Randomness-Efficient Constructions of Capacity-Achieving List-Decodable Codes

Jonathan Mosheiff Department of Computer Science, Ben-Gurion University. Research supported by an Alon Fellowship. Part of this work was conducted while the author was visiting the Simons Institute for the Theory of Computing. mosheiff@bgu.ac.il Nicolas Resch Informatics Institute, University of Amsterdam. Research supported by a Veni grant (VI.Veni.222.347) from the Dutch Research Council (NWO). Part of this work was conducted while the author was visiting the Simons Institute for the Theory of Computing. n.a.resch@uva.nl Kuo Shang School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University. billy63878@sjtu.edu.cn Chen Yuan School of Electronic Information and Electrical Engineering, Shanghai Jiao Tong University. chen_yuan@sjtu.edu.cn

(May 15, 2024)

Abstract

In this work, we consider the task of generating list-decodable codes over small (say, binary) alphabets using as little randomness as possible. Specifically, we hope to generate codes achieving what we term the Elias bound, which means that they are $(\rho,L)$ -list-decodable with rate $R\geq 1-h(\rho)-O(1/L)$ . A long line of work shows that uniformly random linear codes (RLCs) achieve the Elias bound: hence, we know $O(n^{2})$ random bits suffice. Prior works (Guruswami and Mosheiff, FOCS 2022; Putterman and Pyne, arXiv 2023) demonstrate that just $O(Ln)$ random bits suffice, via puncturing of low-bias codes. These recent constructions are essentially combinatorial, and rely (directly or indirectly) on graph expansion.

We provide two new constructions, which are algebraic. Compared to prior works, our constructions are considerably simpler and more direct. Furthermore, our codes are designed in such a way that their duals are also quite easy to analyze. Our first construction — which can be seen as a generalization of the celebrated Wozencraft ensemble — achieves the Elias bound and consumes $Ln$ random bits. Additionally, its dual code achieves the Gilbert-Varshamov bound with high probability, and both the primal and dual admit quasilinear-time encoding algorithms. The second construction consumes $2nL$ random bits and yields a code where both it and its dual achieve the Elias bound. As we discuss, properties of a dual code are often crucial for applications of error-correcting codes in cryptography.

In all of the above cases – including the prior works achieving randomness complexity $O(Ln)$ – the codes are designed to “approximate” RLCs. More precisely, for a given locality parameter $L$ we construct codes achieving the same $L$ -local properties as RLCs. This allows one to appeal to known list-decodability results for RLCs and thereby conclude that the code approximating an RLC also achieves the Elias bound (with high probability). As a final contribution, we indicate that such a proof strategy is inherently unable to generate list-decodable codes of rate $R$ over $\mathbb{F}_{q}$ with less than $L(1-R)n\log_{2}(q)$ bits of randomness.

1 Introduction

The basic task of coding theory is to define subsets of ${\mathcal{C}}\subseteq[q]^{n}$ , where $q\in\mathbb{N}$ is the alphabet size and $n\in\mathbb{N}$ is the block-length, that satisfy two conflicting desiderata. Firstly, the code ${\mathcal{C}}$ should be as large as possible, as this corresponds to the amount of information that one transmits in $n$ symbol transmissions. But secondly, the elements of ${\mathcal{C}}$ , termed codewords, should be as spread out as possible in order to minimize the likelihood that two distinct codewords are confused should errors be introduced. In this work, we will focus almost exclusively on linear codes, in which case we require $q$ to be a prime power and insist that ${\mathcal{C}}\leq\mathbb{F}_{q}^{n}$ , i.e., ${\mathcal{C}}$ is a subspace of the vector space $\mathbb{F}_{q}^{n}$ . Unless otherwise mentioned, from now on all codes are linear.

Typically, instead of directly working with the cardinality $|{\mathcal{C}}|$ of a code, one analyzes its rate $R=\frac{\log_{q}|{\mathcal{C}}|}{n}=\frac{\dim({\mathcal{C}})}{n}$ , which measures the amount of information transmitted per codeword symbol. To measure a code’s error-resilience, various metrics can be used. The most basic (at least for the setting of worst-case errors) is ${\mathcal{C}}$ ’s minimum distance $\delta:=\min\{d(\bm{x},\bm{y}):\bm{x},\bm{y}\in{\mathcal{C}},\bm{x}\neq\bm{y}\}$ , where here and throughout $d(\bm{x},\bm{y}):=\frac{1}{n}|\{i\in\{1,2,\dots,n\}:x_{i}\neq y_{i}\}|$ is the (normalized) Hamming distance. A classical observation is that as long as $\rho<\delta/2$ fraction of symbols are corrupted, one can always uniquely-decode¹¹1At least, information-theoretically. Algorithmic decoding is a separate challenge. to recover the original codeword.

The first question one might ask, then, is what sort of tradeoffs one can achieve between rate and distance. A classical result due to Gilbert [Gil52] and Varshamov [Var57] states that, for any $R,\delta$ satisfying $R<1-h_{q}(\delta)$ ,²²2Here, $h_{q}(\cdot)$ denotes the $q$ -ary entropy function, which we define formally in Section 2.1. there exist infinite families of codes of rate at least $R$ and distance at least $\delta$ . We say that codes which achieve this tradeoff (or, in some cases, get $\varepsilon$ -close for some small $\varepsilon$ ) achieve the GV bound.

A natural relaxation of unique-decoding that we focus upon is list-decoding: for a parameter $\rho\in(0,1-1/q)$ and an integer $L\geq 1$ we call a code ${\mathcal{C}}$ $(\rho,L)$ -list-decodable if for any $\bm{z}\in\mathbb{F}_{q}^{n}$ , the number of codewords at distance at most $\rho$ from $\bm{z}$ is less than $L$ . In notation:

\forall\bm{z}\in\mathbb{F}_{q}^{n},\leavevmode\nobreak\ \leavevmode\nobreak\ |% \{\bm{c}\in{\mathcal{C}}:d(\bm{c},\bm{z})\leq\rho\}|<L\ .

Early work due to Elias and Wozencraft [Eli57, Woz58, Eli91] proposed list-decodable codes as an object of study, largely as an intermediate target on the way to unique-decoding. In the past 30 years or so, list-decodable codes have seen increased attention due to their connections to other parts of theoretical computer science, particularly complexity theory, cryptography and pseudorandomness [GL89, BFNW90, Lip90, KM93, Jac97, STV01]. Note that the above discussion of unique-decodability implies that any code with distance $\delta$ is $(\delta/2,1)$ -list-decodable. In particular, by choosing a code ${\mathcal{C}}$ achieving the GV bound, we can have a rate $R<1-h_{q}(2\rho)$ code which is $(\rho,1)$ -list-decodable.

If one allows the list-size parameter $L$ to grow, the list-decoding capacity theorem essentially says that we can correct up to twice as many errors for the same rate. More precisely, there exist $(\rho,L)$ -list-decodable codes of rate $1-h_{q}(\rho)-O(1/L)$ . Informally, one says that a code³³3Technically, one should speak of an infinite family of codes of increasing block-length whose rates have limit $R$ . In this work, we will not be too careful with this formalism, but it should be clear that our constructions lead to such infinite families. achieves list-decoding capacity if its rate is arbitrarily close to $1-h_{q}(\rho)$ with list-size $L\leq\mathrm{poly}(n)$ . For our purposes, we are interested in codes that achieve the tradeoff achieved by random codes. Introducing some terminology, we will say a code construction ${\mathcal{C}}$ achieves the Elias bound if it is $(\rho,L)$ -list-decodable and has rate at least $1-h_{q}(\rho)-O(1/L)$ .

We also mention that a generalization of list-decoding, termed list-recovery, has seen increasing attention in recent years. It was originally abstracted as a useful primitive in list-decoding concatenated codes [GI01, GI02, GI03, GI04]. However, it has recently proved itself to merit investigation in its own right, finding applications in cryptography [HIOS15, HLR21], randomness extraction [GUV09], hardness amplification [DMOZ20], group testing [INR10, NPR11], streaming algorithms [DW22], and beyond. The interested reader is directed to Section 2.3 for the precise definition of list-recovery; for now, suffice it to say that all of the preceding and ensuing discussion generalizes cleanly to list-recovery as well.

An outstanding problem in the theory of error-correcting codes is to provide explicit⁴⁴4While we will not be too precise with the meaning of “explicit” in this work, we informally mean that a description of the code can be constructed deterministically in time polynomial in $n$ . constructions of capacity-achieving list-decodable codes. The problem in the regime of “large alphabet” has seen tremendous progress in the last quarter of a century. Since Guruswami and Rudra demonstrated that folded Reed-Solomon codes achieve list-decoding capacity [GR08], a long line of work has now led to explicit constructions of capacity-achieving codes: namely, codes of rate $R$ which are $(1-R-\varepsilon,\exp(\mathrm{poly}(1/\varepsilon)))$ -list-decodable, assuming $q\geq(1/\varepsilon)^{\Omega(1/\varepsilon^{2})}$ [GRZ21]. While achieving optimal tradeoffs between all the parameters involved is still not completely resolved, it is fair to say that we have very satisfactory constructions, assuming $q$ is sufficiently large. However, when it comes to explicitly constructing list-decodable codes over the binary alphabet, the existing results are quite paltry. The only notable successes concern the regime of very high noise, where one hopes to decode at radius $\frac{1}{2}-\varepsilon$ with codes of rate $\Omega(\varepsilon^{2})$ , matching (up to constant factors) the rate-distance tradeoff achieved by random linear codes. The current state of the art is Ta-Shma’s code [TS17] achieving rate $\Omega(\varepsilon^{2+o(1)})$ , for which we now additionally have efficient unique- and list-decoding [GJQST20, JST21] algorithms.

In light of the difficulty of explicitly constructing list-decodable codes over small alphabets, we focus on a more modest goal: let’s construct them randomly using as little randomness as possible. And in this case, we would like to achieve the Elias bound, i.e., for $(\rho,L)$ -list-decodability the rate $R$ should be at least $1-h_{q}(\rho)-O(1/L)$ . For example, the classical argument of Elias – which argues that random subsets ${\mathcal{C}}\subseteq\{0,1\}^{n}$ of size $2^{Rn}$ are $(\rho,L)$ -list-decodable assuming $R<1-h_{2}(\rho)-1/L$ – shows that with exponentially many random bits we can have such a code. This generalizes to $R<1-h_{q}(\rho)-1/L$ for general alphabet size $q$ .

If rather than a plain random code one instead samples a random linear code (RLC), a long line of works [ZP81, GHSZ02, GHK11, CGV13, Woo13, RW14, RW18, LW21, GLM⁺22, AGL23] shows that they achieve the Elias bound in most parameter regimes. In particular, [LW21, GLM⁺22] settles the binary case. Hence, $O(n^{2})$ random bits are sufficient.

To push beyond this, [MRR⁺20] shows that random low-density parity-check (LDPC) codes also achieve list-decoding capacity efficiently, and such codes can be sampled with $O(n\log n)$ bits of randomness. This work actually argues something stronger: namely, any local property that is satisfied by a random linear code of rate $R$ with high probability is also satisfied by a random LDPC code of rate $R-o(1)$ .

While we precisely define local properties in Section 2.4, for now we give the following intuitive explanation: for a given locality parameter $\ell=O(1)$ , $\ell$ -local properties are defined by excluding a collection of “forbidden subsets” of size $\ell$ . In the case of list-decodability, the collection would be defined as the family of all $L$ -tuples of vectors $\bm{x}_{1},\dots,\bm{x}_{L}$ which all lie in a Hamming ball of radius $\rho$ . That is, $(\rho,L)$ -list-decodability is an $L$ -local property. The same in fact holds for $(\rho,\lambda,L)$ -list-recoverability: it is also an $L$ -local property.

Subsequent work by Guruswami and Mosheiff [GM22] provides a means of sampling codes achieving list-decoding capacity efficiently with only $O(n)$ randomness. In fact, as is the case for LDPC codes, these codes achieve the same local properties as RLCs. First, note that an RLC is nothing but a random puncturing of the Hadamard code.⁵⁵5Recall that the Hadamard code encodes a message $\bm{m}\in\mathbb{F}_{2}^{k}$ into a length- $2^{k}$ codeword by computing $\langle\bm{m},\bm{x}\rangle$ for every $x\in\mathbb{F}_{2}^{k}$ . Observe further that the Hadamard code is optimally balanced, in the sense that every non-zero codeword has weight precisely $1/2$ . Gurusawmi and Mosheiff suggest then puncturing some other explicitly chosen “mother code” of block-length $N$ , and so long as this code is nearly balanced in the sense that all non-zero codewords have weight $\approx 1/2$ , then a random puncturing will again “look like” an RLC from the perspective of local properties. Assuming $N\leq\mathrm{poly}(n)$ , then we need $n\log N=O(n\log n)$ random bits to sample such a code, matching the guarantee for LDPC codes. To achieve $O(n)$ randomness, one must ensure $N\leq O(n)$ (by choosing, e.g., Ta-Shma’s codes [TS17] for the mother code) and then puncturing without replacement: one thus requires only $\log\binom{N}{n}=O(n)$ bits of randomness.

Very recently, another derandomization has been offered. Putterman and Pyne [PP23] demonstrate that instead of choosing each coordinate independently one can choose them via an expander random walk. This then means that we only require $O(n\log d)$ bits of randomness to sample the code, where $d$ is the degree of the expander graph. Assuming $d=O(1)$ – which is achievable if one is interested in local properties – we in particular find that $O(n)$ bits of randomness suffice.

Thus, we currently know how to construct list-decodable binary codes achieving capacity efficiently with $O(n)$ bits of randomness. As elaborated below, this seems like a hard barrier for current techniques.

The above constructions are quite “indirect,” requiring the existence of a sufficiently nice mother code that can then be punctured. While explicit constructions of such highly balanced codes are known, the constructions are all quite nontrivial. This status naturally leads us to wonder if we can provide more “direct” randomness-efficient constructions of binary codes achieving the Elias bound.

Furthermore, we also find motivations stemming from code-based cryptography. In this setting, one would often like to generate codes that “look like” random codes, but in fact admit efficient descriptions, as the description of the code is often some sort of public parameter that must be known by all parties making use of the cryptographic scheme. We elaborate upon this connection below. And in this case, one would often like the dual code to also look random (again, we discuss this motivation further below). We observe that while the dual of an RLC is again an RLC – and hence will also satisfy the Elias bound with high probability – the above constructions (LDPC or puncturing-based) do not have such guarantees. And indeed, the dual of an LDPC code certainly cannot even have linear minimum distance! As for the puncturing-based constructions, it is unclear to us whether random puncturing can yield the Elias bound and good dual distance; at the very least, such a proof would require new techniques.

1.1 Our Results

In this work, we provide two new randomized constructions of codes achieving the Elias bound and consuming only $O(Ln)$ bits of randomness. In fact, for any (constant) locality parameter $\ell$ , we show that these codes are $\ell$ -locally similar (see Definition 2.14) to RLCs, which implies that any $\ell$ -local property satisfied by RLCs with high probability is also satisfied by our codes with high probability (in fact, the success probability will be of the form $1-q^{-\Omega(n)}$ ). In particular, taking $\ell=L$ implies that all our codes achieve list-decoding capacity efficiently with high probability. We provide our constructions for general (but constant) field size $q$ , although we are mostly motivated by the binary case.

The notions of local property and local similarity are thoroughly defined and discussed in section 2.4. For concreteness, we give a shorter and less precise description here, and for simplicity we restrict attention here to the binary case. Fix a locality parameter $\ell\in\mathbb{N}$ and consider the set of all $n\times\ell$ binary matrices. We generally think of $\ell$ as constant while $n$ tends to infinity. A code ${\mathcal{C}}\subseteq\mathbb{F}_{2}^{n}$ is said to contain a matrix $A\in\mathbb{F}_{2}^{n\times\ell}$ if it contains all the columns of $A$ as codewords. We group the matrices in $\mathbb{F}_{2}^{n\times\ell}$ according to their row distribution. More precisely, we associate with $A\in\mathbb{F}_{2}^{n\times\ell}$ a distribution $\mathsf{Emp}_{A}\sim\mathbb{F}_{2}^{\ell}$ that yields a vector $x\in\mathbb{F}_{2}^{\ell}$ proportionally to the number of times that $x$ appears as a row in $A$ , namely, $\tau(x)=\frac{|\{i\in[n]:A_{i}=x\}|}{n}$ , where $A_{1},\dots,A_{n}\in\mathbb{F}_{2}^{\ell}$ denote $A$ ’s rows. We denote the set of all matrices in $\mathbb{F}_{2}^{n\times\ell}$ with row distribution $\tau$ by $\mathcal{M}_{n,\tau}$ . We can now define the notion of local-similarity to an RLC for binary codes.

Definition 1.1 (Local similarity to RLC in the binary case).

Let ${\mathcal{C}}\leq\mathbb{F}_{2}^{n}$ be a linear code sampled from some ensemble. We say that ${\mathcal{C}}$ is $\ell$ -locally-similar to an RLC of rate $R$ if, for every $1\leq b\leq\ell$ and every distribution $\tau\sim\mathbb{F}_{2}^{b}$ with $\dim(\tau)=b$ , we have

\mathop{\mathbb{E}}_{{\mathcal{C}}}\left[|\{A\in\mathcal{M}_{n,\tau}:A% \subseteq{\mathcal{C}}\}|\right]\leq 2^{(H_{2}(\tau)-b(1-R))n}\ .

Above, $H_{2}(\tau)$ denotes the entropy of the distribution $\tau$ , measured in bits.

Less formally, ${\mathcal{C}}$ is locally similar to an RLC if, for every $\tau$ , the expected number of matrices from $\mathcal{M}_{n,\tau}$ in ${\mathcal{C}}$ is not much larger than that in an RLC. The motivation for this definition is that local-similarity of ${\mathcal{C}}$ to an RLC implies that ${\mathcal{C}}$ almost surely satisfies every local property (a notion formulated in Definition 2.9) that is satisfied by an RLC with high probability. As important motivating special cases, we note that list-decodability and list-recoverability are both local properties; this is established in e.g. [MRR⁺20, Res20]. Therefore, we can morally say that any code satisfying Definition 1.1 is likely to be list-decodable and list-recoverable with similar paramters to those of an RLC. In particular, such a code is likely to achieve the Elias bound.

We now turn to describing our constructions. In contrast to prior works, neither of our constructions rely on an explicit “mother code” which we then puncture, but are instead built “from scratch.” Our constructions also have the pleasing property of being rather simple. A final major bonus of our codes is that their duals also satisfy non-trivial properties: for the first construction, its dual achieves the GV bound with high probability; for the second, its dual is also $\ell$ -locally similar to RLCs!

Our first construction, which yields a code over $\mathbb{F}_{q}$ of block-length $n$ , uses linearized polynomials $f(X)$ with $q$ -degree at most $\ell-1$ . That is, $f(X)$ is of the form $\sum_{i=0}^{\ell-1}f_{i}X^{q^{i}}$ where each $f_{i}\in\mathbb{F}_{q^{n}}$ , the degree $n$ extension of $\mathbb{F}_{q}$ . As we review in Section 2.2, such linearized polynomials define $\mathbb{F}_{q}$ -linear maps $\mathbb{F}_{q^{n}}\to\mathbb{F}_{q^{n}}$ . That is, for all $a,b\in\mathbb{F}_{q}$ and $\alpha,\beta\in\mathbb{F}_{q^{n}}$ , we have $f(a\alpha+b\beta)=af(\alpha)+bf(\beta)$ . The code is sampled by sampling the coefficients $f_{i}\in\mathbb{F}_{q^{n}}$ independently and uniformly at random. In particular, this requires only $\ell\lceil n\log_{2}q\rceil$ uniformly random bits.

To provide codes with rate $R=k/n$ , we fix an $\mathbb{F}_{q}$ -linear subspace $V\subseteq\mathbb{F}_{q^{n}}$ of dimension $k$ . The code is then defined as $\{\varphi(f(\alpha)):\alpha\in V\}$ , where $\varphi:\mathbb{F}_{q^{n}}\to\mathbb{F}_{q}^{n}$ is any bijective $\mathbb{F}_{q}$ -linear map. Recall that such a map exists as $\mathbb{F}_{q^{n}}$ is of dimension $n$ as a vector space over $\mathbb{F}_{q}$ , and any two vector spaces over the same field of the same dimension are isomorphic. For example, if $\omega_{1},\dots,\omega_{n}$ is a basis for $\mathbb{F}_{q^{n}}$ over $\mathbb{F}_{q}$ , we could set $\varphi:\sum_{i=1}^{n}x_{i}\omega_{i}\mapsto(x_{1},\dots,x_{n})$ . We say that ${\mathcal{C}}$ is a pseudorandom code from linearized polynomials of rate $R$ and degree $\ell$ , or just $\mathrm{PCLP}(R,\ell)$ for short, if it is sampled according to the above procedure.⁶⁶6The dependence on $V$ and $\varphi$ is not made explicit in this notation, as they will turn out to have no impact on our results regarding ${\mathcal{C}}$ ’s combinatorial properties. Requiring the polynomial $f$ to be linearized guarantees that the resulting code is linear, as desired.

Not only are we able to show that such codes achieve the Elias bound with high probability, we also show that their dual code achieves the GV bound. As we elaborate upon below, for cryptographic applications a code’s dual distance is often a crucial parameter of interest. We remark that, prior to our work, we are not aware of any construction of binary codes consuming $O(n)$ randomness outputting codes with both distance and dual distance lying on the GV bound.

Having realized that with $\ell n$ randomness we can construct a binary code that is $\ell$ -locally similar to RLCs with dual code achieving the GV bound (which informally follows from being $1$ -locally similar to RLCs), it is natural to wonder if it is possible to get both primal and dual code $\ell$ -locally similar to RLCs. We emphasize again that this would imply that both the primal and the dual code achieve the Elias bound for list size $L=\ell$ . The answer to this question is yes: our second construction has exactly this property. We now turn to describing this construction.

First, fix distinct elements $\alpha_{1},\dots,\alpha_{n}\in\mathbb{F}_{q^{n}}$ (they need not be linearly independent over $\mathbb{F}_{q}$ ). Let $\gamma:\mathbb{F}_{q^{n}}\to\mathbb{F}_{q}^{n}$ be a full-rank linear map (as with $\varphi$ before), and let $\eta:\mathbb{F}_{q^{n}}\to\mathbb{F}_{q}^{k}$ be any surjective $\mathbb{F}_{q}$ -linear map. For example, if $\omega_{1},\dots,\omega_{n}$ is a basis for $\mathbb{F}_{q^{n}}$ over $\mathbb{F}_{q}$ , we could set $\gamma:\sum_{i=1}^{n}x_{i}\omega_{i}\mapsto(x_{1},\dots,x_{n})$ and $\eta:\sum_{i=1}^{n}x_{i}\omega_{i}\mapsto(x_{1},\dots,x_{k})$ .

For a given rate $R=k/n$ , we choose independently two polynomials $f(X),g(X)\in\mathbb{F}_{q^{n}}[X]$ uniformly amongst all such polynomials of degree at most $\ell-1$ (unlike in the previous construction, these polynomials need not be linearized). Note that this requires only $2\ell\lceil n\log_{2}q\rceil$ uniformly random bits. We then define the following two matrices $G^{\prime},G^{\prime\prime}\in\mathbb{F}_{q}^{k\times n}$ :

•

For each $i\in[k]$ , the $i$ -th row of $G^{\prime}$ is defined to be $\gamma(f(\alpha_{i}))$ .
•

For each $j\in[n]$ , the $j$ -th column of $G^{\prime\prime}$ is defined to be $\eta(g(\alpha_{j}))$ .

We then define $G:=G^{\prime}+G^{\prime\prime}$ and set ${\mathcal{C}}:=\{\bm{x}G:\bm{x}\in\mathbb{F}_{q}^{k}\}$ . We call a code constructed in this way a pseudorandom code from row and column polynomials of rate $R$ and degree $\ell$ , or just $\mathrm{PCRCP}(R,\ell)$ , if it is sampled according to this procedure.⁷⁷7For reasons analogous to before, this notation omits mention of $\gamma$ , $\eta$ and $\alpha_{1},\dots,\alpha_{n}$ . Informally, the matrix $G^{\prime}$ is responsible for ensuring that the primal code is $\ell$ -locally similar to RLCs, while the matrix $G^{\prime\prime}$ guarantees the same holds for the dual code. In particular, if we had just set $G=G^{\prime}$ then we would have had just the primal code $\ell$ -locally similar to RLCs, while if we just set $G=G^{\prime\prime}$ then only the dual code would be $\ell$ -locally similar to RLCs.

This second construction thus yields the following result.

Theorem 1.2 (Informal; follows from Theorem 4.2).

Let $\ell,n\in\mathbb{N}$ , $R\in(0,1)$ for which $Rn\in\mathbb{N}$ and $q$ is a prime power. Let $\mathcal{P},\mathcal{P}^{\perp}$ be $\ell$ -local properties, and suppose that an $\mathrm{RLC}(R)$ satisfies $\mathcal{P}$ with probability $1-q^{-\Omega(n)}$ and an $\mathrm{RLC}(1-R)$ satisfies $\mathcal{P}^{\perp}$ with probability $1-q^{-\Omega(n)}$ . Then, for sufficiently large $n$ , there exists a randomized procedure consuming $O(\ell n\log q)$ bits of randomness outputting a code ${\mathcal{C}}$ such that, with probability at least $1-q^{-\Omega(n)}$ :

•

${\mathcal{C}}$ has rate $R$ ;
•

${\mathcal{C}}$ satisfies $\mathcal{P}$ ; and
•

${\mathcal{C}}^{\perp}$ satisfies $\mathcal{P}^{\perp}$ , where ${\mathcal{C}}^{\perp}$ is the code dual to ${\mathcal{C}}$ .

As mentioned above, we do know of other code ensembles sampled with linear randomness that share local properties with RLCs. However, we are not aware of any other code ensembles for which the dual code also shares local properties with RLCs.

Lastly, we mention one other pleasing feature of our first construction based on linearized polynomials. Namely, a careful choice of representation for $\mathbb{F}_{q^{n}}$ over $\mathbb{F}_{q}$ allows one to view the task of encoding a message as a constant number of polynomial multiplications, which can be computed in $O(n\log n)$ time via standard FFT-type methods. Thus, we can also claim the following result.

Theorem 1.3 (Informal; follows from Theorem 3.4 and Proposition 3.5).

Let $\ell,n\in\mathbb{N}$ , $R\in(0,1)$ for which $Rn\in\mathbb{N}$ and $q$ a prime power. Let $\mathcal{P}$ be an $\ell$ -local property, and suppose that an $\mathrm{RLC}(R)$ satisfies $\mathcal{P}$ with probability $1-q^{-\Omega(n)}$ . Then, for sufficiently large $n$ , there exists a randomized procedure consuming $O(\ell n\log q)$ bits of randomness outputting a code ${\mathcal{C}}$ such that, with probability at least $1-q^{-\Omega(n)}$ :

•

${\mathcal{C}}$ has rate $R$ ;
•

${\mathcal{C}}$ satisfies $\mathcal{P}$ ;
•

${\mathcal{C}}^{\perp}$ achieves the GV-bound;
•

${\mathcal{C}}$ is encodable in $O(n\log n)$ time.

Cryptographic motivation.

We remark that codes that “look like random linear codes” but are in fact samplable with less randomness are highly motivated by cryptographic considerations. And in fact, achieving good dual distance is often a crucial desideratum: the security of a cryptosystem is typically tied to the dual distance of the code, whether this is provably the case (i.e., with secret-sharing schemes [CDD⁺15],[CXY20]) or plausibly the case (i.e., the linear tests framework for learning parity with noise [BCG⁺22]). However, codes that require less randomness to generate allow for reduced public key sizes: the sizes of keys is typically the major drawback of post-quantum public-key cryptosystems. Hence the popularity of, e.g., quasi-cyclic [MAB⁺18] and moderate-density parity-check codes [ABB⁺22].

While for McEliece-type encryption schemes [McE78] an important requirement is that the code admits an efficient decoding algorithm, this is not in fact required for recent applications of error-correcting codes in multi-party computation – e.g., in the context of pseudorandom correlation generators (PCGs). In fact, one typically hopes that such codes do not admit efficient decoding [BIP⁺18, DGH⁺21]. A current “rule-of-thumb” is that the employed code should have good dual distance. In our view, a much more satisfying guarantee is that the dual code in fact shares more sophisticated properties with random linear codes, e.g., list-decodability/-recoverability, as our techniques can establish.

We further remark that many recent code constructions for PCGs [BCG⁺20, BCG⁺22, RRT23] in fact only admit randomized constructions that fail with probability $1/\mathrm{poly}(n)$ ; that is, they fail with non-negligible probability. This implies that the resulting constructions technically fail to satisfy standard security definitions. In contrast, all of our code constructions satisfy the targeted combinatorial properties with probability at least $1-\exp(-\Omega(n))$ .

Concretely, one can plug the (dual of) our first code construction into the framework of [BCG⁺19] to obtain PCGs for standard correlations like oblivious transfers with quasi-linear computation time for the involved parties. While constructions of such efficiency were known previously, we view our additional guarantee of local-similarity to RLCs as a stronger security guarantee than prior constructions offered (which only promised good minimum distance). Additionally, as emphasized above, ours is the first construction of such efficiency with negligible failure probability (in the randomized construction of the utilized code). We leave further investigation of the PCG implications of our codes for future research.

Finally, we recall that a linear code with large distance and dual distance yields a linear secret sharing scheme with small reconstruction and large privacy, and moreover that an asymptotically good linear code with asymptotically good dual yields an asymptotically good linear secret sharing scheme. The asymptotic linear secret sharing scheme was first considered and realized in [CC06], thereby enabling an “asymptotic version” of the general MPC theorem from [BGW88]. Since 2007, with the advent of the so-called “MPC-in-the-head paradigm” [IKOS09], these asymptotically-good schemes have been further exposed as a central theoretical primitive in numerous constant communication-rate results in multi-party cryptographic scenarios and – perhaps surprisingly – in two-party cryptography as well. Druk and Ishai [DI14] utilize an expander graph to construct a linear time encodable code; such a code combined with a linear-time universal hash function [CDD⁺15] yields an asymptotically good linear secret sharing scheme equipped with a linear time encoding algorithm. Recently, Cramer, Xing and Yuan [CXY20] construct an asymptotically good secret sharing scheme with quasi-linear time encoding and decoding algorithm.

We remark that the privacy and reconstruction of all above mentioned asymptotically good schemes do not achieve the optimal trade-off, i.e., GV bound. In contrast, the linear code derived from our linearized polynomials yields an asymptotically good linear secret sharing scheme with quasi-linear-time encoding algorithm, and moreover the privacy and reconstruction of the resulting scheme achieves the optimal trade-off.

Challenge of sublinear randomness.

As a final contribution, we highlight the inherent challenge of designing code ensembles consuming $o(n)$ random bits outputting codes that achieve the EB bound with high probability – or for that matter, even the GV-bound.⁸⁸8Of course, recent breakthroughs [TS17] provide explicit binary codes of rate nearly $\Omega(\varepsilon^{2})$ with minimum distance $\frac{1}{2}-\varepsilon$ ; however such constructions seem inherently unable to reach the GV bound in other regimes, and even in the $\frac{1}{2}-\varepsilon$ distance regime the constant in front of the rate is unlikely to be pushed to $\frac{2}{\ln 2}$ , as one would hope. More precisely, we observe that any code ensemble that is $\ell$ -locally similar to RLCs requires at least $\ell(1-R)n\log_{2}q$ bits of randomness. This is not much more than an observation – namely, that the granularity required by certain distributions is only achievable with this many bits of randomness – but we nonetheless believe that elucidating this shortcoming is insightful. Note that local similarity to RLC is merely a sufficient condition for a code ensemble to share combinatorial properties with RLCs. However, we emphasize that all the previous works (including our own) rely on local-similarity.

We also observe that our lower bound is tight: a simple twist on our codes from linearized polynomials $\mathrm{PCLP}$ requires only $\ell(1-R)n\log_{2}q$ to sample and is $\ell$ -locally similar to RLCs. In fact, this code is a natural generalization of the famous Wozencraft ensemble [Mas63]. That is, recall that the Wozencraft ensmeble is obtained by uniformly sampling $\beta\in\mathbb{F}_{q^{k}}$ and then defining

{\mathcal{C}}:=\{(\varphi(\alpha),\varphi(\beta\alpha)):\alpha\in\mathbb{F}_{q% ^{k}}\}\ ,

where $\varphi:\mathbb{F}_{q^{k}}\to\mathbb{F}_{q}^{k}$ is a full-rank $\mathbb{F}_{q}$ -linear map. Defining $f(X)=\beta X$ , the codewords of ${\mathcal{C}}$ are thus of the form $(\varphi(\alpha),\varphi(f(\alpha)))$ . Note that $f(X)$ is in fact a uniformly random linearized polynomial of $q$ -degree at most $0$ . The generalization that we consider is thus to allow $f(X)$ to have $q$ -degree at most $\ell-1$ , and we observe that indeed this code ensemble will be $\ell$ -locally similar to RLCs. However, a drawback is that this construction only naturally produces codes of rate $1/2$ ; by sampling $r$ independent linearized polynomials we can also achieve rates of the form $1/r$ for $r\in\mathbb{N}$ , but not any possible rate as we can with $\mathrm{PCLP}$ ’s (which can themselves be similarly considered a different generalization of the Wozencraft ensemble). Further discussion of this construction is provided in Section 3.1.

To conclude this discussion, we provide Figure 1 summarizing our contributions and the prior state-of-the-art.

Source	Code	Randomness	Dual Code
[GLM⁺22]	Random Linear Code	$O(n^{2})$	EB
[MRR⁺20]	Low-Density Parity-Check Codes	$O(Ln\log n)$	✗
[GM22]	Puncturing of Low-Bias Code	$O(Ln)$	✗
[PP23]	Expander-Puncturing of Low-Bias Code	$O(Ln)$	✗
Section 3	Codes from Linearized Polynomials	$Ln$	GV
Section 3	Generalized Wozencraft Ensemble	$L(1-R)n$ , $R=\frac{1}{\text{integer}}$	✗
Section 4	Row-Column Polynomial Codes	$2Ln$	EB
Section 5	Lower Bound for RLC-similarity	$L(1-R-\varepsilon)n$

Figure 1: Randomness requirements for binary codes achieving the Elias Bound. We remark that all the above constructions generalize to larger (but constant)

q

. Regarding the dual code criterion, “EB” means that the dual-code also achieves the Elias Bound (for lists of size

L

), while “GV” means that the dual distance achieves the GV bound. An ✗ means that no guarantees are provided (and, in certain cases, cannot hold). The lower bound applies to all ensembles that achieve similarity to RLC (a stronger property than the Elias bound; see Definitions 1.1, 2.14), including all constructions listed in this table.

1.2 Techniques

Given a random code ${\mathcal{C}}$ of (design) rate $R$ sampled according to either of the above constructions, we wish to demonstrate that it behaves combinatorially much as an RLC $\mathcal{D}$ of rate $R$ . More precisely, we consider any property $\mathcal{P}$ obtained by forbidding $\ell$ -sized sets of vectors and wish to show that ${\mathcal{C}}$ satisfies the property $\mathcal{P}$ with probability roughly the same as $\mathcal{D}$ . As discussed above, these properties capture well-studied notions like list-decodability and list-recoverability.

Fortunately, recent works [MRR⁺20, GM22] have introduced a calculus for making such arguments. Intuitively, a conclusion of these works is that it suffices to argue that, for any $S\subseteq\mathbb{F}_{q}^{n}$ of size $\ell$ , the probability that $S$ is contained in ${\mathcal{C}}$ is roughly the same as the probability this holds for $\mathcal{D}$ . Of course, this latter probability is $q^{-(1-R)n\operatorname{rank}(S)}$ , where $\operatorname{rank}(S)$ denotes the dimension of the vector space spanned by $S$ .⁹⁹9At least, this holds exactly if one samples a RLC by choosing a uniformly random parity-check matrix, which is the model we consider in this work. For other natural models – e.g., sampling a uniformly random generator matrix – $q^{-(1-R)n\operatorname{rank}(S)}$ gives an upper on this probability.

In a bit more detail, these works in fact view such sets as matrices in $\mathbb{F}_{q}^{n\times\ell}$ , and observe that the forbidden matrices for properties like list-decoding are closed under row-permutation. One can thus restrict to the various orbit classes of this action, and study these orbit classes one at a time. The requirement is in fact that, for each orbit class, the expected number of matrices from that class lying in ${\mathcal{C}}$ is roughly the same as the expected number lying in $\mathcal{D}$ . By identifying these orbit classes with row distributions, one obtains Definition 1.1.

For our specific constructions, for fixed vectors $\bm{x}\in\mathbb{F}_{q}^{n}$ we consider event indicator random variables $X_{\bm{x}}$ outputting $1$ if $\bm{x}\in{\mathcal{C}}$ , and observe that, for any $1\leq b\leq\ell$ , a $b$ -tuple of random variables $(X_{\bm{x}_{1}},\dots,X_{\bm{x}_{b}})$ is independent if $\bm{x}_{1},\dots,\bm{x}_{b}$ are linearly independent. Of course, this also holds for random linear codes (in fact, it holds for tuples of all sizes),¹⁰¹⁰10At least, this is true if one defines a random linear code by sampling a uniformly random parity-check matrix, which we here implicitly assume, and this is the sense in which our constructions approximate the “local behaviour” of random linear codes, which we can then bootstrap into full-blown $\ell$ -local similarity via the machinery of [MRR⁺20, GM22].

To analyze our first construction based on linearized polynomials, we exploit the fact that for any fixed tuple of inputs and outputs $(x_{1},y_{1}),\dots,(x_{b},y_{b})$ with $x_{1},\dots,x_{b}\in\mathbb{F}_{q^{n}}$ linearly independent over $\mathbb{F}_{q}$ , over a uniformly random choice of linearized polynomial $f(X)$ of $q$ -degree at most $\ell-1$ , the vector $(f(x_{1}),\dots,f(x_{b}))$ is distributed uniformly at random over $\mathbb{F}_{q^{n}}^{b}$ . This follows readily from properties of the Moore matrix $M=(\alpha_{i}^{q^{j}})_{ij}$ (recalling $b\leq\ell$ ).

Next, we consider the code’s dual. In order to show that the dual of a $\mathrm{PCLP}(R,\ell)$ code achieves the GV-bound with high probably, we exploit a pleasant characterization of its dual. Namely, the dual is of the form $\{\psi(f_{0}^{-1}\cdot\beta):\beta\in W\}$ , where $W$ is connected to the dual of $V$ and $\psi$ is (morally) dual to $\varphi$ .¹¹¹¹11More precisely, if $\{\alpha_{1},\dots,\alpha_{n}\}$ is a basis for $\mathbb{F}_{q^{n}}$ for which $\varphi\left(\sum_{i}x_{i}\alpha_{i}\right)=(x_{1},\dots,x_{n})$ , then $\psi\left(\sum_{i}y_{i}\beta_{i}\right)=(y_{1},\dots,y_{n})$ where $\{\beta_{1},\dots,\beta_{n}\}$ is the dual basis. In particular, the dual is essentially another $\mathrm{PCLP}(1-R,1)$ -code! Hence, the previous discussion implies it is $1$ -locally similar to an RLC, which means in particular that it achieves the GV bound.

For the second construction, i.e., pseudorandom codes from row and column polynomials, upon summing over all choices of (full-rank) sets of message vectors one can observe that the desired behaviour of the random variables $X_{\bm{x}_{i}}$ in fact follows from the following: if $X\in\mathbb{F}_{q}^{b\times k}$ is of rank $b$ , then over the randomness of the generator $G$ , $XG\in\mathbb{F}_{q}^{b\times n}$ is uniformly random. Recalling $G=G^{\prime}+G^{\prime\prime}$ , we just must show $XG^{\prime}$ is uniformly random. Exploiting the requirement that $\gamma:\mathbb{F}_{q^{n}}\to\mathbb{F}_{q}^{n}$ is an isomorphism, it suffices to show that the tuple

\displaystyle\left(\sum_{i=1}^{k}X_{ji}f(\alpha_{i})\right)_{j\in[b]}\in% \mathbb{F}_{q^{n}}^{b}

(1)

is uniformly random over the choice of $f$ . And this follows naturally from properties of the Vandermonde matrix, as the $\alpha_{i}$ ’s are distinct and $f$ is chosen uniformly amongst all polynomials of degree $\leq\ell-1$ (recalling again $b\leq\ell$ ).

The argument establishing $\ell$ -local-similarity for the dual is almost identical to the above argument for the primal. Here, it suffices to consider a matrix $X\in\mathbb{F}_{q}^{n\times b}$ of rank $b$ and argue that over the randomness of $G^{\prime\prime}$ now, $G^{\prime\prime}X$ is uniformly random. And to do this, one reduces to studying a tuple of random variables analogous to those in Equation 1, although in this case the polynomial $g(X)$ will play the starring role. Since $g(X)$ is again uniformly sampled from all polynomials of degree at most $\ell-1$ , the desired conclusion follows.

2 Preliminaries

2.1 Miscellaneous Notation

By default, $\mathbb{N}=\{1,2,\dots,\}$ , i.e., $0\notin\mathbb{N}$ . For a positive integer $n\in\mathbb{N}$ , $[n]:=\{1,\dots,n\}$ . Throughout, $q$ denotes a prime power, $\mathbb{F}_{q}$ denotes a finite field with $q$ elements, and $\mathbb{F}_{q^{n}}$ denotes a degree $n$ extension of $\mathbb{F}_{q}$ (which of course has size $q^{n}$ ). The $q$ -ary entropy function is defined for $x\in(0,1)$ as

\displaystyle h_{q}(x):=x\log_{q}(q-1)+x\log_{q}\frac{1}{x}+(1-x)\log_{q}\frac% {1}{1-x}\

and extended by continuity to $h_{q}(0)=0$ and $h_{q}(1)=\log_{q}(q-1)$ . This function is known to be monotonically increasing from $0$ to $1$ on the interval $[0,1-1/q]$ , and hence we can define its inverse $h_{q}^{-1}:[0,1]\to[0,1-1/q]$ .

Given a discrete distribution $\tau$ and a universe $U$ , we write $\tau\sim U$ to denote that $\tau$ is distributed over $U$ , i.e., that $\tau$ ’s support $\mathrm{supp}(\tau):=\{x:\tau(x)>0\}\subseteq U$ . In general, we write vectors in boldface – e.g., $\bm{x}$ , $\bm{y}$ , etc. – while scalars are unbolded.

2.2 Algebraic Concepts

Let $\operatorname{Tr}:\mathbb{F}_{q^{n}}\rightarrow\mathbb{F}_{q}$ be a trace function, i.e.,

\operatorname{Tr}(\alpha)=\sum_{i=0}^{n-1}\alpha^{q^{i}}.

Lemma 2.1.

Suppose $\alpha_{1},\ldots,\alpha_{n}$ is a basis of $\mathbb{F}_{q^{n}}$ over $\mathbb{F}_{q}$ . We can always find a dual basis $\beta_{1},\ldots,\beta_{n}$ in $\mathbb{F}_{q^{n}}$ such that

\operatorname{Tr}(\alpha_{i}\beta_{j})=\delta_{ij}

(2)

where $\delta_{ij}=0$ for any $i\neq j$ and is otherwise $1$ .

Proof.

We provide the proof for completeness. Write $\beta_{i}=\sum_{r=1}^{n}b_{i,r}\alpha_{r}$ and we consider the equations

\delta_{ji}=\operatorname{Tr}(\alpha_{j}\beta_{i})=\operatorname{Tr}\left(% \alpha_{j}\sum_{r=1}^{n}b_{i,r}\alpha_{r}\right)\ .

Define the $n\times n$ matrix $T=(\operatorname{Tr}(\alpha_{j}\alpha_{r}))_{j,r\in[n]}$ over $\mathbb{F}_{q}$ ; the above $n$ equations can be written as $T(b_{i,1},\ldots,b_{i,n})^{\top}=\bm{e}_{i}$ where $\bm{e}_{i}$ is the $i$ -th vector in the standard basis of $\mathbb{F}_{q}^{n}$ . Since $\alpha_{1},\ldots,\alpha_{n}$ forms a basis of $\mathbb{F}_{q^{n}}$ , $T$ has full rank and there must exists a nonzero solution for $b_{i,1},\ldots,b_{i,n}$ . Thus, we can always find $\beta_{1},\ldots,\beta_{n}$ which satisfy (2). It remains to show that $\beta_{1},\ldots,\beta_{n}$ are $\mathbb{F}_{q}$ -linearly independent. Assume not and without loss of generality we may assume $\beta_{n}$ can be represented as the linear combination of $\beta_{1},\ldots,\beta_{n-1}$ , i.e., $\beta_{n}=\sum_{i=1}^{n-1}\lambda_{i}\beta_{i}$ with $\lambda_{1},\ldots,\lambda_{n-1}\in\mathbb{F}_{q}$ . From (2) we have

1=\operatorname{Tr}(\alpha_{n}\beta_{n})=\sum_{i=1}^{n-1}\lambda_{i}% \operatorname{Tr}(\alpha_{n}\beta_{i})=0\ ,

a clear contradiction. ∎

We now introduce the concept of orthogonality for two $\mathbb{F}_{q}$ -subspaces of $\mathbb{F}_{q^{n}}$ .

Definition 2.2.

Let $V,W\subseteq\mathbb{F}_{q^{n}}$ be a $\mathbb{F}_{q}$ -linear space. $W$ is said to be orthogonal to $V$ if the following holds

\operatorname{Tr}(ab)=0,\quad\forall a\in V,b\in W

We write $W\perp V$ to denote that $W$ is orthogonal to $V$ . If $\dim(W)+\dim(V)=n$ , $W$ is said to be the dual space of $V$ .

Finally, we collect terminology connected to linearized polynomials.

Definition 2.3 (Linearized Polynomial).

We call a polynomial $f(X)\in\mathbb{F}_{q^{n}}[X]$ a linearized polynomial if it is of the form $\sum_{i=0}^{d}f_{i}X^{q^{i}}$ with $f_{i}\in\mathbb{F}_{q^{n}}$ and $d\in\mathbb{N}$ . That is, the only monomials appearing in $f(X)$ have exponent a power of $q$ . Its $q$ -degree is $\max\{i:f_{i}\neq 0\}$ .

Recall that the Frobenius automorphism $\mathrm{Frob}:\mathbb{F}_{q^{n}}\to\mathbb{F}_{q^{n}}$ defined by $\mathrm{Frob}(\alpha)=\alpha^{q}$ is $\mathbb{F}_{q}$ -linear, i.e., it holds that for all $a,b\in\mathbb{F}_{q}$ and $\alpha,\beta\in\mathbb{F}_{q^{n}}$ ,

(a\alpha+b\beta)^{q}=a\alpha^{q}+b\beta^{q}\ .

This readily implies that any linearized polynomial is also an $\mathbb{F}_{q}$ -linear map, justifying the name. We record this fact now.

Proposition 2.4.

Any linearized polynomial defines an $\mathbb{F}_{q}$ -linear map from $\mathbb{F}_{q^{n}}\to\mathbb{F}_{q^{n}}$ .

2.3 Coding Theory

A linear code ${\mathcal{C}}$ is a subspace of $\mathbb{F}_{q}^{n}$ for a prime power $q$ . Such a code may always be presented in terms of its generator matrix, which is a matrix $G\in\mathbb{F}_{q}^{k\times n}$ for which ${\mathcal{C}}=\{\bm{m}G:\bm{m}\in\mathbb{F}_{q}^{k}\}$ . When $q=2$ , a code is called binary. The block-length of the code is $n$ and its rate is $R:=\frac{k}{n}$ , where $k=\dim({\mathcal{C}})$ . We endow $\mathbb{F}_{q}^{n}$ with the (relative) Hamming metric $d(\bm{x},\bm{y}):=\tfrac{1}{n}|\{i\in[n]:x_{i}\neq y_{i}\}|$ for $\bm{x},\bm{y}\in\mathbb{F}_{q}^{n}$ . For a linear code ${\mathcal{C}}\leq\mathbb{F}_{q}^{n}$ , its dual code is defined as ${\mathcal{C}}^{\perp}:=\{\bm{y}\in\mathbb{F}_{q}^{n}:\forall\bm{x}\in{\mathcal% {C}},\leavevmode\nobreak\ \langle\bm{x},\bm{y}\rangle=0\}$ . ¹²¹²12Note the contrast with Definition 2.2: that definition is concerned with $\mathbb{F}_{q}$ -linear subspaces of the ambient space $\mathbb{F}_{q^{n}}$ , which is endowed with a different inner-product than $\mathbb{F}_{q}^{n}$ . The appropriate meaning of $\perp$ can therefore be deduced from the context.

A random linear code ${\mathcal{C}}$ of rate $R=k/n$ – briefly, a RLC $(R)$ – is defined to be the kernel of a uniformly random matrix $H\in\mathbb{F}_{q}^{(n-k)\times n}$ , i.e., ${\mathcal{C}}:=\{\bm{x}\in\mathbb{F}_{q}^{n}:H\bm{x}^{\top}=0\}$ .

This work concerns combinatorial properties of linear codes. The quintessential example of such a property is minimum distance defined as $\delta=\min\{d(\bm{x},\bm{y}:\bm{x}\neq\bm{y},\bm{x},\bm{y}\in{\mathcal{C}}\}$ . Equivalently, it is $\min\{\mathrm{wt}(\bm{x}):\bm{x}\in{\mathcal{C}}\setminus\{0\}\}$ , the minimum weight of a non-zero codeword. By the triangle-inequality for the Hamming metric, it is immediate that $\delta/2$ is the maximum radius at which one can hope to uniquely-decode from worst-case errors. If one relaxes the requirement for unique-decoding and is satisfied with outputting a list of possible messages, then one arrives list-decoding.

Definition 2.5 (List-Decodability).

Let $\rho\in(0,1-1/q)$ and $L\geq 1$ . A code ${\mathcal{C}}\subseteq\mathbb{F}_{q}^{n}$ is $(\rho,L)$ -list-decodable if for all $\bm{z}\in\mathbb{F}_{q}^{n}$ ,

|\{\bm{c}\in{\mathcal{C}}:d(\bm{c},\bm{z})\leq\rho\}|<L\ .

A generalization of list-decoding is proferred by list-recovery. For this notion, we extend the definition of Hamming distance to allow one of the arguments to be a tuple of sets $\bm{S}=(S_{1},\dots,S_{n})$ , where each $S_{i}\subseteq\mathbb{F}_{q}$ , as follows: $d(\bm{x},\bm{S}):=\frac{1}{n}|\{i\in[n]:x_{i}\notin S_{i}\}|$ .

Definition 2.6 (List-Recovery).

Let $\rho\in(0,1-1/q)$ , $1\leq\lambda\leq q-1$ and $L\geq 1$ . A code ${\mathcal{C}}\subseteq\mathbb{F}_{q}^{n}$ is $(\rho,\lambda,L)$ -list-recoverable if for all tuples $\bm{S}=(S_{1},\dots,S_{n})$ with each $S_{i}\subseteq\mathbb{F}_{q}$ satisfying $|S_{i}|\leq\lambda$ ,

|\{\bm{c}\in{\mathcal{C}}:d(\bm{c},\bm{S})\leq\rho\}|<L\ .

These are both special cases of the much more general class of local properties, which we now introduce. The technical terminology takes some time to motivate and define, but will allow for a very clean argument once we have it in place.

2.4 Local Properties

We now introduce the specialized notations and tools that we need in order to apply the machinery of [MRR⁺20, GM22]. Generally speaking, this machinery allows us to efficiently reason about the probability that sets of $\ell$ vectors (for any integer $\ell=O(1)$ ) lie in random ensembles of codes. In fact, it is convenient to (arbitrarily) order these sets and thereby view them as matrices. Thus, for $A\in\mathbb{F}_{q}^{n\times\ell}$ we will talk about events of the form “ $A\subseteq{\mathcal{C}}$ ”, which denotes that event that every column of $A$ is contained in ${\mathcal{C}}$ .

To index these events, we assign to each matrix a type, which is determined by the empirical row distribution of the matrix.

Definition 2.7 (Empirical Row Distribution).

Let $A\in\mathbb{F}_{q}^{n\times\ell}$ . We define its empirical row distribution $\mathsf{Emp}_{A}\sim\mathbb{F}_{q}^{\ell}$