Linear-algebraic list decoding of folded Reed-Solomon codes

Folded Reed-Solomon codes are an explicit family of codes that achieve the optimal trade-off between rate and error-correction capability: specifically, for any $\varepsilon > 0$, the author and Rudra (2006,08) presented an $n^{O(1/\varepsilon)}$ time algorithm to…

Authors: Venkatesan Guruswami

Venkatesan Guruswami∗
Computer Science Department
Carnegie Mellon University
Pittsburgh, PA 15213

Abstract

Folded Reed-Solomon codes are an explicit family of codes that achieve the optimal trade-off between rate and error-correction capability: specifically, for any $\varepsilon > 0$, the author and Rudra (2006,08) presented an $n^{O(1/\varepsilon)}$ time algorithm to list decode appropriate folded RS codes of rate $R$ from a fraction $1 - R - \varepsilon$ of errors. The algorithm is based on multivariate polynomial interpolation and root-finding over extension fields. It was noted by Vadhan that interpolating a linear polynomial suffices if one settles for a smaller decoding radius (but still enough for a statement of the above form). Here we give a simple linear-algebra based analysis of this variant that eliminates the need for the computationally expensive root-finding step over extension fields (and indeed any mention of extension fields). The entire list decoding algorithm is linear-algebraic, solving one linear system for the interpolation step, and another linear system to find a small subspace of candidate solutions. Except for the step of pruning this subspace, the algorithm can be implemented to run in quadratic time.

The theoretical drawback of folded RS codes is that both the decoding complexity and proven worst-case list-size bound are $n^{\Omega(1/\varepsilon)}$. By combining the above idea with a pseudorandom subset of all polynomials as messages, we get a Monte Carlo construction achieving a list size bound of $O(1/\varepsilon^2)$ which is quite close to the existential $O(1/\varepsilon)$ bound (however, the decoding complexity remains $n^{\Omega(1/\varepsilon)}$).
Our work highlights that constructing an explicit subspace-evasive subset that has small intersection with low-dimensional subspaces — an interesting problem in pseudorandomness in its own right — could lead to explicit codes with better list-decoding guarantees.

∗ Research supported in part by a Packard Fellowship and NSF grants CCF-0953155 and CCF-0963975. Email: guruswami@cmu.edu. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

1 Introduction

Reed-Solomon (RS) codes are an important family of error-correcting codes with many applications in theory and practice. An $[n, k]_q$ RS code over the field $\mathbb{F}_q$ with $q$ elements encodes polynomials $f \in \mathbb{F}_q[X]$ of degree at most $k-1$ by its evaluations at $n$ distinct elements from $\mathbb{F}_q$. The encodings of any two distinct polynomials differ on at least $n-k+1$ positions, which bestows the RS code with an error-correction capability of $(n-k)/2$ worst-case errors. Classical algorithms, the first one due to Peterson [20] over 50 years ago, are able to decode such a RS code from up to $(n-k)/2$ errors (i.e., a fraction $(1-R)/2$ of errors where $R = k/n$ is the rate of the code) in polynomial time.

Decoding beyond the radius $(1-R)/2$ is not possible if the decoder is required to always identify the correct message unambiguously. However, allowing the decoder to output a small list in the worst-case enables decoding well beyond this bound. This notion is called list decoding, and has been an actively researched topic in the last decade. It has found many applications in complexity theory and pseudorandomness (see [23, 24, 26] for some surveys) beyond its direct relevance to error-correction and communication.
For RS codes, Sudan [22] gave a list decoding algorithm to decode beyond the $(1-R)/2$ radius for rates $R < 1/3$. For rates $R \to 0$, the algorithm could correct a fraction of errors approaching $1$, a remarkable feature that led to many complexity-theoretic applications. The author and Sudan [14] improved the error-correction radius to $1 - \sqrt{R}$, matching the so-called “Johnson radius,” which is the a priori lower bound on list-decoding radius of a code as a function of its distance alone. This result improved upon the traditional $(1-R)/2$ bound for all rates. The $1 - \sqrt{R}$ bound remains the best error-correction radius achievable to date for list decoding RS codes.

A standard random coding argument, however, shows the existence of rate $R$ codes $C \subseteq \Sigma^n$ list-decodable even up to radius $1 - R - \varepsilon$. Specifically, $C$ has the combinatorial property that for every $y \in \Sigma^n$, there are at most $L = O(1/\varepsilon)$ codewords of $C$ within Hamming distance $(1 - R - \varepsilon)n$ from $y$. Here $\varepsilon > 0$ can be an arbitrarily small constant. The quantity $L$ is referred to as the list-size. Note that $1 - R$ is a clear information-theoretic limit for error-correction, since at least $\approx Rn$ received symbols must be correct to have any hope of recovering the $Rn$ message symbols.

A few years back the author and Rudra, building upon the work of Parvaresh and Vardy [19], gave an explicit construction of codes of rate $R$ which are list-decodable in polynomial time up to radius $1 - R - \varepsilon$, with a list-size of $n^{O(1/\varepsilon)}$ [13]. These codes were a “folded” version of Reed-Solomon codes, defined below.

Definition 1 ($m$-folded Reed-Solomon code). Let $\gamma \in \mathbb{F}_q$ be a primitive element of $\mathbb{F}_q$. Let $n \le q - 1$ be a multiple of $m$, and let $1 \le k < n$ be the degree parameter.
The folded Reed-Solomon (FRS) code $\mathrm{FRS}_q^{(m)}[n, k]$ is a code over alphabet $\mathbb{F}_q^m$ that encodes a polynomial $f \in \mathbb{F}_q[X]$ of degree $k-1$ as¹

$$ f(X) \mapsto \left( \begin{bmatrix} f(1) \\ f(\gamma) \\ \vdots \\ f(\gamma^{m-1}) \end{bmatrix}, \begin{bmatrix} f(\gamma^{m}) \\ f(\gamma^{m+1}) \\ \vdots \\ f(\gamma^{2m-1}) \end{bmatrix}, \ldots, \begin{bmatrix} f(\gamma^{n-m}) \\ f(\gamma^{n-m+1}) \\ \vdots \\ f(\gamma^{n-1}) \end{bmatrix} \right). \tag{1} $$

¹ The actual code depends also on the choice of the primitive element $\gamma$. But the results hold for any choice of primitive $\gamma$, so for notational convenience we suppress the dependence on $\gamma$ and assume some canonical choice of $\gamma$ is fixed.

Observe that the FRS code has block length $N = n/m$ and rate $R = k/n$ (equal to the rate of the original, unfolded Reed-Solomon code, which corresponds to the choice $m = 1$). For any integer $s$, $1 \le s \le m$, a list decoding algorithm for the above FRS codes for a fraction $\approx 1 - \left(\frac{mR}{m-s+1}\right)^{s/(s+1)}$ of errors is presented in [13], with decoding complexity $q^{O(s)}$ and list-size $q^s$. The result of [13] can also be viewed as a better algorithm for decoding Reed-Solomon codes when the errors occur in bursts, since the evaluation points of the RS encoding are usually ordered as powers of $\gamma$ for some primitive $\gamma$.

For suitably large constants $s, m$ depending on $\varepsilon$, the above list decoding radius for FRS codes exceeds $1 - R - \varepsilon$. However, the list-size bound then becomes $n^{\Omega(1/\varepsilon)}$ which has a rather poor dependence on the distance $\varepsilon$ to the optimal trade-off. Improving the list-size is therefore an important open question. Recall that existentially a list-size as small as $O(1/\varepsilon)$ is possible.

The decoding algorithms in [19, 13] consist of two steps (see Section 2.1 for more details): (i) multivariate polynomial interpolation (to find an algebraic equation that candidate message polynomials $f$ must satisfy), and (ii) solving this equation via root-finding over extension fields.
The interpolation step reduces to finding a nonzero solution to a homogeneous linear system, and theoretically the second step is the computationally more expensive one.

Vadhan showed recently that a weaker decoding radius (which however still suffices to list decode up to radius $1 - R - \varepsilon$) can be achieved by a simplified interpolation step that only interpolates a degree $1$ multivariate polynomial [25]. Further, there is no need to use multiplicities in the interpolation as in the earlier algorithms [14, 19, 13].² This offers a clean and simple exposition of a list decoding algorithm for FRS codes (that can be viewed as a multidimensional version of the Welch-Berlekamp decoder for RS codes) for a fraction $\approx \frac{s}{s+1}\left(1 - \frac{mR}{m-s+1}\right)$ of errors [10] (see Section 2.2). The second root-finding step of the decoder, however, remained unchanged.

Contributions of this work. Here, we note that this Welch-Berlekamp style “degree 1” list decoder, not only offers a simpler exposition, but also offers some promising advantages. Our starting point is the simple observation that in this case the candidate solutions to the algebraic equation form an affine subspace (of the full message space $\mathbb{F}_q^k$). This implies that the second step of the list decoding can also be tackled by solving a linear system! By inspecting the structure of this linear system, we give an elementary linear-algebraic proof (Lemma 6) that the subspace of solutions has dimension at most $s-1$, a fact that was earlier proved by root counting over extension fields in [13, 25]. This shows that the exponential dependence in $s$ of the list-size bound was inherently because of the dimension of the interpolation (and it wasn’t crucial that we had the identity $f(\gamma^{s-1}X) = f(X)^{q^{s-1}}$ over some extension field³).
The linear-algebraic proof also gives a quadratic time algorithm to find a basis for the subspace (instead of the cubic time of Gaussian elimination). This leads to a quadratic runtime for the list decoder, except for the final step of pruning the subspace to actually find the close-by codewords (formal statement in Theorem 7). This pruning step needs to check each element of the subspace and thus unfortunately could still take $q^s$ time. However, in practice (or when errors occur randomly), the dimension of the output subspace will likely be very small, probably even $0$ (implying a unique solution), and in such cases we get significant gains in efficiency compared to [13].

² However, the method of multiplicities is still crucial if one wants a soft-decision list decoder, which, at least for Reed-Solomon codes, has been a very influential development [17], with many subsequent papers looking at practical decoding architectures.

³ This identity, however, seems to be the only known way to bound the list-size when higher degrees are used in the interpolation.

Better list-size via subspace-evasive sets. Our second contribution is to exploit the subspace structure of the candidate solutions to improve the list-size bound. The idea is to restrict the coefficient vectors of the message polynomial to a large “subspace-evasive” subset that has small intersection with subspaces of low dimension. Subspace-evasive sets seem like fundamental combinatorial objects interesting in their own right. They are related to affine extractors, and also have applications to constructing bipartite Ramsey graphs [21]. As one would expect, a random set has excellent subspace-evasiveness, but finding good explicit constructions is wide open. Our application to list decoding in this work provides another motivation for the interesting problem of constructing subspace-evasive sets.
Using a pseudorandom construction of subspace-evasive subsets (in fact, algebraic varieties) based on limited independence, we give a Monte Carlo construction (succeeding with high probability) of rate $R$ codes list-decodable up to a fraction $1 - R - \varepsilon$ of errors with a list-size of $O(1/\varepsilon^2)$ (Theorem 10 gives the exact statement). Due to the pruning step, the worst-case runtime is however still $n^{\Omega(1/\varepsilon)}$. Nevertheless, this is the first construction with a better than $n^{\Omega(1/\varepsilon)}$ list-size for decoding up to the information-theoretic limit of $1 - R - \varepsilon$ fraction of errors. For this construction, we do not know a polynomial time computable encoding function that maps messages to polynomials in the subspace-evasive subset. However, if we settle for a list-size of $O(n)$ — still much better than the earlier $n^{\Omega(1/\varepsilon)}$ bound — a polynomial time encoder can also be obtained. We stress that only our code construction is randomized, and once it succeeds (which happens w.h.p.), the list decoding properties hold for every received word and the encoding and list decoding procedures run in deterministic polynomial time.

Organization. We describe the list decoding algorithm for FRS codes and our linear-algebraic analysis of it in Section 2. We make some related remarks about the linear algebra approach in Section 3. We use subspace-evasive sets to give our Monte Carlo construction of codes achieving list decoding capacity with improved list-size in Section 4.

2 List decoding folded Reed-Solomon codes

Suppose a codeword of the $m$-folded RS code (Definition 1) was transmitted and we received a string in $y \in (\mathbb{F}_q^m)^N$ which we view as an $m \times N$ matrix over $\mathbb{F}_q$:

$$ \begin{pmatrix} y_0 & y_m & \cdots & y_{n-m} \\ y_1 & y_{m+1} & \cdots & y_{n-m+1} \\ y_2 & y_{m+2} & \cdots & \vdots \\ \vdots & \vdots & & \vdots \\ y_{m-1} & \cdots & \cdots & y_{n-1} \end{pmatrix} \tag{2} $$

We would like to recover a list of all polynomials $f \in \mathbb{F}_q[X]$ of degree $k-1$ whose folded RS encoding (1) agrees with $y$ in at least $N - e$ columns, for some error bound $e$. Note that an agreement means that all $m$ values in that particular column match. The following theorem is from [13].

Theorem 2. For every integer $s$, $1 \le s \le m$ and any constant $\delta > 0$, there is a list decoding algorithm for the folded Reed-Solomon code $\mathrm{FRS}_q^{(m)}[n, k]$ that list decodes from up to $e$ errors as long as

$$ e \le N - (1 + \delta)\,\frac{\left(k^s N (m - s + 1)\right)^{1/(s+1)}}{m - s + 1} $$

where $N = n/m$ is the block length of the code. The algorithm runs in $(O_\delta(q))^{O(s)}$ time and outputs a list of size at most $q^s$.

Note that the fraction of errors corrected by this algorithm as a function of the rate $R = k/n = k/(Nm)$ is

$$ 1 - (1 + \delta)\left(\frac{mR}{m - s + 1}\right)^{s/(s+1)}. \tag{3} $$

By picking $\delta \approx \varepsilon$, $s \approx 1/\varepsilon$ and $m \approx 1/\varepsilon^2$, the above quantity is at least $1 - R - \varepsilon$, and the decoding complexity and list size are $\approx q^{O(1/\varepsilon)}$.

2.1 Overview of above decoding algorithm

We briefly recap the high level structure of this decoding algorithm. The quantity $s$ is a parameter of the algorithm. In the first step, the algorithm interpolates a multivariate polynomial $Q \in \mathbb{F}_q[X, Y_1, Y_2, \ldots, Y_s]$ of low weighted degree (where the $Y_i$’s have weight $k-1$ and $X$ has weight $1$) such that, for every $i$, $0 \le i \le n - s$, $Q(X, Y_1, \ldots, Y_s)$ vanishes at $(\gamma^i, y_i, y_{i+1}, \ldots, y_{i+s-1}) \in \mathbb{F}_q^{s+1}$ with high multiplicity (related to the other parameter $\delta$ of the algorithm). This step can be accomplished by solving a homogeneous linear system over $\mathbb{F}_q$.
The degree and multiplicity parameters in the interpolation step are carefully picked to ensure the following two properties: (i) a nonzero $Q$ meeting the interpolation requirements exists, and (ii) every $f \in \mathbb{F}_q[X]$ of degree at most $(k-1)$ whose FRS encoding agrees with $y$ on at least $N - e$ places (and which, therefore, must be output by the list decoder) satisfies the functional equation $Q\left(X, f(X), f(\gamma X), \cdots, f(\gamma^{s-1}X)\right) = 0$.

In the second step of the decoder, all solutions $f$ to the above equation are found. This is done by observing that $f(\gamma X) = f(X)^q \pmod{E(X)}$ where $E(X) = (X^{q-1} - \gamma)$, and therefore $f \bmod E(X)$ can be found by finding the roots of the univariate polynomial $T(Y) = Q(X, Y, Y^q, \ldots, Y^{q^{s-1}}) \bmod E(X)$ with coefficients from $L = \mathbb{F}_q[X]/(E(X))$. The polynomial $E(X)$ is irreducible over $\mathbb{F}_q$ and therefore $L$ is an extension field. The parameter choices ensure that $T \ne 0$, and thus $T$ cannot have too many roots and these roots may all be found in polynomial time. Finally, this list is pruned to only output those polynomials whose FRS encoding is in fact close to the received word $y$.

2.2 A Welch-Berlekamp style interpolation

We will now describe a variant of the above scheme where the interpolation step will fit a non-zero “linear” polynomial $Q(X, Y_1, Y_2, \ldots, Y_s)$ (with degree $1$ in the $Y_i$’s). This can be viewed as a higher-dimensional generalization of the Welch-Berlekamp algorithm [27, 8]. This elegant version is due to Vadhan and is described in his monograph [25, Chap. 5] (and also used in the author’s lecture notes [10]). For completeness, and because it will be convenient to refer to it in the second step, we give a self-contained presentation here.
The original motivation for this variant was that it had simpler parameter choices and an easier exposition (even though the error-correction guarantee worsened, it still allowed approaching a decoding radius of $1 - R$ in the limit). In particular, it has the advantage of not requiring the use of multiplicities in the interpolation. (Essentially, the freedom to do $s$-variate interpolation for a parameter $s$ of our choosing allows us to work with simple interpolation while still gaining in error-correction radius with increasing $s$. This phenomenon also occurred in one of the algorithms in [12] for list decoding correlated algebraic-geometric codes.)

In this work, our contribution is to put the simple linear structure of the interpolated polynomial to good use and exploit it to substitute the root-finding step with a more efficient step of solving a linear system.

Given a received word as in (2) we will interpolate a nonzero polynomial

$$ Q(X, Y_1, Y_2, \ldots, Y_s) = A_0(X) + A_1(X)Y_1 + A_2(X)Y_2 + \cdots + A_s(X)Y_s \tag{4} $$

over $\mathbb{F}_q$ with the degree restrictions $\deg(A_i) \le D$ for $i = 1, 2, \ldots, s$ and $\deg(A_0) \le D + k - 1$, where the degree parameter $D$ is chosen to be

$$ D = \left\lfloor \frac{N(m - s + 1) - k + 1}{s + 1} \right\rfloor. \tag{5} $$

The number of monomials in a polynomial $Q$ with these degree restrictions equals

$$ (D + 1)s + D + k = (D + 1)(s + 1) + k - 1 > N(m - s + 1) \tag{6} $$

for the above choice (5) of $D$. The interpolation requirements on $Q \in \mathbb{F}_q[X, Y_1, \ldots, Y_s]$ are the following:

$$ Q(\gamma^{im+j}, y_{im+j}, y_{im+j+1}, \cdots, y_{im+j+s-1}) = 0 \quad \text{for } i = 0, 1, \ldots, n/m - 1,\ j = 0, 1, \ldots, m - s. \tag{7} $$

Since the number of interpolation conditions $(n/m) \cdot (m - s + 1)$ is less than the number of degrees of freedom (monomials) in $Q$, we can conclude the following. The claim about the near-linear runtime has been shown in [4] (see Proposition 5.11 in Chapter 5).
Lemma 3. A nonzero $Q \in \mathbb{F}_q[X, Y_1, \ldots, Y_s]$ of the form (4) satisfying the interpolation conditions (7) can be found by solving a homogeneous linear system over $\mathbb{F}_q$ with at most $Nm$ constraints and variables. Further this interpolation can be performed in $O(Nm \log^2(Nm) \log\log(Nm))$ operations over $\mathbb{F}_q$.

The following lemma shows that any such polynomial $Q$ gives an algebraic condition that the message polynomials $f(X)$ we are interested in list decoding must satisfy.

Lemma 4. If $f \in \mathbb{F}[X]$ is a polynomial of degree at most $k-1$ whose FRS encoding (1) agrees with the received word $y$ in at least $t$ columns for $t > \frac{D + k - 1}{m - s + 1}$, then

$$ Q(X, f(X), f(\gamma X), \ldots, f(\gamma^{s-1}X)) = 0. \tag{8} $$

Proof. Define $R(X) = Q(X, f(X), f(\gamma X), \ldots, f(\gamma^{s-1}X))$. Due to the degree restrictions on $Q$, the degree of $R(X)$ is easily seen to be at most $D + k - 1$. If the FRS encoding of $f$ agrees with $y$ in the $i$’th column (for some $i \in \{0, 1, \ldots, N-1\}$), we have

$$ f(\gamma^{im}) = y_{im},\quad f(\gamma^{im+1}) = y_{im+1},\quad \cdots,\quad f(\gamma^{im+m-1}) = y_{im+m-1}. $$

Together with the interpolation conditions (7), this implies $R(\gamma^{im+j}) = 0$ for $j = 0, 1, \ldots, m - s$. In other words $R$ picks up at least $m - s + 1$ distinct roots for each such column $i$. Thus $R$ must have at least $t(m - s + 1)$ roots in all. Since $\deg(R) \le D + k - 1$, if $t > (D + k - 1)/(m - s + 1)$, we must have $R = 0$.

For the choice of $D$ in (5), the requirement on $t$ in Lemma 4 is met if $t(m - s + 1) > \frac{N(m - s + 1) + s(k - 1)}{s + 1}$, and hence if

$$ t > \frac{N}{s+1} + \frac{s}{s+1}\,\frac{k}{m - s + 1} = N\left(\frac{1}{s+1} + \frac{s}{s+1}\,\frac{mR}{m - s + 1}\right). \tag{9} $$

In other words, the fractional agreement needed is $\frac{1}{s+1} + \frac{s}{s+1}\,\frac{mR}{m-s+1}$. Note that by the AM-GM inequality, this agreement is always higher than the agreement fraction $\left(\frac{mR}{m-s+1}\right)^{s/(s+1)}$ needed in (3).⁴ Thus this variant corrects a smaller fraction of errors.
Nevertheless, with the choice $s \approx 1/\varepsilon$ and $m \approx 1/\varepsilon^2$, the fraction of errors corrected can still exceed $1 - R - \varepsilon$. Further, as we see next, it offers some advantages when it comes to retrieving the solutions $f$ to (8).

⁴ Recall that for Reed-Solomon codes ($m = 1$) this was also exactly the case: the classical algorithms unique decoded the codeword when the agreement fraction was at least $\frac{1+R}{2}$, and the list decoding algorithm in [14] list decoded from agreement fraction $\sqrt{R}$.

2.3 Retrieving candidate polynomials $f$

By the preceding section, to complete the list decoding we need to find all polynomials $f \in \mathbb{F}_q[X]$ of degree at most $k-1$ that satisfy

$$ A_0(X) + A_1(X)f(X) + A_2(X)f(\gamma X) + \cdots + A_s(X)f(\gamma^{s-1}X) = 0. \tag{10} $$

We note the following simple but very useful fact:

Observation 5. The above is a system of linear equations over $\mathbb{F}_q$ in the coefficients $f_0, f_1, \cdots, f_{k-1}$ of the polynomial $f(X) = f_0 + f_1 X + \cdots + f_{k-1}X^{k-1}$. Thus, the solutions $(f_0, f_1, \ldots, f_{k-1})$ of (10) form an affine subspace of $\mathbb{F}_q^k$.

In particular, the above immediately gives an efficient algorithm to find a compact representation of all the solutions to (10) — simply solve the linear system! This simple observation is the starting point driving this work. We next prove that when $\gamma$ is primitive, the space of solutions has dimension at most $s-1$. Note that we already knew this by the earlier argument over the extension field $\mathbb{F}_q[X]/(X^{q-1} - \gamma)$. But it is instructive to give a direct proof of this working only over $\mathbb{F}_q$. The proof in fact works when the order of $\gamma$ is at least $k$. Further, it exposes the simple structure of the linear system which can be used to find a basis for the solutions in quadratic time.

Lemma 6.
If the order of $\gamma$ is at least $k$ (in particular when $\gamma$ is primitive), the affine space of solutions to (10) has dimension $d$ at most $s-1$. Further, one can compute using $O((Nm)^2)$ field operations over $\mathbb{F}_q$ a matrix $M \in \mathbb{F}_q^{k \times d}$ (for some $d \le s-1$) and a vector $z \in \mathbb{F}_q^k$ such that the solutions are contained in the affine space $Mx + z$ for $x \in \mathbb{F}_q^d$. Also, the matrix $M$ can be assumed to have the $d \times d$ identity matrix as a submatrix (without any extra computation).

Proof. First, by factoring out common powers of $X$ that divide all of $A_0(X), A_1(X), \ldots, A_s(X)$, we can assume that at least one $A_{i^*}(X)$ for some $i^* \in \{0, 1, \ldots, s\}$ is not divisible by $X$, and has nonzero constant term. Further, if $A_1(X), \ldots, A_s(X)$ are all divisible by $X$, then so is $A_0(X)$, so we can take $i^* > 0$.

Let us denote $A_i(X) = \sum_{j=0}^{D+k-1} a_{i,j}X^j$ for $0 \le i \le s$. (We know that the degree of $A_i(X)$ for $i \ge 1$ is at most $D$, so $a_{i,j} = 0$ when $i \ge 1$ and $j > D$, but for notational ease let us introduce these coefficients.) Define the polynomial $B(X) = a_{1,0} + a_{2,0}X + a_{3,0}X^2 + \cdots + a_{s,0}X^{s-1}$. We know that $a_{i^*,0} \ne 0$, and therefore $B \ne 0$.

We will prove our upper bound on the rank of the solution space by examining the condition that the coefficients of $X^r$ of the polynomial

$$ \Lambda(X) = A_0(X) + A_1(X)f(X) + A_2(X)f(\gamma X) + \cdots + A_s(X)f(\gamma^{s-1}X) $$

on the left hand side of (10) equals $0$ for $r = 0, 1, 2, \ldots$. The constant term of $\Lambda(X)$ equals $a_{0,0} + a_{1,0}f_0 + a_{2,0}f_0 + \cdots + a_{s,0}f_0 = a_{0,0} + B(1)f_0$. Thus if $B(1) \ne 0$, then $f_0$ is uniquely determined as $-a_{0,0}/B(1)$. If $B(1) = 0$, then $a_{0,0} = 0$ or else there will be no solutions to (10) and in that case $f_0$ can take an arbitrary value in $\mathbb{F}_q$.
The coefficient of $X^r$ of $\Lambda(X)$ equals

$$ a_{0,r} + f_r \cdot (a_{1,0} + a_{2,0}\gamma^{r} + \cdots + a_{s,0}\gamma^{(s-1)r}) + f_{r-1} \cdot (a_{1,1} + a_{2,1}\gamma^{r-1} + \cdots + a_{s,1}\gamma^{(s-1)(r-1)}) + \tag{11} $$

$$ \cdots + f_1 \cdot (a_{1,r-1} + a_{2,r-1}\gamma + \cdots + a_{s,r-1}\gamma^{s-1}) + f_0 \cdot (a_{1,r} + \cdots + a_{s,r}) $$

$$ = B(\gamma^r) f_r + \left( \sum_{i=0}^{r-1} b_i^{(r)} f_i \right) + a_{0,r} \tag{12} $$

for some coefficients $b_i^{(r)} \in \mathbb{F}_q$. The linear form (12) must thus equal $0$. The key point is that if $B(\gamma^r) \ne 0$, then this implies that $f_r$ is an affine combination of $f_0, f_1, \ldots, f_{r-1}$ and in particular is uniquely determined given values of $f_0, f_1, \ldots, f_{r-1}$. Thus the dimension of the space of solutions is at most the number of $r$, $0 \le r < k$, for which $B(\gamma^r) = 0$. Since $\gamma$ has order at least $k$, the powers $\gamma^r$ for $0 \le r < k$ are all distinct. Also we know that $B$ is a nonzero polynomial of degree at most $s-1$. Thus $B(\gamma^r) = 0$ for at most $s-1$ values of $r$. We have thus proved that the solution space has dimension at most $s-1$.

The claim about quadratic complexity and the structure of the matrix $M$ follows since the equations (12) of the linear system have a simple “lower-triangular” form.

Combining Lemmas 3 and 6 and the decoding bound (9), we can conclude the following.

Theorem 7. For the folded Reed-Solomon code $\mathrm{FRS}_q^{(m)}[n, k]$ of block length $N = n/m$ and rate $R = k/n$, the following holds for all integers $s$, $1 \le s \le m$. Given a received word $y \in (\mathbb{F}_q^m)^N$, in $O((Nm \log q)^2)$ time, one can find a basis for a subspace of dimension at most $s-1$ that contains all message polynomials $f \in \mathbb{F}_q[X]$ of degree less than $k$ whose FRS encoding (1) differs from $y$ in at most a fraction

$$ \frac{s}{s+1}\left(1 - \frac{mR}{m - s + 1}\right) $$

of the $N$ codeword positions.

Note: When $s = m = 1$, the above just reduces to a unique decoding algorithm up to a fraction $(1 - R)/2$ of errors.

Comment on runtime and list size.
To get the actual list of close-by codewords, one can prune the solution subspace, which unfortunately may take $q^s$ time in the worst-case. This quantity is about $n^{O(1/\varepsilon)}$ for the parameter choices which achieve a list decoding radius of $1 - R - \varepsilon$. Theoretically, we are not able to improve the worst-case list size bound of $\approx n^{1/\varepsilon}$ in this regime. This motivates our results in Section 4 where we show that using a carefully chosen subset of all possible degree $k-1$ polynomials as messages, one can ensure that the list-size is much smaller while losing only a tiny amount in the rate.

Except for the final step of pruning the subspace of candidate solutions, the decoding takes only quadratic time (and is perhaps even practical, as it just involves solving two structured linear systems). In practice, for example when errors occur randomly, the dimension of the output subspace will likely be very small, probably even $0$ leading to a unique solution. If some side information about the true message $f$ is available that disambiguates the true message in the list [9], that might also be useful to speed up the pruning.

3 Some further comments about the proof method

We now make some salient remarks about the above linear-algebra based method to retrieve the space of polynomials $f$.

Tightness of $q^{s-1}$ bound. The upper bound of $q^{s-1}$ on the number of solutions $f$ to the Equation (10) cannot be improved in general. Indeed, let $A_0 = 0$, and $A_i$ for $1 \le i \le s$ be the coefficients of $Y^{i-1}$ in the polynomial $(Y - 1)(Y - \gamma) \cdots (Y - \gamma^{s-2})$. Then for $0 \le \ell \le s - 2$, we have

$$ A_1 X^\ell + A_2 (\gamma X)^\ell + \cdots + A_s (\gamma^{s-1}X)^\ell = X^\ell \cdot \left( A_1 + A_2 \gamma^\ell + A_3 (\gamma^\ell)^2 + \cdots + A_s (\gamma^\ell)^{s-1} \right) = 0. $$

By linearity, every polynomial $f \in \mathbb{F}_q[X]$ of degree at most $s - 2$ satisfies (10).
We should add that this does not lead to any non-trivial list-size lower bound for decoding folded RS codes, as we do not know if such a bad polynomial can occur as the output of the interpolation step, and moreover the pruning step could potentially reduce the size of the list further.

Requirement on $\gamma$. The argument in Lemma 6 only required that the order of $\gamma$ is at least $k$, and not that $\gamma$ is primitive. The polynomial $X^{q-1} - \gamma$ is irreducible if and only if $\gamma$ is primitive, and therefore the approach based on extension fields discussed in Section 2.1 requires $\gamma$ to be primitive. Usually in constructions of Reed-Solomon codes, one takes the block length $n \approx q$ and therefore the dimension $k$ is linear in $q$ (for constant rate codes). So this weakened requirement on $\gamma$ does not buy much flexibility in this case. However, if for some reason, one uses RS codes over much larger fields, then the new argument applies to a broader set of choices of evaluation points for the RS codes.

Linear (instead of affine) space of solutions. With a slight worsening of parameters, we can ensure that the space of solutions is in fact a linear space of dimension at most $s-1$, instead of the affine space ensured by Lemma 6. The idea is to not use $A_0(X)$ in the interpolation (or rather set $A_0 = 0$), so that $Q(X, Y_1, Y_2, \ldots, Y_s) = A_1(X)Y_1 + A_2(X)Y_2 + \cdots + A_s(X)Y_s$. With the degree of each $A_i$ equal to $D$, this gives us $(D+1)s$ monomials in $Q$, and therefore condition (6) that guarantees the existence of a nonzero $Q$ meeting the interpolation requirements (7) now becomes $(D+1)s > N(m - s + 1)$. Thus one can take $D = \left\lfloor \frac{N(m-s+1)}{s} \right\rfloor$. The condition $t(m - s + 1) > D + k$ that enables successful list decoding is thus met when the agreement parameter $t$ satisfies $t > \frac{N}{s} + \frac{k}{m-s+1} = N\left(\frac{1}{s} + \frac{mR}{m-s+1}\right)$.
This is slightly worse than (9), but still allows for decoding from agreement $(R + \varepsilon)N$ by setting $s \approx 1/\varepsilon$ and $m \approx 1/\varepsilon^2$.

Hensel lifting. An alternate approach (to root-finding over extension fields) for finding the low-degree solutions $f$ to the equation $Q(X, f(X), f(\gamma X), \ldots, f(\gamma^{s-1}X)) = 0$ is based on Hensel-lifting. Here the idea is to solve for $f \bmod X^i$ for $i = 1, 2, \ldots$ in turn. For example, the constant term $f_0$ of $f(X)$ must satisfy $Q(0, f_0, f_0, \ldots, f_0) = 0$. If $Q(0, Y, Y, \ldots, Y)$ is a nonzero polynomial, then this will restrict the number of choices for $f_0$. For each such choice $f_0$, solving $Q(X, f(X), \ldots, f(\gamma^{s-1}X)) \bmod X^2 = 0$ gives a polynomial equation for $f_1$, and so on. This approach is discussed in [1] and [4, Chap. 5]. It is mentioned that this algorithm is very fast experimentally and almost never explores too many candidate solutions. A similar approach was also considered in [16] for folded versions of algebraic-geometric codes. However, theoretically it has not been possible to derive any polynomial guarantees on the size of the list returned by this approach or its running time (the obvious issue is that in each step there may be more than one candidate value of $f_i$, leading to an exponential product bound on the runtime). Polynomial bounds in special cases (eg. when $s = 2$) are presented in [4], and obtaining such theoretical bounds is posed as an interesting challenge for future work. Our Lemma 6 provides an analysis of the Hensel-lifting approach when the interpolated polynomial is linear in the $Y_i$’s.

Additive folding? Let $p$ be a prime. Over $\mathbb{F}_p$, one can also consider additive folding schemes, where the value $f(a)$ is bundled together with $f(a+1), f(a+2), \ldots, f(a+m-1)$, in a construction similar to (1).
The approach using extension fields can be used to show that the number of polynomials $f \in \mathbb{F}_p[X]$ of degree less than $p$ satisfying $Q(X, f(X), f(X+1), \dots, f(X+s-1)) = 0$ for $Q \in \mathbb{F}_p[X, Y_1, Y_2, \dots, Y_s]$ that is linear in the $Y_i$'s is at most $p^{s-1}$. This follows by going modulo the polynomial $X^p - X - 1$ which is irreducible over $\mathbb{F}_p$ and noting that $f(X+1) = f(X)^p \bmod (X^p - X - 1)$.$^5$ Is there a linear-algebraic proof similar to Lemma 6 for this case? The map $f(X) \mapsto f(\gamma X)$ acts diagonally on the standard basis $\{1, X, \dots, X^{k-1}\}$ for degree $k-1$ polynomials, and this led to the nice structure for the linear system (10). The linear transformation $f(X) \mapsto f(X+1)$ is not diagonalizable so the upper bound on the rank of the solution space may need a more careful inspection of the structure of the system $A_0(X) + A_1(X) f(X) + A_2(X) f(X+1) + \cdots + A_s(X) f(X+s-1) = 0$.

$^5$ The author first heard this argument for additive folding from Swastik Kopparty.

Derivative codes. Continuing the theme of the previous remark, when $\mathrm{char}(\mathbb{F}_q) > k$, an analog of Lemma 6 for the differential equation $A_0(X) + A_1(X) f(X) + A_2(X) f'(X) + A_3(X) f''(X) + \cdots + A_s(X) f^{(s-1)}(X) = 0$ is proved in [15] (here $f'(X)$ denotes the derivative of $f$ and $f^{(i)}(X)$ the $i$'th derivative of $f$). This is then used in [15] to show that derivative codes over fields of large characteristic can also achieve list decoding capacity. That is, they allow list decoding a fraction $1 - R - \varepsilon$ of errors with rate $R$, for a suitable choice of parameters.
Independently, Bombieri and Kopparty [3] have given an algorithm for list decoding derivative codes up to a fraction $\approx 1 - R^{s/(s+1)}$ of errors using $s+1$-variate interpolation, matching the performance of the author and Rudra's algorithm for folded RS codes [13]. Derivative codes (or univariate multiplicity codes) are the variant of Reed-Solomon codes where the $i$'th codeword symbol consists of not only the value $f(a_i)$ at the $i$'th evaluation point, but also the values of its first $m-1$ derivatives (for some parameter $m > 1$). Over large characteristic, this is the same (up to some constant factors) as the residue of $f \bmod (X - a_i)^m$. Multivariate versions of multiplicity codes were studied in the recent work of Kopparty, Saraf, and Yekhanin [18] where they were used to give a surprising construction of codes of rate $1 - \varepsilon$ locally decodable in $O(n^{\gamma})$ time for any $\varepsilon, \gamma > 0$.

Multiplicities, soft decoding, and list recovery. For the linear interpolation of the form (4), using multiplicities in the interpolation stage, as in [14], only hurts the performance. This is because the degree of the $Y_i$'s cannot be increased to meet the needs of the larger number of interpolation conditions. Thus in order to get a good decoder that can handle soft information on reliabilities of various symbols [14, 17], one has to resort to the method behind the original algorithm in [13]. A weaker form of soft decoding is the problem of list recovery, where for each position $i$ of the code the input is a set $S_i$ of up to $\ell$ possible values, and the goal is to find all codewords whose $i$'th symbol belongs to $S_i$ for at least $t$ values of $i$. For this problem, a straightforward extension of the method of Section 2.2 gives an algorithm that works for agreement fraction $\tau = t/N$ satisfying
$$\tau > \frac{\ell}{s+1} + \frac{s}{s+1} \cdot \frac{mR}{m-s+1}.$$
The crucial point is that for any fixed $\ell$, by picking $s \approx \ell/\varepsilon$ and $m \approx \ell/\varepsilon^2$, we can list recover with agreement fraction $\tau = R + \varepsilon$ — the agreement fraction required does not degrade with increasing $\ell$. Such a list recovery guarantee is very useful in list decoding concatenated codes, for example to construct binary codes list-decodable up to the Zyablov radius, or codes list-decodable up to radius $1 - R - \varepsilon$ over alphabets of fixed size independent of $n$; see [13, Sect. V].

4 Improving list size via pseudorandom subspace-evasive subsets

Based on Theorem 7, in this section we pursue one possible approach to improve the provable worst-case list size bound for list decoding up to a fraction $1 - R - \varepsilon$ of errors. Instead of allowing all polynomials $f_0 + f_1 X + \cdots + f_{k-1} X^{k-1}$ of degree less than $k$ as messages, the idea is to restrict the coefficient vector $(f_0, f_1, \dots, f_{k-1})$ to belong to some special subset $\mathcal{V} \subseteq \mathbb{F}_q^k$, satisfying the following two conflicting demands:

Largeness: The set $\mathcal{V}$ must be large, say $|\mathcal{V}| > q^{(1-\varepsilon)k}$, so that the rate is reduced by at most a $(1-\varepsilon)$ factor.

Low intersection with subspaces: For every subspace $S \subset \mathbb{F}_q^k$ of dimension $s$, $|S \cap \mathcal{V}| \le L$. (Let us call this property of $\mathcal{V}$ as $(s, L)$-subspace-evasive for easy reference. The field $\mathbb{F}_q$ and ambient dimension $k$ will be fixed in our discussion.)

Using such a set $\mathcal{V}$ will ensure that after pruning the affine subspace output by the algorithm of Theorem 7, the number of codewords will be at most $L$. (Note that an affine subspace of dimension $s-1$ is contained in a subspace of dimension $s$.) Thus the list size will go down from $q^{s-1}$ to $L$.

Subspace-evasive subsets were used in [21] to construct bipartite Ramsey graphs, and in fact we borrowed the term evasive from that work. In their work, the underlying field was $\mathbb{F}_2$ and the subsets had to be evasive for dimension $s \approx k/2$.
Our interest is in a different (and hopefully easier?) regime — we can work over large fields, and are interested in evasiveness w.r.t. $s$-dimensional subspaces for constant $s$.

Subspace-evasive subsets are also connected to certain well-studied objects called affine extractors; see the discussion at the end of this section.

A random large subset of $\mathbb{F}_q^k$ meets the low subspace intersection requirement very well, as shown below. The argument is straightforward; a similar bound appears in [5] in the geometric context of point-subspace incidences.

Lemma 8. Let $\mathcal{W}$ be a random subset of $\mathbb{F}_q^k$ chosen by including each $x \in \mathbb{F}_q^k$ in $\mathcal{W}$ with probability $q^{-s-\alpha}$ for some $\alpha > 0$. Then with probability at least $1 - q^{-\Omega(k)}$, $\mathcal{W}$ satisfies both the following conditions: (i) $|\mathcal{W}| > q^{k-s-\alpha}/2$, and (ii) $\mathcal{W}$ is $(s, 2sk/\alpha)$-subspace-evasive.

Proof. The first part follows by a standard Chernoff bound calculation. For the second part, fix a subspace $S \subseteq \mathbb{F}_q^k$ of dimension $s$, and a subset $T \subseteq S$ of size $t = \lceil 2ks/\alpha \rceil$. The probability that $\mathcal{W} \supseteq T$ equals $q^{-(s+\alpha)t}$. By a union bound over the at most $q^{ks}$ choices for the $s$-dimensional subspace $S$, and the at most $q^{st}$ choices of $t$-element subsets $T$ of $S$, we get that the probability that $\mathcal{W}$ is not $(s, t-1)$-subspace-evasive is at most $q^{ks+st} \cdot q^{-(s+\alpha)t} \le q^{-ks}$ since $t > 2ks/\alpha$.

Picking $\alpha \approx \varepsilon k$, the above guarantees the existence of subsets $\mathcal{W}$ of $\mathbb{F}_q^k$ of size $q^{(1-\varepsilon)k}$ which are $(s, O(s/\varepsilon))$-subspace-evasive. Restricting the coefficient vector $(f_0, f_1, \dots, f_{k-1})$ of the message polynomial to belong to such a subset will guarantee a list-size upper bound of $O(s/\varepsilon)$ in Theorem 7. This list-size bound is a constant independent of $n$, and for the choice $s \approx 1/\varepsilon$ which enables list decoding a fraction $1 - R - \varepsilon$ of errors, it is $O(1/\varepsilon^2)$.
This is quite close to the bound of $O(1/\varepsilon)$ achieved by random codes [11].

Unfortunately, an explicit construction of subspace-evasive subsets with anywhere close to the trade-off guaranteed by the probabilistic construction of Lemma 8 is not known. This appears to be a challenging and extremely interesting question. One natural choice for such a subset would be some variety $\mathcal{V} \subseteq \mathbb{F}_q^k$ defined by a collection of polynomial equations, i.e., $\mathcal{V} = \{a \in \mathbb{F}_q^k \mid g_1(a) = g_2(a) = \cdots = g_l(a) = 0\}$ for some polynomials $g_1, g_2, \dots, g_l \in \mathbb{F}_q[Z_1, Z_2, \dots, Z_k]$. Indeed for $s = 1$ and $s = k-1$, varieties in $\mathbb{F}_q^k$ (the modular moment surface and modular moment curve) with low intersection with $s$-dimensional affine subspaces are known [5].

Connection to affine extractors. The problem of constructing subspace-evasive subsets is related to the well-studied problem of constructing affine extractors. An affine extractor is an $M$-coloring of $\mathbb{F}_q^k$ with the property that every $s$-dimensional affine subspace of $\mathbb{F}_q^k$ has between $(1/M - \delta) q^s$ and $(1/M + \delta) q^s$ elements belonging to each of the $M$ color classes. Here $\delta$ is the error and $\log_2 M$ is the number of output bits of the extractor. If we had an affine extractor with a large number of outputs (say $M > q^{(1-\varepsilon)s}$ for arbitrarily small constants $\varepsilon > 0$) and very small error ($\delta \le O(1/M)$, in other words a small relative error instead of an additive error), then the subset corresponding to a single color class will be subspace-evasive. Known explicit constructions of affine extractors fall short of meeting these requirements. The constructions in the literature either require large dimensions $s$ (and therefore are not applicable in our setting of $s = O(1)$), or have too large an error to be useful for us.
For instance, the extractor of Gabizon and Raz [7], which works over large fields and any $s > 1$ (both aspects being perfect for us), has an error $\delta \approx 1/\sqrt{q}$, due to the application of the Weil bounds on character sums. On the other hand, an extractor satisfies a stronger property than what is needed in a subspace-evasive subset, so we hope that good explicit constructions of subspace-evasive subsets will be easier to obtain.

4.1 Pseudorandom construction of subspace-evasive subsets

The construction of Lemma 8 takes exponential time and produces a random unstructured set that takes exponential space to store. In this section, we show that a subset with similar guarantees can be constructed in probabilistic polynomial time, producing a polynomial size representation of the constructed subspace-evasive set. The idea is to note that the probabilistic argument to argue about $(s, t)$-subspace-evasiveness only needed $t$-wise independence and not complete independence of different elements of $\mathbb{F}_q^k$ landing in the random subset $\mathcal{W}$.

Fix an arbitrary basis $1, \beta, \beta^2, \dots, \beta^{k-1}$ of $\mathbb{F}_q^k$ over $\mathbb{F}_q$. Also denote $K = \mathbb{F}_{q^k}$. For a polynomial $P \in K[X]$ and an integer $r$ ($1 \le r \le k$), define the subset $S(P, r) \subseteq \mathbb{F}_q^k$ as follows:
$$S(P, r) = \{(a_0, a_1, \dots, a_{k-1}) \in \mathbb{F}_q^k \mid P(a_0 + a_1\beta + a_2\beta^2 + \cdots + a_{k-1}\beta^{k-1}) \in \mathbb{F}_q\text{-span}(1, \beta, \dots, \beta^{r-1})\}.$$

Lemma 9. Let $q$ be a prime power, $k > 1$ an integer, and denote $K = \mathbb{F}_{q^k}$. Let $\zeta \in (0, 1)$ and $s$ be an integer satisfying $1 \le s \le \zeta k/2$. Let $P \in K[X]$ be a random polynomial of degree $t$ and define $\mathcal{V} = S(P, (1-\zeta)k)$. Then, provided $t > \Omega(s/\zeta)$, with probability at least $1 - q^{-\Omega(k)}$ over the choice of $P$, $\mathcal{V}$ is a $(s, t)$-subspace-evasive subset of $\mathbb{F}_q^k$ of size at least $q^{(1-\zeta)k}/2$.

Proof. For each $x \in \mathbb{F}_q^k$, note that $x \in S(P, r)$ with probability $q^{-\zeta k}$.
Further, since the values of $P$ at any $t$ distinct points in $K$ are independent, the events $x \in S(P, r)$ for various $x \in \mathbb{F}_q^k$ are $t$-wise independent. The argument in Lemma 8 only relied on the $t$-wise independence of these events, and therefore one can conclude that $\mathcal{V} = S(P, r)$ is $(s, O(s/\zeta))$-subspace-evasive with probability at least $1 - q^{-\Omega(ks)}$. The expected size of $\mathcal{V}$ is $\mathbb{E}[\mathcal{V}] = q^{(1-\zeta)k}$. Since the events $x \in \mathcal{V}$ are pairwise independent, by Chebyshev's inequality, $\Pr\big[\,|\mathcal{V}| < \mathbb{E}[\mathcal{V}]/2\,\big] < 4/\mathbb{E}[\mathcal{V}]$. Hence $|\mathcal{V}| > q^{(1-\zeta)k}/2$ except with probability at most $q^{-\Omega(k)}$.

Note that the set $S(P, r)$ has a compact representation, and given $P$, membership in $S(P, r)$ can be checked efficiently. In fact, it is easy to see that $S(P, r)$ is a variety in $\mathbb{F}_q^k$. Indeed, $P(a_0 + a_1\beta + \cdots + a_{k-1}\beta^{k-1})$ can be expanded out as $p_0(a_0, a_1, \dots, a_{k-1}) + p_1(a_0, \dots, a_{k-1})\beta + \cdots + p_{k-1}(a_0, \dots, a_{k-1})\beta^{k-1}$ for polynomials $p_0, p_1, \dots, p_{k-1} \in \mathbb{F}_q[Z_1, Z_2, \dots, Z_k]$, and therefore
$$S(P, r) = \{a = (a_0, a_1, \dots, a_{k-1}) \in \mathbb{F}_q^k \mid p_r(a) = p_{r+1}(a) = \cdots = p_{k-1}(a) = 0\}. \qquad (13)$$
Combining this with Theorem 7, we can conclude the following.

Theorem 10. For any $\zeta > 0$, there is a Monte Carlo construction of a subcode $C$ of $\mathrm{FRS}^{(m)}_q[n, k]$, consisting of encodings of polynomials whose coefficients belong to a variety $\mathcal{V} \subset \mathbb{F}_q^k$, such that with high probability $C$ has rate at least $(1-\zeta)k/n$ and can be list decoded from a fraction $\frac{s}{s+1}\left(1 - \frac{mR}{m-s+1}\right)$ for any $1 \le s \le m$ in $q^{O(s)}$ time with an output list size of at most $O(s/\zeta)$.
In particular, picking $\zeta = \Theta(\varepsilon)$, $s = \Theta(1/\varepsilon)$ and $m = \Theta(1/\varepsilon^2)$, the construction yields codes of rate $R$ which can be list decoded from a fraction $1 - R - \varepsilon$ of errors in polynomial time, with at most $O(1/\varepsilon^2)$ codewords output in the list.

Encoding complexity. In the above construction, the code can be succinctly stored and membership in the code efficiently tested. However, we do not know a way to output the $i$'th codeword in the code (i.e., to perform encoding) in polynomial time. We now show that efficient encoding can also be achieved if we settle for a list size of $O(k)$ (which is still much better than the $q^{\Omega(1/\varepsilon)}$ bound). The idea is to apply Lemma 9 with the parameter choice $\zeta = 2s/k$ and $t = O(k)$, and taking $\mathcal{V} = S(P, k-2s)$ for a random degree $t$ polynomial $P$. Now with very high probability over the choice of $P$, standard tail inequalities for $t$-wise independent random variables (e.g. [2]) imply that for every choice of $f_0, f_1, \dots, f_{k-3s-1}$, there are at least $q^s/2$ elements $(a_0, a_1, \dots, a_{k-1}) \in S(P, r)$ such that $a_i = f_i$ for $0 \le i < k-3s$. In particular such a $k$-tuple can be found in $q^{O(s)}$ time by searching over all possible values of $(a_{k-3s}, \dots, a_{k-1})$. We can use an arbitrary such tuple $(a'_{k-3s}, \dots, a'_{k-1})$ (say the lexicographically smallest) as the $3s$ highest degree coefficients and encode the message $(f_0, f_1, \dots, f_{k-3s-1}) \in \mathbb{F}_q^{k-3s}$ by the folded RS encoding (1) of the polynomial
$$f_0 + f_1 X + \cdots + f_{k-3s-1} X^{k-3s-1} + a'_{k-3s} X^{k-3s} + \cdots + a'_{k-1} X^{k-1}.$$
Note that we only purge $3s$ symbols from $\mathbb{F}_q$ in the messages so the rate is $R - o(1)$. The list decoder can simply discard the top (highest degree) $3s$ coefficients of any recovered polynomial to find the actual message tuple.
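An added example (not code from the paper) of the set $S(P, r)$ from Section 4.1 and of the encoding search just described, over the toy field $\mathbb{F}_{5^4} = \mathbb{F}_5[\beta]/(\beta^4 - 2)$. The field size, the modulus, the seed and all function names are assumptions of this example, chosen so that every set can be enumerated by brute force.

```python
import itertools
import random

Q, K = 5, 4    # toy parameters (assumption): base field F_5, ambient dimension k = 4
BETA_K = 2     # F_{5^4} = F_5[beta]/(beta^4 - 2); x^4 - 2 is irreducible over F_5

def k_mul(u, v):
    """Multiply elements of F_{q^k} given as coordinates in the basis 1, beta, ..., beta^(k-1)."""
    prod = [0] * (2 * K - 1)
    for i, ui in enumerate(u):
        for j, vj in enumerate(v):
            prod[i + j] += ui * vj
    for d in range(2 * K - 2, K - 1, -1):    # reduce with beta^k = BETA_K
        prod[d - K] += BETA_K * prod[d]
    return tuple(c % Q for c in prod[:K])

def k_add(u, v):
    return tuple((a + b) % Q for a, b in zip(u, v))

def evaluate(P, x):
    """Horner evaluation of P (coefficients in F_{q^k}, lowest degree first) at x."""
    acc = (0,) * K
    for coeff in reversed(P):
        acc = k_add(k_mul(acc, x), coeff)
    return acc

def in_S(P, r, a):
    """Membership in S(P, r): the beta^r, ..., beta^(k-1) coordinates of P(a) vanish, as in (13)."""
    return all(c == 0 for c in evaluate(P, a)[r:])

def random_poly(t, rng):
    """Uniformly random polynomial of degree at most t over F_{q^k}."""
    return [tuple(rng.randrange(Q) for _ in range(K)) for _ in range(t + 1)]

def encode_message(P, s, msg):
    """Append the lexicographically smallest 3s top coefficients that land in S(P, k - 2s)."""
    assert len(msg) == K - 3 * s
    for top in itertools.product(range(Q), repeat=3 * s):
        a = tuple(msg) + top
        if in_S(P, K - 2 * s, a):
            return a
    return None    # no completion exists for this P and this message

def max_line_intersection(P, r):
    """Brute-force max of |L & S(P, r)| over 1-dimensional subspaces L (the case s = 1)."""
    best = 0
    for v in itertools.product(range(Q), repeat=K):
        if any(v):
            line = {tuple(c * x % Q for x in v) for c in range(Q)}
            best = max(best, sum(in_S(P, r, p) for p in line))
    return best

if __name__ == "__main__":
    P = random_poly(3, random.Random(2011))   # constructed sample polynomial
    size = sum(in_S(P, 2, a) for a in itertools.product(range(Q), repeat=K))
    print("|S(P, 2)| =", size, "(expected size", Q ** 2, ")")
    print("max intersection with a line:", max_line_intersection(P, 2))
    print("coefficients for message (3,):", encode_message(P, 1, (3,)))
```

For the degenerate choice $P(X) = X$ the set $S(P, 2)$ is itself a 2-dimensional subspace, so it contains whole lines and is not evasive; comparing that with a random $P$ shows what the randomness of the polynomial buys.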

One obvious open question raised by the above is to construct the claimed variety (even with a somewhat worse list size guarantee) explicitly. This would make the code explicit, and if the variety is sufficiently well-structured, also imply a nice encoding function. Even more exciting would be to construct a subspace-evasive subset for which the intersection with an $s$-dimensional subspace can be computed efficiently, in time polynomial in the size of the intersection. This would avoid the need for the $q^s$ runtime bottleneck arising from exhaustively checking all candidates in the subspace for membership in the variety.

One point worth noting is that the degree of each of the polynomials $p_i \in \mathbb{F}_q[Z_1, Z_2, \dots, Z_k]$ defining the variety (13) is $\Omega(s/\zeta)$ and there are $\zeta k$ of them, so bounding the size of the variety by the product of the degrees via Bezout's theorem would lead to uselessly large bounds. Even the existence of a variety cut out by say $O(s)$ polynomials each with degree at most $O(s)$ that is $(s, s^{O(s)})$-subspace-evasive does not appear to be known.

Acknowledgments

I am grateful to Salil Vadhan for telling me about the elegant degree 1 interpolation method for list decoding folded RS codes. I thank Carol Wang for useful discussions and Atri Rudra for valuable comments on the write-up. I thank Noga Alon, Swastik Kopparty, Po-Shen Loh, and David Zuckerman for their input on the literature on subspace-evasive sets, and Ran Raz for discussions about their construction. Thanks to Swastik for pointing me to [21], and to Po for pointers to work on related concepts in geometric settings [6].

References

[1] P. Beelen and K. Brander. Decoding Folded Reed-Solomon codes using Hensel-lifting. In Gröbner Bases, Coding, and Cryptography, pages 389–394. Springer-Verlag, 2009.
[2] M. Bellare and J. Rompel. Randomness-efficient oblivious sampling. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, pages 276–287, 1994.
[3] E. Bombieri and S. Kopparty. List decoding multiplicity codes, 2011. Manuscript.
[4] K. Brander. Interpolation and list decoding of algebraic codes. PhD thesis, Technical University of Denmark, 2010.
[5] P. Braß and C. Knauer. On counting point-hyperplane incidences. Comput. Geom., 25(1-2):13–20, 2003.
[6] P. Brass, W. Moser, and J. Pach. Research Problems in Discrete Geometry. Springer, New York, 2005.
[7] A. Gabizon and R. Raz. Deterministic extractors for affine sources over large fields. Combinatorica, 28(4):415–440, 2008.
[8] P. Gemmell and M. Sudan. Highly resilient correctors for multivariate polynomials. Information Processing Letters, 43(4):169–174, 1992.
[9] V. Guruswami. List decoding with side information. In Proceedings of the 18th IEEE Conference on Computational Complexity (CCC), pages 300–309, 2003.
[10] V. Guruswami. List decoding Folded Reed-Solomon codes, 2010. Lecture notes, available at http://www.cs.cmu.edu/~venkatg/teaching/codingtheory/notes/notes11.pdf.
[11] V. Guruswami, J. Håstad, M. Sudan, and D. Zuckerman. Combinatorial bounds for list decoding. IEEE Transactions on Information Theory, 48(5):1021–1035, 2002.
[12] V. Guruswami and A. Patthak. Correlated Algebraic-Geometric codes: Improved list decoding over bounded alphabets. Mathematics of Computation, 77(261):447–473, 2008.
[13] V. Guruswami and A. Rudra. Explicit codes achieving list decoding capacity: Error-correction up to the Singleton bound. IEEE Transactions on Information Theory, 54(1):135–150, 2008.
[14] V. Guruswami and M. Sudan. Improved decoding of Reed-Solomon and Algebraic-geometric codes. IEEE Transactions on Information Theory, 45(6):1757–1767, 1999.
[15] V. Guruswami and C. Wang. Optimal rate list decoding via derivative codes, 2011. Manuscript.
[16] M. D. Huang and A. K. Narayanan. Folded algebraic geometric codes from Galois extensions. ArXiv CoRR, http://arxiv.org/abs/0901.1162, 2009.
[17] R. Koetter and A. Vardy. Algebraic soft-decision decoding of reed-solomon codes. IEEE Transactions on Information Theory, 49(11):2809–2825, 2003.
[18] S. Kopparty, S. Saraf, and S. Yekhanin. High-rate codes with sublinear-time decoding. Electronic Colloquium on Computational Complexity, TR10-148, 2010.
[19] F. Parvaresh and A. Vardy. Correcting errors beyond the Guruswami-Sudan radius in polynomial time. In Proceedings of the 46th Annual IEEE Symposium on Foundations of Computer Science, pages 285–294, 2005.
[20] W. W. Peterson. Encoding and error-correction procedures for Bose-Chaudhuri codes. IEEE Transactions on Information Theory, 6:459–470, 1960.
[21] P. Pudlák and V. Rödl. Pseudorandom sets and explicit constructions of Ramsey graphs. In Complexity of Computations and Proofs. Quad. Mat., 13, Dept. Math., Seconda Univ. Napoli, Caserta, pages 327–346, 2004.
[22] M. Sudan. Decoding of Reed-Solomon codes beyond the error-correction bound. Journal of Complexity, 13(1):180–193, 1997.
[23] M. Sudan. List decoding: Algorithms and applications. SIGACT News, 31:16–27, 2000.
[24] L. Trevisan. Some applications of coding theory in computational complexity. Quaderni di Matematica, 13:347–424, 2004.
[25] S. Vadhan. Pseudorandomness. Foundations and Trends in Theoretical Computer Science (FnT-TCS). NOW publishers, 2010. To appear. Draft available at http://people.seas.harvard.edu/~salil/pseudorandomness/.
[26] S. P. Vadhan. The unified theory of pseudorandomness. In Proceedings of the International Congress of Mathematicians, 2010.
[27] L. R. Welch and E. R. Berlekamp. Error correction of algebraic block codes. US Patent Number 4,633,470, December 1986.
