Artin automorphisms, Cyclotomic function fields, and Folded list-decodable codes
Algebraic codes that achieve list decoding capacity were recently constructed by a careful ``folding'' of the Reed-Solomon code. The ``low-degree'' nature of this folding operation was crucial to the list decoding algorithm. We show how such folding …
Authors: Venkatesan Guruswami
ARTIN AUTOMORPHISMS, CYCLOTOMIC FUNCTION FIELDS, AND FOLDED LIST-DECODABLE CODES

VENKATESAN GURUSWAMI

Abstract. Algebraic codes that achieve list decoding capacity were recently constructed by a careful "folding" of the Reed-Solomon code. The "low-degree" nature of this folding operation was crucial to the list decoding algorithm. We show how such folding schemes conducive to list decoding arise out of the Artin-Frobenius automorphism at primes in Galois extensions. Using this approach, we construct new folded algebraic-geometric codes for list decoding based on cyclotomic function fields with a cyclic Galois group. Such function fields are obtained by adjoining torsion points of the Carlitz action of an irreducible $M \in \mathbb{F}_q[T]$. The Reed-Solomon case corresponds to the simplest such extension (corresponding to the case $M = T$). In the general case, we need to descend to the fixed field of a suitable Galois subgroup in order to ensure the existence of many degree one places that can be used for encoding. Our methods shed new light on algebraic codes and their list decoding, and lead to new codes achieving list decoding capacity. Quantitatively, these codes provide list decoding (and list recovery/soft decoding) guarantees similar to folded Reed-Solomon codes but with an alphabet size that is only polylogarithmic in the block length. In comparison, for folded RS codes, the alphabet size is a large polynomial in the block length. This has applications to fully explicit (with no brute-force search) binary concatenated codes for list decoding up to the Zyablov radius.

Contents
1. Introduction
2. Background on Cyclotomic function fields
3. Reed-Solomon codes as cyclotomic function field codes
4. Subfield construction from cyclic cyclotomic function fields
5. Code construction from cyclotomic function field
6. List decoding algorithm
7. Long codes achieving list decoding capacity
Acknowledgments
References
Appendix A. Table of parameters used
Appendix B. Algebraic preliminaries

Research supported in part by NSF CCF-0343672, a David and Lucile Packard Fellowship, and NSF grant CCR-0324906 to the IAS.

1. Introduction

1.1. Context and Motivation.

Recent progress in algebraic coding theory [16, 6] has led to the construction of explicit codes over large alphabets that achieve list decoding capacity, namely, they admit efficient algorithms to correct close to the optimal fraction $1 - R$ of errors with rate $R$. The algebraic codes constructed in [6] are folded Reed-Solomon codes, where the Reed-Solomon (RS) encoding $(f(1), f(\gamma), \cdots, f(\gamma^{n-1}))$ of a low-degree polynomial $f \in \mathbb{F}_q[T]$ is viewed as a codeword of length $N = n/m$ over the alphabet $\mathbb{F}_q^m$ by identifying successive blocks of $m$ symbols. Here $\gamma$ is a primitive element of the field $\mathbb{F}_q$. Simplifying matters somewhat, the principal algebraic engine behind the list decoding algorithm in [6] was the identity $f(\gamma T) \equiv f(T)^q \pmod{(T^{q-1} - \gamma)}$, and the fact that $(T^{q-1} - \gamma)$ is irreducible over $\mathbb{F}_q$. This gave a low-degree algebraic relation between $f(T)$ and $f(\gamma T)$ in the residue field $\mathbb{F}_q[T]/(T^{q-1} - \gamma)$. This together with an algebraic relation found by the "interpolation step" of the decoding enabled finding the list of all relevant message polynomials $f(T)$ efficiently. One of the main motivations of this work is to gain a deeper understanding of the general algebraic principles underlying the above folding, with the hope of extending it to more general algebraic-geometric (AG) codes.
The latter question is an interesting algebraic question in its own right, but is also important for potentially improving the alphabet size of the codes, as well as the decoding complexity and output list size of the decoding algorithm. (The large complexity and list size of the folded RS decoding algorithm in [6] are a direct consequence of the large degree $q$ in the identity relating $f(\gamma T)$ and $f(T)$.) An extension of the Parvaresh-Vardy codes [16] (which were the precursor to the folded RS codes) to arbitrary algebraic-geometric codes was achieved in [5]. But in these codes the encoding includes the evaluations of an additional function explicitly picked to satisfy a low-degree relation over some residue field. This leads to a substantial loss in rate. The crucial insight in the construction of folded RS codes was the fact that this additional function could just be the closely related function $f(\gamma T)$, the image of $f(T)$ under the automorphism $T \mapsto \gamma T$ of $\mathbb{F}_q(T)$.

1.2. Summary of our contributions.

We explain how folding schemes conducive to list decoding (such as the above relation between $f(\gamma T)$ and $f(T)$) arise out of the Artin-Frobenius automorphism at primes in Galois extensions. With the benefit of hindsight, the role of such automorphisms in folding algebraic codes is quite natural. In terms of technical contributions, we use this approach to construct new list-decodable folded algebraic-geometric codes based on cyclotomic function fields with a cyclic Galois group. Cyclotomic function fields [1, 9] are obtained by adjoining torsion points of the Carlitz action of an irreducible $M \in \mathbb{F}_q[T]$. The Reed-Solomon case corresponds to the simplest such extension (corresponding to the case $M = T$).
In the general case, we need to descend to the fixed field of a suitable Galois subgroup in order to ensure the existence of many degree one places that can be used for encoding. We establish some key algebraic lemmas that characterize the desired subfield in terms of the appropriate generator $\mu$ in the algebraic closure of $\mathbb{F}_q(T)$ and its minimal polynomial over $\mathbb{F}_q(T)$. We then tackle the computational algebra challenge of computing a representation of the subfield and its rational places, and the message space, that is conducive for efficient encoding and decoding of the associated algebraic-geometric code.

Our constructions lead to some substantial quantitative improvements in the alphabet size which we discuss below in Section 1.4. We also make some simplifications in the list decoding algorithm and avoid the need of a zero-increasing basis at each code place (Lemma 6.2). This, together with several other ideas, lets us implement the list decoding algorithm in polynomial time assuming only the natural representation of the code needed for efficient encoding, namely a basis for the message space. Computing such a basis remains an interesting question in computational function field theory. Our description and analysis of the list decoding algorithm in this work is self-contained, though it builds strongly on the framework of the algorithms in [23, 16, 5, 6].

1.3. Galois extensions and Artin automorphisms.

We now briefly discuss how and why Artin-Frobenius automorphisms arise in the seemingly distant world of list decoding. In order to generalize the Reed-Solomon case, we are after function fields whose automorphisms we have a reasonable understanding of. Galois extensions are a natural subclass of function fields to consider, with the hope that some automorphism in the Galois group will give a low-degree relation over some residue field.
Unfortunately, the explicit constructions of good AG codes are typically based on a tower of function fields [3, 4], where each step is Galois, but the whole extension is not. (Stichtenoth [22] recently showed the existence of a Galois extension with the optimal trade-off between genus and number of rational places, but this extension is not, and cannot be, cyclic, as we require.) In Galois extensions $K/F$, for each place $A'$ in the extension field $K$, there is a special and important automorphism called the Artin-Frobenius automorphism (see, e.g., [13, Chap. 4]) that simply powers the residue of any (regular) function at that place. The exponent or degree of this map is the norm of the place $A$ of $F$ lying below $A'$. Since the degree dictates the complexity of decoding, we would like this norm to be small. On the other hand, the residue field at $A'$ needs to be large enough so that the message functions can be uniquely identified by their residue modulo $A'$. The most appealing way to realize this is if the place $A$ is inert, i.e., has a unique $A'$ lying above it. However, this condition can only hold if the Galois group is cyclic, a rather strong restriction. For example, it is known [2] that even abelian extensions must be asymptotically bad. In order to construct AG codes, we also need to have a good control of how certain primes split in the extension. For cyclotomic function fields, and of course their better known number-theoretic counterparts $\mathbb{Q}(\omega)$ obtained by adjoining a root of unity $\omega$, this theory is well developed. As mentioned earlier, the cyclotomic function field we use itself has very few rational places. So we need to descend to an appropriate subfield where many degree one places of $\mathbb{F}_q(T)$ split completely, and develop some underlying theory concerning the structure of this subfield.
The Artin-Frobenius automorphism^1 is a fundamental notion in algebraic number theory, playing a role in the Chebotarev density theorem and Dirichlet's theorem on infinitude of primes in arithmetic progressions, as well as quadratic and more general reciprocity laws. We find it rather intriguing that this notion ends up playing an important role in algorithmic coding theory as well.

^1 Following Rosen [18], we will henceforth refer to the Artin-Frobenius automorphisms as simply Artin automorphisms. Many texts (e.g. [13]) actually refer to these as Frobenius automorphisms. Since the latter term is most commonly associated with the automorphism $x \mapsto x^q$ of $\mathbb{F}_{q^m}$, we prefer the term Artin automorphism to refer to the general notion that applies to all Galois extensions. The association of a place with its Artin-Frobenius automorphism is called the Artin map.

1.4. Long codes achieving list decoding capacity and explicit binary concatenated codes.

Quantitatively, our cyclotomic function field codes achieve list decoding (and list recovery) guarantees similar to folded RS codes but with an alphabet size that is only polylogarithmic in the block length. In comparison, for folded RS codes, the alphabet size is a large polynomial in the block length. We note that Guruswami and Rudra [6] also present capacity-achieving codes of rate $R$ for list decoding a fraction $(1 - R - \varepsilon)$ of errors with alphabet size $|\Sigma| = 2^{(1/\varepsilon)^{O(1)}}$, a fixed constant depending only on $\varepsilon$. But these codes do not have the strong "list recovery" (or more generally, soft decoding) property of folded RS codes. Our codes inherit the powerful list recovery property of folded RS codes, which makes them very useful as outer codes in concatenation schemes. In fact, due to their small alphabet size, they are even better in this role.
Indeed, they can serve as outer codes for a family of concatenated codes list-decodable up to the Zyablov radius, with no brute-force search for the inner codes. This is the first such construction for list decoding. It is similar to the "Justesen-style" explicit constructions for rate vs. distance from [11, 20], except even easier, as one can use the ensemble of all linear codes instead of the succinct Wozencraft ensemble at the inner level of the concatenated scheme.

1.5. Related work.

Codes based on cyclotomic function fields have been considered previously in the literature. Some specific (non-asymptotic) constructions of function fields with many rational places over small fields $\mathbb{F}_q$ ($q \le 5$) appear in [14, 15]. Cyclotomic codes based on the action of polynomials $T^a$ for small $a$ appear in [17], but decoding algorithms are not discussed for these codes, nor are these extensions cyclic as we require. Our approach is more general and works based on the action of an arbitrary irreducible polynomial. Exploiting the Artin automorphism of cyclotomic fields for an algorithmic purpose is also new to this work. Independent of our work, Huang and Narayanan [10] also consider AG codes constructed from Galois extensions, and observe how automorphisms of large order can be used for folding such codes. To our knowledge, the only instantiation of this approach that improves on folded RS codes is the one based on cyclotomic function fields from our work. As an alternate approach, they also propose a decoding method that works with folding via automorphisms of small order. This involves computing several coefficients of the power series expansion of the message function at a low-degree place. Unfortunately, piecing together these coefficients into a function could lead to an exponential list size bound.
The authors suggest a heuristic assumption under which they can show that for a random received word, the expected list size and running time are polynomially bounded.

2. Background on Cyclotomic function fields

Some basic preliminaries on function fields, valuations and places, Galois extensions, decomposition of primes, Artin-Frobenius automorphism, etc. are discussed in Appendix B. In this section, we will focus on background material concerning cyclotomic function fields. These are the function-field analog of the classic cyclotomic number fields from algebraic number theory. This theory was developed by Hayes [9] in 1974 building upon ideas due to Carlitz [1] from the late 1930's. The objective was to develop an explicit class field theory classifying all abelian extensions of the rational function field $\mathbb{F}_q(T)$, analogous to classic results for $\mathbb{Q}$ and imaginary quadratic extensions of $\mathbb{Q}$. The common idea in these results is to allow a ring of "integers" in the ground field to act on part of its algebraic closure, and obtain abelian extensions by adjoining torsion points of this action.

We will now describe these extensions of $\mathbb{F}_q(T)$. Let $T$ be an indeterminate over the finite field $\mathbb{F}_q$. Let $R_T = \mathbb{F}_q[T]$ denote the polynomial ring, and $F = \mathbb{F}_q(T)$ the field of rational functions. Let $F^{ac}$ be a fixed algebraic closure of $F$. Let $\mathrm{End}_{\mathbb{F}_q}(F^{ac})$ be the ring of $\mathbb{F}_q$-endomorphisms of $F^{ac}$, thought of as an $\mathbb{F}_q$-vector space. We consider two special elements of $\mathrm{End}_{\mathbb{F}_q}(F^{ac})$: (i) the Frobenius automorphism $\tau$ defined by $\tau(z) = z^q$ for all $z \in F^{ac}$, and (ii) the map $\mu_T$ defined by $\mu_T(z) = Tz$ for all $z \in F^{ac}$. The substitution $T \to \tau + \mu_T$ yields a ring homomorphism from $R_T$ to $\mathrm{End}_{\mathbb{F}_q}(F^{ac})$ given by: $f(T) \mapsto f(\tau + \mu_T)$.
Using this, we can define the Carlitz action of $R_T$ on $F^{ac}$ as follows: For $M \in R_T$, $C_M(z) = M(\tau + \mu_T)(z)$ for all $z \in F^{ac}$. This action endows $F^{ac}$ with the structure of an $R_T$-module, which is called the Carlitz module. For a nonzero polynomial $M \in R_T$, define the set $\Lambda_M = \{ z \in F^{ac} \mid C_M(z) = 0 \}$, to consist of the $M$-torsion points of $F^{ac}$, i.e., the elements annihilated by the Carlitz action of $M$ (this is also the set of zeroes of the polynomial $C_M(Z) \in R_T[Z]$). Since $R_T$ is commutative, $\Lambda_M$ is in fact an $R_T$-submodule of $F^{ac}$. It is in fact a cyclic $R_T$-module, naturally isomorphic to $R_T/(M)$. The cyclotomic function field $F(\Lambda_M)$ is obtained by adjoining the set $\Lambda_M$ of $M$-torsion points to $F$.^2

The following result from [9] summarizes some fundamental facts about cyclotomic function fields, stated for the special case when $M$ is irreducible (we will only use such extensions). Proofs can also be found in the graduate texts [18, Chap. 12] or [19, Chap. 12]. In what follows, we will often use the convention that an irreducible polynomial $P \in R_T$ is identified with the place of $F$ which is the zero of $P$, and also denote this place by $P$. Recall that these are all the places of $F$, with the exception of the place $P_\infty$, which is the unique pole of $T$.

Proposition 2.1. Let $M \in R_T$ be a nonzero degree $d$ monic polynomial that is irreducible over $\mathbb{F}_q$. Let $K = F(\Lambda_M)$. Then
(i) $C_M(Z)$ is a separable polynomial in $Z$ of degree $q^d$ over $R_T$, of the form $\sum_{i=0}^{d} [M, i]\, Z^{q^i}$ where the degree of $[M, i]$ as a polynomial in $T$ is $q^i(d - i)$. The polynomial $\psi_M(Z) = C_M(Z)/Z$ is irreducible in $R_T[Z]$. The field $K$ is equal to the splitting field of $\psi_M(Z)$, and is generated by any nonzero element $\lambda \in \Lambda_M$, i.e., $K = F(\lambda)$.
(ii) $K/F$ is a Galois extension of degree $(q^d - 1)$ and $\mathrm{Gal}(K/F)$ is isomorphic to $(R_T/(M))^*$, the cyclic multiplicative group of units of the field $R_T/(M)$. The Galois automorphism $\sigma_N$ associated with $\bar N \in (R_T/(M))^*$ is given by $\sigma_N(\lambda) = C_N(\lambda)$. The Galois automorphisms commute with the Carlitz action: for any $\sigma \in \mathrm{Gal}(K/F)$ and $A \in R_T$, $\sigma(C_A(x)) = C_A(\sigma(x))$ for all $x \in K$.
(iii) If $P \in R_T$ is a monic irreducible polynomial different from $M$, then the Artin automorphism at the place $P$ is equal to $\sigma_P$.
(iv) The integral closure of $R_T$ in $F(\lambda)$ equals $R_T[\lambda]$.
(v) The genus $g_M$ of $F(\Lambda_M)$ satisfies $2g_M - 2 = d(q^d - 2) - \frac{q}{q-1}(q^d - 1)$.

^2 It is instructive to compare this with the more familiar setting of cyclotomic number fields. There, one lets $\mathbb{Z}$ act on the multiplicative group $(\mathbb{Q}^{ac})^*$ with the endomorphism corresponding to $n \in \mathbb{Z}$ sending $\zeta \mapsto \zeta^n$ for $\zeta \in \mathbb{Q}^{ac}$. The $n$-torsion points now equal $\{\zeta \in \mathbb{Q}^{ac} \mid \zeta^n = 1\}$, i.e., the $n$'th roots of unity. Adjoining these gives the various cyclotomic number fields.

The splitting behavior of primes in the extension $F(\Lambda_M)/F$ will be crucial for our construction. We record this as a separate proposition below.

Proposition 2.2. Let $M \in R_T$, $M \neq 0$, be a monic, irreducible polynomial of degree $d$.
(i) (Ramification at $M$) The place $M$ is totally ramified in the extension $F(\Lambda_M)/F$. If $\lambda \in \Lambda_M$ is a root of $C_M(z)/z$ and $\tilde M$ is the unique place of $F(\Lambda_M)$ lying above $M$, then $\lambda$ is a $\tilde M$-prime element, i.e., $v_{\tilde M}(\lambda) = 1$.
(ii) (Ramification at $P_\infty$) The infinite place $P_\infty$ of $F$, i.e., the pole of $T$, splits into $(q^d - 1)/(q - 1)$ places of degree one in $F(\Lambda_M)/F$, each with ramification index $(q - 1)$. Its decomposition group equals $\mathbb{F}_q^*$.
(iii) (Splitting at other places) If $P \in R_T$ is a monic irreducible polynomial different from $M$, then $P$ is unramified in $F(\Lambda_M)/F$, and splits into $(q^d - 1)/f$ primes of degree $f \cdot \deg(P)$ where $f$ is the order of $P$ modulo $M$ (i.e., the smallest positive integer $e$ such that $P^e \equiv 1 \pmod{M}$).

3. Reed-Solomon codes as cyclotomic function field codes

We now discuss how Reed-Solomon codes arise out of the simplest cyclotomic extension $F(\Lambda_T)/F$. This serves both as a warm-up for our later results, and as a method to illustrate that one can view the folding employed by Guruswami and Rudra [6] as arising naturally from the Artin automorphism at a certain prime in the extension $F(\Lambda_T)/F$.

We have $\Lambda_T = \{ u \in F^{ac} \mid u^q + Tu = 0 \}$. Pick a nonzero $\lambda \in \Lambda_T$. By Proposition 2.2, the only ramified places in $F(\Lambda_T)/F$ are $T$, and the pole $P_\infty$ of $T$. Both of these are totally ramified and have a unique place above them in $F(\Lambda_T)$. Denote by $Q_\infty$ the place above $P_\infty$ in $F(\Lambda_T)$. We have $\lambda^{q-1} = -T$, so $\lambda$ has a pole of order one at $Q_\infty$, and no poles elsewhere. The place $T + 1$ splits completely into $n = q - 1$ places of degree one in $F(\Lambda_T)$. The evaluations of $\lambda$ at these places correspond to the roots of $x^{q-1} = 1$, i.e., to the nonzero elements of $\mathbb{F}_q$. Thus the places above $T + 1$ can be described as $P_1, P_\gamma, \cdots, P_{\gamma^{q-2}}$ where $\gamma$ is a primitive element of $\mathbb{F}_q$ and $\lambda(P_{\gamma^i}) = \gamma^i$ for $i = 0, 1, \ldots, q - 2$. For $k < q - 1$, define $M_k = \{ \sum_{i=0}^{k-1} \beta_i \lambda^i \mid \beta_i \in \mathbb{F}_q \}$. $M_k$ has $q^k$ elements, each with at most $(k - 1)$ poles at $Q_\infty$ and no poles elsewhere. Consider the $\mathbb{F}_q$-linear map $E_{RS} : M_k \to \mathbb{F}_q^n$ defined as $E_{RS}(f) = (f(P_1), f(P_\gamma), \cdots, f(P_{\gamma^{q-2}}))$. Clearly the above just defines an $[n, k]_q$ Reed-Solomon code, consisting of evaluations of polynomials of degree $< k$ at elements of $\mathbb{F}_q^*$.

Consider the place $T + \gamma$ of $F$.
The condition $(T + \gamma)^f \equiv 1 \pmod{T}$ is satisfied iff $\gamma^f = 1$, which happens iff $(q - 1) \mid f$. Therefore, the place $T + \gamma$ remains inert in $F(\Lambda_T)/F$. Let $A$ denote the unique place above $T + \gamma$ in $F(\Lambda_T)$. The degree of $A$ equals $q - 1$. The Artin automorphism at $A$, $\sigma_A$, is given by $\sigma_A(\lambda) = C_{T+\gamma}(\lambda) = C_\gamma(\lambda) = \gamma\lambda$. Note that this implies $f(P_{\gamma^{i+1}}) = \sigma_A(f)(P_{\gamma^i})$ for $0 \le i < q - 2$. By the property of the Artin automorphism, we have $\sigma_A(f) \equiv f^q \pmod{A}$ for all $f \in R_T[\lambda]$. Note that this is the same as the condition $f(\gamma\lambda) \equiv f(\lambda)^q \pmod{(\lambda^{q-1} - \gamma)}$ treating $f$ as a polynomial in $\lambda$. This corresponds to the algebraic relation between $f(X)$ and $f(\gamma X)$ in the ring $\mathbb{F}_q[X]$ that was used by Guruswami and Rudra [6] in their decoding algorithm, specifically in the task of finding all $f(X)$ of degree less than $k$ satisfying $Q(X, f(X), f(\gamma X)) = 0$ for a given $Q \in \mathbb{F}_q[X, Y, Z]$. In the cyclotomic language, this corresponds to finding all $f \in R_T[\lambda]$ with $< k$ poles at $Q_\infty$ satisfying $Q(f, \sigma_A(f)) = 0$ for $Q \in R_T[\lambda](Y, Z)$. Since $\deg(A) = q - 1 > k$, $f$ is determined by its residue at $A$, and we know $\sigma_A(f) \equiv f^q \pmod{A}$. Therefore, we can find all such $f$ by finding the roots of the univariate polynomial $Q(Y, Y^q) \bmod A$ over the residue field $\mathcal{O}_A/A$.

4. Subfield construction from cyclic cyclotomic function fields

In this section, we describe the function field construction that will be used for our algebraic-geometric codes, and establish the key algebraic facts concerning it. The approach will be to take the cyclotomic field $K = F(\Lambda_M)$ where $M$ is an irreducible of degree $d > 1$ and get a code over $\mathbb{F}_q$. But the only places of degree 1 in $F(\Lambda_M)$ are the ones above the pole $P_\infty$ of $T$. There are only $(q^d - 1)/(q - 1)$ such places above $P_\infty$, which is much smaller than the genus.
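Before the descent to a subfield, here is an added computational check of two objects from Sections 2 and 3 above: the coefficients $[M,i]$ of $C_M(Z)$ built from $C_T(z) = z^q + Tz$ (Proposition 2.1 (i)), and the folding identity $f(\gamma X) \equiv f(X)^q \pmod{X^{q-1} - \gamma}$ behind the Reed-Solomon case. This is illustration code written for this page, not the paper's; it assumes $q = p$ prime and uses constructed sample polynomials.

```python
"""Carlitz action C_M and the folding identity of Sections 2 and 3.

Added illustration for this page, not code from the paper.  We take q = p
prime so that F_q arithmetic is integer arithmetic mod p (the paper allows
any prime power q).  A polynomial over F_p, in T or in X, is a list of
coefficients, lowest degree first.
"""

def trim(a):
    """Drop trailing zero coefficients, keeping at least one entry."""
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def deg(a):
    """Degree of a polynomial; -1 for the zero polynomial."""
    a = trim(a)
    return -1 if a == [0] else len(a) - 1

def padd(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([(x + y) % p for x, y in zip(a, b)])

def pmul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def pmod(a, m, p):
    """Remainder of a modulo the monic polynomial m."""
    a = list(a)
    while len(a) >= len(m):
        c = a[-1]
        if c:
            shift = len(a) - len(m)
            for i, y in enumerate(m):
                a[shift + i] = (a[shift + i] - c * y) % p
        a.pop()
    return trim(a) if a else [0]

def frob_subst(a, p):
    """a(T^p); as the coefficients lie in F_p this equals a(T)^p."""
    out = [0] * (p * (len(a) - 1) + 1)
    for i, x in enumerate(a):
        out[p * i] = x
    return trim(out)

def carlitz(M, p):
    """Coefficients [M,0], ..., [M,d] in F_p[T] with C_M(z) = sum_i [M,i] z^(p^i).

    Built from C_T(z) = z^p + T z by F_p-linearity in M and the composition
    C_{TN}(z) = C_T(C_N(z)) = C_N(z)^p + T C_N(z), i.e. on coefficients
    [TN, i] = [N, i-1](T^p) + T [N, i]   (compare Proposition 2.1 (i)).
    """
    M = trim(M)
    d, T = deg(M), [0, 1]
    powers = [[[1]]]                        # C_1(z) = z
    for k in range(1, d + 1):
        prev = powers[-1]                   # coefficients of C_{T^(k-1)}
        cur = []
        for i in range(k + 1):
            term = pmul(T, prev[i], p) if i < len(prev) else [0]
            if i >= 1:
                term = padd(term, frob_subst(prev[i - 1], p), p)
            cur.append(term)
        powers.append(cur)
    result = [[0] for _ in range(d + 1)]
    for k, m_k in enumerate(M):             # C_M = sum_k m_k C_{T^k}
        for i in range(k + 1):
            result[i] = padd(result[i], pmul([m_k % p], powers[k][i], p), p)
    return result

def carlitz_degrees_ok(M, p):
    """Check deg_T [M,i] = p^i (d - i) for monic M, as in Proposition 2.1 (i)."""
    d = deg(M)
    return all(deg(c) == p ** i * (d - i) for i, c in enumerate(carlitz(M, p)))

def folding_relation(f, gamma, delta, p):
    """Test f(gamma X) == f(X)^p in F_p[X] modulo X^(p-1) - delta.

    With delta = gamma this is the identity of Sections 1.1 and 3, since
    f(X)^p = f(X^p) and X^p = X * X^(p-1) == gamma X (mod X^(p-1) - gamma).
    A wrong modulus (delta != gamma) breaks it for generic f.
    """
    modulus = [(-delta) % p] + [0] * (p - 2) + [1]                    # X^(p-1) - delta
    f_gamma = [(c * pow(gamma, i, p)) % p for i, c in enumerate(f)]   # f(gamma X)
    f_pow = [1]
    for _ in range(p):                                                # f(X)^p, reduced
        f_pow = pmod(pmul(f_pow, f, p), modulus, p)
    return pmod(f_gamma, modulus, p) == f_pow
```

For $M = T^3 + T + 1$ over $\mathbb{F}_5$ (constructed, irreducible) the four coefficients come out with $T$-degrees $3, 10, 25, 0$, matching $q^i(d-i)$.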
So we descend to a subfield where many degree 1 places split completely. This is done by taking a subgroup $H$ of $(\mathbb{F}_q[T]/(M))^*$ with many degree 1 polynomials and considering the fixed field $E = K^H$. For every irreducible $N \in R_T$ such that $\bar N = N \bmod M \in H$, the place $N$ splits completely in the extension $E/F$ (this follows from the fact that $C_N$ is the Artin automorphism at the place $N$). This technique has also been used in the previous works [17, 14, 15] mentioned in Section 1.5, though our approach is more general and works with any irreducible $M$. The study of algorithms for cyclotomic codes and the role played by the Artin automorphism in their list decoding is also novel to our work.

4.1. Table of parameters.

Since there is an unavoidable surfeit of notation and parameters used in this section and Section 5, we summarize them for easy reference in Appendix A.

4.2. Function field construction.

Let $\mathbb{F}_r$ be a subfield of $\mathbb{F}_q$. Let $M \in \mathbb{F}_r[T]$ be a monic polynomial that is irreducible over $\mathbb{F}_q$ (note that we require $M(T)$ to have coefficients in the smaller field $\mathbb{F}_r$, but demand irreducibility in the ring $\mathbb{F}_q[T]$). The following lemma follows from the general characterization of when binomials $T^m - \alpha$ are irreducible in $\mathbb{F}_q[T]$ [12, Chap. 3].

Lemma 4.1. Let $d > 1$ be an odd integer such that every prime factor of $d$ divides $(r - 1)$ and $\gcd(d, (q - 1)/(r - 1)) = 1$. Let $\gamma$ be a primitive element of $\mathbb{F}_r$. Then $T^d - \gamma \in \mathbb{F}_r[T]$ is irreducible in $\mathbb{F}_q[T]$.

A simple choice for which the above conditions are met is $r = 2^a$, $q = r^2$, and $d = r - 1$ (we will need a more complicated choice for our list decoding result in Theorem 7.1). For the sake of generality as well as clarity of exposition, we will develop the theory without making specific choices for the parameters, a somewhat intricate task we will undertake in Section 7.
For the rest of this section, fix $M(T) = T^d - \gamma$ as guaranteed by the above lemma. We continue with the notation $F = \mathbb{F}_q(T)$, $R_T = \mathbb{F}_q[T]$, and $K = F(\Lambda_M)$. Fix a generator $\lambda \in \Lambda_M$ of $K/F$ so that $K = F(\lambda)$. Let $G$ be the Galois group of $K/F$, which is isomorphic to the cyclic multiplicative group $(\mathbb{F}_q[T]/(M))^*$. Let $H \subset G$ be the subgroup $\mathbb{F}_q^* \cdot (\mathbb{F}_r[T]/(M))^*$. The cardinality of $H$ is $(r^d - 1) \cdot \frac{q-1}{r-1}$. Note that since $G$ is cyclic there is a unique subgroup $H$ of this size. Indeed, if $\Gamma \in G$ is an arbitrary generator of $G$, then $H = \{1, \Gamma^b, \Gamma^{2b}, \ldots, \Gamma^{q^d - 1 - b}\}$ where

(4.1) $b = \dfrac{|G|}{|H|} = \dfrac{q^d - 1}{r^d - 1} \cdot \dfrac{r - 1}{q - 1}$.

Let $A \in R_T$ be an arbitrary polynomial such that $A \bmod M$ is a generator of $(\mathbb{F}_q[T]/(M))^*$. We can then take $\Gamma$ so that $\Gamma(\lambda) = C_A(\lambda)$. (We fix a choice of $A$ in the sequel and assume that $A$ is pre-computed and known. We will later, in Section 5.3, pick such an $A$ of appropriately large degree.) Note that by part (2) of Proposition 2.1, the Galois action commutes with the Carlitz action and therefore $\Gamma^j(\lambda) = C_{A^j}(\lambda)$ for all $j \ge 1$. Thus knowing the polynomial $A$ lets us compute the action of the automorphisms of $H$ on any desired element of $K = F(\lambda)$.

Let $E \subset K$ be the subfield of $K$ fixed by the subgroup $H$, i.e., $E = \{ x \in K \mid \sigma(x) = x \ \forall \sigma \in H \}$. The field $E$ will be the one used to construct our codes. We first record some basic properties of the extension $E/F$, and how certain places decompose in this extension.

Proposition 4.2. For $E = F(\Lambda_M)^H$, the following properties hold:
(i) $E/F$ is a Galois extension of degree $[E : F] = b$.
(ii) The place $M$ is the only ramified place in $E/F$, and it is totally ramified with a unique place (call it $M'$) above it in $E$.
(iii) The infinite place $P_\infty$ of $F$, i.e., the pole of $T$, splits completely into $b$ degree one places in $E$.
(iv) The genus $g_E$ of $E$ equals $\frac{d(b-1)}{2} + 1$.
(v) For each $\beta \in \mathbb{F}_r$, the place $T - \beta$ of $F$ splits completely into $b$ degree one places in $E$.
(vi) If $A \in R_T$ is irreducible of degree $\ell \ge 1$ and $A \bmod M$ is a primitive element of $R_T/(M)$, then the place $A$ is inert in $E/F$. The Artin automorphism $\sigma_A$ at $A$ satisfies

(4.2) $\sigma_A(x) \equiv x^{q^\ell} \pmod{A'}$ for all $x \in \mathcal{O}_{A'}$,

where $A'$ is the unique place of $E$ lying above $A$.

Proof. By Galois theory, $[E : F] = |G|/|H| = b$. Since $G$ is abelian, $E/F$ is Galois with Galois group isomorphic to $G/H$. Since $E \subset K$, and $M$ is totally ramified in $K$, it must also be totally ramified in $E$. The only other place ramified in $K$ is $P_\infty$, and since $H$ contains the decomposition group $\mathbb{F}_q^*$ of $P_\infty$, $P_\infty$ must split completely in $E/F$. The genus of $E$ is easily computed since $E/F$ is a tamely ramified extension [21, Sec. III.5]. Since only the place $M$ of degree $d$ is ramified, we have $2g_E - 2 = d(b - 1)$.

Since $H \supset \mathbb{F}_r[T]$, for $\beta \in \mathbb{F}_r$, the Artin automorphism $\sigma_{T-\beta}$ of the place $T - \beta$ in $K/F$ belongs to $H$. The Artin automorphism of $T - \beta$ in the extension $E/F$ is the restriction of $\sigma_{T-\beta}$ to $E$, which is trivial since $H$ fixes $E$. It follows that $T - \beta$ splits completely in $E$. For an irreducible polynomial $A \in R_T$ which has order $q^d - 1$ modulo $M$, by part (3) of Proposition 2.2, the place $A$ remains inert in the extension $K/F$, and therefore also in the sub-extension $E/F$. Since the degree of the place $A$ equals $\ell$, (4.2) follows from the definition of the Artin automorphism at $A$.

4.3. A generator for $E$ and its properties.

We would like to represent elements of $E$ and be able to evaluate them at the places above $T - \beta$. To this end, we will exhibit a $\mu \in F^{ac}$ such that $E = F(\mu)$ along with a defining equation for $\mu$ (which will then aid in the evaluations of $\mu$ at the requisite places).

Theorem 4.3. Let $\lambda$ be an arbitrary nonzero element of $\Lambda_M$ (so that $K = F(\lambda)$). Define

(4.3) $\mu \stackrel{\mathrm{def}}{=} \prod_{\sigma \in H} \sigma(\lambda) = C_{A^b}(\lambda)\, C_{A^{2b}}(\lambda) \cdots C_{A^{q^d - 1}}(\lambda)$.

Then, the fixed field $K^H$ equals $E = F(\mu)$. The minimal polynomial $h(Z) \in R_T[Z]$ of $\mu$ over $F$ is given by $h(Z) = \prod_{j=0}^{b-1} (Z - \Gamma^j(\mu))$. Further, the polynomial $h(Z)$ can be computed in $q^{O(d)}$ time.

Proof. By definition $\mu$ is fixed by each $\pi \in H$ and so $\mu \in E$. Therefore $F(\mu) \subseteq E$. To show $E = F(\mu)$, we will argue that $[F(\mu) : F] = b$, which in turn follows if we show that $h(Z)$ has coefficients in $F$ and is irreducible over $F$. Since $\Gamma^b(\mu) = \mu$ and thus $\Gamma^j(\mu)$ only depends on $j \bmod b$, all symmetric functions of $\{\Gamma^j(\mu)\}_{j=0}^{b-1}$ are fixed by $\Gamma$, and thus also by all of $\mathrm{Gal}(K/F)$. The coefficients of $h(Z)$ must therefore belong to $F$. The lemma actually claims that the coefficients lie in $R_T$. To see this, note that for $j = 0, 1, \ldots, b - 1$,

(4.4) Γ^j(μ) = ∏_{0 ≤ i
1, let $L(\ell M')$ be the space of functions in $E$ that have no poles outside $M'$ and at most $\ell$ poles at $M'$. $L(\ell M')$ is an $\mathbb{F}_q$-vector space, and by the Riemann-Roch theorem, $\dim(L(\ell M')) \ge \ell d - g + 1$, where $g = d(b - 1)/2 + 1$ is the genus of $E$. We will assume that $\ell \ge b$, in which case $\dim(L(\ell M')) = \ell d - g + 1$. We will represent the code by a basis of $L(\ell M')$ over $\mathbb{F}_q$. Of course, we first need to understand how to represent a single function in $L(\ell M')$. The following lemma suggests a representation for elements of $L(\ell M')$ that we can use.

Theorem 5.1. A function $f$ in $E$ with poles only at $M'$ has a unique representation of the form

(5.1) $f = \dfrac{\sum_{i=0}^{b-1} a_i \mu^i}{M^e}$

where $e \ge 0$ is an integer, each $a_i \in R_T$, and not all the $a_i$'s are divisible by $M$ (as polynomials in $T$).

Proof. If $f$ has poles only at $M'$, there must be a smallest integer $e \ge 0$ such that $M^e f$ has no poles outside the places above $P_\infty$. This means that $M^e f$ must be in the integral closure ("ring of integers") of $R_T$ in $E$, i.e., the minimal polynomial of $M^e f$ over $R_T$ is monic. The claim will follow once we establish that the integral closure of $R_T$ in $E$ equals $R_T[\mu]$, which we show next in Proposition 5.2. The uniqueness follows since $\{1, \mu, \ldots, \mu^{b-1}\}$ forms a basis of $E$ over $F$.

Proposition 5.2. The integral closure of $R_T$ in $E$ equals $R_T[\mu] = \left\{ \sum_{i=0}^{b-1} a_i \mu^i \;\middle|\; a_i \in R_T \right\}$.

Proof. The minimal polynomial $h(Z)$ of $\mu$ over $R_T$ is monic (Theorem 4.3). Thus $\mu$ is integral over $R_T$, and so $R_T[\mu]$ is contained in the integral closure of $R_T$ in $E$. We turn to proving the reverse inclusion. The proof follows along the lines of a similar argument used to prove that the integral closure of $R_T$ in $K = F(\lambda)$ equals $R_T[\lambda]$ [18, Prop. 12.9]. Let $\omega \in E$ be integral over $R_T$. We know that $\{1, \mu, \mu^2, \ldots, \mu^{b-1}\}$ is a basis for $E$ over $F$. Also $\mu$, and therefore each $\mu^i$, is integral over $F$. By virtue of these facts, it is known (see, for example, [13, Chap. 2]) that there exist $a_i \in R_T$ such that $\omega = \frac{1}{\Delta} \sum_{i=0}^{b-1} a_i \mu^i$ where $\Delta \in R_T$ is the discriminant of the extension $E/F$. As $M$ is the only ramified place in the extension $E/F$, the discriminant $\Delta$ is a power of $M$ up to units, and by assuming wlog that $\Delta$ is monic, we can conclude that $\Delta = M^{e'}$ for some exponent $e' \ge 0$. Thus we have

(5.2) $M^{e'} \omega = \sum_{i=0}^{b-1} a_i \mu^i$

with $a_i \in R_T$, and not all the $a_i$'s are divisible by $M$. Our goal is to show that $e' = 0$. We will do this by comparing the valuations $v_{M'}$ of both sides of (5.2). We have

(5.3) $v_{M'}(M^{e'} \omega) = v_{M'}(M^{e'}) + v_{M'}(\omega) = be' + v_{M'}(\omega) \ge be'$.

Let $i_0$, $0 \le i_0 < b$, be the smallest value of $i$ such that $v_M(a_i) = 0$. Such an $i_0$ must exist since not all the $a_i$'s are divisible by $M$. By Lemma 4.4, $v_{M'}(\mu) = 1$, and so $v_{M'}(a_i \mu^i) = v_{M'}(a_i) + i = b\, v_M(a_i) + i$. For $i = i_0$, $v_{M'}(a_{i_0} \mu^{i_0}) = i_0$. For $i < i_0$, $v_{M'}(a_i \mu^i) \ge b\, v_M(a_i) \ge b > i_0$ (since $v_M(a_i) \ge 1$ for $i < i_0$). For $i > i_0$, $v_{M'}(a_i \mu^i) \ge v_{M'}(\mu^i) = i > i_0$. It follows that

(5.4) $v_{M'}\Big(\sum_{i=0}^{b-1} a_i \mu^i\Big) = \min_{0 \le i \le b-1} v_{M'}(a_i \mu^i) = i_0$.

Combining (5.3) and (5.4), we conclude $b > i_0 \ge be'$, which implies $e' = 0$.

5.2. Succinctness of representation.

In order to be able to efficiently compute with the representation (5.1) of functions in $L(\ell M')$, we need the guarantee that the representation will be succinct, i.e., of size polynomial in the code length. We show that this will be the case by obtaining an upper bound on the degree of the coefficients $a_i \in R_T$ in Lemma 5.3 below. This is not as straightforward as one might hope, and we thank G. Anderson and D. Thakur for help with its proof.
For the choice of parameters we will make (in Theorems 6.10 and 7.1), this upper bound will be polynomially bounded in the code length. Therefore, the assumed representation of the basis functions is of polynomial size.

Lemma 5.3. Suppose $f \in L(\ell M')$ is given by $f = \frac{1}{M^e} \sum_{i=0}^{b-1} a_i \mu^i$ for $a_i \in R_T$ (not all divisible by $M$) and $e \ge 0$. Then the degree of each $a_i$ is at most $\ell + q^d b$.

Proof. Let $g = M^e f = \sum_{i=0}^{b-1} a_i \mu^i$. We know that $g$ has at most $eb$ poles at each place of $E$ that lies above $P_\infty$ (since $f$ has no poles at these places). Using the fact that $f$ has at most $\ell$ poles at $M'$, and the uniqueness of the representation $f = \frac{1}{M^e} \sum_{i=0}^{b-1} a_i \mu^i$, it is easy to argue that $eb \le \ell + b$. So $g$ has at most $\ell + b$ poles at each place of $E$ lying above $P_\infty$. Let $\sigma = \sigma_A$; we know that $\sigma$ is a generator of $\mathrm{Gal}(E/F)$. For $j = 0, 1, \ldots, b-1$, we have $\sigma^j(g) = \sum_{i=0}^{b-1} a_i \sigma^j(\mu^i)$. Let $\mathbf{a} = (a_0, a_1, \ldots, a_{b-1})^T$ be the (column) vector of coefficients, and let $\mathbf{g} = (g, \sigma(g), \ldots, \sigma^{b-1}(g))^T$. Denoting by $\Phi$ the $b \times b$ matrix with $\Phi_{ji} = \sigma^j(\mu^i)$ for $0 \le i, j \le b-1$, we have the system of equations $\Phi \mathbf{a} = \mathbf{g}$. We can thus determine the coefficients $a_i$ by solving this linear system. By Cramer's rule, $a_i = \det(\Phi_i)/\det(\Phi)$, where $\Phi_i$ is obtained by replacing the $i$'th column of $\Phi$ by the column vector $\mathbf{g}$. The square of the denominator $\det(\Phi)$ is the discriminant of the field extension $E/F$, and belongs to $R_T$. Thus the degree of $a_i$ is at most the pole order of $\det(\Phi_i)$ at an arbitrary place, say $\tilde{P}$, above $P_\infty$. By the definition (4.3) of $\mu$, and the fact that $\lambda$ and its conjugates have at most one pole at the places above $P_\infty$ in $F(\Lambda_M)$, it follows that $\mu$ has at most $(q^d-1)/b$ poles at $\tilde{P}$. The same holds for all its conjugates $\sigma^j(\mu)$. The function $g$ and its conjugates $\sigma^j(g)$ have at most $\ell + b$ poles at $\tilde{P}$. In all, this yields a crude upper bound of
$$\frac{q^d - 1}{b} \cdot \frac{b(b-1)}{2} + \ell + b \le \ell + q^d b$$
for the pole order of $\det(\Phi_i)$ at $\tilde{P}$, and hence also for the degree of the polynomial $a_i \in R_T$.

5.3. Rational places for encoding and their ordering. So far, the polynomial $A \in R_T$ was any monic irreducible polynomial that was a primitive element modulo $M$, so that its Artin automorphism $\sigma_A$ generates $\mathrm{Gal}(E/F)$. We will now pick $A$ to have degree $D$ satisfying $D > \ell d / b$. This can be done by a Las Vegas algorithm in $(D q^d)^{O(1)}$ time by picking a random polynomial and checking that it works, or deterministically by brute force in $q^{O(d+D)}$ time. Either of these lies within the decoding time claimed in Theorem 6.10, and will be polynomial in the block length for our parameter choices in Theorem 7.1. By Proposition 2.1, $A$ remains inert in $E/F$; let us denote by $A'$ the unique place of $E$ that lies over $A$. The degree of $A'$ equals $Db$. For each $\beta \in \mathbb{F}_r$, fix an arbitrary place $P_0^{(\beta)}$ lying above $T - \beta$ in $E$. For $j = 0, 1, \ldots, b-1$, define
(5.5) $$P_j^{(\beta)} = \sigma_A^{-j}\big(P_0^{(\beta)}\big).$$
Since $\mathrm{Gal}(E/F)$ acts transitively on the set of primes above a prime, and $\sigma_A$ generates $\mathrm{Gal}(E/F)$, these constitute all the places above $T - \beta$. Lemma 4.5 already tells us the set of evaluations of $\mu$ at these places, but not which evaluation corresponds to which point.
We have $\mu(\sigma_A^{-j}(P_0^{(\beta)})) = \sigma_A^j(\mu)(P_0^{(\beta)})$; hence, to compute the evaluations of $\mu$ at all these $b$ places as per the ordering (5.5), it suffices to know (i) the value $\mu(P_0^{(\beta)})$, which we can find by simply picking one of the roots from Lemma 4.5 arbitrarily, and (ii) a representation of $\sigma_A(\mu)$ as an element of $R_T[\mu]$ (since $\sigma_A(\mu)$ is integral over $R_T$, it belongs to $R_T[\mu]$ by virtue of Proposition 5.2). Note that $T(P_0^{(\beta)}) = \beta$, so once we know $\mu(P_0^{(\beta)})$, we can evaluate any element of $R_T[\mu]$ at $P_0^{(\beta)}$. We now show that $\sigma_A(\mu) \in R_T[\mu]$ can be computed efficiently.

Lemma 5.4. (i) The values of $\sigma_A^j(\mu)$ for $0 \le j \le b-1$ as elements of $R_T[\mu]$ can be computed in $q^{O(d)}$ time.
(ii) The values $\mu(P_j^{(\beta)})$ for $\beta \in \mathbb{F}_r$ and $j = 0, 1, \ldots, b-1$ can be computed in $q^{O(d)}$ time. Knowing these values, we can compute any function in the message space $L(\ell M')$ represented in the form (5.1) at the places $P_j^{(\beta)}$ in $\mathrm{poly}(\ell, q^d)$ time.

Proof. Part (ii) follows from Part (i) and the discussion above. To prove Part (i), note that once we compute $\sigma_A(\mu)$, we can recursively compute $\sigma_A^j(\mu)$ for $j \ge 2$, using the relation $h(\mu) = 0$ to replace $\mu^b$ and higher powers of $\mu$ in terms of $1, \mu, \ldots, \mu^{b-1}$. By definition (4.3), we have $\mu = \prod_{0 \le i < (q^d-1)/b} C_{A^{ib} \bmod M}(\lambda)$. Thus one can compute an expression $\mu = \sum_{i=0}^{q^d-2} e_i \lambda^i \in R_T[\lambda]$ with coefficients $e_i \in R_T$ in $q^{O(d)}$ time. By successive multiplication in the ring $R_T[\lambda]$ (using the relation $C_M(\lambda) = 0$ to express $\lambda^{q^d-1}$ and higher powers in terms of $1, \lambda, \ldots, \lambda^{q^d-2}$), we can compute, for $l = 0, 1, \ldots, b-1$, expressions $\mu^l = \sum_{i=0}^{q^d-2} e_{il} \lambda^i$ with $e_{il} \in R_T$ in $q^{O(d)}$ time. We have
$$\sigma_A(\mu) = \sum_{i=0}^{q^d-2} e_i\, \sigma_A(\lambda)^i = \sum_{i=0}^{q^d-2} e_i\, C_{A \bmod M}(\lambda)^i.$$
So one can likewise compute an expression $\sigma_A(\mu) = \sum_{i=0}^{q^d-2} f_i \lambda^i$ with $f_i \in R_T$ in $q^{O(d)}$ time. The task now is to re-express this expression for $\sigma_A(\mu)$ as an element of $R_T[\mu]$, of the form $\sum_{l=0}^{b-1} a_l \mu^l$, for "unknowns" $a_l \in R_T$ that are to be determined. We will argue that this can be accomplished by solving a linear system. Indeed, using the above expressions $\mu^l = \sum_{i=0}^{q^d-2} e_{il} \lambda^i$, the coefficients $a_l$ satisfy the following system of linear equations over $R_T$:
(5.6) $$\sum_{l=0}^{b-1} e_{il}\, a_l = f_i \quad \text{for } i = 0, 1, \ldots, q^d - 2.$$
Since the representation $\sigma_A(\mu) = \sum_{l=0}^{b-1} a_l \mu^l$ is unique, the system has a unique solution. By Cramer's rule, the degree of each $a_l$ is at most $q^{O(d)}$. Therefore, we can express the system (5.6) as a linear system of size $q^{O(d)}$ over $\mathbb{F}_q$ whose unknowns are the coefficients of all the polynomials $a_l \in R_T$. By solving this system in $q^{O(d)}$ time, we can compute the representation of $\sigma_A(\mu)$ as an element of $R_T[\mu]$.

5.4. The basic cyclotomic AG code. The basic AG code $C_0$ based on the subfield $E$ of the cyclotomic function field $F(\Lambda_M)$ is defined as
(5.7) $$C_0 = \Big\{ \big(f(P_j^{(\beta)})\big)_{\beta \in \mathbb{F}_r,\ 0 \le j < b} \;:\; f \in L(\ell M') \Big\}.$$

Lemma 5.5. $C_0$ is an $\mathbb{F}_q$-linear code of block length $n = rb$, dimension $k = \ell d - d(b-1)/2$, and distance at least $n - \ell d$.

Lemma 5.4, Part (ii), implies the following.

Lemma 5.6 (Efficient encoding). Given a basis for the message space $L(\ell M')$ represented in the form (5.1), the generator matrix of the cyclotomic code $C_0$ can be computed in $\mathrm{poly}(\ell, q^d, q^D)$ time.

5.5. The folded cyclotomic code. Let $m \ge 1$ be an integer. For convenience, we assume $m \mid b$ (though this is not really necessary).
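Before folding, a small worked example of the two ingredients just used, written for this edition and not part of the original paper or its code: the Carlitz action $C_A(X)$ over $R_T = \mathbb{F}_q[T]$, the congruence $C_A(X) \equiv X^{q^{\deg A}} \pmod A$ for a prime $A$ (this is the Frobenius property of $\sigma_A$ that Lemma 5.8(ii) relies on), and the Las Vegas search of Section 5.3 for a monic irreducible $A$ of degree $D$ that is a primitive root modulo $M$. The example assumes $q = p$ prime, so that $\mathbb{F}_q = \mathbb{Z}/p\mathbb{Z}$ (the paper also allows prime powers, such as the powers of two in Theorem 7.1, which this toy does not cover), normalizes the Carlitz module by $C_T(X) = X^p + TX$, and tests irreducibility by brute force, so it is meant for small degrees only. The sample moduli in the final block and in the tests ($M = T^2+T+1$ over $\mathbb{F}_2$, $M = T^2+1$ over $\mathbb{F}_3$) are constructed for illustration.

```python
"""Added worked example (not the paper's code): the Carlitz action C_A(X) over R_T = F_p[T],
the congruence C_P(X) = X^{p^deg P} (mod P) behind the Artin automorphism (Lemma 5.8(ii)),
and the Las Vegas search of Section 5.3 for a prime A that is primitive modulo M.
Assumes q = p prime (the paper also allows prime powers) and C_T(X) = X^p + T X."""
import random
from itertools import product

# R_T = F_p[T]: coefficient lists, lowest degree first, no trailing zeros.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a
def add(a, b, p):
    a, b = (a, b) if len(a) >= len(b) else (b, a)
    return trim([(x + (b[i] if i < len(b) else 0)) % p for i, x in enumerate(a)])
def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return trim(out)

def mod(a, m, p):
    """Remainder of a modulo a monic m (every modulus used below is monic)."""
    a = trim(list(a))
    while len(a) >= len(m):
        c, shift = a[-1], len(a) - len(m)
        for i, y in enumerate(m):
            a[shift + i] = (a[shift + i] - c * y) % p
        trim(a)
    return a

def powmod(a, e, m, p):
    r, b = [1], mod(a, m, p)
    while e:
        if e & 1:
            r = mod(mul(r, b, p), m, p)
        b, e = mod(mul(b, b, p), m, p), e >> 1
    return r

# R_T[X]: dict {X-exponent: coefficient in R_T}; zero coefficients are dropped.
def xadd(f, g, p):
    out = dict(f)
    for e, c in g.items():
        out[e] = add(out.get(e, []), c, p)
        if not out[e]:
            del out[e]
    return out
def xscale(f, s, p):                       # multiply every coefficient by s in R_T
    return {e: sc for e, c in f.items() if (sc := mul(c, s, p))}

def frob(f, p):
    """f(X)^p for F_p-linear f = sum c_e(T) X^e: cross terms vanish in characteristic p,
    and c(T)^p = c(T^p) because a^p = a for a in F_p."""
    return {e * p: [c[i // p] if i % p == 0 else 0 for i in range(p * len(c) - p + 1)]
            for e, c in f.items()}

def carlitz(A, p):
    """C_A(X) from C_1(X) = X, C_{T^{k+1}}(X) = C_{T^k}(X)^p + T C_{T^k}(X), and
    additivity C_{A+B} = C_A + C_B, walking over the coefficients a_k of A."""
    c_tk, result = {1: [1]}, {}
    for a_k in A:
        if a_k:
            result = xadd(result, xscale(c_tk, [a_k], p), p)
        c_tk = xadd(frob(c_tk, p), xscale(c_tk, [0, 1], p), p)
    return result

def artin_frobenius_holds(P, p):
    """Check C_P(X) = X^{p^deg P} after reducing the R_T-coefficients modulo the prime P:
    modulo P, the Carlitz action of P is the q^{deg P}-power Frobenius (cf. Lemma 5.8(ii))."""
    reduced = {e: r for e, c in carlitz(P, p).items() if (r := mod(c, P, p))}
    return reduced == {p ** (len(P) - 1): [1]}

def is_irreducible(A, p):
    """Brute force: A of degree >= 1 with no monic divisor of degree 1..deg(A)/2."""
    D = len(A) - 1
    return D >= 1 and all(mod(A, list(low) + [1], p)
                          for k in range(1, D // 2 + 1) for low in product(range(p), repeat=k))
def prime_factors(n):                      # trial division; enough for the toy sizes here
    return {f for f in range(2, n + 1) if n % f == 0 and all(f % g for g in range(2, f))}

def is_primitive_mod(A, M, p):
    """Does A generate (R_T/(M))^*?  For M irreducible of degree d this cyclic group has
    order p^d - 1, so A must be a unit and A^((p^d-1)/r) != 1 for every prime r | p^d - 1."""
    n = p ** (len(M) - 1) - 1
    if powmod(A, n, M, p) != [1]:
        return False
    return all(powmod(A, n // r, M, p) != [1] for r in prime_factors(n))

def find_artin_generator(M, D, p, rng=random.Random(0)):
    """Las Vegas search of Section 5.3: random monic A of degree D until it is irreducible
    and a primitive root modulo M (does not terminate if no such A exists)."""
    while True:
        A = [rng.randrange(p) for _ in range(D)] + [1]
        if is_irreducible(A, p) and is_primitive_mod(A, M, p):
            return A

if __name__ == "__main__":
    M = [1, 1, 1]   # q = 2, M = T^2 + T + 1: C_M(X) = X^4 + M X^2 + M X, so C_M = X^4 (mod M)
    print(carlitz(M, 2), artin_frobenius_holds(M, 2), find_artin_generator(M, 1, 2))
```

The Carlitz polynomial is built only from additivity and the recursion $C_{T^{k+1}} = C_{T^k}^p + T\,C_{T^k}$, which is why `frob` may use the additive-polynomial shortcut; the primitivity test is the standard order check in the cyclic group $(R_T/(M))^*$ and is exactly the "checking that it works" step of the Las Vegas search. For $M = T^2+1$ over $\mathbb{F}_3$ the search rejects $A = T$ (order 4 in a group of order 8) and returns $T+1$ or $T+2$.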
Analogous to the construction of folded Reed-Solomon codes [6], the folded cyclotomic code $C$ is obtained from $C_0$ by bundling together successive $m$-tuples of symbols into a single symbol to give a code of length $N = n/m$ over $\mathbb{F}_q^m$. Formally,
(5.8) $$C = \Big\{ \Big( f(P_{m\imath}^{(\beta)}),\, f(P_{m\imath+1}^{(\beta)}),\, \ldots,\, f(P_{m\imath+m-1}^{(\beta)}) \Big)_{\beta \in \mathbb{F}_r,\ 0 \le \imath < b/m} \;:\; f \in L(\ell M') \Big\}.$$
Recall that $A$ was picked so that $\deg(A') = Db > \ell d$. This immediately implies that a message in $L(\ell M')$ is uniquely determined by its evaluation at $A'$.

Lemma 5.7. The map $\mathrm{ev}_{A'} : L(\ell M') \to K_{A'}$ given by $\mathrm{ev}_{A'}(f) = f(A')$ is one-one.

The key algebraic property of our folding is the following.

Lemma 5.8. For every $f \in L(\ell M')$:
(i) For every $\beta \in \mathbb{F}_r$ and $0 \le j < b-1$, $\sigma_A(f)(P_j^{(\beta)}) = f(P_{j+1}^{(\beta)})$.
(ii) $\sigma_A(f)(A') = f(A')^{q^D}$.

Proof. The first part follows since we ordered the places above $T - \beta$ such that $P_{j+1}^{(\beta)} = \sigma_A^{-1}(P_j^{(\beta)})$. The second part follows from the property of the Artin automorphism at $A$, since the norm of the place $A$ equals $q^{\deg(A)} = q^D$. (A nice discussion of the Artin-Frobenius automorphism, albeit in the setting of number fields, appears in [13, Chap. 4].)

6. List decoding algorithm

We now turn to list decoding the folded cyclotomic code $C$ defined in (5.8). The underlying approach is similar to that of the algorithm for list decoding folded RS codes [6] and algebraic-geometric generalizations of Parvaresh-Vardy codes [16, 5]. We will therefore not repeat the entire rationale and motivation behind the algorithm development. But our technical presentation and analysis is self-contained. In fact, our presentation here does offer some simplifications over previous descriptions of AG list decoding algorithms from [7, 8, 5]. A principal strength of the new description is that it avoids the use of zero-increasing bases at each code place $P_j^{(\beta)}$.
This simplifies the algorithm as well as the representation of the code needed for decoding. The list decoding problem for $C$ up to $e$ errors corresponds to solving the following function reconstruction problem. Recall that the length of the code is $N = n/m = rb/m$, and the codeword positions are indexed by $\mathbb{F}_r \times \{0, 1, \ldots, b/m - 1\}$.

Input: A collection $T$ of $N$ tuples $\big(y_{m\imath}^{(\beta)}, y_{m\imath+1}^{(\beta)}, \ldots, y_{m\imath+m-1}^{(\beta)}\big) \in \mathbb{F}_q^m$ for $\beta \in \mathbb{F}_r$ and $0 \le \imath < b/m$.
Output: A list of all $f \in L(\ell M')$ whose encoding as per $C$ agrees with the $(\beta, \imath)$'th tuple for at least $N - e$ codeword positions.

6.1. Algorithm description. We describe the algorithm at a high level below and later justify how the individual steps can be implemented efficiently, and under what condition the decoding will succeed. We stress that regardless of complexity considerations, even the combinatorial list-decodability property "proved" by the algorithm is non-trivial.

Algorithm List-Decode($C$) (uses the following parameters):
• an integer parameter $s$, $2 \le s \le m$, for $s$-variate interpolation;
• an integer parameter $w \ge 1$ that governs the zero order (multiplicity) guaranteed by interpolation;
• an integer parameter $\Delta \ge 1$ which is the total degree of the interpolated $s$-variate polynomial.

Step 1: (Interpolation) Find a nonzero polynomial $Q(Z_1, Z_2, \ldots, Z_s)$ of total degree at most $\Delta$ with coefficients in $L(\ell M')$ such that for each $\beta \in \mathbb{F}_r$, $0 \le \imath < b/m$, and $j' \in \{0, 1, \ldots, m-s\}$, the shifted polynomial
(6.1) $$Q\Big(Z_1 + y_{m\imath+j'}^{(\beta)},\; Z_2 + y_{m\imath+j'+1}^{(\beta)},\; \ldots,\; Z_s + y_{m\imath+j'+s-1}^{(\beta)}\Big)$$
has the property that the coefficient of the monomial $Z_1^{n_1} Z_2^{n_2} \cdots Z_s^{n_s}$ vanishes at $P_{m\imath+j'}^{(\beta)}$ whenever its total degree $n_1 + n_2 + \cdots + n_s < w$.

Step 2: (Root-finding) Find a list of all $f \in L(\ell M')$ satisfying $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$.
Output those whose encoding as per the code $C$ agrees with at least $N - e$ of the $m$-tuples in $T$.

6.2. Analysis of error-correction radius.

Lemma 6.1. If $k(\Delta+1)^s > N(m-s+1)(w+s-1)^s$ (where, recall, $k = \ell d - d(b-1)/2$ is the dimension of $L(\ell M')$), then a nonzero polynomial $Q$ with the stated properties exists. If we know the evaluations of the functions in a basis $\{\phi_1, \phi_2, \ldots, \phi_k\}$ of $L(\ell M')$ at the places $P_j^{(\beta)}$, then such a $Q$ can be found by solving a homogeneous system of linear equations over $\mathbb{F}_q$ with at most $Nm(w+s)^s$ equations and unknowns.

Proof. The proof is standard and follows by counting degrees of freedom vs. number of constraints. One can express the desired polynomial as $\sum_{n_1, n_2, \ldots, n_s} q_{(n_1, \ldots, n_s)} Z_1^{n_1} \cdots Z_s^{n_s}$, where each coefficient $q_{(n_1, \ldots, n_s)} \in L(\ell M')$ is in turn an unknown $\mathbb{F}_q$-linear combination of $\phi_1, \ldots, \phi_k$. The number of unknowns is $k\binom{\Delta+s}{s} \ge k(\Delta+1)^s/s!$. For each place $P_{m\imath+j'}^{(\beta)}$, one can express the required condition at that place by $\binom{w+s-1}{s}$ linear conditions (this quantity is the number of monomials of total degree $< w$), for a total of $N(m-s+1)\binom{w+s-1}{s} < N(m-s+1)(w+s-1)^s/s!$ constraints. When the number of unknowns exceeds the number of constraints, a nonzero solution must exist. A solution can also be found efficiently once the linear system is set up, which can clearly be done if we know the evaluations of the $\phi_i$'s at the code places (i.e., a "generator matrix" of the code).

Lemma 6.2. Let $Q$ be the polynomial found in Step 1. If the encoding of some $f$ as per $C$ agrees with $\big(y_{m\imath}^{(\beta)}, y_{m\imath+1}^{(\beta)}, \ldots, y_{m\imath+m-1}^{(\beta)}\big)$ for some position $(\beta, \imath)$, then $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f))$ has at least $w$ zeroes at each of the $(m-s+1)$ places $P_{m\imath+j'}^{(\beta)}$ for $j' = 0, 1, \ldots, m-s$.

Proof. The proof differs slightly from earlier proofs of similar statements (e.g., [5, Lemma 6.6]) in that it avoids the use of zero-increasing bases and is thus simpler. We will prove the claim for $j' = 0$, and the same proof works for any $j' \le m-s$. Note that agreement on the $m$-tuple at position $(\beta, \imath)$ implies that $f(P_{m\imath}^{(\beta)}) = y_{m\imath}^{(\beta)}$, $f(P_{m\imath+1}^{(\beta)}) = y_{m\imath+1}^{(\beta)}$, $\ldots$, $f(P_{m\imath+s-1}^{(\beta)}) = y_{m\imath+s-1}^{(\beta)}$. By Lemma 5.8, Part (i), this implies $f(P_{m\imath}^{(\beta)}) = y_{m\imath}^{(\beta)}$, $\sigma_A(f)(P_{m\imath}^{(\beta)}) = y_{m\imath+1}^{(\beta)}$, $\ldots$, $\sigma_A^{s-1}(f)(P_{m\imath}^{(\beta)}) = y_{m\imath+s-1}^{(\beta)}$. Denote by $Q^*$ the shifted polynomial (6.1) for the triple $(\beta, \imath, 0)$. We have
$$Q\big(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)\big) = Q^*\Big(f - y_{m\imath}^{(\beta)},\; \sigma_A(f) - y_{m\imath+1}^{(\beta)},\; \ldots,\; \sigma_A^{s-1}(f) - y_{m\imath+s-1}^{(\beta)}\Big)$$
$$= \sum_{\substack{n_1, \ldots, n_s \\ w \le n_1 + \cdots + n_s \le \Delta}} q^*_{(n_1, \ldots, n_s)} \Big(f - f(P_{m\imath}^{(\beta)})\Big)^{n_1} \Big(\sigma_A(f) - \sigma_A(f)(P_{m\imath}^{(\beta)})\Big)^{n_2} \cdots \Big(\sigma_A^{s-1}(f) - \sigma_A^{s-1}(f)(P_{m\imath}^{(\beta)})\Big)^{n_s}$$
for some coefficients $q^*_{(n_1, \ldots, n_s)} \in L(\ell M')$. Each term of the function in the last expression clearly has valuation at least $w$ at $P_{m\imath}^{(\beta)}$, and hence so does $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f))$.

Lemma 6.3. If the encoding of $f \in L(\ell M')$ has at least $N - e$ agreements with the input tuples $T$, and $(N-e)(m-s+1)w > d\ell(\Delta+1)$, then $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$.

Proof. Since $f$ has no poles outside $M'$, neither do $\sigma_A^i(f)$ for $1 \le i < s$. Moreover, $v_{M'}(\sigma_A(f)) = v_{\sigma_A^{-1}(M')}(f) = v_{M'}(f)$ (since $M'$ is the unique place above $M$ and is thus fixed by every Galois automorphism). Since $f \in L(\ell M')$, this implies $\sigma_A^i(f) \in L(\ell M')$ for every $i$. Since each coefficient of $Q$ also belongs to $L(\ell M')$, we conclude that $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) \in L((\ell + \ell\Delta) M')$. On the other hand, by Lemma 6.2, $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f))$ has at least $(N-e)(m-s+1)w$ zeroes.
If $(N-e)(m-s+1)w > \ell(\Delta+1)d$, then $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f))$ has more zeroes than poles and must thus equal $0$.

Putting together the above lemmas, we can conclude the following about the list decoding radius guaranteed by the algorithm. Note that we have not yet discussed how Step 2 may be implemented, or why it implies a reasonable bound on the output list size. We will do this in Section 6.3.

Theorem 6.4. For every $s$, $2 \le s \le m$, and any $\zeta > 0$, for the choice $w = \lceil s/\zeta \rceil$ and a suitable choice of the parameter $\Delta$, the algorithm List-Decode($C$) successfully list decodes up to $e$ errors whenever
(6.2) $$e < (N - 1) - (1+\zeta) \Big(\frac{k}{m-s+1}\Big)^{1-1/s} N^{1/s} \Big(1 + \frac{d(b-1)}{2k}\Big).$$

Proof. Pick $w = \lceil s/\zeta \rceil$ and let $\Delta + 1$ be the least integer exceeding $\big(N(m-s+1)/k\big)^{1/s}(w+s-1)$; then the requirement of Lemma 6.1 is met. By Lemma 5.5, the dimension $k$ satisfies $\ell d = k + d(b-1)/2$. A straightforward computation reveals that for this choice, the bound (6.2) implies the decoding condition $(N-e)(m-s+1)w > \ell d(\Delta+1)$ under which Lemma 6.3 guarantees successful decoding. Explicitly, write $X = \big(N(m-s+1)/k\big)^{1/s}$, so that $\Delta + 1 \le X(w+s-1) + 1$ and $\big(\frac{k}{m-s+1}\big)^{1-1/s} N^{1/s} = \frac{kX}{m-s+1}$. Since $1 + \frac{d(b-1)}{2k} = \frac{\ell d}{k}$, the bound (6.2) reads $N - e > 1 + (1+\zeta)\frac{\ell d X}{m-s+1}$, and therefore
$$(N-e)(m-s+1)w > (m-s+1)w + (1+\zeta) w\, \ell d X \ge \ell d X (w+s-1) + \ell d X \ge \ell d(\Delta+1),$$
where the middle inequality uses $\zeta w \ge s$ and the last one uses $X \ge 1$, i.e., $k \le N(m-s+1)$, which holds whenever the radius in (6.4) is positive.

Remark 6.5. The above error-correction radius is non-trivial only when $s \ge 2$. We will see later how to pick parameters so that the error fraction approaches $1 - R^{1-1/s}$. For AG codes, even $s = 1$ led to a non-trivial guarantee of about $1 - \sqrt{R}$ in [7], and for folded Reed-Solomon codes the error fraction with $s$-variate interpolation was $1 - R^{s/(s+1)}$. The weaker bound we get is due to restricting the pole order of the coefficients of $Q$ to at most $\ell$, the number of poles allowed for messages. This is similar to the algorithm in [5, Sec. 5]. Since we let $s$ grow anyway, this does not hurt us. It also avoids some difficult technical complications that would arise otherwise (discussed, e.g., in [5]), and allows implementing the interpolation step just using the natural generator matrix of the code.

6.3. Root-finding using the Artin automorphism. So far we have not discussed how Step 2 of decoding can be performed, and why in particular it implies a reasonably small upper bound on the number of solutions $f \in L(\ell M')$ that it may find in the worst case. We address this now. This is where the properties of the Artin automorphism $\sigma_A$ will play a crucial role. Recall (i) $K_{A'} = O_{A'}/A'$ denotes the residue field at the place $A'$ of $E$ lying above $A$, and (ii) we picked $A$ so that $D = \deg(A)$ obeyed $Db > \ell d$.

Lemma 6.6. Suppose $f \in O_{A'}$ satisfies $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$ for some $Q \in O_{A'}[Z_1, Z_2, \ldots, Z_s]$. Let $\bar{Q} \in K_{A'}[Z_1, Z_2, \ldots, Z_s]$ be the polynomial obtained by reducing the coefficients of $Q$ modulo $A'$. Then $f(A') \in K_{A'}$ obeys
(6.3) $$\bar{Q}\Big(f(A'),\; f(A')^{q^D},\; f(A')^{q^{2D}},\; \ldots,\; f(A')^{q^{D(s-1)}}\Big) = 0.$$

Proof. If $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$, then surely $\bar{Q}\big(f(A'), \sigma_A(f)(A'), \ldots, \sigma_A^{s-1}(f)(A')\big) = 0$. The claim (6.3) now follows immediately from Lemma 5.8, Part (ii).

Lemma 6.7. If $Q(Z_1, \ldots, Z_s)$ is a nonzero polynomial of total degree at most $\Delta < q^D$ all of whose coefficients belong to $L(\ell M')$, then the polynomial $\Phi \in K_{A'}[Y]$ defined as $\Phi(Y) \stackrel{\text{def}}{=} \bar{Q}\big(Y, Y^{q^D}, \ldots, Y^{q^{D(s-1)}}\big)$ is a nonzero polynomial of degree at most $\Delta \cdot q^{D(s-1)}$.

Proof. If $\psi \in L(\ell M')$ is nonzero, then $\psi(A') \ne 0$. (Otherwise, the degree of the zero divisor of $\psi$ would be at least $\deg(A') = bD > \ell d$, and thus exceed the degree of the pole divisor of $\psi$.) It follows that if $Q \ne 0$, then $\bar{Q}(Z_1, \ldots, Z_s)$, obtained by reducing the coefficients of $Q$ modulo $A'$, is also nonzero.
(This is the simplicity we gain by restricting the coefficients of $Q$ to also belong to $L(\ell M')$.) Since the degree of $\bar{Q}$ in each $Z_i$ is at most $\Delta < q^D$, it is easy to see that $\Phi(Y) = \bar{Q}(Y, Y^{q^D}, \ldots, Y^{q^{D(s-1)}})$ is also nonzero. The degree of $\Phi$ is at most $q^{D(s-1)}$ times the total degree of $\bar{Q}$, which is at most $\Delta$.

By the above two lemmas, we see that one can compute the set of residues $f(A')$ of all $f$ satisfying $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$ by computing the roots in $K_{A'}$ of $\Phi(Y)$. Since $\mathrm{ev}_{A'}$ is injective on $L(\ell M')$ (Lemma 5.7), this also lets us recover the message $f \in L(\ell M')$.

Lemma 6.8. Given a nonzero polynomial $Q(Z_1, \ldots, Z_s)$ with coefficients from $L(\ell M')$ and degree $\Delta < q^D$, the set of functions $S = \{f \in L(\ell M') \mid Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0\}$ has cardinality at most $q^{Ds}$. Moreover, knowing the evaluations of a basis $B = \{\phi_1, \phi_2, \ldots, \phi_k\}$ of $L(\ell M')$ at the place $A'$, one can compute the coefficients expressing each $f \in S$ in the basis $B$ in $q^{O(Ds)}$ time.

Proof. As argued above, any desired $f \in L(\ell M')$ has the property that $\Phi(f(A')) = 0$, so the evaluations of functions in $S$ take at most $\deg(\Phi) \le \Delta q^{D(s-1)} \le q^{Ds}$ values. Since $\mathrm{ev}_{A'}$ is injective on $S$, this implies $|S| \le q^{Ds}$. The second part follows since we can compute the roots of $\Phi$ in $K_{A'}$ in time $\mathrm{poly}(q^{Ds}, \log |K_{A'}|) \le q^{O(Ds)}$. Knowing $f(A')$, we can recover $f$ (in terms of the basis $B$) by solving a linear system if we know the evaluations of the functions in the basis $B$ at $A'$. The next section discusses a convenient representation for computations in $K_{A'}$.

6.3.1. Representation of the residue field $K_{A'}$. The following gives a convenient representation for elements of $K_{A'}$ which can be used in computations involving this field.

Lemma 6.9. The elements $\{1, \mu(A), \ldots, \mu(A)^{b-1}\}$ form a basis for $K_{A'}$ over the field $R_T/(A) \simeq \mathbb{F}_{q^D}$. In other words, elements of $K_{A'}$ can be expressed in a unique way as
$$\sum_{i=0}^{b-1} b_i(T)\, \mu(A)^i$$
where each $b_i \in R_T$ has degree less than $D$.

Proof. Since $A$ is inert in $E/F$, the minimal polynomial $h(Z)$ of $\mu$ over $F$ has the property that $\bar{h}(Z)$, obtained by reducing the coefficients of $h$ modulo $A$, is irreducible over the residue field $R_T/(A)$. Thus $\mu(A)$ generates $K_{A'}$ over $R_T/(A)$, and in fact the minimal polynomial of $\mu(A)$ over $K_A$ equals $\bar{h}(Z)$. Note that the coefficients of $\bar{h}$, which belong to $R_T/(A)$, have a natural representation as polynomials in $R_T$ of degree $< \deg(A) = D$.

We note that given the representation of the basis $B = \{\phi_1, \phi_2, \ldots, \phi_k\}$ in the form guaranteed by Theorem 5.1, one can trivially compute the evaluations $\phi_i(A')$ in the above form. There is no need to explicitly compute $\mu(A) \in K_{A'}$. Therefore, the decoding algorithm requires no additional pre-processed information beyond a basis for the message space $L(\ell M')$; the rest can all be computed efficiently from the basis alone.

6.4. Wrap-up. We are now ready to state our final decoding claim.

Theorem 6.10. For any $s$, $2 \le s \le m$, and $\zeta > 0$, the folded cyclotomic code $C \subseteq (\mathbb{F}_q^m)^N$ defined in (5.8) can be list decoded in time $(Nm)^{O(1)} (s/\zeta)^{O(s)} + q^{O(Ds)}$ from a fraction $\rho$ of errors, where
(6.4) $$\rho = 1 - (1+\zeta) \Big(\frac{R_0 m}{m-s+1}\Big)^{1-1/s} \Big(1 + \frac{d}{2 R_0 r}\Big)$$
and $R_0 = k/n$ is the rate of the code. The size of the output list is at most $q^{Ds}$. The decoding algorithm assumes a polynomial amount of pre-processed information consisting of basis functions $\{\phi_1, \ldots, \phi_k\}$ for the message space $L(\ell M')$ represented in the form (5.1).
(Note that this is the same representation used for encoding, and it is succinct by Lemma 5.3.)

Proof. We first note that the bound on the fraction of errors follows from Theorem 6.4, and the fact that $k = R_0 n = R_0 N m = R_0 b r$. By Lemma 6.1 and its proof, in Step 1 of the algorithm we can find a nonzero polynomial $Q$ (of degree $< q^D$) such that for any $f \in L(\ell M')$ that needs to be output by the list decoder, we must have $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$. We can evaluate the basis functions $\phi_i$ at $P_j^{(\beta)}$ in $(\ell q^d)^{O(1)}$ time by Lemma 5.4, and with this information, the running time of this interpolation step can be bounded by $(Nm)^{O(1)}(w+s)^{O(s)} = (Nm)^{O(1)}(s/\zeta)^{O(s)}$ (since $w = O(s/\zeta)$). We can also efficiently compute the evaluations of $\phi_i$ at $A'$ in the representation suggested by Lemma 6.9. Therefore, by Lemma 6.8, we can then find a list of the at most $q^{Ds}$ functions $f$ satisfying $Q(f, \sigma_A(f), \ldots, \sigma_A^{s-1}(f)) = 0$ in $q^{O(Ds)}$ time.

Remark 6.11 (List recovery). A similar claim holds for the more general list recovery problem, where for each position we are given as input a set of up to $l$ elements of $\mathbb{F}_q^m$, and the goal is to find all codewords which agree with some element of the input sets for at least a fraction $(1-\rho)$ of positions. In this case, $1 - \rho$ only needs to be a factor $l^{1/s}$ larger than the bound (6.4). By picking $s \gg l$, the effect of $l$ can be made negligible. This feature is very useful in concatenation schemes; see Section 7.1 and [6] for further details.

7. Long codes achieving list decoding capacity

We now describe the parameter choices which lead to capacity-achieving list-decodable codes, i.e., codes of rate $R_0$ that can correct a fraction $1 - R_0 - \varepsilon$ of errors (for any desired $0 < R_0 < 1$), and whose alphabet size is polylogarithmic in the block length; the formal statement appears in Theorem 7.1 below. (Recall that for folded RS codes, the alphabet size is a large polynomial in the block length.) Using concatenation and expander-based ideas, Guruswami and Rudra [6] also present capacity-achieving codes over a fixed alphabet size (that depends on the distance $\varepsilon$ to capacity alone). The advantage of our codes is that they inherit strong list recovery properties similar to the folded RS codes (Remark 6.11). This is very useful in concatenation schemes, and indeed our codes can be used as outer codes for an explicit family of binary concatenated codes list-decodable up to the Zyablov radius, with no brute-force search for the inner code (see Section 7.1 below).

We now describe our main result on how to obtain the desired codes from the construction $C$ and Theorem 6.10. The underlying parameter choices to achieve this require a fair bit of care.

Theorem 7.1 (Main). For every $R_0$, $0 < R_0 < 1$, and every constant $\varepsilon > 0$, the following holds for infinitely many integers $q$ which are powers of two. There is a code of rate at least $R_0$ over an alphabet of size $q$ with block length $N \ge 2^{q^{\Omega(\varepsilon^2/\log(1/R_0))}}$ that can be list decoded up to a fraction $1 - R_0 - \varepsilon$ of errors in time bounded by $\big(N \log(1/R_0)/\varepsilon^2\big)^{O(1/(R_0 \varepsilon)^2)}$.

Proof. Suppose $R_0$, $0 < R_0 < 1$, and $\varepsilon > 0$ are given. Let $c = 2\lfloor 10/(R_0 \varepsilon) \rfloor + 1$, and let $\varphi(c)$ denote Euler's totient function of $c$. Let $u \ge 1$ be an arbitrary integer; we will get a family of codes by varying $u$.
The code we construct will be a folded cyclotomic code $C$ defined in Eq. (5.8). Let $x = \varphi(c) u$. Note that $2^x \equiv 1 \pmod c$. We first pick $q, r, d$ as follows: $r = 2^x$, $q = r^2$, and $d = (2^x - 1)/c$. For this choice, $d \mid r - 1$ and $(q-1)/(r-1) = r + 1$ is coprime to $d$, as required in Lemma 4.1. So we can take $M(T) = T^d - \gamma \in \mathbb{F}_r[T]$ for $\gamma$ primitive in $\mathbb{F}_r$ as the irreducible polynomial over $\mathbb{F}_q$. For the above choice $d/r < 1/c \le \varepsilon R_0/20$, so that $\frac{d}{2R_0 r} < \frac{\varepsilon}{10}$. By picking $s = \Theta(\varepsilon^{-1} \log(1/R_0))$, $m = \Theta(s/\varepsilon)$, and $\zeta = \varepsilon/20$, we can ensure that the decoding radius $\rho$ guaranteed in Eq. (6.4) by Theorem 6.10 is at least $1 - (1+\varepsilon)R_0$. The degree $b$ of the extension $E/F$ (Eq. (4.1)) is given by $b = \frac{r^d + 1}{r + 1}$. The length of the unfolded cyclotomic code $C_0$ (defined in (5.7)) equals $n = rb \ge r^d/2$. We need to ensure that the rate of $C_0$, which is equal to the rate of the folded cyclotomic code $C$, is at least $R_0$. To this end, we will pick
(7.1) $$\ell = \frac{b}{2} + \frac{R_0 r b}{d}.$$
It is easily checked that for our choice of parameters $\ell \ge b$. By Lemma 5.5, the rate of $C_0$ equals $\frac{d(\ell - (b-1)/2)}{rb}$, which is at least $R_0$ for the above choice of $\ell$.

We next pick the value of $D$, the degree of the irreducible $A$, which is the key quantity governing the list size and decoding complexity. We need $D > \ell d/b$. For the $\ell$ chosen above, this condition is surely met if $D > 2r$. But there must also be an irreducible $A$ of degree $D$ that is a primitive root modulo $M$. Since we know the Riemann hypothesis for function fields, there is an effective Dirichlet theorem on the density of irreducibles in arithmetic progressions (see [18, Thm 4.8]). This implies that when $D \gg 2d$, such a polynomial $A$ must exist (in fact about a $\frac{\varphi(q^d-1)}{D(q^d-1)}$ fraction of degree $D$ polynomials satisfy the needed property).
W e can th us pic k D = Θ( r ) = Θ( dc ) = Θ( d/ ( R 0 ε )) . The ru nning time of the list decod ing algorithm is dominated by the q O ( Ds ) term, and for the ab o v e c hoice of parameters can b e b oun ded by q O ( d/ ( R 0 ε ) 2 ) . T he b lock length of the co de N satisfies N = n m > r d 2 m = q d/ 2 2 m = Ω ε 2 q d/ 2 log(1 /R 0 ) ! . As a function of N , the deco ding complexity is therefore b oun ded b y ( N log(1 /R 0 ) /ε 2 ) O (1 / ( R 0 ε ) 2 ) . The alphab et size of the folded cyclotomic co de is q = q m , and we can b ound the block length N from b elo w as a f unction of q as: N > q d/ 2 2 m > q Ω( r/c ) 2 m > q Ω( εR 0 √ q ) 2 m > 2 √ q (for large enough q compared to 1 /R 0 , 1 /ε ) = 2 q 1 / (2 m ) > 2 q Ω( ε 2 / l og(1 /R 0 ))) . This establishes the claimed lo w er b ound on blo c k length, and completes the pro of of the theorem. 7.1. C oncatenated co des list-deco dable up to Zyablo v radius. Using the str ong list reco v ery p rop ert y of folded R S co des, a p olynomial time construction of binary co des list- deco dable u p to the Zy ablo v radiu s wa s giv en in [ 6 , Thm 5.3]. The constru ction u sed folded RS co d es as outer co des in a concatenation sc heme, and inv olv ed an un d esirable brute-force searc h to find a binary inner cod e that achiev es list d eco ding capacit y . The time to co nstruct the co de grew faster th an N Ω(1 /ε ) where ε is the distance of the decod ing radius to the Zy ablo v radius. This resu lt as we ll as our r esu lt b elo w hold not only for b inary cod es but also co des o v er an y fixed alphab et; for sak e of clarit y , w e state resu lts only for binary co des. Since the folded cyclotomic co des from Theorem 7.1 are muc h longer than the alphab et size, b y using them as outer co des, it is p ossible to ac hiev e a similar result w ithout having to searc h for an inner co de, by using as inner co des al l p ossible binary line ar c o des of a certain rate! Theorem 7.2. 
Let $0 < R_0, r < 1$ and $\varepsilon > 0$. Let $C$ be a folded cyclotomic code guaranteed by Theorem 7.1 with rate at least $R_0$ and a large enough block length $N$. Let $C^*$ be a binary code obtained by concatenating $C$ with all possible binary linear maps of rate $r$ (each one used a roughly equal number of times). Then $C^*$ is a binary linear code of rate at least $R_0 \cdot r$ that can be list decoded from a fraction $(1 - R_0) H^{-1}(1 - r) - \varepsilon$ of errors in $N^{(1/\varepsilon)^{O(1)}}$ time.

We briefly discuss the idea behind proving the above claim. As the alphabet size of folded cyclotomic codes is polylogarithmic in $N$, each outer codeword symbol can be expressed using $O_\varepsilon(\log \log N)$ bits. Hence the total number of such inner codes $S$ will be at most $2^{O_\varepsilon((\log \log N)^2)} \ll N$ for large enough $N$. The $N$ outer codeword positions will be partitioned into $S$ (roughly) equal parts in an arbitrary way, and each inner code used to encode all the outer codeword symbols in one of the parts. Most of the inner codes achieve list decoding capacity: if their rate is $r$, they can list decode an $H^{-1}(1-r) - \varepsilon$ fraction of errors with constant sized lists (of size $2^{O(1/\varepsilon)}$). This suffices for analyzing the standard algorithm for decoding concatenated codes (namely, list decode the inner codes to produce a small set of candidate symbols for each position, and then list recover the outer code based on these sets). Arguing as in [6, Thm 5.3], we can thus prove Theorem 7.2.

Acknowledgments

Many thanks to Dinesh Thakur for several illuminating discussions about Carlitz-Hayes theory and cyclotomic function fields. I thank Dinesh Thakur and Greg Anderson for helping me with the proof of Lemma 5.3. Thanks to Andrew Granville for pointing me to Dirichlet's theorem for polynomials.

References

[1] L. Carlitz. A class of polynomials. Trans. Amer. Math. Soc., 43:167–182, 1938.
[2] G. Frey, M. Perret, and H. Stichtenoth. On the different of abelian extensions of global fields. In Coding Theory and Algebraic Geometry, volume 1518 of Lecture Notes in Mathematics, pages 26–32. Springer, Berlin/Heidelberg, 1992.
[3] A. Garcia and H. Stichtenoth. A tower of Artin-Schreier extensions of function fields attaining the Drinfeld-Vlăduţ bound. Inventiones Mathematicae, 121:211–222, 1995.
[4] A. Garcia and H. Stichtenoth. On the asymptotic behavior of some towers of function fields over finite fields. Journal of Number Theory, 61(2):248–273, 1996.
[5] V. Guruswami and A. Patthak. Correlated algebraic-geometric codes: Improved list decoding over bounded alphabets. Mathematics of Computation, 77(261):447–473, 2008.
[6] V. Guruswami and A. Rudra. Explicit codes achieving list decoding capacity: Error-correction with optimal redundancy. IEEE Transactions on Information Theory, 54(1):135–150, 2008.
[7] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and algebraic-geometric codes. IEEE Transactions on Information Theory, 45:1757–1767, 1999.
[8] V. Guruswami and M. Sudan. On representations of algebraic-geometry codes. IEEE Transactions on Information Theory, 47(4):1610–1613, 2001.
[9] D. R. Hayes. Explicit class field theory for rational function fields. Trans. Amer. Math. Soc., 189:77–91, March 1974.
[10] M.-D. Huang and A. K. Narayanan. Folded algebraic geometric codes from Galois extensions. Personal communication, 2008.
[11] J. Justesen. A class of constructive asymptotically good algebraic codes. IEEE Transactions on Information Theory, 18:652–656, 1972.
[12] R. Lidl and H. Niederreiter. Introduction to Finite Fields and their Applications. Cambridge University Press, Cambridge, MA, 1986.
[13] D. A. Marcus. Number Fields. Springer-Verlag, New York Inc., 1977.
[14] H. Niederreiter and C. P. Xing. Explicit global function fields over the binary field with many rational places. Acta Arithmetica, 75:383–396, 1996.
[15] H. Niederreiter and C. P. Xing. Cyclotomic function fields, Hilbert class fields and global function fields with many rational places. Acta Arithmetica, 79:59–76, 1997.
[16] F. Parvaresh and A. Vardy. Correcting errors beyond the Guruswami-Sudan radius in polynomial time. In Proceedings of the 43rd Annual Symposium on Foundations of Computer Science (FOCS), pages 285–294, 2005.
[17] H.-G. Quebbemann. Cyclotomic Goppa codes. IEEE Trans. Info. Theory, 34:1317–1320, 1988.
[18] M. Rosen. Number Theory in Function Fields. Springer-Verlag New York, Inc., 2002.
[19] G. D. V. Salvador. Topics in the Theory of Algebraic Function Fields. Birkhäuser, Boston, 2006.
[20] B.-Z. Shen. A Justesen construction of binary concatenated codes that asymptotically meet the Zyablov bound for low rate. IEEE Transactions on Information Theory, 39(1):239–241, 1993.
[21] H. Stichtenoth. Algebraic Function Fields and Codes. Springer, Berlin, 1993.
[22] H. Stichtenoth. Transitive and self-dual codes attaining the Tsfasman-Vladut-Zink bound. IEEE Transactions on Information Theory, 52(5):2218–2224, 2006.
[23] M. Sudan. Decoding of Reed-Solomon codes beyond the error-correction bound. Journal of Complexity, 13(1):180–193, 1997.

Appendix A. Table of parameters used

Since the construction of the cyclotomic function field and the associated error-correcting code used a large number of parameters, we summarize them below for easy reference.
We begin by recalling the parameters concerning the function field construction:

$q$: size of the ground finite field
$r$: size of the subfield $\mathbb{F}_r \subset \mathbb{F}_q$
$F$: the field $\mathbb{F}_q(T)$ of rational functions
$R_T$: the ring of polynomials $\mathbb{F}_q[T]$
$P_\infty$: the place of $F$ that is the unique pole of $T$
$M$: polynomial $T^d - \gamma \in \mathbb{F}_r[T]$, irreducible over $\mathbb{F}_q$
$d$: degree of the irreducible polynomial $M$
$C_M$: the Carlitz action corresponding to $M$
$\Lambda_M$: the $M$-torsion points in $F^{ac}$ under the action $C_M$
$K$: the cyclotomic function field $F(\Lambda_M)$
$\lambda$: nonzero element of $\Lambda_M$ that generates $K$ over $F$; $K = F(\lambda)$
$G$: the Galois group of $K/F$, naturally isomorphic to $(R_T/(M))^*$
$H$: the subgroup $\mathbb{F}_q^* \cdot \mathbb{F}_r[T]$ of $G$
$E$: the fixed field $K^H$ of $H$
$\mu$: primitive element for $E/F$; $E = F(\mu)$
$b$: the degree $[E : F]$ of the extension $E/F$
$g$: the genus of $E/F$, equals $d(b-1)/2 + 1$

The construction of the code $C_0$ (Eqn. (5.7)) and its folded version $C$ (Eqn. (5.8)) used further parameters, listed below:

$M'$: the unique place of $E$ lying above $M$
$\ell$: maximum pole order at $M'$ of message functions; $\ell > b$
$\mathcal{L}(\ell M')$: $\mathbb{F}_q$-linear space of messages of the codes
$n$: block length of $C_0$, $n = br$
$k$: dimension of the $\mathbb{F}_q$-linear code $C$, $k = \ell d - g + 1$
$m$: folding parameter
$N$: block length of folded code $C$, $N = n/m$
$P_j^{(\beta)}$: for $\beta \in \mathbb{F}_r$ and $0 \le j < b$, these are the rational places lying above $T - \beta$ in $E$
$A$: an irreducible polynomial (place of $F$) that remains inert in $E/F$
$D$: the degree of the polynomial $A$; satisfies $Db > \ell d$
$\sigma_A$: the Artin automorphism of the extension $E/F$ at $A$
$A'$: the unique place of $E$ lying above $A$

Appendix B. Algebraic preliminaries

We review some basic background material concerning global fields and their extensions. The term global field refers to either a number field, i.e., a finite extension of $\mathbb{Q}$, or the function field $L$ of an algebraic curve over a finite field, i.e., a finite extension of $F = \mathbb{F}_q(T)$.
While we are only interested in the latter, much of the theory applies in a unified way to both settings. Good references for this material are the texts by Marcus [13] and Stichtenoth [21].

B.1. Valuations and Places. A subring $X$ of $L$ is said to be a valuation ring if for every $z \in L$, either $z \in X$ or $z^{-1} \in X$. Each valuation ring is a local ring, i.e., it has a unique maximal ideal. The set of places of $L$, denoted $\mathbb{P}_L$, is the set of maximal ideals of all the valuation rings of $L$. Geometrically, this corresponds to the set of all (non-singular) points on the algebraic curve corresponding to $L$. The valuation ring corresponding to a place $P$ is called the ring of regular functions at $P$ and is denoted $\mathcal{O}_P$. Associated with a place $P$ is a valuation $v_P : L \to \mathbb{Z} \cup \{\infty\}$ that measures the order of zeros or poles of a function at $P$; a negative valuation implies the function has a pole at $P$ (by convention we set $v_P(0) = \infty$). In terms of $v_P$, we have $\mathcal{O}_P = \{x \in L \mid v_P(x) \ge 0\}$ and $P = \{x \in L \mid v_P(x) > 0\}$. The valuation $v_P$ satisfies $v_P(xy) = v_P(x) + v_P(y)$ and the triangle inequality $v_P(x + y) \ge \min\{v_P(x), v_P(y)\}$ (and equality holds if $v_P(x) \neq v_P(y)$). The quotient $\mathcal{O}_P/P$ is a field since $P$ is a maximal ideal, and it is called the residue field at $P$. The residue field $\mathcal{O}_P/P$ is a finite extension field of $\mathbb{F}_q$; the degree of this extension is called the degree of $P$. We will also sometimes use the terminology primes to refer to places; the terms primes and places will be used interchangeably.

B.2. Decomposition of primes in Galois extensions. We now discuss how primes decompose in field extensions. Let $K/L$ be a finite, separable extension of global fields of degree $[K : L] = n$. We will restrict our attention to Galois extensions. Let $P$ be a place of $L$.
Let $\mathcal{O}'_P$ be the integral closure of $\mathcal{O}_P$ in $K$, i.e., the set of all $z \in K$ which satisfy a monic polynomial equation with coefficients in $\mathcal{O}_P$. The ideal $P\mathcal{O}'_P$ can be written as the product of prime ideals of $\mathcal{O}'_P$ as $P\mathcal{O}'_P = (P_1 P_2 \cdots P_r)^e$. Here $P_1, P_2, \ldots, P_r$ are said to be the places of $K$ lying above $P$ (and $P$ is said to lie below each $P_i$). One has the equality $P_i \cap L = P$ for every $i$. The ring $\mathcal{O}'_P$ is in fact the intersection of $\mathcal{O}_{P_i}$ for $i = 1, 2, \ldots, r$. The quantity $e$ is called the ramification index, and when $e = 1$, $P$ (as well as the $P_i$) are said to be unramified. For $x \in L$, one has $v_{P_i}(x) = e \cdot v_P(x)$. The residue field $\mathcal{O}_{P_i}/P_i$ is a finite extension of $\mathcal{O}_P/P$; the degree $f$ of this extension is called the inertia degree of $P$. The ramification index $e$, inertia degree $f$, and number $r$ of primes above $P$ satisfy $efr = n = [K : L]$. If $e = n$ and $f = r = 1$, the prime $P$ is said to be totally ramified. If $r = n$ and $e = f = 1$, the prime $P$ is said to split completely. If $f = n$ and $e = r = 1$, the prime $P$ is said to be inert.

B.3. Galois action on primes and the Artin automorphism. The Galois group $G = \mathrm{Gal}(K/L)$ acts transitively on the primes $P_1, P_2, \ldots, P_r$ of $K$ lying above $P \in \mathbb{P}_L$. For each $P_i$, there is a subgroup $D(P_i \mid P) \subseteq G$ that fixes $P_i$; this is called the decomposition group of $P_i$. It is known that the decomposition group is isomorphic to the Galois group of the finite field extension $(\mathcal{O}_{P_i}/P_i)/(\mathcal{O}_P/P)$ of the residue fields. Note that the latter group is cyclic and generated by the Frobenius automorphism $\mathrm{Frob}$ mapping $x \mapsto x^q$. The element of $D(P_i \mid P)$ corresponding to $\mathrm{Frob}$ is called the Artin automorphism $A(P_i \mid P)$ of $P_i$ over $P$.
When $G$ is abelian (which covers the cases we are interested in), the decomposition group $D(P_i \mid P)$ and the Artin automorphism $A(P_i \mid P)$ are the same for every $P_i$, and they depend only on the prime $P$ below. Denote the Artin automorphism at $P$ by $A_P$. This has the following important property: $A_P(x) \equiv x^{\|P\|} \pmod{P_i}$ for every $x \in \mathcal{O}'_P$ and every prime $P_i$ lying above $P$. If $P$ is unramified, then $A_P$ is the only element of $G$ with this property. In the unramified case, by Chinese Remaindering the above also implies $A_P(x) \equiv x^{\|P\|} \pmod{P\mathcal{O}'_P}$ for every $x \in \mathcal{O}'_P$. Note that if $P$ is inert with a unique prime $P'$ lying above it, then $D(P' \mid P) = G$, and thus $G$ must be cyclic. Thus, only cyclic extensions can have an inert prime.

Department of Computer Science and Engineering, University of Washington. Currently visiting the Computer Science Dept., Carnegie Mellon University. Some of this work was done when the author was a member in the School of Mathematics, Institute for Advanced Study.
E-mail address: venkat@cs.washington.edu
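The valuation axioms of Appendix B.1 can be made concrete on the rational function field $F = \mathbb{F}_q(T)$, where a finite place is a monic irreducible polynomial $P$ and the one remaining place is $P_\infty$, the pole of $T$. The following Python is an added example and not part of the paper: it represents polynomials over a constructed prime field $\mathbb{F}_7$ as coefficient lists, computes $v_P$ by repeated Euclidean division and $v_{P_\infty}$ as $\deg(\text{den}) - \deg(\text{num})$, and exercises $v_P(xy) = v_P(x) + v_P(y)$, the triangle inequality together with its equality case, and the degree of a place. All function names are mine.

```python
# Added worked example (not from the paper): valuations on the rational
# function field F_p(T), as in Appendix B.1, computed by Euclidean division.
# A polynomial over F_p is a coefficient list, lowest degree first; a rational
# function x = num/den is a pair of such lists.  The prime p is constructed.
from math import inf

P_MOD = 7  # constructed choice of ground field F_7


def trim(f):
    """Reduce mod p and drop leading zeros; [] is the zero polynomial."""
    f = [c % P_MOD for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f


def deg(f):
    """Degree of f, with deg 0 = -inf."""
    f = trim(f)
    return len(f) - 1 if f else -inf


def poly_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return trim([a + b for a, b in zip(f, g)])


def poly_mul(f, g):
    f, g = trim(f), trim(g)
    if not f or not g:
        return []
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return trim(out)


def poly_divmod(f, g):
    """Euclidean division in F_p[T]: f = quot * g + rem with deg rem < deg g."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    inv_lead = pow(g[-1], -1, P_MOD)
    quot, rem = [0] * max(len(f) - len(g) + 1, 0), f
    while rem and len(rem) >= len(g):
        shift = len(rem) - len(g)
        coef = (rem[-1] * inv_lead) % P_MOD
        quot[shift] = coef
        # subtract coef * T^shift * g, which kills the leading term of rem
        rem = trim([rem[i] - coef * g[i - shift] if i >= shift else rem[i]
                    for i in range(len(rem))])
    return trim(quot), rem


def order_at(f, P):
    """Largest k with P^k | f, for a polynomial f and an irreducible P."""
    f, k = trim(f), 0
    if not f:
        return inf
    while True:
        quot, rem = poly_divmod(f, P)
        if rem:
            return k
        f, k = quot, k + 1


def v_place(x, P):
    """v_P(num/den) at the finite place P (monic irreducible): zeros count
    positively, poles negatively, and v_P(0) = infinity by convention."""
    num, den = x
    if not trim(den):
        raise ZeroDivisionError("zero denominator")
    if not trim(num):
        return inf
    return order_at(num, P) - order_at(den, P)


def v_infinity(x):
    """Valuation at P_inf, the unique pole of T: v_inf(num/den) = deg den - deg num."""
    num, den = x
    if not trim(den):
        raise ZeroDivisionError("zero denominator")
    if not trim(num):
        return inf
    return deg(den) - deg(num)


def place_degree(P):
    """Degree of the place P: [F_p[T]/(P) : F_p] = deg P."""
    return deg(P)


def rf_mul(x, y):
    return (poly_mul(x[0], y[0]), poly_mul(x[1], y[1]))


def rf_add(x, y):
    return (poly_add(poly_mul(x[0], y[1]), poly_mul(y[0], x[1])),
            poly_mul(x[1], y[1]))


if __name__ == "__main__":
    T = [0, 1]        # the polynomial T
    Q = [1, 0, 1]     # T^2 + 1, irreducible over F_7 since -1 is a non-square mod 7
    x = (T, Q)        # T / (T^2 + 1)
    y = (poly_mul(Q, Q), poly_mul(T, poly_mul(T, T)))  # (T^2 + 1)^2 / T^3
    for name, P in (("T", T), ("T^2+1", Q)):
        print(f"v_{name}: x -> {v_place(x, P)}, y -> {v_place(y, P)}, "
              f"xy -> {v_place(rf_mul(x, y), P)}, x+y -> {v_place(rf_add(x, y), P)}")
    print("v_inf(x) =", v_infinity(x), "; degree of the place T^2+1 =", place_degree(Q))
```

The place $T^2 + 1$ has degree 2, so its residue field is $\mathbb{F}_{49}$, while $T$ and $P_\infty$ are degree-one places; the sum $1/T + (T - 1)/T = 1$ shows why the triangle inequality is only an inequality when the two valuations coincide.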