e≤3d /2 e

Hint: Fix u and let e count the number of coordinates where at least one of v or w disagree
with u. Prove that e is at most 3d /2.

3. Simplify the expression in the case where d = n/5 to show that the number of triangles in
G n,n/5,2 is O(N · ∆2−η ) for some η > 0.

4. A famous result in the “probabilistic method” shows (and you don’t have to prove this), that
if a graph on N vertices of maximum degree ∆ has at most O(N ·∆2−η ) triangles, then it has
an independent set of size Ω( N
∆ log ∆). Use this result
¡ nto¢ conclude that there is a binary code
n
of block length n and distance n/5 of size Ω(n2 / n/5 ). (Note that this improves over the
GV-bound by an Ω(n) factor.)

Exercise 4.10. Use part 2 from Exercise 1.7 to prove the Singleton bound.

Exercise 4.11. Let C be an (n, k, d )q code. Then prove that fixing any n −d +1 positions uniquely
determines the corresponding codeword.

Exercise 4.12. Let C be a binary code of block length n and distance n/2. Then |C | ≤ 2n. (Note
that this is a factor 2 better than part 1 in Theorem 4.4.1.)

Exercise 4.13. Prove that the bound in Exercise 4.12 is tight– i.e. there exists binary codes C with
block length n and distance n/2 such that |C | = 2n.

97
Exercise 4.14. Prove that part 1 of Lemma 4.4.3 is tight.
Exercise 4.15. In this exercise we will prove the Plotkin bound (at least part 2 of Theorem 4.4.1)
via a purely combinatorial proof. ³ ´
Given an (n, k, d )q code C with d > 1 − q1 n define
X
S= ∆(c1 , c2 ).
c1 6=c2 ∈C

For the rest of the problem think of C has an |C | × n matrix where each row corresponds to a
codeword in C . Now consider the following:
1. Looking at the contribution of each column in the matrix above, argue that
µ ¶
1
S ≤ 1− · n|C |2 .
q

2. Look at the contribution of the rows in the matrix above, argue that

S ≥ |C | (|C | − 1) · d .

3. Conclude part 2 of Theorem 4.4.1.

Exercise 4.16. In this exercise, we will prove the so called Griesmer Bound. For any [n, k, d ]q ,
prove that
k−1 » ¼
X d
n≥ i
.
i =0 q

Hint: Recall Exercise 2.17.

Exercise 4.17. Use Exercise 4.16 to prove part 2 of Theorem 4.4.1 for linear codes.
Exercise 4.18. Use Exercise 4.16 to prove Theorem 4.3.1 for linear code.

4.6 Bibliographic Notes

Theorem 4.2.1 was proved for general codes by Edgar Gilbert ([49]) and for linear codes by Rom
Varshamov ([133]). Hence, the bound is called the Gilbert-Varshamov bound. The Singleton
bound (Theorem 4.3.1) is due to Richard C. Singleton [118]. For larger (but still constant) values
of q, better lower bounds than the GV bound are known. In particular, for any prime power
q ≥ 49, there exist linear codes, called algebraic geometric (or AG) codes that outperform the
corresponding GV bound3 . AG codes out of the scope of this book. One starting point could be
the following [74].
The proof method illustrated in Exercise 4.15has a name– double counting: in this specific
case this follows since we count S in two different ways.
3
The lower bound of 49 comes about as AG codes are only defined for q being a square (i.e. q = (q ′ )2 ) and it
turns out that q ′ = 7 is the smallest value where AG bound beats the GV bound.

98
Chapter 5

The Greatest Code of Them All:

Reed-Solomon Codes

In this chapter, we will study the Reed-Solomon codes. Reed-Solomon codes have been studied
a lot in coding theory. These codes are optimal in the sense that they meet the Singleton bound
(Theorem 4.3.1). We would like to emphasize that these codes meet the Singleton bound not
just asymptotically in terms of rate and relative distance but also in terms of the dimension,
block length and distance. As if this were not enough, Reed-Solomon codes turn out to be more
versatile: they have many applications outside of coding theory. (We will see some applications
later in the book.)
These codes are defined in terms of univariate polynomials (i.e. polynomials in one un-
known/variable) with coefficients from a finite field Fq . It turns out that polynomials over Fp ,
for prime p, also help us define finite fields Fp s , for s > 1. To kill two birds with one stone1 , we
first do a quick review of polynomials over finite fields. Then we will define and study some
properties of Reed-Solomon codes.

5.1 Polynomials and Finite Fields

We begin with the formal definition of a (univariate) polynomial.
P∞ i
Definition 5.1.1. Let Fq be a finite field with q elements. Then a function F (X ) = i =0 f i X , fi ∈
Fq is called a polynomial.
P
For our purposes, we will only consider the finite case; that is, F (X ) = di=0 f i X i for some
integer d > 0, with coefficients f i ∈ Fq , and f d 6= 0. For example, 2X 3 +X 2 +5X +6 is a polynomial
over F7 .
Next, we define some useful notions related to polynomials. We begin with the notion of
degree of a polynomial.
1
No birds will be harmed in this exercise.

99
 P
Definition 5.1.2. For F (X ) = di=0 f i X i with f d 6= 0, we call d the degree of F (X ). We denote the
degree of the polynomial F (X ) by deg(F ).

For example, 2X 3 + X 2 + 5X + 6 has degree 3.

Let Fq [X ] be the set of polynomials over Fq , that is, with coefficients from Fq . Let F (X ),G(X ) ∈
Fq [X ] be polynomials. Then Fq [X ] has the following natural operations defined on it:

Addition:
max(deg(F
X),deg(G))
F (X ) +G(X ) = ( f i + g i )X i ,
i =0

where the addition on the coefficients is done over Fq . For example, over F2 , X + (1 + X ) =
X · (1 + 1) + 1 · (0 + 1) = 1 (recall that over F2 , 1 + 1 = 0).2

Multiplication: Ã !
deg(F )+deg(G)
X min(iX
,deg(F ))
F (X ) · G(X ) = f j · gi −j X i ,
i =0 j =0

where all the operations on the coefficients are over Fq . For example, over F2 , X (1 + X ) =
X + X 2 ; (1+ X )2 = 1+2X + X 2 = 1+ X 2 , where the latter equality follows since 2 ≡ 0 mod 2.

Next, we define a root of a polynomial.

Definition 5.1.3. α ∈ Fq is a root of a polynomial F (X ), if F (α) = 0.

For instance, 1 is a root of 1 + X 2 over F2 .

We will also need the notion of a special class of polynomials, which are analogous to how
prime numbers are special for natural numbers.

Definition 5.1.4. A polynomial F (X ) is irreducible if for every G 1 (X ),G 2 (X ) such that F (X ) =

G 1 (X )G 2 (X ), we have min(deg(G 1 ), deg(G 2 )) = 0

For example, 1 + X 2 is not irreducible over F2 , as (1 + X )(1 + X ) = 1 + X 2 . However, 1 + X + X 2

is irreducible, since its non-trivial factors have to be from the linear terms X or X + 1. However,
it is easy to check that neither is a factor of 1 + X + X 2 . (In fact, one can show that 1 + X + X 2
is the only irreducible polynomial of degree 2 over F2 – see Exercise 5.1.) A word of caution: if
a polynomial E (X ) ∈ Fq [X ] has no root in Fq , it does not mean that E (X ) is irreducible. For
example consider the polynomial (1 + X + X 2 )2 over F2 – it does not have any root in F2 but it
obviously is not irreducible.
Just as the set of integers modulo a prime is a field, so is the set of polynomials modulo an
irreducible polynomial:

Theorem 5.1.5. Let E (X ) be an irreducible polynomial with degree at least 2 over Fp , p prime.
Then the set of polynomials in Fp [X ] modulo E (X ), denoted by Fp [X ]/E (X ), is a field.
2
This will be a good time to remember that operations over a finite field are much different from operations over
integers/reals. For example, over reals/integers X + (X + 1) = 2X + 1.

100
 The proof of the theorem above is similar to the proof of Lemma 2.1.4, so we only sketch the
proof here. In particular, we will explicitly state the basic tenets of Fp [X ]/E (X ).

• Elements are polynomials in Fp [X ] of degree at most s − 1. Note that there are p s such
polynomials.

• Addition: (F (X ) +G(X )) mod E (X ) = F (X ) mod E (X ) + G(X ) mod E (X ) = F (X ) + G(X ).

(Since F (X ) and G(X ) are of degree at most s − 1, addition modulo E (X ) is just plain poly-
nomial addition.)

• Multiplication: (F (X ) · G(X )) mod E (X ) is the unique polynomial R(X ) with degree at

most s − 1 such that for some A(X ), R(X ) + A(X )E (X ) = F (X ) · G(X )

• The additive identity is the zero polynomial, and the additive inverse of any element F (X )
is −F (X ).

• The multiplicative identity is the constant polynomial 1. It can be shown that for every
element F (X ), there exists a unique multiplicative inverse (F (X ))−1 .

For example, for p = 2 and E (X ) = 1+X +X 2 , F2 [X ]/(1+X +X 2 ) has as its elements {0, 1, X , 1+
X }. The additive inverse of any element in F2 [X ]/(1 + X + X 2 ) is the element itself while the
multiplicative inverses of 1, X and 1 + X in F2 [X ]/(1 + X + X 2 ) are 1, 1 + X and X respectively.
A natural question to ask is if irreducible polynomials exist for every degree. Indeed, they
do:

Theorem 5.1.6. For all s ≥ 2 and Fp , there exists an irreducible

µ s¶ polynomial of degree s over Fp . In
p
fact, the number of such irreducible polynomials is Θ .
s
The result is true even for general finite fields Fq and not just prime fields but we stated the
version over prime fields for simplicity. Given any monic 3 polynomial E (X ) of degree s, it can
s
be verified whether it is an irreducible polynomial by checking if gcd(E (X ), X q − X ) = E (X ).
This is true as every irreducible polynomial in Fq [X ] of degree exactly s divides the polynomial
s
X q − X (see Proposition D.5.14). Since Euclid’s algorithm for computing the gcd(F (X ),G(X ))
can be implemented in time polynomial in the minimum of deg(F ) and deg(G) and log q (see
Section D.7.2), this implies that checking whether a given polynomial of degree s over Fq [X ] is
irreducible can be done in time poly(s, log q).
This implies an efficient Las Vegas algorithm4 to generate an irreducible polynomial of de-
gree s over Fq . Note that the algorithm is to keep on generating random polynomials until it
comes
¡ ¢ across an irreducible polynomial (Theorem 5.1.6 implies that the algorithm will check
O p s polynomials in expectation). Algorithm 8 presents the formal algorithm.
The above discussion implies the following:
3
I.e. the coefficient of the highest degree term is 1. It is easy to check that if E (X ) = e s X s + e s−1 X s−1 + · · · + 1 is
irreducible, then e s−1 · E (X ) is also an irreducible polynomial.
4
A Las Vegas algorithm is a randomized algorithm which always succeeds and we consider its time complexity
to be its expected worst-case run time.

101
Algorithm 8 Generating Irreducible Polynomial
I NPUT: Prime power q and an integer s > 1
O UTPUT: A monic irreducible polynomial of degree s over Fq

1: b ← 0
2: WHILE b = 0 DO
P
3: F (X ) ← X s + is−1 i
=0 f i X , where each f i is chosen uniformly at random from Fq .
s
4: IF gcd(F (X ), X q − X ) = F (X ) THEN
5: b ← 1.
6: RETURN F (X )

Corollary 5.1.7. There is a Las Vegas algorithm to generate an irreducible polynomial of degree s
over any Fq in expected time poly(s, log q).
Now recall that Theorem 2.1.5 states that for every prime power p s , there a unique field Fp s .
This along with Theorems 5.1.5 and 5.1.6 imply that:
Corollary 5.1.8. The field Fp s is Fp [X ]/E (X ), where E (X ) is an irreducible polynomial of degree
s.

5.2 Reed-Solomon Codes

Recall that the Singleton bound (Theorem 4.3.1) states that for any (n, k, d )q code, k ≤ n − d + 1.
Next, we will study Reed-Solomon codes, which meet the Singleton bound, i.e. satisfy k = n −
d + 1 (but have the unfortunate property that q ≥ n). Note that this implies that the Singleton
bound is tight, at least for q ≥ n.
We begin with the definition of Reed-Solomon codes.
Definition 5.2.1 (Reed-Solomon code). Let Fq be a finite field. Let α1 , α2 , ...αn be distinct el-
ements (also called evaluation points) from Fq and choose n and k such that k ≤ n ≤ q. We
define an encoding function for Reed-Solomon code as RS : Fkq → Fnq as follows. A message m =
(m 0 , m 1 , ..., m k−1 ) with m i ∈ Fq is mapped to a degree k − 1 polynomial.
m 7→ f m (X ),
where
k−1
X
f m (X ) = mi X i . (5.1)
i =0
Note that f m (X ) ∈ Fq [X ] is a polynomial of degree at most k − 1. The encoding of m is the evalua-
tion of f m (X ) at all the αi ’s :
¡ ¢
RS(m) = f m (α1 ), f m (α2 ), ..., f m (αn ) .
We call this image Reed-Solomon code or RS code. A common special case is n = q − 1 with the
def
set of evaluation points being F∗ = F \ {0}.

102
 For example, the first row below are all the codewords in the [3, 2]3 Reed-Solomon codes
where the evaluation points are F3 (and the codewords are ordered by the corresponding mes-
sages from F23 in lexicographic order where for clarity the second row shows the polynomial
f m (X ) for the corresponding m ∈ F23 in gray):
(0,0,0), (1,1,1), (2,2,2), (0,1,2), (1,2,0), (2,0,1), (0,2,1), (1,0,2), (2,1,0)
0, 1, 2, X, X+1, X+2, 2X, 2X+1, 2X+2
Notice that by definition, the entries in {α1 , ..., αn } are distinct and thus, must have n ≤ q.
We now turn to some properties of Reed-Solomon codes.

Claim 5.2.2. RS codes are linear codes.

Proof. The proof follows from the fact that if a ∈ Fq and f (X ), g (X ) ∈ Fq [X ] are polynomials of
degree ≤ k −1, then a f (X ) and f (X )+ g (X ) are also polynomials of degree ≤ k −1. In particular,
let messages m1 and m2 be mapped to f m1 (X ) and f m2 (X ) where f m1 (X ), f m2 (X ) ∈ Fq [X ] are
polynomials of degree at most k − 1 and because of the mapping defined in (5.1), it is easy to
verify that:
f m1 (X ) + f m2 (X ) = f m1 +m2 (X ),
and
a f m1 (X ) = f am1 (X ).
In other words,
RS(m1 ) + RS(m2 ) = RS(m1 + m2 )

aRS(m1 ) = RS(am1 ).
Therefore RS is a [n, k]q linear code.

The second and more interesting claim is the following:

Claim 5.2.3. RS is a [n, k, n − k + 1]q code. That is, it matches the Singleton bound.

The claim on the distance follows from the fact that every non-zero polynomial of degree
k − 1 over Fq [X ] has at most k − 1 (not necessarily distinct) roots, which we prove first (see
Proposition 5.2.4 below). This implies that if two polynomials agree on more than k − 1 places
then they must be the same polynomial– note that this implies two polynomials when evaluated
at the same n points must differ in at least n−(k −1) = n−k +1 positions, which is what we want.

Proposition 5.2.4 (“Degree Mantra"). A nonzero polynomial f (X ) of degree t over a field Fq has
at most t roots in Fq

Proof. We will prove the theorem by induction on t . If t = 0, we are done. Now, consider f (X )
of degree t > 0. Let α ∈ Fq be a root such that f (α) = 0. If no such root α exists, we are done. If
there is a root α, then we can write

f (X ) = (X − α)g (X )

103
where deg(g ) = deg( f ) − 1 (i.e. X − α divides f (X )). Note that g (X ) is non-zero since f (X ) is
non-zero. This is because by the fundamental rule of division of polynomials:

f (X ) = (X − α)g (X ) + R(X )

where deg(R) ≤ 0 (as the degree cannot be negative this in turn implies that deg(R) = 0) and
since f (α) = 0,
f (α) = 0 + R(α),
which implies that R(α) = 0. Since R(X ) has degree zero (i.e. it is a constant polynomial), this
implies that R(X ) ≡ 0.
Finally, as g (X ) is non-zero and has degree t − 1, by induction, g (X ) has at most t − 1 roots,
which implies that f (X ) has at most t roots.

We are now ready to prove Claim 5.2.3

Proof of Claim 5.2.3. We start by proving the claim on the distance. Fix arbitrary m1 6= m2 ∈
Fkq . Note that f m1 (X ), f m2 (X ) ∈ Fq [X ] are distinct polynomials of degree at most k − 1 since
m1 6= m2 ∈ Fkq . Then f m1 (X ) − f m2 (X ) 6= 0 also has degree at most k − 1. Note that w t (RS(m2 ) −
RS(m1 )) = ∆(RS(m1 ), RS(m2 )). The weight of RS(m2 )−RS(m1 ) is n minus the number of zeroes
in RS(m2 ) − RS(m1 ), which is equal to n minus the number of roots that f m1 (X ) − f m2 (X ) has
among {α1 , ..., αn }. That is,

∆(RS(m1 ), RS(m2 )) = n − |{αi | f m1 (αi ) = f m2 (αi )}|.

By Proposition 5.2.4, f m1 (X ) − f m2 (X ) has at most k − 1 roots. Thus, the weight of RS(m2 ) −

RS(m1 ) is at least n − (k − 1) = n − k + 1. Therefore d ≥ n − k + 1, and since the Singleton bound
(Theorem 4.3.1) implies that d ≤ n−k+1, we have d = n−k+1.5 The argument above also shows
that distinct polynomials f m1 (X ), f m2 (X ) ∈ Fq [X ] are mapped to distinct codewords. (This is
because the Hamming distance between any two codewords is at least n − k + 1 ≥ 1, where the
last inequality follows as k ≤ n.) Therefore, the code contains q k codewords and has dimension
k. The claim on linearity of the code follows from Claim 5.2.2. ✷
Recall that the Plotkin bound (Corollary 4.4.2) implies that to achieve the Singleton bound,
the alphabet size cannot be a constant. Thus, some dependence of q on n in Reed-Solomon
codes is unavoidable.
Let us now find a generator matrix for RS codes (which exists by Claim 5.2.2). By Defi-
nition 5.2.1, any basis f m1 , ..., f mk of polynomial of degree at most k − 1 gives rise to a basis
RS(m1 ), ..., RS(mk ) of the code. A particularly nice polynomial basis is the set of monomials
1, X , ..., X i , ..., X k−1 . The corresponding generator matrix, whose i th row (numbering rows from
0 to k − 1 ) is
(αi1 , αi2 , ..., αij , ..., αin )
and this generator matrix is called the Vandermonde matrix of size k × n:
5
See Exercise 5.3 for an alternate direct argument.

104
  
1 1 1 1 1 1
 α α2 · · · αj · · · αn 
 1 
 2 
 α1 α22 · · · α2j · · · α2n 
 
 .. .. .. .. .. .. 
 . . . . . . 
 i 
 α α i
· · · αij · · · αin 
 1 2 
 . . .. .. .. .. 
 .. .. . . . . 


αk−1
1 αk−1
2
k−1
· · · αj · · · αk−1
n

The class of codes that match the Singleton bound have their own name, which we define
and study next.

5.3 A Property of MDS Codes

Definition 5.3.1 (MDS codes). An (n, k, d )q code is called Maximum Distance Separable (MDS)
if d = n − k + 1.

Thus, Reed-Solomon codes are MDS codes.

Next, we prove an interesting property of an MDS code C ⊆ Σn with integral dimension k.
We begin with the following notation.

Definition 5.3.2. For any subset of indices S ⊆ [n] of size exactly k and a code C ⊆ Σn , C S is the
set of all codewords in C projected onto the indices in S.

MDS codes have the following nice property that we shall prove for the special case of Reed-
Solomon codes first and subsequently for the general case as well.

Proposition 5.3.3. Let C ⊆ Σn of integral dimension k be an MDS code, then for all S ⊆ [n] such
that |S| = k, we have |C S | = Σk .

Before proving Proposition 5.3.3 in its full generality, we present its proof for the special case of
Reed-Solomon codes.
Consider any S ⊆ [n] of size k and fix an arbitrary v = (v 1 , . . . , v k ) ∈ Fkq , we need to show that
there exists a codeword c ∈ RS (assume that the RS code evaluates polynomials of degree at
most k − 1 over α1 , . . . , αn ⊆ Fq ) such that cS = v. Consider a generic degree k − 1 polynomial
P
F (X ) = k−1 i
i =0 f i X . Thus, we need to show that there exists F (X ) such that F (αi ) = v i for all i ∈
S, where |S| = k.

For notational simplicity, assume that S = [k]. We think of f i ’s as unknowns in the equations
that arise out of the relations F (αi ) = v i . Thus, we need to show that there is a solution to the
following system of linear equations:

105
    
1 1 1 v1
 α1 αi αk   v2 
   
¡ ¢   
p 0 p 1 · · · p k−1  α21 α2i α2k  =  v3 
 .. .. ..   .. 
   
 . . .   . 
αk−1
1 αk−1
i
αk−1
k
vk
The above constraint matrix is a Vandermonde matrix and is known to have full rank (see Ex-
ercise 5.7). Hence, by Exercise 2.6, there always exists a unique solution for (p 0 , . . . , p k−1 ). This
completes the proof for Reed-Solomon codes.

Next, we prove the property for the general case which is presented below

Proof of Proposition 5.3.3. Consider a |C | × n matrix where each row represents a codeword
in C . Hence, there are |C | = |Σ|k rows in the matrix. The number of columns is equal to the
block length n of the code. Since C is Maximum Distance Separable, its distance d = n − k + 1.

Let S ⊆ [n] be of size exactly k. It is easy to see that for any ci 6= c j ∈ C , the corresponding
j
projections ciS and cS ∈ C S are not the same. As otherwise △(ci , c j ) ≤ d −1, which is not possible
as the minimum distance of the code C is d . Therefore, every codeword in C gets mapped to a
distinct codeword in C S . As a result, |C S | = |C | = |Σ|k . As C S ⊆ Σk , this implies that C S = Σk , as
desired. ✷
Proposition 5.3.3 implies an important property in pseudorandomness: see Exercise 5.8 for
more.

5.4 Exercises
Exercise 5.1. Prove that X 2 + X + 1 is the unique irreducible polynomial of degree two over F2 .
Exercise 5.2. Argue that any function f : Fq → Fq is equivalent to a polynomial P (X ) ∈ Fq [X ] of
degree at most q − 1: that is, for every α ∈ Fq
f (α) = P (α).
Exercise 5.3. For any [n, k]q Reed-Solomon code, exhibit two codewords that are at Hamming
distance exactly n − k + 1.
Exercise 5.4. Let RSF∗q [n, k] denote the Reed-Solomon code over Fq where the evaluation points
is Fq (i.e. n = q). Prove that
³ ´⊥
RSFq [n, k] = RSFq [n, n − k],
that is, the dual of these Reed-Solomon codes are Reed-Solomon codes themselves. Conclude that
Reed-Solomon codes contain self-dual codes (see Exercise 2.31 for a definition).

Hint: Exercise 2.2 might be useful.

106
Exercise 5.5. Since Reed-Solomon codes are linear codes, by Proposition 2.3.5, one can do error
detection for Reed-Solomon codes in quadratic time. In this problem, we will see that one can
design even more efficient error detection algorithm for Reed-Solomon codes. In particular, we
will consider data streaming algorithms (see Section 22.5 for more motivation on this class of al-
gorithms). A data stream algorithm makes a sequential pass on the input, uses poly-logarithmic
space and spend only poly-logarithmic time on each location in the input. In this problem we
show that there exists a randomized data stream algorithm to solve the error detection problem
for Reed-Solomon codes.

1. Give a randomized data stream algorithm that given as input a sequence (i 1 , α1 ), . . . , (i n , αn ) ∈

P
[m] × Fq that implicitly defines y ∈ Fm
q , where for any ℓ ∈ [m], y ℓ = j ∈[n]|i j =ℓ αℓ , decides
whether y = 0 with probability at least 2/3. Your algorithm should use O(log q(m + n))
space and polylog(q(m + n)) time per position of y. For simplicity, you can assume that
given an integer t ≥ 1 and prime power q, the algorithm has oracle access to an irreducible
polynomial of degree t over Fq .
Hint: Use Reed-Solomon codes.

2. Given [q, k]q Reed-Solomon code C (i.e. with the evaluation points being Fq ), present a
data stream algorithm for error detection of C with O(log q) space and polylogq time per
position of the received word. The algorithm should work correctly with probability at least
2/3. You should assume that the data stream algorithm has access to the values of k and q
(and knows that C has Fq as its evaluation points).
Hint: Part 1 and Exercise 5.4 should be helpful.

Exercise 5.6. We have defined Reed-Solomon in this chapter and Hadamard codes in Section 2.6.
In this problem we will prove that certain alternate definitions also suffice.

1. Consider the Reed-Solomon code over a field Fq and block length n = q − 1 defined as

RSF∗q [n, k, n − k + 1] = {(p(1), p(α), . . . , p(αn−1 )) | p(X ) ∈ F[X ] has degree ≤ k − 1}

where α is the generator of the multiplicative group F∗ of F.6

Prove that

RSF∗q [n, k, n − k + 1] = {(c 0 , c 1 , . . . , c n−1 ) ∈ Fn | c(αℓ ) = 0 for 1 ≤ ℓ ≤ n − k ,

where c(X ) = c 0 + c 1 X + · · · + c n−1 X n−1 } . (5.2)

Hint: Exercise 2.2 might be useful.

2. Recall that the [2r , r, 2r −1 ]2 Hadamard code is generated by the r × 2r matrix whose i th (for
0 ≤ i ≤ 2r − 1) column is the binary representation of i . Briefly argue that the Hadamard
6
This means that F∗q = {1, α, . . . , αn−1 }. Further, αn = 1.

107
 codeword for the message (m 1 , m 2 , . . . , m r ) ∈ {0, 1}r is the evaluation of the (multivariate)
polynomial m 1 X 1 + m 2 X 2 + · · · + m r X r (where X 1 , . . . , X r are the r variables) over all the
possible assignments to the variables (X 1 , . . . , X r ) from {0, 1}r .
Using the definition of Hadamard codes above (re)prove the fact that the code has distance
2r −1 .
Exercise 5.7. Prove that the k × k Vandermonde matrix (where the (i , j )th entry is αij ) has full
rank (where α1 , . . . , αk are distinct).
Exercise 5.8. A set S ⊆ Fnq is said to be a t -wise independent source (for some 1 ≤ t ≤ n) if given
a uniformly random sample (X 1 , . . . , X n ) from S, the n random variables are t -wise independent:
i.e. any subset of t variables are uniformly independent random variables over Fq . We will explore
properties of these objects in this exercise.
1. Argue that the definition of t -wise independent source is equivalent to the definition in
Exercise 2.13.

2. Argue that for any k ≥ 1, any [n, k]q code C is a 1-wise independent source.

3. Prove that any [n, k]q MDS code is a k-wise independent source.

4. Using part 3 or otherwise prove that there exists a k-wise independent source over F2 of
size at most (2n)k . Conclude that k(log2 n + 1) uniformly and independent random bits
are enough to compute n random bits that are k-wise independent. Improve the bound
slightly to show that k(log2 n − log2 log2 n + O(1))-random bits are enough to generate k-
wise independent source over F2 .

5. For 0 < p ≤ 1/2, we say the n binary random variables X 1 , . . . , X n are p-biased and t -
wise independent if any of the t random variables are independent and Pr [X i = 1] = p
for every i ∈ [n]. For the rest of the problem, let p be a power of 1/2. Then show that
any t · log2 (1/p)-wise independent random variables can be converted into t -wise inde-
pendent p-biased random
¡ variables.
¢ Conclude that one can construct such sources with
t log2 (1/p)(1+log2 n log2 (1/p) ) uniformly random bits. Then improve this bound to t (1+
max(log2 (1/p), log2 n)) uniformly random bits.
Exercise 5.9. In many applications, errors occur in “bursts"– i.e. all the error locations are con-
tained in a contiguous region (think of a scratch on a DVD or disk). In this problem we will use
how one can use Reed-Solomon codes to correct bursty errors.
An error vector e ∈ {0, 1}n is called a t -single burst error pattern if all the non-zero bits in e
occur in the range [i , i + t − 1] for some 1 ≤ i ≤ n = t + 1. Further, a vector e ∈ {0, 1}n is called a
(s, t )-burst error pattern if it is the union of at most s t -single burst error pattern (i.e. all non-zero
bits in e are contained in one of at most s contiguous ranges in [n]).
We call a binary code C ⊆ {0, 1}n to be (s, t )-burst error correcting if one can uniquely decode
from any (s, t )-burst error pattern. More precisely, given an (s, t )-burst error pattern e and any
codeword c ∈ C , the only codeword c′ ∈ C such that (c + e) − c′ is an (s, t )-burst error pattern
satisfies c′ = c.

108
 1. Argue that if C is (st )-error correcting (in the sense of Definition 1.3.5), then it is also (s, t )-
2
burst error correcting. Conclude that for any ε > 0, there exists code with rate ¢ ) and
¡ 1 Ω(ε
block length n that is (s, t )-burst error correcting for any s, t such that s · t ≤ 4 − ε · n.

2. Argue that for any rate R > 0 and for³large´ enough n, there exist (s, t )-burst error correcting
¡ ¢ log n
as long as s ·t ≤ 1−R−ε
2
·n and t ≥ Ω ε . In particular, one can correct from 12 −ε fraction
of burst-errors (as long as each burst is “long enough") with rate Ω(ε) (compare this with
item 1).
Hint: Use Reed-Solomon codes.

Exercise 5.10. In this problem we will look at a very important class of codes called BCH codes7 .
Let F = F2m . Consider the binary code C BCH defined as RSF [n, k, n − k + 1] ∩ Fn2 .

1. Prove that C BCH is a binary linear code of distance at least d = n − k + 1 and dimension at
least n − (d − 1) log2 (n + 1).

Hint: Use the characterization (5.2) of the Reed-Solomon code from Exercise 5.6.
l m
d −1
2. Prove a better lower bound of n − 2 log2 (n + 1) on the dimension of C BCH .

Hint: Try to find redundant checks among the “natural” parity checks defining C BCH ).

3. For d = 3, C BCH is the same as another code we have seen. What is that code?

4. For constant d (and growing n), prove that C BCH have nearly optimal dimension for dis-
tance d , in that the dimension cannot be n − t log2 (n + 1) for t < d −1
2 .
l m
Exercise 5.11. Show that for 1 ≤ k ≤ n, k2 log2 (n +1) random bits are enough to compute n-bits
that are k-wise independent. Note that this is an improvement of almost a factor of 2 from the
bound from Exercise 5.8 part 4 (and this new bound is known to be optimal).
Hint: Use Exercises 2.13 and 5.10.

Exercise 5.12. In this exercise, we continue in the theme of Exercise 5.10 and look at the inter-
section of a Reed-Solomon code with Fn2 to get a binary code. Let F = F2m . Fix positive integers
d , n with (d − 1)m < n < 2m , and a set S = {α1 , α2 , . . . , αn } of n distinct nonzero elements of F. For
a vector v = (v 1 , . . . , v n ) ∈ (F∗ )n of n not necessarily distinct nonzero elements from F, define the
Generalized Reed-Solomon code GRSS,v,d as follows:

GRSS,v,d = {(v 1 p(α1 ), v 2 p(α2 ), . . . , v n p(αn )) | p(X ) ∈ F[X ] has degree ≤ n − d } .

1. Prove that GRSS,v,d is an [n, n − d + 1, d ]F linear code.

2. Argue that GRSS,v,d ∩ Fn2 is a binary linear code of rate at least 1 − (d −1)m
n .
7
The acronym BCH stands for Bose-Chaudhuri-Hocquenghem, the discoverers of this family of codes.

109
 3. Let c ∈ Fn2 be a nonzero binary vector. Prove that (for every choice of d , S) there are at most
(2m − 1)n−d +1 choices of the vector v for which c ∈ GRSS,v,d .

4. Using the above, prove that if the integer D satisfies Vol2 (n, D − 1) < (2m − 1)d −1 (where
PD−1 ¡n ¢
Vol2 (n, D − 1) = i =0 i ), then there exists a vector v ∈ (F∗ )n such that the minimum dis-
tance of the binary code GRSS,v,d ∩ Fn2 is at least D.

5. Using parts 2 and 4 above (or otherwise), argue that the family of codes GRSS,v,d ∩ Fn2 con-
tains binary linear codes that meet the Gilbert-Varshamov bound.

Exercise 5.13. In this exercise we will show that the dual of a GRS code is a GRS itself with differ-
ent parameters. First, we state the obvious definition of GRS codes over a general finite field Fq (as
opposed to the definition over fields of characteristic two in Exercise 5.12). In particular, define
the code GRSS,v,d ,q as follows:

GRSS,v,d ,q = {(v 1 p(α1 ), v 2 p(α2 ), . . . , v n p(αn )) | p(X ) ∈ Fq [X ] has degree ≤ n − d } .

Then show that ¡ ¢⊥

GRSS,v,d ,q = GRSS,v′ ,n−d +2,q ,
where v′ ∈ Fnq is a vector with all non-zero components.

Exercise 5.14. In Exercise 2.16, we saw that any linear code can be converted in to a systematic
code. In other words, there is a map to convert Reed-Solomon codes into a systematic one. In
this exercise the goal is to come up with an explicit encoding function that results in a systematic
Reed-Solomon code.
In particular, given the set of evaluation points α1 , . . . , αn , design an explicit map f from Fkq
to a polynomial of degree at most k −1 such that the following holds. For every message m ∈ Fkq , if
¡ ¢
the corresponding polynomial is f m (X ), then the vector f m (αi ) i ∈[n] has the message m appear
in the corresponding codeword (say in its first k positions). Further, argue that this map results in
an [n, k, n − k + 1]q code.

Exercise 5.15. In this problem, we will consider the number-theoretic counterpart of Reed-Solomon
Q
codes. Let 1 ≤ k < n be integers and let p 1 < p 2 < · · · < p n be n distinct primes. Denote K = ki=1 p i
Q
and N = ni=1 p i . The notation ZM stands for integers modulo M , i.e., the set {0, 1, . . . , M −1}. Con-
sider the Chinese Remainder code defined by the encoding map E : ZK → Zp 1 × Zp 2 × · · · × Zp n
defined by:
E (m) = (m mod p 1 , m mod p 2 , · · · , m mod p n ) .
(Note that this is not a code in the usual sense we have been studying since the symbols at different
positions belong to different alphabets. Still notions such as distance of this code make sense and
are studied in the question below.)
Suppose that m 1 6= m 2 . For 1 ≤ i ≤ n, define the indicator variable b i = 1 if E (m 1 )i 6= E (m 2 )i
Q b
and b i = 0 otherwise. Prove that ni=1 p i i > N /K .
Use the above to deduce that when m 1 6= m 2 , the encodings E (m 1 ) and E (m 2 ) differ in at least
n − k + 1 locations.

110
Exercise 5.16. In this problem, we will consider derivatives over a finite field Fq . Unlike the
case of derivatives over reals, derivatives over finite fields do not have any physical interpretation
but as we shall see shortly, the notion of derivatives over finite fields is still a useful concept. In
P
particular, given a polynomial f (X ) = it =0 f i X i over Fq , we define its derivative as

tX
−1
f ′ (X ) = (i + 1) · f i +1 · X i .
i =0

Further, we will denote by f (i ) (X ), the result of applying the derivative on f i times. In this prob-
lem, we record some useful facts about derivatives.
Pt i
1. Define R(X , Z ) = f (X + Z ) = i =0 r i (X ) · Z . Then for any j ≥ 1,

f ( j ) (X ) = j ! · r j (X ).

2. Using part 1 or otherwise, show that for any j ≥ char(Fq ),8 f ( j ) (X ) ≡ 0.

3. Let j ≤ char(Fq ). Further, assume that for every 0 ≤ i < j , f (i ) (α) = 0 for some α ∈ Fq . Then
prove that (X − α) j divides f (X ).

4. Finally, we will prove the following generalization of the degree mantra (Proposition 5.2.4).
¥Let
t
¦f (X ) be a non-zero polynomial of degree
(j)
t and m ≤ char(Fq ). Then there exists at most
m distinct elements α ∈ Fq such that f (α) = 0 for every 0 ≤ j < m.

Exercise 5.17. In this exercise, we will consider a code that is related to Reed-Solomon codes and
uses derivatives from Exercise 5.16. These codes are called derivative codes.
Let m ≥ 1 be an integer parameter and consider parameters k < char(Fq ) and n such that
m < k < nm. Then the derivative code with parameters (n, k, m) is defined as follow. Consider
any message m ∈ Fkq and let f m (X ) be the message polynomial as defined for the Reed-Solomon
code. Let α1 , . . . , αn ∈ Fq be distinct elements. Then the codeword for m is given by
 
f m (α1 ) f m (α2 ) ··· f m (αn )
 (1) (1) (1) 
 fm (α1 ) fm (α2 ) ··· fm (αn ) 
 .. .. .. .. .
 
 . . . . 
(m−1) (m−1) (m−1)
fm (α1 ) fm (α2 ) · · · fm (αn )
h j ki
k
Prove that the above code is an n, m , n − k−1
m -code (and is thus MDS).
qm

Exercise 5.18. In this exercise, we will consider another code related to Reed-Solomon codes that
are called Folded Reed-Solomon codes. We will see a lot more of these codes in Chapter 18.
8
char(Fq ) denotes the characteristic of Fq . That is, if q = p s for some prime p, then char(Fq ) = p. Any natural
number i in Fq is equivalent to i mod char(Fq ).

111
 Let m ≥ 1 be an integer parameter and let α1 , . . . , αn ∈ Fq are distinct elements such that for
some element γ ∈ F∗q , the sets
{αi , αi γ, αi γ2 , . . . , αi γm−1 }, (5.3)
are pair-wise disjoint for different i ∈ [n]. Then the folded Reed-Solomon code with parameters
(m, k, n, γ, α1 , . . . , αn ) is defined as follows. Consider any message m ∈ Fkq and let f m (X ) be the
message polynomial as defined for the Reed-Solomon code. Then the codeword for m is given by:
 
f m (α1 ) f m (α2 ) ··· f m (αn )
 f m (α1 · γ) f m (α2 · γ) ··· f m (αn · γ) 
 
 .. .. .. .. .
 . . . . 
f m (α1 · γm−1 ) f m (α2 · γm−1 ) · · · f m (αn · γm−1 )
h j ki
k
Prove that the above code is an n, m , n − k−1m m
-code (and is thus, MDS).
q

Exercise 5.19. In this problem we will see that Reed-Solomon codes, derivative codes (Exer-
cise 5.17) and folded Reed-Solomon codes (Exercise 5.18) are all essentially special cases of a large
family of codes that are based on polynomials. We begin with the definition of these codes.
Let m ≥ 1 be an integer parameter and define m < k ≤ n. Further, let E 1 (X ), . . . , E n (X ) be
n polynomials over Fq , each of degree m. Further, these polynomials pair-wise do not have any
non-trivial factors (i.e. gcd(E i (X ), E j (X )) has degree 0 for every i 6= j ∈ [n].) Consider any message
m ∈ Fkq and let f m (X ) be the message polynomial as defined for the Reed-Solomon code. Then the
codeword for m is given by:
¡ ¢
f m (X ) mod E 1 (X ), f m (X ) mod E 2 (X ), . . . , f m (X ) mod E n (X ) .

In the above we think of f m (X ) mod E i (X ) as an element of Fq m . In particular, given given a

polynomial of degree at most m − 1, we will consider any bijection between the q m such poly-
nomials and Fq m . We will first see that this code is MDS and then we will see why it contains
Reed-Solomon and related codes as special cases.
h j ki
k
1. Prove that the above code is an n, m , n − k−1
m m
-code (and is thus, MDS).
q

2. Let α1 , . . . , αn ∈ Fq be distinct elements. Define E i (X ) = X − αi . Argue that for this special

case the above code (with m = 1) is the Reed-Solomon code.

3. Let α1 , . . . , αn ∈ Fq be distinct elements. Define E i (X ) = (X −αi )m . Argue that for this special
case the above code is the derivative code (with an appropriate mapping from polynomials
of degree at most m − 1 and Fm q , where the mapping could be different for each i ∈ [n] and
can depend on E i (X )).

4. Let α1 , . . . , αn ∈ Fq be distinct elements and γ ∈ F∗q such that (5.3) is satisfied. Define E i (X ) =
Qm−1 j
j =0 (X −αi ·γ ). Argue that for this special case the above code is the folded Reed-Solomon
code (with an appropriate mapping from polynomials of degree at most m − 1 and Fm q ,
where the mapping could be different for each i ∈ [n] and can depend on E i (X )).

112
Exercise 5.20. In this exercise we will develop a sufficient condition to determine the irreducibil-
ity of certain polynomials called the Eisenstein’s criterion.
Let F (X , Y ) be a polynomial of Fq . Think of this polynomial as over X with coefficients as
polynomials in Y over Fq . Technically, we think of the coefficients as coming from the ring of
polynomials in Y over Fq . We will denote the ring of polynomials in Y over Fq as Fq (Y ) and we
will denote the polynomials in X with coefficients from Fq (Y ) as Fq (Y )[X ].
In particular, let
F (X , Y ) = X t + f t −1 (Y ) · X t −1 + · · · + f 0 (Y ),

where each f i (Y ) ∈ Fq (Y ). Let P (Y ) be a prime for Fq (Y ) (i.e. P (Y ) has degree at least one and if
P (Y ) divides A(Y ) · B (Y ) then P (Y ) divides at least one of A(Y ) or B (Y )). If the following condi-
tions hold:

(i) P (Y ) divides f i (Y ) for every 0 ≤ i < t ; but

(ii) P 2 (Y ) does not divide f 0 (Y )

then F (X , Y ) does not have any non-trivial factors over Fq (Y )[X ] (i.e. all factors have either degree
t or 0 in X ).
In the rest of the problem, we will prove this result in a sequence of steps:

1. For the sake of contradiction assume that F (X , Y ) = G(X , Y ) · H (X , Y ) where

t1
X t2
X
G(X , Y ) = g i (Y ) · X I and H (X , Y ) = h i (Y ) · X i ,
i =0 i =0

where 0 < t 1 , t 2 < t . Then argue that P (Y ) does not divide both of g 0 (Y ) and h 0 (Y ).
For the rest of the problem WLOG assume that P (Y ) divides g 0 (Y ) (and hence does not
divide h 0 (Y )).

2. Argue that there exists an i ∗ such that P (Y ) divide g i (Y ) for every 0 ≤ i < i ∗ but P (Y ) does
not divide g i ∗ (Y ) (define g t (Y ) = 1).

3. Argue that P (Y ) does not divide f i (Y ). Conclude that F (X , Y ) does not have any non-trivial
factors, as desired.

Exercise 5.21. We have mentioned objects called algebraic-geometric (AG) codes, that generalize
Reed-Solomon codes and have some amazing properties: see for example, Section 4.6. The objec-
tive of this exercise is to construct one such AG code, and establish its rate vs distance trade-off.
Let p be a prime and q = p 2 . Consider the equation

Y p + Y = X p+1 (5.4)

over Fq .

113
 1. Prove that there are exactly p 3 solutions in Fq × Fq to (5.4). That is, if S ⊆ F2q is defined as
n o
S = (α, β) ∈ F2q | βp + β = αp+1

then |S| = p 3 .

2. Prove that the polynomial F (X , Y ) = Y p + Y − X p+1 is irreducible over Fq .

Hint: Exercise 5.20 could be useful.

3. Let n = p 3 . Consider the evaluation map ev : Fq [X , Y ] → Fnq defined by

ev( f ) = ( f (α, β) : (α, β) ∈ S) .
Argue that if f 6= 0 and is not divisible by Y p + Y − X p+1 , then ev( f ) has Hamming weight
at least n − deg( f )(p + 1), where deg( f ) denotes the total degree of f .
Hint: You are allowed to make use of Bézout’s theorem, which states that if f , g ∈ Fq [X , Y ] are nonzero
polynomials with no common factors, then they have at most deg( f )deg(g ) common zeroes.

4. For an integer parameter ℓ ≥ 1, consider the set Fℓ of bivariate polynomials

© ª
Fℓ = f ∈ Fq [X , Y ] | deg( f ) ≤ ℓ, deg X ( f ) ≤ p
where deg X ( f ) denotes the degree of f in X .
p(p+1)
Argue that Fℓ is an Fq -linear space of dimension (ℓ + 1)(p + 1) − 2
.

5. Consider the code C ⊆ Fnq for n = p 3 defined by

© ª
C = ev( f ) | f ∈ Fℓ .
Prove that C is a linear code with minimum distance at least n − ℓ(p + 1).

6. Deduce a construction of an [n, k]q code with distance d ≥ n − k + 1 − p(p − 1)/2.

(Note that Reed-Solomon codes have d = n −k +1, whereas these codes are off by p(p −1)/2
from the Singleton bound. However they are much longer than Reed-Solomon codes, with
a block length of n = q 3/2 , and the deficiency from the Singleton bound is only o(n).)

5.5 Bibliographic Notes

Reed-Solomon codes were invented by Irving Reed and Gus Solomon [108]. Even though Reed-
Solomon codes need q ≥ n, they are used widely in practice. For example, Reed-Solomon codes
are used in storage of information in CDs and DVDs. This is because they are robust against
burst-errors that come in contiguous manner. In this scenario, a large alphabet is then a good
thing since bursty errors will tend to corrupt the entire symbol in Fq unlike partial errors, e.g.
errors over bits. (See Exercise 5.9.)
It is a big open question to present a deterministic algorithm to compute an irreducible
polynomial of a given degree with the same time complexity as in Corollary 5.1.7. Such results
are known in general if one is happy with polynomial dependence on q instead of log q. See the
book by Shoup [117] for more details.

114
Chapter 6

What Happens When the Noise is Stochastic:

Shannon’s Theorem

Shannon was the first to present a rigorous mathematical framework for communication, which
(as we have already seen) is the problem of reproducing at one point (typically called the “re-
ceiver" of the channel) a message selected at another point (called the “sender" to the channel).
Unlike Hamming, Shannon modeled the noise stochastically, i.e. as a well defined random pro-
cess. He proved a result that pin-pointed the best possible rate of transmission of information
over a very wide range of stochastic channels. In fact, Shannon looked at the communication
problem at a higher level, where he allowed for compressing the data first (before applying any
error-correcting code), so as to minimize the amount of symbols transmitted over the channel.
In this chapter, we will study some stochastic noise models most of which were proposed
by Shannon. We then prove an optimal tradeoff between the rate and fraction of errors that are
correctable for a specific stochastic noise model called the Binary Symmetric Channel.

6.1 Overview of Shannon’s Result

Shannon introduced the notion of reliable communication1 over noisy channels. Broadly, there
are two types of channels that were studied by Shannon:

• (Noisy Channel) This type of channel introduces errors during transmission, which result
in an incorrect reception of the transmitted signal by the receiver. Redundancy is added
at the transmitter to increase reliability of the transmitted data. The redundancy is taken
off at the receiver. This process is termed as Channel Coding.

• (Noise-free Channel) As the name suggests, this channel does not introduce any type of
error in transmission. Redundancy in source data is used to compress the source data at
the transmitter. The data is decompressed at the receiver. The process is popularly known
as Source Coding.
1
That is, the ability to successfully send the required information over a channel that can lose or corrupt data.

115
Figure 6.1 presents a generic model of a communication system, which combines the two con-
cepts we discussed above.

Source Channel
Message
Encoder Encoder

Channel
Source Channel
(Decoded) Message
Decoder Decoder

Figure 6.1: The communication process

In Figure 6.1, source coding and channel coding are coupled. In general, to get the optimal
performance, it makes sense to design both the source and channel coding schemes simultane-
ously. However, Shannon’s source coding theorem allows us to decouple both these parts of the
communication setup and study each of these parts separately. Intuitively, this makes sense:
if one can have reliable communication over the channel using channel coding, then for the
source coding the resulting channel effectively has no noise.
For source coding, Shannon proved a theorem that precisely identifies the amount by which
the message can be compressed: this amount is related to the entropy of the message. We will
not talk much more about source coding in in this book. (However, see Exercises 6.10, 6.11
and 6.12.) From now on, we will exclusively focus on the channel coding part of the commu-
nication setup. Note that one aspect of channel coding is how we model the channel noise. So
far we have seen Hamming’s worst case noise model in some detail. Next, we will study some
specific stochastic channels.

6.2 Shannon’s Noise Model

Shannon proposed a stochastic way of modeling noise. The input symbols to the channel are
assumed to belong to some input alphabet X , while the channel outputs symbols from its out-
put alphabet Y . The following diagram shows this relationship:

X ∋ x → channel → y ∈ Y

The channels considered by Shannon are also memoryless, that is, noise acts independently
on each transmitted symbol. In this book, we will only study discrete channels where both the
alphabets X and Y are finite. For the sake of variety, we will define one channel that is contin-
uous, though we will not study it in any detail later on.

116
 The final piece in specification of a channel is the transition matrix M that governs the pro-
cess of how the channel introduces error. In particular, the channel is described in the form of
a matrix with entries as the crossover probability over all combination of the input and output
alphabets. For any pair (x, y) ∈ X × Y , let Pr(y|x) denote the probability that y is output by the
channel when x is input to the channel. Then the transition matrix is given by M(x, y) = Pr(y|x).
The specific structure of the matrix is shown below.
 
..
 . 

M = · · · Pr(y|x) · · ·

..
.

Next, we look at some specific instances of channels.

Binary Symmetric Channel (BSC). Let 0 ≤ p ≤ 1. The Binary Symmetric Channel with crossover
probability p or BSCp is defined as follows. X = Y = {0, 1}. The 2 × 2 transition matrix can nat-
urally be represented as a bipartite graph where the left vertices correspond to the rows and
the right vertices correspond to the columns of the matrix, where M(x, y) is represented as the
weight of the corresponding (x, y) edge. For BSCp , the graph is illustrated in Figure 6.2.
1−p
0 0
p

p
1 1
1−p
Figure 6.2: Binary Symmetric Channel BSCp

The corresponding transition matrix would look like this:

0 1
µ ¶
0 1−p p
.
1 p 1−p

In other words, every bit is flipped with probability p. We claim that we need to only con-
sider the case when p ≤ 21 , i.e. if we know how to ensure reliable communication over BSCp for
p ≤ 21 , then we can also handle the case of p > 12 . (See Exercise 6.1.)

q-ary Symmetric Channel (qSC). We now look at the generalization of BSCp to alphabets of
size q ≥ 2. Let 0 ≤ p ≤ 1 − q1 . (As with the case of BSCp , we can assume that p ≤ 1 − q1 – see
Exercise 6.2.) The q-ary Symmetric Channel with crossover probability p, or qSCp , is defined
as follows. X = Y = [q]. The transition matrix M for qSCp is defined as follows.
½
1 − p if y = x
M (x, y) = p
q−1 if y 6= x

117
In other words, every symbol is retained as is at the output with probability 1−p and is distorted
p
to each of the q − 1 possible different symbols with equal probability of q−1 .

Binary Erasure Channel (BEC) In the previous two examples that we saw, X = Y . However,
this might not always be the case.
Let 0 ≤ α ≤ 1. The Binary Erasure Channel with erasure probability α (denoted by BECα ) is
defined as follows. X = {0, 1} and Y = {0, 1, ?}, where ? denotes an erasure. The transition matrix
is as follows:
1−α
0 0

α
?
α

1 1
1−α
Figure 6.3: Binary Erasure Channel BECα

In Figure 6.3 any missing edge represents a transition that occurs with 0 probability. In other
words, every bit in BECα is erased with probability α (and is left unchanged with probability
1 − α).

Binary Input Additive Gaussian White Noise Channel (BIAGWN). We now look at a channel
that is continuous. Let σ ≥ 0. The Binary Input Additive Gaussian White Noise Channel with
standard deviation σ or BIAGWNσ is defined as follows. X = {−1, 1} and Y = R. The noise is
modeled by the continuous Gaussian probability distribution function. The Gaussian distribu-
tion has lots of nice properties and is a popular choice for modeling noise continuous in nature.
Given (x, y) ∈ {−1, 1} × R, the noise y − x is distributed according to the Gaussian distribution of
mean of zero and standard deviation of σ. In other words,
µ µ ¶¶
¡ ¢ 1 (y − x)2
Pr y | x = p · exp −
σ 2π 2σ2

6.2.1 Error Correction in Stochastic Noise Models

We now need to revisit the notion of error correction from Section 1.3. Note that unlike Ham-
ming’s noise model, we cannot hope to always recover the transmitted codeword. As an ex-
ample, in BSCp there is always some positive probability that a codeword can be distorted into
another codeword during transmission. In such a scenario no decoding algorithm can hope
to recover the transmitted codeword. Thus, in some stochastic channels there is always some
decoding error probability (where the randomness is from the channel noise): see Exercise 6.14
for example channels where one can have zero decoding error probability. However, we would

118
like this error probability to be small for every possible transmitted codeword. More precisely,
for every message, we would like the decoding algorithm to recover the transmitted message
with probability 1 − f (n), where limn→∞ f (n) → 0; that is, f (n) is o(1). Ideally, we would like to
have f (n) = 2−Ω(n) . We will refer to f (n) as the decoding error probability.

6.2.2 Shannon’s General Theorem

Recall that the big question of interest in this book is the tradeoff between the rate of the code
and the fraction of errors that can be corrected. For stochastic noise models that we have seen,
it is natural to think of the fraction of errors to be the parameter that governs the amount of
error that is introduced by the channel. For example, for BSCp , we will think of p as the fraction
of errors.
Shannon’s remarkable theorem on channel coding was to precisely identify when reliable
transmission is possible over the stochastic noise models that he considered. In particular, for
the general framework of noise models, Shannon defined the notion of capacity, which is a
real number such that reliable communication is possible if and only if the rate is less than the
capacity of the channel. In other words, given a noisy channel with capacity C , if information is
transmitted at rate R for any R < C , then there exists a coding scheme that guarantees negligible
probability of miscommunication. On the other hand if R > C , then regardless of the chosen
coding scheme there will be some message for which the decoding error probability is bounded
from below by some constant.
In this chapter, we are going to state (and prove) Shannon’s general result for the special case
of BSCp .

6.3 Shannon’s Result for BSCp

For the rest of the chapter, we will use the notation e ∼ BSCp to denote an error pattern e that
is drawn according to the error distribution induced by BSCp . We are now ready to state the
theorem.

Theorem 6.3.1 (Shannon’s Capacity Theorem for BSC). For real numbers p, ε such that 0 ≤ p < 21
and 0 ≤ ε ≤ 21 − p, the following statements are true for large enough n:

1. There exists a real δ > 0, an encoding

¥¡ function¢ E¦: {0, 1}k → {0, 1}n and a decoding function
n k
D : {0, 1} → {0, 1} where k ≤ 1 − H (p + ε) n , such that the following holds for every
m ∈ {0, 1}k :
Pr [D(E (m) + e)) 6= m] ≤ 2−δn .
e∼BSCp

2. If k ≥ ⌈(1 − H (p) + ε)n⌉ then for every pair of encoding and decoding functions, E : {0, 1}k →
{0, 1}n and D : {0, 1}n → {0, 1}k , there exists m ∈ {0, 1}k such that
1
Pr [D(E (m) + e)) 6= m] ≥ .
e∼BSCp 2

119
 Note that Theorem 6.3.1 implies that the capacity of BSCp is 1 − H (p). It can also be shown
that the capacity of qSCp and BECα are 1 − H q (p) and 1 − α respectively. (See Exercises 6.6
and 6.7.)
The entropy function appears in Theorem 6.3.1 due to the same technical reason that it
appears in the GV bound: the entropy function allows us to use sufficiently tight bounds on the
volume of a Hamming ball (Proposition 3.3.3).

6.3.1 Proof of Converse of Shannon’s Capacity Theorem for BSC

We start with the proof of part (2) of Theorem 6.3.1. (Proof of part (1) follows in the next section.)
For the proof we will assume that p > 0 (since when p = 0, 1 − H (p) + ε > 1 and so we have
nothing to prove). For the sake of contradiction, assume that the following holds for every m ∈
{0, 1}k :
1
Pr [D(E (m) + e) 6= m] ≤ .
e∼BSCp 2
Define D m to be the set of received words y that are decoded to m by D, that is,
© ª
D m = y|D(y) = m .

The main idea behind the proof is the following: first note that the sets D m partition the
entire space of received words {0, 1}n (see Figure 6.4 for an illustration) since D is a function.

Dm

{0, 1}n

Figure 6.4: The sets D m partition the ambient space {0, 1}n .

Next we will argue that since the decoding error probability is at most a 1/2, then D m for
every m ∈ {0, 1}k is “large." Then by a simple packing argument, it follows that we cannot have
too many distinct m, which we will show implies that k < (1−H (p)+ε)n: a contradiction. Before
we present the details, we outline how we will argue that D m is large. Let S m be the shell of radius
[(1 − γ)pn, (1 + γ)pn] around E (m), that is,
¡ ¢ ¡ ¢
S m = B E (m), (1 + γ)pn \ B E (m), (1 − γ)pn .

We will set γ > 0 in terms of ε and p at the end of the proof. (See Figure 6.5 for an illustra-
tion.) Then we argue that because the decoding error probability is bounded by 1/2, most of

120
 (1 − γ)pn

E (m)

(1 + γ)pn

Figure 6.5: The shell S m of inner radius (1 − γ)pn and outer radius (1 + γ)pn.

the received words in the shell S m are decoded correctly, i.e. they fall in D m . To complete the
argument, we show that the number of such received words is indeed large enough.
Fix an arbitrary message m ∈ {0, 1}k . Note that by our assumption, the following is true
(where from now on we omit the explicit dependence of the probability on the BSCp noise for
clarity):
1
Pr [E (m) + e 6∈ D m ] ≤ . (6.1)
2
Further, by the (multiplicative) Chernoff bound (Theorem 3.1.10),
2
n)
Pr [E (m) + e 6∈ S m ] ≤ 2−Ω(γ . (6.2)

(6.1) and (6.2) along with the union bound (Proposition 3.1.5) imply the following:

1 2
Pr [E (m) + e 6∈ D m ∩ S m ] ≤ + 2−Ω(γ n) .
2
The above in turn implies that

1 2 1
Pr [E (m) + e ∈ D m ∩ S m ] ≥ − 2−Ω(γ n) ≥ , (6.3)
2 4
where the last inequality holds for large enough n. Next we upper bound the probability above
to obtain a lower bound on |D m ∩ S m |.
It is easy to see that

Pr [E (m) + e ∈ D m ∩ S m ] ≤ |D m ∩ S m | · p max ,

where £ ¤
p max = max Pr E (m) + e = y = max p d (1 − p)n−d .
y∈S m d ∈[(1−γ)pn,(1+γ)pn]

In the above, the second equality follows from the fact that all error patterns with the same
Hamming weight appear with the same probability when chosen according to BSCp . Next, note

121
that p d (1 − p)n−d is decreasing in d for p ≤ 21 .2 Thus, we have
µ ¶ µ ¶
(1−γ)pn n−(1−γ)pn 1 − p γpn pn (1−p)n 1 − p γpn −nH (p)
p max = p (1 − p) = · p (1 − p) = 2 .
p p
Thus, we have shown that
µ ¶γpn
1−p
Pr [E (m) + e ∈ D m ∩ S m ] ≤ |D m ∩ S m | · 2−nH (p) ,
p
which, by (6.3), implies that
µ ¶
1 1 − p −γpn nH (p)
|D m ∩ S| ≥ · 2 . (6.4)
4 p
Next, we consider the following sequence of relations:
X
2n = |D m | (6.5)
m∈{0,1}k
X
≥ |D m ∩ S m |
m∈{0,1}k
µ ¶−γpn
1 1 X
≥ −1 2H (p)n (6.6)
4 p m∈{0,1}k

= 2k−2 · 2H (p)n−γp log(1/p−1)n

> 2k+H (p)n−εn . (6.7)
In the above, (6.5) follows from the fact that for m1 6= m2 , D m1 and D m2 are disjoint. (6.6) follows
from (6.4). (6.7) follows for large enough n and if we pick γ = ε³ ´ . (Note that as 0 < p < 1 ,
1
2p log 2
p −1
γ = Θ(ε).)
(6.7) implies that k < (1 − H (p) + ε)n, which is a contradiction. The proof of part (2) of The-
orem 6.3.1 is complete.
Remark 6.3.2. It can be verified that the proof above can also work if the decoding error prob-
ability is bounded by 1 − 2−βn (instead of the 1/2 in part (2) of Theorem 6.3.1) for small enough
β = β(ε) > 0.
Next, we will prove part (1) of Theorem 6.3.1.

6.3.2 Proof of Positive Part of Shannon’s Theorem

Proof Overview. The proof of part (1) of Theorem 6.3.1 will be done by the probabilistic
method (Section 3.2). In particular, we randomly select an encoding function E : {0, 1}k →
{0, 1}n . That is, for every m ∈ {0, 1}k pick E (m) uniformly and independently at random from
{0, 1}n . D will be the maximum likelihood decoding (MLD) function. The proof will have the
following two steps:
2 1
Indeed p d (1 − p)n−d = (p/(1 − p))d (1 − p)n and the bound p ≤ 2 implies that the first exponent is at most 1,
which implies that the expression is decreasing in d .

122
 • (Step 1) For any arbitrary m ∈ {0, 1}k , we will show that for a random choice of E, the prob-
ability of failure, over BSCp noise, is small. This implies the existence of a good encoding
function for any arbitrary message.

• (Step 2) We will show a similar result for all m. This involves dropping half of the code
words.

Note that there are two sources of randomness in the proof:

1. Randomness in the choice of encoding function E and

2. Randomness in the noise.

We stress that the first kind of randomness is for the probabilistic method while the second
kind of randomness will contribute to the decoding error probability.

“Proof by picture" of Step 1. Before proving part (1) of Theorem 6.3.1, we will provide a pic-
torial proof of Step 1. We begin by fixing m ∈ {0, 1}k . In Step 1, we need to estimate the following
quantity:
· ¸
EE Pr [D (E (m) + e) 6= m] .
e∼BSCp

By the additive Chernoff bound (Theorem 3.1.10), with all but an exponentially
¡ ¢ small proba-
bility, the received word will be contained in a Hamming ball of radius p + ε′ n (for some ε′ > 0
that we will choose appropriately). So one can assume that the received word y with high prob-
ability satisfies ∆(E (m), y) ≤ (p +ε′ )n. Given this, pretty much the only thing to do is to estimate
the decoding error probability for such a y. Note that by the fact that D is MLD, an error can
happen only if there exists another message m′ such that ∆(E (m′ ), y) ≤ ∆(E (m), y). The latter
event implies that ∆(E (m′ ), y) ≤ (p + ε′ )n (see Figure 6.6).

(p + ε′ )n

E (m′ ) E (m)
y

(p + ε′ )n

¡ ¢
Figure 6.6: Hamming balls of radius p + ε′ n and centers E (m) and y) illustrates Step 1 in the
proof of part (1) of Shannon’s capacity theorem for the BSC.

123
 Thus, the decoding error probability is upper bounded by
¡¡ ¢ ¢
£ ¡ ′¢ ¡ ¡ ′
¢ ¢¤ V ol 2 p + ε′ n, n 2H (p )n
Pr E m ∈ B y, p + ε n = ≈ ,
e∼BSCp 2n 2n
where the last step follows from Proposition 3.3.3. Finally, by the union bound (Proposition 3.1.5),
k nH (p)
the existence of such a “bad" m′ is upper bounded by ≈ 2 22n , which by our choice of k is
2−Ω(n) , as desired.

The Details. For notational convenience, we will use y and E (m) + e interchangeably:

y = E (m) + e.
That is, y is the received word when E (m) is transmitted and e is the error pattern.
We start the proof by restating the decoding error probability in part (1) of Shannon’s capac-
ity theorem for BSCp (Theorem 6.3.1) by breaking up the quantity into two sums:

X £ ¤
Pr [D (E (m) + e) 6= m] = Pr y|E (m) · 1D(y)6=m
e∼BSCp y∈B (E (m),(p+ε′ )n)
X £ ¤
+ Pr y|E (m) · 1D(y)6=m ,
y6∈B (E (m),(p+ε′ )n)

where 1D(y)6=m is the indicator function for the event that D(y) 6= m given that E (m) was the
transmitted codeword and we use y|E (m) as a shorthand for “y is the received word given that
E (m) was the transmitted codeword." As 1D(y)6=m ≤ 1 (since it takes a value in {0, 1}) and by the
(additive) Chernoff bound (Theorem 3.1.10) we have
X £ ¤ ′ 2
Pr [D (E (m) + e) 6= m] ≤ Pr y|E (m) · 1D(y)6=m + e −(ε ) n/2 .
e∼BSCp y∈B (E (m),(p+ε′ )n)

In order to apply the probabilistic method (Section 3.2), we will analyze the expectation
(over the random choice of E ) of the decoding error probability, which by the upper bound
above satisfies

· ¸ h i
′ 2 X £ ¤
EE Pr [D (E (m) + e) 6= m] ≤ e −(ε ) n/2 + Pr y|E (m) ·EE 1D (y)6=m . (6.8)
e∼BSCp e∼BSCp
y∈B (E (m),(p+ε′ )n )

In the above, we used linearity of expectation (Proposition 3.1.4) and the fact that the distribu-
tions on e and E are independent.
Next, for a fixed received
£ word
¤ y and the transmitted codeword E (m) such that ∆(y, E (m)) ≤
(p + ε′ )n we estimate EE 1D(y)6=m . Since D is MLD, we have
£ ¤ £ ¤ X £ ¡ ¡ ¢ ¢ ¡ ¢ ¤
EE 1D(y)6=m = Pr 1D(y)6=m |E (m) ≤ Pr ∆ E m′ , y ≤ ∆ E (m) , y |E (m) , (6.9)
E
m′ 6=m

124
where in the above “|E (m)" is short for “being conditioned on E (m) being transmitted" and the
inequality follows from the union bound (Proposition 3.1.5) and the fact that D is MLD.
Noting that ∆(E (m′ ), y) ≤ ∆(E (m), y) ≤ (p + ε′ )n (see Figure 6.6), by (6.9) we have
£ ¤ X £ ¡ ¢ ¡ ¡ ¢ ¢ ¤
EE 1D(y)6=m ≤ Pr E m′ ∈ B y, p + ε′ n |E (m)
m′ 6=m
¯ ¡ ¡ ¢ ¢¯
X ¯B y, p + ε′ n ¯
= (6.10)
m′ 6=m 2n
X 2H (p+ε )n
′

≤ (6.11)
m′ 6=m 2n
<2k · 2−n (1−H (p+ε ))
′

≤2n (1−H (p+ε))−n (1−H (p+ε ))

′
(6.12)
=2−n (H (p+ε)−H (p+ε )) .
′
(6.13)

In the above, (6.10) follows from the fact that the choice for E (m′ ) is independent of E (m).
(6.11) follows from the upper bound on the volume of a Hamming ball (Proposition 3.3.3), while
(6.12) follows from our choice of k.
Using (6.13) in (6.8), we get
· ¸
′ 2 X £ ¤
Pr [D(E (m) + e) 6= m] ≤e −(ε ) n/2 + 2−n (H (p+ε)−H (p+ε ))
′
EE Pr y|E (m)
e∼BSCp y∈B (E (m),(p+ε′ )n)
′ 2
≤e −(ε ) + 2−n (H (p+ε)−H (p+ε )) ≤ 2−δ n ,
′ ′
n/2
(6.14)

where the second inequality follows from the fact that

X £ ¤ X £ ¤
Pr y|E (m) ≤ Pr y|E (m) = 1
y∈B (E (m),(p+ε′ )n) y∈{0,1}n

and the last inequality follows for large enough n, say ε′ = ε/2 and by picking δ′ > 0 to be small
enough. (See Exercise 6.3.)
Thus, we have shown that for any arbitrary m the average (over the choices of E ) decoding
error probability is small. However, we still need to show that the decoding error probability is
exponentially small for all messages simultaneously. Towards this end, as the bound holds for
each m, we have · · ¸¸
′
Em EE Pr [D (E (m) + e) 6= m] ≤ 2−δ n .
e∼BSCp

The order of the summation in the expectation with respect to m and the summation in the
expectation with respect to the choice of E can be switched (as the probability distributions are
defined over different domains), resulting in the following expression:
· · ¸¸
′
EE Em Pr [D (E (m) + e) 6= m] ≤ 2−δ n .
e∼BSCp

125
 By the probabilistic method, there exists an encoding function E ∗ (and a corresponding
decoding function D ∗ ) such that
· ¸
£ ∗¡ ∗ ¢ ¤ ′
Em Pr D E (m) + e 6= m ≤ 2−δ n . (6.15)
e∼BSCp

(6.15) implies that the average decoding error probability is exponentially small. However,
recall we need to show that the maximum decoding error probability is small. To achieve such
a result, we will throw away half of the messages, i.e. expurgate the code. In particular, we will
order the messages in decreasing order of their decoding error probability and then drop the
top half. We claim that the maximum decoding error probability for the remaining messages is
′
2 · 2−δ n . Next, we present the details.

From Average to Worst-Case Decoding Error Probability. We begin with the following “aver-
aging" argument.

Claim 6.3.3. Let the messages be ordered as m1 , m2 , . . . , m2k and define

Pi = Pr [D(E (mi ) + e) 6= mi ] .
e∼BSCp

′
Assume that P 1 ≤ P 2 ≤ . . . ≤ P 2k and (6.15) holds, then P 2k−1 ≤ 2 · 2−δ n

Proof. By the definition of P i ,

2k
1 X
P i = Em Pr [D(E (m) + e) 6= m]
2k i =1 e∼BSCp
′
≤ 2−δ n , (6.16)

where (6.16) follows from (6.15). For the sake of contradiction assume that
′
P 2k−1 > 2 · 2−δ n . (6.17)

So,

2k
1 X 1 2k
X
Pi ≥ Pi (6.18)
2k i =1 2k i =2k−1 +1
−δ′ n k−1
2·2 ·2
> (6.19)
2k
′
> 2−δ n , (6.20)

where (6.18) follows by dropping half the summands from the sum. (6.19) follows from (6.17)
and the assumption on the sortedness of P i . The proof is now complete by noting that (6.20)
contradicts (6.16).

126
 Thus, our final code will have m1 , . . . , m2k−1 as its messages and hence, has dimension k ′ =
′ 1
¥¡δ = δ + n . In¢ the
k − 1. Define ¦ new code,′ maximum
¥¡ error ¢probability
¦ is at most 2−δn . Also if we
picked k ≤ 1 − H (p + ε) n + 1, then k ≤ 1 − H (p + ε) n , as required. This completes the
proof of Theorem 6.3.1.
We have shown that a random code can achieve capacity. However, we do not know of even
a succinct representation of general codes. A natural question to ask is if random linear codes
can achieve the capacity of BSCp . The answer is yes: see Exercise 6.4.
For linear code, representation and encoding are efficient. But the proof does not give an
explicit construction. Intuitively, it is clear that since Shannon’s proof uses a random code, it
does not present an ‘explicit’ construction. Below, we formally define what we mean by an
explicit construction.
Definition 6.3.4. A code C of block length n is called explicit if there exists a poly(n)-time al-
gorithm that computes a succinct description of C given n. For linear codes, such a succinct
description could be a generator matrix or a parity check matrix.
We will also need the following stronger notion of an explicitness:
Definition 6.3.5. A linear [n, k] code C is called strongly explicit, if given any index pair (i , j ) ∈
[k] × [n], there is a poly(log n) time algorithm that outputs G i , j , where G is a generator matrix of
C.
Further, Shannon’s proof uses MLD for which only exponential time implementations are
known. Thus, the biggest question left unsolved by Shannon’s work is the following.

Question 6.3.1. Can we come up with an explicit construction of a code of rate 1 − H (p + ε)

with efficient decoding and encoding algorithms that achieves reliable communication over
BSCp ?

As a baby step towards the resolution of the above question, one can ask the following ques-
tion:

Question 6.3.2. Can we come up with an explicit construction with R > 0 and p > 0?

Note that the question above is similar to Question 1.8.2 in Hamming’s world. See Exercise 6.13
for an affirmative answer.

6.4 Hamming vs. Shannon

As a brief interlude, let us compare the salient features of the works of Hamming and Shannon
that we have seen so far:

127
 QUALITATIVE C OMPARISON
H AMMING S HANNON
Focus on codewords itself Directly deals with encoding and decoding
functions
Looked at explicit codes Not explicit at all
Fundamental trade off: rate vs. distance Fundamental trade off: rate vs. error
(easier to get a handle on this)
Worst case errors Stochastic errors

Intuitively achieving positive results in the Hamming world is harder than achieving positive
results in Shannon’s world. The reason is that the adversary in Shannon’s world (e.g. BSCp ) is
much weaker than the worst-case adversary in Hamming’s world (say for bits). We make this
intuition (somewhat) precise as follows:

Proposition 6.4.1. Let 0 ≤ p < 21 and 0 < ε ≤ 21 − p. If an algorithm A can handle p + ε fraction of
worst case errors, then it can be used for reliable communication over BSCp

−ε2 n
Proof. By the additive Chernoff bound (Theorem 3.1.10), with probability ≥ 1 − e 2 , the frac-
tion of errors in BSCp is ≤ p + ε. Then by assumption on A, it can be used to recover the trans-
mitted message.

Note that the above result implies that one can have reliable transmission over BSCp with
any code of relative distance 2p + ε (for any ε > 0).
A much weaker converse of Proposition 6.4.1 is also true. More precisely, if the decoding
error probability is exponentially small for the BSC, then the corresponding code must have
constant relative distance (though this distance does not come even close to achieving say the
Gilbert-Varshamov bound). For more see Exercise 6.5.

6.5 Exercises
Exercise 6.1. Let (E , D) be a pair of encoder and decoder that allows for successful transmission
over BSCp for every p ≤ 12 . Then there exists a pair (E ′ , D ′ ) that allows for successful transmission
over BSCp ′ for any p ′ > 1/2. If D is (deterministic) polynomial time algorithm, then D ′ also has
to be a (deterministic) polynomial time algorithm.

Exercise 6.2. Let (E , D) be a pair of encoder and decoder that allows for successful transmission
over qSCp for every p ≤ 1 − q1 . Then there exists a pair (E ′ , D ′ ) that allows for successful trans-
mission over qSCp ′ for any p ′ > 1 − 21 . If D is polynomial time algorithm, then D ′ also has to be a
polynomial time algorithm though D ′ can be a randomized algorithm even if D is deterministic.3
3
A randomized D ′ means that given a received word y the algorithm can use random coins and the decoding
error probability is over both the randomness from its internal coin tosses as well as the randomness from the
channel.

128
Exercise 6.3. Argue that in the positive part of Theorem 6.3.1, one can pick δ = Θ(ε2 ). That is, for
0 ≤ p < 1/2 and small enough ε, there exist codes of rate 1 − H (p) − ε and block length n that can
2
be decoded with error probability at most 2−Θ(ε )n over BSCp .

Exercise 6.4. Prove that there exists linear codes that achieve the BSCp capacity. (Note that in
Section 6.3 we argued that there exists not necessarily a linear code that achieves the capacity.)

Hint: Modify the argument in Section 6.3: in some sense the proof is easier.

Exercise 6.5. Prove that for communication on BSCp , if an encoding function E achieves a maxi-
mum decoding error probability (taken over all messages) that is exponentially small, i.e., at most
2−γn for some γ > 0, then there exists a δ = δ(γ, p) > 0 such that the code defined by E has relative
distance at least δ. In other words, good distance is necessary for exponentially small maximum
decoding error probability.

Exercise 6.6. Prove that the capacity of the qSCp is 1 − H q (p).

Exercise 6.7. The binary erasure channel with erasure probability α has capacity 1 − α. In this
problem, you will prove this result (and its generalization to larger alphabets) via a sequence of
smaller results.

1. For positive integers k ≤ n, show that less than a fraction q k−n of the k × n matrices G over
Fq fail to generate a linear code of block length n and dimension k. (Or equivalently, except
with probability less than q k−n , the rank of a random k × n matrix G over Fq is k.)

Hint: Try out the obvious greedy algorithm to construct a k × n matrix of rank k. You will see that you will
have many choices every step: from this compute (a lower bound on) the number of full rank matrices that
can be generated by this algorithm.

2. Consider the q-ary erasure channel with erasure probability α (qECα , for some α, 0 ≤ α ≤
1): the input to this channel is a field element x ∈ Fq , and the output is x with probability
1−α, and an erasure ‘?’ with probability α. For a linear code C generated by an k ×n matrix
G over Fq , let D : (Fq ∪ {?})n → C ∪ {fail} be the following decoder:
½
c if y agrees with exactly one c ∈ C on the unerased entries in Fq
D(y) =
fail otherwise

For a set J ⊆ {1, 2, . . . , n}, let P err (G|J ) be the probability (over the channel noise and choice
of a random message) that D outputs fail conditioned on the erasures being indexed by J .
Prove that the average value of P err (G|J ) taken over all G ∈ Fk×n q is less than q k−n+|J | .

3. Let P err (G) be the decoding error probability of the decoder D for communication using the
code generated by G on the qECα . Show that when k = Rn for R < 1 − α, the average value
of P err (G) over all k × n matrices G over Fq is exponentially small in n.

129
 4. Conclude that one can reliably communicate on the qECα at any rate less than 1 − α using
a linear code.

Exercise 6.8. Consider a binary channel whose input/output alphabet is {0, 1}, where a 0 is trans-
mitted faithfully as a 0 (with probability 1), but a 1 is transmitted as a 0 with probability 21 and a
1 with probability 1/2. Compute the capacity of this channel.

Hint: This can be proved from scratch using only simple probabilistic facts already stated/used in the book.

Exercise 6.9. Argue that Reed-Solomon codes from Chapter 5 are strongly explicit codes (as in
Definition 6.3.5).

Exercise 6.10. In this problem we will prove a special case of the source coding theorem. For any
0 ≤ p ≤ 1/2, let D(p) be the distribution on {0, 1}n , where each of the n bits are picked indepen-
dently to be 1 with probability p and 0 otherwise. Argue that for every ε > 0, strings from D(p)
can be compressed with H (p + ε) · n bits for large enough n.
More precisely show that for any constant 0 ≤ p ≤ 1/2 and every ε > 0, for large enough n there
exists an encoding (or compression) function E : {0, 1}n → {0, 1}∗ and a decoding (or decompres-
sion) function D : {0, 1}∗ → {0, 1}n such that4

1. For every x ∈ {0, 1}n , D(E (x)) = x, and

2. Ex←D(p) [|E (x)|] ≤ H (p + ε) · n, where we use |E (x)| to denote the length of the string E (x). In
other words, the compression rate is H (p + ε).

Hint: Handle the “typical" strings from D and non-typical strings separately.

Exercise 6.11. Show that if there is a constructive solution to Shannon’s channel coding theo-
rem with E being a linear map, then there is a constructive solution to Shannon’s source coding
theorem in the case where the source produces a sequence of independent bits of bias p.
More precisely, let (E , D) be an encoding and decoding pairs that allows for reliable com-
munication over BSCp with exponentially small decoding error and E is a linear map with rate
1 − H (p) − ε. Then there exists a compressing and decompressing pair (E ′ , D ′ ) that allows for
compression rate H (p) + ε (where compression rate is as defined in part 2 in Exercise 6.10). The
decompression algorithm D ′ can be randomized and is allowed exponentially small error prob-
ability (where the probability can be taken over both the internal randomness of D ′ and D(p)).
Finally if (E , D) are both polynomial time algorithms, then (E ′ , D ′ ) have to be polynomial time
algorithms too.

Exercise 6.12. Consider a Markovian source of bits, where the source consists of a 6-cycle with
three successive vertices outputting 0, and three successive vertices outputting 1, with the proba-
bility of either going left (or right) from any vertex is exactly 1/2. More precisely, consider a graph
with six vertices v 0 , v 1 , . . . , v 5 such that there exists an edge (v i , v (i +1) mod 6 ) for every 0 ≤ i ≤ 5.
4
We use {0, 1}∗ to denote the set of all binary strings.

130
Further the vertices v i for 0 ≤ i < 3 are labeled ℓ(v i ) = 0 and vertices v j for 3 ≤ j < 6 are labeled
ℓ(v j ) = 1. Strings are generated from this source as follows: one starts with some start vertex u 0
(which is one of the v i ’s): i.e. the start state is u 0 . Any any point of time if the current state if
u, then the source outputs ℓ(u). Then with probability 1/2 the states moves to each of the two
neighbors of u.
Compute the optimal compression rate of this source.

Hint: Compress “state diagram" to a minimum and then make some basic observations to compress the source infor-
mation.

Exercise 6.13. Given codes C 1 and C 2 with encoding functions E 1 : {0, 1}k1 → {0, 1}n1 and E 2 :
{0, 1}k2 → {0, 1}n2 let E 1 ⊗E 2 : {0, 1}k1 ×k2 → {0, 1}n1 ×n2 be the encoding function obtained as follows:
view a message m as a k 1 × k 2 matrix. Encode the columns of m individually using the function
E 1 to get an n 1 × k 2 matrix m′ . Now encode the rows of m′ individually using E 2 to get an n 1 × n 2
matrix that is the final encoding under E 1 ⊗E 2 of m. Let C 1 ⊗C 2 be the code associated with E 1 ⊗E 2
(recall Exercise 2.19).
For i ≥ 3, let Hi denote the [2i −1, 2i −i −1, 3]2 -Hamming code. Let C i = Hi ⊗C i −1 with C 3 = H3
be a new family of codes.

1. Give a lower bound on the relative minimum distance of C i . Does it go to zero as i → ∞?

2. Give a lower bound on the rate of C i . Does it go to zero as i → ∞?

3. Consider the following simple decoding algorithm for C i : Decode the rows of the rec’d vector
recursively using the decoding algorithm for C i −1 . Then decode each column according
to the Hamming decoding algorithm (e.g. Algorithm 5). Let δi denote the probability of
decoding error of this algorithm on the BSCp . Show that there exists a p > 0 such that
δi → 0 as i → ∞.

Hint: First show that δi ≤ 4i δ2i −1 .

Exercise 6.14. We consider the problem of determining the best possible rate of transmission on
a stochastic memoryless channel with zero decoding error probability. Recall that a memoryless
stochastic channel is specified by a transition matrix M s.t. M(x, y) denotes the probability of y
being received if x was transmitted over the channel. Further, the noise acts independently on
each transmitted symbol. Let D denote the input alphabet. Let R(M) denote the best possible rate
for a code C such that there exists a decoder D such that for every c ∈ C , Pr[D(y) 6= c] = 0, where y
is picked according to the distribution induced by M when c is transmitted over the channel (i.e.
Q
the probability that y is a received word is exactly ni=1 M(c i , y i ) where C has block length n). In
this exercise we will derive an alternate characterization of R(M).
We begin with some definitions related to graphs G = (V, E ). An independent set S of G is a
subset S ⊆ V such that there is no edge contained in S, i.e. for every u 6= v ∈ S, (u, v) 6∈ E . For
a given graph G , we use α(G ) to denote the size of largest independent set in G . Further, given
an integer n ≥ 1, the n-fold product of G , which we will denote by G n , is defined as follows:

131
G n = (V n , E ′ ), where ((u 1 , . . . , u n ), (v 1 , . . . , v n )) ∈ E ′ if and only if for every i ∈ [n] either u i = v i or
(u i , v i ) ∈ E .
Finally, define a confusion graph GM = (V, E ) as follows. The set of vertices V = D and for
every x 1 6= x 2 ∈ D, (x, y) ∈ E if and only if there exists a y such that M(x 1 , y) 6= 0 and M(x 2 , y) 6= 0.

1. Prove that
1 ¡ ¡ n ¢¢ 5
R(M) = lim · log|D| α GM . (6.21)
n→∞ n

2. A clique cover for a graph G = (V, E ) is a partition of the vertices V = {V1 , . . . ,Vc } (i.e. Vi
and V j are disjoint for every i 6= j ∈ [c] and ∪i Vi = V ) such that the graph induced on Vi is
a complete graph (i.e. for every i ∈ [c] and x 6= y ∈ Vi , we have (x, y) ∈ E ). We call c to be
the size of the clique cover V1 , . . . ,Vc . Finally, define ν(G ) to be the size of the smallest clique
cover for G . Argue that
α(G )n ≤ α(G n ) ≤ ν(G )n .
Conclude that
log|D| α(G ) ≤ R(M) ≤ log|D| ν(G ). (6.22)

3. Consider any transition matrix M such that the corresponding graph C 4 = GM is a 4-cycle
(i.e. the graph ({0, 1, 2, 3}, E ) where (i , i + 1 mod 4) ∈ E for every 0 ≤ i ≤ 3). Using part 2 or
otherwise, argue that R(M) = 21 .

4. Consider any transition matrix M such that the corresponding graph C 5 = GM is a 5-cycle
(i.e. the graph ({0, 1, 2, 4}, E ) where (i , i + 1 mod 5) ∈ E for every 0 ≤ i ≤ 4). Using part 2
or otherwise, argue that R(M) ≥ 21 · log5 5. (This lower bound is known to be tight: see Sec-
tion 6.6 for more.)

6.6 Bibliographic Notes

Shannon’s results that were discussed in this chapter appeared in his seminal 1948 paper [115].
All the channels mentioned in this chapter were considered by Shannon except for the B EC
channel, which was introduced by Elias.
The proof method used to prove Shannon’s result for BSCp has its own name– “random
coding with expurgation."
Elias [36] answered Question 6.3.2 (the argument in Exercise 6.13 is due to him).

5
In literature, R(M) is defined with log|D| replaced by log2 . We used the definition in (6.21) to be consistent with
our definition of capacity of a noisy channel. See Section 6.6 for more.

132
Chapter 7

Bridging the Gap Between Shannon and

Hamming: List Decoding

In Section 6.4, we made a qualitative comparison between Hamming and Shannon’s world. We
start this chapter by making a more quantitative comparison between the two threads of coding
theory. In Section 7.2 we introduce the notion of list decoding, which potentially allows us to
go beyond the (quantitative) results of Hamming and approach those of Shannon’s. Then in
Section 7.3, we show how list decoding allows us to go beyond half the distance bound for any
code. Section 7.4 proves the optimal trade-off between rate and fraction of correctable errors via
list decoding. Finally, in Section 7.5, we formalize why list decoding could be a useful primitive
in practical communication setups.

7.1 Hamming versus Shannon: part II

Let us compare Hamming and Shannon theories in terms of the asymptotic bounds we have
seen so far (recall rate R = nk and relative distance δ = dn ).

• Hamming theory: Can correct ≤ δ2 fraction of worse case errors for codes of relative dis-
tance δ. By the Singleton bound (Theorem 4.3.1),

δ ≤ 1 − R,

which by Proposition 1.4.2 implies that p fraction of errors can be corrected has to satisfy

1−R
p≤ .
2
The above can be achieved via efficient decoding algorithms for example for Reed-Solomon
codes (we will see this later in the book).

• Shannon theory: In qSCp , for 0 ≤ p < 1 − 1/q, we can have reliable communication with
R < 1 − H q (p). It can be shown that

133
 δ
δ c4 2
2
y
c1
δ
> 2
bad examples

c3 c2 δ
2

δ
2

bad examples

Figure 7.1: In this example, vectors are embedded into Euclidean space such that the Euclidean
distance between two mapped points is the same as the Hamming distance between vectors.
c1 , c2 , c3 , c4 are codewords. The dotted lines contain the “bad examples," that is, the received
words for which unique decoding is not possible.

1. 1 − H q (p) ≤ 1 − p (this is left as an exercise); and

2. 1− H q (p) ≥ 1− p −ε, for large enough q– in particular, q = 2Ω(1/ε) (Proposition 3.3.4).

Thus, we can have reliable communication with p ∼ 1 − R on qSCp for large enough q.

There is a gap between Shannon and Hamming world: one can correct twice as many errors
in Shannon’s world. One natural question to ask is whether we can somehow “bridge" this gap.
Towards this end, we will now re-visit the bad example for unique decoding (Figure 1.3) and
consider an extension of the bad example as shown in Figure 7.1.
Recall that y and the codewords c1 and c2 form the bad example for unique decoding that
we have already seen before. Recall that for this particular received word we cannot do error
recovery by unique decoding since there are two codewords c1 and c2 having the same distance
δ
2 from vector y. On the other hand, the received word z has a unique codeword c1 with distance
p > δ2 . However, unique decoding does not allow for error recovery from z. This is because by
definition of unique decoding, the decoder must be able to recover from every error pattern
(with a given Hamming weight bound). Thus, by Proposition 1.4.2, the decoded codeword can-
not have relative Hamming distance larger than δ/2 from the received word. In this example,
because of the received word y, unique decoding gives up on the opportunity to decode z.
Let us consider the example in Figure 7.1 for the binary case. It can be shown that the num-
ber of vectors in dotted lines is insignificant compared to the volume of shaded area (for large
enough block length of the code). The volume of all Hamming balls of radius δ2 around all the

134
2k codewords is roughly equal to:
δ
2k 2nH ( 2 ) ,
which implies that the volume of the shaded area (without the dotted lines) is approximately
equal to:
δ
2n − 2k 2nH ( 2 ) .
In other words, the volume when expressed as a fraction of the volume of the ambient space is
roughly:
δ
1 − 2−n(1−H ( 2 )−R) , (7.1)
where k = Rn and by the Hamming bound (Theorem 1.3) R ≤ 1 − H ( δ2 ). If R < 1 − H ( δ2 ) then
second term of (7.1) is very small. Therefore, the number of vectors in the shaded area (without
the bad examples) is almost all of the ambient space. Note that by the stringent condition on
unique decoding none of these received words can be decoded (even though for such received
words there is a unique closest codeword). Thus, in order to be able to decode such received
vectors, we need to relax the notion of unique decoding. We will consider such a relaxation
called list decoding next.

7.2 List Decoding

The new notion of decoding that we will discuss is called list decoding as the decoder is allowed
to output a list of answers. We now formally define (the combinatorial version of) list decoding:
Definition 7.2.1. Given 0 ≤ ρ ≤ 1, L ≥ 1, a code C ⊆ Σn is (ρ, L)-list decodable if for every received
word y ∈ Σn , ¯© ª¯
¯ c ∈ C |∆(y, c) ≤ ρn ¯ ≤ L

Given an error parameter ρ, a code C and a received word y, a list-decoding algorithm

should output all codewords in C that are within (relative) Hamming distance ρ from y. Note
that if the fraction of errors that occurred during transmission is at most ρ then the transmitted
codeword is guaranteed to be in the output list. Further, note that if C is (ρ, L)-list decodable,
then the algorithm will always output at most L codewords for any received word. In other
words, for an efficient list-decoding algorithm, L should be a polynomial in the block length
n (as otherwise, the algorithm will have to output a super-polynomial number of codewords
and hence, cannot have a polynomial running time). Thus, the restriction of L being at most
some polynomial in n is an a priori requirement enforced by the fact that we are interested in
efficient polynomial time decoding algorithms. Another reason for insisting on a bound on L
is that otherwise the decoding problem can become trivial: for example, one can output all the
codewords in the code. Finally, it is worthwhile to note that one can always have an exponential
time list-decoding algorithm: go through all the codewords in the code and pick the ones that
are within ρ (relative) Hamming distance of the received word.
Note that in the communication setup, we need to recover the transmitted message. In
such a scenario, outputting a list might not be useful. There are two ways to get around this
“problem":

135
 1. Declare a decoding error if list size > 1. Note that this generalizes unique decoding (as
when the number of errors is at most half the distance of the code then there is a unique
codeword and hence, the list size will be at most one). However, the gain over unique
decoding would be substantial only if for most error patterns (of weight significantly more
than half the distance of the code) the output list size is at most one. Fortunately, it can
be shown that:

• For random codes, with high probability, for most error patterns, the list size is at
most one. In other words, for most codes, we can hope to see a gain over unique
decoding. The proof of this fact follows from Shannon’s proof for the capacity for
qSC: the details are left as an exercise.
• In Section 7.5, we show that the above behavior is in fact general: i.e. for any code
(over a large enough alphabet) it is true that with high probability, for most error
patterns, the list size is at most one.

Thus, using this option to deal with multiple answers, we still deal with worse case errors
but can correct more error patterns than unique decoding.

2. If the decoder has access to some side information, then it can use that to prune the list.
Informally, if the worst-case list size is L, then the amount of extra information one needs
is O(log L). This will effectively decrease1 the dimension of the code by O(log L), so if L
is small enough, this will have a negligible effect on the rate of the code. There are also
applications (especially in complexity theory) where one does not really care about the
rate being the best possible.

Recall that Proposition 1.4.2 implies that δ/2 is the maximum fraction of errors correctable
with unique decoding. Since list decoding is a relaxation of unique decoding, it is natural to
wonder

Question 7.2.1. Can we correct more than δ/2 fraction of errors using list decoding?

and if so

Question 7.2.2. What is the maximum fraction of errors correctable using list decoding?

In particular, note that the intuition from Figure 7.1 states that the answer to Question 7.2.1
should be yes.
1
Note that side information effectively means that not all possible vectors are valid messages.

136
7.3 Johnson Bound
In this section, we will indeed answer Question 7.2.1 in the affirmative by stating a bound due
to Johnson. To setup³the context
´ again, recall that Proposition 1.4.2 implies that any code with
δ
relative distance δ is 2
,1 -list decodable.
j k ¡ ¢
Notice that if we can show a code for some e > d −1 2 is ne , n O(1) -list decodable, then it is
potentially possible to list decode that code up to e errors in polynomial time. By proving the
Johnson bound, we will show that this is indeed the case for any code.
³ ´
Theorem 7.3.1 (Johnson Bound). Let C ⊆ [q]n be a code of distance d . If ρ < J q dn , then C is a
(ρ, qd n)-list decodable code, where the function J q (δ) is defined as
µ ¶Ã s !
1 qδ
J q (δ) = 1 − 1− 1− .
q q −1

Proof (for q = 2). The proof technique that we will use has a name: double counting. The main
idea is to get both an upper and lower bound on the same quantity by counting it in two differ-
ernt ways. These bounds then imply an inequality, and we will derive our desired bound from
this inequality.
We have to show that for every binary code C ⊆ {0, 1}n with distance d (i.e. for every c1 6= c2 ∈
C , ∆(c1 , c2 ) ≥ d ) and every y ∈ {0, 1}n ,
\
|B (y, e) C | ≤ 2d n.

Fix arbitrary C and y. Let c1 , . . . , cM ∈ B (y, e). We need to show that M ≤ 2d n. Define c′i =
ci − y for 1 ≤ i ≤ M . Then we have the following:

(i) w t (c′i ) ≤ e for 1 ≤ i ≤ M because ci ∈ B (y, e).

(ii) ∆(c′i , c′j ) ≥ d for every i 6= j because ∆(ci , c j ) ≥ d .

Define X
S= ∆(c′i , c′j ).
i<j

We will prove both an upper and a lower bound on S, from which we will extract the required
upper bound on M . From (ii) we have à !
M
S≥ d (7.2)
2
Consider the n × M matrix (c′T ′T
1 , · · · , cM ). Define m i as the number of 1’s in the i -th row for
1 ≤ i ≤ n. Then the i -th row of the matrix contributes the value m i (M − m i ) to S because this
is the number of 0-1 pairs in that row. (Note that each such pair contributes one to S.) This
implies that
Xn
S= m i (M − m i ). (7.3)
i =1

137
 Define ē such that
n
X
ēM = mi .
i =1
Note that
n
X M
X
mi = w t (ci ) ≤ eM ,
i =1 j =1

where the inequality follows From (i) above. Thus, we have

ē ≤ e.

Using the (‘square’ of) Cauchy-Schwartz inequality (i.e., 〈x, z〉2 ≤ kxk2 · kzk2 for x, z ∈ Rn ) by
taking x = (m 1 , · · · , m n ), z = (1/n, · · · , 1/n), we have
µ Pn ¶2 Ã n !
i =1 m i
X 2 1
≤ mi . (7.4)
n i =1 n

Thus, from (7.3)

n
X n
X (M ē)2 ē 2
S= m i (M − m i ) = M 2 ē − m i2 ≤ M 2 ē − = M 2 (ē − ), (7.5)
i =1 i =1 n n

where the inequality follows from (7.4). By (7.2) and (7.5),

µ ¶
2 ē 2 M (M − 1)
M ē − ≥ d,
n 2

which implies that

dn 2d n 2d n
M≤ = =
d n − 2n ē + 2ē 2 2d n − n 2 + n 2 − 4n ē + 4ē 2 (n − 2ē)2 − n(n − 2d )
2d n
≤ 2
, (7.6)
(n − 2e) − n(n − 2d )
where the last inequality follows from the fact that ē ≤ e. Then from definition of J 2 (·), we get
 s 
e 1 2d 
< 1− 1− ,
n 2 n

we get p
n − 2e > n(n − 2d ).
In other words
(n − 2e)2 > n(n − 2d ).
Thus, (n −2e)2 −n(n −2d ) ≥ 1 because n, e are all integers and therefore, from (7.6), we have
M ≤ 2d n as desired.

138
 Next, we prove the following property of the function J q (·), which along with the Johnson
bound answers Question 7.2.1 in the affirmative.

Lemma 7.3.2. Let q ≥ 2 be an integer and let 0 ≤ x ≤ 1 − q1 . Then the following inequalities hold:

p x
J q (x) ≥ 1 − 1 − x ≥ ,
2
where the second inequality is tight for x > 0.

Proof. We start with by proving the inequality

µ ¶Ã s !
1 xq p
1− 1− 1− ≥ 1 − 1 − x.
q q −1

Indeed, both the LHS and RHS of the inequality are zero at x = 0. Further, it is easy to check that
the derivatives of the LHS and RHS are q 1 xq and p1 respectively. The former is always
2 1− q−1 2 1−x

larger than the latter quantity. This implies that the LHS increases more rapidly than the RHS,
which in turn proves the required inequality.
The second inequality follows from the subsequent relations. As x ≥ 0,

x2
1−x + ≥ 1 − x,
4
which implies that
³ x ´2
1− ≥ 1 − x,
2
which in turn implies the required
p inequality. (Note that the two inequalities above are strict
for x > 0, which implies that 1 − 1 − x > x/2 for every x > 0, as desired.)

Theorem 7.3.1 and Lemma 7.3.2 imply that for any code, list decoding can potentially cor-
rect strictly more errors than unique decoding in polynomial time, as long as q is at most some
polynomial in n (which will be true of all the codes that we discuss in this book). This answers
Question 7.2.1 in the affirmative. See Figure 7.2 for an illustration of the gap between the John-
son bound and the unique decoding bound.
Theorem 7.3.1 and Lemma 7.3.2 also implies the following “alphabet-free" version of the
Johnson bound.

Theorem 7.3.3 (Alphabet-Free

p Johnson Bound). For any q-ary code with block length n and
distance d , if e ≤ n − n(n − d ), then the code is (e/n, qnd )-list decodable.

A natural question to ask is the following:

139
 1
Singleton bound
Johnson bound
Unique decoding bound

0.8

Fraction of errors (p) ---> 0.6

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
Rate (R) --->

p
Figure 7.2: The trade-off between rate R and the fraction of errors that can be corrected. 1 − R
is the trade-off implied by the Johnson bound. The bound for unique decoding is (1−R)/2 while
1 − R is the Singleton bound (and the list decoding capacity for codes over large alphabets).

Question 7.3.1. Is the Johnson bound tight?

The answer is yes in the sense that there exist linear codes with relative distance δ such
that we can find Hamming ball of radius larger than J q (δ) with super-polynomially many code-
words. On the other hand, in the next section, we will show that, in some sense, it is not tight.

7.4 List-Decoding Capacity

In the previous section, we saw what can one achieve with list decoding in terms of distance of
a code. In this section, let us come back to Question 7.2.2. In particular, we will consider the
trade-off between rate and the fraction of errors correctable by list decoding. Unlike the case of
unique decoding (but like the case of BSCp ), we will be able to prove an optimal trade-off.
Next, we will prove the following result regarding the optimal trade-off between rate of a
code and the fraction of errors that can be corrected via list decoding.

Theorem 7.4.1. Let q ≥ 2, 0 ≤ ρ < 1 − q1 , and ε > 0. Then the following holds for codes of large
enough block length n:
¡ ¡ ¢¢
(i) If R ≤ 1 − H q (ρ) − ε, then there exists a ρ,O 1ε -list decodable code.
¡ ¢
(ii) If R > 1 − H q (ρ) + ε, every ρ, L -list decodable code has L ≥ q Ω(εn) .

140
 Thus, the List-decoding capacity 2 is 1 − H q (ρ) (where ρ is the fraction of errors). Further,
this fully answers Question 7.2.2. Finally, note that this exactly matches capacity for qSCρ and
hence, list decoding can be seen as a bridge between Shannon’s world and Hamming’s world.
The remarkable aspect of this result is that we bridge the gap between these worlds by allowing
the decoder to output at most O(1/ε) many codewords.

7.4.1 Proof of Theorem 7.4.1

We begin with the basic idea behind the proof of part (i) of the theorem.
As in Shannon’s proof for capacity of BSC, we will use the probabilistic method (Section 3.2).
In particular, we will pick a random code and show that it satisfies the required property with
non-zero probability. In fact, we will show that a random code is (ρ, L)-list decodable with high
probability as long as:
1
R ≤ 1 − H q (ρ) −
L
The analysis will proceed by proving that probability of a “bad event" is small. “Bad event"
means there exist messages m0 , m1 , · · · , mL ∈ [q]Rn and a received code y ∈ [q]n such that:
¡ ¢
∆ C (mi ), y) ≤ ρn, for every 0 ≤ i ≤ L.

Note that if a bad event occurs, then the code is not (ρ, L)-list decodable. The probability of the
occurrence of any bad event will then be calculated by an application of the union bound. § ¨
Next, we restate Theorem 7.4.1 and prove a stronger version of part (i). (Note that L = 1ε in
Theorem 7.4.2 implies Theorem 7.4.1.)

Theorem 7.4.2 (List-Decoding Capacity). Let q ≥ 2 be an integer, and 0 < ρ < 1 − q1 be a real
number.
¡ ¢
(i) Let L ≥ 1 be an integer, then there exists an ρ, L -list decodable code with rate

1
R ≤ 1 − H q (ρ) −
L
¡ ¢
(ii) For every ρ, L code of rate 1 − H q (ρ) + ε, it is necessary that L ≥ 2Ω(εn) .

Proof. We start with the proof of (i). Pick a code C at random where
µ ¶
k 1
|C | = q , and k ≤ 1 − H q (ρ) − n.
L

That is, as in Shannon’s proof, for every message m, pick C (m) uniformly and independently at
random from [q]n .
2
Actually the phrase should be something like “capacity of worst case noise model under list decoding" as the
capacity is a property of the channel. However, in the interest of brevity we will only use the term list-decoding
capacity.

141
 Given y ∈ [q]n , and m0 , · · · , mL ∈ [q]k , the tuple (y, m0 , · · · , mL ) defines a bad event if

C (mi ) ∈ B (y, ρn), for all 0 ≤ i ≤ L.

Note that a code is (ρ, L)-list decodable if and only if there does not exist any bad event.
Fix y ∈ [q]n and m0 , · · · , mL ∈ [q]k . Note that for fixed i , by the choice of C , we have:

V ol q (ρn, n)
Pr[C (mi ) ∈ B (y, ρn)] = ≤ q −n(1−Hq (ρ)) , (7.7)
qn

where the inequality follows from the upper bound on the volume of a Hamming ball (Proposi-
tion 3.3.3). Now the probability of a bad event given (y, m0 , · · · , mL ) is
" #
L
^ L
Y
Pr C (mi ) ∈ B (y, ρn) = Pr[C (mi ) ∈ B (y, ρn)] ≤ q −n(L+1)(1−Hq (ρ)) , (7.8)
i =0 i =0

where the equality follows from the fact that the random choices of codewords for distinct mes-
sages are independent and the inequality follows from (7.7). Then,
à !
qk
Pr[ There is a bad event] ≤ q n
q −n(L+1)(1−Hq (ρ)) (7.9)
L +1
≤ q n q Rn(L+1) q −n(L+1)(1−Hq (ρ)) (7.10)
1
−n(L+1)[1−H q (ρ)− L+1 −R]
= q
1 1
≤ q −n(L+1)[1−Hq (ρ)− L+1 −1+Hq (ρ)+ L ] (7.11)
− nL
= q
< 1

In the above, (7.9) follows by the union bound (Lemma 3.1.5) with (7.8) and by counting the
¡ qk ¢
number of y’s (which is q n ), and the number of L + 1 tuples (which is L+1 ). (7.10) follows from
¡a ¢
the fact that b ≤ a and k = Rn. (7.11) follows by assumption R ≤ 1 − H q (ρ) − L1 . The rest of the
b

steps follow from rearranging and canceling the terms. Therefore, by the probabilistic method,
there exists C such that it is (ρ, L)-list decodable.
Now we turn to the proof of part (ii). For this part, we need to show the existence of a y ∈ [q]n
such that |C ∩ B (y, ρn)| is exponentially large for every C of rate R ≥ 1 − H q (ρ) + ε. We will again
use the probabilistic method to prove this result.
Pick y ∈ [q]n uniformly at random. Fix c ∈ C . Then

Pr[c ∈ B (y, ρn)] = Pr[y ∈ B (c, ρn)]

V ol q (ρn, n)
= (7.12)
qn
≥ q −n(1−Hq (ρ))−o(n) , (7.13)

142
where (7.12) follows from the fact that y is chosen uniformly at random from [q]n and (7.13)
follows by the lower bound on the volume of the Hamming ball (Proposition 3.3.3).
We have
X
E [|C ∩ B (y, ρn)|] = E [1c∈B (y,ρn) ] (7.14)
c∈C
X
= Pr[c ∈ B (y, ρn)]
c∈C
X
≥ q −n(1−Hq (ρ)+o(n)) (7.15)
c∈C
n[R−1+H q (ρ)−o(1)]
= q
≥ q Ω(εn) . (7.16)

In the above, (7.14) follows by the linearity of expectation (Proposition 3.1.4), (7.15) follows
from (7.13), and (7.16) follows by choice of R. Hence, by the probabilistic method, there exists y
such that |B (y, ρn) ∩C | is q Ω(n) , as desired.

The above proof can be modified to work for random linear codes. (See Exercise 7.1.)
We now return to Question 7.3.1. Note that by the Singleton bound, the p Johnson bound im-
plies that for any code one can hope to list decode from about ρ ≤ 1 − R fraction of errors.
However, this trade-off between ρ and R is not tight. Note that Lemma 3.3.4 p along with Theo-
rem 7.4.1 implies that for large q, the list decoding capacity is 1 − R > 1 − R. Figure 7.2 plots
and compares the relevant trade-offs.
Finally, we have shown that the list decoding capacity is 1 − H q (ρ). However, we showed the
existence of a code that achieves the capacity by the probabilistic method. This then raises the
following question:

Question 7.4.1. Do there exist explicit codes that achieve list decoding capacity?

Also the only list decoding algorithm that we have seen so far is the brute force algorithm that
checks every codeword to see if they need to be output. This also leads to the follow-up question

Question 7.4.2. Can we achieve list decoding capacity with efficient list decoding algorithms?

A more modest goal related to the above would be the following:

143
 Question 7.4.3. Can we design an efficient list decoding algorithm that can achieve
p the John-
son bound? In particular, can we efficiently list decode a code of rate R from 1 − R fraction
of errors?

7.5 List Decoding from Random Errors

In this section, we formalize the intuition we developed from Figure 7.1. In particular, recall
that we had informally argued that for most error patterns we can correct beyond the δ/2 bound
for unique decoding (Proposition 1.4.2). Johnson bound (Theorem 7.3.1) tells us that one can
indeed correct beyond δ/2 fraction of errors. However, there are two shortcomings. The first is
that the Johnson bounds tells us that the output list size is qd n but it does not necessarily imply
that for most error patterns, there is unique by closest codewords (i.e. one can uniquely recover
the transmitted codeword). In other words, Johnson bound is a “true" list decoding result and
tells us nothing about the behavior p of codes on the “average." The second aspect is that the
Johnson bound holds for up to 1 − 1 − δ fraction of errors. Even though it is more than δ/2 for
every δ > 0, the bound e.g. is not say twice the unique decoding bound for every δ > 0.
Next we show that for any code with relative distance δ (over a large enough alphabet size)
for most error patterns, the output of a list decoder for any fraction of errors arbitrarily close to
δ will have size one. In fact, the result is somewhat stronger: it show that even if one fixes the
error locations arbitrarily, for most error patterns the output list size is one.

Theorem 7.5.1. Let ε > 0 be a real and q ≥ 2Ω(1/ε) be an integer. Then the following is true for any
0 < δ < 1 − 1/q and large enough n. Let C ⊆ {0, 1, ...q − 1}n be a code with relative distance δ and
let S⊆ [n] such that |S| = (1 − ρ)n, where (0 < ρ ≤ δ − ε).
Then, for all c ∈ C and all but a q −Ω(εn) fraction of error patterns, e ∈ {0, 1...q − 1}n such that

eS = 0 and w t (e) = ρn (7.17)

the only codeword within Hamming distance ρn of c + e is c itself.

For illustration of the kinds of error pattern we will deal with, see Figure 7.3.

e 0 eS

Figure 7.3: Illustration of the kind of error patterns we are trying to count.

Before we present the proof, we present certain corollaries (the proofs of which we leave as
exercises). First the result above implies a similar result of the output list size being one for the

144
following two random noise models: (i) uniform distribution over all error patterns of weight
ρn and (ii) qSCp . In fact, we claim that the result also implies that any code with distance at
least p + ε allows for reliable communication over qSCp . (Contrast the 2p + ε distance that was
needed for a similar result that was implied by Proposition 6.4.1.)
Finally, we present a lemma (the proof is left as an exercise) that will be crucial to the proof
of Theorem 7.5.1.

Lemma 7.5.2. Let be C be an (n, k, d )q code. If we fix the values in n − d + 1 out of the n positions
in a possible codeword, then at most one codeword in C can agree with the fixed values.

Proof of Theorem 7.5.1. For the rest of the proof, fix a c ∈ C . For notational convenience define
E S to be the set of all error patterns e such that eS = 0 and w t (e) = ρn. Note that as every error
position has (q − 1) non-zero choices and there are ρn such positions in [n] \ S, we have

|E s | = (q − 1)ρn . (7.18)
Call an error pattern e ∈ E s as bad if there exists another codeword c′ 6= c such that

△(c′ , c + e) ≤ ρn.

Now, we need to show that the number of bad error patterns is at most

q −Ω(εn) |E s |.

We will prove this by a somewhat careful counting argument.

We begin with a definition.

Definition 7.5.3. Every error pattern e is associated with a codeword c(e), which is the closest
codeword which lies within Hamming distance ρn from it.

For a bad error pattern we insist on having c(e) 6= c– note that for a bad error pattern such a
codeword always exists. Let A be the set of positions where c(e) agrees with c + e.
The rest of the argument will proceed as follows. For each possible A, we count how many
bad patterns e are associated with it (i.e. c + e and c(e) agree exactly in the positions in A). To
bound this count non-trivially, we will use Lemma 7.5.2.
Define a real number α such that |A| = αn. Note that since c(e) and c + e agree in at least
1 − ρ positions,
α ≥ 1 − ρ ≥ 1 − δ + ε. (7.19)
For now let us fix A with |A| = αn and to expedite the counting of the number of bad error
patterns, let us define two more sets:

A 1 = A ∩ S,
and
A2 = A \ A1.

145
 S

A2

c+e

A1

c(e)

Figure 7.4: Illustration of notation used in the proof of Theorem 7.5.1. Positions in two different
vectors that agree have the same color.
.

See Figure 7.4 for an illustration of the notation that we have fixed so far.
Define β such that
|A 1 | = βn. (7.20)

Note that this implies that

|A 2 | = (α − β)n. (7.21)

Further, since A 1 ⊆ A, we have

β ≤ α.

To recap, we have argued that every bad error pattern e corresponds to a codeword c(e) 6= c
and is associated with a pair of subsets (A 1 , A 2 ). So, we fix (A 1 , A 2 ) and then count the number
of bad e ’s that map to (A 1 , A 2 ). (Later on we will aggregate this count over all possible choices
of (A 1 , A 2 ).)
Towards this end, first we overestimate the number of error patterns e that map to (A 1 , A 2 )
by allowing such e to have arbitrary values in [n] \ (S ∪ A 2 ). Note that all such values have to be
non-zero (because of (7.17). This implies that the number of possible distinct e[n]\(S∪A 2 ) is at
most
(q − 1)n−|S|−|A 2 | = q n−(1−ρ)n−(α−β)n , (7.22)

where the equality follows from the given size of S and (7.21). Next fix a non-zero x and let us
only consider error patterns e such that

e[n]\(S∪A 2 ) = x.

Note that at this stage we have an error pattern e as depicted in Figure 7.5.

146
 S

e 0 ?? x

A1 A2

Figure 7.5: Illustration of the kind of error patterns we are trying to count now. The ? denote
values that have not been fixed yet.

Now note that if we fix c(e) A 2 , then we would also fix e A 2 (as (c + e) A 2 = (c(e)) A 2 ). Recall that
c is already fixed and hence, this would fix e as well. Further, note that

c(e) A 1 = (c + e) A 1 = c A 1 .

This implies that c(e) A 1 is already fixed and hence, by Lemma 7.5.2 we would fix c(e) if we fix (say
the first) (1−δ)n+1−|A 1 | positions in c(e) A 2 . Or in other words, by fixing the first (1−δ)n+1−|A 1 |
positions in e A 2 , e would be completely determined. Thus, the number of choices for e that have
the pattern in Figure 7.5 is upper bounded by

q (1−δ)n+1−|A 1 | = (q − 1)(1−δ)n+1−βn , (7.23)

where the equality follows from (7.20).

Thus, by (7.22) and (7.23) the number of possible bad error patterns e that map to (A 1 , A 2 )
is upper bounded by

(q − 1)n−(1−ρ)n−αn+βn+(1−δ)n+1−βn ≤ (q − 1)ρn−εn+1 = (q − 1)−εn+1 |E s |,

where the inequality follows from (7.19) and the equality follows from (7.18).
Finally, summing up over all choices of A = (A 1 , A 2 ) (of which there are at most 2n ), we get
that the total number of bad patterns is upper bounded by
1
n
− εn +
2n · (q − 1)−εn+1 · |E S | ≤ q log2 q 2 2 · |E A | ≤ q −εn/4 · |E S |,
p
where the first inequality follows from q − 1 ≥ q (which in turn is true for q ≥ 3) while the
εn
last inequality follows from the fact that for q ≥ Ω(1/ε) and large enough n, n+1/2 log2 q < 4 . This
completes the proof. ✷
It can be shown that Theorem 7.5.1 is not true for q = 2o(1/ε) . The proof is left as an exercise.

7.6 Exercises
Exercise 7.1. Show that with high probability, a random linear code is (ρ, L)-list decodable code
as long as
1
R ≤ 1 − H q (ρ) − . (7.24)
⌈logq (L + 1)⌉

147
Hint: Think how to fix (7.8) for random linear code.

Exercise 7.2. In this exercise we will see how we can "fix" the dependence on L is the rate of
random linear codes from Exercise 7.1. In particular, we will consider the following family of
codes that are somewhere between linear and general codes and are called pseudolinear codes,
which are defined as follows.
Let q be a prime power and let 1 ≤ k ≤ n and L ≥ 1 be integers. Then an (n, k, L, r, q)-family of
pseudolinear codes is defined as follows. Let H be the parity check matrix of an [q k − 1, q k − 1 −
r, L + 1]q linear code and H′ be an extension of H with the first column being 0 (and the rest being
H). Every code in the family is indexed by a matrix A ∈ Fn×r
q . Fix such a A. Then the corresponding
k
code C A is defined as follows. For any x ∈ Fq , we have

C A (x) = A · H′x ,

where H′x is the column corresonding to x, when though of as an integer between 0 and q k − 1.
Next, we will argue that random pseudolinear codes have near optimal list decodability:

1. Fix non-zero messages m1 , . . . mL . Then for a random code C A from an (n, k, L, r, q)-family
of pseudolinear code family, the codewords C A (m1 ), . . . ,C A (mL ) are independent random
vectors in Fnq .

2. Define (n, k, L, q)-family of pseudolinear codes to be (n, k, L,O(kL), q)-family of pseudolin-

ear codes. Argue that (n, k, L, q)-family of pseudolinear codes exist.
Hint: Exercise 5.10 might be helpful.

3. Let ε > 0 and q ≥ 2 be a prime power. Further let 0 ≤ ρ < 1 − 1/q. Then for a large enough n
and k such that
k 1
≥ 1 − H q (ρ) − − ε,
n L
a random (n, k, L, q)-pesudolinear code is (ρ, L)-list decodable.

4. Show that one can construct a (ρ, L)-list decodable pseudolinear code with rate at least
1 − H q (ρ) − L1 − ε in q O(kL+n) time.
Hint: Use method of conditional expectations.

Exercise 7.3. In this exercise we will consider a notion of “average" list decoding that is closely re-
lated to our usual notion of list decoding. As we will see in some subsequent exercises, sometimes
it is easier to work with this average list decoding notion.

1. We begin with an equivalent definition of our usual notion of list decoding. Argue that
a code C is (ρ, L) list decodable if and only if for every y ∈ [q]n and every subset of L + 1
codewords c0 , . . . , cL we have that

max ∆(y, ci ) > ρn.

0≤i ≤L

148
 2. We define a code C to be (ρ, L)-average list decodable if for every y ∈ [q]n and L + 1 code-
words c0 , . . . , cL we have
1 X L
· ∆(y, ci ) > ρn.
L i =0
Argue that if C is (ρ, L)-average list decodable then it is also (ρ, L)-list decodable.

3. Argue that if C is (ρ, L)-list decodable then it is also (ρ(1 − γ), ⌈L/γ⌉)-average list decodable
(for any 0 < γ < ρ).

Exercise 7.4. In Section 7.5 we saw that for any code one can correct arbitrarily close to relative
distance fraction of random errors. In this exercise we will see that one can prove a weaker result.
In particular let D be an arbitrary distribution on B q (0, ρn). Then argue that for most codes, the
list size with high probability is 1. In other words, show that for 1 − o(1), fraction of codes C we
have that for every codeword c ∈ C
£ ¤
Pr |B q (c + e, ρn) ∩C | > 1 = o(1).
e←D

Hint: Adapt the proof of Theorem 6.3.1 from Section 6.3.2.

Exercise 7.5. We call a code (ρ, L)-erasure list-decodable is informally for any received word
with at most ρ fraction of erasures at most L codewords agree with it in the unerased positions.
More formally, an (n, k)q -code C is (ρ, L)-erasure list-decodable if for every y ∈ [q](1−ρ)n and every
subset T ⊆ [n] with |T | = (1 − ρ)n, we have that
¯ ¯
¯{c ∈ C |cT = y}¯ ≤ L.

In this exercise you will prove some simple bounds on the best possible rate for erasure-list decod-
able code.
³ ´
d −1
1. Argue that if C has distance d then it is n , 1 -erasure list decodable.

2. Show that there exists a (ρ, L)-erasure list decodable code of rate

L H q (ρ)
· (1 − ρ) − − γ,
L +1 L
for any γ > 0.

3. Argue that there exists a linear (ρ, L)-erasure list decodable code with rate

J −1 H q (ρ)
· (1 − ρ) − − γ,
J J −1
l m
where J = logq (L + 1) and γ > 0.

149
 4. Argue that the bound in item 2 is tight for large enough L by showing that if a code of rate
1 − ρ + ε is (ρ, L)-erasure list decodable then L is 2Ωε (n) .

Exercise 7.6. In this exercise we will see an alternate characterization of erasure list-decodable
code for linear codes, which we will use to show separation between linear and non-linear code
in the next exercise.
Given a linear code C ⊆ Fnq and an integer 1 ≤ r ≤ n, define the r ’th generalized Hamming
distance, denoted by d r (C ), as follows. First given a set D ⊆ FN
q , we define the support of D as the
union of the supports of vectors in D. More precisely

supp (D) = {i | there exists (u 1 , . . . , u n ) ∈ S such that u i 6= 0}.

Then d r (C ) is size of the smallest support of all r -dimensional subcodes of C .

Argue the following:

1. (Warmup) Convince yourself that d 1 (C ) is the usual Hamming distance of C .

2. Prove that C is (ρn, L)-erasure list-decodable if and only if d 1+⌊logq L⌋ (C ) > ρn.

Exercise 7.7. In this exercise we use the connection between generalized Hamming distance and
erasure list decodability from Exercise 7.6 to show an “exponential separation" between linear
and non-linear codes when it comes to list decoding from erasure.
Argue the following:

1. Let C be an [n, k]q code. Then show that the average support size of r -dimensional subcodes
of C is exactly
qr − 1 |C |
· · n.
qr |C | − 1

2. From previous part or otherwise, conclude that if for an [n, k]q code C we have d r (C ) >
n(1 − q −r ), then we have
d r (C )
|C | ≤ ,
d r (C ) − n(1 − q −r )
Note that the above bound for r = 1 recovers the Plotkin bound (second part of Theo-
rem 4.4.1).

3. Argue that any (family) of code C with d r (C ) = δr · n, its rate satisfies:

qr
R(C ) ≤ 1 − · δr + o(1).
qr − 1

Hint: Use a the result from previous part on a code related to C .

4. Argue that for small enough ε > 0, any linear (1 − ε, L)-erasure list decodable code with
positive rate must have L ≥ Ω(1/ε).

150
 5. Argue that there exist (1 − ε,O(log(1/ε)))-erasure list decodable code with positive (in fact
Ω(ε)) rate. Conclude that there exists non-linear codes that have the same erasure list de-
codability but with exponentially smaller list sizes than linear codes.

Exercise 7.8. In this exercise we will prove an analog of the Johnson bound (Theorem 7.3.1) but
´ codes.´In particular, let C be an (n, k, δn)q code. Then show that for any
for erasure list-decodable
³³
q q
ε > 0, C is an q−1 − ε δ, (q−1)ε -erasure list decodable.

Hint: The Plotkin bound (Theorem 4.4.1) might be useful.

Exercise 7.9. Let C be a q-ary (ρ, L)-(average) list decodable of rate R, then show that there exists
another (ρ, L)-(average) list decodable code with rate at least

R + H q (λ) − 1 − o(1),

for any λ ∈ (ρ, 1 − 1/q] such that all codewords in C ′ have Hamming weight exactly λn.
Hint: Try to translate C .

Exercise 7.10. In this exercise, we will prove a lower bound on the list size of list decodable codes
that have optimal rate. We do this via a sequence of following steps:

1. Let C ⊆ [q]n be a (ρ, L − 1)-list decodable code such that all codewords have Hamming
weight exactly λn for
1
λ=ρ+ · ρL .
2L
Then prove that
2L 2
|C | < L .
λ

Hint: It might be useful to use the following result due to Erdös [38] (where we choose the variables to match
the relevant ones in the problem). Let A be a family of subsets of [n]. Then if every A ∈ A has size at least
nλL
2L 2 /λL , then there exist distinct A 1 , . . . , A L ∈ A such that ∩Li=1 A i has size at least 2 .

2. Argue that any q-ary (ρ, L−1)-list decodable code C (for large enough block length) has rate
ρL
at most 1 − H q (ρ) − b ρ,q · L for some constant b ρ,q that only depends on ρ and q.
Hint: Use the previous part and Exercise 7.9.

3. Argue that any q-ary (ρ, L)-list decodable C with rate 1−H q (ρ)−ε mush satisfy L ≥ Ωρ,q (log(1/ε)).

Exercise 7.11. It follows from Theorem 7.4.1 that a random code of rate 1 − H q (ρ) − ε with high
probability is (ρ,O(1/ε))-list decodable. On the other hand, the best lower bound on the list size
for codes of rate 1−H q (ρ)−ε (for constant p, q) is Ω(log(1/ε)) (as we just showed in Exercise 7.10).
It is natural to wonder if one can perhaps do a better argument for random codes. In this exercise,
we will show that our argument for random codes is the best possible (for random codes). We will
show this via the following sequence of steps:

151
 1. Let C be a random (n, k)q code of rate 1−H q (ρ)−ε. For any y ∈ [q]n and any subset S ⊆ [q]k
of size L + 1, define the random event E (y, S) that for every m ∈ S, C (m) is at Hamming
distance at most ρn from y. Define
X
W = E (y, S).
y,S

Argue that C is (ρ, L)-list decodable if and only if W = 0.

2. Define
µ = q −n · V ol q (ρn, n).
Argue that
1
E [W ] ≥ · µL+1 · q n · q k(L+1) .
(L + 1)L+1
3. Argue that
L+1
X
2 2n
σ (Z ) ≤ q · (L + 1)2(L+1) · q k(2L+2−ℓ) · µ2L−ℓ+3 .
ℓ=1

Hint: Analyze the probability of both events E (y, S) and E (z, T ) happening together for various intersection
sizes ℓ = |S ∩ T |.
³ ´
1−H q (ρ)
4. Argue that C is ρ, 2ε -list decodable with probability at most q −Ωρ,ε (n) .
Hint: Use Chebyschev’s inequality.

7.7 Bibliographic Notes

List decoding was defined by Elias [37] and Wozencraft [136].
The result showing that for random error patterns, the list size with high probability is one
for the special case of Reed-Solomon codes was shown by McEliece [92]. The result for all codes
was proved by Rudra and Uurtamo [112]
In applications of list decoding in complexity theory (see for example [125],[53, Chap. 12]),
side information is used crucially to prune the output of a list decoding algorithm to compute
a unique answer.
Guruswami [52] showed that the answer to Question 7.3.1 is yes in the sense that there ex-
ist linear codes with relative distance δ such that we can find Hamming ball of radius larger
than J q (δ) with super-polynomially many codewords. This result was proven under a number-
theoretic assumption, which was later removed by [64]. ¡ ¢
(7.24) implies that there exist linear codes with rate 1 − H q (ρ) − ε that are ρ, q O(1/ε) -list
decodable. (This is also true for most linear codes¡with the appropriate
¢ parameters.) However,
for a while just for q = 2, we knew the existence of ρ,O(1/ε) -list decodable codes [57] (though
it was not a high probability result). Guruswami, Håstad and Kopparty resolved this “gap" by
showing that random linear codes of rate 1 − H q (ρ) − ε are (ρ,O(1/ε))-list decodable (with high
probability) [56].

152
Chapter 8

What Cannot be Done-II

In this brief interlude of a chapter, we revisit the trade-offs between rate and relative distance
for codes. Recall that the best (and only) lower bound on R that we have seen is the GV bound
and the best upper bound on R that we have have seen so far is a combination of the Plotkin
and Hamming bounds (see Figure 4.5). In this chapter, we will prove the final upper bound on
R in this book due to Elias and Bassalygo. Then we will mention the best known upper bound
on rate (but without stating or proving it). Finally, we will conclude by summarizing what we
have seen so far and laying down the course for the rest of the book.

8.1 Elias-Bassalygo bound

We begin with the statement of a new upper bound on the rate called the Elias-Bassalygo bound.
Theorem 8.1.1 (Elias-Bassalygo bound). Every q-ary code of rate R, distance δ, and large enough
block length n, satisfies the following:
¡ ¢
R ≤ 1 − H q J q (δ) + o (1)
See Figure 8.1 for an illustration of the Elias-Bassalygo bound for binary codes. Note that
this bound is tighter than all the previous upper bounds on rate that we have seen so far.
The proof of Theorem 8.1.1 uses the following lemma:
Lemma 8.1.2. Given a q-ary code, C ⊆ [q]n , and 0 ≤ e ≤ n, there exists a Hamming ball of radius
|C |V ol q (e,n)
e with at least qn
codewords in it.
Proof. We will prove the existence of the required Hamming ball by the probabilistic method.
Pick a received word y ∈ [q]n at random. It is easy to check that the expected value of |B (y, e)∩C |
|C |V ol q (e,n)
is qn (We have seen this argument earlier in the proof of part (ii) of Theorem 7.4.2.)
.
By the probabilistic method, this implies the existence of a y ∈ [q]n such that
|C |V ol q (e, n)
|B (y, e) ∩C | ≥ ,
qn
as desired.

153
 1
Hamming bound
GV bound
Singleton bound
Plotkin bound
Elias-Bassalygo bound
0.8

0.6
R

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 8.1: Singleton, Hamming, Plotkin, GV and Elias-Bassalygo bounds on rate versus dis-
tance for binary codes.

Proof of Theorem 8.1.1. Let C ⊆ [q]n be any code with relative distance δ. Define e = n J q (δ)−
1. By Lemma 8.1.2, there exists a Hamming ball with B codewords such that the following
inequality is true:

|C |V ol q (e, n)
B≥ .
qn
By our choice of e and the Johnson bound (Theorem 7.3.1), we have

B ≤ qd n.

Combining the upper and lower bounds on B implies the following

qn
|C | ≤ qd n · ≤ q n (1−Hq ( J q (δ))+o(1)) ,
V ol q (e, n)

where the second inequality follows from our good old lower bound on the volume of a
Hamming ball (Proposition 3.3.3) and the fact that qd n ≤ qn 2 ≤ q o(n) for large enough n. This
implies that the rate R of C satisfies:
¡ ¢
R ≤ 1 − H q J q (δ) + o (1) ,

as desired. ✷

154
8.2 The MRRW bound: A better upper bound
The MRRW bound (due to McEliece, Rodemich, Rumsey and Welch) is based on a linear pro-
gramming approach introduced by Delsarte to bound the rate of a code. The MRRW bound
is a better upper bound than the Elias-Bassalygo bound (though we will not state or prove the
bound in this book). However, there is a gap between the Gilbert-Varshamov (GV) bound and
the MRRW bound. The gap still exists to this day. To give one data ¡point ¢ on the gap, consider
δ = 12 −ε (think of ε → 0), the GV bound gives a lower bound on
¡ 2 R of Ω
¡ 1 ¢¢ ε 2
(see Proposition 3.3.7),
while the MRRW bound gives an upper bound on R of O ε log ε .

8.3 A Breather
Let us now recap the combinatorial results that we have seen so far. Table 8.1 summarizes what
we have seen so far for binary codes in Shannon’s world and Hamming’s world (under both
unique and list decoding settings).

Shannon Hamming
BSCp Unique List
¡ ¢ ¡ ¢
1-H p is capacity R ≥ 1 − H (δ) 1 − H p is list decoding capac-
ity
R ≤ M RRW
Explicit codes at capacity? Explicit Asymptotically good Explicit codes at capacity?
codes?
Efficient decoding algorithm? Efficient decoding algorithms? Efficient decoding algorithms?

Table 8.1: High level summary of results seen so far.

For the rest of this section, we remind the reader about the definition of explicit codes (Def-
inition 6.3.4) and strongly explicit codes (Definition 6.3.5).
We begin with BSCp . We have seen that the capacity of BSCp is 1 − H (p). The most nat-
ural open question is to obtain the capacity result but with explicit codes along with efficient
decoding (and encoding) algorithms (Question 6.3.1).
Next we consider Hamming’s world under unique decoding. For large enough alphabets,
we have seen that Reed-Solomon codes (Chapter 5) meet the Singleton bound (Theorem 4.3.1).
Further, the Reed-Solomon codes are strongly explicit1 . The natural question then is

Question 8.3.1. Can we decode Reed-Solomon codes up to half its distance?

1
The proof is left as an exercise.

155
 For smaller alphabets, especially binary codes, as we have seen in the last section, there is a
gap between the best known lower and upper bounds on the rate of a code with a given relative
distance. Further, we do not know of an explicit construction of a binary code that lies on the
GV bound. These lead to the following questions that are still wide open:

Open Question 8.3.1. What is the optimal trade-off between R and δ?

Open Question 8.3.2.

Does there exist an explicit construction of (binary) codes on the GV bound?

If we scale down our ambitions, the following is a natural weaker version of the second ques-
tion above:

Question 8.3.2. Do there exist explicit asymptotically good binary codes?

We also have the following algorithmic counterpart to the above question:

Question 8.3.3. If one can answer Question 8.3.2, then can we decode such codes efficiently
from a non-zero fraction of errors?

For list decoding, we have seen that the list decoding capacity is 1 − H q (p). The natural
open questions are whether we can achieve the capacity with explicit codes (Question 7.4.1)
along with efficient list decoding algorithms (Question 7.4.2).
For the remainder of the book, we will primarily focus on the questions mentioned above
(and summarized in the last two rows of Table 8.1).

8.4 Bibliographic Notes

The McEliece-Rodemich-Rumsey-Welch (MRRW) bound was introduced in 1977 in the paper
[93].

156
 Part III

The Codes

157
Chapter 9

When Polynomials Save the Day:

Polynomial Based Codes

As we saw in Chapter 5, The Reed-Solomon codes give a remarkable family of codes with op-
timal dimension vs. distance tradeoff. They even match the Singleton bound (recall Theo-
rem 4.3.1), get k = n − d + 1 for a code of block length n, distance d and dimension k. However
they achieve this remarkable performance only over large alphabets, namely when the alpha-
bet size q ≥ n. In fact, so far in this book, we have not seen any explicit asymptotically good
code other than a Reed-Solomon code. This naturally leads to the following question (which is
a weaker form for Question 8.3.2):

Question 9.0.1. Do there exist explicit asymptotically good codes for small alphabets q ≪ n?

In this chapter we study an extension of Reed-Solomon codes, called the (generalized) Reed-
Muller codes, that lead to codes over smaller alphabets while losing in the dimension-distance
tradeoff (but under certain settings do answer Question 9.0.1 in the affirmative).

The main idea is to extend the notion of functions we work with, to multivariate functions.
(See Exercise 5.2 for equivalence between certain Reed-Solomon codes and univariate func-
tions.) Just working with bivariate functions (functions on two variables), allows us to get codes
of block length n = q 2 , and more variables can increase the length further for the same alpha-
bet size. We look at functions of total degree at most r . Analysis of the dimension of the code
reduces to simple combinatorics. Analysis of the distance follows from “polynomial-distance”
lemmas, whose use is ubiquitous in algebra, coding theory and computer science, and we de-
scribe these in the sections below. We start with the generic construction.

159
9.1 The generic construction
d d d
Recall that for a monomial Xd = X 1 1 · X 2 2 · · · X mm its total degree is d 1 + d 2 + · · · + d m . We next
extend this to the definition of the degree of a polynomial:
P
Definition 9.1.1. The total degree of a polynomial P (X) = d c d Xd over Fq (i.e. every c d ∈ Fq ) is
the maximum over d such that c d 6= 0, of the total degree of Xd . We denote the total degree of P by
deg(P ).

For example, the degree of the polynomial 3X 3 Y 4 + X 5 + Y 6 is 7.

In turns out that when talking about Reed-Muller codes, it is convenient to switch back and
forth between multivariate functions and multivariate polynomials. We can extend the notion
above to functions from Fm m
q → Fq . For f : Fq → Fq let deg( f ) be the minimal degree of a polyno-
mial P ∈ Fq [X 1 , . . . , X m ] (where Fq [X 1 , . . . , X m ] denotes the set of all m-variate polynomials with
coefficients from Fq ) such that f (α) = P (α) for every α ∈ Fm q . Note that since (by Exercise 2.3) for
every a ∈ Fq we have a q − a = 0, it follows that a minimal degree polynomial does not contain
monomials with degree more than q − 1 any single variable. In what follows,

Definition 9.1.2. We use deg X i (p) to denote the degree of polynomial p in variable X i and deg X i ( f )
to denote the degree of (the minimal polynomial corresponding to) a function f in variable X i .

For example deg X (3X 3 Y 4 + X 5 + Y 6 ) = 5 and degY (3X 3 Y 4 + X 5 + Y 6 ) = 6. Further, in this

notation we have for every function f : Fm q → Fq , deg X i ( f ) ≤ q − 1 for every i ∈ [m].
Reed-Muller codes are given by three parameters: a prime power q and positive integers m
and r , and consist of the evaluations of m-variate polynomials of degree at most r over all of
the domain Fm q .

Definition 9.1.3 (Reed-Muller Codes). The Reed-Muller code with parameters q, m, r , denoted
RM(q, m, r ), is the set of evaluations of all m-variate polynomials in Fq [X 1 , . . . , X m ] of total degree
at most r and individual degree at most q − 1 over all points in Fm q . Formally
n o
def
RM(q, m, r ) = f : Fm
q → F q | deg( f ) ≤ r .

For example consider the case of m = q = 2 and r = 1. Note that all bivariate polynomials
over F2 of degree at most 1 are 0, 1, X 1 , X 2 , 1 + X 1 , 1 + X 2 , X 1 + X 2 and 1 + X 1 + X 2 . Thus, we have
that (where the evaluation points for (X 1 , X 2 ) are ordered as (0, 0), (0, 1), (1, 0), (1, 1)):

RM(2, 2, 1) = {(0, 0, 0, 0), (1, 1, 1, 1), (0, 0, 1, 1), (0, 1, 0, 1), (1, 1, 0, 0), (1, 0, 1, 0), (0, 1, 1, 0), (1, 0, 0, 1)} .

Also note that RM(q, m, 1) is almost the Hadamard code (see Exercise 5.6).
The Reed-Muller code with parameters (q, m, r ) clearly has alphabet Fq and block length
n = q m . Also it can be verified that RM(q, m, r ) is a linear code (see Exercise 9.1.) This leads to
the following question, which will be the primary focus of this chapter:

160
 Question 9.1.1. What are the dimension and distance of an RM(q, m, r ) code?

The dimension of the code is the number of m-variate monomials of degree at most r , with
the condition that degree in each variable is at most q − 1. No simple closed form expression
for this that works for all choices of q, m and r is known, so we will describe the effects only in
some cases. The distance analysis of these codes takes a little bit more effort and we will start
with two simple settings before describing the general result.

9.2 The low degree case

We start by considering RM(q, m, r ) when r < q, i.e., the degree is smaller than the field size. We
refer to this setting as the “low-degree” setting.

Dimension. The dimension of RM(q, m, r ) in the low-degree case turns out to have a nice
closed form, since we do not have to worry about the constraint that each variable has degree
at most q − 1: this is already imposed by restricting the total degree to at most r ≤ q − 1. This
leads to a nice expression for the dimension:
¡m+r ¢
Proposition 9.2.1. The dimension of the Reed Muller code RM(q, m, r ) equals r
when r < q.

Proof. The dimension equals the size of the set

( )
m
X
D = (d 1 , . . . , d m ) ∈ Zm |d i ≥ 0 for all i ∈ [m], di ≤ r , (9.1)
i =1

d d
since for every (d 1 , . . . , d m ) ∈ D, the monomial X 1 1 · · · X mm is a monomial of degree at most r and
these are all such monomials. The closed form expression for the dimension follows by a simple
counting argument. (See Exercise 9.2).

Distance. Next we turn to the analysis of the distance of the code. To understand the distance
we will first state and prove a simple fact about the number of zeroes a multivariate polynomial
can have. (We will have three versions of this in this chapter - with the third subsuming the first
(Lemma 9.2.2) and second (Lemma 9.3.1), but the first two will be slightly simpler to state and
remember.)

Lemma 9.2.2 (Polynomial Zero Lemma (low-degree case)). Let f ∈ Fq [X 1 , . . . , X m ] be a non-zero

polynomial with deg( f ) ≤ r . Then the fraction of zeroes of f is at most qr , i.e.,

|{a ∈ Fm
q | f (a) = 0}| r
≤ .
qm q

161
 We make couple of remarks. First note that the above lemma for m = 1 is the degree mantra
(Proposition 5.2.4). We note that for every m ≥ 1 the above lemma is tight (see Exercise 9.3).
However, there exists polynomials for which the lemma is not tight (see Exercise 9.4).
Proof of Lemma 9.2.2. Note that the lemma statement is equivalent to saying that the probabil-
deg( f )
ity that f (a) = 0 is at most q when a = (a 1 , . . . , a m ) is chosen uniformly at random from Fm
q .
We claim that this holds by induction on m.
We will prove the lemma by induction on m ≥ 1. Note that the base case follows from the
degree mantra (Proposition 5.2.4). Now consider the case of m > 1 (and we assume that the
lemma is true for m − 1). To apply inductive hypothesis we first write f as a polynomial in X m
with coefficients that are themselves polynomials in X 1 , . . . , X m−1 . So let
0 1 t
f = f0 Xm + f1 Xm + . . . ft Xm ,
where each f i (X 1 , . . . , X m−1 ) is a polynomial from Fq [X 1 , . . . , X m−1 ] and deg( f i ) ≤ r − i . Further-
more let t be the largest index such that f t is not zero. Now we consider picking a ∈ Fm q in two
m−1
steps: We first pick (a 1 , . . . , a m−1 ) uniformly at random from Fq , and then we pick a m uni-
formly from Fq . Let
f (a1 ,...,am−1 ) (X m ) = f 0 (a 1 , . . . , a m−1 )X m
0 t
+ · · · + . . . f t (a 1 , . . . , a m−1 )X m .
We consider two possible events:
E 1 = {(a 1 , . . . , a m )| f t (a 1 , . . . , a m−1 ) = 0}
and
E 2 = {((a 1 , . . . , a m )| f t (a 1 , . . . , a m−1 ) 6= 0 and f (a1 ,...,am−1 ) (a m ) = 0}.
By the inductive hypothesis, we have that
r −t
Pr [E 1 ] ≤ , (9.2)
q
since deg( f t ) ≤ r − t and f t 6= 0.
For every (a 1 , . . . , a m−1 ) ∈ Fm−1 q such that f t (a 1 , . . . , a m−1 ) 6= 0 we also have that the univariate
(a 1 ,...,a m−1 )
polynomial f (X m ) is non-zero and of degree at most t , and so by the degree mantra
it has at most t roots. It follows that for every such (a 1 , . . . , a m−1 ) the probability, over a m , that
f (a1 ,...,am−1 ) (a m ) = 0 is at most qt . In turn, it now immediately follows that
t
Pr [E 2 ] ≤ . (9.3)
q
Finally, we claim that if neither E 1 nor E 2 occur, then f (a) 6= 0. This is immediate from the defi-
nitions of E 1 and E 2 , since if f (a 1 , . . . , a m ) = 0, it must either be the case that f t (a 1 , . . . , a m−1 ) = 0
(corresponding to E 1 ) or it must be that f t (a 1 , . . . , a m−1 ) 6= 0 and f (a1 ,...,am−1 ) (a m ) = 0 (covered by
E 2 ). Note that this implies that Pra [ f (a) = 0] ≤ Pr [E 1 ∪ E 2 ]. The lemma now follows from the fact
that
r
Pr[ f (a) = 0] ≤ Pr [E 1 ∪ E 2 ] ≤ Pr [E 1 ] + Pr [E 2 ] ≤ ,
a q
where the second inequality follows from the union bound (Proposition 3.1.5) and the final
inequality follows from (9.2) and (9.3).

162
Comparison with other codes

The lemmas above, while quite precise may not be fully transparent in explaining the asymp-
totics of the performance of the Reed-Muller codes, or contrast them with other codes we have
seen. We mention a few basic facts here to get a clearer comparison.
If we set m = 1 and r = k − 1, then we get the Reed-Solomon codes evaluated on all of F q
(see Chapter 5). If we set m = k − 1, r = 1 and q = 2, then we get family of extended Hadamard
codes (extended by including all Hadamard codewords and their complements). For more on
this, see Exercise 5.6.
Thus Reed-Muller codes generalize some previously known codes - some with large alpha-
bets and some with small alphabets. Indeed if we wish the alphabet to be small compared to
the block length, then we can pick m to be a constant. For instance if we choose m = 2, we get
p
codes of length n over an alphabets of size n, while for any choice of relative distance δ, the
2
code has rate (1−δ)
2 . In general for larger values of m, the code has alphabet size n
1/m
and rate
(1−δ)m
m! . (See Exercise 9.5.) Thus for small values of m and fixed positive distance δ < 1 there is
a rate R > 0 such that, by choosing q appropriately large, one get codes on infinitely long block
length n and alphabet n 1/m with rate R and distance δ, which answers Question 9.0.1 in the
affirmative.
This is one of the simplest such families of codes with this feature. We will do better in later
in the book (e.g. Chapter 13), and indeed get alphabet size q independent of n with R > 0 and
δ > 0. But for now this is best we have.

9.3 The case of the binary field

Next we turn to a different extreme of parameter choices for the Reed-Muller codes. Here we fix
the alphabet size q = 2 and see what varying m and r gets us.
Since we will prove a stronger statement later in Lemma 9.4.1, we only state the distance of
the code RM(2, m, r ) below, leaving the proof to Exercise 9.6.

Lemma 9.3.1 (Polynomial distance (binary case)). Let f be a non-zero polynomial from F2 [X 1 . . . . , X m ]
m−deg( f )
with deg X i ( f ) ≤ 1 for every i ∈ [m]. Then |{a ∈ Fm
2 | f (a) 6= 0}| ≥ 2 .

Further, it can be established that the bound in Lemma 9.3.1 is tight (see Exercise 9.7).
The dimension of the code is relatively straightforward to analyze. The dimension is again
given by the number of monomials of degree at most r . Since the degree in each variable is
either zero or one, this just equals the number of subsets of [m] of size at most r . Thus we have:

Proposition 9.3.2. For any r ≤ m, the dimension of the Reed-Muller code RM(2, m, r ) is exactly
Pr ¡m ¢
i =0 i .

Lemma 9.3.1 and Proposition 9.3.2 imply the following result:

Theorem 9.3.3. ¡For

¢ every r ≤ m, the Reed-Muller code RM(2, m, r ) is a code of block length 2m ,
Pr
dimension i =0 mi and distance 2m−r .

163
 Again, to get a sense of the asymptotics of this code, we can fix τ > 0 and set r = τ · m and
let m → ∞. In this case we get a code of block length n (for infinitely many n) with rate roughly
n H (τ)−1 and distance n −τ (see Exercise 9.8). So both the rate and the distance tend to zero at a
rate that is a small polynomial in the block length but the code has a constant sized alphabet.
(Note that this implies that we have made some progress towards answering Question 8.3.2.)

9.4 The general case

We now turn to the general case, where q is general and r is allowed to be larger than q − 1. We
will try to analyze the dimension and distance of this code. The distance turns out to still have
a clean expression, so we will do that first. The dimension does not have a simple expression
describing it exactly, so we will give a few lower bounds that may be generally useful (and are
often asymptotically tight).

9.4.1 The general case: Distance

Lemma 9.4.1 (Polynomial distance (general case)). Let f be a non-zero polynomial from Fq [X 1 . . . . , X m ]
with deg X i ( f ) ≤ q − 1 for every i ∈ [m] and deg( f ) ≤ r . Furthermore, let s, t be the unique non-
negative integers such that t ≤ q − 2 and

s(q − 1) + t = r.

Then
r
m− q−1
|{a ∈ Fm
q | f (a) 6= 0}| ≥ (q − t ) · q
m−s−1
≥q .
r
m− q−1
Hence, RM(q, m, r ) has distance at least q .

Before proving the lemma we make a few observations: The above lemma clearly generalizes
both Lemma 9.2.2 (which corresponds to the case s = 0) and Lemma 9.3.1 (where q = 2, s = r −1
and t = 1). In the general case the second lower bound is a little simpler and it shows that the
−r /(q−1)
probability that a polynomial is non-zero at a uniformly chosen point in Fm q is at least q .
Finally, we note that Lemma 9.4.1 is tight for all settings of parameters (see Exercise 9.9).

Proof of Lemma 9.4.1. The proof is similar to the proof of Lemma 9.2.2 except we take advan-
tage of the fact that the degree in a single variable is at most q − 1. We also need to prove some
simple inequalities.
As in the proof of Lemma 9.2.2 we prove that for a random choice of a = (a 1 , . . . , a m ) ∈ Fm
q ,
the probability that f (a) 6= 0 is at least

(q − t ) · q −(s+1) . (9.4)

Note that in contrast to the proof of Lemma 9.2.2 we focus on the good events — the polynomial
being non-zero — rather than on the bad events.

164
 We prove the lemma by induction on m. In the case of m = 1 we have by the degree mantra
q−r
(Proposition 5.2.4) that the probability that f (a 1 ) 6= 0 is at least q . If r < q − 1 we have s = 0
and t = r and so the expression in (9.4) satisfies
q −r
(q − t ) · q −1 = ≤ Pr[ f (a 1 ) 6= 0].
q

If r = q − 1 we have s = 1 and t = 0, but then again we have that (9.4) equals

q − (q − 1)
q · q −2 = ≤ Pr[ f (a 1 ) 6= 0],
q

where the inequality follows from the degree mantra.

Now we turn to the inductive step. Assume the hypothesis is true for (m − 1)-variate poly-
P
nomials and let f = bi=0 f i X m i
where f i ∈ Fq [X 1 , . . . , X m−1 ] with f b 6= 0. Note 0 ≤ b ≤ q − 1 and
deg( f b ) ≤ r − b. Let E be the event of interest to us, i.e.,

E = {(a 1 , . . . , a m )| f (a 1 , . . . , a m ) 6= 0}.

Let
E 1 = {(a 1 , . . . , a m−1 )| f b (a 1 , . . . , a m−1 ) 6= 0}.
We first bound Pr [E |E 1 ]. Fix a 1 , . . . , a m−1 such that f b (a 1 , . . . , a m−1 ) 6= 0 and let

b
X
P (Z ) = f i (a 1 , . . . , a m−1 )Z i .
i =0

Note P is a non-zero polynomial of degree b and we have

Pr[ f (a 1 , . . . , a m ) = 0|a 1 , . . . , a m−1 ] = Pr [P (a m ) 6= 0].

am

Since by the degree mantra, a univariate polynomial of degree b has at most b roots, we have

q −b
Pr [P (a m ) 6= 0] ≥ .
am q

We conclude
b
Pr [E |E 1 ] ≥ 1 − .
q
Next we will bound Pr [E 1 ]. This will allow us to lower bound the probability of E since

Pr [E ] ≥ Pr [E and E 1 ] = Pr [E 1 ] · Pr [E |E 1 ] .

Recall that deg( f b ) ≤ r − b. Write r − b = s ′ (q − 1) + t ′ where s ′ , t ′ ≥ 0 and t ′ ≤ q − 2. By induction

we have
′
Pr [E 1 ] = Pr[ f b (a 1 , . . . , a m−1 ) 6= 0] ≥ (q − t ′ ) · q −(s +1) .

165
 Putting the two bounds together, we get

q −b ′
Pr [E ] ≥ Pr [E |E 1 ] · Pr [E 1 ] ≥ · (q − t ′ ) · q −(s +1) .
q

We are now left with a calculation to verify that the bound above is indeed lower bounded
by (q − t ) · q −(s+1) and we do so in Claim 9.4.2 using the facts that t , t ′ ≤ q − 2, b ≤ q − 1, r =
s(q − 1) + t , and r − b = s ′ (q − 1) + t ′ . In the claim further below (Claim 9.4.3), we also prove
(q − t ) · q −(s+1) ≥ q −r /(q−1) and this concludes the proof of the lemma.

Claim 9.4.2. If q, r, s, t , s ′ , t ′ , b are non-negative integers such that r = s(q − 1) + t , r − b = s ′ (q −

1) + t ′ , t , t ′ ≤ q − 2 and b ≤ q − 1 then we have

q −b ′
· (q − t ′ ) · q −(s +1) ≥ (q − t ) · q −(s+1) .
q

Proof. The proof breaks up in to two cases depending on s − s ′ . Note that an equivalent defini-
tion of s and s ′ are that these are the quotients when we divide r and r − b respectively by q − 1.
Since 0 ≤ b ≤ q − 1, it follows that either s ′ = s or s ′ = s − 1. We consider the two cases separately.
If s = s ′ we have t = t ′ + b and then it suffices to show that
q −b
· (q − t ′ ) ≥ q − (t ′ + b).
q

In turn this is equivalent to showing

(q − b)(q − t ′ ) ≥ q(q − (t ′ + b)).

But this is immediate since the expression on the left is

(q − b)(q − t ′ ) = q 2 − (b + t ′ )q + bt ′ = q(q − (b + t ′ )) + bt ′ ≥ q(q − (b + t ′ )),

where the final inequality uses bt ′ ≥ 0.

If s = s ′ + 1 we have a bit more work. Here we have t + q − 1 = t ′ + b and it suffices to show
that
q −b
· (q − t ′ ) · q ≥ (q − t ) = (2q − (t ′ + b + 1)).
q
Write q −b = α and q − t ′ = β. The expression on the left above simplifies to αβ and on the right
to α + β − 1. Since b, t ′ ≤ q − 1, we also have α, β ≥ 1. So it suffices to show that αβ ≥ α + β − 1.
This is true since αβ = α + α(β − 1) and we have α(β − 1) ≥ β − 1 since α ≥ 1 and β − 1 ≥ 0.
We thus conclude that the inequality holds for both s = s ′ and s = s ′ + 1 and this yields the
claim.

Claim 9.4.3. Let q, r, s, t be non-negative real numbers such that q ≥ 2, r = s(q − 1) + t and t ≤
q − 2. Then
(q − t ) · q −(s+1) ≥ q −r /(q−1) .

166
 We remark that while the inequality is quite useful, the proof below is not particularly in-
sightful. We include it for completeness, but we recommend that the reader skip it unless nec-
essary.

Proof of Claim 9.4.3. We have four parameters in the inequality above. We will simplify it in
steps removing parameters one at a time. First we get rid of r by substituting r = s(q − 1) + t . So
it suffices to prove:

(q − t ) · q −(s+1) ≥ q −(s(q−1)+t )/(q−1) = q −s · q −t /(q−1) .

We can get rid of q −s from both sides (since the remaining terms are non-negative) and so it
suffices to prove:
q −t
≥ q −t /(q−1) .
q
Let f q (t ) = qt + q −t /(q−1) − 1. The inequality above is equivalent to proving f q (t ) ≤ 0 for 0 ≤ t ≤
q − 2. We use some basic calculus to prove the above. Note that the first and second derivatives
ln q ¡ ¢2
of f q with respect to t are given by f q′ (t ) = q1 − q−1 q −t /(q−1) and f q′′ (t ) = ln(q)/(q − 1) q −t /(q−1) .
In particular the second derivative is always positive which means f q (t ) is maximized at one of
the two end points of the interval t ∈ [0, q − 2]. We have f q (0) = 0 ≤ 0 as desired and so it suffices
to prove that
2
f q (q − 2) = q −(q−2)/(q−1) − ≤ 0.
q
Multiplying the expression above by q we have that it suffices to show q 1/(q−1) ≤ 2 which in
turn is equivalent to proving q ≤ 2q−1 for every q ≥ 2. The final inequality follows easily from
Bernoulli’s inequality (Lemma B.1.4) 1 + kx ≤ (1 + x)k which holds for every x ≥ −1 and k ≥ 1. In
our case we substitute x = 1 and k = q − 1 to conclude q ≤ 2q−1 as desired.

9.4.2 The general case: Dimension

For integers q, m, r let
( )
m
X
S q,m,r = d = (d 1 , . . . , d m ) ∈ Zm |0 ≤ d i ≤ q − 1 for all i ∈ [m] and , di ≤ r (9.5)
i =1

and let
K q,m,r = |S q,m,r |.
We start with the following, almost tautological, proposition.
Proposition 9.4.4. For every prime power q and integers m ≥ 1 and r ≥ 0, the dimension of the
code RM(q, m, r ) is K q,m,r .
Proof. Follows from the fact that for every d = (d 1 , . . . , d m ) ∈ S q,m,r the associated monomial
d d
Xd = X 1 1 · · · X mm is a monomial of degree at most r and individual degree at most q − 1. Thus
these monomials (i.e., their evaluations) form a basis for the Reed-Muller code RM(q, m, r ). (See
Exercise 9.10.)

167
 The definition of K q,m,r does not give a good hint about its growth so below we give a few
bounds on K q,m,r that help estimate its growth. Specifically the proposition below gives a lower
− +
bound K q,m,r and an upper bound K q,m,r on K q,m,r that are (1) given by simple expressions and
(2) within polynomial factors of each other for every setting of q, m, and r .

Proposition 9.4.5. For integers q ≥ 2, m ≥ 1 and r ≥ 0, let

( Ã !)
+ m m +r
K q,m,r , min q ,
r

and let ( n o
− max q m /2, q m − K q,m,(q−1)m−r
+
if r ≥ (q − 1)m/2
K q,m,r , ©¡ ¢ 1 ¡¥ 2r +m ¦¢m ª
max mr
,2 m
if r < (q − 1)m/2
Then there are universal constants c 1 , c 2 (c 1 < 3.1 and c 2 < 8.2 suffice) such that
−
K q,m,r +
≤ K q,m,r ≤ K q,m,r −
≤ c 1 · (K q,m,r )c 2

Proof. We tackle the inequalities in order of growing complexity of the proof. In our bounds we
use the fact that K q,m,r is monotone non-decreasing in q as well as r (when other parameters
are fixed)– see Exercise 9.11.
+
First we prove K q,m,r ≤ K q,m,r . On the one hand we have

K q,m,r ≤ K q,m,(q−1)m = q m ,

which follows by ignoring the total degree restriction and on the other hand we have
à !
m +r
K q,m,r ≤ K r,m,r = ,
r

whereas here we ignored the individual degree restriction.

−
Next we show K q,m,r ≤ K q,m,r . First we consider the case r ≥ (q − 1)m/2. Here we argue
via symmetry. Consider a map that maps vectors d = (d 1 , . . . , d m ) ∈ Zm with 0 ≤ d i < q to d =
P
(q − 1 − d 1 , . . . , q − 1 − d m ). The map d → d is a one-to-one map which maps vectors with i d i >
P
r to vectors with i d i < (q − 1)m − r . In other words either d ∈ {0, . . . , q − 1}m is in S q,m,r or
d ∈ S q,m,(q−1)m−r , thus establishing

K q,m,r = q m − K q,m,(q−1)m−r .

Since r ≥ (q − 1)m/2 we have (q − 1)m − r ≤ r and so

K q,m,r ≥ K q,m,(q−1)m−r ,

which in turn implies

K q,m,r ≥ q m /2.

168
 −
This establishes K q,m,r ≥ K q,m,r when r ≥ (q − 1)m/2. Next, turning to the case r < (q − 1)m/2,
′
¥ 2r +m
¦
first let q = m . We have
K q,m,r ≥ K q ′ ,m,r ≥ (q ′ )m /2
since r ≥ (q ′ − 1)m/2, and this yields
µ¹ º¶m
′ m 1 2r + m
K q,m,r ≥ (q ) /2 = .
2 m
Finally we also have à ! à !
X r m m
K q,m,r ≥ K 2,m,r = ≥ ,
i =0 i r
−
thus establishing K q,m,r ≥ K q,m,r when r < (q − 1)m/2.
+
Finally we turn to the inequalities showing K q,m,r −
≤ c 1 · (K q,m,r )c2 . If r ≥ (q − 1)m/2 we have

qm −
≤ K q,m,r +
≤ K q,m,r ≤ qm
2
+ −
establishing K q,m,r ≤ 2K q,m,r . Next we consider the case r < m/2. In this case we have
à !
m
−
K q,m,r ≥ ≥ (m/r )r ≥ 2r .
r

On the other hand we also have

à ! µ ¶ µ ¶ µ ¶r ³ ´
m +r e(m + r ) r e · (3/2) · m r 3e m r
≤ ≤ = · .
r r r 2 r
¡ ¢r ¡ ¢r
From 2r ≤ K q,m,r
−
we get 3e2
−
≤ (K q,m,r )log2 (3e/2) . Combining with m r
−
≤ K q,m,r +
and K q,m,r ≤
¡m+r ¢
we get
r µ ¶r ³ ´
3e m r
+
K q,m,r ≤ · −
≤ (K q,m,r )1+log2 (3e/2)
2 r
. Finally, we consider the case m/2 ≤ r < (q − 1)m/2. In this range we have
¹ º ¹ º
2r + m 2r r m +r
= 1+ ≥ 1+ = .
m m m m
Thus µ¹ º¶m µ ¶
− 1 2r + m 1 ³ m + r ´m 1 3 m
K q,m,r ≥ ≥ ≥ .
2 m 2 m 2 2
On the other hand we have
à ! µ ¶
m +r e(m + r ) m ³ m + r ´m
+ m
K q,m,r ≤ ≤ =e · .
m m m
¡ ¢m
Again we have m+r m
−
≤ 2K q,m,r and e m ≤ (2K q,m,r−
)log2 (3e/2) and so K q,m,r
+ −
≤ (2K q,m,r )1+log2 (3e/2) .
+ − c2
Thus in all cases we have K q,m,r ≤ c 1 · (K q,m,r ) for c 2 = 1 + log2 (3e/2) < 3.1 and c 1 = 2c2 < 8.2, as
desired.

169
 We now give a few examples of codes that can be derived from the bounds above, to illus-
trate the variety offered by Reed-Muller codes. In each of the cases we set one or more of the
parameters among alphabet size, rate, (relative) distance or absolute distance to a constant and
explore the behavior in the other parameters. In all cases we use Lemma 9.4.1 to lower bound
the distance and Proposition 9.4.5 to lower bound the dimension.
Example 9.4.6 (RM Codes of constant alphabet size and (relative) distance.). Fix q and r < q −1
and consider m → ∞. Then the Reed-Muller codes RM(q, m, r ) are [N , K , D]q codes with block
length N = q m , distance D = δ · N for δ = 1 − r /q, with dimension
à ! à !r
m logq N
K≥ ≥ .
r r

In other words Reed-Muller codes yield codes of constant alphabet size and relative distance with
dimension growing as an arbitrary polynomial in the logarithm of the block length.
Example 9.4.7 (Binary RM Codes of rate close to 1 with constant (absolute) distance.). Fix q = 2
and d and let m → ∞. Then the Reed-Muller codes RM(2, m, m − d ) are [N , K , D]2 codes with
N = 2m , D = 2d and à !
log2 N + d
K ≥N− ≥ N − (log2 N )d .
d
(See Exercise 9.12 for bound on K .) Note that the rate → 1 as N → ∞.
Example 9.4.8 (RM codes of constant rate § 1 ¨ and relative distance over polynomially small al-
phabets.). Given any ε > 0 and let m = ε and now consider q → ∞ with r = q/2. Then the
Reed-Muller codes RM(q, m, r ) are [N , K , D]q codes with N = q m , D = N2 and
1 ³ q + m ´m 1
K≥ ≥ · N.
2 m 2m m
¡ ¢
Expressed in terms of N and ε, the codes have length N , dimension Ω ε1/ε · N and relative dis-
tance 1/2 over an alphabet of size N ε .
Another natural regime is to consider the case of constant rate 1/2: see Exercise 9.13 for
more.
Finally we mention a range of parameters that has been very useful in the theory of com-
puter science. Here the alphabet size is growing with N , but very slowly. But the code has a fixed
relative distance and dimension that is polynomially related to the block length.
Example 9.4.9 (RM Codes over polylogarithmic alphabets with polynomial dimension.). Given
0 < ε < 1, let q → ∞ and let r = q/2 and m = q ε . Then the Reed-Muller codes RM(q, m, r ) are
[N , K , D]q codes with N = q m , D = N2 and
1 ³ q + m ´m 1 ¡ 1−ε ¢m 1
K≥ ≥ q = · N 1−ε .
2 m 2 2
Expressed in terms of N and ε, the codes have length N , dimension Ω(N 1−ε ) and relative distance
1/2 over an alphabet of size (log N )1/ε . (See Exercise 9.14 for claim on the bound on q.)

170
9.5 Exercises
Exercise 9.1. Argue that any RM(q, m, r ) is a linear code.

Exercise 9.2. Argue that for D as defined in (9.1), we have

à !
m +r
|D| = .
r

Exercise 9.3. Show that Lemma 9.2.2 is tight in the sense that for every prime power q and inte-
gers m ≥ 1 and 1 ≤ r ≤ q − 1, there exists a polynomial with exactly r · q m−1 roots.

Exercise 9.4. Show that Lemma 9.2.2 is not tight for most polynomials. In particular show
that for every prime power q and integers m ≥ 1 and 1 ≤ r ≤ q − 1, a random polynomial in
Fq [X 1 , . . . , X m ] of degree r has q m−1 expected number of roots.

Exercise 9.5. Show that the Reed-Muller codes of Section 9.2 give rise to codes of relative distance
p m
δ (for any 0 < δ < 1) and block length n such that they have alphabet size of m n and rate (1−δ)
m!
.

Exercise 9.6. Prove Lemma 9.3.1.

Exercise 9.7. Prove that the lower bound in Lemma 9.3.1 is tight.

Exercise 9.8. Show that there exists a binary RM code with block length n, rate n H (τ)−1 and rela-
tive distance n −τ for any 0 < τ < 1/2.

Exercise 9.9. Prove that the (first) lower bound in Lemma 9.4.1 is tight for all settings of the
parameters.

Exercise 9.10. Prove that the evaluations of Xd for every d ∈ S q,m,r (as in (9.5)) form a basis for
RM(q, m, r ).

Exercise 9.11. Argue that K q,m,r is monotone non-decreasing in q as well as r (when other pa-
rameters are fixed).

Exercise 9.12. Argue the claimed bound on K in Example 9.4.7.

1
Exercise 9.13. Figure out a RM code that has rate 2
and has as large a distance as possible and
as small an alphabet as possible.

Exercise 9.14. Prove the claimed bound on q in Example 9.4.9.

Exercise 9.15. In this problem we will talk about the dual of Reed-Muller codes, which turn
out to be Reed-Muller codes (with a different degree) themselves. We do so in a sequence of sub-
problems:

171
 1. Show that for 1 ≤ j ≤ q − 1 X
α j 6= 0
α∈Fq

if and only if j = q − 1.
Hint: Use Exercise 2.2.

2. Argue that for any m ≥ 1 and 1 ≤ j 1 , . . . , j m ≤ q − 1,

X m
Y j
ci 1 = 0
(c 1 ,...,c m )∈Fm
q i =1

if and only if j 1 = j 2 = · · · = j m = q − 1.

3. Using the above or otherwise, show that for any 0 ≤ r < (q − 1) − s, we have

RM(q, m, r )⊥ = RM(q, m, m(q − 1) − r − 1).

9.6 Bibliographic Notes

We point out that the original code considered by Reed and Muller is the one in Section 9.3.

172
Chapter 10

From Large to Small Alphabets: Code

Concatenation

Recall Question 8.3.2: Is there an explicit asymptotically good binary code (that is, rate R > 0
and relative distance δ > 0)? In this chapter, we will consider this question in the context of
explicit code (Definition 6.3.4: i.e. for a linear code we can construct its generator matrix in
polynomial time) as well as the stronger notion of a strongly explicit code (Definition 6.3.5: i.e.
for a linear code we can compute any entry in its generator matrix in oly-logarithmic time).
Let us recall all the (strongly) explicit codes that we have seen so far:

Code R³ ´ δ
log n ¡1¢
Hamming 1−O n O n
³ ´
log n 1
Hadamard O n
³2 ´
1
Reed-Solomon 2 O log1 n

Table 10.1: Strongly explicit binary codes that we have seen so far.

Recall the Hamming code (Section 2.4), which has rate R = 1 − O(log n/n) and relative dis-
tance δ = O(1/n), and the Hadamard code (Section 2.6), which has rate R = O(log n/n) and
relative distance 1/2. Both of these codes have extremely good R or δ at the expense of the
other parameter.
In constrast, consider
³ ´the Reed-Solomon code (of say R = 1/2) as a binary code, which does
1
£ n n ¤
much better: δ = O log n . To see why this is so, note that it is possible to get an n, 2 , 2 + 1 2s
Reed-Solomon code (i.e. R = 1/2). We now consider a Reed-Solomon codeword, where every
symbol in F2s is represented by an s-bit vector. Now,
£ the “obvious”¤ binary code created by view-
1
ing symbols from F2s as bit vectors as above is an ns, ns ,
2 2
n
+ 1 2
code . Note that the distance
³ ´
of this code is only Θ logNN , where N = ns is the block length of the final binary code. (Recall
that n = 2s and so N = n log n.)
1
The proof is left as an exercise.

173
 The reason for the (relatively) poor distance is that the bit vectors corresponding to two
different symbols in F2s may only differ by one bit. Thus, d positions which have different F2s
symbols might result in a distance of only d as bit vectors.
To fix this problem, we can consider applying a function to the bit-vectors to increase the
distance between those bit-vectors that differ in smaller numbers of bits. Note that such a func-
tion is another code! This recursive construction is called concatenated codes and will help us
construct codes that are (strongly) explicit and asymptotically good.

10.1 Code Concatenation

A concatenation code is constructed from two codes: an outer code (which we will call C out ) and
an inner code (which we will call C in ). We first use C out to encode the message to get (c 0 , . . . , c N −1 )
and then use the C in to encode each symbol c i in the codeword in C out . This construction is also
illustrated in Figure 10.1.

m1 m2 mK

C out

C out (m)1 C out (m)2 C out (m)N

C in C in C in

C in (C out (m)1 ) C in (C out (m)2 ) C in (C out (m)N )

Figure 10.1: Concatenated code C out ◦C in .

We now formally define a concatenated code. For q ≥ 2, k ≥ 1 and Q = q k , consider two

codes which we call outer code and inner code:

C out : [Q]K → [Q]N ,

C in : [q]k → [q]n .
Note that the alphabet size of C out exactly matches the number of messages for C in . Then given
m = (m 1 , . . . , m K ) ∈ [Q]K , we have the code C out ◦C in : [q]kK → [q]nN defined as

C out ◦C in (m) = (C in (C out (m)1 ), . . . ,C in (C out (m)N )) ,

where
C out (m) = (C out (m)1 , . . . ,C out (m)N ) .
We now look at some properties of a concatenated code.
Theorem 10.1.1. If C out is an (N , K , D)q k code and C in is an (n, k, d )q code, then C out ◦ C in is an
(nN , kK , d D)q code. In particular, if C out (C in resp.) has rate R (r resp.) and relative distance δout
(δin resp.) then C out ◦C in has rate Rr and relative distance δout · δin .

174
Proof. The first claim immediately implies the second claim on the rate and relative distance of
C out ◦ C in . The claims on the block length, dimension and alphabet of C out ◦ C in follow from the
definition.2 Next we show that the distance is at least d D. Consider arbitrary m1 6= m2 ∈ [Q]K .
Then by the fact that C out has distance D, we have

∆ (C out (m1 ) ,C out (m2 )) ≥ D. (10.1)

Thus for each position 1 ≤ i ≤ N that contributes to the distance above, we have
¡ ¡ ¢ ¡ ¢¢
∆ C in C out (m1 )i ,C in C out (m2 )i ≥ d , (10.2)
as C in has distance d . Since there are at least D such positions (from (10.1)), (10.2) implies

∆ (C out ◦C in (m1 ) ,C out ◦C in (m2 )) ≥ d D.

The proof is complete as the choices of m1 and m2 were arbitrary.

If C in and C out are linear codes, then so is C out ◦ C in , which can be proved for example, by
defining a generator matrix for C out ◦C in in terms of the generator matrices of C in and C out . The
proof is left as an exercise.

10.2 Zyablov Bound

We now instantiate outer and inner codes in Theorem 10.1.1 to obtain a new lower bound on
the rate given a relative distance. We’ll initially just state the lower bound (which is called the
Zyablov bound) and then we will consider the explicitness of such codes.
We begin with the instantiation of C out . Note that this is a code over a large alphabet and
we have seen an optimal code over large enough alphabet: Reed-Solomon codes (Chapter 5).
Recall that the Reed-Solomon codes are optimal because they meet the Singleton bound 4.3.1.
Hence, let us assume that C out meets the Singleton bound with rate of R, i.e. C out has relative
distance δout > 1 − R. Note that now we have a chicken and egg problem here. In order for
C out ◦ C in to be an asymptotically good code, C in needs to have rate r > 0 and relative distance
δin > 0 (i.e. C in also needs to be an asymptotically good code). This is precisely the kind of code
we are looking for to answer Question 8.3.2! However the saving grace will be that k can be
much smaller than the block length of the concatenated code and hence, we can spend “more"
time searching for such an inner code.
Suppose C in meets the GV bound (Theorem 4.2.1) with rate of r and thus with relative dis-
tance δin ≥ H q−1 (1 − r ) − ε, for some ε > 0. Then by Theorem 10.1.1, C out ◦ C in has rate of r R and
δ = (1 − R)(H q−1 (1 − r ) − ε). Expressing R as a function of δ and r , we get the following:

δ
R = 1− .
H q−1 (1 − r ) − ε
2
Technically, we need to argue that the q kK messages map to distinct codewords to get the dimension of kK .
However, this follows from the fact, which we will prove soon, that C out ◦ C in has distance d D ≥ 1, where the in-
equality follows for d , D ≥ 1.

175
 1
GV bound
Zyablov bound

0.8

0.6

R
0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 10.2: The Zyablov bound for binary codes. For comparison, the GV bound is also plotted.

Then optimizing over the choice of r , we get that the rate of the concatenated code satisfies
à !
δ
R≥ max r 1 − −1 ,
0<r <1−H q (δ+ε) H q (1 − r ) − ε

where the bound of r < 1 − H q (δ + ε) is necessary to ensure that R > 0. This lower bound on the
rate is called the Zyablov bound. See Figure 10.2 for a plot of this bound for binary codes.
To get a feel for how the bound behaves, consider the case when δ = 12 − ε. We claim that
the Zybalov bound states that R ≥ Ω(ε3 ). (Recall that the GV bound for the same δ has a rate of
Ω(ε2 ).) The proof of this claim is left as an exercise.
Note that the Zyablov bound implies that for every δ > 0, there exists a (concatenated) code
with rate R > 0. However, we already knew about the existence of an asymptotically good code
by the GV bound (Theorem 4.2.1). Thus, a natural question to ask is the following:

Question 10.2.1. Can we construct an explicit code on the Zyablov bound?

We will focus on linear codes in seeking an answer to the question above because linear codes
have polynomial size representation. Let C out be an [N , K ]Q Reed-Solomon code where N =
Q − 1 (evaluation points being FQ ∗
with Q = q k ). This implies that k = Θ(log N ). However we still
need an efficient construction of an inner code that lies on the GV bound. We do not expect
to construct such a C in in time poly(k) as that would answer Open Question 8.3.2! However,
since k = O(log N ), note that an exponential time in k algorithm is still a polynomial (in N ) time
algorithm.
There are two options for this exponential (in k) time construction algorithm for C in :

176
 • Perform an exhaustive search among all generator matrices for one satisfying the required
property for C in . One can do this because the Varshamov bound (Theorem 4.2.1) states
that there exists a linear code which lies on the GV bound. This will take q O(kn) time.
2
Using k = r n (or n = O(k)), we get q O(kn) = q O(k ) = N O(log N ) , which is upper bounded by
(nN )O(log(nN )) , a quasi-polynomial time bound.

• The second option is to construct C in in q O(n) time and thus use (nN )O(1) time overall. See
Exercise 4.5 for one way to construct codes on the GV bound in time q O(n) .
Thus,
Theorem 10.2.1. We can construct a code that achieves the Zyablov bound in polynomial time.
In particular, we can construct explicit asymptotically good code in polynomial time, which
answers Question 10.2.1 in the affirmative.
A somewhat unsatisfactory aspect of this construction (in the proof of Theorem 10.2.1) is
that one needs a brute force search for a suitable inner code (which led to the polynomial con-
struction time). A natural followup question is

Question 10.2.2. Does there exist a strongly explicit asymptotically good code?

10.3 Strongly Explicit Construction

We will now consider what is known as the Justesen code. The main insight in these codes is that
if we are only interested in asymptotically good codes, then the arguments in the previous sec-
tion would go through even if (i) we pick different inner codes for each of the N outer codeword
positions and (ii) most (but not necessarily all) inner code lie on the GV bound. It turns out that
constructing an “ensemble" of codes such that most of the them lie on the GV bound is much
easier than constructing a single code on the GV bound. For example, the ensemble of all linear
codes have this property– this is exactly what Varshamov proved. However, it turns out that we
need this ensemble of inner codes to be a smaller one than the set of all linear codes.
Justesen code is a concatenated code with multiple, different linear inner codes. Specifi-
i
cally, it is composed of an (N , K , D)q k outer code C out and different inner codes C in : 1 ≤ i ≤ N.
¡ 1 N
¢
Formally, the concatenation of these codes, denoted by C out ◦ C in , . . . ,C in , is defined as follows:
£ ¤K def
given ¡a message m ¢ ∈ q k¡ , let the outer codeword¢be denoted by (c 1 , . . . , c N ) = C out (m). Then
1 N 1 2 n
C out ◦ C in , . . . ,C in (m) = C in (c 1 ),C in (c 2 ), . . . ,C in (c N ) .
We will need the following result (which shows that there is a set or ensemble of codes most
of which lie on the Gilbert-Varshamov bound).
Theorem 10.3.1. Let ε > 0. There exists an ensemble of inner codes C in 1 2
,C in N
, . . . ,C in of rate 12 , where
¡ ¢
N = q k − 1, such that for at least (1 − ε)N values of i , C in
i
has relative distance ≥ H q−1 21 − ε .

177
 α
In fact, this ensemble is the following: for α ∈ F∗k , the inner code C in : Fkq → F2k
q is defined as
q
α α
C in (x) = (x, αx). This ensemble is called the Wozencraft ensemble. We claim that C in for every
∗
α ∈ F k is linear and is strongly explicit. (The proof is left as an exercise.)
q

10.3.1 Justesen code

For the Justesen code, the outer code C out is a Reed-Solomon code evaluated over F∗k of rate
q
R, 0 < R < 1. The outer code C out has relative distance δout = 1 − R and block length of N =
α
q k − 1. The set of inner codes is the Wozencraft ensemble {C in }α∈F∗ from Theorem 10.3.1. So
qk
∗ def 1 2 N R
the Justesen code is the concatenated code C = C out ◦ (C in ,C in , . . . ,C in ) with the rate 2. The
following proposition estimates the distance of C ∗ .
¡1 ¢
Proposition 10.3.2. Let ε > 0. C ∗ has relative distance at least (1 − R − ε) · H q−1 2 −ε

Proof. Consider m1 6= m2 ∈ (Fq k )K . By the distance of the outer code |S| ≥ (1 − R)N , where
© ª
S = i |C out (m1 )i 6= C out (m2 )i .

def ¡ ¢
i
Call the i th inner code good if C in has distance at least d = H q−1 21 − ε ·2k. Otherwise, the inner
code is considered bad. Note that by Theorem 10.3.1, there are at most εN bad inner codes. Let
S g be the set of all good inner codes in S, while S b is the set of all bad inner codes in S. Since
S b ≤ εN ,
|S g | = |S| − |S b | ≥ (1 − R − ε)N . (10.3)

For each good i ∈ S, by definition we have

³ ¡ ¡ 1¢ ¢ i ¡ ¡ 2 ¢ ¢´
i
∆ C in C out m i ,C in C out m i ≥ d . (10.4)

Finally, from (10.3) and (10.4), we obtain that the distance of C ∗ is at least
µ ¶
1
(1 − R − ε) · N d = (1 − R − ε)H q−1 − ε N · 2k,
2

as desired.

Since the Reed-Solomon codes as well as the Wozencraft ensemble are strongly explicit, the
above result implies the following:

Corollary 10.3.3. The concatenated code C ∗ from Proposition 10.3.2 is an asymptotically good
code and is strongly explicit.

Thus, we have now satisfactorily answered Question 10.2.2 modulo Theorem 10.3.1, which
we prove next.

178
Proof of Theorem 10.3.1. Fix y = (y1 , y2 ) ∈ F2k q \{0}. Note that this implies that y1 = 0 and y2 = 0
α
are not possible. We claim that y ∈ C in for at most one α ∈ F∗k . The proof is by a simple case
2
α
analysis. First, note that if y ∈ C in , then it has to be the case that y2 = α · y1 .

α y
• Case 1: y1 6= 0 and y2 6= 0, then y ∈ C in , where α = y21 .

α
• Case 2: y1 6= 0 and y2 = 0, then y ∉ C in for every α ∈ F∗k (as αy1 6= 0 since product of two
2
∗ ∗
elements in F k also belongs to F k ).
2 2

α
• Case 3: y1 = 0 and y2 6= 0, then y ∉ C in for every α ∈ F∗k (as αy1 = 0).
2

α α
Now assume that w t (y) < H q−1 (1 − ε)n. Note that if y ∈ C in , then C in is “bad”(i.e. has relative
¡
−1 1
¢ α
distance < H q 2 − ε ). Since y ∈ C in for at most one value of α, the total number of bad codes
is at most
¯½ µ ¶ ¾¯ µ µ ¶ ¶
¯ 1 ¯ 1
¯ y|w t (y) < H −1
− ε · 2k ¯¯ ≤ V ol q H q
−1
− ε · 2k, 2k
¯ q
2 2
−1 1
≤ q Hq (Hq ( 2 −ε))·2k
(10.5)
( 21 −ε)·2k
=q
qk
=
q 2εk
< ε(q k − 1) (10.6)
= εN . (10.7)

In the above, (10.5) follows from our good old upper bound on the volume of a Hamming ball
(Proposition 3.3.3) while (10.6) is true¡ for large
¢ enough k. Thus for at least (1 − ε)N values of α,
α −1 1
C in has relative distance at least H q 2 − ε , as desired. ✷

By concatenating an outer code of distance D and an inner code of distance d , we can ob-
tain a code of distance at least ≥ Dd (Theorem 10.1.1). Dd is called the concatenated code’s
design distance. For asymptotically good codes, we have obtained polynomial time construc-
tion of such codes (Theorem 10.2.1), as well as strongly explicit construction of such codes
(Corollary 10.3.3). Further, since these codes were linear, we also get polynomial time encod-
ing. However, the following natural question about decoding still remains unanswered.

Question 10.3.1. Can we decode concatenated codes up to half their design distance in poly-
nomial time?

179
10.4 Bibliographic Notes
Code concatenation was first proposed by Forney[40].
Justesen codes were constructed by Justesen [77]. In his paper, Justesen attributes the Wozen-
craft ensemble to Wozencraft.

180
Chapter 11

When Graphs Come to the Party: Expander

Codes

In this chapter, we will again consider the question of explicit asymptotically good codes. Recall
that we gave such a construction using code concatentation in Chapter 13, and in fact were
able to get a strongly explicit construction using Justesen codes. Code concatenation first starts
with codes over a large alphabet and then re-encodes those symbols into bits. However, for
the Justesen code we needed two families of codes to construct our final code. Aesthetically, it
would be nice to be able to construct a strongly explicit asymptotically good code in ‘one shot.’
In this chapter, we will consider the following question

Question 11.0.1. Can we construct explicit asymptotically good binary codes without code
concatenation?

We will see an alternate approach that constructs asymptotically good codes directly over
the binary alphabet. In addition to being aesthetically nicer as a one-shot construction, as we
will see later in Chapter ??, these codes (which are dubbed expander codes) admit highly effi-
cient (linear time) decoding algorithms, that are further simple and easy to implement. They
serve as illustrations of the important paradigm of iterative decoding algorithms for the class of
low-density parity check codes of which expander codes are an instance. Iterative algorithms
correct a noisy received word in a sequence of steps that eventualy converges to the actual code-
word, and form a rich subject by themselves within coding theory (as well as practice). We will
get back to these decoding algorithms in Chapter ??.
The codes in this chapter are an instance of the broad class of graph based codes. Here the
parity checks of the code are based on the adjacency structure of the graph. The properties
of the code like minimum distance are related to the combinatorial properties of the graph.
The notion of expansion in graphs underlies the construction and analysis of the codes in this
chapter.

181
 To define expander codes, we will need some notions from graph theory, which we now start
with.

11.1 Bipartite Graphs

We begin with the definition of the general class of graphs that we will consider in this chapter.
Definition 11.1.1 (Bipartite Graphs). A bipartite graph is a triple G = (L, R, E ), where L is the set
of ‘left’ vertices and R is the set of ‘right’ vertices and the set E ⊆ L × R is the set of edges.
For example, Figure 11.1 gives an example of a bipartite graph G H with seven left vertices,
three right vertices and twelve edges.

ℓ1

ℓ2 r1

ℓ3

ℓ4 r2

ℓ5

ℓ6 r3

ℓ7

Figure 11.1: A bipartite graph G H

One way to represent such graphs is via its adjacency matrix:

Definition 11.1.2 (Adjacency matrix). Given a bipartite graph G = (L, R, E ), its adjacency matrix,
denoted by AG , is an |R|×|L| binary matrix, where we index each row by an element of R and every
column by an element of L such that for every (r, ℓ) ∈ R ×L, the (r, ℓ)’th entry in AG is 1 if (ℓ, r ) ∈ E
and 0 otherwise.
For example, the adjacency matrix of the graph in Figure 11.1 is given by
 
0 0 0 1 1 1 1
 0 1 1 0 0 1 1 .
1 0 1 0 1 0 1

182
Recall that the above is the parity check matrix of the [7, 4, 3]2 Hamming code (see Section 2.3).
This connection between the Hamming code and a bipartite graph is not a co-incidence:
we can assign a bipartite graph to any linear code. We do this next.

11.1.1 Factor Graphs

We define the natural bipartite graph representation for any linear code (via its parity check
matrix) next.

Definition 11.1.3 (Factor graph). Given any [n, k]2 code C with parity check matrix H , we will
call the bipartite graph G H with AG H = H to be a factor graph of C . Further, given a bipartite
graph G = (L, R, E ) with |L| ≥ |R|, we will denote the corresponding code with parity check matrix
AG to be C (G).

When the graph G is sparse, where each vertex in L has at most a fixed number of neigh-
bors in R, the associated parity check matrix has sparse rows with few 1’s. Such codes are called
low density parity check (LDPC) codes. The sparsity of the factor graphs lends itself for highly
efficient iterative algorithms for decoding LDPC codes. The efficacy of such algorithms in cor-
recting many errors relies on structural properties, most notably expansion, of the underlying
graph.
‘Expansion’ broadly means that the graph is well-connected despite being sparse. Expan-
sion comes in various guises and we begin in Section 11.2 with the definition that directly be-
stows good distance properties on the associated LDPC code, which are aptly dubbed expander
codes. In this chapter, we only concern outselves with the distance properties of the code, and
Chapter ?? will discuss algorithms for error-correcting expander codes and their variants that
we introduce in this chapter.

11.2 Bipartite Vertex Expanders

In this section, we will define the kind of bipartite expander graphs that we will use to construct
asymptotically good LDPC codes (called expander codes) and collect some known facts about
them. Informally, expander graphs are sparse graphs that have good connection properties. In
particular, we will consider bipartite graphs with only linear (in the number of vertices) many
edges, and we will require that any small subset of vertices on the left have many neighbors on
the right.
We begin with a series of definitions that will help us formally define expander graphs.

Definition 11.2.1 (Left Regularity). A bipartite graph G = (L, R, E ) is said to be D-left regular if
every vertex in L has degree exactly D.

For example, the graph in Figure 11.2 is 2-left regular.

183
 ℓ1

ℓ2 r1

ℓ3 r2

ℓ4 r3

ℓ5 r4

ℓ6 r5

ℓ7

Figure 11.2: A bipartite expander graph

Definition 11.2.2 (Neighbor Set). For any left vertex set S ⊆ L, a vertex u ∈ R is called a neighbor
of S if it is adjacent to some vertex in S. We denote by N (S) the set of neighbors of S. We anal-
ogously define N (T ) for any T ⊆ R. Finally, we will use N (u) as a shorthand for N ({u}) for any
u ∈ L ∪ R.
For example, in the graph in Figure 11.2, if S = {ℓ5 , ℓ6 } (set of gray left vertices), then N (S) =
{r 2 , r 4 , r 5 } (the set of orange right vertices).
Definition 11.2.3 (Unique Neighbor Set). For any left vertex set S ⊆ L, a vertex u ∈ R is called
a unique neighbor of S if it is adjacent to exactly one vertex in S. We denote by U (S) the set of
unique neighbors of S.
For example, in the graph in Figure 11.2, if S = {ℓ5 , ℓ6 } (set of gray left vertices), then U (S) =
{r 2 , r 5 } (the set of light orange right vertices).
We are finally ready to define bipartite expander graphs.
Definition 11.2.4 (Bipartite Expander Graphs). An (n, m, D, γ, α) bipartite expander is a D-left
regular bipartite graph G = (L, R, E ) where |L| = n and |R| = m such that for every S ⊆ L with
|S| ≤ γn, we have
|N (S)| ≥ α|S|.
¡ ¢
For example, the graph in Figure 11.2 is a 7, 5, 2, 72 , 32 bipartite expander (see Exercise 11.1).
In the above definition, γ gives a measure of how ‘small’ the expanding set can be and α
gives a measure of the expansion and is called the expansion factor. Note that we always have
α ≤ D. Next, we collect some known results about the existence of bipartite expanders.

184
Bounded right degree expander graphs. Note that the expander code that we have consid-
ered so far are left regular but in general there is no restriction on the degree of the right ver-
tices. Next, we record a simple lemma that show that any left-regular expander can be converted
into another one that in addition has ‘bounded’ right degree (without changing the expansion
factor)– we will need this fact later on in the book.

Lemma 11.2.5. Let G be an (n, m, D, γ, α) bipartite expander. Then there exists another bipartite
graph G ′ that is an (n, m ′ , D, γ, α) bipartite expander such that

• m ≤ m ′ ≤ 2m
§ nD ¨
• Every right vertex in G ′ has degree at most m .

Proof. Let G = (L, R, E ) and we will construct G ′ = (L, R ′ , E ′ ) with the required properties. Define
» ¼
nD
d= .
m
l m
dr
For each vertex r ∈ R, let d r be its degree. Then for each r ∈ R, add vertices to R ′ . Further
d
l m
the d r edges incident to vertex r are divided evenly among the corresponding ddr vertices in
R ′ such that all but potentially one such vertex has degree exactly d (and at most one vertex has
degree < d ).
The claim on the right degree bound in G ′ follows by construction. The claim on the expan-
sion follows since splitting the vertices can only increase vertex expansion. Recall that m ′ = |R ′ |
and m = |R|. Then again by construction, we have m ′ ≥ m. To complete the proof we will argue
that
m ′ − m ≤ m.

To see this note that µ» ¼ ¶

′
X dr X d r nD
m −m = −1 ≤ = ≤ m,
r ∈R d r ∈R d d
where the last inequality follows from the definition of d .

Existence of Bipartite Expander graphs. The following result shows that exists expanders
with an expansion factor that can get arbitrarily close to the upper bound of D:

Theorem 11.2.6. For every ε > ³0, and large enough´ m ≤ n, there exists an (n, m, D, γ, D(1 − ε))
log(n/m)+log(1/ε) ¡ εm ¢
bipartite expander where D = Θ ε and γ = Θ Dn .

The above can be proven with the probabilistic method (see Section 11.6 for a proof). For
fixed ε > 0 and large n ≤ m, the degree scales as O(log(n/m)/ε).

Remark 11.2.7. We present few remarks on the above result:

185
 1. Note that we have m ≤ n (and this is needed for the connection to constructing codes), so we
want expansion from the larger side to the smaller side. This is the harder direction since
is less room to expand to. (For example, if we could have m = Dn, then note that we have
a trivial (n, m, D, 1, D) bipartite expander by giving each node on the left its own private
neighborhood of D nodes on the right.)

2. The expansion factor can be brought arbitrarily close to the maximum value of D at the
cost of increasing the value of D.

3. By definition, γnD(1 − ε) is a trivial lower bound on m since sets of size up to (and includ-
ing) γn expand by a factor of D(1 − ε). The above result achieves a value of m that is 1/ε
times larger than this trivial bound. It turns out that this is necessary: see Section 11.8 for
more on this.

Theorem 11.2.6 guarantees the existence of excellently expanding graphs but to construct
explicit expander codes, we will need an explicit construction of bipartite expanders with α >
D/2.

Theorem 11.2.8. For every constant ε > 0 and every desired ratio 0 < β < 1, there exist explicit
(n, m, D, γ, D(1 − ε)) bipartite expanders for any large enough n (and m = βn) with D and γ > 0
being constants (that only depend on ε and β).

We will take the above expanders, which have a complicated construction, as a black-box
and will soon show how to use them to construct explicit asymptotically good codes.

A Property of Bipartite Expanders. We now state a property of D-left regular bipartite graphs
with expansion factor > D/2, which will be crucial in our answer to Question 11.0.1.

Lemma 11.2.9. Let G = (L, R, E ) be an (n, m, D, γ, D(1−ε)) bipartite expander graph with ε < 1/2.
Then for any S ⊆ L with |S| ≤ γn, we have

|U (S)| ≥ D(1 − 2ε)|S|.

Proof. The total number of edges going out of S is exactly D|S| by virtue of G being D-left reg-
ular. By the expansion property, |N (S)| ≥ D(1 − ε)|S|. Hence, out of the D|S| edges emanating
out of S, at least D(1 − ε)|S| go to distinct vertices, which leaves at most εD|S| edges. Therefore
at most εD|S| vertices out of the at least D(1 − ε)|S| vertices in N (S) can have more than one
incident edge. Thus, we have

|U (S)| ≥ D(1 − ε)|S| − εD|S| = (1 − 2ε)D|S|,

as desired.

186
11.3 Expander Codes
We are now finally ready to define expander codes:

Definition 11.3.1. If G is a bipartite graph with n left vertices and n − k right vertices, then we
say that C (G) is an expander code.

We begin with a simple observation about C (G) (for any bipartite graph G).

Proposition 11.3.2. Let G = (L, R, E ) be a bipartite graph with |L| = n and |R| = n − k. Then
(c 1 , . . . , c n ) ∈ {0, 1}n is in C (G) if and only if the following holds (where S = {i ∈ [n]|c i 6= 0}) for every
r ∈ N (S): X
c ℓ = 0, (11.1)
ℓ∈S:r ∈N ({ℓ})

where the sum is over F2 .

Proof. The proof follows from the definition of C (G), a parity check matrix and the fact that c j
for every j 6∈ S, does not contribute to any of the computed parities.

We record our first result on expander codes.

Theorem 11.3.3. Let G be an (n, n − k, D, γ, D(1 − ε)) bipartite expander with ε < 12 . Then C (G) is
an [n, k, γn + 1]2 code.

Proof. The claim on the block length and the linearity of C (G) follows from the definition of
expander codes. The claim on the dimension would follow once we argue the distance of C (G)
(since then as the distance is at least one, every 2k possible codewords are distinct).
For the sake of contradiction, let us assume that C (G) has distance at most γn. Then by
Proposition 2.3.6, exists a non-zero codeword c ∈ C (G) such w t (c) ≤ γn. Let S be the set of
non-zero coordinates of c. Since G is an expander, by Lemma 11.2.9,

|U (S)| ≥ D(1 − 2ε)|S| > 0,

where the inequality follows from the fact that ε < 21 and |S| ≥ 1 (since c is non-zero). This
implies exists an r ∈ U (S). Now the parity check in (11.1) corresponding to r is just c ℓ for some
ℓ ∈ S, which in turn implies that (11.1) is not satisfied (as c ℓ 6= 0). Thus, Lemma 11.3.2 implies
that c 6∈ C (G), which leads to a contradiction, as desired.

Note that Theorem 11.3.3 along with Theorem 11.2.8 answers Question 11.0.1 in the affir-
mative.

A Better Bound on Distance. It turns out that C (G) has almost twice the distance as argued in
Theorem 11.3.3, which we argue next.

Theorem 11.3.4. Let G be an (n, n − k, D, γ, D(1 − ε)) bipartite expander with ε < 1/2. Then C (G)
has distance at least 2γ(1 − ε)n.

187
Proof. As in the proof of Theorem 11.3.3, for the sake of contradiction, let us assume that C (G)
has distance < 2γ(1 − ε)n. Then by Proposition 2.3.6, exists a non-zero codeword c ∈ C (G) such
w t (c) < 2γ(1 − ε)n. Let S be the set of non-zero coordinates of c. We will argue that U (S) 6= ;
and the rest of the argument is the same as in the proof of Theorem 11.3.3.
If |S| ≤ γn, then we can just use the proof of Theorem 11.3.3. So let us assume that exists a
subset T ⊂ S such that |T | = γn. Then by Lemma 11.2.9, we have

|U (T )| ≥ D(1 − 2ε)γn. (11.2)

Now since the total number of edges emanating out of S \ T is at most D|S \ T |, we have

|N (S \ T )| ≤ D|S \ T | < Dγ(1 − 2ε)n, (11.3)

where the last inequality follows from the facts that |S| < 2γ(1 − ε)n and |T | = γn.
Now, note that
|U (S)| ≥ |U (T )| − |N (S \ T )| > 0,
where the last inequality follows from (11.2) and (11.3).

We will later study the question of efficiently decoding the above code construction from
≈ γn of errors in Chapter ??.

11.4 Codes from weaker expanders

The codes in the previous section required expansion factor > D2 (because of the ε < 21 require-
ment), and in fact the expansion requirement for efficient error-correction, which we will see
in Chapter ?? will be even stronger (namely, > 3D
4 ). While constructions of bipartite graphs with
such strong expansion are now known, they are complicated, and it is desirable to base our
codes on graphs with expansion requirements that are easier to meet.

11.4.1 Tanner codes

Our expander codes so far can be seen as a combination of an expander graph with the parity
check code, where the latter is used to impose a single parity check on the codeword bits neigh-
boring each check node on the right. The parity check code, however, has a distance of two and
cannot detect even the flipping of two bits. Thus, in order to even detect errors, we need a check
node which is adjacent to only one error, and guaranteeing this requires a non-trivial amount
of expansion.
In some sense, the expander was doing a lot of the hard work to compensate for the weak
error-resilience of the parity check code. We will now allow more general ‘local’ error-correcting
codes to restrict the bits in the neighborhood of a check node. The hope is that this can reduce
the requirement on the global expansion, something which will indeed be the case as we will
see shortly. This motivates the following definition—the naming follows the work by Tanner,
which first formally considered this construction.

188
Definition 11.4.1 (Tanner code). Let G be a n × m bipartite graph1 which is d -right regular and
let C 0 ⊆ Fd2 be a binary linear code. (Let LG and RG denote the set of left and right vertices.)
The Tanner code X (G,C 0 ) is defined as the set
© ª
c ∈ Fn2 | for all u ∈ RG , cN (u) ∈ C 0

where recall cN (u) ∈ Fd2 denotes the subsequence of c formed by the bits corresponding to the neigh-
bors of u in LG .

Remark 11.4.2. We note the following:

1. Tanner codes are linear codes since C 0 is a linear code (see Exercise 11.3).

2. Tanner Codes are a generalization of expander codes since in expander code C 0 was chosen
to be the [d , d − 1, 2]2 parity check code (see Exercise 11.4).

The following shows that if C 0 has large rate, then so does X (G,C 0 ).

Lemma 11.4.3. The dimension of X (G,C 0 ) is at least n − m(d − dim(C 0 )).

Proof. For each u ∈ RG , the condition that cN (u) ∈ C 0 imposes d − dim(C 0 ) independent linear
constraints on the bits of c. Therefore, the condition for all u ∈ RG , cN (u) ∈ C 0 imposes a total of
at most m(d − dim(C 0 )) linear constraints on the codeword bits of the code X (G,C 0 ). Note that
some of these constraints may be linearly dependent, but that only increases the dimension,
which is guaranteed to be at least n − m(d − dim(C 0 )).

The usefulness of Tanner codes comes from the fact that they require a much lower expan-
sion factor through the choice of an appropriate C 0 . In expander codes which are a special case
of Tanner codes, we used parity check codes for C 0 (see Exercise 11.4). Since parity check codes
have distance 2, we required that all sets of size at most γn expand by a factor of more than d /2
in order to argue that the code had distance at least γn. However, if we use a local code C 0 of
distance d 0 , then we only require an expansion factor exceeding d /d 0 to ensure the same code
distance. Hence a good choice of C 0 allows us to construct explicit Tanner codes using graphs
with weaker expansion properties, which are significantly easier to construct.

11.4.2 Edge-vertex incidence graphs

We can construct the requisite unbalanced bipartite expanders to use in the Tanner code con-
struction by starting with a good spectral expander (defined in Section 11.4.3), and taking its
edge-vertex incidence graph, defined below.

Definition 11.4.4. The Edge Vertex Incidence Graph of a graph G = (V, E ) is defined as the bi-
partite graph H0 = (L, R, E ′ ) where L has a node corresponding to each edge in E , R has a node
corresponding to each node in V and an edge exists in E ′ between each node e in L and corre-
sponding u e and v e in R where u e and v e are the nodes in R corresponding to the end-points of
edge e in E .

189
 e1 v1 v1 v1

v1 e2 v2 v2 v2

e1 e3

e2
v2 v3 e3 v3 v3 v3

Figure 11.3: The ‘triangle’ graph G on the left, its edge vertex incidence graph (see Defini-
tion 11.4.4) in the middle and its double cover (see Definition 11.4.13) on the right.

Figure 11.3 illustrates the above definition.

In the graph-code correspondence in Definition 11.4.1, the bits of the codeword used to
‘sit’ on nodes in the left partition and the constraints used to be imposed by nodes in the right
partition. The edges of graph G form the left partition of H0 and the nodes of graph G form
the right partition of H0 . Hence, we can equivalently view the codeword bits as residing on the
edges of the graph G, with each node of the graph G imposing a local constraint on the values
on the d edges incident at that node.
Let G be a d -regular graph with N vertices and N d /2 edges. Under the modified view of
code-bits sitting on the edges of the graph, the Tanner code X (H0 ,C 0 ) can alternately been de-
fined directly in terms of G as
½ Nd
¾
2
T (G,C 0 ) = c ∈ F2 | for every v ∈ V (H ), cN (v) ∈ C 0 . (11.4)

(We use the notation T (·, ·) instead of X (·, ·) to highlight this distinction.) Again, T (G,C 0 ) is
a linear code of dimension at least N · d2 − N (d − dim(C 0 )) (see Exercise 11.5) and a sufficient
condition for positive dimension is that dim(C 0 ) > d2 .

11.4.3 Spectral expanders

As mentioned above, we will now use for the graph G a d -regular graph with good spectral gap,
which is one of the most standard and versatile ways to quantify expansion.
We begin by recalling the definiton of an eigenvalue of a matrix (over R):
Definition 11.4.5. Let M ∈ Rn×n be a matrix over the reals. Then, λi is an eigenvalue of M if exists
a vector vi ∈ Rn such that M · vi = λi · vi .
The spectral theorem in linear algebra asserts that any real symmetric matrix, which is the
adjacency matrix of a graph is, has n real eigenvalues (we will take this result as a given).
1
That is, G has n left vertices and m right vertices.

190
Definition 11.4.6. A graph G = (V, E ) is said to be a (n, d , λ)-graph if G is a d -regular graph on
n vertices and λ = min {|λ2 | , |λn |} where λ1 ≥ λ2 ≥ · · · ≥ λn are the eigenvalues of the adjacency
matrix of G. In other words, λ is the second largest eigenvalue of the adjacency matrix of G, in
absolute value. We will also sometimes denote this value λ by λ(G).
For a d -regular graph G, it is easy to check that the highest eigenvalue λ1 equals d (see
Exercise 11.6). In order to obtain a family of Tanner codes, we will be interested in a family of
d -regular graphs for a fixed d with the number of vertices n growing. We now define spectral
expanders.
Definition 11.4.7. A family of (n, d , λ)-graphs is said to be an expander graph family if λ is
bounded away from d , i.e., d − λ ≥ µ for some µ > 0 that is independent of n.
What makes expanders as defined above useful? One of its significant properties is the Ex-
pander Mixing Lemma, stated below. The lemma says that, in a good expander (one where λ is
small compared to d ), the number of edges between every pair of sizeable subsets of vertices is
approximately equal to what one would expect in a random d -regular graph. This pseudoran-
dom property of expanders is the key ingredient in our analysis of both the distance property of
expander codes as well as the error-correction algorithms we present later in Chapter ??. We do
not prove this lemma here, but it is not hard to prove (see Section 11.8).
Lemma 11.4.8 (Expander mixing lemma). Let G = (V, E ) be a (n, d , λ)-graph. Then for every
S, T ⊆ V we have2
s µ ¶ µ ¶
¯ d |S||T | ¯ |S| |T |
¯ ¯
¯ |E (S, T )| − ¯ ≤ λ |S| · 1 − · |T | · 1 − , (11.5)
n n n

where |E (S, T )| is the number of edges between sets S and T with the edges in (S ∩ T ) × (S ∩ T )
counted twice. In particular, the above implies
¯ d |S||T | ¯¯ p
¯
¯ |E (S, T )| − ¯ ≤ λ |S||T |. (11.6)
n
A corollary of the above is the following, which justifies the term expander as it shows that
for any small S (of at most half the vertices), a large number of edge incident on S ‘leave’ S when
λ is much smaller than d . The proof is deferred to Exercise 11.7.
Lemma 11.4.9 (Spectral expansion: Cheeger’s inequality (easy direction)). Let G = (V, E ) be an
(n, d , λ)-graph and S ⊂ V be a subset with |S| ≤ n/2. Then
(d − λ)
|E (S, S)| ≥ · |S| .
2
Remark 11.4.10. There is also a converse to the above, which is the ‘harder’ direction of Cheeger’s
inequality, which says that there exists a sparse cut when λ is close to d . More concretely,p namely
there is a set S such that the number of edges crossing the cut (S, S) satisfies |E (S, S)| ≤ 2d (d − λ)|S|.
This plays a very important role in spectral algorithms for graph partitioning.
2
Note that S = T is allowed.

191
Remark 11.4.11. We now elaborate on the pseudorandom property of edge statistics in an ex-
pander that we alluded to above. Since G is a d -regular graph, we know that are d |S| edges
coming out of S. Now, if it were a purely random graph, we would expect that |Tn | fraction of these
edges to end up in T . Thus the expected value of |E (S, T )| would be d |S||T |
n . The expander mixing
lemma upper bounds the deviation of |E (S, T )| from the random graph expected value in terms
of how small the second largest eigenvalue (in absolute value) is in comparison to d . Note that
the lemma bounds this deviation for all pairs of sets S, T .

We conclude by stating one more implication of the Expander mixing lemma. First we note
that the expander mixing lemma implies an upper bound of nλd on the size of an indpendent set
in an expander (see Exercise 11.8).

Good expanders and Ramanujan graphs. By the above discussion, in a good spectral p ex-
pander we want λ ≪ d . How small can λ be? It is not too hard to show that λ ≥ Ω( d ) (see
Exercise 11.10).
p In fact, one can show that for an infinite family of d -regular graphs, we must
have λ ≥ 2 d − 1 − p o(1). Rather miraculously, this bound can be achieved; such (family of)
graphs with λ ≤ 2 d − 1 are called Ramanujan graphs. It turns out that small (enough) sets
expand by a factor of ≈ d4 (see exercise 11.9).
Ramanujan graphs can be constructed explicitly for a dense enough sequence of degrees,
for instance for d =
pq +1 where q is a prime with q ≡ 1 (mod 4), and almost-Ramanujan graphs
(which have λ ≈ 2 d − 1) can be constructed for any desired degree. For our purposes though,
it is not important that we have exactly Ramanujan or even near-Ramanujan graphs. It suffices
that the ratio λ/d can be made arbitrarily small by picking d large enough, and in this regime
some simpler constructions are available. Let us record the following result on the availability
of explicit expanders. See the bibliographic notes for relevant references.

Theorem 11.4.12. For every ε > 0, for all large enough d , there exists an infinite family of d -
regular (n, d , λ)-graphs with λ ≤ εd . Here by explicit we mean that the adjacency matrix of the
2
graph can be constructed in polynomial time. Furthermore, we can take d = O(1/ε ³ ), which
³p ´´ in
turns implies that for large enough d , we can in polynomial time construct an n, d ,O d -
graph.

Double cover of an expander. For technical reasons, it will be convenient to work with a ‘bi-
partite version’ of G called its double cover instead of G itself. Our final code will be T (H ,C 0 )
for suitable C 0 where H is the double cover (defined below) of an (n, d , λ)-expander G. Working
with the bipartite graph H (instead of G) makes the description and analysis of the decoding
algorithm for these codes simpler and cleaner. While for purposes of this chapter, where our
focus is on the dimension vs. distance trade-off, the switch to the double cover is not neces-
sary, we do so for sake of consistent notation with the algorithmic chapter coming later on (see
Chapter ??). Also, in Section 11.5.1, we will make use of the double cover to amplify the distance
of our codes, at the expense of lower rate and larger alphabet size.

192
Definition 11.4.13 (Double cover). The Double Cover of a graph G = (VG , EG ) is defined as the
bipartite graph H = (L H , R H , E H ) with both left and right partitions of graph H being equal to VG
i.e. L H = R H = VG and for all (u, v) ∈ EG , both (u, v) and (v, u) are in E H . Hence, the double cover
H of graph G has two copies of each node of G, one in the left partition and the other in the right
partition, and are two copies of each edge (u, v) of G.

See Figure 11.3 for an example of a double-cover of a graph.

11.4.4 Distance property of Tanner codes

We now prove that if the ‘local’ code C 0 has sufficiently large minimum distance compared to
the second largest eigenvalue λ of the expander, then the resulting code construction T (H ,C 0 )
has good distance.

Theorem 11.4.14. Let C 0 ⊂ Fd2 have distance at least δ0 d and G be an (n, d λ)-graph. Further, let
H be the³ double-cover
´ of G (see Definition 11.4.13). Then the relative distance of T (H ,C 0 ) is at
least δ0 δ0 − dλ

3
Proof. Since T (H ,C 0 ) is a linear code of block
³ length
´ nd , it will be sufficient to prove that no
non-zero codeword has weight less than δ0 δ0 − dλ nd .
Let c be a codeword in T (H ,C 0 ) and let F be the set of edges in H which have their corre-
sponding bits non-zero in c. Let S be the set of nodes in L which have at least one edge belong-
ing to F incident on them. Likewise, let T be the set of nodes in R which have at least one edge
from F incident on them.
Since the distance of C 0 is δ0 d any node in H that is incident to an edge of F should have at
least δ0 d edges from F incident to it. (This is because we know that any codeword c ∈ T (H ,C 0 )
satisfies the condition that for each node in H , the values assigned to the edges incident to the
node forms a codeword in C 0 .)
This implies that each vertex in S and T must have at least δ0 d edges of F incident to it.
Hence, |F | ≥ δ0 d |S| and |F | ≥ δ0 d |T | and therefore (by taking product of both sides of the
two inequalities and then taking square root on both sides), we have:
p
|F | ≥ δ0 d |S||T |.

Now, clearly |F | ≤ |E (S, T )| and by (11.6) in Lemma 11.4.8,

d |S||T | p
|E (S, T )| ≤ + λ |S||T |.
n
Combining these observations, we get
p d |S||T | p
δ0 d |S||T | ≤ + λ |S||T | ,
n
3
Note that while G has nd /2 edges, H has exactly nd edges since each edge in G appears twice in H .

193
which implies that
p µ ¶
λ
|S||T | ≥ δ0 − n.
d
p ³ ´
Recalling that |F | ≥ δ0 d |S||T |, we conclude |F | ≥ δ0 · δ0 − dλ nd , which completes the proof.

Remark 11.4.15. Note that when H is the n × n complete bipartite graph, the code T (H ,C 0 ) is
simply the tensor product of C 0 with itself and thus has relative distance exactly δ20 – see Ex-
ercise 11.11. (Recall the definition of a tensor code as well as it distance properties from Exer-
cise 2.19.) The above theorem states that for a good expander with λ = o(d ), in the limit of large
degree d , the relative distance becomes ≈ δ20 . Thus we can obtain distance as good as the product
construction, but we can get much longer codes (compared to the product construction, which
only gives a code of block length d 2 starting with a code of block length d ).

11.4.5 Rate-Distance Tradeoff

We consider the Tanner code T (H ,C 0 ), where H is the double-cover of an (n, d , λ)-graph. De-
note the rate of code C 0 by R. At each of the 2n nodes v of the bipartite graph H , we im-
pose (1 − R)d local constraints requiring membership in C 0 of the bits residing on edges in-
cident on v. This gives a total of 2nd (1 − R) constraints, so the dimension of T (H ,C 0 ) is at least
nd − 2nd (1 − R). We conclude that the rate of T (H ,C 0 ) is at least

nd − 2nd (1 − R)
= 2R − 1 .
nd

Let δ = δ20 be approximately the relative distance of T (H ,C 0 ) in the limit of large d (this
follows from Theorem 11.4.14). By picking C 0 to satisfy R ≥ 1 − H (δ0 ) (meeting the Gilbert-
Varshamov bound– Theorem 4.2.1), we obtain the following rate vs relative distance for T (H ,C 0 ):
p
R(T (H ,C 0 )) ≥ 2(1 − H (δ0 )) − 1 ≥ 1 − 2H ( δ + λ/d ), (11.7)

using the bound (from Theorem 11.4.14) δ ≥ δ0 (δ0 −λ/d ) ≥ δ20 −λ/d . When λ ≪ d (as is the case,
for example,
p when we use a Ramanjuan expander), the rate is lower bounded by approximately
1 − 2H ( δ).
This rate is positive when δ < 0.01. This implies that we get a positive rate for the construc-
tion T (H ,C 0 ) only when the relative distance of T (H ,C 0 ) is rather small. However, note that we
do get an asymptotically good construction of binary linear codes, as both the rate and rela-
tive distance can be bounded away from 0. Also, by Theorem 11.4.12 we can have an explicit
(n, d , λ)-expander for d = O(1) and λ ≪ d . Thus we can find the “local” code C 0 of block length
d and adequate minimum distance in constant time by brute-force. This leads to an explicit
construction of the overall Tanner code. We can thus conclude the following (which answers
Question 11.0.1 again in the affirmative).

194
Theorem 11.4.16. There is an explicit construction of an asymptotically good low-density partiy-
check (LDPC) code family. That is, there exist R, δ > 0 and an absolute constant d and an infinite
family of binary linear codes with rate at least R and relative distance at least δ each of which can
be defined by a parity check matrix with at most d 1’s in each row.

Recall that we have seen a construction with similar properties as above earlier in Sec-
tion 11.3– both require expanders with certain expansion properties. However, without ex-
panders we remark that proving the existence of such codes is not obvious to establish but it
can be shown that there exists such codes that lie on the Gilbert-Varshamov bound (see Exer-
cise 11.12 and Section 11.8 for more on this).

11.5 Optimizing the trade-off between rate and error fraction

In light of the above discussion, it is natural to ask whether one can use expander graphs to
give codes with larger relative distance. It turns out that this is possible, and in fact one can
achieve a relative distance arbitrarily close to 1/2 which is the information-theoretic limit for
binary codes. However, this uses expanders in a different manner, for encoding rather than
parity checks. This indicates the versatility of expanders in the design of codes.
We will begin with a construction that amplifies the distance of the code at the expense of a
larger alphabet size (and a corresponding loss in rate).

11.5.1 Codes in the low-rate regime

Definition 11.5.1 (distance amplified code G(C )). Let G = (L, R, E ) be a bipartite graph with
L = [n], R = [m], which is D-left-regular and d -right-regular. Let C be a binary linear code of
block length n = |L|. For c ∈ {0, 1}n , define G(c) ∈ ({0, 1}d )m by
¡ ¢
G(c) j = cN1 ( j ) , cN2 ( j ) , · · · , cNd ( j ) ,

for j ∈ [m], where Ni ( j ) ∈ L denotes the i -th neighbor of j ∈ R. Now define the code G(C ) as

G(C ) = {G(c)|c ∈ C }.

Note that the codewords of G(C ) are in one-to-one correspondence with codewords of C .
Each position j of a codeword of G(C ) ‘collects together’ the bits of a corresponding codeword
of C situated in the positions that are adjacent to j in the graph G.
The alphabet of G(C ) is {0, 1}d which can be identified with the extension F2d . Note though
that G(C ) is not necessarily linear over F2d . It is, however, linear over F2 , and the sum of two
codewords in G(C ) also belongs to G(C ).
Since each bit of a codeword c ∈ C is repeated D times in the associated codeword G(c) ∈
G(C ), we have
1
Lemma 11.5.2. R(G(C )) = · R(C ) .
D

195
 To make the (relative) distance of G(C ) larger than that of C , we would like to use a special
class of graphs to be G, which is defined as follows.

Definition 11.5.3 (dispersers). A bipartite graph G = (L, R, E ) is said to be a (γ, ε)-disperser if for
all subset S ⊆ L with |S| ≥ γn, we have |N (S)| ≥ (1 − ε)m.

The following lemma immediately follows from the definition of dispersers.

Lemma 11.5.4. If G is a (γ, ε)-disperser and ∆(C ) ≥ γn, then ∆(G(C )) ≥ (1 − ε)m, where n = |L|
and m = |R|.

Proof. Suppose c and c′ are distinct codewords in C , and let G(c) and G(c′ ) be the corresponding
codewords in G(C ). Let A ⊆ L be the positions where c and c′ differ. We have that G(c) and G(c′ )
differ in their j ’th location whenever j ∈ N (A). Since |N (A)| ≥ (1 − ε)m, the Hamming distance
between G(c) and G(c′ ) is at least (1 − ε)m. We can thus conclude that ∆(G(C )) ≥ (1 − ε)m.

Thus, if we can get a ‘good’ disperser (say, with small γ, ε), then we can use it to amplify the
distance of a code. The following lemma shows that we can construct a good disperser again
using spectral expanders.

Lemma 11.5.5. There exists an explicit (poly-time constructible) (γ, ε)-disperser with D = d =
Θ(1/(γε)) (and n = m).
³ ³p ´´
Proof. Let G = (L, R, E ) be the double cover of an explicit n, d , λ ≤ O d -graph, as guaran-
teed by Theorem
³ 11.4.12,
³p for
´´ a large enough degree d to be picked later. Recall that this means
that we an n, d , λ ≤ O d -graph H and let G = (L, R, E ) be the double-cover of H (recall Def-
inition 11.4.13).
Now we only need to prove that for each S ⊆ L with |S| = γn, we have N (S) ≥ (1 − ε)n.4 Fix
S, let T = R \ N (S), it suffices to prove that |T | ≤ εn. By Expander Mixing Lemma (in particu-
lar, (11.6)) and the fact that E (S, T ) = ; by definition of T , we have

d |S||T | p
0 = |E(S, T )| ≥ − λ |S||T |
n
⇒ d 2 |S||T | ≤ λ2 n 2
λ2 n
⇒ d 2 |T | ≤ (Since |S| = γn)
γ
(λ/d )2
⇒ |T | ≤ n
γ
µ ¶ ³p ´
n
⇒ |T | ≤ O (As λ ≤ O d )
γd
³ ´ ³ ´
1 1
To make |T | ≤ εn, it suffices that d ≥ Ω γε , so we can achieve the stated goals with d = Θ γε .
Since G is a double cover we also have D = d and n = m, as claimed.
4
¯ ¯
Note that for any S ′ ⊆ L with ¯S ′ ¯ ≥ γn, we get the required expansion by considing any S ⊆ S ′ such that |S| = γn.

196
 Using any asymptotically good explicit code as C , and plugging Lemma 11.5.5 into Lemma
11.5.2 and Lemma 11.5.4, we get the following codes. Note that the best possible rate would be ε,
attaining the Singleton bound, and the construction is off by a constant fact. On the other hand,
unlike Reed-Solomon or other codes achieving the Singleton that necessarily need alphabet size
Ω(n) for block length n codes, here the alphabet size is a constant depending only on ε. Further,
the alphabet size matches what we would get with random linear codes (see Exercise 11.13).
Corollary 11.5.6. There are explicit codes of relative distance (1−ε) and rate Ω(ε), over an alpha-
bet of size 2O(1/ε) .

11.5.2 Codes almost matching the Singleton bound

The above scheme gave codes in the large distance regime, with rates optimal within a constant
factor (as ε is allowed to approach 0).
We now discuss an alternate scheme that can be used to construct codes that achieve a
rate vs. relative distance trade-off that almost matches the Singleton bound. In Chapter ??, we
will also give linear time algorithms to decode these codes up to almost half the stated rela-
tive distance bound, but here we describe the construction and analysis. For concreteness, we
construct the codes over a field of characteristic two, but this is not inherent.
Theorem 11.5.7. For every r , 0 < r < 1, and all ε > 0, there is an explicit family of codes of rate r
and relative distance at least (1−r −ε) over a fixed alphabet Σ of size bounded by exp(O(r −1 ε−4 log3 (1/ε))).
Further, the alphabet size can be assumed to be a power of two, and we can assume that the codes
are F2 -linear.5
Proof. Suppose the target rate r and desired proximity to the Singleton bound ε > 0 are given.
We will describe the code via its encoding process. The encoding will proceed in two steps,
where the first step is creating a concatenated code C ∗ and the second step re-distributes the
symbols in codewords of C ∗ according to an expander H (in a manner different from the notion
of H (C ∗ ) as in Defintion 11.5.1). Next we describe each of these two steps separately and then
we analyze its distance (Figure 11.4 for an illustration).

Concatenated code C out ◦ C in . We first decribe the properties we need from C out and C in and
then how we instantiate C out and C in . Before we present the parameters for the code, we setup
some notation.
Let δ > 0 be a small enough constant and define
µ µ ¶¶
p 1
r T ≥ 1 − O δ log ,
δ
such that r T > r . Let k ≥ 1 be an integer and let
k
n0 = .
rT
5
This means that treating the alphabet Σ as a vector space over F2 , the sum of any two codewords in the code
also belongs to the code.

197
Let s be a parameter (sufficiently large as a function of ε) to be set later and define
B = 2s ,
and
r
b=B· .
rT
Finally define
n0
n= .
bs
We setup the parameters for C in and C out as follows (we also state the corresponding param-
eters for C out ◦C in , which follow from Theorem 10.1.1):
C out C in C out ◦C in
Dimension k b bk
r
Rate rT rT r
Block length n B ³nB ´
Rel. distance δ 1 − rrT δ · 1 − rrT
q 2bs 2s 2s
We define C out by first considering a binary linear code T with rate approaching 1 that has a
small relative distance. For instance, we may use the Tanner codes with the guarantee given by
(11.7). So we can assume that T has relative distance δ and rate r T . Note that by defnition, n 0
is block length of this code. We construct C out from T as follows. We divide the n 0 bits in each
codeword in T into n = n 0 /(bs) blocks of size bs bits each. (Assume for notational simplicity
that n 0 is divisible by bs as otherwise this can be arranged by simply padding the codeword of
T with at most bs −1 0’s at negligible loss in rate.) We view each block of bs bits as a sequence of
b symbols over F2s using some canonical F2 -linear map from s-bit vectors to F2s . This completes
the definition of C in – note that it satisfies all the claimed parameters in the table above.
Let C in be a Reed-Solomon code over F2s with evaluation points being F2s with parameters
as in the table above. Note that for r T ≈ 1, the rate of the Reed-Solomon code is close to r and
thus its relative distance is close to 1 − r .

Using an expander. In the next step, we will redistribute the symbols of each Reed-Solomon
block (i.e. we think of each codeword in C out ◦ C in as vector of length n over symbols of size
(F2s )B via an expander. The expander will have degree equal to the block length B of thepReed-
Solomon code. Let H = (U ,V, E ) be the double cover of an (n, B, λ)-graph,
³ ´ with λ ≤ ε δB as
guaranteed by Theorem 11.4.12. Therefore, we only need to take B = Θ δε1 2 .
We will imagine the n Reed-Solomon codewords residing on the n nodes in U . For each
codeword, we will redistribute its B symbols to the B neighbors in V . On the right hand side,
each node v ∈ V will ‘collect’ B symbols from its B neighbors, and view it as a vector symbol in
FB2s . The order in which these symbols are collected together can be fixed in an arbitrary way.
Let the code constructed at this stage be C ∗ . Note that the rate of C ∗ equals r of C out ◦ C in —the
expander redistribution step does not incur any rate loss as it just moves symbols around and
repackages them but does not introduce any redundancy.

198
The final code. This completes the specification of the encoding. Note that C ∗ maps a mes-
sage in Fk2 to a final codeword that resides in (F2s )nB . We define our final code FB2s by thinking of
¡ ¢n
codes in (F2s )nB as codewords in FB2s is the obvious way. Thus we have constructed a code of
block length n over an alphabet of size 2sB – note that the rate remains at r .

Analysis of distance. All that remains to be done is to argue a lower bound on the distance of
the code. While the constructed code is not linear (indeed its alphabet is not naturally a field), it
is however F2 -linear, which means that if c, c′ ∈ (FB2s )n are the codewords encoding two messages
x, x′ ∈ Fk2 (these are messages for the Tanner code, which comprises the first step of the encod-
ing), then the encoding of x + x′ ∈ Fk2 equals c + c′ where addition in the alphabet FB2s is defined
componenent-wise. This F2 -linearity can be checked in a straightforward way by inspecting the
encoding process. To lower bound the distance by D, we thus have to prove the encoding of any
nonzero bit vector Fk2 has nonzero vectors of FB2s in at least D of the n coordinates.
After the encoding by the Tanner code T , at least a fraction δ of the n 0 bits are nonzero
owing to the distance property of T . This means that at least a δ fraction of the n blocks are
nonzero vectors in Fb2s . The Reed-Solomon encodings
³ ´ of these blocks will lead to vectors in
FB2s (Reed-Solomon codewords) with at least 1 − rrT · B nonzero components. Denote the set
of these blocks (i.e. vectors in FB2s ) by X . Let Y ⊆ V be the neighborhood of X , but restricted
to those edges which carry one of these nonzero values. (Recall that the B symbols of each
Reed-Solomon codeword are pushed along the B edges incident to the corresponding expander
node.)
Observe that it is precisely the positions corresponding to Y that will be nonzero in the
final codeword, so we would like to argue that |Y | is large. We now do this by appealing to the
expander mixing lemma which will finish the proof.
By definition, we have µ ¶
r
|E (X , Y )| ≥ |X |B 1 − .
rT
By the expander mixing lemma (in particular (11.6)), therefore, we have that
µ ¶ p
r B |X ||Y |
|X |B 1 − ≤ + λ |X ||Y |
rT n
which after rearranging gives
s r
|Y | r λ |Y | r λ n
≥ 1− − ≥ 1− − ,
n rT B |X | rT B |X |
³p ´
where the second inequality follows since |Y | ≤ n. Using |X | ≥ δn and λ ≤ O δεB (by picking
p
λ small enough), we get |T | ≥ (1 − r /r T − ε/2). Recalling that r T ≥ 1 − O( δ log(1/δ)), taking
2
δ = c · ε2 ¡ 1 ¢ for a sufficiently small constant c > 0, we get that |T |/n ≥ (1 − r − ε), as desired.
log ε
The alphabet size of the code is
µ µ µ ¶¶¶ µ µ ¶¶
sB B −1 −2 1 1 3 1
2 = B = exp O δ ε log = exp 4 log ,
δε2 ε ε

199
 a

a→
b b→

c→ d→
c
d→

b→
d

a→
c→
g→
(c, g , e, f )

e→

f →
e
Codeword in C out ◦ C in

e→
Codeword in C out

Codeword in C ∗

f
f→

Expander G

Figure 11.4: Code construction in proof of Theoremm 11.5.7.

as desired.

Remark 11.5.8. The near-optimal trade-off (rate r for distance close to (1−r )) that almost matches

200
the optimal Singleton bound comes from using the Reed-Solomon codes. The overall scheme can
be viewed as using several independent constant-sized RS codes; the role of the expander is then
to “spread out” the errors among the different copies of the RS code, so that most of these copies
can be decoded, and the remaining small number of errors can be corrected by the left code C .
Since only a small fraction of errors needs to be corrected by C it can have rate close to 1 and there
is not much overhead in rate on top of the Reed-Solomon code.

Remark 11.5.9. An alternate construction of codes that have a rate vs. distance trade-off close to
the Singleton bound are the so-called algebraic geometric codes (see Exercise 5.21). For suitable
constructions, these can achieve a trade-off of δ ≥ 1 − R − ε for rate R and relative distance δ over
an alphabet size of O(1/ε2 ). The best known lower bound on alphabet size is Ω(1/ε) implied by
the Plotkin bound. While the expander based construction requires much larger alphabet size, it
is simpler and more elementary.

11.5.3 Binary codes approaching the Zyablov bound

The codes in Theorem 11.5.1 are defined over a large alphabet Σ (whose size depends expo-
nentially on 1/ε). But since this is still a constant for any fixed ε, we can find an inner code
of dimension log2 |Σ| that achieves the Gilbert-Varshamov bound in time that depends only on
ε, and is thus a constant when ε is constant (see Exercises 4.5 and 4.7 for various options to
compute such codes in times ranging from 2O(kn) to 2O(k) for an [n, k]2 inner code). Thus, if
the codes in Theorem 11.5.1 are concatenated with constant-sized binary codes that lie on the
Gilbert-Varshamov bound (where the inner codes can be constructed using any of the options
in Exercises 4.5 and 4.7) to give constructions of binary codes which meet the Zyablov bound
(which was described in Section 10.2).
If we use the code in Corollary 11.5.6 as outer code, and concatenate it with constant-size
binary linear codes that lie on the Gilbert-Varshamov bound, we can conclude the following
(using the same argument we used to prove Theorem 10.2.1):

Corollary 11.5.10. There are explicit binary linear codes that lie within ε of the Zybalov bound
and can be constructed in time polynomial in the block length and exponential in poly(1/ε).

We note that the above re-proves Theorem 10.2.1. While it seems like we did not ‘gain’ any-
thing with the above Corollary, in Chapter ?? how the codes in Corollary 11.5.10 can be decoded
in linear-time, something that is not known to be the case for the codes in Theorem 10.2.1.

11.6 Existence of lossless expanders: Proof of Theorem 11.2.6

In this section, we will prove Theorem 11.2.6. As mentioned earlier, we will use the probabilistic
method.
We begin by fixing some parameters. Let c > 0 be a large enough constant (that will get fixed
later in the proof) so that µ µ ¶
c 1 ³ n ´¶
D = · log + log ,
ε ε m

201
and let
εm
γ= .
2eDn
Note that these choices satisfy the claim on these parameter in the statement of Theorem 11.2.6.
We will pick G = (L, R, E ) to be a random bipartite as follows. In particular, we let |L| = n and
|R| = m as required and pick the random edges in E as follows. For every vertex ℓ ∈ L be pick D
random (with replacement) ¥ ¦ vertices in R and connect them to ℓ.6
Let 1 ≤ j ≤ γn be an integer and let S ⊆ L be an arbitrary subset of size exactly j . We will
argue that with the chosen parameters, the probability that |N (S)| < D(1 − ε) j is small enough
so that even after taking union bound over all choices of j and S, we get that the probability all
small enough set expand by a factor of D(1−ε) is strictly more than 0, which by the probabilistic
method will prove the result.
Let us for now fix j and S as above. Let r 1 , r 2 , . . . , r j D be the j D random choices of the right
neighbor of the j vertices in S as outlined above. We call a choice r i for i > 1 to be a repeat if
r i ∈ {r 1 , . . . , r i −1 }. Note that if the total number of repeats is at most ε j D, then we have |N (S)| ≥
D(1 − ε) j . Thus we will show that the probability of > ε j D repeats is small.
Towards that end, first note that for any given r i the probability that r i is a repeat is at most
i −1 jD
≤ ,
m m
where the first bound follows from the fact that each of the m choices for r i in R is picked uni-
formly at random and at worst all of the previous i −1 choices are all distinct while the inequality
follows from the fact that i ≤ j D. This implies that
à !µ ¶
£ ¤ Dj j D εD j
Pr number of repetitions > ε j D ≤ (11.8)
εjD m
³ e ´ε j D µ j D ¶εD j
≤ · (11.9)
ε m
µ ¶
e j D εjD
=
εm
µ ¶
j εjD
≤ . (11.10)
2γn
In the above, (11.8) follows by taking union bound over all possible locations of ε j D repetitions
(and noting that the choices for each of these repetition are made independently), (11.9) follows
from Lemma B.1.3 and finally (11.10) follows from our choice of γ (indeed we have by choice of
γ, 2eγn = εm
D ). ¡ ¢
Now taking union bound over all the nj choices for S, we see that the probability that exists
some set S of size j that does not expand by a factor of D(1 − ε) is upper bounded by
à ! µ ¶ µ ¶j µ ¶ µ ¶j
n j εjD en j εjD 1
· ≤ · ≤ , (11.11)
j 2γn j 2γn 2
6
Note that this implies that we can have multi-edges and so technically the vertices in L need not be D-regular.
However, this is easy to fix: see Exercise 11.2.

202
where the first inequality follow from Lemma B.1.3 and the second inequality follow from the
argument in the next paragraph. Taking union bound over all value of j ≤ γn, it can be seen that
the probability that G is not an (n, m, D, γ, D(1 − ε)) bipartite expander is strictly smaller than 1,
as desired.
First note that the second inequality in (11.11) is equivalent to proving (for every 1 ≤ j ≤ γn):
µ ¶ µ ¶
en j εD 1
· ≤ .
j 2γn 2

Note that since by our choice of D we have εD ≥ 1, the LHS on the above increasing in j . Hence
the above is true if µ ¶ µ ¶
en γn εD 1
· ≤ ,
γn 2γn 2
which is satisfied if
µ ¶ µ 2 ¶ µ µ 2¶ ³ n ´¶
1 2e 1 4e Dn 1 4e
D ≥ · log = · log = · log + log D + log .
ε γ ε εm ε ε m

We note the above is satisfied for our choice of D for a large enough constant c. The proof is
complete.7

11.7 Exercises
¡ ¢
Exercise 11.1. Argue that the graph in Figure 11.2 is a 7, 5, 2, 27 , 23 bipartite expander.

Exercise 11.2. Show that the graph generated in proof of Theorem 11.2.6 can be made to be ex-
actly D-regular with at least as good an expansion property as needed in Theorem 11.2.6.

Exercise 11.3. Show that the Tanner codes defined on linear code C 0 in Definition 11.4.1 are
linear codes.

Exercise 11.4. Let G be a bipartite expander graphs that is both left and right regular. Then the
expander code corresponding to G is the same as the tanner code X (G,C 0 ) where C 0 is the parity
code.

Exercise 11.5. Let G be a d -regular graph on n nodes. Then for any binary linear code C 0 ⊆ Fd2 ,
we have that the Tanner code T (G,C 0 ) has dimension at least N · d2 − N (d − dim(C 0 )).

Exercise 11.6. For this problem let G be a d -regular graph and H be its adjacency matrix. Then
argue the following:

1. Argue that d is an eigenvalue of H .

7
The above construction does not necessarily give a left-regular bipartite graph: but this is easy to fix– see Exer-
cise 11.2.

203
 2. Argue that the absolute value of all eigenvalues is at most d .
Hint: Consider any eigenvector v and consider the location of H v corresponding to largest absolute value in
v.

3. Using the above, or otherwise, conclude that λ1 = d .

Exercise 11.7. Prove Lemma 11.4.9.
Hint: Use the bound (11.5) of Lemma 11.4.8.

Exercise 11.8. Let G = (V, E ) be an (n, d , λ)-graph. Then the any independent set8 of G has size
at most λn
d .
Hint: Use the bound (11.6) of Lemma 11.4.8.

Exercise 11.9. In this exercise we will show that in a Ramanujan graph, small enough sets ex-
pand by a factor of ≈ d4 . We do so in a two step process:
1. Let G = (V, E ) be an (n, d , λ)-graph. For any S ⊆ V , let N (S) ⊆ V be its neighbor set.9 . Prove
that for any S ⊆ V with |S| = α · n, we have
|N (S) ∪ S| d2
≥ .
|S| α · d 2 + (1 − α) · λ2

Hint: Pick T = V \ (N (S) ∪ S). What can you say about E (S, T )? Then apply (11.5) of Lemma 11.4.8.
p
2. Now consider the case when G is a Ramanujan graph, i.e. λ = 2 d − 1. Using the above
part or otherwise argue that for every γ > 0 and for large enough d , there exists an α0 ≥
Ω(γ/d ) such that for every S ⊆ V such that |S| ≤ α0 · n, we have
µ ¶
d
|N (S) ∪ S| ≥ − γ · |S| .
4
³p ´
Exercise 11.10. In this exercise we will argue that an (n, d , λ)-graph must have λ ≥ Ω d as
long as d ≤ n − Ω(n). We will do so in multiple steps.
We first setup some notation. Let G = (V, E ) be an (n, d , λ)-graph. Let M be the adjacency
matrix of G (note that M is symmetric). Let λ1 ≥ λ2 ≥ · · · ≥ λn be the eigenvalues of M. Recall that
λ = min {|λ2 | , |λn |} and (by Exercise 11.6) λ1 = d .
1. Argue that the eigenvalues of M2 are λ21 , λ22 , . . . , λ2n .

2. Argue that s
p n −d
λ≥ d· .
n −1

Hint: Use the fact that the sum of diagonal elements of a matrix (also known as the trace of the matrix) is
equal to the sum of its eigenvalues. The first part might also be useful.
8
An independent set is a subset S ⊆ V such that there are no edges from E contained in S.
9
This is the natural generalization of definition of neighbor set for bi-partite graphs from Definition 11.2.2, i.e.,
N (S) = {v|u ∈ S, (u, v) ∈ E }.

204
 ³p ´
3. Argue that as long as d ≤ n − Ω(n), we have λ ≥ Ω d .

Exercise 11.11. Let C 0 ⊆ Fd2 be a code of distance at least δ0 · d . Let H be the double cover of a
graph G such that H is a d × d complete graph.
1. Argue that the Tanner code T (H ,C 0 ) is the tensor code C 0 ×C 0 (recall the definition of tensor
codes from Exercise 2.19).

2. What is the graph G (for which H is the double cover)?

3. Using the above part or otherwise, argue that λ(G) = 0.

Hint: Use the fact that for a matrix M with rank r , λr +1 = · · · = λn = 0.

4. Use Theorem 11.4.14 argue that T (H ,C 0 ) has (relative) distance δ20 .

Exercise 11.12. In this exercise, we will show a weaker form of Gallagher LDPC results that states
that there exists a code on the GV bound when each row in the parity check matrix has at most
(some large enough) constant number of ones. Here we will show that O(log n) ones in each row
of the parity check matrix suffices.
Let 0 < δ < 12 . Let H ∈ F2m×n be a random parity check matrix of a code C where each entry in
H is picked to be 1 independently at random with probability
ln n
p =c· ,
n
for a large enough constant c (that can depend on δ). We will argue that for large enough n, there
exists a code C with relative distance δ with

m = (h(δ) + ε) · n,

for any constant ε > 0. We do so in the following sequence of steps.

1. Argue that for any x ∈ [0, 1],
1 1
(1 − x) x ≤ .
e
Further, for any natural number a ≥ 0, we have
1
(1 − x)a ≤ .
1 + ax

Hint: Use Lemma B.2.5 for the first inequality.

2. For any 0 ≤ w ≤ n, let N w denote the expected number of codewords in C with Hamming
weight exactly w. Argue that
à ! à ¡ ¢ w !m
n 1 + 1 − 2p
Nw = · .
w 2

In the next few steps we will show that this quantity is tiny for 0 ≤ w < δn.

205
 3. Show that for large enough n (compared to δ, γ) such that for any
£ ¤
w ∈ γn, δn ,

we have
N w ≤ 2−Ω(εn) .

4. Show that there exists a γ > 0 small enough (compared to δ) and a choice of α (in terms of
c) such that for any · ¸
ln n
w ∈ α· , γn ,
n
we have
N w ≤ 2−Ω(εn) .

5. Show that there exists a large enough (in terms of δ1 ) constant c such that any
· ¸
ln n
w ∈ 1, α · ,
n
we have
1
Nw ≤ .
n2
6. Using the above parts (or otherwise), argue that for large enough n
δn
X
N w < 1.
w=1

Then conclude that there exists a code C on the GV bound with a parity check matrix where
each row has O(log n) ones in it.

Exercise 11.13. Let ε > 0. Argue that a random linear code over an alphabet of size 2O(1/ε) has
relative distance (1 − ε) and rate Ω(ε).

11.8 Bibliographic notes

Graph-based codes have a long and storied history within coding theory. In a remarkable work
that was way ahead of its time, Gallagher introduced Low-density Parity Check (LDPC) codes [42].
These are codes whose parity check matrix are very sparse, with at most a fixed constant num-
ber of nonzero entries in each row (as well as column). Equivalently, their factor graphs are
sparse. For a random choice of such a factor graph, Gallager analyzed the distance properties
of these codes, proving that they can attain the Gilbert-Varshamov trade-off when the graph is
picked randomly. Gallager also gave iterative algorithms for correting errors caused by a binary
symmetric channel with some positive crossover probability. These algorithms were very influ-
ential as a blueprint for later developments in the mid 1990s when, after a long dormancy, the
subject of LDPC codes and iterative message passing algorithms was revitalized.

206
 Tornado codes, a construction of LDPC codes, that provably achieve the capacity of the
erasure channel with linear complexity algorithms were given in [90]. A general framework of
belief-propagation algorithms for other channels and strong results based on those were given
in [110, 109]. Empirical results approaching Shannon capacity very closely were obtained [24].
The book by Richardson and Urbanke [110] provides a comprehensive treatment of these de-
velopments. For a shorter survey, the reader might refer to [54].
Returning to the subject of bounds on distance of codes and correction from worst-case er-
rors, the codes X (G,C 0 ) in Definition 11.4.1 were defined by Tanner [128] as a generalization of
Gallager’s LDPC codes (they are thus referred to as Tanner codes). He established lower bounds
on the distance of these codes as a function of the girth — the length of shortest simple cycle
— of the graph G. Sipser and Spielman [120] were the first to realize that the expansion of the
factor graph can be used to lower bound its distance. The term expander codes were dubbed
in their work, which led to many follow-up works on expander-based code constructions. The
results of Sections 11.3 and 11.4 follow from their work.
Turning to the expander graphs themselves, for unbalanced bipartite vertex expanders, exis-
tential bounds similar to Theorem 11.2.6 appear in paper [105] (such expanders are typically re-
ferred to as dispersers in that and other works in pseudorandomness). This comprehensive work
also proved lower bounds on the degree showing that the probabiistic construction achieves es-
sentially the best possible parameters.
The question of constructing an explicit expander code with expansion strictly better than
half the left-degree was open for a long time. The explicit “lossless” expanders, which have ex-
pansion (1 − ε)D for any desired small ε > 0. claimed in Theorem 11.2.8 were given by Capalbo,
Reingold, Vadhan, and Wigderson [17] following an impressive line of work that unearthed initi-
mate connections between expander graphs and various forms of randomness extraction pro-
cedures, and in particular developed the zig-zag product on graphs.
A proof of Lemma 11.4.8 can be found in several places, for instance in Alon and Spencer’s
text [3].
The proof of Lemma 11.2.5 is a procedure similar to a right-regularization trick in [59].
The seminal work of Gallager [42] which introduced and studied LDPC codes showed that
for growing d , there exist LDPC codes with at most d 1’s in each row of the parity check matrix
whose rate-distance trade-off approaches the Gilbert-Varshamov bound. Note that this is a
stronger result than the one we proved in Exercise 11.12.

207
208
Chapter 12

Information Theory Strikes Back: Polar

Codes

We begin by recalling Question 14.4.1, which we re-produce for the sake of completeness:

Question 12.0.1. Can we get to within ε of capacity for BSCp (i.e. rate 1− H (p)−ε) via codes
with block length and decoding times that are poly(1/ε)?

In this chapter we introduce Polar codes, a class of codes developed from purely information-
theoretic insights. We then show how these codes lead to a resolution of Question 12.0.1, namely
how to get arbitrarily close to capacity on the binary symmetric channel with block length, and
decoding complexity growing polynomially in the inverse of the gap to capacity. This answers
in the affirmative one of the most crucial questions in the Shannon setting.
This chapter is organized as follows. We define the precise question, after some simplifi-
cation, in Section 12.1. In the same section, we discuss why the simplified question solves a
much more general problem. We then switch the problem from an error-correction question to
a linear-compression question in Section 12.2. This switch is very straightforward but very use-
ful in providing insight into the working of Polar codes. In Section 12.3 we introduce the idea of
polarization, which provides the essential insight to Polar codes. (We remark that this section
onwards is based on notions from Information Theory. The reader unfamiliar with the theory
should first consult Appendix E to get familiar with the basic concepts.) In Section 12.4 we then
give a complete description of the Polar codes, and describe the encoding and decoding algo-
rithms. In Section 12.5 we then describe the analysis of these codes. We remark that the only
complex part of this chapter is this analysis and the construction and algorithms themselves
are quite simple (and extremely elegant) modulo this analysis.

209
12.1 Achieving Gap to Capacity
The goal of this section is to present a simple question that formalizes what it means to achieve
capacity with polynomial convergence, and to explain why this is the right question (and how
answering this positively leads to much more powerful results by standard methods).
Recall that for p ∈ [0, 1/2) the BSCp is the channel that takes as input a sequence of bits X =
(X 1 , . . . , X n ) and outputs the sequence Y = (Y1 , . . . , Yn ) where for each i , X i = Yi with probability
1 − p and X i 6= Yi with probability p; and this happens independently for each i ∈ {1, . . . , n}. We
use the notation Z = (Z1 , . . . , Zn ) ∈ Bern(p)n to denote the error pattern, so that Y = X + Z.
Our target for this chapter is to prove the following theorem:

Theorem 12.1.1. For every p ∈ [0, 1/2) there is a polynomial1 n 0 (·) such that for every ε > 0 there
exist k, n and an encoder E : Fk2 → Fn2 and decoder D : Fn2 → Fk2 satisfying the following conditions:

Length and Rate The codes are short, and the rate is close to capacity, specifically, 1/ε ≤ n ≤
n 0 (1/ε) and k ≥ (1 − H (p) − ε) · n.

Running times The encoder and decoder run in time O(n log n) (where the O(·) notation hides a
universal constant independent of p and ε).

Failure Probability The probability of incorrect decoding is at most ε. Specifically, for every m ∈
Fk2 ,
Pr n [m 6= D(E (m) + Z)] ≤ ε.
Z∈Bern(p)

Theorem 12.1.1 is not the ultimate theorem we may want for dealing with the binary sym-
metric channel. For starters, it does not guarantee codes of all lengths, but rather only of one
fixed length n for any fixed choice of ε. Next, Theorem 12.1.1 only guarantees a small probabil-
ity of decoding failure, but not one that say goes to zero exponentially fast in the length of the
code. The strength of the theorem is (1) its simplicity - it only takes one parameter ε and delivers
a good code with rate ε close to capacity and (2) Algorithmic efficiency: the running time of the
encoder and decoder is a polynomial in 1/ε. It turns out both the weaknesses can be addressed
by applying the idea of concatenation of codes (Chapter 13) while preserving the strength. We
present the resulting theorem, leaving the proof of this theorem from Theorem 12.1.1 as an ex-
ercise. (See Exercise 12.1.)

Theorem 12.1.2. There exists polynomially growing functions n 0 : [0, 1] → Z+ and T : Z+ → Z+

such that for all p ∈ [0, 1], ε > 0 there exists δ > 0, a function k : Z+ → Z+ and an ensemble of
function E = {E n }n and D = {D n }n such that for all n ∈ Z+ with n ≥ n 0 (1/ε) the following hold:

1. The codes are ε-close to capacity: Specifically, k = k(n) ≥ (1 − H (p) − ε)n, E n : Fk2 → Fn2 and
D n : Fn2 → Fk2 .

1
I.e. n 0 (x) = x c for some constant c.

210
 2. The codes correct p-fraction of errors with all but exponentially small probability: Specifi-
cally
Pr [D n (E n (X) + Z) 6= X] ≤ exp(−δn).
Z∼Bern(p)n ,X∼U (Fk2 )

3. Encoding and Decoding are efficient: Specifically E n and D n run in time at most T (n/ε).

12.2 Reduction to Linear Compression

In this section we change our problem from that of coding for error-correction to compress-
ing a vector of independent Bernoulli random variables i.e., the error-pattern. (Recall that we
encountered compression in Exercise 6.10). We show that if the compression is linear and the
decompression algorithm is efficient, then this turns into a linear code with efficient decod-
ing (this is the converse of what we saw in Exercise 6.11). By virtue of being linear the code is
also polynomial time encodable, given the generator matrix. We explain this simple connection
below.
For n ≥ m, we say that a pair (H, D) where H ∈ F2n×m , and D : Fm n
2 → F2 forms an τ-error linear
n
compression scheme for Bern(p) if H has rank m and

Pr [D(Z · H) 6= Z] ≤ τ.
Z∼Bern(p)n

m
We refer to the ratio n as the (compression) rate of the scheme (recall Exercise 6.10).

Proposition 12.2.1. Let (H, D) be a τ-error linear compression scheme for Bern(p)n with H ∈
F2n×m . Let k = n − m and let G ∈ Fk×n
2 and G∗ : F2n×k be full-rank matrices such that G · H = 0 and
G · G∗ = Ik (the k × k identity matrix). Then the encoder E : Fk2 → Fn2 given by

E (X ) = X · G

and the decoder D ′ : Fn2 → Fk2 given by

D ′ (Y) = (Y − D(Y · H)) · G∗

satisfy for every m ∈ Fk2 :

Pr [m 6= D ′ (E (m) + Z)] ≤ τ.
Z∈Bern(p)n

Remark 12.2.2. 1. Recall that straightforward linear algebra implies the existence of matrices
∗
G and G above (see Exercise 12.2).

2. Note that the complexity of encoding is simply the complexity of multiplying a vector by
G. The complexity of decoding is bounded by the complexity of decompression plus the
complexity of multiplying by G∗ . In particular, if all these operations can be carried out in
O(n log n) time then computing E and D ′ takes O(n log n) time as well.

211
 3. Note that the above proves the converse of Exercise 6.11. These two results show that (at
least for linear codes), channel and source coding are equivalent.

Proof. Suppose D(Z · H) = Z. Then we claim that if Z is the error pattern, then decoding is
successful. To see this, note that

D ′ (E (m) + Z) =(E (m) + Z − D((E (m) + Z) · H)) · G∗ (12.1)

∗
=(E (m) + Z − D(Z · H)) · G (12.2)
∗
=(E (m) + Z − Z)) · G (12.3)
∗
=E (m) · G
=m. (12.4)

In the above (12.1) follows by definition of D ′ , (12.2) follows from the fact that E (m) · H = m · G ·
H = 0, (12.3) follows by assumption that D(Z · H) = Z and (12.4) follows since E (m) = m · G and
G·G∗ = I. Thus, the probability of a decoding failure is at most the probability of decompression
failure, which by definition is at most τ, as desired.

Thus, our updated quest from now on will be to

Question 12.2.1. Design a linear compression scheme for Bern(p)n of rate at most H (p) + ε.

See Exercise 12.4 on how one can answer Question 12.2.1 with a non-linear compression
scheme.
In what follows we will introduce the polarization phenomenon that will lead us to such a
compression scheme.

12.3 The Polarization Phenomenon

12.3.1 Information Theory Review
The only information theoretic notions that we need in this chapter are that of Entropy (see
Definition E.1.2) and Conditional Entropy (Definition E.2.2). We use the notations H (X ) to de-
note the entropy of a variable X and H (X |Y ) to be the entropy of X conditioned on Y . The main
properties of these notions we will use are the chain rule (see Theorem E.2.4):

H (X , Y ) = H (Y ) + H (X |Y ),

and the fact that conditioning does not increase entropy (see Lemma E.2.6):

H (X |Y ) ≤ H (X ).

212
We also use the basic fact that the uniform distribution maximizes entropy (see Lemma E.1.3)
and hence,
H (X ) ≤ log |Ω|
if Ω denotes the support of X . A final fact that will be useful to keep in mind as we develop the
polar codes is that variables with low entropy are essentially determined, and variables with low
conditional entropy are predictable. We formalize this (with very loose bounds) below.
Proposition 12.3.1. Let α ≥ 0.
1. Let X be a random variable with H (X ) ≤ α. Then there exists an x such that Pr X [X 6= x] ≤ α.

2. Let (X , Y ) be jointly distributed variables with H (X |Y ) ≤ α. Then the function

A(y) = argmax{Pr[X = x|Y = y]}

x

satisfies
Pr [X 6= A(Y )] ≤ α.
(X ,Y )

We defer the proof to Section 12.6.1.

12.3.2 Polarized matrices and decompression

We now return to the task of designing a matrix H (and corresponding matrices G and G∗ ) such
that the map Z 7→ Z·H is a good compression scheme. While we are seeking an m×n rectangular
matrices with some extra properties, in this section we will convert the question of constructing
H into a question about square n × n invertible matrices.
For an invertible matrix P ∈ F2n×n , we consider its effect on Z = (Z1 , . . . , Zn ) ∼ Bern(p)n . Let
W = (W1 , . . . ,Wn ) be given by W = Z·P. Now consider the challenge of predicting the Wi ’s as they
arrive online. Thus, when attempting to predict Wi , we get to see

W<i , (W1 , . . . ,Wi −1 ),

which we can use to predict Wi . For arbitrary matrices, e.g. the identity matrix, seeing W<i gives
us no advantage on predicting Wi . A matrix will be considered polarized if, for an appropriately
large fraction of i ’s, Wi is highly predictable from W<i .
To formalize the notion of highly predictable, we turn to information theory and simply
require H (Wi |W<i ) ≤ τ for some very small parameter τ of our choice.2 With this definition,
how many i ’s should be very predictable? Let

S = S τ = {i ∈ [n] | H (Wi |W<i ) ≥ τ}

denote the set of unpredictable bits. An entropy calculation will tell us how small we can hope
S to be. Since P is invertible, we have (see Exercise 12.5):

H (W) = H (Z) = n · H (p). (12.5)

2
Eventually we will set τ = o(1/n).

213
However, by the chain rule we have
n
X
H (W) = H (Wi |W<i )
i =1
X X
= H (Wi |W<i ) + H (Wi |W<i )
i ∈S i 6∈S
X
≤ H (Wi |W<i ) + (n − |S|)τ (12.6)
i ∈S
X
≤ H (Wi |W<i ) + nτ
i ∈S
X
≤ H (Wi ) + nτ (12.7)
i ∈S
≤ |S| + nτ. (12.8)

In the above, (12.6) follows by using definition of S, (12.7) follows from the fact that conditioning
does not increase entropy and (12.8) follows from the fact that uniformity maximizes entropy
and so H (Wi ) ≤ 1. We thus conclude that, since τ is small, |S| ≥ H (p)·n −nτ ≈ H (p)·n. Thus, the
smallest that the set S can be is H (p) · n. We will allow an εn additive slack to get the following
definition:

Definition 12.3.2 (Polarizing matrix, unpredictable columns). We say that an invertible matrix
P ∈ F2n×n is (ε, τ)-polarizing for Bern(p)n if for W = Z · P (where Z ∈ Bern(p)n ) and

S = S τ = {i ∈ [n] | H (Wi |W<i ) ≥ τ}

we have |S| ≤ (H (p) + ε)n. We refer to the set S as the set of unpredictable columns of P (and
{Wi }i ∈S as the unpredictable bits of W).

We next show how to get a compression scheme from a polarizing matrix (without necessar-
ily having an efficient decompressor). The idea is simple: the compressor simply outputs the
“unpredictable” bits of W. Let WS = (Wi )i ∈S , the compression of Z is simply (Z · P)S . For the sake
of completeness, we record this in Algorithm 9.

Algorithm 9 P OLAR C OMPRESSOR(Z, S)

I NPUT: String Z ∈ Fn2 and subset S ⊆ [n]
O UTPUT: Compressed string W ∈ F2|S| ⊲ Assumes a polarizing matrix P ∈ F2n×n

1: RETURN (Z · P)S

Equivalently, if we let PS denote the n × |S| matrix whose columns correspond to indices in
S, then the compression of Z is Z · PS . Thus, PS will be the matrix H we are seeking. Before
turning to the decompression, let us also specify G and G∗ for the linear
¡ ¢ compression scheme
corresponding to Algorithm 9. Indeed, Exercise 12.3 shows that G = P−1 S̄ (where S̄ is the com-
plement of set S) and G∗ = PS̄ . In particular, the complexity of multiplying an arbitrary vector

214
by P and P−1 dominate the cost of the matrix multiplications needed for the encoding and de-
coding.
We finally turn to the task of describing the decompressor corresponding to compression
with a polarizing matrix P with unpredictable columns S. The method is a simple iterative one,
based on the predictor from Proposition 12.3.1, and is presented in Algorithm 10.

Algorithm 10 Successive Cancellation Decompressor SCD(W, P, S)

I NPUT: S ⊆ [n], W ∈ FS2 and P ∈ F2n×n
O UTPUT: Ze ∈ Fn such that (Ze · P)S = W
2
P ERFORMANCE PARAMETER : 3 PrZ∼Bern(p)n [SCD((Z · P)S , P, S) 6= Z] ⊲ Smaller is better

1: FOR i = 1 to n DO
2: IF i ∈ S THEN
3: fi ← Wi
W
4: ELSE
© £ ¤ª
5: fi ← argmaxb∈F Pr Wi = b|W<i = W
W e <i
2
e←W
6: RETURN Z e · P−1

Next we argue that Algorithm 10 has low failure probability:

Lemma 12.3.3. If P is (ε, τ)-polarizing for Bern(p)n with unpredictable columns S, then the suc-
cessive cancellation decoder has failure probability at most τn, i.e.,
Pr [Z 6= SCD((Z · P)S , P, S)] ≤ τn.
Z∈Bern(p)n

Thus, if P is (ε, ε/n)-polarizing for Bern(p)n then the failure probability of the successive cancel-
lation decoder is at most ε.

fi = Wi . For
Proof. Let W = Z · P. Note that by Step 3 in Algorithm 10, we have for every i ∈ S, W
any i 6∈ S, by Proposition 12.3.1 applied with X = Wi , Y = W<i , α = τ we get that
e <i )] ≤ τ,
Pr[Wi 6= A i (W
Z

where A i (·) is the corresponding function defined for i 6∈ S (in Proposition 12.3.1). By a union
bound, we get that
n
X
e <i )] ≤
Pr[∃i s.t. Wi 6= A i (W e <i )] ≤ τn.
Pr[Wi 6= A i (W
Z i =1 Z

Note that by step 5 in Algorithm 10 and the definition of A i (·), we have Wfi = A i (W
e <i ). But if
e there must exists a least i such that W
W 6= W fi 6= Wi . Thus, we get Pr[W 6= W]
e ≤ τn and so
probability that SCD(WS , P, S) 6= Z is at most τn.
3
Note that the Successive Cancellation Decompressor, and Decompressors in general are not expected to work
correctly on every input. Thus, the I NPUT /O UTPUT relations don’t fully capture the goals of the algorithm. In
such cases in the rest of the chapter, we will include a P ERFORMANCE PARAMETER, which we wish to minimize that
attempts to capture the real goal of the algorithm.

215
 Z1 L W1 = Z 1 + Z 2
H (p) H (2p(1 − p))
P2
Z2 W2 = Z 2
H (p) 2H (p) − H (2p(1 − p))

Figure 12.1: The 2 × 2 Basic Polarizing Transform. Included in red are the conditional entropies
of the variables, conditioned on variables directly above them. Acknowledgement: Figure by and used
with permission from Matt Eichhorn.

To summarize, in this section we have learned that to prove Theorem 12.1.1 it suffices to
answer the following question:

Question 12.3.1. Given any ε > 0, does there exist an (ε, ε/n)-polarizing matrix P ∈ F2n×n
where n is bounded by a polynomial in 1/ε; where SCD (potentially a re-implementation of
Algorithm 10) as well as multiplication and inversion by P takes O(n log n) time.

Next we will describe the idea behind the construction, which will answer the above ques-
tion.

12.3.3 A polarizing primitive

Thus far in the chapter, we have essentially only been looking at the problem from different per-
spectives, but have not yet suggested an idea on how to get the codes or compression schemes
that we desire (i.e., to answer Question 12.3.1). In this section we will provide the essence of the
idea, which is to start with a simple and basic polarization step, and then iterate it appropriately
many times to get a highly polarized matrix. Indeed, it is this section that will explain the term
polarization (and why we use this term to describe the matrices we seek).
Recall that the ultimate goal of polarization is to start with many bits Z1 , . . . , Zn that are in-
dependent and slightly unpredictable (if p is small), and to produce some linear transform that
concentrates all the unpredictability into fewer bits. We will first try to achieve this with two
bits. Therefore we have Z1 , Z2 such that H (Z1 ) = H (Z2 ) = p and we wish to produce two bits
W1 ,W2 such that at least one of these is less predictable than either Zi . Since there are only 4
possible linear combinations of two bits (over F2 ) and three of them are trivial (0, Z1 , and Z2 )
we are left with only one candidate function, namely Z1 + Z2 , so we will set W1 = Z1 + Z2 . For
W2 we are left with the trivial functions: 0 carries no information and so is ruled out. Without
loss of generality, the only remaining choice is W2 = Z2 . Thus, we look at this transformation:
P 2 : (Z1 , Z2 ) 7→ (W1 ,W2 ) = (Z1 + Z2 , Z2 ). (See Figure 12.1.)

216
 This is an invertible linear transformation given by the matrix
µ ¶
1 0
P2 = .
1 1

This in turn implies (see Exercise 12.6):

H (W1 ,W2 ) = 2H (p). (12.9)

However, some examination shows that H (W1 ) > H (Z1 ), H (Z2 ). In particular, the probability
that W1 is 1 is 2p(1−p) ∈ (p, 1/2), and since H (·) is monotonically increasing in this interval (see
Exercise 12.7) it follows that H (W1 ) > H (p) = H (Z1 ) = H (Z2 ). Thus, W1 is less predictable than
either of the input bits, and thanks to the chain rule:

H (W2 |W1 ) = H (W1 ,W2 ) − H (W1 ) = H (Z1 , Z2 ) − H (W1 ) = H (Z1 ) + H (Z2 ) − H (W1 ) < H (Z1 ), H (Z2 ).

In other words, multiplying by P2 has separated the entropy of two equally entropic bits into
a more entropic bit and a (conditionally) less entropic one. Of course this may be only slight
polarization, and what we are hoping for is many bits that are almost completely determined
by preceding ones.
To get more polarization, we apply this 2×2 operation repeatedly. Specifically, let P 2 (Z1 , Z2 ) =
(Z1 + Z2 , Z2 ). Then we let P 4 (Z1 , Z2 , Z3 , Z4 ) = (W1 ,W2 ,W3 ,W4 ) = (P 2 (U1 ,U3 ), P 2 (U2 ,U4 )) where
(U1 ,U2 ) = P 2 (Z1 , Z3 ) and (U3 ,U4 ) = P 2 (Z2 , Z4 ). Thus, the bit W1 = Z1 +Z2 +Z3 +Z4 has higher en-
tropy than say Z1 or even U1 = Z1 + Z3 . On the other hand, W4 = Z4 conditioned on (W1 ,W2 ,W3 )
can be shown to have much lower entropy than Z4 (unconditionally) or even U4 = Z4 condi-
tioned on U2 .
The composition above can be extended easily to n bit inputs, when n is a power of two, to
get a linear transform P n (See Figure 12.2). We will also give this transformation explicitly in the
next section).
It is also clear that some bits will get highly entropic due to these repeated applications of P 2 .
What is remarkable is that the polarization is nearly “perfect” - most bits Wi have conditional
entropy (conditioned on W<i ) close to 1, or close to 0. (We will show this result later on.) This
leads to the simple construction of the polarizing matrix we will describe in the next section.
A striking benefit of this simple construction is that multiplying a vector by either P or P−1
only takes O(n log n) time. Further, a version of SCD (Algorithm 10) is also computable in time
O(n log n) and this leads to an overall compression and decompression algorithms running in
time O(n log n), which we describe in the next section.
We note that one missing element in our description is the challenge of determining the
exact set of indices S that includes all the high-conditional-entropy bits. We will simply skirt
the issue and assume that this set is known for a given matrix P and given to the compres-
sion/decompression algorithms. Note that this leads to a non-uniform solution to compression
and decompression problem, as well as the task of achieving Shannon capacity on the binary
symmetric channel. We stress that this is not an inherent problem with the polarization ap-
proach. An explicit algorithm to compute S (or a small superset of S) is actually known and we
discuss this in Section 12.7.

217
 L
Z1 W1
L
Z2 W2
.. .. Pn P n2 ..
. . .
L
Z n2 W n2

Z n2 +1 W n2 +1
Z n2 +2 W n2 +2
.. .. P n2 ..
. . .
Zn Wn

³Figure 12.2: The ´ n × n Basic Polarizing Transform defined as P n (Z) = P n (U, V) =

P n (U + V), P n (V) . Acknowledgement: Figure by and used with permission from Matt Eichhorn.
2 2

12.4 Polar codes, Encoder and Decoder

We begin with the description of polar codes along with the statement of the main results in Sec-
tion 12.4.1. We explicitly state the encoding algorithm and analyze its runtime in Section 12.4.2.
We present the decoder as well as its proof of correctness in Section 12.4.3.

12.4.1 The Code and Polarization Claims

We are now ready to describe the code.

Definition 12.4.1 (Basic polarizing matrix). We define the n × n polarization matrix Pn recur-
sively for n = 2, 4, 8, . . ., by describing the linear map P n : Z 7→ Z·Pn . For n = 2 and Z ∈ F22 we define
P 2 (Z) = (Z1 + Z2 , Z2 ). 4 For n = 2t and Z = (U, V) for U, V ∈ Fn/22 we define

P n (Z) = (P n/2 (U + V), P n/2 (V)).

Exercise 12.8 talks about an explicit description of Pn as well as some extra properties.
In Section 12.5 we show that this matrix polarizes qtickly as n → ∞. The main theorem we
will prove is the following:
4
We will be using Pn to denote the n × n matrix and P n to denote the corresponding linear map that acts on Z.

218
Theorem 12.4.2 ((Polynomially) Strong Polarization). Fix p ∈ (0, 1/2) and constant c. There ex-
ists a polynomial function n 0 such that for every ε > 0, there exists n = 2t with 1/ε ≤ n ≤ n 0 (1/ε)
and a set E ⊆ [n] with |E | ≤ (ε/2)·n such that for every i 6∈ E , the conditional entropy H (Wi |W<i ) is
either less than n −c , or greater than 1 − n −c . Furthermore, if we let S = {i ∈ [n]|H (Wi |W<i ) ≥ n −c }
then |S| ≤ (H (p)+ε)·n and the matrix Pn is (ε, 1/n c )-polarizing for Bern(p)n with unpredictable
columns S.
This theorem allows us to specify how close to zero the conditional entropy of the polarized
bits should be. Notably, this threshold can be the inverse of an arbitrarily-high degree polyno-
mial in n. We will prove Theorem 12.4.2 in Section 12.5, which will be quite technical. But with
the theorem in hand, it is quite simple to complete the description of the Basic Polar Code along
with the associated encoding and decoding algorithms, and to analyze their performance.
Definition 12.4.3 (Basic Polar (Compressing) Code). Given 0 < p < 1/2 and ε ≤ 1/4, let n and
S ⊆ [n] be as given by Theorem 12.4.2 for c = 2. Then the Basic Polar Code with parameters p and
ε maps Z ∈ Fn2 to P n (Z)S .
Proposition 12.4.4 (Rate of the Basic Polar Code). For every p ∈ (0, 1/2) and ε > 0, the rate of the
Basic Polar Code with parameters p and ε is at most H (p) + ε.5

12.4.2 Encoding
The description of the map P n (Z) is already explicitly algorithmic, modulo the computation of
the set S. For the sake of completeness, we write the algorithm below in Algorithm 11, assuming
S is given as input, and argue its runtime.

Algorithm 11 B ASIC P OLAR E NCODER(Z; n, S)

I NPUT: n power of 2, Z ∈ Fn2 and S ⊆ [n]
O UTPUT: Compression W ∈ FS2 of Z given by W = (P n (Z))S

1: RETURN W = (P (n, Z))S

2: FUNCTION P(n, Z)
3: IF n = 1 THEN
4: RETURN Z
5: ELSE
6: Let U = (Z1 , . . . , Zn/2 ) and V = (Zn/2+1 , . . . , Zn )
7: RETURN (P (n/2, U + V), P (n/2, V))

Proposition 12.4.5. The runtime of the B ASIC P OLAR E NCODER algorithm is O(n log n).
Proof. If T (n) denotes the runtime of the algorithm on inputs of length n, then T (·) satisfies the
recurrence T (n) = 2T (n/2)+O(n) (since all operations other than the two recursive calls can be
done in O(n) time), which implies the claimed runtime.
5
Recall that we are trying to solve the compression problem now.

219
12.4.3 Decoding
£ ¤
Note that a polynomial time algorithm to compute Pr Wi = b|W<i = W e <i given b ∈ F2 and
We <i ∈ Fi −1 would lead to a polynomial time implementation of the S UCCESSIVE C ANCELLA -
2
TION D ECOMPRESSOR (Algorithm 10). However, by exploiting the nice structure of the Basic
Polarizing Matrix, we will get an O(n log n) algorithm without much extra effort. The key insight
into this faster decoder is that the decoder works even if Z ∼ Bern(p 1 ) × · · · × Bern(p n ), i.e., even
when the bits of Z are not identically distributed, as long as they are independent. This stronger
feature allows for a simple recursive algorithm. Specifically we use the facts that:

1. If Z1 ∼ Bern(p 1 ) and Z2 ∼ Bern(p 2 ) are independent then Z1 + Z2 is a Bernoulli random

variable. Let b + (p 1 , p 2 ) denote the bias (i.e., probability of being 1) of Z1 + Z2 (and so
Z1 + Z2 ∼ Bern(b + (p 1 , p 2 )) (see Exercise 12.9).

2. If Z1 ∼ Bern(p 1 ) and Z2 ∼ Bern(p 2 ) are sampled conditioned on Z1 + Z2 = a (for some

a ∈ F2 ) then Z2 is still a Bernoulli random variable. Let b | (p 1 , p 2 , a) denote the bias of Z2
conditioned on Z1 + Z2 = a. (Note that b | (p 1 , p 2 , 0) is not necessarily equal to b | (p 1 , p 2 , 1).)
See Exercise 12.10 for more.

We now use the functions b + and b | defined above to describe our decoding algorithm. We
switch our notation slightly to make for a cleaner description. Rather than being given the
vector WS ∈ F2|S| , we assume that our decoder is given as input a vector W ∈ (F2 ∪ {?})n where
Wi =? if and only if i 6∈ S.
The main idea behind the decoding algorithm is that to complete W to a vector in Fn2 , we
can first focus on computing
def
W[1, . . . , n/2] = (W1 , . . . ,Wn/2 ).

It will turn out that we can use the fact that W[1, . . ., n/2] = P n/2 (Z1′ , . . . , Zn/2
′
) where Zi′ ∈ Bern(b + (p, p))
are independent.6 We use recursion to solve this problem, and by computing the Zi′ ’s along the
way, we can in turn compute W[n/2 + 1, . . . , n] = P n/2 (Zn/2+1 , . . . , Zn ). Note that here Zi is no
longer drawn from Bern(p) but instead we have Zi ∼ Bern(b | (p, p, Zi′−n/2 )). Nevertheless, the
Zi ’s are still independent. This stronger condition allows us to solve the problem recursively, as
detailed below in Algorithm 12.
We assume that b + and b | can be computed in constant time, and with this assumption it
is straightforward to see that the above algorithm also has a runtime of O(n log n), by using the
same recursive analysis that we used in the proof of Proposition 12.4.5. The correctness is a bit
more involved and we argue this in the next lemma.

Lemma 12.4.6. Let Z ∼ Bern(p 1 ) × · · · × Bern(p n ), and W = P n (Z). Further let W′ = (W1′ , . . . ,Wn′ )
be given by Wi′ = Wi if i ∈ S and Wi′ =? otherwise. Let (Ze, W,
e ρ) = RPD(W′ ; n, (p 1 , . . . , p n )). Then, if
H (Wi |W<i ) ≤ τ for every i 6∈ S, we have the following:
e <i ] = ρ i .
(1) For every i , we have that PrZ [Wi = 1|W<i = W
6
Note that this follows from definition of P n .

220
Algorithm 12 B ASIC P OLAR D ECODER : BPD(W; n, p)
I NPUT: n (power of 2), W ∈ (F2 ∪ {?})n , and 0 ≤ p < 1/2
O UTPUT: Ze ∈ Fn such that for every i either Wi =? or (Z e · P)i = Wi
2
P ERFORMANCE PARAMETER : PrZ∼Bern(p)n [Z 6= BPD(W ; n, p)] where W′S = (Z · P)S and Wi′ =? if i 6∈
′

e, W,
1: (Z e ρ) = RPD(W; n, (p, · · · , p))
e
2: RETURN Z

3: FUNCTION R ECURSIVE P OLAR D ECODER : RPD((W; n, (p 1 , . . . , p n )))

I NPUT: W ∈ (F2 ∪ {?})n and p 1 , . . . , p n ∈ [0,
¡ 1].¢
e e n e e e = WS . ρ = (ρ 1 , . . . , ρ n ) ∈ [0, 1]n . e is the main
O UTPUT: Z, W ∈ F2 with W = P n (Z) and W S ⊲ Z
output while W e and ρ will help us reason about correctness.
P ERFORMANCE PARAMETER : PrZ∼Bern(p 1 )×···×Bern(p n ) [Z e 6= Z] where Z e is the first element of the
triple output by RPD((Z · Pn )S ; n, (p 1 , . . . , p n ))
4: IF n = 1 and W1 ∈ F2 THEN
5: RETURN (W1 ,W1 , p 1 )
6: ELSE IF n = 1 and W1 =? THEN
7: RETURN (1, 1, p 1 ) if p 1 ≥ 1/2 and (0, 0, p 1 ) otherwise
8: ELSE ⊲n≥2
9: W = (W(1) , W(2) ) where W(1) = W[1, . . . , n/2] and W(2) = W[n/2 + 1, . . . , n]
10: FOR i = 1 to n/2 DO
11: let q i = b + (p i , p n/2+i )
12: Let (X e 1 , ρ 1 ) = RPD(W(1) ; n/2, (q 1 , . . . , q n/2 ))
e, W
13: FOR i = 1 to n/2 DO
14: let r i = b | (p i , p n/2+i , Xei )
15: Let (Y e 2 , ρ 2 ) = RPD(W(2) ; n/2, (r 1 , . . . , r n/2 ))
e, W
16: e = (X
Let Z e+Y e, Y e ), and let W e 1, W
e = (W e 2 ) and ρ = (ρ 1 , ρ 2 )
17: RETURN (Z e, W,
e ρ)

221
 £ ¤
(2) PrZ W 6= We ≤ τn.
£ ¤
e ≤ τn.
(3) PrZ Z 6= Z
Note that part (3) of Lemma 12.4.6 proves the same decoding error bound that we proved in
Lemma 12.3.3 for the S UCCESSIVE C ANCELLATION D ECOMPRESSOR (Algorithm 10). The correct-
ness of B ASIC P OLAR D ECODER (Algorithm 12) follows immediately and we state this explicitly
below (see Exercise 12.11).
Corollary 12.4.7. For every input n = 2t , p ∈ [0, 1/2), and W ∈ (F2 ∪ {?})n , the B ASIC P OLAR D E -
CODER (Algorithm 12) runs in time O(n log n) and computes an output Z e ∈ Fn such that P n (Z
e )i =
2
Wi holds for every i for which Wi 6=?. Furthermore if
(1) Z ∼ Bern(p)n ,

(2) WS = P n (Z)S and

(3) H (Wi |W<i ) ≤ τ for every i 6∈ S

then
e 6= Z] ≤ τn.
Pr[Z
Z

Proof of Lemma 12.4.6. The main part of the lemma is part (1). Part (2) follows almost immedi-
ately from part (1) and Proposition 12.3.1. And part (3) is straightforward. We prove the parts in
turn below.
We begin by first arguing that for every n that is a power of two:
e = P n (Z
W e). (12.10)

For the base case of n = 1, lines 5 and 7 show that W1 = Z1 as desired.7 By induction (and lines 12
and 15) we have that W e 1 = P n/2 (X
e ) and W e 2 = P n/2 (Y
e). Finally, line 16 implies that:
¡ ¢
e) = P n ((X
P n (Z e+Y e, Y
e )) = P n/2 (X
e+Y e+Y e 1, W
e), P n/2 (Y) = (W e 2 ) = W,
e

as desired. In the above, the second equality follows from the definition of P n .
Part (1) follows by induction on n. If n = 1 (where say we call RPD((W1 ), 1, (p 1′′ ))), then the
claim follows since here we have ρ 1 = p 1′′ , W1 = Z1 and Z1 ∼ Bern(p 1′′ ). For larger values of n, we
consider two cases (below we have Z = (U, V)).
If i ≤ n/2, then we have Wi = P n/2 (U + V)i (via definition of Pn ). Furthermore,¡ ′ (U + V) ∼ ¢
Bern(q 1 )×· · ·×Bern(q n/2 ). Thus, by the inductive claim, the recursive call RPD W [1, . . . , n/2]; n/2, (q 1 , . . . , q n/2 )
satisfies

ρ i = ρ (1)
i
£ ¤
= Pr Wi = 1|W<i = W e <i
(U+V)∼Bern(q 1 )×···×Bern(q n/2 )
£ ¤
= Pr Wi = 1|W<i = W e <i
Z∼Bern(p 1 )×···×Bern(p n )

7
Note that when defining P n , the base case was n = 2 but note that if we started with n = 1 and define P 1 (Z ) = W ,
then the resulting definition is the same as on the we saw in Definition 12.4.1.

222
as desired. In the above, the first equality follows from the algorithm definition and the third
equality follows from the definition of q i .
Now if i > n/2, note that the condition W[1, . . . , n/2] = W[1, e . . . , n/2] is equivalent to the con-
dition that U + V = X e since W[1, . . . , n/2] = P n/2 (U + V) and X
e = P −1 (W[1,
e . . . , n/2]), where the
n/2
latter equality follows from (12.10) and the fact that the map P n/2 is invertible. And now from
definition of Pn , we have W[n/2 + 1, . . . , n] = P n/2 (V). Conditioning on U + V = X e implies that
V ∼ Bern(r 1 ) × · · · × Bern(r n/2 ) — this is exactly how r i ’s were defined. Thus, we have

Pr [Wi = 1|W<i = W e <i ]

Z∼Bern(p 1 )×···×Bern(p n )
h n hn i i
= Pr e
P n (V)i − n = 1|P n (V)[1, . . . , i − − 1] = W e .
+ 1, . . . , i − 1 ∧ U + V = X
V∼Bern(r 1 )×Bern(r n )
2
2 2 2 2 2

By induction again on the recursive call to RPD(W′ [n/2 + 1, . . . , n]; n/2, (r 1 , . . . , r n/2 )) we have the
final quantity above equals ρ (2) i −n/2
= ρ i (where the last equality follows from the algorithm defi-
nition). This concludes the proof of part (1).
Part (2) follows from Proposition 12.3.1. We first note that if i ∈ S, then by line 5 of the algo-
rithm we have Wi = W fi . Now assume i 6∈ S. We claim that W fi = 1 if and only if ρ i = PrZ [Wi =
1|W<i = W e <i ] ≥ 1/2. To see this note that we set ρ i = p when RPD is called on the input
′
i
′ ′
(Wi , 1, p i ) and then the claim follows from line 7 of the algorithm. Thus, W fi = argmaxb∈F Pr[Wi =
2
b|W<i = W e <i ]. By Proposition 12.3.1 applied to the variables X = Wi and Y = W<i with α = τ, we
get
Pr[Wi 6= Wfi |W<i = W
e <i ] ≤ τ.

By a union bound over i , we thus have

fi |W<i = W
Pr[∃i ∈ [n] s.t. Wi 6= W e <i ] ≤ τn.

But if W 6= We there must exist an index i such that Wi 6= W fi and so we have Pr[W 6= W] e ≤ τn
concluding proof of part (2).
For part (3), note that by (12.10), if We = W (which holds with probability at least 1 − τn from
e = P n−1 (W)
part (2)), we have Z e = P n−1 (W) = Z as desired.

To summarize the claims of this section, Theorem 12.4.2 guarantees the existence of a po-
larizing matrix as desired to satisfy the information-theoretic conditions of Question 12.3.1.
And Proposition 12.4.5 and Corollary 12.4.7 ensure that the encoding and descoding times are
O(n log n). This allows us to complete the proof of Theorem 12.1.1 (modulo the proof of Theo-
rem 12.4.2 — which will be proved in the next section).

Proof of Theorem 12.1.1. Recall from Proposition 12.2.1 and Question 12.3.1 that it suffices to
find, given p ∈ [0, 1/2) and ε > 0, an (ε, ε/n)-polarizing matrix P ∈ F2n×n with n bounded by a
polynomial in 1/ε; such that multiplication by P and decompression take O(n log n) time.
Theorem 12.4.2 applied with parameters p, ε and c = 2 yields n and the matrix P = Pn ∈ F2n×n
that is (ε, 1/n 2 )-polarizing. Moreover, since Theorem 12.4.2 also guarantees ε ≥ 1/n, we have
that Pn is (ε, ε/n)-polarizing. Furthermore, there exists a set S ⊆ [n] with |S| ≤ (H (p) + ε)n such

223
that H (WS̄ |WS ) ≤ ε when W = Z · P and Z ∼ Bern(p)n . Given such a set S we have, by Proposi-
tion 12.4.5, that the time to compress Z ∈ Fn2 to (Z · Pn )S is O(n log n). Finally Corollary 12.4.7
asserts that a decompression Z e can be computed given (Z · Pn )S in time O(n log n) and Ze equals
Z with probability at least 1 − ε thereby completing the proof of Theorem 12.1.1.

12.5 Analysis: Speed of Polarization

We now turn to the most crucial aspect of polarization - the fact that it happens, and it is fast
enough to deliver polynomial convergence to capacity. In this section we first give an overview
of how we will think about polarization. We will then analyze the convergence by first explor-
ing what happens in a single polarization step (i.e., the action of P 2 ) and then showing how the
local effects aggregate after log2 n steps of polarization. This will lead us to the proof of Theo-
rem 12.4.2.

12.5.1 Overview of Analysis

We start by setting up some more notation. Recall n = 2t . In this section it will be convenient
(j)
for us to give names to intermediate variables {Zi }(i ∈[n],0≤ j ≤t ) that are computed during the
computation of P n (Z1 , . . . , Zn ). Let Zi(0) = Zi . For 1 ≤ j ≤ t , let
(j) (j) ( j −1) ( j −1) ( j −1) ( j −1) ( j −1)
(Zi , Z ) = P 2 (Zi , Z t − j ) = (Zi + Z t − j , Z t − j ). (12.11)
i +2t − j i +2 i +2 i +2

for every i ∈ [n] such that i and i + 2t − j are in the same “block at the j th” level. i.e., ⌈i /2t − j +1 ⌉ =
⌈(i + 2t − j )/2t − j +1 ⌉. (Alternatively one could say i and i + 2t − j as in the same dyadic interval of
size 2t − j +1 .) Further,

Definition 12.5.1. We will say that a pair (i , i ′ ) are j th-level siblings if they are in the same block
at the j th level and i ′ = i + 2t − j .

Note that if one unravels the recursion in (12.11), then if Zi , Zi ′ are on the LHS, then (i , i ′ )
are siblings at the j th level.
We now claim that (see Exercise 12.12):

P n (Z) = (Z1(t ) , . . . , Zn(t ) ). (12.12)

Figure 12.3 illustrates the block structure of P n and the notion of j th level blocks and siblings at
the j th level.
(j) (j)
In what follows we will pick a random i ∈ [n] and analyze the conditional entropy of Zi |Z<i
as j progresses from 0 to t (we independently pick i for different values of j ). Indeed, let
(j) (j)
X j = H (Zi |Z<i ).

Clearly X 0 = H (p) since Zi(0) = Zi is independent of Z<i and is distributed according to Bern(p).
In what follows we will show that for every constant c if t is a sufficient large then with high

224
 ✞☛…
✁
✂

✂✄
✞☛…

Figure 12.3: Block structure of the Basic Polarizing Transform. Circled are a block at the 2nd
level and two 2nd level siblings.

probability over the choice of i , X t 6∈ (n −c , 1 − n −c ). To track the evolution of X j as j increases,

we will first try to analyze local polarization which will study how X j compares with X j −1 . Def-
inition 12.5.2 below captures the desired effect of a local step, and the following lemma asserts
that the operator P 2 does indeed satisfy the conditions of local polarization.
Definition 12.5.2 (Local Polarization). A sequence of random variables X 0 , . . . , X j , . . . , with X j ∈
[0, 1] is locally polarizing if the following conditions hold:
(1) (Unbiased): For every j , and a ∈ [0, 1] we have E[X j +1 |X j = a] = a.

(2) (Variance in the middle): For every τ > 0, there exists θ = θ(τ) > 0 such that for all j , we
have: If X j ∈ (τ, 1 − τ) then |X j +1 − X j | ≥ θ.

(3) (Suction at the ends): For every c < ∞, there exists τ = τ(c) > 0 such that (i) if X j ≤ τ then
Pr[X j +1 ≤ X j /c] ≥ 1/2; and similarly (ii) if 1 − X j ≤ τ then Pr[(1 − X j +1 ≤ (1 − X j )/c] ≥ 1/2.
We further say a sequence is simple if for every sequence a 0 , . . . , a j , conditioned on X 0 = a 0 , . . . , X j =
a j , there are two values a + and a | such that X j +1 takes value a + with probability 1/2 and a | with
probability 1/2.
(j) (j)
Lemma 12.5.3 (Local Polarization). The sequence X 0 , . . . , X j , . . . , with X j = H (Zi |Z<i ) where i
is drawn uniformly from [n] is a simple and locally polarizing sequence.
We will prove Lemma 12.5.3 in Section 12.5.2 but use it below. But first let us see what it does
and fails to do. While local polarization prevents the conditional entropies from staying static,
it doesn’t assert that eventually all conditional entropies will be close to 0 or close to 1, the kind
of strong polarization that we desire. The following definition captures our desire from a strong
polarizing process, and the lemma afterwards asserts that local polarization does imply strong
polarization.
Definition 12.5.4 ((Polynomially) Strong Polarization). A sequence of random variables X 0 , X 1 , . . . , X t , . . .
with X j ∈ [0, 1] strongly polarizes if for all γ > 0 there exist α < 1 and β < ∞ such that for all t we
have
Pr[X t ∈ (γt , 1 − γt )] ≤ β · αt .

225
Lemma 12.5.5 (Local vs. Global Polarization). If a sequence X 0 , . . . , X t , . . . , with X t ∈ [0, 1] is sim-
ple and locally polarizing, then it is also strongly polarizing.

Armed with Lemmas 12.5.3 and 12.5.5, proving Theorem 12.4.2 is just a matter of setting
parameters.

Proof of Theorem 12.4.2. We assume without loss of generality that c ≥ 1. (Proving the theorem
for larger c implies it also for smaller values of c.) Given p and c ≥ 1, let γ = 2−c . Let β < ∞
and α < 1 be the constants given by the definition of strong polarization (Definition 12.5.4) for
this choice of γ. We prove the theorem nfor n 0 (x) = max{8x, 2(2βx)⌈log(1/α)⌉ }. Note that n 0 is a
¥ ¦ l log(2β/ε) mo
polynomial in x. Given ε > 0, let t = max log(8/ε) , log(1/α) so that
n o
n = 2t ≤ max 8/ε, 2 · (2β/ε)1/ log(1/α) = n 0 (1/ε).

Note that the choice of t gives β · αt ≤ ε/2 and γt = 2−c t = n −c . We also have n ≥ 4/ε and thus
2n −c ≤ 2n −1 ≤ ε/2. We show that for this choice and t and n, the polarizing transform P n has the
desired properties — namely that the set S of variables of noticeably large conditional entropy
is of small size.
We first show that the set of variables with intermediate conditional entropies is small. Let
(j)
us recall some notations from above, specifically (12.11). Let (Zi ) denote the intermediate
(j) (j)
results of the computation W = P n (Z) = (Z1(t ) , . . . , Zn(t ) ), and let X j = H (Zi |Z<i ) for a uniformly
random choice of i ∈ [n]. By Lemmas 12.5.3 and 12.5.5 we have that the sequence X 0 , . . . , X t , . . .
is strongly polarizing. By the definition of strong polarization, we have that
£ ¤ h i
Pr H (Wi |W<i ) ∈ (n −c , 1 − n −c ) = Pr H (Zi(t ) |Z(t <i
)
) ∈ (γ t
, 1 − γ t
)
i ∈[n] i
£ ¤
= Pr X t ∈ (γt , 1 − γt )
≤ βαt
≤ ε/2.

Thus, we have that the set E = {i ∈ [n]|H (Wi |W<i ) ∈ (n −c , 1 − n −c )} satisfies |E | ≤ εn/2.
Finally, we argue the “Further" part. Indeed, we have
X X
nH (p) = H (Wi |W<i ) ≥ H (Wi |W<i ) ≥ (|S| − |E |)(1 − n −c ),
i ∈[n] i ∈S\E

where the first equality follows from the chain rule and the last inequality follows from defini-
tions of S and E . Re-arranging one gets that

nH (p)
|S| ≤ + εn/2 ≤ nH (p)(1 + 2n −c ) + εn/2 ≤ nH (p) + εn.
1 − n −c

It remains to prove Lemmas 12.5.3 and 12.5.5 which we prove in the rest of this chapter.

226
12.5.2 Local Polarization
To understand how X j compares with X j −1 , we start with some basic observations about these
(j) ( j +1)
variables, or more importantly the variables Zi and Zi (recall (12.11)). Let i and i ′ be j th
(j) (j) ( j −1) ( j −1)
level siblings, so that (Zi , Zi ′ ) = P 2 (Zi , Zi ′ ). Our goal is to compare the pairs of con-
(j) (j) (j) (j) ( j −1) ( j −1) ( j −1) ( j −1)
ditional entropies (H (Zi |Z<i ), H (Zi ′ |Z<i ′ ))
with (H (Zi |Z<i ), H (Zi ′ |Z<i ′ )). The col-
lection of variables involved and conditioning seem messy, so let us look at the structure of P n
(j)
more carefully to simplify the above. We do this by noticing the Zi is really independent of
(j) ( j −1)
most Zi ′ (at least for small values of j ) and in particular the set of variables that Zi and
( j −1)
Zi ′ depend on are disjoint. Furthermore these two variables, and the sets of variables that
they depend on are identically distributed. Next, we present the details.
We begin with a useful notation. Given i ∈ [n = 2t ] and 0 ≤ j ≤ t , let
n o
def
S i , j = k ∈ [n]|i ≡ k mod 2t − j .

Note that the ℓ1 , ℓ2 ∈ S i , j need not be siblings at the j th level.

Proposition 12.5.6. For every 1 ≤ j ≤ t and j th level siblings i and i ′ with i < i ′ the following
hold:

(1) S i , j = S i ′ , j = S i , j −1 ∪ S i ′ , j −1 .
n o n o
(j) (j)
(2) Zk |k ∈ S i , j is independent of Zk |k 6∈ S i , j .

(3)
µ ¶
( j −1) ( j −1) ( j −1) ( j −1)
H (Zi |Z<i ) = H Zi |Z© ª
k∈S i , j −1 ,k<i
µ ¶
( j −1) ( j −1)
=H Zi |Z© ª .
k∈S i , j ,k<i

(4)
à !
( j −1) ( j −1) ( j −1) ( j −1)
H (Zi ′ |Z<i ′ ) = H Zi ′ |Zn o
i , j −1 ,k<i
k∈S ′ ′
µ ¶
( j −1) ( j −1)
=H Zi ′ |Z© ª .
k∈S i , j ,k<i

(5)
µ ¶
(j) (j) (j) (j)
H (Zi |Z<i ) = H Zi |Z© ª
k∈S i , j ,k<i
µ ¶
( j ) ( j −1)
=H Zi |Z© ª .
k∈S i , j ,k<i

227
 (6)
µ n o ¶
(j) (j) (j) (j) (j)
H (Zi ′ |Z<i ′ ) = H Zi ′ | Zi ∪ Z© ª
k∈S i , j ,k<i
µ n o ¶
(j) (j) ( j −1)
=H Zi ′ | Zi ∪ Z© ª .
k∈S i , j ,k<i

Proof. Part (1) follows from the definition of S i , j and the definition of siblings. Indeed, since
i ′ = i + 2t − j , we have i ≡ i ′ mod 2t − j , which implies the first equality. The second equality
follows from the observations that k 1 ≡ k 2 mod 2t − j +1 implies k 1 ≡ k 2 mod 2t − j (this in turn
implies S i , j −1 , S i ′ , j −1 ⊆ S i , j ) and that if k ≡ i mod 2t − j +1 then k 6≡ i ′ mod 2t − j and vice versa
(which in turn implies that S i , j −1 and S i ′ , j −1 are disjoint. Part (2) follows from the fact that (see
Exercise 12.13):
n o © ª
(j)
Lemma 12.5.7. For every i , the set Zk |k ∈ S i , j is determined completely by Zk |k ∈ S i , j ,

and the Zk ’s are all independent. The first equality in part (3) follows immediately from part
( j −1) © ª
(2), and the second uses part (1) and the fact that Zi is independent of Zk |k ∈ S i ′ , j −1 , k < i
(the latter claim follows from the fact that S i , j −1 and S i ′ , j −1 as disjoint, as argued in the proof of
part (1) above). The first equality in part (4) is similar, whereas the second uses the additional
′
fact that
à S i , j −1 contains no elements
′
! Ã between i and i .!Indeed, the latter observation implies
( j −1) ( j −1) ( j −1) ( j −1) ( j −1)
that H Zi ′ |Zn o = H Zi ′ |Zn o . But by part (2), Zi ′ is independent
k∈S i ′ , j −1 ,k<i ′ k∈S i ′ , j −1 ,k≤i
à ! à !
( j −1) ( j −1) ( j −1) ( j −1) ( j −1)
of Zi and hence we have H Zi ′ |Zn o = H Zi ′ |Zn o . The second
, j −1 ,k<i k∈S i ′ , j −1 ,k<i
k∈S ′ ′
i
equality in (4) then follows from parts (1) and (2). The first equalities in © parts (5) and ª (6) are
′
©similar to theªfirst equality in part (3) with part (6) using the fact that k ∈ S i , j |k < i = {i } ∪
′

k ∈ S i , j |k < i . The second equality follows from the fact that (see Exercise 12.14):

( j −1) (j)
Lemma 12.5.8. There is a one-to-one map from the variables Z© ª to the variables Z© ª,
k∈S i , j ,k<i k∈S i , j ,k<i

and so conditioning on one set is equivalent to conditioning on the other.

To summarize the effect of Propositionn 12.5.6 above, let us name o the nrandom variables U = o
( j −1) ( j −1) ( j −1) ( j −1)
Zi and V
= Zi ′ and further let A = Zk |k ∈ S i , j −1 , k < i and B = Zk |k ∈ S i ′ , j −1 , k < i ′ .
By the proposition above, the conditional entropies of interest (i.e., those of i and i ′ ) at the
( j − 1)th stage are H (U |A) and H (V |B ). On the other hand the conditional entropies of interest
one stage later (i.e., at the j th stage) are H (U + V |A, B ) and H (V |A, B,U ). (Here we use that fact
that P 2 (U ,V ) = (U + V,V ).) By part (2) of Proposition 12.5.6 we also have that (U , A) and (V, B )
are independent of each other. Finally, by examination we also have that (see Exercise 12.15)

Lemma 12.5.9. (U , A) and (V, B ) are identically distributed.

228
 Thus, our concern turns to understanding the local polarization of two independent and
identically distributed bits. If one could ignore the conditioning then this is just a problem
about two bits (U ,V ) and their polarization when transformed to (U + V,V ).
In the following lemma, we show how in the absence of conditioning these variables show
local polarization effects. (For our application it will be useful for us to allow the variables to
be not identically distributed, though still independent.) Suppose H (U ) = H (p 1 ) and H (V ) =
H (p 2 ), then notice that H (U + V ) = H (p 1 ◦ p 2 ) where
def
p 1 ◦ p 2 = p 1 (1 − p 2 ) + p 2 (1 − p 1 ).

In the following lemma we show how H (p 1 ◦ p 2 ) relates to H (p 1 ) and H (p 2 ).

Lemma 12.5.10. Let p 1 , p 2 ∈ [0, 1/2] with p 1 < p 2 and τ ∈ (0, 1/2). Then we have:

(1) H (p 1 ◦ p 2 ) ≥ H (p 2 ).

(2) There exists θ = θ(τ) > 0 such that if H (p 1 ), H (p 2 ) ∈ (τ, 1 − τ) then

H (p 1 ◦ p 2 ) − H (p 2 ) ≥ θ.

(3) If H (p 1 ), H (p 2 ) ≤ τ then

H (p 1 ◦ p 2 ) ≥ (1 − 9/ log(1/τ))(H (p 1 ) + H (p 2 )).

In particular, for every c < ∞, if τ ≤ 2−9c then

H (p 1 ) + H (p 2 ) − H (p 1 ◦ p 2 ) ≤ (H (p 1 ) + H (p 2 ))/c.

(4) If H (p 1 ), H (p 2 ) ≥ 1 − τ and τ ≤ 1 − H (1/4) then

H (p 1 ◦ p 2 ) ≥ 1 − 20τ(1 − H (p 2 )).

In particular, for every c ′ < ∞, if τ < 1/(20c ′ ) then

1 − H (p 1 ◦ p 2 ) ≤ (1 − H (p 2 ))/c ′ .

We defer the proof of the above lemma to Section 12.6.2.

The lemma above essentially proves that H (U +V ) satisfies the requirements for local polar-
ization relative to H (U ) and H (V ), but we still need to deal with the conditioning with respect
to A and B . We do this below using some careful applications of Markov’s inequality.

Lemma 12.5.11. If (U , A) and (V, B ) are identical and independent random variables with U ,V
being elements of F2 with H (U |A) = H (V |B ) = H (p), then the following hold:

(1) For every τ > 0 there exists θ > 0 such that if H (p) ∈ (τ, 1 − τ) then

H (U + V |A, B ) ≥ H (p) + θ.

229
 (2) For every c < ∞ there exists τ > 0 such that if H (p) ≤ τ then

H (U + V |A, B ) ≥ (2 − 1/c)H (p),

and if H (p) ≥ 1 − τ then

H (U + V |A, B ) ≥ 1 − 1/c(1 − H (p)).

Proof. Let p a = Pr[U = 1|A = a] so that H (p) = H (U |A) = E A [H (p A )]. Similarly let q b = Pr[V =
1|B = b]. In what follows we consider what happens when A and B are chosen at random. If
H (p A ) and H (q B ) are close to their expectations, then the required polarization comes from
Lemma 12.5.10. But if H (p A ) or H (q B ) can deviate significantly from their expectation, then
polarization happens simply due to the fact that one of them is much larger than the other and
H (U + V |A = a, B = b) ≥ max{H (p a ), H (q b )}. The details are worked out below.
We start with part (1). Let θ(·) be the function from part (2) of Lemma 12.5.10 so that if
H (p 1 ), H (p 2 ) ∈ (ρ, 1 −
n ρ) then
o H (p 1 ◦ p 2 ) − H (p 2 ) ≥ θ(ρ). Given τ > 0 let θ1 = θ(τ/2). We prove
θ 1 τ2
this part for θ = min ,
9 36
> 0.
Let
r 1 = Pr[H (p A ) ≤ τ/2],
A
r 2 = Pr[H (p A ) ∈ (τ/2, 1 − τ/2)],
A
and
r 3 = Pr[H (p A ) ≥ 1 − τ/2].
A
(Note that since (U , A) and (V, B ) are identically and independently distributed if one replaces
p A by q B in the above equalities, then the equalities still remain valid. We will be implicitly
using this for the rest of the proof.) Since r 1 + r 2 + r 3 = 1, at least one of them must be greater
than or equal to 1/3. Suppose r 2 ≥ 1/3, then we have with probability at least 1/9, both H (p A ) ∈
(τ/2, 1 − τ/2) and H (q B ) ∈ (τ/2, 1 − τ/2). Let a, b be such that H (p a ), H (q b ) ∈ (τ/2, 1 − τ/2). Then,
since U + V ∼ Bern(p a ◦ p b ), by Lemma 12.5.10 part (2),

H (U + V |A = a, B = b) ≥ H (p a ) + θ1 .

And by Lemma 12.5.10 part (1), we have for all a, b,

H (U + V |A = a, B = b) ≥ H (p a ).

Putting it together, we have

1 θ1
H (U + V |A, B ) ≥ E A [p A ] + · θ1 = H (p) + .
9 9
Next we consider the case where r 3 ≥ 1/3. Now consider the probability that Pr A [H (p A ) ≤
1 − τ]. Notice that

1 − τ ≥ H (p) ≥ (1 − r 3 − Pr[H (p A ) ≤ 1 − τ]) · (1 − τ) + r 3 · (1 − τ/2).

A

230
Rearranging we conclude
r3τ τ
Pr[H (p A ) ≤ (1 − τ)] ≥ ≥ .
A 2(1 − τ) 6
Thus, with probability at least τ/18 we have A such that H (p A ) ≤ (1−τ) and B such that H (q B ) ≥
1 − τ/2. Let a, b be such that H (p a ) ≤ 1 − τ and H (q b ) ≥ 1 − τ/2. We have (from part (1) of
Lemma 12.5.10)
τ
H (U + V |A = a, B = a) ≥ H (q b ) ≥ H (p a ) + .
2
We conclude that in this case

τ2 τ2
H (U + V |A, B ) ≥ E A [H (p A )] + = H (p) + .
36 36

The case r 1 ≥ 1/3 is similar and also yields

H (U + V |A, B ) ≥ H (p) + τ2 /36.

Thus, in all cases we have

H (U + V |A, B ) ≥ H (p) + θ,

which completes the proof of part (1).

We now turn to part (2). We only prove the case where H (p) ≤ τ. The case where H (p) ≥ 1−τ
is similar and we omit that part (see Exercise 12.16). Given c < ∞, let τ′ = τ(4c) be the constant
from part (3) of Lemma 12.5.10 for constant 4c, so that if H (p 1 ), H (p 2 ) ≤ τ′ then
µ ¶
1 ¡ ¢
H (p 1 ◦ p 2 ) ≥ 1 − · H (p 1 ) + H (p 2 ) .
4c
′
τ
Now let τ = 2c and H (p) ≤ τ. Define
£ ¤
α = Pr H (p A ) ≥ τ′ .
A

By Markov’s inequality (Lemma 3.1.6) we have α ≤ 1/(2c). Let

£ ¤
γ = E A H (p A )|H (p A ) ≥ τ′ .

and
£ ¤
δ = E A H (p A )|H (p A ) < τ′ .

We have
H (p) = γα + δ(1 − α). (12.13)

We divide our analysis into four cases depending on whether H (p A ) ≥ τ′ or not, and whether
H (q B ) ≥ τ′ or not. Let S 11 denote the event that H (p A ) ≥ τ′ and H (q B ) ≥ τ′ and S 00 denotes the
event that H (p A ) < τ′ and H (q B ) < τ′ . Define S 10 and S 01 similarly.

231
 We start with the case of S 10 . Let a, b be such that H (p a ) ≥ τ′ and H (q b ) < τ′ . We have by part
(1) of Lemma 12.5.10, H (U + V |A = a, B = b) ≥ H (U |A = a) = H (p a ) (and similarly H (U + V |A =
a, B = b) ≥ H (q b ). Thus, taking expectation after conditioning on (A, B ) ∈ S 10 we have
£ ¤
E(A,B )|(A,B )∈S 10 [H (U + V |A, B )] ≥ E H (p A )|H (p A ) ≥ τ′ = γ.

Similarly we have
E(A,B )|(A,B )∈S 01 [H (U + V |A, B )] ≥ γ
as well as
E(A,B )|(A,B )∈S 11 [H (U + V |A, B )] ≥ γ.
Note that S 11 ∪ S 10 ∪ S 01 happen with probability 2α − α2 . Now we turn to S 00 . Let a, b be
such that H¡ (p a ), H (q b ) < ¢τ′ . By Lemma 12.5.10 part (3) we have H (U + V |A = a, B = b) ≥
(1 − 1/(4c)) H (p a ) + H (q b ) . Taking expectations conditioned on (A, B ) ∈ S 00 we get
µ ¶
1 ¡ £ ¤ £ ¤¢
E(A,B )|(A,B )∈S 00 [H (U + V |A, B )] ≥ 1 − · E A H (p A )|H (p A ) < τ′ + EB H (q B )|H (q B ) < τ′
4c
µ ¶
1
= 1− · 2δ.
4c

Note finally that S 00 happens with probability (1 − α)2 . Combining the four cases we have
µ ¶
2 1 2
H (U + A|A, B ) ≥ (2α − α )γ + (1 − α) 1 − (2δ)
4c
1
= 2αγ + (1 − α)2δ − α2 γ − (α)(1 − α)δ − · (1 − α)2 2δ
4c
1
= 2H (p) − α · H (p) − · (1 − α)((1 − α)δ).
2c
In the above, the last equality follows from (12.13). Part (2) now follows by using (1−α)δ ≤ H (p)
(which in turn follows from (12.13)) and α ≤ 1/(2c).

We are now ready to prove the local polarization lemma.

(j)
Proof of Lemma 12.5.3. Recall that X j = EI ∼[n] [Z I ]. Let X j = H (p). Note that conditioned on
the value of X j , for any ( j +1)-level siblings i < i ′ , I is equally likely to equal i or i ′ . Conditioning
(j) (j)
on I ∈ {i , i ′ }, with probability 1/2, I = i and with probability 1/2 I = i ′ . Let U = Zi , V = Zi ′ ,
n o n o
(j) (j)
A = Zk |k < i , k ∈ S i , j and B = Zk |k < i ′ , k ∈ S i ′ , j then if I = i , X j = H (U |A) (this follows
from Lemma 12.5.6 part (3)) and if I = i ′ then X j = H (V |B ) (this follows from Lemma 12.5.6 part
(4)). Furthermore if I = i then X j +1 = H (U + V |A, B ) (this follows from (12.11) and parts (1) and
(5) from Lemma 12.5.6) and if I = i ′ then X j +1 = H (V |A, B,U ) (this follows from (12.11), parts
(1) and (6) from Lemma 12.5.6 and the fact that V |U and V |U + V have the same distribution).
With this setup, we are now ready to prove that the sequence X 0 , X 1 , . . . , satisfy the conditions
of local polarization, and furthermore are simple.

232
 We argue the conditions hold for each conditioning I ∈ {i , i ′ } and so hold without the con-
ditioning (the latter holds because the pairs {i , i ′ } make a disjoint cover of [n] and hence for a
random I ∼ [n] is equally likely to fall in one of these pairs). The condition E[X j +1 |X j = a] = a
follows from the fact that there is a bijection from (U ,V ) to (U + V,V ), and so

H (U + V |A, B ) + H (V |A, B,U ) = H (U |A) + H (V |B ).

Indeed, note that 2a is the RHS and 2X j +1 is the LHS of the above equality.
Now note that (see Exercise 12.17):

Lemma 12.5.12. (U , A) and (V, B ) are independently and identically distributed.

The variance in the middle condition follows from Lemma 12.5.11 part (1) and the suction at
the ends condition follows from Lemma 12.5.11 part (2). Finally simplicity follows from the fact
that with probability 1/2, X j = H (U + V |A, B ) and with probability 1/2, X j = H (V |A, B,U ).

12.5.3 Local vs. Global Polarization

Finally we prove Lemma 12.5.5 which shows that simple local polarization implies strong polar-
ization. We prove this part in two phases. First, we show that in the first t /2 steps, the sequence
shows moderate polarization — namely, with all but exponentially ¡ t smallt probability
¢ X t /2 is an
inverse exponential in t , but with a small constant base (so X t 6∈ α1 , 1 − α1 for some α1 < 1, but
α1 is close to 1). Next we show ¡ that conditioned
¢ on this moderate polarization, the sequence
gets highly polarized (so X t 6∈ γt , 1 − γt for any γ > 0 of our choice), again with an exponentially
small failure probability. We start with part (1).
In what follows, let γ > 0 be given and let
½ ¾
γ8
c = max 4, .
16

Let τ = τ(c) be given by condition (3) of the definition of Local Polarization (Definition 12.5.2)
and ½ ¾
1
θ = min 1 − , θ(τ)
c
where θ(τ) is the constant given by condition (2) of the same definition.
We start with the first phase. We consider a potential function
nq q o
def
φ j = min Xj, 1− Xj .

We first notice that φ j is expected to drop by a constant factor in each step of polarization.

Lemma 12.5.13. µ ¶
£ ¤ θ2
E φ j +1 |φ j = a ≤ 1 − · a.
16

233
 p
Proof. Without loss of generality assume X j ≤ 1/2 (see Exercise 12.18) and so a = £ φ j = X j and
¤
2
so X j = a . Using the simplicity of the sequence X 0 , . . . as well as the fact that E X j +1 |X j = a =
a, we have that there exists δ such that X j +1 = a 2 + δ with probability 1/2 and a 2 − δ with
probability 1/2. Furthermore, if X j ≤ τ, by the unbiasedness and suctions at the ends condi-
tions, we have δ ≥ (1 − 1/c)a 2 and if X j > τ by the variance in the middle condition, we have
δ ≥ θ(τ) ≥ θ(τ)a 2 . Thus, in either case we have

δ ≥ θa 2 . (12.14)
£ ¤
We now bound E φ j +1 as follows:
£ ¤ hq i
E φ j +1 ≤ E X j +1
1p 2 p
= a + δ + 1/2 a 2 − δ
2 
s s
a δ δ
=  1+ 2 + 1− 2
2 a a
µ ¶
a δ δ2 δ δ2
≤ 1+ 2 − +1− 2 −
2 2a 16a 4 2a 16a 4
µ 2 ¶
δ
= a 1−
16a 4
µ ¶
θ2
≤ a 1− .
16

In the above, the first inequality follows from Lemma B.1.5 while the second inequality follows
from (12.14).

Lemma 12.5.14 (Weakly Polynomial Polarization). There exists α1 < 1 such that for all even t ,
we have £ ¤
Pr X t /2 ∈ (α1t , 1 − α1t ) ≤ α1t .

Proof. We first prove by induction on j that

µ ¶j
£ ¤ θ2
E φj ≤ 1 − .
16

This is certainly true for j = 0 since φ0 ≤ 1. For higher j , by Lemma 12.5.13 we have
µ ¶ µ ¶j
£ ¤ θ2 £ ¤ θ2
E φj ≤ 1 − E φ j −1 ≤ 1 −
16 16

as claimed. Let s
θ2
β= 1−
16

234
 p £ ¤
and α1 = β (note that α1 < 1). By our claim, we have E φt /2 ≤ βt . By Markov’s inequality
(Lemma 3.1.6), we now get that

£ ¤ βt
Pr φt /2 ≥ α1t ≤ t = α1t .
α1

Finally we note that if φt /2 ≤ α1t then X t /2 6∈ (α2t 2t t t

1 , 1 − α1 ) and so in particular X t /2 6∈ (α1 , 1 − α1 ).
We conclude that the probability that X t /2 ∈ (α1t , 1 − α1t ) is at most α1t , yielding the lemma.

We now turn to phase two of the polarization. Here we use the fact that if X t /2 is much
smaller than τ, then X j is very unlikely to become larger than τ for any t /2 ≤ j ≤ t . Furthermore
if it does not ever become larger than τ then X t is very likely to be close to its expected value
(which grows like γt ). The following lemmas provide the details. In the following recall that
τ = τ(c) where c ≥ 4.

Lemma 12.5.15. For all λ > 0, if X 0 ≤ λ, then the probability there exists j > 0 such that X j ≥ τ is
at most λ/τ. Similarly if X 0 ≥ 1 − λ, then the probability there exists j > 0 such that X j ≤ 1 − τ is
at most λ/τ.

The lemma above is a special case of Doob’s inequality for martingales. We give the (simple)
proof below.

Proof. We give the proof for the case X 0 ≤ λ. The case X 0 ≥ 1 − λ is symmetrical (see Exer-
cise 12.19). Notice that we wish to show that for every integer T > 0
· ¸
Pr max {X t } ≥ τ ≤ λ/τ.
0≤t ≤T

Let us create a related sequence of variables Yi as follows. Let Y0 = X 0 and for i ≥ 1, if Yi −1 < τ
then Yi = X i , else Yi = Yi −1 . Note that for every i and a, by the simplicity of X i ’s, we have
E [Yi |Yi −1 = a] = a. Note further that max0≤t ≤T {X t } ≥ τ if and only if YT ≥ τ. Thus,
· ¸
E [YT ]
Pr max {X t } ≥ τ = Pr [YT ≥ τ] ≤ ,
0≤t ≤T τ
where the final inequality is Markov’s inequality (Lemma 3.1.6). But

E [YT ] = E [YT −1 ] = · · · = E [Y0 ] = E [X 0 ] ≤ λ

and this yields the lemma.

Lemma 12.5.16 (Weak to Strong Polarization). There exists α2 < 1 such that for every λ > 0 if
X 0 6∈ (λ, 1 − λ), then the probability that X t /2 ∈ (γt , 1 − γt ) is at most λ/τ + α2t .

Proof. Again we consider the case X 0 ≤ λ with the other case being symmetrical (see Exer-
cise 12.20).
Let Zi = 1 if X i < X i −1 and 0 otherwise. For simple sequences, notice that Zi ’s are indepen-
P /2
dent and 1 with probability 1/2. Let Z = it =1 Zi . We consider two possible “error” events. E 1 is

235
the event that there exists 1 ≤ j ≤ t /2 such that X j ≥ τ, and E 2 is the event that Z ≤ t /8. Note
that by Lemma 12.5.15, E 1 happens with probability at most λ/τ and (by the Chernoff bounds–
Theorem 3.1.10) E 2 happens with probability at most α2t for some α2 < 1. Now, if event E 1 does
not occur, then
X t /2 ≤ 2t /2 · c −Z X 0 ≤ 2t /2 c −Z .
The first inequality follows from the subsequent argument. Using simplicity, we have with prob-
ability 1/2, X 1 ≤ (1/c)X 0 ≤ X 0 /4 (because of the suction at the ends condition) and with proba-
bility 1/2 X 1 ≤ 2X 0 (this follows the bound in the other case and the unbiasedness of the X i s).
Further if E 2 also does not occur we have

X t /2 ≤ 2t /2 · c −t /8 ≤ γt

by the choice of c = 1/(2/γ2 )4 .

Proof of Lemma 12.5.5. Recall that we wish to show, given γ > 0, that there exists α < 1 and
β < ∞ such that for all t we have
£ ¡ ¢¤
Pr X t ∈ γt , 1 − γt ≤ β · αt .

Let α1 < 1 be the constant from Lemma 12.5.14. Let α2 < 1 be the constant from Lemma 12.5.16.
We prove this for α = max{α1 , α2 } < 1 and β = 2 + 1/τ < ∞.
Let E be the event that X t /2 ∈ (α1t , 1 − α1t ). By Lemma 12.5.14 we have that
£ Pr [E ] ≤ α1t . Now
¤
conditioned of E not occurring, using Lemma 12.5.16 with λ = α1t , we have Pr X t ∈ (γt , 1 − γt ) ≤
α1t /τ + α2t . Thus, putting the two together we get

£ ¤ αt αt
Pr X t ∈ (γt , 1 − γt ) ≤ α1t + 1 + α2t ≤ αt + + αt = β · αt ,
τ τ
as desired.

12.6 Entropic Calculations

In this section, we present the omitted proofs on various properties of entropy and probability
that mostly need some calculations.

12.6.1 Proof of Proposition 12.3.1

We begin with the first part, which is a straightforward calculation expanding the definition.
For any i in the support of X , let p i denote Pr X [X = i ] and let x = argmaxi {p i } be the value
maximizing this probability. Let p x = 1 − γ. We wish to show that γ ≤ α. We now perform some
crude calculations that lead us to this bound.
If γ ≤ 1/2 we have

α ≥ H (X )

236
 X 1
= p i log
i pi
X 1
≥ p i log (12.15)
i 6=x pi
X 1
≥ p i log P (12.16)
i 6=x j 6=x pj
à ! à !
X 1
= p i · log P
i 6=x j 6=x pj
= γ · log 1/γ
≥ γ, (12.17)
as desired. In the above, (12.15) follows since all summands are non-negative, (12.16) follows
P
since for every i 6= x, p i ≤ j 6=x p j and (12.17) follows since γ ≤ 1/2 and so log 1/γ ≥ 1.
Now if γ > 1/2 we have a much simpler case since now we have
α ≥ H (X )
X 1
= p i log
i pi
X 1
≥ p i log (12.18)
i px
1
= log (12.19)
px
1
= log
1−γ
≥ 1. (12.20)
P
(In the above, (12.18) follows since p i ≤ p x , (12.19) follows since i p i = 1 and (12.20) follows
from the assumption that γ ≥ 1/2.) But γ is always at most 1 so in this case also we have α ≥ 1 ≥ γ
as desired.
We now consider the second part, which follows from the previous part via a simple averag-
ing argument. Given y and i , let p i ,y = Pr X [X = i |Y = y] and let x y = argmaxi {p i ,y } be the value
maximizing this probability. Let γ y = 1 − p x y ,y and note that γ = EY [γY ]. Let α y = H (X |Y = y)
and note again we have α = EY [αY ]. By the first part, we have for every y, γ y ≤ α y and so it
follows that
γ = EY [γY ] ≤ EY [αY ] = α.

12.6.2 Proof of Lemma 12.5.10

The lemma follows in a relatively straightforward manner with parts (3) and (4) using Lemma B.2.3.
Part (1) is immediate from the monotonicity of the entropy function in the interval [0, 1/2]
(see Exercise 12.7). For 0 ≤ p 1 , p 2 ≤ 1/2 we have p 2 ≤ p 1 ◦ p 2 ≤ 1/2 and so (see Exercise 12.21)
H (p 1 ◦ p 2 ) ≥ H (p 2 ). (12.21)

237
 Next we turn to part (2). Let H −1 (x) = p such that 0 ≤ p ≤ 1/2 such that H (p) = x. Note H −1
is well defined and satisfies H −1 (x) > 0 if x > 0 and H −1 (x) < 1/2 if x < 1. Let

α = α(τ) = H −1 (τ)(1 − 2H −1 (1 − τ))

and
β = β(τ) = 2H −1 (1 − τ)(1 − H −1 (1 − τ))
and
γ = γ(τ) = log((1 − β)/β).
Note that α > 0 and β < 1/2 and so γ > 0. We prove that H (p 1 ◦ p 2 ) − H (p 2 ) ≥ α · γ, and this will
yield part (2) for θ = θ(τ) = α · γ > 0.
First note that since H (p 1 ), H (p 2 ) ∈ (τ, 1 − τ), we have p 1 , p 2 ∈ (H −1 (τ), H −1 (1 − τ)). Thus,

p 1 ◦ p 2 − p 2 = p 2 (1 − 2p 1 ) + p 1 − p 2 = p 1 (1 − 2p 2 ) ≥ H −1 (τ)(1 − 2H −1 (1 − τ)) = α.

Next we consider minp 2 ≤q≤p 1 ◦p 2 {H ′ (q)}. Note that by Exercise 12.22 H ′ (q) = log((1 − q)/q) and
this is minimized when q is maximum. The maximum value of q = p 1 ◦ p 2 is in turn maximized
by using the maximum values of p 1 , p 2 = H −1 (1−τ). Thus, we have that minp 2 ≤q≤p 1 ◦p 2 {H ′ (q)} ≥
H ′ (β) = γ. By elementary calculus we now conclude that

H (p 1 ◦ p 2 ) − h(p 2 ) ≥ (p 1 ◦ p 2 − p 2 ) · min {H ′ (q)} ≥ α · γ = θ.

p 2 ≤q≤p 1 ◦p 2

This concludes the proof of part (2).

Next we move to part (3). For this we first describe some useful bounds on H (p). On the one
hand we have H (p) ≥ p log 1/p. For p ≤ 1/2 we also have −(1 − p) log(1 − p) ≤ (1/ ln 2)(1 − p)(p +
p 2 ) ≤ (1/ ln 2)p ≤ 2p. And so we have H (p) ≤ p(2 + log 1/p).
Summarizing, we have for p ≤ 1/2,

p log(1/p) ≤ H (p) ≤ p log(1/p) + 2p. (12.22)

We now consider H (p 1 ) + H (p 2 ) − H (p 1 ◦ p 2 ). We have

H (p 1 ) + H (p 2 ) − H (p 1 ◦ p 2 )
≤ p 1 (log(1/p 1 ) + 2) + p 2 (log(1/p 2 ) + 2) − (p 1 ◦ p 2 ) log(1/(p 1 ◦ p 2 )) (12.23)
≤ p 1 (log(1/p 1 ) + 2) + p 2 (log(1/p 2 ) + 2) − (p 1 + p 2 − 2p 1 p 2 ) log(1/(2p 2 )) (12.24)
= p 1 log(2p 2 /p 1 ) + p 2 log(2p 2 /p 2 ) + 2p 1 p 2 log(1/(2p 2 )) + 2(p 1 + p 2 )
≤ p 1 log(p 2 /p 1 ) + 2p 1 p 2 log(1/(p 2 )) + 6p 2 (12.25)
≤ 2p 1 H (p 2 ) + 7p 2 (12.26)
≤ 2p 1 H (p 2 ) + 7H (p 2 )/ log(1/p 2 ) (12.27)
≤ 9H (p 2 )/ log(1/τ). (12.28)

In the above, (12.23) follows from (12.22), (12.24) follows from the fact that p 1 ◦ p 2 ≤ p 1 + p 2 ≤
2p 2 , (12.25) follows from the fact that 3(p 1 +p 2 ) ≤ 6p 2 , (12.26) follows from the fact that p 1 log(p 2 /p 1 ) ≤

238
p 2 , (12.27) follows from (12.22) and (12.28) follows from the subsequent argument. Indeed, by
definition of τ and (12.22) we have p 2 log(1/p 2 ) ≤ τ. Using the fact that p 2 ≤ 1/2, this implies
that p 2 ≤ τ, which in turn implies log(1/p 2 ) ≥ log(1/τ). Similarly, we have p 1 log(1/p 1 ) ≤ τ,
which again with p 1 ≤ 1/2, we have p 1 ≤ τ ≤ 1/ log(1/τ) (where the second equality uses the fact
that τ < 1/2). This concludes the proof of part (3).
Finally we turn to part (4). Here we let H (p i ) = 1 − y i and p i = 1/2 − x i for i ∈ {1, 2}. Since
τ ≤ 1 − H (1/4) and H (p i ) ≥ 1 − τ, we have x i ≤ 1/4. By Lemma B.2.4, we have 1 − 5x 2 ≤ H (1/2 −
x) ≤ 1 − x 2 for x ≤ 1/4. Returning to our setup if 1 − τ ≥ H (1/4) and 1 − y i = H (p i ) ≥ 1 − τ, and
p i = 1/2 − x i , then 1 − x i2 ≥ 1 − y i , so
p
xi ≤ y i . (12.29)

Furthermore, p 1 ◦ p 2 = 1/2 − 2x 1 x 2 and

H (p 1 ◦ p 2 ) = H (1/2 − 2x 1 x 2 )
≥ 1 − 20(x 1 x 2 )2
≥ 1 − 20y 1 y 2
= 1 − 20(1 − H (p 1 ))(1 − H (p 2 ))
≥ 1 − 20τ(1 − H (p 2 )),

where the second inequality follows from (12.29). This yields part (4).

12.7 Summary and additional information

In this chapter we showed how a very simple phenomenon leads to a very effective coding
and decoding mechanism. Even the idea of reducing error-correction to compression is novel,
though perhaps here the novelty is in the realization that this can idea can be put to good use.
The idea of using polarization to create a compression scheme, as well as the exact procedure
to create polarization are both radically novel, and remarkably effective.
Our description of this compression mechanism is nearly complete. The one omission is
that we do not show which columns of the matrix Pn should be used to produce the compressed
output — we only showed that a small subset exists. The reader should know that this aspect
can also be achieved effectively, and this was first shown by Tal and Vardy [126], and adapted
to the case of strong polarization by Guruswami and Xia. Specifically there is a polynomial time
algorithm that given p, ε and c outputs n ≤ poly(1/ε), P n ∈ F2n×n and a set S ⊆ [n] such that
P n is (ε, n −c )-polarizing for Bern(p)n with unpredictable columns S, and |S| ≤ (H (p) + ε)n. The
details are not very hard given the work so far, but still out of scope of this chapter.
Our analysis of local polarization differs from the literature in the absence of the use of “Mrs.
Gerber’s Lemma” due to Wyner and Ziv, which is a convexity claim that provides a convenient
way to deal with conditional entropies (essentially implying that the conditioning can be ig-
nored). In particular, it yields the following statement whose proof can be found as Lemma 2.2
in [29].

239
Lemma 12.7.1. If (U , A) and (V, B ) are independent and U ,V are binary valued random vari-
ables with H (U |A) = H (p) and H (V |B ) = H (q), then H (U + V |A, B ) ≥ H (p(1 − q) + q(1 − p)).

The proof of the lemma uses the convexity of the function H (a ◦ H −1 (x)) which turns out to
have a short, but delicate and technical proof which led us to omit it here. This lemma would
be a much cleaner bridge between the unconditioned polarization statement (Lemma 12.5.10)
and its conditional variant (Lemma 12.5.11). Unfortunately Lemma 12.7.1 is known to be true
only in the binary case whereas our proof method is applicable to larger alphabets (as shown
by Guruswami and Velingker [67]).

12.8 Exercises
Exercise 12.1. Prove Theorem 12.1.2 (assuming Theorem 12.1.1).

Exercise 12.2. Argue that the matrices G and G∗ in Proposition 12.2.1 exist.
¡ ¢
Exercise 12.3. Show that for the compressor defined in Algorithm 9, we have G = P −1 S̄ and
G∗ = PS̄ .

Exercise 12.4. Show that there exists a non-linear comrepssion scheme for Bern(p)n of rate at
most H (p) + ε.

Exercise 12.5. Prove (12.5).

Exercise 12.6. Prove (12.9).

Exercise 12.7. Show that H (p) is monotonically increasing for 0 ≤ p ≤ 12 .

Exercise 12.8. Give an explicit description of the polarizing matrix Pn such that P n (Z) = Z · Pn .
Further, prove that Pn is its own inverse.

Exercise 12.9. Show that

b + (p 1 , p 2 ) = p 1 (1 − p 2 ) + (1 − p 1 )p 2 .

Exercise 12.10. Show that

b | (p 1 , p 2 , 0) = p 1 p 2 /(p 1 p 2 + (1 − p 1 )(1 − p 2 ))

and
b | (p 1 , p 2 , 1) = (1 − p 1 )p 2 /((1 − p 1 )p 2 + p 1 (1 − p 2 )).

Exercise 12.11. Prove Corollary 12.4.7.

Exercise 12.12. Prove (12.12).

Exercise 12.13. Prove Lemma 12.5.7.

Exercise 12.14. Prove Lemma 12.5.8.

240
Exercise 12.15. Prove Lemma 12.5.9.

Exercise 12.16. Prove part (2) of Lemma 12.5.11 for the case H (p) ≥ 1 − τ.

Exercise 12.17. Prove Lemma 12.5.12.

Exercise 12.18. Prove Lemma 12.5.13 for the case X j > 1/2.

Exercise 12.19. Prove Lemma 12.5.15 when X 0 ≥ 1 − λ.

Exercise 12.20. Prove Lemma 12.5.16 when X 0 > λ.

Exercise 12.21. Prove (12.21).

Exercise 12.22.
H ′ (q) = log((1 − q)/q).

12.9 Bibliographic Notes

Polar codes were invented in the remarkable paper by Arıkan [4] where he showed that they
achieve capacity in the limit of large block lengths n → ∞ with O(n log n) encoding time and
O(n log n) decoding complexity via the successive cancellation decoder. In particular, Arıkan
proved that the transform P 2⊗t is polarizing in the limit of t → ∞, in the sense that for any fixed
γ > 0, the fraction of indices for which H (Wi | W<i ) ∈ (γ, 1 − γ), where W = P 2⊗t Z, is vanishing for
large t . In fact, Arıkan showed that one could take γ = γ(t ) = 2−5t /4 , which led to an upper bound
of n · γ = O(1/n 1/4 ) (block) decoding error probability for the successive cancellation decoder.
βt
Soon afterwards, Arıkan and Teletar proved that one can take γ < 2−Ω(2 ) for any β < 1/2, which
−β
led to improved decoding error probability of 2−n as a function of the block length n = 2t . The
fall-off of the parameter γ in n was referred to as the “rate” of (limiting) polarization.
These works considered the basic 2 × 2 transform P 2 and binary codes. More general trans-
forms, and non-binary codes, were considered later in [114, 83, 95]. These results showed that
limiting polarization is universal, as long as some minimal conditions are met by the basic ma-
trix being tensored.
The 2012 survey by Şaşoğlu is an excellent and highly recommended resource for some of
the early works on polarization and polar codes [29]. Polar codes were widely described as the
first constructive capacity achieving codes. Further, polarization was also found to be a versatile
technique to asymptotically resolve several other fundamental problems in information theory
such as lossless and lossy source coding problem, coding for broadcast, multiple access, and
wiretap channels, etc.
However, none of these works yield effective finite length bounds on the block length n
needed to achieve rates within ε of capacity, i.e., a rate at least 1 − h(p) − ε for the binary sym-
metric channel with crossover probability p. Without this it was not clear in what theoretical
sense polar codes are better than say Forney’s construction, which can also get within any de-
sired ε > 0 of capacity, but have complexity growing exponentially in 1/ε2 due to the need for
inner codes of length 1/ε2 that are decoded by brute-force.

241
 A finite length analysis of polar codes, and strong polarization where the probability of not
polarizing falls off exponentially in t , and thus is polynomially small in the block length n =
2t , was established in independent works by Guruswami and Xia [68] and Hassani, Alishahi,
and Urbanke [72]. The latter tracked channel “Bhattacharyya parameters” whereas the former
tracked conditional entropies (as in the present chapter) which are a bit cleaner to deal with as
they form a martingale. This form of fast polarization made polar codes the first, and so far only
known, family with block length and complexity scaling polynomially in 1/ε where ε is the gap
to capacity,
This analyis of strong polarization in the above works applied only to the 2 × 2 transofrm
and binary case. The strong polarization of the basic 2 × 2 transform was also established for
all prime alphabets in [67], leading to the first construction of codes achieving the symmetric
capacity of all discrete memoryless channels (for prime alphabets) with polynomial complexity
in the gap to capacity. However, these analyses relied on rather specific inequalities (which were
in particular somewhat painful to establish for the non-binary case) and it was not clear what
exactly made them tick.
The recent work of the authors and Błasiok and Nakkiran [7] gave a modular and concep-
tually clear analysis of strong polarization by abstracting the properties needed from each local
step to conclude fast global polarization. This made the demands on the local evolution of the
conditional entropies rather minimal and qualitative, and enabled showing strong polarization
and polynomially fast convergence to capacity for the entire class of polar codes, not just the
binary 2 × 2 case. We followed this approach in this chapter, and in particular borrowed the
concepts of variance in the middle and suction at the ends for local polarization from this work.
However, we restrict attention to the basic 2 × 2 transform, and the binary symmetric channel,
and gave elementary self-contained proofs of the necessary entropic inequalities needed to es-
tablish the properties required of the local polarization step.
Another difference in our presentation is that we described the successive cancellation de-
coder for the polarizing transform P 2⊗t , which leads to clean recursive description based on a
more general primitive of decoding copies of independent but not necessary identical random
variables. In contrast, in many works, including Arıkan’s original paper [4], the decoding is de-
scribed for the transform followed by the bit reversal permutation. The polarization property
of the bit reversed transform is, however, notationally simpler to establish. Nevertheless, the
transform P 2⊗t commutes with the bit reversal permutation, so both the transforms, with or
without bit reversal, end up having identical polarization properties.

242
 Part IV

The Algorithms

243
Chapter 13

Decoding Concatenated Codes

In this chapter, we study Question 10.3.1. Recall that the concatenated code C out ◦C in consists of
an outer [N , K , D]Q=q k code C out and an inner [n, k, d ]q code C in , where Q = O(N ). (Figure 13.1
illustrates the encoding function.) Then C out ◦ C in has design distance Dd and Question 10.3.1
asks if we can decode concatenated codes up to half the design distance (say for concatenated
codes that we saw in Section 10.2 that lie on the Zyablov bound). In this chapter, we begin
with a very natural unique decoding algorithm that can correct up to Dd /4 errors. Then we
will consider a more sophisticated algorithm that will allow us to answer Question 10.3.1 in the
affirmative.

13.1 A Natural Decoding Algorithm

We begin with a natural decoding algorithm for concatenated codes that “reverses" the encod-
ing process (as illustrated in Figure 13.1). In particular, the algorithm first decodes the inner
code and then decodes the outer code.

For the time being, let us assume that we have a polynomial time unique decoding algo-
£ ¤N £ ¤K
rithm D C out : q k → q k for the outer code that can correct up to D/2 errors.
This leaves us with the task of coming up with a polynomial time decoding algorithm for the
inner code. Our task of coming up with such a decoder is made easier by the fact that the
running time needs to be polynomial in the final block length. This in turn implies that we
would be fine if we pick a decoding algorithm that runs in singly exponential time in the inner
block length as long as the inner block length is logarithmic in the outer code block length.
(Recall that we put this fact to good use in Section 10.2 when we constructed explicit codes on
the Zyablov bound.) Note that the latter is what we have assumed so far and thus, we can use
the Maximum Likelihood Decoder (or MLD) (recall Algorithm 2, which we will refer to as D C in ).
Algorithm 13 formalizes this algorithm.
It is easy to check that each step of Algorithm 13 can be implemented in polynomial time.
In particular,

245
 m1 m2 mK

C out

C out (m)1 C out (m)2 C out (m)N

C in C in C in

C in (C out (m)1 ) C in (C out (m)2 ) C in (C out (m)N )

Encoding of C out ◦ C in

m1 m2 mK

D C out

y′ y 1′ y 2′ ′
yN

D C in D C in D C in

y y1 y2 yN

Decoding of C out ◦ C in

Figure 13.1: Encoding and Decoding of the concatenated code C out ◦ C in . D C out is a unique
decoding algorithm for C out and D C in is a unique decoding algorithm for the inner code (e.g.
MLD).

Algorithm 13 Natural Decoder for C out ◦C in

¡ ¢ £ ¤N
I NPUT: Received word y = y 1 , · · · , y N ∈ q n
£ ¤K
O UTPUT: Message m′ ∈ q k
¡ ¢ £ ¤N
1: y′ ← y 1′ , · · · , y N
′
∈ qk where
¡ ¢ ¡ ¢
C in y i′ = D C in y i 1 ≤ i ≤ N .
¡ ¢
2: m′ ← D C out y′
3: RETURN m′

246
 1. The time complexity of Step 1 is O(nq k ), which for our choice of k = O(log N ) (and con-
stant rate) for the inner code, is (nN )O(1) time.

2. Step 2 needs polynomial time by our assumption that the unique decoding algorithm
D C out takes N O(1) time.

Next, we analyze the error-correction capabilities of Algorithm 13:

Proposition 13.1.1. Algorithm 13 can correct < Dd

4 many errors.
¡ ¢
Proof. Let m be the (unique) message such that ∆ C out ◦C in (m) , y < Dd 4 .
We begin the proof by defining a bad event as follows. We say a bad event has occurred (at
position 1 ≤ i ≤ N ) if y i 6= C in (C out (m)i ). More precisely, define the set of all bad events to be
© ª
B = i |y i 6= C in (C out (m)i ) .

Note that if |B| < D2 , then the decoder in Step 2 will output the message m. Thus, to com-
plete the proof, we only need to show that |B| < D/2. To do this, we will define a superset
B ′ ⊇ B and then ¡argue that |B ′ | < D/2,¢ d which would complete the proof.
Note that if ∆ y i ,C in (C out (m)i ) < 2 then i 6∈ B (by the proof of Proposition 1.4.2)– though
the other direction does not hold. We define B ′ to be the set of indices where i ∈ B ′ if and only
if
¡ ¢ d
∆ y i ,C in (C out (m)i ) ≥ .
2
′
Note that B ⊆ B .
Now by definition, note that the total number of errors is at least |B ′ | · d2 . Thus, if |B ′ | ≥ D2 ,
then the total number of errors is at least D2 · d2 = Dd ′ D
4 , which is a contradiction. Thus, |B | < 2 ,
which completes the proof.

Note that Algorithm 13 (as well the proof of Proposition 13.1.1) can be easily adapted to work
for the case where the inner codes are different, e.g. Justesen codes (Section 10.3).
Thus, Proposition 13.1.1 and Theorem 13.3.3 imply that

Theorem 13.1.2. There exists an explicit linear code on the Zyablov bound that can be decoded
up to a fourth of the Zyablov bound in polynomial time.

This of course is predicated on the fact that we need a polynomial time unique decoder for
the outer code. Note that Theorem 13.1.2 implies the existence of an explicit asymptotically
good code that can be decoded from a constant fraction of errors.
We now state an obvious open question and an observation. The first is to get rid of the
assumption on the existence of D C out :

Question 13.1.1. Does there exist a polynomial time unique decoding algorithm for outer
codes, e.g. for Reed-Solomon codes?

247
 Next, note that Proposition 13.1.1 does not quite answer Question 10.3.1. We move to an-
swering this latter question next.

13.2 Decoding From Errors and Erasures

Now we digress a bit from answering Question 10.3.1 and talk about decoding Reed-Solomon
codes. For the rest of the chapter, we will assume the following result.

Theorem 13.2.1. An [N , K ]q Reed-Solomon code can be corrected from e errors (or s erasures) as
long as e < N −K
2
+1
(or s < N − K + 1) in O(N 3 ) time.

We defer the proof of the result on decoding from errors to Chapter 17 and leave the proof
of the erasure decoder as an exercise. Next, we show that we can get the best of both worlds by
correcting errors and erasures simultaneously:

Theorem 13.2.2. An [N , K ]q Reed-Solomon code can be corrected from e errors and s erasures in
O(N 3 ) time as long as
2e + s < N − K + 1. (13.1)

Proof. Given a received word y ∈ (Fq ∪ {?})N with s erasures and e errors, let y′ be the sub-vector
with no erasures. This implies that y′ ∈ FqN −s is a valid received word for an [N − s, K ]q Reed-
Solomon code. (Note that this new Reed-Solomon code has evaluation points that correspond-
ing to evaluation points of the original code, in the positions where an erasure did not occur.)
Now run the error decoder algorithm from Theorem 13.2.1 on y′ . It can correct y′ as long as

(N − s) − K + 1
e< .
2

This condition is implied by (13.1). Thus, we have proved one can correct e errors under (13.1).
Now we have to prove that one can correct the s erasures under (13.1). Let z′ be the output after
correcting e errors. Now we extend z′ to z ∈ (Fq ∪{?})N in the natural way. Finally, run the erasure
decoding algorithm from Theorem 13.2.1 on z. This works as long as s < (N − K + 1), which in
turn is true by (13.1).
The time complexity of the above algorithm is O(N 3 ) as both the algorithms from Theo-
rem 13.2.1 can be implemented in cubic time.

Next, we will use the above errors and erasure decoding algorithm to design decoding algo-
rithms for certain concatenated codes that can be decoded up to half their design distance (i.e.
up to Dd /2).

248
13.3 Generalized Minimum Distance Decoding
Recall the natural decoding algorithm for concatenated codes from Algorithm 13. In particular,
we performed MLD on the inner code and then fed the resulting vector to a unique decoding
algorithm for the outer code. A drawback of this algorithm is that it does not take into account
the information that MLD provides. For example, it does not distinguish between the situations
where a given inner code’s received word has a Hamming distance of one vs where the received
word has a Hamming distance of (almost) half the inner code distance from the closest code-
word. It seems natural to make use of this information. Next, we study an algorithm called the
Generalized Minimum Distance (or GMD) decoder, which precisely exploits this extra informa-
tion.
In the rest of the section, we will assume C out to be an [N , K , D]q k code that can be decoded
(by D C out ) from e errors and s erasures in polynomial time as long as 2e + s < D. Further, let C in
be an [n, k, d ]q code with k = O(log N ) which has a unique decoder D C in (which we will assume
is the MLD implementation from Algorithm 2).
We will in fact look at three versions of the GMD decoding algorithm. The first two will be
randomized algorithms while the last will be a deterministic algorithm. We will begin with the
first randomized version, which will present most of the ideas in the final algorithm.

13.3.1 GMD algorithm- I

Before we state the algorithm, let us look at two special cases of the problem to build some
intuition.
Consider the received word y = (y 1 , . . . , y N ) ∈ [q n ]N with the following special property: for
every i such that 1 ≤ i ≤ N , either y i = y i′ or ∆(y i , y i′ ) ≥ d /2, where y i′ = M LD C in (y i ). Now we
claim that if ∆(y,C out ◦ C in ) < d D/2, then there are < D positions in y such that ∆(y i ,C in (y i′ )) ≥
d /2 (we call such a position bad). This is because, for every bad position i , by the definition of
y i′ , ∆(y i ,C in ) ≥ d /2. Now if there are ≥ D bad positions, this implies that ∆(y,C out ◦ C in ) ≥ d D/2,
which is a contradiction. Now note that we can decode y by just declaring an erasure at every
bad position and running the erasure decoding algorithm for C out on the resulting vector.
Now consider the received word y = (y 1 , . . . , y N ) with the special property: for every i such
that i ∈ [N ], y i ∈ C in . In other words, if there is an error at position i ∈ [N ], then a valid codeword
in C in gets mapped to another valid codeword y i ∈ C in . Note that this implies that a position
with error has at least d errors. By a counting argument similar to the ones used in the previous
paragraph, we have that there can be < D/2 such error positions. Note that we can now decode
y by essentially running a unique decoder for C out on y (or more precisely on (x 1 , . . . , x N ), where
y i = C in (x i )).
Algorithm 14 generalizes these observations to decode arbitrary received words. In particu-
lar, it smoothly “interpolates" between the two extreme scenarios considered above.
Note that if y satisfies one of the two extreme scenarios considered earlier, then Algorithm 14
works exactly the same as discussed above.
By our choice of D C out and D C in , it is easy to see that Algorithm 14 runs in polynomial time
(in the final block length). More importantly, we will show that the final (deterministic) version

249
Algorithm 14 Generalized Minimum Decoder (ver 1)
¡ ¢ £ ¤N
I NPUT: Received word y = y 1 , · · · , y N ∈ q n
£ ¤K
O UTPUT: Message m′ ∈ q k

1: FOR 1 ≤ i ≤ N DO
2: y i′ ← D C in (y i ).
³ ´
3: w i ← min ∆(y i′ , y i ), d2 .
2w i
4: With probability d , set y i′′ ←?, otherwise set y i′′ ← x, where y i′ = C in (x).
5: m′ ← D C out (y′′ ), where y = (y 1′′ , . . . , y N
′′ ′′
).
6: RETURN m′

of Algorithm 14 can do unique decoding of C out ◦C in up to half of its design distance.

As a first step, we will show that in expectation, Algorithm 14 works.

Lemma 13.3.1. Let y be a received word such that there exists a codeword C out ◦C in (m) = (c 1 , . . . , c N ) ∈
[q n ]N such that ∆(C out ◦ C in (m), y) < Dd ′′ ′ ′
2 . Further, if y has e errors and s erasures (when com-
pared with C out ◦C in (m)), then £ ¤
E 2e ′ + s ′ < D.

Note that if 2e ′ + s ′ < D, then by Theorem 13.2.2, Algorithm 14 will output m. The lemma
above says that in expectation, this is indeed the case.

Proof of Lemma 13.3.1. For every 1 ≤ i ≤ N , define e i = ∆(y i , c i ). Note that this implies that
N
X Dd
ei < . (13.2)
i =1 2

Next for every 1 ≤ i ≤ N , we define two indicator variables:

X i? = 1 y ′′ =? ,
i

and
X ie = 1C in (y ′′ )6=ci and y ′′ 6=? .
i i

We claim that we are done if we can show that for every 1 ≤ i ≤ N :

£ ¤ 2e i
E 2X ie + X i? ≤ . (13.3)
d
P P
Indeed, by definition we have: e ′ = X ie and s ′ = X i? . Further, by the linearity of expectation
i i
(Proposition 3.1.4), we get
£ ¤ 2X
E 2e ′ + s ′ ≤ e i < D,
d i

250
where the inequality follows from (13.2).
To complete the proof, we will prove (13.3) by a case analysis. Towards this end, fix an arbi-
trary 1 ≤ i ≤ N .
Case 1: (c i = y i′ ) First, we note that if y i′′ 6=? then since c i = y i′ , we have X ie = 0. This along with
2w
the fact that Pr[y i′′ =?] = d i implies
£ ¤ 2w i
E X i? = Pr[X i? = 1] = ,
d
and £ ¤
E X ie = Pr[X ie = 1] = 0.
Further, by definition we have
µ ¶
d
w i = min ∆(y i′ , y i ), ≤ ∆(y i′ , y i ) = ∆(c i , y i ) = e i .
2
The three relations above prove (13.3) for this case.
Case 2: (c i 6= y i′ ) As in the previous case, we still have
£ ¤ 2w i
E X i? = .
d
Now in this case, if an erasure is not declared at position i , then X ie = 1. Thus, we have
£ ¤ 2w i
E X ie = Pr[X ie = 1] = 1 − .
d
Next, we claim that as c i 6= y i′ ,
ei + wi ≥ d , (13.4)
which implies
£ ¤ 2w i 2e i
E 2X ie + X i? = 2 − ≤ ,
d d
as desired.
To complete the proof, we show (13.4) via yet another case analysis.
Case 2.1: (w i = ∆(y i′ , y i ) < d /2) By definition of e i , we have
e i + w i = ∆(y i , c i ) + ∆(y i′ , y i ) ≥ ∆(c i , y i′ ) ≥ d ,
where the first inequality follows from the triangle inequality and the second inequality follows
from the fact that C in has distance d .
Case 2.2: (w i = d2 ≤ ∆(y i′ , y i )) As y i′ is obtained from MLD, we have
∆(y i′ , y i ) ≤ ∆(c i , y i ).
This along with the assumption on ∆(y i′ , y i ), we get
d
e i = ∆(c i , y i ) ≥ ∆(y i′ , y i ) ≥ .
2
This in turn implies that
ei + wi ≥ d ,
as desired. ✷

251
13.3.2 GMD Algorithm- II
Note that Step 4 in Algorithm 14 uses “fresh" randomness for each i . Next we look at another
randomized version of the GMD algorithm that uses the same randomness for every i . In par-
ticular, consider Algorithm 15.

Algorithm 15 Generalized Minimum Decoder (ver 2)

¡ ¢ £ ¤N
I NPUT: Received word y = y 1 , · · · , y N ∈ q n
£ ¤K
O UTPUT: Message m′ ∈ q k

1: Pick θ ∈ [0, 1] uniformly at random.

2: FOR 1 ≤ i ≤ N DO
3: y i′ ← D C in (y i ).
³ ´
4: w i ← min ∆(y i′ , y i ), d2 .
2w i
5: If θ < d
, set y i′′ ←?, otherwise set y i′′ ← x, where y i′ = C in (x).
6: m′ ← D C out (y ), where y′′ = (y 1′′ , . . . , y N
′′ ′′
).
7: RETURN m′

We note that in the proof of Lemma 13.3.1, we only use the randomness to show that
£ ¤ 2w i
Pr y i′′ =? = .
d
In Algorithm 15, we note that
· · ¶¸
£ ¤ 2w i 2w i
Pr y i′′ =? = Pr θ ∈ 0, = ,
d d
as before (the last equality follows from our choice of θ). One can verify that the proof of
Lemma 13.3.1 can be used to show the following lemma:

Lemma 13.3.2. Let y be a received word such that there exists a codeword C out ◦C in (m) = (c 1 , . . . , c N ) ∈
[q n ]N such that ∆(C out ◦ C in (m), y) < Dd ′′ ′ ′
2 . Further, if y has e errors and s erasures (when com-
pared with C out ◦C in (m)), then £ ¤
Eθ 2e ′ + s ′ < D.

Next, we will see that Algorithm 15 can be easily “derandomized."

13.3.3 Derandomized GMD algorithm

Lemma 13.3.2 along with the probabilistic method shows that there exists a value θ ∗ ∈ [0, 1] such
that Algorithm 15 works correctly even if we fix θ to be θ ∗ in Step 1. Obviously we can obtain
such a θ ∗ by doing an exhaustive search for θ. Unfortunately, there are uncountable choices of
θ because θ ∈ [0, 1]. However, this problem can be taken care of by the following discretization
trick.

252
 Define Q = {0, 1} ∪ { 2w
d
1
, · · · , 2wd N }. Then because for each i , w i = min(∆(y i′ , y i ), d /2), we have

Q = {0, 1} ∪ {q 1 , · · · , q m }
j k
where q 1 < q 2 < · · · < q m for some m ≤ d2 . Notice that for every θ ∈ [q i , q i +1 ), just before Step
6, Algorithm 15 computes the same y′′ . (See Figure 13.2 for an illustration as to why this is the
case.)
θ
Everything here is not an erasure Everything gets ?

0 q1 q2 q i −1 qi q i +1 1

Figure 13.2: All values of θ ∈ [q i , q i +1 ) lead to the same outcome

Thus, we need to cycle through all possible values of θ ∈ Q, leading to Algorithm 16.

Algorithm 16 Deterministic Generalized Minimum Decoder‘

¡ ¢ £ ¤N
I NPUT: Received word y = y 1 , · · · , y N ∈ q n
£ ¤K
O UTPUT: Message m′ ∈ q k

2w 2w
1: Q ← { d 1 , · · · , d N } ∪ {0, 1}.
2: FOR θ ∈ Q DO
3: FOR 1 ≤ i ≤ N DO
4: y i′ ← D C in (y i ).
³ ´
5: w i ← min ∆(y i′ , y i ), d2 .
2w i
6: If θ < d
, set y i′′ ←?, otherwise set y i′′ ← x, where y i′ = C in (x).
7: m′θ ← D C out (y′′ ), where y′′ = (y 1′′ , . . . , y N
′′
).
¡ ¡ ¢ ¢
8: RETURN m′θ∗ for θ ∗ = arg minθ∈Q ∆ C out ◦C in m′θ , y

Note that Algorithm 16 is Algorithm 15 repeated |Q| times. Since |Q| is O(n), this implies
that Algorithm 16 runs in polynomial time. This along with Theorem 10.2.1 implies that

Theorem 13.3.3. For every constant rate, there exists an explicit linear binary code on the Zyablov
bound. Further, the code can be decoded up to half of the Zyablov bound in polynomial time.

Note that the above answers Question 10.3.1 in the affirmative.

13.4 Bibliographic Notes

Forney in 1966 designed the Generalized Minimum Distance (or GMD) decoding [41].

253
254
Chapter 14

Efficiently Achieving the Capacity of the

BSCp

Table 14.1 summarizes the main results we have seen so far for binary codes.

Shannon Hamming
Unique Decoding List Decoding
Capacity 1 − H (p) (Thm 6.3.1) ≥ GV (Thm 4.2.1) 1 − H (p) (Thm 7.4.1)
≤ MRRW (Sec 8.2)
Explicit Codes ? Zyablov bound (Thm 10.2.1) ?
1
Efficient Algorithms ? 2 · Zyablov bound (Thm 13.3.3) ?

Table 14.1: An overview of the results seen so far

In this chapter, we will tackle the open questions in the first column of Table 14.1. Recall that
there exist linear codes of rate 1− H (p)−ε such that decoding error probability is not more than
2−δn , δ = Θ(ε2 ) on the B SC p (Theorem 6.3.1 and Exercise 6.3). This led to Question 6.3.1, which
asks if we can achieve the BSCp capacity with explicit codes and efficient decoding algorithms.

14.1 Achieving capacity of B SC p

We will answer Question 6.3.1 in the affirmative by using concatenated codes. The main intu-
ition in using concatenated codes is the following. As in the case of construction of codes on
the Zyablov bound, we will pick the inner code to have the property that we are after: i.e. a code
that achieves the BSCp capacity. (We will again exploit the fact that since the block length of the
inner code is small, we can construct such a code in a brute-force manner.) However, unlike the
case of the Zyablov bound construction, we do not know of an explicit code that is optimal over
say the qSCp channel. The fact that the BSCp noise is memory-less can be exploited to pick the
outer code that can correct from some small but constant fraction of worst-case errors.
Before delving into the details, we present the main ideas. We will use an outer code C out that
has rate close to 1 and can correct from some fixed constant (say γ) fraction of worst-case errors.

255
We pick an inner code C in that achieves the BSCp capacity with parameters as guaranteed by
Theorem 6.3.1. Since the outer code has rate almost 1, the concatenated code can be made
to have the required rate (since the final rate is the product of the rates of C out and C in ). For
decoding, we use the natural decoding algorithm for concatenated codes from Algorithm 13.
Assume that each of the inner decoders has a decoding error probability of (about) γ. Then the
intermediate received word y′ has an expected γ fraction of errors (with respect to the outer
codeword of the transmitted message), though we might not have control over where the errors
occur. However, we picked C out so that it can correct up to γ fraction of worst-case errors. This
shows that everything works in expectation. To make everything work with high probability
(i.e. achieve exponentially small overall decoding error probability), we make use of the fact
that since the noise in BSCp is independent. Therefore, the decoding error probabilities of each
of the inner decodings is independent. Thus, by the Chernoff bound (Theorem 3.1.10), with all
but an exponentially small probability y′ has Θ(γ) fraction of errors, which we correct with the
worst-case error decoder for C out . See Figure 14.1 for an illustration of the main ideas. Next, we
present the details.

m1 m2 mK

Can correct ≤ γ worst-case errors D out

y′ y 1′ y 2′ ′
yN

D in D in D in

y y1 y2 yN

γ
Independent decoding error probability of ≤ 2

Figure 14.1: Efficiently achieving capacity of BSCp .

We answer Question 6.3.1 in the affirmative by using a concatenated code C out ◦C in with the
following properties (where γ > 0 is a parameter that depends only on ε and will be fixed later
on):

(i) C out : The outer code is a linear [N , K ]2k code with rate R ≥ 1 − 2ε , where k = O(log N ).
Further, the outer code has a unique decoding algorithm D out that can correct at most γ
fraction of worst-case errors in time Tout (N ).

(ii) C in : The inner code is a linear binary [n, k]2 code with a rate of r ≥ 1− H (p)−ε/2. Further,
there is a decoding algorithm D in (which returns the transmitted codeword) that runs in
γ
time Tin (k) and has decoding error probability no more than 2 over B SC p .

Table 14.2 summarizes the different parameters of C out and C in .

256
 Dimension Block q Rate Decoder Decoding Decoding
length time guarantee
C out K N 2k 1 − 2ε D out Tout (N ) ≤ γ fraction of
worst-case errors
γ
C in k ≤ O(log N ) n 2 1 − H (p) − 2ε D in Tin (k) ≤ 2 decoding error
probability over BSCp

Table 14.2: Summary of properties of C out and C in

Suppose C ∗ = C out ◦C in . Then, it is easy to check that

³ ε´ ³ ε´
R(C ∗ ) = R · r ≥ 1 − · 1 − H (p) − ≥ 1 − H (p) − ε,
2 2
as desired.
For the rest of the chapter, we will assume that p is an absolute constant. Note that this
implies that k = Θ(n) and thus, we will use k and n interchangeably in our asymptotic bounds.
Finally, we will use N = nN to denote the block length of C ∗ .
The decoding algorithm for C ∗ that we will use is Algorithm 13, which for concreteness we
reproduce as Algorithm 17.

Algorithm 17 Decoder for efficiently achieving BSCp capacity

¡ ¢ £ ¤N
I NPUT: Received word y = y 1 , · · · , y N ∈ q n
£ ¤K
O UTPUT: Message m′ ∈ q k
¡ ¢ £ ¤N
1: y′ ← y 1′ , · · · , y N
′
∈ qk where
¡ ¢ ¡ ¢
C in y i′ = D in y i 1 ≤ i ≤ N .
¡ ¢
2: m′ ← D out y′
3: RETURN m′

Note that encoding C ∗ takes time

O(N 2 k 2 ) + O(N kn) ≤ O(N 2 n 2 ) = O(N 2 ),

as both the outer and inner codes are linear1 . Further, the decoding by Algorithm 17 takes time

N · Tin (k) + Tout (N ) ≤ poly(N ),

where the inequality is true as long as

Tout (N ) = N O(1) and Tin (k) = 2O(k) . (14.1)

1
Note that encoding the outer code takes O(N 2 ) operations over Fq k . The term O(N 2 k 2 ) then follows from the
fact that each operation over Fq k can be implemented with O(k 2 ) operations over Fq .

257
 Next, we will show that decoding via Algorithm 17 leads to an exponentially small decoding
error probability over B SC p . Further, we will use constructions that we have already seen in this
book to instantiate C out and C in with the required properties.

14.2 Decoding Error Probability

We begin by analyzing Algorithm 17.
γ
By the properties of D in , for any fixed i , there is an error at y i′ with probability ≤ 2 . Each
such error is independent, since errors in B SC p itself are independent by definition. Because of
γN
this, and by linearity of expectation, the expected number of errors in y′ is ≤ 2 .
Taken together, these two facts allow us to conclude that, by the (multiplicative) Chernoff
bound (Theorem 3.1.10), the probability that the total number of errors will be more than γN
γN
is at most e − 6 . Since the decoder D out fails only when there are more than γN errors, this is
also the final decoding error probability. Expressed in asymptotic terms, the error probability is
γN
)
2−Ω( n .

14.3 The Inner Code

We find C in with the required properties by an exhaustive search among linear codes of di-
mension k with block length n that achieve the BSCp capacity by Shannon’s theorem (Theo-
rem 6.3.1). Recall that for such codes with rate 1 − H (p) − 2ε , the MLD has a decoding error
µ ¶
log( γ1 )
−Θ(ε2 n)
probability of 2 (Exercise 6.3). Thus, if k is at least Ω ε2 , Exercise 6.3 implies the exis-
γ
tence of a linear code with decoding error probability at most 2 (which is what we need). Thus,
with the restriction on k from the outer code, we have the following restriction on k:

à !
log( γ1 ) ¡ ¢
Ω ≤ k ≤ O log N .
ε2

However, note that since the proof of Theorem 6.3.1 uses MLD on the inner code and Al-
gorithm 2 is the only known implementation of MLD, we have Tin = 2O(k) (which is what we
needed in (14.1)). The construction time is even worse. There are 2O(kn) generator matrices; for
each of these, we must check the error rate for each of 2k possible transmitted codewords, and
for each codeword, computing the decoding error probability requires time 2O(n) .2 Thus, the
2
construction time for C in is 2O(n ) .

2
To see why the latter claim is true, note that there are 2n possible received words and given any one of these
received words, one can determine (i) if the MLD produces a decoding error in time 2O(k) and (ii) the probability
that the received word can be realized, given the transmitted codeword in polynomial time.

258
14.4 The Outer Code
We need an outer code with the required properties. There are several ways to do this.
One option is to set C out to be a Reed-Solomon code over F2k with k = Θ(log N ) and rate 1− 2ε .
Then the decoding algorithm D out , could be the error decoding algorithm from Theorem 13.2.2.
Note that for this D out we can set γ = 4ε and the decoding time is Tout (N ) = O(N 3 ).
Till now everything looks on track. However, the problem is the construction time for C in ,
2 2
which as we saw earlier is 2O(n ) . Our choice of n implies that the construction time is 2O(log N ) ≤
N O(log N ) , which of course is not polynomial time.
p Thus, the trick is to find a C out defined over a
log N )
smaller alphabet (certainly no larger than 2O( ). This is what we do next.

14.4.1 Using a binary code as the outer code

The main observation is that we can also use an outer code which is some explicit binary linear
code (call it C ′ ) that lies on the Zyablov bound and can be corrected from errors up to half
its design distance3 . We have seen that such a code can be constructed in polynomial time
(Theorem 13.3.3).
Note that even though C ′ is a binary code, we can think of C ′ as a code over F2k in the obvious
way: every k consecutive bits are considered to be an element in F2k (say via a linear map). Note
that the rate of the code does not change. Further, any decoder for C ′ that corrects bit errors
can be used to correct errors over F2k . In particular, if the algorithm can correct β fraction
of bit errors, then it can correct the same fraction of errors over F2k . To see this, think of the
′
received word as y ∈ (F2k )N /k , where N ′ is the block length of C ′ (as a binary code), which is at
′
a fractional Hamming distance at most ρ away from c ∈ (F2k )N /k . Here, c is what one gets by
′
“folding" consecutive k bits into one symbol in some codeword c′ ∈ C ′ . Now consider y′ ∈ F2N ,
which is just “unfolded" version of y. Now note that each symbol in y that is in error (w.r.t. c)
leads to at most k bit errors in y′ (w.r.t. c′ ). Thus, in the unfolded version, the total number of
errors is at most
N′
k ·ρ · = ρ · N ′.
k
(See Figure 14.2 for an example for the case when k = 2.) Thus to decode y, one can just “unfold"
y to y′ and use the decoding algorithm for C ′ (which can handle ρ fraction of errors) on y′ .
We will pick C out to be C ′ when considered over F2k , where we choose
à !
log( γ1 )
k =Θ .
ε2

Further, D out is the GMD decoding algorithm (Algorithm 16) for C ′ .

Now, to complete the specification of C ∗ , we relate γ to ε. The Zyablov bound gives δout =
(1 − R)H −1 (1 − r ), where R and r are the rates of the outer and inners codes for C ′ . Now, we can
3
Recall that the design distance of a concatenated code (where the outer code has distance D and the inner
code has distance d ) is d D.

259
 c1 c3 c N −1
···
c2 c4 cN

⇓
c1 c2 c3 c4 ··· c N −1 cN

Figure 14.2: Error Correction cannot decrease during “folding." The example has k = 2 and a
pink cell implies an error.

p p p
set 1 −
³pR = 2 γ´ (which implies that R = 1 − 2 γ) and H −1 (1 − r ) = γ, which implies that r is4
1 −O γ log γ1 . Since we picked D out to be the GMD decoding algorithm, it can correct δout2
=γ
fraction of errors in polynomial time, as desired.
¡ p ¢ ³ ³p ´´
The overall rate of C out is simply R · r = 1 − 2 γ · 1 − O γ log γ1 . This simplifies to 1 −
³p ³ ´´
O γ log γ1 . Recall that we need this to be at least 1 − 2ε . Thus, we would be done here if we
³p ´
1
could show that ε is Ω γ log γ , which would follow by setting

γ = ε3 .

14.4.2 Wrapping Up
We now recall the construction, encoding and decoding time complexity for our
³ construction
´
1
¡1¢
2 O log2
of C ∗ . The construction time for C in is 2O(n ) , which substituting for n, is 2 ε4 ε
. The
construction ³time for ´C out , meanwhile, is only poly(N ). Thus, our overall, construction time is
1
¡1¢
O log2
poly(N ) + 2 ε4ε
.
As we have seen in Section 14.1, the encoding
³ time
´ for this code is O(N 2 ), and the decoding
1
¡ ¢
O log 1ε
time is N O(1) + N · 2O(n) = poly(N ) + N · 2 ε2 . Further, we have shown that the decoding
γN
−Ω( ) −Ω(ε6 N )
error probability is exponentially small: 2 n =2 . Thus, we have proved the following
result:

Theorem 14.4.1. For every constant p and 0 < ε < 1 − H (p), there exists a linear code C ∗ of block
length N and rate at least 1 − H (p) − ε, such that
−5
)
(a) C ∗ can be constructed in time poly(N ) + 2O(ε ;

(b) C ∗ can be encoded in time O(N 2 ); and

−5
(c) There exists a poly(N ) + N · 2O(ε ) time decoding algorithm that has an error probability
6
of at most 2−Ω(ε N ) over the B SC p .
4 p p p p p p p
Note that r = 1 − H ( γ) = 1 + γ log γ + (1 − γ) log(1 − γ). Noting that log(1 − γ) = − γ − Θ(γ), we can
p
deduce that r = 1 − O( γ log(1/γ)).

260
 Thus, we have answered in the affirmative Question 6.3.1, which was the central open ques-
tion from Shannon’s work. However, there is a still somewhat unsatisfactory aspect of the result
above. In particular, the exponential dependence on 1/ε in the decoding time complexity is not
nice. This leads to the following question:

¡1¢
Question 14.4.1. Can we bring the high dependence on ε down to poly ε in the decoding
time complexity?

14.5 Discussion and Bibliographic Notes

Forney answered Question 6.3.1 in the affirmative by using concatenated codes. (As was men-
tioned earlier, this was Forney’s motivation for inventing code concatenation: the implication
for the rate vs. distance question was studied by Zyablov later on.)
We now discuss Question 14.4.1. For the binary erasure channel, the decoding time com-
plexity can be brought down to N ·poly( 1ε ) using LDPC codes, specifically a class known as Tor-
nado codes developed by Luby et al. [91]. The question for binary symmetric channels, however,
is still open. Recently there have been some exciting progress on this front by the construction
of the so-called Polar codes.
We conclude by noting an improvement to Theorem 14.4.1. We begin with a theorem due to
Spielman:
1
Theorem 14.5.1 ([121]). For every small enough β > 0, there exists an explicit C out of rate 1+β
µ ¶
β2
and block length N , which can correct Ω 1 2 errors, and has O(N ) encoding and decoding.
(log β )

Clearly, in terms of time complexity, this is superior to the previous option in Section 14.4.1.
Such codes are called “Expander
³ codes.”
´ One can essentially do the same calculations as in
ε2
Section 14.4.1 with γ = Θ .5 However, we obtain an encoding and decoding time of
log2 (1/ε)
1
N ·2poly( ε ) . Thus, even though we obtain an improvement in the time complexities as compared
to Theorem 14.4.1, this does not answer Question 14.4.1.

5
This is because we need 1/(1 + β) = 1 − ε/2, which implies that β = Θ(ε).

261
262
Chapter 15

Decoding Reed-Muller Codes

In this chapter we describe decoding algorithms for the Reed-Muller codes, introduced in Chap-
ter 9. Recall that these are the codes obtained by evaluations of multivariate polynomials over
all possible assignments to the variables. We will see several decoding algorithms for these
codes, ranging from simplistic ones that correct a constant fraction of the minimum distance
(with the constant depending on q), to algorithms based on more sophisticated concepts that
correct up to half the minimum distance.
To elaborate on the above, recall that the Reed-Muller code with parameters q, m, r is the
set of functions n o
def
RM(q, m, r ) = f : Fm
q → F q | deg( f ) ≤ r .

The minimum distance distance of the code is

def
∆q,m,r = (q − t ) · q m−s−1 ,

where s, t satisfy r = s(q − 1) + t and 0 ≤ t ≤ q − 2 (recall Lemma 9.4.1). We will first describe an
algorithm to correct ε · ∆jq,m,r forksome constant ε > 0 that depends only on q. Later we will give
∆q,m,r −1
algorithms that correct 2 errors.

15.1 A natural decoding algorithm

The main insight behind our first decoding algorithm is the simple fact that the degree of poly-
nomials does not increase on affine substitutions. Let us introduce this notion and then explain
why this might be useful in building decoding algorithms.

Definition 15.1.1. A one-dimensional s-variate affine form a ∈ Fq [Z1 , . . . , Z s ] is a polynomial of

P
the form a(Z1 , . . . , Z s ) = is=1 αi Zi + α0 . In other words an affine form is a polynomial of degree
at most 1. An m-dimensional s-variate affine form A = 〈a 1 , . . . , a m 〉 is simply an m-tuple of one-
dimensional affine forms.

For example A 0 = 〈Z1 + Z2 , Z1 , Z2 〉 is a 3-dimensional 2-variate affine form over F2 .

263
Definition 15.1.2. Given an m-variate polynomial P ∈ Fq [X 1 , . . . , X m ] and an m-dimensional s-
variate affine form A = 〈a 1 , . . . , a m 〉 ∈ (Fq [Z ])m where Z = (Z1 , . . . , Z s ), the affine substitution of A
into P is given by the polynomial P ◦ A ∈ Fq [Z ] given by (P ◦ A)(Z ) = P (a 1 (Z ), . . . , a m (Z )).

Let A 0 be the affine form as above and let P 0 (X 1 , X 2 , X 3 ) = X 1 X 2 + X 1 X 2 X 3 + X 3 over F2 . Then

we have

(P 0 ◦ A 0 )(Z1 , Z2 ) = (Z1 +Z2 )Z1 +(Z1 +Z2 )Z1 Z2 +Z2 = Z12 +Z1 Z2 +Z12 Z2 +Z1 Z22 +Z2 = Z1 +Z1 Z2 +Z2 ,

where the last equality follows since we are working over F2 .

Notice that the notion of affine substitutions extends to functions naturally, viewing both
f and A as functions (given by the evaluations of corresponding polynomials) in the definition
above.
Affine substitutions have nice algebraic, geometric, and probabilistic properties and these
combine to give us the decoding algorithm of this section. We introduce these properties in
order.

Proposition 15.1.3 (Degree of Affine Substitutions). Affine substitutions do not increase the de-
gree of a polynomial. Specifically, if A is an affine form, then for every polynomial P , we have
deg(P ◦ A) ≤ deg(P ).
Q ri
Proof. The proof is straightforward. First note that for any single monomial M = m i =1 X i the
Qm
affine substitution M ◦ A = i =1 a i (Z )r i has degree at most deg(M ). Next note that if we write a
P
general polynomial as a sum of monomials, say P = M c M · M , then the affine substitution is
P
additive and so P ◦ A = M c M (M ◦ A). The proposition now follows from the fact that
X
deg(P ◦ A) = deg( c M (M ◦ A)) ≤ max{deg(M ◦ A)} ≤ max deg(M )} = deg(P ).
M M M

We remark that the bound above can be tight (see Exercise 15.1) and that the result above
generalizes to the case when we replace each term by a degree d -polynomial instead of a degree
1-polynomial (see Exercise 15.2).
Next we turn to the geometric aspects of affine substitutions. These aspects will be essential
for some intuition, though we will rarely invoke them formally.
One way to view affine substitutions into functions is that we are viewing the restriction of a
function on a small subset of the domain. For example, when s = 1, then an affine substitution
A into a function f , restricts the domain of the function to the set {A(z)|z ∈ Fq } where A(z) is of
the form az + b for some a, b ∈ Fm m
q . This set forms a line in Fq with slope a and passing through
the point b. When s becomes larger, we look at higher dimensional (affine) subspaces such as
planes (s = 2) and cubes (s = 3). While lines, planes and cubes are not exactly the same as in the
Euclidean space they satisfy many similar properties and this will be used to drive some of the
probabilistic thinking below.
In what follows we will be looking restrictions of two functions f and g on small-dimensional
affine subspaces. On these subspaces we would like to argue that f and g disagree roughly as

264
often as they do on Fm q . To do so, we use the fact that “random” affine substitutions sample
m
uniformly from Fq . We formalize this below.
Consider a uniform choice of an affine form A(z) = Mz + b, i.e., where M ∈ Fm×s q and b ∈ Fm
q
are chosen uniformly and independently from their respective domains. (Note that this allows
M to be of less than full rank with positive probability, and we will allow this to keep calculations
simple and clean. We do warn the reader that this can lead to degenerate lines and subspaces -
e.g., when M is the zero matrix then these subspaces contain only one point.)

Proposition 15.1.4. (1) Fix z ∈ Fsq . Then, for a uniformly random A, the point A(z) is dis-
tributed uniformly in Fm
q .

(2) Fix z ∈ Fsq \ {0} and x ∈ Fm

q . and let A be chosen uniformly subject to the condition A(0) = x.
Then the point A(z) is distributed uniformly in Fm q . Consequently, for every pair of functions
m
f , g : Fq → Fq , we have
£ ¤
Pr f ◦ A(z) 6= g ◦ A(z) = δ( f , g ).
A

Proof. Let A(z) = Mz + b where M ∈ Fm×sq and b ∈ Fmq are chosen uniformly and independently.
For part (1), we use the fact that for every fixed M and z, Mz + b is uniform over Fm
q when b is
uniform. In particular, for every y ∈ Fm
q we have
£ ¤ £ ¤
Pr Mz + b = y = Pr b = y − Mz = q −m .
b b

Since this holds for every M, it follows that

£ ¤
Pr Mz + b = y = q −m
M,b

and so we conclude that A(z) = Mz + y is uniformly distributed over Fm q .

For part (2), note that the condition A(0) = x implies b = x. So, for fixed y ∈ Fm
q , we have
£ ¤ £ ¤
Pr A(z) = y | A(0) = x = Pr Mz + x = y .
M,b M

Now let z = (z 1 , . . . , z s ) and denote the columns of M by M 1 , . . . , M s so that

Mz = z 1 M 1 + · · · + z s M s .

Since z 6= 0 we must have some z i 6= 0 and let i be the largest such index. We note that for every
choice of M 1 , . . . , M i −1 , M i +1 , . . . , M s , the probability, over the choice of M i that Mz+x = y is q −m ,
since this happens if and only if M i = z i−1 (y − (z 1 M 1 + · · · z i −1 M i −1 + x), and this event happens
with probability q −m . Averaging over the choices of the remaining columns of M, we still have
£ ¤ £ ¤
Pr A(z) = y | A(0) = x = Pr Mz + x = y = q −m ,
M,b M

thus establishing that A(z) is distributed uniformly over Fm

q even when conditioned on A(0) = x.

265
 Finally to see the final implication of part (2), fix functions f , g : Fm
q and let
n o
E = y ∈ Fmq | f (y) 6= g (y) ,
£ ¤
so that δ( f , g ) = Pry y ∈ E . We have
£ ¤
Pr f ◦ A(z) 6= g ◦ A(z) = Pr [A(z) ∈ E ] ,
A A

but since A(z) is uniform in Fm

q even given A(0) = x, we have
£ ¤
Pr [A(z) ∈ E ] = Pr y ∈ E = δ( f , g ),
A y

as claimed.

15.1.1 The Actual Algorithm

Now we explain why affine substitutions might help in decoding the Reed-Muller code. Recall
that the decoding problem for the Reed-Muller codes is the following:

• Input: Parameters q, m, r and e (bound on number of errors) and a function f : Fm

q →
Fq .

• Output: Polynomial P ∈ Fq [X 1 , . . . , X m ] with deg(P ) ≤ r such that |{x ∈ Fm

q | f (x) 6=
P (x)}| ≤ e.

One way to recover the desired polynomial P is to output its value at every given point x ∈
Fm
q . (This works provided the polynomial P to be output is uniquely determined by f and the
number of errors, and that is the setting we will be working with.) In what follows we will do
exactly this. The main idea behind the algorithm of this section is the following: We will pick an
affine form A such that A(0) = x and attempt to recover the polynomial P ◦ A. Evaluating P ◦ A(0)
gives us P (x) and so this suffices, but why is the task of computing P ◦ A any easier? Suppose
we use an s-variate form A for small s. Then the function P ◦ A is given by q s values with s < m
this can be a much smaller sized function and so brute force methods would work faster. But
an even more useful observation is that if A is chosen at random such that A(0) = x, then most
of the q s points (in fact all but one) are random points and so unlikely to be erroneous. In
particular for any fixed non-zero z, we would have with high probability f ◦ A(z) = P ◦ A(z),
where the probability is over the choice of A, assuming the number of errors is small. Since
q s < q m one can apply a union bound over the roughly q s choices of z to (hopefully) establish
that all the points z ∈ Fsq \ {0} are not errors, and if this happens a further hope would be that
P ◦ A is uniquely determined by its values on Fsq \ {0}. The two hopes are in tension with each
other — the former needs small values l m of s and the latter needs s to be large; and so we pick
r +1
an intermediate s, specifically s = q−1 , where both conditions are realized and this yields the
algorithm below. We describe the algorithm first and then explain this choice of parameters
later.

266
Algorithm 18 S IMPLE R EED -M ULLER D ECODER
I NPUT: r < m, 0 < e ≤ 13 · q m−⌈(r +1)/(q−1)⌉ , and function f : Fm
q → Fq .
O UTPUT: Polynomial P ∈ Fq [X 1 , . . . , X m ] with deg(P ) ≤ r such that |{x ∈ Fm
q | f (x) 6= P (x)}| ≤ e, if
such a polynomial exists and NULL otherwise

FOR x ∈ Fmq DO
g (x) =L OCAL -D ECODE
³ -RM-S IMPLE
´ (x, f ).
RETURN I NTERPOLATE q, m, g , r, Fm
q

procedure L OCAL -D ECODE -RM-S IMPLE(x, f )

Repeat L OCAL -D ECODE -RM-S IMPLE -I TER(x, f ) O(m log q) times and return most fre-
quent answer.

procedure lL OCAL
m -D ECODE -RM-S IMPLE -I TER(x, f )
r +1
Let s ← q−1
Select an m-dimensional
³ s-variate affine
´ form A uniformly conditioned on A(0) = x.
g ← I NTERPOLATE q, s, f ◦ A, r, F qs \ {0}
IF g is NULL THEN
g ←0
RETURN g (0).

procedure I NTERPOLATE(q, m, f , r, S) ⊲ Returns a polynomial P ∈ Fq (Z1 , . . . , Z s ) such that

deg(P ) ≤ r and P (x) = f (x) for every x ∈ S and return NULL is no such P exists. ⊲ See
comments in Section 15.1.2 for more on how this algorithm can be implemented.

267
 The detailed algorithm is given as Algorithm 18. Roughly the algorithm contains two loops.
The outer loop enumerates x ∈ Fnq and invokes a subroutine L OCAL -D ECODE -RM-S IMPLE that
determines P (x) correctly with very high probability. This subroutine creates an inner loop
which invokes a less accurate subroutine L OCAL -D ECODE -RM-S IMPLE -I TER, which computes
P (x) correctly with probability 32 , many times and reports the most commonly occurring an-
swer. The crux of the algorithm is thus L OCAL -D ECODE -RM-S IMPLE -I TER. This algorithm
picks a random affine form A such that A(0) = x and assumes that f ◦ A(z) = P ◦ A(z) for ev-
ery non-zero z. Based on this assumption it interpolates the polynomial P ◦ A and returns
P ◦ A(0) = P (A(0)) = P (x).
The crux of the analysis is to show that the assumption holds with probability at least 23 over
the random choice of A provided the number of errors is small. We will undertake this analysis
next.

15.1.2 Analysis of the simple decoding algorithm

We first show that each invocation of L OCAL -D ECODE -RM-S IMPLE -I TER succeeds with high
probability:

Lemma 15.1.5. Let P ∈ Fq [X 1 , . . . , X m ] be a polynomial of degree at most r and let f : Fm q → Fq be

such that
1 m−⌈(r +1)/(q−1)⌉
e = |{x ∈ Fm
q | f (x) 6= P (x)}| ≤ · q .
3
Then, for every x ∈ Fm q , the probability that L OCAL -D ECODE -RM-S IMPLE -I TER ( f , x) returns P (x)
is at least 2/3.
l m
r +1 q m−s
Proof. Recall s = q−1 and so e ≤ 3 . We use this condition in the analysis below.
Fix z ∈ Fsq \ {0}. Since A was picked conditioned on A(0) = x, by part (2) of Proposition 15.1.4
we have that A(z) is a uniformly random element of Fm q (and in particular this is independent
of x). So the probability that f (A(z)) 6= P (A(z)) is exactly qem . Taking the union bound over all
z ∈ Fsq \ {0} we get that
h i e e 1
Pr ∃z ∈ Fsq \ {0} s.t. f (A(z)) 6= P (A(z)) ≤ (q s − 1) · m ≤ m−s ≤ . (15.1)
A q q 3

So, with probability at least 23 , we have that f ◦A(z) = P ◦A(z) for every z ∈ Fsq \{0}. We argue below
that if this holds, then L OCAL -D ECODE -RM-S IMPLE -I TER( f , x) returns P (x) and this proves the
lemma.
Since P ◦ A is a polynomial in Fq [Z1 , . . . , Z s ] of degree at most r that agrees with f ◦ A on ev-
ery z ∈ Fsq \ {0}, we have that the there exists at least one polynomial satisfying the condition of
the final interpolation step in L OCAL -D ECODE -RM-S IMPLE -I TER( f , x). It suffices to show that
this polynomial is unique, but this follows from Exercise 15.4, which asserts that δ(P ◦ A, h) ≥ q2s
for every polynomial l hm∈ Fq [Z1 , . . . , Z s ] of degree at most r , provided r < (q − 1)s. (Note that
r +1
our choice of s = q−1 ensures this.) In particular this implies that every pair of polynomi-
als disagree on at least two points in Fsq and so on at least one point in Fsq \ {0}. Thus P ◦ A is

268
the unique polynomial that fits the condition of the interpolation step in L OCAL -D ECODE -RM-
S IMPLE -I TER( f , x) and so this subroutine returns P (x) with probability at least 23 .

We note that one can push the 13 fraction of errors to 21 − γ for any 0 < γ < 1/2 with a success
probability of 12 + γ (see Exercise 15.5).
With Lemma 15.1.5 in hand, some routine analysis suffices to show the correctness of the
Simple Reed-Muller Decoder (Algorithm 18) and we do so in the theorem below.

Theorem 15.1.6. The Simple Reed-Muller Decoder (Algorithm 18) is a correct (randomized) poly-
nomial in n time algorithm decoding the Reed-Muller code RM(q, m, r ) from e ≤ 31 ·q m−⌈(r +1)/(q−1)⌉
errors.

Proof. Fix P ∈ Fq [X 1 , . . . , X m ] be a polynomial of degree at most r and f : Fm

q → Fq such that

1 m−⌈(r +1)/(q−1)⌉
e = |{x ∈ Fm
q | f (x) 6= P (x)}| ≤ ·q .
3
Further fix x ∈ q m . Lemma 15.1.5 asserts that a call to L OCAL -D ECODE -RM-S IMPLE -I TER( f , x)
returns P (x) with probability at least 32 . By an application of the Chernoff bounds (in par-
ticular, see Exercise 3.3), the majority of the O(m log q) calls to L OCAL -D ECODE -RM-S IMPLE -
I TER( f , x) is P (x) except with probability exp(−m log q) and by setting the constant in the O(·)
q −m
appropriately, we an ensure this probability is at most 3 . We thus conclude that for every
fixed x ∈ Fm q the probability that L OCAL -D ECODE -RM-S IMPLE ( f , x) does not return P (x) is at
q −m
most 3 . By the union bound, we could that the probability that there exists x ∈ Fm q such that
L OCAL -D ECODE -RM-S IMPLE( f , x) 6= P (x) is at most 3 . Thus with probability at least 23 the algo-
1

rithm computes P (x) correctly for every x and thus the interpolation returns P with probability
at least 23 .
The running time of the algorithm is easy to establish. Let Tint (n) denote the time it takes
to interpolate to find the coefficients of a polynomial P given its n evaluations. It is well-known
that Tint is a polynomial with near linear running time. (See Remarks on Interpolation below.)
We have that the L OCAL -D ECODE -RM-S IMPLE -I TER takes time at most Tint (q s ) per invocation,
and thus L OCAL -D ECODE -RM-S IMPLE takes O(m · Tint (q s ) · log q) steps per invocation. Since
L OCAL -D ECODE -RM-S IMPLE is executed q m times by the overall algorithm, the overall run-
ning time is bounded by Tint (q m ) + O(m · q m · Tint (q s ) log q). Expressed in terms of n = q m and
e max = q m−s /3 and crudely bounding
³ interpolation
´ cost by a cubic function, this translates into
n4
a running time of O(n 3 ) + O 3
e max
log n .

Remarks on Interpolation. As mentioned in the proof above, the running time of the algo-
rithm depends on the running time of the two interpolation steps in the algorithm D ECODE -
RM-S IMPLE. To get polynomial time algorithms for either step, it suffices to note that interpo-
lation is just solving a system of linear equations and thus can always be solved in cubic time
by Gaussian elimination (see Exercise 15.6). To make the steps more efficient, one can use the
structure of polynomial interpolation to get some speedups for the first interpolation step (see
Section 15.5). For the second, since we are only interested in evaluating P ◦ A(0), interpolation

269
is a bit of overkill. It turns out one can explicitly determine the exact linear form which de-
scribes P ◦ A(0) in terms of {P ◦ A(z)|z ∈ Fsq \{0}} and this turns out to be extremely simple: In fact
P
P ◦ A(0) = − z∈Fsq \{0} P ◦ A(z) (see Exercise 15.7).

Remark on Fraction of Errors corrected. The number of errors corrected by the Simple Reed-
Muller Decoder, 31 · q m−⌈(r +1)/(q−1)⌉ , is complex and requires some explanation. It turns out that
l m
r +1
this quantity is closely related to the distance of the code. For s = q−1 if we now let t be such
that r = s(q −1)− t (note that this is different from the way we did this splitting in Lemma 9.4.1),
then from Lemma 9.4.1 we have that the distance of the code RM(q, m, r ) is (t + 1)q m−s where
1 ≤ t ≤ q − 1 (see Exercise 15.8). So in particular the distance of the code is between q m−s and
q m−s 1
q m−s+1 . In contrast, our algorithm corrects 3 errors, which is at least a 3q -fraction of the
distance of the code. Ideally we would like algorithms correcting up to 21 as many errors as the
distance, and this algorithm falls short by a “constant” factor, if q is a constant. In the rest of the
chapter we will try to achieve this factor of 21 .

15.2 Majority Logic Decoding

The algorithm of the previous section corrects errors up to a constant fraction of the distance
(with the constant depending on q, but not on m or r ) but is not the best one could hope for.
In this section we develop an algorithm that corrects the optimal number of errors over F2 . The
main idea is to continue to explore the function over “affine subspaces” but now the substi-
tutions will be much simpler. Specifically they will be of the form x i = b i for many different
choices of i where b i ∈ F2 . This will leave us with a function on the unset variables and while we
won’t be able to determine the function completely on the remaining variables, we will be able
to determine some coefficients and this will allow us to make progress.
The main idea driving this algorithm is the following proposition about degree r polynomi-
als.

Proposition 15.2.1. Let P ∈ F2 [X 1 , . . . , X m ] be of degree r and let C ∈ F2 be the coefficient of the

Q P
monomial ri=1 X i in P . Then, for every b ∈ F2m−r , it is the case that a∈Fr2 P (a, b) = C .

Proof. Let P b (X 1 , . . . , X r ) = P (X 1 , . . . , X r , b), i.e., P b is P restricted to the subspace X i = b i for

r < i ≤ m. Note that the coefficient of the monomial X 1 · · · X r in P b remains C , since all other
monomial now have degree strictly less than r after the substitutions X i = b i . (Note that we
used the fact that P has degree at most r to make this assertion.) So we can write P b = C ·
X 1 · · · X r + g where deg(g ) < r . We wish to show that
à !
X X Yr X
P b (a) = C· aj + g (a) = C .
a∈Fr2 a∈Fr2 j =1 a∈Fr2

We first note that the first summation is trivially C since all terms except when a 1 = · · · = a r = 1
evaluate to zero and the term corresponding to a 1 = · · · = a r = 1 evaluates to C . The proposition

270
now follows from Exercise 15.7 which asserts that for every polynomial g of degree less than r ,
P
the summation a∈Fr2 g (a) = 0.

As such the proposition above only seems useful in the error-free setting — after all, it as-
sumes P is given correctly everywhere. But it extends to the setting of a small number of er-
rors immediately. Note that if a function f disagrees with polynomial P on at most e points
P
in Fm2 then there are at most e choices of b ∈ F2
m−r
for which a∈Fr2 f (a, b) does not equal C .
In particular, if e < 2m−r /2 then the majority of choices of b lead to the correct value of C .
(And remarkably, for the class of degree r polynomials, this is exactly one less than half the
Q
distance of the associated code.) Of course, the monomial ri=1 X i is not (very) special. The
same reasoning allows us to compute the coefficient of any monomial of degree r . For example
P P
majorityb∈Fm−r { a∈Fr2 f (a, b)} gives the coefficient of X 1 · · · X r , and majorityb∈Fm−r { a∈Fr2 f (b, a)}
2 2
(note the exchange of a and b) gives the coefficient of X m−r +1 · · · X m . (See Exercise 15.9.) With
appropriate notation for substituting a and b into the right places, we can calculate any other
monomial of degree r as well. And then downward induction on r allows us to compute coef-
ficients of lower degree monomials. This leads us to the algorithm described next. For the sake
of completeness we also give the full analysis afterwards.

15.2.1 The Majority Logic Decoding Algorithm

We start with some notation that will help us describe the algorithm more precisely.
Q
Definition 15.2.2. For S ⊆ [m] we let X S denote the monomial i ∈S Xi .

Definition 15.2.3. For S ⊆ [m] with |S| = t and vectors a ∈ F2t and b ∈ F2m−t , let (S ← a, S̄ ← b)
denote the vector whose coordinates in S are given by a and coordinates in S̄ are given by b.

Definition 15.2.4. For S ⊆ [m] with |S| = t and vectors a ∈ F2t and b ∈ F2m−t , let f (S ← a, S̄ ← b)
denote the evaluation of f on (S ← a, S̄ ← b). In other words, let S = {i 1 , . . . , i t } with i k < i k+1 and
let S̄ = { j 1 , . . . , j m−t } with j k < j k+1 . Then f (S ← a, S̄ ← b) = f (c) where c ∈ Fm
2 is the vector such
that c i k = a k and c j ℓ = b ℓ .

The majority logic decoder details are presented in Algorithm 19.

15.2.2 The analysis

We next argue that the algorithm M AJORITY L OGIC D ECODER (Algorithm 19) correct up to half
the errors for the RM(2, m, r ) code.

Lemma 15.2.5. On input f : Fm 2 → F2 that disagrees with a polynomial Q ∈ F2 [X 1 , . . . , X m ] of

degree at most r on at most e < 21 · 2m−r points, the algorithm M AJORITY L OGIC D ECODER( f )
correctly outputs Q.
P P
Proof. Let Q(X ) = S⊆[m] C S′ X S and let Q t (X ) = S⊆[m]:|S|≥t C S′ X S . We argue by downward in-
duction on t (from r + 1 down to 0) that Q t = P t where P t ’s are the polynomials computed by

271
Algorithm 19 Majority Logic Decoder
I NPUT: r < m, 0 ≤ e < 12 2m−r , and function f : Fm2 → F2 .
O UTPUT: Output P such deg(P ) ≤ r and |{x ∈ Fm 2 |P (x) 6= f (x)}| ≤ e.
P r +1 ← 0
FOR t = r downto 0 DO
f t ← f − P t +1
FOR every S ⊆ [m] with |S| = t DO
FOR every b ∈ F2m−t DO
P
C S,b ← a∈Ft f t (S ← a, S̄ ← b).
2
© ª
C S ← majorityb C S,b
P
P t ← P t +1 + S⊆[m],|S|=t C S X S
RETURN P0

our algorithm. The base case is obvious since P r +1 = Q r +1 = 0. Assume now that P t +1 = Q t +1
and so we have that f t = f − P t +1 disagrees with Q − Q t +1 on at most e points. (See Exer-
cise 15.10.) We now argue that for every subset S ⊆ [m] with |S| = t , C S = C S′ . Fix such a set
S. For b ∈ F2m−t , we refer to the partial assignment S̄ ← b as a “subcube” corresponding to the
points {(S ← a, S̄ ← b)|a ∈ F2t }. We say that a subcube S̄ ← b is in error if there exists a such that
f t (S ← a, S̄ ← b) 6= (Q − Q t +1 )(S ← a, S̄ ← b). By Proposition 15.2.1, we have that if a subcube is
not in error then C S,b = C S′ , since C S′ is the coefficient of X S in the polynomial (Q −Q t +1 ) (whose
degree is at most t ). Furthermore at most e subcubes can be in error (see Exercise 15.11). Fi-
nally, since the total number of subcubes is 2m−t ≥ 2m−r > 2e we thus have that a majority of
subcubes are not in error and so C S = majorityb {C S,b } = C S′ .
Thus we have for every S with |S| = t that C S = C S′ and so Q t = P t , giving the inductive step.
So we have for every t , P t = Q t and in particular P 0 = Q 0 = Q as desired.

The running time of the algorithm is easy to see as¡being

¢ at most n = 2m times the number
Pr
of coefficients of a degree r polynomial, which is i =0 mi ≤ n in the binary case. Thus O(n 2 ) is
a crude upperj boundk on the running time of this algorithm. Note that this algorithm corrects
d −1
up to exactly 2 errors where d = 2m−r is the minimum distance of RM(2, m, r ). (Since d is
d
even, this quantity equals 2 − 1.) We thus have the following theorem.

Theorem 15.2.6. For every 0 ≤ r < m, The Majority Logic Decoder (Algorithm 19), corrects up to
d
2
− 1 errors in the Reed-Muller code, RM(2, m, r ), in O(n 2 ) time, where n = 2m is the block length
of the code and d = 2m−r is its minimum distance.

15.3 Decoding by reduction to Reed-Solomon decoding

The algorithms described so far were based on very basic ideas, but they have their limitations.
The S IMPLE R EED -M ULLER D ECODER (Algorithm 18) fails to correct errors up to half the min-

272
imum distance. And the majority logic algorithm (Algorithm 19) seems to work only over F2
(where the monomial structure is especially simple). The final algorithm we give uses a slightly
more sophisticated algebraic idea, but then ends up yielding an almost ‘trivial’ reduction to
Reed-Solomon decoding. (It is trivial in the sense that the reduction algorithm almost does no
work.) The resulting reduction can use any algorithm for Reed-Solomon decoding including
any of the ones from Chapter 17.
The crux of the reduction is a natural bijection between the vector space Fm q and the field
m
Fq m . This bijection converts the space of functions { f |Fq → Fq } to the space of functions { f :
Fq m → Fq } ⊆ { f : Fq m → Fq m }. Algorithmically, it is important that the bijection only acts on the
domain and so almost no work is needed to convert a function g ∈ { f |Fm q → Fq } to its image
G ∈ { f : Fq → Fq } under the bijection. Thus Reed-Muller codes get transformed to a subcode
m m

of some Reed-Solomon code, and corrupted Reed-Muller codewords get mapped to corrupted
Reed-Solomon codewords. Now comes the algebraic part: namely, analyzing how good is the
distance of the so-obtained Reed-Solomon code, or equivalently upper bounding the degree
of the polynomials G obtained by applying the bijection to g ∈ RM(q, m, r ). It turns out the
bijection preserves the distance exactly and so algorithms correcting the Reed-Solomon code
up to half its distance does the same for the Reed-Muller code.
In the rest of this section we first describe the ‘nice’ bijection Φ from Fq m → Fm q and intro-
duce a parameter called the extension degree that captures how good the bijection is. Then,
we analyze the extension degree of the bijection map and show that it ends up mapping Reed-
Muller codes to Reed-Solomon codes of the same distance, and thus an algorithm to decode
Reed-Solomon codes with errors up to half the distance of the code also yield algorithms to
decode Reed-Muller code with errors up to half the distance of the code.

15.3.1 A bijection from Fm

q vs. Fq m

The bijections we will eventually work with in this section will be linear-bijections. We introduce
this concept first.

Definition 15.3.1. A function Φ : Fq m → Fm

q is said to be an Fq -linear bijection if

1. Φ is a bijection, i.e., Φ(u) = Φ(v) ⇒ u = v for every u, v ∈ Fq m .

2. Φ is Fq -linear, i.e., for every α, β ∈ Fq and u, v ∈ Fq m it is the case that Φ(αu +βv) = αΦ(u)+
βΦ(v).

(Above and throughout this section it will be useful to remember that Fq ⊆ Fq m and so oper-
ations such as αu for α ∈ Fq and u ∈ Fq m are well-defined.)
Note that a linear bijection Φ : Fq m → Fm q can be viewed as m functions (Φ1 , . . . , Φm ) with
Φi : Fq m → Fq so that Φ(u) = (Φ1 (u), . . . , Φm (u)). Furthermore each Φi is a linear function from
Fq m → Fq and since Fq ⊆ Fq m , Φi can be viewed as a polynomial in Fq m [Z ] (see Exercise 15.12).
Our proposition below recalls the basic properties of such linearized polynomials.

Proposition 15.3.2. There exists an Fq -linear bijection from Fq m to Fm q . If Φ = (Φ1 , . . . , Φm ) :

m
Fq m → Fq is an Fq -linear bijection then each Φi (Z ) is a trace function. Specifically there exist

273
 Pm−1 qj j
λ1 . . . , λm ∈ Fq m , which are linearly independent over Fq , such that Φi (Z ) = Tr(λi Z ) = j =0 λi Z q .
In particular deg(Φi ) = q m−1 and Φ is a linearized polynomial (i.e., only non-zero coefficients are
j
for monomials of the form Z q ).

Proof. Given a bijection Φ the fact that it is a Trace function follows from Proposition D.5.18,
which implies its degree and linearized nature (see Exercise 15.13). All that remains to show
is that a linear bijection exists. We claim that if λ1 , . . . , λm ∈ Fq m are Fq -linearly independent
then Φ = (Φ1 , . . . , Φm ), with Φi (Z ) = Tr(λi Z ), is a Fq linear bijection. Linearity follows from the
linearity of Trace so all we need to verify is that this is a bijection. And since the domain and
range of Φ have the same cardinality, it suffices to show that Φ is surjective. Consider the set

S = {(Φ(u)|u ∈ Fq m } ⊆ Fm
q .

By the linearity of Φ, S is a subspace of Fm m

q . If S 6= Fq (i.e., if Φ is not surjective) we must have
that elements of S satisfy some non-trivial constraint, i.e., there exists (α1 , . . . , αm ) ∈ Fm q \{0} such
Pm
that i =1 αi βi = 0 for every (β1 , . . . , βm ) ∈ S (see Exercise 15.14). But now consider
ÃÃ ! !
X X X
αi Φi (Z ) = αi Tr (λi Z ) = Tr αi λi · Z , (15.2)
i i i

where the last equality follows from the fact that Tr is a linear map (see Proposition D.5.18). On
the one hand (see Exercise 15.15) this is a non-zero polynomial in Z of degree at most q m−1 ,
while on the other hand it evaluates to zero on every u ∈ Fq m , which contradicts the degree
mantra. We conclude Φ is surjective, and hence it is an Fq -linear bijection.

Our goal is to use a linear bijection from Φ : Fq m → Fmq (any such bijection will do for us)
m
to convert functions whose domain is Fq (which is the case for codewords of the Reed-Muller
code) to functions whose domain is Fq m . Specifically, given f : Fm m
q → Fq and Φ : Fq m → Fq , let
f ◦ Φ : F q m → Fm
q be the function ( f ◦ Φ)(u) = f (Φ(u)).
Key to the utility of this transformation is the analysis of how this blows up the degree of
the underlying polynomials. Recall that for a function F : Fq m → Fq m , its degree is defined to be
the degree of the (unique) polynomial P ∈ Fq m [Z ] with deg(P ) < q m such that P (u) = F (u) for
every u ∈ Fq m . Our main challenge henceforth is to understand the question: If f : Fm q → Fq is
a degree r polynomial, how large can the degree of f ◦ Φ be? We do not answer this question
right away, but define the parameter quantifying this effect next, and then design and analyze a
Reed-Muller decoding algorithm in terms of this parameter.

Definition 15.3.3. For prime power q and non-negative integers m and r , let the extension
degree of r over Fq m , denoted R q,m (r ), be the maximum degree of p ◦ Φ over all choices of p ∈
Fq [X 1 , . . . , X m ] (or the associated function p : Fm
q → Fq ) of degree at most r and over all Fq -linear
bijections Φ : Fq m → Fq .

Our algorithm and its analysis are quite natural modulo the analysis of R q,m (r ) and we de-
scribe them below.

274
Algorithm 20 R EED -S OLOMON - BASED D ECODER
I NPUT: q, r < m(q − 1), 0 ≤ e < (q m − R q,m (r ))/2, and function f : Fm
q → Fq .
m
O UTPUT: Output p such deg(p) ≤ r and |{x ∈ Fq |P (x) 6= f (x)}| ≤ e.
Let Φ : Fq m → Fm
q be an Fq -linear bijection
FOR u ∈ Fq m DO
F (u) ← f (Φ(u))
Let P be the output of decoding F using Reed-Solomon codes by Algorithm 23 ⊲ With inputs
k = R q,m (r ) + 1, n = q m and n pairs (u, F (u)) for every u ∈ Fq m .
FOR u ∈ Fm q DO
p(u) ← P (Φ−1 (u))
RETURN p

We note that the decoder here outputs a polynomial p ∈ Fq [X 1 , . . . , X m ] in terms of its func-
tion representation. If a coefficient representation is desired one can use some interpolation
algorithm to convert it. Other than such interpolation, most of the transformation above is
mostly syntactic, since a normal representation of Fq m is already in the form of vectors in Fm q via
some Fq -linear bijection. The only real work is in the call to the Reed-Solomon decoder.
Below we show that the algorithm above is correct for e < (q m − R q,m (r ))/2. The crux of the
analysis is in showing that this quantity is actually half the distance of the Reed-Muller code,
and we defer that analysis to the next section.
Proposition 15.3.4. Let f : Fm m
q → Fq be any function and let g : Fq → Fq be a degree r polynomial
such that |{u ∈ Fm m
q | f (u) 6= g (u)}| ≤ e < (q −R q,m (r ))/2. Then R EED -S OLOMON - BASED D ECODER ( f )
returns g
Proof. Let G = g ◦ Φ. Then we have that deg(G) ≤ R q,m (r ) and we have that {v ∈ Fq m |F (v) 6=
G(v)}| ≤ e < (q m − R q,m (r ))/2. Since the distance of the Reed-Solomon code with N = q m and
K = R m,q (r ) + 1 is N − K + 1 = q m − R q,m (r ) and e is less than half the distance, we have that
G is the unique polynomial with this property, and so the Reed-Solomon decoder must return
P = G. We conclude that p = P ◦ Φ−1 = G ◦ Φ−1 = g , as desired.

15.3.2 Analysis of Extension Degree

We start with a simple warmup result that already leads to an optimal algorithm for decoding
when r < q.
Proposition 15.3.5. R q,m (r ) ≤ r · q m−1 .
Proof. The proof following immediately from the definition and the fact that linear functions
are polynomials of degree q m−1 . Specifically, let p ∈ Fq [X 1 , . . . , X m ] be of degree at most r and
let Φ = (Φ1 , . . . , Φm ) be an Fq -linear bijection. Then since each Φi is a polynomial of degree
q m−1 we have that p(Φ1 (Z ), . . . , Φm (Z )) is a polynomial of degree at most r · q m−1 . Finally since
m
the reduction modulo (Z q − Z ) does not increase the degree we have p ◦ Φ is a polynomial of
degree at most r · q m−1 , as desried.

275
Corollary 15.3.6. If r < q then R EED -S OLOMON - BASED D ECODER decodes RM(q, m, r ) up to half
its minimum distance.
Proof. By Lemma 9.2.2 we have that the distance of the Reed-Muller code RM(q, m, r ) is (q −
r )·q m−1 . From Proposition 15.3.5 we have that R EED -S OLOMON - BASED D ECODER decodes pro-
vided e < (q m − R m,q (r ))/2 = (q m − r · q m−1 )/2 = (q − r ) · q m−1 /2, i.e., up to half the minimum
distance.

Finally we turn to the general case (i.e. r ≥ q). For this part, the crude bound that the
degree of f ◦ Φ is at most q m−1 · deg( f ) is no longer good enough. This bound is larger than q m ,
whereas every function has degree at most q m −1. To get the ‘right’ degree bound on the degree
m
of f ◦ Φ, we now need to use the fact that we can reduce any polynomial modulo (Z q − Z ) and
this leaves the underlying function on Fq m unchanged. Thus from this point on we will try to
m
understand the degree of f ◦Φ (mod Z q − Z ). Using this reduction properly we will eventually
be able to get the correct bound on the degree of f ◦ Φ. We state the bound next and then work
our way towards proving it.
Lemma 15.3.7. Let r = s(q − 1) + t where 0 ≤ t < q − 1. Then R q,m (r ) = q m − (q − t )q m−s−1 .
We first state the immediate consequence of Lemma 15.3.7 to the error-correction bound of
the Reed-Solomon-based decoder.
Theorem 15.3.8. For every prime power q, integers m ≥ 1 and 0 ≤ r < m(q − 1), the R EED -
S OLOMON - BASED D ECODER decodes RM(q, m, r ) up to half its minimum distance.
Proof. Let r = s(q − 1) + t with 0 ≤ t < q − 1. By the polynomial distance lemma (Lemma 9.4.1)
we have that the distance of the Reed-Muller code RM(q, m, r ) is (q − t ) · q m−s−1 . Combining
Proposition 15.3.4 with Lemma 15.3.7 we have that R EED -S OLOMON - BASED D ECODER decodes
provided e < (q m − R m,q (r ))/2 = (q − t ) · q m−s−1 /2, i.e., up to half the minimum distance of
RM(q, r, m).

The proof of Lemma 15.3.7 is somewhat involved and needs some new notions. We intro-
duce these notions next.
Definition 15.3.9 (q-degree). For integer d , let d 0 , d 1 , d 2 , . . . denote its expansion in base q, i.e.,
P
d = ∞ i d
i =0 d i q and 0 ≤ d i < qPfor every i . For a monomial Z ,Pdefine its q-degree, denoted
degq (Z d ), to be the quantity ∞ i =0 d i . For a polynomial p(Z ) =
d
d c d Z , define its q-degree,
denoted degq (p), to be maxd |cd 6=0 {degq (Z d )}.

For example deg2 (X 8 + X 3 + X + 1) = deg2 (X 3 ) = 2.

We describe some basic properties of q-degree below. Informally, the proposition below
proves (in parts (1)-(3)) that the q-degree behaves just like the regular degree when it comes
m
to addition, multiplication and reduction modulo Z q − Z . Note that while parts (1) and (2)
are natural, part (3) is already special in that it only holds for reduction modulo some special
polynomials. Finally part (4) of the proposition allows us to related the q-degree of a polynomial
with its actual degree and this will come in useful when we try to bound the degree of f ◦ Φ(
m
(mod Z )q − Z ).

276
Proposition 15.3.10. For every α, β ∈ Fq m and P, P 1 , P 2 ∈ Fq m [Z ] we have:

(1) degq (αP 1 + βP 2 ) ≤ max{degq (P 1 ), degq (P 2 )}.

(2) degq (P 1 · P 2 ) ≤ degq (P 1 ) + degq (P 2 ).

m
(3) degq (P (mod Z q − Z )) ≤ degq (P ). (Note that here the total degree deg(P ) can be strictly
greater than q m .)

(4) deg(P ) < q m and degq (P ) = s(q − 1) + t for 0 ≤ t < q − 1 implies

deg(P ) ≤ q m − (q − t )q m−s−1 .

Proof. Part (1) is immediate from the definition since the monomials of αP 1 + βP 2 is in the
union of the monomials of P 1 and P 2 . Next, note that due to part (1), it suffices to prove parts
(2)-(4) for monomials.
For part (2) for monomials, we wish to show that that degq (Z d · Z e ) ≤ degq (Z d ) + degq (Z e ).
P P P
Let d = i d i q i , e = i e i q i and let f = d +e = i f i q i . Then it can be verified that for every i we
Pi Pi
have j =0 f j ≤ j =0 (d j + e j ) (see Exercise 15.16) and this eventually implies
X X
degq (Z d +e ) = fj ≤ (d j + e j ) = degq (Z d ) + degq (Z e ). (15.3)
j j

i
³³ ⌊i /m⌋
´m ´i mod m
For part (3), note that since Z q = Zq ,

i m (i mod m)
Zq (mod Z q − Z ) = Z q .

So
i m (i mod m)
Z di q mod (Z q − Z ) = Z di q . (15.4)
P
We conclude that for d = d i q i with 0 ≤ d i < q we have:
i
³ ³ m ´´ ³ P ³ m ´´
di q i
degq Z d q
mod Z − Z = degq Z i mod Z − Zq
³ P i mod m
´
i di q
≤ degq Z
X ³ i mod m
´
≤ degq Z di q
i
X
= di
i
³ ´
d
= degq Z ,

as desried. In the above, the first inequality follows from Exercise 15.17 and the second inequal-
ity follows from part (2) while the final two equalities follows from definition of degq (·).
Finally we turn to part (4), which compares the (actual) degree of a polynomial to its q-
P
degree. Again it suffices to prove for monomials. Let d < q m be given by d = im−1 i
=0 d i q . Subject

277
 P
to the condition i d i ≤ s(q − 1) + t , we note that d is maximized when d m−1 = · · · = d m−s =
(q − 1) and d m−s−1 = t (see Exercise 15.18) in which case we get d + (q − t )q m−s−1 = q m , or
d = q m − (q − t )q m−s−1 .

Our next lemma relates the degree of a multivariate function f : Fm

q → Fq to the q-degree of
f ◦ Φ for a linear bijection Φ.

Lemma 15.3.11. For every polynomial p ∈ Fq [X 1 , . . . , X m ] and every Fq -linear bijection, we have
degq (p ◦ Φ) ≤ deg(p).

Proof. By Proposition 15.3.10, part (1), it suffices to prove the lemma for the special case of
r r P
monomials. Fix a monomial M (X 1 , . . . , X m ) = X 1 1 · · · X mm with j r j = r . Also fix an Fq -linear
m
bijection Φ = (Φ1 , . . . , Φm ). Let M̃ denote the univariate polynomial M ◦ Φ (mod Z q − Z ). Note
Q
that M ◦ Φ(Z ) = m ri
i =1 Φi (Z ) . And note further that degq (Φi (Z )) = 1 for every i . By Proposi-
¡Qm ¢ P
tion 15.3.10 part (2), we now conclude that degq i =1 Φi (Z )r i ≤ m i =1 r i = r . Finally by Propo-
sition 15.3.10 part (3) we have that
¡ ¢ ³ m
´
degq M̃ = degq M ◦ Φ (mod Z q − Z ) ≤ degq (M ◦ Φ) ≤ r,

as desried.
¡ ¢
We are now ready to prove Lemma 15.3.7 which asserts that R q,m s(q − 1) + t = q m − (q −
t )q m−s−1 .

Proof of Lemma 15.3.7. We focus on proving R q,m (s(q − 1) + t ) ≤ q m − (q − t )q m−s−1 . The other
direction follows from Exercise 15.19. Fix a polynomial p ∈ Fq [X 1 , . . . , X m ] of degree at most
r = s(q − 1) + t and consider the function p ◦ Φ : Fq m → Fq m . This corresponds to the polynomial
¡ m ¢
p̃(Z ) = p(Φ1 (Z ), . . . , Φm (Z )) mod Z q − Z . By Lemma 15.3.11 we have that degq (p̃) ≤ r . And
by construction deg(p̃) < q m . So by Proposition 15.3.10, part (4), we have that deg(p̃) ≤ q m −
(q − t )q m−s−1 , yielding the lemma.

15.4 Exercises
Exercise 15.1. Show that if q > deg( f ), then for any polynomial P ∈ Fq [X 1 , . . . , X m ], there exists
an m-dimensional affine form A such that deg(P ◦ A) = deg(P ).

Exercise 15.2. An s-variate d -form is a polynomial a(Z1 , . . . , Zm ) of degree at most d . Note that
d = 1 gives Definition 15.1.1. Similar to Definition 15.1.1 one can define an m-dimensional s-
variate d -form 〈a 1 , . . . , a m 〉. Finally, given such a d -form analogous to Definition 15.1.2, for an
m-variate polynomial P one can define P ◦ A.
Prove that
deg(P ◦ A) ≤ d · deg(P ).

278
Exercise 15.3. Prove that for every pair z1 6= z2 ∈ Fsq , for a random affine form A, A(z1 ) and A(z2 )
are distributed uniformly and independently over Fm q .

Exercise 15.4. Show that any two distinct polynomials in Fq [Z1 , . . . , Z s ] of degree at most r <
q(s − 1) differ in at least two positions x ∈ Fsq .
Hint: Use the polynomial distance lemma (Lemma 9.4.1).
1
Exercise 15.5. Let P ∈ Fq [X 1 , . . . , X m ] be a polynomial of degree at most r , 0 < γ < 2 and let
f : Fm
q → Fq be such that
µ ¶
1
e = |{x ∈ Fm
q |f (x) 6= P (x)}| ≤ − γ · q m−⌈(r +1)/(q−1)⌉ .
2
Then, for every x ∈ Fm q , the probability that L OCAL -D ECODE -RM-S IMPLE -I TER ( f , x) returns P (x)
1
is at least 2 + γ.
¡ 3m ¢
Exercise 15.6. Let g : Fm q → Fq and integer 0 ≤ r < m(q − 1) − 1 be given. Then one can in O q
operations compute a polynomial P ∈ Fq [X 1 , . . . , X m ] of degree at most r such that for every x ∈ Fm
q ,
P (x) = g (x) (if such a polynomial exists).
Hint: Use Exercise 2.6.

Exercise 15.7. If P : Fsq → Fq is a polynomial of degree r < s(q − 1) then

X
P (0) = − P (z).
z∈Fsq \{0}

Hint: Use Exercise 9.15.

Exercise 15.8. Let r = s(q − 1) − t . Then RM(q, s, r ) has distance at least (t + 1)q m−s .

Exercise 15.9. Let f : Fm 2 → F2 differ from a degree r polynomial P (of degree r ) in < 2m−r −1 lo-
P
cations. Show that majorityb∈Fm−r { a∈Fr2 f (a, b)} gives the coefficient of X 1 · · · X r in P (X 1 , . . . , X m )
P 2
and majorityb∈Fm−r { a∈Fr2 f (b, a)} (note the exchange of a and b) gives the coefficient of X m−r +1 · · · X m
2
in P (X 1 , . . . , X m ).

Exercise 15.10. Let f , g : Fm m m

q → Fq disagree in e positions x ∈ Fq . Then for any function h : Fq →
Fq , the functions f − h and g − h also disagree in e positions.

Exercise 15.11. Let f , g : Fm m

q → Fq disagree in e positions x ∈ Fq . Fix a subset S ⊆ [m] of size t .
Argue that there are at most e values of b ∈ Fm−t q for which there is an a ∈ Ftq such that f (S ←
a, S̄ ← b) 6= g (S ← a, S̄ ← b).

Exercise 15.12. Let Φ : Fq m → Fm

q be a linear bijection. How that

1. Φ can be viewed as m functions (Φ1 , . . . , Φm ) with Φi : Fq m → Fq so that Φ(u) = (Φ1 (u), . . . , Φm (u)).

2. Furthermore each Φi is a linear function from Fq m → Fq and each Φi can be viewed as a

polynomial in Fq m [Z ].

279
Exercise 15.13. Show that a linear-bijection is a linearized polynomial of degree q m−1 .

Exercise 15.14. Argue that if a linear subspace S ⊂ Fm q of dimension < m, then there (α1 , . . . , αm ) ∈
Pm
Fm
q \ {0} such that α β
i =1 i i = 0 for every (β 1 , . . . , β m ) ∈ S.
P
Exercise 15.15. Argue that the polynomial Tr(( i αi λi ) · Z ) from (15.2) is

1. Non-zero and has degree at most q m−1 ; and

2. Evaluates to zero on all u ∈ Fq m .

P i
Exercise 15.16. Let (d 0 , d 1 , . . . ) and (e 0 , e 1 , . . . ) be d and e in base q ≥ 2. Let f = d + e = i fi q .
P P
Then show that for every i we have ij =0 f j ≤ ij =0 (d j + e j ).
Hint: Use induction.

Exercise 15.17. Show that

³ P i
³ m ´´ ³ P i mod m
´
degq Z i di q mod Z q − Z ≤ degq Z i di q .
P Pm−1
Exercise 15.18. Show that subject to the condition im−1 i
=0 d i ≤ s(q − 1) + t , that d = i =0 d i q is
maximized when d m−1 = · · · = d m−s = (q − 1) and d m−s−1 = t .

Exercise 15.19. T ⊆ Fq be a set of size t . Consider the polynomial

q−1 q−1 Y
p(X 1 , . . . , X m ) = (X 1 − 1) · · · (X s − 1) · (X s+1 − a).
a∈T

Note that deg(p) = s(q − 1) + t .

1. Prove that for every linear bijection Φ, we have deg(p ◦ Φ) ≥ q m − (q − t )q m−s−1 .

Hint: How many zeroes does p have? What does this say about the degree of p ◦ Φ?

2. Conclude that R q,m (r ) ≥ q m − (q − t )q m−s−1 , where r = s(q − 1) + t where 0 ≤ t < q − 1.

15.5 Bibliographic Notes

We start with the history of the Majority Logic Decoder, Algorithm 19. This algorithm is the first
non-trivial algorithm in coding theory, dating back to the paper of Reed [107] from 1954. Indeed
the codes were proposed by Muller [97] and the reason Reed’s name is associated with the codes
is due to the decoding algorithm. Despite their “in hindsight” simplicity, the algorithm is partic-
ularly clever and subtle. One proof of the subtlety is in the fact that the algorithm doesn’t seem
to extend immediately to non-binary settings — indeed even extending to the ternary case ends
up involving some careful reasoning (and is settled in the work of Kim and Kopparty [80]).
See [134, Chapter 10] for details on near-linear time polynomial interpolation algorithm.
The Simple Reed-Muller Decoder, Algorithm 18, originates from the work of Beaver and
Feigenbaum [10] and Lipton [89]. (We note that neither paper mentions the codes by name,

280
and only consider the case r < q.) Subsequent works by Gemmell et al. [46] and Gemmell and
Sudan [48] extended these algorithms to correct a number of errors close to (but not matching)
half the distance of the code. These algorithms also played a central role in the theory of “locally
decodable codes” that we will describe later.
Finally, the Reed-Solomon-based Decoder, Algorithm 20, is due to Pellikaan and Wu [101],
who gave this algorithm in the context of “list-decoding”.

281
282
Chapter 16

Fast encoding: linear time encodable codes

In the last chapter we saw how low-density parity check (LDPC) matrices1 lead to codes with
very fast (linear-time) decoders. Unfortunately these codes are not known to be encodable as
efficiently. Indeed if one considers the generator matrix corresponding to a LPDC matrix of a
code with good distance, the generator matrix will have high density (see Exercise 1.14), and
so the natural encoding x 7→ x · G will take nearly quadratic time if carried out naively. This
motivates the following natural question:

Question 16.0.1. Do there exists (asymptotically good) binary code that are linear-time en-
codable (and linear time decodable?

In this chapter we will answer the above question in the affirmative and show how to con-
struct codes that can be encoded as well as decoded in linear time. This construction will rely
on ideas from Chapter ?? while involving a host of new ideas as well.

16.1 Overview of the construction

Our construction will yield a systematic code, i.e., one in which the first k coordinates of the
codeword are the message (see Exercise 2.16), the rest of the codeword are what we will call
check bits.
The first idea behind the construction is to use a low-density matrix as a generator. Of course
this idea can not possibly work on its own (recall Exercise 1.14). But it turns out that this idea
does work well as an ingredient in a more careful construction. Indeed to encode a message
x ∈ Fk2 , the first set of check bits, denote y1 will be obtained by multiplying m with a low-density
matrix G1 , i.e., y1 = x · G1 . The insight behind this step is that if y1 is known (i.e., there are no

1
We saw LDPC codes in Section 11.1.1.

283
errors in the check bit part) then the x can be recovered from x̂ that is close to x, in the same
way that we decoded LDPC codes from errors. (We will elaborate on this in Section 16.2.2.)
So our attention from now turns to protecting y1 from errors. Here the advantage we will
have is that y1 will be smaller in length that x and so we can assume that such a code is available
by induction. Indeed this is the second idea, and this is what we will implement in the rest of
the chapter. We thus add some more checkbits y2 which will correspond to the checkbits when
encoding y1 by a smaller, linear-time encodable code.
Unfortunately we can not stop at this stage. While we can use the fact that y1 has smaller
length than x to our advantage, the smaller code can only correct a smaller number of errors
(proportionate to the length of the code). So we can not hope that y1 will be recovered com-
pletely without protecting it further. Indeed we do so by adding more checkbits, denoted y3
that will protect the pair (y1 , y2 ).
This brings us to our final idea which is a strengthening of the idea in the first step. We will
compute y3 = [y1 y2 ] · G 2 where G 2 is another low-density matrix (of appropriate dimensions).
Earlier we had asserted that if y3 is known completely and [y1 , y2 ] are known up to a few errors,
then y1 and y2 can be recovered completely. However a more robust version of this statement
can be proved: If we are given y1 , y2 and y3 each with few errors, then an LDPC-type decoding
algorithm can reduce the amount of error in y1 and y2 to an even smaller amount. With a careful
choice of parameters, we can actually endure that the error in (y1 , y2 ) is small enough to allow
our inductive idea (more precisely the ‘second idea’ above) to work correctly and thus recover
y1 completely. And in turn, our first step will now manage to recover x completely.
In what follows we give details of the construction sketched above. To keep the number of
parameters under control we focus on the case of codes of rate 1/4. In particular, we will show
that

Theorem 16.1.1. There exists linear-time encodable and decodable codes of rate 14 .

Exercise 16.5 shows how to build codes of higher rate. We start with the error-reduction algo-
rithms and show that the codes obtained by computing checkbits by multiplying the message
with a low-density matrix have nice error-reduction properties. Armed with this ingredient we
describe our codes in Section 16.3. Finally we describe the encoding and decoding algorithms
in Section 16.4 and analyze the running times there.

16.2 Low-density Error-Reduction Codes

While we described the ‘first-step” of the encoding operation as a matrix-vector multiplication,
what will be important to us is the graph theoretic view. Recall from Definition 11.1.2 that an
n × m matrix G over F2 can be viewed as a bipartite graph B with n left vertices, m right vertices
with G i j = 1 if and only if there is an edge from left vertex i to right vertex j . In these terms the
product x · G corresponds to taking a 0/1 labeling of the left vertices and assigning labels to the
right vertices, where the label of a right vertex j is the parity of the labels of its neighbors, i.e.,
the quantity ⊕{i |G i j =1} x i (where as usual we assume x = (x 1 , . . . , x n ).

284
 Let B = ([n], [m], E ) be a bipartite graph. For j ∈ [m], let

N ( j ) = {i ∈ [n]|(i , j ) ∈ E }

denote the neighborhoods of the ‘right’ vertices in B . Let x ∈ Fn2 be an arbitrary labeling of the
left vertices, and let y ∈ Fm2 be the derived labeling of the right vertices, i.e., y j = ⊕i ∈N ( j ) x i . Let
x̂ and ŷ be vectors that are ‘close’ to x and y. In what follows we show that if B is a sufficiently
good ‘expander’ then a variant of the decoding algorithm from Section ?? produces as output a
vector x̃ that is ‘very’ close to x. (We will quantify the many adjectives that we’ve used loosely in
Lemma 16.2.1 below.)

16.2.1 The Code

We assume the existence of good bipartite expanders as guaranteed by Theorem 11.2.6. We
recall the notion and theorem first. Recall that a (n, m, D, γ, α)-expander is a bipartite graph
with [n] as the left vertex sets, [m] as the right vertex set, left degree D, and satisfies the feature
that every subset S ⊆ [n] with |S| ≤ γn, we have |N (S)| ≥ α|S|. We will apply the Theorem 11.2.6
with n = k = 2t for integer t , m = k/2, and ε = 1/8. Let B k denote the resulting bipartite graphs
— so B k is a (k, k/2, D, γ, (7/8)D)-expander for D = O(1) and γ = Ω(1). Finally we will assume
that in B k all right vertices have degree O(1) (see Exercise 16.1).
Given the graphs B k we now define our Error-reduction codes. These codes have rate 2/3
and thus map k message bits to 3k/2 codeword bits, of which the first k are the message bits,
and k/2 remaining bits are the check bits.
The error-reduction code R̃ k is easy to define: Given x ∈ Fk2 let y ∈ Fk/2 2 be given by y j =
P
x
{i |i ∈N ( j )} i , where N ( j ) denotes the neighbors of j in B k . We let R k s(x) = y and the encoding
R̃ k : x 7→ (x, R k (x)).

Throughout this chapter we adopt of the convention of using C̃ (·) to denote some system-
atic encoding, where C (·) denotes the checkbit part of the encoding.
Thus the code is quite simple. Next we describe an almost equally simple ‘error-reduction’
procedure. The most involved part of the section is describing the error-reduction property
(and then proving it!).

16.2.2 G EN -FLIP Algorithm

We formally write down the error-reduction algorithm in Algorithm 21.

16.2.3 Error-Reduction Guarantee

As motivated earlier, we would like the error-reduction algorithm to have two crucial features:

1. If (x, y = R k (x)) is a codeword, and δ(x̂, x) is sufficiently small, then we want G EN -FLIP(x̂, y)
to output x.

285
Algorithm 21 G EN -FLIP
I NPUT: bipartite graph B = ([n], [m], E ) and vectors x̂ ∈ Fn2 , ŷ ∈ Fm
2
O UTPUT: x̃ ∈ Fn2

1: x̃ ← x̂
⊲ We say j ∈ [m] is satisfied if ŷ j = ⊕i ∈N ( j ) x̃ i and unsatisfied otherwise.
2: WHILE there exists i ∈ [n] with more unsatisfied than satisfied neighbors in N (i ) DO
3: Flip x̃ i and update the list of satisfied and unsatisfied vertices in [m].
4: RETURN x̃

2. On the other hand when the exact check bits are not available, we can’t hope to get x
exactly. So in this case we would settle for a guarantee of the form: ‘if δ(x̂, x) and δ(ŷ, y)
are small, then G EN -FLIP(x̂, ŷ) outputs x̃ such that δ(x̃, x) is even smaller’.

The following lemma gives both these properties in a smooth way.

Lemma 16.2.1. There exists β > 0 such that for all k = 2t the following holds for the error-
reduction code R k and the algorithm G EN -FLIP: For every x, x̂ ∈ Fk2 and y, ŷ ∈ Fk/2 2 such that
(x, y) = R k (x), ∆(x, x̂) ≤ βk and ∆(y, ŷ) ≤ βk, it is the case that the output x̃ =G EN -FLIP(x̂, ŷ) satis-
fies ∆(x, x̃) ≤ ∆(y, ŷ)/2.

Proof. Let a denote ∆(x, x̂) and let

A = {i |x i 6= xˆi } .
Similarly let b = ∆(y, ŷ) and let © ª
B = j |y j 6= ŷ j .
We have a, b ≤ βk. We will set
γ
β=
D +2
so that we have a(D + 1) + b ≤ γk (recall D is the degree of B k ). Assume also that D ≥ 8 (see
Exercise 16.2 on why this assumption is fine for Theorem 11.2.6).
We first claim that the initial number of unsatisfied right nodes is at most aD + b. This is so
since if j 6∈ N (A) ∪ B then
ŷ j = y j = ⊕i ∈N ( j ) x i = ⊕i ∈N ( j ) xˆi
and so j is satisfied. We conclude number of initially unsatisfied right nodes is at most

|N (A) ∪ B | ≤ aD + b.

Next, we derive from the above that at the end of all iterations ∆(x, x̃) ≤ a(D + 1) + b. This is
so since initially ∆(x, x̃) = a. And in each iteration we change at most one bit of x̃. And the total
number of iterations is upper bounded by the number of initially unsatisfied right nodes, since
in each iteration the number of unsatisfied nodes decreases by one (see Exercise 16.3).
Let
S = {i |x̃ i 6= x i }

286
at the end of the algorithm G EN -FLIP, and let T be the set of unsatisfied right vertices at the
end. From the previous para we have
|S| ≤ a(D + 1) + b ≤ γk.
Let U (S) be the unique neighbors of S, i.e.,
© ª
U (S) = j ||N ( j ) ∩ S| = 1 .
(See Definition 11.2.3.) Recall by Lemma 11.2.9 that
3D
|U (S)| ≥ (1 − 2ε)D|S| = · |S|,
4
where we used that ε = 81 . Now every vertex in U (S) \ B must be an unsatisfied vertex and so
3D
|T | ≥ |U (S) \ B | ≥ · |S| − b.
4
On the other hand at the end the total number of unsatisfied vertices must be less than D2 ·
|S| or else some vertex in S has more than D2 unsatisfied neighbors and thus more unsatisfied
neighbors than satisfied ones. We thus conclude
3D|S| D
− b ≤ |T | ≤ · |S|.
4 2
Rearranging and simplifying, we get
4b b
|S| ≤ ≤
D 2
as desired.

It turns out that the above result also holds if we defined B k based on expanders with fewer
right neighbors (as long as it has good enough expansion)– see Exercise 16.4.

16.3 The error-correcting code: Recursive construction

Armed with the error-reduction codes R k , we are now ready to construct our error-correcting
codes C k for k = 2t for every integer t . These codes will have rate 1/4 (so |C k (x)| = 3k and
|C̃ k (x)| = 4k for x ∈ Fk2 ).
We define the codes inductively. For small enough constants k (in particular, let k 0 be a
constant such that for all k ≤ k 0 ), C k will be chosen to be check bits of some arbitrary systematic
code of rate 1/4.
For the inductive step, assume the code C k/2 has been defined. For x ∈ Fk2 , we define the
encoding
C k (x) = (y1 , y2 , y3 ) where y1 = R k (x), y2 = C k/2 (y1 ) and y3 = R 2k (y1 , y2 ).
The final code is defined by
C̃ k (x) = (x,C k (x)).
See Figure 16.1 for an illustration of C k .

287
 x x

Rk y1

Ck y2
2

R 2k y3
C̃ k Ck

Figure 16.1: The recursive construction of C k . The final code C̃ k is also shown.

16.4 Analysis
We analyze the encoding first, and then describe the decoding algorithm and analyze it. The
analysis will show that the code corrects Ω(1)-fraction of error and this will also establish that
the code has constant relative distance.

16.4.1 Encoding Analysis

First we note that the error-reduction coding takes linear time. In particular it was argued in
the proof of Lemma 16.2.1 that the number of iterations is linear, and we note in Exercise 16.6
each iteration can be implemented in constant time. Let B be the constant such that R k (x) can
be computed in Bk time for x ∈ Fk2 .
Let TE (k) denote the time to encode a vector x ∈ Fk2 . We assert that there exists a constant A
such that TE (k) ≤ Ak. For constant k we ensure this picking A large enough and so we turn to
the inductive part. We now have (see Exercise 16.7)

TE (k) ≤ Bk + TE (k/2) + 2Bk. (16.1)

By induction, the above implies that

TE (k) ≤ 3Bk + Ak/2.

So if 3B ≤ A/2 (or equivalently A ≥ 6B which we can ensure) then we have TE (k) ≤ Ak as desired.

288
16.4.2 Decoding Algorithm
The decoding algorithm is straightforward. Following our norm for systematic codes, we will
only try to recover the correct message bits given potentially corrupted message and check bits.
We describe below the algorithm L INEAR-D ECODE whose input is a 4-tuple (x̂, yˆ1 , yˆ2 , yˆ3 ) cor-
responding to a corrupted message x̂ and corrupted checkbits (yˆ1 , yˆ2 , yˆ3 ). Its output will be a
vector x̃ which hopefully equals the original message.

Algorithm 22 L INEAR-D ECODE

3k/2
I NPUT: (x̂, yˆ1 , yˆ2 , yˆ3 ) where x̂ ∈ Fk2 , yˆ1 ∈ Fk/2
2 , yˆ2 ∈ F2 and yˆ3 ∈ Fk2
O UTPUT: x̃ ∈ Fk2

1: IF k ≤ k 0 THEN
2: RETURN D M LD (x̂, yˆ1 , yˆ2 , yˆ3 ) ⊲ Run Algorithm 2 for C̃ k
3: Set (y˜1 , y˜2 ) ←G EN -FLIP(B 2k , (yˆ1 , yˆ2 ), yˆ3 ).
4: Set (z1 , z2 ) ←L INEAR -D ECODE (y˜1 , y˜2 ).
5: Set x̃ ←G EN -FLIP(B k , x̂, z1 ).
6: RETURN x̃

In English, the algorithm first reduces the error in the y1 , y2 part using the properties of the
error-reduction code R 2k . Then it recursively decodes y1 from the information in the error-
reduced y1 , y2 -parts. Hopefully at this stage y1 is completely corrected. Finally it uses the error-
reduction code R k to now recover x. We analyze this in the following section.

16.4.3 Analysis of the decoder

We first note that running time analysis is similar to that of the encoder and so we defer it to
Exercise 16.8. We turn to the correctness claim. The lemma below asserts that the decoder
corrects βk errors where β is the constant from Lemma 16.2.1. (Note that this implies that the
code corrects a β/4 fraction of errors since the length of the codeword is 4k.)

Lemma 16.4.1. Let β > 0 be the constant from Lemma 16.2.1. The Algorithm L INEAR-D ECODE
corrects βk errors for codes of message length k. Specifically on input (x̂, yˆ1 , yˆ2 , yˆ3 ) such that
∆((x̂, yˆ1 , yˆ2 , yˆ3 ), C̃ k (x)) ≤ βk, L INEAR-D ECODE outputs x.

Proof. We prove the lemma by induction on k. Suppose we have the claim for all k ′ < k (see
Exercise 16.9).
Let (y1 , y2 , y3 ) = C k (x). Since ∆((x̂, yˆ1 , yˆ2 , yˆ3 ), C̃ k (x)) ≤ βk, we have in particular that ∆((y1 , y2 ), (yˆ1 , yˆ2 )) ≤
βk and ∆(y3 , yˆ3 ) ≤ βk. Thus by Lemma 16.2.1, the output (y˜1 , y˜2 ) of G EN -FLIP(B 2k , (yˆ1 , yˆ2 ), yˆ3 )
in Step 1 satisfies ∆((y1 , y2 ), (y˜1 , y˜2 )) ≤ ∆(y3 , yˆ3 )/2 ≤ βk/2.
Now we turn to Step 2. By induction we have that L INEAR-D ECODE decodes from βk/2 errors
when decoding for messages of length k/2. Since ∆((y1 , y2 ), (y˜1 , y˜2 )) ≤ βk/2, we thus have that
L INEAR-D ECODE(y˜1 , y˜2 ) outputs z1 , z2 and so z1 = y1 and z2 = y2 .

289
 Finally, in Step 3, we now have ∆(x̂, x) ≤ βk (another consequence of ∆((x̂, yˆ1 , yˆ2 , yˆ3 ), C̃ k (x)) ≤
βk) and so the output x̃ of Step 3 satisfies ∆(x̃, x) ≤ ∆(z1 , y1 )/2 = 0, or in other words x̃ = x. We
thus conclude that L INEAR-D ECODE corrects decodes from βk errors.

16.5 Exercises
Exercise 16.1. Argue that B k as defined in Section 16.2.1 can be assumed to have O(1) maximum
right degree.
Hint: Use Lemma 11.2.5.

Exercise 16.2. Argue why in Theorem 11.2.6 one can assume D ≥ 8 (or more generally we can
assume it is larger than any constant).

Exercise 16.3. Argue that in each iteration of G EN -FLIP the number of unsatisfied nodes de-
creases by one.

Exercise 16.4. Let α > 0 be such that (1/α)t is an integer. Let k = (1/α)t and let B k be an (k, α ·
k, D, γ, 7D/8)-expander for D = O(log(1/α)) and γ = Ω(α/D). Then define error-reduction code
as we did earlier in Section 16.2.1 but with this updated B k (note that earlier we used α = 21 ). Run
G EN -FLIP with this updated B k . Argue the following claim.
There exists β > 0 such that for all k = (1/α)t the following holds for the error-reduction code
R k and G EN -FLIP as defined above: For every x, x̂ ∈ Fk2 and y, ŷ ∈ Fαk2 such that (x, y) = R k (x),
∆(x, x̂) ≤ βk and ∆(y, ŷ) ≤ βk, it is the case that the output x̃ =G EN -FLIP(x̂, ŷ) satisfies ∆(x, x̃) ≤
∆(y, ŷ)/2.

Exercise 16.5. For every rate R ∈ (0, 1) give a linear-time encodable and decodable code of rate at
least R correcting some ε(R) > 0 fraction of errors.

Hint: Exercise 16.4 and Theorem 16.1.1 might be useful here.

Exercise 16.6. Argue that each iteration of G EN -FLIP (i.e. Lines 2 and 3) can be implemented in
O(1) time.

Exercise 16.7. Argue (16.1).

Exercise 16.8. Argue why L INEAR-D ECODE is a linear time algorithm.

Exercise 16.9. Argue Lemma 16.4.1 for the case when k ≤ k 0 .

16.6 Bibliographic Notes

The construction of this chapter is due to Spielman [121].

290
Chapter 17

Efficient Decoding of Reed-Solomon Codes

So far in this book, we have shown how to efficiently decode explicit codes up to half of the
Zyablov bound (Theorem 13.3.3) and how to efficiently achieve the capacity of the BSCp (The-
orem 14.4.1). The proofs of both of these results assumed that one can efficiently do unique
decoding for Reed-Solomon codes up to half its distance (Theorem 13.2.1). In this chapter, we
present such a unique decoding algorithm. Then we will generalize the algorithm to a list de-
coding algorithm that efficiently achieves the Johnson bound (Theorem 7.3.1).

17.1 Unique decoding of Reed-Solomon codes

Consider the [n, k, d = n−k+1]q Reed-Solomon code with evaluation points (α1 , · · · , αn ). (Recall
Definition 5.2.1.) Our goal is to describe
¡ an algorithm
¢ that corrects up to e errors (where e <
n−k+1 n
2 ) in polynomial time. Let y = y 1 , · · · , y n ∈ F q be the received word. We will now do a
syntactic shift that will help us better visualize all the decoding algorithms in this chapter. In
particular, we will also think of y as the set of ordered pairs {(α1 , y 1 ), (α2 , y 2 ), . . . , (αn , y n )}, that is,
as a collection of “points" in “2-D space." See Figure 17.1 for an illustration. From now on, we
will switch back and forth between our usual vector interpretation of y and this new geometric
notation.
¡ Further, nlet ¢us assume that there exists a polynomial P (X ) of degree at most k − 1 such that
∆ y, (P (αi ))i =1 ≤ e. (Note that if such a P (X ) exists then it is unique.) See Figure 17.2 for an
illustration.
We will use reverse engineering to design a unique decoding algorithm for Reed-Solomon
codes. We will assume that we somehow know P (X ) and then prove some identities involving
(the coefficients of) P (X ). Then, to design the algorithm, we will just use the identities and try
to solve for P (X ). Towards this end, let us assume that we also magically got our hands on a
polynomial E (X ) such that

E (αi ) = 0 if and only if y i 6= P (αi ) .

E (X ) is called an error-locator polynomial. We remark that there exists such a polynomial of

291
 yi

7
6
5
4
3
2
1
−6 −4 −2 2 4 6
αi
−7 −5 −3 −1 1 3 5 7
−1
−2
−3
−4
−5
−6
−7

n = 14, k = 2, e = 6

Figure 17.1: An illustration of a received word for a [14, 2] Reed-Solomon code

(we have implicitly embedded the field Fq in the set {−7, . . . , 7}). The evalua-
tions points are (−7, −5, −4, −3, −2, −1, 0, 1, 2, 3, 4, 5, 6, 7) and the received word is
(−7, 5, −4, −3, 2, −4, 0, 1, −2, 3, 4, −5, −2, 7).

degree at most e. In particular, consider the polynomial:

Y
E (X ) = (X − αi ) .
i :y i 6=P (αi )

See Figure 17.3 for an illustration of the E (X ) corresponding to the received word in Figure 17.1.

Now we claim that for every 1 ≤ i ≤ n,

y i E (αi ) = P (αi ) E (αi ) . (17.1)

To see why (17.1) is true, note that if y i 6= P (αi ), then both sides of (17.1) are 0 (as E (αi ) = 0).
On the other hand, if y i = P (αi ), then (17.1) is obviously true.
All the discussion above does not seem to have made any progress as both E (X ) and P (X ) are
unknown. Indeed, the task of the decoding algorithm is to find P (X )! Further, if E (X ) is known
then one can easily compute P (X ) from y (the proof is left as an exercise). However, note that we
can now try and do reverse engineering. If we think of coefficients of P (X ) (of which there are
k) and the coefficients of E (X ) (of which there are e + 1) as variables, then we have n equations
from (17.1) in e + k + 1 variables. From our bound on e, this implies we have more equations
than variables. Thus, if we could solve for these unknowns, we would be done. However, there

292
 yi P (X ) = X

7
6
5
4
3
2
1
−6 −4 −2 2 4 6
αi
−7 −5 −3 −1 1 3 5 7
−1
−2
−3
−4
−5
−6
−7

n = 14, k = 2, e = 6

Figure 17.2: An illustration of the closest codeword P (X ) = X for the received word from Fig-
ure 17.1. Note that we are considering polynomials of degree 1, which are “lines."

is a catch– these n equations are quadratic equations, which in general are NP-hard to solve.
However, note that for our choice of e, we have e + k − 1 ≪ n. Next, we will exploit this with a
trick that is sometimes referred to as linearization. The idea is to introduce new variables so that
we can convert the quadratic equations into linear equations. Care must be taken so that the
number of variables after this linearization step does not exceed the (now linear) n equations.
Now we are in familiar territory as we know how to solve linear equations over a field (e.g. by
Gaussian elimination). (See section 17.4 for some more discussion on the hardness of solving
quadratic equations and the linearization technique.)
def
To perform linearization, define N (X ) = P (X ) · E (X ). Note that N (X ) is a polynomial of
degree less than or equal to e + k − 1. Further, if we can find N (X ) and E (X ), then we are done.
This is because we can compute P (X ) as follows:

N (X )
P (X ) = .
E (X )
The main idea in the Welch-Berlekamp algorithm is to “forget" what N (X ) and E (X ) are
meant to be (other than the fact that they are degree bounded polynomials).

17.1.1 Welch-Berlekamp Algorithm

Algorithm 23 formally states the Welch-Berlekamp algorithm.
As we have mentioned earlier, computing E (X ) is as hard as finding the solution polynomial
P (X ). Also in some cases, finding the polynomial N (X ) is as hard as finding E (X ). E.g., given

293
 yi

7
6
5
4
3
2
1
−6 −4 −2 2 4 6
αi
−7 −5 −3 −1 1 3 5 7
−1
−2
−3
−4
−5
−6
−7

E (X ) is the product of these lines

n = 14, k = 2, e = 6

Figure 17.3: An illustration of the the error locator polynomial E (X ) = (X + 5)(X + 2)(X + 1)(X −
2)(X − 5)(X − 6) for the received word from Figure 17.1. Note that E (X ) is the product of the
green lines.

N (X ) and y (such that y i 6= 0 for 1 ≤ i ≤ n) one can find the error locations by checking positions
where N (αi ) = 0. While each of the polynomials E (X ) , N (X ) is hard to find individually, the
main insight in the Welch-Berlekamp algorithm is that computing them together is easier.
Next we analyze the correctness and run time of Algorithm 23.

Correctness of Algorithm 23. Note that if Algorithm 23 does not output fail, then the algo-
rithm produces a correct output. Thus, to prove the correctness of Algorithm 23, we just need
the following result.
Theorem 17.1.1. If (P (αi ))ni=1 is transmitted (where P (X ) is a polynomial of degree at most k −1)
and at most e < n−k+1
2 errors occur (i.e. ∆(y, (P (αi ))ni=1 ) ≤ e), then the Welch-Berlekamp algo-
rithm outputs P (X ).
The proof of the theorem above follows from the subsequent claims.
Claim 17.1.2. There exist a pair of polynomials E ∗ (X ) and N ∗ (X ) that satisfy Step 1 such that
N ∗ (X )
E ∗ (X ) = P (X ).
1 (X ) N2 (X )
Note that now it suffices to argue that N E 1 (X ) = E 2 (X ) for any pair of solutions ((N1 (X ), E 1 (X ))
and (N2 (X ), E 2 (X )) that satisfy Step 1, since Claim 17.1.2 above can then be used to see that ratio
must be P (X ). Indeed, we will show this to be the case:

294
Algorithm 23 Welch-Berlekamp Algorithm
I NPUT: n ≥ k ≥ 1, 0 < e < n−k+1
2 and n pairs {(αi , y i )}ni=1 with αi distinct
O UTPUT: Polynomial P (X ) of degree at most k − 1 or fail.

1: Compute a non-zero polynomial E (X ) of degree exactly e, and a polynomial N (X ) of degree

at most e + k − 1 such that
y i E (αi ) = N (αi ) 1 ≤ i ≤ n. (17.2)
2: IF E (X ) and N (X ) as above do not exist or E (X ) does not divide N (X ) THEN
3: RETURN fail
N (X )
4: P (X ) ← E (X ) .
5: IF ∆(y, (P (αi ))ni =1
) > e THEN
6: RETURN fail
7: ELSE
8: RETURN P (X )

Claim 17.1.3. If any two distinct solutions (E 1 (X ), N1 (X )) 6= (E 2 (X ), N2 (X )) satisfy Step 1, then

they will satisfy
N1 (X ) N2 (X )
= .
E 1 (X ) E 2 (X )

Proof of Claim 17.1.2. We just take E ∗ (X ) to be the error-locating polynomial for P (X ) and let
N ∗ (X ) = P (X )E ∗ (X ) where deg(N ∗ (X )) ≤ deg(P (X ))+deg(E ∗ (X )) ≤ e+k−1. In particular, define
E ∗ (X ) as the following polynomial of degree exactly e:
¡ n
¢ Y
E ∗ (X ) = X e−∆ y,(P (αi ))i =1 (X − αi ). (17.3)
1≤i ≤n|y i 6=P (αi )

By definition, E ∗ (X ) is a non-zero polynomial of degree e with the following property:

E ∗ (αi ) = 0 iff y i 6= P (αi ).

We now argue that E ∗ (X ) and N ∗ (X ) satisfy (17.2). Note that if E ∗ (αi ) = 0, then N ∗ (αi ) =
P (αi )E ∗ (αi ) = y i E ∗ (αi ) = 0. When E ∗ (αi ) 6= 0, we know P (αi ) = y i and so we still have P (αi )E ∗ (αi ) =
y i E ∗ (αi ), as desired.

Proof of Claim 17.1.3. Note that the degrees of the polynomials N1 (X )E 2 (X ) and N2 (X )E 1 (X )
are at most 2e + k − 1. Let us define polynomial R(X ) with degree at most 2e + k − 1 as follows:

R(X ) = N1 (X )E 2 (X ) − N2 (X )E 1 (X ). (17.4)

Furthermore, from Step 1 we have, for every i ∈ [n] ,

N1 (αi ) = y i E 1 (αi ) and N2 (αi ) = y i E 2 (αi ). (17.5)

295
Substituting (17.5) into (17.4) we get for 1 ≤ i ≤ n:

R(αi ) = (y i E 1 (αi ))E 2 (αi ) − (y i E 2 (αi ))E 1 (αi )

= 0.

The polynomial R(X ) has n roots and

deg(R(X )) ≤ e + k − 1 + e
= 2e + k − 1
< n,

Where the last inequality follows from the upper bound on e. Since deg(R(X )) < n, by the degree
mantra (Proposition 5.2.4) we have R(X ) ≡ 0. This implies that N1 (X )E 2 (X ) ≡ N2 (X )E 1 (X ). Note
1 (X ) N2 (X )
that as E 1 (X ) 6= 0 and E 2 (X ) 6= 0, this implies that N
E 1 (X ) = E 2 (X ) , as desired.

Implementation of Algorithm 23. In Step 1, N (X ) has e + k unknowns and E (X ) has e + 1

unknowns. For each 1 ≤ i ≤ n, the constraint in (17.2) is a linear equation in these unknowns.
Thus, we have a system of n linear equations in 2e + k + 1 < n + 2 unknowns. By claim 17.1.2,
this system of equations have a solution. The only extra requirement is that the degree of the
polynomial E (X ) should be exactly e. We have already shown E (X ) in equation (17.3) to satisfy
this requirement. So we add a constraint that the coefficient of X e in E (X ) is 1. Therefore, we
have n + 1 linear equations in at most n + 1 variables, which we can solve in time O(n 3 ), e.g. by
Gaussian elimination.
Finally, note that Step 4 can be implemented in time O(n 3 ) by “long division.” Thus, we have
proved that Algorithm 23 runs in polynomial time.

Theorem 17.1.4. For any [n, k]q Reed-Solomon code, unique decoding can be done in O(n 3 ) time
up to d −1 n−k
2 = 2 number of errors.

Recall that the above is a restatement of the error decoding part of Theorem 13.2.1. Thus,
this fills in the final missing piece from the proofs of Theorem 13.3.3 (decoding certain concate-
nated codes up to half of their design distance) and Theorem 14.4.1 (efficiently achieving the
BSCp capacity).

17.2 List Decoding Reed-Solomon Codes

Recall Question 7.4.3, which
p asks if there is an efficient list decoding algorithm for a code of rate
R > 0 that can correct 1 − R fraction of errors. Note that in the question above,p explicitness is
not an issue as e.g., a Reed-Solomon code of rate R by the Johnson bound is (1 − R,O(n 2 ))-list
decodable (Theorem 7.3.1).
We willp study an efficient list decoding algorithm for Reed-Solomon codes that can correct
up to 1 − R fraction of errors. To this end, we will present a sequence of algorithms for (list)
decoding Reed-Solomon codes that ultimately will answer Question 7.4.3.

296
 Before we talk about the algorithms, we restate the (list) decoding problem for Reed-Solomon
codes. Consider any [n, k]q Reed-Solomon code that has the evaluation set {α1 , . . . , αn }. Below
is a formal definition of the decoding problem for Reed-Solomon codes:

• Input: Received word y = (y 1 , . . . , y n ), y i ∈ Fq and error parameter e = n − t .

• Output: All polynomials P (X ) ∈ Fq [X ] of degree at most k − 1 such that P (αi ) = y i for

at least t values of i .
Our main goal of course is to make t as small as possible.
n +k
We begin with the unique decoding regime, where t > . We looked at the Welch-
2
Berlekamp algorithm in Algorithm 23, which we restate below in a slightly different form (that
will be useful in developing the subsequent list decoding algorithms).

• Step 1: Find polynomials N (X ) of degree k + e − 1, and E (X ) of degree e such that

N (αi ) = y i E (αi ), for every 1 ≤ i ≤ n

• Step 2: If Y −P (X ) divides Q(X , Y ) = Y E (X )−N (X ), then output P (X ) (assuming ∆(y, (P (αi ))ni=1 ) ≤
e).
N (X )
Note that Y −P (X ) divides Q(X , Y ) in Step 2 above if and only if P (X ) = E (X )
, which is exactly
what Step 4 does in Algorithm 23.

17.2.1 Structure of list decoding algorithms for Reed-Solomon

Note that the Welch-Berlekamp Algorithm has the following general structure:

• Step 1: (Interpolation Step) Find non-zero Q(X , Y ) such that Q(αi , y i ) = 0, 1 ≤ i ≤ n.

• Step 2: (Root Finding Step) If Y − P (X ) is a factor of Q(X , Y ), then output P (X ) (assuming

it is close enough to the received word).

In particular, in the Welch-Berlekamp algorithm we have Q(X , Y ) = Y E (X )−N (X ) and hence,

Step 2 is easy to implement.
All the list decoding algorithms that we will consider in this chapter will have the above
two-step structure. The algorithms will differ in how exactly Step 1 is implemented. Before we
move on to the details, we make one observation that will effectively “take care of" Step 2 for us.
Note that Step 2 can be implemented if one can factorize the bivariate polynomial Q(X , Y ) (and
then only retain the linear factors of the form Y − P (X )). Fortunately, it is known that factoring
bivariate polynomials can be done in polynomial time (see e.g. [78]). We will not prove this
result in the book but will use this fact as a given.
Finally, to ensure the correctness of the two-step algorithm above for Reed-Solomon codes,
we will need to ensure the following:

297
 • Step 1 requires solving for the co-efficients of Q(X , Y ). This can be done as long as the
number of coefficients is greater than the the number of constraints. (The proof of this
fact is left as an exercise.) Also note that this argument is a departure from the correspond-
ing argument for the Welch-Berlekamp algorithm (where the number of coefficients is
upper bounded by the number of constraints).

• In Step 2, to ensure that for every polynomial P (X ) that needs to be output Y − P (X ) di-
vides Q(X , Y ), we will add restrictions on Q(X , Y ). For example, for the Welch-Berlekamp
algorithm, the constraint is that Q(X , Y ) has to be of the form Y E (X ) − N (X ), where E (X )
and N (X ) are non-zero polynomials of degree e and at most e + k − 1 respectively.

Next, we present the first instantiation of the algorithm structure above, which leads us to
our first list decoding algorithm for Reed-Solomon codes.

17.2.2 Algorithm 1
The main insight in the list decoding algorithm that we will see is that if we carefully control the
degree of the polynomial Q(X , Y ), then we can satisfy the required conditions that will allow
us to make sure Step 1 succeeds. Then we will see that the degree restrictions, along with the
degree mantra (Proposition 5.2.4), will allow us to show Step 2 succeeds too. The catch is in
defining the correct notion of degree of a polynomial. We do that next.
First, we recall the definition of maximum degree of a variable.

Definition 17.2.1. deg X (Q) is the maximum degree of X in any monomial of Q(X , Y ). Similarly,
degY (Q) is the maximum degree of Y in any monomial of Q(X , Y )

For example, for Q(X , Y ) = X 2 Y 3 + X 4 Y 2 , deg X (Q) = 4 and degY (Q) = 3. Given deg X (Q) = a
and degY (Q) = b, we can write X
Q(X , Y ) = ci j X i Y j ,
0≤i ≤a,
0≤ j ≤b

where the coefficients c i j ∈ Fq . Note that the number of coefficients is equal to (a + 1)(b + 1).
The main idea in the first list decoding algorithm for Reed-Solomon code is to place bounds
on deg X (Q) and degY (Q) for Step 1. The bounds are chosen so that there are enough vari-
ables to guarantee the existence of a Q(X , Y ) with the required properties. We will then use
these bounds along with the degree mantra (Proposition 5.2.4) to argue that Step 2 works. Al-
gorithm 24 presents the details. Note that the algorithm generalizes the Welch-Berlekamp al-
gorithm (and follows the two step skeleton outlined above).

Correctness of Algorithm 24. To ensure the correctness of Step 1, we will need to ensure that
the number of coefficients for Q(X , Y ) (which is (ℓ + 1)(n/ℓ + 1)) is larger than the number of
constraints in (17.6 (which is n). Indeed,
³n ´ n
(ℓ + 1) · + 1 > ℓ · = n.
ℓ ℓ

298
Algorithm 24 The First List Decoding Algorithm for Reed-Solomon Codes
I NPUT: n ≥ k ≥ 1, ℓ ≥ 1, e = n − t and n pairs {(αi , y i )}ni=1
O UTPUT: (Possibly empty) list of polynomials P (X ) of degree at most k − 1
n
1: Find a non-zero Q(X , Y ) with deg X (Q) ≤ ℓ, degY (Q) ≤ such that
ℓ
Q(αi , y i ) = 0, 1 ≤ i ≤ n. (17.6)

2: L ← ;
3: FOR every factor Y − P (X ) of Q(X , Y ) DO
4: ∆(y, (P (αi ))ni=1 ) ≤ e and deg(P ) ≤ k − 1 THEN
IF
5: Add P (X ) to L.
6: RETURN L

We need to argue that the final L in Step 6 contains all the polynomials P (X ) that need to be
output. In other words, we need to show that if P (X ) of degree ≤ k − 1 agrees with Y in at least
t positions, then Y − P (X ) divides Q(X , Y ). Towards this end, we define
def
R(X ) = Q(X , P (X )).
Note that Y − P (X ) divides Q(X , Y ) if and only if R(X ) ≡ 0. Thus, we need to show R(X ) ≡ 0. For
the sake of contradiction, assume that R(X ) 6≡ 0. Note that
deg(R) ≤ deg X (Q) + deg(P ) · degY (Q) (17.7)
n(k − 1)
≤ ℓ+ . (17.8)
ℓ
On the other hand, if P (αi ) = y i then (17.6) implies that
Q(αi , y i ) = Q(αi , P (αi )) = 0.
Thus, αi is a root of R(X ). In other words R has at least t roots. Note that the degree mantra
(Proposition 5.2.4) this will lead to a contradiction if t > deg(R), which will be true if
n(k − 1)
t > ℓ+ .
ℓ
p p
If we pick ℓ = n(k − 1), we will have t > 2 n(k − 1). Thus, we have shown
p
Theorem 17.2.2. Algorithm 24 can list decode Reed-Solomon codes of rate R from 1 − 2 R frac-
tion of errors. Further, the algorithm can be implemented in polynomial time.
The claim on the efficient run time follows as Step 1 can be implemented by Gaussian elim-
ination and for Step 3, all the factors of Q(X , Y ) (and in particular all linear factors of the form
Y − P (X )) can be computed
p using e.g. the algorithm from [78].
The bound 1 − 2 R is better than the unique decoding bound of 1−R 2 for R < 0.07. This is
p
still far from the 1 − R fraction of errors guaranteed by the Johnson bound. See Figure 17.2.2
for an illustration.

299
 1
Unique Decoding bound
Johnson bound
Algorithm 1

0.8

0.6
R

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 17.4: The tradeoff between rate R and the fraction of errors that can be corrected by
Algorithm 24.

17.2.3 Algorithm 2
To motivate the next algorithm, recall that in Algorithm 24, in order to prove that the root
def
finding step (Steps 3-6 in Algorithm 24) works, we defined a polynomial R(X ) = Q(X , P (X )).
In particular, this implied that deg(R) ≤ deg X (Q) + (k − 1) · degY (Q) (and we had to select t >
deg X (Q) + (k − 1) · degY (Q)). One shortcoming of this approach is that the maximum degree of
X and Y might not occur in the same term. For example, in the polynomial X 2 Y 3 + X 4 Y 2 , the
maximum X and Y degrees do not occur in the same monomial. The main insight in the new
algorithm is to use a more “balanced" notion of degree of Q(X , Y ):

Definition 17.2.3. The (1, w) weighted degree of the monomial X i Y j is i +w j . Further, the (1, w)-
weighted degree of Q(X , Y ) (or just its (1, w) degree) is the maximum (1, w) weighted degree of its
monomials.

For example, the (1, 2)-degree of the polynomial X Y 3 + X 4 Y is max(1+3·2, 4+2·1) = 7. Also
note that the (1, 1)-degree of a bivariate polynomial Q(X , Y ) is its total degree (or the “usual"
definition of degree of a bivariate polynomial). Finally, we will use the following simple lemma
(whose proof we leave as an exercise):

Lemma 17.2.4. Let Q(X , Y ) be a bivariate polynomial of (1, w) degree D. Let P (X ) be a polyno-
mial such that deg(P ) ≤ w. Then we have

deg (Q(X , P (X ))) ≤ D.

300
 Note that a bivariate polynomial Q(X , Y ) of (1, w) degree at most D can be represented as
follows:
def X
Q(X , Y ) = ci , j X i Y j ,
i +w j ≤D
i , j ≥0

where c i , j ∈ Fq .
The new algorithm is basically the same as Algorithm 24, except in the interpolation step,
where we compute a bivariate polynomial of bounded (1, k − 1) degree. Before we state the
precise algorithm, we will present the algorithm via an example. Consider the received word in
Figure 17.5.

yi

4
3
2
1
−6 −4 −2 2 4 6
αi
−5 −3 −1 1 3 5
−1
−2
−3
−4

n = 14, k = 2, e = 9

Figure 17.5: An illustration of a received word for the [14, 2] Reed-Solomon code from Fig-
ure 17.1 (where again we have implicitly embedded the field Fq in the set {−7, . . . , 7}). Here we
have considered e = 9 errors which is more than what Algorithm 23 can handle. In this case, we
are looking for lines that pass through at least 5 points.

Now we want to interpolate a bivariate polynomial Q(X , Y ) with a (1, 1) degree of 4 that
“passes" through all the 2-D points corresponding to the received word from Figure 17.5. Fig-
ure 17.6 shows such an example.
Finally, we want to factorize all the linear factors Y − P (X ) of the Q(X , Y ) from Figure 17.6.
Figure 17.7 shows the two polynomials X and −X such that Y − X and Y + X are factors of
Q(X , Y ) from Figure 17.6.
We now precisely state the new list decoding algorithm in Algorithm 25.

Proof of Correctness of Algorithm 25. As in the case of Algorithm 24, to prove the correctness
of Algorithm 25, we need to do the following:

301
 yi

L 2 (X , Y ) = Y − X
4
3
2
1
−6 −4 −2 2 4 6
αi
−5 −3 −1 1 3 5
−1
−2 E (X , Y ) = Y 2 /16 + X 2 /49 − 1

−3
−4
L 1 (X , Y ) = Y + X

Q(X , Y ) = L 1 (X , Y ) · L 2 (X , Y ) · E (X , Y )
n = 14, k = 2, e = 9

Figure 17.6: An interpolating polynomial Q(X , Y ) for the received word in Figure 17.5.
yi

L 2 (X , Y ) = Y − X
4
3
2
1
−6 −4 −2 2 4 6
αi
−5 −3 −1 1 3 5
−1
−2 E (X , Y ) = Y 2 /16 + X 2 /49 − 1

−3
−4
L 1 (X , Y ) = Y + X

Q(X , Y ) = L 1 (X , Y ) · L 2 (X , Y ) · E (X , Y )
n = 14, k = 2, e = 9

Figure 17.7: The two polynomials that need to be output are shown in blue.

• (Interpolation Step) Ensure that the number of coefficients of Q(X , Y ) is strictly greater
than n.
def
• (Root Finding Step) Let R(X ) = Q(X , P (X )). We want to show that if P (αi ) ≥ y i for at least
t values of i , then R(X ) ≡ 0.

To begin with, we argue why we can prove the correctness of the root finding step. Note that
since Q(X , Y ) has (1, k − 1) degree at most D, Lemma 17.2.4 implies that

deg(R) ≤ D.

Then using the same argument as we used for the correctness of the root finding step of Algo-
rithm 24, we can ensure R(X ) ≡ 0 if we pick

t > D.

302
Algorithm 25 The Second List Decoding Algorithm for Reed-Solomon Codes
I NPUT: n ≥ k ≥ 1, D ≥ 1, e = n − t and n pairs {(αi , y i )}ni=1
O UTPUT: (Possibly empty) list of polynomials P (X ) of degree at most k − 1

1: Find a non-zero Q(X , Y ) with (1, k − 1) degree at most D, such that

Q(αi , y i ) = 0, 1 ≤ i ≤ n. (17.9)

2: L ← ;
3: FOR every factor Y − P (X ) of Q(X , Y ) DO
4: ∆(y, (P (αi ))ni=1 ) ≤ e and deg(P ) ≤ k − 1 THEN
IF
5: Add P (X ) to L.
6: RETURN L

Thus, we would like to pick D to be as small as possible. On the other hand, Step 1 will need D
to be large enough (so that the number of variables is more than the number of constraints in
(17.9). Towards that end, let the number of coefficients of Q(X , Y ) be
¯© ª¯
N = ¯ (i , j )|i + (k − 1) j ≤ D, i , j ∈ Z+ ¯
¥ D ¦
To bound N , we first note that in the definition above, j ≤ k−1 . (For notational convenience,
¥ D ¦
define ℓ = k−1 .) Consider the following sequence of relationships

ℓ D−(k−1)
X X j
N = 1
j =1 i =0
ℓ
X
= (D − (k − 1) j + 1)
j =0
ℓ
X ℓ
X
= (D + 1) − (k − 1) j
j =0 j =0
(k − 1)ℓ(ℓ + 1)
= (D + 1)(ℓ + 1) −
2
ℓ+1
= (2D + 2 − (k − 1)ℓ)
µ 2 ¶
ℓ+1
≥ (D + 2) (17.10)
2
D(D + 2)
≥ . (17.11)
2(k − 1)

D
In the above, (17.10) follows from the fact that ℓ ≤ k−1 and (17.11) follows from the fact that
D
k−1 − 1 ≤ ℓ.

303
 Thus, the interpolation step succeeds (i.e. there exists a non-zero Q(X , Y ) with the required
properties) if
D(D + 2)
> n.
2(k − 1)
The choice lp m
D= 2(k − 1)n
suffices by the following argument:

D(D + 2) D2 2(k − 1)n

> ≥ = n.
2(k − 1) 2(k − 1) 2(k − 1)
§p ¨
Thus for the root finding step to work, we need t > 2(k − 1)n , which implies the following
result:
p
Theorem 17.2.5. Algorithm 2 can list decode Reed-Solomon codes of rate R from up to 1 − 2R
fraction of errors. Further, the algorithm runs in polynomial time.

Algorithm 2 runs in polynomial time as Step 1 can be implemented using Gaussian elimi-
nation (and the fact that the number of coefficients is O(n)), while the root finding step can be
implementedpby any polynomial time algorithm to factorize bivariate polynomials. Further, we
note that 1 − 2R beats the unique decoding bound of (1 − R)/2 for R < 1/3. See Figure 17.2.3
for an illustration.

1
Unique Decoding bound
Johnson bound
Algorithm 1
Algorithm 2

0.8

0.6
R

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 17.8: The tradeoff between rate R and the fraction of errors that can be corrected by
Algorithm 24 and Algorithm 25.

304
17.2.4 Algorithm 3
Finally,
p we present the list decoding algorithm for Reed-Solomon codes, which can correct 1 −
R fraction of errors. The main idea is to add more restrictions on Q(X , Y ) (in addition to its
(1, k − 1)-degree being at most D). In particular, the restriction is as follows: for some integer
parameter r ≥ 1, we will insist on Q(X , Y ) having r roots at (αi , y i ), 1 ≤ i ≤ n (we will come to
the formal definition of this shortly).
This change will have the following implications:

1. The number of equations (on the coefficients of Q) will increase but the number of co-
efficients will remain the same. This seems to be bad as this results in an increase in D
(which in turn would result in an increase in t ).

2. However, this change also increases the number of roots of R(X ) and this gain in the num-
ber of roots more than compensates for the increase in D.

To motivate the definition of multiplicity of a root of a bivariate polynomial, let us consider

the following simplified examples. In Figure 17.9 the curve Q(X , Y ) = Y − X passes through the

Y −X

X
(0, 0)

Figure 17.9: Multiplicity of 1

origin once and has no term of degree 0.

In Figure 17.10, the curve Q(X , Y ) = (Y − X )(Y + X ) passes though the origin twice and has
no term with degree at most 1.
In Figure 17.11, the curve Q(X , Y ) = (Y − X )(Y + X )(Y − 2X ) passes through the origin thrice
and has no term with degree at most 2. More generally, if r lines pass through the origin, then
note that the curve corresponding to their product has no term with degree at most r − 1. This
leads to the following more general definition:

Definition 17.2.6. Q(X , Y ) has r roots at (0, 0) if Q(X , Y ) doesn’t have any monomial with degree
at most r − 1.

305
 Y
Y +X
Y −X

X
(0, 0)

Figure 17.10: Multiplicity of 2

Y
Y +X Y − 2X
Y −X

X
(0, 0)

Figure 17.11: Multiplicity of 3

The definition of a root with multiplicity r at a more general point follows from a simple
translation:
def
Definition 17.2.7. Q(X , Y ) has r roots at (α, β) if Q α,β (X , Y ) = Q(x +α, y +β) has r roots at (0, 0).

Before we state the precise algorithm, we will present the algorithm with an example. Con-
sider the received word in Figure 17.12.
Now we want to interpolate a bivariate polynomial Q(X , Y ) with (1, 1) degree 5 that “passes
twice" through all the 2-D points corresponding to the received word from Figure 17.12. Fig-
ure 17.13 shows such an example.
Finally, we want to factorize all the linear factors Y − P (X ) of the Q(X , Y ) from Figure 17.13.
Figure 17.14 shows the five polynomials of degree one are factors of Q(X , Y ) from Figure 17.13.

306
 yi

−9 −7 −1 1 2 5 8 11
αi
−5

n = 10, k = 2, e = 6

Figure 17.12: An illustration of a received word for the [10, 2] Reed-Solomon code (where we
have implicitly embedded the field Fq in the set {−9, . . . , 11}). Here we have considered e = 6
errors which is more than what Algorithm 25 can decode. In this case, we are looking for lines
that pass through at least 4 points.

yi

−9 −7 −1 1 2 5 8 11
αi
−5

n = 10, k = 2, e = 6

Figure 17.13: An interpolating polynomial Q(X , Y ) for the received word in Figure 17.12.

(In fact, Q(X , Y ) exactly decomposes into the five lines.)

Algorithm 26 formally states the algorithm.

Correctness of Algorithm 26. To prove the correctness of Algorithm 26, we will need the fol-
lowing two lemmas (we defer the proofs of the lemmas above to Section 17.2.4):
¡ ¢
Lemma 17.2.8. The constraints in (17.12) imply r +1
2 constraints for each i on the coefficients of
Q(X , Y ).

307
 yi

−9 −7 −1 1 2 5 8 11
αi
−5

n = 10, k = 2, e = 6

Figure 17.14: The five polynomials that need to be output are shown in blue.

Algorithm 26 The Third List Decoding Algorithm for Reed-Solomon Codes

I NPUT: n ≥ k ≥ 1, D ≥ 1, r ≥ 1, e = n − t and n pairs {(αi , y i )}ni=1
O UTPUT: (Possibly empty) list of polynomials P (X ) of degree at most k − 1

1: Find a non-zero Q(X , Y ) with (1, k − 1) degree at most D, such that

Q(αi , y i ) = 0, with multiplicity r for every 1 ≤ i ≤ n. (17.12)

2: L ← ;
3: FOR every factor Y − P (X ) of Q(X , Y ) DO
4: ∆(y, (P (αi ))ni=1 ) ≤ e and deg(P ) ≤ k − 1 THEN
IF
5: Add P (X ) to L.
6: RETURN L

def
Lemma 17.2.9. R(X ) = Q(X , P (X )) has r roots for every i such that P (αi ) = y i . In other words,
(X − αi )r divides R(X ).

Using arguments similar to those used for proving the correctness of Algorithm 25, to argue
the correctness of the interpolations step we will need
à !
D(D + 2) r +1
>n ,
2(k − 1) 2

where the LHS is an upper bound on the number of coefficients of Q(X , Y ) as before from
(17.11) and the RHS follows from Lemma 17.2.8. We note that the choice
lp m
D= (k − 1)nr (r − 1)

308
works. Thus, we have shown the correctness of Step 1.
For the correctness of the root finding step, we need to show that the number of roots of
R(X ) (which by Lemma 17.2.9 is at least r t ) is strictly bigger than the degree of R(X ), which
from Lemma 17.2.4 is D. That is we would be fine we if have,

t r > D,

which is the same as

D
t> ,
r
which in turn will follow if we pick
&s µ ¶'
1
t= (k − 1)n 1 − .
r

If we pick r = 2(k − 1)n, then we will need

&r '
1 lp m
t> (k − 1)n − > (k − 1)n ,
2

where the last inequality follows because of the fact that t is an integer. Thus, we have shown
p
Theorem 17.2.10. Algorithm 26 can list decode Reed-Solomon codes of rate R from up to 1 − R
fraction of errors. Further, the algorithm runs in polynomial time.

The claim on the run time follows from the same argument that was used to argue the poly-
nomial running time of Algorithm 25. Thus, Theorem 17.2.10 shows that Reed-Solomon codes
can be efficiently decoded up to the Johnson bound. For an illustration of fraction of errors
correctable by the three list decoding algorithms we have seen, see Figure 17.2.3.
A natural question to ask is if Reed-Solomon codes of rate R can be list decoded beyond
p
1 − R fraction of errors. The answer is still not known:

p 17.2.1. Given a Reed-Solomon code of rate R, can it be efficiently list decoded

Open Question
beyond 1 − R fraction of errors?

Recall that to complete the proof of Theorem 17.2.10, we still need to prove Lemmas 17.2.8
and 17.2.9, which we do next.

Proof of key lemmas

Proof of Lemma 17.2.8. Let X

Q(X , Y ) = ci , j X i Y j
i,j
i +(k−1) j ≤D

309
and X α,β
Q α,β (X , Y ) = Q(X + α, Y + β) = ci , j X i Y j .
i,j

We will show that

α,β
(i) c i , j are homogeneous linear combinations of c i , j ’s.
¡r +1¢
(ii) If Q α,β (X , Y ) has no monomial with degree < r , then that implies 2 constraints on
α,β
c i , j ’s.

Note that (i) and (ii) prove the lemma. To prove (i), note that by the definition:
X α,β
Q α,β (X , Y ) = ci , j X i Y j
(17.13)
i,j
X ′ ′
= c i ′ , j ′ (X + α)i (Y + β) j (17.14)
i ′, j ′
i ′ +(k−1) j ′ ≤D

α,β ′ ′
Note that, if i > i ′ or j > j ′ , then c i , j doesn’t depend on c i , j . By comparing coefficients of X i Y j

from (17.13) and (17.14), we obtain

à !à !
α,β X i′ j′ i j
ci , j = ci ′ , j ′ αβ ,
′
i >i
i j
j ′> j

which proves (i). To prove (ii), recall that by definition Q α,β (X , Y ) has no monomial of degree
α,β
< r . In other words, we need to have constraints c i , j = 0 if i + j ≤ r − 1. The number of such
constraints is
à !
r + 1
|{(i , j )|i + j ≤ r − 1, i , j ∈ Z≥0 }| = ,
2

where the equality follows from the following argument. Note that for every fixed value of 0 ≤
j ≤ r − 1, i can take r − j values. Thus, we have that the number of constraints is
à !
rX −1 Xr r +1
r−j = ℓ= ,
j =0 ℓ=1 2

as desired.

We now re-state Lemma 17.2.9 more precisely and then prove it.

Lemma 17.2.11. Let Q(X , Y ) be computed by Step 1 in Algorithm 26. Let P (X ) be a polynomial
of degree ≤ k − 1, such that P (αi ) = y i for at least t > Dr many values of i , then Y − P (X ) divides
Q(X , Y ).

310
Proof. Define
def
R(X ) = Q(X , P (X )).
As usual, to prove the lemma, we will show that R(X ) ≡ 0. To do this, we will use the following
claim.

Claim 17.2.12. If P (αi ) = y i , then (X − αi )r divides R(X ), that is αi is a root of R(X ) with multi-
plicity r .

Note that by definition of Q(X , Y ) and P (X ), R(X ) has degree ≤ D. Assuming the above claim
is correct, R(X ) has at least t · r roots. Therefore, by the degree mantra (Proposition 5.2.4), R(X )
is a zero polynomial as t · r > D. We will now prove Claim 17.2.12. Define

def
P αi ,y i (X ) = P (X + αi ) − y i , (17.15)

and
def
R αi ,y i (X ) = R(X + αi ) (17.16)
= Q(X + αi , P (X + αi )) (17.17)
= Q(X + αi , P αi ,y i (X ) + y i ) (17.18)
= Q αi ,y i (X , P αi ,y i (X )), (17.19)

where (17.17), (17.18) and (17.19) follow from the definitions of R(X ), P αi ,y i (X ) and Q αi ,y i (X , Y )
respectively.
By (17.16) if R αi ,y i (0) = 0, then R(αi ) = 0. So, if X divides R αi ,y i (X ), then X − αi divides R(X ).
(This follows from a similar argument that we used to prove Proposition 5.2.4.) Similarly, if X r
divides R αi ,y i (X ), then (X − αi )r divides R(X ). Thus, to prove the lemma, we will show that X r
divides R αi ,y i (X ). Since P (αi ) = y i when αi agrees with y i , we have P αi ,y i (0) = 0. Therefore, X is
a root of P αi ,y i (X ), that is, P αi ,y i (X ) = X · g (X ) for some polynomial g (X ) of degree at most k −1.
We can rewrite
X α ,y ′ ′ X α ,y ′ ′
R αi ,y i (X ) = c i ′ ,i j ′ i X i (P αi ,y i (X )) j = c i ′ ,i j ′ i X i (X g (X )) j .
i ′, j ′ i ′, j ′

α ,y
Now for every i ′ , j ′ such that c i ′ ,i j ′ i 6= 0, we have i ′ + j ′ ≥ r as Q αi ,y i (X , Y ) has no monomial of
degree < r . Thus X r divides R αi ,y i (X ), since R αi ,y i (x) has no non-zero monomial X ℓ for any
ℓ <r.

17.3 Extensions
We now make some observations about Algorithm 26. In particular, the list decoding algorithm
is general enough to solve more general problems than just list decoding. In this section, we
present an overview of these extensions.

311
 Recall that the constraint (17.12) states that Q(X , Y ) has r ≥ 0 roots at (αi , y i ), 1 ≤ i ≤ n.
However, our analysis did not explicitly use the fact that the multiplicity is same for every i . In
particular, given non-zero integer multiplicities w i ≥ 0, 1 ≤ i ≤ n, Algorithm 26 can be general-
ized to output all polynomials P (X ) of degree at most k − 1, such that
v à !
u
X u X n w +1
w i > t(k − 1)n
i
.
i :P (αi )=y i i =0 2

(We leave the proof as an exercise.) Note that till now we have seen the special case w i = r ,
1 ≤ i ≤ n.
Further, we claim that the αi ’s need not be distinct for the all of the previous arguments to
go through. In particular, one can generalize Algorithm 26 even further to prove the following
(the proof is left as an exercise):

Theorem 17.3.1. Given integer weights w i ,α for every 1 ≤ i ≤ n and α ∈ F, in polynomial time
one can output all P (X ) of degree at most k − 1 such that
v à !
u
X u X n X w
i ,α + 1
w i ,P (αi ) > t(k − 1)n .
i i =0 α∈F 2

This will be useful to solve the following generalization of list decoding called soft decoding.

Definition 17.3.2. Under soft decoding problem, the decoder is given as input a set of non-
negative weights w i ,d (1 ≤ i ≤ n, α ∈ Fq ) and a threshold W ≥ 0. The soft decoder needs to output
all codewords (c 1 , c 2 , . . . , c n ) in q-ary code of block length n that satisfy:
n
X
w i ,ci ≥ W.
i =1

Note that Theorem 17.3.1 solve the soft decoding problem with
v à !
u
u X n X w
i ,α + 1
W = t(k − 1)n .
i =0 α∈F 2

Consider the following special case of soft decoding where w i ,y i = 1 and w i ,α = 0 for α ∈ F \
{y i } (1 ≤ i ≤ n). Note that this is exactly the list decoding problem with the received word
(y 1 , . . . , y n ). Thus, list decoding is indeed a special case of soft decoding. Soft decoding has
practical applications in settings where the channel is analog. In such a situation, the “quan-
tizer” might not be able to pinpoint a received symbol y i with 100% accuracy. Instead, it can
use the weight w i ,α to denote its confidence level that i th received symbol was α.
Finally, we consider a special case of soft called list recovery, which has applications in de-
signing list decoding algorithms for concatenated codes.

312
Definition 17.3.3 (List Recovery). Given S i ⊆ Fq , 1 ≤ i ≤ n where |S i | ≤ ℓ, output all [n, k]q
codewords (c 1 , . . . , c n ) such that c i ∈ S i for at least t values of i . If for every valid input the number
of such codewords is at most L, then the corresponding code is called (1−t /n, ℓ, L)-list recoverable.

We leave the proof that list decoding is a special case of soft decoding as an exercise. Finally,
we claim that Theorem 17.3.1 implies the following result for list recovery (the proof is left as an
exercise):
p
Theorem 17.3.4. Given t > (k − 1)ℓn, the list recovery problem with agreement parameter t for
[n, k]q Reed-Solomon codes can be solved in polynomial time.

17.4 Bibliographic Notes

In 1960, before polynomial time complexity was regarded as an acceptable notion of efficiency,
Peterson designed an O(N 3 ) time algorithm for the unique decoding of Reed-Solomon codes [103].
This algorithm was the first efficient algorithm for unique decoding of Reed-Solomon codes.
The Berlekamp-Massey algorithm, which used shift registers
¡ 2 ¢ for multiplication, was even more
efficient, achieving a computational complexity ¡of O N . Currently,
¢ an even more efficient
algorithm, with a computational complexity of O N poly(log N ) , is known [106].
The Welch-Berlekamp
¡ 3¢ algorithm, covered under US Patent [135], has a running time com-
plexity of O N . We will follow a description of the Welch-Berlekamp algorithm provided by
Gemmell and Sudan in [47].
Håstad, Philips and Safra showed that solving a system of quadratic equations (even those
without any square terms like we have in (17.1)) over any field Fq is NP-hard [73]. (In fact, it is
even hard to approximately solve this problem: i.e. where one tries to compute an assignment
that satisfies as many equations as possible.) Linearization is a trick that has been used many
times in theoretical computer science and cryptography. See this blog post by Dick Lipton for
more on this.
Algorithm 25 is due to Sudan [124] and Algorithm 26 is due to Guruswami and Sudan [65].
Near-linear time implementations of these list decoding algorithms are also known [2].
It is natural to ask whether Theorem 17.3.4 is tight for list recovery, i.e. generalize Open
Question 17.2.1 to list recovery. It was shown by Guruswami and Rudra that Theorem 17.3.4 is
indeed the best possible list recovery result for Reed-Solomon codes [60]. Thus, any algorithm
that answers Open Question 17.2.1 in some sense has to exploit the fact that in the list decoding
problem, the αi ’s are distinct. Recently it was shows by Rudra and Wootters that at least combi-
natorially, Reed-Solomon codes (with random evaluation points) are list decodable beyond the
Johnson bound [113]. On the flip side, there are limits known on list decoding Reed-Solomon
codes (both unconditional ones due to Ben-Sasson et al. [11] as well as those based on hardness
of computing discrete log in the worst-case due to Cheng and Wan [22]) but none of them are
close to the Johnson bound (especially for constant rate Reed-Solomon codes).

313
314
Chapter 18

Efficiently Achieving List Decoding Capacity

In the previous chapters, we have seen these results related to list decoding:
p
• Reed-Solomon codes of rate R > 0 can be list-decoded in polynomial time from 1 − R
errors (Theorem 17.2.10). This is the best algorithmic list decoding result we have seen so
far.
¡ ¡ ¢¢ 1
• There exist codes of rate R > 0 that are 1 − R − ε,O 1ε -list decodable for q ≥ 2Ω( ε ) (and
in particular for q = poly(n)) (Theorem 7.4.1 and Proposition 3.3.4). This of course is the
best possible combinatorial result.

Note that there is a gap between the algorithmic result and the best possible combinatorial
result. This leads to the following natural question:

Question 18.0.1. Are there explicit codes of rate R > 0 that can be list-decoded in polynomial
time from 1 − R − ε fraction of errors for q ≤ pol y(n)?

In this chapter, we will answer Question 18.0.1 in the affirmative.

18.1 Folded Reed-Solomon Codes

We will now introduce a new family of codes called the Folded Reed-Solomon codes. These
codes are constructed by combining every m consecutive symbols of a regular Reed-Solomon
code into one symbol from a larger alphabet. Note that we have already seen such a fold-
ing trick when we instantiated the outer code in the concatenated code that allowed us to
efficiently achieve the BSCp capacity (Section 14.4.1). For a Reed-Solomon code that maps
Fkq → Fnq , the corresponding Folded Reed-Solomon code will map Fkq → Fn/m q m . We will ana-
lyze Folded Reed-Solomon codes that are derived from Reed-Solomon codes with evaluation
{1, γ, γ2 , γ3 , . . . , γn−1 }, where γ is the generator of F∗q and n ≤ q −1. Note that in the Reed-Solomon
code, a message is encoded as in Figure 18.1.

315
 f (1) f (γ) f (γ2 ) f (γ3 ) ··· f (γn−2 ) f (γn−1 )

Figure 18.1: Encoding f (X ) of degree ≤ k−1 and coefficients in Fq corresponding to the symbols
in the message.

For m = 2, the conversion from Reed-Solomon to Folded Reed-Solomon can be visualized

as in Figure 18.2 (where we assume n is even).

f (1) f (γ) f (γ2 ) f (γ3 ) ··· f (γn−2 ) f (γn−1 )

⇓
f (1) f (γ2 ) f (γn−2 )
···
f (γ) f (γ3 ) f (γn−1 )

Figure 18.2: Folded Reed-Solomon code for m = 2.

For general m ≥ 1, this transformation will be as in Figure 18.3 (where we assume that m
divides n).

f (1) f (γ) f (γ2 ) f (γ3 ) ··· f (γn−2 ) f (γn−1 )

⇓
f (1) f (γm ) f (γ2m ) f (γn−m )
f (γ) f (γm+1 ) f (γ2m+1 ) ··· f (γn−m+1 )
.. .. .. ..
. . . .
f (γm−1 ) f (γ2m−1 ) f (γ3m−1 ) f (γn−1 )

Figure 18.3: Folded Reed-Solomon code for general m ≥ 1.

More formally, here is the definition of folded Reed-Solomon codes:

Definition 18.1.1 (Folded Reed-Solomon Code). The m-folded version of an [n, k]q Reed-Solomon
code C (with evaluation points {1, γ, . . . , γn−1 }), call it C ′ , is a code of block length N = n/m over
Fq m , where n ≤ q − 1. The encoding of a message f (X ),¡ a ¡polynomial over
¢ ¡ j m+1 ¢ Fq of ¡degree at ¢¢
most
jm j m+m−1
k−1, has as its j ’th symbol, for 0 ≤ j < n/m, the m-tuple f γ ,f γ ,··· , f γ . In
other words, the codewords of C ′ are in one-one correspondence with those of the Reed-Solomon
code C and are obtained by bundling together consecutive m-tuple of symbols in codewords of C .

316
18.1.1 The Intuition Behind Folded Reed-Solomon Codes
We first make the simple observation that the folding trick above cannot decrease the list de-
codability of the code. (We have already seen this argument earlier in Section 14.4.1.)

Claim 18.1.2. If the Reed-Solomon code can be list-decoded from ρ fraction of errors, then the
corresponding folded Reed-Solomon code with folding parameter m can also be list-decoded from
ρ fraction of errors.

Proof. The idea is simple: If the Reed-Solomon code can be list decoded from ρ fraction of
errors (by say an algorithm A ), the Folded Reed-Solomon code can be list decoded by “unfold-
ing" the received word and then running A on the unfolded received word and returning the
resulting set of messages. Algorithm 27 has a more precise statement.

Algorithm 27 Decoding Folded Reed-Solomon Codes by Unfolding

I NPUT: y = ((y 1,1 , . . . , y 1,m ), . . . , (y n/m,1 , . . . , y n/m,m )) ∈ Fn/m
qm
O UTPUT: A list of messages in Fkq

1: y′ ← (y 1,1 , . . . , y 1,m , . . . , y n/m,1 , . . . , y n/m,m ) ∈ Fn

q.
2: RETURN A (y′ )

The reason why Algorithm 27 works is simple. Let m ∈ Fkq be a message. Let RS(m) and
FRS(m) be the corresponding Reed-Solomon and folded Reed-Solomon codewords. Now for
every i ∈ [n/m], if FRS(m)i 6= (y i ,1 , . . . , y i ,n/m ) then in the worst-case for every j ∈ [n/m], RS(m)(i −1)n/m+ j 6=
y i , j : i.e. one symbol disagreement over Fq m can lead to at most m disagreements over Fq . See
Figure 18.4 for an illustration.

f (1) f (γ2 ) f (γn−2 )

···
f (γ) f (γ3 ) f (γn−1 )

⇓
f (1) f (γ) f (γ2 ) f (γ3 ) ··· f (γn−2 ) f (γn−1 )

Figure 18.4: Error pattern after unfolding. A pink cell means an error: for the Reed-Solomon
code it is for RS(m) with y′ and for folded Reed-Solomon code it is for FRS(m) with y.

n n
This implies that for any m ∈ Fkq if ∆(y, FRS(m)) ≤ ρ · m , then ∆(y′ , RS(m)) ≤ m · ρ · m = ρ · n,
which by the properties of algorithm A implies that Step 2 will output m, as desired.

The intuition for a strict improvement by using Folded Reed-Solomon codes is that if the
fraction of errors due to folding increases beyond what it can list-decode from, that error pat-
tern does not need to be handled and can be ignored. For example, suppose a Reed-Solomon

317
 f (1) f (γ) f (γ2 ) f (γ3 ) ··· f (γn−2 ) f (γn−1 )

⇓
f (1) f (γ2 ) f (γn−2 )
···
f (γ) f (γ3 ) f (γn−1 )

Figure 18.5: An error pattern after folding. The pink cells denotes the location of errors.

code that can be list-decoded from up to 21 fraction of errors is folded into a Folded Reed-
Solomon code with m = 2. Now consider the error pattern in Figure 18.5.
The error pattern for Reed-Solomon code has 21 fraction of errors, so any list decoding al-
gorithm must be able to list-decode from this error pattern. However, for the Folded Reed-
Solomon code the error pattern has 1 fraction of errors which is too high for the code to list-
decode from. Thus, this “folded" error pattern case can be discarded from the ones that a list
decoding algorithm for folded Reed-Solomon code needs to consider. This is of course one
example– however, it turns out that this folding operation actually rules out a lot of error pat-
terns that a list decoding p
algorithm for folded Reed-Solomon code needs to handle (even be-
yond the current best 1 − R bound for Reed-Solomon codes). Put another way, an algorithm
for folded Reed-Solomon codes has to solve the list decoding problem for the Reed-Solomon
codes where the error patterns are “bunched" together (technically they’re called bursty er-
rors). Of course, converting this intuition into a theorem takes more work and is the subject
of this chapter.

Wait a second... The above argument has a potential hole– what if we take the argument to
the extreme and "cheat" by setting m = n where any error pattern for the Reed-Solomon code
will result in an error pattern with 100% errors for the Folded Reed-Solomon code: thus, we
will only need to solve the problem of error detection for Reed-Solomon codes (which we can
easily solve for any linear code and in particular for Reed-Solomon codes)? It is a valid concern
but we will “close the loophole" by only using a constant m as the folding parameter. This
will still keep q to be polynomially large in n and thus, we would still be on track to answer
Question 18.0.1. Further, if we insist on smaller list size (e.g. one independent of n), then we can
use code concatenation to achieve capacity achieving results for codes over smaller alphabets.
(See Section 18.4 for more.)

General Codes. We would like to point out that the folding argument used above is not specific
to Reed-Solomon codes. In particular, the argument for the reduction in the number of error
patterns holds for any code. In fact, one can prove that for general random codes, with high
probability, folding does strictly improve the list decoding capabilities of the original code. (The
proof is left as an exercise.)

318
18.2 List Decoding Folded Reed-Solomon Codes: I
We begin with an algorithm for list decoding folded Reed-Solomon codes that works with agree-
ment t ∼ mR N . Note that this is a factor m larger than the R N agreement we ultimately want.
In the next section, we will see how to knock off the factor of m.
Before we state the algorithm, we formally (re)state the problem we want to solve:

• Input: An agreement parameter 0 ≤ t ≤ N and the received word:

 
y0 ym y n−m
 .. .. ··· ..  m×N n
y= . . .  ∈ Fq , N=
m
y m−1 y 2m−1 y n−1

• Output: Return all polynomials f (X ) ∈ Fq [X ] of degree at most k − 1 such that for at

least t values of 0 ≤ i < N

 ¡ ¢   
f γmi y mi
 ..   .. 
 . = .  (18.1)
¡ ¢
f γm(i +1)−1 y m(i +1)−1

The algorithm that we will study is a generalization of the Welch-Berlekamp algorithm (Al-
gorithm 23). However unlike the previous list decoding algorithms for Reed-Solomon codes
(Algorithms 24, 25 and 26), this new algorithm has more similarities with the Welch-Berlekamp
algorithm. In particular, for m = 1, the new algorithm is exactly the Welch-Berlekamp algo-
rithm. Here are the new ideas in the algorithm for the two-step framework that we have seen in
the previous chapter:

• Step 1: We interpolate using (m +1)-variate polynomial, Q(X , Y1 , . . . , Ym ), where degree of

each variable Yi is exactly one. In particular, for m = 1, this interpolation polynomial is
exactly the one used in the Welch-Berlekamp algorithm.

• Step 2: As we have done so far, in this step, we output all "roots" of Q. Two remarks are in
order. First, unlike Algorithms 24, 25 and 26, the roots f (X ) are no longer simpler linear
factors Y − f (X ), so one cannot use a factorization algorithm to factorize Q(X , Y1 , . . . , Ym ).
Second, the new insight in this algorithm, is to show that all the roots form an (affine)
subspace,1 which we can use to compute the roots.

Algorithm 28 has the details.

1
An affine subspace of Fkq is a set {v + u|u ∈ S}, where S ⊆ Fkq is a linear subspace and v ∈ Fkq .

319
Algorithm 28 The First List Decoding Algorithm for Folded Reed-Solomon Codes
I NPUT: An agreement parameter 0 ≤ t ≤ N , parameter D ≥ 1 and the received word:

 
y0 ym y n−m
 .. .. ··· ..  m×N n
y= . . .  ∈ Fq , N=
m
y m−1 y 2m−1 y n−1

O UTPUT: All polynomials f (X ) ∈ Fq [X ] of degree at most k − 1 such that for at least t values of
0≤i <N
 ¡ ¢   
f γmi y mi
 ..   .. 
 . = .  (18.2)
¡ m(i +1)−1 ¢
f γ y m(i +1)−1

1: Compute a non-zero Q(X , Y1 , . . . , Ym ) where

Q(X , Y1 , . . . , Ym ) = A 0 (X ) + A 1 (X )Y1 + A 2 (X )Y2 + · · · + A m (X )Ym

with deg(A 0 ) ≤ D + k − 1 and deg(A j ) ≤ D for 1 ≤ j ≤ m such that

Q(γmi , y mi , · · · , y m(i +1)−1 ) = 0, ∀0 ≤ i < N (18.3)

2: L ← ;
3: FOR every f (X ) ∈ Fq [X ] such that Q(X , f (X ), f (γX ), f (γ2 X ), . . . , f (γm−1 X )) = 0 DO
4: IF deg( f ) ≤ k − 1 and f (X ) satisfies (18.2) for at least t values of i THEN
5: Add f (X ) to L.
6: RETURN L

Correctness of Algorithm 28. In this section, we will only concentrate on the correctness of
the algorithm and analyze its error correction capabilities. We will defer the analysis of the
algorithm (and in particular, proving a bound on the number of polynomials that are output by
Step 6) till the next section.
We first begin with the claim that there always exists a non-zero choice for Q in Step 1 using
the same arguments that we have used to prove the correctness of Algorithms 25 and 26:
Claim 18.2.1. If (m + 1) (D + 1) + k − 1 > N , then there exists a non-zero Q (X , Y1 , ...Ym ) that satis-
fies the required properties of Step 1.
Proof. As in the proof of correctness of Algorithms 24, 25 and 26, we will think of the constraints
in (18.3) as linear equations. The variables are the coefficients of A i (X ) for 0 ≤ i ≤ m. With the
stipulated degree constraints on the A i (X )’s, note that the number of variables participating in
(18.3) is
D + k + m(D + 1) = (m + 1) (D + 1) + k − 1.

320
The number of equations is N . Thus, the condition in the claim implies that we have strictly
more variables then equations and thus, there exists a non-zero Q with the required properties.

Next, we argue that the root finding step works (again using an argument very similar to
those that we have seen for Algorithms 24, 25 and 26):

Claim 18.2.2. If t > D +k −1, then all polynomial f (X ) ∈ Fq [X ] of degree at most k −1 that agree
with the received word in at least t positions is returned by Step 6.

Proof. Define the univariate polynomial

¡ ¡ ¢ ¡ ¢¢
R (X ) = Q X , f (X ) , f γX , ..... f γm−1 X .

Note that due to the degree constraints on the A i (X )’s and f (X ), we have

deg (R) ≤ D + k − 1,

since deg( f (γi X )) = deg( f (X )). On the other hand, for every 0 ≤ i < N where (18.1) is satisfied
we have ³ ´ ³ ´
R γmi = Q γmi , y mi , . . . , y m(i +1)−1 = 0,

where the first equality follows from (18.1), while the second equality follows from (18.3). Thus
R(X ) has at least t roots. Thus, the condition in the claim implies that R(X ) has more roots then
its degree and thus, by the degree mantra (Proposition 5.2.4) R(X ) ≡ 0, as desired.

Note that Claims 18.2.1 and 18.2.2 prove the correctness of the algorithm. Next we analyze
the fraction of errors the algorithm can correct. Note that the condition in Claim 18.2.1 is satis-
fied if we pick ¹ º
N −k +1
D= .
m +1
This in turn implies that the condition in Claim 18.2.2 is satisfied if

N −k +1 N + m(k − 1)
t> +k −1 = .
m +1 m +1
Thus, the above would be satisfied if
µ ³ m ´¶
N mk 1
t≥ + =N + mR ,
m +1 m +1 m +1 m +1

where the equality follows from the fact that k = mR N .

Note that when m = 1, the above bound exactly recovers the bound for the Welch-Berlekamp
algorithm (Theorem 17.1.4). Thus, we have shown that

Theorem 18.2.3. Algorithm 28 can list decode folded Reed-Solomon code with folding parameter
m
m ≥ 1 and rate R up to m+1 (1 − mR) fraction of errors.

321
 1
m=1
m=2
m=2
m=4
Johnson bound
0.8

0.6
R

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 18.6: The tradeoff between rate R and the fraction of errors that can be corrected by
Algorithm 28 for folding parameter m = 1, 2, 3 and 4. The Johnson bound is also plotted for
comparison. Also note that the bound for m = 1 is the Unique decoding bound achieved by
Algorithm 23.

See Figure 18.2 for an illustration of the tradeoff for m = 1, 2, 3, 4.

Note that if we can replace the mR factor in the bound from Theorem 18.2.3 by just R then
we can approach the list decoding capacity bound of 1 − R. (In particular, we would be able
to correct 1 − R − ε fraction of errors if we pick m = O(1/ε).) Further, we need to analyze the
number of polynomials output by the root finding step of the algorithm (and then analyze the
runtime of the algorithm). In the next section, we show how we can “knock-off" the extra factor
m (and we will also bound the list size).

18.3 List Decoding Folded Reed-Solomon Codes: II

In this section, we will present the final version of the algorithm that will allow us to answer
Question 18.0.1 in the affirmative. We start off with the new idea that allows us to knock off the
factor of m. (It would be helpful to keep the proof of Claim 18.2.2 in mind.)
To illustrate the idea let us consider the folding parameter to be m = 3. Let f (X ) be a poly-
nomial of degree at most k − 1 that needs to be output and let 0 ≤ i < N be a position where it
agrees with the received word. (See Figure 18.7 for an illustration.)
The idea is to “exploit" this agreement over one F3q symbol and convert it into two agree-
ments over Fq 2 . (See Figure 18.8 for an illustration.)

322
 f (γ3i ) f (γ3i +1 ) f (γ3i +2 )

y 3i y 3i +1 y 3i +2

Figure 18.7: An agreement in position i .

f (γ3i ) f (γ3i +1 ) f (γ3i +1 ) f (γ3i +2 )

y 3i y 3i +1 y 3i +1 y 3i +2

Figure 18.8: More agreement with a sliding window of size 2.

Thus, in the proof of Claim 18.2.2, for each agreement we can now get two roots for the
polynomial R(X ). In general for an agreement over one Fq m symbols translates into m − s + 1
agreement over Fsq for any 1 ≤ s ≤ m (by “sliding a window" of size s over the m symbols from
Fq ). Thus, in this new idea the agreement is m − s + 1 times more than before which leads to the
mR
mR term in Theorem 18.2.3 going down to m−s+1 . Then making s smaller than m but still large
enough we can get down the relative agreement to R + ε, as desired. There is another change
that needs to be done to make the argument go through: the interpolation polynomial Q now
has to be (s + 1)-variate instead of the earlier (m + 1)-variate polynomial. Algorithm 29 has the
details.

Correctness of Algorithm 29. Next, we analyze the correctness of Algorithm 29 as well as com-
pute its list decoding error bound. We begin with the result showing that there exists a Q with
the required properties for Step 1.
j k
Lemma 18.3.1. If D ≥ N (m−s+1)−k+1
s+1 , then there exists a non-zero polynomial Q(X , Y1 , ..., Y s )
that satisfies Step 1 of the above algorithm.

Proof. Let us consider all coefficients of all polynomials A i as variables. Then the number of
variables will be
D + k + s(D + 1) = (s + 1)(D + 1) + k − 1.
On the other hand, the number of constraints in (18.5), i.e. the number of equations when
all coefficients of all polynomials A i are considered variables) will be N (m − s + 1).
Note that if we have more variables than equations, then there exists a non-zero Q that
satisfies the required properties of Step 1. Thus, we would be done if we have:

(s + 1)(D + 1) + k − 1 > N (m − s + 1),

which is equivalent to:
N (m − s + 1) − k + 1
D> − 1.
s +1
The choice of D in the statement of the claim satisfies the condition above, which complete the
proof.

323
Algorithm 29 The Second List Decoding Algorithm for Folded Reed-Solomon Codes
I NPUT: An agreement parameter 0 ≤ t ≤ N , parameter D ≥ 1 and the received word:

 
y0 ym y n−m
 .. .. ··· ..  m×N n
y= . . .  ∈ Fq , N=
m
y m−1 y 2m−1 y n−1

O UTPUT: All polynomials f (X ) ∈ Fq [X ] of degree at most k − 1 such that for at least t values of
0≤i <N
 ¡ ¢   
f γmi y mi
 ..   .. 
 . = .  (18.4)
¡ m(i +1)−1 ¢
f γ y m(i +1)−1

1: Compute non-zero polynomial Q(X , Y1 , .., Y s ) as follows:

Q(X , Y1 , .., Y s ) = A 0 (X ) + A 1 (X )Y1 + A 2 (X )Y2 + .. + A s (X )Y s ,

with deg[A 0 ] ≤ D + k − 1 and deg[A i ] ≤ D for every 1 ≤ i ≤ s such that for all 0 ≤ i < N and
0 ≤ j ≤ m − s, we have
Q(γi m+ j , y i m+ j , ..., y i m+ j +s−1 ) = 0. (18.5)
2: L ← ;
3: FOR every f (X ) ∈ Fq [X ] such that
¡ ¡ ¢ ¡ ¢ ¡ ¢¢
Q X , f (X ), f γX , f γ2 X , . . . , f γs−1 X ≡ 0 (18.6)

DO
4: IF deg( f ) ≤ k − 1 and f (X ) satisfies (18.2) for at least t values of i THEN
5: Add f (X ) to L.
6: RETURN L

Next we argue that the root finding step works.

Lemma 18.3.2. If t > D+k−1

m−s+1 , then every polynomial f (X ) that needs to be output satisfies (18.6).
¡ ¡ ¢ ¡ s−1 ¢¢
¡ ℓ ¢Consider the polynomial R(X ) = Q X , f (X ), f γX , ..., f γ X . Because the degree of
Proof.
f γ X (for every 0 ≤ ℓ ≤ s − 1) is at most k − 1,

deg(R) ≤ D + k − 1. (18.7)

Let f(X) be one of the polynomials of degree at most k − 1 that needs to be output, and f (X )
agrees with the received word at column i for some 0 ≤ i < N , that is:

324
  ¡ ¢   
f¡ γmi ¢ y mi
 f γmi +1   y mi +1 
   
   
 ·   · 
 = ,
 ·   · 
   
 ·   · 
¡ ¢
f γm(i +1)−1 y m(i +1)−1
then for all 0 ≤ j ≤ m − s, we have:

³ ´ ³ ³ ´ ³ ´ ³ ´´
R γmi + j = Q γmi + j , f γmi + j , f γmi +1+ j , ..., f γmi +s−1+ j
³ ´
= Q γmi + j , y mi + j , y mi +1+ j , ..., y mi +s−1+ j = 0.

In the above, the first equality follows as f (X ) agrees with y in column i while the second equal-
ity follows from (18.5). Thus, the number of roots of R(X ) is at least
t (m − s + 1) > D + k − 1 ≥ deg(R),

where the first inequality follows from the assumption in the claim and the second inequality
follows from (18.7). Hence, by the degree mantra R(X ) ≡ 0, which shows that f (X ) satisfies
(18.6), as desired.

18.3.1 Error Correction Capability

Now, we analyze the the fraction of errors the algorithm above can handle. (We will come back
to the thorny issue of proving a bound on the output list size for the root finding step in Sec-
tion 18.3.2.)
The argument for the fraction of errors follows the by now standard route. To satisfy the
constraint in Lemma 18.3.1, we pick
¹ º
N (m − s + 1) − k + 1
D= .
s +1
This along with the constraint in Lemma 18.3.2, implies that the algorithm works as long as
¹ º
D +k −1
t> .
m −s +1
The above is satisfied if we choose
N (m−s+1)−k+1
s+1 +k −1 N (m − s + 1) − k + 1 + (k − 1)(s + 1) N (m − s + 1) + s(k − 1)
t> = = .
m −s +1 (m − s + 1)(s + 1) (s + 1)(m − s + 1)
Thus, we would be fine if we pick
µ ³ s ´³ ´ ¶
N s k 1 m
t> + · =N + ·R ,
s +1 s +1 m −s +1 s +1 s +1 m −s +1
where the equality follows from the fact that k = mR N . This implies the following result:

325
Theorem 18.3.3. Algorithm 29 can list decode folded Reed-Solomon code with folding parameter
s
m ≥ 1 and rate R up to s+1 (1 − mR/(m − s + 1)) fraction of errors.

See Figure 18.3.1 for an illustration of the bound above.

1
m=6,s=6
m=9, s=6
m=12, s=6
m=15, s=6
Johnson bound
0.8

0.6
R

0.4

0.2

0
0 0.2 0.4 0.6 0.8 1
δ

Figure 18.9: The tradeoff between rate R and the fraction of errors that can be corrected by
Algorithm 29 for s = 6 and folding parameter m = 6, 9, 12 and 15. The Johnson bound is also
plotted for comparison.

18.3.2 Bounding the Output List Size

We finally address the question of bounding the output list size in the root finding step of the
algorithm. We will present a proof that will immediately lead to an algorithm to implement the
root finding step. We will show that there are at most q s−1 possible solutions for the root finding
step.
The main idea is the following: think of the coefficients of the output polynomial f (X ) as
variables. Then the constraint (18.6) implies D +k linear equations on these k variables. It turns
out that if one picks only k out of these D +k constraints, then the corresponding constraint ma-
trix has rank at least k − s + 1, which leads to the claimed bound. Finally, the claim on the rank
of the constraint matrix follows by observing (and this is the crucial insight) that the constraint
matrix is upper triangular. Further, the diagonal elements are evaluation of a non-zero polyno-
mial of degree at most s − 1 in k distinct elements. By the degree mantra (Proposition 5.2.4),
this polynomial can have at most s − 1 roots, which implies that at least k − s + 1 elements of the

326
 B (γk−1 ) f0 −a 0,k−1
B (γk−2 ) f1 −a 0,k−2

× =

B (γ3 ) f k−4 −a 0,3

B (γ2 )
0 f k−3 −a 0,2
B (γ) f k−2 −a 0,1
B (1) f k−1 −a 0,0

Figure 18.10: The system of linear equations with the variables f 0 , . . . , f k−1 forming the coeffi-
P
cients of the polynomial f (X ) = k−1 i
i =0 f i X that we want to output. The constants a j ,0 are ob-
tained from the interpolating polynomial from Step 1. B (X ) is a non-zero polynomial of degree
at most s − 1.

diagonal are non-zero, which then implies the claim. See Figure 18.10 for an illustration of the
upper triangular system of linear equations.
Next, we present the argument above in full detail. (Note that the constraint on (18.8) is the
same as the one in (18.6) because of the constraint on the structure of Q imposed by Step 1.)

Lemma 18.3.4. There are at most q s−1 solutions to f 0 , f 1 , .., f k−1 (where f (X ) = f 0 + f 1 X + ... +
f k−1 X k−1 ) to the equations
¡ ¢ ¡ ¢
A 0 (X ) + A 1 (X ) f (X ) + A 2 (X ) f γX + ... + A s (X ) f γs−1 X ≡ 0 (18.8)

Proof. First we assume that X does not divide all of the polynomials A 0 , A 1 , ..., A s . Then it im-
plies that there exists i ∗ > 0 such that the constant term of the polynomial A i ∗ (X ) is not zero.
(Because otherwise, since X |A 1 (X ), ..., A s (X ), by (18.8), we have X divides A 0 (X ) and hence X
divide all the A i (X ) polynomials, which contradicts the assumption.)
To facilitate the proof, we define few auxiliary variables a i j such that

D+k−1
X
A i (X ) = a i j X j for every 0 ≤ i ≤ s,
j =0

and define the following univariate polynomial:

B (X ) = a 1,0 + a 2,0 X + a 3,0 X 2 + ... + a s,0 X s−1 . (18.9)

Notice that a i ∗ ,0 6= 0, so B (X ) is non-zero polynomial. And because degree of B (X ) is at most

s − 1, by the degree mantra (Proposition 5.2.4), B (X ) has at most s − 1 roots. Next, we claim the
following:

327
Claim 18.3.5. For every 0 ≤ j ≤ k − 1:

• If B (γ j ) 6= 0, then f j is uniquely determined by f j −1 , f j −2 , . . . , f 0 .

• If B (γ j ) = 0, then f j is unconstrained, i.e. f j can take any of the q values in Fq .

We defer the proof of the claim above for now. Suppose that the above claim is correct. Then
as γ is a generator of Fq , 1, γ, γ2 , ..., γk−1 are distinct (since k − 1 ≤ q − 2). Further, by the degree
mantra (Proposition 5.2.4) at most s − 1 of these elements are roots of the polynomial B (X ).
Therefore by Claim 18.3.5, the number of solutions to f 0 , f 1 , ..., f k−1 is at most q s−1 . 2
We are almost done except we need to remove our earlier assumption that X does not divide
every A i . Towards this end, we essentially just factor out the largest common power of X from
all of the A i ’s, and proceed with the reduced polynomial. Let l ≥ 0 be the largest l such that
A i (X ) = X l A ′i (X ) for 0 ≤ i ≤ s; then X does not divide all of A ′i (X ) and we have:
¡ ¢
X l A ′0 (X ) + A ′1 (X ) f (X ) + · · · + A ′s (X ) f (γs−1 X ) ≡ 0.

Thus we can do the entire argument above by replacing A i (X ) with A ′i (X ) since the above con-
straint implies that A ′i (X )’s also satisfy (18.8).

Next we prove Claim 18.3.5.

Proof of Claim 18.3.5. Recall that we can assume that X does not divide all of {A 0 (X ), . . . , A s (X )}.
¡ ¢
Let C (X ) = A 0 (X )+ A 1 (X ) f (X )+· · ·+ A s f γs−1 X . Recall that we have C (X ) ≡ 0. If we expand
out each polynomial multiplication, we have:

C (X ) =a 0,0 + a 0,1 X + · · · + a 0,D+k−1 X D+k−1

³ ´³ ´
+ a 1,0 + a 1,1 X + · · · + a 1,D+k−1 X D+k−1 f 0 + f 1 X + f 2 X 2 + · · · + f k−1 X k−1
³ ´³ ´
+ a 2,0 + a 2,1 X + · · · + a 2,D+k−1 X D+k−1 f 0 + f 1 γX + f 2 γ2 X 2 + · · · + f k−1 γk−1 X k−1
..
.
³ ´³ ´
+ a s,0 + a s,1 X + · · · + a s,D+k−1 X D+k−1 f 0 + f 1 γs−1 X + f 2 γ2(s−1) X 2 + · · · + f k−1 γ(k−1)(s−1) X k−1
(18.10)

Now if we collect terms of the same degree, we will have a polynomial of the form:

C (X ) = c 0 + c 1 X + c 2 X 2 + · · · + c D+k−1 X D+k−1 .
2
Build a “decision tree" with f 0 as the root and f j in the j th level: each edge is labeled by the assigned value to
the parent node variable. For any internal node in the j th level, if B (γ j ) 6= 0, then the node has a single child with
the edge taking the unique value promised by Claim 18.3.5. Otherwise the node has q children with q different
labels from Fq . By Claim 18.3.5, the number of solutions to f (X ) is upper bounded by the number of nodes in the
kth level in the decision tree, which by the fact that B has at most s − 1 roots is upper bounded by q s−1 .

328
 So we have D +k linear equations in variables f 0 , . . . , f k−1 , and we are seeking those solutions
such that c j = 0 for every 0 ≤ j ≤ D + k − 1. We will only consider the 0 ≤ j ≤ k − 1 equations. We

first look at the equation for j = 0: c 0 = 0. This implies the following equalities:
0 = a 0,0 + f 0 a 1,0 + f 0 a 2,0 + · · · + f 0 a s,0 (18.11)
¡ ¢
0 = a 0,0 + f 0 a 1,0 + a 2,0 + · · · + a s,0 (18.12)
0 = a 0,0 + f 0 B (1). (18.13)
In the above (18.11) follows from (18.10), (18.12) follows by simple manipulation while (18.13)
follows from the definition of B (X ) in (18.9).
Now, we have two possible cases:
−a 0,0
• Case 1: B (1) 6= 0. In this case, (18.13) implies that f 0 = B (1)
. In particular, f 0 is fixed.

• Case 2: B (1) = 0. In this case f 0 has no constraint (and hence can take on any of the q
values in Fq ).
Now consider the equation for j = 1: c 1 = 0. Using the same argument as we did for j = 0,
we obtain the following sequence of equalities:
0 = a 0,1 + f 1 a 1,0 + f 0 a 1,1 + f 1 a 2,0 γ + f 0 a 2,1 + · · · + f 1 a s,0 γs−1 + f 0 a s,1
à !
¡ ¢ Xs
s−1
0 = a 0,1 + f 1 a 1,0 + a 2,0 γ + · · · + a s,0 γ + f0 a l ,1
l =1

0 = a 0,1 + f 1 B (γ) + f 0 b 0(1) (18.14)

P
where b 0(1) = ls=1 a l ,1 is a constant. We have two possible cases:

−a 0,1 − f 0 b 0(1)
• Case 1: B (γ) 6= 0. In this case, by (18.14), we have f 1 = B (γ) and there is a unique
choice for f 1 given fixed f 0 .

• Case 2: B (γ) = 0. In this case, f 1 is unconstrained.

Now consider the case of arbitrary j : c j = 0. Again using similar arguments as above, we get:

0 = a 0, j + f j (a 1,0 + a 2,0 γ j + a 3,0 γ2 j + · · · + a s,0 γ j (s−1) )

+ f j −1 (a 1,1 + a 2,1 γ j −1 + a 3,1 γ2( j −1) + · · · + a s,1 γ( j −1)(s−1) )
..
.
+ f 1 (a 1, j −1 + a 2, j −1 γ + a 3, j −1 γ2 + · · · + a s, j −1 γs−1 )
+ f 0 (a 1, j + a 2, j + a 3, j + · · · + a s, j )
jX
−1
(j)
0 = a 0, j + f j B (γ j ) + f l bl (18.15)
l =0
(j) Ps
where b l = ι=1 a ι, j −l · γl (ι−1) are constants for 0 ≤ j ≤ k − 1.
We have two possible cases:

329
 • Case 1: B (γ j ) 6= 0. In this case, by (18.15), we have
P j −1 (j)
−a 0, j − f b
l =0 l l
fj = (18.16)
B (γ j )

and there is a unique choice for f j given fixed f 0 , . . . , f j −1 .

• Case 2: B (γ j ) = 0. In this case f j is unconstrained.

This completes the proof.

We now revisit the proof above and make some algorithmic observations. First, we note that
to compute all the tuples ( f 0 , . . . , f k−1 ) that satisfy (18.8) one needs to solve the linear equations
(18.15) for j = 0, . . . , k − 1. One can state this system of linear equation as (see also Figure 18.10)
   
f0 −a 0,k−1
 ..   .. 
C · . = . ,
f k−1 −a 0,0

(j)
where C is a k × k upper triangular matrix. Further each entry in C is either a 0 or B (γ j ) or b l –
each of which can¡be computed
¢ in O(s log s) operations over Fq . Thus, we can setup this system
2
of equations in O s log sk operations over Fq .
Next, we make the observation that all the solutions to (18.8) form an affine subspace. Let
0 ≤ d ≤ s − 1 denote the number of roots of B (X ) in {1, γ, . . . , γk−1 }. Then since there will be
j
d unconstrained variables among f 0 , . . . , f k−1 (one
n of every j such
o that B (γ ) = 0), it is not too
hard to see that all the solutions will be in the set M · x + z|x ∈ Fdq , for some k ×d matrix M and
some z ∈ Fkq . Indeed every x ∈ Fdq corresponds to an assignment to the d unconstrained variables
among f 0 , . . . , f j . The matrix M and the vector z are determined by the equations
¡ 2¢ in (18.16).
Further, since C is upper triangular, both M and z can be computed with O k operations over
Fq .
The discussion above implies the following:
n o
d
Corollary 18.3.6. The set of solutions to (18.8) are contained in an affine subspace M · x + z|x ∈ Fq
for some 0 ≤ d ≤ s −1 and M ∈ Fk×d q and z ∈ Fkq . Further, M and z can be computed from the poly-
nomials A 0 (X ), . . . , A s (X ) with O(s log sk 2 ) operations over Fq .

18.3.3 Algorithm Implementation and Runtime Analysis

In this sub-section, we discuss how both the interpolation and root finding steps of the algo-
rithm can be implemented and analyze the run time of each step.
Step 1 involves solving N m linear equation in O(N m) variables and can e.g. be solved by
Gaussian elimination in O((N m)3 ) operations over Fq . This is similar to what we have seen for
Algorithms 24, 25 and 26. However, the fact that the interpolation polynomial has total degree

330
of one in the variables Y1 , . . . , Y s implies a much faster algorithm. In particular, one can perform
the interpolation in O(N m log2 (N m) log log(N m)) operations over Fq .
The root finding step involves computing all the “roots" of Q. The proof of Lemma 18.3.4
actually suggests Algorithm 30.

Algorithm 30 The Root Finding Algorithm for Algorithm 29

I NPUT: A 0 (X ), . . . , A s (X )
O UTPUT: All polynomials f (X ) of degree at most k − 1 that satisfy (18.8)

1: Compute ℓ such that X ℓ is the largest common power of X among A 0 (X ), . . . , A s (X ).

2: FOR every 0 ≤ i ≤ s DO
A i (X )
3: A i (X ) ← Xℓ
.
4: Compute B (X ) according to (18.9)
5: Compute d , nz and M such that
o the solutions to the k linear system of equations in (18.15)
lie in the set M · x + z|x ∈ Fdq .
6: L←;
7: FOR every x ∈ Fd q DO
8: ( f 0 , . . . , f k−1 ) ← M · x + z.
P
9: f (X ) ← k−1 i
i =0 f i · X .
10: IF f (X ) satisfies (18.8) THEN
11: Add f (X ) to L.
12: RETURN L

Next, we analyze the run time of the algorithm. Throughout, we will assume that all polyno-
mials are represented in their standard coefficient form.
Step 1 just involves figuring out the smallest power of X in each A i (X ) that has a non-zero
coefficient from which one can compute the value of ℓ. This can be done with O(D + k + s(D +
1)) = O(N m) operations over Fq . Further, given the value of ℓ one just needs to “shift" all the
coefficients in each of the A i (X )’s to the right by ℓ, which again can be done with O(N m) oper-
ations over Fq .
Now we move to the root finding step. The run time actually depends on what it means to
“solve" the linear system. If one is happy with a succinct description of a set of possible solution
that contains the actual output then one can halt ¡Algorithm ¢ 30 after
¡ Step 5 and ¢ Corollary 18.3.6
2 2
implies that this step can be implemented in O s log sk = O s log s(N m) operations over
Fq . However, if one wants the actual set of polynomials that need to be output, then the only
known option so far is to check all the q s−1 potential solutions as in Steps 7-11. (However, we’ll
see a twist in Section 18.4.) The latter would imply a total of O(s log s(N m)2 ) + O(q s−1 · (N m)2 )
operations over Fq .
Thus, we have the following result:

Lemma 18.3.7. With O(s log s(N m)2 ) operations over Fq , the algorithm above can return an
affine subspace of dimension s − 1 that contains all the polynomials of degree at most k − 1

331
that need to be output. Further, the exact set of solution can be computed in with additional
O(q s−1 · (N m)2 ) operations over Fq .

18.3.4 Wrapping Up
By Theorem 18.3.3, we know that we can list decode a folded Reed-Solomon code with folding
parameter m ≥ 1 up to
s ³ m ´
· 1− ·R (18.17)
s +1 m −s +1
fraction of errors for any 1 ≤ s ≤ m.
To obtain our desired bound 1 − R − ε fraction of errors, we instantiate the parameter s and
m such that
s m
≥ 1 − ε and ≤ 1 + ε. (18.18)
s +1 m −s +1
It is easy to check that one can choose

s = Θ(1/ε) and m = Θ(1/ε2 )

such that the bounds in (18.18) are satisfied. Using the bounds from (18.18) in (18.17) implies
that the algorithm can handle at least

(1 − ε)(1 − (1 + ε)R) = 1 − ε − R + ε2 R > 1 − R − ε

fraction of errors, as desired.

We are almost done since Lemma 18.3.7 shows that the run time of the algorithm is q O(s) .
The only thing we need to choose is q: for the final result we pick q to be the smallest power
of 2 that is larger than N m + 1. Then the discussion above along with Lemma 18.3.7 implies
the following result (the claim on strong explicitness follows from the fact that Reed-Solomon
codes are strongly explicit):

Theorem 18.3.8. There exist strongly explicit folded Reed-Solomon codes of rate R that for large
enough block length N can be list decoded from 1 − R − ε fraction of errors (for any small enough
¡ ¢O(1/ε) ¡ ¢O(1/ε) ¡ ¢O(1/ε2 )
ε > 0) in time Nε . The worst-case list size is Nε and the alphabet size is Nε .

18.4 Bibliographic Notes and Discussion

There was no improvement to the Guruswami-Sudan result (Theorem 17.2.10) for about seven
years till Parvaresh and Vardy showed that “Correlated" Reed-Solomon codes can be list-decoded
1
up to 1 − (mR) m+1 fraction of errors for m ≥ 1 [100]. Note that for m = 1, correlated Reed-
Solomon codes are equivalent to Reed-Solomon codes and the result of Parvaresh and Vardy
recovers Theorem 17.2.10. Immediately, after that Guruswami and Rudra [61] showed that
Folded Reed-Solomon codes can achieve the list-decoding capacity of 1 − R − ε and hence, an-
swer Question 18.0.1 in the affirmative. Guruswami [55] reproved this result but with a much

332
simpler proof. In this chapter, we studied the proof due to Guruswami. Guruswami in [55] cred-
its Salil Vadhan for the the interpolation step. An algorithm presented in Brander’s thesis [14]
shows that for the special interpolation in Algorithm 29, one can perform the interpolation in
O(N m log2 (N m) log log(N m)) operations over Fq . The idea of using the “sliding window" for list
decoding Folded Reed-Solomon codes is originally due to Guruswami and Rudra [60].
The bound of q s−1 on the list size for folded Reed-Solomon codes was first proven in [60] by
roughly the following argument. One reduced the problem of finding roots to finding roots of a
univariate polynomial related to Q over Fq k . (Note that each polynomial in Fq [X ] of degree at
most k −1 has a one to one correspondence with elements of Fq k – see e.g. Theorem 13.2.1.) The
list size bound follows from the fact that this new univariate polynomial had degree q s−1 . Thus,
implementing the algorithm entails running a root finding algorithm over a big extension field,
which in practice has terrible performance.

Discussion. For constant ε, Theorem 18.3.8 answers Question 18.0.1 in the affirmative. How-
ever, from a practical point of view, there are three issues with the result: alphabet, list size and
run time. Below we tackle each of these issues.

Large Alphabet. Recall that one only needs an alphabet of size 2O(1/ε) to be able to list de-
code from 1 − R − ε fraction of errors, which is independent of N . It turns out that combining
Theorem 18.3.8 along with code concatenation and expanders allows us to construct codes over
4
alphabets of size roughly 2O(1/ε ) [60]. (The idea of using expanders and code concatenation was
not new to [60]: the connection was exploited in earlier work by Guruswami and Indyk [58].)
The above however, does not answer the question of achieving list decoding capacity for
fixed q, say e.g. q = 2. We know that there exists binary code of rate R that are (H −1 (1 − R −
ε),O(1/ε))-list decodable codes (see Theorem 7.4.1). The best known explicit codes with effi-
cient list decoding algorithms are those achieved by concatenating folded Reed-Solomon codes
with suitable inner codes achieve the so called Blokh-Zyablov bound [62]. However, the tradeoff
is far from the list decoding capacity. As one sample point, consider the case when we want to
list decode from 12 − ε fraction of errors. Then the result of [62] gives codes of rate Θ(ε3 ) while
the codes on list decoding capacity has rate Ω(ε2 ). The following fundamental question is still
very much wide open:

Open Question 18.4.1. Do there exist explicit binary codes with rate R that can be list de-
coded from H −1 (1 − R − ε) fraction of errors with polynomial list decoding algorithms?

The above question is open even if we drop the requirement on efficient list decoding al-
gorithm or we only ask for a code that can list decode from 1/2 − ε fraction of errors with rate
Ω(εa ) for some a < 3. It is known (combinatorially) that concatenated codes can achieve the list
decoding capacity but the result is via a souped up random coding argument and does not give
much information about an efficient decoding algorithm [63].

333
List Size. It is natural to wonder if the bound on the list size in Lemma 18.3.4 above can be
improved as that would show that folded Reed-Solomon codes can be list decoded up to the list
decoding capacity but with a smaller output list size than Theorem 18.3.8. Guruswami showed
that in its full generality the bound cannot be improved [55]. In particular, he exhibits explicit
polynomials A 0 (X ), . . . , A s (X ) such that there are at least q s−2 solutions for f (X ) that satisfy
(18.8). However, these A i (X )’s are not known to be the output for an actual interpolation in-
stance. In other words, the following question is still open:

Open Question 18.4.2. Can folded Reed-Solomon codes of rate R be list decoded from 1 −
R −ε fraction of errors with list size f (1/ε)·N c for some increasing function f (·) and absolute
constant c?

o(1)
Even the question above with N (1/ε) is still open.
However, if one is willing to consider codes other than folded Reed-Solomon codes in or-
der to answer to achieve list decoding capacity with smaller list size (perhaps with one only
dependent on ε), then there is good news. Guruswami in the same paper that presented the
algorithm in this chapter also present a randomized construction of codes of rate R that are
(1 − R − ε,O(1/ε2 ))-list decodable codes [55]. This is of course worse than what we know from
the probabilistic method. However, the good thing about the construction of Guruswami comes
with an O(N /ε)O(1/ε) -list decoding algorithm.
Next we briefly mention the key ingredient in the result above. To see the potential for im-
provement consider Corollary 18.3.6. The main observation is that all the potential solutions
lie in an affine subspace of dimension s − 1. The key idea in [55] was use the folded Reed-
Solomon encoding for a special subset of the message space Fkq . Call a subspace S ⊆ Fkq to be a
(q, k, ε, ℓ, L)-subspace evasive subset if

1. |S| ≥ q k(1−ε) ; and

2. For any (affine) subspace T ⊆ Fkq of dimension ℓ, we have |S ∩ T | ≤ L.

¡ ¡ ¢¢
The code in [55], applies the folded Reed-Solomon encoding on a q, k, s,O s 2 -subspace eva-
sive subset (such a subset can be shown to exist via the probabilistic method). The reason why
this sub-code of folded Reed-Solomon code works is as follows: Condition (1) ensures that the
new code has rate at least R(1−ε), where R is the rate of the original folded Reed-Solomon code
and condition (2) ensures that the number of output polynomial in the root finding step of the
algorithm we considered in the last section is at most L. (This is because by Corollary 18.3.6 the
k
output message space is an affine subspace of dimension s − 1 in FQ . However, in the new code
¡ 2¢
by condition 2, there can be at most O s output solutions.)
The result above however, has two shortcomings:
³ ´ (i) the code is no longer explicit and (ii)
1
even though the worst case list size is O ε2
, it was not know how to obtain this output without
s−1
listing all the q possibilities and pruning them against S. The latter meant that the decoding
runtime did not improve over the one achieved in Theorem 18.3.8.

334
Large Runtime. We finally address the question of the high run time of all the list decoding
algorithms so far. Dvir and Lovett [34], presented a construction of an explicit (q, k, ε, s, s O(s) )-
subspace evasive subset S ∗ . More interestingly, given any affine subspace T of dimension at
most s, it can compute S ∩T in time proportional to the output size. Thus, this result along with
the discussion above implies the following result:

Theorem 18.4.1. There exist strongly explicit codes of rate R that for large enough block length
µ³ ´ ¶N
2
can be list decoded from 1−R −ε fraction of errors (for any small enough ε > 0) in time O εN2 +
¡ 1 ¢O(1/ε) ¡ ¢O(1/ε) ¡ ¢O(1/ε2 )
ε . The worst-case list size is 1ε and the alphabet size is Nε .

The above answers Question 18.0.1 pretty satisfactorily. However, to obtain a completely
satisfactory answer one would have to solve the following open question:

¡ ¢
Open Question 18.4.3. Are there explicit codes of rate R > 0 that are 1 − R − ε, (1/ε)O(1) -list
decodable that can be list-decoded in time poly(N , 1/ε) over alphabet of size q ≤ pol y(n)?

The above question, without the requirement of explicitness, has been answered by Gu-
ruswami and Xing [69].

335
336
Chapter 19

Recovering very locally: Locally Recoverable

Codes

19.1 Context

In this chapter, we describe an exciting recent direction in coding theory that emerged due to
applications in modern distributed storage systems. Such storage systems store vast amounts
of data that need to be maintained in a fault-tolerant manner, resilient to intermittent or per-
manent failures of servers storing the data. We can imagine the data encoded into a codeword
(c 1 , c 2 , . . . , c n ) ∈ Σn , where the i ’th symbol is stored on the i ’th server. (Of course the servers will
store multiple codewords, but we will imagine server failures as symbol erasures (recall Propo-
sition 1.4.2) in the codeword.) Erasure codes (i.e. codes capable of recovering from erasures) are
thus a natural choice to ensure that the data can be safely recovered even when many servers
are unresponsive.
Traditional MDS codes like Reed-Solomon codes appear attractive due to their optimal trade-
off between storage overhead and number of erasures tolerated. MDS codes, and more gen-
erally codes with good minimum distance, allow recovery from the worst-case scenario of a
large number of erasures (recall Proposition 1.4.2). However, a much more common situation
that emerges in the context of large scale distributed storage systems is that a small number of
servers fail or become unresponsive. This calls for the repair of a single (or few) failed server(s)
quickly, while at the same time retaining as much of the the distance property of the code
as possible, thus enabling protection against more rare or catastrophic failures or large-scale
maintenance of many servers. This is exactly what locally recoverable codes (also called locally
reparable or local reconstruction codes), abbreviated LRCs, are designed to achieve. They en-
able that any codeword symbol can be quickly recovered, in a local fashion, based on few other
codeword symbols, and at the same time they have as large a distance as is compatible with the
local constraints that the codeword symbols obey. This is a fairly natural trade-off under which
to examine classical coding bounds and constructions, and at the same time, LRCs have had
significant practical impact, with their deployment in large scale cloud systems saving billions

337
of dollars in storage costs!1
With this backdrop, we now turn to the formal description of locally recoverable codes. We
will focus only on the coding-theoretic aspects, and not have a chance to describe further as-
pects that related to the use of LRCs for distributed storage. For simplicity we will focus on
the local recovery of single erased symbols. Note that compared to locally decodable or locally
correctable codes (LDC or LCCs– see Chapter ??), where the goal is to recover from a constant
fraction of errors, for LRCs the goal is to recover from a single (or small number of) erasures.
Thus the noise model is the most benign possible, but the demands on the code are strong —
small locality and high rate. In comparison, LDCs and LCCs necessarily have vanishing rate.

19.2 Definition of Locally Recoverable Codes

We will restrict our attention to linear codes over some field F. This is mainly for simplicity. Our
LRC constructions will be linear, and the Singleton type bound we prove on the limitats of LRCs
(in Section 19.4) will work for non-linear codes as well.

Definition 19.2.1. Consider a linear code C ⊆ Fn of dimension k where the first k symbols are
information symbols, and the last n − k are check symbols2 . Such a code is said to be a message
symbol (r, d )-locally recoverable code, or (r, d )-mLRC for short, if

(i) it has minimum distance at least d , and

(ii) for every i ∈ [k], there exists R i ⊆ [n] \ {i } of size at most r such that the i ’th symbol c i of any
codeword c = (c 1 , c 2 , . . . , c n ) ∈ C can be recovered from cRi .

One can also demand local recovery of all codeword symbols, including the check symbols,
as defined below.

Definition 19.2.2. A linear code C ⊆ Fn is said to be an (r, d )-locally recoverable code, or (r, d )-
LRC for short, if

(i) it has minimum distance at least d , and

(ii) for every i ∈ [n], there exists R i ⊆ [n] \ {i } of size at most r such that the i ’th symbol c i of any
codeword c = (c 1 , c 2 , . . . , c n ) ∈ C can be recovered from cRi .

We make two remarks:

1. Note that Definition 19.2.2 does not specify anything about how c i could be recovered
from cRi . However, for linear codes, there is always a cannoical ‘linear’ recovery mechanism–
see Exercise 19.2.
1
A different coding construct, called regenerating codes, has also been extensively studied in the context of us-
ing codes for efficient repair of single/few erasures. These codes do not optimize for locality, but rather the total
amount of information downloaded from other codeword positions, allowing for transmission of partial informa-
tion about c j to c i . We do not discuss these codes in this book.
2
I.e. these are systematic codes: recall Exercise 2.16.

338
 2. Definition 19.2.2 does not impose any upper bound on r but it turns out that an [n, k d ]q
codes is (r, d )-LRC for r ≤ k– see Exercise 19.3.

Given the above definition, the following is the natural followup question:

Question 19.2.1. If an (n, k, d )q code is an (r, d )-LRC, what is the optimal tradeoff between
n and k?

In the remainder for the chapter, we will exactly pin-point the optimal tradeoff between n
and k.

19.3 A simple construction for message symbol LRCs

We will allow our codes to be defined over large fields (or size at least Ω(n)).3 It turns out local
recovery of only the message symbols is easy to arrange along with good distance (which we
will show to be optimal in the next section, which answers Question 19.2.1).
Specifically, we will prove the following.

Theorem 19.3.1. Let n > k ≥ r be positive integers and q ≥ n a prime power. Then there is an
explicit [n, k] linear code over Fq that is an (r, d )-mLRC where
» ¼
k
d = n −k − +2 . (19.1)
r

Proof. The construction is quite simple. We begin with a systematic [n 0 , k, d ] MDS code (recall
Definition 5.3.1 and Exercise 2.16) C 0 over Fq with k message symbols and n 0 − k = d − 1 parity
n
symbols. This code encodes a message x = (x 1 , . . . , x k ) ∈ Fkq into c ∈ Fq 0 where c i = x i for 1 ≤ i ≤ k
­ ®
is the systematic part, and the check symbols c k+ j for 1 ≤ j ≤ n 0 − k are given by c k+ j = p( j ) , x
for some p( j ) ∈ Fkq . That is, the encoding map is
³ ­ ® ­ ® D E´
x 7→ x, p(1) , x , p(2) , x , . . . , p(d −1) , x . (19.2)

By the MDS property, each vector p( j ) ∈ Fkq has full support (see Exercise 19.4).
l m
We then take one of the check symbols (say c n0 ), and split it into ℓ := kr symbols, each of
which depends on at most r disjoint message symbols. Formally, partition [k] = {1, 2, . . . , k} into
sets S 1 , S 2 , . . . , S ℓ where S 1 , S 2 , . . . , S ℓ−1 have size exactly r , and S ℓ has the remaining (at most) r
elements of [k]. For definiteness, let us take (for 1 ≤ j < ℓ):
© ª
S j = ( j − 1)r + 1, ( j − 1)r + 2, . . . , j r
3
This assumption is satisfied in practice.

339
and
S ℓ = {(ℓ − 1)r + 1, . . . , k} .

Given these notations, one can represent a generator matrix of the code defined by (19.2) as
below.
 
¡ (1) ¢
 p S1 
 ¡ (2) ¢ 
 
 p S2 
 
 
 .. .. 
 . . 



I p (1)
p (2)
· · · p (d −2)
¡ ( j )¢
p


 Sj 

 

 .. .. 

 . . 
 ¡ ¢ 
p(ℓ) S
ℓ

Now consider the above generator matrix but where we ‘split‘ the last column as follows:
 
¡ (1) ¢
 p S1 0 ··· 0 ··· 0 
 ¡ ¢ 
 
 0 p(2) S 2 · · · 0 ··· 0 
 
 
 .. .. .. .. .. 
 . . . . . 



I p(1) p(2) · · · p(d −2) 0 0
· · ·
¡ ¢
· · · p( j ) S j 0



 
 

 .. .. .. .. .. 

 . . ··· . . . 
 ¡ (ℓ)
¢ 
0 0 0 ··· p S
ℓ

For 1 ≤ j ≤ ℓ, define q( j ) to be the vector p(d −1) that is zeroed out outside S j . Based on the
above generator matrix, we now define a new code C that encodes x ∈ Fkq into a codeword in Fnq
for » ¼
k
n = k + (d − 2) + ℓ = k + d − 2 + (19.3)
r
as follows: ³ ­ D E ­ D E´
® ­ ® ®
x 7→ x, p(1) , x , p(2) , x , . . . , p(d −2) , x , q(1) , x , . . . q(ℓ) , x . (19.4)

Note that by (19.3), the parameters n, k, d , r obey the relation (19.1) claimed in the theorem. We
now verify that C is an (r, d )-mLRC, which would finish the proof.
Comparing the encodings (19.2) and (19.4), the sum of the last ℓ check symbols in (19.4)
equals the last check symbol in (19.2), and the remaining codeword symbols are the same. It
follows that the Hamming weight of the encoding (19.4) of a nonzero x is at least the Hamming
weight under the encoding of x under (19.2). The latter is at least d , since C 0 has distance d .
Thus, the code defined by (19.4) also has distance at least d .

340
 Finally, the message symbol locality of (19.4) is guaranteed by the ℓ ‘split-up’ check symbols.
Specifically, each message symbol
­ ( j ) ®in S j can be recovered based on the other message symbols
(d −1)
in S j and the check symbol q , x — this follows because p has full support and therefore
the support of q( j ) is precisely S j . Since |S j | ≤ r , every message bit can be recovered based on at
most r other bits of the codeword.

19.4 A Singleton-type bound

We now prove that the distance achieved in (19.1) is the best possible. We will present a general
argument that does not rely on linearity. Specifically, the proof below works as long as there are
k coordinates on which the code projects biectively (this is the analog of the information set of
a linear code), each of which has which a local recovery set of size at most r (see Exercise 19.5
for a formal definition).

Theorem 19.4.1. The distance of an (r, d )-mLRC of length n and dimension k must satisfy
» ¼
k
d ≤ n −k − +2 . (19.5)
r

Proof. Let C be an (r, d )-mLRC (or to be precise (r, d )-gmLRC as defined in Exercise 19.5) with
q k codewords where q is the alphabet size of the code. Assume, without loss of generality, that
C projects onto the first k coordinates bijectively, and that these coordinates all have a local
recovery group of size r . j k
Our first (key) claim will be that we can find a subset S ⊂ {1, 2, . . . , k} of size k−1
r and a
disjoint set T ⊂ [n] of size at most k −1 such ∀c ∈ C , cT determines cS , where recall that cT (resp.
cS ) denotes the projection c onto the coordinates in T (resp. S).
Indeed, we can construct these sets S, T greedily as follows:

Algorithm 31 Computing disjoint S and T

I NPUT: Sets R i for i ∈ [k]
O UTPUT: Set S, T such that S ∩ T = ;

1: S, T ← ; j k
k−1
2: WHILE |S| < r DO
3: Let t ∈ [k] be the minimum element that does not belong to S ∪ T
4: S ← S ∪ {t }
5: T ← T ∪ (R t \ S)
6: RETURN S, T

Each of the sets R t in the above procedure has size at most r . In fact, since [k] is an informa-
tion set, each R t must include at least one index outside [k] (see Exercise 19.6), and thus

|R t ∩ [k]| ≤ r − 1.

341
Therefore, at any stage in the above procedure, we have
|T ∩ [k]| ≤ (r − 1)|S|.
As long as |S| < k−1
r , we have
|S| + |T ∩ [k]| ≤ r |S| < (k − 1).
Therefore an index t ∈ [k] outside the current S ∪ T , which is then added to S, can be found.
Thus the above procedure is well defined.
By construction, it is clear that T is disjoint from S, since at each stage we exclude the current
elements in S from R t before adding it to T . Also it can be argued that cT determines cS (see
Exercise 19.7). Also the final set T output has size at most
¹ º
k −1
r ≤ k − 1.
r
Since cS is determined by cT , it is also determined by c[n]\S . This implies that the projection
of C onto [n] \ S is one-one4 , and in particular n − |S| ≥ k. Therefore, we can add k − 1 − |T |
elements outside S ∪ T to T to obtain a set T ′ of size k − 1. By construction, we have
(i) |T ′ | = k − 1,

(ii) T ′ ∩ S = ;, and

(iii) cT ′ determines cS (since T ′ ⊃ T and cT determines cS ).

Since |T ′ | = k − 1, by the pigeonhole principle5 , there must exist two distinct codewords
c, c ∈ C such that cT ′ = c′T ′ . Note that (by property (iii) above) this also implies cS = c′S . Thus c
′
j k
and c′ agree on at least k − 1 + k−1 r
positions. Therefore the distance of C is at most
¹ º
k −1
n −k − +1 .
r
j k l m
Noting that k−1 r = kr − 1 (see Exercise 19.8), the proof is complete.

19.5 An LRC meeting the Singleton type bound

In Section 19.3 we presented a simple construction of a message symbol LRC (recall Defini-
tion 19.2.1) whose distance is optimal (meeting the bound (19.5)). We now construct a general
(all-symbol) LRC (recall Definition 19.2.2). This will be harder than the message only case. The
codes will be a carefully picked sub-code of the Reed-Solomon code that exhibits locality.
In particular, in this section we will argue the following result:
Theorem 19.5.1. Let n > k ≥ r be positive integers with n being a multiple of (r + 1) and let
q ≥ n + 1 a prime power such that q − 1 is also divisible by r + 1.6 Then there is an explicit [n, k]q
4
Unless C has distance 0 in which case there is nothing to prove
5
Recall that the piegonhole principle state that is > m pigeons are placed in m holes there will be one hole with
at least two pigeons in it. We use this with the holes being all the q k−1 possible vectors of length q and the pigeons
are the q k codeword projections onto T ′ .
6
These divisibility requirements can be relaxed, but for simplicity we assume them.

342
code, which is in fact a sub-code of a Reed-Solomon code, that is an (r, d )-LRC with the optimal
distance » ¼
k
d = n −k − +2 . (19.6)
r
Fix a field Fq such that q − 1 is divisible by r + 1 (we argue in Exercise 19.9 that there are
infinitely many such n, q and r that satisfy the divisibility conditions of Theorem 19.5.1). This
means that Fq has primitive r +1’th root of unity (let’s call it ω), so that ω, ω2 , . . . , ωr are all distinct
and ωr +1 = 1 (see Exercise 19.10).
We will construct an [n, k]q linear LRC with locality r for n = q − 1, which will be a sub-code
of a certain Reed-Solomon code. Let k ′ be the smallest integer so that (we will soon see an
explicit expression for k ′ in terms of k and r )
» ¼
k ′r
k= . (19.7)
r +1
′
Note that this means k = krr+1
+a
for some a, 0 < a ≤ r .7 Then, expressing k ′ as a function of k, we
have » ¼
′ (r + 1)k − a k −a k
k = =k+ =k+ −1 (19.8)
r r r
where the last equality holds because a > 0 (see Exercise 19.11).
Consider the Reed-Solomon code over Fq of dimension k ′ and block length n := q − 1 which
is obtained by evaluating message polynomials f ∈ Fq [X ] of degree less than k ′ at F∗q (all the
nonzero field elements), to give the codeword 〈 f (α)〉α∈F∗q (recall Definition 5.2.1). A degree d −1
polynomial can take every possible set of values on any d -tuple of field elements (this e.g. fol-
lows from Proposotion 5.3.3). Therefore, these Reed-Solomon codes has no non-trivial locality
— one needs to know k ′ other codeword symbols to recover any particular erased codeword
symbol.
Consider the set © ª
U = 1, ω, ω2 , . . . , ωr (19.9)
of the (r + 1)’th roots of unity in F∗q . We will now see how we to pick a subcode of the above
Reed-Solomon code, by restricting which powers are allowed in the message polynomials, so
that the evaluations at U will exhibit locality (and similarly for the multiplicative cosets8 of U ,
which partition F∗q ).
We mention the following fact (see Exercise 19.12):

Fact 19.5.2. We have Y

(X − u) = X r +1 − 1.
u∈U

If we restrict a polynomial f ∈ Fq [X ] to U , its restriction fU agrees with the polynomial

g (X ) := f (X ) mod (X r +1 − 1) on U (see Exercise 19.13). Now if g has degree less than r , then
l m
7 k′r (k ′ −1)r
We cannot have a = 0 since if k = r +1 , then k = r +1 so k ′ will not be the minimum choice satisfying (19.7).
8
See part 2 of Exercise 2.4 for a definition of (multiplicative) coset.

343
 P
the evaluations of g on U will satisfy a non-trivial linear constraint, i.e., u∈U λu g (u) = 0 where
not all λα ’s are 0 (see Exercise 19.14).
However, in general the remainder of f (X ) modulo (X r +1 −1) is a polynomial of degree r . To
ensure that it has degree less than r , we will restrict the message polynomials f (X ) in the Reed-
Solomon code to not have X a terms (or equivalently force those coefficients to 0) whenever
a ≡ r (mod r + 1). Formally, our code will be
( ′
)
kX −1
∗ i
C = 〈 f (α)〉α∈F∗q | f (X ) = f i X , f i = 0 if i ≡ r (mod r + 1) . (19.10)
i =0

Dimension of the code. We set the coefficients f r , f 2r +1 , f 3r +2 , . . . to 0. Thus every (r + 1)’th

coefficient starting at r is set to 0. The number of such coefficients that are at most k ′ −1 equals
¹ º ¹ ′ º
k′ − 1 − r k
+1 = .
r +1 r +1

Therefore, the dimension of C ∗ equals

¹ º » ′ ¼
′ k′ kr
k − = .
r +1 r +1

which equals k by our choice of k ′ in (19.7).

Since C ∗ is a subcode of the Reed-Solomon code, its distance d is at least that of the original
Reed-Solomon code. We thus have
» ¼
′ k
d ≥ n −k +1 = n −k − +2
r

where the second equality follows from (19.8). Note that his is optimal by Theorem 19.4.1.

Locality of the code. By construction, the restriction of any polynomial f (X ) in (19.10) on U

is a polynomial of degree at most r − 1. Further there exist such f for which the restriction has
degree equal to r − 1 (see Exercise 19.15). The evaluations of a degree r − 1 polynomial on r + 1
distinct points obeys a single non-trivial linear condition that involves all the r + 1 evaluations
with non-zero coefficients (recall Exercise 19.14). Therefore, the locations U of C ∗ form a local
group of size r +1, where each codeword symbol can be recovered from the remaining r values.
For the other local groups, we use the cosets of U (recall part 2 of Exercise 2.4). Namely define
© ª
αU = α, αω, · · · , αωr . (19.11)

q−1
The set F∗q can be written as the disjoint union of r +1 cosets αU .9 The local groups will be in
one-one correspondence with these cosets.
9
The claim on disjoint union follows from part 2 of Exercise 2.4. The claim on the number of disjoint cosets
follows from the fact that each coset has size r + 1 and there are q − 1 elements in F∗q .

344
 Let us focus on any one of these cosets αU and prove the desired locality. Note that (see
Exercise 19.16)
r
Y
(X − αωi ) = (X r +1 − αr +1 ) .
i =0

So the restriction of f (X ) on αU is given by g (α) (X ) = f (X ) mod (X r +1 −αr +1 ). By the restriction

placed on f (X ) in (19.10), g (α) (X ) has degree less than r . Further, this degree equals r − 1 for
some f (X ). Therefore, by Exercise 19.14, the values of g (α) (X ), and hence f (X ), at the locations
P
in αU satisfy a linear constraint, ri=0 λαωi f (αωi ) = 0, with λαωi 6= 0 for every i . This proves that
the evaluation of f (X ) at an arbitrary point in αU can be recovered from its evaluations at the
r other points of αU . Thus all locations in αU have local recovery sets of size r . This completes
the proof of Theorem 19.5.1.

19.6 Exercises
Exercise 19.1. In this problem, we will prove a general structural result about linear codes. Let
C ⊆ Fnq be a linear code. Let i ∈ [n]. Prove that at one of these two conditions have to hold:
1. There exists v ∈ C ⊥ such that i ∈ supp (v); or

2. © ª
C = (c 1 , . . . , c i −1 , α, c i +1 , . . . , c n )|α ∈ Fq , (c 1 , . . . , c i −1 , c i +1 , . . . , c n ) ∈ C [n]\{i } .

Exercise 19.2. Let C be an (r, d )-LRC that is an [n, k, d ]q code. Then

1. Argue that for every i ∈ [n], there exists dual codeword v ∈ C ⊥ with i ∈ supp (v) with supp (v) ⊆
R i ∪ {i }.

2. Using the previous part or otherwise argue that any c i for any codeword c = (c 1 , . . . , c n ) ∈ C
can be recovered as a linear combination of values in cRi (where R i is as defined in Defini-
tion 19.2.2).

Hint: Exercise 19.1 could be useful.

Exercise 19.3. Show that any [n, k, d ] code is an (r, d )-LRC for some r ≤ k.
Hint: Exercise 19.1 could be useful.
¯ ¡ ¢¯
Exercise 19.4. Let p(1) , . . . , p(d −1) be as defined in (19.2). Argue that for all i ∈ [d −1], ¯supp p(i ) ¯ =
k.
Exercise 19.5. This exercise will essentially generalize Definition 19.2.1 to work for non-linear
codes as well.
Let C be a (not necessarily linear) (n, k, d )q code with a bijection σ : C S → [q]k for some subset
S of size k, i.e. the k codeword symbols indexed by S are the same as set of q k possible vectors (up
to the bijection σ.
Such a code is said to be a general message symbol (r, d )-locally recoverable code, or (r, d )-
gmLRC for short, if

345
 (i) it has minimum distance at least d , and

(ii) for every i ∈ S, there exists R i ⊆ [n] \ {i } of size at most r such that the i ’th symbol c i of any
codeword c = (c 1 , c 2 , . . . , c n ) ∈ C can be recovered from cRi .

Argue that a linear code C that is an (r, d )-mLRC is also an (r, d )-gmLRC.

Exercise 19.6. Let C be an (r, d )-gmLRC (see Exercise 19.5 for a definition) and S be as defined in
Exercise 19.5. Then argue that for every i ∈ S, it has to be the case that R i ∩ S 6= R i (i.e. R i has an
index outside of S).

Exercise 19.7. Let S and T be as computed by Algorithm 31 in the proof of Theorem 19.4.1. Argue
that cT determines cS .
Hint: Use induction and the definition of the set R t for t ∈ S.

Exercise 19.8. Argue that for positive integers a and b, we have

¹ º l m
a −1 a
= − 1.
b b
Exercise 19.9. Argue that there are infinitely many such n, q and r that satisfy the divisibility
conditions of Theorem 19.5.1.

Exercise 19.10. Fix a field Fq such that q − 1 is divisible by r + 1. Then argue that there exists an
element ω ∈ F∗q so that ω, ω2 , . . . , ωr are all distinct and ωr +1 = 1.
Hint: Lemma D.5.11 might be useful. Can you define ω in terms of the primitive element of F∗q ?
′
Exercise 19.11. Let k ′ be as in (19.7) and let k = krr+1
+a
for some a, 0 < a ≤ r . Then argue that
» ¼
k −a k
= − 1.
r r

Exercise 19.12. Let 1, ω, . . . , ωr +1 be the (r + 1)th roots of unity in F∗q . Then argue that
r
Y
(X − ωi ) = X r +1 − 1.
i =0

Exercise 19.13. Let U be as in (19.9). Argue If we restrict a polynomial f ∈ Fq [X ] to U , its restric-

tion fU agrees with the polynomial g (X ) := f (X ) mod (X r +1 − 1) on U .

Exercise 19.14. Let S ⊆ Fq be a subset and assume a polynomial g (X ) has degree at most |S| − 2,
P
then there exists λα for α ∈ S such that α∈S λα g (α) = 0 where not all λα ’s are 0.

Exercise 19.15. Let U be as in (19.9). Then argue there exists an f (X ) such that the polynomial
corresponding to restriction of f on U has degree exactly r − 1.

Exercise 19.16. Let 1, ω, . . . , ωr +1 be the (r + 1)th roots of unity in F∗q . Then argue that
r
Y
(X − αωi ) = (X r +1 − αr +1 ) .
i =0

346
19.7 Bibliographic notes
Local Recoverable Codes (LRCs) were invented precisely for meeting the dual objectives of im-
portance in distributed storage: (i) good global erasure resilience and (ii) low latency servicing
of user requests or node reair in the wake of single server failures. Locality in distributed stor-
age was first introduced by Huang, Chen, and Li [75], where the construction of message symbol
LRCs of Section 19.3, called pyramid codes, also appeared. LRCs were first formally defined and
studied by Gopalan, Huang, Simitci and Yekhanin [51] and Papailiopoulos and Dimakis [99].
The Singleton-type bound of Theorem 19.4.1 was first established in [51], and various dif-
ferent proofs and extensions of it have since appeared in the literature. Our treatment is a bit
more general as it works also for non-linear codes. The optimal LRC meeting the Singleton-type
bound from Section 19.5 is due to Tamo and Barg [127].
LRCs with suitably optimized parameters have been implemented in several large scale sys-
tems such as Microsoft Azure [?] and Hadoop [?]. They have led to billions of dollars of savings
in storage costs, and thus have had enormous commercial impact to go along with fundamental
theoretical developments.
Another class of codes motivated by the problem of efficient repair of failed nodes in dis-
tributed storage are regenerating codes. Here the quantity optimized is not the number of other
nodes contacted (which is the locality), but rather the total amount of information downloaded
from the other nodes. To this end, we imagine that the nodes store vectors of symbols, and one
is allowed to sownload some linear combinations of them.

347
348
 Part V

The Applications

349
Chapter 20

Cutting Data Down to Size: Hashing

In this chapter, we will study hashing, which is a method to compute a small digest of data
that can be used as a surrogate to later perform quick checks on the data. We begin with brief
descriptions of three practical applications where hashing is useful. We then formally state
the definition of hash functions that are needed in these applications (the so called “universal"
hash functions). Next, we will show how in some sense good hashing functions and good codes
are equivalent. Finally, we will see how hashing can solve a problem motivated by outsourced
storage in the “cloud."

20.1 Why Should You Care About Hashing?

Hashing is one of the most widely used objects in computer science. In this section, we outline
three practical applications that heavily use hashing. While describing the applications, we will
also highlight the properties of hash functions that these applications need.
Before we delve into the applications, let us first formally define a hash function.

Definition 20.1.1 (Hash Function). Given a domain D and a range Σ, (typically, with |Σ| < |D|),
a hash function is a map
h : D → Σ.

Of course, the definition above is too general and we will later specify properties that will
make the definition more interesting.

Integrity Checks on Routers. Routers on the Internet process a lot of packets in a very small
amount of time. Among other tasks, router has to perform an “integrity check" on the packet
to make sure that the packet it is processing is not corrupted. Since the packet has well defined
fields, the router could check if all the field have valid entries. However, it is possible that one of
the valid entry could be turned into another valid entry. However, the packet as a whole could
still be invalid.
If you have progressed so far in the book, you will recognize that the above is the error detec-
tion problem and we know how to do error detection (see e.g., Proposition 2.3.5). However, the

351
algorithms that we have seen in this book are too slow to implement in routers. Hence, Internet
protocols use a hash function on a domain D that encodes all the information that needs to go
into a packet. Thus, given an x ∈ D, the packet is the pair (x, h(x)). The sender sends the packet
(x, h(x)) and the receiver gets (x′ , y). In order to check if any errors occurred during transmis-
sion, the receiver checks if h(x′ ) = y. If the check fails, the receiver asks for a re-transmission
otherwise it assumes there were no errors during transmission. There are two requirements
from the hash function: (i) It should be super efficient to compute h(x) given x and (ii) h should
avoid “collisions," i.e. if x 6= x′ , then h(x) 6= h(x′ ).1

Integrity Checks in Cloud Storage. Say, you (as a client) have data x ∈ D that you want to
outsource x to a cloud storage provider. Of course once you “ship" off x to the cloud, you do not
want to store it locally. However, you do not quite trust the cloud either. If you do not audit the
cloud storage server in any way, then nothing stops the storage provider from throwing away
x and send you some other data x′ when you ask for x. The problem of designing an auditing
protocol that can verify whether the server has the data x is called the data possession problem.
We consider two scenarios. In the first scenario, you access the data pretty frequently during
“normal" operation. In such cases, here is a simple check you can perform. When you ship off
x to the cloud, compute z = h(x) and store it. Later when you access x and the storage provider
send you x′ , you compute h(x′ ) and check if it is the same as the stored h(x). This is exactly the
same solution as the one for packet verification mentioned above.
Now consider the scenario, where the cloud is used as an archival storage. In such a case,
one needs an “auditing" process to ensure that the server is indeed storing x (or is storing some
massaged version from which it can compute x– e.g. the storage provider can compress x). One
can always ask the storage provider to send back x and then use the scheme above. However,
if x is meant to be archived in the cloud, it would be better to resolve the following question:

Question 20.1.1. Is there an auditing protocol with small client-server communicationa ,

which if the server passes then the client should be able to certain (with some high confidence)
that the server is indeed storing x?
a
In particular, we rule out solutions where the server sends x to the client.

We will see later how this problem can be solved using hashing.

Fast Table Lookup. One of the most common operations on databases is the following. As-
sume there is a table with entries from D. One would like to decide on a data structure to store
1
Note that in the above example, one could have x 6= x′ and h(x) 6= h(x′ ) but it is still possible that y = h(x′ ) and
hence the corrupted packet (x′ , y) would pass the check above. Our understanding is that such occurrences are
rare.

352
the table so that later on given an element x ∈ D, one would quickly like to decide whether x is
in the table or now.
Let us formalize the problem a bit: assume that the table needs to store N values a 1 , . . . , a N ∈
D. Then later given x ∈ D one needs to decide if x = a i for some i . Here is one simple solution:
sort the n elements in an array T and given x ∈ D use binary search to check if x is in T or not.
This solution uses Θ(N ) amounts of storage and searching for x takes Θ(log N ) time. Further,
the pre-processing time (i.e. time taken to build the array T ) is Θ(N log N ). The space usage of
this scheme is of course optimal but one would like the lookup to be faster: ideally we should
be able to perform the search in O(1) time. Also it would be nice to get the pre-processing time
closer to the optimal O(N ). Further, this scheme is very bad for dynamic data: inserting an item
to and deleting an item from T takes Θ(N ) time in the worst-case.
Now consider the following solution: build a boolean array B with one entry for each z ∈ D
and set B [a i ] = 1 for every i ∈ [N ] (and every other entry is 0).2 Then searching for x is easy: just
lookup B [x] and check if B [x] 6= 0. Further, this data structure can easily handle addition and
deletion of elements (by incrementing and decrementing the corresponding entry of B respec-
tively). However, the amount of storage and pre-processing time are both Θ (|D|), which can be
much much bigger than the optimal O(N ). This is definitely true for tables stored in real life
databases. This leads to the following question:

Question 20.1.2. Is there a data structure that supports searching, insertion and deletion in
O(1) time but only needs O(N ) space and O(N ) pre-processing time?

We will see later how to solve this problem with hashing.

20.2 Avoiding Hash Collisions

One of the properties that we needed in the applications outlined in the previous section was
that the hash function h : D → Σ should avoid collisions. That is, given x 6= y ∈ D, we want
h(x) 6= h(y). However, since we have assumed that |Σ| < |D|, this is clearly impossible. A simple
counting argument shows that there will exist an x 6= y ∈ D such that h(x) = h(y). There are two
ways to overcome this hurdle.
The first is to define a cryptographic collision resistant hash function h, i.e. even though
there exists collisions for the hash function h, it is computationally hard for an adversary to
compute x 6= y such that h(x) = h(y).3 This approach is out of the scope of this book and hence,
we will not pursue this solution.
2
If one wants to handle duplicates, one could store the number of occurrences of y in B [y].
3
This is a very informal definition. Typically, an adversary is modeled as a randomized polynomial time algo-
rithm and there are different variants on whether the adversary is given h(x) or x (or both). Also there are variants
where one assumes a distribution on x. Finally, there are no unconditionally collision resistant hash function but
there exists provably collision resistant hash function under standard cryptographic assumptions: e.g. factoring is
hard.

353
 The second workaround is to define a family of hash functions and then argue that the prob-
ability of collision is small for a hash function chosen randomly from the family. More formally,
we define a hash family:

Definition 20.2.1 (Hash Family). Given D, Σ and an integer m ≥ 1, a hash family H is a set
{h 1 , . . . , h m } such that for each i ∈ [m],
h i : D → Σ.

Next we define the notion of (almost) universal hash function (family).

Definition 20.2.2 (Almost Universal Hash Family). A hash family H = {h 1 , . . . , h m } defined over
the domain D and range Σ is said to be ε-almost universal hash function (family) for some 0 <
ε ≤ 1 if for every x 6= y ∈ D,
£ ¤
Pr h i (x) = h i (y) ≤ ε,
i

where in the above i is chosen uniformly at random from [m].

We will show in the next section that ε-almost universal hash functions are equivalent to
codes with (large enough) distance. In the rest of the section, we outline how these hash families
provides satisfactory solutions to the problems considered in the previous section.

Integrity Checks. For the integrity check problem, one pick random i ∈ [m] and chooses h i ∈
H , where H is an ε-almost universal hash function. Thus, for any x 6= y, we’re guaranteed
with probability at least 1 − ε (over the random choice of i ) that h i (x) 6= h i (y). Thus, this gives a
randomized solution to the integrity checking problem in routers and cloud storage (where we
consider the first scenario in which the cloud is asked to return the original data in its entirety).
It is not clear whether such hash functions can present a protocol that answers Question 20.1.1.
There is a very natural protocol to consider though. When the client ships off data x to the cloud,
it picks a random hash function h i ∈ H , where again H is an ε-universal hash function, and
computes h i (x). Then it stores h i (x) and ships off x to the cloud. Later on, when the client wants
to audit, it asks the cloud to send h i (x) back to it. Then if the cloud returns with z, the client
checks if z = h i (x). If so, it assumes that the storage provider is indeed storing x and otherwise
it concludes that the cloud is not storing x.
Note that it is crucial that the hash function be chosen randomly: if the client picks a de-
terministic hash function h, then the cloud can store h(x) and throw away x because it knows
that the client is only going to ask for h(x). Intuitively, the above protocol might work since the
random index i ∈ [m] is not known to the cloud till the client asks for h i (x), it seems “unlikely"
that the cloud can compute h i (x) without storing x. We will see later how the coding view of
almost universal hash functions can make this intuition rigorous.

Fast Table Lookup. We now return to Question 20.1.2. The basic idea is simple: we will mod-
ify the earlier solution that maintained an entry for each element in the domain D. The new
solution will be to keep an entry for all possible hash values (instead of all entries in D).

354
 More formally, let H = {h 1 , . . . , h m } be an ε-almost hash family with domain D and range
Σ. Next we build an array of link list with one entry in the array for each value v ∈ Σ. We pick a
random hash function h i ∈ H . Then for each a j ( j ∈ [N ]) we add it to the link list corresponding
to h i (a j ). Now to determine whether x = a j for some j , we scan the link list corresponding to
h i (x) and check if x is in the list or not. Before we analyze the space and time complexity of
this data structure, we point out that insertion and deletion are fairly easy. For inserting an
element x, we compute h i (x) and add x to the link list corresponding to h i (x). For deletion, we
first perform the search algorithm and then remove x from the list corresponding to h i (x), if it
is present. It is easy to check that the algorithms are correct.
Next we analyze the space complexity. Note that for a table with N elements, we will use
up O(N ) space in the linked lists and the array is of size O(|Σ|). That is, the total space usage is
O(N + |Σ|). Thus, if we can pick |Σ| = O(N ), then we would match the optimal O(N ) bound for
space.
Now we analyze the time complexity of the various operations. We first note that insertion is
O(1) time (assuming computing the hash value takes O(1) time). Note that this also implies that
the pre-processing time is O(N + |Σ|), which matches the optimal O(N ) bound for |Σ| ≤ O(N ).
Second, for deletion, the time taken after performing the search algorithm is O(1), assuming
the lists as stored as doubly linked lists. (Recall that deleting an item from a doubly linked list if
one has a pointer to the entry can be done in O(1) time.)
Finally, we consider the search algorithm. Again assuming that computing a hash value
takes O(1) time, the time complexity of the algorithm to search for x is dominated by size of the
list corresponding to h i (x). In other words, the time complexity is determined by the number
of a j that collide with x, i.e., h i (x) = h i (a j ). We bound this size by the following simple observa-
tion.

Claim 20.2.3. Let H = {h 1 , . . . , h m } with domain D and range Σ be an ε-almost universal hash
family. Then the following is true for any (distinct) x, a 1 , a 2 , . . . , a N ∈ D:
£ ¤
Ei |{a j |h i (x) = h i (a j )}| ≤ ε · N ,

where the expectation is taken over a uniformly random choice of i ∈ [m].

Proof. Fix a j ∈ [N ]. Then by definition of an ε-almost universal hash family, we have that

Pr[h i (x) = h i (a j )] ≤ ε.
i
hP i
Note that we want to bound E N 1 h
j =1 i j(a )=h i (x) . The probability bound above along with the
linearity of expectation (Proposition 3.1.4) and Lemma 3.1.3 completes the proof.

The above discussion then implies the following:

¡ ¢
Proposition 20.2.4. Given an O N1 -almost universal hash family with domain D and range Σ
such that |Σ| = O(N ), there exists a randomized data structure that given N elements a 1 , . . . , a N ∈
D, supports searching, insertion and deletion in expected O(1) time while using O(N ) space in the
worst-case.

355
 Thus, Proposition 20.2.4 answers Question 20.1.2 in the affirmative if we can answer the
following question in the affirmative:

¡1¢
Question 20.2.1. Given a domain D and an integer N ≥ 1, does there exist an O N -almost
universal hash function with domain D and a range Σ such that |Σ| = O(N )?

We will answer the question above (spoiler alert!) in the affirmative in the next section.

20.3 Almost Universal Hash Function Families and Codes

In this section, we will present a very strong connection between almost universal hash families
and codes with good distance: in fact, we will show that they are in fact equivalent.
We first begin by noting that any hash family has a very natural code associated with it and
that every code has a very natural hash family associated with it.

Definition 20.3.1. Given a hash family H = {h 1 , . . . , h n } where for each i ∈ [n], h i : D → Σ, con-
sider the following associated code
C H : D → Σn ,
where for any x ∈ D, we have

C H (x) = (h 1 (x), h 2 (x), . . . , h n (x)) .

The connection also goes the other way. That is, given an (n, k)Σ code C , we call the associated
hash family H C = {h 1 , . . . , h n ), where for every i ∈ [n],

h i : Σk → Σ

such that for every x ∈ Σk and i ∈ [n],

h i (x) = C (x)i .

Next we show that an ε-almost universal hash family is equivalent to a code with good dis-
tance.

Proposition 20.3.2. Let H = {h 1 , . . . , h n } be an ε-almost universal hash function, then the code
C H has distance at least (1 − ε)n. On the other hand if C is an (n, k, δn)-code, then H C is a
(1 − δ)-almost universal hash function.

Proof. We will only prove the first claim. The proof of the second claim is essentially identical
and is left as an exercise.
Let H = {h 1 , . . . , h n } be an ε-almost universal hash function. Now fix arbitrary x 6= y ∈ D.
Then by definition of C H , we have

{i |h i (x) = h i (y)} = {i |C H (x)i = C H (y)i }.

356
This implies that

£ ¤ |{i |h i (x) = h i (y)}| n − ∆(C H (x),C H (y)) ∆(C H (x),C H (y))

Pr h i (x) = h i (y) = = = 1− ,
i n n n

where the second equality follows from the definition of the Hamming distance. By the defi-
nition of ε-almost universal hash family the above probability is upper bounded by ε, which
implies that
∆(C H (x),C H (y)) ≥ n(1 − ε).
Since the choice of x and y was arbitrary, this implies that C H has distance at least n(1 − ε) as
desired.

20.3.1 The Polynomial Hash Function

We now consider the hash family corresponding to a Reed-Solomon code. In particular, let C
be a [q, k, q − k + 1]q Reed-Solomon code. By Proposition 20.3.2, the hash family H C is an k−1q
-
almost universal hash family– this hash family in the literature is called the polynomial hash.
Thus, if we pick q to be the smallest power of 2 larger than N and pick k = O(1), then this leads
to an O(1/N )-universal hash family that satisfies all the required properties in Question 20.2.1.
Note that the above implies that |D| = N O(1) . One might wonder if we can get an O(1/N )-
almost universal hash family with the domain size being N ω(1) . We leave the resolution of this
question as an exercise.

20.4 Data Possession Problem

In this section, we return to Question 20.1.1. Next we formalize the protocol for the data pos-
session problem that we outlined in Section 20.2. Algorithm 32 presents the pre-processing
step.

Algorithm 32 Pre-Processing for Data Possession Verification

I NPUT: Data x ∈ D, hash family H = {h 1 , . . . , h m } over domain D

1: Client computes an index i for x.

2: Client picks a random j ∈ [m].
3: Client computes z ← h j (x) and stores (i , j , z).
4: Client sends x to the server.

Algorithm 33 formally states the verification protocol. Note that if the server has stored x
(or is able to re-compute x from what it had stored), then it can pass the protocol by returning
a ← h j (x). Thus, for the remainder of the section, we will consider the case when the server
tries to cheat. We will show that if the server is able to pass the protocol in Algorithm 33 with
high enough probability, then the server indeed has stored x.

357
Algorithm 33 Verification for Data Possession Verification
I NPUT: Index i of data x ∈ D
O UTPUT: 1 if Server has x and 0 otherwise

1: Client sends a challenge (i , j ) to the server.

2: Client receives an answer a.
3: IF a = z THEN
4: RETURN 1
5: ELSE
6: RETURN 0

Before we formally prove the result, we state our assumptions on what the server can and
cannot do. We assume that the server follows the following general protocol. First, when the
server receives x, it does performs some computation (that terminates) on x to produce y and
then it stores y. (E.g., the server could store y = x or y could be a compressed version of x.)
Then when it receives the challenge (i , j ) for x, it uses another algorithm A and returns the
answers a ← A (y, j ). We assume that A always terminates on any input.4 Note that the server
is allowed to use arbitrary (but finite) amount of time to compute its answer. Next, we will prove
that under these assumptions, the server cannot cheat with too high a probability.

Theorem 20.4.1. Assume that the hash family H is an ε-almost universal hash family. Then if
the server passes the protocol in Algorithm 33 with probability > 12 + 2ε , then the server has enough
information to recreate x.

Proof. To prove the claim, we present an algorithm that can compute x from y. (Note that we do
not need this algorithm to be efficient: it just needs to terminate with x.) In particular, consider
Algorithm 34.

Algorithm 34 Decompression Algorithm

I NPUT: A , y
O UTPUT: x′
¡ ¢
1: z ← A (y, j ) j ∈[m] .
2: Run the MLD algorithm (Algorithm 2) for C H on z and let C H (x′ ) be its output.
3: RETURN x′

To complete the proof, we will show that x′ = x. Towards this end we claim that ∆(z,C H (x)) <
m
2 · (1 − ε). Assuming this is true, we complete the proof. Note that Proposition 20.3.2 implies
that C H has distance at least m(1 − ε). Thus, Proposition 1.4.2 (in particular, its proof) implies
that Algorithm 2 will return C H (x) and thus, x′ = x, as desired.
4
We have stated the algorithm to be independent of y and j but that need not be the case. However later in the
section, we will need the assumption that A is independent of y and j , so we will keep it that way.

358
 Finally, we argue that ∆(z,C H (x)) < m(1 − ε)/2. To see this note that if the server passes
def
the protocol in Algorithm 33 (i.e. the client outputs 1), then it has to be the case that z j =
A (y, j ) = h j (x). Recall that by definition of C H , h j (x) = C H (x) j and that the server passes the
protocol with probability > 1/2+ε/2. Since j is chosen uniformly from [m], this implies that for
> m(1/2 + ε/2) positions j , z j = C H (x) j , which then implies the claim.

20.4.1 Driving Down the Cheating Probability

One of the unsatisfying aspects of Theorem 20.4.1 is that the probability of catching a “cheating"
server is strictly less than 50%.5 It is of course desirable to drive this up as close to 100% as possi-
ble. One way to obtain this would be to “repeat" the protocol: i.e. the client can choose multiple
random hashes and store the corresponding values (in Algorithm 32) and (in Algorithm 33) asks
the server to send back all the hash values and accepts if and only if all the returned answers
match with the stored hash values. This however, comes at a cost: the client has to store more
hash values (and also the communication cost between the client and the server goes up ac-
cordingly.)
Next we argue using list decoding that the protocol in Algorithm 32 and 33 (without any
modification) gives a more powerful guarantee than the one in Theorem 20.4.1. To see why list
decoding might buy us something, let us look back at Algorithm 34. In particular, consider Step
2: since we run MLD, we can only guarantee unique decoding up to half the (relative) distance
of C H . This in turn leads to the bound of 1/2 + ε/2 in Theorem 20.4.1. We have seen that list
decoding allows us to go beyond half the distance number of errors. So maybe, running a list
decoding algorithm instead of MLD in Step 2 of Algorithms 34 would help us get better results.
There are two potential issues that we’ll need to tackle:

• We will need a general bound that shows that list decoding (arbitrarily) close to 100% is
possible for any C H for an ε-almost universal hash family; and

• Even if the above is possible, what will we do when a list decoding algorithm returns a list
of possible data?

We will get around the first concern by using the Johnson bound 7.3.1. To get around the second
issue we will indirectly use “side information" (like we mentioned in Section 7.2). For the latter,
we will need the notion of Kolmogorov complexity, which captures the amount of information
content in any given string. For our purposes, the following informal description is enough:

Definition 20.4.2. Given a string x, its Kolmogorov complexity, denoted by K (x) is the minimum
of |y| + |D|, where D is a decompression algorithm that on input y outputs x (where |x| and |D|
are the length of x and (a description of) D in bits).

Informally, K (x) is the amount of information that can be obtained algorithmically from x.
Kolmogorov complexity is a fascinating topic that it outside the scope of this book. Here we will
5
Note that Theorem 20.4.1 states that a server that cannot recreate x can pass the test with probablity at most
1/2 + ε/2. In other words, the probability that such a server is caught is at most 1/2 − ε/2 < 1/2.

359
only need to use the definition of K (x). We are now ready to prove the following list decoding
counterpart of Theorem 20.4.1:

Theorem 20.4.3. Assume that the hash family H is an ε-almost universal hash family. Then if
p
the server passes the protocol in Algorithm 33 with probability > ε, then the amount of infor-
mation server has stored for x is at least K (x) − O(log |x|).

We note that the above is not a strict generalization of Theorem 20.4.1, as even though
probability of catching a cheating server has gone up our guarantee is weaker. Unlike Theo-
rem 20.4.1, where we can guarantee that the server can re-create x, here we can only guarantee
“storage enforceability"– i.e. we can only force a server to store close to K (x) amounts of mem-
ory.

Proof of Theorem 20.4.3. Here is the main idea of the proof. We first assume for the sake of
contradiction that |y| < K (x)−O(log(|x|)). Then using we construct a decompression algorithm
D that on given input y and O(log(|x|)) extra information (or “advice"), outputs x. Then we will
show this overall contradicts the definition of K (x) (as this gives an overall smaller description
of x).
Before we state the decompression algorithm, we recall some facts. First note that C H by
Proposition 20.3.2 is a q-ary code (with |Σ| = q) with distance m(1 − ε). Further, by the Johnson
p
bound (Theorem 7.3.1), C H is a (1 − ε, L)-list decodable, where

L ≤ qm 2 . (20.1)

Next, in Algorithm 35, we present a decompression algorithm that can compute x from y
and an advice string a ∈ [L]. (As before, we do not need this algorithm to be efficient: it just
needs to terminate with x.)

Algorithm 35 Decompression Algorithm Using List Decoding

I NPUT: A , y, a
O UTPUT: x
¡ ¢
1: z ← A (y, j ) j ∈[m] .
2: L ← ;.
3: FOR x′ ∈ D DO
p
4: ∆(C H (x′ ), z) ≤ (1 − ε)m THEN
IF
5: Add x′ to L
6: RETURN The ath element in L

To complete the proof, we claim that there exists a choice of a ∈ [L] such that Algorithm 35
outputs x. Note that this implies that (y, a) along with Algorithm 35 gives a complete description
of x. Now note that Algorithm 35 can be described in O(1) bits. This implies that the size of this
description is |y| + log L + O(1), which by Definition 20.4.2 has to be at least K (x). This implies
that
|y| ≥ K (x) − |a| − O(1) = K (x) − log L − O(1) ≥ K (x) − O(log |x|),

360
where the last inequality follows from (20.1).
Next, we argue the existence of an appropriate a ∈ [L]. Towards this end we claim that
p
∆(z,C H (x)) < m(1 − ε). Note that this implies that x ∈ L . Since |L | ≤ L, then we can just
p
assign a to be the index of x in L . Finally, we argue that ∆(z,C H (x)) < m(1 − ε). To see this
note that if the server passes the protocol in Algorithm 33 (i.e. the client outputs 1), then it has
def
to be the case that z j = A (y, j ) = h j (x). Recall that by definition of C H , h j (x) = C H (x) j and
p
that the server passes the protocol with probability > ε. Since j is chosen uniformly from [m],
p
this implies that for > m ε positions j , z j = C H (x) j , which then implies the claim.

20.5 Bibliographic Notes

Universal hash functions were defined in the seminal paper of Carter and Wegman [18]. Almost
universal hash function family was defined by Stinson [123].
Kolmogorov complexity was defined by Kolmogorov [82]. For a thorough treatment see the
textbook by Li and Vitányi [87].

361
362
Chapter 21

Securing Your Fingerprints: Fuzzy Vaults

String-based passwords are the dominant mode of authentication in today’s information-reliant

world. Indeed, all of us use passwords on a regular basis to authenticate ourselves in almost
any online activity. Strings, a primitive data type, have become widespread due to several nice
mathematical properties. First, matching two strings (that is, checking if two strings are exactly
the same) is computationally very fast (and easy). Second, and more importantly, there exist se-
cure hash functions that map a string x to another string h(x) such that, given h(x), determining
x is hard. Furthermore, since h(x) is itself a string, we can check if a claimed password y is the
same as the original string x by comparing h(y) and h(x), which (as we just observed) is easy to
do. This implies that the server performing the authentication only needs to store the hashes
h(x) of the original passwords. Hence, even if the list of hashed passwords were compromised,
the passwords themselves would remain secure.
The above scheme is perfect as long as the passwords x are “random enough," and this can
be achieved if the passwords were generated randomly by some automated process. However,
in real life passwords are generated by humans and are not really random. (One of the most
quoted facts is that the most commonly used password is the string “password" itself.) Further,
we tend to forget passwords, which has lead to the near ubiquity of “Forgot passwords" links in
places where we need to login.
One alternative that has been gaining traction in the last decade or so is to use a user’s finger-
print (and more generally their biometrics: e.g. their face) as their password. The big advantage
is that it is hard to “forget" one’s fingerprint. In this chapter, we will look at the issues in using
fingerprints as passwords and see how Reed-Solomon codes can help.

21.1 Some quick background on fingerprints

First we give a very short (and necessarily incomplete) description of how a fingerprint (im-
age/sensor reading) is converted in to a string f . The standard way to store a fingerprint (see
Figure 21.1 for images of two fingerprints) is as a collection of triples, called minutia. Each
minutia point is located where one ridge1 splits into two, or where one ridge ends. The i th
1
In Figure 21.1, the ridges are the lines.

363
minutia is the triple (x i , y i , θi ), where x i and y i are the x and y coordinates of a point on the
finger, and θi indicates the direction of the ridge that created the minutia point relative to the
plane.
Given that we now have a string representation of a fingerprint, we have the following naive
solution for designing a hash function for the fingerprint f :

Naive Solution. Use any off-the-shelf hash function h for strings and then store h( f ) instead
of f .
To see the issues with the naive solution, we first need to know a little bit about how finger-
prints are stored.
The main issue with our naive solution is that two fingerprint readings will never be exactly
the same, even if the same finger is used. For any two fingerprint readings, the following issues
may produce errors:

1. Translation and rotation, even when using the same finger.

2. Varying pressure.

3. Each reading may not completely overlap with the ideal fingerprint region (i.e., the finger
may be slightly tilted).

4. The minutiae are not ordered, so they form a set instead of a vector. Of course one can
sort the set by the lexicographic order to produce a string. But the earlier issue (especially
points 1 and 2) imply that the specific values of (x i , y i , θi ) are not that important individu-
ally. Furthermore, the fact that any two readings might not have complete overlap means
that we are interested in matching readings that have significant overlap, so it turns out
that the set notation is ideal to theoretically deal with these issues.

We can now see that the naive solution is inadequate. Even if we could somehow correct
the first three issues, existing hash functions for strings require a vector, not a set, so our naive
solution will fail.

Remark 21.1.1. The four problems that came up in our naive solution will come up in any solu-
tion we propose. Technology has not yet developed to the point where we can securely eliminate
these issues, which is why there are no prevalent secure commercial systems that safeguard secrets
using fingerprints. (The reason government agencies, such as the police or FBI, use fingerprinting
is because there is an inherent trust that the government will keep your data secure, even when it
does not apply a good hash function to it.)

Thus, we need secure hash functions designed to handle the additional challenges posed by
fingerprints. We would like to mention that for fingerprints to replace strings as passwords, the
hash function needs to satisfy both of these properties simultaneously: (i) we should be able to
match hashes from the “same" fingerprint and (ii) an adversary should not be able to “break"
the hash function.

364
 Figure 21.1: The minutiae are unordered and form a set, not a vector.

21.2 The Fuzzy Vault Problem

We begin with the fuzzy vault problem, which is slightly different from the one we have been
studying so far. Say you have a secret string s, and you want to store it in a secure way. Instead
of using a password, you want to use your fingerprint, f , to “lock" the secret s. You want the
locked version of your secret to have two properties:
1. You should be able to “unlock" the locked version of s

2. No one else should be able to “unlock" s

We claim that if we can solve the above problem, then we can solve the problem of designing a
secure hash function for fingerprints. We leave the details as an exercise. (Hint: pick s at random
and then in addition to the locked version of s also store h(s), where h is an off-the-shelf secure
hash function for strings.)
We will now formalize the fuzzy vault problem.

21.2.1 Formal Problem Statement

The first thing we need to do is quantize the measurements of the minutiae. We cannot be
infinitely precise in our measurements anyways, so let us assume that all quantized minutiae,
(x i , y i , θi ), can be embedded into Fq for some large enough prime power q. Theoretically, this
can also help to correct the first two issues from our naive solution. We could go through all
possible values in Fq to get rid of translation and rotation errors (e.g., for every (∆x, ∆y, ∆z) ∈ Fq ,
we rotate and translate each minutia (x i , y i , z i ) to (x i + ∆x, y i + ∆y, z i + ∆z)). 2 We could also
2
To be more precise we first perform the translation and rotation over the reals and then quantize and map to
the appropriate Fq value.

365
do some local error correction to a quantized value to mitigate the effect of varying pressure.
Going over all possible shifts is not a practical solution, but theoretically this can still lead to a
polynomial-time solution.
We now formally ¡F ¢define our problem, which primarily captures issues 3 and 4. (Below for
any integers t ≥ 1, tq denotes the set of all subsets of Fq of size exactly t .) The following are the
components of the problem:

• Integers k ≥ 1, n ≥ t ≥ 1

• Secret s ∈ Fkq
à !
Fq
• Fingerprint f ∈
t
à ! à !
Fq Fq
• LOCK : Fkq × →
t n
à ! à !
Fq Fq
• UNLOCK : × → Fkq
t n

The goal of the problem is to define the functions LOCK and UNLOCK such that they satisfy
these two properties (for some c < t ):

¡F q ¢
1. (c-completeness.) For any f , f ′ ∈ t
such that | f − f ′ | ≤ c, the following should hold:
¡ ¢
UNLOCK LOCK (s, f ), f ′ = s.

2. (Soundness.) It should be “hard" for an adversary to get s from LOCK(s, f ). (The notion of
“hard" will be more formally defined later.)

Note that the completeness property corresponds to the matching property we need from
our hash function, while the soundness property corresponds to the security property of the
hash function.

21.2.2 Two Futile Attempts

We begin with two attempts at designing the LOCK and UNLOCK functions, which will not work.
However, later we will see how we can combine both to get our final solution.
For this section, unless mentioned otherwise, we will assume that the original fingerprint f
is given by the set {α1 , . . . , αt }.

366
Attempt 1. We begin with a scheme that focuses on the soundness property. A very simple
idea, which is what we will start off with, would be to just add n − t random values to f to
get our vault. The intuition, which can be made precise, is that an adversary just looking at the
vault will just see random points and will not be able to recover f from the random set of points.
The catch of course that this scheme has terrible completeness. In particular, if we get a match
between a value in the second fingerprint f ′ and the vault, we have no way to know whether
the match is to one of the original values in f or if the match is with one of the random “chaff"
points there were added earlier.

Attempt 2. Next, we specify a scheme that has good completeness (but has pretty bad sound-
ness).
We begin with the LOCK function:

LOCK 2 (s, f ) = {(α1 , P s (α1 )), . . . , (αt , P s (αt ))},

P
where P s (X ) = k−1 i
i =0 s · X and recall f = {α1 , . . . , αt }. (Note that we have n = t .)
The main intuition behind LOCK2 is the following. Given another fingerprint f ′ = {β1 , . . . , βt }
such that it is close enough to f , i.e. | f \ f ′ | ≤ c, for every value in f ∩ f ′ , we will know the
corresponding P s value and thus, we can use the fact that we can decode Reed-Solomon codes
from erasures to recover the secret s. We formally present UNLOCK2 as Algorithm 36.

Algorithm 36 UNLOCK2
I NPUT: Vault {(α1 , y 1 ), . . . , (αt , y t )} = LOCK(s, f ) and another fingerprint f ′ = {β1 , . . . , βt }
O UTPUT: s if | f \ f ′ | ≤ c

1: FOR i = 1, . . . , t DO
2: IF there exists a j ∈ [t ] such that αi = β j THEN
3: z j ← yi
4: ELSE
5: z j ←?
6: z ← (z 1 , . . . , z t )
7: Run Algorithm from Theorem 13.2.1 to correct z from erasures for RS codes with evaluation
points {β1 , . . . , βt } and output resulting message as s.

The following result is fairly simple to argue.

Lemma 21.2.1. The pair (LOCK2 , UNLOCK2 ) of functions is (t − k)-complete. Further, both func-
tions can be implemented in polynomial time.

Proof. Let us assume | f \ f ′ | ≤ t −k. Now as both f and f ′ have exactly t values, this means that
z has at most t − k erasures. Thus, by Theorem 13.2.1, Step 6 will output s and UNLOCK2 can
be implemented in polynomial time. Further, the claim on the polynomial run time of LOCK2
follows from the fact that one can do encoding of Reed-Solomon code in polynomial time.

367
 Unfortunately, (LOCK2 , UNLOCK2 ) pair has terrible soundness. This is because the vault {(α1 , y 1 ), . . . , (αt , y t )}
has f in the first component in each pair. This an adversary can just read off those values and
present f ′ = {α1 , . . . , αt }, which would imply that UNLOCK2 (LOCK2 (s, f ), f ′ ) = s, which means
that the vault would be “broken."

21.3 The Final Fuzzy Vault

So far we have seen two attempts: one that (intuitively) has very good soundness but no com-
pleteness and another which has good completeness but terrible soundness. It is natural to
consider if we can combine both of these attempts and get the best of both worlds. Indeed, it
turns we can easily combine both of our previous attempts to get the final fuzzy vault.
Algorithm 37 presents the new LOCK3 function.

Algorithm 37 LOCK3
I NPUT: Fingerprint f = {α1 , . . . , αt } and secret s = (s 0 , . . . , s k−1 ) ∈ Fkq
O UTPUT: Vault with f locking s

1: R, T ← ;
P
2: P s (X ) ← k−1
i =0 s i · X
i

3: FOR i = 1, . . . , t DO
4: T ← T ∪ {αi }
5: FOR i = t + 1, . . . , n DO
6: αi be a random element from Fq \ T
7: T ← T ∪ {αi }
8: FOR every α ∈ T DO
9: γ be a random element from Fq \ P s (α)
10: R ← R ∪ {(α, γ)}
11: Randomly permute R
12: RETURN R

Algorithm 38 presents the new UNLOCK3 function.

The following result is a simple generalization of Lemma 21.2.1.
Lemma 21.3.1. The pair (LOCK3 , UNLOCK3 ) of functions is (t −k)/2-complete. Further, both func-
tions can be implemented in polynomial time.
Proof. Let us assume | f \ f ′ | ≤ (t − k)/2. Now as both f and f ′ have exactly t values, it implies
that | f ∩ f ′ | ≥ (t + k)/2. Further for each j ∈ [t ] such that β j ∈ f ∩ f ′ , we have that z j = P s (β j ).
In other words, this means that z has at most (t − k)/2 errors.3 Thus, by Theorem 13.2.2, Step 6
will output s and UNLOCK3 can be implemented in polynomial time. Further, the claim on the
polynomial run time of LOCK3 follows from the fact that one can do encoding of Reed-Solomon
code in polynomial time.
3
To be more precise if z has e errors and s erasures w.r.t. the codeword corresponding to s, then 2e + s ≤ t − k.

368
Algorithm 38 UNLOCK2
I NPUT: Vault {(α1 , y 1 ), . . . , (αn , y n )} = LOCK(s, f ) and another fingerprint f ′ = {β1 , . . . , βt }
O UTPUT: s if | f \ f ′ | ≤ c

1: FOR i = 1, . . . , t DO
2: IF there exists a j ∈ [n] such that αi = β j THEN
3: z j ← yi
4: ELSE
5: z j ←?
6: z ← (z 1 , . . . , z t )
7: Run Algorithm from Theorem 13.2.2 to correct z from errors and erasures for RS codes with
evaluation points {β1 , . . . , βt } and output resulting message as s.

21.3.1 Soundness
To avoid getting into too much technical details, we will present a high level argument for why
the proposed fuzzy vault scheme has good soundness. Given a vault {(α1 , y 1 ), . . . , (αn , y n )} =
LOCK 3 (s, f ), we know that there are exactly t values (i.e. those α j ∈ f ) such that the polynomial
P s (X ) agrees with the vault on exactly those t points. Thus, an intuitive way to argue the sound-
ness of the vault would be to argue that there exists a lot other secrets s ′ ∈ Fkq such that P s ′ (X )
also agrees with the vault in exactly t positions. (One can formalize this intuition and argue that
the vault satisfies a more formal definition of soundness but we will skip those details.)
We will formalize the above argument by proving a slightly different result (and we will leave
the final proof as an exercise).

Lemma 21.3.2. Let V = {(x 1 , y 1 ), . . . , (x n , y n ) be n independent random points from Fq ×Fq . Then,
³ ´t
in expectation, there are at least 13 · q k · qnt polynomials P (X ) of degree at most k − 1 such that
for exactly t values of j ∈ [n], we have P (x j ) = y j .

Proof. Consider a fixed polynomial P (X ) and a j ∈ [n]. Then for any x j ∈ Fq , the probability that
for a random y j ∈ F q , P (x j ) = y j is exactly 1/q. Further, these probabilities are all independent.
This implies that the probability that P (X ) agrees with V in exactly t positions is given by
à ! µ ¶ µ ¶ µ ¶
n 1 t 1 n−t 1 n t
· · 1− ≥ .
t q q 3 qt

Since there are q k such polynomials, the claimed result follows.

We note that there are two aspects of the above lemma that are not satisfactory. (i) The result
above is for a vault V with completely random points whereas we would like to prove a similar
result but with V = LOCK3 (s, f ) and (ii) Instead of a bound in expectation, we would like to prove
a similar exponential lower bound but with high probability. We leave the proof that these can
be done as an exercise. (Hint: Use the “Inverse Markov Inequality.")

369
21.4 Bibliographic Notes
The fuzzy vault presented in this chapter is due to Juels and Sudan [76]. The “inverse Markov
inequality" first appeared in Dumer et al. [32].

370
Chapter 22

Finding Defectives: Group Testing

Consider the following situation that arises very frequently in biological screens. Say there are N
individuals and the objective of the study is to identify the individuals with a certain “biomarker"
that could e.g. indicate that the individual has some specific disease or is at risk for a certain
health condition. The naive way to do this would be to test each person individually, that is:

1. Draw sample (e.g. a blood or DNA sample) from a given individual,

2. Perform required tests, then

3. Determine presence or absence of the biomarker.

This method of one test per person will gives us a total of N tests for a total of N individuals.
Say we had more than 70 − 75% of the population infected. At such large numbers, the use of
the method of individual testing is reasonable. However, our goal is to achieve effective testing
in the more likely scenario where it doesn’t make sense to test 100, 000 people to get just (say)
10 positives.
The feasibility of a more effective testing scheme hinges on the following property. We can
combine blood samples and test a combined sample together to check if at least one individual
has the biomarker.
The main question in group testing is the following: If we have a very large number of items
to test, and we know that only certain few will turn out positive, what is a nice and efficient way
of performing the tests?

22.1 Formalization of the problem

We now formalize the group testing problem. The input to the problem consists of the follow-
ing:

• The total number of individuals: N .

• An upper bound on the number of infected individuals d .

371
 • The input can be described as a vector x = (x 1 , x 2 , ..., x n ) where x i = 1 if individual i has
the biomarker, else x i = 0.

Note that w t (x) ≤ d . More importantly, notice that the vector x is an implicit input since we
do not know the positions of 1s in the input. The only way to find out is to run the tests. Now,
we will formalize the notion of a test.
A query/test S is a subset of [N ]. The answer to the query S ⊆ [N ] is defined as follows:
( X
1 if x i ≥ 1;
A(S) = i ∈S
0 otherwise.
W
Note that the answer to the S is the logical-OR of all bits in S, i.e. A(S) = i ∈S x i .
The goal of the problem is to compute x and minimize the number of tests required to de-
termine x.

Testing methods. There is another aspect of the problem that we need specify. In particular,
we might need to restrict how the tests interact with each other. Below are two commons ways
to carry out tests:

1. Adaptive group testing is where we test a given subset of items, get the answer and base
our further tests on the outcome of the previous set of tests and their answers.

2. Non-Adaptive group testing on the other hand is when all our tests are set even before we
perform our first test. That is, all our tests are decided a priori.

Non-adaptive group testing is crucial for many applications. This is because the individuals
could be geographically spread pretty far out. Due to this, adaptive group testing will require
a very high degree of co-ordination between the different groups. This might actually increase
the cost of the process.

Notation. We will also need notation to denote the minimum number of tests needed in group
testing. Towards this end, we present the following two definitions.

Definition 22.1.1 (t (d , N )). Given a subset of N items with d defects represented as x ∈ {0, 1}N ,
the minimum number of non-adaptive tests that one would have to make is defined as t (d , N ).

Definition 22.1.2. t a (d , N ) : Given a set of N items with d defects, t a (d , N ) is defined as the

number of adaptive tests that one would have to make to detect all the defective items.

The obvious questions are to prove bounds on t (d , N ) and t a (d , N ):

Question 22.1.1. Prove asymptotically tight bounds on t (d , N ).

372
 Question 22.1.2. Prove asymptotically tight bounds on t a (d , N ).

We begin with some simple bounds:

Proposition 22.1.3. For every 1 ≤ d ≤ N , we have

1 ≤ t a (d , N ) ≤ t (d , N ) ≤ N .

Proof. The last inequality follows from the naive scheme of testing all individuals with singleton
tests while the first inequality is trivial. The reason for t a (d , N ) ≤ t (d , N ) is due to the fact that
any non-adaptive test can be performed by an adaptive test by running all of the tests in the
first step of the adaptive test. Adaptive tests can be faster than non-adaptive tests since the test
can be changed after certain things are discovered.

Representing the set of tests as a matrix. It turns out that is is useful to represent a non-
adaptive group testing scheme as a matrix. Next, we outline the natural such representation.
For, S ⊆ [N ], define χS ∈ {0, 1}N such that i ∈ S if and only if χS (i ) = 1. Consider a non-adaptive
group testing scheme with t test S 1 , . . . , S t . The corresponding matrix M is a t × N matrix where
the i th row is χS i . (Note that the trivial solution of testing each individual as a singleton set
would just be the N × N identity matrix.) In other words, M = {M i j }i ∈[t ], j ∈[N ] such that M i j = 1
if j ∈ S i and M i j = 0 otherwise.
V W
If we assume that multiplication is logical AND ( ) and addition is logical OR ( ), then we
have M × x = r where r ∈ {0, 1}t is the vector of the answers to the t tests. We will denote this
operation as M ⊙x. To think of this in terms of testing, it is helpful to visualize the matrix-vector
multiplication. Here, r will have a 1 in position i if and only if there was a 1 in that position in
both M and x i.e. if that person was tested with that particular group and if he tested out to be
positive.
Thus, our goal is to get to compute x from M ⊙ x with as small a t as possible.

22.2 Bounds on t a (d , N )
In this section, we will explore lower and upper bounds on t a (d , N ) with the ultimate objective
of answering Question 22.1.2.
We begin with a lower bound that follows from a simple counting argument.

Proposition 22.2.1. For every 1 ≤ d ≤ N ,

N
t a (d , N ) ≥ d log .
d

Proof. Fix any valid adaptive group testing scheme with t tests. Observe that if x 6= y ∈ {0, 1}N ,
with w t (x), w t (y) ≤ d then r(x) 6= r(y), where r(x) denotes the result vector for running the tests

373
on x and similarly for r(y). The reason for this is because two valid inputs cannot give the same
result. If this were the case and the results of the tests gave r(x) = r(y) then it would not be
possible to distinguish between x and y.
The above observation implies that total number of distinct test results is the number dis-
tinct binary vectors with Hamming weight at most d , i.e. V ol 2 (d , N ). On the other hand, the
number of possible distinct t -bit vectors is at most 2t , which with the previous argument im-
plies that
2t ≥ V ol 2 (d , N )
and hence, it implies that
t ≥ logV ol 2 (d , N ).
Recall that à ! µ ¶
N N d
V ol 2 (d , N ) ≥ ≥ ,
d d
where the first inequality follows from (3.23) and the second inequality follows from Lemma B.1.1.
So t ≥ d log(N /d ), as desired.
¡ ¡ ¢¢
It turns out that t a (d , N ) is also O d log N . (See Exercise 22.1.) This along with Propo-
a
¡ ¡dN ¢¢
sition 22.2.1 implies that t (d , N ) = Θ d log d , which answers Question 22.1.2. The upper
bound on t a (d , N ) follows from an adaptive group testing scheme and hence does not say
anything meaningful for Question 22.1.1. (Indeed, we will see later that t (d , N ) cannot be
O(d log(N /d )).) Next, we switch gears to talk about non-adaptive group testing.

22.3 Bounds on t (d , N )
We begin with the simplest case of d = 1. In this case it is instructive to recall our goal. We want
to define a matrix M such that given any x with w t (x) ≤ 1, we should be able to compute x from
M ⊙ x. In particular, let us consider the case when x = ei for some i ∈ [N ]. Note that in this
case M ⊙ x = M i , where M i is the i th column of M . Hence we should design M such that M i
uniquely defined i . We have already encountered a similar situation before in Section 2.5 when
trying to decode the Hamming code. It turns out that is suffices to pick M as the parity check
matrix of a Hamming code. In particular, we can prove the following result:

Proposition 22.3.1. t (1, N ) ≤ ⌈log(N + 1)⌉ + 1

Proof. We prove the upper bound by exhibiting a matrix that can handle non adaptive group
testing for d = 1. The group test matrix M is the parity check matrix for [2m − 1, 2m − m − 1, 3]2 ,
i.e. Hm where the i -th column is the binary representation of i (recall Section 2.4). This works
because when performing Hm ⊙x = r, if w t (v) ≤ 1 then r will correspond to the binary represen-
tation of i . Further, note that if w t (x) = 0, then r = 0, which is exactly x. Hence, M ⊙ x uniquely
identifies x when w t (x) ≤ 1, as desired.
If N 6= 2m − 1 for any m, the matrix Hm corresponding to the m such that 2m−1 − 1 < N <
2m − 1 can be used by adding 0s to the end of x. By doing this, decoding is "trivial" for both

374
cases since the binary representation is given for the location. So the number of tests is at most
⌈log(N + 1)⌉ + 1, which completes the proof.

Note that Propositions 22.1.3 and 22.2.1 imply that t (d , N ) ≥ log N , which with the above
result implies that t (1, N ) = Θ(log N ). This answers Question 22.1.1 for the case of d = 1. We will
see later that such a tight answer is not known for larger d . However, at the very least we should
try and extend Proposition 22.3.1 for larger values of d . In particular,

Question 22.3.1. Prove asymptotic upper bounds on t (d , N ) that hold for every 1 < d ≤ N .

We would like to point out something that was implicitly used in the proof of Proposi-
tion 22.3.1. In particular, we used the implicitly understanding that a non-adaptive group test-
ing matrix M should have the property that given any x ∈ {0, 1}N such that w t (x) ≤ d , the result
vector M ⊙ x should uniquely determine x. This notion is formally captured in the following
definition of non-adaptive group testing matrix:

Definition 22.3.2. A t ×N matrix M is d -separable if and only if for every S 1 6= S 2 ⊆ [N ] such that
|S 1 |, |S 2 | ≤ d , we have
[ [
M j 6= Mi .
j ∈S 1 i ∈S 2

In the above we think of a columns M i ∈ {0, 1}t as a subset of [t ] and for the rest of this
chapter we will use both views of the columns of a group testing matrix. Finally, note that the
above definition is indeed equivalent to our earlier informal definition since for any x ∈ {0, 1}N
with w t (x) ≤ d , the vector M ⊙ x when thought of as its equivalent subset of [t ] is exactly the set
∪i ∈S M i , where S is the support of x, i.e. S = {i |x i = 1}.
Like in the coding setting, where we cared about the run time of the decoding algorithm,
we also care about the time complexity of the decoding problem (given M ⊙ x compute x) for
group testing. We will now look at the obvious decoding algorithm for d -separable matrices:
just check all possible sets that could form the support of x. Algorithm 39 has the details.
The correctness of Algorithm 39 follows from Definition 22.3.2. Further, it is easy to check
that this algorithm will run in N Θ(d ) time, which is not efficient for even moderately large d .
This naturally leads to the following question:

Question 22.3.2. Do there exists d -separable matrices that can be efficient decoded?

We would like to remark here that the matrices that we seek in the answer to Question 22.3.2
should have small number of tests (as otherwise the identity matrix answers the question in the
affirmative).

375
Algorithm 39 Decoder for Separable Matrices
I NPUT: Result vector r and d -separable matrix M
O UTPUT: x if r = M ⊙ x else Fail

1: R ← {i |r i = 1}.
2: FOR Every T ⊆ [N ] such that |T | ≤ d DO
3: S T ← ∪i ∈T M i
4: IF R = S T THEN
5: x ← (x 1 , . . . , x N ) ∈ {0, 1}N such that x i = 1 if and only i ∈ T .
6: RETURN x
7: RETURN Fail

22.3.1 Disjunct Matrices

We now define a stronger notion of group testing matrices that have a more efficient decoding
algorithm than d -separable matrices.

Definition 22.3.3. A t × N matrix M is d -disjunct if and only if for every S ⊂ [N ] with |S| ≤ d and
for every j ∉ S, there exist an i ∈ [t ] such that M i j = 1 but for all k ∈ S, M i k = 0. Or equivalently
[
M j 6⊆ Mk.
k∈S

For an illustration of the definition, see Figure 22.3.3.

i 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0

j S

Figure 22.1: Pick a subset S (not necessarily contiguous). Then pick a column j that is not
present in S. There will always be i such that row i has a 1 in column j and all zeros in S.

Next we argue that disjunctness is a sufficient condition for separability.

Lemma 22.3.4. Any d -disjunct matrix is also d -separable.

376
Proof. For contradiction, assume M is d -disjunct but not d -separable. Since M is not d -separable,
then union of two subset S 6= T ⊂ [N ] of size at most d each are the same; i.e.

[ [
Mk = Mk.
k∈S k∈T

Since S 6= T , there exists j ∈ T \ S. But we have

[ [
Mj ⊆ Mk = Mk,
k∈T k∈S

where the last equality follows from the previous equality. However, since by definition j 6∈ S,
the above contradicts the fact that M is d -disjunct.

In fact, it turns out that disjunctness is also almost a necessary condition: see Exercise 22.2.
Next, we show the real gain of moving to the notion of disjunctness from the notion of sep-
arability.

Lemma 22.3.5. There exists a O(tN) time decoding algorithm for any t × N matrix that is d -
disjunct.

Proof. The proof follows from the following two observations.

First, say we have a matrix M and a vector x and r = M ⊙ x such that r i = 1. Then there exists
a column j in matrix that made it possible i.e. if r i = 1, then there exists a j such that M i j = 1
and x j = 1.
Second, let T be a subset and j be a column not in T where T = {ℓ | x ℓ = 1} and |T | ≤ d .
Consider the i th row such that T has all zeros in the i th row, then r i = 0. Conversely, if r i = 0,
then for every j ∈ [N ] such that M i j = 1, it has to be the case that x j = 0. This naturally leads to
the decoding algorithm in Algorithm 40.
The correctness of Algorithm 40 follows from the above observation and it can be checked
that the algorithm runs in time O(t N )– see Exercise 22.3.

Modulo the task of exhibiting the existence of d -disjunct matrices, Lemmas 22.3.5 and 22.3.4
answer Question 22.3.2 in the affirmative. Next, we will tackle the following question:

Question 22.3.3. Design d -disjunct matrices with few rows.

As we will see shortly answering the above question will make connection to coding theory
becomes even more explicit.

377
Algorithm 40 Naive Decoder for Disjunct Matrices
I NPUT: Result vector r and d -disjunct matrix M
O UTPUT: x if M ⊙ x = r else Fail

1: Initialize x ∈ {0, 1}N to be the all ones vector

2: FOR every i ∈ [t ] DO
3: IF r i = 0 THEN
4: FOR Every j ∈ [N ] DO
5: IF M i j = 1 THEN
6: xj ← 0
7: IF M ⊙ x = r THEN
8: RETURN x
9: ELSE
10: RETURN Fail

22.4 Coding Theory and Disjunct Matrices

In this section, we present the connection between coding theory and disjunct matrices with
the final goal of answering Question 22.3.3. First, we present a sufficient condition for a matrix
to be d -disjunct.

Lemma 22.4.1. Let 1 ≤ d ≤ N be an integer and M be a t × N matrix, such that

¯ ¯
(i) For every j ∈ [N ], the j th column has at least w min ones in it, i.e. ¯M j ¯ ≥ w min and

(ii) ¯For every ¯i 6= j ∈ [N ], the i and j ’th columns have at most a max ones in common, i.e.
¯M i ∩ M j ¯ ≤ a max

j k
w min −1
for some integers a max ≤ w min ≤ t . Then M is a a max -disjunct.

j k
w min −1
Proof. For notational convenience, define d = a max . Fix an arbitrary S ⊂ [N ] such that |S| ≤
d and a j 6∈ S. Note we have to show that

M j 6⊆ ∪i ∈S M i ,

or equivalently
³ ´
j i j
M 6⊆ ∪i ∈S M ∩ M .

We will prove the above by showing that

¯ ³ ´¯
¯ j ¯
¯M \ ∪i ∈S M i ∩ M j ¯ > 0.

378
Indeed, consider the following sequence of relationships:
¯ ³ ´¯ ¯ ¯ ¯ ³ ´¯
¯ j ¯ ¯ ¯ ¯ ¯
¯M \ ∪i ∈S M i ∩ M j ¯ = ¯M j ¯ − ¯∪i ∈S M i ∩ M j ¯
¯ ¯ X ¯³ ´¯
¯ ¯ ¯ ¯
≥ ¯M j ¯ − ¯ M i ∩ M j ¯ (22.1)
i ∈S
≥ w min − |S| · a max (22.2)
≥ w min − d · a max (22.3)
w min − 1
≥ w min − · a max (22.4)
a max
= 1.

In the above, (22.1) follows from the fact that size of the union of sets is at most the sum of
their sizes. (22.2) follows from the definitions of w min and a max . (22.3) follows from the fact that
|S| ≤ d while (22.4) follows from the definition of d . The proof is complete.

Next, we present a simple way to convert a code into a matrix. Let C ⊆ [q]t be a code such
that C = {c1 , . . . , cN }. Then consider the matrix MC whose i ’th column is ci , i.e.
 
↑ ↑ ↑
MC = c1 c2 · · · cn  .
↓ ↓ ↓
j k
w min −1
Thus, by Lemma 22.4.1, to construct an a max -disjunct matrix, it is enough to design a
binary code C ∗ ⊆ {0, 1}t such that (i) for every c ∈ C , w t (c) ≥ w min and (ii) for every c1 6= c2 ∈ C ∗ ,
∗

we have |{i |c i1 = c i2 = 1}| ≤ a max . Next, we look at the construction of such a code.

22.4.1 Kautz-Singleton Construction

In this section, we will prove the following result:

³ ¡ integer¢ d´ ≥ 1 and large enough N ≥ d , there exists a t × N matrix is

Theorem 22.4.2. For every
2
d -disjunct where t = O d 2 logd N .

Note that the above result answers Question 22.3.3. It turns out that one can do a bit better:
see Exercise 22.4.
Towards this end, we will now study a construction of C ∗ as in the previous section due to
Kautz and Singleton. As we have already seen in Chapter 13, concatenated codes are a way
to design binary codes. For our construction of C ∗ , we will also use code concatenation. In
particular, we will pick C ∗ = C out ◦ C in , where C out is a [q, k, q − k + 1]q Reed-Solomon code (see
Chapter 5) while the inner code C in : Fq → {0, 1}q is defined as follows. For any i ∈ Fq , define
C in (i ) = ei . Note that MC in is the identity matrix and that N = q k and t = q 2 .

379
Example 22.4.3. Let k = 1 and q = 3. Note that by our choice of [3, 1]3 Reed-Solomon codes, we
have C out = {(0, 0, 0), (1, 1, 1), (2, 2, 2)}. In other words,
 
0 1 2
MC out = 0 1 2 .
0 1 2

Then the construction of MC ∗ can be visualized as in Figure 22.4.3.

 
0 0 1
0 1 0
 
1 0 0
     
0 1 2 0 0 1 0 0 1
 
0 1 2 ◦ 0 1 0 → 0 1 0

 
0 1 2 1 0 0 1 0 0
 
MC out MC in 0 0 1
 
0 1 0
1 0 0
MC ∗

Figure 22.2: Construction of the final matrix MC ∗ from MC out and MC in from Example 22.4.3.
The rows in MC ∗ that correspond to the same row in MC out have the same color.

Next, we instantiate parameters in the Kautz-Singleton construction to prove Theorem 22.4.2.

Proof of Theorem 22.4.2. We first analyze the construction to determine the parameters w min
and a max . Then we pick the parameters q and k in terms of d to complete the proof.
Recall that N = q k and t = q 2 . It is easy to check that every column of MC ∗ has exactly q
ones in it. In other words, w min = q. Next, we estimate a max .
Divide the rows into q sized chunks, and index the t = q 2 rows by pairs in [q] × [q]. Recall
that each column in MC ∗ corresponds to a codeword in C ∗ . For notational convenience, we
will use M for MC ∗ . Note that for any row (i , j ) ∈ [q] × [q] and a column index ℓ ∈ [N ], we have
M (i , j ),ℓ = 1 if and only if cℓ ( j ) = j (where we use some fixed bijection between Fq and [q] and
cℓ is the ℓ’th codeword in C out ). In other words, the number of rows where the ℓ1 th and ℓ2 th
columns both have a one is exactly the number of positions where cℓ1 and cℓ2 agree, which is
exactly q − ∆(cℓ1 , cℓ2 ). Since C out is a [q, k, q − k + 1]q code, the number of rows where any two
columns agree is at most k − 1. In other words, a max = k − 1.1
Lemma 22.4.1 implies that MC ∗ is d -disjunct if we pick
¹ º
q −1
d= .
k −1
1
The equality is obtained due to columns that corresponds to codewords that agree in exactly k − 1 positions.

380
Thus, we pick q and k such that the above is satisfied. Note that we have q = O(kd ). Further,
since we have N = q k , we have
k = logq N .
This implies that q = O(d · logq N ), or q log q = O(d log N ). In other words we have

q = O(d logd N ).

Recalling that t = q 2 completes the proof.

An inspection of the proof of Theorem 22.4.2 shows that we only used the distance of the
Reed-Solomon code and in particular, any C out with large enough distance suffices. In particu-
lar, if we pick C out to be a random code over an appropriate sized alphabet then one can obtain
t = O(d 2 log N ). (See Exercise 22.5 for more on this.) Note that this bound is incomparable to
the bound in Theorem 22.4.2. It turns out that these two are the best known upper bounds on
t (d , N ). In particular,

¡ ¡ ¢¢
Open Question 22.4.1. Can we beat the upper bound of O d 2 · min log(N /d ), log2d N on
t (d , N )?

It turns out that the quadratic dependence on d in the upper bounds is tight. In fact it is
known that t (d , N ) ≥ Ω(d 2 logd N ). (See Exercises 22.7 and 22.8.)
Next, we present an application of group testing in the field of data stream algorithms, which
in turn will bring out another facet of the connection between coding theory and group testing.

22.5 An Application in Data Stream Algorithms

Let us consider the problem of tracking updates on stock trades. Given a set of trades (i 1 , u 1 ), · · · ,
(i m , u m ), where i j is the stock id for the j t h trade, u j is the amount of the stocks in the j t h trade.
The problem is to keep track of the top d stocks. Such a problem is also called hot items/ heavy
hitters problem.
Let N be the total number of stocks in the market. This problem could be solved in O(m) +
O(N log N ) ≈ O(m) time and O(N ) space by setting a O(N ) size buffer to record the total number
of trading for each stock and then sort the buffer later. However, m could be of the order of
millions for one minute’s trading, e.g. in the first minute of April 19, 2010, there are 8077600
stocks were traded. Taking the huge amount of trades into consideration, such an algorithm is
not practical.
A more practical model of efficient algorithms in this context is one of data stream algo-
rithm, which is defined as follows.

Definition 22.5.1. A data stream algorithm has four requirements listed below:

1. The algorithm should make one sequential pass over the input.

381
 2. The algorithm should use poly-log space. (In particular, it cannot store the entire input.)

3. The algorithm should have poly-log update time, i.e. whenever a new item appears, the
algorithm should be able to update its internal state in poly-log time.

4. The algorithm should have poly-log reporting time, i.e. at any point of time the algorithm
should be able to return the required answers in poly-log time.

Thus, ideally we would like to design a data stream algorithm to solve the hot items problem
that we discussed earlier. Next, we formally define the hot items problem. We begin with the
definition of frequencies of each stock:

Definition 22.5.2. Let f ℓ denote the total count for the stock id ℓ. Initially f ℓ = 0, given (ℓ, u ℓ ), f ℓ ←
f ℓ + uℓ .

Next, we define the hot items problem.

Definition 22.5.3 (Hot Items Problem). Given N different items, for m input pairs of data (i ℓ , u ℓ )
for 1 ≤ ℓ ≤ m, where i ℓ ∈ [N ] indicates the item index and u ℓ indicates corresponding count. The
problem requiresPupdating the count f ℓ (1 ≤ ℓ ≤ m) for each item, and to output all item indices
N
u
ℓ=1 ℓ
j such that f j > d . (Any such item is called a hot item.)

Note that there can be at most d hot items. In this chapter, we will mostly think of d as
O(log N ). Hot items problem is also called heavy hitters problems. We state the result below
without proof:

Theorem 22.5.4. Computing hot items exactly by a deterministic one pass algorithm needs Ω(n)
space (even with exponential time).

This theorem means that we cannot solve the hot items problem in poly-log space as we
want. However, we could try to find solutions for problems around this. The first one is to
output an approximate solution, which will output a set that contains all hot items and some
non-hot items. For this solution, we want to make sure that the size of the output set is not too
large (e.g. outputting [N ] is not a sensible solution).
Another solution is to make some assumptions on the input. For example, we can assume
Zipf-like distribution of the input data, which means only a few items appear frequently. More
specifically, we can assume heavy-tail distribution on the input data, i.e.:
X m
fℓ ≤ . (22.5)
ℓ:not hot d

This is reasonable for many applications, such as hot stock finding, where only a few of them
have large frequency. Next, we will explore the connection between group testing and hot items
problem based on this assumption.

382
22.5.1 Connection to Group Testing
Let us recall the naive solution that does not lead to a data stream algorithm: for each item
j ∈ [N ], we maintain the actual count of number of trades for stock j . In other words, at any
point of time, if C j is the count for stock j , we have C j = f j . Another way to represent this is if
M is the N × N identity matrix, then we maintain the vector of counts via M · f, where f is the
vector of the frequencies of the items. Paralleling the story in group testing where we replace
the identity matrix with a matrix with fewer rows, a natural idea here would be to replace M
by matrix with fewer rows that utilizes the fact that there can be at most d hot items. Next, we
show that this idea works if the heavy tail distribution holds. In particular, we will reduce the
hot items problem to the group testing problem.
We now show how we solve the hot items problem from Definition 22.5.3. Let M be an t × N
matrix that is d -disjunct. We maintain counters C 1 , . . . ,C t , where each C i is the total count of
any item that is present in the i th row. We also maintain the total number of items m seen so far.
Algorithm 41 and Algorithm 42 present the initialization and update algorithms. The reporting
algorithm then needs to solve the following problem: at any point of time, given the counts
C 1 , . . . ,C t and m output the at most d hot items.

Algorithm 41 Initialization
O UTPUT: Initialize the counters

1: m ← 0
2: FOR every j ∈ [t ] DO
3: Cj ← 0

Algorithm 42 Update
I NPUT: Input pair (i , u), i ∈ [N ] and u ∈ Z
O UTPUT: Update the Counters

1: m ← m + 1,
2: FOR every j ∈ [t ] DO
3: IF M i j = 1 THEN
4: Cj ←Cj +u

Next, we reduce the problem of reporting hot items to the decoding problem of group test-
ing. The reduction essentially follows from the following observations.

Observation 22.5.5. If j is a hot item and M i j = 1, then C i > m

d.

383
Proof. Let i ∈ [t ] be such that M i j = 1. Then note that at any point of time,
X
Ci = f k ≥ f j .2
k:M i k =1

Since j is a hot item, we have f j > m

d
, which completes the proof.

Observation 22.5.6. For any 1 ≤ i ≤ t , if all j with M i j = 1 are not hot items, then we have C i ≤ m
d.

Proof. Fix an ∈ [t ] such that every j ∈ [N ] such that M i j = 1 is not a hot item. Then by the same
argument as in proof of Observation 22.5.5, we have
X
Ci = fk .
k:M i k =1

The proof then follows by the choice of i and (22.5).

Armed with these observations, we now present the reduction. Define x = (x 1 , x 2 , . . . , x N ) ∈

{0, 1}N with x j = 1 if and only if j is a hot item, and r = (r 1 , r 2 , . . . , r t ) ∈ {0, 1}t with r i = 1 if and
only if C i > m
d
, we will have r i = ∨ j :Mi j =1 x j . The latter claim follows from Observations 22.5.5
and 22.5.6 above. This means we have:

M ⊙ x = r. (22.6)

Note that by definition, w t (x) < d . Thus reporting the hot items is the same as decoding to
compute x given M and r, which successfully changes the hot items problem into group testing
problem. Algorithm 43 has the formal specification of this algorithm.

Algorithm 43 Report Heavy Items

I NPUT: Counters m and C 1 , . . . ,C t
O UTPUT: Output the heavy items

1: FOR every j ∈ [t ] DO
2: IF C t>md
THEN
3: rj ← 1
4: ELSE
5: rj ← 0
6: Let x be the result of decoding (for group testing) r
7: RETURN {i |x i = 1}

Next, we will design and analyze the algorithm above and check if the conditions in Defini-
tion 22.5.1 are met.
2
The equality follows e.g. by applying induction on Algorithm 42.

384
Analysis of the Algorithm

In this part, we will review the requirements on data stream algorithm one by one and check
if the algorithm for the hot items problem based on group testing satisfies them. In particular,
we will need to pick M and the decoding algorithm. We will pick M to be the d -disjunct matrix
from Theorem 22.4.2.

1. One-pass requirement
If we use non-adaptive group testing, the algorithm for the hot items problem above can
be implemented in one pass, which means each input is visited only once. (If adaptive
group testing is used, the algorithm is no longer one pass, therefore we choose non-
adaptive group testing.) We note that by definition, our choice of M satisfies this con-
dition.

2. Poly-log space requirement

In the algorithm, we have to maintain the counters C i and m. The maximum value for
them is mN , thus we can represent each counter in O(log N + log m) bits. This means
we need O((log N +log m)t )bits to maintain the counters. Theorem 22.4.2 implies that t =
O(d 2 log2d N ). Thus, the total space we need to maintain the counters is O(d 2 log2d N (log N +
log m)).
On the other hand, if we need to store the matrix M , we will need Ω(t N ) space. Therefore,
poly-log space requirement can be achieved only if matrix M is not stored directly. (We
will tackle this issues in the next point.)

3. Poly-log update time

As mentioned in the previous part, we cannot store the matrix M directly in order to have
poly-log space. Since RS code is strongly explicit (see Exercise 6.9), we do not need to
explicitly store M (we just need to store the parameters of the code C out and C in , which can
be done in poly-log space). In the following, we will argue that the runtime of Algorithm 42
is O(t × poly log t ). It is easy to check the claimed time bound is correct as long as we can
perform the check in Step 3 in poly log(t ) time. In particular, we would be done if given
j ∈ [N ], we can compute the column M j in O(t × poly log t ) time. Next, we argue that the
latter claim is correct.
£ ¤
Recall that M = MC ∗ , with C ∗ = C out ◦ C in , where C out is a q, k, q − k + 1 q RS code and
C in chosen such that MC in is the q × q identity matrix. Recall that codewords of C ∗ are
columns of the matrix M , and we have n = q k , t = q 2 .
Since every column of M corresponds to a codeword of C ∗ , we can think of j equiva-
lently as a message m ∈ Fq k . In particular, M j then corresponds to the codeword C out (m).
On the other hand, the column M j can be partitioned into q chunks, each chunk is of
length q. Notice that (C out (m))i 1 = i 2 if and only if the i 1 th chunk has 1 on its i 2 th po-
sition and 0 on other positions (recall the definition of C in ). Therefore, we can compute
M j by computing C out (m). Because C out is a linear code, C out (m) can be computed in

385
 O(q 2 ×poly log q) time,3 implies that M j can be computed in O(q 2 ×poly log q) time. Since
we have t = q 2 , the update process can be finished with O(t × poly log t ) time. (We do not
need C out to be strongly explicit: as long as C out is linear the arguments so far work just as
well.)

4. Reporting time
It is easy to check that the run time of Algorithm 43 is dominated by Step 6. So far, the only
decoding algorithm for M that we have seen is Algorithm 40, which runs in time Ω(t N ),
which does not satisfy the required reporting time requirement. In Exercise 22.11, we
show that using the fact that C out is the Reed-Solomon code, one can solve the decoding
problem in poly(t ).

Thus, we have argued that

Theorem 22.5.7. There exists a data streaming algorithm that computes d hot items with one
pass, O(t log N ) space for t = O(d 2 log2d N ), O(t poly log t ) update time and poly(t ) reporting time.

22.6 Summary of best known bounds

We conclude the chapter by collecting the best known bounds on both adaptive and non-
adaptive group testing. First, we know the correct bound on the best possible number of adap-
tive tests:

Theorem 22.6.1.
¡ ¢
t a (d , N ) = Θ d log(N /d ) .

The upper bound follows from Exercise 22.1 while the lower bound follows from Proposi-
tion 22.2.1.
There is a gap between the best known upper and lower bound on the number of non-
adaptive tests:

Theorem 22.6.2.
¡ ¢ ¡ ¡ ¢¢
Ω d 2 logd N ≤ t (d , N ) ≤ O d 2 min log(N /d ), log2d N .

The upper bounds follow from Theorem 22.4.2 and Exercise 22.5 while the lower bound
follows from Exercise 22.8.
Finally, note that Theorem 22.6.1 and 22.6.2 imply that there is a gap between the minimum
number of tests needed for adaptive and non-adaptive group testing:

Corollary 22.6.3. µ ¶
t (d , N ) d
≥Ω .
t a (d , N ) log d
3
This follows from Proposition 2.3.4 and the fact that C out is strongly explicit

386
22.7 Exercises
Exercise 22.1 (Upper bound on t a (d , N )). In this problem we will show that t a (d , N ) = O(d log(N /d )).
We begin by trying to prove a weaker bound of O(d log N ):

• Show that one can identify at least one i such that x i = 1 (or report none exist) with O(log N )
adaptive tests.
(Hint: Use binary search.)

• Using the scheme above argue that one can compute x with O(w t (x) · log N ) adaptive tests.
Conclude that t a (d , N ) ≤ O(d log N ).

Next we argue that we can tighten the bound to the optimal bound of O(d log(N /d )):

• Argue that any scheme that computes x ∈ {0, 1}N with O(w t (x) · log N ) adaptive tests can be
used to compute x with O(d log(N /d )) adaptive tests where w t (x) ≤ d .

• Conclude that t a (d , N ) ≤ O(d log(N /d )).

Exercise 22.2. Show that every d -separable matrix is also (d − 1)-disjunct.

Exercise 22.3. Prove that Algorithm 40 is correct and runs in time O(t N ).

Exercise 22.4. For every integer d ≥ 1 and large enough integer N ≥ d show that there exists a
d -disjunct matrix with O(d 2 log(N /d )) rows.

(Hint: Use the probabilistic method. It might help to pick each of t N bits in the matrix inde-
pendently at random with the same probability.)

Exercise 22.5. We first begin by generalizing the argument of Theorem 22.4.2:

• Let C out be an (n, k, D)q code. Let C in be defined such that MC in is the q × q identity matrix.
Let MC out ◦C in be a t × N matrix that is d -disjunct. Derive the parameters d , t and N .

Next argue that it is enough to pick an outer random code to obtain a d -disjunct matrix with the
same parameters obtained in Exercise 22.4:

• Pick q = Θ(d ). Then using the previous part or otherwise show that if C out is a random
[n, k, D]q code, then the resulting t × N matrix MC out ◦C in is d -disjunct with t = O(d 2 log N )
for large enough N .
(Hint: Use Theorem 4.2.1 and Proposition 3.3.7.)

Exercise 22.6. For every integer d ≥ 1 and large enough N ≥ d , construct a d -disjunct matrix
with O(d 2 log N ) rows in (deterministic) time poly(N ).

Hint: Recall Exercise 4.7.

387
Exercise 22.7 n(Lower Bound on t (d , N ) due to Bassalygo). In this problem we will show that
¡d +2¢ o
t (d , N ) ≥ min 2 , N . In what follows let M be a t × N matrix that is d -disjunct.

(a) Argue that if w t (M j ) < d then M j has a private row i.e. there exists a row i ∈ [t ] such that
M i j = 1 but M i j ′ = 0 for every j ′ 6= j .

(b) Using part (a) or otherwise, argue that if all columns of M have Hamming weight at most
d − 1, then t ≥ N .

(c) Let M − j for j ∈ [N ] be the matrix M with M j as well as all rows i ∈ [t ] such that M i j = 1
removed. Then argue that M − j is (d − 1)-disjunct.

(d) Argue that t (1, N ) ≥ min {3, N }.

n¡ ¢ o
d +2
(e) Using induction with parts (b)-(d) or otherwise, argue that t ≥ min 2 ,N .

Exercise 22.8 (Lower Bound on t (d , N ) due to Ruszinkó and Alon-Asodi). In this problem, we
will show that ¡ © ª¢
t (d , N ) ≥ Ω min d 2 logd N , N . (22.7)
In what follows let M be a t × N matrix that is d -disjunct.

(a) Argue that any j ∈ [N ] such that w t (M j ) < 2t 2

d has a private subset of size ⌈4t /d ⌉, i.e. there
exists a subset S ⊆ [N ] with |S| = ⌈4t /d 2 ⌉ such that M j has ones in all i ∈ S but for every
′
j 6= j ′ , M j has at least one row i ′ ∈ S such that M i ′ j ′ = 0.

(b) Using part (a) or otherwise, argue:

à !
d t
N− ≤ .
2 ⌈4t /d 2 ⌉

(c) Using Exercise 22.7 and part (b) or otherwise argue (22.7).

Exercise 22.9. In this exercise and the ones that follow it, we will consider the following equiv-
alent version of the decoding problem: given r = M ⊙ x with w t (x) ≤ d , output {i |x i = 1}. Now
consider the following easier version of the problem. In addition to r and M assume that one is
also given a set S such that {i |x i = 1} ⊆ S. Modify Algorithm 40 to design a decoding algorithm
that computes {i |x i = 1} in time O(t · |S|).

Exercise 22.10. A t × N matrix M is called (d , L)-list disjunct if and only if the following holds
for every disjoint subsets S, T ⊂ [N ] such that |S| = d and |T | = L −d , there is a row in M where all
columns in S have a 0 but at least one column in T has a 1.

• What is a (d , d + 1)-list disjunct matrix?

• Let C out be an (n, k)q code that is (0, d , L)-list recoverable code (recall Definition 17.3.3). Let
C in be the inner code such that MC in is the q × q identity matrix. Argue that MC out ◦C in is
(d , L) list disjunct.

388
Exercise 22.11. Using Exercises 22.9 and 22.10 or otherwise prove the following. Let MC ∗ be the
Kautz-Singleton matrix from Section 22.4.1. Then given MC ∗ ⊙x with w t (x) ≤ d , one can compute
{i |x i = 1} in poly(t ) time.
(Hint: Theorem 17.3.4 could be useful.)

22.8 Bibliographic Notes

Robert Dorfman’s paper in 1943 [30] introduced the field of (Combinatorial) Group Testing. It
must be noted that though this book covers group testing as an application of coding theory, it
took off long before coding theory itself.
The original motivation arose during the Second World War when the United States Public
Health service and the Selective Service embarked upon a large scale project. The objective was
to weed out all syphilitic men called up for induction. [30].
The connection between group testing and hot items problem considered in Section 22.5
was established by Cormode and Muthukrishnan [27]. More details on data stream algorithms
can be bound in the survey by Muthukrishnan [98].

389
390
Chapter 23

Complexity of Coding Problems

Throughout this book it should have become clear that the algorithmic complexity of some fun-
damental tasks play a critical role in the utility of the code. The most basic tasks are encoding,
and decoding; though in the latter case we may consider many variants such as decoding up to
half the minimum distance, or list-decoding (when the number of errors is more than half the
minimum distance), or simply finding the nearest codeword. In most of the book thus far, we
considered these tasks for specially designed codes. In this chapter we will revisit the complex-
ity of solving some of these tasks for general (linear) codes.1
The main goal in this chapter is to point to some algorithmic tasks that are not likely to be
solvable in polynomial time. Before launching on our quest let us first eliminate the complex-
ity of encoding from our focus. For all linear codes, once the generator matrix is known, the
encoding takes at most quadratic time in the block length which is already polynomial time.
Indeed for special codes this running time can be reduced even further. For example, for many
algebraic codes this running time can be nearly-linear — formally O(n logc n) for some univer-
sal constant c, where n denotes the block length. And for the codes in Chapter 16, the running
time even became O(n).
The main focus in this chapter is decoding, where some of the most general problems turn
out to be too hard. At a high level, we will be considering the following question:

Question 23.0.1. Given an arbitrary linear code (say via its generator matrix), how easy (or
hard) is to perform (various notions of) decoding?

We will describe some variations which remain hard. Finally we will also talk about the chal-
lenge of determining the minimum distance of a linear code, which also turns out to be hard.
1
As we saw in Chapter 2, linear codes have the advantage that they can be represented in size O(n 2 ) for codes of
block length b. For general random codes ones needs to use exponential (in dimension k) space to even represent
the code. It turns out that in this case all interesting algorithm operations are polynomial time in the input size
due to trivial reasons– see Exercise 23.1.

391
The main point of this chapter is to reinforce the message that codes need to be carefully de-
signed (and presented) to determine their distance and enable efficient decoding.
We will assume for this chapter that the reader is familiar with the notions of NP-completeness
(and related notions of intractability). Appendix C has a primer on the notions of computation
efficiency and intractability (and in particular, Appendix C.5 has a quick overview of the theory
of NP-completeness and lists the background knowledge that we will assume for this chapter).

23.1 Nearest Codeword Problem (NCP)

The Nearest Codeword Problem is the most basic and ambitious goal for decoding of linear
codes. Roughly, here the problem is to find the nearest codeword to a given word in the ambient
space, given the generator matrix of the code. As in most complexity analyses, we focus on a
decision problem (see Definition C.5.1) that captures the complexity of this general task.

Problem 23.1.1 (Nearest Codeword Problem (NCP)).

• Input: (F, G, v, t ) where G ∈ Fk×n , v ∈ Fn and t ∈ Z≥0 .

• Output: Y ES if there exists x ∈ Fk such that ∆(v, xG) ≤ t and N O otherwise.

We note that the above is the decision problem version of the following (perhaps more nat-
ural) algorithmic problem, where is an x exists with ∆(v, xG) ≤ t , then we actually output such
an x. Exercise 23.2 shows that these two problems are essentially equivalent in the sense that if
there exists a polynomial time algorithm for one problem then there exists a polynomial time
algorithm for the other problem (and vice-versa).
It turns out the NCP is NP-complete and hence not likely to find a polynomial time solution.
We prove this below. As usual we rely on the knowledge of other NP-complete problems. The
easiest to use for our goal is the NP-completeness of the MaxCut Problem.

Problem 23.1.2 (Maximum Cut Problem (MaxCut)).

¡V ¢
• Input: Graph H = (V, E ) with vertices V and edges E ⊆ 2 ; and integer ℓ.

• Output: Y ES if there exists a cut in H of size at least ℓ i.e., a set S ⊆ V such that Cut(S) ,
{e ∈ E | |e ∩ S| = 1} satisfies |Cut(S)| ≥ ℓ and N O otherwise.

The following is a well-known result from the theory of NP-completeness.

Theorem 23.1.3. MaxCut is NP-complete.

We now use the theorem above to show the NP-Completeness of NCP.

Theorem 23.1.4. The Nearest Codeword Problem (NCP) is NP-complete.

392
Proof. We first note that NCP is indeed in NP, by noting that there is a polynomial time algo-
rithm that can verify Yes instances given an appropriate certificate. Specifically certificate we
will use is the vector x ∈ Fk and the verification algorithm simply checks that ∆(v, xG) ≤ t and
accepts if this holds. Clearly the verification algorithm runs in polynomial time, and satisfies
the condition that for every instance (F, G, v, t ) for which the answer is Y ES there is a certificate
(namely the x ∈ Fk ) such that the verification algorithm accepts.
We now turn to the NP-hardness result. We show how to reduce MaxCut to NCP with F = F2 .2
Given a graph H on vertex set V and edges E , let k = |V | and n = |E |. Our matrix G will be
the so-called incidence matrix of H , i.e., rows of G are indexed by V and columns by E and
Gu,e = 1 if u ∈ e and 0 otherwise. In other words for vertex u and edge e, Gu,e = 1 if and only
if the edge e touches (or is ‘incident to’) the vertex u. Our target vector is v = 1n .3 Finally the
parameter t = n − ℓ. This gives us the instance (F, G, v, t ) of NCP. We now show that (F, G, v, t ) is
a Y ES instance of NCP if and only if (H , ℓ) is a Y ES instance of MaxCut which will conclude the
proof of this theorem.
Assume (for simplicity of notation) that V = [k]. We first note that there is a one-to-one
correspondence between x ∈ Fk2 and S ⊆ V where xi = 1 if and only if i ∈ S. For this correspon-
dence, now note that xG is simply the characteristic vector of Cut(S), since e ∈ Cut(S) and only if
(xG)e = 1 (see Exercise 23.5). It follows thus that ∆(xG, 1n ) = n −|Cut(S)|. We conclude that there
exists x ∈ Fk2 such that ∆(xG, 1n ) ≤ n − ℓ if and only if there exists S ⊆ V such that |Cut(S)| ≥ ℓ. In
other words (F, G, v, t ) is a Y ES instance of NCP if and only if (H , ℓ) is a Y ES instance of MaxCut,
thereby establishing that NCP is NP-hard.

As pointed out earlier, NCP was an ambitious problem and a hardness result should not be
too daunting. NCP asks for the exact distance to the nearest codeword, possibly in codes of
small minimum distance and possibly in codes which do have nice structure, but this is not
evident in the generator matrix. In what follows we will consider each of these aspects, model
them formally and try to assess the complexity of the problem.

23.2 Decoding with Preprocessing

One of the sources of the complexity of the Nearest Codeword Problem might be the fact that
the decoding algorithm does not have the time to ‘preprocess’ the code and understand its
‘intricacies’. For example our code may have a low-density parity check matrix, and if it is does
surely we should be able to decode it efficiently. However, if the code is presented by an arbitrary
generator matrix, then a low-density parity check matrix may not necessarily be algorithmically
easy to find. This leads to the informal question: Can every code be easy to decode, after some
preprocessing?.
To formalize this question we fix some family of codes {C n }n with generator matrices {Gn }n
and consider the nearest codeword problem for this family of codes as follows:
2
Note that this is enough to prove that NCP is NP-hard since F is part of the input for NCP. A similar result can
be proven for other fields as well– see Exercise 23.3.
3
The choice of 1n is crucial. Not all choices will work– see e.g. Exercise 23.4.

393
Problem 23.2.1 (Nearest Codeword Problem with Preprocessing (NCPP){Gn }n ).

• Input: (v, t ) where v ∈ Fn and t ∈ Z≥0

• Output: Y ES if there exists x ∈ Fk(n) such that ∆(v, xGn ) ≤ t and N O otherwise.

The above does not fully capture the effect of preprocessing, in that it does not capture how
the understanding gained by preprocessing could be provided to an algorithm aiming to solve
(NCPP){Gn }n . It turns out that the right way to capture the effect of preprocessing is to allow the
decoding algorithm to be non-uniform. I.e., we will be satisfied if there is an ‘efficient’ algorithm
A(·, ·; ·) and a sequence of strings (often referred to as advice in the literature) {B n }n such that
A(v, t ; B n ) correctly solves NCPP({Gn }n ) for every (v, t ) with v ∈ Fn . Two aspects to stress here
are:

1. A should be efficient, i.e., run in time polynomial in n. In particular, this implies that B n
is a string of length polynomial in n.

2. B n itself may not be easy to compute given Gn and it is important that we allow the com-
putation time of B n to be unboundedly large (or else our definitions do not capture the
intuition that our preprocessor takes a long time to study the code). What is important is
that B n be a string of length polynomial in n (both to enable A to run efficiently and to
capture the intuition that our understanding can be captured succinctly).

The two definitions above, of the (NCPP){Gn }n problem, and the non-uniform algorithmic
solution concept turn out to capture the effect of preprocessing adequately. The resulting ques-
tion is the following:

Question 23.2.1. Is it possible that for every family of codes given by generators {Gn }n , the
problem NCPP{Gn }n has an efficient non-uniform solution?

Unfortunately, the answer to this question also turns out negative as we will see shortly.
However, we move to this result it is worthwhile to reflect on the proof of Theorem 23.1.4 fails
in this case. Go on, think about it before looking at the answer below.
The ‘issue’ with the proof of Theorem 23.1.4 is that the hardness of MaxCut for the input
graph G is encoded into the generator matrix Gn itself. In other words, since in the non-uniform
setting we are allowed to pre-process the generator matrix Gn – we can simply set B n = 1 if the
original graph G has a cut of size at least ℓ and set B n = 0 otherwise. Note that this is a perfectly
legitimate thing to do since we have not restriction on the computation tractability of comput-
ing B n – just that it should not be too large (and in this case it is just a bit). Thus, intuitively what
we want is a reduction where the hardness is ‘baked’ into the received word v instead of the
generator matrix Gn . Next, we show that this is possible to do by reducing MaxCut to NCPP:

394
Theorem 23.2.2. There exists a family of codes with generators {Gn }n such that NCPP{Gn }n is
NP-hard. Specifically there is a polynomial time reduction from MaxCut to NCPP{Gn }n .

Proof. Roughly the idea here is to build a generator matrix corresponding to the incidence ma-
trix of complete graph on k vertices. Thus the generator matrix is always the same for all graphs
on k vertices.4 To capture the actual edges of a graph H we will use the target vector v. The
target distance t will turn out to depend on the number of vertices and the number of edges in
H , as also the size of the cut expected in H . Details below.
We start with a description of the family {Gn }n . We define Gn ∈ Fk×n 2 for every positive integer
k and for n = k(k − 1). Given such a pair k and n, we index the rows of G by the elements of
[k], and the columns by pairs (i , j ) where i 6= j and i , j ∈ [k]. Given a row index r ∈ [k] and
column index (i , j ), the entry Gn [r, (i , j )] = 1 if r = i or r = j and 0 otherwise. In effect Gn has
two columns corresponding to every undirected edge {i , j } in the complete graph on k vertices
— one indexed by (i , j ) and the other by ( j , i ). These two columns are actually identical. The
k
reason for ©the two ª copies will become clear shortly. Specifically this implies that for every x ∈ F2
and every i , j we have that (xGn )(i , j ) = (xGn )( j ,i ) (see Exercise 23.6).
We now show how to reduce an instance (H , ℓ) of MaxCut to NCPP{Gn }n . Let H be a graph
on k vertices, and say the vertex set equals [k] and let E denote the edges of H . We map H to a
vector v ∈ Fn2 as follows: If the edge {i , j } ∈ E then we let v(i , j ) = v( j ,i ) = 1. Else, assuming i < j ,
we set v(i , j ) = 0 and v( j ,i ) = 1. Finally we set

n
t= + |E | − 2ℓ.
2
We now explain why this reduction works correctly.
As in the proof of Theorem 23.1.4 we use the fact that there is a correspondence between
x ∈ Fk2 and cuts in the graph H (using x as the characteristic vector of the set S). Fix a vector x
and the corresponding cut S and let c(S) denote the number of edges cut by S, i.e.,

c(S) = {{i , j } ∈ E |xi + x j = 1}.

Let w = xGn . Note that

© ªfor every i 6= j ∈ [k], Exercise 23.6 implies that w(i , j ) = w( j ,i ) (note that
this is true whether i , j ∈ E or not) and we will use this equality multiple times in the proof
We claim that the distance ∆(w, v) is exactly
n
+ |E | − 2c(S).
2
To see this, note that if {i , j } 6∈ E then w(i , j ) = w( j ,i ) while by construction v(i , j ) 6= v( j ,i ) . It follows
that the contribution of the coordinates (i , j ) corresponding to {i , j } 6∈ E to ∆(w, v) is exactly
n
2 − |E | (i.e., each pair {i , j } 6∈ E contributes 1 to the distance). Now we turn to the coordinates
{i , j } ∈ E - and here the analysis is exactly as in the proof of Theorem 23.1.4. If the edge {i , j } is cut
4
Going back to our earlier discussion on non-uniform algorithms, note that the advice that the pre-processing
algorithm on Gn can then compute only depends on n and is independent of the MaxCut instance. This allows us
to side-step the issue with the proof of Theorem 23.1.4 in the non-uniform setting.

395
by S, then we have w(i , j ) = w( j ,i ) = v(i , j ) = v( j ,i ) = 1 and so these coordinates do not contribute to
the Hamming distance. (Note that there are 2c(S) such coordinates). Finally if {i , j } is not cut by
S then w(i , j ) = w( j ,i ) = 0 whereas v(i , j ) = v( j ,i ) = 1 and so each such coordinate contributes 1 to
the Hamming distance ∆(w, v) (and now we have 2(|E | − c(S)) such coordinates). We conclude
that
n
∆(w, v) = + |E | − 2c(S).
2
It follows that the maximum cut will minimize the distance and so a vector at distance at most
n/2 + |E | − 2ℓ exists if and only if a cut of size at least ℓ exists. Thus (v, t ) is a YES instance of
NCPP{Gn }n if and only if (H , ℓ) is a YES instance of MaxCut, thus showing that MaxCut reduces
(in polynomial time) to NCPP{Gn }n .

We stress that while the hardness result for NCPP{Gn }n is a straightforward NP-hardness
result, the application to preprocessing only asserts that: If NCPP{Gn }n has an efficient non-
uniform algorithm, then so does all of NP (see Exercise 23.7). This would not imply NP = P .
But the conclusion that all of NP has efficient non-uniform algorithms is considered almost as
unlikely (see Appendix C.5), thus suggesting that not all codes can be preprocessed effectively
to yield efficient decoders.

23.3 Approximate NCP

The results of the previous sections rule out finding the nearest codeword to a given word v in a
general linear code generated by G. But what if are willing to find some other nearby codeword?
Of course if the distance t of the target vector v from the code generated by G is much smaller
than the minimum distance of the code, then there are no other nearby codewords. But this is
not the case in the hardness results we have proved (see Exercise 23.8). So it is conceivable than
that there are other codewords nearby (and not too much further than the nearest one). Could
it be easier to find one such codeword? Again after appropriate formalization, we will show that
the answer is negative.
To formalize this question we exploit promise problems (Definition C.5.2). The correct
promise problems to capture approximations turn out to be a gap problem. To define this prob-
lem, we define two disjoint subsets of inputs to decoding problems. For a real number g ≥ 1,
let
Gapg NCPYes = {(F, G, v, t )| exists x ∈ Fk2 s.t. ∆(v, xG) ≤ t }

and Gapg NCPNo = {(F, G, v, t )| for every x ∈ Fk2 , ∆(v, xG) > g · t }.
The GapNCP problem, defined below is simply the restriction of NCP to inputs from Gapg NCPYes ∪
Gapg NCPNo .

Problem 23.3.1 (Gap Nearest Codeword Problem (GapNCP)) with parameter g ).

• Input: (F, G, v, t ) ∈ Gapg NCPYes ∪ Gapg NCPNo .

396
 • Output: Y ES if (F, G, v, t ) ∈ Gapg NCPYes and N O otherwise.

For a real number g > 1, the Gapg NCP-problem captures the complexity of finding a ‘g -
approximate nearby codeword’ where a codeword yG is said to be a g -approximate nearby
codeword to v if for every x ∈ Fk , we have ∆(v, yG) ≤ g · ∆(v, wG). Thus a 2-approximate nearby
codeword is at distance at most twice the distance of the nearest codeword to v. Exercise 23.9
shows that if Gapg NCP is NP-hard and NP 6= P then no polynomial time algorithm can find a
g -approximate nearby codeword.
Having formulated the correct problem to capture ‘approximately nearby codewords’ it is
easy to use known hardness of approximation results to show that Gapg NCP is NP-hard for
some g > 1. This result in turn uses the hardness of the Gap version of the MaxCut problem
defined below. Let

Gapg CUTYes = {(H , ℓ)| exists a cut in H of size at least ℓ}

and Gapg CUTNo = {(H , ℓ)| every cut in H has size at most ℓ/g }.
We use the following theorem that captures the known hardness of Gapg CUT.

Theorem 23.3.2. There exists g > 1 such that Gapg CUT is NP-hard.

It turns out that our reduction from MaxCut to NCP (proof of Theorem 23.1.4) essentially
preserves approximation (see Exercise 23.10) and so we get

Lemma 23.3.3. There exists g > 1 such that Gapg NCP is NP-hard. Furthermore the hardness
holds even when restricted to instances (F, G, v, t ) where F = F2 and the target vector v = 1n .

The more interesting result for NCP is that we can now amplify the hardness to a much
stronger one.

Theorem 23.3.4. For every g 1 < ∞, Gapg 1 NCP is NP-hard.

Proof. The main ingredient of this proof is a reduction that shows that for every g , Gapg NCP
reduces to Gapg 2 NCP provided the target vector v = 1n . Given such a reduction the theorem
is straightforward. We use Lemma 23.3.3 to get Gapg 0 NCP is NP-hard for some g 0 > 1 (with
v = 1n ). We then compose our reductions to get that Gapg 0 NCP reduces to Gapg k NCP for every
0
k of the form 2s for positive integer s. Setting k large enough so that g 0k > g 1 , we get Gapg 0 NCP
reduces to Gapg 1 NCP and so the latter is NP-hard, yielding the theorem. We thus turn to the
reduction asserted above.
The goal of the reduction is to take a code C of block length n (generated by G) and construct
a new code that we will call C 2 of block length n 2 (generated by some matrix G2 ) such that C 2
contains a codeword at distance at most t 2 from the all 1’s vector if and only if C contains a
codeword at distance at most t from the all 1’s vector. This code C 2 is is in turn the direct sum of
two codes C R and C I (R for repetition and I for independent). Codewords of both codes should
be viewed as n × n matrices: C R has as its rows codewords of C and the columns are the all 0

397
vector or the all 1 vector5 . C I has as its columns codewords of C , and the rows are arbitrary (so
the columns are totally independent). Some inspection reveals that if w ∈ C has distance t to 1n
(i.e., it has t zeroes) then the matrix M R + M I , where the rows of M R are all w and M I is the zero
vector on the columns where M R is all one, and w on the columns where M R is all 0, satisfies:
(1) M R + M I is a codeword of C 2 and (2) M R + M I is zero on t 2 coordinates. Further inspection
reveals this is the nearest codeword to the all 1’s matrix. We give the formal description and
proof below.
Given codes C and D recall that C ⊗D denotes the code whose codewords are matrices such
that every rows is a codeword of C and every column is a codeword of D (recall Exercise 2.19).
Let R ⊆ Fn2 be the code R = {0n , 1n } be the n-fold repetition code. Let I = Fn2 be the identity
code (i.e., the code corresponding to the identity matrix as the generator). Let (F2 , G, v, t ) be
an instance of Gapg NCP with G ∈ Fk×n 2 and v = 1n , and let C be the code generated by G. Let
C R = C ⊗ R and let C I = I ⊗C . (Note that by Exercise 2.19 each is a linear code whose generators
GR and GI can be computed in polynomial time from G.) Let C 2 = C R +C I , i.e.

C 2 = {cR + cI |cR ∈ C R , cI ∈ C I } .

. Exercise 23.11 shows that we can compute a generator matrix G2 of code C 2 in polynomial
time. Our reduction outputs (F, G2 , 1n 2 , t 2 ). We argue below that this reduction is correct.
First we show that if there exists w ∈ C such that ∆(w, 1n ) ≤ t then there exists w2 ∈ C 2 such
that ∆(w2 , 1n 2 ) ≤ t 2 . Let v = 1n . Recall that by convention our vectors are row vectors. For
row vector x, let xT denote its transpose, namely the column vector x. We claim that w2 =
vT ·w+wT ·(v−w) satisfies w2 ∈ C 2 and ∆(w2 , 1n 2 ) ≤ t 2 . First note that by construction vT ·w ∈ C R
and wT · (v − w) ∈ C I and so w2 ∈ C 2 . Next to verify the distance, let S = {i |wi = 0}. We claim that
(w2 )i , j = 0 if and only if i , j ∈ S. (See Exercise 23.12.) The distance bound follows since |S| ≤ t .
To see the other direction suppose w2 ∈ C 2 satisfies ∆(w2 , 1n 2 ) ≤ g 2 t 2 (i.e. w2 has ≤ g 2 t 2
zeroes). We wish to show that there exists w ∈ C such that ∆(w, 1n ) ≤ g t . Let w2 = wR +wI where
wR ∈ C R and wI ∈ C I . By our observation on C R earlier, we have that wR contains n identical
rows each of which is some codeword wa ∈ C , i.e., wR = vT · wa . If ∆(wa , 1n ) ≤ g t then we are
done (setting w = wa ). If not, we have that wa has > g t zeroes, which implies > g t columns
of wR is all zero. Let T be the matrix obtained by restricting w2 to those columns where wR
is all zero. Note that T has at least g t columns (by our observation on wR earlier) and each
column is a codeword of C (by definition of C I ). Now let wb be the column of maximum weight
in T . If ∆(wb , 1n ) > g t then we have that ∆(w′ , 1n ) > g t for every column w′ of T ; and so T ,
and hence w2 has strictly more than g 2 t 2 zeroes contracting our assumption. We conclude that
∆(wb , 1n ) ≤ g t .
This gives the desired reduction from Gapg NCP reduces to Gapg 2 NCP, which concludes the
proof.

We note that Theorem 23.5.3 (which we will prove later) provides an alternate proof of The-
orem 23.3.4 (see Exercise 23.13).
5
Alternatively, each codeword matrix in C R has the same codeword from C in all of its rows.

398
 Theorem 23.3.4 thus rules out seemingly very weak approximation algorithms also. In fact
the proof rules out even more (e.g. we can fix the received word v to be the all ones vector), but
it is important to note that these are likely being ruled out in codes whose minimum distance
is quite small, and so correcting large amount of errors (much more than the distance) is not a
particularly useful task. The next section turns to this question.

23.4 Distance bounded decoding

In this section we consider the task of decoding when the number of errors is bounded by the
distance of the code. Once again formalizing the problem is non-trivial given that we do not
know of an algorithm to compute the minimum distance of a code (see Section 23.5 for the
hardness of the problem of computing the distance of a linear code). Once again promise prob-
lems come to our rescue in articulating the problem here. We define the problem already with
a gap, keeping in mind some future applications.
To define this problem, we again define two disjoint subsets of inputs to decoding problems.
For a matrix G ∈ Fk×n let d (G) denote the minimum distance of the code generated by G, i.e.
(recall Proposition 2.3.6),
d (G) = min {wt(xG)}.
x∈Fk \{0k }

For a real number g ≥ 1, let

Gapg DBDYes = {(F, G, v, t )|d (G) ≥ g · t and ∃x ∈ Fk2 s.t. d (v, xG) ≤ t }

and
Gapg DBDNo = {(F, G, v, t )|d (G) ≥ g · t and ∀x ∈ Fk2 , d (v, xG) > g · t }.
We now define the Distance Bounded Decoding problem to be the restriction of NCP to the
union of the sets above. We discuss the meaning of this problem after the definition.

Problem 23.4.1 (Gap Distance Bounded Decoding (GapDBD) with parameter g ).

• Input: (F, G, v, t ) ∈ Gapg DBDYes ∪ Gapg DBDNo

• Output: Y ES if (F, G, v, t ) ∈ Gapg DBDYes and N O otherwise.

So in other words, GapDBD is the restriction of GapNCP to instances where the code itself
has distance greater than d = g ·t and the goal is to determine if the target v is within distance of
d /g from the code, or at least d . Thus, if the goal of NCP is to detect instances where the target
vector v is obtained by introducing few errors into a codeword, DBD enhances the problem by
ensuring that the number of errors is less than the distance of the code. We remark that we will
not be going down to half the distance of the code. As we discuss later (Open Question 23.6.1)
decoding up to half the minimum distance of every code is not known to be NP-complete. But
in this section we will see that decoding up to the minimum distance is actually NP-complete,
at least under randomized reductions.

399
Theorem 23.4.2. There exists g ′ > 1, such that Gapg ′ DBD is NP-hard under randomized reduc-
tions. Specifically there exists g and a randomized polynomial time reduction R from Gapg NCP
to Gapg ′ DBD such that for every instance I ∈ Gapg NCPYes ∪ Gapg NCPNo we have

(1) R(I ) ∈ Gapg ′ DBDYes ∪ Gapg ′ DBDNo with probability 1 − o(1), and

(2) with probability 1 − o(1), R(I ) ∈ Gapg ′ DBDYes if and only if I ∈ Gapg NCPYes .

Note that the above result states that decoding up to dg(G) ′ is NP-hard (under randomized
′
reductions). Ideally, we would like to have g be as close to 2 as possible (but such a result is
not known as mentioned earlier). See Exercise 23.14 for more the largest value of g ′ that we can
achieve.
To prove Theorem 23.4.2, we need several ingredients, each one of which is non-trivial. We
first motivate their need, then state lemmas asserting their existence, and then use them to
prove the theorem.
Our goal is to consider an instance (F, G, v, t ) of Gapg NCP and somehow ‘boost’ the distance
of the underlying code. Let G ∈ Fk×n . One simple idea would be to take a known code of high
distance of dimension k, block length n 0 with generator G0 and adjoin G0 to G to get a new
code. So the new code is generated by G′ = [G0 |G]. Clearly this code has high distance since
G0 itself has high distance. However it is yet unclear how to extend our target vector v to some
(n 0 + n)-dimensional vector. Here comes the first new ingredient. We will select C 0 , the code
generated by G0 to be a code of large distance, say d 0 , and also find a vector w ∈ Fn0 that has
many codewords of C 0 at distance at most (1 − ε)d 0 from it (this is done in Lemma 23.4.3). Now
we can try to use the vector v′ = (w, v) as our target.
Indeed we now have a candidate reduction (assuming we are given G0 and w) which maps
(F, G, v, t ) to (F, G′ , v′ , t ′ ) where G′ = [G0 |G], v′ = (w, v) and t ′ = t +(1−ε)d 0 . If we select t = ε d20 and
1
g ′ = 1−ε/2 , then we get that the resulting code has distance at least d 0 , while the target distance
is at most (1 − ε/2)d 0 . Furthermore the reduction is ‘sound’ in that if there exists x such that
∆(xG′ , v′ ) ≤ d 0 = g ′ · t ′ then ∆(xG, v) ≤ d 0 ≤ g t (where the last inequality follows by choosing
g = 2/ε) , and so (F, G′ , v′ , t ′ ) ∈ Gapg DBDYes implies that (F, G, v, t ) ∈ Gapg ′ NCPYes .
Completeness (i.e., the condition (F, G, v, t ) ∈ Gapg ′ NCPYes implies that (F, G′ , v′ , t ′ ) ∈ Gapg DBDYes ),
unfortunately does not hold for this reduction. In particular if there exists x such that ∆(xG, v) ≤
t , we don’t necessarily have ∆(xG0 , w) ≤ (1 − ε)d 0 . (There are many such x’s, but not every
x ∈ ©Fk satisfies this condition.) ª To fix this problem we need a second idea: Roughly, the set
S = y|∆(yG0 , w) ≤ (1 − ε)d 0 is too unstructured. We will impose structure on it by compressing
it, using a random linear map A. If the parameters are chosen right then the image of S under
A will be the entire range (or at least any given element will be hit with high probability) and so
in particular there will exist y ∈ S such that yA = z for the z such that ∆(zG, v) ≤ t . This ensures
the desired completeness. We now state our lemmas which assert the existence of G0 , w and A
as mentioned above and formally prove the theorem follows from them.

Lemma 23.4.3. There exists 0 < ε > 21 and a randomized algorithm that on input an integer
k, runs in time polynomial in k and outputs, with probability 1 − o(1) integers k 0 , n 0 , a matrix

400
 k ×n 0
G0 ∈ F2 0 generating a code C 0 of minimum distance

k j 2
k
d0 = · (k − 1) 1−2ε
2
and a vector w ∈ Fn0 such that
¯n o¯
¯ ¯
¯ y ∈ Fk0 |∆(yG0 , w) ≤ (1 − ε)d 0 ¯ ≥ 4k .

(The above result does not produce an asymptotically good code but we can prove a stronger
version of Lemma 23.4.3 that produces an asymptotically good code– see Exercise 23.18.)
Our next lemma is a standard property of linear maps, used for instance in constructions of
small families of hash functions. It says that if S ⊆ Fk0 is a set of size sufficiently larger than Fk
then for every y ∈ Fk the probability that for a random A ∈ Fk0 ×k that there exists a x ∈ S such
that xA = y is close to 1.
k
Lemma 23.4.4. For integers k, k 0 , N let S ⊆ F2 0 be a set of size at least N and let z ∈ Fk2 be a fixed
k ×k
vector. Then for a uniformly random A ∈ F2 0 , we have

2k
Pr[Exists y ∈ S s.t. yA = z] ≥ 1 − .
A N
Given the lemmas above, Theorem 23.4.2 is not too hard to prove along the lines described
earlier and we do so below.

Proof of Theorem 23.4.2. Let ε be as given by Lemma 23.4.3. We assume (to avoid some complex
roundings) that ε = 1s for some integer s; if this is not the case we can reduce ε so that it takes
this form while remaining positive. We let
1
g′ =
1 − ε/2
and
2
g= .
ε
For this choice of parameters, we show that Gapg NCP reduces to Gapg ′ DBD.
We start with the reduction. Let (F2 , G, v, t ) be an instance of Gapg ′ NCP, with G ∈ Fk×n
2 . Let
n0
n 0 , k 0 , G0 , d 0 and w ∈ F2 be the output of the randomized algorithm from Lemma 23.4.3 on
input k. Let6
2t
d0 = t · g = .
ε
l m
6
If t < d 0 · 2ε , then we can take the product of the code generated by G with a d2t0 ε -fold repetition code and repeat
l m l m
v also d2t0 ε times — this will multiply n and t by d2t0 ε while leaving membership in Gapg NCPYes or Gapg NCPNo
l m
unchanged. If on the other hand, t > d 0 · 2ε , then the code C 0 from Lemma 23.4.3 would be the d2t0 ε -fold repetition
of the code generated by G0 (and we repeat w the same number of times). This would increase the distance of
the code to the required amount but the other properties remains preserved. We note that there might be some
rounding errors that we are ignoring for the sake of clarity.

401
 k ×k
Let A ∈ F2 0 be a uniformly random matrix. Then let

G′ = [G0 |AG] ,

k ×(n 0 +n) n +n
so that G′ ∈ F2 0 . Further, let v′ = (w, v) ∈ F2 0 . Finally let

t ′ = t + (1 − ε)d 0 .

Note that for this choice of t ′ and the choice of d 0 we have

ε ³ ε´ d0
t ′ = d 0 + (1 − ε)d 0 = 1 − · d 0 = ′ ,
2 2 g

or which yields d 0 ≥ g ′ t ′ as desired7 . We show in the next two paragraphs that (1) Completeness
holds, i.e., (F2 , G′ , v′ , t ′ ) ∈ Gapg ′ DBDYes if (F2 , G, v, t ) ∈ Gapg NCPYes (with high probability) and (2)
Soundness holds, i.e., (F2 , G′ , v′ , t ′ ) ∈ Gapg ′ DBDNo if (F2 , G, v, t ) ∈ Gapg NCPNo (with probability
1), and this will prove the theorem.
We start with the soundness since it is simpler. Since (F2 , G, v, t ) ∈ Gapg NCPNo we have for
k
every x ∈ Fk2 we have ∆(v, xG) > g t . It follows that for every y ∈ F2 0 we have ∆(v, yAG) > g t (since
this holds for x = yA). Finally since ∆((w, v), y[G0 |AG]) ≥ ∆(v, yAG) we conclude

∆(v′ , yG′ ) ≥ g t = d 0 = g ′ t ′ ,

as desired (recall we argued above that d 0 = g ′ t ′ ).

Finally we need to argue the completeness. Let z ∈ Fk2 be such that ∆(v, zG) ≤ t . We now
assume that the conditions of Lemmas 23.4.3 and 23.4.4 hold, i.e.,
n o
k
(i) S , y ∈ F2 0 |∆(yG, w} ≤ (1 − ε)d 0 satisfies |S| ≥ 4k ; and

(ii) For the z and S as defined above, there exists y ∈ S such that yA = z.

Note that the probability that any one of these events does not happen is o(1). (In particular
since |S| ≥ 4k , by Lemma 23.4.4 the probability that (ii) does not hold is at most 2k /4k = o(1).) So
by the union bound we get the probability that both hold simultaneously is still at least 1 −o(1).
We now verify that for this choice of y, we have ∆(v′ , yG′ ) ≤ t ′ and this will conclude the proof.
To verify this note that since y ∈ S we have ∆(yG0 , w) ≤ (1 − ε)d 0 . And since yA = z we have

∆(v, yAG) = ∆(v, zG) ≤ t .

We conclude that
∆(v′ , yG′ ) = ∆(w, yG0 ) + ∆(v, yAG) ≤ (1 − ε)d 0 + t ≤ t ′ ,

as desired.
7
Recall that we need d (G′ ) ≥ g ′ · t ′ .

402
23.5 Minimum distance problem
Finally we turn to a different computational problem associated with codes — that of determin-
ing the minimum distance of a (linear) code.8 Specifically we consider the task of determining,
or approximating the minimum distance of a code given its generator matrix. We show directly
that even the latter is a hard task, specifically that it is NP-hard under randomized reductions.
As usual to show such hardness we work with gap problems. We define the Gap Minimum Dis-
tance Problem next.
As usual, let F denote a field, G ∈ Fk×n denote a generator matrix of a code of dimension
k and block length n, and let d (G) denote the minimum distance of a code. We define our
Gap problem by defining as YES instances the codes of small minimum distance, and as NO
instances the codes of large minimum distance.9 For a real number g ≥ 1, let

Gapg M IN D ISTYes = {(F, G, d )|d (G) ≤ d }

and Gapg M IN D ISTNo = {(F, G, d )|d (G) > g · d }.

Problem 23.5.1 (Gap Minimum Distance (GapMinDist)) with parameter).

• Input: (F, G, d ) ∈ Gapg M IN D ISTYes ∪ Gapg M IN D ISTNo

• Output: Y ES if (F, G, d ) ∈ Gapg M IN D ISTYes and N O otherwise.

Lemma 23.5.2. The following are true:

(i) For every g > 1 there is a deterministic polynomial time reduction from Gapg DBD to Gapg M IN D IST.

(ii) For every g > 1 and g ′ < ∞ there is a deterministic polynomial time reduction from Gapg M IN D IST
to Gapg ′ M IN D IST.

Proof. Both parts are quite simple.

For part (i) given an instance (F, G, v, t ) of Gapg DBD we transform it to the instance (F, G′ , d )
h i
G
′
for d = t and G = − , i.e., G′ is a (k + 1) × n matrix with v being the added row. One can show
v
that if for some y ∈ Fk , ∆(v, yG) ≤ t then d (G′ ) ≤ t , while if for every y ∈ Fk , we have ∆(v, yG) > g t
and d (G) > g t then d (G′ ) > g t – see Exercise 23.21. This proves the completeness and soundness
of the reduction.
ℓ
For part (ii) we reduce (F, G, d ) to (F, G⊗ℓ , d ), where G1 ⊗ G2 denotes the tensor product of
matrices (recall Exercise 2.19), and G⊗ℓ denotes the product of G with itself ℓ times. Recall from
8
We note that the linearity condition is required since the problem of computing the distance of a completely
arbitrary code is polynomial time– see Exercise 23.20
9
Note that this inversion is necessitated by the fact that it is possible to prove that a code has small minimum
distance by exhibiting two nearby codewords. In particular, this gives the definition of a witness to show that the
problem is in NP (see Definition C.5.4).

403
Exercise 2.19 that the tensor product of two codes of minimum ¡ distance
¢ d 1 and d 2 respectively
yields a code of minimum distance d 1 d 2 . This implies that d G ⊗ℓ
= d (G)ℓ and so if d (G) ≤ d
¡ ⊗ℓ ¢ ℓ ¡ ¢ ℓ
then d G ≤ d and if d (G) > g d then d G⊗ℓ > (g d )ℓ = g ℓ d . By picking ℓ large enough we
get g ℓ ≥ g ′ and this yields the desired reduction from Gapg M IN D IST to Gapg ′ M IN D IST.

Combining Lemma 23.5.2 with Theorem 23.4.2 we conclude that approximating the mini-
mum distance to within any constant factor is hard. Specifically it is NP-hard under randomized
reductions.

Theorem 23.5.3. For every constant g < ∞, the problem Gapg M IN D IST is NP-hard under ran-
domized reductions. Consequently, unless all of NP has randomized polynomial time algorithms,
there are no (randomized) polynomial time algorithms to approximate the minimum distance of
a linear code given its generator to within a multiplicative factor of g .

We note that the NP-hardness result above is not necessarily for an asymptotically good
code but see Exercise 23.22 on how to extend it to work for asymptotically good codes as well.

23.6 Conclusions
To summarize the results of this chapter, we see that many coding theoretic problems can be-
come very hard (NP-hard, or NP-hard under randomized reductions) if the code is not carefully
designed. In particular, if we are just given the generator matrix of a code, it may be hard to
determine the minimum distance of the code (Theorem 23.5.3), or decode the nearest code-
word (Theorem 23.1.4), or even find a nearby codeword (not necessarily the nearest– see Theo-
rem 23.3.4). Furthermore the decoding may remain hard even if one is given arbitrary amounts
of time to preprocess the code (i.e., to design an efficient decoder)– see Theorem 23.2.2.
One way to avoid the hardness results, is to design the codes carefully — which is exactly
what we have been doing for much of this book. But there is another glimmer of hope (yet).
All the hardness results work beyond the list-decoding setting, i.e., when the number of errors
is so large that a full list of codewords within the target ball may be exponentially large. What
happens if the list sizes are guaranteed to be small? Or even unique — i.e., when the goal is
to decode only up to the error-correction bound of the code (i.e., half its minimum distance).
Specifically we note that

Open Question 23.6.1. The status of the Gap1/2 DBD problem (whether it is in P or whether
it is NP-hard) is still open.

We note that hardness of coding problems has been one of the sources of ‘hard’ problems
for cryptography as well. Examples of such proposals include the McEliece cryptosystem and
Alekhnovich’s cryptostem. More broadly an entire array of cryptographic primitives have now
been proposed based on the Learning Parity with Noise (LPN) and Learning With Noise (LWN)

404
problems, both of which are essentially problems based on decoding linear codes from error.
Any attempts to prove the security of these schemes, or to firm them up further, will surely
require an improved understanding of the problems discussed in this chapter.

23.7 Exercises
Exercise 23.1. Argue that for an arbitrary (not necessarily linear) code, one can perform encoding
and decoding in time polynomial in the description size of the code. (Recall that in the worst-case
one has to explicitly list all the codewords.)

Exercise 23.2. Show that if there is a polynomial time algorithm for NCP (Problem 23.1.1, then
there is a polynomial time algorithm to find an x such that ∆(v, xG) ≤ t . Show the converse (i.e.
if there exists a polynomial time algorithm for the latter problem then there exists one for NCP as
well).

Exercise 23.3. In this exercise, we will see how one can extend the proof of Theorem 23.1.4 to
make it work for any field F.

1. (Warmup) Consider the variant of NCP where instead of looking for any x ∈ Fk such that
∆(v, xG) ≤ t , we only consider binary vectors. I.e. given (F, G, v, t ), output Y ES if there exists
an x ∈ {0, 1}k such that ∆(v, xG) ≤ t and N O otherwise. Argue that this problem is NP-
complete.
Hint: The proof of Theorem 23.1.4 with very little modification should do the trick.

2. Argue that the NCP problem is NP-complete for any field F.

Hint: Modify all of G, v and t from the proof of Theorem 23.1.4 so that the only x ∈ Fk that can have ∆(v, xG) ≤ t
are binary vectors. Then use the previous part.
Hint: To modify G consider adding appropriate number of copies of the identity matrix Ik×k to the G from the
proof of Theorem 23.1.4.

Exercise 23.4. Argue why the reduction in the proof of Theorem 23.1.4 fails if we pick v to be the
all zeroes vector.

Exercise 23.5. Argue the following. Let x ∈ Fn2 and S = supp (x). Then we have (xG)e = 1 (where G
is as defined in proof of Theorem 23.1.4) if and only if e ∈ Cut(S)

Exercise
© 23.6.
ª Let Gn be as defined in the proof of Theorem 23.2.2. Argue that for every x ∈ Fk2 and
every i , j we have that (xGn )(i , j ) = (xGn )( j ,i ) .

Exercise 23.7. Prove that if NCPP{Gn }n has an efficient non-uniform algorithm, then so does all
of NP.

Exercise 23.8. In this problem we look into the distance of the code generated in the proof of
Theorem 23.2.2. For the rest of the problem let Gn be as defined in the proof of Theorem 23.2.2.

1. Argue that the distance d k of the code generated by Gn is 2(k − 1) (recall that n = k(k − 1)).

405
 2. Argue that the threshold quantity t in the proof of Theorem 23.2.2 satisfies t ≥ k4 · d k . Con-
clude that for large enough k, the distance threshold t is larger than half the distance of
the code and hence there could be more than one possible codeword close enough to the
received word.

Exercise 23.9. Show that if A is a poly time algorithm such that A(F, G, v) always outputs a g -
approximate nearby codeword to v, then Gapg NCP can be decided in polynomial time.

Exercise 23.10. In this problem, we will reduce Gapg CUT to Gapg ′ NCP. We will do this in two
parts:
|E |
1. Argue that any graph G = (V, E ) has a cut of size at least 2 .
Hint: Use the probabilistic method.

2. Reduce Gapg CUT to Gapg ′ NCP with v = 1. Further argue that the reduction will satisfy
g ′ > 1 if g > 1. Conclude that Lemma 23.3.3 holds.
Hint: Use the first part and the proof of Theorem 23.1.4.

Exercise 23.11. Let C 1 and C 2 be linear codes with generator matrices G1 and G2 respectively. Let
C 3 be their direct sum, i.e.
C 3 = {c1 + c2 |c1 ∈ C 1 , c2 ∈ C 2 } .
Show how to compute a generator matrix for C 3 from G1 G2 in polynomial time.

Exercise 23.12. We first recall some notation used in the proof of Theorem 23.3.4. Let w2 = vT ·
w + wT · (v − w), where w ∈ C and v = 1n . Further define

S = {wi = 0} .

Then argue that (w2 )i , j = 0 iff i , j ∈ S.

Exercise 23.13. In this problem we show the following for any g > 1. If Gapg NCP ∈ promise − P,
then Gapg M IN D IST ∈ promise − P. In particular, we will prove a Cook/Turing reduction from
Gapg M IN D IST to Gapg NCP (i.e. a reduction that preserves the hardness of approximation as
well). Note that assuming Theorem 23.5.3, this gives an alternate proof for Theorem 23.3.4. We
will do so in a sequence of steps.
Assume we are given as an input a generator matrix G ∈ Fk×n q for a code C whose distance d
we want to compute/approximate (i.e. G will be an input for the Gapg M IN D IST problem). Define
Gi to be G without it’s i th row and let C i be the corresponding code. We consider the following k
instances of the Gapg NCP problem: (Fq , gi , ci , d ) where ci is the i th row of G (for i ∈ [k]).

1. Argue that for every i ∈ [k], all codewords in C i are at distance at least d from ci . The next
couple of problems tries to prove that in some sense the converse holds as well.

2. Let u ∈ C be a non-zero codeword. Argue that there exists at least one i ∈ [k] such that ci is
at distance at most w t (u) from some codeword in C i .
Pk
Hint: Let u = j =1 αi · ci . Let i ∈ [k] be such that αi 6= 0 (which should such an i exist?). Think of an appro-
¡P ¢
priate β 6= 0 (that is related to αi ) such that ∆ j 6=i ∈[k] β · α j · c j , ci = w t (u).

406
 3. Using the above (or otherwise), argue that there exists an i ∈ [k] such that ∆(ci ,C i ) = d .

4. Using the above sub-problems or otherwise argue that if Gapg NCP ∈ promise − P, then
Gapg M IN D IST ∈ promise − P.

Exercise 23.14. What is the largest value of g ′ for which you can argue Theorem 23.4.2?

Exercise 23.15. In this exercise we will argue that for any code with distance d there are lots of
Hamming balls of radius d (1 − ε) with ‘lots’ of codewords in it. In particular, we will quantify
what ‘lots‘ means for any code.
Let C be an (n, k, d )q code (note that the code need not be linear). Now construct a bipartite
graph G = (C , [q]n , E ), where E is defined as follows:
© ª
E = (c, y)|c ∈ C , y ∈ [q]n , ∆(c, y) ≤ (1 − ε)d .

Also for notational convenience define r = (1 − ε)d . We talk through a sequence of problems to
prove our final bound:

1. Argue that G is left regular: i.e. every c ∈ C has degree D L for some positive integer D L .

2. Argue that D L = V ol q (r, n)

3. Argue the average degree of the right vertices in G satisfy

D R = q k−n · V ol q (r, n).

4. Argue that at most γ fraction of edges e = (u, v) ∈ E such that v has degree at most γ · D R .

5. Argue that pick c ∈ C uniformly at random and then pick a random right neighbor of c is
the same as picking an edge in E uniformly at random.

6. Using the above parts or otherwise argue that

h¯ ¯ i
Pr ¯C ∩ B (y, r )¯ ≤ γ · q k−n · V ol q (r, n) ≤ γ.
c∈C ,y∈B (c,r )

7. Argue that any code that lies beyond the GV bound (i.e. has relative distance δ and rate
at least 1 − H q (δ) + ε0 ) satisfies the following property with all but an exponentially small
probability– a random Hamming ball of relative radius (1 − ε)δ has exponentially many
codewords (where ε is some constant that depends on ε0 and δ).

Exercise 23.16. In this exercise we will prove Lemma 23.4.3 but for large enough alphabet size.
In Exercise 23.17, we will see how to get the result for binary codes.
Let 0 < δ < 12 be arbitrary and define

1
ε= − δ.
2

407
Assume ℓ ≥ 33 and let q be a power of 2 such that

q δ = ℓ − 1.

(We note that the equality might not hold for all ℓ but we make the above simplifying assump-
tions to make some of the subsequent calculations easier.)
Let C be an [q, q − q δ , q δ + 1]q Reed-Solomon code. We will now prove Lemma 23.4.3 (with
slightly different parameters) using the Reed-Solomon code C and Exercise 23.15.

1. Define
4ℓ · q ℓ−1
γ= . (23.1)
V ol q ((1 − ε)ℓ, q)
q
Then argue that for a random w ∈ Fq with probability at least 1 − γ, we have that

|{c ∈ C |∆(w, c) ≤ (1 − ε)ℓ}| ≥ 4ℓ .

2. Argue that γ as defined in (23.1) satisfies γ ≤ 2−ℓ .

3. Using the above parts or otherwise, argue that the statement of Lemma 23.4.3 holds (except
that d 0 = ℓ and the result is for a q-ary code instead of a binary code).

Exercise 23.17. Prove Lemma 23.4.3.

Hint: Use Exercise 23.1 along with a Hadamard code. The proof of Proposition 2.6.3 might be useful.

Exercise 23.18. Prove Lemma 23.4.3 but for an asymptotically good code.
1
Hint: Use the fact that there exists q-ary codes with q ≥ 49 with relative distance δ and rate at least 1 −δ − pq−1 (and
this is known to be strictly better than the GV bound).

Exercise 23.19. In this exercise we will prove Lemma 23.4.4 via a sequence of steps. Let k, k 0 , N , S, z, A
be as defined in statement of Lemma 23.4.4. Then consider the following steps:

1. Re-define S to subset of size exactly N − 1 such that all vectors in S are non-zero.10 Define
Nz to be (the random variable that denotes) the number of vectors y such that yA = z. Argue
that
EA [Nz ] = (N − 1) · 2−k .

2. Let Nz be as defined in the item above. Argue that

£ ¤
EA (Nz )2 = (N − 1) · 2−k + (N − 1)(N − 2) · 2−2k .

Hint: Argue that for any y1 6= y2 ∈ S, y1 A and y2 A are independent and then use this fact.

10
Convince yourself that this is valid.

408
 3. We will take a bit digression to prove a general result about random variables. Let X be a
non-negative integer random variable. Argue that

(E [X ])2
Pr [X > 0] ≥ £ ¤.
E X2

Hint: Write down the expression for (E [X ])2 and use Cauchy-Schwartz inequality (Lemma B.1.6).

4. Using the above parts (or otherwise), complete the proof of Lemma 23.4.4.
Hint: The lemma can also be proved using Chebyschev’s inequality without using the previous part.

Exercise 23.20. Argue that given a completely arbitrary code C , one can compute its distance in
polynomial time (in the size of the representation of C ).
¡ ¢
Hint: Recall that an arbitrary (n, k)q code needs Θ q k · n space to represent it.

Exercise 23.21. Let v, G and G′ be as defined in the proof of Lemma 23.5.2. Argue the following:

1. If for some y ∈ Fk , ∆(v, yG) ≤ t then d (G′ ) ≤ t ,

2. If for every y ∈ Fk , we have ∆(v, yG) > g t and d (G) > g t then d (G′ ) > g t .

Exercise 23.22. Prove Theorem 23.5.3 for the special case of the code being asymptotically good
as well.

23.8 Bibliographic Notes

Theorem 23.1.4 is due to Berlekamp, McEliece and van Tilborg [13]. This work seems be the
first to apply the lens of computational complexity, and in particular NP-hardness, to coding
theoretic problems. Theorem 23.1.3 showing the hardness of MaxCut is due to Garey, Johnson
and Stockmeyer [44]. For more on classical NP-completeness results the reader is pointed to the
text by Garey and Johnson [45]. Theorem 23.2.2 on the hardness of decoding after preprocessing
is due to Bruck and Naor [15]. The hardness of approximating MaxCut, Theorem 23.3.2, is based
on the PCP theorem due to Arora et al. [6, 5]. The hardness of approximating the distance of
the nearest codeword, Theorem 23.3.4, is due to Stern [122]. The hardness of decoding up to
the minimum distance, Theorem 23.4.2, is due to Dumer, Micciancio and Sudan [33]. We note
that the literature includes many significant variations of this result. In particular Guruswami
and Vardy [66] (see also Gandikotta, Ghazi, Grigorescu [43]) have shown that it is NP-hard to
decode Generalized Reed-Solomon codes (recall Exercise 5.12). Since these are MDS codes, any
decoding hardness is automatically a hardness for a ‘Distance Bounded Decoding’ problem.
The NP-hardness of computing the minimum distance of a linear code is due to Vardy [132].
We stress that this is NP-hardness with a deterministic reduction unlike the results proven in
this chapter. The NP-hardness, under randomized reductions, of approximating the minimum
distance, Theorem 23.5.3, is from Dumer et al. [33].

409
410
Bibliography

[1] Manindra Agrawal, Neeraj Kayal, and Nitin Saxena. PRIMES Is in P. Annals of Mathemat-
ics, 160(2):781–793, 2004.

[2] M. Alekhnovich. Linear diophantine equations over polynomials and soft decoding of
reed-solomon codes. In The 43rd Annual IEEE Symposium on Foundations of Computer
Science, 2002. Proceedings., pages 439–448, Nov 2002.

[3] Noga Alon and Joel Spencer. The Probabilistic Method. John Wiley, 1992.

[4] Erdal Arıkan. Channel polarization: A method for constructing capacity-achieving codes
for symmetric binary-input memoryless channels. IEEE Transactions on Information
Theory, pages 3051–3073, July 2009.

[5] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy. Proof
verification and the hardness of approximation problems. Journal of the ACM, 45(3):501–
555, May 1998.

[6] Sanjeev Arora and Shmuel Safra. Probabilistic checking of proofs: A new characterization
of NP. Journal of the ACM, 45(1):70–122, January 1998.

[7] Jarosław Bł asiok, Venkatesan Guruswami, Preetum Nakkiran, Atri Rudra, and Madhu Su-
dan. General strong polarization. In Proceedings of the 50th Annual ACM Symposium on
Theory of Computing, pages 485–492, 2018.

[8] P.G.H. Bachmann. Die analytische Zahlentheorie. Number v. 2 in Zahlentheorie. Ver-

such einer Gesammtdarstellung dieser Wissenschaft in ihren Haupttheilen. 2. th. Teub-
ner, 1894.

[9] John Bather. A conversation with herman chernoff. Statistical Science, 11(4):335–350,
1996.

[10] Donald Beaver and Joan Feigenbaum. Hiding instances in multioracle queries. In Chris-
tian Choffrut and Thomas Lengauer, editors, STACS 90, 7th Annual Symposium on The-
oretical Aspects of Computer Science, Rouen, France, February 22-24, 1990, Proceedings,
volume 415 of Lecture Notes in Computer Science, pages 37–48. Springer, 1990.

411
[11] Eli Ben-Sasson, Swastik Kopparty, and Jaikumar Radhakrishnan. Subspace polynomi-
als and limits to list decoding of reed-solomon codes. IEEE Trans. Information Theory,
56(1):113–120, 2010.

[12] E. R. Berlekamp. Factoring polynomials over large finite fields. Mathematics of Compu-
tation, 24:713–735, 1970.

[13] Elwyn R. Berlekamp, Robert J. McEliece, and Henk C. A. van Tilborg. On the inher-
ent intractability of certain coding problems. IEEE Transactions on Information Theory,
24(3):384–386, May 1978.

[14] Kristian Brander. Interpolation and list decoding of algebraic codes. PhD thesis, Technical
University of Denmark, 2010.

[15] Jehoshua Bruck and Moni Naor. The hardness of decoding linear codes with preprocess-
ing. IEEE Transactions on Information Theory, 36(2), March 1990.

[16] P.S. Bullen. Handbook of Means and Their Inequalities. Mathematics and Its Applications.
Springer Netherlands, 2010.

[17] Michael R. Capalbo, Omer Reingold, Salil P. Vadhan, and Avi Wigderson. Randomness
conductors and constant-degree lossless expanders. In John H. Reif, editor, Proceedings
on 34th Annual ACM Symposium on Theory of Computing, May 19-21, 2002, Montréal,
Québec, Canada, pages 659–668. ACM, 2002.

[18] Larry Carter and Mark N. Wegman. Universal classes of hash functions. J. Comput. Syst.
Sci., 18(2):143–154, 1979.

[19] Donald G. Chandler, Eric P. Batterman, and Govind Shah. Hexagonal, information en-
coding article, process and system. US Patent Number 4,874,936, October 1989.

[20] C. L. Chen and M. Y. Hsiao. Error-correcting codes for semiconductor memory applica-
tions: A state-of-the-art review. IBM Journal of Research and Development, 28(2):124–134,
1984.

[21] Peter M. Chen, Edward K. Lee, Garth A. Gibson, Randy H. Katz, and David A. Patter-
son. RAID: High-performance, reliable secondary storage. ACM Computing Surveys,
26(2):145–185, 1994.

[22] Q. Cheng and D. Wan. On the list and bounded distance decodability of reed–solomon
codes. SIAM Journal on Computing, 37(1):195–209, 2007.

[23] Herman Chernoff. A measure of asymptotic efficiency for tests of a hypothesis based
on the sum of observations. Annals of Mathematical Statistics, 23(4):493–507, December
1952.

412
[24] S. Chung, Jr. G. D. Forney, T. Richardson, and R. Urbanke. On the design of low-density
parity-check codes within 0.0045 dB of the shannon limit. IEEE Communications Letters,
5:58–60, February 2001.

[25] Alan Cobham. The Intrinsic Computational Difficulty of Functions. In Y. Bar-Hillel, edi-
tor, Logic, Methodology and Philosophy of Science, proceedings of the second International
Congress, held in Jerusalem, 1964, Amsterdam, 1965. North-Holland.

[26] Stephen A. Cook. The complexity of theorem-proving procedures. In Proceedings of the

3rd Annual ACM Symposium on Theory of Computing (STOC), pages 151–158, 1971.

[27] Graham Cormode and S. Muthukrishnan. What’s hot and what’s not: tracking most fre-
quent items dynamically. ACM Trans. Database Syst., 30(1):249–278, 2005.

[28] Thomas M. Cover and Joy A. Thomas. Elements of Information Theory. John Wiley & Sons,
Inc., second edition edition, 2005.

[29] Eren Şaşoğlu. Polarization and polar codes. Foundations and Trends in Communications
and Information Theory, 8(4):259–381, 2012.

[30] Robert Dorfman. The detection of defective members of large populations. The Annals
of Mathematical Statistics, 14(4):436–440, December 1943.

[31] Devdatt P. Dubhashi and Alessandro Panconesi. Concentration of Measure for the Analysis
of Randomized Algorithms. Cambridge University Press, 2009.

[32] Ilya Dumer, Daniele Micciancio, and Madhu Sudan. Hardness of approximating the min-
imum distance of a linear code. IEEE Transactions on Information Theory, 49(1):22–37,
2003.

[33] Ilya Dumer, Daniele Micciancio, and Madhu Sudan. Hardness of approximating the min-
imum distance of a linear code. IEEE Trans. Information Theory, 49(1):22–37, 2003.

[34] Zeev Dvir and Shachar Lovett. Subspace evasive sets. Electronic Colloquium on Compu-
tational Complexity (ECCC), 18:139, 2011.

[35] Jack Edmonds. Paths, trees, and flowers. In Ira Gessel and Gian-Carlo Rota, editors,
Classic Papers in Combinatorics, Modern Birkhäuser Classics, pages 361–379. Birkhäuser
Boston, 1987.

[36] Peter Elias. Error-free coding. IEEE Transactions on Information Theory, 4(4):29–37, 1954.

[37] Peter Elias. List decoding for noisy channels. Technical Report 335, Research Laboratory
of Electronics, MIT, 1957.

[38] P. Erdös. On extremal problems of graphs and generalized graphs. Israel Journal of Math-
ematics, 2(3):183–190, 1964.

413
[39] Paul Erdös. Some remarks on the theory of graphs. Bulletin of the American Mathematical
Society, 53:292–294, 1947.

[40] G. David Forney. Concatenated Codes. MIT Press, Cambridge, MA, 1966.

[41] G. David Forney. Generalized Minimum Distance decoding. IEEE Transactions on Infor-
mation Theory, 12:125–131, 1966.

[42] Robert G. Gallager. Low-Density Parity-Check Codes. MIT Press, 1963.

[43] Venkata Gandikota, Badih Ghazi, and Elena Grigorescu. Np-hardness of reed-solomon
decoding, and the prouhet-tarry-escott problem. SIAM J. Comput., 47(4):1547–1584,
2018.

[44] M. R. Garey, D. S. Johnson, and L. J. Stockmeyer. Some simplified np-complete graph

problems. Theoretical Computer Science, 1(3):237–267, 1976.

[45] Michael R. Garey and David S. Johnson. Computers and Intractability. Freeman, 1979.

[46] Peter Gemmell, Richard J. Lipton, Ronitt Rubinfeld, Madhu Sudan, and Avi Wigderson.
Self-testing/correcting for polynomials and for approximate functions. In Cris Kout-
sougeras and Jeffrey Scott Vitter, editors, Proceedings of the 23rd Annual ACM Symposium
on Theory of Computing, May 5-8, 1991, New Orleans, Louisiana, USA, pages 32–42. ACM,
1991.

[47] Peter Gemmell and Madhu Sudan. Highly resilient correctors for multivariate polynomi-
als. Information Processing Letters, 43(4):169–174, 1992.

[48] Peter Gemmell and Madhu Sudan. Highly resilient correctors for polynomials. Inf. Pro-
cess. Lett., 43(4):169–174, 1992.

[49] E. N. Gilbert. A comparison of signalling alphabets. Bell System Technical Journal, 31:504–
522, 1952.

[50] M. J. E. Golay. Notes on digital coding. Proceedings of the IRE, 37:657, 1949.

[51] Parikshit Gopalan, Cheng Huang, Huseyin Simitci, and Sergey Yekhanin. On the locality
of codeword symbols. IEEE Trans. Inf. Theory, 58(11):6925–6934, 2012.

[52] Venkatesan Guruswami. Limits to list decodability of linear codes. In Proceedings of the
34th ACM Symposium on Theory of Computing (STOC), pages 802–811, 2002.

[53] Venkatesan Guruswami. List decoding of error-correcting codes. Number 3282 in Lecture
Notes in Computer Science. Springer, 2004. (Winning Thesis of the 2002 ACM Doctoral
Dissertation Competition).

[54] Venkatesan Guruswami. Iterative decoding of low-density parity check codes. Bull.
EATCS, 90:53–88, 2006.

414
[55] Venkatesan Guruswami. Linear-algebraic list decoding of folded reed-solomon codes.
In Proceedings of the 26th Annual IEEE Conference on Computational Complexity (CCC),
pages 77–85, 2011.

[56] Venkatesan Guruswami, Johan Håstad, and Swastik Kopparty. On the list-decodability of
random linear codes. IEEE Transactions on Information Theory, 57(2):718–725, 2011.

[57] Venkatesan Guruswami, Johan Håstad, Madhu Sudan, and David Zuckerman. Combi-
natorial bounds for list decoding. IEEE Transactions on Information Theory, 48(5):1021–
1035, 2002.

[58] Venkatesan Guruswami and Piotr Indyk. Linear-time encodable/decodable codes with
near-optimal rate. IEEE Transactions on Information Theory, 51(10):3393–3400, 2005.

[59] Venkatesan Guruswami, James R. Lee, and Alexander A. Razborov. Almost euclidean sub-
spaces of l 1 n VIA expander codes. Comb., 30(1):47–68, 2010.

[60] Venkatesan Guruswami and Atri Rudra. Limits to list decoding reed-solomon codes. IEEE
Transactions on Information Theory, 52(8):3642–3649, August 2006.

[61] Venkatesan Guruswami and Atri Rudra. Explicit codes achieving list decoding capac-
ity: Error-correction with optimal redundancy. IEEE Transactions on Information Theory,
54(1):135–150, 2008.

[62] Venkatesan Guruswami and Atri Rudra. Better binary list decodable codes via multilevel
concatenation. IEEE Transactions on Information Theory, 55(1):19–26, 2009.

[63] Venkatesan Guruswami and Atri Rudra. The existence of concatenated codes list-
decodable up to the hamming bound. IEEE Transactions on Information Theory,
56(10):5195–5206, 2010.

[64] Venkatesan Guruswami and Igor Shparlinski. Unconditional proof of tightness of john-
son bound. In Proceedgins of the Fourteenth Annual ACM-SIAM Symposium on Discrete
Algorithms (SODA), pages 754–755, 2003.

[65] Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon and
algebraic-geometry codes. IEEE Transactions on Information Theory, 45(6):1757–1767,
1999.

[66] Venkatesan Guruswami and Alexander Vardy. Maximum-likelihood decoding of reed-

solomon codes is np-hard. IEEE Trans. Information Theory, 51(7):2249–2256, 2005.

[67] Venkatesan Guruswami and Ameya Velingker. An entropy sumset inequality and poly-
nomially fast convergence to Shannon capacity over all alphabets. In Proceedings of 30th
Conference on Computational Complexity, pages 42–57, 2015.

415
[68] Venkatesan Guruswami and Patrick Xia. Polar codes: Speed of polarization and poly-
nomial gap to capacity. IEEE Trans. Information Theory, 61(1):3–16, 2015. Preliminary
version in Proc. of FOCS 2013.

[69] Venkatesan Guruswami and Chaoping Xing. Folded codes from function field towers and
improved optimal rate list decoding. Electronic Colloquium on Computational Complex-
ity (ECCC), 19:36, 2012.

[70] Richard W. Hamming. Error Detecting and Error Correcting Codes. Bell System Technical
Journal, 29:147–160, April 1950.

[71] G.H. Hardy and J.E. Littlewood. Some problems of diophantine approximation. Acta
Mathematica, 37(1):193–239, 1914.

[72] Seyed Hamed Hassani, Kasra Alishahi, and Rüdiger L. Urbanke. Finite-length scaling for
polar codes. IEEE Trans. Information Theory, 60(10):5875–5898, 2014.

[73] Johan Håstad, Steven Phillips, and Shmuel Safra. A well-characterized approximation
problem. Inf. Process. Lett., 47(6):301–305, 1993.

[74] Tom Høholdt, J. H. van Lint, and Ruud Pellikaan. Algebraic geometry codes. In W. C. Huf-
famn V. S. Pless and R. A.Brualdi, editors, Handbook of Coding Theory. North Holland,
1998.

[75] Cheng Huang, Minghua Chen, and Jin Li. Pyramid codes: Flexible schemes to trade space
for access efficiency in reliable data storage systems. ACM Trans. Storage, 9(1), March
2013.

[76] Ari Juels and Madhu Sudan. A fuzzy vault scheme. Des. Codes Cryptography, 38(2):237–
257, 2006.

[77] J. Justesen. Class of constructive asymptotically good algebraic codes. IEEE Trans. Inform.
Theory, pages 652–656, Sep 1972.

[78] Erich Kaltofen. Polynomial-time reductions from multivariate to bi- and univariate inte-
gral polynomial factorization. SIAM J. Comput., 14(2):469–489, 1985.

[79] Richard M. Karp. Reducibility among combinatorial problems. In Complexity of Com-

puter Computations, pages 85–103, 1972.

[80] John Y. Kim and Swastik Kopparty. Decoding reed-muller codes over product sets. Theory
of Computing, 13(1):1–38, 2017.

[81] Donald E. Knuth. Big omicron and big omega and big theta. SIGACT News, 8(2):18–24,
April 1976.

[82] Andrei N. Kolmogorov. Three Approaches to the Quantitative Definition of Information.

Problems of Information Transmission, 1(1):1–7, 1965.

416
[83] Satish Babu Korada, Eren Sasoglu, and Rüdiger L. Urbanke. Polar codes: Characteriza-
tion of exponent, bounds, and constructions. IEEE Transactions on Information Theory,
56(12):6253–6264, 2010.

[84] E. Landau. Handbuch der lehre von der verteilung der primzahlen. Number v. 1 in Hand-
buch der lehre von der verteilung der primzahlen. B. G. Teubner, 1909.

[85] Amos Lapidoth and P. Narayan. Reliable communication under channel uncertainty.
IEEE Transactions on Information Theory, 44(6):2148–2177, 1998.

[86] Leonid A Levin. Universal sequential search problems. Problemy Peredachi Informatsii,
9(3):115–116, 1973.

[87] Ming Li and Paul M. B. Vitányi. An Introduction to Kolmogorov Complexity and Its Appli-
cations. Graduate Texts in Computer Science. Springer, New York, NY, USA, third edition,
2008.

[88] Rudolf Lidl and Harald Niederreiter. Introduction to Finite Fields and their applications.
Cambridge University Press, Cambridge, MA, 1986.

[89] Richard J. Lipton. Efficient checking of computations. In Christian Choffrut and Thomas
Lengauer, editors, STACS 90, 7th Annual Symposium on Theoretical Aspects of Computer
Science, Rouen, France, February 22-24, 1990, Proceedings, volume 415 of Lecture Notes in
Computer Science, pages 207–215. Springer, 1990.

[90] Michael Luby, Michael Mitzenmacher, Amin Shokrollahi, and Daniel Spielman. Efficient
erasure correcting codes. IEEE Transactions on Information Theory, 47(2):569–584, 2001.

[91] Michael Luby, Michael Mitzenmacher, Mohammad Amin Shokrollahi, and Daniel A.
Spielman. Efficient erasure correcting codes. IEEE Transactions on Information Theory,
47(2):569–584, 2001.

[92] Robert J. McEliece. On the average list size for the Guruswami-Sudan decoder. In 7th In-
ternational Symposium on Communications Theory and Applications (ISCTA), July 2003.

[93] Robert J. McEliece, Eugene R. Rodemich, Howard Rumsey Jr., and Lloyd R. Welch. New
upper bounds on the rate of a code via the Delsarte-Macwilliams inequalities. IEEE Trans-
actions on Information Theory, 23:157–166, 1977.

[94] Michael Mitzenmacher and Eli Upfal. Probability and Computing: Randomized Algo-
rithms and Probabilistic Analysis. Cambridge University Press, 2005.

[95] Ryuhei Mori and Toshiyuki Tanaka. Source and channel polarization over finite fields and
Reed-Solomon matrices. IEEE Trans. Information Theory, 60(5):2720–2736, 2014.

[96] Rajeev Motwani and Prabhakar Raghavan. Randomized Algorithms. Cambridge Univer-
sity Press, 1995.

417
 [97] David E. Muller. Application of boolean algebra to switching circuit design and to error
detection. Trans. I.R.E. Prof. Group on Electronic Computers, 3(3):6–12, 1954.

[98] S. Muthukrishnan. Data streams: Algorithms and applications. Foundations and Trends
in Theoretical Computer Science, 1(2), 2005.

[99] Dimitris S. Papailiopoulos and Alexandros G. Dimakis. Locally repairable codes. IEEE
Trans. Inf. Theory, 60(10):5843–5855, 2014.

[100] Farzad Parvaresh and Alexander Vardy. Correcting errors beyond the guruswami-sudan
radius in polynomial time. In Proceedings of the 46th Annual IEEE Symposium on Foun-
dations of Computer Science (FOCS), pages 285–294, 2005.

[101] Ruud Pellikaan and Xin-Wen Wu. List decoding of q-ary reed-muller codes. IEEE Trans.
Information Theory, 50(4):679–682, 2004.

[102] Larry L. Peterson and Bruce S. Davis. Computer Networks: A Systems Approach. Morgan
Kaufmann Publishers, San Francisco, 1996.

[103] W. Wesley Peterson. Encoding and error-correction procedures for Bose-Chaudhuri

codes. IEEE Transactions on Information Theory, 6:459–470, 1960.

[104] Michael O. Rabin. Probailistic algorithms. In J. F. Traub, editor, Algorithms and Complex-
ity, Recent Results and New Directions, pages 21–39, 1976.

[105] Jaikumar Radhakrishnan and Amnon Ta-Shma. Bounds for dispersers, extractors, and
depth-two superconcentrators. SIAM J. Discret. Math., 13(1):2–24, 2000.

[106] I. Reed, R. Scholtz, , and L. Welch. The fast decoding of reed-solomon codes using fermat
theoretic transforms and continued fractions. IEEE Transactions on Information Theory,
24(1):100–106, January 1978.

[107] Irving S. Reed. A class of multiple-error-correcting codes and the decoding scheme.
Trans. of the IRE Professional Group on Information Theory (TIT), 4:38–49, 1954.

[108] Irving S. Reed and Gustav Solomon. Polynomial codes over certain finite fields. SIAM
Journal on Applied Mathematics, 8(2):300–304, 1960.

[109] T. Richardson, A. Shokrollahi, and R. Urbanke. Design of capacity-approaching irregular

low-density parity-check codes. IEEE Trans. Inform. Theory, 47:619–637, February 2001.

[110] T. Richardson and R. Urbanke. The capacity of low-density parity check codes under
message-passing decoding. IEEE Trans. Inform. Theory, 47:599–618, February 2001.

[111] Herbert Robbins. A remark on Stirling’s formula. Amer. Math. Monthly, 62:26–29, 1955.

[112] Atri Rudra and Steve Uurtamo. Two theorems on list decoding. In Proceedings of the 14th
Intl. Workshop on Randomization and Computation (RANDOM), pages 696–709, 2010.

418
[113] Atri Rudra and Mary Wootters. Every list-decodable code for high noise has abundant
near-optimal rate puncturings. In Symposium on Theory of Computing, STOC 2014, New
York, NY, USA, May 31 - June 03, 2014, pages 764–773, 2014.

[114] E. Sasoglu, E. Telatar, and E. Arikan. Polarization for arbitrary discrete memoryless chan-
nels. In 2009 IEEE Information Theory Workshop, pages 144–148, Oct 2009.

[115] Claude E. Shannon. A mathematical theory of communication. Bell System Technical

Journal, 27:379–423, 623–656, 1948.

[116] Victor Shoup. New algorithms for finding irreducible polynomials over finite fields. Math.
Comp., 54:435–447, 1990.

[117] Victor Shoup. A computational introduction to number theory and algebra. Cambridge
University Press, 2006.

[118] R. Singleton. Maximum distance q -nary codes. Information Theory, IEEE Transactions
on, 10(2):116 – 118, apr 1964.

[119] Michael Sipser. The history and status of the p versus np question. In Proceedings of the
Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC ’92, pages 603–
618, New York, NY, USA, 1992. ACM.

[120] Michael Sipser and Daniel Spielman. Expander codes. IEEE Transactions on Information
Theory, 42(6):1710–1722, 1996.

[121] Daniel A. Spielman. Linear-time encodable and decodable error-correcting codes. IEEE
Transactions on Information Theory, 42(6):1723–1731, 1996.

[122] Jacques Stern. Approximating the number of error locations within a constant ratio is
np-complete. In Gérard D. Cohen, Teo Mora, and Oscar Moreno, editors, Applied Algebra,
Algebraic Algorithms and Error-Correcting Codes, 10th International Symposium, AAECC-
10, San Juan de Puerto Rico, Puerto Rico, May 10-14, 1993, Proceedings, volume 673 of
Lecture Notes in Computer Science, pages 325–331. Springer, 1993.

[123] Douglas R. Stinson. Universal hashing and authentication codes. Des. Codes Cryptogra-
phy, 4(4):369–380, 1994.

[124] Madhu Sudan. Decoding of Reed Solomon codes beyond the error-correction bound. J.
Complexity, 13(1):180–193, 1997.

[125] Madhu Sudan. List decoding: Algorithms and applications. SIGACT News, 31:16–27, 2000.

[126] Ido Tal and Alexander Vardy. How to construct polar codes. IEEE Trans. Information
Theory, 59(10):6562–6582, 2013.

[127] Itzhak Tamo and Alexander Barg. A family of optimal locally recoverable codes. IEEE
Trans. Inf. Theory, 60(8):4661–4676, 2014.

419
[128] R. M. Tanner. A recursive approach to low complexity codes. IEEE Transactions on Infor-
mation Theory, 27(5):533–547, 1981.

[129] Robert Endre Tarjan. Algorithmic design. Commun. ACM, 30(3):204–212, 1987.

[130] Aimo Tietavainen. On the nonexistence theorems for perfect error-correcting codes.
SIAM Journal of Applied Mathematics, 24(1):88–96, 1973.

[131] Jacobus H. van Lint. Nonexistence theorems for perfect error-correcting codes. In Pro-
ceedings of the Symposium on Computers in Algebra and Number Theory, pages 89–95,
1970.

[132] Alexander Vardy. The intractability of computing the minimum distance of a code. IEEE
Trans. Information Theory, 43(6):1757–1766, 1997.

[133] R. R. Varshamov. Estimate of the number of signals in error correcting codes. Doklady
Akadamii Nauk, 117:739–741, 1957.

[134] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra. Cambridge
University Press, 3 edition, 2013.

[135] Lloyd R. Welch and Elwyn R. Berlekamp. Error correction of algebraic block codes. US
Patent Number 4,633,470, December 1986.

[136] John M. Wozencraft. List Decoding. Quarterly Progress Report, Research Laboratory of
Electronics, MIT, 48:90–95, 1958.

420
Appendix A

Notation Table

R The set of real numbers

Z The set of integers
¬E Negation of the event E
log x Logarithm to the base 2
Σm Vectors of length m with symbols from Σ
v A row vector
0 The all zero vector
ei The i th standard vector, i.e. 1 in position i and
0 everywhere else
vS Vector v projected down to indices in S
〈u, v〉 Inner-product of vectors u and v
[a, b] {x ∈ R|a ≤ x ≤ b}
[x] The set {1, . . . , x} Section 1.2
n Block length of a code Definition 1.2.1
Σ Alphabet of a code Definition 1.2.1
q q = |Σ| Definition 1.2.1
k Dimension of a code Definition 1.2.3
R Rate of a code Definition 1.2.4
∆(u, v) Hamming distance between u and v Definition 1.3.3
d Minimum distance of a code Definition 1.4.1
w t (v) Hamming weight of v Definition 1.5.1
B (x, r ) Hamming ball of radius r centered on x Definition 1.6.1
V ol q (r, n) Volume Hamming ball of radius r Definition 3.3.2
(n, k, d )Σ A code with block length n, dimension k, dis- Definition 1.7.1
tance d and alphabet Σ
(n, k, d )q A code with block length n, dimension k, dis- Definition 1.7.1
tance d and alphabet size q
[n, k, d ]q A linear (n, k, d )q code Definition 2.3.1
Fq The finite field with q elements (q is a prime Section 2.1
power)

421
F∗ The set of non-zero elements in the field F
Fm×N
q The set of all m × N matrices where each entry
is from Fq
Fq [X 1 , . . . , X m ] The set of all m-variate polynomials with coef-
ficients from Fq
R(C ) Rate of a code family C Definition 1.8.1
δ(C ) Relative distance of a code family C Definition 1.8.1
U The uniform distribution Definition 3.1.1
E[V ] Expectation of a random variable V Definition 3.1.2
1E Indicator variable for event E Section 3.1
H q (x) x logq (q − 1) − x logq x − (1 − x) logq (1 − x) Definition 3.3.1
H q−1 (y) Unique x ∈ [0, 1 − 1/q] such that H q (x) = y Section 3.3.2
deg(P ) Degree of polynomial P (X ) Definition 5.1.2
Fq [X ] The set of all univariate polynomials in X over Section 5.1
Fq
p
J (x) (1 − 1/q)(1 − 1 − q x/(q − 1)) Theorem 7.3.1
¡Sq¢
t {T ⊆ S||T | = t }
S̄ The complement set of S
M ⊙x Binary matrix-vector multiplication where
multiplication is AND and addition is OR
supp (X ) The support of a random variable X Definition E.1.2

422
Appendix B

Some Useful Facts

B.1 Some Useful Inequalities

Recall that the binomial coefficient for integers a ≤ b, defined as
à !
b b!
= .
a a!(b − a)!

We begin with a simple lower bound on the binomial coefficient:

Lemma B.1.1. For all integers 1 ≤ a ≤ b, we have

à ! µ ¶
b b a
≥ .
a a

Proof. The following sequence of relations completes the proof:

à ! µ ¶a
a Y b − i a−1
a−1 Yb b
= ≥ = .
b i =0 a − i i =0 a a

In the above, the first equality follows from definition and the inequality is true since b ≥ a and
i ≥ 0.

We state the next set of inequalities without proof (see [111] for a proof):

Lemma B.1.2 (Stirling’s Approximation). For every integer n ≥ 1, we have

p ³ n ´n p ³ n ´n
2πn e λ1 (n) < n! < 2πn e λ2 (n) ,
e e
where
1 1
λ1 (n) = and λ2 (n) = .
12n + 1 12n
We prove another inequality involving Binomial coefficient.

423
Lemma B.1.3. For all integers 1 ≤ a ≤ b, we have
à ! µ ¶
b eb a
≤ .
a a
Proof. First note that à !
b b(b − 1) · · · (b − a + 1) b a
= ≤ .
a a! a!
The final bound follows from the fact that
³ a ´a
a! > ,
e
which in turns follows from the following relationships:
aa X∞ ai
< = ea.
a! i =0 i !

We next state Bernoulli’s inequality:

Lemma B.1.4 (Bernoulli’s Inequality). For every real numbers k ≥ 1 and x ≥ −1, we have
(1 + x)k ≥ 1 + kx.
Proof Sketch. We only present the proof for integer k. For the full proof see e.g. [16].
For the base case of k = 1, the inequality holds trivially. Assume that the inequality holds
for some integer k ≥ 1 and to complete the proof, we will prove it for k + 1. Now consider the
following inequalities:
(1 + x)k+1 = (1 + x) · (1 + x)k
≥ (1 + x) · (1 + kx)
= 1 + (k + 1)x + kx 2
≥ 1 + (k + 1)x,
as desired. In the above, the first inequality follows from the inductive hypothesis and the sec-
ond inequality follows from the fact that k ≥ 1.
Lemma B.1.5. For |X | ≤ 1,
p x x2
1+x ≤ 1+ − .
2 16
Proof. Squaring the RHS we get
µ ¶2
x x2 x2 x4 x2 x3 3x 2 x 3 x4
1+ − = 1+ + +x − − = 1+x + − + ≥ 1 + x,
2 16 4 256 16 32 16 32 256
as desired.
We will also use the Cauchy-Schwartz inequality:
Lemma B.1.6. For any vector x, y ∈ Rn , we have
|〈x, z〉| ≤ kxk2 · kzk2 .

424
B.2 Some Useful Identities and Bounds
We start off with an equivalence between two inequalities.
a
Lemma B.2.1. Let a, b, c, d > 0. Then b ≤ dc if and only if a
a+b
c
≤ c+d .
a
Proof. Note that b ≤ dc if and only if
b d
≥ .
a c
The above is true if and only if
b d
+ 1 ≥ + 1,
a c
a c
which is same as a+b ≤ c+d .

Next, we state some infinite sums that are identical to certain logarithms (the proofs are
standard and are omitted).

Lemma B.2.2. For |x| < 1,

x2 x3
ln(1 + x) = x − + −··· .
2! 3!
We can use the above to prove some bounds on ln(1 + x) (we omit the proof):

Lemma B.2.3. For 0 ≤ x < 1, we have

x − x 2 /2 ≤ ln(1 + x) ≤ x,

and for 0 ≤ x ≤ 1/2, we have

−x − x 2 ≤ ln(1 − x) ≤ −x.

We can use the above bounds to further prove boounds on the (binary) entropy function:

Lemma B.2.4. For x ≤ 1/4, we have

1 − 5x 2 ≤ H (1/2 − x) ≤ 1 − x 2 .

Proof. By definition H (1/2 − x) = 1 − 1/2 log(1 − 4x 2 ) + x log(1 − 2x)/(1 + 2x), and using the ap-
proximations for ln(1 + x) from Lemma B.2.3, we have, for x < 1/4,
1 1 1
H (1/2 − x) ≤ 1 + · (4x 2 + 16x 4 ) + · (−2x 2 ) − · (2x 2 − 2x 3 )
2 ln 2 ln 2 ln 2
2 2 2 3 8 4
= 1− ·x + ·x + ·x
ln 2 ln 2 ln 2
x2
≤ 1− (B.1)
ln 2
≤ 1 − x 2.

In the above, (B.1) follows by using our assumption that x ≤ 1/4.

425
 Using the other sides of the approximations we also have:

1 1 1
H (1/2 − x) ≥ 1 + · (4x 2 ) + · (−2x 2 − 4x 3 ) − · (2x 2 )
2 ln 2 ln 2 ln 2
3x 2
≥ 1−
ln 2
≥ 1 − 5x 2 ,

where the second inequality uses our assumption that x ≤ 1/4.

The following fact follows from the well-known fact that limx→∞ (1 + 1/x)x = e:

Lemma B.2.5. For every real x > 0, µ ¶

1 x
1+ ≤ e.
x

426
Appendix C

Background on Asymptotic notation,

Algorithms and Complexity

In this chapter, we collect relevant background on algorithms and their analysis (as well as their
limitations). We begin with notation that we will use to bound various quantities when we do
not pay close attention to the constants.

C.1 Asymptotic Notation

Throughout the book, we will encounter situations where we would be interested in how a func-
tion f (N ) grows as the input parameter N grows. (We will assume that the real valued function
f is monotone.) The most common such situation is when we would like to bound the run-
time of an algorithm we are analyzing– we will consider this situation in some detail shortly. In
particular, we will interested in bounds on f (N ) that are “oblivious" to constants. E.g. given
that an algorithm takes 24N 2 + 100N steps to terminate, we would be interested in the fact that
the dominating term is the N 2 (for large enough N ). Technically, speaking we are interested in
the asymptotic growth of f (N ). Throughout this chapter, we will assume that all functions are
monotone.
The first definition is when we are interested in an upper bound on the function f (N ). When
talking about numbers, we say b is an upper bound on a if a ≤ b. We will consider a similar
definition for functions that in some sense ignores constants.

Definition C.1.1. We say f (N ) is O(g (N )) (to be read as f (N ) is “Big-Oh" of g (N )) if there exists

constants c, N0 ≥ 0 that are independent of N such that for every large enough N ≥ N0 :

f (N ) ≤ c · g (N ).

Alternatively f (N ) is O(g (N )) if and only if

f (N )
lim ≤ C,
N →∞ g (N )

427
for some absolute constant C . (See Exercise C.1.) So for example both 24N 2 +100N and N 2 /2−N
are O(N 2 ) as well as O(N 3 ). However, neither of them are O(N ) or O(N 3/2 ).
The second definition is when we are interested in a lower bound on the function f (N ).
When talking about numbers, we say b is a lower bound on a if a ≥ b. We will consider a similar
definition for functions that in some sense ignores constants.
Definition C.1.2. We say f (N ) is Ω(g (N )) (to be read as f (N ) is “Big-Omega" of g (N )) if there
exists constants ε, N0 ≥ 0 that are independent of n such that for every large enough N ≥ N0 :

f (N ) ≥ ε · g (N ).

Alternatively f (N ) is Ω(g (N )) if and only if

f (N )
lim ≥ C,
N →∞ g (N )

for some absolute constant C . (See Exercise C.2.) So for example both 24N 2 +100N and N 2 /2−N
are Ω(N 2 ) as well as Ω(N 3/2 ). However, neither of them are Ω(N 3 ) or Ω(N 5/2 ).
The third definition is when we are interested in a tight bound on the function f (N ). When
talking about numbers, we say b is same as a if a = b. We will consider a similar definition for
functions that in some sense ignores constants.
Definition C.1.3. We say f (N ) is Θ(g (N )) (to be read as f (N ) is “Theta" of g (N )) if and only if
f (N ) is O(g (N )) and is also Ω(g (N )).
Alternatively f (N ) is Θ(g (N )) if and only if
f (N )
lim = C,
N →∞ g (N )

for some absolute constant C . (See Exercise C.3.) So for example both 24N 2 +100N and N 2 /2−N
are Θ(N 2 ). However, neither of them are Θ(N 3 ) or Θ(N ).
The fourth definition is when we are interested in a strict upper bound on the function f (N ).
When talking about numbers, we say b is a strict upper bound on a if a < b. We will consider a
similar definition for functions that in some sense ignores constants.
Definition C.1.4. We say f (N ) is o(g (N )) (to be read as f (N ) is “little-oh" of g (N )) if f (N ) is
O(g (N )) but f (N ) is not Ω(g (N )).
Alternatively f (N ) is o(g (N )) if and only if
f (N )
lim = 0.
N →∞ g (N )

(See Exercise C.4.) So for example both 24N 2 + 100N and N 2 /2 − N are o(N 3 ) as well as o(N 5/2 ).
However, neither of them are o(N 2 ) or o(N 3/2 ).
The final definition is when we are interested in a strict lower bound on the function f (N ).
When talking about numbers, we say b is a strict lower bound on a if a > b. We will consider a
similar definition for functions that in some sense ignores constants.

428
Definition C.1.5. We say f (N ) is ω(g (N )) (to be read as f (N ) is “little-omega" of g (N )) if f (N ) is
Ω(g (N )) but f (N ) is not O(g (N )).

Alternatively f (N ) is ω(g (N )) if and only if

f (N )
lim = ∞.
N →∞ g (N )

(See Exercise C.5.) So for example both 24N 2 + 100N and N 2 /2 − N are ω(N ) as well as ω(N 3/2 ).
However, neither of them are ω(N 2 ) or ω(N 5/2 ).

C.1.1 Some Properties

We now collect some properties of asymptotic notation that we will be useful in this book.
First all the notations are transitive:

Lemma C.1.6. Let α ∈ {O, Ω, Θ, o, ω}. Then if f (N ) is α(g (N )) and g (N ) is α(h(N )), then f (N ) is
α(h(N )).

Second, all the notations are additive:

Lemma C.1.7. Let α ∈ {O, Ω, Θ, o, ω}. Then if f (N ) is α(h(N )) and g (N ) is α(h(N )), then f (N ) +
g (N ) is α(h(N )).

Finally, all the notations are multiplicative:

Lemma C.1.8. Let α ∈ {O, Ω, Θ, o, ω}. Then if f (N ) is α(h 1 (N )) and g (N ) is α(h 2 (N )), then f (N ) ·
g (N ) is α(h 1 (N ) · h 2 (N )).

The proofs of the above properties are left as an exercise (see Exercise C.6).

C.2 Bounding Algorithm run time

Let A be the algorithm we are trying to analyze. Then we will define T (N ) to be the worst-case
run-time of A over all inputs of size N . Slightly more formally, let t A (x) be the number of steps
taken by the algorithm A on input x. Then

T (N ) = max t A (x). (C.1)

x:x is of size N

In this section, we present two useful strategies to prove statements like T (N ) is O(g (N ))
or T (N ) is Ω(h(N )). Then we will analyze the run time of a very simple algorithm. However,
before that we digress to clarify the following: (i) For most of the book, we will be interested in
deterministic algorithms (i.e. algorithm whose execution is fixed given the input). However, we
will consider randomized algorithms (see Section C.3 for more on this). (ii) One needs to clarify
what constitutes a “step" in the definition of T (N ) above. We do so next.

429
C.2.1 RAM model
In this book, unless specified otherwise we will assume that the algorithms run on the RAM
model. Informally, this computation model is defined as follows. For an input with n items, the
memory consists of registers with O(log n) bits. For simplicity, we can assume that the input and
output have separate dedicated registers. Note that the input will have n dedicated registers.
Any (atomic) step an algorithm can take are essentially any basic operations on constant
such registers which can be implemented in O(log n) bit operations. In particular, the following
operations are considered to take one step: loading O(log n) from a register or storing O(log n)
bits in a register, initializing the contents of a register, bit-wise operations among registers, e.g.
taking bit-wise XOR of the bits of two registers, adding numbers stored in two registers, incre-
menting the value stored in a register, comparing the values stored in two registers. Some exam-
ples of operations that are not single step operations: multiplying numbers or exponentiation
(where the operands fit into one register each).

C.2.2 Proving T (N ) is O( f (N ))
We start off with an analogy. Say you wanted prove that given m numbers a 1 , . . . , a m , maxi a i ≤
U . Then how would you go about doing so? One way is to argue that the maximum value
is attained at i ∗ and then show that a i ∗ ≤ U . Now this is a perfectly valid way to prove the
inequality we are after but note that you will also have to prove that the maximum value is
attained at i ∗ . Generally, this is a non-trivial task. However, consider the following strategy:

Show that for every 1 ≤ i ≤ m, a i ≤ U . Then conclude that maxi a i ≤ U .

Let us consider an example to illustrate the two strategies above. Let us say for whatever rea-
son we are interested in showing that the age of the oldest person in your coding theory lectures
is at most 100. Assume there are 98 students registered and the instructor is always present in
class. This implies that there are at most m = 99 folks in the class. Let us order them somehow
and let a i denote the age of the i ’th person. Then we want to show that max{a 1 , . . . , a 99 } ≤ 100
(i.e. U = 100). The first strategy above would be to first figure out who is the oldest person in
room: say that is the i ∗ ’th person (where 1 ≤ i ∗ ≤ 99) and then check if a i ∗ ≤ 100. However, this
strategy is somewhat invasive: e.g. the oldest person might not want to reveal that he or she
is the oldest person in the room. This is where the second strategy works better: we ask every
person in the room if their age is ≤ 100: i.e. we check if for every 1 ≤ i ≤ 99, a i ≤ 100. If everyone
says yes, then we have proved that maxi a i ≤ 100 (without necessarily revealing the identity of
the oldest person).
Mathematically the above two strategies are the same. However, in "practice," using the
second strategy turns out to be much easier. (E.g. this was true in the age example above.)
Thus, here is the strategy to prove that T (N ) is O( f (N )):

For every large enough N , show that for every input x of size N , t A (x) is O( f (N )).
Then conclude that T (N ) is O( f (N )).

430
C.2.3 Proving T (N ) is Ω( f (N ))
We start off with the same analogy as in the previous section. Say you wanted prove that given
m numbers a 1 , . . . , a m , maxi a i ≥ L. Then how would you go about doing so? Again, one way
is to argue that the maximum value is attained at i ∗ and then show that a i ∗ ≥ L. Now this is a
perfectly valid way to prove the inequality we are after but note that you will also have to prove
that the maximum value is attained at i ∗ . Generally, this is a non-trivial task. However, consider
the following strategy:

Show that there exists an 1 ≤ i ≤ m, such that a i ≥ L. Then conclude that maxi a i ≥
L.

Let us go back to the class room example. Now let us say we are interesting in proving that
the oldest person in the room is at least 25 years old. (So a 1 , . . . , a m is as in Section C.2.2 but now
L = 25.) Again, the first strategy would be to first figure out the oldest person, say i ∗ and check
if a i ∗ ≥ 25. However, as we saw in Section C.2.2, this strategy is somewhat invasive. However,
consider the the following implementation of the second strategy above. Say for the sake of
mathematics, the instructor comes forward and volunteers the information that her age is at
least 25. Since the oldest person’s age has to be at least the instructor’s age, this proves that
maxi a i ≥ 25, as desired.
Mathematically the above two strategies are the same. However, in "practice," using the
strategy second turns out to be much easier. (E.g., this was true in the age example above.)
Thus, here is the strategy to prove that T (N ) is Ω( f (N )):

For every large enough N , show that there exists an input x of size N , t A (x) is
Ω( f (N )). Then conclude that T (N ) is Ω( f (N )).

C.2.4 An Example
Now let us use all the strategies from Section C.2.2 and Section C.2.3 to asymptotically bound
the run-time of a simple algorithm. Consider the following simple problem: given n+1 numbers
a 1 , . . . , a n ; v, we should output 1 ≤ i ≤ n if a i = v (if there are multiple such i ’s then output any
one of them) else output −1. Below is a simple algorithm to solve this problem.

Algorithm 44 Simple Search

I NPUT: a 1 , . . . , a n ; v
O UTPUT: i if a i = v; −1 otherwise

1: FOR every 1 ≤ i ≤ n DO
2: a i = v THEN RETURN i
IF
3: RETURN −1

We will show the following:

Theorem C.2.1. The Simple Search algorithm 44 has a run time of Θ(n).

431
 We will prove Theorem C.2.1 by proving Lemmas C.2.2 and C.2.3.

Lemma C.2.2. T (n) for Algorithm 44 is O(n).

Proof. We will use the strategy outlined in Section C.2.2. Let a 1 , . . . , a n ; v be an arbitrary input.
Then first note that there are at most n iterations of the for loop in Step 1. Further, each iteration
of the for loop (i.e. Step 2) can be implemented in O(1) time (since it involves one comparison
and a potential return of the output value). Thus, by Lemma C.1.8, the total times taken overall
in Steps 1 and 2 is given by
T12 ≤ O(n · 1) = O(n).
Further, since Step 3 is a simple return statement, it takes time T3 = O(1) time. Thus, we have
that
t Algorithm 44 (a 1 , . . . , a n ; v) = T12 + T3 ≤ O(n) + O(1) ≤ O(n),
where the last inequality follows from Lemma C.1.7 and the fact that O(1) is also O(n). Since the
choice of a 1 , . . . , a n ; v was arbitrary, the proof is complete.

Lemma C.2.3. T (n) for Algorithm 44 is Ω(n).

Proof. We will follow the strategy laid out in Section C.2.3. For every n ≥ 1, consider the specific
input a i′ = n+1−i (for every 1 ≤ i ≤ n) and v ′ = 1. For this specific input, it can be easily checked
that the condition in Step 2 is only satisfied when i = n. In other words, the for loop runs at least
(actually exactly) n times. Further, each iteration of this loop (i.e. Step 2) has to perform at least
one comparison, which means that this step takes Ω(1) time. Since n is Ω(n), by Lemma C.1.8
(using notation from the proof of Lemma C.2.2), we have

T12 ≥ Ω(n · 1) = Ω(n).

Thus, we have
t Algorithm 44 (a 1′ , . . . , a n′ ; v ′ ) ≥ T12 ≥ Ω(n).
Since we have shown the existence of one input for each n ≥ 1 for which the run-time is Ω(n),
the proof is complete.

A quick remark on the proof of Lemma C.2.3. Since by Section C.2.3, we only need to exhibit
only one input with runtime Ω(n), the input instance in the proof of Lemma C.2.3 is only one
possibility. One can choose other instances: e.g. we can choose an instance where the output
has to be −1 (as a specific instance consider a i = i and v = 0). For this instance one can make a
similar argument as in the proof of Lemma C.2.3 to show that T (n) ≥ Ω(n).

C.2.5 The Best-Case Input “Trap"

We now briefly talk about a common mistake that is made when one starts trying to prove Ω(·)
on T (N ). Note that in Section C.2.3, it says that one can prove that T (N ) to be Ω( f (N )) for
every large enough N , one only needs to pick one input of size N for which the algorithm takes
Ω( f (N )) steps.

432
 The confusing part about the strategy in Section C.2.3 is how does one get a hand on that
special input that will prove the Ω( f (N )) bound. There is no mechanical way of finding this
input. Generally, speaking you have to look at the algorithm and get a feel for what input might
force the algorithm to spend a lot of time. Sometimes, the analysis of the O(·) bound itself gives
gives us a clue.
However, one way of picking the “special" input that almost always never works in practice
is to consider (for every large enough N ), the “best-case input," i.e. an input of size N on which
the algorithm runs very fast. Now such an input will give you a valid lower bound but it would
almost never give you a tight lower bound.
So for example, let us try to prove Lemma C.2.3 using the best case input. Here is one best
case input: a i = i for every i ∈ [n] and v = 1. Note that in this case the algorithm finds a match
in the first iteration and this terminates in constant many steps. Thus, this will prove an Ω(1)
lower bound but that is not tight/good enough.
Another common mistake is to make an argument for a fixed value of N (say N = 1). How-
ever, note that in this case one can never prove a bound better than Ω(1) and again, this trick
never works in proving any meaningful lower bound.

C.3 Randomized Algorithms

So far the algorithms we have considered are deterministic, i.e. these are algorithm whose be-
havior is completely determined once the input is fixed. We now consider a generalization of
such algorithms to algorithms that have access to random bits. In particular, even when the
input is fixed, the behavior of the algorithm might change depending on the actual value of the
random bits.1 For the machine model, it is easy to modify the RAM model from Section C.2.1
to handle randomized algorithms: we can always load a register with independent and uniform
random bits in one step.
Typically one considers randomized algorithms due to the following reasons:

• For some problems, it is easier to think of a randomized algorithm. Once one has de-
signed a randomized algorithm, one could then attempt to “derandomize" the random-
ized algorithm to construct deterministic algorithms.

• In addition to conceptual simplicity, a randomized algorithm might run faster than all
corresponding known deterministic algorithms.

• For certain problems, it might be provably impossible to design deterministic algorithms

with certain guarantees but it is possible to design randomized algorithms with such guar-
antees. This is a common situation when we might be interested in algorithms that run
in sub-linear time.
1
There are many fundamental and interesting questions regarding how truly random these random bits are and
how many such bits can an algorithm access. We will consider the ideal case, where an algorithm has access to as
many uniform and independent random bits as it wants.

433
In this section, we will consider a problem where the third scenario above is applicable. For
examples of the first and second scenarios, see Sections 13.3 and D.6 respectively.
Before delving into an example problem, we would like to clarify how we determine the
run time and correctness of a randomized algorithm. There are multiple natural definitions
but we will consider the following ones. The run time of a randomized algorithm will again
be the worst-case run time as we defined for deterministic algorithms in Section C.2 for every
possible choice of internal random bits that the algorithm might use (with the modification to
the RAM model as discussed above). For correctness, the definition for deterministic algorithm
was obvious so we did not explicitly state it: for every input, a deterministic algorithm must
return the correct output. We call a randomized algorithm correct if on all its inputs, it returns
the correct answer with probability bounded away from a 1/2– to be precise let us say it has to
return the correct output with probability at least 2/3.2
We would like to remark on a subtle point in the definition above. In the definition of the
correctness of a randomized algorithm above, the probability is taken over the random coin
tosses that the algorithm might make. However, note that the guarantee is of the worst-case
flavor in the sense that the algorithm has to be correct with high probability for every input.
This should be contrasted with a scenario where the input might itself be random in which case
we might be happy with an average case guarantee where the algorithm is supposed to return
the correct output with high probability (over the distribution over the input). In particular, the
algorithm is allowed to err on certain inputs as long as the total probability mass on the inputs
on which it is incorrect is small: see Chapter 6 where this definition of correctness makes perfect
sense. In such situations one can always assume that the algorithm itself is deterministic (see
Exercise C.9).

C.3.1 An example problem

In the rest of the section, we will consider the following problem and will attempt to design
(deterministic and randomized) algorithms with an eye to illustrate various points that were
raised when we defined randomized algorithms.

Given a vector x ∈ {0, 1}n determine whether w t (x) ≤ n3 or w t (x) ≥ 2n

3 . For the cases
where w t (x) ∈ (n/2, 2n/3) the algorithm can have arbitrary behavior.3

We will refer to the above as the G AP H AMMING problem.

It is easy to design an O(n) time deterministic algorithm to solve G AP H AMMING: In O(n)
one can compute w t (x) and then in O(1) time one can verify if w t (x) ≤ n/3 or w t (x) ≥ 2n/3. In
addition one can show that any correct deterministic algorithm will need a run time of Ω(n):
see Exercise C.10.
We will now design a randomized algorithm that solves G AP H AMMING problem. Recall that
we only need to determine if w t (x) ≤ n/3 or w t (x) ≥ 2n/3 (note that we assumed we do not get
2
The choice of 2/3 was arbitrary: see Exercise C.8.
3
Or equivalently one can assume that the algorithm is given the promise that it will never encounter an input x
with w t (x) ∈ (n/3, 2n/3).

434
inputs with Hamming weight in (n/3, 2n/2)) with high probability. We will present what is called
a sampling algorithm for this task. To gain intuition, pick a random index i ∈ [n]. Note that then
x i is a random bit. Further, if w t (x) ≤ n/3, then Pri [x i = 1] ≤ 1/3. On the other hand, if w t (x) ≥
2n/3, then the probability is at least 2/3. Thus, if we take s samples, with high probability in the
first case we expect to see less than s/3 ones and in the second case we expect to see at least
2s/3 ones. To get a constant probability of success we will invoke Chernoff bound to bound
the probability of seeing more ones in the first case than the second case. Algorithm 45 for the
details.

Algorithm 45 Sampling algorithm for G AP H AMMING

I NPUT: x ∈ {0, 1}n
O UTPUT: 0 if w t (x) ≤ n/3 and 1 if w t (x) ≥ 2n/3 with probability at least 1 − ε

1: s ← 98 · ln(1/ε)
2: C ← 0
3: FOR j ∈ [s] DO
4: Pick i to be a random index from [n] ⊲ The choice of i is independent for each j
5: C ← C + xi
6: IF C < s/2 THEN
7: RETURN 0
8: RETURN 1

It can be checked that Algorithm 45 runs in time O(log(1/ε)): see Exercise C.11. Next we
argue that the algorithm is correct with probability at least 1 − ε.

Lemma C.3.1. Algorithm 45 outputs the correct answer with probability at least 1 − ε for every x
(such that w t (x) 6∈ (n/3, 2n/3)).

Proof. We will prove the lemma for the case when w t (x) ≤ n/3 and leave the other case to Exer-
cise C.12.
Fix an arbitrary input x such that w t (x) ≤ n/3. We will argue that at Step 6, we have
h s si
Pr C ≥ + ≤ ε. (C.2)
3 7
Note that the above is enough to prove that the algorithm will output 0, as desired.
Towards that end for every j ∈ [s], let Y j be the random bit x i that is picked. Note that C =
Ps
j =1 Y j . Since each of the Y j ’s are independent binary random variables, the additive Chernoff
bound (Theorem 3.1.10) implies that
h si − s
Pr C > E[C ] + ≤ e 72 ·2 ≤ ε,
7
where the last inequality follows from our choice of s. As observed earlier for any j , Pr[Y j = 1] ≤
1/3, which implies that E[C ] ≤ s/3, which with the above bound implies (C.2), as desired.

435
 Finally, we consider the average-case version of the G AP H AMMING problem. Our goal is
to illustrate the difference between randomized algorithms and average-case algorithms that
was alluded to earlier in this section. Recall that in the G AP H AMMING problem, we are trying to
distinguish between two classes of inputs: one with Hamming weight at most n/3 and the other
with Hamming weight at least 2n/3. We now consider the following natural version where the
inputs themselves comes from two distributions and our goal is to distinguish between the two
cases.

Let Dp denote the distribution on {0, 1}n , where each bit is picked independently
with probability 0 ≤ p ≤ 1. Given an x ∈ {0, 1}n sampled from either D 1 or D 2 , we
3 3
need to figure out which distribution x is sampled from.

The intuition for an algorithm that is correct with high probability (over the corresponding
distributions) is same as Algorithm 45, so we directly present the the algorithm for the new
version of the problem above.

Algorithm 46 An average-case algorithm for G AP H AMMING

I NPUT: x ∈ {0, 1}n sampled from either D 1 or D 2
3 3
O UTPUT: 0 if x was sampled from D 1 and 1 otherwise with probability at least 1 − ε
3

1: s ← 98 · ln(1/ε)
2: C ← 0
3: FOR j ∈ [s] DO
4: C ← C + xj
5: IF C < s/2 THEN
6: RETURN 0
7: RETURN 1

Note that unlike Algorithm 45, Algorithm 46 is a deterministic algorithm and the algorithm
might make an incorrect decision on certain specific inputs x that it receives.
Using pretty much the same analysis as in the proof of Lemma C.3.1, one can argue that:

Lemma C.3.2. Let x be a random sample from D 1 (D 2 resp.). Then with probability at least 1 − ε
3 3
(over the choice of x), Algorithm 46 outputs 0 (1 resp.)

(See Exercise C.13 for a proof.)

C.4 Efficient Algorithms

A major focus of this book is to design algorithms that are efficient. A somewhat smaller focus is
to argue that for certain problems efficient algorithms do not exists (maybe with a well accepted
assumption that certain computational tasks are hard to accomplish efficiently). In this section,
we first begin with the notion of efficient algorithms that will be standard for this book and then

436
present a peek into how one might argue that a computational task is hard. To illustrate various
concepts we will focus on the following problem:

Definition C.4.1. Given n linear equations over k variables (all over F2 : i.e. all the variables are
in {0, 1} and all arithmetic operations are over the binary field 4 F2 ) and an integer 0 ≤ s ≤ n, we
want to find a solution to the systems of equations that satisfies at least s out of the n equations.
We will denote this problem as M AX L INEAR E Q (k, n, s). We will drop the arguments when we want
to talk about the problem in general.

We choose the non-standard notation of k for number of variables and n for number of
equations as they correspond better to problems in coding theory that we would be interested
in.
An overwhelming majority of the algorithmic problems considered in this book will have
the following property: there are exponentially many possible solutions and we are interested
in a solution (or solutions) that satisfy a certain objective. For example, in the M AX L INEAR E Q
problem, there are 2k possible solutions and we are interested in a solution that satisfies at least
s many linear equations. Note that such problems have a very natural exponential time algo-
rithm: generate all (the exponentially many) potential solutions and check if the current poten-
tial solution satisfy the objective. If it does, then the algorithm stops. Otherwise the algorithm
continues to the next solution. For example, Algorithm 47 instantiates this general algorithm
for the M AX L INEAR E Q problem.

Algorithm 47 Exponential time algorithm for M AX L INEAR E Q

I NPUT: n linear equations over k variables and an integer 0 ≤ s ≤ n
O UTPUT: A solution in {0, 1}k that satisfies at least s of the equations or fail if none exists

1: FOR every x ∈ {0, 1}k DO

2: Let t be the number of equations the solution x satisfies
3: IF t ≥ s THEN
4: RETURN x
5: RETURN fail
¡ ¢
It is not too hard to argue that Algorithm 47 runs in time O kn2k (see Exercise C.14). We
point out two things that will expand into more detailed discussion on what is an efficient algo-
rithm (and what is not):

1. A run time of Ω(2k ) is not efficient for even moderate values of k: indeed for k = 100, the
number of steps of the algorithm exceeds the number of particles in the universe.

2. In the generic exponential time algorithm mentioned earlier, we made the implicit as-
sumption that given a potential solution we can “quickly" verify if the potential solution
satisfies the objective or not.
4
In other words, addition is XOR and multiplication is AND.

437
 Notwithstanding the fact that an exponential run time can become infeasible for moderate
input size, one might think that one cannot do better than Algorithm 47 to solve the M AX L IN -
EAR E Q problem. In particular, the lack of any extra information other than the fact that we have
a system of linear equations on our hands seems to make the possibility of coming up with a
faster algorithm slim. However, looks can sometimes be deceptive, as we will see shortly.
Consider the special case of the M AX L INEAR E Q problem: M AX L INEAR E Q(k, n, n). In other
words, we want to see if there exists a solution x ∈ {0, 1}n that satisfies all the equations. Not
only is this is an interesting special case but it is also relevant to this book since this setting
corresponds to the error detection problem (Definition 1.3.6) for linear codes (Chapter 2)– see
Exercise C.15. It turns out this special setting of parameters makes the problem easy: one can
use Gaussian elimination to solve this problem in time O(kn 2 ) (see Exercise C.16). For the case
of k = Θ(n) (which would be the most important parameter regime for this book), this cubic
run time is much faster than the exponential time Algorithm 47. In particular, any run time
of the form O(n c ) for some fixed constant c would be much faster than the 2Ω(n) run time of
Algorithm 47 (for large enough n). Note that the appealing aspect of a run time of the form
O(n c ) is that when the input size doubles, the run time only increases by a constant (though
clearly we might be pushing the boundary of a practical definition of a constant for moderately
large values of c) as opposed to the exponential run time, where the run time on the new input
size is quadratic in the old run time.
In theoretical computer science, the notion of an efficient algorithm is one that runs in time
O(N c ) on inputs of size N for some fixed constant c ≥ 0: such algorithms are said to have poly-
nomial run time. In particular, a problem is said to be in the complexity class P if it admits
a polynomial time algorithm5 . While one might debate the definition of P as capturing algo-
rithms that are efficient in practice, it clearly seems to capture the difference between problems
that “need" exponential time algorithms and problems that have some inherent structure that
allows much faster algorithmic solutions (in this case polynomial time algorithm).

C.4.1 Computational Intractability

So far we have talked mainly about problems that admit efficient algorithms. We now consider
the issue of how we talk about a problem being hard: e.g. can we somehow formally argue that
a certain problem cannot admit efficient solutions? In particular, are there problems where the
generic exponential time algorithm discussed earlier is the best possible? To be more precise,
let us consider problems where given a potential solution one can in polynomial time deter-
mine whether the solution satisfies the objective or not. We call the class of such problems as
NP.6 For example, M AX L INEAR E Q(k, n, s) is such a problem because given a potential solution
x, one can in time O(kn) verify whether it satisfies at least s out of the n solutions– see Exer-
cise C.17 and hence M AX L INEAR E Q ∈ NP. Like the earlier special case of M AX L INEAR E Q(k, n, n),

5
The technical definition of P is a bit more nuanced: in particular it only considers problems with a binary
output but we will ignore this technical issue in this book.
6
Again for the technical definition we need to only consider problems with binary output but we will ignore this
technicality.

438
the more general problem M AX L INEAR E Q(k, n, s) for s < n is also interesting from a coding the-
ory perspective: see Exercise C.18.
Thus, the question of whether there exists a problem where the earlier exponential time
algorithm is the best possible is essentially the same as showing P 6= NP (see Exercise C.19).
While we are nowhere close to answer this fundamental question, we do know a way to identify
the “core" of hard problems in NP. Such problems (called NP-complete problems) have the
property that if any of them do not have a polynomial time algorithms then none of them do.
(Conversely if any of them do have a polynomial time algorithm then P = NP.) Note that this
implies if one assumes that P 6= NP, then these NP-complete problems are hard problems since
they are not in P (which we consider to be the class of “easy" problems).
At first blush, one might wonder how one would go about proving that such problems exist.
Proving the existence of such a problem is out of the scope of the book. However, we do want to
give an overview of how given one such specific problem that is NP-complete one might argue
that another problem is also NP-complete. The way to show such a result is to reduce the known
NP-complete problem (let us call this problem P 1 ) to the other problem (let us call this problem
P 2 ). Without going into the technical definition of a reduction, we present an informal defini-
tion, which would be sufficient for our purposes. A reduction is a polynomial time algorithm
(let us call it A1 ) that given an arbitrary instance x1 of P 1 can produce in polynomial time an-
other instance x2 but this time for the problem P 2 such that given the answer for problem P 2 on
x2 , one can in polynomial time exactly determine the answer of P 1 on x1 (by another algorithm,
which let us call A2 ). There are two (equivalent) ways to think about such a reduction:
1. A reduction implies that to solve P 1 in polynomial time, it is enough to “only" solve some
subset of instances for problem P 2 (in particular, those inputs for P 2 that are generated by
A1 on all possible input instances of P 1 ). In other words, P 2 is “harder" to solve than P 1 .
Since the problem P 1 is a hard problem, P 2 is also a hard problem.

2. Let us for the sake of contradiction assume that there exists a polynomial time algorithm
A3 that solves P 2 on all instances (i.e. P 2 is easy). Then one can construct a polynomial
time algorithm to solve P 1 as follows. Given an arbitrary input x1 for P 1 , first use A1 to
generate an input x2 for P 2 . Then use A3 to solve P 2 on x2 and then convert the answer of
P 2 on x2 to the answer of P 1 on x1 by using A2 . Note that this is a polynomial time algo-
rithm and is a correct algorithm. Thus, we have proved that P 1 is easy, which contradicts
our assumption that P 1 is hard.
To make the concept of reduction a bit less abstract we outline a reduction from a known
NP-complete problem to our M AX L INEAR E Q problem.7 In particular, the following problem is
known to be NP-complete
Definition C.4.2. Given a graph G = (V, E ) with |V | = k and |E | = n and an integer 0 ≤ s ≤ n,
does there exist a cut of size at least s. In other words, does there exist a subset S ⊂ V such that
the number of edges with one end point in S and the other in V \ is at least s? We will call this the
M AXC UT(k, n, s) problem.
7
We assume that the reader is familiar with the mathematical concept of graphs, where we do not mean graphs
in the sense of plots.

439
 Algorithm 48 is the algorithm A1 of the reduction from M AXC UT(k, n, s) to M AX L INEAR E Q(k, n, s).

Algorithm 48 Reduction from M AXC UT to M AX L INEAR E Q

I NPUT: An instance for M AXC UT(k, n, s): a graph G and an integer s
O UTPUT: An instance of M AX L INEAR E Q(k ′ , n ′ , s ′ )

1: k ′ ← k, n ′ ← n, s ′ ← s
2: FOR every vertex i ∈ V DO
3: Add a variable x i to the set of variables
4: FOR every edge (i , j ) ∈ E DO
5: Add a linear equation x i + x j = 1 to the system of equation

Further, the algorithm A2 is simple: given a solution (x 1 , . . . , x k ) to the instance for M AX L INEAR E Q(k, n, s)
problem, consider the cut S = {i ∈ V |x i = 1}. It can be checked that this algorithm and Algo-
rithm 48 forms a valid reduction. (See Exercise C.20.)

C.5 More on intractability

In this section, we formally define some of the notions we defined informally in Section C.4.1.
This section is by design terse and is not meant as a substitute for a more formal exposition of
computational complexity.
We begin with the specific kind of problem that we need to work with when arguing that
certain computational tasks as hard. The most basic notion of a problem is one with a binary
output:

Definition C.5.1 (Decision Problem). Without loss of generality, the input to a decision problem
x ∈ Σ∗ , where Σ∗ refers to the set of all strings (including the empty string) over the alphabet Σ.
Then a problem is defined by a subset L ⊆ Σ∗ . If x ∈ L, then we say that x is an Y ES instance/input;
otherwise we say it is a N O instance/input. We will sometimes use L to denote the problem as well.
We say an algorithm A solves the problem L if for every input x ∈ Σ∗ , we have that
(
Y ES if x ∈ L
A (x) = .
NO if x 6∈ L

Note that the M AXC UT problem from Definition C.4.2 is a decision problem. We will define
our ‘hard’ problems to be decision problems.
We will also need to handle a variant of decision problems.

Definition C.5.2 (Promise Problem). A promise problem is defined by a pair of two disjoint non-
empty subsets Y , N ⊂ Σ∗ such that all x ∈ Y are the Y ES instances and all x ∈ N are the N O
instances. We will refer to the problem by the pair (Y , N ).

440
 We say an algorithm A solves the promise problem (defined by Y and N ) if for every input
x ∈ Y ∪ N , we have that (
Y ES if x ∈ Y
A (x) = .
N O if x ∈ N
Note that there are no constraints on how A behaves on inputs in Σ∗ \ (Y ∪ N )
It is easy to see that a decision problem (as defined in Definition C.5.1) is a special case of a
promise problem (see Exercise C.21). Promise problems will be used to define ‘hard’ problems
when we need to argue that a computational problem cannot be solved even approximately.
We are now ready to define the classes P and NP (as well as their promise versions promise − P
and promise − NP).
Definition C.5.3 (P and promise − P). We say that a problem L is in P (a promise problem (Y , N )
is in the class promise − P respectively) if there exists a polynomial time algorithm that solves the
problem L (the problem (Y , N ) respectively).
Definition C.5.4 (NP and promise − NP). We say that a problem L is in NP (a promise problem
(Y , N ) is in the class promise − NP respectively) if there exists a polynomial time verification al-
gorithm R with the following properties:
• If x ∈ L (x ∈ Y resp.), then there exists another string y (that can be polynomially larger than
x) such that R(x, y) returns Y ES;

• If x 6∈ L (x 6∈ N resp.), then for every string y (that is polynomially larger than x), we have
that R(x, y) returns N O
We first note the following inclusion (see Exercise C.22):
Proposition C.5.5. Prove that P ⊆ NP and promise − P ⊆ promise − NP.
Next, we formally define a notion of a reduction.
Definition C.5.6 (Polynomial time reduction). We say a decision problem L 1 is polynomial time
reducible to another decision problem L 2 (denoted by L 1 ≤P L 2 ) if there exists a polynomial time
algorithm A such that given a potential input x for L 1 , A (x) is a potential output to L 2 such that
x ∈ L 1 if and only if A (x) ∈ L 2 .8
We say a promise problem (Y1 , N1 ) is polynomial time reducible to another promise problem
(Y2 , N2 ) if there exists a polynomial time algorithm A such that given a potential input x for
(Y1 , N1 ), A (x) is a potential output to (Y2 , N2 ) such that x ∈ Y1 if and only if A (x) ∈ Y2 and
x ∈ N1 if and only if A (x) ∈ N2 .9
Finally, sometimes we will allow for the reductions to be randomized polynomial time algo-
rithms in which case the condition x ∈ L 1 if and only if A (x) ∈ L 2 holds with say probability at
least 2/3.
8
Technically, this is called a Karp reduction. There is also the notion of a Cook/Turing reduction, which is a
polynomial time algorithm that decides whether x ∈ L 1 with the "extra power" of being able to query in constant
time (technically this is called oracle access) for any y such that |y| = poly(|x|) whether y ∈ L 2 .
9
Again this is a Karp reduction. The notion of a Cook/Turing reduction is similar to that in the decision version.

441
 We can use the notion of reductions algorithmically (and indeed this forms the basis of a lot
of algorithm design) by noting that if L 1 ≤P L 2 and L 2 ∈ P, then L 1 ∈ P (see Exercise C.23). In
other words, assume L 1 ≤P L 2 . Then if L 2 is "easy" (i.e. L 2 ∈ P) then so is L 1 . However, we can
use the logically equivalent negation of this implication to argue that if L 1 is "hard" then so is
L 2 . The question then becomes what is the notion of a "hard" problem, which we define next.

Definition C.5.7. We say a decision problem L is NP-complete if the following two hold:

(1) L ∈ NP

(2) Every decision problem L ′ ∈ NP, is polynomial time reducible to L, i.e., L ′ ≤P L.

If L only satisfies the second property above, then it is called an NP-hard problem.

We note that NP-complete problems are the hardest problems in NP because of the follow-
ing result (and Proposition C.5.5):

Proposition C.5.8. If there exists an NP-complete problem L such that L ∈ P. Then P = NP.

(See Exercise C.24.)

It is a non-trivial fact to prove that there do exist NP-complete problems. Once we have this
fact, one can "port" the hardness of NP-complete problems to other problems as follows (see
Exercise C.25):

Proposition C.5.9. Let L be an NP-complete problem. Then if L ≤P L ′ , then L ′ is an NP-hard

problem. If further, we have L ′ ∈ NP, then L ′ is also NP-complete.

The above proposition gives a roadmap for us to prove that the problem we are considering
is NP-complete/hard: we just need to reduce an NP-complete problem to our problem.
This finally, brings us to the hardness assumption that we will be primarily using to prove
lower bounds in this book:

We assume that P 6= NP.

We will also sometimes assume that NP is not the same as class of problems that have a
randomized polynomial time algorithms as well not being the same as problems that have
polynomial sized circuits.

C.6 Exercises
Exercise C.1. Prove that f (N ) is O(g (N )) (as per Definition C.1.1) if and only if

f (N )
lim ≤ C,
N →∞ g (N )

for some absolute constant C .

442
Exercise C.2. Prove that f (N ) is Ω(g (N )) (as per Definition C.1.2) if and only if

f (N )
lim ≥ C,
N →∞ g (N )

for some absolute constant C .

Exercise C.3. Prove that f (N ) is Θ(g (N )) (as per Definition C.1.3) if and only if

f (N )
lim = C,
N →∞ g (N )

for some absolute constant C .

Exercise C.4. Prove that f (N ) is o(g (N )) (as per Definition C.1.4) if and only if

f (N )
lim = 0.
N →∞ g (N )

Exercise C.5. Prove that f (N ) is ω(g (N )) (as per Definition C.1.5) if and only if

f (N )
lim = ∞.
N →∞ g (N )

Exercise C.6. Prove Lemmas C.1.6, C.1.7 and C.1.8.

Exercise C.7. Prove or disprove the following for every α ∈ {O, Ω, Θ, o, ω}:

Let f (N ) be α(h(N )) and g (N ) be α(h(N )). Then f (N ) · g (N ) is α(h(N )).

Exercise C.8. Say there exists a randomized algorithm A that is correct with probability 12 +δ for
some δ > 0 with runtime T (N ). Then show that for every ε > 0,³ there exists another
´ randomized
log(1/ε)
algorithm that is correct with probability 1 − ε with runtime O δ · T (N ) .

Hint: Repeat A multiple times and pick one among the multiple outputs. For analysis use the Chernoff bound
(Theorem 3.1.10).

Exercise C.9. Assume that there is a randomized algorithm A , which one when provided with
an input from a distribution D, is correct with probability p (where the probability is taken over
both D and internal randomness of A ). Then show that there exists a deterministic algorithm
that is correct with probability at least p (where the probability is now only taken over D) with
the same run time as A .

Exercise C.10. Argue that any correct deterministic algorithm that solves the G AP H AMMING
problem needs a run time of Ω(n).

Hint: Argue that any correct deterministic algorithm needs to read Ω(n) bits of the input.

443
Exercise C.11. Argue that Algorithm 45 runs in time O(log(1/ε)).

Exercise C.12. Prove that for every x ∈ {0, 1}n such that w t (x) ≥ 2n/3, Algorithm 45 outputs 1
with probability at least 1 − ε.

Exercise C.13. Prove Lemma C.3.2 and that Algorithm 46 runs in time O(log(1/ε)).
¡ ¢
Exercise C.14. Argue that Algorithm 47 runs in time O kn2k . Conclude that the algorithm runs
in time 2O(n) .

Exercise C.15. Show that if any M AX L INEAR E Q(k, n, n) problem can be solved in time T (k, n),
then the error detection for any [n, k]2 code can be solved in T (k, n) time.

Hint: The two problems are in fact equivalent.

Exercise C.16. Argue that the problem M AX L INEAR E Q(k, n, n) can be solved in time O(kn 2 ).

Exercise C.17. Show that given a system of n linear equation on k variables over F2 , there exists
a O(kn) time algorithm that given a vector x ∈ {0, 1}n can compute the exact number of equations
x satisfies.

Exercise C.18. Consider the following problem called the B OUNDED D ISTANCE D ECODING prob-
lem. Given a code C ⊆ {0, 1}n , a vector y ∈ {0, 1}n and an integer 0 ≤ e ≤ n (called the error radius),
output any codeword c ∈ C such that ∆(c, y) ≤ e (or state that no such codeword exists).
Prove that if any M AX L INEAR E Q (k, n, s) problem can be solved in time T (k, n, s), then one can
solve the B OUNDED D ISTANCE D ECODING problem for any [k, n]2 linear code with error radius
n − s.

Exercise C.19. Argue that showing P 6= NP is equivalent to showing that NP \ P 6= ;.

Exercise C.20. Argue that Algorithm 48 and the algorithm A2 defined just below it are correct
and run in polynomial time.

Exercise C.21. Let L be a decision problem (as defined in Definition C.5.1). Then argue that L is
also a promise problem (as defined in Definition ??).

Exercise C.22. Argue Proposition C.5.5.

Exercise C.23. Argue that if L 1 ≤P L 2 and L 2 ∈ P, then L 1 ∈ P.

Exercise C.24. Prove Proposition C.5.8.

Exercise C.25. Prove Proposition C.5.9.

444
C.7 Bibliographic Notes
The full suite of asymptotic notation in Section C.1 was advocated for analysis of algorithms by
Knuth [81]. The Big-Oh notation is credited to Bachmann [8] form a work in 1894 and the little-
oh notation was first used by Landau [84] in 1909. A variant of the Big-Omega notation was
defined by Hardy and Littlewood [71] in 1914 though the exact definition in Section C.1 seems
to be from [81]. The Theta and little omega notation seem to have been defined by Knuth [81]
in 1976: Knuth credits Tarjan and Paterson for suggesting the Theta notation to him.
The choice to use worst-case run time as measure of computational efficiency in the RAM
model as well as only considering the asymptotic run time (as opposed to more fine grained
analysis as advocated by Knuth) seem to have been advocated by Hopcroft and Tarjan: see
Tarjan’s Turing award lecture for more on this [129].
Cobham [25] and Edmonds [35] are generally credited with making the first forceful case
for using P as the notion of efficiently solvable problems. Somewhat interestingly, Peterson’s
paper on decoding of Reed-Solomon codes [103] that predates these two work explicitly talks
about why a polynomial time algorithm is better than an exponential time algorithm (though
it does not explicitly define the class P). The notion of NP (along with a proof of the existence
of an NP-complete problem) was defined independently by Cook [26] and Levin [86]. This no-
tion really took off when Karp showed that 21 natural problems where NP-complete (including
the M AXC UT problem) [79]. For more historical context on P and NP including some relevant
historical comments, see the survey by Sipser [119].
The first randomized algorithms is generally credited to Rabin [104]. However, an earlier
work of Berlekamp on factoring polynomials presents a randomized algorithm (though it is not
stated explicitly as such) [12].
This chapter gave a very brief overview of topics that generally span multiple classes. For
further readings, please consult standard textbooks on the subjects of (introductory) algorithms
and computational complexity as well as randomized algorithms.

445
446
Appendix D

Basic Algebraic Algorithms

D.1 Executive Summary

In this appendix we include some basic facts about abstract algebra that were used throughout
the book. Readers who are comfortable with their background in algebra should feel free to skip
it entirely. However, this background should include both aspects introduced by finiteness —
most fields we work with are finite, and so are the vector spaces defined over them — and com-
putation — the mere existence of a nice algebraic structure is not good enough for us, we need
to know how to carry out basic, and not so basic operations over these structures efficiently. If
you are not very comfortable with these settings you will find the appropriate sections of this
appendix more useful. The opening paragraph of each section summarizes the main aspects
covered in the section and the reader may use them to decide if they wish to read further.
Some of the material in this appendix appears earlier in the book (e.g. Sections 2.1, 2.2
and 5.1). Finally, this coverage of algebra in this appendix is not exhaustive and the reader is
referred to the book by Lidl and Niederreiter [88] for more matetrial (and proofs) on finite fields
and the book by Shoup for more details on the basic algebraic algorithms [117].

D.2 Groups, Rings, Fields

The title of this section says it all. We cover, very tersely, the definition of a group, a ring, and a
field.
We begin with some terminology. We consider binary operations over some set of elements.
Given a set X such a binary operator would be a function ◦ : X × X → X , and we usually use
a ◦ b to denote ◦(a, b), for a, b ∈ X . We say the operator ◦ is associative if a ◦ (b ◦ c) = (a ◦ b) ◦ c,
for every a, b, c ∈ X . For associative operations it is customary to drop the parenthesis. We say
the operator ◦ is commutative if a ◦ b = b ◦ a for every a, b ∈ X . We say an element e ∈ X is an
identity for ◦ if a ◦ e = e ◦ a = a for every a ∈ X . Identities are, by definition, unique if they exist,
since if e 1 , e 2 ∈ X were identities, we would have e 1 = e 1 ◦ e 2 = e 2 . Given a ∈ X and operator ◦
with inverse e we say that a is is invertible with respect to ◦ if there exists an element a −1 ∈ X
such that a ◦ a −1 = a −1 ◦ a = e. Often ◦ will be clear from context in which case we will refer to a

447
as simply invertible.

Definition D.2.1 (Group). Given a set G and a binary operation ◦ over G, we say that (G, ◦) is a
group if ◦ is associative, has an identity, and every element of G is invertible. A group (G, ◦) is said
to be an abelian group if ◦ is also commutative.

Examples of groups include the integers with addition, the non-zero rationals with multi-
plication and the set of permutations (one-to-one functions) on any finite set under the com-
position operation.

Definition D.2.2 (Ring). A finite set R with two binary operations + and · are said to form a ring
if (1) (R, +) form an abelian group, (2) · is associative and has an identity and (3) · distributes
over +, i.e., for every a, b, c ∈ R we have a ·(b +c) = (a ·b)+(a ·c) and have (b +c)·a = (b ·a)+(c ·a).
The ring (R, +, ·) is said to be a commutative ring if · is commutative.

Examples include the integers over addition and multiplication (a commutative ring) and
the set of k × k integer matrices (for any positive integer k) under matrix addition and matrix
multiplication (which forms a non-commutative ring for k ≥ 2).

Definition D.2.3 (Field). A set F with operations + and · forms a field if (F, +, ·) is a commutative
ring, and (F \ {0}, ·) is a group where 0 denotes the identity for +.

Examples of fields include the rationals, the reals, the complexes (all under addition and
multiplication) and (more interestingly to us) the integers modulo any prime number p (see
Lemma 2.1.4 for the latter).
It is customary in rings and fields to let 0 denote the additive identity, 1 the multplicative
identity and to let −a denote the additive inverse of a and a −1 the multiplicative inverse of a. It
is also customary to abbreviate a + (−b) to a − b.

D.3 Polynomials
In this section we will introduce polynomial rings, mention when they satisfy the unique factor-
ization property, describe the ‘remainder algorithm’, and describe the evaluation map and the
polynomial distance property (where the latter is a re-statement of the degree mantra (Propo-
sition 5.2.4)).

Definition D.3.1 (Formal Polynomials). Let (R, +, ·) be a commutative ring with identity 0. The
set of formal polynomials over R in indeterminate X , denoted R[X ], is given by finite formal sums
P P P −1
R[X ] = { di=0 f i X i | f 0 , . . . , f d ∈ R; d ∈ Z≥0 }, under the equivalence di=0 f i X i = id=0 f i X i if f d = 0.
(The term formal refers to the fact that the summation, and the terms X i are just formal symbols
and do not have operational meaning, yet. So really polynomials are just finite sequences of
elements from R under the equivalence ( f 0 , . . . , f d , 0) ∼ = ( f 0 , . . . , f d ).)
Basic terminology The elements f i are referred to as the coefficients of f , the symbols X i as the
P
monomials of f and the product f i X i as the terms of f . For f = di=0 f i X i , its degree,
denoted deg X ( f ) or simply deg( f ), is the largest integer e such that f e 6= 0.

448
 P P
Addition The sum of two polynomials f = di=0 f i X i and g = di=0 g i X i , denoted f + g , is the
P
polynomial di=0 ( f i + g i )X i . (Note that by padding the coefficients of f and g with zeroes
we can always arrange it so that they have the same number of terms.)
P P
Multiplication Finally, the product of f = di=0 f i X i g = ei=0 g i X i , denoted f · g (or sometimes
P +e Pe ³ ´
simply f g ), is given by id=0 i
j =0 f i − j · g j X .

The following proposition follows immediately from the definitions above.

Proposition D.3.2. For every commutative ring R, R[X ] is a commutative ring under the sum
and product of polynomials.

In fact R inherits many properties of R and in particular the notion of “unique factorization”
which we describe next.

Definition D.3.3 (Unique Factorization Domains). Let R be a commutative ring. An element

u ∈ R is said to be a unit if it has a multiplicative inverse in R. Elements a and b are said to be
associates if there exists a unit u such that a = b · u. (Note that being associates is an equivlence
relationship.) Element a ∈ R is said to be irreducible if a = b · c implies either b or c is a unit. A
factorization of a ∈ R is a sequence b 1 , . . . , b k such that a = b 1 · b 2 · · · b k and none of the b i ’s are
units. The b i are referred to as the factors of a in this factorization. Ring R is a factorization
domain if for non-zero every a ∈ R that is not a unit, there is a finite bound k a such that every
factorization of a has at most k a factors. A factorization domain R is a unique factorization
domain (UFD) if every non-zero, non-unit element has a unique irreducible factorization, upto
associates. I.e., if a = b 1 · · · b k = c 1 · · · c ℓ and the b i ’s and c j ’s are irreducible, then k = ℓ and there
exists a bijection π : [k] → [ℓ] such that b i and c π(i ) are associates, for every i ∈ [k].

Since every non-zero element of a field is a unit, every field is a UFD.

Proposition D.3.4. Every field is a UFD.

A central result in basic commutative algebra is the following lemma of Gauss.

Lemma D.3.5 (Gauss). If R is a UFD, then so is R[X ].

We omit the proof of the above lemma here, but point out its implications. It allows us to
build many interesting rings from a simple base case, namely a field. Given a field F, F[X ] is
a UFD. So is (F[X ])[Y ]. Now we could have gone in the other direction and created the ring
(F[Y ])[X ] and this would be a UFD too. However if X and Y commute (so X Y = Y X ) then the
rings (F[X ])[Y ] and (F[Y ])[X ] are isomorphic under the isomorphism that preserves F and sends
X → X and Y → Y . So we tend to compress the notation and refer to this ring as F[X , Y ], the
ring of “bivariate” polynomials over F. Rings of univariate and mutlivariate polynomials play a
central role in algebraic coding theory.
We now turn to the notion of polynomial division with remainder that lead us to some im-
portant notions associated with polynomials.
P
Let f ∈ R[X ] and let f = di=0 f i X i with f d 6= 0. f is said to be monic if f d is a unit in R.

449
Proposition D.3.6. Given a monic polynomial f , and general polynomial p there exists a unique
pair of polynomials q (for quotient) and r (for remainder) such that p = q · f + r and deg(r ) <
deg( f ).
See Exercise D.1 for a proof.
The function p 7→ f (q, r ) described is often referred to as the ‘division algorithm’ (since it is
the outcome of long division). A special case that is of great interest to us is when f = X − α for
α ∈ R. In this case the remainder is polynomial of degree at most 0, and so can be associated
with an element of R. Denote this element p(α) (since it depends only on p and α) and we
get the “evaluation” map which maps elements of R[X ] × R to R. The remainder p(α) can be
worked out explicitly and is given by the simple form below (where the uniqueness follows from
Proposition D.3.6).
P P
Proposition D.3.7. Given p = di=0 p i X i ∈ R[X ] and α ∈ R, let p(α) = di=0 p i αi . Then there
exists a unique q ∈ R[X ] such that p = q · (X − α) + p(α). It follows that p(α) = 0 if and only if
X − α divides p(X ).
Finally using Proposition D.3.7 and the fact that F[X ] is a UFD, we get the following the
following central fact about univariate polynomials.
Lemma D.3.8 (Polynomial Distance Lemma). Let f 6= g ∈ F[X ] be polynomials of degree at most
d . Then there exist at most d elements α ∈ F such that f (α) = g (α).
Proof. Let h = f − g . We have h is non-zero and of degree at most d . Let S = {α| f (α) = g (α)}.
Then we have (X − α) divides h for every α ∈ S. Furthermore, by the unique factorization prop-
Q
erty we have h̃ = α∈S (X −α) divides h. But if h̃ divides h, then deg(h̃) ≤ deg(h) and deg(h̃) = |S|.
We conclude |S| ≤ d .

D.4 Vector Spaces

In this section we introduce vector spaces over fields and describe two basic views of describing
a finite dimensional vector space: first via its generators (and the generator matrix) and next via
constraints on the vector space (and its parity check matrix). We first start with a quick overview
of matrices and the corresponding notation and then move on to vector spaces.

D.4.1 Matrices and Vectors

In this
¡ book, a vector
¢ of length n over the field F (i.e. x ∈ Fn ) is a row vector1 . E.g., we have
4
x = 0 1 3 4 0 ∈ F5 . Given two vectors u, v ∈ Fn , their inner product is defined as
n
X
〈u, v〉 = ui · v i ,
i =1
1
We acknowledge that this is different from the usual assumption in linear algebra that all vectors are column
vectors. We are assuming row vectors to be consistent with how message vectors are assumed to be row vectors in
coding theory.

450
where the multiplication and addition are over F.
A matrix M ∈ Fk×n is a two-dimensional array/vector, where we refer to the (i , j )’th entry
(for (i , j ) ∈ [k] × [n]) as M i , j (or M i j if the two indices are clear without being separated by a
comma). We will use M i ,· as the i ’th row and M ·, j as the j th column of M respectively.
So e.g. consider G ∈ F32×3 as follows:
µ ¶
1 0 1
G= .
0 2 1
µ ¶
¡ ¢ 0
In the above G 1,2 = 2, G 1,· = 1 0 1 and G ·,2 = .
2
The transpose of a matrix M ∈ Fk×n , denoted by M T is an n × k matrix over F such that for
any ( j , i ) ∈ [n] × [k], we have
M Tj,i = M i j .
Note that if k = 1, then the above says that for a row vector x ∈ Fn , its transpose xT is a column
vector.
The product of two matrices A ∈ Fk×n and B ∈ Fn×m is a matrix C ∈ Fk×m such that for any
(i , j ) ∈ [k] × [m], we have ­ ®
C i , j = A i ,· , B ·, j .

D.4.2 Definition and Properties of Vector Spaces

This section will repeat some of the material from Section 2.2. We begin with the definition of a
vector space:
Definition D.4.1 (Vector Space). Over a field F, a vector space is given by a triple (V, +, ·) where
(V, +) is a commutative group and · : F × V → V distributes over addition, so that α · (u + v) =
α · u + α · v for every α ∈ F and u, v ∈ V . It is customary to denote the identity of the group (V, +) by
0 and to refer to V as an F-vector space.
The simplest example of an F-vector space is Fn , whose elements are sequences of n ele-
ments of F. The sum is coordinate-wise summation and product is “scalar” product, so if u =
(u 1 , . . . , u n ), v = (v 1 , . . . , v n ) and α ∈ F then u+v = (u 1 +v 1 , . . . , u n +v n ) and α·u = (α·u 1 , . . . , α·u n ).
Essentially these are the only vector spaces (as we will make precise soon), but representations
of the vectors is important to us, and will make a difference.
Definition D.4.2 (Dimension of a vector space). A sequence of vectors v1 , . . . , vk ∈ V are said to
P
be linearly independent if ki=1 βi · vi = 0 implies that β1 = · · · = βk = 0. v1 , . . . , vk ∈ V are said to
linearly dependent otherwise.
V is said to be finite dimensional of dimension k if every sequence of k + 1 vectors from V is
linearly dependent and there exists a sequence of length k that is linearly independent.
A linearly independent set v1 , . . . , vk ∈ V is said to form a basis for V if V has dimension k.
Every F-vector space of dimension k is isomorphic to Fk as described by the following propo-
sition.

451
 Pk
Proposition D.4.3. If v1 , . . . , vk for a basis for an F-vector space V , then V = { i =a βi ·vi |β1 , . . . , βk ∈
P
F} and the map (β1 , . . . , βk ) 7→ ki=1 βi · vi is an isomorphism from Fk to V .

The point we wish to stress now is that even though all vector spaces are isomorphic, dif-
ferent spaces do lead to different codes with different error-correction properties, and these
properties are not preserved by such isomorphisms. So not all k-dimensional vector spaces
are identical for our purposes. We will specially be interested in k-dimensional vector spaces
contained in Fn , and how these can be represented succinctly in matrix form.

Definition D.4.4 (Generator Matrix, Parity Check Matrix). A matrix G ∈ Fk×n is said to be a gen-
erator matrix of an F-vector space V ⊆ Fn if the rows of G are linearly independent in Fn and
V = {x · G|x ∈ Fk }. The rows of G form a basis of V . A matrix H ∈ Fn×(n−k) is said to be a par-
ity check matrix of an F-vector space V ⊆ Fn if the columns of H are linearly independent and
V = {y ∈ Fn |H · yT = 0}. Given a vector space V with parity check matrix H , its dual space, de-
noted V ⊥ , is the vector space generated by the transpose of H , i.e., V ⊥ = {x · H T |x ∈ Fn−k }.

Our goal below is to show that every space has a generator matrix and a parity check matrix.
The former is obvious from definitions. If V ⊆ Fn is a k-dimensional vector space, then it has
a basis v1 , . . . , vk and if we build a matrix G with these vectors as its rows, then G satisfies the
conditions of the generator matrix.
We sketch the idea for construction of a parity check matrix. We say that a k × k matrix R
forms a row operation if R i i = 1, and R i j = 0 for all must at most one pair i 6= j ∈ [k]. We say that
G̃ is obtained from G by row operations, denoted G ❀ G̃, if G̃ = R m ·R m−1 · · · R 1 ·G where the R i ’s
are row operations. Note that if G is a generator matrix for V then so is G̃. Gaussian elimina-
tion allows us to “simplify” G till its columns are special, and in particular after permuting the
columns G̃ would look like [I k |A] where I k denotes the k × k identity matrix. Assume for sim-
plicity that G̃ = [I k |A] (without permuting columns). Now let H be given by H T = [−A T |I n−k ].
It can be verified that G̃ · H = 0 and so G · H = 0. Furthermore all columns of H are linearly in-
dependent and so H satisfies the conditions of the parity check matrix of V . We conclude with
the following.

Proposition D.4.5. If V ⊆ Fn is a k-dimensional vector space then it has a generator matrix G ∈

Fk×n and a parity check matrix H ∈ Fn×(n−k) . Furthermore its dual V ⊥ is generated by H T , has
dimension n − k, and has G T as its parity check matrix. Finally (V ⊥ )⊥ = V .

Before concluding we mention one important difference from the case of orthoganility of
real vectors. For vector spaces over finite fields it is possible that there are non-zero vectors in
V ∩ V ⊥ and indeed even have V = V ⊥ . (See Exercise 2.29 for more on this.)

D.5 Finite Fields

In this section we describe the existence and uniqueness of finite fields. We also describe the
basic maps going from prime fields to extensions and vice versa. Parts of this section will repeat
material from Section 2.1 and 5.1.

452
D.5.1 Prime Fields
We start by describing a field of size p, for any prime number p. Let Zp be the set of integers
{0, . . . , p − 1}. For integer a and postive integer b, let a mod b denote the unique integer c in
Zp such that b divides a − c. Let +p be the binary operation on Zp that maps a and b to (a + b)
mod p. Let ·p map a and b to (ab) mod p. We have the following (see Section 2.1 for a proof).

Proposition D.5.1. (Zp , +p , ·p ) form a field of cardinality p.

Given a finite field F, its characteristic, denoted char(F), is the smallest positive integer p
such that p · 1 = 1 + 1 + · · · + 1 = 0. (See Exercise D.2 for why such a finite characteristic exists.)

Proposition D.5.2. For every finite field F, char(F) is a prime. Furthermore, F is a Zp -vector space,
where p = char(F). Thus F has cardinality p n for prime p and integer n.

Proof. Let p = char(F). We first note that p is the smallest integer such that p · a = 0 for any
non-zero element of F. This is so since p ·a = p ·1·a = 0, and if p ·a = 0 then so is p ·a ·a −1 = p ·1.
Next we note that if p = qr then for the element w = q ·1 ∈ F, we have w ·r = 0 which contradicts
the minimality of p.
Next we note that (F, +, ◦) satisfy the conditions of a Zp -vector space where i ◦a = (a +· · ·+a)
(i times), for i ∈ Zp and a ∈ F. We conclude that |F| = p n where n is the dimension of the vector
space (F, +, ◦) and p = char(F).

We conclude now by claiming that Zp is the unique field of cardinality p.

Proposition D.5.3. For any prime p, there is a unique field of cardinality p upto isomorphism.

Proof. Let F be a field of cardinality p. By Proposition D.5.2 we have that char(F) = p. It can be
verified that the map 1F → 1 extends to an isomorphism (see Exercise D.3).

The uniqueness of the field of cardinality p allows us to call it Fp in the future.

D.5.2 Extension fields and subfields

We now move towards determining when non-prime fields exists. While the answer is simple
(they exist for every number of the form p n for prime p and positive integer n), proving when
they exist requires some structural understanding of how fields behave.
We will first present a basic property of all finite fields that is crucial when working with
fields.
We recall a basic result about finite groups (see Exercise D.4 for a proof for the abelian case).

Proposition D.5.4. If (G, ·) is a finite group with identity 1, then for every a ∈ G, we have a |G| = 1.

Proposition D.5.5. Let F be a field of cardinality q. The every element α ∈ F is a root of the
Q
polynomial X q − X and so X q − X = α∈F (X − α).

453
Proof. If α = 0, then it is trivial to see that is a root of X q − X . If α 6= 0, then it is a member of
a group (F \ {0}, ·) and so by Proposition D.5.4, satisfies α|F\{0}| = 1. Thus, αq−1 = 1, and finally
αq = α, as desired.

Let K be a field and F ⊆ K be a set that is closed under addition and multiplication. Then
F is itself a field and we denote if F ✁ K to denote that it is a subfield of K . We say K ✄ F to
denote that K extends F.

Proposition D.5.6. If K ✄ F then K is an F-vector space and so |K | = |F|n where n is the dimen-
sion of K as an F-vector space. Furthermore there is a unique copy of F in K .

Proof. The fact that K is a vector space follows from the definitions, and thus the claim about
its cardinality. The fact that there is a unique copy of F follows from the fact that the elements
of F satisfy X q − X = 0, where q = |F| and there can be at most q roots of this polynomial.

D.5.3 Existence of Finite Fields

In what follows we will rely heavily on the modular reduction of polynomials. Following the
notation of previous sections, for field F and f , g ∈ F[X ], we let f mod g be the remainder when
f is divided by g - so deg( f mod g ) < deg(g ) and g divides f − ( f mod g ). Let f +g h = ( f + h)
mod g and let f ·g h = ( f h) mod g . Recall that an irreducible polynomial in Fq [X ] is one that
does not have any non-trivial factor (recall Definition 5.1.4).

Proposition D.5.7. Let F be a finite field of cardinality q and let g ∈ F[X ] be an irreducible poly-
nomial of degree n. Then (F[X ]/g , +g , ·g ) form a field of cardinality q n .

Essentially all fields can be obtained in the above manner, but to prove this fact, we need to
prove that there is an irreducible polynomial of degree n over Fp for every p and unfortunately
this proof is not much simpler than proving the existence of a field of cardinality p n . So we
prove the existence directly, or rather sketch a proof of this fact.
The rough idea of the proof is as follows: First we establish that every polynomial f ∈ F[X ]
splits completely (into linear factors) over some extension K of F. To do this we work slowly,
working away at one irreducible factor of f at a time. If g is such an irreducible factor, we
consider the field2 L = F[Z ]/g (Z ) and note that Z is a root of g ,3 and hence of f , in L and so f
splits more in L. We continue this process till f splits completely in some field K .
n
Now we work with a very special polynomial f , namely f (X ) = X p − X in the ring Fp [X ] and
let K be a field in which f splits completely. Now let S ⊆ K be the set S = {α ∈ K | f (α) = 0}.
We note that this set, miraculously, is closed under addition and multiplication. The latter is
n n n
easy: f (α) = 0 if and only if αp = α. So if f (α) = f (β) = 0 then αp = α and βp = β and so
n n n
(αβ)p = αp βp = αβ and so αβ ∈ S. For the former we explicitly highlight another crucial fact
in finite fields.
2
Recall Theorem 5.1.5.
3
This is because g (Z ) ≡ 0 in L.

454
Proposition D.5.8. Let K be a field of characteristic p and let A, B ∈ K [X , Y ]. Then for all
n n n
positive integers n we have (A + B )p = A p + B p .
¡p ¢
The proof of the lemma above follows immediately from the fact that i mod p is 0 unless
p divides i (see Exercise D.5). And while the lemma is stated for very general A and B , we only
need it for A, B ∈ K itself. However we state it generally since it is fundamental to working over
extension fields and indeed we will see a few applications later.
Returning to our quest to prove that S is closed under addition, let us apply the above propo-
n n n
sition to α, β ∈ S. We get that (α + β)p = αp + βp = α + β and so S is closed under addition as
well. What we will show next is that S has exactly p n elements and so is a field of size p n (it is
closed under addition and multiplication and the rest of the properties follow from the fact that
S is a subseteq of a field K ).
First note that S has all roots of f . We note further that f has no multiple roots. In general
this is proved by looking at derivatives etc., but in this case we can do it by inspection. We wish
n
to show that (X − α)2 does not divide X p − X , but this is the same as showing that Z 2 does not
n n n
divide (Z +α)p −(Z +α) = Z p −Z +αp −α, but the latter polynomial has a coefficient of −1 6= 0
n
for Z and so is not divisible by Z 2 . We conclude that since S has all roots of X p − X and this
polynomial has p n distinct roots, and so |S| ≥ p n . On the other hand since every element of S
n
is a root of X p − X and this polynomial has at most p n roots, we conclude that |S| = p n and so
there exists a field of cardinality p n . Thus we get the following theorem (the first part follows
from Proposition D.5.2 and the second part follows from Proposition D.5.7).

Theorem D.5.9. If F is a finite field, then it has charatestic p for some prime p and its cardinality
is p n for positive integer n. Conversely, for every prime p and positive integer n, there is a field of
cardinality p n .

D.5.4 Uniqueness of finite fields

We start by proving that every finite field has a multiplicative generator. To do so we need to
understand cyclic groups a bit better.
The cyclic group of order n is the group Zn = {0, . . . , n − 1} with addition modulo n being
the binary operation. This group clearly has an element of order n (namely the number 1). Let
N = (G, m) denote the number of elements of order exactly m in G and let N (G, m) denote the
P
number of elements of order dividing m in G. We have N (G.m) = k|m N = (G, k). For the cyclic
group, we have for every k|n, N (Zn , k) = k and N = (Zn , k) ≥ 0. (The latter is trivial and for the
former see Exercise D.6.)
We now turn to understanding (F∗ , ·) the group of non-zero elements of F under multiplica-
tion.

Lemma D.5.10. Let q = |F| and n = q − 1. We claim that for every k dividing n, N (F∗ , k) =
N (Zn , k) and N = (F∗ , k) = N = (Zn , k).

Proof. The claim is straightforward for N (F∗ , k). We have that every α ∈ F∗ is a root of of the

455
polynomial X n − 1 and since X k − 1 divides4 X n − 1, k elements of F∗ must be roots of this
polynomial also. We thus have N (F∗ , k) = k = N (Zn , k).
P
For the claim about N = (F∗ , k), we use induction and the inductive formula. We have ℓ|k N = (F∗ , ℓ) =
P
N (F∗ , k) = k = N (Zn , k) = ℓ|k N = (Zn , ℓ). But since by induction we have N = (F∗ , ℓ) = N = (Zn , ℓ)
for ℓ < k, we may conclude that the remaining term N = (F∗ , k) = N = (Zn , k).

We say that an element ω ∈ F is primitive if ωi 6= 1 for i < |F|−1 and ω|F|−1 = 1. Since N = (F∗ , n)
counts the number of primitive elements, Lemma D.5.10 implies that the number of primi-
tive elements is at least one. Indeed, if p is the smallest prime divisor of n, then we have that
N = (F∗ , n) = N (F∗ , n) − N (F∗ , n/p) − N (F∗ , p) = n − n/p − p > 0, assuming p < n/p. Otherwise if
n = p 2 , then we have N = (F∗ , n) = N (F∗ , n) − N (F∗ , p) = n − p > 0. If n itself is a prime then we
have N = (F∗ , n) = N (F∗ , n) = n > 0.

Proposition D.5.11. Every finite field F has a primitive element. Consequently the multiplicative
group is cyclic.

We now describe a weaker form of special element in F. Let K extend F. We say that α ∈ K
is an F-generator for K if for every element β ∈ K there is a polynomial p ∈ F[X ] such that
β = p(α).

Proposition D.5.12. Let K be a finite field and let ω be a primitive element in K . Then for every
subfield F ✁ K we have that ω is an F-generator of K . As a consequence, for every K ✄ F there is
an F-generator in K .

Proof. Consider the lowest degree polynomial p ∈ F[X ] such that p(ω) = 0. Let |F| = q and
|K | = q n .
We claim that deg(p) = n. If deg(p) > n, we have that 1, ω, ω2 , . . . , ωn are linearly indepen-
dent over F and so K has size strictly larger than q n . Now if deg(p) < n, then consider the
n
polynomials X , X 2 , X 3 , . . . , X q −1 modulo p ∈ F[X ]. Since we have only q deg(p) options for the
residues, two of these must be equal modulo p and so there exist i 6= j and f ∈ F[X ] such that
X i = X j + p · f . Substituting X = ω yields ωi = ω j + p(ω) f (ω) = ω j . But this contradicts the
assumption that ω is a primitive element.
Finally, note that any element β ∈ K can be written as the polynomial q j mod p(X ) evalu-
ated at X = ω for some 0 ≤ j < q n .

Generators are useful in that they show that the only way to construct field extensions is via
irreducible polynomials.

Proposition D.5.13. Let K ✄ F and let α be an F-generator of K . Then, if p is the minimal

polynomial in F[X ] such that p(α) = 0, we have p is irreducible and K is isomorphic to F[X ]/p.

Proof. Irreducibility of p follows from its minimality (see Exercise D.8). The isomorphism is
obtained by fixing F ✁ K and letting α 7→ X . We leave it to the reader to verify that this extends
to an isomorphism (uniquely)– see Exercise D.9.
4
See Exercise D.7.

456
 We are almost ready to prove uniqueness of finite fields. We need one more fact about irre-
ducible polynomials to do so.
n
Proposition D.5.14. If f ∈ Fp [X ] is irreducible of degree n, then f divides X p − X .

Proof. Consider the field K = Fp [X ]/( f ). This is a field of cardinality p n and so every element
n n
α ∈ K satisfies αp = α. In particular X ∈ K also satisfies this, implying that X p − X = 0(
n
mod f ) and so f divides X p − X .

We now turn to proving uniqueness of finite fields.

Theorem D.5.15. For every prime p and integer n, there is a unique field of cardinality p n up to
isomorphism.

Proof. Suppose K , L are both fields of cardinality p n . Both fields contain a unique copy of Fp ,
and by mapping 1K to 1L and extending additively, we get a partial isomorphism between these
copies of Fp . Now we show how to extend it. Let α ∈ K be a Fp -generator and let f ∈ Fp [X ]
be its minimal polynomial. Since f is irreducible of degree n, we have that f (X ) divides the
n
polynomial X p − X (see Proposition D.5.14).
n Q
Using the fact that X p − X = β∈L (X − β), we conclude that L contains a root β of f . We
assert (see Exercise D.10) that the map that sends α 7→ β is an isomorphism from K to L.

D.5.5 The Trace and Norm maps

We conclude this section with two basic polynomials that have some very nice regularity prop-
erty when dealing with finite fields and their extensions.

Definition D.5.16. Let F = Fq and let K = Fq n . Then the Trace function Tr = TrK →F is the func-
2 n−1
tion obtained by the evaluation of the polynomial Tr(X ) = X + X q + X q + · · · + X q . The Norm
2 n−1
function is obtained by evaluation of N (X ) = X 1+q+q +···+q .

The Norm and Trace functions are important because they map elements of K to the sub-
field F and they do so in a nice uniform way. We mention some properties below.

Proposition D.5.17. 1. Trace is a F-linear map, i.e., for every α ∈ F and β, γ ∈ K , we have
Tr(α · β + γ) = α · Tr(β) + Tr(γ).

2. Norm is multiplicative, i.e., N (β · γ) = N (β)N (γ)

3. Trace is a q n−1 -to-one map from K to F.

4. Norm is a (q n − 1)/(q − 1)-to-one map from K ∗ to F∗ .

i i i i i
Proof. 1. The F-linearity follows from the facts that (αβ + γ)q = αq βq + γq and αq = α.

2. The multiplicativity is obvious from definition.

457
 n n−1
3. For β ∈ K we have Tr(β)q = βq + · · · βq = βq + · · · + βq + 1 = Tr(β) and so the range of Tr
is F. Since Tr is a polynomial of degree q n−1 is can take on any value in the range at most
q n−1 times. But it has a domain of size q n and range of size q, so it must take on every
value exactly q n−1 times.

4. The is similar to Part (3) above. By Exercise D.11, we have that N (β)q = N (β) and further-
more note that by definition, N (β) is non-zero iff β 6= 0. We then use the degree of N and
counting to determine that it is a regular function on non-zero values.

The Trace function from K → F is especially important since it captures all F-linear maps
from K → F, as explained below.

Proposition D.5.18. A function L : K → F is F-linear if and only if there exists λ ∈ K such that
L(β) = Tr(λβ) for every β ∈ K .

Proof. First note that f (β) = Tr(λβ) is obviously F-linear since

f (αβ + γ) = Tr(λ(αβ + γ)) = Tr(λαβ) + Tr(λγ) = α Tr(λβ) + Tr(λγ) = α f (β) + f (γ)

for every α ∈ F and β, γ ∈ K (where in the above we used Propositon D.5.17). This concludes
one direction of the proposition.
To see the converse we employ a counting argument. First note that if λ 6= 0 then the func-
tion f λ (β) = Tr(λβ) is not identically zero. (To see this, note that f λ (Z ), viewed as a polynomial
in Z has degree |K |/|F| and it is a non-zero polynomial since the coefficient of Z is non-zero.)
By linearity this implies that f λ 6= f τ if λ 6= τ since f λ − f τ = f λ−τ 6= 0. So, including λ = 0, we
have at least |K | distinct linear functions of the form f λ (·). We now note there are also at
most |K | such functions. To see this let β1 , . . . , βn ∈ K be F-linearly independent elements
P
of K (i.e., ni=1 αi βi 6= 0 if (α1 , . . . , αn ) ∈ Fn \ {0}). Since K is a degree n extension of F we know
such a sequence exists and furthermore the βi ’s generate K in that for every β ∈ K there exist
P
α1 , . . . , αn ∈ F such that β = i αi βi . We note that a linear function L : K → F is completely
P
determined by its values at β1 , . . . , βn , since for every β = i αi βi ∈ K with α1 , . . . , αn ∈ F, we
P P
have L(β) = L( i αi βi ) = i αi L(βi ). Thus the number of linear functions is upper bounded by
|{(L(β1 ), . . . , L(βn )) ∈ Fn }| ≤ |F|n = |K |. We conclude that these are exactly |K | functions that are
F-linear from K → F, and these are exactly the Trace functions.

D.6 Algorithmic aspects of Finite Fields

In this section we show how finite fields may be represented and field operations computed
efficiently.
Let q = p t for prime p and positive integer t . We consider how to work with Fq — the field
on q elements.
We start by noticing that if O(q 2 ) space is not imposing, then four tables — one for addition,
and one for multiplication, and one each for additive and multiplicative inverses would suffice

458
for working with fields, with each field operation now requiring a single table look up. In what
follows we give more succinct descriptions that still allow moderately fast (some polynomial in
log q) operations.

D.6.1 Prime Fields

We start with the case of t = 1. Here there is not much to do. The most natural representa-
tion of the field is by specifying the prime p which takes log2 p + 1 = log q + 1 bits to specify.
The most complex part of addition and multiplication is the computation of the remainder of
the operation modulo p, and this takes at most O((log p)2 ) steps by the naive method. More
sophisiticated algorithms can bring this compexity down to O((log p)(log log p)2 ).

D.6.2 General fields as vectors

For general fields, we can adopt one of two approaches. The first of these uses less of the
knowledge that we have about finite fields, but helps abstract away many issues. In this view
we use the isomorphism between Fp t and Ftp to represent elements of the former as vectors
in Ftp . This, thus represents elements of Fq by O(log q) bits which is nice. This also tells us
how to add in Fq since it is simply coordinatewise Fp -addition. However this representation
by itself is not sufficient to do Fq -multiplication. To multiply elements we enhance this repre-
sentation by maintaining t 2 vectors wi j ∈ Ftp with wi j = ei · e j where the ei ’s are the unit vec-
tors (so ei = (0, . . . , 0, 1, 0, . . . , 0) is 1 in the i th coordinate and zero elsewhere). Now given u =
P P
(u 1 , . . . , u t ) and v = (v 1 , . . . , v t ) we can compute u · v = it =1 tj =1 u i v j wi j . This leads to a roughly
O(t 3 (log p)2 ) = O((log q)3 ) time algorithm for multiplying in Fq while requiring O(t 3 log p) bits
to store p and the vectors wi j . While not the most efficient representation, this may afford a
clean representation that may be sufficient in several settings.

D.6.3 General fields as polynomial rings

Our final representation uses the fact that the field Fp t is isomorphic to Fp [X ]/(g ) for any ir-
reducible polynomial g of degree t . Here, a field element is simply a polynomial in Fp [X ]
of degree strictly less than t which is maintained as a vector of coefficients. Addition is just
coordinate-wise addition, whereas multiplication is polynomial multiplication followed by a
remainder computation modulo g . Thus addition takes time O(t (log p)2 ) while mutliplication
naively takes time O(t 2 (log p)2 ). The only ingredients that need to be remembered to do field
operations are the integer p and the polynomial g ∈ Fp [X ], all of which take O(t log p) bits. So
this representation definitely outperforms the generic representation via vector spaces in al-
most all senses (though we might find the vector space view helpful when discussing certain
operations with codes).

459
D.6.4 Finding primes and irreducible polynomials
The final question that remains to be discussed is how hard is to find the ingredients that de-
scribe a field. Of course, this depends on how the field is described, and the most natural one
may be by giving the cardinality q of the field.
Given q = p t , it is straightforward to enumerate all candidate (p, t ) pairs such that q = p t
— there are only log q possible values of t and thus log q such integers. Only one of these, the
one with the largest t could correspond to prime p. Testing if an integer is prime can be done
efficiently with randomization, and thanks to a recent breakthrough [1] even deterministically
in time polynomial in log q.
When t = 1 no further works needs to be done. If t > 1 one needs to find an irreducible
polynomial g of degree t and this can be a challenge. There are several possible solutions here:

Randomized It is known (and can actually be proved with a little effort, given the ingredients
of this chapter) that a random polynomial g ∈ Fp [X ] of degree t is irreducible with prob-
ability at least 1/t . Furthermore, irreducibility can be tested (see next section) in time
poly(log q). Thus repeatedly sampling random polynomials till an irreducible polynomial
is found takes expected time poly(log q). (See Algorithm 8.)

Deterministic Shoup [116] gave an algorithm to deterministically find an irreducible polyno-

mial of degree t in Fp [X ] in time poly(t , p). Notice that this dependence is slower than
one may hope for in terms of p, but works well when p is small (say, smaller than t ).

Explicit In some rare cases, i.e., a few choices of p and t , explicit polynomials are known that
are irreducible. These may be used when the field size seems appropriate. One such
family of irreducible polynomials is given in the following proposition.

Proposition D.6.1 ([88]). Let p = 2 and t = 2 · 3ℓ for any non-negative integer ℓ. Then the
polynomial X t + X t /2 + 1 is irreducble in F2 [X ].

D.7 Algorithmic aspects of Polynomials

In this section we review basic facts about algorithmic aspects of manipulating polynomials. We
start with basic tasks and move to more complex tasks ending with factoring and root-finding.

D.7.1 Adding, Multiplying, Dividing

Given two polynomials f , g ∈ Fq [X ] of degree at most n, they can be added with O(n) operations
in Fq and no more needs to be said. f and g can also be multiplied with O(n 2 ) operations by the
standard long multiplication. Similarly the quotient and remainder obtained when dividing f
by g can be computed wih O(n 2 ) operations using the long division algorithm. More efficient
algorithms do exist for both these tasks making O(n(log n)c ) field operations, for some constant
c. (See [134] for this and other references for this section.)

460
D.7.2 Greatest Common Divisor
Perhaps the most surprising algorithm in algebra is that of finding greatest common divisors
(of integers or polynomials), and would be even more so, if it were not for over 2000 years of
exposure. To explain, let us look at the definition of the problem.

Definition D.7.1 (Greatest Common Divisor). Given polynomials f , g ∈ F[X ], their greatest com-
mon divisor, denoted gcd( f , g ), is the maximal degree polynomial h(X ) with leading coefficient
being 1 such that h divides f and g .

The natural algorithm for finding gcd( f , g ) would be to factor f and g into irreducible fac-
tors, and then to take all common factors (with multiplicity) and take their product to get h.
Unfortunately this reduces gcd to factoring which goes in the wrong direction. (As we will see
below, factoring can also be solved efficiently for polynomials, but by reduction to gcd compu-
tation.)
But fortunately, we can employ Euclid’s algorithm which uses the following algorithmic re-
duction: If deg(g ) < deg( f ) and g does not divide f , then gcd( f , g ) = gcd(g , r ) where f = q · g +r
with deg(r ) < deg(g ) is as given by the division algorithm. This simple fact turns out to be al-
gorithmically effective reducing the (sum of the) degree of the polynomials in a single step of
polynomial division, and thus leading to a polynomial time algorithm for finding the greatest
common divisor.
Once again the steps of this algorithm can be combined in clever ways to get an implemen-
tation in O(n(log n)c ) time.

D.7.3 Factoring and Root-Finding

Finally, one of the most striking tasks related to polynomials that turns out to have a polynomial
time algorithm is the factorization of polynomials. Polynomials, even multivariate ones, can be
factored extremely efficiently with randomization and this is a consequence of many years of
research in algebraic computing. We won’t give the strongest results here, since even stating the
result is non-trivial. For our purposes it will suffice to know that polynomials in Fq [X ] of degree
n can be factored in time poly(n, log q). We state this general result, and prove a very special
case of it, which will suffice for the algorithms in this book.

Theorem D.7.2. There exists a constant c and a randomized algorithm running in expected time
O((n log q)c ) that factors polynomials of degree n in Fq [X ]. Furthermore, if q = p t for prime t ,
then there is a deterministic algorithm with running time O((npt )c ) for factoring.

To give an idea behind this powerful algorithm, we consider a simple special case of root-
finding.

Definition D.7.3 (Root-Finding Problem). The input to the root finding problem is a polynomial
f ∈ Fq [X ] of degree at most n (given as a list of coefficients f 0 , . . . , f n ∈ Fq ). The task is to find all
α ∈ Fq that are roots of f , i.e., to output the set {α ∈ Fq | f (α) = 0}.

461
 We now turn towards the root-finding algorithm. The algorithm relies crucially on the al-
gorithm for computing greatest common divisors (mentioned in the previous section) and two
Q
additional facts. First we use the fact X q − X = α∈Fq (X −α) to algorithmic advantage as follows.

Lemma D.7.4. A polynomial f ∈ Fq [X ] has a root in Fq if and only if gcd( f , X q − X ) 6= 1.

Proof. The proof is immediate. If f has a root α, then X − α divides gcd( f , X q − X ) and so their
Q
gcd can’t be trivial. Conversely a factor of X q − X is of the form α∈S (X − α) for some S ⊆ Fq ,
and so gcd( f , X q − X ) must be of this form. If the gcd is non-trivial, then S must be non-empty
implying that for every α ∈ S we have X − α divides f and thus f has a root in S ⊆ Fq .

The step above is almost algorithmic, but to verify this, we need to stress that the gcd of
f and X q − X can be computed in time polynomial in deg( f ) and log q. We explain how this
can be done in the next few paragraphs, taking a detour on sparse polynomials. But assuming
this can be done, this provides a natural starting point for a root finding algorithm. Given f
we compute g = gcd( f , X q − X ). If g 6= 1, then we take the set S 1 of roots of g and the set S 2 of
roots of f /g and output S 1 ∪ S 2 . The set S 2 can be computed recursively (since f /g has smaller
degree than f ), but for S 1 we need some new ideas to determine how to compute the roots of
g , when g splits into linear and distinct factors over Fq . To get to this point we will use the fact
that X q − X splits into some high-degree sparse factors and this will turn out to be crucial to
finding S. Indeed the sparsity of X q − X and its factors are heavily used concepts and we now
take a detour to explain these effects.

Sparse high degree polynomials

We start with some terminology. We say that a polynomial h ∈ F[X ] is t -sparse if at most t of its
coefficients are non-zero. Every polynomial h is thus (deg(h) + 1)-sparse, but often the sparsity
can be smaller, and this will be useful. One sparse polynomial that is already motivated by the
earlier discussion is X q − X , which is 2-sparse. We will see a few more below.

Lemma D.7.5. Let f ∈ F[X ] be a polynomial of degree n and let h ∈ F [X ] be a t -sparse polynomial
of degree D. Then h mod f and gcd( f , h) can be computed in time poly(n, t , log D).

Proof. It obviously suffices to compute h mod f in time poly(n, t , log D) and then one can use
Euclid’s algorithm to compute gcd( f , h) = gcd( f , h mod f ) in time poly(n). In turns out that
P
if h = it =1 h i X di and we can compute h i X di mod f in time poly(n, log d i ) for every i , then
we can add the results in time poly(n, t ) to get h mod f . Finally, we note that X d mod f can
Plog d
be computed by repeated squaring. Let d = j =02 d j 2 j . We can first compute the sequence
j
of polynomials g j = X 2 mod f = g 2j −1 mod f by repeatedly squaring the output of the previ-
Qlog d
ous step. Then we can compute X d mod f = j =02 (g j )d j by using log d more multiplications,
yielding the desired result.

The lemma above shows that sparse polynomials can be used effectively. The following
lemma shows that the central sparse polynomial also has sparse factorizations, and this will be
useful later.

462
Proposition D.7.6. 1. Let Fq be a field of odd characteristic (and so q is odd). Then X q − X =
X ·(X (q−1)/2 −1)·(X (q−1)/2 +1). In particular X q − X factors into three 2-sparse polynomials
of degree at most q/2.

2. Let q = 2t for integer t ≥ 2. Then (X q − X ) = Tr(X ) · (Tr(X ) − 1) where Tr(X ) = Tr Fq →F2 (X ) =

r −1
X + X 2 + X 4 + · · · + X 2 is the Trace map from Fq to F2 . In particular X q − X factors into
two (2 + log2 q)-sparse polynomials of degree q/2.

Proof. The case of odd q is obvious by inspection. Only aspect to be stressed is that (q − 1)/2 is
an integer.
For the case of even q, we use the fact that the trace map is a map from Fq to F2 . So every
α ∈ Fq satisfies Tr(α) = 0 or Tr(α) = 1. It follows that X − α divides Tr(X ) · (Tr(X ) − 1) for every
α. Consequently X q − X divides Tr(X ) · (Tr(X ) − 1). The identity X q − X = Tr(X ) · (Tr(X ) − 1) now
follows from the fact that both polynomials have the same degree and have leading coefficient
1.

The existence of such sparse polynomials with many roots is one of the remarkable aspects
of finite fields and leads to many algorithmic effects. We demonstrate this by showing how this
is utilized in root-finding.

Root finding algorithm

We now complete the root-finding algorithm. Recall that by letting g = gcd( f , X q − X ) we can
reduce to the case of polynomials that split into distinct linear factors in Fq . We now focus on
this case. We will also focus on the case of odd q for simplicity, though all we will use is the fact
that X q − X splits into sparse factors of degree at most q/2.
If we were lucky, then g would have two roots α and β with X − α dividing (X (q−1)/2 − 1) and
X − β not dividing it. Then we would have that g 1 = gcd(g , X (q−1)/2 − 1) would be a non-trivial
factor of g and we could recurse on g 1 and g 2 = g /g 1 . The key to the randomized root-finding
is that by an appropriate affine change of variables, we can try to arrange to be “lucky”.
Specifically, fix a ∈ F∗q and b ∈ Fq and let g a,b (X ) = g ((X − a)/b). We have the following
proposition.

Proposition D.7.7. Let g ∈ Fq [X ] have α 6= β as its roots. Then we have:

1. The coefficients of g a,b can be computed efficiently given a, b and the coefficients of g .

2. g a,b has aα + b and aβ + b as its roots.

3. If a ∈ F∗q and b ∈ Fq are chosen uniformly at random independently, then the probability
that exactly one of aα + b and aβ + b is a root of X (q−1)/2−1 is at least 1/2.

Proof. Parts (1) and (2) are straightforward to verify. For part (3) we note that for any pair of
distinct elements γ, δ ∈ Fq there is exactly one pair a ∈ F∗q and b ∈ Fq such that aα + b = γ and
aβ + b = δ. Since the fraction of distinct pairs γ, δ ∈ Fq such that exacty one of them comes

463
from a set of size (q − 1)/2 (the set of roots of X (q−1)/2 − 1) is at least 1/2 (the exact formula
is 1/2 + 1/(2q)) we have that the probability that exactly one of aα + b and aβ + b is a root of
X (q−1)/2−1 is at least 1/2.

We conclude by giving the full root-finding algorithm and summary of analysis of its run-
time.

Algorithm 49 R OOT-F IND (Fq , f )

I NPUT: Fq , f (X ) ∈ Fq [X ]
O UTPUT: Fq roots of f (X )

1: g ← gcd( f , X q − X )
2: IF g = 1 THEN
3: RETURN ;
4: RETURN L INEAR -R OOT-F IND (Fq , g ) ∪ R OOT-F IND (Fq , ( f /g ))

Algorithm 50 L INEAR-R OOT-F IND (Fq , g )

I NPUT: Fq , g (X ) ∈ Fq (X )
O UTPUT: Fq roots of g (X ) if g (X ) divides X q − X

1: IF deg(g ) = 1 THEN
2: RETURN {α} where g = X − α
3: REPEAT
4: Pick a ∈ F∗q and b ∈ Fq uniformly independently
5: g a,b ← g ((X − b)/a)
6: h 1 ← gcd(g a,b , X (q−1)/2−1 )
7: g 1 ← h 1 (a X + b)
8: UNTIL 0 < deg(g 1 ) < deg(g )
9: RETURN L INEAR -R OOT-F IND (Fq , g 1 ) ∪ L INEAR -R OOT-F IND (Fq , (g /g 1 ))

Lemma D.7.8. R OOT-F IND (Fq , f ) outputs the multiset of roots of f in expected time poly(n, log q).

Proof. Let n = deg( f ). It is straightforward to see that R OOT-F IND makes at most n calls to
L INEAR-R OOT-F IND. (This is a very weak estimate, but we leave out optimizations here, in favor
of simplicity.) By Proposition D.7.7, Part (3), we have that the loop in L INEAR-R OOT-F IND will be
executed an expected constant number of times before a non-trivial split is found. Finally, the
degrees of the polynomials in the two recursive calls add up to deg(g ) and so this leads to a tree
of recurvie calls of size at most n with each internal node and leaf performing poly(n, log q) work
(to compute the various gcds, and the transformation of variables). Thus the overall expected
running time is poly(n, log q).

464
D.8 Exercises
Exercise D.1. Let R be a commutative ring. Then prove the following:

1. If a is a unit in R, then b · a = 0 if and only if b = 0.

2. Using the previous part or otherwise, prove Proposition D.3.6.

Exercise D.2. Argue that every finite field F has a finite characteristic char(F).

Exercise D.3. Let F be a field with p elements for prime p. Argue that the map 1F → 1 can be
extended to an isomorphism between F and Zp .

Exercise D.4. Let G be an abelian group with identity 1 and let a ∈ G.

1. Argue that the map x → a · x for x ∈ G is a bijection.

2. Argue that Y Y
x = an · x.
x∈G x∈G

3. Using the previous part or otherwise prove Proposition D.5.4 for abelian groups.

Exercise D.5. Let p be a prime and let 0 ≤ i ≤ p. The show that

à ! (
p 1 if i = p or i = 0
mod p = .
i 0 otherwise

Exercise D.6. In this exercise we will argue that for every k that divides n, we have N (Zn , k) = k,
i.e. show that the number of elements of Zn that have an order that divides k is exactly k. Consider
the following:

1. Prove that n n o
S k = a · |0 ≤ a < k
k
is a sub-group of Zn .

2. Argue that any b ∈ Zn that has an order that divides k satisfies, k · b mod n = 0.

3. Argue that any b ∈ Zn \ S k it must be the case that k · b mod n 6= 0.

4. Argue that any b ∈ S k has an order that divides k.

5. Using the above parts or otherwise, argue that S k contains all elements of Zn with an order
that divides k. Conclude that N (Zn , k) = k.

Exercise D.7. If k divides n, then show that X k − 1 divides X n − 1.

Exercise D.8. Let K ✄ F and let α be an F-generator of K . Let p be the minimal polynomial in
F[X ] such that p(α) = 0. Argue that have p is irreducible.

465
Exercise D.9. Let K ✄ F and let α be an F-generator of K . Let p be the minimal polynomial in
F[X ] such that p(α) = 0. Argue that there is an isomorphism between K and F[x]/p obtained by
fixing F ✁ K and letting α 7→ X , which can be extended to all other elements.

Exercise D.10. Using notation in proof of Theorem D.5.15, prove that the map α 7→ β can be
extended to an isomorphism between K and L.

Exercise D.11. Argue that for any β ∈ Fq n , the norm function satisfies N (β)q = N (β).

466
Appendix E

Some Information Theory Essentials

We used the notions of Shannon entropy and conditional entropy in Chapter 6. This appendix
collects some basic facts relating to entropy and mutual information as a quick refresher. It is
very elementary and can be skipped by readers with basic familiarity with information theory.

E.1 Entropy
Let X be a discrete random variable, say,

 2
a
 3
1
X∼ b 6


c 1
6

and define H (X ) to be the entropy of the random variable X . We’d like the entropy to measure
the amount of information conveyed by the value of the random variable X , where the amount
of information is, roughly speaking, the amount of surprise we get from this random variable.
Suppose we had such a function S : [0, 1] → R+ that takes a probability and maps it to a
non-negative real. Let’s think about some natural properties of S.
Suppose we told you that X is a, b, or c. Are you surprised? No—because this occurs with
probability 1 and we already know this. So therefore we’d like S(1) = 0: flipping a two-headed
coin doesn’t give us any surprise.
Now suppose we told you that X = a. This is a little bit surprising, but X = b is more surpris-
ing because this is a rarer event. So we’d like S to satisfy S(p) > S(q) if p < q.
We’d also like S(x) to be a continuous function of x, because we’d like the surprise to not
exhibit jumps (if we had instead 
 2 −6
a 3 + 10

X ∼ b 61 − 10−6


c 1
6

our impression of the “surprise” of a should not be much different than the original X ).

467
 Now suppose X 1 and X 2 are two independent instantiations of X . It’s natural for our surprise
from X 1 = a and X 2 = b to be additive (as each event “adds” to our surprise):
µ ¶ µ ¶ µ ¶
2 1 2 1
S · =S +S
3 3 3 3
which means we must have S(pq) = S(p) + S(q).
³ ´
Exercise E.1.1. The only S that satisfies the above requirements is S(p) = c log2 p1 , c > 0. A con-
venient normalization constant is that we are unit surprised by a fair coin flip (S(1/2) = 1), which
sets c = 1.
Definition E.1.2 (Entropy). The entropy of a discrete random variable X , denoted H (X ), is the
average surprise for an outcome of X :
µ ¶
1 X 1
Ex log2 = p(x) log2 ,
Pr(X = x) x∈supp(X ) p(x)

where we define 0 log2 01 = 0 and supp (() X ) is the support of X (i.e. the values x such that Pr[X =
x] 6= 0).
We have the following obvious facts:
1. H (X ) ≥ 0; H (X ) = 0 if and only if X is deterministic.

2. Let X ∈ {0, 1} be such that X = 1 with probability p and 0 with probability 1 − p. In this
case µ ¶ µ ¶
1 1
H (X ) = p log2 + (1 − p) log2 = H2 (X ),
p 1−p
which we have seen earlier in the book.

3. Let X be uniform on {a 1 , . . . , a n }. Then, note that

n 1 µ ¶
X 1
H (X ) = · log2 = log2 n.
i =1 n 1/n

Lemma E.1.3. |supp (X ) | = n implies that H (X ) ≤ log2 n.

Proof. We use Jensen’s inequality:
p for convex functions f , we have E[ f (x)] ≤ f (E[x]) (this im-
2 2
p
plies E[X ] ≥ E[X ] and E[ X ] ≤ E[X ].) Since we have
· ¸
1
H (X ) = Ex←X log
p(x)
µ ¶
1
≤ log Ex←X = log n
p(x)
where we have applied Jensen’s inequality to the expression with f (x) = log x while using the
random variable Z ∼ 1/p(x) w.p. p(x):
£ ¤
H (X ) = E Z log Z .

468
Communication. Let’s see if we can derive the binary entropy function in a different setting.
Suppose X ← Bernoulli(1/2), then H (X ) = 1. And if X ← Bernoulli(1), then H (X ) = 0. Now
suppose X ← Bernoulli(p), and we have X 1 , X 2 , . . . , X n iid samples from this distribution, repre-
sented as a bitstring {0, 1}n . A way to communicate this¡in¢ an efficient way is that we first send
k, the number of 1 bits in the string, and then use ⌈log2 nk ⌉ bits to reveal which subset those 1s
go in. The expected number of bits communicated with this scheme is
à ! & à !'
Xn n n
E(number of bits) = ⌈log2 n⌉ + p k (1 − p)n−k log2 .
| {z } k=0 k k
sending k | {z }
number of bits required for each k

What we are interested is the average fraction of bits we need as the number of bits as n grows
large: limn→∞ n1 E(number of bits). Dividing our expression by n, we can omit the first term
(log n/n → 0 as n → ∞) and we can use Stirling’s approximation (or the intuitive concept that if
k is far from pn the term in the sum is close to zero) to obtain that

1 1 1
lim E(number of bits) = h(p) = p log2 + (1 − p) log2 ,
n→∞ n p 1−p

which tells us that we can take H (Bernoulli(p)) bits, on average, to communicate a Bernoulli(p)
random variable.
Non-binary random variable. We can extend this definition of entropy in the communi-
cations context to non-binary random variables. Suppose X ← {a 1 , . . . , a n }. Suppose we have
related variables (
1 X = a1
Z1 =
0 else
and  p2
 a
 2
 1−p 1
..
Z2 = . .


 pn
an 1−p 1

We can break
H (X ) = H (Z1 ) + Pr(Z1 = 0)H (Z2 ),
as we need to communicate Z1 and then, if Z1 is 0, we need to communicate Z2 . Since we
know how to compute H (Z1 ) from the binary case, we can recursively use this to obtain H (X ) =
Pn
i =1 p i log 1/p i , which is the same expression as we got before.

E.2 Joint and conditional entropy

If our variable Z is actually a pair of random variables, i.e. Z = (X , Y ), then we already have
defined H (Z ). However, as it’ll become clear shortly it is beneficial to explicitly (re)define the
joint entropy H (X , Y ):

469
Definition E.2.1 (Joint entropy). Let X and Y be two possibly correlated random variables. The
joint entropy of X and Y , denoted H (X , Y ), is
X 1
H (X , Y ) = p(x, y) log ,
x,y p(x, y)

where p(x, y) is defined to be Pr(X = x ∧ Y = y).

If X and Y are independent, p(x, y) = p(x)p(y) and
µ ¶
X 1 1
H (X , Y ) = p(x)p(y) log + log = H (X ) + H (Y ).
x,y p(x) p(y)

In general,
X 1
H (X , Y ) = p(x, y) log ,
x,y p(x)p(y|x)
where p(y|x) = Pr(Y = y|X = x).
We can then do the following calculation:
X 1
H (X , Y ) = p(x, y) log
x,y p(x)p(y|x)
X 1 X 1
= p(x, y) log + p(x, y) log
x,y p(x) x,y p(y|x)
X 1 X X 1
= p(x) log + p(x) p(y|x) log
x p(x) x y p(y|x)
X
= H (X ) + p(x)H (Y |X = x)
x
= H (X ) + Ex [H (Y |X = x)].

This motivates the definition of conditional entropy:

Definition E.2.2 (Conditional entropy). The conditional entropy of Y given X is

H (Y |X ) = Ex [H (Y |X = x)].

Our calculation then shows this lemma:

Lemma E.2.3. H (X , Y ) = H (X ) + H (Y |X ).
Intuitively, this says that how surprised we are by drawing from the joint distribution of X
and Y is how surprised we are by X plus how surprised we are by Y given that we know X
already.
Note that if X and Y are independent, H (Y |X ) = H (Y ) and H (X , Y ) = H (X ) + H (Y ).
Recall the chain rule for probability: p(x, y) = p(x)p(y|x), or, more generally,

p(x 1 , . . . , x n ) = p(x 1 )p(x 2 |x 1 ) . . . p(x n |x 1 , . . . , x n ).

There is a similar chain rule for entropy:

470
Theorem E.2.4 (Chain rule). For random variables X , Y , and Z ,
H (X , Y , Z ) = H (X ) + H (Y |X ) + H (Z |X , Y ).
For n random variables X 1 , . . . , X n ,
H (X 1 , X 2 , . . . , X n ) = H (X 1 ) + H (X 2 |X 1 ) + · · · + H (X n |X 1 , X 2 , . . . , X n−1 ).
The log in the definition of entropy changes the multiplication in the probability chain rule
to addition. Also, the order of the random variables does not matter. For example, it also holds
that
H (X , Y ) = H (Y ) + H (X |Y ).
Note that H (X |X ) = 0.
Example E.2.5. Let X be a random variable that is uniform on {0, 1, 2, 3}. Let Y = X mod 2.
Clearly, H (X ) = 2.
H (Y ) = 1 since Y is uniform on {0, 1}.
H (X |Y ) = 1 because knowing Y tells us if X is odd or even.
H (Y |X ) = 0 since knowing X tell us the exact value of Y .
H (X , Y ) = 2 because X tells us everything about X and Y .
Intuitively, it seems like conditioning should never increase entropy: knowing more should
never increase our surprise. This is indeed the case:
Lemma E.2.6 (Conditioning cannot increase entropy). H (Y |X ) ≤ H (Y ).
Proof. First, we have that
H (Y |X ) − H (Y ) = H (X , Y ) − H (X ) − H (Y )
X 1 X 1 X 1
= p(x, y) log − p(x) log − p(y) log .
x,y p(x, y) x p(x) y p(y)
P P
Since p(x) = y p(x, y) and p(y) = x p(x, y),
X p(x)p(y)
H (Y |X ) − H (Y ) = p(x, y) log .
x,y p(x, y)
p(x)p(y)
We now define Z to be a random variable taking value p(x,y) with probability p(x, y), so

H (Y |X ) − H (Y ) = Ex,y [log Z ]
≤ log E[Z ] by Jensen’s Inequality
à !
X p(x)p(y)
= log p(x, y)
x,y p(x, y)
õ ¶Ã !!
X X
= log p(x) p(y)
x y

= log 1
= 0.

471
 As a corollary, we have a statement similar to the union bound:

Corollary E.2.7. For random variables X and Y ,

H (X , Y ) ≤ H (X ) + H (Y ).

More generally, for random variables X 1 , . . . , X n ,

n
X
H (X 1 , . . . , X n ) ≤ H (X i ).
i =1

Exercise E.2.8. For a random variable X with support size n, we can think of entropy as a func-
tion from [0, 1]n to R≥0 . If X takes on n different values with probabilities p 1 , · · · , p n , then for
P
p = (p 1 , · · · , p n ), H (p) = ni=1 p i log p1 . Show that H (p) is a concave function, i.e., show
i

H (λp + (1 − λ)q) ≥ λH (p) + (1 − λ)H (q)

for all λ ∈ [0, 1], p, q ∈ [0, 1]n .

E.3 Mutual information

Definition E.3.1 (Mutual information). The mutual information between random variables X
and Y , denoted I (X ; Y ), is
I (X ; Y ) = H (X ) − H (X |Y ).

Intuitively, mutual information is the reduction in the uncertainty of X that comes from
knowing Y .
We can write I (X ; Y ) in several other equivalent ways:

I (X ; Y ) = H (X ) − H (X |Y )
= H (X ) − (H (X , Y ) − H (Y ))
= H (X ) + H (Y ) − H (X , Y )
= H (Y ) − H (Y |X )
= I (X ; Y )

Note that I (X ; Y ) = I (Y ; X ).
The next lemma follows from the fact that conditioning cannot increase entropy.

Lemma E.3.2. I (X ; Y ) ≥ 0.

Also, if X and Y are independent, I (X ; Y ) = 0.

Example E.3.3. Consider X and Y as defined in Example E.2.5. Then

I (X ; Y ) = H (X ) − H (X |Y ) = 2 − 1 = 1.

472
Figure E.1: Relationship between entropy, joint entropy, conditional entropy, and mutual infor-
mation for two random variables.

Example E.3.4. Let the Zi ’s be i.i.d. random variables that are uniform over {0, 1}. Let X =
Z1 Z2 Z3 Z4 Z5 and Y = Z4 Z5 Z6 Z7 . Then I (X ; Y ) = 2 since X and Y have 2 bits in common.

We show the relationship between entropy, joint entropy, conditional entropy, and mutual
information for two random variables X and Y in Figure 5.1.
We can also define a conditional version of mutual information.

Definition E.3.5 (Conditional mutual information). The conditional mutual information be-
tween X and Y given Z is

I (X ; Y |Z ) = H (X |Z ) − H (X |Y , Z )
= H (Y |Z ) − H (Y |X , Z ).

Exercise E.3.6. Prove the chain rule for mutual information:

n
X
I (X 1 , X 2 , . . . , X n ; Y ) = I (X i ; Y |X 1 , X 2 , . . . , X i −1 ).
i =1

Note that the order of the X i ’s does not matter.

Exercise E.3.7. It is not true that conditioning never inreases mutual information. Give an ex-
ampleof random variables X , Y , X where I (X ; Y |Z ) > I (X ; Y ).

473