Efficient List-Decoding with Constant Alphabet and List Sizes
aa r X i v : . [ c s . CC ] N ov Efficient List-Decodingwith Constant Alphabet and List Sizes
Zeyu Guo Noga Ron-Zewi ∗ Department of Computer Science, University of Haifa [email protected] [email protected]
Abstract
We present an explicit and efficient algebraic construction of capacity-achieving list decodable codeswith both constant alphabet and constant list sizes. More specifically, for any R ∈ (0 , and ǫ > ,we give an algebraic construction of an infinite family of error-correcting codes of rate R , over analphabet of size (1 /ǫ ) O (1 /ǫ ) , that can be list decoded from a (1 − R − ǫ ) -fraction of errors with listsize at most exp(poly(1 /ǫ )) . Moreover, the codes can be encoded in time poly(1 /ǫ, n ) , the outputlist is contained in a linear subspace of dimension at most poly(1 /ǫ ) , and a basis for this subspacecan be found in time poly(1 /ǫ, n ) . Thus, both encoding and list decoding can be performed in fullypolynomial-time poly(1 /ǫ, n ) , except for pruning the subspace and outputting the final list which takestime exp(poly(1 /ǫ )) · poly( n ) . In contrast, prior explicit and efficient constructions of capacity-achievinglist decodable codes either required a much higher complexity in terms of /ǫ (and were additionallymuch less structured), or had super-constant alphabet or list sizes.Our codes are quite natural and structured. Specifically, we use algebraic-geometric ( AG ) codes withevaluation points restricted to a subfield, and with the message space restricted to a (carefully chosen)linear subspace. Our main observation is that the output list of AG codes with subfield evaluation pointsis contained in an affine shift of the image of a block-triangular-Toeplitz (BTT) matrix , and that the listsize can potentially be reduced to a constant by restricting the message space to a BTT evasive subspace ,which is a large subspace that intersects the image of any
BTT matrix in a constant number of points.We further show how to explicitly construct such
BTT evasive subspaces, based on the explicit subspacedesigns of Guruswami and Kopparty (
Combinatorica , 2016), and composition. An error-correcting code is a map C : Σ k → Σ n , which encodes a k -symbol message over an alphabet Σ into an n -symbol codeword over Σ . One main parameter of interest of an error-correcting code is the rate R = k/n , which measures the amount of redundancy in the encoding. Naturally, it is desirable that therate R is as large as possible to minimize the overhead in encoding. Another important parameter is the (relative) distance δ , defined as the smallest (relative) Hamming distance dist( C ( x ) , C ( y )) between theencodings of any pair of distinct messages x, y ∈ Σ k . The importance of the distance parameter arises fromthe following observation: if we are given w ∈ Σ n such that dist( w, C ( x )) < δ for some message x ∈ Σ k ,then this x is uniquely determined . Thus, a large distance allows one to unambiguously retrieve the original ∗ Research supported in part by ISF grant 735/20. The (relative) Hamming distance dist( z, w ) between a pair of strings z, w ∈ Σ n is the fraction of coordinates on which z and w differ. constant , independent of the codeword length), and thatit admits efficient ( poly( n ) -time) encoding and decoding algorithms.Clearly, there is a qualitative trade-off between the above parameters: the largest the distance δ is, thesmallest the rate R must be. Quantitatively, the Singleton bound states that any code must satisfy that δ ≤ − R . This bound is precisely matched by the classical family of Reed-Solomon (RS) codes [RS60].Given a finite field F q , and n distinct elements α , α , . . . , α n ∈ F q , the Reed-Solomon code RS q ( n, k ) with evaluation points α , . . . , α n maps a message ( f , f , . . . f k − ) ∈ F kq , viewed as the coefficients of apolynomial f = P k − i =0 f i X i ∈ F q [ X ]
The celebrated work of Guruswami and Sudan [Sud97, GS99]showed that RS codes can be efficiently list decoded beyond half their minimum distance (up to the so-called Johnson bound ), which gave the first family of error-correcting codes that are efficiently list decodable beyondthe unique decoding radius. Only a decade later, the seminal work of Guruswami and Rudra [GR08] showedthat folded Reed-Solomon (FRS) codes – a remarkably simple variant of RS codes – can be efficientlylist decoded up to list-decoding capacity. FRS codes are obtained from RS codes (with the evaluationpoints ordered according to their power in the multiplicative group of the field) by dividing the codewordscoordinates in the latter code into consecutive blocks of length m = Θ(1 /ǫ ) , and then viewing each suchblock of coordinates as a single symbol over a larger alphabet.Once more, a disadvantage of FRS codes is their large alphabet – on the order of n Θ(1 /ǫ ) – which iseven larger than that of the corresponding RS codes. Moreover, the list size obtained by the algorithm ofGuruswami and Rudra was also a very large polynomial on the order of n Θ(1 /ǫ ) , and this also dictated asimilar running time for the list decoding algorithm. Starting with the breakthrough result of Guruswami Note that in the list decoding setting, at least Ω( n/ǫ ) time is required to output the list. Moreover, the alphabet size must be atleast exp(Ω(1 /ǫ )) , and so the bit-length of the input is at least Ω( n/ǫ ) . Reducing list size.
Towards reducing the list size, Guruswami and Wang [GW13] devised a new “linear-algebraic” list decoding algorithm for
FRS codes, with the surprising property that the output list is containedin a low-dimensional subspace of constant dimension O (1 /ǫ ) . In the same work, Guruswami and Wangfurther observed that, utilizing this property, one can potentially reduce the list size to a constant by restrictingthe message space of FRS codes to a subspace evasive set , which is a large set that intersects any constantdimensional subspace in a constant number of points. Guruswami and Wang showed that such objects existprobabilistically, and raised the question of searching for an explicit construction.The above program was subsequently carried out by Dvir and Lovet [DL12], who gave an algebraicconstruction of subspace evasive sets with the required properties. Combined with the linear-algebraic listdecoding algorithm of [GW13], this resulted in a subcode of
FRS codes that can be efficiently encoded (intime poly(1 /ǫ, n ) ), and efficiently list decoded up to capacity with constant list size L = (1 /ǫ ) O (1 /ǫ ) (intime poly( L, n ) ). Lastly, Kopparty, Ron-Zewi, Saraf, and Wootters [KRSW18] have recently shown that infact any linear code of constant distance δ that is list decodable from a ( δ − ǫ ) -fraction of errors with outputlist of constant dimension d has constant list sizes (depending on d , δ , and ǫ ). This shows that, perhapssurprisingly, FRS codes themselves have constant list size (in fact the same list size of L = (1 /ǫ ) O (1 /ǫ ) ),without the need to pass to a subcode (list decoding can be performed probabilistically in time poly( L, n ) ). Reducing alphabet size.
Similarly to the unique decoding setting, one can reduce the alphabet size to aconstant (depending on ǫ ) by considering suitable versions of “folded” AG codes [Gur09, GX12, GX14,GX15]. However, in this setting, the dimension of the output list was too large to apply the above subspaceevasive machinery and obtain small list sizes. To overcome this, Guruswami and Xing [GX13] came-up withan alternative approach for constructing capacity-achieving list decodable codes that is based on restrictingthe evaluation points of “plain” (unfolded) versions of RS or AG codes to a subfield. Specifically, Guruswami and Xing first observed that while RS codes are generally not list decodableup to capacity with non-trivial list sizes [BKR10], for the special case of RS codes with evaluation pointsrestricted to a subfield, it is possible to obtain slightly non-trivial list sizes, and furthermore, the lists satisfy acertain periodic structure. In more detail, consider the RS code RS q,m ( n, k ) , defined over a large extensionfield F q m , with evaluation points coming from a small subfield F q , for m = Θ(1 /ǫ ) . Guruswami andXing showed that in this setting, there exists an F q -linear subspace ˆ V ⊆ F q m of constant dimension O (1 /ǫ ) so that any message ( f , f , . . . f k − ) ∈ F kq m in the output list satisfies that once the first i coefficients f , f , . . . , f i − ∈ F q m are fixed, the next coefficient f i belongs to an affine shift of ˆ V .Note that, indeed, the above structure does not a priori guarantee a small list size. In fact, the only boundon the list size that is implied by the above structure is q O ( k/ǫ ) = q O ( ǫmk ) , which is only slightly smaller thanthe number of possible messages which is q km . However, Guruswami and Xing noticed that, interestingly,the above periodic structure can lead to a list of constant dimension (which also leads in turn to constant listsizes using the machinery of [DL12] or [KRSW18] described above) when the message space is restrictedto a subspace design , and once more, suggested to construct such objects explicitly. In a follow-up work[GK16], Guruswami and Kopparty explicitly constructed such objects, and combined with the approach of A code C : Σ k → Σ n is linear if Σ = F q for some finite field F q , and the map C : F kq → F nq is linear. Guruswami and Xing first came-up with a similar approach in the folded setting [GX12], and only later observed in [GX13]that it also applies to unfolded versions. For simplicity, we only discuss the latter more basic approach. RS codes (with subfieldevaluation points) is list decodable up to capacity, with constant list sizes (see Table 1 for exact parameters).Guruswami and Xing further observed that a similar periodic structure occurs in the AG code setting.However, over constant-size fields, it is impossible to construct subspace designs that lead to constant listsizes. Nevertheless, Guruswami and Xing showed that one can iteratively compose together subspacedesigns of exponentially increasing lengths to obtain extremely slowly growing list sizes (depending on log ∗ n ) over constant-size alphabets (see more discussion in Section 2 below). This led in turn to capacity-achieving list decodable codes with constant alphabet size (1 /ǫ ) O (1 /ǫ ) , extremely slowly growing list size exp(poly(1 /ǫ )) · exp exp exp(log ∗ n ) , and efficient encoding and list decoding algorithms (running in time poly(1 /ǫ, n ) and poly( L, n ) , respectively).Finally, we mention that in [KRSW18], a different approach was given for obtaining both constantlist and constant alphabet sizes, based on multi-level concatenation of FRS codes, and expander-basedamplification. However, the resulting code is arguably more complicated and less natural and structured thanthe aforementioned algebraic constructions, and moreover, has a much higher complexity in terms of /ǫ .Specifically, the list size was quadruply-exponential in poly(1 /ǫ ) , which also dictated a similar running timefor list decoding, , and the encoding time was also pretty large exp(poly(1 /ǫ )) · poly( n ) due to the need tobrute-force search for the inner codes. A main question left open by the above line of work is whether one can come up with constructions ofcapacity-achieving list decodable codes with both constant alphabet and constant list sizes, and admitting fully polynomial-time poly(1 /ǫ, n ) encoding and list-decoding. Our main result (almost) answers thisquestion in the affirmative. Theorem 1.1.
For any R ∈ (0 , and ǫ > , there is an infinite family of error-correcting codes of rateat least R over an alphabet of size (1 /ǫ ) O (1 /ǫ ) that can be encoded in time poly(1 /ǫ, n ) , and can be listdecoded from a (1 − R − ǫ ) -fraction of errors with list size at most L = exp(poly(1 /ǫ )) in time poly( L, n ) .Moreover, the codes, defined over an alphabet F q m , are F q -linear, the output list is contained in an F q -linearsubspace of dimension at most poly(1 /ǫ ) , and a basis for this subspace can be found in time poly(1 /ǫ, n ) . Note that our codes achieve list-decoding capacity with both constant alphabet and constant list sizes, andboth encoding and list decoding can be performed in fully polynomial-time poly(1 /ǫ, n ) , except for pruningthe subspace and outputting the final list which takes time exp(poly(1 /ǫ )) · poly( n ) . Our codes are quitenatural and structured, specifically, we use AG codes with evaluation points restricted to a subfield, and withthe message space restricted to a (carefully chosen) F q -linear subspace. It is our hope that this relativelynatural and simple structure will prove useful in future applications.A barrier to improving the general running time of list-decoding to poly(1 /ǫ, n ) is the exponentialdependency of the list size on /ǫ since, at the very least, such amount of time is required to output the wholelist. However, currently the smallest known list size for explicit capacity-achieving list decodable codes is In [GX12], Guruswami and Xing suggested alternatively using hierarchical subspace evasive sets and showed that utilizingthe above periodic structure, these could potentially lead to constant list sizes over constant-size alphabets. However, it is currentlyunknown how to explicitly construct such objects. The reason for the large list size is that the construction roughly uses four levels of encodings, two of these via
FRS codes,and two other via random linear codes, and for both codes, the best-known list size is exponential in /ǫ . It may be possible toreduce the list size by replacing the random linear codes with other codes of smaller list size and succinct representation, e.g., the pseudo-linear codes of [GI01]. However, the list size would still be at least doubly-exponential in /ǫ . /ǫ ) O (1 /ǫ ) , achieved by FRS codes [KRSW18]. We leave it as an interesting open problem to search forexplicit capacity-achieving list decodable codes (even over large super-constant alphabet) with optimal listsize O (1 /ǫ ) , or even poly(1 /ǫ ) . We further mention that the alphabet size we obtain, on the other hand, isnot much worse than the lower bound of exp(Ω(1 /ǫ )) , and is generally the smallest known alphabet size forexplicit capacity-achieving list decodable codes [GX12, GX13, GX14, GX15].Finally, we note that using the machinery of [HRW20, KRR +
19] (specifically, taking a high-order tensorproduct of the codes given by Theorem 1.1, combined with an expander-based amplification), it is possibleto bring down the dependency on n in the running time of both encoding and list-decoding to nearly-linear ,say n . . However, similarly to the multi-level construction of [KRSW18] mentioned above, the resultingcodes become more complicated and less natural and structured, and also have a much higher complexity interms of /ǫ (see Table 1 below). Obtaining a truly-linear dependency on n in the running time of eitherencoding or list-decoding for capacity-achieving list decodable codes seems to require, as in the uniquedecoding setting, completely different non-algebraic techniques.Table 1 below summarizes the above discussion. In the next section, we shall give an overview of ourtechniques. The starting point for our construction is the aforementioned work of Guruswami of Xing [GX13]. Asdescribed above, in this work it was observed that the output list of RS or AG codes with subfield evaluationpoints satisfy a special periodic structure. Namely, there exists an F q -linear subspace ˆ V ⊆ F q m of constantdimension r = O (1 /ǫ ) so that any message ( f , f , . . . f k − ) ∈ F kq m in the output list satisfies that given thefirst i coefficients f , f , . . . , f i − ∈ F q m , the next coefficient f i belongs to an affine shift of ˆ V . Moreover, itwas shown that one can exploit this structure and reduce the output list size by restricting the message spaceto a subspace design .An ( r, s ) -subspace design over F q m of cardinality k is a collection of k F q -linear subspaces H , . . . , H k ⊆ F q m so that P ki =1 dim( ˆ V ∩ H i ) ≤ s for any F q -linear subspace ˆ V ⊆ F q m of dimension at most r . It followsby definition that, assuming the above periodic structure, when restricting each coefficient f i to the subspace H i , the resulting output list has dimension at most P ki =1 dim( ˆ V ∩ H i ) ≤ s . It can be shown, using theprobabilistic method, that there exists an ( r, s ) -subspace design H , . . . , H k over F q m with k = q Ω( ǫm ) and s = O ( r/ǫ ) , where each subspace H i has co-dimension at most ǫm in F q m . In [GK16], Guruswami andKopparty gave an explicit construction of a subspace design with similar parameters. Theorem 2.1 (Explicit subspace design, [GK16], Theorem 6) . There exists an absolute constant c > ,so that for every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q satisfying q m ≥ max n k c · r/ǫ , (cid:0) rǫ (cid:1) r/ǫ o , there exists an ( r, s ) -subspace design H , . . . , H k over F q m for s = r ǫ , whereeach H i has co-dimension at most ǫm in F q m . Moreover, bases for H , . . . , H k can be found in time poly( q, k, m ) . Thus, by restricting the message coefficients in RS codes with subfield evaluation points to the subspacedesign given by the above theorem, one can reduce the dimension of the output list to O (1 /ǫ ) (and by[KRSW18], this in fact implies that the list is of constant size). Note however that the above theorem couldnot be applied to AG codes, as it requires the number of subspaces k to be smaller than q m , whereas for AG codes the number of message coordinates k (which grows to infinity) is much larger than q m (which isconstant in the AG setting). 5 ode Alphabet size | Σ | List size L Notes
FRS codes [GR08, GW13] n O (1 /ǫ ) n O (1 /ǫ ) Previous codes [KRSW18] n O (1 /ǫ ) (cid:0) ǫ (cid:1) O (1 /ǫ ) Randomizedlist-decodingPrevious codes + subspaceevasive set [DL12] n O (1 /ǫ ) (cid:0) ǫ (cid:1) O (1 /ǫ ) Multi-level concatenation ofprevious codes + expanderamplification [KRSW18] poly(1 /ǫ ) /ǫ ) Encoding time poly(1 /ǫ ) · poly( n )RS codes with subsfield eval-uation points + subspace de-sign [GX13, GK16] n O (1 /ǫ ) n O (1 /ǫ ) Previous codes [KRSW18] n O (1 /ǫ ) (cid:0) ǫ (cid:1) O (1 /ǫ ) Randomizedlist-decodingPrevious codes + subspaceevasive set [DL12] n O (1 /ǫ ) (cid:0) ǫ (cid:1) O (1 /ǫ ) AG codes with subfield eval-uation points + subspace de-sign [GX13, GK16] (cid:0) ǫ (cid:1) O (1 /ǫ ) poly(1 /ǫ ) · O (log ∗ n ) Tensor product of previouscodes + expander amplifica-tion [HRW20, KRR + poly(1 /ǫ ) /ǫ ) · O (log ∗ n ) Encoding time poly(1 /ǫ ) · n . ,list-decoding time poly( L ) · n . This work: AG codes withsubfield evaluation points + BTT evasive subspace (cid:0) ǫ (cid:1) O (1 /ǫ ) poly(1 /ǫ ) Basis for subspacecontaining list canbe found in time poly(1 /ǫ, n ) Tensor product of previouscodes + expander amplifica-tion poly(1 /ǫ ) /ǫ ) Encoding time poly(1 /ǫ ) · n . ,list decoding time poly( L ) · n . Table 1: Capacity-achieving list decodable codes C : Σ k → Σ n of rate R that are list decodable from a (1 − R − ǫ ) -fraction of errors with list size L . All codes can be deterministically encoded in time poly(1 /ǫ, n ) and deterministically list decoded in time poly( L, n ) unless otherwise noted.6o overcome this, Guruswami and Xing suggested the following iterative construction. Suppose that themessage space has the periodic structure described above, and that k ≫ q m . Then Guruswami and Xingsuggested to first divide the k coordinates into kk blocks of k coordinates each, where k ≈ q m , and restricteach such block separately to an identical ( r, s ) -subspace design over F q m of cardinality k that is guaranteedby the above Theorem 2.1. The main observation is that, when viewing each block of length k as a singlecoordinate, the resulting subspace also has a periodic structure, however, with exponentially larger alphabetsize q mk .Thus, one can once more divide the resulting kk coordinates into kk k blocks of length k each, wherenow k ≈ q mk , and restrict to an identical subspace design on each block separately. Continuing this way,and noting that the alphabet size increases exponentially in each iteration, after ≈ log ∗ k iterations, we arriveat alphabet size k , which is sufficiently large for restricting to a single subspace design. Since the dimensionsquares on each invocation of Theorem 2.1, the final dimension is doubly-exponential in log ∗ k , and theresulting output list size is triply-exponential log ∗ k .Our main observation that allows us to obtain both constant alphabet and constant list sizes is that AG (or RS ) codes with subfield evaluation points satisfy yet an even more refined structure, namely, the output listis contained in an affine shift of the image of a block-triangular-Toeplitz (BTT) matrix . We further observethat this structure can potentially lead to constant list sizes over a constant-size alphabet if the message spaceis restricted to an appropriate pseudo-random object that we call a BTT evasive subspace . In what followswe elaborate on these two ingredients.
We start by formally defining the notion of a block-triangular-Toeplitz matrix (see Figure 1 below for anillustration).
Definition 2.2 (Block-triangular-Toeplitz (
BTT ) matrix) . A ( k, m, r ) -block-triangular-Toeplitz ( BTT ) ma-trix over F q is a ( km ) × ( kr ) matrix M over F q so that M = ( M i,j ) i,j ∈ [ k ] , as a ( k × k ) -block matrix with m × r blocks M i,j , satisfies the following conditions:1. M is block-lower-triangular, i.e., M i,j = 0 for i, j ∈ [ k ] with i < j .2. M is block-Toeplitz, i.e., M i,j = M i ′ ,j ′ for i, j, i ′ , j ′ ∈ [ k ] with i − j = i ′ − j ′ .3. M has maximal rank. By the two conditions above, this is equivalent to the statement that M , hasrank min { r, m } .We say that M is ( k, m, r ) - periodic if only blocks on the main diagonal are required to be identical, i.e., thesecond condition above is weakened to M i,i = M i ′ ,i ′ for all i, i ′ ∈ [ k ] . We say that V ⊆ F kmq is a ( k, m, r ) - BTT subspace if V = Image( M ) for some ( k, m, r ) - BTT matrix M (where M is viewed as a linear map from F krq to F kmq , and Image( M ) denotes its image). Similarly, wesay that V ⊆ F kmq is a ( k, m, r ) -periodic subspace if V = Image( M ) for some ( k, m, r ) -periodic matrix M . Note that in this terminology, the periodic structure described above corresponds to the special case ofa ( k, m, r ) -periodic subspace, where ˆ V = Image( M ) . Our first main observation is that the output list of AG (or RS ) codes with subfield evaluation points is in fact contained in an affine shift of a ( k, m, r ) - BTT subspace for r = O (1 /ǫ ) (under a suitable linear map).7 M · · · M M · · · M M M · · · ... ... ... . . . ... M k M k − M k − · · · M Figure 1: A ( k, m, r ) - BTT matrix, where each M i is an m × r matrix and M has maximal rank. Theorem 2.3 (Output list contained in a
BTT subspace) . There exists an absolute constant c > so thatthe following holds for any R ∈ (0 , , ǫ > , q ≥ /ǫ c that is an even power of a prime, and m ≥ /ǫ .There is an infinite family of error-correcting codes { C n } n , where C n satisfies the following properties:1. C n : F kq m → F nq m is a linear code of rate at least R that can be encoded in time poly(log q, m, n ) .2. There exists an injective F q -linear map φ : F kq m → F ˆ kq m , where ˆ k ≤ n , so that C n can be list decodedfrom a (1 − R − ǫ ) -fraction of errors, pinning down the images of the candidate messages under φ (viewed as length ˆ km vectors over F q ) to an affine shift of a (ˆ k, m, ǫm ) - BTT subspace V over F q .Moreover, the map φ , a basis for V , and the affine shift can be computed in time poly(log q, m, n ) . We prove the above theorem in Section 6 using AG codes with subfield evaluation points. As a warm-up,we first prove, in Section 4, that this theorem holds in the more basic setting of RS codes with subfieldevaluation points. In the RS setting, the linear-algebraic approach of [GX13] gives a functional equation ofthe form A ( X ) + A ( X ) f ( X ) + A ( X ) f σ ( X ) + · · · + A s ( X ) f σ s − ( X ) = 0 that any low-degree polynomial f that has large agreement with a received word y must satisfy, where σ denotes the Frobenius automorphism mapping f = P k − j =0 f j X j to f = P k − j =0 f qj X j , and the coefficients of A , . . . , A s depend on the received word y .We observe that the above functional equation quite naturally gives a ( k, m, (1 − ǫ ) m ) - BTT matrix, sothat the solution set is contained in an affine shift of the kernel of this matrix. We then show that the kernelof a ( k, m, r ) - BTT matrix is in fact a ( k, m, m − r ) - BTT subspace (i.e., the image of a ( k, m, m − r ) - BTT matrix), which gives the claimed ( k, m, ǫm ) - BTT subspace containing the list (in this setting, φ is just theidentity map). We further show that a similar reasoning can be applied in the AG code setting. We say that a subspace W ⊆ F kmq is a ( k, m, r, s ) - BTT evasive subspace if dim( V ∩ W ) ≤ s for every ( k, m, r ) - BTT subspace V ⊆ F kmq . Similarly, we say that a subspace W ⊆ F kmq is a ( k, m, r, s ) -periodicevasive subspace if dim( V ∩ W ) ≤ s for every ( k, m, r ) -periodic subspace V ⊆ F kmq . Note that any ( r, s ) -subspace design over F q m of cardinality k is a ( k, m, r, s ) -periodic evasive subspace (see Corollary3.1). We first observe, using the probabilistic method, that there exists a ( k, m, r, s ) - BTT evasive subspace W ⊆ F kmq of co-dimension at most ǫkm and s = O ( r/ǫ ) . Notably, the lemma holds for any field size q andblock length m ! Lemma 2.4.
For every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q , there exists a ( k, m, r, s ) - BTT evasive subspace W ⊆ F kmq of co-dimension at most ǫkm for s = rǫ . BTT evasive subspaces with similar parameters over a fieldof considerably smaller size than the one required in Theorem 2.1.
Theorem 2.5 (Explicit
BTT evasive subspace) . There exists an absolute constant c > , so that for every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q satisfying that q ≥ m c , there exists a ( k, m, r, s ) - BTT evasive subspace W ⊆ F kmq of co-dimension at most ǫkm for s = poly( r/ǫ ) . Moreover,a basis for W can be found in time poly( q, k, m ) . We prove the above theorem in Section 3. To this end, we first observe that the iterative construction of[GX13], described above, implicitly gives the following composition lemma for periodic evasive subspaces.In what follows, for a subspace W ⊆ F nq , and a positive integer k , let W k ⊆ F knq be the subspace containingall vectors ( w , . . . , w k ) ∈ F knq where w i ∈ W for all ≤ i ≤ k . For a pair of subspaces W ⊆ F nq and W ′ ⊆ F knq , we let W ◦ W ′ := W k ∩ W ′ . Lemma 2.6 (Implicit in [GX13]) . Suppose that W is an “inner” ( k, m, r, s ) -periodic evasive subspace over F q , and W ′ is an “outer” ( k ′ , km, s, s ′ ) -periodic evasive subspace over F q . Then W ◦ W ′ = W k ∩ W ′ is a ( k ′ k, m, r, s ′ ) -periodic evasive subspace over F q . Roughly speaking, the above lemma gives a way to combine together an “inner” periodic evasive subspace W with a short block length m (but a relatively small number of blocks k ) with an “outer” periodic evasivesubspace W ′ with a large number of blocks k ′ (but a long block length m ′ ), to obtain a periodic evasivesubspace W ◦ W ′ of both short block length m and large number of blocks ≈ k ′ (see Figure 2 below foran illustration). Applying this lemma iteratively for log ∗ k times, using the explicit subspace design givenby Theorem 2.1 (which is in particular a periodic evasive subspace), gives the main result of [GX13] whichreduces the list size of AG codes with subfield evaluation points to triply-exponential in log ∗ n .. . .. . .. . . x ∈ Wx ∈ W ′ x ∈ W ◦ W ′ k blocks k ′ blocks k ′ k blocks mkmm Figure 2: Illustration of the first two parameters in composition.We further observe that essentially the same composition lemma holds when replacing the inner periodicevasive subspace with a
BTT evasive subspace , in which case the resulting composed subspace is a
BTT evasive subspace as well.
Lemma 2.7.
Suppose that W is an “inner” ( k, m, r, s ) - BTT evasive subspace over F q , and W ′ is an “outer” ( k ′ , km, s, s ′ ) -periodic evasive subspace over F q . Then W ◦ W ′ = W k ′ ∩ W ′ is a ( k ′ k, m, r, s ′ ) - BTT evasivesubspace over F q .
9o prove Theorem 2.5, we first apply the above composition lemma with the inner subspace being thenon-explicit ( k , m, r, s ) - BTT evasive subspace, given by Lemma 2.4, for k ≈ log log k (which can befound efficiently via brute-force search in this setting of parameters), and the outer subspace being the explicit ( k , k m, s , s ) -periodic evasive subspace, given by Theorem 2.1, for k = log k ≈ exp( k ) . Then weapply the above composition lemma once more with the inner subspace being the resulting ( k k , m, r, s ) - BTT evasive subspace, and the outer subspace being yet another explicit ( k , k k m, s , s ) -periodic evasivesubspace, given by Theorem 2.1, for k ≈ k ≈ exp( k ) . As we apply the composition step only twice, thisresults in a ( k, m, r, s ) - BTT evasive subspace for s = poly( r/ǫ ) . A careful choice of parameters givesthe explicit BTT evasive subspace claimed in Theorem 2.5.Finally, we note that the above composition method is reminiscent of the classical technique of codeconcatenation [For66]. Roughly speaking, code concatenation is a technique for reducing the alphabet sizeof a code, where one starts with a long outer code over a large alphabet, and then reduces the alphabet sizeby encoding each large alphabet symbol with a short inner code over a smaller alphabet. Curiously, theparameters obtained by concatenation are very similar to those obtained by the above Composition Lemma2.7, when viewing k as the codeword length and q m as the alphabet size of the code.In particular, a well-known method for constructing asymptotically good codes (i.e., codes with constantrate and distance) over small alphabets (e.g., the binary alphabet) is to first concatenate an inner asymptoticallygood code over a small alphabet of length k ≈ log log k (which can be found via brute-force search) withan outer RS code of alphabet size ≈ exp( k ) and length k ≈ log k ≈ exp( k ) , and then concatenatethe resulting code with another outer RS code of alphabet size ≈ k ≈ exp( k ) and length ≈ k . Ourconstruction of BTT evasive subspaces uses the same two-level construction, with the explicit subspacedesign of Theorem 2.1 playing the role of the RS code over a large alphabet, and the non-explicit BTT evasive subspace of Lemma 2.4 playing the role of the non-explicit asymptotically good code over a smallalphabet. However, despite the technical resemblance, we could not find any formal connection betweencode concatenation and the above composition method for evasive subspaces.
Our main Theorem 1.1 follows as an immediate corollary of the above Theorems 2.3 and 2.5.
Proof of Theorem 1.1.
Let ǫ ′ = ǫ and R ′ = R + 25 ǫ ′ . Let m = 1 / ( ǫ ′ ) , and let q = poly(1 /ǫ ) be an evenpower of a prime so that q ≥ m c , where c > is a sufficiently large constant for which both Theorems 2.3and 2.5 hold. Let { C n } n be the infinite family of codes, guaranteed by Theorem 2.3, with the followingproperties for each C n :1. C n : F kq m → F nq m is a linear code of rate at least R ′ that can be encoded in time poly(1 /ǫ, n ) .2. There exists an injective linear map φ : F kq m → F ˆ kq m , where ˆ k ≤ n , so that C n can be list decodedfrom a (1 − R ′ − ǫ ′ ) -fraction of errors, pinning down the images of the candidate messages under φ (viewed as length ˆ km vectors over F q ) to an affine shift of a (ˆ k, m, ǫ ′ m ) - BTT subspace V over F q .Moreover, the map φ , a basis for V , and the affine shift can be computed in time poly(1 /ǫ, n ) .Fix a code C n as above, and let ǫ ′′ = 25 ǫ ′ . By Theorem 2.5, there exists a (ˆ k, m, ǫ ′ m, s ) - BTT evasivesubspace W ⊆ F ˆ kmq of co-dimension at most ǫ ′′ ˆ km for s = poly(1 /ǫ ) , and a basis for W can be found intime poly(1 /ǫ, n ) . Let C ′ n be the code obtained from C n by restricting the message space to φ − ( W ) . Weclaim that C ′ n satisfies Theorem 1.1. 10ote first that C ′ n is an F q -linear code of rate at least R ′ − ǫ ′′ ˆ k/n ≥ R ′ − ǫ ′′ = R , and alphabet size q m = (1 /ǫ ) O (1 /ǫ ) , that can be encoded in time poly(1 /ǫ, n ) . Moreover, as − R ′ − ǫ ′ = 1 − R − ǫ , thecode C n can be list decoded from a (1 − R − ǫ ) -fraction of errors, pinning down the images of the candidatemessages under φ (viewed as length ˆ km vectors over F q ) to an affine shift u of a (ˆ k, m, ǫ ′ m ) - BTT subspace V over F q . This means that the candidate messages of the code C n are contained in φ − ( u + V ) .As C ′ n is obtained from C n by restricting the message space to φ − ( W ) , the candidate messages of C ′ n are contained in φ − ( u + V ) ∩ φ − ( W ) = φ − (( u + V ) ∩ W ) , which is an affine shift of φ − ( V ∩ W ) (or empty). We can find a basis B for φ − ( V ∩ W ) and a vector u ′ ∈ φ − (( u + V ) ∩ W ) (if such exists) in time poly(1 /ǫ, n ) given the received word. Then the list ofcandidate messages of C ′ n is contained in the subspace spanned by B and u ′ over F q , whose dimension isbounded by dim( V ∩ W ) + 1 ≤ s + 1 = poly(1 /ǫ ) , and a basis for this subspace can be found in time poly(1 /ǫ, n ) . Consequently, the output list size is exp(poly(1 /ǫ )) and the entire list can be output in time exp(poly(1 /ǫ )) · poly( n ) , as claimed. Open problems.
We end this section with a couple of intriguing open problems.1. Is it possible to explicitly construct capacity-achieving list decodable codes with list size poly(1 /ǫ ) (even over a large super-constant alphabet)? As mentioned above, the smallest known list size forexplicit capacity-achieving list decodable codes is (1 /ǫ ) O (1 /ǫ ) , achieved by FRS codes [KRSW18],while potentially the list size could be as small as O (1 /ǫ ) , as is the case for random codes. Such aconstruction could also potentially lead to fully polynomial-time poly(1 /ǫ, n ) list-decoding algorithms.2. Is it possible to obtain capacity-achieving list decodable codes with truly linear-time encoding or listdecoding algorithms? As in the unique decoding setting, this seems to require completely differenttechniques, e.g., graph-based constructions [MRR +
20, RWZ20].3. A question that is still widely open is to explicitly construct capacity-achieving list decodable codes oversmall fixed-size alphabets, e.g., the binary alphabet. Over a q -ary alphabet, the list-decoding capacityis known to be h − q (1 − R ) , where h q ( x ) = x log q ( q −
1) + x log q (1 /x ) + (1 − x ) log q (1 / (1 − x )) isthe q -ary entropy function. Once more, this question seems to require completely different techniques.4. Can our methods be used to construct other pseudo-random objects? In particular, an intriguingquestion is whether these techniques could be used to construct lossless dimension expanders overconstant-size fields, whose state-of-the-art constructions [GRX18] are based on the list-decodingmachinery of [GX13]. Organization.
In Section 3 we present our explicit construction of
BTT evasive subspaces (Theorem 2.5).In Section 4 we first show, as a warm-up, that the output list of RS codes with subfield evaluation points iscontained in an affine shift of a BTT subspace. Then in Section 6, after providing the required AG codepreliminaries in Section 5, we show how to extend the analysis to AG codes with subfield evaluation points(Theorem 2.3). In this section, we prove Theorem 2.5, which is restated below.11 heorem 2.5 (Explicit
BTT evasive subspace) . There exists an absolute constant c > , so that for every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q satisfying that q ≥ m c , there exists a ( k, m, r, s ) - BTT evasive subspace W ⊆ F kmq of co-dimension at most ǫkm for s = poly( r/ǫ ) . Moreover,a basis for W can be found in time poly( q, k, m ) . The first ingredient in our proof is Lemma 2.4, restated below, which shows the existence of a (non-explicit) ( k, m, r, s ) - BTT evasive subspace W ⊆ F kmq of co-dimension at most ǫkm and s = O ( r/ǫ ) .Notably, the lemma holds for any field size q and block length m . Lemma 2.4.
For every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q , there exists a ( k, m, r, s ) - BTT evasive subspace W ⊆ F kmq of co-dimension at most ǫkm for s = rǫ .Proof. Let W ⊆ F kmq be a random linear subspace of co-dimension ǫkm . Fix a ( k, m, r ) - BTT subspace V ⊆ F kmq . We first bound the probability that dim( V ∩ W ) ≥ s . Fix a subspace V ∗ ⊆ V of dimension s .Since W is a random subspace of co-dimension ǫkm , the probability that V ∗ is contained in W is at most Q s − i =0 q (1 − ǫ ) km − q i q km − q i ≤ q − ǫkms . As the number of s -dimensional subspaces V ∗ ⊆ V is at most q krs , by a unionbound, we have that W contains some s -dimensional subspace V ∗ ⊆ V with probability at most q ( r − ǫm ) ks .So dim( V ∩ W ) ≥ s with probability at most q ( r − ǫm ) ks .Next, we observe that the number of ( k, m, r ) - BTT subspaces is at most q rkm , as each such subspace isdetermined by the first r columns of a ( k, m, r ) - BTT matrix. Consequently, by a union bound, we get that dim( V ∩ W ) ≥ s for some ( k, m, r ) - BTT subspace V , with probability at most q rkm +( r − ǫm ) ks . This latterprobability is smaller than since rkm + ( r − ǫm ) ks = rkm + ( r − ǫm ) · krǫ = rk (cid:18) rǫ − m (cid:19) < , where the first equality is by our choice of s = 2 r/ǫ , and the last inequality is by our choice of r < ǫm . Weconclude that there exists a ( k, m, r, rǫ ) - BTT evasive subspace W of co-dimension at most ǫkm . Remark . We further note that to find a
BTT evasive subspace as above, one can enumerate over allsubspaces W ⊆ F kmq of co-dimension at most ǫkm , and over all ( k, m, r ) - BTT subspaces V , and computethe dimension of their intersection, which takes time q O (( km ) ) .Our second ingredient is Theorem 2.1 from [GK16], restated below, which gives an explicit constructionof an ( r, s ) -subspace design over F q m of cardinality k , where each subspace has co-dimension at most ǫm and s = O (cid:16) r ǫ (cid:17) , as long as q m is sufficiently larger than k . Theorem 2.1 (Explicit subspace design, [GK16], Theorem 6) . There exists an absolute constant c > ,so that for every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q satisfying q m ≥ max n k c · r/ǫ , (cid:0) rǫ (cid:1) r/ǫ o , there exists an ( r, s ) -subspace design H , . . . , H k over F q m for s = r ǫ , whereeach H i has co-dimension at most ǫm in F q m . Moreover, bases for H , . . . , H k can be found in time poly( q, k, m ) . For completeness, we sketch the proof of the above theorem in Appendix A. Note that the above theoremin particular gives an explicit periodic evasive subspace with the same parameters.
Corollary 3.1 (Explicit periodic evasive subspace) . There exists an absolute constant c > , so that for every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q satisfying q m ≥ max n k c · r/ǫ , (cid:0) rǫ (cid:1) r/ǫ o , here exists a ( k, m, r, s ) -periodic evasive subspace W ⊆ F kmq of co-dimension at most ǫkm for s = r ǫ .Moreover, a basis for W can be found in time poly( q, k, m ) .Proof. Let H , H , . . . , H k be the ( r, s ) -subspace design over F q m guaranteed by Theorem 2.1 for the samechoice of parameters, and let W = H × H × · · · × H k . Then by Theorem 2.1, we clearly have that a basisfor W is a subspace of F kmq of co-dimension at most ǫkm , and that W can be found in time poly( q, k, m ) .It remains to show that W is a ( k, m, r, s ) -periodic evasive subspace. Let M be a ( k, m, r ) -periodic matrix,and let V = Image( M ) , we would like to show that dim( V ∩ W ) ≤ s .By definition, M is a block-lower-triangular matrix with k copies of an m × r matrix ˆ M on the maindiagonal, and ˆ M has full column rank r . Let ˆ V = Image( ˆ M ) , which is a subspace of F mq of dimension r .For i ∈ [ k ] , choose an m × m matrix R i such that H i = ker( R i ) , and let R ∈ F km × kmq be a ( k × k ) -blockdiagonal matrix with blocks R , R , . . . , R k on the main diagonal. Note that W = ker( R ) , and furthermore, RM ∈ F km × krq is a ( k × k ) -block-lower-triangular matrix with blocks R ˆ M , R ˆ M , . . . , R k ˆ M on the maindiagonal.So we have dim( V ∩ W ) = dim( V ∩ ker( R ))= dim(ker( RM )) ≤ k X i =1 dim(ker( R i ˆ M ))= k X i =1 dim( ˆ V ∩ ker( R i )) = k X i =1 dim( ˆ V ∩ H i ) ≤ s, where the last inequality follows since H , . . . , H k is an ( r, s ) -subspace design.Our last ingredient is Lemma 2.7, restated below, which gives a composition lemma for BTT evasivesubspaces.
Lemma 2.7.
Suppose that W is an “inner” ( k, m, r, s ) - BTT evasive subspace over F q , and W ′ is an “outer” ( k ′ , km, s, s ′ ) -periodic evasive subspace over F q . Then W ◦ W ′ = W k ′ ∩ W ′ is a ( k ′ k, m, r, s ′ ) - BTT evasivesubspace over F q .Proof. Let V be a ( k ′ k, m, r )- BTT subspace. Our goal is to show that dim( V ∩ ( W k ′ ∩ W ′ )) ≤ s ′ . Since W ′ is a ( k ′ , km, s, s ′ ) -periodic evasive subspace, it suffices to show that V ′ := V ∩ W k ′ is contained in a ( k ′ , km, s ) -periodic subspace U , and consequently dim( V ∩ ( W k ′ ∩ W ′ )) = dim(( V ∩ W k ′ ) ∩ W ′ ) ≤ dim( U ∩ W ′ ) ≤ s ′ . Since V is a ( k ′ k, m, r )- BTT subspace, there exists a ( k ′ k, m, r )- BTT matrix M whose image equals V . As a k ′ × k ′ block matrix, M has k ′ copies of a ( km ) × ( kr ) block ˆ M on its main diagonal. Nextobserve that ˆ M itself is a ( k, m, r ) - BTT matrix, and so if we let ˆ V := Image( ˆ M ) , then ˆ V is a ( k, m, r ) - BTT subspace. Recalling our assumption that W is a ( k, m, r, s ) - BTT evasive subspace, this implies inturn that dim( ˆ V ∩ W ) ≤ s . Let H ⊆ F kmq be a subspace of dimension s containing ˆ V ∩ W , and let { b (1) , . . . , b ( s ) } ⊆ F kmq be a basis for H .Next, we introduce a bit of notation. We write a vector x ∈ F k ′ kmq as x = ( x , x , . . . , x k ′ ) where x i ∈ F kmq , and for i = 1 , . . . , k ′ , we let π i ( x ) = x i . For a subspace X ⊆ F k ′ kmq , and i = 0 , , . . . , k ′ , we let X i = { ( x , x , . . . , x k ′ ) ∈ X | x = x = · · · = x i = 0 } . In particular, we have X = X and X k = { } . 13 laim 3.2. For all i = 1 , . . . , k ′ , there exist vectors b ( i, , . . . , b ( i,s ) ∈ F k ′ kmq satisfying the followingconditions:1. For all j = 1 , . . . , s , it holds that ( b ( i,j ) ) = · · · = ( b ( i,j ) ) i − = 0 and ( b ( i,j ) ) i = b ( j ) .2. ( V ∩ W k ′ ) i − ⊆ ( V ∩ W k ′ ) i + span { b ( i, , . . . , b ( i,s ) } .Proof. Fix i ∈ [ k ′ ] , and let H ′ = π i (( V ∩ W k ′ ) i − ) . Note that H ′ ⊆ π i ( V i − ) ∩ π i (( W k ′ ) i − ) = ˆ V ∩ W ⊆ H. Let t = dim H ′ . Fix a basis { v (1) , . . . , v ( t ) } for H ′ and extend it to a basis { v (1) , . . . , v ( s ) } for H . For j = 1 , . . . , t , choose u ( j ) ∈ ( V ∩ W k ′ ) i − such that ( u ( j ) ) i = v ( j ) , which is possible since v ( j ) ∈ H ′ = π i (( V ∩ W k ′ ) i − ) . For j = t + 1 , . . . , s , choose u ( j ) ∈ F k ′ kmq with ( u ( j ) ) = · · · = ( u ( j ) ) i − = 0 such that ( u ( j ) ) i = v ( j ) . Then we have ( V ∩ W k ′ ) i − = ( V ∩ W k ′ ) i + span { u (1) , . . . , u ( t ) } ⊆ ( V ∩ W k ′ ) i + span { u (1) , . . . , u ( s ) } . (1)As { b (1) , . . . , b ( s ) } and { v (1) , . . . , v ( s ) } are both bases of H , there exists a unique invertible s × s matrix A = ( a j,ℓ ) j,ℓ ∈ [ s ] over F q such that b ( j ) = P sℓ =1 a j,ℓ v ( ℓ ) for j ∈ [ s ] . For j ∈ [ s ] , let b ( i,j ) = P sℓ =1 a j,ℓ u ( ℓ ) ,and note that ( b ( i,j ) ) = · · · = ( b ( i,j ) ) i − = 0 and ( b ( i,j ) ) i = s X ℓ =1 a j,ℓ ( u ( ℓ ) ) i = s X ℓ =1 a j,ℓ v ( ℓ ) = b ( j ) . So the first condition of the claim is satisfied. As A is invertible, we have span { b ( i, , . . . , b ( i,s ) } =span { u (1) , . . . , u ( s ) } . Combining this with (1) proves the second condition.Now recall that our goal is to exhibit a ( k ′ , km, s ) -periodic matrix ˜ M so that V ∩ W k ′ ⊆ Image( ˜ M ) . Weconstruct ˜ M as follows. For i = 1 , . . . , k ′ , let M i be a ( k ′ km ) × s matrix whose columns are b ( i, , . . . , b ( i,s ) .Let ˜ M = (cid:0) M M · · · M k ′ (cid:1) . By the first condition of Claim 3.2, we have that ˜ M is a ( k ′ , km, s ) -periodic matrix. By the second conditionof Claim 3.2, we further have that ( V ∩ W k ′ ) i − ⊆ ( V ∩ W k ′ ) i + Image( M i ) for all i = 1 , . . . k ′ , and so V ∩ W k ′ = ( V ∩ W k ′ ) ⊆ Image( ˜ M ) , as claimed. This completes the proof of the lemma.Next, we prove Theorem 2.5 based on the ingredients above. Proof of Theorem 2.5.
Our goal is to construct a ( k, m, r, s ) - BTT evasive subspace W of co-dimension atmost ǫkm for s = poly( r/ǫ ) . We shall construct W by applying two composition steps. In the first step, weshall compose an inner BTT evasive subspace W , given by Lemma 2.4, which can be found via brute-forcesearch, with an outer explicit periodic evasive subspace W , given by Corollary 3.1, to obtain a BTT evasivesubspace W ◦ W . In the second step, we shall compose the resulting BTT evasive subspace W ◦ W withyet another outer explicit periodic evasive subspace W , given by Corollary 3.1, to obtain our final BTT evasive subspace W := ( W ◦ W ) ◦ W . One technical issue is that the desired number of blocks k maynot be a multiple of the number of blocks of the inner subspace. This is solved by first constructing a BTT evasive subspace W ′ in a slightly larger ambient space F k ′ mq ⊇ F kmq and then letting W = W ′ ∩ F kmq (where F kmq is identified with a subspace of F k ′ mq via the map ( x , . . . , x km ) (0 , . . . , , x , . . . , x km ) ).In the following, assume c > is a large enough constant. Let ǫ ′ = ǫ/ . By assumption, we have r < ǫm/
24 = ǫ ′ m/ and q ≥ m c . 14 TT evasive subspace W : Let W be a ( k , m, r, s ) - BTT evasive subspace of co-dimension at most ǫ ′ k m for k = c m · ⌈ log log k log q ⌉ and s = r ǫ ′ ≥ rǫ ′ . Note that such a subspace exists by Lemma 2.4.We further claim that a basis for W can be found in time poly( q, k, m ) . To see this, first note that if m log q ≤ ( c log log k + c ) c +1 , then by Remark 1, a basis for W can be found in time q O (( k · m ) ) = 2 O ( k m log q ) ≤ exp(poly(log log k )) ≤ poly( k ) . (2)On the other hand, if m log q > ( c log log k + c ) c +1 , then either m > c log log k + c or q > log q > ( c log log k + c ) c . In either case, we have q ≥ ( c log log k + c ) c since q ≥ m c . This implies q ≥ q / m (3 / c > (cid:18) c m · (cid:24) log log k log q (cid:25)(cid:19) c/ = k c/ . Therefore, q m ≥ max { k cm/ , m m } ≥ max ( k c · r/ǫ ′ , (cid:18) rǫ ′ (cid:19) r/ǫ ′ ) (3)where we use the facts r < ǫ ′ m/ and q ≥ m c ≥ m . Consequently, by Corollary 3.1, there existsa ( k , m, r, r ǫ ′ ) -periodic evasive subspace W of co-dimension at most ǫ ′ k m , which is in particulara BTT evasive subspace with the same parameters. Moreover, a basis for W can be found in time poly( q, k , m ) = poly( q, k, m ) . Periodic evasive subspace W : Let W be a ( k , k m, s , s ) -periodic evasive subspace of co-dimensionat most ǫ ′ k k m for k = ⌈ log k ⌉ and s = s ǫ ′ = r ( ǫ ′ ) . Note that such a subspace exists by Corollary 3.1 as s = 2 r ǫ ′ < c ǫ ′ m ≤ ǫ ′ k m ,q k m ≥ ⌈ log k ⌉ c m > ⌈ log k ⌉ c ( r/ǫ ′ ) = k c · s /ǫ ′ , (4)and q k m ≥ (cid:18) m (cid:19) m / > (cid:18) r ( ǫ ′ ) (cid:19) r / ( ǫ ′ ) = (cid:18) s ǫ ′ (cid:19) s /ǫ ′ where the inequalities hold by the choice of k = c m · ⌈ log log k log q ⌉ and the assumptions r < ǫ ′ m and q ≥ m c .Moreover, a basis for W can be found in time poly( q, k , k m ) = poly( q, k, m ) . BTT evasive subspace W ◦ W : By Lemma 2.7, we have that W ◦ W = W k ∩ W is a ( k k , m, r, s ) - BTT evasive subspace for s = r ( ǫ ′ ) . Note furthermore that W ◦ W has co-dimension at most ǫ ′ k k m ,and a basis for W ◦ W can be found in time poly( q, k, m ) . Periodic evasive subspace W : Let W be a ( k , k k m, s , s ) -periodic evasive subspace of co-dimensionat most ǫ ′ k k k m for k = ⌈ kk k ⌉ and s = s ǫ ′ = r ( ǫ ′ ) . Note that such a subspace exists by Corollary 3.1as s = 8 r ( ǫ ′ ) < c ǫ ′ m ≤ ǫ ′ k k m , k k m ≥ k c m > k c ( r/ǫ ′ ) ≥ k c · s /ǫ ′ , and q k k m ≥ (cid:18) m (cid:19) m / > (cid:18) r ( ǫ ′ ) (cid:19) r / ( ǫ ′ ) = (cid:18) s ǫ ′ (cid:19) s /ǫ ′ where the inequalities hold once more by the choice of k = c m · ⌈ log log k log q ⌉ and k = ⌈ log k ⌉ together withthe assumptions r < ǫ ′ m/ and q ≥ m c . Moreover, a basis for W can be found in time poly( q, k , k k m ) =poly( q, k, m ) . BTT evasive subspace W ′ = ( W ◦ W ) ◦ W : By Lemma 2.7, we have that W ′ := ( W ◦ W ) ◦ W is a ( k k k , m, r, s ) - BTT evasive subspace for s = r ǫ = poly( r/ǫ ) . Note furthermore that W ′ hasco-dimension at most ǫ ′ k k k m , and a basis for W ′ can be found in time poly( q, k, m ) . BTT evasive subspace W : If k is a multiple of k k , then k k k = k and we may choose W = W ′ asthe desired BTT evasive subspace. Next, we explain how to extend it to arbitrary k .1. First assume k ≥ k k so that k ′ := k k k = k k ⌈ kk k ⌉ satisfies k ′ ≤ k . Then W ′ ⊆ F k ′ mq isa ( k ′ , m, r, s ) - BTT evasive subspace of co-dimension at most ǫ ′ k ′ m ≤ ǫ ′ km = ǫkm . Identify F kmq with a subspace of F k ′ mq via the map ( x , . . . , x km ) (0 , . . . , , x , . . . , x km ) . We let W := W ′ ∩ F kmq , whose co-dimension in F kmq is at most ǫkm since the co-dimension of W ′ in F k ′ mq is atmost ǫkm .Consider any ( k, m, r ) - BTT subspace V ⊆ F kmq . Note that there exists a ( k ′ , m, r ) - BTT subspace V ′ ⊆ F k ′ mq such that V = V ′ ∩ F kmq . As W ′ is a ( k ′ , m, r, s ) - BTT evasive subspace, we have dim( V ′ ∩ W ′ ) ≤ s , which implies dim( V ∩ W ) ≤ s . So W ⊆ F kmq is a ( k, m, r, s ) - BTT evasivesubspace of co-dimension at most ǫkm for s = s = poly( r/ǫ ) .2. Now assume k ≤ k < k k . Let k ′ := ⌈ kk ⌉ ≤ k so that k ′ k ≤ k . By replacing k with k ′ in the construction of W , we may construct a ( k ′ , k m, s , s ) -periodic evasive subspace W ′ ofco-dimension at most ǫ ′ k ′ k m . This is because replacing k by k ′ ≤ k preserves (4). Composing W ′ with W gives a ( k k ′ , m, r, s ) - BTT evasive subspace W ◦ W ′ ⊆ F k k ′ mq of co-dimension at most ǫ ′ k ′ k m ≤ ǫ ′ km ≤ ǫkm . Similarly to the previous case, restricting to the subspace F kmq yields thedesired ( k, m, r, s ) - BTT evasive subspace W of co-dimension at most ǫkm for s = s = poly( r/ǫ ) .3. Finally, assume k < k . By replacing k with k in the construction of W , we may construct the desired ( k, m, r, s ) - BTT evasive subspace W of co-dimension at most ǫ ′ km ≤ ǫkm for s = s = poly( r/ǫ ) .This is because replacing k by k < k preserves (2) and (3). We first show, as a warm-up, that RS codes with evaluation points over a subfield are list decodable up tocapacity with the output list contained in an affine shift of a BTT subspace. Later, in Section 6, we shallshow how the analysis can be extended to AG codes over constant-size alphabets, thus proving Theorem 2.3.We start with the formal definition of RS codes with subfield evaluation points.16 efinition 4.1 ( RS codes with subfield evaluation points) . Let n, k, m ∈ N + be such that k ≤ n , and let q ≥ n be a prime power. The Reed–Solomon code RS q,m ( n, k ) over F q m with evaluation points in F q mapsa polynomial f ∈ F q m [ X ] of degree at most k − (viewed as a length k vector of coefficients over F q m ) tothe codeword C f := ( f ( α ) , f ( α ) , . . . , f ( α n )) ∈ ( F q m ) n , where α , α , . . . , α n are n distinct elements in F q . Note that RS q,m ( n, k ) is a linear code over the alphabet F q m with codeword length n , rate k/n , andminimum distance n − k + 1 . In this section, we show that this code is also list decodable up to its minimumdistance with the output list being contained in an affine shift of a BTT subspace.
Theorem 4.2.
Let ǫ > , let n, k, m ∈ N + be such that k ≤ n and m ≥ /ǫ , and let q ≥ n be a primepower. Then RS q,m ( n, k ) can be list decoded from up to (1 − ǫ )( n − k ) errors, pinning down the candidatemessages (viewed as length km vectors of coefficients over F q ) to an affine shift of a ( k, m, ǫm ) - BTT subspace V over F q . Moreover, a basis for V and the affine shift can be found in time poly(log q, m, n ) . The above theorem is a consequence of the following lemma.
Lemma 4.3.
Let n, k, m ∈ N + be such that k ≤ n , and let q ≥ n be a prime power. Let s ∈ [ m ] and t, d ∈ N + be parameters, satisfying that ( s + 1)( d + 1) + k − > n (5) and t > d + k − . (6) Then RS q,m ( n, k ) can be list decoded from agreement at least t , pinning down the candidate messages(viewed as length km vectors of coefficients over F q ) to an affine shift of a ( k, m, s − - BTT subspace V over F q . Moreover, a basis for V and the affine shift can be found in time poly(log q, m, n ) . Before we prove the above lemma, we show how it implies Theorem 4.2.
Proof of Theorem 4.2.
Let s = ǫ + 1 , let d = n − k +2 s +1 − so that (5) is satisfied, and let t = d + k so that(6) is satisfied. Then with this setting of parameters, RS q,m ( n, k ) can be list decoded from agreement t , orequivalently, from up to n − t = n − d − k = n − k + 1 − n − k + 2 s + 1 ≥ n − k − n − ks − − ǫ )( n − k ) . errors. Moreover, by choice of m ≥ /ǫ , we have that V is a ( k, m, s − - BTT subspace for s − ǫ ≤ ǫm .The rest of this section is devoted to the proof of Lemma 4.3. To prove this lemma, we follow thelinear-algebraic approach of [GX13]. Suppose that y = ( y , y , . . . , y n ) ∈ ( F q m ) n is a received word. Ourgoal is to show that all polynomials f ∈ F q m [ X ] BTT matrix is a BTT subspace, which implies that the solution set is contained in an affine shift of a BTT subspace. Wefurther show that the polynomial Q , a basis for the BTT subspace V , and the affine shift could be foundefficiently. 17 .1 The polynomial Q In what follows, let σ ∈ Gal( F q m / F q ) be the Frobenius automorphism a a q of F q m over F q . It extendsto an automorphism of F q m [ X ] over F q by acting on the coefficients, which we also denote by σ by a slightabuse of notation. For f ∈ F q m [ X ] , denote by f σ the element σ ( f ) .Suppose that y = ( y , y , . . . , y n ) ∈ ( F q m ) n is a received word. We let Q be a nonzero multivariatepolynomial in ( F q m [ X ])[ Y , Y , . . . , Y s ] of the form Q = A + A Y + A Y + · · · + A s Y s , where A , A , . . . , A s ∈ F q m [ X ] , deg( A ) ≤ d + k − , and deg( A i ) ≤ d for i = 1 , , . . . , s . We alsorequire the polynomials A i to satisfy the constraint A ( α i ) + A ( α i ) y i + A ( α i ) y σi + · · · + A s ( α i ) y σ s − i = 0 (7)for all i = 1 , . . . , n , where α , . . . , α n are the evaluation points.We first claim that such a nonzero polynomial Q exists and can be computed efficiently. To see this, thinkof the coefficients of the polynomials A i as unknowns. This gives d + k + s ( d + 1) = ( s + 1)( d + 1) + k − unknowns in total, while (7) gives n homogeneous linear constraints over F q m . By (5), the number ofunknowns is greater than the number of linear constraints which guarantees the existence of a nonzerosolution Q . Moreover, we can find Q in time poly(log q, m, n ) by solving the system of linear equationsrepresented by (7).Next, we show that Q gives a functional equation that any f that has sufficiently large agreement withthe received word y needs to satisfy. Claim 4.4. Let f ∈ F q m [ X ] Define Q ∗ = A + A f + A f σ + · · · + A s f σ s − ∈ F q m [ X ] . We want to prove that Q ∗ = 0 . As deg( f ) ≤ k − , deg( A ) ≤ d + k − , and deg( A i ) ≤ d for i = 1 , , . . . , s , we know that deg( Q ∗ ) ≤ d + k − .Suppose that y agrees with C f in the i -th symbol for some i ∈ [ n ] , i.e., y i = f ( α i ) . By (7), we have A ( α i ) + A ( α i ) y i + A ( α i ) y σi + · · · + A s ( α i ) y σ s − i = A ( α i ) + A ( α i ) f ( α i ) + A ( α i )( f ( α i )) σ + · · · + A s ( α i )( f ( α i )) σ s − = A ( α i ) + A ( α i ) f ( α i ) + A ( α i ) f σ ( α i ) + · · · + A s ( α i ) f σ s − ( α i )= ( A + A f + A f σ + · · · + A s f σ s − )( α i )= Q ∗ ( α i ) . The third equality uses the fact that ( f ( α i )) σ = f σ ( α σi ) = f σ ( α i ) , which holds since α i ∈ F q is fixed by σ .As y and C f agree in at least t symbols, the above argument shows that Q ∗ has at least t zeros. On theother hand, the degree of Q ∗ is at most d + k − , which is less than t by (6). This implies Q ∗ = 0 .18 .2 The BTT subspace V Next, we show that the functional equation (8), given by Claim 4.4 above, implies that the list of candidatemessages is contained in an affine shift of the kernel of a BTT subspace. We start by expanding the functionalequation (8) in terms of the coefficients of the polynomial f and A , A , . . . , A s .As f ∈ F q m [ X ] Let S be the set of all vectors f = ( f , f , . . . , f k − ) ∈ ( F q m ) k satisfying that i X j =0 s X ℓ =1 a ℓ,i − j f σ ℓ − j = 0 , i = 0 , , . . . , k − , (10) where a ℓ,i − j ∈ F q m , and a ℓ, = 0 for some ℓ ∈ [ s ] . Let ¯ S := { ¯ f | f ∈ S } ⊆ F mkq . Then ¯ S ⊆ ker( M ) fora ( k, r, m ) - BTT matrix M over F q with m − s + 1 ≤ r ≤ m . Moreover, M can be constructed in time poly(log q, m, n ) . roof. First note that both the multiplication map m b : F q m → F q m , given by a b · a for a, b ∈ F q m ,and the Frobenius automorphism σ : F q m → F q m , given by a a q for a ∈ F q m , are F q -linear operationsover F q m . Consequently, for all i = 0 , , . . . , k − , there exists an m × m matrix M i over F q so that P sℓ =1 a ℓ,i · b σ ℓ − = M i · ¯ b for every b ∈ F q m . In this notation, we can rewrite (10) as M · ¯ f = 0 , where M = M · · · M M · · · M M M · · · ... ... ... . . . ... M k − M k − M k − · · · M . Then we have that M is a block lower-triangular Toeplitz matrix with blocks of size m × m . To obtain a BTT matrix, we need to further ensure that all matrices M have full rank. For this, we let r := rank( M ) ,and choose a subset B of r linearly independent rows of M . Then in the matrix M , we only keep therows whose projection on the block M belongs to B . This clearly gives a ( k, r, m ) - BTT matrix M so that ¯ S ⊆ ker( M ) . Moreover, M can clearly be constructed in time poly(log q, m, n ) . To conclude the proof ofthe claim, it remains to show that r = rank( M ) ≥ m − s + 1 .To see that rank( M ) ≥ m − s + 1 , we show that dim(ker( M )) ≤ s − . Recall that M representsthe F q -linear map b P sℓ =1 a ℓ, · b σ ℓ − for b ∈ F q m . Recalling our assumption that a ℓ, = 0 for some ℓ ∈ [ s ] , we know that B ( x ) := P sℓ =1 a ℓ, · x σ ℓ − is a nonzero polynomial of degree at most q s − over F q m ,and consequently, it has at most q s − zeros in F q m . Since the map B ( x ) is F q -linear, we conclude that thekernel is an F q -linear subspace of dimension at most s − , and so dim(ker( M )) ≤ s − .By (9) and Claim 4.5 above, we have that all polynomials f = ( f , f , . . . , f k − ) that agree with y on atleast t points are contained in an affine shift of the kernel of a ( k, r, m ) - BTT matrix over F q for r ≥ m − s +1 .In the next section, we prove that the kernel of a ( k, r, m ) - BTT matrix is a ( k, m, m − r ) - BTT subspace.Finally, noting that in our setting m − r ≤ s − , and that a basis for the kernel of M , as well as the desiredaffine shift (which is any valid solution to (9)), can be found in time poly(log q, m, n ) , concludes the proofof Lemma 4.3. In this section, we prove the following lemma. Lemma 4.6. Suppose that M is a ( k, r, m ) - BTT matrix over F q , where r ≤ m . Then ker( M ) is a ( k, m, m − r ) - BTT subspace over F q . To prove the above lemma, let V := ker( M ) , where M = M · · · M M · · · M M M · · · ... ... ... . . . ... M k M k − M k − · · · M is a ( k, r, m ) - BTT matrix. Our goal is to show that V is a ( k, m, m − r ) - BTT subspace, and for this weneed to exhibit a ( k, m, m − r ) - BTT matrix ˜ M so that V = Image( ˜ M ) .20e start by introducing some notation. We write a vector v ∈ F kmq as v = ( v , v , . . . , v k ) where v i ∈ F mq . For i = 0 , , . . . , k , we let V i = { ( v , v , . . . , v k ) ∈ V | v = v = · · · = v i = 0 } . In particular, we have V = V and V k = { } . Finally, define σ : F kmq → F kmq by σ ( v , v , . . . , v k ) = (0 , v , v , . . . , v k − ) . Claim 4.7. For all i = 1 , . . . , k , σ ( V i − ) ⊆ V i ⊆ V i − .Proof. The right-hand containment clearly holds by the definition of V i . To see that the left-hand containmentholds, let v = ( v , . . . , v k ) ∈ V i − , and let u = σ ( v ) = (0 , v , . . . , v k − ) . Our goal is to show that u ∈ V i .First note that since v ∈ V i − , we have that v = · · · = v i − = 0 , and so u = ( u , . . . , u k ) satisfies that u = · · · = u i = 0 . Thus to show that u ∈ V i , it remains to show that u ∈ V , or equivalently that M · u = 0 .To this end, note that by the structure of M , M · u = M · · · M M · · · M M M · · · ... ... ... . . . ... M k M k − M k − · · · M · v ... v k − = M · · · M M · · · ... ... . . . ... M k − M k − · · · M · v ... v k − = 0 , where the last equality follows since v ∈ V , and so M · v = M · · · M M · · · M M M · · · ... ... ... . . . ... M k M k − M k − · · · M · v ... v k = 0 . We also note the following claim which follows by counting the number of linearly-independent con-straints defining V i . Claim 4.8. For all i = 0 , , . . . , k , dim( V i ) = ( k − i )( m − r ) . In particular, dim( V i − ) = dim( V i )+( m − r ) for all i = 1 , . . . , k . The above two claims imply the following. Claim 4.9. The following holds for all i = 1 , . . . , k − . Suppose that b (1) , . . . , b ( m − r ) are m − r linearlyindependent vectors in F kmq so that V i − = V i + span { b (1) , . . . , b ( m − r ) } . (11) Then V i = V i +1 + span n σ ( b (1) ) , . . . , σ ( b ( m − r ) ) o . (12)21 roof. First note that by our assumption (11), we have that b (1) , . . . , b ( m − r ) are contained in V i − . By Claim4.7, this implies in turn that σ ( b (1) ) , . . . , σ ( b ( m − r ) ) ∈ V i and V i +1 ⊆ V i , and consequently we have that theright-hand side of (12) is contained in the left-hand side.To see the containment in the other direction, recall that by Claim 4.8, dim( V i ) − dim( V i +1 ) = m − r , andso it suffices to show that there is no non-trivial linear combination of σ ( b (1) ) , . . . , σ ( b ( m − r ) ) that belongsto V i +1 . Suppose in contradiction that there exists a non-trivial linear combination a := α · σ ( b (1) ) + · · · + α m − r · σ ( b ( m − r ) ) ∈ V i +1 . By the definition of V i +1 , this implies in turn that a i +1 = 0 . But in this case, thenon-trivial linear combination a ′ := α · b (1) + · · · + α m − r · b ( m − r ) satisfies that a ′ i = 0 . Consequently, wehave that a ′ ∈ V i , contradicting our assumption (11).Now we prove Lemma 4.6 using the above claim. Proof of Lemma 4.6. Recall that our goal is to exhibit a ( k, m, m − r ) - BTT matrix ˜ M so that V =Image( ˜ M ) . We construct ˜ M as follows. Since dim( V ) = dim( V ) + ( m − r ) , there exist m − r linearlyindependent vectors b (1) , . . . , b ( m − r ) ∈ F kmq so that V = V + span { b (1) , . . . , b ( m − r ) } . For i = 1 , . . . , k ,let M i be a ( km ) × ( m − r ) matrix whose columns are σ ( i − ( b (1) ) , . . . , σ ( i − ( b ( m − r ) ) . Let ˜ M = (cid:0) M M · · · M k (cid:1) . Then we clearly have that ˜ M is a ( k, m, m − r ) - BTT matrix. Moreover, by Claim 4.9 we further have that V i − = V i + Image( M i ) for all i = 1 , . . . k , and so V = V = Image( ˜ M ) . This concludes the proof ofLemma 4.6. We first give preliminaries and notations about function fields and algebraic-geometric codes. The readermay refer to, e.g., [Sti09] for detailed background. Function fields. Let F q be a finite field. An extension field F of F q is called a function field in onevariable or simply a function field over F q if F is a finite extension of F q ( x ) for some element x ∈ F that istranscendental over F q . The field of constants of F is the algebraic closure of F q in F .In the rest of this section, let F be a function field over F q such that its field of constants is F q , i.e, thealgebraic closure of F q in F is F q itself. Discrete valuations and places. A (normalized) discrete valuation of F is a map v : F → Z ∪ { + ∞} with the following properties: • v ( a ) = + ∞ iff a = 0 . • v ( ab ) = v ( a ) + v ( b ) for a, b ∈ F . • v ( a + b ) ≥ min { v ( a ) , v ( b ) } for a, b ∈ F . • v ( F × ) = Z . 22or a discrete valuation v of F , we associate a pair P = ( O v , m v ) where O v is the ring { a ∈ F : v ( a ) ≥ } and m v is the ideal { a ∈ O v : v ( a ) > } of O v . Call P a place of F . Denote by P ( F ) the set of allplaces of F , i.e., P ( F ) := { ( O v , m v ) : v is a discrete valuation of F } . We may recover the discrete valuation v from a place P = ( O , m ) as follows. Let v (0) = + ∞ . For = a ∈ O , v ( a ) is the largest k ∈ N such that a ∈ m k , where we let m = O . For a ∈ F × \ O , let v ( a ) = − v ( a − ) . This gives a one-to-one correspondence between the set P ( F ) of all places of F and theset of all discrete valuations of F . For a place P ∈ P ( F ) , denote by v P the discrete valuation correspondingto P .Intuitively, v P ( f ) indicates the order of zeros or poles of a function f ∈ F at the place P : If v P ( f ) ≥ ,then v P ( f ) is the order of zeros of f ∈ F at P . Otherwise − v P ( f ) is the order of poles of f at P .It can be shown that for a place P = ( O , m ) of F , the quotient ring κ P := O / m is a finite field extensionof F q , called the residue class field or residue field of P . If [ κ P : F q ] = 1 , we say the place P is F q -rational or simply rational . In this case, we identify F q with κ P via the field isomorphism F q → κ P sending a ∈ F q to a + m .For f ∈ O and a rational place P of F , define f ( P ) := f + m ∈ κ P which we view as an element of F q by identifying F q with κ P as above. Local power series and Laurent series expansion. Let P = ( O , m ) be a rational place of F . An element u ∈ O is called a uniformizing parameter or uniformizer of P if v P ( u ) = 1 , or equivalently, u generates theideal m .Fix u ∈ O to be a uniformizer of P . We may write any f ∈ O as a power series in u over F q f = c + c u + c u + · · · where the coefficients c i ∈ F q may be found as follows: Let f = f . For i = 0 , , , . . . , let c i = f i ( P ) andlet f i +1 = ( f i − c i ) /u ∈ O .A Laurent series is a generalization of a power series, where we allow finitely many terms of negativedegree. Generalizing the above representation by power series, we may write any element of F as aLaurent series in u over F q . Namely, for f ∈ F × , let e = v P ( f ) and f ∗ = f /u e ∈ O . Suppose f ∗ = c + c u + c u + · · · . Then f = u e f ∗ = c u e + c u e +1 + c u e +2 + · · · . Thus, for a rational place P = ( O , m ) and a uniformizer u of P , we have a local expansion of everyelement of O or F as a power series or a Laurent series in u over F q , respectively. Divisors. A divisor of F is a formal sum P P n P P of finitely many places P ∈ P ( F ) , where n P ∈ Z .The set of all divisors of F forms an abelian group Div( F ) , called the divisor group of F .The degree of a divisor D = P P n P P is deg( D ) := P P n P [ κ P : F q ] . The support of D , denotedby Supp( D ) , is the set of places P for which n P = 0 . If n P ≥ for all P ∈ Supp( D ) , we write D ≥ It is common in the literature to define a place to be just the ideal m v associated with a discrete valuation v instead of ( O v , m v ) (see, e.g., [Sti09]). This is equivalent to our definition since O v is determined by m v via O v = { a ∈ F × : a − m v } ∪ { } . D an effective divisor . Note that D ≥ implies deg( D ) ≥ . Let Div ( F ) := { D ∈ Div( F ) :deg( D ) = 0 } , which is a subgroup of Div( F ) .Let f ∈ F × . It can be shown that v P ( f ) = 0 holds for all but finitely many places P ∈ P ( F ) . So div( f ) := P P ∈ P ( F ) v P ( f ) P is a well-defined divisor. Divisors of the form div( f ) are called principaldivisors of F . The degree of a principal divisor is always zero, i.e., div( f ) ∈ Div ( F ) for f ∈ F × . Riemann–Roch spaces. For a divisor D of F , the Riemann–Roch space associated with D is L ( D ) := { f ∈ F × : div( f ) + D ≥ } ∪ { } which is a finite-dimensional vector space over F q . Let ℓ ( D ) := dim F q L ( D ) .By definition, for D = P P n P P , the condition div( f ) + D ≥ is equivalent to v P ( f ) ≥ − n P for P ∈ P ( F ) . So L ( D ) is the space of functions in F whose prescribed zeros and allowed poles are specifiedby D : At a place P , if n P < , then any f ∈ L ( D ) must have a zero of order at least − n P at P . On theother hand, if n P ≥ , then f ∈ L ( D ) is allowed to have a pole of order at most n P at P .Note that if L ( D ) contains a nonzero element f , then div( f ) + D ≥ , which implies deg( D ) = deg(div( f )) + deg( D ) = deg(div( f ) + D ) ≥ . So for any divisor D with deg( D ) < , we have L ( D ) = { } and ℓ ( D ) = 0 . The Riemann–Roch theorem. The Riemann–Roch theorem states that ℓ ( D ) − ℓ ( K − D ) = deg( D ) − g + 1 holds for any divisor D of F , where K is a certain divisor of F called a canonical divisor , and g is anonnegative integer depending only on F called the genus of F .In fact, we only need the following corollary of the Riemann–Roch theorem. Theorem 5.1 (Riemann’s inequality) . ℓ ( D ) ≥ deg( D ) − g + 1 . Algebraic-geometric codes. Let D be a divisor of F and let S = { P , P , . . . , P n } be a set of n distinctrational places of F such that Supp( D ) ∩ S = ∅ . Define the algebraic-geometric ( AG ) code C ( S, D ) := { ( f ( P ) , f ( P ) , . . . , f ( P n )) : f ∈ L ( D ) } ⊆ F nq , (13)which is an F q -linear code of block length n .Let D S = P P ∈ S P ∈ Div( F ) . We have the following theorem. Theorem 5.2 ([Sti09, Theorem 2.2.2]) . The dimension of C ( S, D ) is ℓ ( D ) − ℓ ( D − D S ) , which equals ℓ ( D ) if deg( D ) < deg( D S ) = n . The minimum distance of C ( S, D ) is at least n − deg( D ) . Let F q m / F q be a finite field extension of degree m ∈ N + . Denote by F ( m ) the compositum F F q m of F and F q m . Then F ( m ) is a function field over F q m . Recall that we assume the field of constants of F is F q . Thisimplies that the field of constants of F ( m ) is F q m [Sti09, Proposition 3.6.1].24 laces and divisors of F ( m ) . Let P = ( O , m ) be a rational place of F and v P the corresponding discretevaluation of F . It can be shown that there exists a unique discrete valuation v ′ P of F ( m ) that extends v P .We denote the corresponding place of F ( m ) by P ( m ) = ( O ( m ) , m ( m ) ) , which is an F q m -rational place. As v ′ P extends v P , we have O ⊆ O ( m ) and m ⊆ m ( m ) . So f ( P ( m ) ) = f ( P ) for any f ∈ O ⊆ O ( m ) . And auniformizer u ∈ m of P is also a uniformizer of P ( m ) .Let D = P P n P P be a divisor of F such that every P ∈ Supp( D ) is rational. Then we define D ( m ) := X P ∈ Supp( D ) n P P ( m ) , which is a divisor of F ( m ) . The Riemann-Roch space L ( D ( m ) ) and its dimension ℓ ( D ( m ) ) are defined asbefore, except that the base field is changed to F q m . That is, L ( D ( m ) ) = { f ∈ ( F ( m ) ) × : div( f ) + D ( m ) ≥ } ∪ { } and ℓ ( D ( m ) ) = dim F qm L ( D ( m ) ) .The following lemma is a special case of [Sti09, Theorem 3.6.3 (d)]. Lemma 5.3. Let D be as above. If f , . . . , f k ∈ F form a basis of L ( D ) over F q , then they form a basis of L ( D ( m ) ) over F q m . In particular, ℓ ( D ( m ) ) = ℓ ( D ) .Remark . We only need the definition of D ( m ) for the special case that every P ∈ Supp( D ) is rational, butit can also be defined for a general divisor D . See [Sti09, Definition 3.1.8] for the general definition, whereit is called the conorm of D and denoted by Con F ( m ) /F ( D ) .We also note that P ( m ) and D ( m ) above are simply denoted by P and D respectively in [GX13] by aslight abuse of notation. The Frobenius automorphism. Let σ be the Frobenius automorphism a a q of F q m over F q . As F q is the field of constants of F , we have F ∩ F q m = F q . This implies that Gal( F ( m ) /F ) is isomorphicto Gal( F q m / F q ) via the restriction map τ τ | F qm (see [Lan02, Theorem 1.12]). So σ ∈ Gal( F q m / F q ) uniquely extends to an automorphism of F ( m ) that fixes F , which we also call σ by an abuse of notation.As σ is an automorphism of F ( m ) , it permutes the places of F ( m ) . Let P be any rational place of F . As σ fixes F , it also fixes P . So σ also fixes P ( m ) . We need the following tower of function fields introduced by Garcia and Stichtenoth in [GS96]. Definition 5.4 (Garcia–Stichtenoth tower [GS96]) . Let r > be a prime power and q = r . For i = 1 , , . . . ,let K i = F q ( x , x , . . . , x i ) , where x is transcendental over F q and x i satisfies the following recursiveequation for i > . x ri + x i = x ri − x r − i − + 1 . The Garcia–Stichtenoth tower over F q is the infinite tower of function fields K ⊆ K ⊆ · · · . For each e ∈ N + , we have [ K e : K ] = r e − and the field of constants of K e is F q .25 ational places. Let e ∈ N + . The field K e has at least r e ( r − 1) + 1 rational places. One of themis the place P ∞ “at the infinity,” which is totally ramified over K and is the unique pole of x , i.e., v P ∞ ( x ) = − [ K e : K ] = − r e − . More generally, we have v P ∞ ( x i ) = − r e − i for i ∈ [ e ] . In particular, v P ∞ ( x e ) = − and hence x − e is a uniformizer of P ∞ .In addition, define S e to be the set of all tuples α = ( α , α , . . . , α e ) ∈ F eq such that α r + α = 0 and α ri + α i = α ri − α r − i − +1 for i = 2 , , . . . , e . For each α ∈ S e , there exists a corresponding rational place P α of K e . It is the unique rational place P satisfying v P ( x i ) ≥ and x i ( P ) = α i for i = 1 , , . . . , e .There are precisely r e ( r − elements in S e , corresponding to r e ( r − rational places P α of K e . Genus. For e ∈ N + , the genus g ( K e ) of K e is given by g ( K e ) = ( ( r e/ − e is even, ( r ( e − / − r ( e +1) / − e is odd.In particular, we have g ( K e ) ≤ r e . Explicitness. To construct AG codes using the Garcia–Stichtenoth tower, we need to construct bases forRiemann–Roch spaces of K e . An efficient algorithm of computing such bases was given in [SAK + 01] forone-point divisors kP ∞ . Theorem 5.5 ([SAK + . For k ∈ N and e ∈ N + , a basis B of the Riemann–Roch space L ( kP ∞ ) of K e over F q = F r can be found in time poly( k, r e ) . Moreover, given α ∈ S e and f ∈ L ( kP ∞ ) (represented inthe basis B ), the evaluation f ( P α ) can also be found in time poly( k, r e ) . In addition, it was shown in [GX12] that the Laurent series expansion of f ∈ L ( kP ∞ ) at the place P ∞ in the uniformizer x − e can be computed efficiently. Lemma 5.6 ([GX12]) . Given f ∈ L ( kP ∞ ) and N ∈ N + , the first N coefficients c , c , . . . , c N − ∈ F q ofthe Laurent series expansion f = c T − k + c T − k +1 + c T − k +2 + · · · at the place P ∞ in the uniformizer T = x − e can be found in time poly( k, r e , N ) . In this section, we present the proof of Theorem 2.3, which is restated below. Theorem 2.3 (Output list contained in a BTT subspace) . There exists an absolute constant c > so thatthe following holds for any R ∈ (0 , , ǫ > , q ≥ /ǫ c that is an even power of a prime, and m ≥ /ǫ .There is an infinite family of error-correcting codes { C n } n , where C n satisfies the following properties:1. C n : F kq m → F nq m is a linear code of rate at least R that can be encoded in time poly(log q, m, n ) .2. There exists an injective F q -linear map φ : F kq m → F ˆ kq m , where ˆ k ≤ n , so that C n can be list decodedfrom a (1 − R − ǫ ) -fraction of errors, pinning down the images of the candidate messages under φ (viewed as length ˆ km vectors over F q ) to an affine shift of a (ˆ k, m, ǫm ) - BTT subspace V over F q .Moreover, the map φ , a basis for V , and the affine shift can be computed in time poly(log q, m, n ) . 26t is based on AG codes with subfield evaluation points and closely follows [GX13]. Specifically, we usethe Garcia–Stichtenoth tower of function fields discussed in Subsection 5.2. We note that this frameworkis generic and can be adapted to work for other families of function fields as well. For more details, seeRemark 3 at the end of this section.Our construction is given below as Definition 6.1. It uses the constant field extension K ( m ) e of K e , where K e is the e th field in the Garcia–Stichtenoth tower over F q = F r . Recall that K e has a rational place P ∞ and r e ( r − rational places P α for α ∈ S e . And for each rational place P of K e , there is a corresponding F q m -rational place P ( m ) of K ( m ) e . Definition 6.1 ( AG codes with subfield evaluation points from the Garcia–Stichtenoth tower) . Let r > bea prime power and q = r . Let n, k, m, e ∈ N + be such that k ≤ n and n ≤ r e ( r − . Let α , . . . , α n ∈ S e ⊆ F eq be distinct and let P i = P ( m ) α i for i ∈ [ n ] . The code GS q,m,e ( n, k ) over F q m with evaluationpoints P , . . . , P n maps f ∈ L (( k − P ( m ) ∞ ) ⊆ K ( m ) e to the codeword C f := ( f ( P ) , f ( P ) , . . . , f ( P n )) ∈ ( F q m ) n . Explicitness. By Theorem 5.5, a basis B of L (( k − P ∞ ) over F q can be computed in time poly( k, r e ) =poly( r e ) . Suppose B = { β , β , . . . , β b } , where b = ℓ (( k − P ∞ ) . By Lemma 5.3, B is also a basis of L (( k − P ( m ) ∞ ) over F q m . So we may write f ∈ L (( k − P ( m ) ∞ ) uniquely as a linear combination of β i over F q m : f = b X i =1 c i β i , where c i ∈ F q m . (14)We represent f by the coefficients c , . . . , c b in the basis B . Note f ( P ( m ) ) = b X i =1 c i β i ! ( P ( m ) ) = b X i =1 c i β i ( P ) for any rational place P of K e . So by Theorem 5.5, the encoding map Enc : L (( k − P ( m ) ∞ ) → ( F q m ) n send-ing f to C f = ( f ( P ) , f ( P ) , . . . , f ( P n )) can be computed in time poly( k, r e , n, m log q ) = poly( r e , m ) . Rate and minimum distance. Denote by g the genus of K e . The following theorem bounds the rate andthe minimum distance of the code GS q,m,e ( n, k ) . Theorem 6.2. GS q,m,e ( n, k ) is a linear code over the alphabet F q m with block length n . Its rate is at least ( k − g ) /n and its minimum distance is at least n − k + 1 .Proof. Let S = { P , . . . , P n } and D = ( k − P ( m ) ∞ . Then GS q,m,e ( n, k ) is simply the linear code C ( S, D ) defined in (13) with the base field replaced by F q m . By Theorem 5.2, its dimension is ℓ (( k − P ( m ) ∞ ) and itsminimum distance is at least n − deg(( k − P ( m ) ∞ ) = n − k + 1 . By Lemma 5.3 and Riemann’s inequality(Theorem 5.1), we have ℓ (( k − P ( m ) ∞ ) = ℓ (( k − P ∞ ) ≥ k − g . So the rate of GS q,m,e ( n, k ) is at least ( k − g ) /n . 27 he embedding φ . To list-decode the code GS q,m,e ( n, k ) , we need an embedding (i.e., injective linearmap) φ : L (( k − P ( m ) ∞ ) → F kq m . It is defined to be the F q m -linear map that outputs the first k coefficients of the Laurent series expansion atthe place P ( m ) ∞ in the uniformizer T := x − e . That is, if the Laurent series expansion of f ∈ L (( k − P ( m ) ∞ ) at P ( m ) ∞ in T is f = f T − ( k − + f T − ( k − + f T − ( k − + · · · , with the coefficients f i ∈ F q m , then φ ( f ) = ( f , f , . . . , f k − ) .The kernel of φ is L ( − P ( m ) ∞ ) = { } . So φ is indeed an embedding. Representing a function f ∈ L (( k − P ( m ) ∞ ) in the form (14), we can compute φ ( f ) from f in time poly( r e , m ) by Lemma 5.6. List decoding. Next, we show that for properly chosen parameters, the code GS q,m,e ( n, k ) is list decodableup to the relative distance − R − ǫ and that the image of the output list under the embedding φ is containedin an affine shift of a low-dimensional BTT subspace. Theorem 6.3. Let ǫ > and R ∈ (0 , − ǫ ) . Let e ∈ N + be a growing parameter. Let r ≥ /ǫ + 1 be a prime power and q = r . Choose n, m, k ∈ N + such that m ≥ /ǫ , r e /ǫ ≤ n ≤ ( r − r e and k = ⌈ Rn + r e ⌉ ≤ n . Then GS q,m,e ( n, k ) has rate at least R . And it can be list decoded from up to a (1 − R − ǫ ) -fraction of errors with a list of candidate messages whose images under φ (viewed as length km vectors over F q ) are contained in an affine shift of a ( k, m, ǫm ) -BTT subspace V over F q . Moreover, abasis for V and the affine shift can be found in time poly( n, m ) given the received word. The above theorem is a consequence of the following lemma. Lemma 6.4. Let n, k, m, e, r, q ∈ N + and GS q,m,e ( n, k ) be as in Definition 6.1. Let s ∈ [ m ] and t, d ∈ N + be parameters, satisfying that ( s + 1)( d − g + 1) + k − > n (15) and t > d + k − (16) where g is the genus of K e . Then GS q,m,e ( n, k ) can be list decoded from agreement at least t with a list ofcandidate messages whose images under φ (viewed as length km vectors over F q ) are contained in an affineshift of a ( k, m, s − -BTT subspace V over F q . Moreover, a basis for V and the affine shift can be foundin time poly( r e , m ) . Before we prove the above lemma, we show how it implies Theorem 6.3. Proof of Theorem 6.3. We know g ≤ r e . So the rate of GS q,m,e ( n, k ) is at least ( k − g ) /n ≥ ( k − r e ) /n ≥ R by Theorem 6.2.Let ǫ ′ = ǫ/ . By assumption, we have r e /n ≤ ǫ ′ . Let s = ǫ ′ + 1 , let d = n − k +2 s +1 + g − so that (15)is satisfied, and let t = d + k so that (16) is satisfied. Then with this setting of parameters, we know from28emma 6.4 that GS q,m,e ( n, k ) can be list decoded from agreement t , or equivalently, from up to n − t = n − d − k = n − k + 1 − g − n − k + 2 s + 1 ≥ (cid:18) − s + 1 (cid:19) ( n − k + 1) − g − s + 1 ≥ (1 − ǫ ′ )( n − Rn − r e ) − r e − ǫ ′ ≥ (1 − R − ǫ ′ ) n = (1 − R − ǫ ) n errors. Moreover, as m ≥ /ǫ = 1 / ( ǫ · ǫ ′ ) , we have that V is a ( k, m, s − -BTT subspace for s − ǫ ′ ≤ ǫm . And a basis for V as well as the affine shift can be found in time poly( r e , m ) = poly( n, m ) by Lemma 6.4.Theorem 2.3 follows easily from Theorem 6.3. Proof of Theorem 2.3. Fix a prime power r = O (1 /ǫ ) such that r ≥ /ǫ + 1 . Let q = r and m = ⌈ /ǫ ⌉ .Choose the family of codes to be { GS q,m,e ( n, k ) : e ∈ N + , r e /ǫ ≤ n ≤ ( r − r e , k = ⌈ Rn + r e ⌉} . Then Theorem 2.3 follows from Theorem 6.3.So it remains to prove Lemma 6.4. We prove this lemma in the next two subsections. Q In what follows, let σ be the Frobenius automorphism a a q of F q m over F q . It uniquely extends to anautomorphism of K ( m ) e that fixes K e , which we also call σ by an abuse of notation. The automorphism σ fixes P ( m ) for any rational place P of K e . For f ∈ K ( m ) e , denote by f σ the element σ ( f ) .Suppose that y = ( y , y , . . . , y n ) ∈ ( F q m ) n is a received word. We let Q be a nonzero multivariatepolynomial in K ( m ) e [ Y , Y , . . . , Y s ] of the form Q = A + A Y + A Y + · · · + A s Y s where A , A , . . . , A s ∈ K ( m ) e , A ∈ L (( d + k − P ( m ) ∞ ) , and A i ∈ L ( dP ( m ) ∞ ) for i = 1 , , . . . , s . Wealso require the coefficients A i to satisfy the constraint A ( P i ) + A ( P i ) y i + A ( P i ) y σi + · · · + A s ( P i ) y σ s − i = 0 (17)for all i = 1 , . . . , n , where P , . . . , P n are the evaluation points.We first claim that such a nonzero polynomial Q exists and can be computed efficiently. To see this,write A as a vector over F q m with ℓ (( d + k − P ( m ) ∞ ) coordinates, and write A i as a vector over F q m with ℓ ( dP ( m ) ∞ ) coordinates for i = 1 , . . . , n . Think of the coordinates of these vectors as unknowns. This gives ℓ (( d + k − P ( m ) ∞ ) + s · ℓ ( dP ( m ) ∞ ) ≥ ( d + k − − g + 1 + s ( d − g + 1)= ( s + 1)( d − g + 1) + ( k − unknowns in total, where the first inequality above follows from Riemann’s inequality (Theorem 5.1). On theother hand, (17) gives n homogeneous linear constraints in these unknowns over F q m . By (15), the number29f unknowns is greater than the number of linear constraints which guarantees the existence of a nonzerosolution Q . Moreover, we can find Q in time poly( r e , m ) by constructing and then solving the system oflinear equations represented by (17). (Note d is polynomial in r e since d < t by (16) and the agreement t isbounded by n ≤ ( r − r e .)Next, we show that Q gives a functional equation that any f that has sufficiently large agreement withthe received word y needs to satisfy. Claim 6.5. Let f ∈ L (( k − P ( m ) ∞ ) . Suppose y agrees with the codeword C f = ( f ( P ) , f ( P ) , . . . , f ( P n )) in at least t coordinates. Then f satisfies the functional equation Q ( f, f σ , . . . , f σ s − ) = A + A f + A f σ + · · · + A s f σ s − = 0 . (18) Proof. Define Q ∗ = A + A f + A f σ + · · · + A s f σ s − ∈ K ( m ) e . We want to prove that Q ∗ = 0 . As f ∈ L (( k − P ( m ) ∞ ) , A ∈ L (( d + k − P ( m ) ∞ ) , A i ∈ L ( dP ( m ) ∞ ) for i = 1 , , . . . , s , and σ fixes P ( m ) ∞ , we know Q ∗ ∈ L (( d + k − P ( m ) ∞ ) .Suppose that y agrees with C f in the i -th symbol for some i ∈ [ n ] , i.e., y i = f ( P i ) . By (17), we have A ( P i ) + A ( P i ) y i + A ( P i ) y σi + · · · + A s ( P i ) y σ s − i = A ( P i ) + A ( P i ) f ( P i ) + A ( P i )( f ( P i )) σ + · · · + A s ( P i )( f ( P i )) σ s − = A ( P i ) + A ( P i ) f ( P i ) + A ( P i ) f σ ( P i ) + · · · + A s ( P i ) f σ s − ( P i )= ( A + A f + A f σ + · · · + A s f σ s − )( P i )= Q ∗ ( P i ) . The third equality uses the fact that ( f ( P i )) σ = f σ ( P i ) , which holds since P i = P ( m ) α i is fixed by σ .As y and C f agree in at least t symbols, the above argument shows that there exist i , . . . , i t ∈ [ n ] suchthat Q ∗ vanishes at P i , . . . , P i t . Let D = P tj =1 P i j . Then Q ∗ ∈ L (( d + k − P ( m ) ∞ − D ) . On the otherhand, the degree of the divisor ( d + k − P ( m ) ∞ − D is d + k − − t , which is less than zero by (16). So L (( d + k − P ( m ) ∞ − D ) = { } . This implies Q ∗ = 0 . V Next, we show that the functional equation (18), given by Claim 6.5 above, implies that the image of thelist of candidate messages under the embedding φ is contained in an affine shift of a low-dimensional BTTsubspace. We start by expanding the functional equation (18) in terms of the coefficients of the polynomials f and A , A , . . . , A s .Suppose that f ∈ L (( k − P ( m ) ∞ ) agrees with y in at least t coordinates. Consider the Laurent seriesexpansion of f at P ( m ) ∞ in the uniformizer T = x − e : f = ∞ X i =0 f i T − ( k − i where the coefficients f i are in F q m . As T ∈ K e is fixed by σ , we have f σ j = P ∞ i =0 f σ j i T − ( k − i for anyinteger j . By definition, φ ( f ) = ( f , f , . . . , f k − ) . 30imilarly, expand A ∈ L (( d + k − P ( m ) ∞ ) and A , . . . , A s ∈ L ( dP ( m ) ∞ ) as Laurent series at P ( m ) ∞ inthe uniformizer T : A = ∞ X i =0 a ,i T − ( d + k − i and A ℓ = ∞ X i =0 a ℓ,i T − d + i , ℓ = 1 , . . . , s (19)where the coefficients a ℓ,i are in F q m for ℓ = 0 , , . . . , s and i ∈ N . Choose the largest integer u ≥ suchthat there exists ℓ ∈ { , , . . . , s } satisfying a ℓ ,u = 0 . By (18), we may assume ℓ ∈ [ s ] . (Otherwise,we have a ,u = 0 and a ,u = · · · = a s,u = 0 . Then the LHS of (18), which we denote by Q ∗ , satisfies v P ( m ) ∞ ( Q ∗ ) = − ( d − k + 1) + u < + ∞ , contradicting (18).) Then we have = A ℓ ∈ L (( d − u ) P ( m ) ∞ ) ,which implies u ≤ d .Let ˆ a ℓ,i = a ℓ,i + u for ℓ = 0 , , . . . , s and i ∈ N . So ˆ a ℓ , = a ℓ ,u = 0 . We may rewrite (19) as A = ∞ X i =0 ˆ a ,i T − ( d + k − u + i and A ℓ = ∞ X i =0 ˆ a ℓ,i T − d + u + i , ℓ = 1 , . . . , s. With the notations above, (18) becomes ∞ X i =0 ˆ a ,i T − ( d + k − u + i + s X ℓ =1 ∞ X i =0 ˆ a ℓ,i T − d + u + i ! ∞ X i =0 f σ ℓ − i T − ( k − i ! = ∞ X i =0 ˆ a ,i + s X ℓ =1 i X j =0 ˆ a ℓ,i − j f σ ℓ − j T − ( d + k − u + i . So we obtain the equations i X j =0 s X ℓ =1 ˆ a ℓ,i − j f σ ℓ − j = − ˆ a ,i , i = 0 , , . . . , k − (20)where ˆ a ℓ, = 0 for some ℓ ∈ [ s ] .By Claim 4.5, the solution set of all φ ( f ) = ( f , f , . . . , f k − ) satisfying (20) is contained in an affineshift of the kernel of a ( k, r, m ) -BTT matrix M over F q for some r ≥ m − s + 1 , and M can be constructedin time poly(log q, m, n ) given the coefficients ˆ a ℓ,i . By Lemma 4.6, the kernel of M is a ( k, m, m − r ) -BTTsubspace. It is a subspace of a ( k, m, s − -BTT subspace since m − r ≤ s − .To compute ˆ a ℓ,i for ℓ = 0 , , . . . , s and i = 0 , , . . . , k − , we first find Q in time poly( r e , m ) ,which determines A , A , . . . , A s . Then we compute the coefficients ˆ a ℓ,i = a ℓ,i + u of the Laurent series of A , A , . . . , A s in time poly( r e , m ) .Finally, noting that a basis for the kernel of M , as well as the desired affine shift (which is any validsolution to (20)), can be found in time poly( r e , m ) , concludes the proof of Lemma 6.4. Remarks. We conclude this section with some remarks: Remark . For ease of presentation, we only present the construction from the Garcia–Stichtenoth tower,but this framework is generic and also works for other families of function fields, e.g., the Hermitian towerconsidered in [She93, GX12]. Besides bounds for the genus and the number of evaluation points, we needthe function fields to be explicit in the sense that there should be efficient algorithms for the following31ubroutines: computing a basis of the Riemann–Roch space L ( D ) used in the code, evaluating a function f ∈ L ( D ) at any evaluation point, and computing the Laurent series expansion of f ∈ L ( D ) at a fixedrational place P in a uniformizer that is fixed by the Frobenius automorphism.In particular, if we replace K e by the rational function field F q ( X ) , choose the divisor D to be ( k − P ∞ where P ∞ denotes the unique pole of X , and choose the rational place P for Laurent series expansions tobe the unique zero of X , then we recover the Reed–Solomon codes with subfield evaluation points that havebeen discussed in Section 4. Remark . We have defined two F q m -linear maps, the encoding map Enc : L (( k − P ( m ) ∞ ) → F nq m and theembedding φ : L (( k − P ( m ) ∞ ) → F kq m that outputs the first k coefficients of the Laurent series expansionat P ( m ) ∞ in x − e . See Figure 3. Both of these two maps are efficiently computable. L (( k − P ( m ) ∞ ) F nq m F kq m φ Enc Figure 3: The linear maps Enc and φ .As explained in the proof of Theorem 1.1, the final code is defined to be Enc ( φ − ( W )) for some BTTevasive subspace W ⊆ F kq m . That is, we restrict the message space to φ − ( W ) .We note that [GX13] used a different idea: In [GX13], the map φ was defined on the Riemann-Roch space L ( k ′ P ( m ) ∞ ) with k ′ = k − g ≥ k − . This choice of larger k ′ guarantees that themap φ : L ( k ′ P ( m ) ∞ ) → F kq m is surjective (instead of being injective). Then [GX13] chose a subspace V ⊆ L ( k ′ P ( m ) ∞ ) such that the restriction of φ to V is an isomorphism between V and F kq m . In this way, F kq m may be identified with the message space V . This space V was further replaced by an evasive subspace in[GX13] to reduce the list size.This way of restricting the message space in [GX13] may be used to replace ours. Nevertheless, we feelthat our method is somewhat simpler. In particular, we only need Riemann’s inequality ℓ ( D ) ≥ deg( D ) − g +1 in the analysis, while [GX13] uses the fact that ℓ ( D ) = deg( D ) − g + 1 when deg( D ) ≥ g − , which isderived from the full Riemann–Roch theorem. References [BFNW93] László Babai, Lance Fortnow, Noam Nisan, and Avi Wigderson. BPP has subexponential timesimulations unless EXPTIME has publishable proofs. Computational Complexity , 3(4):307–318, 1993.[BKR10] Eli Ben-Sasson, Swastik Kopparty, and Jaikumar Radhakrishnan. Subspace polynomials andlimits to list decoding of Reed-Solomon codes. IEEE Transactions on Information Theory ,56(1):113–120, 2010.[BW87] E. R. Berlekamp and L. Welch. Error correction of algebraic block codes. US Patent Number4,633,470, 1987. 32CPS99] Jin-Yi Cai, Aduri Pavan, and D. Sivakumar. On the hardness of permanent. In Proceedingsof the 16th Annual Symposium on Theoretical Aspects of Computer Science (STACS) , volume1563 of Lecture Notes in Computer Science , pages 90–99. Springer, 1999.[DKSS13] Zeev Dvir, Swastik Kopparty, Shubhangi Saraf, and Madhu Sudan. Extensions to the methodof multiplicities, with applications to Kakeya sets and mergers. SIAM Journal on Computing ,42(6):2305–2328, 2013.[DL12] Zeev Dvir and Shachar Lovett. Subspace evasive sets. In Proceedings of the 44th Annual ACMSymposium on Theory of Computing (STOC) , pages 351–358. ACM Press, 2012.[For66] David Forney. Concatenated Codes . M.I.T. Press, Cambridge, MA, USA, 1966.[GI01] Venkatesan Guruswami and Piotr Indyk. Expander-based constructions of efficiently decodablecodes. In Proceedings of the 42nd Annual IEEE Symposium on Foundations of ComputerScience (FOCS) , pages 658–667. IEEE Computer Society, 2001.[GK16] Venkatesan Guruswami and Swastik Kopparty. Explicit subspace designs. Combinatorica ,36(2):161–185, 2016.[GL89] Oded Goldreich and Leonid A Levin. A hard-core predicate for all one-way functions. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC) , pages25–32. ACM, 1989.[GR08] Venkatesan Guruswami and Atri Rudra. Explicit codes achieving list decoding capacity: Error-correction with optimal redundancy. IEEE Transactions on Information Theory , 54(1):135–150,2008.[GRS00] Oded Goldreich, Dana Ron, and Madhu Sudan. Chinese remaindering with errors. IEEETransactions on Information Theory , 46(4):1330–1338, 2000.[GRX18] Venkatesan Guruswami, Nicolas Resch, and Chaoping Xing. Lossless dimension expandersvia linearized polynomials and subspace designs. In Proceedings of the 33rd ComputationalComplexity Conference (CCC) , volume 102 of LIPIcs , pages 4:1–4:16. Schloss Dagstuhl -Leibniz-Zentrum für Informatik, 2018.[GS96] Arnaldo Garcia and Henning Stichtenoth. On the asymptotic behaviour of some towers offunction fields over finite fields. Journal of Number Theory , 61(2):248–273, 1996.[GS99] Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Transactions on Information Theory , 45(6):1757–1767, 1999.[Gur09] Venkatesan Guruswami. Artin automorphisms, cyclotomic function fields, and folded list-decodable codes. In Proceedings of the 41st Annual ACM Symposium on Theory of Computing(STOC) , pages 23–32. ACM Press, 2009.[GUV09] Venkatesan Guruswami, Christopher Umans, and Salil Vadhan. Unbalanced expanders andrandomness extractors from Parvaresh-Vardy codes. Journal of the ACM , 56(4):20:1–20:34,2009. 33GW13] Venkatesan Guruswami and Carol Wang. Linear-algebraic list decoding for variants of Reed-Solomon codes. IEEE Transactions on Information Theory , 59(6):3257–3268, 2013.[GX12] Venkatesan Guruswami and Chaoping Xing. Folded codes from function field towers andimproved optimal rate list decoding. In Proceedings of the 44th Annual ACM Symposium onTheory of Computing (STOC) , pages 339–350. ACM, 2012.[GX13] Venkatesan Guruswami and Chaoping Xing. List decoding Reed-Solomon, Algebraic-Geometric, and Gabidulin subcodes up to the Singleton bound. In Proceedings of the 45thAnnual ACM Symposium on Theory of Computing (STOC) , pages 843–852. ACM Press, 2013.[GX14] Venkatesan Guruswami and Chaoping Xing. Optimal rate list decoding of folded algebraic-geometric codes over constant-sized alphabets. In Proceedings of the 25th Annual ACM-SIAMSymposium on Discrete Algorithms (SODA) , pages 1858–1866. SIAM, 2014.[GX15] Venkatesan Guruswami and Chaoping Xing. Optimal rate algebraic list decoding using narrowray class fields. Journal of Combinatorial Theory, Series A , 129:160–183, 2015.[HRW20] Brett Hemenway, Noga Ron-Zewi, and Mary Wootters. Local list recovery of high-rate tensorcodes and applications. SIAM Journal on Computing , 49(4), 2020.[JLJ + 89] Jørn Justesen, Knud J. Larsen, Helge Elbrønd Jensen, Allan Havemose, and Tom Høholdt.Construction and decoding of a class of algebraic geometry codes. IEEE Transactions onInformation Theory , 35(4):811–821, 1989.[KM93] Eyal Kushilevitz and Yishay Mansour. Learning decision trees using the Fourier spectrum. SIAM Journal on Computing , 22(6):1331–1348, 1993.[KRR + 19] Swastik Kopparty, Nicolas Resch, Noga Ron-Zewi, Shubhangi Saraf, and Shashwat Silas. Onlist recovery of high-rate tensor codes. In Proceedings of the 23rd International Conference onRandomization and Computation (RANDOM) , pages 68:1–68:22. Schloss Dagstuhl - Leibniz-Zentrum fuer Informatik, 2019.[KRSW18] Swastik Kopparty, Noga Ron-Zewi, Shubhangi Saraf, and Mary Wootters. Improved list decod-ing of folded Reed-Solomon and multiplicity codes. In Proceedings of the 59th Annual IEEESymposium on Foundations of Computer Science (FOCS) , pages 212–223. IEEE ComputerSociety, 2018.[Lan02] Serge Lang. Algebra . Springer, 2002.[MRR + 20] Jonathan Mosheiff, Nicolas Resch, Noga Ron-Zewi, Shashwat Silas, and Mary Wootters. LDPCcodes achieve list-decoding capacity. In Proceedings of the 61st Annual IEEE Symposium onFoundations of Computer Science (FOCS) . IEEE Computer Society, 2020.[Pet60] W. Wesley Peterson. Encoding and error-correction procedures for the Bose-Chaudhuri codes. IRE Transactions on Information Theory , 6(4):459–470, 1960.[RS60] Irving S. Reed and Gustave Solomon. Polynomial codes over certain finite fields. SIAM Journalof the Society for Industrial and Applied Mathematics , 8(2):300–304, 1960.34RWZ20] Noga Ron-Zewi, Mary Wootters, and Gilles Zémor. Linear-time erasure list-decoding of ex-pander codes. In Proceedings of the IEEE International Symposium on Information Theory(ISIT) . IEEE, 2020.[SAK + 01] Kenneth W Shum, Ilia Aleshnikov, P Vijay Kumar, Henning Stichtenoth, and Vinay Deolalikar.A low-complexity algorithm for the construction of algebraic-geometric codes better than theGilbert-Varshamov bound. IEEE Transactions on Information Theory , 47(6):2225–2241, 2001.[She93] B. Z. Shen. A Justesen construction of binary concatenated codes that asymptotically meet theZyablov bound for low rate. IEEE Transactions on Information Theory , 39(1):239–242, 1993.[Sti09] Henning Stichtenoth. Algebraic function fields and codes , volume 254. Springer Science &Business Media, 2009.[STV01] Madhu Sudan, Luca Trevisan, and Salil Vadhan. Pseudorandom generators without the XORlemma. Journal of Computer and System Sciences , 62(2):236–266, 2001.[Sud97] Madhu Sudan. Decoding of Reed Solomon codes beyond the error-correction bound. Journalof Complexity , 13(1):180–193, 1997.[Tre03] Luca Trevisan. List-decoding using the XOR lemma. In Proceedings of the 44th Annual IEEESymposium on Foundations of Computer Science (FOCS) , pages 126–135. IEEE ComputerSociety, 2003.[TU12] Amnon Ta-Shma and Christopher Umans. Better condensers and new extractors from Parvaresh-Vardy codes. In Proceedings of the 27th Computational Complexity Conference (CCC) , pages309–315. IEEE Computer Society, 2012.[TZ04] Amnon Ta-Shma and David Zuckerman. Extractor codes. IEEE Transactions on InformationTheory , 50(12):3015–3025, 2004. A The Guruswami–Kopparty explicit subspace design In this section, for completeness, we review the proof of Theorem 2.1, restated below, that gives an explicitconstruction of a subspace design. Theorem 2.1 (Explicit subspace design, [GK16], Theorem 6) . There exists an absolute constant c > ,so that for every ǫ > , positive integers k, m, r with r < ǫm , and a prime power q satisfying q m ≥ max n k c · r/ǫ , (cid:0) rǫ (cid:1) r/ǫ o , there exists an ( r, s ) -subspace design H , . . . , H k over F q m for s = r ǫ , whereeach H i has co-dimension at most ǫm in F q m . Moreover, bases for H , . . . , H k can be found in time poly( q, k, m ) . First, we recall the definition of a subspace design. Definition A.1 (subspace design) . An ( r, s ) -subspace design over F q m of cardinality k is a collection of k F q -linear subspaces H , H , . . . , H k ⊆ F q m so that P ki =1 dim( ˆ V ∩ H i ) ≤ s for any F q -linear subspace ˆ V ⊆ F q m of dimension at most r . r, t, m, q, d ∈ N + be such that q isa prime power and r ≤ t ≤ m < q . Let γ be a generator of the multiplicative group F ∗ q . For α ∈ F q d , define S α = { α q j γ i : 0 ≤ j < d, ≤ i < t } . Lemma A.2. There exists a set F ⊆ F q d of cardinality at least q d − dt that satisfies the following conditions:1. F q ( α ) = F q d for α ∈ F .2. S α ∩ S β = ∅ for distinct α, β ∈ F .3. | S α | = dt for α ∈ F .Moreover, F can be computed in time polynomial in q d . Let V = { f ( X ) ∈ F q [ X ] : deg( f ) < m } ∼ = F q m . For α ∈ F q d , define H α := { P ( X ) ∈ V : P ( α · γ i ) = 0 for j = 0 , , . . . , t − } which is a subspace of V . As shown in [GK16], Theorem 2.1 follows as a consequence of the followingtheorem. Theorem A.3 ([GK16]) . Let F be as in Lemma A.2. Then the collection ( H α ) α ∈F is an ( r, s ) -subspacedesign in V ∼ = F q m for s = ( m − rd ( t − r +1) , such that every subspace H α has co-dimension at most dt . Note that Theorem A.3 requires the field size q to be greater than m while Theorem 2.1 does not, so thelatter does not directly follow from the former. The idea in [GK16] is first using Theorem A.3 to constructa subspace design in F m ′ Q over an extension field F Q , where m ′ = m/ [ F Q : F q ] and Q > m ′ . (Assume m is a multiple of [ F Q : F q ] for simplicity.) Then [GK16] showed that, by identifying F m ′ Q with F mq , this alsoyields a subspace design in F mq with somewhat worse parameters, thereby proving Theorem 2.1. We referthe reader to [GK16] for details. A.1 Proof of Lemma A.2 In [GK16], the set F ⊆ F q d is chosen in the following way: For simplicity, assume d is a prime. For α, β ∈ F ∗ q d , write α ∼ β if β = α q i · δ for some ≤ i < d and δ ∈ F ∗ q . Then ∼ is an equivalence relationon F ∗ q d . For each equivalence class O ⊆ F ∗ q d , choose a representative α ∈ O . For α ∈ O , add α to F if andonly if α = α γ it for some integer i satisfying ≤ i < ⌊ ( q − /t ⌋ .However, we note that this construction of F does not always satisfy the conditions in Lemma A.2 when d > . For example, suppose d is a prime and q − is divisible by d , so that F ∗ q contains all the d th rootsof unity. In this case, F q d is a Kummer extension F q ( α ) over F q where α d = u for some u ∈ F ∗ q \ ( F ∗ q ) d .Then we have that α q − is a d -th root of unity as ( α q − ) d = ( α d ) q − = u q − = 1 . By assumption that F ∗ q contains all d th roots of unity, this implies in turn that α q − ∈ F ∗ q .Let α = α q i · δ be the representative that we chose for the equivalence class of α , where < i < d and δ ∈ F ∗ q . Then we claim that α q − ∈ F ∗ q as α q − = ( α q − ) q i · δ q − = α q − ∈ F ∗ q . Consequently, we have that α q = α γ it + j for some integers i and j with ≤ i < ⌈ ( q − /t ⌉ and ≤ j < t . If < i < ⌊ ( q − /t ⌋ ,36hen α and α γ it are distinct and both added to F . This violates the second condition in Lemma A.2 sincewe have α q ∈ S α and α q = α γ it + j ∈ S α γ it , which implies S α ∩ S α γ it = ∅ . Similarly, if i = 0 , thenthe third condition | S α | = dt does not hold.One way of fixing this problem is ignoring those elements α ∈ F ∗ q d satisfying α q i − ∈ F ∗ q for some < i < d . The next lemma gives an upper bound for the number of those elements. Lemma A.4. Let B = { α ∈ F ∗ q d : α q i − ∈ F ∗ q for some < i < d } . Then | B | ≤ ( q d − / . Proof. If d = 1 , then | B | = 0 ≤ ( q d − / . So assume d ≥ . Consider α ∈ B . We have α q i − = δ forsome < i < d and δ ∈ F ∗ q . Note α q d − i − = (1 /δ ) q d − i = 1 /δ . So by replacing ( i, δ ) with ( d − i, /δ ) ifnecessary, we may assume i ≤ d/ .For any α ′ ∈ F ∗ q d satisfying ( α ′ ) q i − = δ , we have ( α ′ /α ) q i = α ′ /α and hence α ′ /α ∈ F ∗ q i . So thenumber of α ′ ∈ F ∗ q d satisfying ( α ′ ) q i − = δ is at most q i − . Therefore, for fixed δ ∈ F ∗ q , the number of α ∈ F ∗ q d for which there exists an integer < i ≤ d/ satisfying α q i − = δ is bounded by N := ⌊ d/ ⌋ X i =1 ( q i − 1) = ( q ⌊ d/ ⌋ +1 − q ) / ( q − − ⌊ d/ ⌋ . There are q − choices of δ ∈ F ∗ q . So we have | B | ≤ ( q − N = q ⌊ d/ ⌋ +1 − q − ⌊ d/ ⌋ ( q − . When d ≥ , we have q ⌊ d/ ⌋ +1 ≤ q d − ≤ q d / and hence | B | ≤ ( q d − / , as desired.Now assume d = 2 . We need a more careful analysis in this case. Note that if δ ∈ F ∗ q can be written as α q − then δ q +1 = α ( q − q +1) = α q − = 1 , i.e., δ is a ( q + 1) th root of unity. The number of such δ ∈ F ∗ q equals gcd( q + 1 , q − 1) = gcd( q + 1 , . So we have | B | ≤ gcd( q + 1 , N = gcd( q + 1 , · ( q − . (21)It is easy to see that the RHS of (21) is at most ( q − / . So | B | ≤ ( q − / q d − / .We now give a complete proof of Lemma A.2. Proof of Lemma A.2.