Optimal rate list decoding via derivative codes
Venkatesan Guruswami∗    Carol Wang†

Computer Science Department, Carnegie Mellon University, Pittsburgh, PA 15213
Abstract
The classical family of [n, k]_q Reed-Solomon codes over a field F_q consists of the evaluations of polynomials f ∈ F_q[X] of degree < k at n distinct field elements. In this work, we consider a closely related family of codes, called (order-m) derivative codes and defined over fields of large characteristic, which consist of the evaluations of f as well as its first m − 1 formal derivatives at n distinct field elements. For large enough m, we show that these codes can be list-decoded in polynomial time from an error fraction approaching 1 − R, where R = k/(nm) is the rate of the code. This gives an alternate construction to folded Reed-Solomon codes for achieving the optimal trade-off between rate and list error-correction radius.

Our decoding algorithm is linear-algebraic, and involves solving a linear system to interpolate a multivariate polynomial, and then solving another structured linear system to retrieve the list of candidate polynomials f. The algorithm for derivative codes offers some advantages compared to a similar one for folded Reed-Solomon codes in terms of efficient unique decoding in the presence of side information.

Keywords:
Reed-Solomon codes, list error-correction, noisy polynomial interpolation, decoding with side information, multiplicity codes, subspace-evasive sets, pseudorandomness.
1 Introduction

Consider the task of communicating information via transmission of n symbols from a large alphabet Σ over an adversarial channel that can arbitrarily corrupt any subset of up to pn symbols (for some error parameter p ∈ (0, 1)). Error-correcting codes can be used to communicate reliably over such a channel. A code C is a judiciously chosen subset of Σ^n that enables recovery of any c ∈ C from its distorted version c + r so long as r has at most pn nonzero entries. The rate R of the code C equals log |C| / (n log |Σ|), which is the ratio of the number of bits of information in the message to the total number of bits transmitted. A basic trade-off in this setting is the one between the rate R and the error fraction p. Clearly, R ≤ 1 − p, since the channel can always zero out the last pn symbols.

∗ Supported in part by a Packard Fellowship and NSF grants CCF-0953155 and CCF-0963975. Email: [email protected]
† Supported in part by NSF CCF-0963975 and the MSR-CMU Center for Computational Thinking. Email: [email protected]

1.1 Background

Perhaps surprisingly, the above simple limit can in fact be met in the model of list decoding. Under list decoding, the error-correction algorithm is allowed to output a list of all codewords within the target error bound pn from the noisy received word. If this output list-size is small, say a constant or some polynomially growing function of the block length, then this is still useful information to have in the worst case, instead of just settling for decoding failure. For a survey of algorithmic results in list decoding, see [4].

List decoding allows one to decode from an error fraction approaching the optimal limit of 1 − R. In fact, there exist codes of rate R that enable decoding up to a fraction 1 − R − ε of errors with a list-size bound of O(1/ε) (this follows from standard random coding arguments). However, this is a nonconstructive result, with no deterministic way to construct a good code or an efficient algorithm to list decode it.
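The random-coding claim above can be made concrete with a small experiment. The sketch below uses toy parameters of our own choosing (not from the text): it samples a random code of rate R = 1/2 over a 4-ary alphabet and counts the codewords within Hamming radius (1 − R − ε)n of a random received word; for a random code this count is small with high probability.

```python
# Toy illustration of the random-coding argument: sample a random code of rate
# R over an alphabet of size q, then count codewords within Hamming radius
# (1 - R - eps) * n of a random received word. All parameters are hypothetical.
import random

random.seed(0)
q, n, R, eps = 4, 8, 0.5, 0.25
num_codewords = q ** int(R * n)      # |C| = q^(Rn), i.e. a code of rate R
code = [tuple(random.randrange(q) for _ in range(n))
        for _ in range(num_codewords)]

def hamming(u, v):
    """Number of coordinates where the two words differ."""
    return sum(a != b for a, b in zip(u, v))

radius = int((1 - R - eps) * n)      # decode out to a (1 - R - eps) fraction
received = tuple(random.randrange(q) for _ in range(n))
list_size = sum(hamming(c, received) <= radius for c in code)
print(list_size)                     # typically a very small list
```

With these parameters the expected count is about |C| · Vol(radius) / q^n ≈ 1, which is the heart of why random codes of rate R admit small lists near radius 1 − R.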
Recently, it was shown that list decoding from an error rate approaching 1 − R is possible constructively, with an explicit code (the folded Reed-Solomon code) and a polynomial-time decoding algorithm [8]. However, the list-size guarantee is much larger than the O(1/ε) bound achieved by random codes, and is a large polynomial in the block length. Before we state the result, let us first recall the definition of the well-known Reed-Solomon codes. For integer parameters 1 ≤ k < n, a field F of size ≥ n, and a sequence S = (a_1, . . . , a_n) of n distinct elements of F, the associated Reed-Solomon (RS) code is

RS_{F,S}[n, k] = { (p(a_1), . . . , p(a_n)) | p ∈ F[X] of degree < k }.

The code RS_{F,S}[n, k] has rate R = k/n, and can be list-decoded from up to a 1 − √R fraction of errors [12, 9]. It is not known if list decoding some instantiation of Reed-Solomon codes from a larger radius is possible. At the same time, it is also not known if there are some RS codes for which the list-size could grow super-polynomially beyond this radius. For a more general problem called "list recovery," it is known that the error fraction cannot be improved for certain RS codes [7].

It turns out one can decode beyond the 1 − √R bound by augmenting the RS encoding with some extra information. Parvaresh and Vardy also used in the encoding the evaluations of polynomials carefully correlated with the message polynomial p [11]. However, the encodings of the extra polynomial(s) cost a lot in terms of rate, so their improvement is confined to low rates (at most 1/16) and does not achieve the optimal 1 − R radius. Later, Guruswami and Rudra considered a "folded" version of RS codes [8], which is really just the RS code viewed as a code over a larger alphabet. More precisely, the order-m folded Reed-Solomon code is defined as follows.

Definition 1.
Let F be a field of size q with nonzero elements {1, γ, . . . , γ^{n−1}} for n = q − 1, where γ is a primitive element of F. Let m ≥ 1 be an integer which divides n. Let 1 ≤ k < n be the degree parameter.

The folded Reed-Solomon code FRS^{(m)}_F[k] is a code over alphabet F^m that encodes a polynomial f ∈ F[X] of degree < k as

(f(1), f(γ), . . . , f(γ^{m−1})), (f(γ^m), f(γ^{m+1}), . . . , f(γ^{2m−1})), . . . , (f(γ^{n−m}), f(γ^{n−m+1}), . . . , f(γ^{n−1})).   (1)

It is shown in [8] that the above code can be decoded up to an error fraction

≈ 1 − ( mR/(m − s + 1) )^{s/(s+1)}

for any parameter s, 1 ≤ s ≤ m, where R = k/n is the rate of the code. (For s = 1, the performance is the 1 − √R bound, but the radius improves for large s and m ≫ s. For example, picking s ≈ 1/ε and m ≈ 1/ε², the list decoding radius exceeds 1 − R − ε.) The bound on the list-size is q^{s−1}, and the decoding complexity is of the same order. Getting around this exponential dependence on s remains an important theoretical question.

The above algorithm involved finding roots of a univariate polynomial over an extension field of large degree over the base field F. Recently, an entirely linear-algebraic algorithm was discovered in [6] which avoids the use of extension fields. Although the error fraction decoded by the linear-algebraic algorithm is smaller (it is (s/(s+1)) (1 − mR/(m − s + 1)) for the above folded RS codes), it can still be made to exceed 1 − R − ε for any ε > 0 by the choices s ≈ 1/ε and m ≈ 1/ε². The advantage of the algorithm in [6] is that, except for the step of pruning an (s − 1)-dimensional subspace to filter the close-by codewords, it has quadratic running time.

In this work, we consider another natural variant of Reed-Solomon codes (over fields of large characteristic), called derivative codes, defined formally in Section 2.
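For concreteness, the folded encoding (1) can be sketched in code. The instance below is a toy example of our own choosing (a prime field of size q = 13 with primitive element γ = 2, folding parameter m = 4); it only illustrates how the n = q − 1 evaluation points are grouped into n/m columns.

```python
# A minimal sketch of order-m folded Reed-Solomon encoding (Definition 1) over
# a prime field F_q; gamma must be a primitive element, so that 1, gamma, ...,
# gamma^(n-1) enumerate the nonzero field elements.

def poly_eval(coeffs, x, q):
    """Evaluate a polynomial (coefficients listed low degree first) at x mod q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc

def folded_rs_encode(coeffs, gamma, m, q):
    """Group the n = q - 1 evaluations f(gamma^i) into n/m columns of size m."""
    n = q - 1
    assert n % m == 0, "the folding parameter m must divide n"
    evals = [poly_eval(coeffs, pow(gamma, i, q), q) for i in range(n)]
    return [tuple(evals[j * m:(j + 1) * m]) for j in range(n // m)]

# Toy instance: q = 13, gamma = 2 (a primitive root mod 13), m = 4, f(X) = 1 + X.
codeword = folded_rs_encode([1, 1], 2, 4, 13)   # three columns, each in F_13^4
```

Each column is a single symbol of the alphabet F^m; a derivative code (Definition 2 below) instead fills a column with the values f(a_i), f′(a_i), . . . , f^{(m−1)}(a_i) at one point.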
Informally, rather than bundling together evaluations of the message polynomial at consecutive powers of γ, in an order-m derivative code we bundle together the evaluations of f as well as its first m − 1 derivatives at each point. This might appear to cause a loss in rate (similar to the Parvaresh-Vardy construction [11]), but it does not, as one can pick higher-degree polynomials while still maintaining the distance. (For two distinct degree-ℓ polynomials, there can be at most ℓ/m points where they and their first m − 1 derivatives agree.)

In Theorem 6 and Corollary 7, we show our main result that derivative codes also achieve list-decoding capacity; that is, for any ε > 0, for the choice m ≈ 1/ε², we can list decode order-m derivative codes of rate R from a 1 − R − ε fraction of errors. The list-size and running time behavior is similar to the linear-algebraic algorithm for folded RS codes [6], and once again one can find, by just solving two linear systems, a low-dimensional space that contains all the close-by codewords.

Recently, multivariate versions of derivative codes were used in [10] to give locally decodable codes. In that work, these codes were referred to as multiplicity codes, but we refer to our codes as derivative codes to emphasize our use of formal derivatives rather than Hasse derivatives in the encoding. A side benefit of the changed terminology is to single out the important univariate case with a different name.

Motivation.
Prior to this work, the only known explicit codes list-decodable up to the optimal 1 − R bound were based on folded Reed-Solomon codes (or, with smaller alphabets, certain folded algebraic-geometric codes [5], though these are not fully explicit). It seems like a natural question to seek alternate algebraic constructions of such codes. In addition, there is the possibility that a different construction would have better complexity or list-size guarantees, or offer other advantages.

The derivative code construction is arguably just as natural as the folded Reed-Solomon one. Interestingly, it falls in the framework of Parvaresh-Vardy codes, where the correlated polynomials are formal derivatives. The special properties of derivatives ensure that one need not suffer any loss in rate, and at the same time enable list decoding up to a much larger radius than the bound for RS codes. Further, our algorithm for list decoding derivative codes has some nice properties with respect to decoding with side information, and might have some benefits in practice as well. However, as with the case of folded RS codes, the proven bound on the worst-case list size has an exponential dependence on 1/ε (when the decoding radius is 1 − R − ε), and it remains a challenge to improve this. We should note that we cannot rule out the possibility that a better analysis can improve the bound; in general it is a very hard problem to show list-size lower bounds for these algebraic codes.

We end the introduction with a brief overview of the algorithm, and speculate on a possible benefit it offers compared to the folded RS case. At a high level, our decoding algorithm is similar to those used for Reed-Solomon and folded Reed-Solomon codes: it consists of an interpolation step, and then a second step to retrieve the list of all polynomials satisfying a certain algebraic condition. The interpolation step consists of fitting a polynomial of the form A_0(X) + A_1(X)Y_1 + A_2(X)Y_2 + · · · + A_s(X)Y_s.
(Note that the total degree in the Y_i's is 1, and we do not use "multiplicities" in the interpolation.) The second step consists of solving the "differential equation"

A_0(X) + A_1(X)f(X) + A_2(X)f′(X) + · · · + A_s(X)f^{(s−1)}(X) = 0

for low-degree polynomials f. (Independently, a list decoding guarantee similar to the Guruswami-Rudra bound for folded RS codes has been obtained by Bombieri and Kopparty [1], based on using higher powers of the Y_i as well as multiplicities in the interpolation.)

The differential equation imposes a system of linear equations on the coefficients of f. The specific structure of this linear system is different from the one for folded RS codes in [6]. In particular, once the values of f and its first s − 2 derivatives at some point α (at which the interpolated polynomial A_s doesn't vanish) are known, the rest are determined by the system. This has two advantages. First, having these values (at a random α) as side information immediately leads to an efficient unique decoding algorithm. Second, in practice, A_s may not have many zeroes amongst the evaluation points, in which case we can obtain the values of f(a_i), . . . , f^{(s−2)}(a_i) from the received word (instead of trying all q^{s−1} possibilities). While we have not been able to leverage this structure to improve the worst-case list-size bound, it is conceivable that additional ideas could lead to some improvements.

2 Derivative codes

We denote by F_q the field of q elements. For a polynomial f ∈ F_q[X], we denote by f′ its formal derivative, i.e., if f(X) = f_0 + f_1 X + · · · + f_ℓ X^ℓ, then f′(X) = Σ_{i=1}^{ℓ} i f_i X^{i−1}. We denote by f^{(i)} the formal i'th derivative of f.

Definition 2 (m'th order derivative code). Let 1 ≤ m ∈ Z. Let a_1, . . . , a_n ∈ F_q be distinct, and let the parameters satisfy m ≤ k < nm ≤ q.
Further assume that char(F_q) > k.

The derivative code Der^{(m)}_q[n, k] over the alphabet F_q^m encodes a polynomial f ∈ F_q[X] of degree at most k − 1 by

(f(a_1), f′(a_1), . . . , f^{(m−1)}(a_1)), (f(a_2), f′(a_2), . . . , f^{(m−1)}(a_2)), . . . , (f(a_n), f′(a_n), . . . , f^{(m−1)}(a_n)).   (2)

Remark. Note that the case m = 1 is a Reed-Solomon code.

This code has block length n and rate R = k/(nm). The minimum distance is n − ⌊(k − 1)/m⌋ ≈ (1 − R)n.

3 Decoding derivative codes

Suppose we have received the corrupted version of a codeword from the derivative code Der^{(m)}_q[n, k] as a string y ∈ (F_q^m)^n, which we will naturally consider as an m × n matrix over F_q:

y_{1,1}  y_{1,2}  . . .  y_{1,n}
y_{2,1}  y_{2,2}  . . .  y_{2,n}
 . . .    . . .   . . .   . . .
y_{m,1}  y_{m,2}  . . .  y_{m,n}    (3)

The goal is to recover all polynomials f of degree at most k − 1 whose encoding (2) agrees with y in at least t columns. This corresponds to decoding from n − t symbol errors for the derivative code Der^{(m)}_q[n, k]. When t > (n + k/m)/2, the polynomial f, if it exists, is unique, and in this regime an efficient decoding algorithm was given in [10] by adapting the Welch-Berlekamp algorithm for Reed-Solomon codes [14, 2].

We adapt the algebraic list-decoding method used for Reed-Solomon and folded Reed-Solomon codes to the derivative code setting. The decoding algorithm consists of two steps: (i) interpolation of an algebraic condition (that must be obeyed by all candidate polynomials f), and (ii) retrieving the list of candidate solutions f (from the algebraic condition found by the interpolation step).

Our algorithm can be viewed as a higher-dimensional analog of the Welch-Berlekamp algorithm, where we use multivariate polynomials instead of bivariate polynomials in the interpolation. This has been used in the context of folded Reed-Solomon codes in [13, Chap. 5] and [6], and here we show that derivative codes can also be list decoded in this framework.

3.1 The interpolation step

Let W denote the F_q-linear subspace of F_q[X, Y_1, . . . , Y_m] consisting of polynomials that have total degree at most 1 in the Y_i's; i.e., W contains polynomials of the form B_0(X) + B_1(X)Y_1 + B_2(X)Y_2 + · · · + B_m(X)Y_m for some polynomials B_i ∈ F_q[X].

Let D be the F_q-linear map on W defined as follows: for p ∈ F_q[X] and 1 ≤ i ≤ m,

D(p)(X, Y_1, . . . , Y_m) = p′(X)   (4)

and

D(pY_i)(X, Y_1, . . . , Y_m) = p′(X) Y_i + p(X) Y_{i+1},   (5)

where we take Y_{m+1} = Y_1.

Let s, 1 ≤ s ≤ m, be an integer parameter in the decoding algorithm. The goal in the interpolation step is to interpolate a nonzero polynomial Q ∈ F_q[X, Y_1, Y_2, . . . , Y_s] of the form

A_0(X) + A_1(X)Y_1 + A_2(X)Y_2 + · · · + A_s(X)Y_s   (6)

satisfying the following conditions for each i, 1 ≤ i ≤ n:

Q(a_i, y_{1,i}, . . . , y_{s,i}) = 0 and (D^k Q)(a_i, y_{1,i}, . . . , y_{m,i}) = 0 for k = 1, . . . , m − s,   (7)

where D^k denotes the k-fold composition of the map D.

Observation.
For each i, the conditions (7) are a collection of (m − s + 1) homogeneous linear constraints on the coefficients of the polynomial Q.

The following shows why the interpolation conditions are useful in the decoding context.
Lemma 1.
Suppose Q of the form (6) satisfies the conditions (7). If the received word (3) agrees with the encoding of f at location i, that is, f^{(j)}(a_i) = y_{j+1,i} for 0 ≤ j < m, then the univariate polynomial Q̂(X) := Q(X, f(X), . . . , f^{(s−1)}(X)) satisfies Q̂(a_i) = 0 as well as Q̂^{(k)}(a_i) = 0 for k = 1, . . . , m − s, where Q̂^{(k)}(X) is the k'th derivative of Q̂.

Proof. Notice the form that our definition of the map D takes when Y_i = f^{(i−1)}(X) for 1 ≤ i ≤ m. We have D(p) = p′ for p ∈ F_q[X], and D(p f^{(i−1)}) = p′ f^{(i−1)} + p f^{(i)}, which is simply the product rule for derivatives. Thus when (y_{1,i}, y_{2,i}, . . . , y_{m,i}) = (f(a_i), f′(a_i), . . . , f^{(m−1)}(a_i)), the conditions (7) enforce that Q̂ and its first m − s derivatives vanish at a_i.

We next argue that a nonzero interpolation polynomial Q exists and can be found efficiently.

Lemma 2.
Let

d = ⌊ (n(m − s + 1) − k + 1) / (s + 1) ⌋.   (8)

Then a nonzero Q of the form (6) satisfying the conditions (7), with deg(A_0) ≤ d + k − 1 and deg(A_j) ≤ d for 1 ≤ j ≤ s, exists and can be found in O((nm)^3) field operations over F_q.

Proof. Under the stated degree restrictions, the number of monomials in Q is

(d + 1)s + d + k = (d + 1)(s + 1) + k − 1 > n(m − s + 1),

where the last inequality follows from the choice (8) of d. The number of homogeneous linear equations imposed on the coefficients of Q in order to meet the interpolation conditions (7) is n(m − s + 1). As this is less than the number of monomials in Q, the existence of a nonzero Q follows, and it can be found by solving a linear system over F_q with at most nm constraints.

3.2 Retrieving candidate polynomials

Suppose we have a polynomial Q(X, Y_1, . . . , Y_s) satisfying the interpolation conditions (7). The following lemma gives an identity satisfied by any f which has good agreement with the received word.

Lemma 3. If f ∈ F_q[X] has degree at most k − 1 and an encoding (2) agreeing with the received word y in at least t columns for t > (d + k − 1)/(m − s + 1), then Q(X, f(X), f′(X), . . . , f^{(s−1)}(X)) = 0.

Proof.
Let Q̂(X) = Q(X, f(X), . . . , f^{(s−1)}(X)). By Lemma 1, an agreement in column i means that Q̂(X) satisfies Q̂(a_i) = 0 and that the k'th derivative Q̂^{(k)}(a_i) is also zero for k = 1, . . . , m − s. In particular, t column agreements yield at least t(m − s + 1) roots (counting multiplicities) for Q̂. The degree of Q̂ is at most d + k − 1, as f and each of its derivatives has degree at most k − 1. Then as Q̂ is univariate of degree at most d + k − 1, Q̂ has at most d + k − 1 roots if it is nonzero. Thus if t > (d + k − 1)/(m − s + 1), it must be that Q̂(X) = 0.

With our chosen value of d from (8), this means that any f which agrees with y on more than

n/(s + 1) + (s/(s + 1)) · (k − 1)/(m − s + 1)   (9)

columns satisfies Q(X, f(X), f′(X), . . . , f^{(s−1)}(X)) = 0. So in the second step, our goal is to find all polynomials f of degree at most k − 1 such that

A_0(X) + A_1(X)f(X) + A_2(X)f′(X) + · · · + A_s(X)f^{(s−1)}(X) = 0.   (10)

Let A_i(X) = Σ_{j=0}^{deg(A_i)} a_{i,j} X^j for each i. Note that the above constraint (10) gives a linear system over F_q in the coefficients of f = f_0 + f_1 X + · · · + f_{k−1} X^{k−1}. In particular, the set of solutions (f_0, f_1, . . . , f_{k−1}) is an affine space, and we can find it by solving the linear system. Our goal now is to bound the dimension of the space of solutions by exposing its special structure, and also use this to efficiently find an explicit basis for the space.

Lemma 4.
It suffices to give an algorithm in the case that the constant term a_{s,0} of A_s is nonzero.

Proof. If A_s(X) ≠ 0, since deg(A_s) ≤ d < nm ≤ q, there is some α ∈ F_q such that A_s(α) ≠ 0, so we can consider a "translate" of this problem by α; that is, A_s(X + α) has nonzero constant term, so we can solve the system with the translated polynomial Q(X + α, Y_1, . . . , Y_m) and recover candidate messages by translating each solution g(X) to f(X) = g(X − α).

If A_s(X) = 0, we simply reduce the problem to a smaller one with s rather than s + 1 interpolation variables. Note that this must terminate since Q is nonzero, and so at least one A_i for i ≥ 1 is nonzero.

We can now show:

Lemma 5. If a_{s,0} ≠ 0, the solution space to (10) has dimension at most s − 1.

Proof. For each power X^i, the coefficient of X^i in A_0(X) + A_1(X)f(X) + · · · + A_s(X)f^{(s−1)}(X) is

a_{0,i} + Σ_{j=1}^{s} Σ_{k=0}^{i} ((k + j − 1)! / k!) · a_{j,(i−k)} · f_{k+j−1}.

If (f_0, . . . , f_{k−1}) is a solution to (10), then this coefficient is zero for every i.

The coefficient of X^i for each i depends only on f_j for j < i + s, and the coefficient of f_{i+s−1} is a_{s,0} · (i + s − 1)(i + s − 2) · · · (i + 1), which is nonzero when i + s ≤ k since char(F_q) > k. Thus, if we fix f_0, f_1, . . . , f_{s−2}, the rest of the coefficients f_{s−1}, . . . , f_{k−1} are uniquely determined. In particular, the dimension of the solution space is at most s − 1.

Remark. The bound of Lemma 5 is tight for arbitrary linear systems. Indeed, if

Q(X, Y_1, . . . , Y_s) = Σ_{i=0}^{s−1} ((−1)^i / i!) X^i Y_{i+1},

then any polynomial of degree less than s with zero constant term satisfies Q(X, f(X), . . . , f^{(s−1)}(X)) = 0.
This is because any monomial f(X) = X^j for 0 < j ≤ s − 1 is a solution, and our solution space is linear. Of course, we do not know if such a bad polynomial can occur as the output of the interpolation step when decoding a noisy codeword of the derivative code.

Combining these lemmas and recalling the bound (9) on the number of agreements for successful decoding, we have our main result.

Theorem 6 (Main). For every 1 ≤ s ≤ m, the derivative code Der^{(m)}_q[n, k] (where char(F_q) > k) satisfies the property that for every received word y ∈ F_q^{nm}, an affine subspace S ⊆ F_q[X] of dimension at most s − 1 can be found in polynomial time such that every f ∈ F_q[X] of degree less than k whose derivative encoding differs from y in at most

(s/(s + 1)) · (n − k/(m − s + 1))

positions belongs to S.

Now by setting s ≈ 1/ε and m ≈ 1/ε², and recalling that the rate of Der^{(m)}_q[n, k] equals k/(nm), we can conclude the following.

Corollary 7.
For all R ∈ (0, 1) and all ε > 0, for a suitable choice of parameters, there are derivative codes Der^{(m)}_q[n, k] of rate at least R which can be list decoded from a fraction 1 − R − ε of errors with a list-size of q^{O(1/ε)}.

We now make a couple of remarks on coping with the large list-size bound in our decoding algorithms.

4.1 Reducing the list size
One approach to avoid the large list-size bound of ≈ q^s on the number of close-by codewords is to draw codewords from so-called subspace-evasive subsets of F_q^k rather than all of F_q^k. This approach was used in [6] to reduce the list-size for folded Reed-Solomon codes, and we can gain a similar benefit in the context of list decoding derivative codes. A subset of F_q^k is (s, L)-subspace-evasive if it intersects every linear subspace S ⊆ F_q^k of dimension at most s in at most L points.

For any ε > 0, a probabilistic argument shows that there exist (s, O(s/ε))-subspace-evasive subsets of F_q^k of size q^{(1−ε)k}. In fact, we have the following stronger statement, proved in [6]. Fix a basis 1, β, . . . , β^{k−1} of F_{q^k} over F_q and denote K = F_{q^k}. For P ∈ K[X] and an integer r, 1 ≤ r ≤ k, define

S(P, r) = { (a_0, . . . , a_{k−1}) ∈ F_q^k | P(a_0 + a_1 β + · · · + a_{k−1} β^{k−1}) ∈ F_q-span(1, β, . . . , β^{r−1}) }.

Lemma 8 ([6]). Let q be a prime power and k ≥ 1 an integer. Let ζ ∈ (0, 1) and s ∈ Z satisfy 1 ≤ s ≤ ζk/2. Let P ∈ K[X] be a random polynomial of degree t and define V = S(P, (1 − ζ)k). Then for t ≥ Ω(s/ζ), with probability at least 1 − q^{−Ω(k)} over the choice of P, V is an (s, t)-subspace-evasive subset of F_q^k of size at least q^{(1−ζ)k}/2.

By taking messages from V rather than all of F_q^k, we suffer a small loss in rate, but give a substantial improvement to the list size bound; since our solution space is linear, the number of candidate messages is reduced from ≈ q^s to O(s/ε). In particular, setting our parameters as in Theorem 6, we can list-decode from a 1 − R − ε fraction of errors with a list size of at most O(1/ε²). However, the code construction is not explicit, but only a randomized (Monte Carlo) one that satisfies the claimed guarantees on list-decoding with high probability.

4.2 Decoding with side information

The decoding described in the previous section consists of trying all choices for the coefficients f_0, . . .
, f_{s−2} and using each to uniquely determine a candidate for f. Note, however, that for each i, the coefficient f_i is essentially the i'th derivative of f evaluated at 0, and can be recovered as f^{(i)}(0)/i!. Thus if the decoder somehow knew the correct values of f and its first s − 2 derivatives at 0, then f could be recovered uniquely (as long as A_s(0) ≠ 0).

Now, suppose the encoder could send a small amount of information along a noiseless side channel, in addition to sending the (much longer) codeword on the original channel. In such a case, the encoder could choose α ∈ F_q uniformly at random and transmit f(α), f′(α), . . . , f^{(s−2)}(α) on the noiseless channel. The decoding then fails only if A_i(α) = 0, where i is the largest index such that A_i(X) ≠ 0. As the A_i(X) have bounded degree, by increasing the field size q, f can be uniquely recovered with probability arbitrarily close to 1. More precisely, we have the following claim.

Theorem 9.
Given a uniformly random α ∈ F_q and the values f(α), f′(α), . . . , f^{(s−2)}(α) of the message polynomial f, the derivative code Der^{(m)}_q[n, k] can be uniquely decoded from up to

(s/(s + 1)) · (n − k/(m − s + 1))

errors with probability at least 1 − nm/(sq) over the choice of α.

Proof. As in the proof of Lemma 4, as long as A_s(α) ≠ 0, we may translate the problem by α and use the values f(α), f′(α), . . . , f^{(s−2)}(α) to uniquely determine the shifted coefficients g_0, . . . , g_{s−2}. As A_s ≠ 0, and A_s is univariate of degree at most d, A_s has at most d roots, and so the probability that A_s(α) ≠ 0 is at least 1 − d/q ≥ 1 − nm/(sq), where the last inequality follows from our choice of d ≤ nm/s in (8).

Remark. In the context of communicating with side information, there is a generic, black-box solution combining list-decodable codes with hashing to guarantee unique recovery of the correct message with high probability [3]. In such a scheme, the side information consists of a random hash function h and its value h(f) on the message f. The advantage of the solution in Theorem 9 is that there is no need to compute the full list (which is the computationally expensive step, since the list size bound depends exponentially on s) and then prune it to the unique solution. Rather, we can uniquely identify the first s − 1 coefficients of the polynomial f(X + α) in the linear system (10), after applying the shift X → X + α, as f(α), f′(α), . . . , f^{(s−2)}(α). Then, as argued in the proof of Lemma 5, the remaining coefficients are determined as linear combinations of these s − 1 coefficients. So the whole algorithm can be implemented in quadratic time.

Remark. The decoder could use the columns of the received word y as a guess for the side information f(a_i), f′(a_i), . . . , f^{(s−2)}(a_i) for i = 1, 2, . . . , n.
Since f agrees with y on more than t > Rn positions, as long as A_s(a_i) = 0 for fewer than t of the evaluation points a_i, we will recover every solution f this way. This would lead to a list size bound of at most n − t < n. Unfortunately, however, there seems to be no way to ensure that A_s does not vanish at most (or even all) of the points a_i used for encoding. But perhaps some additional ideas can be used to make the list size polynomial in both q and s, or at least exp(O(s)) · q^c for some absolute constant c.

References

[1] E. Bombieri and S. Kopparty. List decoding multiplicity codes, 2011. Manuscript.
[2] P. Gemmell and M. Sudan. Highly resilient correctors for multivariate polynomials. Information Processing Letters, 43(4):169–174, 1992.
[3] V. Guruswami. List decoding with side information. In Proceedings of the 18th IEEE Conference on Computational Complexity (CCC), pages 300–309, 2003.
[4] V. Guruswami. Algorithmic Results in List Decoding, volume 2 of Foundations and Trends in Theoretical Computer Science (FnT-TCS). NOW Publishers, January 2007.
[5] V. Guruswami. Cyclotomic function fields, Artin-Frobenius automorphisms, and list error-correction with optimal rate. Algebra and Number Theory, 4(4):433–463, 2010.
[6] V. Guruswami. Linear-algebraic list decoding of folded Reed-Solomon codes. In Proceedings of the 26th IEEE Conference on Computational Complexity, June 2011.
[7] V. Guruswami and A. Rudra. Limits to list decoding Reed-Solomon codes. IEEE Transactions on Information Theory, 52(8):3642–3649, August 2006.
[8] V. Guruswami and A. Rudra. Explicit codes achieving list decoding capacity: Error-correction with optimal redundancy. IEEE Transactions on Information Theory, 54(1):135–150, 2008.
[9] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and algebraic-geometric codes. IEEE Transactions on Information Theory, 45(6):1757–1767, 1999.
[10] S. Kopparty, S. Saraf, and S. Yekhanin. High-rate codes with sublinear-time decoding. Electronic Colloquium on Computational Complexity, TR10-148, 2010.
[11] F. Parvaresh and A. Vardy. Correcting errors beyond the Guruswami-Sudan radius in polynomial time. In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science, pages 285–294, 2005.
[12] M. Sudan. Decoding of Reed-Solomon codes beyond the error-correction bound. Journal of Complexity, 13(1):180–193, 1997.
[13] S. Vadhan. Pseudorandomness. Foundations and Trends in Theoretical Computer Science (FnT-TCS). NOW Publishers, 2010. To appear. Draft available at http://people.seas.harvard.edu/~salil/pseudorandomness/.
[14] L. R. Welch and E. R. Berlekamp. Error correction of algebraic block codes.