Locally Decodable Codes From Nice Subsets of Finite Fields and Prime Factors of Mersenne Numbers


Abstract

A -query Locally Decodable Code (LDC) encodes an -bit message as an -bit codeword such that one can probabilistically recover any bit of the message by querying only bits of the codeword , even after some constant fraction of codeword bits has been corrupted. The major goal of LDC related research is to establish the optimal trade-off between length and query complexity of such codes.

Recently [34] introduced a novel technique for constructing locally decodable codes and vastly improved the upper bounds for code length. The technique is based on Mersenne primes. In this paper we extend the work of [34] and argue that further progress via these methods is tied to progress on an old number theory question regarding the size of the largest prime factors of Mersenne numbers.

Specifically, we show that every Mersenne number that has a prime factor yields a family of -query locally decodable codes of length Conversely, if for some fixed and all one can use the technique of [34] to obtain a family of -query LDCs of length then infinitely many Mersenne numbers have prime factors larger than known currently.

1 Introduction

Classical error-correcting codes allow one to encode an -bit string into an -bit codeword in such a way that can still be recovered even if gets corrupted in a number of coordinates. It is well-known that codewords of length already suffice to correct errors in up to locations of for any constant The disadvantage of classical error-correction is that one needs to consider all or most of the (corrupted) codeword to recover anything about Now suppose that one is only interested in recovering one or a few bits of In such a case more efficient schemes are possible. Such schemes are known as locally decodable codes (LDCs). Locally decodable codes allow reconstruction of an arbitrary bit from looking only at randomly chosen coordinates of where can be as small as Locally decodable codes have numerous applications in complexity theory [15, 29], cryptography [6, 11] and the theory of fault tolerant computation [24]. Below is a slightly informal definition of LDCs:

A -locally decodable code encodes -bit strings to -bit codewords such that for every the bit can be recovered with probability by a randomized decoding procedure that makes only queries, even if the codeword is corrupted in up to locations.

One should think of and as constants. The main parameters of interest in LDCs are the length and the query complexity Ideally we would like to have both of them as small as possible. The concept of locally decodable codes was explicitly discussed in various papers in the early 1990s [2, 28, 21]. Katz and Trevisan [15] were the first to provide a formal definition of LDCs. Further work on locally decodable codes includes [3, 8, 20, 4, 16, 30, 34, 33, 14, 23].

Below is a brief summary of what was known regarding the length of LDCs prior to [34]. The length of optimal -query LDCs was settled by Kerenidis and de Wolf in [16] and is 1 The best upper bound for the length of -query LDCs was due to Beimel et al. [3], and the best lower bound is  [33]. For general (constant) the best upper bound was due to Beimel et al. [4] and the best lower bound is  [33].

The recent work [34] improved the upper bounds to the extent that it changed the common perception of what may be achievable [12, 11]. [34] introduced a novel technique to construct codes from so-called nice subsets of finite fields and showed that every Mersenne prime yields a family of -query LDCs of length Based on the largest known Mersenne prime [9], this translates to a length of less than Combined with the recursive construction from [4], this result yields vast improvements for all values of It has often been conjectured that the number of Mersenne primes is infinite. If indeed this conjecture holds, [34] gets three query locally decodable codes of length for infinitely many Finally, assuming that the conjecture of Lenstra, Pomerance and Wagstaff [31, 22, 32] regarding the density of Mersenne primes holds, [34] gets three query locally decodable codes of length for all for every

1.1 Our results

In this paper we address two natural questions left open by [34]:

1. Are Mersenne primes necessary for the constructions of [34]?

2. Has the technique of [34] been pushed to its limits, or can one construct better codes through a more clever choice of nice subsets of finite fields?

We extend the work of [34] and answer both of the questions above. In what follows let denote the largest prime factor of We show that one does not necessarily need to use Mersenne primes. It suffices to have Mersenne numbers with polynomially large prime factors. Specifically, every Mersenne number such that yields a family of -query locally decodable codes of length A partial converse also holds. Namely, if for some fixed and all one can use the technique of [34] to (unconditionally) obtain a family of -query LDCs of length then for infinitely many we have

$$P(2^t - 1) \geq (t/2)^{1 + 1/(k-2)}. \quad (1)$$

The bound (1) may seem quite weak in light of the widely accepted conjecture saying that the number of Mersenne primes is infinite. However (for any ) this bound is substantially stronger than what is currently known unconditionally. Lower bounds for have received a considerable amount of attention in the number theory literature [25, 26, 10, 27, 19, 18]. The strongest result to date is due to Stewart [27]. It says that for all integers ignoring a set of asymptotic density zero, and for all functions where tends to zero monotonically and arbitrarily slowly:

$$P(2^t - 1) > \epsilon(t)\, t\, (\log t)^2 / \log\log t. \quad (2)$$

There are no better bounds known to hold for infinitely many values of unless one is willing to accept some number theoretic conjectures [19, 18]. We hope that our work will further stimulate the interest in proving lower bounds for in the number theory community.

In summary, we show that one may be able to improve the unconditional bounds of [34] (say, by discovering a new Mersenne number with a very large prime factor) using the same technique. However any attempts to reach the length for some fixed query complexity and all require either progress on an old number theory problem or some radically new ideas.

In this paper we deal only with binary codes for the sake of clarity of presentation. We remark however that our results as well as the results of [34] can be easily generalized to larger alphabets. Such generalization will be discussed in detail in [35].

1.2 Outline

In section 3 we introduce the key concepts of [34], namely that of combinatorial and algebraic niceness of subsets of finite fields. We also briefly review the construction of locally decodable codes from nice subsets. In section 4 we show how Mersenne numbers with large prime factors yield nice subsets of prime fields. In section 5 we prove a partial converse. Namely, we show that every finite field containing a sufficiently nice subset is an extension of a prime field where is a large prime factor of a large Mersenne number. Our main results are summarized in sections 4.3 and 5.4.

2 Notation

We use the following standard mathematical notation:

• denotes integers modulo

• is a finite field of elements;

• denotes the Hamming distance between binary vectors and

• stands for the dot product of vectors and

• For a linear space denotes the dual space. That is,

• For an odd prime denotes the smallest integer such that

3 Nice subsets of finite fields and locally decodable codes

In this section we introduce the key technical concepts of [34], namely that of combinatorial and algebraic niceness of subsets of finite fields. We briefly review the construction of locally decodable codes from nice subsets. Our review is concise although self-contained. We refer the reader interested in a more detailed and intuitive treatment of the construction to the original paper [34]. We start by formally defining locally decodable codes.

Definition 1

A binary code is said to be -locally decodable if there exists a randomized decoding algorithm such that

1. For all and such that Pr where the probability is taken over the random coin tosses of the algorithm

2. makes at most queries to

We now introduce the concepts of combinatorial and algebraic niceness of subsets of finite fields. Our definitions are syntactically slightly different from the original definitions in [34]. We prefer these formulations since they are more appropriate for the purposes of the current paper. In what follows let denote the multiplicative group of

Definition 2

A set is called combinatorially nice if for some constant and every positive integer there exist two -sized collections of vectors and in such that

• For all

• For all such that

Definition 3

A set is called algebraically nice if is odd and there exists an odd and two sets such that

• is not empty;

• For all and

The following lemma shows that for an algebraically nice set the set can always be chosen to be large. It is a straightforward generalization of [34, lemma 15].

Lemma 4

Let be a algebraically nice set. Let be sets from the definition of algebraic niceness of One can always redefine the set to satisfy

• Proof:   Let be the linear subspace of spanned by the incidence vectors of the sets for and Observe that is invariant under the actions of a -transitive permutation group (permuting the coordinates in accordance with addition in ). This implies that the space is also invariant under the actions of the same group. Note that has positive dimension since it contains the incidence vector of the set The last two observations imply that has full support, i.e., for every there exists a vector such that It is easy to verify that any linear subspace of that has full support contains a vector of Hamming weight at least Let be such a vector. Redefining the set to be the set of nonzero coordinates of we conclude the proof.

We now proceed to the core proposition of [34] that shows how sets exhibiting both combinatorial and algebraic niceness yield locally decodable codes.

Proposition 5

Suppose is combinatorially nice and algebraically nice; then for every positive integer there exists a code of length that is locally decodable for all

• Proof:   Our proof comes in three steps. We specify encoding and local decoding procedures for our codes and then argue the lower bound for the probability of correct decoding. We use the notation from definitions 2 and 3.

Encoding: We assume that our message has length for some value of (Otherwise we pad the message with zeros. It is easy to see that such padding does not affect the asymptotic length of the code.) Our code will be linear. Therefore it suffices to specify the encoding of unit vectors where has length and a unique non-zero coordinate We define the encoding of to be a long vector, whose coordinates are labelled by elements of For all we set:

$$\mathrm{Enc}(e_j)_w = \begin{cases} 1, & \text{if } (u_j, w) \in S_0; \\ 0, & \text{otherwise.} \end{cases} \quad (3)$$

It is straightforward to verify that we defined a code encoding bits to bits.

Local decoding: Given a (possibly corrupted) codeword and an index the decoding algorithm picks such that uniformly at random, reads coordinates of and outputs the sum:

$$\sum_{\lambda \in S_1} y_{w + \lambda v_i}. \quad (4)$$

Probability of correct decoding: First we argue that decoding is always correct if picks such that all bits of in locations are not corrupted. We need to show that for all and such that :

$$\sum_{\lambda \in S_1} \Big( \sum_{j=1}^{n} x_j\, \mathrm{Enc}(e_j) \Big)_{w + \lambda v_i} = x_i. \quad (5)$$

Note that

$$\sum_{\lambda \in S_1} \Big( \sum_{j=1}^{n} x_j\, \mathrm{Enc}(e_j) \Big)_{w + \lambda v_i} = \sum_{j=1}^{n} x_j \sum_{\lambda \in S_1} \mathrm{Enc}(e_j)_{w + \lambda v_i} = \sum_{j=1}^{n} x_j \sum_{\lambda \in S_1} I[(u_j, w + \lambda v_i) \in S_0], \quad (6)$$

where if and zero otherwise. Now note that

$$\sum_{\lambda \in S_1} I[(u_j, w + \lambda v_i) \in S_0] = \sum_{\lambda \in S_1} I[(u_j, w) + \lambda (u_j, v_i) \in S_0] = \begin{cases} 1, & \text{if } i = j, \\ 0, & \text{otherwise.} \end{cases} \quad (7)$$

The last identity in (7) for follows from: and is odd. The last identity for follows from and the algebraic niceness of Combining identities (6) and (7) we get (5).

Now assume that up to fraction of bits of are corrupted. Let denote the set of coordinates whose labels belong to Recall that by lemma 4, Thus at most fraction of coordinates in contain corrupted bits. Let be the family of -tuples of coordinates that may be queried by implies that elements of uniformly cover the set Combining the last two observations we conclude that with probability at least picks an uncorrupted -tuple and outputs the correct value of

All locally decodable codes constructed in this paper are obtained by applying proposition 5 to certain nice sets. Thus all our codes have the same dependence of (the probability of the decoding error) on (the fraction of corrupted bits). In what follows we often ignore these parameters and consider only the length and query complexity of codes.

4 Mersenne numbers with large prime factors yield nice subsets of prime fields

In what follows let denote the multiplicative subgroup of generated by In [34] it is shown that for every Mersenne prime the set is simultaneously algebraically nice and combinatorially nice. In this section we prove the same conclusion for a substantially broader class of primes.

Lemma 6

Suppose is an odd prime; then is combinatorially nice.

• Proof:   Let Clearly, divides We need to specify a constant such that for every positive integer there exist two -sized collections of long vectors over satisfying:

• For all

• For all such that

First assume that has the shape for some integer In this case [34, lemma 13] gives us a collection of vectors with the right properties. Observe that for a constant that depends only on and Now assume does not have the right shape, and let be the largest integer smaller than that does have it. In order to get vectors of length we use vectors of length coming from [34, lemma 13] padded with zeros. It is not hard to verify such a construction still gives us large families of vectors for a suitably chosen constant

We use the standard notation to denote the algebraic closure of the field Also let denote the multiplicative subgroup of -th roots of unity in . The next lemma generalizes [34, lemma 14].

Lemma 7

Let be a prime and be odd. Suppose there exist such that

$$\zeta_1 + \ldots + \zeta_k = 0; \quad (8)$$

then is algebraically nice.

• Proof:   In what follows we define the set and prove the existence of a set such that together and yield algebraic niceness of Identity 8 implies that there exists an odd integer and distinct -th roots of unity such that

$$\zeta'_1 + \ldots + \zeta'_{k'} = 0. \quad (9)$$

Let Observe that Let be a generator of Identity (9) yields for some distinct values of Set

Consider a natural one to one correspondence between subsets of and polynomials in the ring It is easy to see that for all sets and all such that

$$\phi_{\alpha + \beta S'}(x) = x^{\alpha}\, \phi_{S'}(x^{\beta}).$$

Let be a variable ranging over and be a variable ranging over We are going to argue the existence of a set that has even intersections with all sets of the form by showing that all polynomials belong to a certain linear space of dimension less than In this case any nonempty set such that can be used as the set Let Note that since is a common root of and Let be the space of polynomials in that are multiples of Clearly, Fix some and Let us prove that is in

$$\phi_{\alpha + \beta S_1}(x) = x^{\alpha}\, \phi_{S_1}(x^{\beta}) = x^{\alpha} \big( \phi_{S_1}(x) \big)^{\beta}.$$

The last identity above follows from the fact that for any and any integer

In what follows we present sufficient conditions for the existence of -tuples of -th roots of unity in that sum to zero. We treat the case separately since in that case we can use a specialized argument to derive a more explicit conclusion.

4.1 A sufficient condition for the existence of three p-th roots of unity summing to zero

Lemma 8

Let be an odd prime. Suppose then there exist three -th roots of unity in that sum to zero.

• Proof:   We start with a brief review of some basic concepts of projective algebraic geometry. Let be a field, and be a homogeneous polynomial. A triple is called a zero of if A zero is called nontrivial if it is different from the origin. An equation defines a projective plane curve . Nontrivial zeros of considered up to multiplication by a scalar are called -rational points of If is a finite field it makes sense to talk about the number of -rational points on a curve.

Let Note that Consider a projective plane Fermat curve defined by

$$x^{(2^t - 1)/p} + y^{(2^t - 1)/p} + z^{(2^t - 1)/p} = 0. \quad (10)$$

Let us call a point on trivial if one of the coordinates of is zero. Cyclicity of implies that contains exactly trivial -rational points. Note that every nontrivial point of yields a triple of elements of that sum to zero. The classical Weil bound [17, p. 330] provides an estimate

$$|N_q - (q + 1)| \leq (d - 1)(d - 2)\sqrt{q} \quad (11)$$

for the number of -rational points on an arbitrary smooth projective plane curve of degree (11) implies that in case

$$2^t + 1 > \Big( \frac{2^t - 1}{p} - 1 \Big) \Big( \frac{2^t - 1}{p} - 2 \Big) 2^{t/2} + 3\, \frac{2^t - 1}{p} \quad (12)$$

there exists a nontrivial point on the curve (10). Note that (12) follows from

$$2^t + 1 > \Big( \frac{2^t}{p} \Big) \Big( \frac{2^t}{p} \Big) 2^{t/2} - \frac{2^{3t/2 + 1}}{p} + 3 \cdot \frac{2^t}{p}, \quad (13)$$

and (13) follows from

$$2^t > 2^{2t + t/2} / p^2 \quad \text{and} \quad 2^{t/2 + 1} > 3.$$

Now note that the first inequality above follows from and the second follows from

Note that the constant in lemma 8 cannot be improved to 2: there are no three elements of that sum to zero, even though
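A worked instance of Proposition 5 together with Lemmas 7 and 8, added here as an illustration and not taken from this paper or from [34]: for the Mersenne prime p = 7 = 2^3 - 1, three 7-th roots of unity in F_8 that sum to zero give S_1, a set S_0 with even intersections with every α + βS_1 is found by exhaustive search, and a 3-query code over F_7 is encoded, corrupted and locally decoded. The combinatorially nice family u_i = 1 - e_i, v_i = e_i in F_7^n is an assumption of the example (it has exponential length 7^n, unlike the families of [34, lemma 13], and is used only because it is easy to check); the message bits and the corruption pattern are constructed sample inputs.

```python
import random
from itertools import combinations, product

P, T = 7, 3                            # Mersenne prime p = 2^t - 1 with t = 3
S = {pow(2, i, P) for i in range(T)}   # subgroup of F_7^* generated by 2: {1, 2, 4}

def gf8_pow(e):
    """g^e in F_8 = F_2[x]/(x^3 + x + 1); elements are 3-bit ints, g = x."""
    v = 1
    for _ in range(e):
        v <<= 1
        if v & 0b1000:
            v ^= 0b1011
    return v

def find_s1():
    """Exponents of three distinct 7-th roots of unity in F_8 summing to zero (Lemma 7)."""
    for a, b, c in combinations(range(P), 3):
        if gf8_pow(a) ^ gf8_pow(b) ^ gf8_pow(c) == 0:
            return {a, b, c}

def find_s0(s1):
    """Largest S_0 with |S_0 ∩ (α + βS_1)| even for all α in F_p, β in S (Def. 3 / Lemma 4)."""
    shifts = [{(a + b * lam) % P for lam in s1} for a in range(P) for b in S]
    best = set()
    for mask in range(1, 1 << P):            # all 127 nonempty subsets of F_7
        s0 = {i for i in range(P) if mask >> i & 1}
        if all(len(s0 & sh) % 2 == 0 for sh in shifts) and len(s0) > len(best):
            best = s0
    return best

def nice_vectors(n):
    """Assumed (trivial) combinatorially nice family: (u_i, v_i) = 0, (u_j, v_i) = 1 ∈ S for j != i."""
    u = [[0 if k == i else 1 for k in range(n)] for i in range(n)]
    v = [[1 if k == i else 0 for k in range(n)] for i in range(n)]
    return u, v

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % P

def encode(msg, s0):
    """Enc(x)_w = sum_j x_j [(u_j, w) ∈ S_0] mod 2, coordinates labelled by w ∈ F_p^n (eq. 3)."""
    n = len(msg)
    u, _ = nice_vectors(n)
    return {w: sum(msg[j] for j in range(n) if dot(u[j], w) in s0) % 2
            for w in product(range(P), repeat=n)}

def local_sum(y, i, w, s1):
    """Sum of the |S_1| codeword bits y_{w + λ v_i}, λ ∈ S_1 (eq. 4); equals x_i if uncorrupted."""
    n = len(w)
    _, v = nice_vectors(n)
    return sum(y[tuple((w[k] + lam * v[i][k]) % P for k in range(n))] for lam in s1) % 2

def decode(y, i, s0, s1, rng):
    """Pick w with (u_i, w) ∈ S_0 uniformly at random and output the local sum."""
    n = len(next(iter(y)))
    u, _ = nice_vectors(n)
    w = rng.choice([w for w in y if dot(u[i], w) in s0])
    return local_sum(y, i, w, s1)

def success_rate(msg, delta, trials=200, seed=1):
    """Encode msg, flip a δ fraction of codeword bits (constructed corruption), decode every bit."""
    rng = random.Random(seed)
    s1 = find_s1()
    s0 = find_s0(s1)
    y = encode(msg, s0)
    for w in rng.sample(sorted(y), int(delta * len(y))):
        y[w] ^= 1
    n = len(msg)
    hits = sum(decode(y, i, s0, s1, rng) == msg[i] for _ in range(trials) for i in range(n))
    return hits / (trials * n)
```

With no corruption every choice of w recovers x_i exactly, which is identity (5); with a 5% corruption rate the empirical decoding error stays below the 3·δ/|S_0|-type bound from the proof of Proposition 5.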

4.2 A sufficient condition for the existence of kp-th roots of unity summing to zero

Our argument in this section comes in three steps. First we briefly review the notion of (additive) Fourier coefficients of subsets of Next, we invoke a folklore argument to show that subsets of with appropriately small nontrivial Fourier coefficients contain -tuples of elements that sum to zero. Finally, we use a recent result of Bourgain and Chang [5] (generalizing the classical estimate for Gauss sums) to argue that (under certain constraints on ) all nontrivial Fourier coefficients of are small.

For let denote the trace of It is not hard to verify that for all Characters of are homomorphisms from the additive group of into the multiplicative group There exist characters. We denote characters by where ranges in and set Let denote the incidence function of a set For arbitrary the Fourier coefficient is defined by where the sum is over all Fourier coefficient is called trivial, and other Fourier coefficients are called nontrivial. In what follows stands for summation over all characters of We need the following two standard properties of characters and Fourier coefficients.

$$\sum_{\chi} \chi(x) = \begin{cases} 2^t, & \text{if } x = 0; \\ 0, & \text{otherwise.} \end{cases} \quad (14)$$
$$\sum_{\chi} \chi^2(C) = 2^t |C|. \quad (15)$$

The following lemma is folklore.

Lemma 9

Let and be a positive integer. Let be the largest absolute value of a nontrivial Fourier coefficient of Suppose

$$\frac{F}{|C|} < \Big( \frac{|C|}{2^t} \Big)^{1/(k-2)} \quad (16)$$

then there exist elements of that sum to zero.

• Proof:   Let  (14) yields

$$M(C) = \frac{1}{2^t} \sum_{x_1, \ldots, x_k \in \mathbb{F}_{2^t}} C(x_1) \ldots C(x_k) \sum_{\chi} \chi(x_1 + \ldots + x_k). \quad (17)$$

Note that Changing the order of summation in (17) we get

$$M(C) = \frac{1}{2^t} \sum_{\chi} \sum_{x_1, \ldots, x_k \in \mathbb{F}_{2^t}} C(x_1) \ldots C(x_k)\, \chi(x_1) \ldots \chi(x_k) = \frac{1}{2^t} \sum_{\chi} \chi^k(C). \quad (18)$$

Note that

$$\frac{1}{2^t} \sum_{\chi} \chi^k(C) = \frac{|C|^k}{2^t} + \frac{1}{2^t} \sum_{\chi \neq \chi_0} \chi^k(C) \geq \frac{|C|^k}{2^t} - F^{k-2}\, \frac{1}{2^t} \sum_{\chi} \chi^2(C) = \frac{|C|^k}{2^t} - F^{k-2} |C|, \quad (19)$$

where the last identity follows from (15). Combining (18) and (19) we conclude that (16) implies

The following lemma is a special case of [5, theorem 1].

Lemma 10

Assume that and satisfies the condition

$$\gcd\Big( n, \frac{2^t - 1}{2^{t'} - 1} \Big) < 2^{t(1 - \epsilon) - t'}, \quad \text{for all } 1 \leq t'$$

where is arbitrary and fixed. Then for all

$$\Big| \sum_{x \in \mathbb{F}_{2^t}} (-1)^{\mathrm{Tr}(a x^n)} \Big|$$

where and are absolute constants.

Below is the main result of this section. Recall that denotes the set of -th roots of unity in

Lemma 11

For every there exists an odd integer such that the following implication holds. If is an odd prime and then some elements of sum to zero.

• Proof:   Note that if there exist elements of a set that sum to zero, where is odd; then there exist elements of that sum to zero for every odd Also note that the sum of all -th roots of unity is zero. Therefore given it suffices to prove the existence of an odd that works for all sufficiently large Let Observe that Assume is sufficiently large so that Next we show that the precondition of lemma 10 holds for and Let and Clearly Therefore

$$\gcd\Big( \frac{2^t - 1}{p}, \frac{2^t - 1}{2^{t'} - 1} \Big) = \frac{2^t - 1}{p\, (2^{t'} - 1)} < \frac{2^{t(1 - 1/c)}}{2^{t'} - 1}, \quad (21)$$

where the inequality follows from Clearly, yields Multiplying the right hand side of (21) by and using we get

$$\gcd\Big( \frac{2^t - 1}{p}, \frac{2^t - 1}{2^{t'} - 1} \Big) < 2^{t(1 - 1/(2c)) - t'}. \quad (22)$$

Combining (22) with lemma 10 we conclude that there exist and such that for all

 Missing or unrecognized delimiter for \right (23)

Observe that takes every value in exactly times when ranges over Thus (23) implies

$$(2^t - 1)(F/p)$$

where denotes the largest nontrivial Fourier coefficient of  (24) yields Pick to be the smallest odd integer such that We now have

$$\frac{F}{p} < 2^{-\frac{(1 - 1/c)\, t}{k - 2}} \quad (25)$$

for all sufficiently large values of Combining with (25) we get

$$\frac{F}{|C_p|} < \Big( \frac{|C_p|}{2^t} \Big)^{1/(k-2)},$$

and the application of lemma 9 concludes the proof.

4.3 Summary

In this section we summarize our positive results and show that one does not necessarily need to use Mersenne primes to construct locally decodable codes via the methods of [34]. It suffices to have Mersenne numbers with polynomially large prime factors. Recall that denotes the largest prime factor of an integer Our first theorem gets -query LDCs from Mersenne numbers with prime factors larger than

Theorem 12

Suppose then for every message length there exists a three query locally decodable code of length

• Proof:   Let Observe that and yield Combining lemmas 8, 7 and 6 with proposition 5 we obtain the statement of the theorem.

As an example application of theorem 12 one can observe that yields a family of three query locally decodable codes of length Theorem 12 immediately yields:

Theorem 13

Suppose for infinitely many we have then for every there exists a family of three query locally decodable codes of length

The next theorem gets constant query LDCs from Mersenne numbers with prime factors larger than for every value of

Theorem 14

For every there exists an odd integer such that the following implication holds. Suppose then for every message length there exists a query locally decodable code of length

• Proof:   Let Observe that and yield Combining lemmas 22, 7 and 6 with proposition 5 we obtain the statement of the theorem.

As an immediate corollary we get:

Theorem 15

Suppose for some and infinitely many we have then there is a fixed such that for every there exists a family of query locally decodable codes of length

5 Nice subsets of finite fields yield Mersenne numbers with large prime factors

Definition 16

We say that a sequence of subsets of finite fields is -nice if every is algebraically nice and combinatorially nice, for some integer valued monotonically increasing function

The core proposition 5 asserts that a subset that is algebraically nice and combinatorially nice yields a family of -query locally decodable codes of length Clearly, to get -query LDCs of length for some fixed and every via this proposition, one needs to exhibit a -nice sequence. In this section we show how the existence of a -nice sequence implies that infinitely many Mersenne numbers have large prime factors. Our argument proceeds in two steps. First we show that a -nice sequence yields an infinite sequence of primes where every contains a -tuple of elements summing to zero. Next we show that contains a short additive dependence only if is a large factor of a Mersenne number.

5.1 A nice sequence yields infinitely many primes p with short dependencies between p-th roots of unity

We start with some notation. Consider a finite field where is prime. Fix a basis of over In what follows we often write to denote Let denote the ring Consider a natural one to one correspondence between subsets of and polynomials

$$\phi_{S_1}(x_1, \ldots, x_l) = \sum_{(\alpha_1, \ldots, \alpha_l) \in S_1} x_1^{\alpha_1} \ldots x_l^{\alpha_l}.$$

It is easy to see that for all sets and all

$$\phi_{(\alpha_1, \ldots, \alpha_l) + \beta S_1}(x_1, \ldots, x_l) = x_1^{\alpha_1} \ldots x_l^{\alpha_l}\, \phi_{\beta S_1}(x_1, \ldots, x_l). \quad (26)$$

Let be a family of subsets of It is straightforward to verify that a set has even intersections with every element of if and only if belongs to where is the linear subspace of spanned by Combining the last observation with formula (26) we conclude that a set is algebraically nice if and only if there exists a set of odd size such that the ideal generated by polynomials is a proper ideal of Note that polynomials generate a proper ideal if and only if polynomials generate a proper ideal in Also note that a family of polynomials generates a proper ideal in if and only if it generates a proper ideal in Now an application of Hilbert's Nullstellensatz [7, p. 168] implies that a set is algebraically nice if and only if there is a set of odd size such that the polynomials and have a common root in

Lemma 17

Let where is prime. Suppose contains a nonempty algebraically nice subset; then there exist such that

• Proof:   Assume is nonempty and algebraically nice. The discussion above implies that there exists of odd size such that all polynomials vanish at some Fix an arbitrary and note that is closed under multiplication. Thus,

 ϕβ0S1(ζ1