Complexity of Decoding Positive-Rate Reed-Solomon Codes
The complexity of maximal likelihood decoding of the Reed-Solomon codes $[q-1, k]_q$ is a well known open problem. The only known result in this direction states that it is at least as hard as the discrete logarithm in some cases where the informatio…
Authors: Qi Cheng, Daqing Wan
Qi Cheng (School of Computer Science, The University of Oklahoma, Norman, OK 73019; qcheng@cs.ou.edu) and Daqing Wan (Department of Mathematics, University of California, Irvine, CA 92697-3875; dwan@math.uci.edu)

Abstract. The complexity of maximal likelihood decoding of the Reed-Solomon codes $[q-1, k]_q$ is a well known open problem. The only known result [4] in this direction states that it is at least as hard as the discrete logarithm in some cases where the information rate unfortunately goes to zero. In this paper, we remove the rate restriction and prove that the same complexity result holds for any positive information rate. In particular, this resolves an open problem left in [4], and rules out the possibility of a polynomial time algorithm for the maximal likelihood decoding problem of Reed-Solomon codes of any rate under a well known cryptographical hardness assumption. As a side result, we give an explicit construction of Hamming balls of radius bounded away from the minimum distance which contain exponentially many codewords for Reed-Solomon codes of any positive rate less than one. The previous constructions in [2][7] only apply to Reed-Solomon codes of diminishing rates. We also give an explicit construction of Hamming balls of relative radius less than 1 which contain subexponentially many codewords for Reed-Solomon codes of rate approaching one.

1 Introduction

Let $\mathbb{F}_q$ be a finite field of $q$ elements and of characteristic $p$. A linear error-correcting $[n, k]_q$ code is defined to be a linear subspace of dimension $k$ in $\mathbb{F}_q^n$. Let $D = \{x_1, \cdots, x_n\} \subseteq \mathbb{F}_q$ be a subset of cardinality $|D| = n > 0$.
For $1 \le k \le n$, let $f$ run over all polynomials in $\mathbb{F}_q[x]$ of degree at most $k - 1$; the vectors of the form $(f(x_1), \cdots, f(x_n)) \in \mathbb{F}_q^n$ constitute a linear error-correcting $[n, k]_q$ code. If $D = \mathbb{F}_q^*$, it is famously known as the Reed-Solomon code. If $D = \mathbb{F}_q$, it is known as the extended Reed-Solomon code. We denote them by $RS_q[q-1, k]$ and $RS_q[q, k]$ respectively. We simply call it a generalized Reed-Solomon code if $D$ is an arbitrary subset of $\mathbb{F}_q$.

Remark 1. In some coding theory literature, $RS_q[q-1, k]$ is called the primitive Reed-Solomon code, and a generalized Reed-Solomon code $[n, k]_q$ is defined to be $\{(y_1 f(x_1), \cdots, y_n f(x_n)) \mid f \in \mathbb{F}_q[x], \deg(f) < k\}$, where $y_1, y_2, \cdots, y_n$ are nonzero elements in $\mathbb{F}_q$.

The minimal distance of a generalized Reed-Solomon $[n, k]_q$ code is $n - k + 1$ because a non-zero polynomial of degree at most $k - 1$ has at most $k - 1$ zeroes. The ultimate decoding problem for an error-correcting $[n, k]_q$ code is the maximal likelihood decoding: given a received word $u \in \mathbb{F}_q^n$, find a codeword $v$ such that the Hamming distance $d(u, v)$ is minimal. When the number of errors is reasonably small, say, smaller than $n - \sqrt{nk}$, the list decoding algorithm of Guruswami-Sudan [8] gives a polynomial time algorithm to find all the codewords for the generalized Reed-Solomon $[n, k]_q$ code. When the number of errors increases beyond $n - \sqrt{nk}$, it is not known whether there exists a polynomial time decoding algorithm. The maximal likelihood decoding of a generalized Reed-Solomon $[n, k]_q$ code is known to be NP-complete [6]. The difficulty is caused by the combinatorial complication of the subset $D$ with no structure.
In fact, there is a straightforward way to reduce the subset sum problem in $D$ to the deep hole problem of a generalized Reed-Solomon code, which can then be reduced to the maximal likelihood decoding problem [3]. Note that the subset sum problem for $D \subseteq \mathbb{F}_q$ is hard only if $|D|$ is much smaller than $q$. In practical applications, one rarely uses the case of an arbitrary subset $D$. The most widely used case is $D = \mathbb{F}_q^*$, which has rich algebraic structure. This case is essentially equivalent to the case $D = \mathbb{F}_q$. For simplicity, we focus on the extended Reed-Solomon code $RS_q[q, k]$ in this paper; all our results can be applied to the Reed-Solomon code $RS_q[q-1, k]$ with little modification.

The maximal likelihood decoding problem of $RS_q[q, k]$ is considered to be hard, but the attempts to prove its NP-completeness have failed so far. The methods in [6][3] cannot be specialized to $RS_q[q, k]$ because we have lost the freedom to select $D$. The only known complexity result [4] in this direction says that the decoding of $RS_q[q, k]$ is at least as hard as the discrete logarithm in $\mathbb{F}_{q^h}^*$ for $h$ satisfying
$$h \le \sqrt{q} - k, \qquad h \le q^{1/(2+\epsilon)} + 1 \qquad \text{and} \qquad h \le \frac{k - 4/\epsilon - 2}{4/\epsilon + 1}$$
for any $\epsilon > 0$. The main weakness of this result is that $\sqrt{q}$ has to be greater than $k$, which implies that the information rate $k/q$ goes to zero. But in the real world, we tend to use Reed-Solomon codes of high rates. The main result of this paper is to remove this restriction. Precisely, we show that

Theorem 1.
For any $c \in [0, 1]$, there exists an infinite explicit family of Reed-Solomon codes $\{RS_{q_1}[q_1, k_1], RS_{q_2}[q_2, k_2], \cdots, RS_{q_i}[q_i, k_i], \cdots\}$ with $q_i = \Theta(i^2 \log^2 i)$ and $k_i = (c + o(1)) q_i$ such that if there is a polynomial time randomized algorithm solving the maximal likelihood decoding problem for the above family of codes, then there is a polynomial time randomized algorithm solving the discrete logarithm problem over all the fields in $\{\mathbb{F}_{q_1^{h_1}}, \mathbb{F}_{q_2^{h_2}}, \cdots, \mathbb{F}_{q_i^{h_i}}, \cdots\}$, where $h_i$ is any integer less than $q_i^{1/4 + o(1)}$.

The discrete logarithm problem over finite fields is well studied in computational number theory. It is not believed to have a polynomial time algorithm. Many cryptographical protocols base their security on this assumption. The fastest general purpose algorithm [1] solves the discrete logarithm problem over the finite field $\mathbb{F}_{q^h}^*$ in conjectured time $\exp(O((\log q^h)^{1/3} (\log \log q^h)^{2/3}))$. Thus, in the above theorem, it is best to take $h_i$ as large as possible (close to $q_i^{1/4 + o(1)}$) in order for the discrete logarithm to be hard. If $h = q^{1/4 + o(1)}$, this complexity is subexponential in $q$. The above theorem rules out a polynomial time algorithm for the maximal likelihood decoding problem of Reed-Solomon codes of any rate under a cryptographical hardness assumption.

Our earlier paper [4] proved the theorem for $c = 0$ (in that case we have $h_i \le q_i^{1/2 + o(1)}$). In this paper, we shall be concentrating on $0 < c \le 1$. The results in this paper are built on the methods and results of our earlier paper. We shall show that the case $c = 1$ follows from the case $c = 0$ by a dual argument. The main new idea for the case $0 < c < 1$ is to exploit the role of subfields contained in $\mathbb{F}_q$. Assume that $q = \tilde{q}^2$ and $h = q^{1/4 + o(1)}$ is a positive integer.
We have $\mathbb{F}_{\tilde q} \subseteq \mathbb{F}_q \subseteq \mathbb{F}_{q^h}$. Let $\alpha$ be an element in $\mathbb{F}_{q^h}$ such that $\mathbb{F}_{\tilde q}[\alpha] = \mathbb{F}_q[\alpha] = \mathbb{F}_{q^h}$. We observe that if every element in $\mathbb{F}_{q^h}$ can be written as a product of $g_1$ many distinct $\alpha + a$ with $a \in \mathbb{F}_{\tilde q}$, then for any nonnegative integer $g_2 \le q - \tilde q$, every element in $\mathbb{F}_{q^h}$ can be written as a product of $g_1 + g_2$ many distinct $\alpha + a$ with $a \in \mathbb{F}_q$. This observation enables us to prove the main technical lemma that for any constant $0 < c < 1$, any element in $\mathbb{F}_{q^h}$ can be written as a product of $\lfloor cq \rfloor$ distinct factors in $\{\alpha + a \mid a \in \mathbb{F}_q\}$ for $q$ large enough.

By a direct counting argument, for any positive integer $r < q - k$, there exists a Hamming ball of radius $r$ containing at least $\binom{q}{r} / q^{q - r - k}$ many codewords in the Reed-Solomon code $RS_q[q, k]$. Thus, if $k = \lfloor cq \rfloor$ for a constant $0 < c < 1$, we set $r = \lfloor q - k - q^{1/4} \rfloor$ and the number of codewords in the Hamming ball will be exponential in $q$. However, finding such a Hamming ball deterministically is a hard problem. There is some work done on this problem [7][2], but all the results are for codes of diminishing rates. Our contribution to this problem is to remove the rate restriction.

Theorem 2. For any $c \in (0, 1)$, there exists a deterministic algorithm that, given a positive integer $i$, outputs a prime power $q$, a positive integer $k$ and a vector $v \in \mathbb{F}_q^q$ such that
– $q = \Theta(i^2 \log^2 i)$ and $k = (c + o(1)) q$, and
– the Hamming ball centered at $v$ and of radius $q - k - q^{1/4 + o(1)}$ contains $\exp(\Omega(q))$ many codewords in $RS_q[q, k]$, and
– the algorithm runs in time $i^{O(1)}$.

In our construction, the ratio between the Hamming ball radius $q - k - q^{1/4 + o(1)}$ and the minimum distance $q - k + 1$, which is known as the relative radius of the Hamming ball, is approaching 1. The same problem was encountered in [7][2], where there is the further restriction that the information rate goes to zero.
In contrast, the above theorem allows the information rate to be positive. The following result shows that we can decrease the relative radius to a constant less than 1 if we work with codes with information rate going to one.

Theorem 3. For any real number $\rho \in (2/3, 1)$, there is a deterministic algorithm that, given a positive integer $i$, outputs a prime power $q = i^{O(1)}$, a positive integer $k = q - o(\sqrt{q})$ and a vector $v \in \mathbb{F}_q^q$ such that the Hamming ball centered at $v$ and of radius $[\rho(q - k + 1)]$ contains at least $q^i$ many codewords in $RS_q[q, k]$. The algorithm has time complexity $i^{O(1)}$.

Note that the information rate is $1 - o(1)$. It would be interesting for future research to extend the result to all $\rho \in (1/2, 1)$, and to prove a similar result with the information rate positive and the relative radius less than 1.

Given a real number $\rho \in (0, 1)$, the codes where some Hamming ball of relative radius $\rho$ contains superpolynomially many codewords are called $\rho$-dense. It was known in [5] how to efficiently construct such codes for any $\rho \in (1/2, 1)$, but finding the center of such a Hamming ball in deterministic polynomial time is an open problem. In this paper, we solve this problem if the relative radius falls in the range $(2/3, 1)$, using Reed-Solomon codes of rate approaching one. This result derandomizes an important step in the inapproximability result for the minimum distance problem of a linear code in [5]. To completely derandomize the reduction there, however, one needs to find a linear map from a dense Hamming ball into a linear subspace. This is again an interesting future research direction.

2 Previous work for rate c = 0

For the reader's convenience, in this section we sketch the main ideas in our earlier paper [4]. This will be the starting point of our new results in the present paper. Let $h \ge 2$ be a positive integer.
Let $h(x)$ be a monic irreducible polynomial in $\mathbb{F}_q[x]$ of degree $h$. Let $\alpha$ be a root of $h(x)$ in an extension field. Then $\mathbb{F}_q[\alpha] = \mathbb{F}_{q^h}$ is a finite field of $q^h$ elements. We have

Theorem 4. Let $h < g < q$ be positive integers. If every element of $\mathbb{F}_{q^h}^*$ can be written as a product of exactly $g$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$, then the discrete logarithm in $\mathbb{F}_{q^h}^*$ can be efficiently reduced in random time $q^{O(1)}$ to the maximal likelihood decoding of the Reed-Solomon code $RS_q[q, g - h]$.

Proof. In [4], the same result was stated for the weaker bounded distance decoding. Since the specific words used in [4] have exact distance $q - g$ to the code $RS_q[q, g - h]$, bounded distance decoding and maximal likelihood decoding are equivalent for those special words. Thus, we may replace bounded distance decoding by maximal likelihood decoding in the above statement.

We now sketch the main ideas. Let $h(x)$ be a monic irreducible polynomial of degree $h$ in $\mathbb{F}_q[x]$. We shall identify the extension field $\mathbb{F}_{q^h}$ with the residue field $\mathbb{F}_q[x]/(h(x))$. Let $\alpha$ be the class of $x$ in $\mathbb{F}_q[x]/(h(x))$. Then $\mathbb{F}_q[\alpha] = \mathbb{F}_{q^h}$. Consider the Reed-Solomon code $RS_q[q, g - h]$. For a polynomial $f(x) \in \mathbb{F}_q[x]$ of degree at most $h - 1$, let $u_f$ be the received word
$$u_f = \left( \frac{f(a)}{h(a)} + a^{g-h} \right)_{a \in \mathbb{F}_q}.$$
By assumption, we can write
$$f(\alpha) = \prod_{i=1}^{g} (\alpha + a_i),$$
where the $a_i \in \mathbb{F}_q$ are distinct. It follows that, as polynomials, we have the identity
$$\prod_{i=1}^{g} (x + a_i) = f(x) + t(x) h(x),$$
where $t(x) \in \mathbb{F}_q[x]$ is some monic polynomial of degree $g - h$. Thus,
$$\frac{f(x)}{h(x)} + x^{g-h} + \left( t(x) - x^{g-h} \right) = \frac{\prod_{i=1}^{g} (x + a_i)}{h(x)},$$
where $t(x) - x^{g-h} \in \mathbb{F}_q[x]$ is a polynomial of degree at most $g - h - 1$ and thus corresponds to a codeword.
This equation implies that the distance of the received word $u_f$ to the code $RS_q[q, g - h]$ is at most $q - g$. If the distance were smaller than $q - g$, one would get a monic polynomial of degree $g$ with more than $g$ distinct roots. Thus, the distance of $u_f$ to the code is exactly $q - g$. Let $C_f$ be the set of codewords in $RS_q[q, g - h]$ which have distance exactly $q - g$ to the received word $u_f$. The cardinality of $C_f$ is then equal to $\frac{1}{g!}$ times the number of ordered ways that $f(\alpha)$ can be written as a product of exactly $g$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$. For error radius $q - g$, the maximal likelihood decoding of the received word $u_f$ is the same as finding a solution to the equation
$$f(\alpha) = \prod_{i=1}^{g} (\alpha + a_i),$$
with the $a_i \in \mathbb{F}_q$ distinct.

To show that the discrete logarithm in $\mathbb{F}_{q^h}^*$ can be reduced to the decoding of the words of the type $u_f$, we apply the index calculus algorithm. Let $b(\alpha)$ be a primitive element of $\mathbb{F}_{q^h}^*$. Taking $f(\alpha) = b(\alpha)^i$ for a random $0 \le i \le q^h - 2$, the maximal likelihood decoding of the word $u_f$ gives a relation
$$b(\alpha)^i = \prod_{j=1}^{g} (\alpha + a_j(i)),$$
where the $a_j(i) \in \mathbb{F}_q$ are distinct for $1 \le j \le g$. This gives the congruence
$$i \equiv \sum_{j=1}^{g} \log_{b(\alpha)} (\alpha + a_j(i)) \pmod{q^h - 1}.$$
Repeating the decoding and letting $i$ vary gives enough linear equations in the $q$ variables $\log_{b(\alpha)}(\alpha + a)$ ($a \in \mathbb{F}_q$). Solving the linear system modulo $q^h - 1$, one finds the values of $\log_{b(\alpha)}(\alpha + a)$ for all $a \in \mathbb{F}_q$. To compute the discrete logarithm of an element $v(\alpha) \in \mathbb{F}_{q^h}^*$ with respect to the base $b(\alpha)$, one applies the decoding to the element $v(\alpha)$ and finds a relation
$$v(\alpha) = \prod_{j=1}^{g} (\alpha + b_j),$$
where the $b_j \in \mathbb{F}_q$ are distinct. Then
$$\log_{b(\alpha)} v(\alpha) \equiv \sum_{j=1}^{g} \log_{b(\alpha)} (\alpha + b_j) \pmod{q^h - 1}.$$
In this way, the discrete logarithm of $v(\alpha)$ is computed.
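A toy instance of the reduction sketched above, added here as an illustration and not part of the paper: over the constructed field $\mathbb{F}_{13}$ with $h(x) = x^2 + 2$ (irreducible, since $-2$ is a non-square mod 13) and $g = 5$, the script builds $u_f$ from a chosen factorisation $f(\alpha) = \prod(\alpha + a_i)$, checks that the codeword $x^{g-h} - t(x)$ lies at distance exactly $q - g$, reads the $a_i$ back off the positions where decoder output and $u_f$ agree (the relation the index calculus step consumes), and confirms by exhaustive search that $|C_f|$ equals the number of $g$-subsets of $\mathbb{F}_q$ whose product is $f(\alpha)$. All parameters and function names are ours.

```python
# Added example, not from the paper: Theorem 4's identity on a toy instance. Constructed
# parameters: q = 13 (prime, so F_q = Z/13), h(x) = x^2 + 2 (irreducible over F_13 since
# -2 = 11 is a non-square mod 13) and g = 5 > deg h = 2, so the code is RS_13[13, 3].
from itertools import combinations, product

Q, H, DEG_H = 13, [2, 0, 1], 2   # polynomials are coefficient lists, lowest degree first

def trim(p):
    """Reduce mod Q and drop leading zeros; the zero polynomial is [0]."""
    p = [c % Q for c in p]
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def add(p, r):
    n = max(len(p), len(r))
    return trim([(p[i] if i < len(p) else 0) + (r[i] if i < len(r) else 0) for i in range(n)])

def mul(p, r):
    out = [0] * (len(p) + len(r) - 1)
    for i, pc in enumerate(p):
        for j, rc in enumerate(r):
            out[i + j] += pc * rc
    return trim(out)

def divmod_poly(p, d):
    """Long division over F_Q: (quotient, remainder) with deg(remainder) < deg(d)."""
    p, d = trim(p), trim(d)
    quot, inv_lead = [0] * max(1, len(p) - len(d) + 1), pow(d[-1], -1, Q)
    while len(p) >= len(d) and p != [0]:
        shift = len(p) - len(d)
        quot[shift] = p[-1] * inv_lead % Q
        p = add(p, [(-quot[shift] * c) % Q for c in [0] * shift + d])
    return trim(quot), p

def evaluate(p, x):
    return sum(c * pow(x, i, Q) for i, c in enumerate(p)) % Q

def received_word(f, g):
    """u_f = (f(a)/h(a) + a^{g-h})_{a in F_q}; h(a) != 0 for every a since h is irreducible."""
    return [(evaluate(f, a) * pow(evaluate(H, a), -1, Q) + pow(a, g - DEG_H, Q)) % Q
            for a in range(Q)]

def codeword(msg):
    """RS_q[q, k] codeword: a message polynomial of degree < k evaluated at every a in F_q."""
    return [evaluate(msg, a) for a in range(Q)]

def hamming(u, v):
    return sum(x != y for x, y in zip(u, v))

def factorisation_to_codeword(roots):
    """From prod(x + a_i) = f(x) + t(x) h(x) return f and the message x^{g-h} - t(x) (the
    paper's t(x) - x^{g-h} negated), so u_f - c = prod(x + a_i)/h(x) vanishes at a = -a_i."""
    prod = [1]
    for a in roots:
        prod = mul(prod, [a, 1])
    t, f = divmod_poly(prod, H)
    return f, add([0] * (len(roots) - DEG_H) + [1], [-c for c in t])

def factorisation_from_decoding(u, c):
    """A decoder returning c at distance q - g reveals the a_i: u and c agree at a = -a_i."""
    return sorted((-a) % Q for a in range(Q) if u[a] == c[a])

def closest_codewords(f, g):
    """Exhaustive search: (distance of u_f to RS_q[q, g-h], number of codewords attaining it)."""
    u, best, count = received_word(f, g), Q + 1, 0
    for coeffs in product(range(Q), repeat=g - DEG_H):
        d = hamming(u, codeword(trim(list(coeffs))))
        if d < best:
            best, count = d, 0
        count += d == best
    return best, count

def count_factorisations(f, g):
    """g-subsets {a_i} of F_q with prod(alpha + a_i) = f(alpha) in F_{q^h} = F_q[x]/(h(x))."""
    total = 0
    for subset in combinations(range(Q), g):
        prod = [1]
        for a in subset:
            prod = divmod_poly(mul(prod, [a, 1]), H)[1]   # multiply in F_{q^h}
        total += prod == trim(f)
    return total
```

With the constructed roots $[0, 1, 2, 3, 4]$, `factorisation_to_codeword` yields $f(x) = 10x + 5$, the codeword sits at distance $8 = q - g$, and `closest_codewords` and `count_factorisations` return the same count, which is the $|C_f|$ statement above checked by brute force.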
The detailed analysis can be found in [4]. The above theorem is the starting point of our method. In order to use it, one needs to get good information on the integer $g$ satisfying the assumption of the theorem. This is a difficult theoretical problem in general. It can be done in some cases, with the help of Weil's character sum estimate together with a simple sieving. Precisely, the following result was proved for $g$ in [4].

Theorem 5. Let $h < g$ be positive integers. Let
$$N(g, h) = \frac{1}{g!} \left( \frac{q^g - \binom{g}{2} q^{g-1}}{q^h - 1} - \left( 1 + \binom{g}{2} \right) (h-1)^g q^{g/2} \right).$$
Then every element in $\mathbb{F}_{q^h}^*$ can be written in at least $N(g, h)$ ways as a product of exactly $g$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$. If for some constant $\epsilon > 0$ we have
$$q \ge \max\left( g^2, (h-1)^{2+\epsilon} \right), \qquad g \ge \left( \frac{4}{\epsilon} + 2 \right)(h + 1),$$
then $N(g, h) \ge q^{g/2}/g! > 0$.

The main drawback of the above theorem is the condition $q \ge g^2$, which translates to the condition that the information rate $(g - h)/q$ goes to zero in applications.

3 The result for rate c = 1

Now we show that Theorem 1 holds when the information rate approaches one.

Proposition 6. Let $g, h$ be positive integers such that for some constant $\epsilon > 0$ we have $q \ge \max(g^2, (h-1)^{2+\epsilon})$ and $g \ge (4/\epsilon + 2)(h + 1)$. Then every element in $\mathbb{F}_{q^h}^*$ can be written in at least $N(g, h)$ ways as a product of exactly $q - g$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$.

To prove this proposition, we observe that the map sending $\beta \in \mathbb{F}_{q^h}^*$ to $\prod_{a \in \mathbb{F}_q} (\alpha + a) / \beta$ is one-to-one from $\mathbb{F}_{q^h}^*$ to itself.

Proof. Note that $\prod_{a \in \mathbb{F}_q} (\alpha + a) \ne 0$.
Given an element $\beta \in \mathbb{F}_{q^h}^*$, from Theorem 5 we have that $\prod_{a \in \mathbb{F}_q} (\alpha + a) / \beta$ can be written in at least $N(g, h)$ ways as a product of exactly $g$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$; hence $\beta$ can be written in at least $N(g, h)$ ways as a product of exactly $q - g$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$.

It follows from Theorem 4 that we have the following two results.

Proposition 7. Suppose that $q \ge \max(g^2, (h-1)^{2+\epsilon})$ and $g \ge (4/\epsilon + 2)(h + 1)$. Then the maximal likelihood decoding of $RS_q[q, q - g - h]$ is as hard as the discrete logarithm over the finite field $\mathbb{F}_{q^h}^*$.

Note that the rate $(q - g - h)/q$ approaches 1 as $q$ increases for $g = O(\sqrt{q})$ and $h = O(g) = O(\sqrt{q})$.

Proposition 8. Suppose that $q \ge \max(g^2, (h-1)^{2+\epsilon})$ and $g \ge (4/\epsilon + 2)(h + 1)$. Let $h(x)$ be an irreducible polynomial of degree $h$ over $\mathbb{F}_q$ and let $f(x)$ be a nonzero polynomial of degree less than $h$ over $\mathbb{F}_q$. Then in the Reed-Solomon code $RS_q[q, q - g - h]$, the Hamming ball centered at $\left( \frac{f(a)}{h(a)} + a^{q-g-h} \right)_{a \in \mathbb{F}_q}$ of radius $g$ contains at least $\frac{q^{g/2}}{g!}$ many codewords.

Note that if we set $g = \lceil \sqrt{q} \rceil$, then the number of codewords is greater than $2^{\sqrt{q}}$, which is subexponential.

Proof of Theorem 3. The relative radius of the Hamming ball in the above proposition is $\frac{g}{g + h + 1}$. If $g = \lceil (4/\epsilon + 2)(h + 1) \rceil$, then the relative radius approaches $\frac{4/\epsilon + 2}{4/\epsilon + 3} = \frac{2\epsilon + 4}{3\epsilon + 4}$. Select $\epsilon$ such that $\rho = \frac{2\epsilon + 4}{3\epsilon + 4}$. Note that $\epsilon$ can be large if $\rho$ is close to $2/3$. If $g = \lceil q^{1/(2+\epsilon)} \rceil$, the number of codewords is at least $\frac{q^{g/2}}{g!} > (\sqrt{q}/g)^g = q^{\frac{\epsilon g}{2(2+\epsilon)}}$. To make sure that this number is greater than $q^i$, we need $g > \frac{2(2+\epsilon) i}{\epsilon}$. It is satisfied if we let $q$ be the least prime power greater than $\left( \frac{2(2+\epsilon) i}{\epsilon} \right)^{2+\epsilon} = i^{O(1)}$.
We then calculate $g = \lceil q^{1/(2+\epsilon)} \rceil$ and solve for $h$ from the equation $g = \lceil (2/\epsilon + 2)(h + 1) \rceil$. Finally, we find an irreducible polynomial $h(x)$ of degree $h$ over $\mathbb{F}_q$ using the algorithm in [9].

4 The result for rate 0 < c < 1

We now consider the positive rate case with $0 < c < 1$. For this purpose, we take $q = q_1^m$ with $m \ge 2$. Let $\alpha$ be an element in $\mathbb{F}_{q^h}$ with $\mathbb{F}_{q_1}[\alpha] = \mathbb{F}_{q^h}$. Since $\mathbb{F}_{q_1}[\alpha] \subseteq \mathbb{F}_q[\alpha] \subseteq \mathbb{F}_{q^h}$, we also have $\mathbb{F}_{q^h} = \mathbb{F}_q[\alpha]$.

Theorem 9. Let $q = q_1^m$ with $m \ge 2$. Let $g_1$ and $g_2$ be non-negative integers with $g_2 \le q - q_1$. Let
$$N(g_1, g_2, h, m) = \frac{1}{g_1!} \left( \frac{q_1^{g_1} - \binom{g_1}{2} q_1^{g_1 - 1}}{q_1^{mh} - 1} - \left( 1 + \binom{g_1}{2} \right) (mh - 1)^{g_1} q_1^{g_1/2} \right) \binom{q - q_1}{g_2}.$$
Then every element in $\mathbb{F}_{q^h}^*$ can be written in at least $N(g_1, g_2, h, m)$ ways as a product of exactly $g_1 + g_2$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$. If for some constant $\epsilon > 0$ we have
$$q_1 \ge \max\left( g_1^2, (mh - 1)^{2+\epsilon} \right), \qquad g_1 \ge \left( \frac{4}{\epsilon} + 2 \right)(mh + 1),$$
then
$$N(g_1, g_2, h, m) \ge \frac{q_1^{g_1/2}}{g_1!} \binom{q - q_1}{g_2} > 0.$$

Proof. Since $g_2 \le q - q_1$, we can choose $g_2$ distinct elements $b_1, \cdots, b_{g_2}$ from the set $\mathbb{F}_q - \mathbb{F}_{q_1}$. For any element $\beta \in \mathbb{F}_{q^h}^* = \mathbb{F}_{q_1^{mh}}^*$, since $\mathbb{F}_{q_1}[\alpha] = \mathbb{F}_{q_1^{mh}}$, we can apply Theorem 5 to deduce that
$$\frac{\beta}{(\alpha + b_1) \cdots (\alpha + b_{g_2})} = (\alpha + a_1) \cdots (\alpha + a_{g_1}),$$
where the $a_i \in \mathbb{F}_{q_1}$ are distinct. The number of such sets $\{a_1, a_2, a_3, \cdots, a_{g_1}\} \subseteq \mathbb{F}_{q_1}$ is greater than
$$\frac{1}{g_1!} \left( \frac{q_1^{g_1} - \binom{g_1}{2} q_1^{g_1 - 1}}{q_1^{mh} - 1} - \left( 1 + \binom{g_1}{2} \right) (mh - 1)^{g_1} q_1^{g_1/2} \right).$$
Since $\mathbb{F}_{q_1}$ and its complement $\mathbb{F}_q - \mathbb{F}_{q_1}$ are disjoint, it follows that
$$\beta = (\alpha + b_1) \cdots (\alpha + b_{g_2}) (\alpha + a_1) \cdots (\alpha + a_{g_1})$$
is a product of exactly $g_1 + g_2$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$.

We now take $g_1 = \lfloor q^{1/(2m)} \rfloor = \lfloor \sqrt{q_1} \rfloor$ and $g_2 = \lfloor cq \rfloor - g_1$ in the above theorem. Thus, $g_1 + g_2 = \lfloor cq \rfloor$.
We need $g_2$ to satisfy the inequalities $0 \le g_2 \le q - q_1 = q - q^{1/m}$. That is,
$$0 \le \lfloor cq \rfloor - \lfloor q^{1/(2m)} \rfloor \le q - q^{1/m}.$$
The left inequality is satisfied if $q_1 \ge c^{-2/(2m-1)}$. The right inequality is satisfied if $q_1 \ge (1 - c)^{-1/(m-1)}$. Thus, we obtain

Theorem 10. Let $m \ge 2$ and $h \ge 2$ be two positive integers such that $q = q_1^m$. Let $0 < c < 1$ be a constant such that
$$q_1 \ge \max\left( (mh - 1)^{2+\epsilon},\ \left( \left( \tfrac{4}{\epsilon} + 2 \right)(mh + 1) \right)^2,\ c^{-\frac{2}{2m-1}},\ (1 - c)^{-\frac{1}{m-1}} \right)$$
for some constant $\epsilon > 0$. Then every element in $\mathbb{F}_{q^h}^*$ can be written as a product of exactly $\lfloor cq \rfloor$ distinct linear factors of the form $\alpha + a$ with $a \in \mathbb{F}_q$.

Combining this theorem with Theorem 4, we deduce

Theorem 11. Let $m \ge 2$ and $h \ge 2$ be two positive integers such that $q = q_1^m$. Let $0 < c < 1$ be a constant such that
$$q_1 \ge \max\left( (mh - 1)^{2+\epsilon},\ \left( \left( \tfrac{4}{\epsilon} + 2 \right)(mh + 1) \right)^2,\ c^{-\frac{2}{2m-1}},\ (1 - c)^{-\frac{1}{m-1}} \right)$$
for some constant $\epsilon > 0$. Then the maximal likelihood decoding of the Reed-Solomon code $RS_q[q, \lfloor cq \rfloor - h]$ is at least as hard (in random time $q^{O(1)}$ reduction) as the discrete logarithm in $\mathbb{F}_{q^h}^*$.

Taking $m = 2$ in this theorem, we deduce Theorem 1.

Proposition 12. Let $h$ be a positive integer and $0 < c < 1$ be a constant. Let $q_1$ be a prime power such that
$$q_1 \ge \max\left( (2h - 1)^{2+\epsilon},\ \left( \left( \tfrac{4}{\epsilon} + 2 \right)(2h + 1) \right)^2,\ c^{-2/3},\ (1 - c)^{-1} \right) \qquad (1)$$
for some constant $\epsilon > 0$. Let $q = q_1^2$. Let $h(x)$ be an irreducible polynomial of degree $h$ over $\mathbb{F}_q$ whose root $\alpha$ satisfies $\mathbb{F}_{q_1}[\alpha] = \mathbb{F}_{q^h}$. Let $f(x)$ be a nonzero polynomial over $\mathbb{F}_q$ of degree less than $h$. Then in the Reed-Solomon code $RS_q[q, \lfloor cq \rfloor - h]$, the Hamming ball centered at $\left( \frac{f(a)}{h(a)} + a^{\lfloor cq \rfloor - h} \right)_{a \in \mathbb{F}_q}$ of radius $q - \lfloor cq \rfloor$ contains at least $\exp(\Theta(q))$ many codewords.

Proof. The number of codewords in the ball is greater than
$$\frac{q_1^{\lfloor \sqrt{q_1} \rfloor / 2}}{\lfloor \sqrt{q_1} \rfloor !} \binom{q - q_1}{\lfloor cq \rfloor - \sqrt{q_1}},$$
which is greater than $\binom{q - q_1}{\lfloor cq \rfloor - \sqrt{q_1}} = \exp(\Theta(q))$.

Proof of Theorem 2. Let $q$ be the square of the $i$-th prime power (listed in increasing order). Assume that $i$ is large enough that $\sqrt{q} \ge \max(c^{-2/3}, (1 - c)^{-1})$. We then let $\epsilon$ be $1/\log q$ and $h$ be the largest integer satisfying (1). It remains to find an irreducible polynomial of degree $h$ over $\mathbb{F}_q$ whose root $\alpha$ satisfies $\mathbb{F}_{q_1}[\alpha] = \mathbb{F}_{q^h}$. Let $p$ be the characteristic of $\mathbb{F}_q$. We can use an $\alpha$ such that $\mathbb{F}_p[\alpha] = \mathbb{F}_{q^h}$. We need to find an irreducible polynomial of degree $h \log_p q$ over $\mathbb{F}_p$. It can be done in time polynomial in $p$ and the degree [9]. Then we factor the polynomial over $\mathbb{F}_q$ and take any factor to be $h(x)$. As for $f(x)$, we may simply let $f(x) = 1$.

5 Conclusion and future research

In this paper, we show that the maximal likelihood decoding of the Reed-Solomon code is at least as hard as the discrete logarithm for any given information rate. In our result, we assumed that the cardinality of the finite field is not a prime. While this is not a problem in practical applications, e.g. $q = 256$ is quite popular, it would be interesting to remove this restriction, that is, to allow prime finite fields as well. Many important questions about decoding Reed-Solomon codes remain open. For example, little is known about the exact list decoding radius of Reed-Solomon codes. In particular, does there exist a Hamming ball of relative radius less than one which contains super-polynomially many codewords in Reed-Solomon codes of rate less than one?

References

1. Antoine Joux, Reynald Lercier, Nigel Smart, and Frederik Vercauteren. The number field sieve in the medium prime case. In Advances in Cryptology - CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pages 326–344. Springer-Verlag, 2006.
2. Eli Ben-Sasson, Swastik Kopparty, and Jaikumar Radhakrishnan. Subspace polynomials and list decoding of Reed-Solomon codes. In 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS), pages 207–216, 2006.
3. Qi Cheng and Elizabeth Murray. On deciding deep holes of Reed-Solomon codes. In Proceedings of the Annual Conference on Theory and Applications of Models of Computation (TAMC), volume 4484 of Lecture Notes in Computer Science, pages 296–305. Springer-Verlag, 2007.
4. Qi Cheng and Daqing Wan. On the list and bounded distance decodability of Reed-Solomon codes. SIAM Journal on Computing, 37(1):195–209, 2007. Special Issue on FOCS 2004.
5. Ilya Dumer, Daniele Micciancio, and Madhu Sudan. Hardness of approximating the minimum distance of a linear code. IEEE Transactions on Information Theory, 49(1):22–37, 2003.
6. V. Guruswami and A. Vardy. Maximum-likelihood decoding of Reed-Solomon codes is NP-hard. IEEE Transactions on Information Theory, 51(7):2249–2256, 2005.
7. Venkatesan Guruswami and Atri Rudra. Limits to list decoding Reed-Solomon codes. IEEE Transactions on Information Theory, 52(8):3642–3649, 2006.
8. Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon and algebraic-geometry codes. IEEE Transactions on Information Theory, 45(6):1757–1767, 1999.
9. Victor Shoup. New algorithms for finding irreducible polynomials over finite fields. Mathematics of Computation, 54:435–447, 1990.