## On the list and bounded distance decodability of the Reed-Solomon codes (2004)

Venue: In Proc. FOCS 2004

Citations: 18 - 8 self

### BibTeX

```bibtex
@INPROCEEDINGS{Cheng04onthe,
    author = {Qi Cheng and Daqing Wan},
    title = {On the list and bounded distance decodability of the Reed-Solomon codes},
    booktitle = {In Proc. FOCS 2004},
    year = {2004},
    pages = {335--341},
    publisher = {IEEE Computer Society}
}
```

### Abstract

For an error-correcting code and a distance bound, the list decoding problem is to compute all the codewords within a given distance to a received message. The bounded distance decoding problem is to find one codeword if there is at least one codeword within the given distance, or to output the empty set if there is not. Obviously the bounded distance decoding problem is not as hard as the list decoding problem. For a Reed-Solomon code $[n, k]_q$, a simple counting argument shows that for any integer $0 < g < n$, there exists at least one Hamming ball of radius $n - g$, which contains at least $\binom{n}{g}/q^{g-k}$ many codewords. Let $\hat{g}(n, k, q)$ be the smallest positive integer $g$ such that $\binom{n}{g}/q^{g-k} < 1$. One knows that $k \le \hat{g}(n, k, q) \le \sqrt{nk} \le n$. For the distance bound up to $n - \sqrt{nk}$, it is well known that both the list and bounded distance decoding can be solved efficiently. For the distance bound between $n - \sqrt{nk}$ and $n - \hat{g}(n, k, q)$, we do not know whether the Reed-Solomon code is list, or bounded distance decodable, nor do we know whether there are polynomially many codewords in all balls of the radius. It is generally believed that the answers to both questions are no. There are public key cryptosystems proposed recently, whose security is based on the assumptions. In this paper, we prove: (1) List decoding cannot be done for radius $n - \hat{g}(n, k, q)$ or larger, otherwise the discrete logarithm over $\mathbb{F}_{q^{\hat{g}(n,k,q)-k}}$ is easy. (2) Let h and g be

### Citations

263 | Improved decoding of Reed-Solomon and algebraic-geometry codes
- Guruswami, Sudan
- 1999
Citation Context ...ly no progress on this problem for radius slightly larger than half of the minimum distance, until Sudan published his influential paper [15]. His result was subsequently improved, the best algorithm [9] solves the list decoding problem for radius as large as $n - \sqrt{nk}$. The work sheds new light on the limitation of list decoding of Reed-Solomon codes. To the other extreme, if the radius is greater tha...

221 | Decoding of Reed-Solomon codes beyond the error-correction bound
- Sudan
- 1997
Citation Context ...The notion was first introduced by Elias [5]. There was virtually no progress on this problem for radius slightly larger than half of the minimum distance, until Sudan published his influential paper [15]. His result was subsequently improved, the best algorithm [9] solves the list decoding problem for radius as large as $n - \sqrt{nk}$. The work sheds new light on the limitation of list decoding of Reed-Sol...

109 | Error correction for algebraic block codes
- Welch, Berlekamp
- 1986
Citation Context ...amming ball is less than half of the minimum distance, there should be at most one codeword in the Hamming ball. Finding the codeword is called unambiguous decoding. It can be efficiently solved, see [2] for a simple algorithm. If we gradually increase the radius, there may be two or more codewords lying in some Hamming balls. Can we efficiently enumerate all the codewords in any Hamming ball of cert...

99 | List decoding for noisy channels
- Elias
- 1957
Citation Context ...ying in some Hamming balls. Can we efficiently enumerate all the codewords in any Hamming ball of certain radius? This is the so-called list decoding problem. The notion was first introduced by Elias [5]. There was virtually no progress on this problem for radius slightly larger than half of the minimum distance, until Sudan published his influential paper [15]. His result was subsequently improved, ...

93 | Learning polynomials with queries: the highly noisy case
- Goldreich, Rubinfeld, et al.
- 1995
Citation Context ... 1 that pass at least g points. In this paper, we only consider the case when the n given points have distinct x-coordinates. If we allow multiple occurrences of x-coordinates, the problem is NP-hard [6], and it is not relevant to the Reed-Solomon decoding problem. If $g \ge (n + k)/2$, it corresponds to the unambiguous decoding of Reed-Solomon codes. If $g > \sqrt{nk}$, the radius is less than $n - \sqrt{nk}$, the pro...

42 | Diameters and Eigenvalues
- Chung
- 1989
Citation Context ... $\mathbb{F}_{q^h} = \mathbb{F}_q[\alpha]$, can $\mathbb{F}_q + \alpha$ generate the multiplicative group $(\mathbb{F}_{q^h})^*$? This interesting problem has a lot of applications in graph theory, and it has been studied by several number theorists. Chung [4] proved that if $q > (h - 1)^2$, then $(\mathbb{F}_{q^h})^*$ is generated by $\mathbb{F}_q + \alpha$. Wan [18] showed a negative result that if $q^h - 1$ has a divisor $d > 1$ and $h \ge 2(q \log_q d + \log_q(q + 1))$, then $(\mathbb{F}_{q^h})^*$ is not gen...

41 | Noisy polynomial interpolation and noisy Chinese remaindering
- Bleichenbacher, Nguyen
- 2000
Citation Context ...eater than $n - \sqrt{nk}$ and less than $n - k$. This problem is even used as a hard problem to build public key cryptosystems and pseudorandom generators [12]. A similar problem, noisy polynomial interpolation [3], was proved to be vulnerable to the attack of lattice reduction techniques, hence is easier than originally thought. This raises concerns on the hardness of polynomial reconstruction problem. Our res...

39 | Combinatorial bounds for list decoding
- Guruswami, Håstad, et al.
Citation Context ...for Reed-Solomon codes and other error-correcting codes. The case of general non-linear codes has been solved [6]. The case for linear codes is much harder. Some partial results have been obtained in [8, 7]. However, none of them applies to Reed-Solomon codes. No negative result is known about the list decoding of Reed-Solomon codes, except for a simple bound given by Justesen and Hoholdt [10], which st...

28 | Discrete logarithms: The past and the future
- Odlyzko
- 2000
Citation Context ...rator γ of a subgroup of $\mathbb{F}_{q^n}^*$ and t in the subgroup. The general purpose algorithms to solve the discrete logarithm problem are the number field sieve and the function field sieve (for a survey see [13]). They have time complexity $\exp(c (\log q^n)^{1/3} (\log\log q^n)^{2/3})$ for some constant c, when q is small, or n is small. We prove that if the list decoding of the $[n, k]_q$ Reed-Solomon code is feasibl...

19 | Cryptographic hardness based on the decoding of Reed-Solomon codes with applications
- Kiayias, Yung
- 2002
Citation Context ...s are computationally hard if the number of errors is greater than $n - \sqrt{nk}$ and less than $n - k$. This problem is even used as a hard problem to build public key cryptosystems and pseudorandom generators [12]. A similar problem, noisy polynomial interpolation [3], was proved to be vulnerable to the attack of lattice reduction techniques, hence is easier than originally thought. This raises concerns on the...

18 | Bounds on list decoding of MDS codes
- Justesen, Høholdt
Citation Context ...ined in [8, 7]. However, none of them applies to Reed-Solomon codes. No negative result is known about the list decoding of Reed-Solomon codes, except for a simple bound given by Justesen and Hoholdt [10], which states that for any positive integer $g < n$, there exists at least one Hamming ball of radius $n - g$, which contains at least $\binom{n}{g}/q^{g-k}$ many codewords. This bound matches the intuition well...

17 | Fast, rigorous factorization and discrete logarithm algorithms
Citation Context ...algorithm. We get n independent equations with probability more than 1 − 1 2n after we pick no more than $O(n \log n)$ many i's. Solving the system of equations gives us $\log_b(\alpha - a)$ for all $a \in \mathbb{F}_q$. See [14] for a formal analysis. In the last step, for a random i, we compute $b(\alpha)^i t(\alpha)$. If $\psi^{-1}(b(\alpha)^i t(\alpha))$ is not empty, we can solve $\log_b t$ immediately. This finishes the proof of Theorem 1. 3.2. The p...

17 | Generators and irreducible polynomials over finite fields
- Wan
- 1997
Citation Context ...interesting problem has a lot of applications in graph theory, and it has been studied by several number theorists. Chung [4] proved that if $q > (h - 1)^2$, then $(\mathbb{F}_{q^h})^*$ is generated by $\mathbb{F}_q + \alpha$. Wan [18] showed a negative result that if $q^h - 1$ has a divisor $d > 1$ and $h \ge 2(q \log_q d + \log_q(q + 1))$, then $(\mathbb{F}_{q^h})^*$ is not generated by $\mathbb{F}_q + \alpha$ for some α. Katz [11] applied the Lang-Weil method, and showed ...

12 | Coding theory: Tutorial & Survey
- Sudan
- 2001
Citation Context ...ments of theoretical computer science, notably the Probabilistically Checkable Proofs and de-randomization techniques, rely heavily on the techniques in error-correcting codes. We refer to the survey [16] for details. For the purpose of efficient encoding and decoding, Σ is usually set to be the finite field $\mathbb{F}_q$ of q elements, and the map φ is set to be linear. Numerous error correcting codes have been...

10 | Limits to list decodability of linear codes
- Guruswami
- 2002
Citation Context ...for Reed-Solomon codes and other error-correcting codes. The case of general non-linear codes has been solved [6]. The case for linear codes is much harder. Some partial results have been obtained in [8, 7]. However, none of them applies to Reed-Solomon codes. No negative result is known about the list decoding of Reed-Solomon codes, except for a simple bound given by Justesen and Hoholdt [10], which st...

9 | On some subgroups of the multiplicative group of finite rings
- Voloch
Citation Context ... which will make (the random variants of) the algorithm comparable to the primality proving algorithm used in practice. However, the best known lower bound is $(c|S|/h)^h$ for some absolute constant c [17]. We discover an interesting duality between the group size and the list size in Hamming balls of certain radius. Theorem 5 Let k, n be positive integers and q be a prime power. One of the following s...

3 | Factoring polynomials in finite fields: An application of Lang-Weil to a problem of graph theory
- Katz
- 1990
Citation Context ...hen $(\mathbb{F}_{q^h})^*$ is generated by $\mathbb{F}_q + \alpha$. Wan [18] showed a negative result that if $q^h - 1$ has a divisor $d > 1$ and $h \ge 2(q \log_q d + \log_q(q + 1))$, then $(\mathbb{F}_{q^h})^*$ is not generated by $\mathbb{F}_q + \alpha$ for some α. Katz [11] applied the Lang-Weil method, and showed that for every $h \ge 2$ there exists a constant $B(h)$ such that for any finite field $\mathbb{F}_q$ with $q \ge B(h)$, any element in $(\mathbb{F}_{q^h})^*$ can be written as a product of exa...

1 | Error correction of algebraic block codes. U.S. Patent Number 4633470
- 1986
Citation Context ... $\mathbb{F}_q[\alpha] = \mathbb{F}_{q^h}$. What is the order of the subgroup generated by $\alpha + S$ for some $S \subseteq \mathbb{F}_q$? This question has an important application in analyzing the performance of the AKS primality testing algorithm [1]. Experimental data suggests that the order is greater than $q^{h/c}$ for some absolute constant c for $|S| \ge h \log q$. If we can prove it, the space complexity of the AKS algorithm can be cut by a factor of...