Optimal rate list decoding via derivative codes

Optimal rate list decoding via derivative codes V E N K AT E S A N G U R U S W A M I ∗ C A R O L W AN G † Computer Science Department Carnegie Mellon University Pittsbur gh, P A 15213 Abstract The classical family of [ n, k ] q Reed-Solomon codes over a field F q consist of the eva luation s of polyno mials f ∈ F q [ X ] of degree < k at n d istinct field elements. In this work, we consider a closely related fa mil y of codes, ca ll ed ( or der m ) derivative codes and defined over fields of large characteristic, which consist of the evaluations of f as well a s its first m − 1 formal de rivatives at n distinct field ele ments. For large e n ough m , we show that these codes can be list-decoded in polynomial time from an er r or f raction approaching 1 − R , where R = k / ( nm ) is the rate of the code . This gives an alternate construction to folded Reed-S olomon codes for achieving the optimal trade-off between rate and list error-correction r adius. Our decoding algorith m is linear-algebraic, and involves solving a linear system to inter- polate a multivariate polynomial, and then solving another structured linear system to retrieve the list of candidate polynomials f . The algorithm for derivative codes offers some advantages compared to a similar one for folded Reed-S olomon codes in terms of efficient unique d ecoding in the presence of side information. Keywords. Reed-Solomon codes, list error-correction , noisy polynomial interpolation, de- coding with side information, multiplicity codes, subspace-ev a sive sets, pseud o randomness. 1 Introduction Consider t he task of communica ting information via t ra nsmission o f n sy mbols fr om a large al- phabet Σ over an adversarial channel that can arbitrarily corrupt any subse t of up to pn symbols (for s ome error parameter p ∈ (0 , 1) ). Err or-corr ecting codes can be used t o communicate reliabl y over such a channel. A code C is a judiciously chosen subset of Σ n that enables recovery of any c ∈ C from its distorted vers ion c + r so long as r has at most p n nonzero entries. The rate R of the code C equals log | C | n log Σ , which is the ratio of number of bits of information in t he mes sage to th e total n u m ber of bits transmitted . A basic trade-off in this setting is the one betw een rate R and error fraction p . Clearly , R ≤ 1 − p , since t he channel can always zero-out the last pn sy mbols. ∗ Supported in part by a Packard Fellowship and NSF grants CC F 0953155 and CCF 0963975. Email: guruswami@cmu .edu † Supported in part by NSF CCF 0963975 and M SR-CMU Center for Computational Thinking. wangc@cs. cmu.edu 1 1.1 Background Perhaps s urprisingly , the above s im ple limit can in fact be met, in the mod e l of list decoding. Under list decoding, the error- correction algorithm is all owed to output a list of all codewords within the target e rr or bound pn fr om the noisy received word. If this output list-size is small, say a constant or some p olynomia lly g r owing function of the block leng th, then this is still useful information to have in the wo rst-case inst ead of just sett ling for de cod ing failur e. For a survey of algorithmic results in list decoding, see [ 4 ]. List d ecoding allows one to decode from an error fraction appr oaching the optimal limit of 1 − R . In fact, there exist codes of rate R that enable decod i ng up to a fraction 1 − R − ε of errors with a list-size bound of O (1 /ε ) (this follows fr om standard random coding arguments). However , this is a no n con s tr uctive result, with no d e terministic way t o const r uct a g o od cod e or an efficient algorithm to list decod e it. Recent ly , it was sho wn that list d e coding from an error rate approac hing 1 − R is poss i ble cons tr uctively , with an explicit code (the folded Reed-Solomon code ) and a po l ynomial time decoding algorithm [ 8 ]. H owever , the list-size guarantee is much larger than the O (1 /ε ) bound achieved by r and o m codes , and is a lar ge polynomial in th e block length. Before we state the result, let us firs t recall the definition of the well-known Reed-Solomon codes . For intege r parameters 1 < k < n , a field F of s iz e ≥ n , and a se quence S = ( a 1 , . . . , a n ) of n distinct elements of F , the associated Re ed-Solomon (RS ) code is RS F ,S [ n, k ] = {  p ( a 1 ) , . . . , p ( a n )  | p ∈ F [ X ] of d e gr ee < k } . The cod e RS F ,S [ n, k ] has rate R = k /n , and can be list-decode d from up to a 1 − √ R fraction of errors [ 12 , 9 ]. It is not known if list decoding some instantiation of Reed-Solomon codes from a larger radius is pos sibl e. At th e same time, it is also not k nown if there are some R S code s for which the list-size could grow super-polynomiall y beyond this radius. For a more general problem called “list recovery ,” it is kno wn that t he error fraction cannot be impr oved for certain RS codes [ 7 ]. It turns out one can decod e bey ond t he 1 − √ R bound by augmenting t he RS encoding with some extra information. Parvaresh and V ardy used the evaluations of po lyn o mi als car efully cor- rela ted with the message polynomial p also in the encoding [ 11 ]. However , th e encod i ngs o f the extra polynomial(s) cost a lot in terms o f rate, so their impr ovement is confined to low rates (at most 1 / 16 ) and do es n o t achieve the optimal 1 − R radius . Later , Guruswami and Rud ra cons id- ered a “folded” ver s ion of RS cod es [ 8 ], which is r eally just the R S code viewed as a code over a lar ger alphabet. More precisely , the order- m folded Re ed-Solomon cod e is define d as follows. Definition 1. L et F be a field of size q with nonzero elements { 1 , γ , . . . , γ n − 1 } for n = q − 1 , wh e r e γ is a primitive element of F . Let m ≥ 1 be an intege r which divides n . Let 1 ≤ k < n be the degree parameter . The folded Ree d-Solomon code FRS ( m ) F [ k ] is a code o ve r alphabet F m that e nc odes a polynomial f ∈ F [ X ] of degree k as f ( X ) 7→           f (1) f ( γ ) . . . f ( γ m − 1 )      ,      f ( γ m ) f ( γ m +1 ) . . . f ( γ 2 m − 1 )      , . . . ,      f ( γ n − m ) f ( γ n − m +1 ) . . . f ( γ n − 1 )           . (1) 2 It is s h o wn in [ 8 ] that the above code can be decod ed up to an error fraction ≈ 1 −  mR m − s +1  s s +1 for any parameter s , 1 ≤ s ≤ m , where R = k /n is t he rate of the code. (For s = 1 , the pe rforma nce ratio is t he 1 − √ R bound , but the radius improves for lar ge s and m ≫ s . F or example, picking s ≈ 1 /ε and m ≈ 1 /ε 2 , the list decoding radius exceeds 1 − R − ε .) The bound on list-size is q s − 1 , and the d ecoding complexity is of t he same or der . Getting around this exponential depe n d ence on s remains an important theo r e tic al question. The above algorithm involved find i ng roots of a univariate p olynomial over an extens ion fie l d of lar ge degree over the base fie l d F . Recent l y , an entirely linear-algebrai c algorithm was discov- ered in [ 6 ] w hi ch avoids t he use of extens i on fields . Althoug h the error fraction decode d by the linear -algebraic algorithm is smaller — it is s s +1  1 − mR m − s +1  for th e above folded RS cod es — it can still be made t o exceed 1 − R − ε for any ε > 0 by the choices s ≈ 1 /ε and m ≈ 1 /ε 2 . The advantage o f the algorithm in [ 6 ] is that except for the step o f pruning an ( s − 1) -dimensional subspace to filter the close-by codewords, it has quadratic running time. 1.2 This work In this work, we consider another natural variant of Ree d-Solomon codes (over fields of lar ge char - acteristic), called derivative codes , defined formally in Section 2 . Informally , rather than bundling togeth e r e va luations of the me ssage po l ynomial at consecutive pow e rs of γ , in an order- m deriva- tive code, we bundle toge ther the evaluations o f f as we l l as its first ( m − 1) derivatives at each point. This might appear to cause a loss in rate (similar to the Parvar esh-V ardy construction [ 11 ]), but it d oes not, as o ne can pick higher degree polynomials while still maintaining the distance. (For two distinct degree ℓ po l ynomials, there can be at most ℓ/m points where they and their firs t ( m − 1) de ri vatives agree.) In Theorem 6 and Coroll ary 7 , we show our main result that derivative codes also achieve list-decoding capacity; that is, for any ε > 0 , for the choice m ≈ 1 /ε 2 , we can list decode order - m derivative codes of rate R from a 1 − R − ε fraction of e rr o rs. The list-size and running time behavior is simila r to the linear -algebraic algorithm for folded RS codes [ 6 ], and once again one can find, by just solving two linear s ystems, a low-dimensional space that contains all the close-by codewords. Recently , multivariate versions of derivative codes were u s ed in [ 10 ] to give locally decodable codes. In that wo rk, thes e code s were referr ed t o as multiplicity codes , but we r efer to o ur cod es as derivative codes t o emphasize ou r use of formal derivatives rather t ha n Hasse der ivatives in the encoding. A side benefit of the changed t e rmi nology is to single out the important univariate case with a differ ent name. Motivation. Prior t o this w o rk, the only known exp l icit codes list decodable up t o the o p tima l 1 − R bound were based on folded R eed-Solomon codes (or with s maller alphabets, certain folde d algebraic-geometric codes [ 5 ], though these are not fully explicit). It seems like a natural ques- tion to see k alternate algebraic const r uctions of such cod es. In addition, there is the p ossibili ty that a differ ent construction would have better complexity or list-size guarantee s, or of fer oth e r advantages. The de ri vative code construction is ar guably just as natural as t he folde d Re ed-Solomon one . 3 Interestingly , it falls in the framework of Parvaresh-V ar dy cod es, where th e correlated p olynomia ls ar e formal derivatives. Th e s pecia l properties of de riv atives ensures that one nee d not suffer any loss in rate , and at the same time enable list decoding u p to a much lar ger radius than the bound for RS codes. Furt her , our algorithm for list decoding derivative codes has some nice properties with respect to de c oding with side information, and might have some bene fits in practice as well. However , as with the case of folded RS codes, the proven bound on the worst-case list size has an exponent i al de pendence on ε (when the decoding radius is 1 − R − ε ), and it remains a challenge to improve this. W e s h o uld not e t hat we cannot rule out the pos sibi lity that a better analysis can impr ove the bound; in gene ra l it is a very har d probl em to s how list-size lower bounds for thes e algebraic codes. W e end the introduction with a brief overview of the algorithm, and sp e cul ate on a poss ible benefit it offers compared to the folde d RS case. At a high level, our d e coding algorithm is similar to those used for Reed - Solomon and folded Re ed-Solomon cod es — it consists of an inter p ola tion step, and then a second step to r etrieve the list of all polynomials satisfying a certain algebraic condition. The interp ola tion step cons ists of fitting a p olynomia l o f the form A 0 ( X ) + A 1 ( X ) Y 1 + A 2 ( X ) Y 2 + · · · + A s ( X ) Y s . (Note t h at t he total degree in the Y i ’s is 1 , and we do no t use “mul- tiplicities” in the interpo lation.) The s econd s tep consist s of solving t h e “dif ferential equation” A 0 ( X ) + A 1 ( X ) f ( X ) + A 2 ( X ) f ′ ( X ) + . . . + A s ( X ) f ( s − 1) ( X ) = 0 for low-deg r e e polynomials f . (Independ ently , a list decoding guarantee similar to the Guruswami-Rudra boun d for folded RS codes has been obtained by B ombi eri and Kopparty [ 1 ] based on using higher power s of Y i as well as multiplicities in t he interpo lation.) The d i ff erential equation impos es a sys t em of linear equations on the coefficients of f . The specific structure of this linear sy stem is dif ferent fr om the one for folded R S cod es in [ 6 ]. In par- ticular , once the values of f and its first s − 2 de ri vatives at some point α (at which t he interpolated polynomial A s doesn’t vanish) are kno wn, the rest are de termined by the syste m. This has two ad- vantages. First , having the s e values (at a random α ) as side information immediately leads t o an effic ient unique de coding algorithm. Second , in practice, A s may not have many zeroes amongst the evaluation points, in which case we can obtain the values of f ( a i ) , . . . , f ( s − 2) ( a i ) from the re- ceived word (instead of trying all q s − 1 possibilities). While we have not been able t o leverage this structure to improve the worst-case list-size bound, it is conceivable that additional ideas could lead to so m e improvements. 2 Derivative codes W e de n o te by F q the field o f q elements. For a polyno mi al f ∈ F q [ X ] , we de note by f ′ its formal derivative, i.e . if f ( X ) = f 0 + f 1 X + . . . + f ℓ X ℓ , the n f ′ ( X ) = P ℓ i =1 if i X i − 1 . W e deno t e by f ( i ) the formal i ’th de riv ative of f . Definition 2 ( m ’th o r d er derivative code) . Let 0 ≤ m ∈ Z . Let a 1 , . . . , a n ∈ F q be distinct, and let the parameters satisfy m ≤ k < nm ≤ q . F u rther assume that c h a r( F q ) > k . The de ri vative code Der ( m ) q [ n, k ] over the alphabet F m q encodes a polynomial f ∈ F q [ X ] of 4 degree k − 1 by f 7→           f ( a 1 ) f ′ ( a 1 ) . . . f ( m − 1) ( a 1 )      ,      f ( a 2 ) f ′ ( a 2 ) . . . f ( m − 1) ( a 2 )      , . . . ,      f ( a n ) f ′ ( a n ) . . . f ( m − 1) ( a n )           . (2) Remark 1 . N ote that the case m = 1 is a Ree d-Solomon code. This code has block len g th n and rate R = k nm . The minimum dist a nce is n − ⌊ k − 1 m ⌋ ≈ (1 − R ) n . 3 List decoding derivative codes Suppose we have received the corrupte d ver s ion of a codeword from the derivative code Der ( m ) q [ n, k ] as a str ing y ∈ ( F m q ) n , which we w i ll naturally conside r as an m × n matrix over F q :      y 11 y 12 . . . y 1 n y 21 y 22 . . . y 2 n . . . . . . . . . . . . y m 1 y m 2 . . . y mn      . (3) The goal is t o recover all p olynomia ls f of degree k − 1 who se e ncoding ( 2 ) agrees with y in at least t columns. This corresponds to de c oding from n − t symbol er rors for t he derivative code Der ( m ) q [ n, k ] . When t > ( n + k /m ) / 2 , the polyn o mi al f , if it exists , is u ni que, and in this regime an efficient d ecoding algorithm was given in [ 10 ] by adapt ing the W elch-Berlekamp algorithm for Reed-Solomon codes [ 14 , 2 ]. W e adapt the algebraic list-decoding met hod used for R eed-Solomon and fo lde d R eed-Solomon codes to the derivative code setting. The d ecoding algorithm consists of two steps — (i) interpo - lation of an algebraic condition (that must be obeyed by all candidate polynomials f ), and (ii) retrieving the list of candidate solutions f (from the algebraic condition found by the interpola- tion step). Our algorithm can be viewed as a higher dimensional analog of the W elch-Berlekamp algo- rithm, where we use multivariate polynomials instead o f bivariate polynomials in the interpola- tion. This has been us e d in the context of folded Re ed-Solomon codes in [ 13 , Chap. 5] and [ 6 ], and here we sh o w that derivative code s can also be list d ecoded in this framework . 3.1 Interpolation Let W denot e t he F q -linear s ubspace of F q [ X, Y 1 , . . . , Y m ] consisting of po lynomia ls that have total degree at most 1 in the Y i ’s, i.e, W contains polynomials of the form B 0 ( X ) + B 1 ( X ) Y 1 + B 2 ( X ) Y 2 + · · · + B m ( X ) Y m for some polynomials B i ∈ F q [ X ] . Let D be the F q -linear map on W d efined as follows: F or p ∈ F q [ X ] , and 1 ≤ i ≤ m , D ( p )( X, Y 1 , . . . , Y m ) = p ′ ( X ) (4) 5 and D ( pY i )( X, Y 1 , . . . , Y m ) = p ′ ( X ) Y i + p ( X ) Y i +1 . (5) where we t ake Y m +1 = Y 1 . Let s , 1 ≤ s ≤ m , be an intege r parameter in the de cod ing algorithm. The go a l in t he interpo- lation step is to interpolate a no nze ro polynomial Q ∈ F q [ X, Y 1 , Y 2 , . . . , Y s ] of the form A 0 ( X ) + A 1 ( X ) Y 1 + A 2 ( X ) Y 2 + · · · + A s ( X ) Y s (6) satisfying the following cond iti ons for each i , 1 ≤ i ≤ n : Q ( a i , y 1 i , . . . , y si ) = 0 and ( D k Q )( a i , y 1 i , . . . , y mi ) = 0 ( k = 1 , . . . , m − s ) , (7) where D k denote s the k -fold composition of the map D . Observation. For each i , the conditions ( 7 ) are a collection of ( m − s + 1) homogeneous linear constraints on the coefficients of the polynomial Q . The following sho ws w h y the interpolation conditions are use ful in t h e decoding context. Lemma 1. Suppose Q of the form ( 6 ) satisfies the conditions ( 7 ). If the re ceived word ( 3 ) agr ees with the encoding of f at location i , that is, f ( j ) ( a i ) = y j +1 ,i for 0 ≤ j < m , then the univariate polynomia l ˆ Q ( X ) := Q ( X , f ( X ) , . . . , f ( s − 1) ( X )) satisfies ˆ Q ( a i ) = 0 as well as ˆ Q ( k ) ( a i ) = 0 for k = 1 , . . . , m − s , wher e ˆ Q ( k ) ( X ) is that the k ’ th derivativ e of ˆ Q . Pro of. Notice the form that our definition of the map D take s when Y i = f ( i − 1) ( X ) for 1 ≤ i ≤ m . W e have D ( p ) = p ′ for p ∈ F q [ X ] , and D ( pf ( i − 1) ) = p ′ f ( i − 1) + pf ( i ) , which is simply th e product rule for d eriva tives. Thus when ( y 1 i , y 2 i , . . . , y mi ) = ( f ( a i ) , f ′ ( a i ) , . . . , f ( m − 1) ( a i )) , the conditions ( 7 ) enforce t ha t ˆ Q and its first m − s de ri vatives vanish at a i . W e next argue that a no n zero interpolation polynomial Q exist s and can be found effic iently . Lemma 2. L e t d =  n ( m − s + 1) − k + 1 s + 1  . (8) Then, a n onze ro Q of the form ( 6 ) satisfying the conditions ( 7 ) with d eg( A 0 ) ≤ d + k − 1 and d eg( A j ) ≤ d for 1 ≤ j ≤ s exists and can be found in O (( nm ) 3 ) field operati ons over F q . Pro of. Under the st a ted degree restrictions, the number of monomials in Q is ( d + 1) s + d + k = ( d + 1)( s + 1) + k − 1 > n ( m − s + 1) . where the last inequality follows from t he choice ( 8 ) of d . The number of homogeneous linear equations imposed on the coeffici ents of Q in o r d e r to mee t the interpolation conditions ( 7 ) is n ( m − s + 1) . As this is less than the number of mono m ials in Q , the existence of a nonzero Q follows, and it can be found by so l ving a linear sy stem over F q with at most nm con s traints. 6 3.2 Retrieving candidate polynomials Suppose we have a polynomial Q ( X, Y 1 , . . . , Y s ) satisfying the interpolation conditions ( 7 ). The following lemma g i ves an ident i ty satisfie d by any f which has good agreement with t he receiv ed word. Lemma 3. If f ∈ F [ X ] has degr ee at most k − 1 and an encoding ( 2 ) agre eing with the r eceived w o rd y in at least t columns for t > d + k − 1 m − s +1 , then Q  X, f ( X ) , f ′ ( X ) , . . . , f ( s − 1) ( X )  = 0 . Pro of. Let ˆ Q ( X ) = Q ( X , f ( X ) , . . . , f ( s − 1) ( X )) . By Lemma 1 , an agreement in column i means that ˆ Q ( X ) satisfie s ˆ Q ( a i ) = 0 and that the k th derivative ˆ Q ( k ) ( a i ) is also zero for k = 1 , . . . , m − s . In particular , t column agreements yield at least t ( m − s + 1) roots (counting multiplicities) for ˆ Q . The d e gr ee of ˆ Q is at most d + k − 1 , as f and each of its de riv atives has degree at most k − 1 . Then as ˆ Q is univariate o f d egr ee at most d + k − 1 , ˆ Q has at mo s t d + k − 1 roots if it is nonzero. Thus if t > ( d + k − 1) / ( m − s + 1) , it must be that ˆ Q ( X ) = 0 . W ith our chos en value of d fr om ( 8 ), this means that any f which agrees with y on more t ha n n s + 1 + s s + 1 k − 1 m − s + 1 (9) columns satisfies Q  X, f ( X ) , f ′ ( X ) , . . . , f ( s − 1) ( X )  = 0 . So in the se con d s tep, ou r goal is t o find all polynomials f of degree at most k − 1 such that A 0 ( X ) + A 1 ( X ) f ( X ) + A 2 ( X ) f ′ ( X ) + . . . + A s ( X ) f ( s − 1) ( X ) = 0 (10) Let A i ( X ) = P deg( A i ) j =0 a ij X j for each i . Note that the above constraint ( 10 ) gives a linear syste m over F in the coe f ficients of f = f 0 + f 1 X + · · · + f k − 1 X k − 1 . In particular , the se t of solutions ( f 0 , f 1 , . . . , f k − 1 ) is an affine space, and we can find it by solving the linear syste m. Our goal now is to bound the dimension of the space of solut ions by e x p osing its special structure and also use this to efficiently find an explicit basis for the sp ace. Lemma 4. It su ffices to give an algorithm in the case that the constant term a s 0 of A s is nonzer o. Pro of. If A s ( X ) 6≡ 0 , since deg( A s ) ≤ d < nm ≤ q , then there is some α ∈ F q such that A s ( α ) 6 = 0 , so we can consider a “translate” of th is p r o blem by α ; that is, A s ( X + α ) has nonzero constant term, so we can so l ve the sy stem with t he translated polynomial Q ( X + α, Y 1 , . . . , Y m ) and recover candidate message s by t ransla ting each solution g ( X ) t o f ( X ) = g ( X − α ) . If A s ( X ) = 0 , we simply reduce the problem to a smaller o ne with s rather than s + 1 interpo- lation variabl es. Not e th at this must terminate since Q is n o nzer o and so at least one A i for i ≥ 1 is nonzero. W e can now sho w : Lemma 5. If a s 0 6 = 0 , the solution space to ( 10 ) has dimension at most s − 1 . 7 Pro of. For each powe r X i , the coefficient of X i in A 0 ( X ) + A 1 ( X ) f ( X ) + · · · + A s ( X ) f ( s − 1) ( X ) is a 0 i +  a 10 f i + a 11 f i − 1 + · · · + a 1 i f 0  +  a 20 ( i + 1) f i +1 + a 21 if i + · · · + a 2 i f 1  + · · · +  a s 0 ( i + s − 1)( i + s − 2) · · · ( i + 1) f i + s − 1 + · · · + a si ( s − 1)! f s − 1  = a 0 i + s X j =1 i X k =0 ( k + j − 1)! k ! a j ( i − k ) f k + j − 1 . If ( f 0 , . . . , f k − 1 ) is a s olution to ( 10 ), then t h is coe f ficient is zero for every i . The coefficient of X i for each i depend s o nly on f j for j < i + s , and the coefficient of f i + s − 1 is a s 0 ( i + s − 1)( i + s − 2) · · · ( i + 1) , which is nonzero when i + s ≤ k since char( F q ) > k . Thus, if we fix f 0 , f 1 , . . . , f s − 2 , the rest of the coefficients f s − 1 , . . . , f k − 1 ar e uniquely determined . In p a rticular , the dimension of the s olution space is at most s − 1 . Remark 2 . T he bound of Le mm a 5 is t i ght for arbitrary linear syste ms. Indee d, if Q ( X, Y 1 , . . . , Y s ) = s − 1 X i =0 ( − 1) i i ! X i Y i +1 , then any polyno mi al of deg r e e less t han s with zero const a nt te rm satisfies Q ( X , f ( X ) , . . . , f ( s − 1) ( X )) = 0 . This is because any monomial f ( X ) = X j for 0 < j ≤ s − 1 is a so lut ion, and our solution sp ac e is linear . Of course, we do not know if such a bad polynomial can occur as the output of the interpolation step when d ecoding a noisy code wor d of t h e derivative code. Combining these lemmas and r ecalling the bound ( 9 ) on the number of agreements for suc- cessful decoding, we have o ur main result. Theorem 6 (Main) . For every 1 ≤ s ≤ m , the derivative code D e r ( m ) q [ n, k ] (wher e c har( F q ) > k ) satisfies the prope rty tha t for every rece ived word y ∈ F nm q , an affine subspace S ⊆ F q [ X ] of dimension at most s − 1 can be found in polynomial time such that every f ∈ F q [ X ] of degr ee less than k whose derivati ve encoding differs from y in at most s s + 1  n − k ( m − s + 1)  positio ns belongs to S . Now by setting s ≈ 1 /ε and m ≈ 1 /ε 2 , and recalli ng that the rate of Der ( m ) q [ n, k ] equals k / ( nm ) , we can conclude t he following. Corollary 7. F or all R ∈ (0 , 1) and all ε > 0 , for a suitable choice of parameters, ther e are derivati ve codes Der ( m ) q [ n, k ] of rate at least R which can be list decoded from a fraction 1 − R − ε of err ors with a list-size of q O (1 /ε ) . 4 Some remarks W e now make a couple of remarks on cop ing with th e large list-size bound in our de c oding algo- rithms. 8 4.1 Reducing the list size One app r oach t o avoid the lar ge list size bound of ≈ q s for t he number of codewords near f is to draw codew or d s from s o-c alled subspace-evasiv e subsets of F k q rather than all of F k q . This approach was us ed in [ 6 ] t o reduce t he list-size for folded R e ed-Solomon codes, and we can gain a similar benefit in the context o f list decoding de ri vative codes. A subse t of F k q is ( s, L ) -subspace-evasive if it interse c ts with every linear subspace S ⊆ F k q of d im ension at mos t s in at most L p o ints. For any ε > 0 , a pr obabilistic ar g ument shows th at there exist ( s, O ( s/ε ) ) -subspace-evasive subsets o f F k q of s iz e q (1 − ε ) k . In fact, we have the following st ronger st a tement, proved in [ 6 ]. Fix a basis 1 , β , . . . , β k − 1 of F k q over F q and denot e K = F q k . For P ∈ K [ X ] and an inte ger r , 1 ≤ r ≤ k , define S ( P , r ) = { ( a 0 , . . . , a k − 1 ) ∈ F k q | P ( a 0 + a 1 β + · · · + a k − 1 β k − 1 ) ∈ F q - span(1 , β , . . . , β r − 1 ) } . Lemma 8 ([ 6 ]) . Let q be a prime power , k ≥ 1 an integer . Let ζ ∈ (0 , 1) and s ∈ Z satisfying 1 ≤ s ≤ ζ k / 2 . Let P ∈ K [ X ] be a random polynomial of degree t and define V = S ( P , (1 − ζ ) k ) . Then for t ≥ Ω( s/ζ ) , with pr obability at least 1 − q − Ω( k ) over the choice of P , V is an ( s, t ) -subspace-e vasive subset of F k q of size at least q (1 − ζ ) k / 2 . By taking messages from V rather than all of F k q , we suf fer a small loss in rate, but g i ve a substantial improvement to the list size bound; since o ur solution space is linear , the number of candidate mess age s is reduced fr om ≈ q s to O ( s/ε ) . In particular , setting our parameters as in The or em 6 , we can li st-decod e from a 1 − R − ε fraction of errors with a list s i ze of at most O (1 / ε 2 ) . Howe v er , the code construction is no t explicit but only a randomized (Monte Carlo) one that satisfies the claim ed guarantees on list-de cod ing with high probabili ty . 4.2 Decoding with side informa tion The decoding described in the previous s ection consist s of trying all choices for the coeffici ents f 0 , . . . , f s − 2 and using e a ch to unique l y det e rmi ne a candidate for f . Note however that for e a ch i , the f i is e ssentially the i th d eriva tive of f evaluated at 0 , and can be r ecovered as f ( i ) (0) /i ! . Thus if the d ecoder s omehow kn e w t h e correct values of f and its firs t s − 1 de ri vatives at 0 , f could be recover ed uniquely (as long as A s (0) 6 = 0 ). Now , sup pose the encoder could se nd a s ma ll amount of information along a noise l ess side channel in add iti on t o sending the (much longer) codeword on t h e original channel. In such a case, the encoder could choos e α ∈ F q uniformly at random and transmit f ( α ) , f ′ ( α ) , . . . , f ( s − 1) ( α ) on the noiseles s channel. The de cod ing th e n fails only if A i ( α ) = 0 for i which is the largest index such that A i ( X ) 6 = 0 . As t he A i ( X ) have bound ed deg r e e, by increasing the field size q , f can be uniquely recover ed with probabil ity arbitrarily close to 1 . More precisely , we have the following claim. Theorem 9. Given a uniformly random α ∈ F q and the values f ( α ) , f ′ ( α ) , . . . , f ( s − 1) ( α ) of the message polynomial f , the derivative code Der ( m ) q [ n, k ] can be uniquely decoded from up to s s + 1  n − k m − s + 1  9 err ors with pr obability at least 1 − nm sq over the choice of α . Pro of. As in the proof o f Lemma 4 , as long as A s ( α ) 6 = 0 , we may trans late the p r o blem by α and use the values f ( α ) , f ′ ( α ) , . . . , f ( s − 1) ( α ) to uniquely dete rmi ne the shifted coefficients g 0 , . . . , g s − 1 . As A s 6 = 0 , and A s is univariate of de gr ee at most d , A s has at most d roots, and s o t he proba- bility that A s ( α ) 6 = 0 is at least 1 − d/q ≥ 1 − nm sq , where the last inequality follows from our choice of d ≤ n m/s in ( 8 ). Remark 3 . In the context of communicating with side information, the r e is a generic, black-box solution combining list-d e codabl e cod es with hashing to guarantee unique recovery of t he correct message with high proba bility [ 3 ]. In such a scheme , the s ide information consists of a random hash function h and its value h ( f ) o n the me ssage f . The advantage of the s olution in Theo r e m 9 is t ha t there is no n ee d t o compu t e t h e full list (which is the computationally expensive step, s i nce the list s i ze bound de p ends e xponentially on s ) and then prune it to the unique s olution. Rather , we can uniquely identify t he first ( s − 1) coefficients of the polynomial f ( X + α ) in the linear syste m ( 10 ), after applying the shift X 7→ X + α , as f ( α ) , f ′ ( α ) , . . . , f ( s − 2) ( α ) . Then, as argued in the proof of Lemma 5 , the remai ning coefficients are dete rmi ned as linear combinations of the s e s − 1 coefficients. So the whole algorithm can be implemented in quadratic time. Remark 4 . The decoder cou ld us e the columns of the received word y as a guess for the s i de information f ( a i ) , f ′ ( a i ) , . . . , f ( s − 2) ( a i ) for i = 1 , 2 , . . . , n . Since f agrees with y on more than t > Rn pos iti ons, as long as A s ( a i ) = 0 for les s than t of t he evaluation points a i , we will recover every solution f this way . T h is w ould lead t o a list size bound of at most n − t < n . Unfort unately , however , the r e seems to be no way to ensure that A s does not vanish at most (or e ven all) of the points a i used for e nc oding. But p er haps some additional ide a s can be use d to make the list size polynomial in both q , s , or at least exp( O ( s )) q c for some absolute constant c . References [1] E. Bombieri and S. Kopparty . List decoding multiplicity code s, 2011. Manuscript. 4 [2] P . Gemmell and M. S u dan. Highly resilient correctors for multivariate polyn o mi als. In forma- tion Proce ssing Letters , 43(4):169 –174, 1992. 5 [3] V . Guruswami. List d ecoding with side information. In Proceed ings of the 18th IEEE Confer ence on Computational Complexity (CC C) , pages 300–309 , 2003. 10 [4] V . Gur uswami. Algorithmic Results in List Decoding , volume 2 of Foundations and T re nds in Theor etical C o mputer Science (FnT -TCS) . N OW publishers, January 2007. 2 [5] V . Guruswami. Cyclotomic function fields, Artin-Frobenius automorphisms, and list error - correction with op tima l rate. Algebra and Nu mber T h eory , 4(4):433–4 63, 2010. 3 [6] V . Guruswami. Line ar-algebraic list decoding o f folde d Re ed-Solomon cod es. In Pro ceedings of the 26th IEEE Confer ence on Computational Complexity , June 2011. 3 , 4 , 5 , 9 10 [7] V . Guruswami and A. Rudra. Limits to list decoding Reed - Solomon code s . IEE E T ransacti ons on Information Theory , 52(8):3642–3 649, August 2006. 2 [8] V . Guruswami and A. Rud ra . E xpli cit codes achieving list decod i ng capacity: Error -correction with optimal redundancy . IEEE T ransacti ons on Information Theory , 54(1):135 –150, 2008 . 2 , 3 [9] V . Guruswami and M. Sudan. Improved decoding of Reed -Solomon and Algebraic-geometric codes. IEEE T ransactions on Information T he ory , 45(6):1757 –1767, 1999. 2 [10] S. Kopparty , S. Saraf, and S. Y ek hani n. H i gh-rate code s with sublinear -time decoding. E lec- tr onic Colloquium on Computational Complexity , TR 1 0-148 , 2010. 3 , 5 [11] F . Parvaresh and A. V ardy . Correcting errors beyond the Guruswami-Sudan radius in poly- nomial time. In Proce edings of the 46 th Annual IEEE S y mposium on Fou n da tions of Computer Science , pages 285–294, 2005. 2 , 3 [12] M. Su dan. Decoding of Reed -So l omon codes beyond the error-c orrection bo u nd. Journal of Complexity , 13(1):180– 193, 1997. 2 [13] S. V adhan. Pseudorandomness . Foundations and T r ends in Theo r e tic al Com- puter Science (FnT -TCS). NOW publishers, 2010. T o appear . Draft avail able at http: //people. s eas.harvard.edu/˜ salil/p seudorandomness/ . 5 [14] L. R . W elch and E. R . Be rlekamp. Error correction of algebraic block code s. US P at ent Num be r 4,633,47 0 , December 1986. 5 11