Fast list decoding of univariate multiplicity and folded

Reed-Solomon codes
Rohan Goyal∗ Prahladh Harsha† Mrinal Kumar† Ashutosh Shankar†
arXiv:2311.17841v4 [cs.IT] 12 Mar 2024

Abstract

We show that the known list-decoding algorithms for univariate multiplicity and folded Reed-
Solomon (FRS) codes can be made to run in Õ(n) time. Univariate multiplicity codes and FRS
codes are natural variants of Reed-Solomon codes that were discovered and studied for their
applications to list decoding. It is known that for every ε > 0, and rate r ∈ (0, 1), there exist
explicit families of these codes that have rate r and can be list decoded from a (1 − r − ε) fraction
of errors with constant list size in polynomial time (Guruswami & Wang (IEEE Trans. Inform.
Theory 2013) and Kopparty, Ron-Zewi, Saraf & Wootters (SIAM J. Comput. 2023)). In this
work, we present randomized algorithms that perform the above list-decoding tasks in Õ(n),
where n is the block-length of the code.
Our algorithms have two main components. The first component builds upon the lattice-
based approach of Alekhnovich (IEEE Trans. Inf. Theory 2005), who designed a Õ(n) time
list-decoding algorithm for Reed-Solomon codes approaching the Johnson radius. As part of
the second component, we design Õ(n) time algorithms for two natural algebraic problems:
Pm
given a (m + 2)-variate polynomial Q(x, y0 , . . . , ym ) = Q̃(x)+ i=0 Qi (x) · yi the first algorithm
m
df
solves order-m linear differential equations of the form Q x, f (x), dx , . . . , ddxmf ≡ 0 while the
second solves functional equations of the form Q (x, f (x), f (γx), . . . , f (γ m x)) ≡ 0, where m is
an arbitrary constant and γ is a field element of sufficiently high order. These algorithms can be
viewed as generalizations of classical Õ(n) time algorithms of Sieveking (Computing 1972) and
Kung (Numer. Math. 1974) for computing the modular inverse of a power series, and might be
of independent interest.

∗
Chennai Mathematical Institute, Chennai, India, [email protected]. Part of this work was done while visiting
the Tata Institute of Fundamental Research, Mumbai.
†
Tata Institute of Fundamental Research, Mumbai, India. [email protected], [email protected],
[email protected]. Research supported by the Department of Atomic Energy, Government of India, under
project 12-R&D-TFR-5.01-0500. Research of the second author is partially supported by a Google India Research
Award and that of the third author is supported in part by a Google Research grant and a DST-SERB grant.

1
Contents
1 Introduction 3
1.1 Folded Reed-Solomon and univariate multiplicity codes . . . . . . . . . . . . . . . 4
1.2 Our results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

2 Overview of the proofs 9

2.1 Outline of the known algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 A faster algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

3 Notations and Preliminaries 13

3.1 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.2 Fast polynomial arithmetic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 Computing shortest vector in polynomial lattices . . . . . . . . . . . . . . . . . . 14

4 Fast construction of the differential equation 16

4.1 Proof of Theorem 4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
4.2 Close enough codewords satisfy the equation . . . . . . . . . . . . . . . . . . . . 20

5 Solving the differential equation in nearly-linear time 20

5.1 Set up for proof of Theorem 5.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
5.2 Algorithm for solving B(x) + Q†n (x, ∂f ) ≡ 0 . . . . . . . . . . . . . . . . . . . . . 24
5.3 Algorithm for solving Q(x, ∂f ) ≡ 0 . . . . . . . . . . . . . . . . . . . . . . . . . . 26
5.4 Proofs of technical lemmas (Lemmas 5.5 and 5.6) . . . . . . . . . . . . . . . . . . 26

6 Pruning the list to constant size 30

7 Fast decoding the multiplicity code (Theorems 2.1 and 1.3) 31

8 Fast interpolation for Folded Reed-Solomon codes 32

8.1 Proof of Theorem 8.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
8.2 Close enough codewords satisfy the equation . . . . . . . . . . . . . . . . . . . . 34

9 Solving the functional equation in nearly-linear time 35

m
9.1 Algorithm for solving Q(x, f (x), . . . , f (γ x)) ≡ 0 . . . . . . . . . . . . . . . . . . 39

10 Fast decoding up to the Johnson radius 40

10.1 Proof of Theorem 1.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

References 44

2
1 Introduction
An error-correcting code (or simply a code) C of block length n over an alphabet Σ is a subset
of the set Σn such that any two distinct vectors of C are far from each other in Hamming
distance. The distance δ of C is defined as the minimum fractional distance between any two
distinct vectors (henceforth, referred to as codewords) in C and the rate r of C is defined as
the ratio nlog |C|
log |Σ| and is a measure of the redundancy of the code. It is generally desirable to
have codes C which large distance and high rate, and understanding the tradeoffs between these
two quantities both information theoretically, as well as understanding what can be achieved
by explicit constructions are problems of fundamental interest. Error correcting codes, though
initially invented in the 1940s as a solution to the question of data storage and communication
in the presence of noise have since then found numerous connections and applications to theory
and practice alike. Both directly, and indirectly, ideas in this area continue to find relevance in
complexity theory, pseudorandomness, combinatorics, cryptography and are central objects of
study across these areas.

Decoding and list-decoding If the distance of a code C is δ, then it follows that for
any vector v ∈ Σn , there is at most one codeword c of C at a fractional Hamming distance
less than δ/2 from C, and given v as input, the task of computing c is referred to as (unique)
decoding of C. Designing an efficient decoding algorithm for this task for a code C of interest is
a fundamental problem of interest. If we consider a Hamming ball of radius greater than δ/2
centered at a vector v ∈ Σn , there might now be multiple codewords of C present in this ball, and
for sufficiently large radii, this number may become exponentially large. However, a classical
result in coding theory asserts that this number continues to be polynomially bounded in n as
long as the radius of the Hamming ball is less than the so-called Johnson radius of the code.
The algorithmic task of computing all the codewords within such a Hamming ball is referred to
as list decoding. In general, if the number of codewords of a code C in a Hamming ball of radius
r around any vector v ∈ Σn is at most L, then C is said to be (r, L)-list-decodable. Seeking
efficient algorithms for list decoding well-studied families of codes is again a fundamental line
of enquiry in this area of research, and the focus of this paper.

List-decodable and algebraic codes Algebraic techniques and constructions have tra-
ditionally been of immense significance in the study of error correcting codes, with families
of codes like Reed-Solomon codes and Reed-Muller codes being perhaps one of the most well-
studied families of codes over the years. For Reed-Solomon codes, the alphabet Σ is a finite field
F and the codewords correspond to the evaluations of all univariate polynomials of degree d over
F (or a subset of size n of F). These codes can be seen to have fractional distance δ = 1−d/n and
rate r = (d + 1)/n and are thus optimal in the sense that they achieve the so-called Komamiya-
Joshi-Singleton bound (popularly referenced to as the Singleton bound ). Reed-Muller codes are
the multivariate analogues of Reed-Solomon codes where codewords correspond to the evalua-
tions of multivariate polynomials of low degree over inputs from the underlying field. Some of
these algebraic codes are at the heart of the notions of local decoding, local correction and local
testing that in addition to being fundamental notions on their own, have also found numerous

3
 applications in complexity theory and pseudorandomness.
Yet another example of this fruitful alliance of algebraic techniques and coding theory is in
the study of list decoding of codes. In a beautiful and influential work in 1996, Sudan [Sud97]
showed that Reed-Solomon codes can be efficiently list-decoded when the fraction of errors is less
p
than 1 − 2d/n, which is far beyond the unique decoding regime of (1 − d/n)/2 fraction errors
when d = αn for small enough constant α < 1. Guruswami and Sudan [GS99] subsequently
p
improved this to efficient list decoding with less than 1 − d/n fraction errors which matches
the Johnson radius for these codes. The combinatorial and algorithmic list decodability of Reed-
Solomon codes beyond the Johnson radius is far from understood and continues to be a problem
of great interest, including in the light of some very recent work (e.g., see [ST23, AGL23] and
references therein).
Owing to their central role in coding theory and computer science, the question of de-
signing faster (ideally nearly-linear-time) decoding algorithms for Reed-Solomon codes has also
received considerable attention. In the unique decoding regime, a nearly-linear-time decoder for
Reed-Solomon codes was designed essentially by showing that the classical Berlekamp-Massey
algorithm [Ber67, Mas69] for decoding these codes has a nearly-linear-time implementation (see
[RSTW78] and references therein). In the list-decoding regime, a similar result was shown in
a work of Alekhnovich [Ale05] that gave an algorithm for decoding Reed-Solomon codes from
p
1 − d/n − ε fraction errors in nearly-linear time, for every constant ε > 0. Alekhnovich’s
overall approach and techniques that were based on the study of appropriate lattices 1 over the
univariate polynomial ring are crucial to our work as well. We discuss this in greater detail in
our proof overview (section 2).
In subsequent work towards understanding list decodability beyond the Johnson radius,
natural variants of Reed-Solomon codes, such as the Folded Reed-Solomon (FRS) codes and
Multiplicity codes were studied. In a seminal work, Guruswami & Rudra [GR08], building on
the work of Parvaresh and Vardy [PV05], showed that FRS codes are (algorithmically) list-
decodable far beyond the Johnson radius, in fact all the way upto capacity. In subsequent
works, Guruswami & Wang [GW13] and Kopparty [Kop15] showed that multiplicity codes also
have this amazing list-decoding property upto capacity. More recently, Kopparty, Ron-Zewi,
Saraf & Wootters [KRSW23] showed the surprising fact that these codes are list-decodable with
constant list size even as they approach list-decoding capacity. Moreover, they showed that
the list-decoding algorithm of Guruswami & Wang can be combined with an efficient pruning
procedure that gives an efficient list-decoding algorithm for FRS and multiplicity codes up to
capacity with constant list size. In this work, we design significantly faster algorithms for list
decoding these codes from close to list-decoding capacity.
We start by defining FRS and multiplicity codes, before stating our results formally.

1.1 Folded Reed-Solomon and univariate multiplicity codes

FRS codes are a variant of Reed-Solomon codes, first defined by Krachkovsky [Kra03] and are
the first codes that were shown to be efficiently list-decodable upto capacity by Guruswami and
Rudra [GR08].
1
See Definition 3.3 for a formal definition of a lattice over a univariate polynomial ring.

4
 Definition 1.1 (Folded Reed-Solomon [Kra03, GR08]). Let F be a finite field of size q and let
n, d, s be positive integers satsifying d/s < n < (q − 1)/s. Let γ ∈ F be a primitive element of
F and let α1 , α2 , . . . , αn be distinct elements from the set {γ si : i ∈ {0, 1, . . . , ((q − 1)/s) − 1}}.
Then, an FRS code with folding parameter s for degree d polynomials is defined as follows.
The alphabet of the code is E = Fs and the block length is n, where the coordinates of a
codeword are indexed by 1, 2, . . . , n. The message space is the set of all univariate polynomials of
degree at most d in F[x]. And, the encoding of such a message f ∈ F[x], denoted by FRSs (f ) ∈ E n
is defined as


FRSs (f )|i := f (αi ), f (γαi ), . . . , f (γ s−1 αi ) . y

Univariate multiplicity codes are yet another variant of Reed-Solomon codes and were de-
fined by Rosenbloom & Tsfasman [RT97] and Nielson [Nie01] and were later generalized to the
multivariate setting by Kopparty, Saraf and Yekhanin [KSY14] who studied them from the per-
spective of local decoding. In this paper, we only work with univariate multiplicity codes that
we now formally define.
Definition 1.2 (Multiplicity codes [RT97, Nie01, KSY14]). Let n, d, s be positive integers sat-
isfying ds < n, F be a field of characteristic zero or at least d and size at least n, and let
α1 , α2 , . . . , αn be distinct elements of F. Then, univariate multiplicity codes with multiplicity
parameter s for degree d polynomials is defined as follows.
The alphabet of the code is E = Fs and the block length is n, where the coordinates of a
codeword are indexed by 1, 2, . . . , n. The message space is the set of all univariate polynomials
of degree at most d in F[x]. And, the encoding of such a message f ∈ F[x], denoted by Mults (f ) ∈
E n is defined as
 
Mults (f )|i := f (αi ), f (1) (αi ), . . . , f (s−1) (αi ) ,

where f (j) (αi ) is the evaluation of the j th -order derivative2 of f on the input αi . y
s
Both these families of codes have rate d/sn, alphabet size |F| and distance 1 − d/sn, and
are known to have some remarkable list-decoding properties. In particular, for every ε > 0
and for sufficiently large s = s(ε), these are both known to be efficiently list-decodable from
1 − d/sn − ε fraction of errors. For FRS codes, this was shown by Guruswami & Rudra [GR08]
(also a different analysis by Guruswami & Wang [GW13]) and for multiplicity codes, this was
shown independently by Guruswami & Wang [GW13] and by Kopparty [Kop15]. A recent work
of Bhandari, Harsha, Kumar & Sudan [BHKS24b] shows that the framework of Guruswami &
Wang [GW13] can be abstracted out into a unified algorithm for decoding multiplicity and FRS
codes, as well as some of the other variants, e.g., additive or affine FRS codes.
2
This definition in terms of (standard) derivatives requires the characteristic of the field to be 0 or at least d. All
known capacity-achieving list-decoding results for univariate multiplicity codes require large characteristic (previous
works [Kop15, GW13, KRSW23] as well as our work). For this reason as well as ease of presentation, we work with
standard derivatives. A more general definition, which works for all characteristics, can be given in terms of Hasse
derivaties or using the ideal-theoretic framework as follows: the alphabet E = Fs is interpreted as F<s [x] (polynomials
of degree strictly less than s) and the ith symbol of the encoding Mults (f ) ∈ E n of message f ∈ F[x], is defined as
Mults (f )|i := f (x) mod (x − αi )s .

5
 Kopparty, in his survey on multiplicity codes [Kop14, Section 7, Item (3)] asks the open
question if univariate multiplicity codes can be list decoded in nearly-linear time up to the
Johnson radius? In particular, can one emulate the improvements that Alekhnovich’s algorithm
[Ale05] obtains for the Guruswami-Sudan list-decoding algorithm for Reed-Solomon codes to
the setting of univariate multiplicity codes. A recent work of Kopparty, Saraf, Ron-Zewi and
Wootters [KRSW23] showed that both FRS and univariate multiplicity codes approach list-
decoding capacity while maintaining a constant (depending upon the parameter ε where 1 −
d/sn − ε is the fraction of errors) list size. Given such linear (in fact constant) sized bounds on
the list size, one may ask if the following strengthening of Kopparty’s question also holds true:
can univariate multiplicity and FRS codes be list decoded in nearly-linear time all the way up
to capacity? The main contribution of our work is a positive resolution of these open questions.

1.2 Our results

Results on list decoding Our main results are summarized in the following theorems. We
start with the statement for multiplicity codes.

Theorem 1.3. For every ε > 0, there exists a natural number s0 such that for all s > s0 , degree
parameter d, block length n, field F of characteristic zero or larger than d, the following is true.


There is a randomized algorithm that runs in time O n · poly(s log n log |F|(sn/d)poly(1/ε) )
and with high probability, list decodes univariate multiplicity code with multiplicity parameter s
d


for degree d polynomials over F from 1 − sn − ε fraction of errors.

We now state the analogous result for FRS codes.

Theorem 1.4. For every ε > 0, there exists a natural number s0 such that for all s > s0 , degree
parameter d, block length n, field F such that d/s < n < (|F| − 1)/s, the following is true.


There is a randomized algorithm that runs in time O n · poly(s log n log |F|(sn/d)poly(1/ε) )
and with high probability, list decodes Folded Reed-Solomon codes with folding parameter s for
d


degree d polynomials over F from 1 − sn − ε fraction errors.

Both the above results require the parameter s to be large compared to ε. This constraint
is essentially due to the current state of our understanding of list decoding for these codes. In
particular, we don’t know if these codes are list-decodable up to capacity for small s. As a
warm-up for some of the ideas in our proofs, we show that for all s these codes can be decoded
up to a distance ε of the so-called Johnson radius in nearly-linear time. This algorithm is
a generalization of a result of Alekhnovich [Ale05] for decoding Reed-Solomon codes up to a
distance ε of the Johnson radius.

Theorem 1.5. For every ε > 0, degree parameter d, block length n, multiplicity parameter s,
and field F of any characteristic, the following is true.
There is a deterministic algorithm that runs in time (n · poly(s log n log |F|(sn/d))), and list


decodes order-s, univariate multiplicity code for degree d polynomials over F from 1 − (d/sn)1/2 − ε
fraction errors.

A similar result holds for FRS codes and we skip the formal statement here.

6
 Since s and ε are constants, the algorithms in Theorem 1.3, Theorem 1.4 and Theorem 1.5
run in nearly-linear time in the block length n provided that the rate d/sn of the code is a
constant.

Fast solvers for differential and functional equations On the way to our results,
we design nearly-linear-time algorithms for solving certain linear differential and functional
equations that arise naturally in the context of decoding multiplicity and FRS codes. These
algorithms build upon the techniques like Fast Fourier transform and Newton iteration from
computational algebra and to our knowledge do not appear to be known in literature. We
suspect that these results might be of independent interest and might have applications besides
their current application to list decoding. We state the main theorems starting with the result
on differential equations.

Theorem 1.6. Let F be a finite field of characteristic greater than d or zero, and let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x)yi
i=0

be a non-zero polynomial with x-degree at most D. Then, the set of polynomials f (x) ∈ F[x] of
degree at most d that satisfy
 
Q x, f, f (1) . . . , f (m) ≡ 0

form an affine space dimension at most m. Furthermore, there is a deterministic algorithm

that when given Q as an input via its coefficient vector, and the parameter d, performs at most
Õ((D + d) poly(m)) field operations and outputs a basis for this affine space.

We now state an analogous result for solving certain functional equations.

Theorem 1.7. Let F be any field, let γ ∈ F be an element of order greater than d, and let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x)yi
i=0

be a non-zero polynomial with x-degree at most D. Then, the set of polynomials f (x) ∈ F[x] of
degree at most d that satisfy

Q (x, f (x), f (γx), . . . , f (γ m x)) ≡ 0

form an affine space of dimension at most m. Furthermore, there is a deterministic algorithm

that when given Q as an input via its coefficient vector, and the parameter d, performs at most
Õ((D + d) poly(m)) field operations and outputs a basis for this affine space.

Earlier algorithms for solving linear differential equations exist for settings different from
ours or a running time that exceeds our requirements [AK91, Sin91]. These mostly proceed via
finding intermediate power series or rational solutions. Bostan, Cluzeau and Salvy [BCS05] give
a nearly-linear-time algorithm but in the setting where the degree of the coefficients is small

7
and the degree of the solution is growing (in our case, the degree of the coefficients depends on
the block length of the code).

1.3 Related Work

In this section, we review related work in the two different contexts: (a) nearly-linear-time
decoding and (b) list-size bounds.

Nearly-linear-time decoding algorithms: There is a rich literature in coding theory

trying to obtain nearly-linear-time decoding algorithms. As mentioned earlier, the classical
Berlekamp-Massey algorithm [Ber67, Mas69] for unique-decoding Reed-Solomon codes can be
implemented in nearly-linear time [RSTW78]. Alekhnovich [Ale05] obtained a nearly-linear-time
implementation of the Guruswami-Sudan algorithm [GS99] for list decoding Reed-Solomon codes
up to the Johnson radius. Subsequent to the discovery that FRS and univariate multiplicity
codes are list-decodable up to capacity [GR08, Kop15, GW13], Hemenway, Ron-Zewi & Wootters
[HRW20] constructed codes that were list-decodable all the way up to capacity in probabilistic
nearly-linear time, more specifically n1+o(1) time where n is the blocklength of the code. In a
followup work, Kopparty, Resch, Ron-Zewi, Saraf & Silas [KRRSS21] proved a similar result
for codes that were list-decodable all the way up to capacity in deterministic nearly-linear
time. Hemenway, Ron-Zewi & Wootters [HRW20] and Kopparty, Resch, Ron-Zewi, Saraf &
Silas [KRRSS21] obtain such codes by a clever application of expander distance amplification
technique of Alon, Edmonds and Luby [AEL95, AL96] on high-rate list-decodable codes. We
remark that these results which construct the first nearly-linear-time list-decodable codes all the
way upto capacity do so by constructing tailor-made codes (starting from FRS/Multiplicity like
codes of very small block-length) while our nearly-linear-time list-decoding algorithms are for
the standard FRS and univariate multiplicity codes. Furthermore, our algorithms run in time
O(n·poly log n) while to the best of our knowledge, the algorithms of [HRW20, KRRSS21] cannot
be made to run in time O(n · poly log n). That said, while our nearly-linear-time algorithms
are randomized, the nearly-linear-time algorithms of Kopparty, Resch, Ron-Zewi, Saraf & Silas
[KRRSS21] are deterministic.
Sipser and Spielman constructed expander codes, which were the first family of codes that
are unique decodable in linear time [SS96]. Guruswami and Indyk [GI03] used expander-based
constructions to construct the first family of codes that were list-decodable in linear time. It
would be be interesting if similar expander-based constructions can be used to construct codes
that are list-decodable all the way up to the Johnson radius or even capacity in linear time.

Bounds on list size: The initial works on list-decodable codes up to capacity [GR08,
Kop15, GW13] obtained only polynomial-sized list bounds. This was dramatically improved
by Kopparty, Ron-Zewi, Saraf and Wootters [KRSW23] who showed that FRS and univariate
multiplicity codes are list-decodable up to capacity with constant-sized lists. There has been
a lot of work towards improving the list size of list-decodable codes [KRSW23, KRRSS21,
Tam23]. In this work, we do not focus on list-size bounds. The list-size bounds we obtain
are inherited from the results of Kopparty, Ron-Zewi, Saraf and Wootters [KRSW23] (and

8
subsequent improvements due to Tamo [Tam23]). We refer the interested reader to previous
works ([KRSW18, KRRSS21, Tam23]) for a survey on list-size bounds.

2 Overview of the proofs

In this section, we give a short overview of the proofs of our results. Our algorithms and
analysis for multiplicity codes and FRS codes are very similar to each other, and therefore, in
this overview we focus only on multiplicity codes. Even later in this paper, we discuss the proofs
for multiplicity codes in detail, whereas we sketch out the arguments for FRS codes. Moreover,
we focus on the case of capacity-achieving decoding, i.e.,Theorem 1.3 and Theorem 1.4.
Our decoding algorithm for multiplicity codes is essentially a faster implementation of the
list-decoding algorithm of Guruswami & Wang [GW13]. We follow the outline of their algorithm,
observe the computational bottlenecks, and design faster alternatives for those steps. We start
this overview with a brief outline of Guruswami & Wang’s algorithm.
Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be the received word that we wish to list decode from. The
algorithm in [GW13] essentially has two main steps, which are the first two steps mentioned
below. The third step below is from a subsequent work of Kopparty, Ron-Zewi, Saraf and
Wootters [KRSW23] (and a follow up work of Tamo [Tam23]) who showed how to reduce the
list size obtained in [GW13] to a constant.

2.1 Outline of the known algorithms [GW13, KRSW23]

Constructing a differential equation : The aim in this step is to find an (m+2)-variate
Pm
non-zero polynomial Q of the form Q(x, y) = Q̃(x)+ i=0 Qi (x)yi , where each Qi has low degree
(denoted by D) and that Q satisfies some interpolation constraints. The parameter m is chosen
carefully depending on s and ε and for this discussion, can just be thought of something smaller
than s. The interpolation constraints are imposed in a way that ensures that for any degree
d univariate f (x) whose multiplicity code encoding is close enough to the received word R, f
satisfies the differential equation
X
Q(x, ∂f ) := Q̃(x) + Qi (x) · f (i) (x) ≡ 0 .
i

To this end, for every j ∈ {1, . . . , n}, we impose constraints of the form
X
Q̃(αj ) + Qi (αj ) · βj,i = 0 , and
i
X (1)

Q̃(1) (αj ) + Qi (αj ) · βj,i + Qi (αj ) · βj+1,i = 0 .
i

The constraints above have been engineered in a way that ensures that if the encoding of f
and R agree at a point αi , then Q(x, ∂f ) vanishes at αi and the first derivative of Q(x, ∂f )
vanishes at αi . More generally, about s − m similar such constraints are imposed for every i
that ensure that every point αi of agreement, Q(x, ∂f ) vanishes with multiplicity at least s − m.
Thus, if the number of points of agreements is sufficiently large as a function of D, d, we get

9
that Q(x, ∂f ) must be identically zero as a polynomial. In particular, in order to solve the
list-decoding question, it suffices to solve the differential equation Q(x, ∂f ) ≡ 0 for solutions of
degree at most d.

Solving the differential equation Q(x, ∂f ) ≡ 0 : Guruswami & Wang then solve this
differential equation, and show that there are at most polynomially many degree-d solutions
to it, and that the list of solutions can be computed in polynomial time. To this end, their
main observation is that the space of solutions is an affine space of dimension at most m, and it
suffices to compute a basis of this subspace. To compute the basis, they open up the structure
of this linear system, and notice that the system is essentially lower triangular with at most m
zeroes on the diagonal.

Pruning to a constant-sized list: In their work [KRSW23], Kopparty, Saraf, Ron-Zewi

and Wootters improved the bound on the size of the list output by Guruswami & Wang to a
constant. They do this by essentially showing that for a code like multiplicity code or an FRS
code that has good distance, a constant dimensional affine subspace can have at most a constant
number of codewords that are close enough to a given received word. In addition to this, they
also gave a simple randomized algorithm to obtain this pruned list.

2.2 A faster algorithm

For our algorithm, we present alternative algorithms that implement the first two steps above
in nearly-linear time. Naively, the first step above involves solving a linear system with at least
n constraints, and the best state of art general purpose linear system solvers can do this is in
roughly matrix multiplication time (so at least Ω(n2 ) time). Similarly it is a priori unclear if the
step on solving differential equations can be done in better than O(n2 ) time. The final pruning
step of Kopparty, Ron-Zewi, Saraf and Wootters [KRSW23] and Tamo [Tam23] happened to
be nearly-linear time as it is, and we use this step off-the-shelf from their work without any
changes. We note that the randomness in our final algorithm only comes from the randomness
in the algorithm of Kopparty, Ron-Zewi, Saraf and Wootters [KRSW23]. As an intermediate
statement, we get the following theorem, which when combined with the aforementioned pruning
procedure gives us Theorem 1.3.

Theorem 2.1. For every ε > 0, there exists a natural number s0 such that for all s > s0 , degree
parameter d, block length n, field F of characteristic zero or larger than d, the following is true.
There is a deterministic algorithm that takes as input a received word R and after at most
O (n · poly(s log n poly(1/ε))) field operations outputs a basis for an affine space A of degree d
polynomials of dimension O(1/ε) such that if Mults (f ) has fractional Hamming distance at most
d


1 − sn + ε from R for a polynomial f of degree at most d, then f is contained in A.

We now briefly discuss the ideas in our faster algorithms for constructing the differential
equation and for solving them.

10
Fast construction of the differential equation: To construct the interpolating poly-
P
nomial Q(x, y) = Q̃(x) + i Qi (x)yi satisfying the linear constraints described above in nearly-
linear time, we rely on the ideas of Alekhnovich [Ale05]. In particular, we define an appropriate
lattice over the polynomial ring F[x] with the properties that any non-zero polynomial in this
lattice satisfies the linear constraints of interest, and moreover that the shortest vector in the
lattice gives us a polynomial Q of low enough degree for our applications. At this point, we
invoke an algorithm of Alekhnovich to exactly compute the shortest vector of this lattice, which
gives us the desired Q. We remark on the two salient points of departure from Alekhnovich’s
algorithm and analysis. First, the definition of the lattice that is suited for decoding multiplicity
codes (both for decoding upto Johnson radius as well as upto capacity) is different from that
of Alekhnovich. Second, Alekhnovich proves that there exists a short vector in the lattice by
demonstrating that the lattice constructed by him is identical to the one constructed by Gu-
ruswami and Sudan which is known to have short vectors. We instead follow a more direct
approach; we demonstrate the existence of a short vector by a direct application of Minkowski’s
theorem. The details can be found in section 4.

Fast solver for linear differential equations: We now outline the main ideas in our
proof of Theorem 1.6. For ease of notation, we confine ourselves to solving an equation of
the form Q(x, ∂f ) = Q̃(x) + Q0 (x)f (x) + Q1 (x)f (1) (x) ≡ 0, i.e.,the parameter m = 1. If the
polynomial Q1 is identically zero, then, we are solving Q̃ + Q0 f ≡ 0. We note that in this case,
Q0 (x) can be assumed to have a non-zero constant term, essentially without loss of generality.
To see this, observe that for any i, if xi divides Q0 (x), then, it must also divide Q̃(x) or else
the equation has no solution. Thus, we can simply divide the whole equation Q̃ + Q0 f ≡ 0
by the largest power of x that divides Q0 , and it can be assumed to have a non-zero constant
term. In this case, the solution f is just equal to f = −Q̃/Q0 . Thus, to compute this, it
suffices to compute the inverse of Q0 in the ring F[[x]] of power series. Moreover, since we are
interested in solutions f of degree at most d, it suffices to compute the inverse modulo xd+1 .
There are classical nearly-linear-time algorithms known for this problem, e.g., see Sieveking
[Sie72] and Kung [Kun74] and over the years, these algorithms have found many applications.
These algorithms are based on ideas like Fast Fourier transform and Newton iteration. In fact
in his work on fast list decoding of Reed-Solomon codes, Alekhnovich uses an algorithm of Roth
& Ruckenstein [RR00] based on very similar ideas to solve the polynomial equations that arise
there.
We would now like to emulate the above approach to larger m, i.e., m > 1. However, it
is unclear to us if the ideas there immediately extend to the case of differential equations that
arise here. The fact that we no longer have unique solutions to the differential equations causes
a problem when one implements the above divide-and-conquer approach in a naive manner for
the following reason. Suppose at each step of the divide-and-conquer the number of solutions
doubles, then the total number of solutions would be prohibitively large if one unravels the
recursion. To get around this issue, we show that given any differential equation Q, there is a
related differential equation Q† which has a unique solution and from whose unique solution we
can construct all the solutions of Q. Below, we give a high-level overview of this approach.

11
 Going forward, we assume that the polynomial Q1 is non-zero. Additionally, up to a trans-
lation of the x variable, we also assume that Q1 has a non-zero constant term. In this case,
Guruswami and Wang had shown that the affine space of solutions has dimension 1 and if we
fix the constant term of any solution, then there is a unique polynomial f of degree d with this
specified constant term that is a solution. Let us fix this constant term to be 1 and look for
solutions of the form f = 1 + xg where g is a polynomial of degree less than d. Thus, it suffices
to solve for g. Using the properties of the derivative operator, we get

Q(x, f, f (1) ) = Q̃ + Q0 · f + Q1 · f (1)

= Q̃ + Q0 · (1 + xg) + Q1 · (g + xg (1) )
 
= Q̃ + Q0 + (x · Q0 + Q1 ) · g + x · Q1 · g (1) .

Thus, if f satisfies Q(x, ∂f ) ≡ 0, it must be the case that g satisfies Q† (x, ∂g) ≡ 0 for
 
Q† (x, y0 , y1 ) := Q̃ + Q0 + (x · Q0 + Q1 ) · y0 + x · Q1 · y1 .

While Q† looks similar to Q in overall form, there are small changes in structure when compared
to Q: for instance, the coefficient x·Q1 of y1 has zero as its constant term. It turns out that these
seemingly small changes in overall structure make Q† much nicer to work with. In particular,
we observe that equations of this form now have unique solutions. Moreover, the uniqueness
of solution and the form of Q† makes it very amenable to a divide-and-conquer-style algorithm
based on Newton iteration. We show that in order to solve Q† (x, ∂g) ≡ 0 for a g of degree less
than d, it suffices (up to some nearly-linear computational overhead) to solve two equations of
a similar form, where we are now looking for solutions of degree d/2. This observation then
immediately gives a recursive algorithm, where the recursion is on the degree of solution of
interest. One slightly technical point to note is that for this recursion to work, we end up
working with the modular equation Q† (x, ∂g) ≡ 0 mod xk for sufficiently large k, which is
also the case for many of the other applications of Newton iteration-like techniques. While the
outline of the above is quite clean, the details end up being slightly technical and we describe
the detailed algorithm and its analysis in section 5.
We also note that attempting a similar strategy while directly working with Q and not Q†
seems like a natural thing to try. However, note that the differential equation for Q (unlike that
for Q† ) does not have a unique solution and hence a recursive approach to solve the differential
equation for Q directly requires a lot of book-keeping and other issues to ensure that the number
of solutions do not blow up. Working with Q† gets around these problems and is crucial for our
proof.

Organization of the paper

The rest of the paper is organized as follows.
We start with some notations and preliminaries in section 3. In section 4, we discuss a
fast algorithm for construction of differential equations for decoding multiplicity codes. Our
algorithm for solving these linear differential equations is discussed in section 5. We combine

12
these results to conclude the proof of Theorem 1.3 in section 7. We also discuss a natural
extension of Alekhnovich’s algorithm in section 10 which gives us a proof of Theorem 1.5.
Finally, in section 8 and section 9, we discuss some of the main ideas needed for the proof
of Theorem 1.4. Since the ideas are quite similar to those in the proof of Theorem 1.3, we focus
on the differences, and some of the proofs in these sections are left as sketches.

3 Notations and Preliminaries

3.1 Notations
We summarise some of the notations that we use.
• We use F to denote a field. Throughout this paper, F is finite, unless otherwise stated.
• We use boldface letters like y to denote a tuple of vectors. The arity of the tuple is
generally clear from the context.
• Given a set of vectors {v0 , v1 , v2 , . . . , vk } ⊆ Fm , their affine span is defined as the set
Pk Pk
{ i=0 αi vi : αi ∈ F, i=0 αi = 1}.
• For an affine space A in Fm , where F is the underlying field, we define the canonical linear
space corresponding to A to be the vector space à over F such that there is a vector
v ∈ Fm with A = v + Ã. The dimension of A is defined to be the dimension of Ã.
• For every affine space A ⊂ Fm of dimension k, there is a set {v0 , v1 , v2 , . . . , vk } of k + 1
vectors in A such that {v1 − v0 , . . . vk − v0 } are linearly independent over the underlying
field F such that A equals the affine span of {v0 , v1 , v2 , . . . , vk }. We refer to any such set
of vectors as a basis of A.
• For a polynomial Q(x, y) in F[x, y], the (a, b)-weighted degree of Q is defined as a degx (Q)+
b degy (Q).

3.2 Fast polynomial arithmetic

Lemma 3.1 (Taylor expansion of polynomials). Let F be a field and d be a natural number such
that the characteristic of F is either zero or larger than d. Then, for every univariate polynomial
f (x) ∈ F[x] of degree d, we have that

f (2) (x)z 2 f (d) (x)z d

f (x + z) = f (x) + f (1) (x)z + + ···+ .
2! d!
The following simple lemma will be useful for our proofs.

Lemma 3.2. Let f (x) be a univariate polynomial over a field F of degree at most d and let
m ≤ d be a natural number. Then, there is an algorithm that requires at most O(dm) field
operations and outputs the coefficient vectors of the derivatives f (1) , . . . , f (m) of f , when given
the coefficient vector of f as input.

Proof. We can compute these derivatives by computing the first m derivatives of each of the
monomials 1, x, . . . , xd . Now, to compute the first m derivatives of a monomial xk requires us to

13
compute the field elements k, k(k − 1), k(k − 1)(k − 2), . . . , k(k − 1)(k − 2) · · · (k − m + 1), which
requires at most O(m) field operations. Thus, all the first m derivatives of f can be computed
using at most O(dm) field operations.

3.3 Computing shortest vector in polynomial lattices

We define polynomial lattices, some associated quantities and a few results that will be useful
for us. In particular, we will discuss Alekhnovich’s shortest vector computation algorithm in
polynomial lattices.
Definition 3.3. Let B = {β1 , β2 , . . . , βℓ } be a set of m-dimensional vectors of polynomials, that
is, βi ∈ F[x]m for all i. The lattice LB generated by this set over the ring F[x] is the set of all
linear combinations

LB := {fi β1 + f2 β2 + · · · + fℓ βℓ : fi ∈ F[x]} .

A basis of a lattice is a set B of vectors of polynomials such that B generates the lattice
in the sense of the above definition and the vectors in B are linearly independent over the field
F(x) of rational functions over F. y
Before proceeding further, we make the following remark regarding the definition of lattices
above.
Remark 3.4. Lattices, as defined above are just finitely generated free modules over the univari-
ate polynomial ring F[x]. However, we stick to the term lattices as opposed to free F[x]-module.
This is partly to be consistent with the convention in the work of Alekhnovich [Ale05], and partly
because of the similarities between some of the properties of finitely generated free modules over
the univariate polynomial ring F[x] those of lattices over the ring of integers.
We also note that for the results of this paper, it is important that we are working with finitely
generated free modules over the univariate polynomial ring, and not the polynomial ring on a
larger number of variables. y
Notice that a basis B can be thought of as an m × ℓ matrix (the ℓ basis vectors written side
by side as columns). When we refer to det B for a basis B we are referring to the determinant of
this matrix. As is the case with lattices over integers, this quantity is independent of which basis
we choose for the lattice L, i.e, if B and B ′ are two bases for the lattice L, then det B = det B ′ ,
which we refer to as the determinant of the lattice L, denoted by det L.
The following is the measure by which we define and seek a shortest vector in the lattice.
Definition 3.5. Let β = (β(1), β(2), . . . , β(m)) ∈ F[X]m be a vector of polynomials. We define

deg β := max deg β(j) .

j∈[m]

The leading coordinate of β is the largest coordinate where this maximum occurs, that is,

LC(β) := max{j : deg β(j) = deg β} . y

The notion of degree above gives us a way of comparing two vectors in F[x]m , which we

14
informally refer to as the degree-norm. We now define the notion of a reduced basis.
Definition 3.6. A reduced basis B of a lattice over LB over the ring F[x] is one where the
leading coordinates are all distinct. That is, for any pair of distinct non-zero elements β1 , β2 ∈ B,
we have LC(β1 ) 6= LC(β2 ). y
Predictably, certain computations become easier when working with a reduced basis. How-
ever, it is unclear if such a basis exists for every lattice. The next proposition, due to Alekhnovich
asserts that this is indeed true, and in fact he gives an algorithm to transform a general basis
to a reduced one.
Proposition 3.7 ([Ale05, Proposition 2.1]). Let L be a lattice over the univariate polynomial
ring F[x]. Then, there exists a basis B for L that is reduced as per Definition 3.6.
With a reduced basis at hand, the following observation of Alekhnovich gives a very simple
algorithm to find a shortest vector.
Proposition 3.8 ([Ale05, Proposition 2.3]). Let B be a reduced basis of a lattice L over the
ring F[x]. Let β be any nonzero vector of minimal degree in B. Then β is a shortest vector in
L.
We will also be using a specific form of Minkowski’s theorem guaranteeing the existence of
a short vector in a lattice. The proof is simple and we give it here.
Theorem 3.9 (Polynomial version of Minkowski’s theorem). Let L be an m-dimensional poly-
nomial lattice. Then, there is a nonzero vector v satisfying

1
deg v ≤ deg det L
m
where deg v is the max-degree norm and det L is the determinant of the lattice basis.

Proof. From above, using elementary matrix operations, we can assume that the basis matrix
is lower triangular and has all the maximum degree elements on the diagonal. Then, the degree
of the determinant is simply the sum of the degrees on the diagonal.
Since it is a reduced basis, by the above proposition, the shortest vector in the lattice is no
shorter than the shortest basis vector. The shortest basis vector has degree at most the average
of the degrees of the basis vectors, which we have ensured to occur on the diagonal. Since the
sum of the degrees equals deg det L, the average of the degrees is (deg det L)/m.

Finally, we state Alekhnovich’s theorem pertaining to the fast algorithm for finding the
shortest vector, that we later use off the shelf. The algorithm proceeds via a basis reduction.
Theorem 3.10 ([Ale05, Theorem 2.1]). Let B be a set of ℓ vectors of dimension m. Let n be
the maximal degree of the polynomials which are entries of the vectors in B. Then, there is an
algorithm that finds the shortest vector in LB , the lattice generated by B, in time Õ(n(ℓ + m)4 ).
Note that the above theorem yields a nearly-linear-time algorithm in the maximal degree
of the polynomials in the basis, albeit a polynomial time in the dimension of the lattice.
Alekhnovich’s key observation is that this suffices to obtain nearly-linear-time algorithms for
several applications, one of which is list-decoding polynomial codes.

15
4 Fast construction of the differential equation
We start with the following definition that will be crucially used in our proof. In this form, this
operator τ defined below and its variants show up naturally in the prior results on list decoding
of multiplicity codes, e.g., [GW13, BHKS24a]. One additional piece of notation that we use
throughout this section that for a polynomial univariate A(x), and non-negative integer k, we
k
use A(k) to denote ddxAk .

Definition 4.1 (Iterated derivative operator). Let s ∈ N be a parameter. Then, for every
m such that 0 ≤ m < s, the function τ is an F-linear map from the set of polynomials in
F[x, y0 , y1 , . . . , ym ] with y-degree 1 to the set of polynomials in F[x, y0 , y1 , . . . , ym+1 ] with y-
degree 1 and is defined as follows.
! m 
m
X X 
(1)
τ Q̃(x) + Qi (x) · yi := Q̃(1) (x) + Qi (x) · yi + Qi (x) · yi+1 .
i=0 i=0

For an integer i ≤ (s − m), we use τ (i) to denote the linear map from F[x, y0 , . . . , ym ] to
F[x, y0 , . . . , ym+i ] obtained by applying the operator τ iteratively i times. y
The operator τ is defined in this strange fashion for the following reason. For any polyno-
mial f ∈ F[x], consider the univariate polynomial P (x) := Q(x, f, f (1) (x), . . . , f (m) (x)). The
derivative of P with respect to x, namely dP dx , is precisely equal to the polynomial obtained by
(m+1)
evaluating τ (Q) on (x, f, . . . , f ).
We now state the main theorem of this section.

Theorem 4.2. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a multiplicity code de-
coder, and let m ≤ s be any parameter.
Then, for D ≤ ((n(s − m))/m), there exists a non-zero polynomial Q(x, y0 , y1 , . . . , ym ) of
P
the form Q = Q̃(x) + i Qi (x) · yi , with degree of Q̃ and each Qi being at most D such that for
all i ∈ {0, 1, . . . , s − m − 1},

τ (i) (Q)(αi , βi,0 , . . . , βi,s−1 ) = 0 .

Moreover, there is a deterministic algorithm that when given R as input, runs in time
Õ(n poly(sm)) and outputs such a polynomial Q as a list of coefficients.

4.1 Proof of Theorem 4.2

The proof of Theorem 4.2 follows the high-level strategy in the work of Alekhnovich [Ale05] and
proceeds via setting up the problem as a question of finding the shortest vector in an appropriate
lattice over the ring F[x] and then applying the nearly-linear-time algorithm of Alekhnovich to
find such a vector. The upper bound on the x-degree of Q can once again be viewed as the
consequence of properties of this lattice. We start by building the machinery necessary for the
proof.
Definition 4.3. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a multiplicity code de-
coder, and let m ≤ s be any parameter (a positive integer).

16
 For i ∈ {0, 1, . . . , m}, let Ai (z) be the unique univariate polynomial of degree less than n(s−i)
in F[z] such that for every j ∈ {1, 2, . . . , n} and k ∈ {0, , 1, . . . , s − i − 1},

(k)
Ai (αj ) = βj,i+k .

(m)
Let LR be the (m + 2)-dimensional lattice over the ring F[x] defined as
( n m
)
(m)
Y X
s−m
LR := h̃(x) · (x − αi ) + hi (x) · (yi − Ai (x)) : h̃, hi ∈ F[x] . y
i=1 i=0

One crucial bit of fact that we use later in our proof is that the polynomials A0 , A1 , . . . , Am
can be computed quite fast, given the received word as an input. More precisely, we have the
following theorem that constructs a univariate polynomial from its high multiplicity evalua-
tion given at a set of points, also known as Hermite interpolation. We follow the notation in
Definition 4.3.

Theorem 4.4 ([GG13, Algorithm 10.22]). Let m ∈ N be a parameter with m ≤ s. Then, there
is a deterministic algorithm that when given the received word R = (αi , βi,0 , . . . , βi,s−1 )ni=1 as
input, outputs the polynomials A0 , A1 , . . . , Am defined in Definition 4.3 in time Õ(nsm).

The following lemma summarizes some of the crucial properties of the lattice defined in
Definition 4.3 and is the main technical step towards proving Theorem 4.2.

Lemma 4.5. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a multiplicity code decoder,
(m)
and let m ≤ s be any parameter, and let LR be the lattice as defined in Definition 4.3. Then,
the following are true.
(m) P
• Any non-zero polynomial Q in LR is of the form Q(x, y0 , y1 , . . . , ym ) = Q̃(x)+ ℓ Qℓ (x)·
yℓ and for all i ∈ {0, 1, . . . , s − m − 1},

τ (i) (Q)(αi , βi,0 , . . . , βi,s−1 ) = 0 .

(m)
• There is a non-zero polynomial in LR with x-degree at most D ≤ (n(s − m)/m).
• Such a polynomial can be found in time Õ(n poly(sm)).

Proof. We prove the lemma one item at a time, starting with the first item which describes the
structure of polynomials in the lattice.

Structure of polynomials in the lattice and behaviour under τ : Let Q be a

(m)
nonzero polynomial in LR . Thus, there are polynomials h̃ and h0 , h1 , . . . , hm in F[x] such that

n
Y m
X
Q = h̃(x) · (x − αℓ )s−m + hℓ (x) · (yℓ − Aℓ (x)) .
ℓ=1 ℓ=0

17
By separating out the terms containing the y variables, we immediately get that Q can be
written as
X
Q(x, y0 , y1 , . . . , ym ) = Q̃(x) + Qℓ (x) · yℓ ,
ℓ

Q P
where for each ℓ, Qℓ = hℓ and Q̃ equals h̃(x) · nℓ=1 (x − αℓ )s−m − j hj Aj .
To prove the second part of the first item in the lemma, we now try to understand the
behaviour of Q under the action of the operator τ . In this context, the following two simple
claims turn out to be useful. We first use the claims to prove the lemma, and then include their
proofs.

Claim 4.6. For every i ∈ {0, 1, . . . , s−m−1} and j ∈ {1, 2, . . . , n}, we have that the polynomial
Qn
τ (i) (h̃(x) · ℓ=1 (x − αℓ )s−m ) when evaluated at (αj , βj,0 , . . . , βj,s ) is zero.

Claim 4.7. For every i ∈ {0, 1, . . . , s − m − 1}, j ∈ {1, 2, . . . , n} and ℓ ∈ {0, 1, . . . , m}, we have
that the polynomial τ (i) (hℓ (x)(yℓ − Aℓ (x))) when evaluated at (αj , βj,0 , . . . , βj,s ) is zero.

From the definition of the operator τ , we get that it is a linear map on the polynomial ring,
and thus for every i ∈ N, τ (i) is also a linear map on the polynomial ring. Thus, for every
i ∈ {0, 1, . . . , s − m − 1}, τ (i) (Q) equals

n
! m
Y X
(i) (i) s−m
τ (Q) = τ h̃(x) · (x − αℓ ) + τ (i) (hℓ (x) · (yℓ − Aℓ (x))) .
ℓ=1 ℓ=0

From Claim 4.6 and Claim 4.7, it follows that each of the summands above vanishes when
evaluated at (αj , βj,0 , . . . , βj,s ) for every j ∈ {1, . . . , n}. This completes the proof of the first
item in the lemma.

Existence of a low-degree polynomial in the lattice: To show that there is a

(m)
low-degree polynomial in the lattice LR , we note that while we have been viewing polynomials
in the lattice as polynomials of degree at most 1 in the variables y0 , y1 , . . . , ym with coefficients
in F[x], we can equivalently view any such polynomial Q as an (m + 2)-dimensional column
vector with entries in the ring F[x], where the coordinates are labelled (0, 1, . . . , m, m + 1)
and for ℓ < m + 1, the ℓth coordinate corresponds to the coefficient of yℓ in the polynomial
Q, and the coordinate labelled (m + 2) stores the y-free part of Q. For instance, if Q =
Pm
Q̃ + ℓ=0 hℓ , then this corresponds to the transpose of (Q0 , Q1 , . . . , Qm , Q̃). Moreover, we note
(m)
that the vectors corresponding to the generators of the lattice LR , namely the polynomials
Qn
(y0 − A0 ), . . . , (ym − Am ) and ℓ=1 (x − αℓ )s−m form a lower triangular matrix with non-zero
(m)
diagonal entries, and hence are linearly independent over F(x). In other words, the lattice LR
is full rank. Moreover, all but one diagonal entries is just 1 and the bottom-most diagonal entry
Qn
is precisely ℓ=1 (x−αℓ )s−m , which is a polynomial of degree n(s−m). Thus, the determinant of
this matrix is a polynomial of degree at most (in fact, it is equal to) n(s− m). From Minkowski’s
(m)
Theorem (Theorem 3.9), we have that there is a vector in the lattice LR with every entry of
degree at most n(s − m)/(m + 2) ≤ n(s − m)/m. This completes the proof of the second item

18
 in the lemma3 .

Constructing a low-degree polynomial efficiently: In order to construct a shortest

vector in the lattice R, we invoke the algorithm of Alekhnovich in Theorem 3.10 that takes the
set of generators for the lattice as input, and outputs a shortest vector in time Õ(n · poly(sm)).
Here, we use the fact that the lattice is given by m + 2 vectors in dimensions m + 2 over the
ring F[x] and each entry of the vectors is a polynomial of degree at most n(s − m) and thus two
such polynomials can be multiplied in time at most Õ(n(s − m)).

Now, to complete the proofs of the lemma, we sketch the proofs of Claim 4.6 and Claim 4.7.

Proof of Claim 4.6. On a polynomial that just depends on x variables, the operator τ operates
by just differentiating it with respect to x once. In particular, this implies that for any i ∈
Qm
{0, 1, . . . , s − m − 1}, and any polynomial h̃ ∈ F[x], τ (i) (h̃ · ℓ=1 (x − αℓ )s−m ) must be divisible
Q
by m ℓ=1 (x − αℓ ),and thus vanishes when the variable x is set to a value in {α1 , . . . , αn }.

Proof of Claim 4.7. For the proof of this claim, the key observation is that for every i < s − m,
Pi (k)
the polynomial τ (i) (hℓ · (yℓ − Aℓ )) is of the form k=0 gk (x) · (yℓ+k − Aℓ ) for some polynomials
g0 , g1 , . . . , gi ∈ F[x]. This can be seen by the definition of the operator τ and an induction on i.
For i = 0, this is vacuously true. Inductively, we assume that i < s − m and τ (i−1) (hℓ · (yℓ − Aℓ ))
P (k)
is of the form i−1 k=0 gk (x) · (yℓ+k − Aℓ ). Now, applying τ to this expression one more time
(and we know that this can be done since i < s − m), we get

i−1
!
X (k)
(i)
τ (hℓ · (yℓ − Aℓ )) = τ gk (x) · (yℓ+k − Aℓ ) .
k=0

By definition of τ , this gives

i−1 
!
X 
(i) (1) (k) (k+1)
τ (hℓ · (yℓ − Aℓ )) = gk · (yℓ+k − Aℓ ) + gk · (yℓ+k+1 − Aℓ ) .
k=0

Thus, by reindexing the summations, we have the desired structure.

Pi
Once we have this structure, we note that evaluating any polynomial of the form k=0 gk (x)·
(k) Pi (k)
(yℓ+k − Aℓ ) at (αj , βj,0 , . . . , βj,s ) gives us k=0 gj (αj ) · (βj,ℓ+k − Aℓ (αj )). But from the
interpolation condition on Aℓ in Definition 4.3, we have that for every j ∈ {1, 2, . . . , n}, (βj,ℓ+k −
(k)
Aℓ (αj )) equals zero. This completes the proof of the claim.

We are now ready to complete the proof of Theorem 4.2.

(m)
Proof of Theorem 4.2. Given the received word R, we construct the basis for the lattice LR in
Definition 4.3. This basis can be constructed in time at most Õ(n poly(sm)) since all the Ai ’s
3
The curious reader familiar with previous list-decoding algorithms for polynomial codes [Sud97, GS99, Ale05,
GR08, Kop14, GW13, BHKS24a, BHKS24b] will notice that the argument presented here is different from the
standard argument which proceeds by constructing a homogenous system of linear equations and showing that a non-
zero solution exists if the number of variables exceeds the number of constraints. The alternate argument presented
here using Minkowski’s Theorem is inspired by a similar argument due to Coppersmith [Cop97] in the context of
finding small integer solutions to polynomial equations.

19
 Q
can be constructed in this time from Theorem 4.4 and the polynomial ni=1 (x − αi )s−m can
also be constructed in this time using the Fast Fourier Transform. We now invoke Lemma 4.5
(m)
and get that there is a non-zero polynomial Q(x, y0 , y1 , . . . , ym ) in LR of the form Q = Q̃ +
Pm
i=0 Qi (x)yi that can be constructed in time Õ(n poly(sm)) such that the x-degree of Q is at
most D ≤ (n(s − m)/m) and it satisfies precisely the linear constraints with respect to R that
the theorem seeks.

4.2 Close enough codewords satisfy the equation

We now prove the following simple lemma that shows that every message polynomial f whose
encoding is close enough to the received word R satisfies the differential equation Q. This step
is identical to that in [GW13].

Lemma 4.8. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a multiplicity code decoder,
(m)
m ≤ s be a parameter, and let Q(x, y0 , y1 , . . . , ym ) ∈ LR be a non-zero polynomial with x-degree
at most D ≤ (n(s − m)/m).
Then, for every polynomial f ∈ F[x] of degree at most d such that Mults,α (f ) agrees with R
on more than (D + d)/(s − m) values of i, Q(x, f, f (1) (x), . . . , f (m) (x)) is identically zero.

Proof. Consider the univariate polynomial P (x) = Q(x, f, f (1) (x), . . . , f (m) (x)). The degree of
P is at most D + d ≤ d + n(s − m)/m. Recall that the τ operator was defined such that the
derivative of P with respect to x, dP dx is precisely equal to the polynomial obtained by evaluating
(m+1)
τ (Q) on (x, f, . . . , f ). More generally, for every i ∈ {0, 1, . . . , s − m − 1}, we have that
di P (i)
dxi is precisely equal to the univariate polynomial obtained by evaluating τ (Q) on the input
(m+i) th
((x, f, . . . , f ). Thus, for any j ∈ {1, 2, . . . , n}, if the j coordinate of the encoding of
f agrees with the received word R, i.e.,(αj , f (αj ), . . . , f (s−1) (αj )) equals (αj , βj,0 , . . . , βj,s−1 ),
then, from the above discussion, we have that

di P
(αj ) = τ (i) (Q)(αj , f (αj ), . . . , f (s−1) (αj )) = τ (i) (Q)(αj , βj,0 , . . . , βj,s−1 ) ,
dxi
(m)
which by the constraints imposed on Q in the definition of LR is zero.
Thus, for every point of agreement between R and the encoding of f , P vanishes with
multiplicity at least (s − m). Therefore, if the number of such agreements exceeds (D + d)/(s −
m) ≤ d/(s − m) + n/m, we have that P must be identically zero.

5 Solving the differential equation in nearly-linear time

In this section, we design fast algorithms for solving differential equations of the form
 
Q x, f, . . . , f (m) ≡ 0

obtained in Lemma 4.8. Since the degree of Q in y variables is at most 1, we have that the
solution space of all polynomials of degree at most d satisfying Q(x, f, . . . , f (m) ) = 0 is an affine
space. It was shown by Guruswami & Wang [GW13] that this space has dimension at most m

20
and a basis for this space can be obtained in deterministic polynomial time. In the main theorem
of this section, stated below, we show that such a basis can, in fact be obtained significantly
faster.

Theorem 5.1. Let F be a finite field of characteristic greater than d or zero, and let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x) · yi
i=0

be a non-zero polynomial with x-degree at most D. Then, the affine space of polynomials f (x) ∈
F[x] of degree at most d that satisfy
 
Q x, f, f (1) . . . , f (m) ≡ 0

has dimension at most m.

Moreover, there is a deterministic algorithm that when given Q as an input via its coefficient
vector, and the parameter d, performs at most Õ((D + d) poly(m)) field operations and outputs
a basis for this affine space.

Since Q is a non-zero polynomial, it follows that at least one of the polynomials Q̃, Q0 , . . . , Qm
is non-zero. If Q̃ is the only non-zero polynomial amongst these, then the space of solutions for
Q(x, f, f (1) (x), . . . , f (m) (x)) ≡ 0 is clearly empty, and this condition can clearly be checked in
linear time since Q is given via its coefficient vector. Therefore, for the rest of this discussion, we
assume that at least one of the Qi ’s is non-zero. Moreover, let m0 be the largest i ∈ {0, 1, . . . , m}
that is non-zero. Thus, Q is only a function of x and y0 , y1 , . . . , ym0 in this case. For simplicity
of notation, we just assume that m0 = m, i.e., Qm (x) is a non-zero polynomial.
For further ease of notation, we also assume in the rest of this section that the constant term
of the polynomial Qm (x), i.e.,Qm (0) is non-zero. Since Qm is assumed to be non-zero, there is
a constant β in F (or an extension of F if the size of F is less than the degree D of Qm ) such
that Qm (β) is non-zero. Up to a translation x → x + β of the x variable, β can also be assumed
to be the origin, and thus, for the rest of this section, we assume without loss of generality that
Qm (0) is non-zero.
Based on the above discussion, in order to prove Theorem 5.1 it suffices to prove the following
theorem.

Theorem 5.2. Let F be a finite field of characteristic greater than d or zero, and let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x) · yi
i=0

such that its x-degree is at most D and Qm (0) is non-zero. Then, the affine space of polynomials
f (x) ∈ F[x] of degree at most d that satisfy
 
Q x, f, f (1) . . . , f (m) ≡ 0

has dimension at most m.

21
 Moreover, there is a deterministic algorithm that when given Q as an input via its coefficient
vector, and the parameter d, performs at most Õ((D + d) poly(m)) field operations and outputs
a description (at most m + 1 vectors whose affine span is this space) for this affine space.

5.1 Set up for proof of Theorem 5.2

As we alluded to in the previous section, the bound of m on the dimension of the affine space


of solutions of degree at most d of Q x, f, f (1) . . . , f (m) ≡ 0 was already shown by Guruswami
and Wang [GW13]. They showed the following.

Theorem 5.3 ([GW13]). Let k be any natural number, F be a finite field of characteristic at
least k + m or zero, and let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x) · yi
i=0

be such that its x-degree is at most D and Qm (0) is non-zero. Then, the set of polynomials f
of degree at most (k + m − 1) that satisfy
 
Q x, f, f (1) . . . , f (m) ≡ 0 mod xk .

form an affine space of dimension m.

Moreover, there is a poly(k, D, m) time algorithm that when given the coefficient vector of
Q and the parameter d as inputs, outputs a basis for this affine space.

The proof in Guruswami & Wang [GW13] can be viewed as an application of the widely
used power series based techniques for solving differential equations, and essentially shows that
given the coefficients of x0 , x, x2 , . . . , xm−1 in any solution f of this differential equation, there
is a unique way of recovering the remaining coefficients. In order to improve the computational
efficiency of this algorithm and prove Theorem 5.2, we argue that this iterative procedure can
be implemented faster than just recovering one coefficient at a time.
Our high level idea is essentially a reduction from looking for degree d solutions for this
equation to looking for equations of degree close to d/2 of two closely related equations with
appropriate structure, which are then recursively solved. In spirit, this is similar to the well
known Newton Iteration/Hensel Lifting based algorithm that computes the inverse of a given
univariate polynomial4 modulo xd in nearly-linear time (e.g., see [GG13, Theorem 9.4]), except
for one key difference: in the aforementioned fast algorithm for modular inverse computation in
[GG13], the two instances of roughly half the size generated in the recursive call are precisely
the same. So, effectively, in every recursive call, there is some nearly-linear-time computation
before and after the call, and precisely one recursive call on a problem instance of roughly half
the size. Unfortunately, for our algorithm, the overall structure is not so clean. Things are also
a little more complicated by the fact that unlike for inverse computation,the solution to the
4
Perhaps interestingly, the input polynomial here is also assumed to have a non-zero constant term. This is
essentially for the same reason that we have assumed (without loss of generality here) that Qm has a non-zero
constant term.

22
 equations we are hoping to solve are not really unique. However, as it turns out, the smaller
recursive calls are to problem instances that continue to have some additional structure that
lets us make this outline work.
We start by describing the kind of differential equations that make an appearance in our
recursive calls. But first we set up some necessary notation. For brevity of notation, we denote


a polynomial A x, f, f (1) . . . , f (m) by A(x, ∂f ). Throughout, the field F and the polynomial
Q, Q̃, Q0 , . . . , Qm are as given in the hypothesis of Theorem 5.2, and in particular the constant
term of Qm is non-zero. The following is a crucial definition.
Pm
Definition 5.4. For a polynomial Q(x, y) = Q̃(x) + i=0 Qi (x) · yi , and an n ∈ N, we use Q†n
to denote the polynomial
 
m
X m
X  
n! j
Q†n (x, y) := xi  · xm−j · Qj (x) · yi . y
i=0 j=i
(n + i − j)! i

The polynomial Q† is defined in this strange fashion as it satisfies the property that for
Pm
any m, we have Q†m (x, ∂f ) = i=0 Qi (x) · (xm · f )(i) , a property we will prove and use later.
Before further elaborating on the role Definition 5.4 has to play in our proof of Theorem 5.2, we
state the following lemma that summarises the structure of the solution space of the differential
equation Q†n (x, ∂f ) ≡ 0.
Lemma 5.5. Let n, k ∈ N and char(F) is either zero or greater than or equal to max(n + k, m).
Pm
Let Q(x, y) = Q̃(x) + i=0 Qi (x) · yi ∈ F[x, y] be such that Qm (0) is non-zero. Then, for every
B(x) ∈ F[x], the following are true.


• The differential equation B(x) + Q†n (x, ∂f ) ≡ 0 mod xk has a unique solution modulo
xk .


• For every ℓ ∈ N with ℓ < k, this unique f (x) satisfying B(x) + Q†n (x, ∂f ) ≡ 0 mod xk
can be written as f (x) = h(x) + xℓ g(x) where,


– h is the unique polynomial (modulo xℓ ) that satisfies B(x) + Q†n (x, ∂h) ≡ 0 mod xℓ
 
– g is the unique polynomial (modulo xk−ℓ ) that satisfies B̃(x) + Q†n+ℓ (x, ∂g) ≡ 0 mod xk−ℓ ,
where B̃(x) := x−ℓ · (B(x) + Q†n (x, ∂h)). 5

The relevance of the Definition 5.4 towards the proof of Theorem 5.2 stems from the following
lemma that drives our algorithm.
Lemma 5.6. Let k be a natural number and char(F) is either zero or greater than or equal to
Pm
m + k. Let Q(x, y) = Q̃(x) + i=0 Qi (x) · yi ∈ F[x, y] be such that Qm (0) is non-zero.
Then, for every h ∈ F[x] of degree at most (m − 1), there is a unique g ∈ F[x] of degree less
than k such that the polynomial f := h + xm · g is a solution of Q(x, ∂f ) ≡ 0 mod xk .
Moreover, the polynomial g is the unique solution of B(x) + Q†m (x, ∂g) ≡ 0 mod xk , where
B(x) := Q(x, ∂h).
We recall from Theorem 5.3 that solutions to Q(x, ∂f ) ≡ 0 mod xk form an affine space of
dimension m. Combining this bound on the dimension with Lemma 5.6, we get the following.
5
We recall that since B(x) + Q†n (x, ∂h) ≡ 0 mod xℓ , B̃ as defined here is indeed a polynomial.

23
 Lemma 5.7. Let k be a natural number and char(F) be either zero or greater than or equal
Pm
to m + k. Let Q(x, y) = Q̃(x) + i=0 Qi (x) · yi ∈ F[x, y] be such that Qm (0) is non-zero.
For i ∈ {0, 1, . . . , m} 6 , let gi (x) be the unique polynomial of degree less than k guaranteed by
Lemma 5.6 such that fi := xi + xm · gi is a solution of Q(x, ∂fi ) ≡ 0 mod xk .
Then, f0 , f1 , . . . , fm form a basis of the affine space of solutions of degree at most (m + k − 1)
of Q(x, ∂f ) ≡ 0 mod xk .

Proof sketch. The lemma immediately follows from the fact that f0 −fm , f1 −fm , . . . , fm−1 −fm
are linearly independent over F and the dimension of the solution space of Q(x, ∂f ) ≡ 0 mod xk
is m, as is given by Theorem 5.3.

The basis of the solution space described by Lemma 5.7 is the basis that we construct in our
algorithm. We defer the proofs of Lemma 5.5 and Lemma 5.6 to the end of this section, and
proceed with the discussion and analysis of our algorithms. We start with an algorithm that
uses Lemma 5.5 to solve the equations that appear therein.

5.2 Algorithm for solving B(x) + Q†n (x, ∂f ) ≡ 0

Algorithm 1: SolveQ† (Solving equations of the form B(x) + Q†n (x, ∂f ) ≡ 0)

Input: (Q(x, y), B(x), n, k), where Q(x, y) ∈ F[x, y], B(x) ∈ F[x] are polynomials with
Pm
Q(x, y) = Q̃(x) + i=0 Qi (x) · yi with Qm (0) 6= 0, x-degree at most D, n, k are
natural numbers and char F is either zero or at least n + k.
Output: The unique polynomial f (x) ∈ F[x] of degree less than k that satisfies
B(x) + Q†n (x, ∂f ) ≡ 0 mod xk , where Q†n is defined as in Definition 5.4.

1 if k = 1 then
2 return −B(0)/Qm (0) ;
3 else
4 Set ℓ ← ⌊k/2⌋ ;
5 Recursively run SolveQ† (algorithm 1) on input (Q, B, n, ℓ) to obtain the
polynomial h(x) ;
6 Recursively run SolveQ† (algorithm 1) on input


Q, xℓ · (B(x) + Q†n (x, ∂h)), n + ℓ, k − ℓ to obtain the polynomial g(x) ;
7 return h(x) + xℓ · g(x) .

We now bound the running time of the algorithm, and prove its correctness.

Lemma 5.8 (Time complexity of SolveQ†). SolveQ† (algorithm 1) requires at most Õ(k poly(m))
many field operations in the worst case.

Proof. The algorithm is essentially a divide and conquer, where in order to obtain a solution
of the original differential equation modulo xk , we solve two instances of a related equation
modulo xk/2 if k is even, and modulo x⌊k/2⌋ , x⌈k/2⌉ if k is odd. Moreover, the solutions g, h of
6
We go up till m as it works like plugging in 0 instead of an xi and is cleaner notationally.

24
these smaller instances can be combined into a solution h + x⌊k/2⌋ · g using at most O(k) field
operations. One additional bit of processing that is needed before the second recursive call is in
constructing the polynomial x−ℓ · (B + Q†n (x, ∂h)). We note that we only need to compute this
polynomial modulo x⌈k/2⌉ , thus we can assume without loss of generality that B as well as each
of the Qi s have degree at most x⌈k/2⌉ . Now, given an h of degree at most ℓ, we can compute
the polynomials h, h(1) , . . . , h(m) with at most O(km) field operations using Lemma 3.2. For


i, j ≤ m, computing the binomial coefficients ji takes at most O(m) field operations by just
j! n!
naively expressing this as i!(j−i)! . Similarly, computing (n+i−j)! = n(n−1) · · · (n−i+j +1) takes
P
m−j 
m n! j
at most O(m) field operations for every n ∈ N. Thus, every term j=i (n+i−j)! i x Qj
can be computed using at most O(k poly(m)) field operations, since the degree of each Qi can
be assumed to be at most x⌈k/2⌉ . Finally, to compute
 
m
X Xm  
n! j m−j  (i)
B+ xi  x Qj h ,
i=0 j=i
(n + i − j)! i

we need to additionally perform m polynomial multiplications, m summations of univariates

of degree at most x⌈k/2⌉ and some shifts (corresponding to multiplications by monomials), and
hence the overall complexity of computing x−ℓ (B + Q†n (x, ∂h)) is at most O(k poly(m)) field
operations.
Thus, the total number of field operations in any execution of the algorithm can be bounded
via the recursion

T (k) ≤ 2T (⌈k/2⌉) + O(k poly(m)) ,

which immediately yields T (k) ≤ Õ(k poly(m)).

Lemma 5.9 (Correctness of SolveQ†). For every input (Q, B, n, k), if the underlying field F
of characteristic either zero or greater than or equal to n + k, SolveQ† (algorithm 1) correctly
outputs the unique solution of B + Q†n (x, ∂f ) ≡ 0 mod xk .

Proof. We note that as we make recursive calls in the algorithm, the sum of the parameters ni
and ki for each call continues to be at most n + k. So, the condition on the characteristic of the
field being either zero or greater than n + k continues to hold at each recursive call.
That the base case of the algorithm (k = 1) outputs the correct solution is straightforward
to see. The overall correctness now immediately follows from the second item of Lemma 5.5.

25
5.3 Algorithm for solving Q(x, ∂f ) ≡ 0

Algorithm 2: SolveQ (Solving equations of the form Q(x, ∂f ) ≡ 0)

Input: (Q(x, y), d), where Q(x, y) ∈ F[x, y] is polynomials with
Pm
Q(x, y) = Q̃(x) + i=0 Qi (x) · yi with Qm (0) 6= 0, x-degree D, d is a natural
number and char F is either zero or greater than d.
Output: A basis for the affine space of solutions of degree at most d of Q(x, ∂f ) ≡ 0.
1 for i ← 0 to m do
2 Run SolveQ† (algorithm 1) on inputs (Q, Q(x, ∂xi ), m, d − m + 1) to obtain the
polynomial gi ;
3 Set fi ← xi + xm · gi ;
4 return f0 , f1 , . . . , fm .

Lemma 5.10 (Time complexity of SolveQ). SolveQ (algorithm 2) requires at most Õ((D +
d) poly(m)) many field operations in the worst case.

Proof. The algorithm makes m calls to SolveQ† (algorithm 1), and hence its time complexity
is at most m times the complexity of the most expensive of these calls and the time taken
for preprocessing before making the call. For the ith call, we need to construct the coefficient
representation of the polynomial Q(x, ∂xi ), which takes at most O(D poly(m)) field operations.
Thus, using Lemma 5.8, we have that the overall complexity of the algorithm is at most
O(D poly(m)) + Õ(d poly(m)) ≤ Õ((D + d) poly(m)) many field operations.

Lemma 5.11 (Correctness of SolveQ). For every input Q, d, if the underlying field has charac-
teristic zero or greater than d, then SolveQ (algorithm 2) correctly outputs a basis for the space
of solutions of degree at most d for Q(x, ∂f ) ≡ 0.

Proof. Since we are looking for solutions of degree at most d of Q(x, ∂f ) ≡ 0, we have from
Theorem 5.3 that it suffices to solve Q(x, ∂f ) ≡ 0 modulo xd−m+1 .
From Lemma 5.7, we have that for i = 0, 1, . . . , m, polynomials of the form fi := xi + xm gi
form a basis of the m-dimensional affine space of solutions of degree at most d of Q(x, ∂f ) ≡ 0
mod xd−m+1 , where gi is the unique solution of degree at most d of Q(x, ∂xi ) + Q†m (x, ∂gi ) ≡ 0
mod xd−m+1 . From Lemma 5.8, we have that each gi is computed correctly in the call to
SolveQ† (algorithm 1). The lemma now immediately follows from Lemma 5.7.

5.4 Proofs of technical lemmas (Lemmas 5.5 and 5.6)

Proof of Lemma 5.5. To show the uniqueness of solution of B(x) + Q†n (x, ∂f ) ≡ 0 mod xk , we
view the equation as a linear system in the coefficients of f . We argue that the linear system
we get is square, lower triangular and all the diagonal elements are non-zero, thereby implying
that the solution is unique.
We start by arguing that the system is lower triangular. Let f = f0 + f1 x + · · · + fd xd be a
polynomial, where we think of the coefficients f0 , f1 , . . . , fd as formal variables to be determined.
Pd
Now, we note that for every i ∈ N, the polynomial xi · f (i) equals u=i xu · fu · u(u − 1) · · · (u −

26
 P
i + 1) = du=i (u−i)!u!
· xu · fu . In particular, the coefficient fu always appears with the monomial
xu in xi · f (i) if u ≥ i, and is zero otherwise. Thus, we have that
 
X m
X  
 n! j
Q†n (x, ∂f ) = xm−j Qj (x) xi f (i)
i j=i
(n + i − j)! i
  !
X Xm   X d
 n! j u!
= xm−j Qj (x) · · xu · fu  .
i j=i
(n + i − j)! i u=i
(u − i)!

Based on the expression above, we note that every coefficient of Q†n (x, ∂f ) is a linear function
in the coefficients of f . Moreover, every occurrence of fj in the above expression is in the form
xj fj · U (x) for some polynomial U (x). Therefore, we get that for every i, the coefficient of xi
in Q†n (x, ∂f ) only depends upon f0 , f1 , . . . , fi and does not depend on fj for j > i. Thus, for
any i ≤ k, seeking an f such that B(x) + Q†n (x, ∂f ) ≡ 0 mod xk , gives us k linear constraints
on f0 , f1 , . . . , fd , and moreover the j th such constraint (that equates the coefficient of xj−1 to
zero) only depends on f0 , f1 , . . . , fj−1 . Hence, this linear system is lower triangular. We now
argue that the diagonal entries of this system are all non-zero.
To get a sense of the diagonal entries of the constraint matrix, we note that the diagonal
element in tth row is equal to the coefficient of ft in the linear form that corresponds to the
coefficient of xt in Q†n (x, ∂f ). We note from the expression for Q†n that this entry precisely
equals
 
max(t,m)     max(t,m)  
X n! m t! X n! m t!
Qm (0) = Qm (0)  .
i=0
(n + i − m)! i (t − i)! i=0
(n + i − m)! i (t − i)!

By expanding the binomial coefficients, and reorganizing, we get

 
n! m t! n! m! t!
= · ·
(n + i − m)! i (t − i)! (n − (m − i))! i!(m − i)! (t − i)!
n! t!
= · m! ·
(n − (m − i))!(m − i)! i!(t − i)!
  
n t
= m! · · .
m−i i

Now, summing over i from i = 0 to max(m, t), we get

max(m,t)
X     
n t n+t
m! · · = m! ,
i=0
m−i i m

P
t

as the sum max(m,t)
i=0
n
m−i · i is precisely counting the number of ways of choosing m distinct
n+t


elements from a collection of n+t distinct elements, which equals m . The diagonal element of


the (t + 1)st row of the constraint matrix equals m! n+t m Qm (0), which is non-zero since Qm (0) is
non-zero, and the characteristic of the the field is either zero or exceeds max(n + k, m). Finally,
we note that the coefficients of x0 , x, x2 , . . . , xk−1 in Q†n (x, ∂f ) only depend on the coefficients

27
f0 , f1 , . . . , fk−1 of f , and thus the constraint matrix is actually k × k. Thus, the solution to the
equation B + Q†n (x, ∂f ) ≡ 0 mod xk is unique modulo xk .
The above proof for the first item in the conclusion of the lemma also sheds light on the
proof of the second part. For any solution f of B + Q†n (x, ∂f ) ≡ 0 mod xk , and ℓ < k, let us
decompose f as f = h + xℓ · g, where h consists of monomials of f of degree less than ℓ and
xℓ g consists of monomials of f of degree at least ℓ. From the structure of the linear system
discussed in the proof of uniqueness above, we immediately get that h must be the unique
solution of B + Q†n (x, ∂h) ≡ 0 mod xℓ . Now, by the linearity of the derivative operator and
that of Q, we have

B + Q(x, ∂f ) = B + Q†n (x, ∂h + ∂(xℓ g))

= B + Q(x, ∂h) + Q†n (x, ∂(xℓ g)) .

Since h is a solution for B + Q†n (x, ∂h) ≡ 0 mod xℓ , we have that there is a polynomial B̃(x)
such that

xℓ B̃ = B + Q†n (x, ∂h) .

Thus, if f is a solution of B + Q†n (x, ∂f ) ≡ 0 mod xk , we get that the function f satisfies
xℓ B̃ + Q†n (x, ∂(xℓ g)) ≡ 0 mod xk . To complete the proof of the lemma, we now need to deduce
that g satisfies B̃ + Q†n+ℓ (x, ∂g) ≡ 0 mod xk−ℓ , which we do now.

 
m
X m
X  
 n! j
Q†n (x, ∂(xℓ g)) = xm−j Qj (x) xi (xℓ g)(i)
i=0 j=i
(n + i − j)! i
  !
Xm Xm   X i  
 n! j i
= x m−j
Qj (x) x i ℓ
(x ) (i−u)
g (u)

i=0 j=i
(n + i − j)! i u=0
u
  
Xm Xm   Xm  
i n! j
= g (u)  xi (xℓ )(i−u)  xm−j Qj (x)
u=0 i=u
u j=i
(n + i − j)! i
 
Xm Xm X m   
n! i j
= g (u)  xm−j+i (xℓ )(i−u) Qj (x)
u=0 i=u j=i
(n + i − j)! u i
 
Xm Xm X m   
n! i j ℓ!
= g (u)  xm−j+u+ℓ Qj (x)
u=0 i=u j=i
(n + i − j)! u i (ℓ − (i − u))!
  
X m Xm X m   
n! i j ℓ!
= xℓ  xu g (u)  xm−j Qj (x)
u=0 i=u j=i
(n + i − j)! u i (ℓ − (i − u))!
  
X m Xm X m   
ℓ n j!
= xℓ  xu g (u)  xm−j Qj (x)
u=0 i=u j=i
i − u j − i u!

28
   
m
X m
X Xj   !
j! ℓ n
= xℓ  xu g (u)  xm−j Qj (x) ·  .
u=0 j=u
u! i=u
i − u j − i

Pj ℓ

n

n+ℓ


Now, simplifying this further by using i=u i−u j−i = j−u , we get
  
m
X m
X  
j! n + ℓ
Q†n (x, ∂(xℓ g)) = xℓ  xu g (u)  xm−j Qj (x) · 
u=0 j=u
u! j − u
  
Xm m
X  
(n + ℓ)! j
= xℓ  xu g (u)  xm−j Qj (x) ·  .
u=0 j=u
(n + ℓ − j + u)! u

Rearranging and re-indexing by using i for u, we get that

xℓ B̃ + Q†n (x, ∂(xℓ g)) ≡ 0 mod xk

  
X m Xm  
(n + ℓ)! j m−j 
⇐⇒ xℓ B̃ + xi g (i)  x Qj ≡ 0 mod xk .
i=0 j=i
(n + ℓ + i − j)! i

Clearly, this happens if and only if

  
m
X Xm  
B̃ + (n + ℓ)! j m−j 
xi g (i)  x Qj ≡ 0 mod xk−ℓ
i=0 j=i
(n + ℓ + i − j)! i

or, equivalently, g is the solution for B̃ + Q†n+ℓ (x, ∂g) ≡ 0 mod xk−ℓ , which is what we set out
to prove. This completes the proof of the lemma.

Proof of Lemma 5.6. Like the proof of the second part of Lemma 5.5, the proof of this lemma
again involves relying on the structure of the differential equations and some arithmetic based
on properties of binomial coefficients. We start with an arbitrary h of degree less than m and
seek to find a g such that f := h + xm g is a solution of the equation Q(x, ∂f ) ≡ 0 mod xk .
Moreover, we need to argue that this g must have the properties asserted in the lemma.
By the linearity of Q in y variables, and the linearity of the derivative operator, we have
that for any f of the form h + xm g,
m
X
Q(x, ∂f ) = Q(x, ∂(h + xm g)) = Q(x, ∂h) + Qi (x) · (xm g)(i) .
i=0

Now, we reorganise the expression Q(x, xm g) a bit in a more usable form.

 
m
X m
X X i  
i
Qi (x)(xm g)(i) = Qi (x) ·  (xm )(i−j) g (j) 
i=0 i=0 j=0
j

29
  
m
X m
X  
 i
= Qi (x) · (xm )(i−j)  g (j)
j=0 i=j
j
 
m
X m
X  
 i m!
= Qi (x) · xm−i+j  g (j)
j=0 i=j
j (m − i + j)!
 
Xm Xm  
j i m!
= x xm−i Qi  g (j)
j=0 i=j
j (m − i + j)!

= Q†m (x, ∂g) .

From Lemma 5.5, we know that for every polynomial B, and natural numbers m, k if the under-
lying field has characteristic zero or larger than m + k, then the equation B(x) + Q†m (x, ∂g) ≡ 0
mod xk has a unique solution. So, if we set B = Q(x, ∂h), and consider the unique solution g
of B(x) + Q†m (x, ∂g) ≡ 0 mod xk , we have that Q(x, h + xm g) = Q(x, ∂h) + Q†m (x, ∂g), which
is zero modulo xk by the choice of g. This completes the proof of the lemma.

6 Pruning the list to constant size

In this section, we recall a beautiful recent result of Kopparty, Ron-Zewi, Saraf and Wootters
[KRSW23] and a subsequent improvement to it due to Tamo [Tam23], who showed that for
any constant ε > 0, univariate multiplicity codes (and folded Reed-Solomon codes) can be list
decoded with fractional agreement (1 − δ + ε) with constant list size in polynomial time, where
δ is the relative distance of the code. One of their main technical insights is a property of these
codes, which essentially shows that any low-dimensional affine space cannot contain too many
codewords that are close to a received word. Moreover, they give a randomized algorithm that
given a low-dimensional subspace via its basis, and a received word, output this constant-size
list in polynomial time. We use this algorithm off-the-shelf for our algorithm. We describe
the algorithm, and state the main technical theorem (or rather, a special case for univariate
multiplicity codes) that we use, and refer the interested reader to [Tam23, KRSW23] for the
general statement and a proof.

30
 Algorithm 3: Prune (Reducing to constant list size [KRSW23])
Input: Codewords c0 , c1 , . . . , cm and received word R = (αj , βj,0 , . . . , βj,s−1 )nj=1 for
univariate multiplicity codes of degree d, block length n and multiplicity
parameter s and natural numbers t, k.
Output: A list L of codewords in the affine span of c0 , c1 , . . . , cm .

1 Set L ← ∅ (empty set) ;

2 for j ← 1 to k do
3 Pick i1 , i2 , . . . , it ∈ {1, 2, . . . n} independently and uniformly at random ;
4 if there is exactly one codeword c̃ in the affine span of c0 , c1 , . . . , cm that agrees with
R on coordinates i1 , i2 , . . . , it then add c̃ to L;
5 return L .
The main theorem about the algorithm that we use in our proof is the following. The
statement below is a quantitative strengthening of the statement of Kopparty, Ron-Zewi, Saraf
and Wootters due to Tamo.

Theorem 6.1 ([Tam23, Lemma 3.1]). Let ε > 0 be an arbitrary constant, C be the affine span
of independent codewords c0 , c1 , . . . , cm of univariate multiplicity codes of degree d, block length
n and multiplicity s. Let δ = 1 − d/sn be the fractional distance of the code.
If
 m
log (1/ε)
t=m and k=O
εm

then, with with high probability, the list L output by Prune (algorithm 3) on input c0 , . . . , cm ,
and R, k, t includes all codewords of C that have fractional agreement at least (1 − δ + ε) with
the received word R.
Moreover, the algorithm requires at most poly(mtk) field operations in the worst case.

We refer to [Tam23, KRSW23] for a proof of the first part of the theorem. The bound on
the time complexity follows from the fact that the algorithm essentially solves k instances of a
linear system with m + 1 variables and t constraints each.

7 Fast decoding the multiplicity code (Theorems 2.1 and 1.3)

We are now ready to prove the main theorems for fast list decoding of multiplicity codes.

Proof of Theorem 2.1. Let the parameter s0 in the theorem be set to ⌈(1 + 2/ε)2 ⌉, and let s
be any integer greater than s0 . Let m be set to ⌈2/ε⌉, which, by the choice of s satisfies that
s/m − 1 ≥ 2/ε.
Given the received word R the decoder uses Theorem 4.2 to construct a non-zero polynomial
Q(x, y) explaining the received word, with its x-degree being at most D ≤ n(s − m)/m and y
degree 1. This takes time at most Õ(n poly(s)).

31
 Now, by Lemma 4.8, we have for the above Q and any message polynomial f whose encoding
agrees with the received word R on at least (D+d)/(s−m) coordinates, the polynomial Q(x, ∂f )
is identically zero.
From the discussion at the beginning of section 5, we have that Qm (0) can be assumed to
be non-zero without loss of generality.
From Theorem 5.2, we have that the space of degree d solutions of Q(x, ∂f ) is an affine
space of dimension m, and SolveQ (algorithm 2) outputs a basis for this affine space using at
most Õ((D + d) poly(m)) ≤ Õ(n + d) poly(s) many field operations. This concludes the proof
of Theorem 2.1.

Proof of Theorem 1.3. Finally, Theorem 2.1 using Theorem 6.1, we have that a list of codewords


consisting of all the true solutions can be output in time O n(sn/d)poly(1/ε) with probability at
least 0.99. This includes the time to compute the parameters t, k required by Prune (algorithm 3)


as inputs. The size of the list of codewords is at most O (d/sn)poly(1/ε) .
Moreover, we have that the above algorithm works as long as the agreement between the
received word and the codewords is larger than

(D + d)/(s − m) ≤ d/(s − m) + D/(s − m)

≤ d/(s − m) + n/m
≤ d/s + (dm)/(s(s − m)) + n/m

Thus the fractional agreement needed is at least d/sn + (d/n)(m/(s(s − m))) + 1/m. By the
choice of parameters, this is at most d/sn + ε, as stated in the theorem.

8 Fast interpolation for Folded Reed-Solomon codes

We start with the following definition that the natural analogue of Definition 4.1 in the context
of Folded Reed-Solomon codes and was defined in this form in [GW13]. γ is a field element of
sufficiently high order throughout this section.
Definition 8.1 (Iterated folding operator). Let s ∈ N be a parameter. Then, for every m
such that 0 ≤ m < s, the function ψ is an F-linear map from the set of polynomials in
F[x, y0 , y1 , . . . , ym ] with y degree 1 to the set of polynomials in F[x, y0 , y1 , . . . , ym+1 ] with y
degree 1 and is defined as follows.
m
! m
X X
ψ Q̃(x) + Qi (x) · yi := Q̃(γx) + Qi (γx) · yi+1 .
i=0 i=0

For an integer i ≤ (s − m), we use ψ (i) to denote the linear map from F[x, y0 , . . . , ym ] to
F[x, y0 , . . . , ym+i ] obtained by applying the operator ψ iteratively i times. y
We now state the main theorem of this section.

Theorem 8.2. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a FRS code decoder, and
let m ≤ s be any parameter.

32
 Then, for D ≤ ((n(s − m))/m), there exists a non-zero polynomial Q(x, y0 , y1 , . . . , ym ) of
P
the form Q = Q̃(x) + i Qi (x)yi , with degree of Q̃ and each Qi being at most D such that for
all i ∈ {0, 1, . . . , s − m − 1},

ψ (i) (Q)(αj , βj,0 , . . . , βj,s−1 ) = 0 ∀j ∈ {1, 2, . . . , n}.

Moreover, there is a deterministic algorithm that when given R as input, runs in time
Õ(n poly(sm)) and outputs such a polynomial Q as a list of coefficients.

8.1 Proof of Theorem 8.2

The proof of Theorem 8.2 is exactly on the same lines as that of Theorem 4.2, upto some variation
in the details. We start with the definition of an appropriate lattice, whose shortest vector would
ultimately give us the polynomial Q that we are looking for. Owing to the similarities to the
proofs in the algorithm for multiplicity codes, we try to keep this presentation short and succinct,
and take the liberty to skip a few details.
We start by defining the lattice.
Definition 8.3. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for an FRS code decoder,
and let m ≤ s be any parameter.
For i ∈ {0, 1, . . . , m}, let Ai (z) be a univariate polynomial of degree at most n(s + 1 − i) in
F[z] such that for every j ∈ {1, 2, . . . , n} and k ∈ {0, , 1, . . . , s − m − 1},

Ai (γ k αj ) = βj,i+k .

(m)
Let LR be the (m + 2)-dimensional lattice over the ring F[x] defined as
 
 n s−m−1
Y Y m
X 
(m)
LR := h̃(x) · (x − γ j αi ) + hi (x) · (yi − Ai (x)) : h̃, hi ∈ F[x] . y
 
i=1 j=0 i=0

The following lemma asserts that the polynomials A′i s can be computed in nearly-linear time,
via an off-the-shelf application of fast polynomial interpolation, e.g., [GG13, Algorithm 10.11].

Theorem 8.4 ([GG13, Algorithm 10.11]). Let m ∈ N be a parameter with m ≤ s. Then, there
is a deterministic algorithm that when given the received word R = (αi , βi,0 , . . . , βi,s−1 )ni=1 as
input, outputs the polynomials A0 , A1 , . . . , Am defined in Definition 8.3 in time Õ(nsm).

The following lemma summarizes some of the crucial properties of the lattice defined in
Definition 8.3.

Lemma 8.5. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a FRS code decoder, and
(m)
let m ≤ s be any parameter, and let LR be the lattice as defined in Definition 8.3. Then, the
following are true.
(m) P
• Any non-zero polynomial Q in LR is of the form Q(x, y0 , y1 , . . . , ym ) = Q̃(x)+ ℓ Qℓ (x)·

33
 yℓ and for all i ∈ {0, 1, . . . , s − m − 1},

ψ (i) (Q)(αj , βj,0 , . . . , βj,s−1 ) = 0 ∀j ∈ {1, 2, . . . , n} .

(m)
• There is a non-zero polynomial in LR with x-degree at most D ≤ (n(s − m)/m).
• Such a polynomial can be found in time Õ(n poly(sm)).

Proof sketch. The proof follows the proof of Lemma 4.5 in general, and in particular, the proofs
of the second and the third item are exactly the same. For the first item, we briefly sketch some
of the details.
(m)
Let Q be a nonzero polynomial in LR . Thus, there are polynomials h̃ and h0 , h1 , . . . , hm
in F[x] such that

n s−m−1
Y Y m
X
Q = h̃(x) · (x − γ j αℓ ) + hℓ (x) · (yℓ − Aℓ (x)) .
ℓ=1 j=0 ℓ=0

By rearranging and separating out the terms depending on the y variables, we get the desired
form. Now, just from its definition, it is quite clear that for every i ∈ {0, 1, . . . , s − m − 1}, and
Qn Qs−m−1
for every ℓ ∈ {1, 2, . . . , n}, the polynomial ℓ=1 j=0 (x − γ j αℓ ) vanishes on γ i αℓ , and thus,
Q Qs−m−1 
n
ψ (i) ℓ=1 j=0 (x − γ j αℓ ) vanishes on input αℓ .
The following claim, whose proof is immediate from the definition of the operator ψ and the
polynomials Ai , together with the linearity of the operator ψ then completes the proof of the
first item.

Claim 8.6. For every i ∈ {0, 1, . . . , s − m − 1}, j ∈ {1, 2, . . . , n} and ℓ ∈ {0, 1, . . . , m}, we have
that the polynomial ψ (i) (hℓ (x)(yℓ − Aℓ (x))) when evaluated at (αj , βj,0 , . . . , βj,s ) is zero.

Proof sketch of Theorem 8.2. The proof of Theorem 8.2 is an immediate consequence of Defini-
tion 8.3, Theorem 8.4 and Lemma 8.5. We skip the details.

8.2 Close enough codewords satisfy the equation

We end this section with the following lemma, which is an analogue of Lemma 4.8 and notes
all message polynomials whose encoding is close enough to the received word satisfy a natural
functional equation. Thus, solving this equation fast is sufficient for FRS list decoding.

Lemma 8.7. Let R = (αi , βi,0 , . . . , βi,s−1 )ni=1 be a received word for a multiplicity code decoder,
(m)
m ≤ s be a parameter, and let Q(x, y0 , y1 , . . . , ym ) ∈ LR be a non-zero polynomial with x-degree
at most D ≤ (n(s − m)/m).
Then, for every polynomial f ∈ F[x] of degree at most d such that its FRS encoding (with fold-
ing parameter s) agrees with R on more than (D+d)/(s−m) values of i, Q(x, f, f (γx), . . . , f (γ m x))
is identically zero.

34
9 Solving the functional equation in nearly-linear time
In this section, we design faster algorithms for solving functional equations of the form

Q (x, f (x), . . . , f (γ m x)) ≡ 0

obtained in Lemma 8.7. Since the degree of Q in y variables is at most 1, we have that the
solution space of all polynomials of degree at most d satisfying the above equation is an affine
space. The following theorem of Guruswami & Wang [GW13] bounds the dimension of this
space by m and outputs a basis efficiently. The main content of the theorem below is that this
basis can be obtained quite fast.

Theorem 9.1. Let F be any field, let γ ∈ F be an element of order greater than d, and let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x) · yi
i=0

be a non-zero polynomial with x-degree at most D. Then, the affine space of polynomials f (x) ∈
F[x] of degree at most d that satisfy

Q (x, f (x), f (γx), . . . , f (γ m x)) ≡ 0

has dimension at most m.

Moreover, there is a deterministic algorithm that when given Q as an input via its coefficient
vector, and the parameter d, performs at most Õ((D + d) poly(m)) field operations and outputs
a basis for this affine space.

Before proceeding further, we set up some notations and conventions that will simplify our
presentation.
Pm
For any polynomial Q(x, y) = Q̃(x) + i=0 Qi (x) · yi that is non-zero, we note that we can
assume without loss of generality that there exists an i such that the constant term of Qi , or
in other words, Qi (0) is non-zero. If this is not the case, that means that for every i, Qi must
be divisible by x, and thus, for a solution of the equation Q(x, f (x), f (γx), . . . , f (γ m x)) ≡ 0 to
exist, it must be the case that Q̃ is also divisible by x. Thus, in this case, we can instead just
work with the polynomial Q/x. Peeling out common factors of x in this way eventually leads us
to the case that at least one of the Qi s has a non-zero constant term. Moreover, this procedure
can be done in linear time in the length of the coefficient vector of Q. Thus, going forward, we
assume that there is at least one i such that Qi (0) is non-zero.
More generally, let BQ ⊆ {0, 1, . . . , m} be the (non-empty) subset of all indices i such that
Pm
Qi (0) is non-zero. Moreover, for a given polynomial Q(x, y) = Q̃(x) + i=0 Qi (x) · yi , we denote
by PQ (z) the univariate polynomial defined as follows.
X
PQ (z) := Qi (0)z i .
i∈BQ

From everything discussed in the previous paragraph, we have that PQ is a non-zero zero poly-

35
nomial of degree max BQ ≤ m. Thus, it has at most m zeros in the field F and in particular, in
the subset {1, γ, γ 2, . . . , γ d } of the field. Let ZQ,k denote the set

ZQ,k := {i : i ∈ {0, 1, . . . , k − 1} such that PQ (γ i ) = 0} .

We now state a result of Guruswami & Wang [GW13] about structure of solutions of the equation
Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0.

Theorem 9.2 ([GW13]). Let k be any natural number, F be any field and γ be an element of
order at least d. Let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x) · yi
i=0

be such that its x-degree is at most D and Qi (0) is non-zero for some i ∈ {0, 1, . . . , m}. Then,
the following are true.
• The set of polynomials f of degree at most (k − 1) that satisfy

Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0 mod xk .

form an affine space of dimension m.

• There is a poly(k, D, m) time algorithm that when given the coefficient vector of Q and
the parameter d as inputs, outputs a basis for this affine space.

The following technical lemma is implicit in the work of Guruswami & Wang, and essentially
drives the proof of their theorem stated above. This also turns out to be crucial to our proof.

Lemma 9.3 (Implicit in [GW13]). Let k be any natural number, F be any field and γ be an
element of order at least d. Let
m
X
Q(x, y0 , . . . , ym ) = Q̃(x) + Qi (x) · yi
i=0

be such that its x-degree is at most D and Qi (0) is non-zero for some i ∈ {0, 1, . . . , m}. Let PQ
and ZQ,k be as defined earlier in this section. Then, the following are true.
• For every polynomial h of degree less than k − 1 that is supported only on monomi-
als xi with i ∈ ZQ,k , there is a unique polynomial f of degree less than k such that
Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0 mod xk and for all i ∈ ZQ,k , the coefficient of xi in h
equals the coefficient of xi in f .
• For every i ∈ ZQ,k , there is a unique polynomial gi (x) of degree less than k, supported
on monomials in the set {xi : i ∈ {0, 1, . . . , d} \ ZQ,k } such that the set {fi : i ∈ ZQ,k } of
polynomials forms a basis of this affine space of solutions, where fi := xi + gi .
• There is a poly(k, D, m) time algorithm that when given the coefficient vector of Q and
the parameter d as inputs, outputs {fi : i ∈ ZQ,k }.

36
 Our main result in this section is an algorithm that improves the running time of the algo-
rithm of Guruswami & Wang in Theorem 9.2 from poly(k, D, m) to Õ((D + k) poly(m)). As in
the fast list decoder for solving differential equations in section 5, our algorithm proceeds via
divide and conquer.
The following technical lemma provides the set up for the algorithm based on the divide and
conquer paradigm.

Lemma 9.4. Let k be any natural number, F be any field and γ be an element of order at least
Pm
d. Let Q(x, y0 , . . . , ym ) = Q̃(x)+ i=0 Qi (x)·yi be such that its x-degree is at most D and Qi (0)
is non-zero for some i ∈ {0, 1, . . . , m}. Let PQ and ZQ,k be as defined earlier in this section. Let
f (x) be a polynomial of degree at most k−1 that is a solution of Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0
mod xk , and let ℓ ∈ {0, 1, . . . , k − 1} be any natural number.
Then, there exist polynomials h(x), g(x) of degree less than ℓ and k − ℓ respectively, satisfying
f = h(x) + xℓ · g(x) such that the following are true.
• h is the unique solution of

Q(x, h(x), h(γx) . . . , h(γ m x)) ≡ 0 mod xℓ

that has the same coefficient as f on all monomials xi , with i ∈ {0, 1, . . . , ℓ − 1} ∩ ZQ,k .
• g is the unique solution of
m
X
x−ℓ Q (x, h(x), h(γx) . . . , h(γ m x)) + γ jℓ Qj (x) · g(γ j x) ≡ 0 mod xk−ℓ
j=0

such that for all i ∈ {ℓ, ℓ + 1, . . . , k − 1} ∩ ZQ,k , the coefficient of xi−ℓ in g equals the
coefficient of xi in f .

Proof. We set h to be the unique polynomial of degree than ℓ that agrees with f on all monomials
of degree less than ℓ and we define g to be equal to x−ℓ (f − h). Since f and h agree on all
monomials of degree less than ℓ, (f − h) is divisible by xℓ and g as defined here is indeed a
polynomial and has degree less than k − ℓ. In the rest of this proof we argue that these g, h
have the properties stated in the lemma.

Properties of h: Since Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0 mod xk , and ℓ < k, we have
that Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0 mod xℓ . Now, substituting f by h + xℓ g, we get that h
must satisfy Q(x, h(x), f (γx) . . . , h(γ m x)) ≡ 0 mod xℓ . By definition, f and h have the same
coefficient for all monomials of degree less than ℓ and in particular for all monomials xi where
i ∈ {0, 1, . . . , ℓ − 1} ∩ ZQ,k . Furthermore, from the first item in Lemma 9.3, we have that once
we fix the coefficients for monomials with degree i in {0, 1, . . . , ℓ − 1} ∩ ZQ,k , the solution is
unique. This completes the proof of the first item.

37
Properties of g: From Q(x, f (x), f (γx) . . . , f (γ m x)) ≡ 0 mod xk and f = h + xℓ · g, we
get


Q x, h(x) + xℓ · g(x), . . . , h(γ m x) + (γ m x)ℓ · g(γ m x) ≡ 0 mod xk
m
X

Q̃(x) + Qj (x) · h(γ j x) + (γ j x)ℓ · g(γ j x) ≡ 0 mod xk
j=0
m
X

Q (x, h(x), h(γx) . . . , h(γ m x)) + Qj (x) · (γ j x)ℓ · g(γ j x) ≡ 0 mod xk
j=0
 
m
X

Q (x, h(x), h(γx) . . . , h(γ m x)) + xℓ ·  Qj (x) · (γ j )ℓ · g(γ j x)  ≡ 0 mod xk
j=0
 
Xm
Q (x, h(x), h(γx) . . . , h(γ m x)) + xℓ ·  γ jℓ · Qj (x) · g(γ j x) ≡ 0 mod xk .
j=0

Now, since h satisfies Q (x, h(x), h(γx) . . . , h(γ m x)) ≡ 0 mod xℓ , we have that the polynomial
Q (x, h(x), h(γx) . . . , h(γ m x)) is divisible by xℓ . Thus, g must satisfy
m
X
x−ℓ · Q (x, h(x), h(γx) . . . , h(γ m x)) + γ jℓ · Qj (x) · g(γ j x) ≡ 0 mod xk−ℓ .
j=0

Clearly from its definition, for every i ∈ {ℓ, ℓ + 1, . . . , k − 1} ∩ ZQ,k , the coefficient of xi−ℓ in g
equals the coefficient of xi in f . To complete the proof of the lemma, it suffices to show that
there is a unique solution of the above function equation that satisfies this. Let Q̂(x, y) denote
Pm
the polynomial x−ℓ · Q (x, h(x), f (γx) . . . , h(γ m x)) + j=0 γ jℓ · Qj (x) · yj . Then, we have that
set BQ equals the set BQ̂ . To argue the uniqueness condition, it suffices to show that the set
ZQ̂,k−ℓ is a subset of {i − ℓ : i ∈ {ℓ, ℓ + 1, . . . , k − 1} ∩ ZQ,k }. From the structure of Q̂, we have
that
X
PQ̂ (z) = Qj (0)γ jℓ z j .
j∈BQ

Thus, for any i ∈ N, we have

X
PQ̂ (γ i ) = Qj (0)γ (ℓ+i)j .
j∈BQ

Thus, γ i is a root of PQ̂ (z) if and only if γ ℓ+i is a root of PQ (z). Now, since the order of γ
exceeds k, we get that ZQ̂,k−ℓ equals {i − ℓ : i ∈ {ℓ, ℓ + 1, . . . , k − 1}} ∩ ZQ,k . Therefore, from the
first item in Lemma 9.3, we have that once we fix the coefficients of monomials with degrees in
ZQ̂,k−ℓ , the solution to Q̂(x, g(x), . . . , g(γ m x)) ≡ 0 mod xk−ℓ is unique, and g as defined above
is that unique solution by its definition.
This completes the proof of the lemma.

We are now ready to describe and analyse our algorithm. We first describe the recursive

38
subroutine that we use and then the main algorithm that invod.

9.1 Algorithm for solving Q(x, f (x), . . . , f (γ mx)) ≡ 0

Algorithm 4: FuncRSolveQ (Solving Q(x, f (x), . . . , f (γ m x)) ≡ 0 recursively)

Input: (Q(x, y), k, t), where Q(x, y) ∈ F[x, y] is polynomials with
P
Q(x, y) = Q̃(x) + m i=0 Qi (x) · yi with Qm (0) 6= 0, x-degree D, natural
numbers k, t with either t ∈ {0, 1, . . . , k − 1} ∩ ZQ,k or t = −1. γ ∈ F is an
element of order at least k.
Output: The unique polynomial f (x) ∈ F[x] of degree less than k supported on the
set {xi : i ∈ {0, 1, . . . , k − 1} \ ZQ,k } ∪ {xt } of monomials such that the
coefficient of xt in f is one if t ≥ 0 and zero if t < 0 and f satisfies
Q(x, f (x), . . . , f (γ m x)) ≡ 0 mod xk .

1 Set ℓ ← ⌊k/2⌋ ;
2 if k = 1 then
3 if 0 ∈
/ ZQ,1 then P 
4 return −Q̃(0)/ i∈BQ Qi (0) ;
5 else
6 if t 6= 0 then return 0 else return 1;
7 else
8 if t < ℓ then
9 Run FuncRSolveQ (algorithm 4) on inputs (Q, ℓ, t) to obtain the polynomial
h(x);  
10 Run FuncRSolveQ (algorithm 4) on inputs Q̂, k − ℓ, −1 to obtain the
polynomial g(x) where
Pm
Q̂(x, y) := x−ℓ · Q (x, h(x), h(γx) . . . , h(γ m x)) + j=0 γ jℓ · Qj (x) · yj ;
11 else
12 Run FuncRSolveQ (algorithm 4) on inputs (Q, ℓ, −1) to obtain polynomial h(x);
 
13 Run FuncRSolveQ (algorithm 4) on inputs Q̂, k − ℓ, t − ℓ to obtain the
polynomial g(x) where
Pm
Q̂(x, y) := x−ℓ · Q (x, h(x), h(γx) . . . , h(γ m x)) + j=0 γ jℓ · Qj (x) · yj ;
14 return h(x) + xℓ · g(x).

39
 Algorithm 5: FuncSolveQ (Solving Q(x, f (x), . . . , f (γ m x)) ≡ 0)
Input: (Q(x, y), k), where Q(x, y) ∈ F[x, y] is polynomials with
Pm
Q(x, y) = Q̃(x) + i=0 Qi (x) · yi with Qi (0) 6= 0 for some i ∈ {0, 1, . . . , m},
x-degree D, k is a natural number and γ ∈ F is an element of order at least k.
Output: A basis for the affine space of solutions of degree at most d of
Q(x, f (x), . . . , f (γ m x)) ≡ 0 mod xk .

1 for t ∈ ZQ,d ∪ {−1} do

2 Run FuncRSolveQ (algorithm 4) on inputs (Q, d, t) to obtain polynomial ft (x);
3 return f−1 , f0 , f1 , . . . , fm−1 .
The time complexity of FuncSolveQ (algorithm 5) is clearly dominated by the time complex-
ity of the m recursive calls to FuncRSolveQ (algorithm 4), which in-turn is a divide and conquer
algorithm, where the preprocessing and post-processing cost are both at most Õ((D+k) poly(m))
field operations, and thus the overall cost is also at most Õ((D + k) poly(m)).
The correctness of FuncRSolveQ (algorithm 4) follows from the second and the third item
of Lemma 9.4 and the correctness of FuncSolveQ (algorithm 5) follows from the correctness of
FuncRSolveQ (algorithm 4) and the first two items of Lemma 9.3.
We summarise these claims in the following lemma, but skip the formal proof.

Lemma 9.5 (Time complexity of FuncSolveQ). FuncSolveQ (algorithm 5) requires at most

Õ((D + k) poly(m)) many field operations in the worst case, and correctly outputs a basis for
the solution space of degree d polynomials f satisfying Q(x, f (x), . . . , f (γ m x)) ≡ 0.

Given the results in section 8 and section 9, it is fairly straightforward to combine them
(precisely along the lines of the proof of Theorem 2.1) to get Theorem 1.4. We note that while
Theorem 6.1 is stated for multiplicity codes, it also holds with the same parameters in a more
general sense, and in particular for FRS codes. We skip the details.

10 Fast decoding up to the Johnson radius

In this section, we discuss the main ideas in the proof of Theorem 1.5. In particular, this yields
a nearly-linear-time implementation of Nielsen’s algorithm [Nie01] for list decoding univariate
multiplicity up to the Johnson radius. The outline of the algorithm is again similar to the poly-
nomial method arguments for decoding Reed-Solomon codes due to Sudan [Sud97]. The main
difference between this algorithm and that in the proof of Theorem 1.3 is that we interpolate
a bivariate polynomial and not an (m + 2)-variate polynomial. As a consequence, the error
tolerance of the algorithm is low, and we can only decode upto the Johnson radius. One advan-
tage though is that this works for all multiplicities and not just large enough multiplicities as in
Theorem 1.3. Another technical difference is that we only have to solve a bivariate polynomial
equation here to recover all the low-degree roots of it. In particular, we do not need to work with
differential equations. While the proof is written for univariate multiplicity codes, we remark
at the end of the section how the exact same proof works also for folded-RS codes (in fact, any
polynomial ideal code).

40
 The main steps of the algorithm involve constructing a bivariate polynomial that explains
the received word, showing that all close enough codewords satisfy a polynomial equation based
on the interpolated bivariate polynomial, and solving these equations to obtain a list of all close
enough codewords. We use an algorithm of Roth & Ruckenstein [RR00] and Alekhnovich [Ale05]
in a blackbox way to solve the equations that appear in this algorithm and our novelty is in
constructing the interpolating polynomial in nearly-linear time. The main differences between
our algorithm and that of of Alekhnovich [Ale05] are in the precise definition of lattices that we
work with, and use of Minkoswki’s theorem to demonstrate the existence of a short vector in
the lattice.
Now, we describe the details of the interpolation step.

10.1 Proof of Theorem 1.5

The algorithm will proceed broadly as follows. We first find a low-degree “explanation” bivariate
polynomial Q for the received word. We then show that Q(x, f (x)) is identically zero for any
polynomial f whose encoding is “close” to the received word. Then, the list-decoding problem
reduces to finding factors of Q of the form y − f (x).
Let R = (αi , βi (x))ni=1 be a received word7 . To define our notion of an “interpolation”
polynomial, first we lay out an interpolating polynomial for the received word as it is.
Let A(x) be the unique univariate polynomial of degree less than ns in F[x] such that for
every i ∈ {1, 2, . . . , n},

A(x) = βi (x) mod (x − αi )s . (10.1)

The problem of finding A efficiently is nothing but fast Chinese Remainder Algorithm, which
has a nearly-linear-time algorithm (essentially the same argument as Theorem 4.4).

Proposition 10.2 ([GG13, Algorithm 10.22]). The interpolating polynomial A can be found in
time (Õ(ns)).

Let r ∈ N be a positive integer (that we will fix later). Now, we want a Q of (1, d)-weighted
degree at most some D, that satisfies the following.

(x − αi )s·r | Q(x, A(x)) , ∀ i ∈ {1, 2, . . . , n} .

A natural space to look for such a Q is in the F[x]-linear span of polynomials (y − A(x))j ·
Qn s·(r−j)
i=1 (x − αi ) for j ∈ {0, 1, . . . , r}. For reasons that will become clear later, we will search
in a slightly larger space8 . More formally, we consider the following lattice.
Definition 10.3. Let R = (αi , βi (x))ni=1 be a received word for a multiplicity code decoder.
(r,u)
For two positive integers r ≤ u, let LR be the u-dimensional lattice defined as the F[x]-span
7
This algorithm works for all characteristics. For this reason, we work with the ideal-theoretic definition of
multiplicity codes given in Footnote 2
8
The choice of this larger space is inspired by a similar lattice construction due to Coppersmith [Cop97] in the
context of finding small integer solutions to polynomial equations.

41
of the polynomial vectors B0 , B1 , . . . , Bu defined as follows:

(y − A(x))j · Qn (x − α )s·(r−j) , if 0 ≤ j ≤ r,
i=1 i
Bj (x, y) :=
(y − A(x))j , if r < j ≤ u .

or equivalently
 
Xr n
Y u
X 
(r,u)
LR := gj (x)(y − A(x))j (x − αi )s·(r−j) + gj (x)(y − A(x))j : g0 , g1 , . . . , gu ∈ F[x] .y
 
j=0 i=1 j=r+1

p
We will eventually be setting u ≈ r · ns/d, more precisely we set u such that nsr(r + 1)/(u +
p
1) = du which would imply that the degree D is bounded above by nsdr(r + 1). We now
state the main theorem of this section.

Theorem 10.4. Let R = (αi , βi (x))ni=1 be a received word for a multiplicity code decoder. Let
A be a univariate polynomial of degree at most ns in F[x] such that for every i ∈ {1, 2, . . . , n},
A(x) = βi (x) mod (x − αi )s .
Then, for positive integers
 r ≤ u, there exists a non-zero polynomial Q(x, y), with (1, d)-
(r,u)
weighted degree D ≤ 21 nsr(r+1)
u+1 + du such that Q(x, y) ∈ LR .
Moreover, there is a deterministic algorithm that when given R as input, runs in time Õ(ns ·
poly(u, ns/d)) and outputs such a polynomial Q as a list of coefficients.

The proof proceeds along the lines of Alekhnovich’s proof. We first use Minkowski’s theorem
Theorem 3.9 to show that there exists a non-zero polynomial with small (1, d)-weighted degree
and then use Alekhnovich’s algorithm (Theorem 3.10) to compute this polynomial.
The following proposition shows the existence of a non-zero polynomial of low (1, d)-weighted
degree in the lattice.
(r,u)
Proposition 10.5. Let LR be the lattice constructed as in Definition 10.3 for some received
(r,u)
word R and parameters r ≤ u. Thenthere exists a non-zero polynomial Q in the lattice LR
with (1, d)-weighted degree at most 21 nsr(r+1)
u+1 + du .

(r,u)
Proof. It will be convenient to work with the (u + 1)-dimensional lattice LbR spanned by the
following (u + 1) polynomial vectors.

(y · xd − A(x))j · Qn (x − α )s·(r−j) , if 0 ≤ j ≤ r,
i=1 i
B̂j (x, y) := (10.6)
(y · xd − A(x))j , if r < j ≤ u .

(r,u)
There is a natural 1-1 correspondence between the polynomials in the two lattices LR and
b(r,u) d b(r,u)
LR given by y ←→ y · x . Clearly, the non-zero polynomial in LR with smallest x-degree
(r,u)
corresponds to the non-zero polynomial in LR with smallest (1, d)-weighted  degree. We now 
b(r,u) 1 nsr(r+1)
show that there exists a non-zero polynomial Q̂ ∈ LR with x-degree at most 2 u+1 + du
which by the above correspondence implies that
 there is a non-zero
 polynomial Q in the lattice
(r,u)
LR with (1, d)-weighted degree at most 21 nsr(r+1)
u+1 + du . We note that while we have been

42
viewing polynomials in the lattice as bivariate polynomials, we can equivalently view any such
polynomial Q̂ as an (u + 1)-dimensional column vector with entries in the ring F[x], where
the coordinates are labelled (0, 1, . . . , u) and for j ≤ u, the j th coordinate corresponds to the
Pu
coefficient of y j in the polynomial Q̂. For instance, if Q̂(x, y) = j
j=0 qj (x) · y , then this
corresponds to the transpose of (q0 , q1 , . . . , qu ). Moreover, we note that the vectors corresponding
(r,u) Qn
to the generators of the lattice LbR , namely the polynomials (y ·xd −A(x))j · i=1 (x−αi )s·(r−j)
for 0 ≤ j ≤ r and (y · xd − A(x))j for r < j ≤ u form a lower triangular matrix with non-zero
(r,u)
diagonal entries, and hence are linearly independent over F(x). In other words, the lattice LbR
is full rank. We also know the diagonal entries precisely, the x-degree of the j th diagonal entry is
exactly ns(r − j) + dj for 0 ≤ j ≤ r and dj for r < j ≤ u. Hence, the determinant of this matrix
is a polynomial of degree at most (in fact, it is equal to) nsr(r + 1)/2 + du(u + 1)/2. From
Minkowski’s Theorem (Theorem 3.9), we have that there is a non-zero vector Q̂(x, y)in the
(r,u)
(u + 1)-dimensional lattice LbR with every entry of degree at most 1/2 nsr(r+1) u+1 + du . The
(r,u)
corresponding
 non-zero polynomial
 Q(x, y) in the lattice LR then has (1, d)-weighted degree
nsr(r+1)
at most /2
1
u+1 + du .

We are now ready to prove the main theorem of the section.

Proof of Theorem 10.4. The existence of a non-zero Q with small (1, d)-weighted degree follows
from Proposition 10.5. We can then invoke Alekhnovich’s algorithm (Theorem 3.10) on the set
(r,u)
of generators Bˆ0 , B̂1 , . . . , Bˆu for the lattice LbR (as given by (10.6)) to construct the non-zero
Q̂ of least x-degree in time Õ(nsr · poly(u)). Here, we use the fact that the lattice is given
by (u + 1) vectors in dimensions (u + 1) over the ring F[x] and each entry of the vectors is
a polynomial of degree at most nsr. The corresponding non-zero polynomial Q in the lattice
(r,u)
LR has the least  (1, d)-weighted degree which by the first part of the theorem is at most
1/2 nsr(r+1) + du .
u+1

It remains to be shown that codewords f close to the received word cause Q(x, f (x)) to be
identically zero and we do this in the next lemma.

Lemma 10.7. Let R = (αi , βi (x))ni=1 be a received word for a multiplicity code decoder, and
(r,u)
let Q(x, y) ∈ LR be a non-zero polynomial with (1, d)-weighted degree at most D for some
positive integers r ≤ u.
Then, for every polynomial f ∈ F[x] of degree at most d such that Mults,~α (f ) agrees with R
on more than D/s · r values of i, Q(x, f (x)) is identically zero.

Proof. Define P (x) := Q(x, f (x)). Since Q(x, y) has (1, d)-weighted degree at most D and f
has degree d, P (x) must have x-degree at most D.
We first show that for every point (αi , βi (x)) of agreement between the received word R and
Mults,~α (f ), we have (x − αi )s·r divides Q(x, f (x)). To see this, first notice that A(x) = βi (x)
mod (x − αi )2 as well as f (x) = βi (x) mod (x − αi )s and hence, (x − αi )s divides (f (x) − A(x)).
′ Qn ′
Hence, (x − αi )s(j+j ) divides (f (x) − A(x))j · i=1 (x − αi )s·j for any pair of non-negative
integers j and j ′ . Hence, (x − αi )sr divides Bj (x, f (x)) for each basis vector Bj of the lattice
(r,u) P
LR . Since Q(x, f (x)) = gj (x) · Bj (x, f (x)) we have that (x − αi )sr divides Q(x, f (x)).

43
 Thus, if R and Mults,~α (f ) have at least t > D/rs agreement points, then P has a total of
t · rs > D zeros (counting multiplicities). However, from earlier, P has degree at most D, so it
must be identically zero.

Then, the final step is to find factors of Q(x, y), which are of the form (y − f (x)). For this,
we invoke an algorithm of Roth & Ruckenstein [RR00] and Alekhnovich [Ale05].
Theorem 10.8 ([RR00], [Ale05, Theorem 1.2]). There is a deterministic algorithm that given
a bivariate polynomial Q(x, y) finds all polynomials f (x) such that Q(x, f (x)) ≡ 0 in time
Õ(D · poly(ℓ)), where D is the x-degree of Q and ℓ is the y-degree of Q.
The proof of Theorem 1.5 now immediately follows from a combination of Theorem 10.4,
Lemma 10.7 and Theorem 10.8 by setting r, u such that u(u + 1) = r(r + 1)ns/d and r = O(1/ε).
We skip the details.
This proof verbatim extends for any polynomial ideal code [BHKS24b]. A polynomial ideal
code is specified by a family of n univariate monic polynomials E1 , E2 , . . . , En of degree exactly
n
s and the n-symbol encoding of a polynomial f ∈ F≤d [x] is specified by (f (x) mod Ei (x))i=1 . A
polynomial ideal code is thus a common generalization of Reed-Solomon codes (Ei (x) = (x−αi )),
Qs−1
folded-RS codes (Ei (x) = j=0 (x−γ j αi )) and univariate multiplicity codes (Ei (x) = (x−αi )s ).
The only difference in the proof is replacing (10.1) by A(x) = βi (x) mod Ei (x).

Acknowledgements
Some of the discussions of the second and the third authors leading up to this work happened
while they were visiting the Homi Bhabha Center for Science Education (HBCSE), Mumbai.
We are thankful to Arnab Bhattacharya and the HBCSE staff for their warm and generous
hospitality and for providing an inviting and conducive atmosphere for these discussions.
We are also thankful to Madhu Sudan for comments and suggestions on an earlier draft
of the paper that helped improve the writing. We thank Noga Ron-Zewi for bringing to our
attention the work on nearly-linear-time list-decoding algorithms for certain families of tensor-
product codes [HRW20, KRRSS21]. We thank Swastik Kopparty for many helpful discussions
on the theme of list decoding over the years, and in particular, for patiently answering our many
questions related to the results in [HRW20, KRRSS21].
Finally, we are thankful to the anonymous reviewers at STOC 2024, whose comments were
helpful in cleaning up parts of the presentation of the paper.

References
[AEL95] Noga Alon, Jeff Edmonds, and Michael Luby. Linear time erasure codes
with nearly optimal recovery. In Prabhakar Raghavan, ed., Proc. 36th IEEE
Symp. on Foundations of Comp. Science (FOCS), pages 512–519. 1995.
(Referenced on page 8.)

[AGL23] Omar Alrabiah, Venkatesan Guruswami, and Ray Li. Randomly punctured
Reed-Solomon codes achieve list-decoding capacity over linear-sized fields, 2023.

44
 (manuscript). arXiv:2304.09445, eccc:2023/TR23-125.
(Referenced on page 4.)

[AK91] Sergei A. Abramov and K. Yu. Kvashenko. Fast algorithms to search for
the rational solutions of linear differential equations with polynomial coefficients.
In Stephen M. Watt, ed., Proc. International Symp. Symbolic and Algebraic
Computation (ISSAC), pages 267–270. ACM, 1991.
(Referenced on page 7.)

[AL96] Noga Alon and Michael Luby. A linear time erasure-resilient code with nearly
optimal recovery. IEEE Trans. Inform. Theory, 42(6):1732–1736, 1996. (Preliminary
version in 36th FOCS, 1995).
(Referenced on page 8.)

[Ale05] Michael Alekhnovich. Linear Diophantine equations over polynomials and soft
decoding of reed-solomon codes. IEEE Trans. Inform. Theory, 51(7):2257–2265,
2005. (Preliminary version in 43rd FOCS, 2002).
(Referenced on pages 4, 6, 8, 11, 14, 15, 16, 19, 41, and 44.)

[BCS05] Alin Bostan, Thomas Cluzeau, and Bruno Salvy. Fast algorithms for poly-
nomial solutions of linear differential equations. In Manuel Kauers, ed., Proc.
International Symp. Symbolic and Algebraic Computation (ISSAC), pages 45–52.
ACM, 2005.
(Referenced on page 7.)

[Ber67] Elwyn R. Berlekamp. Nonbinary BCH decoding. In Proc. IEEE International

Symposium on Information Theory (ISIT). 1967.
(Referenced on pages 4 and 8.)

[BHKS24a] Siddharth Bhandari, Prahladh Harsha, Mrinal Kumar, and Madhu Su-
dan. Decoding multivariate multiplicity codes over product sets. IEEE Trans. In-
form. Theory, 70(1):154–169, 2024. (Preliminary version in 53rd STOC, 2021).
arXiv:2012.01530, eccc:2020/TR20-179.
(Referenced on pages 16 and 19.)

[BHKS24b] ———. Ideal-theoretic explanation of capacity-achieving decoding. IEEE Trans.

Inform. Theory, 70(2):1107–1123, 2024. (Preliminary version in 25th RANDOM,
2021). arXiv:2103.07930, eccc:2021/TR21-036.
(Referenced on pages 5, 19, and 44.)

[Cop97] Don Coppersmith. Small solutions to polynomial equations, and low exponent
RSA vulnerabilities. J. Cryptol., 10(4):233–260, 1997. (Preliminary version in
EUROCRYPT, 1996).
(Referenced on pages 19 and 41.)

[GG13] Joachim von zur Gathen and Jürgen Gerhard. Modern Computer Algebra.
Cambridge University Press, 3 edition, 2013.
(Referenced on pages 17, 22, 33, and 41.)

[GI03] Venkatesan Guruswami and Piotr Indyk. Linear time encodable and list de-
codable codes. In Lawrence L. Larmore and Michel X. Goemans, eds., Proc.

45
 35th ACM Symp. on Theory of Computing (STOC), pages 126–135. 2003.
(Referenced on page 8.)

[GR08] Venkatesan Guruswami and Atri Rudra. Explicit codes achieving list de-
coding capacity: Error-correction with optimal redundancy. IEEE Trans. In-
form. Theory, 54(1):135–150, 2008. (Preliminary version in 38th STOC, 2006).
arXiv:cs/0511072, eccc:2005/TR05-133.
(Referenced on pages 4, 5, 8, and 19.)

[GS99] Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed–

Solomon and algebraic-geometry codes. IEEE Trans. Inform. Theory, 45(6):1757–
1767, 1999. (Preliminary version in 39th FOCS, 1998). eccc:1998/TR98-043.
(Referenced on pages 4, 8, and 19.)

[GW13] Venkatesan Guruswami and Carol Wang. Linear-algebraic list decoding for
variants of Reed-Solomon codes. IEEE Trans. Inform. Theory, 59(6):3257–3268,
2013. (Preliminary version in 26th IEEE Conference on Computational Complexity,
2011 and 15th RANDOM, 2011). eccc:2012/TR12-073.
(Referenced on pages 4, 5, 8, 9, 16, 19, 20, 22, 32, 35, and 36.)

[HRW20] Brett Hemenway, Noga Ron-Zewi, and Mary Wootters. Local list recovery
of high-rate tensor codes and applications. SIAM J. Comput., 49(4), 2020. (Pre-
liminary version in 58th FOCS, 2017). arXiv:1706.03383, eccc:2017/TR17-104.
(Referenced on pages 8 and 44.)

[Kop14] Swastik Kopparty. Some remarks on multiplicity codes. In Alexander

Barg and Oleg R. Musin, eds., Discrete Geometry and Algebraic Combina-
torics, volume 625 of Contemporary Mathematics, pages 155–176. AMS, 2014.
arXiv:1505.07547.
(Referenced on pages 6 and 19.)

[Kop15] ———. List-decoding multiplicity codes. Theory of Computing, 11:149–182, 2015.

eccc:2012/TR12-044.
(Referenced on pages 4, 5, and 8.)

[Kra03] Victor Yu. Krachkovsky. Reed-Solomon codes for correcting phased error
bursts. IEEE Trans. Inform. Theory, 49(11):2975–2984, 2003.
(Referenced on pages 4 and 5.)

[KRRSS21] Swastik Kopparty, Nicolas Resch, Noga Ron-Zewi, Shubhangi Saraf,

and Shashwat Silas. On list recovery of high-rate tensor codes. IEEE Trans. In-
form. Theory, 67(1):296–316, 2021. (Preliminary version in 23rd RANDOM, 2019).
eccc:2019/TR19-080.
(Referenced on pages 8, 9, and 44.)

[KRSW18] Swastik Kopparty, Noga Ron-Zewi, Shubhangi Saraf, and Mary Woot-
ters. Improved decoding of Folded Reed-Solomon and Multiplicity codes. In
Mikkel Thorup, ed., Proc. 59th IEEE Symp. on Foundations of Comp. Science
(FOCS), pages 212–223. 2018. arXiv:1805.01498, eccc:2018/TR18-091.
(Referenced on page 9.)

46
[KRSW23] ———. Improved list decoding of Folded Reed-Solomon and Multiplicity codes.
SIAM J. Comput., 52(3):794–840, 2023. (Preliminary version in 59th FOCS, 2018).
arXiv:1805.01498, eccc:2018/TR18-091.
(Referenced on pages 4, 5, 6, 8, 9, 10, 30, and 31.)

[KSY14] Swastik Kopparty, Shubhangi Saraf, and Sergey Yekhanin. High-rate codes
with sublinear-time decoding. J. ACM, 61(5):28:1–28:20, 2014. (Preliminary version
in 43rd STOC, 2011). eccc:2010/TR10-148.
(Referenced on page 5.)

[Kun74] Hsiang-Tsung Kung. On computing reciprocals of power series. Numer. Math.,

22(5):341–348, 1974.
(Referenced on page 11.)

[Mas69] James L. Massey. Shift-register synthesis and BCH decoding. IEEE Trans. Inform.
Theory, 15(1):122–127, 1969.
(Referenced on pages 4 and 8.)

[Nie01] Rasmus Refslund Nielsen. List decoding of linear block codes. Ph.D. thesis,
Technical University of Denmark, 2001.
(Referenced on pages 5 and 40.)

[PV05] Farzad Parvaresh and Alexander Vardy. Correcting errors beyond the Gu-
ruswami-Sudan radius in polynomial time. In Éva Tardos, ed., Proc. 46th IEEE
Symp. on Foundations of Comp. Science (FOCS), pages 285–294. 2005.
(Referenced on page 4.)

[RR00] Ron M. Roth and Gitit Ruckenstein. Efficient decoding of Reed-Solomon

codes beyond half the minimum distance. IEEE Trans. Inform. Theory, 46(1):246–
257, 2000.
(Referenced on pages 11, 41, and 44.)

[RSTW78] Irving S. Reed, Robert A. Scholtz, Trieu-Kien Truong, and Lloyd R.

Welch. The fast decoding of Reed-Solomon codes using Fermat theoretic trans-
forms and continued fractions. IEEE Trans. Inform. Theory, 24(1):100–106, 1978.
(Referenced on pages 4 and 8.)

[RT97] M. Yu Rosenbloom and Michael Anatolévich Tsfasman. Коды для

m-метрики (Russian) [Codes for the m-metric] . Probl. Peredachi Inf., 33(1):55–63,
1997. (English translation in Problems Inform. Transmission, 33(1):45–52, 1997).
(Referenced on page 5.)

[Sie72] Malte Sieveking. An algorithm for division of powerseries. Computing, 10(1-

2):153–156, 1972.
(Referenced on page 11.)

[Sin91] Michael F. Singer. Liouvillian solutions of linear differential equations with

Liouvillian coefficients. J. Symb. Comput., 11(3):251–273, 1991. (Preliminary
version in 3rd Computers and Mathematics 1989).
(Referenced on page 7.)

47
[SS96] Michael Sipser and Daniel A. Spielman. Expander codes. IEEE Trans. Inform.
Theory, 42(6):1710–1722, November 1996. (Preliminary version in 35th FOCS,
1994).
(Referenced on page 8.)

[ST23] Chong Shangguan and Itzhak Tamo. Generalized Singleton bound and
list-decoding Reed-Solomon codes beyond the Johnson radius. SIAM J. Com-
put., 52(3):684–717, 2023. (Preliminary version in 52nd STOC, 2020).
arXiv:1911.01502.
(Referenced on page 4.)

[Sud97] Madhu Sudan. Decoding of Reed-Solomon codes beyond the error-correction

bound . J. Complexity, 13(1):180–193, 1997. (Preliminary version in 37th FOCS,
1996).
(Referenced on pages 4, 19, and 40.)

[Tam23] Itzhak Tamo. Tighter list-size bounds for list-decoding and recovery of folded
Reed-Solomon and multiplicity codes, 2023. (manuscript). arXiv:2312.17097.
(Referenced on pages 8, 9, 10, 30, and 31.)

48