Quantum List Decoding of Classical Block Codes of Polynomially Small Rate from Quantumly Corrupted Codewords

Given a classical error-correcting block code, the task of quantum list decoding is to produce from any quantumly corrupted codeword a short list containing all messages whose codewords exhibit high"presence"in the quantumly corrupted codeword. Efficient quantum list decoders have been used to prove a quantum hardcore property of classical codes. The code rates of all known families of efficiently quantum list-decodable codes, unfortunately, are too small for other practical applications. To improve those known code rates, we prove that a specific code family of polynomially small code rate over a fixed code alphabet, obtained by concatenating generalized Reed-Solomon codes as outer codes with Hadamard codes as inner codes, has an efficient quantum list-decoding algorithm if its codewords have relatively high codeword presence in a given quantumly corrupted codeword. As an immediate application, we use the quantum list decodability of this code family to solve a certain form of quantum search problems in polynomial time. When codeword presence becomes arbitrarily smaller, however, we show that the quantum list decodability of generalized Reed-Solomon codes with high confidence is closely related to the efficient solvability of the following two problems: noisy polynomial interpolation problems and bounded distance vector problems. Moreover, assuming that NP is not included in BQP, we prove that there is no efficient quantum list decoder for the generalized Reed-Solomon codes.


Introduction
Classical list decoding, which was rooted in the late 1950s by Elias [3] and Wozencraft [18], has drawn significant attention since Sudan's [15] discovery of an efficient list decoding algorithm for Reed-Solomon codes beyond its "traditional" error-correction radius. List decoding has since then found useful applications to cryptography as well as complexity theory (see, e.g., a survey article [16]).
Quantum list decoding dealing with classical block codes first arose in connection to quantum hardcore functions in a seminal paper by Kawachi and Yamakami [12] (following an early result of Adcock and Cleve [1] on biased oracles) in the so-called implicitinput explicit-output model, in which we wish to output a list of messages with oracle access to a quantum encoding procedure which produces a quantum superposition of corrupted codewords. This model differs from the conventional error-correction model between a sender and a receiver through a noisy channel. In contrast, we are given a (possibly) faulty quantum algorithm (known as a quantum-computationally corrupted codeword or quantumly corrupted codeword) which encodes a classical message to a certain quantum state representing a quantum corruption of the correct codeword. It is in general hard to recover the original message from such a quantumly corrupted codeword; however, we may be able to produce a reasonably small list that contains all messages whose codewords are close proximity to the given quantumly corrupted codeword. This closeness is scaled by the notion of presence, which expresses the average probability of obtaining each block of the target codeword from the quantumly corrupted codeword. (See [12] for an intuition behind this notion.) This is the primary purpose of quantum list decoding. A natural question is: what types of classical block codes are efficiently quantum list decodable?
There are known families of block codes that are efficiently quantum list decodable with arbitrary presence. The first known example is Hadamard codes. In classical list decoding, Goldreich and Levin [5] showed the classical list decodability of the binary Hadamard codes and subsequently Goldreich, Rubinfeld, and Sudan [6] gave a general list decoding algorithm for the q-ary Hadamard codes. Concerning quantum list decoding, Adcock and Cleve [1] essentially proved that the binary Hadamard codes are quantum list decodable in polynomial time. For the q-ary Hadamard codes, a fast quantum list decoding algorithm was recently given by Kawachi and Yamakami [12]. They also presented two additional quantum list decodable codes: shifted Legendre symbol codes and pairwise equality codes. All these codes, nonetheless, have exponentially-small rate, where the (message) rate of a code is a ratio of message length and codeword's block length. This paper is motivated by the question of whether there exists a family of efficiently quantum list decodable codes of polynomially-small rate and constant codeword alphabet size, because such a code family finds useful applications to quantum complexity theory (an example will be seen in Section 5). Natural candidates are well-studied Reed-Solomon codes. They have relatively large rate; however, they usually have large alphabet size. A standard way to build a code of large rate but small alphabet size is to concatenate two codes of good properties. We claim that concatenating generalized Reed-Solomon codes with Hadamard codes gives the desired codes, assuming that the generalized Reed-Solomon codes are efficiently quantum list decodable. This claim is proven by employing in Section 3 a technique of constructing a "quantum reduction" between two quantumly corrupted codewords. Note that this technique requires no soft information, which is a key ingredient in the classical case of [7,8].
Are the generalized Reed-Solomon codes efficiently quantum list decodable? A direct and simple approach toward their quantum list decoding is an application of the polynomial reconstruction algorithm of Guruswami and Sudan [7]. When codeword presence in a quantumly corrupted codeword is relatively high, we can show in Section 4 how to construct a quantum list decoding algorithm for the generalized Reed-Solomon codes. As the presence becomes lower, however, it seems harder to solve efficiently the quantum list decoding problem for the generalized Reed-Solomon codes, because its efficient list decod-ing leads to the unexpected consequence that every NP-problem can be efficiently solved on a quantum computer with high success probability. There is also a direct connection between quantum list decodability of the generalized Reed-Solomon codes and quantum solvability of two classical problems: the noisy polynomial interpolation problem (NPIP) [13] and the bounded distance vector problem (BDVP).
To a certain type of application, our quantum list decoding algorithm for the aforementioned concatenated code is still applicable. Our example is the QCMA search problem, in which we want to find a classical witness of polynomial size that forces a given polynomial-time quantum algorithm to accept with high probability. We show in Section 5 that solving this search problem on average implies solving it in worst case.
Finally, we make a brief discussion on the notion of local quantum list decoding based on an implicit-input implicit-output model where an outcome of a list decoder is a list of descriptions of quantum circuit listdecoders. Similar to the classical case of [17], we can apply our quantum list decoder for the generalized Reed-Solomon codes to do local quantum list decoding for Reed-Müller codes from quantumly corrupted codewords. As an immediate consequence, we can prove the so-called hardness amplification of quantum circuits, following the argument of [17].

Foundations of Quantum List Decoding
This section explains basic notions and notation concerning quantum list decoding. Throughout this paper, let N denote the set of all nonnegative integers and set N + = N − {0}. For any positive integers m, n with m ≤ n, let [m, n] Z denote the set {m, m+ 1, m+ 2, . . . , n} and let [n] be short for [1, n] Z if n ≥ 1.

Classical Block Codes
We briefly explain classical block (error-correcting) codes, which are objects of our interest. Roughly speaking, a code is a set of strings of the same length over a finite alphabet Σ and each string of a code is indexed by a message and is called a codeword. In this paper, we are mostly focused on a family of codes, each of which corresponds to a different message length n in N. Such a code family is in general specified by a series (Σ n , I n , Γ n ) of message space Σ n , index set I n , and code alphabet Γ n for each message length n (which serves as a "basis parameter" in this paper).
As standard in complexity theory, a code C is viewed as a function that, for each message length n, maps Σ n × I n to Γ n . Let N (n) = |Σ n | and q(n) = |Γ n |. It is convenient to assume that Σ n = (Σ ′ n ) n so that n actually represents the length of messages in Σ n over the message alphabet Σ ′ n ; in this case, n = ⌈log |Σ ′ n | N (n)⌉ for each n ∈ N. By abbreviating C(x, y) as C x (y), we treat C x (·) as a function mapping I n to Γ n and is called a codeword, where the block length M (n) of such a codeword is |I n |. For simplicity, we often assume that I n = {0, 1, . . . , M (n) − 1} so that each element of I n can be expressed in ⌈log 2 M (n)⌉ bits. We freely identify C x with the vector (C x (0), C x (1), · · · , C x (M (n) − 1)) in the ambient space (Γ n ) M(n) of dimension M (n). We mainly work on a finite field and we often regard Γ n as the finite field F q(n) (= GF(q(n))) of order q(n).
The (message) rate of C is defined to be the ratio n/M (n). The (Hamming) distance d(C x , C y ) between two codewords C x and C y is the number of non-zero components in the vector C x − C y . The minimal distance d(C) of a code C is the smallest distance between any pair of distinct codewords in C. In contrast, ∆(C x , C y ) denotes the relative (Hamming) distance d(C x , C y )/M (n). The abovedescribed code is simply called a (M (n), n) q(n) -code * (or (M (n), n, d(n))-code if the minimal distance d(n) of the code of message length n is emphasized). We may drop a length parameter n from both subscript and argument place whenever we discuss a set of codewords with a "fixed" n.
Hadamard Codes HAD. Let n be any message length, used as a parameter, and let q be any prime number. A q-ary Hadamard code family HAD (q) = {HAD (q,n) } n∈N consists of (q n , n, q n − q n−1 ) q -codes obtained as follows. For each message Let q be any prime and let k, n be any positive integers with n ≤ k ≤ q. A (normalized) generalized Reed-Solomon code family GRS = {GRS (k,n,q) } n,k∈N consists of all (k, n, k − n + 1) q -codes obtained as follows. Let x = (x 1 , x 2 , . . . , x n ) ∈ (F q ) n be any message and let D k be a set of k distinct elements (called code locators) in F q . Let GRS (k,n,q) x (r) = n i=1 x i r i−1 mod q be the polynomial of degree at most n − 1 for each r ∈ D k .

Quantumly Corrupted Codewords and Codeword Presence
We are mostly concerned with a quantum corruption that occurs during a quantum procedure of encoding messages into codewords. The process of such a quantum corruption can be described as a certain type of unitary map. Formally, a quantum-computationally corrupted codeword (or quantumly corrupted codeword) is a unitary operatorÕ, with two fixed function parameters l(n) and m(n) mapping N to N, that satisfies the following condition: for any three strings r ∈ Σ n , s ∈ Σ l(n) , and t ∈ Σ m(n) , there exists a unit vector |φ r,z of length m(n) such that O|r |s |t = z α r,z |r |s ⊕ z |t ⊕ φ r,z , where the notation |t ⊕ φ r,z is shorthand for w∈Σ m(n) w|φ r,z |t ⊕ w and ⊕ is the bitwise XOR. The presence of codeword C x inÕ, denoted PreÕ(C x ), is the average probability of obtaining the correct values C x (r) over all indices r ∈ I n ; namely, PreÕ(C x ) = 1 M r |α r,Cx(r) | 2 . See [12] for an intuition behind these notions.
We further expand the notions of presence and distance. Let n be any message length. Define W n to be the set of all vectors w = (w r,z ) r,z ∈ [0, 1] q(n)M(n) (which is viewed as a "measured" quantumly corrupted codeword) such that z∈[0,q(n)−1] Z w r,z = 1 for each index r ∈ [0, M (n) − 1] Z . Notice that r z w r,z = M (n) for any w ∈ W n . Next, consider the set V n of all codewords a = (a r ) r ∈ ([0, q(n) − 1] Z ) M(n) . We embed this codeword a into W n in the following way. Define v(a) = (δ r,z = 1 if a(r) = z and 0 otherwise. Moreover, for any code (i.e., a subset of V n ) * In some literature, the notation (M(n), Γn) q(n) is used instead.
First, we expand the notion of presence. For any a ∈ V n and any vector w ∈ W n , define Pre w (a) = 1 M(n) v(a)|w , where ·|· denotes the standard inner product. Second, we expand the notion of the (Hamming) distance. For any pair v, w ∈ W n , define d(v, w) = M (n) − v|w . This new definition clearly expands the standard notion of the distance d(·, ·) because, for any a, b ∈ V n , we have Notice that, for any a ∈ V n and any vector w ∈ W n ,

Presence Versus Minimal Distance
A relatively good upper bound on the value of presence is shown in [12] by following a geometric method of Guruswami and Sudan [9], who gave a q-ary extension of Johnson bound. Let C be any (M (n), n, d(n)) q(n) -code family with message space Σ n and define P q(n) (M (n), d(n), ε(n)) as supÕ {|{x ∈ Σ n | PreÕ(C x ) ≥ ε(n)}|}, where "sup" is taken over all quantumly corrupted wordÕ for C.
To derive an asymptotic bound from this lemma, we introduce QL poly (λ), which indicates the minimal possible presence for a family of quantum list decodable codes of minimal relative distance λ having only a polynomial-size message list. Let C = {C (n) } n∈N be any (M (n), n, d(n)) q(n) -code family.

Proof.
Consider the case where the upper bound given in Lemma 2.1 is at most an c . For readability, we omit the parameter "n" in the following calculation.
We then obtain the inequality which is equivalent to The term |ε − 1/q| is thus lower-bounded by Assuming that ε ≥ 1/q, the proposition follows immediately from the relation It is still open whether the equality QL poly (λ) = 1/q

Implicit-Input Explicit-Output Model
List decoding has been modeled in several different ways in the past literature. This paper chiefly uses the model that takes quantumly corrupted codewords implicitly as an oracle and outputs hidden messages explicitly. Upon this implicit-input explicit-output model, the quantum list decoding problem (QLDP) for a code C is described in the following fashion. First, let C be any (M (n), n, d(n)) q(n) -code family with message space Σ n and let O be any set of quantumly corrupted codewords for C. Take a bias parameter ε(n).
• Input: a message length n and a value 1/ε(n).
• Implicit Input: an oracleÕ ∈ O representing a quantumly corrupted codeword for C. • Output: a list of messages including all messages x ∈ Σ n that satisfy the inequality PreÕ(C x ) ≥ 1/q(n) + ε(n). For convenience, we refer to such a list as a valid list for the ε-QLDP.
Our goal is to solve this ε-QLDP using quantum computation with oracle access to a quantumly corrupted codeword in O with success probability at least δ(n), which is given as a confidence parameter. Now, let us introduce the notion of quantum list decoding algorithm that works with bias ε and confidence δ. Definition 2.3 (quantum list decoding) Let C be any code family, let ε(n) be any bias parameter, and let δ(n) be any confidence parameter. A quantum list decoding algorithm (or a quantum list decoder) for C with bias ε and confidence δ is a quantum algorithm A that solves the ε-QLDP for C with success probability at least δ(n). If A also runs in time polynomial in (n, 1/ε(n), 1/δ(n)), it is called a polynomial-time quantum list decoding algorithm for C.
The list size of a quantum list decoding algorithm refers to the maximal size of a valid list produced by the algorithm.
Remark: In certain applications, list size plays a crucial role. For instance, if a quantum list decoder produces a valid list L with probability at least δ(n), it is possible to specify a hidden message x uniquely with the same success probability with help of "advice" of log |Σ| |L| size over message alphabet Σ.
In the rest of this subsection, we discuss a simple connection between one-way functions and the QLDPs. To begin with, we introduce the notion of a one-way function of the strong form, which we preferably call super one-way.

Definition 2.4 (quantum super one-wayness)
A function f is called quantum super one-way if (i) there exists a polynomial-time quantum algorithm A such that A|x |0 = |x |f (x) |φ x for a certain quantum state |φ x and (ii) for any positive polynomial p and any polynomial-time quantum algorithm B, the probability that B|f (x) |φ x outputs x is at most 1/p(n).

Remark:
The "standard" one-wayness requires that B|f (x) outputs x with negligible probability whereby the information |φ x is hidden from the adversary B who tries to invert f . Our new notion indicates that B hardly outputs x even though |φ x is given besides f (x) as supplemental information.
A typical example of a quantum super one-way function is a quantum one-way permutation because, for a permutation, we can replace |φ x in Definition 2.4 with |0 m by uncomputing a deterministic procedure that computes f (x) from x.

Lemma 2.5 No polynomial-time quantum list decodable code with polynomially-small confidence is quantum super one-way.
Proof. Let f be a quantum super one-way function with its length function m(n) ∈ n O(1) (i.e., |f (x)| = m(|x|)). Consider an (m(n), n, d(n)) q(n) -code C and let C x (r) denote the rth bit (f (x)) r of f (x).
Take a polynomial-time quantum algorithm A computing C and assume that A|x |r |0 m(n) |0 m = |x |r |C x (r) |φ x for a certain quantum state |φ x . Fix x arbitrarily and defineÕ|r |s |t = |r |s ⊕ C x (r) |t ⊕ φ x for each pair (s, t) of strings. Toward a contradiction, assume that C has a polynomial-time quantum list decoder B with polynomially-small confidence. Without loss of generality, we can assume that Prob B [BÕ(0 n ) = x] ≥ 1/p(n) for a certain fixed positive polynomial p. Convert this B to an algorithm that inverts f as follows. On input |f (x) |φ x , where y ∈ range(f ), run B. Whenever B makes an oracle call with a query |r |s |t , generate its answer |r |s ⊕ (f (x)) r |t ⊕ φ x from the input information. Finally, output an outcome of B. This implies that f is not quantum super one-way, a contradiction. 2

Codes of Polynomially-Small Rate
A family of polynomial-time classical list decodable codes of polynomially-small rate and binary codeword alphabet finds numerous applications in the fields of cryptography and complexity theory (see, e.g., [16]). Since all known efficiently quantum list decodable code families have exponentially-small rate, it is natural to ask whether there is any quantum list decodable code of polynomially-small rate and small alphabet size for any given bias parameter.

Concatenated Codes
A standard way of building a family of classical block codes of polynomially-small rate and small codeword alphabet size is to concatenate two codes of good properties: for instance, a generalized Reed-Solomon code and a Hadamard code. We can build a similar code under the assumption that the generalized Reed-Solomon codes are efficiently quantum list decodable for a certain bias value.
We first explain Forney's [4] notion of concatenated codes. Let us consider two codes C (1) and C (2) such that C (1) is an (M 1 , n 1 , d 1 ) q n 2 -code and C (2) is an (M 2 , n 2 , d 2 ) q -code. Let x = (x 1 , x 2 , . . . , x n1 ) be any message of length n 1 , where each x i is taken from Σ n2 over a q-letter alphabet Σ. Since x i can be expressed as a n 2 -letter string, x can be viewed as a string of total length n 1 n 2 over a q-letter alphabet. The code C = C 2 ⊙ C 1 , given by the inner code For our purpose, we choose the concatenated code C GRS-H [n, q, θ] explained in [8].
This is the concatenated code obtained by a certain generalized Reed-Solomon code as an outer code with a Hadamard code as an inner code. Following [8], we choose three parameters (q, n, θ) with n, q ∈ N and θ ∈ [0, 1] such that n ≥ 1, q ≥ 2, n = mq m θ, and q m θ ∈ N for a certain number m ∈ N. Here, we use the (q m , q m θ, (1 − θ)q m + 1) q m generalized Reed-Solomon code GRS (q m ,q m θ,q m ) as an outer code and the (q m , m, We have the bound log(1/θ) log q ≤ m ≤ n, which further implies that q m ≤ n log q θ log(1/θ) . Therefore, as far as θ = O(1/p(n)) and q = O(2 p(n) ) for a certain polynomial p, q m is upper-bounded by O(n 2 p(n) 2 ). Now, we claim that C GRS-H [n, q, θ] is quantumly list decodable for an appropriate choice of parameters (n, q, θ), assuming that the generalized Reed-Solomon codes are quantumly list decodable for a specific bias parameter. Reed-Solomon code has a quantum list decoder with bias ε ′ and confidence δ running in time polynomial in (n, q, 1/ε ′ , 1/δ, 1/θ), then C GRS-H [n, q, θ] has a quantum list decoding algorithm with bias ε and confidence δ running in time polynomial in (n, q, 1/ε ′ , 1/δ, 1/θ).
In this lemma, the value δ of the confidence of the generalized Reed-Solomon code is transferred to the concatenated code C GRS-H [n, q, θ]. The proof of the lemma is given in the subsequent subsection.

Quantum Reduction Technique
For the proof of Lemma 3.1, we wish to construct a "quantum reduction" between two quantumly corrupted codewords. It is useful to describe such a reduction, say, fromÕ toÕ ′ , as a quantum algorithm that, on each input |r |s |t , computes the outcome Õ ′ |r |s |t by making oracle calls toÕ. This can be seen as a strong form of well-known Turing reduction between two languages.
As a key lemma, we show a general result concerning the q-ary Hadamard code used as an inner code for an arbitrary outer code C. Now, let C be any (q m , n) q m -code, which is treated as a function C(x, r) mapping from (F q m ) n × (F q ) m to (F q ) m . The concatenated code D = HAD (q) ⊙ C therefore satisfies that D(x, r, s) = C(x, r) · s mod q for r ∈ (F q ) m and s ∈ (F q ) m . Our goal is to construct a quantum reduction between quantumly corrupted codewordsÕ C andÕ D associated with C and D, respectively. For any unitary transform U , we conveniently say that a quantum algorithm A realizes U if, for any basis state |r , A on input |r produces the state U |r exactly.
We have the following key lemma on the code D.
Lemma 3.2 Let C and D be the codes given as above and letÕ D be any quantumly corrupted codeword for D. There exist a polynomial-time quantum algorithm B and a quantumly corrupted codewordÕ C for C such that ; and 2. B realizesÕ C with access toÕ D as an oracle.
From the above lemma, Lemma 3.1 follows easily. We quickly sketch its proof.
Proof of Lemma 3.1. Let (q, n, θ, m, ε, ε ′ , δ) be the parameters given in the lemma. For simplicity, write M = q m . Assume that the (M, M θ, (1 − θ)M + 1) M generalized Reed-Solomon code has a polynomialtime quantum list decoder A with bias ε ′ and confidence δ. LetÕ be any quantumly corrupted codeword for C GRS-H [n, q, θ]. We want to find all messages x that satisfy the inequality PreÕ(C GRS-H [n, q, θ] x ) ≥ 1/q + ε. By Lemma 3.2, we can reduceÕ to another quantumly corrupted codewordÕ C for the outer code GRS (M,Mθ,M) with the following presence condition: where the last inequality follows from the bound ε 2 ≥  The proof of our key lemma (Lemma 3.2) is much more involved. We note that a simple approach using the following relation C x (r) = D x (r, s (1) )D x (r, s (2) ) · · · D x (r, s (m) ), where s (i) = 0 i−1 10 l−i , does not give the desired presence value for C x .
Proof of Lemma 3.2. Let C be any (q m , n) q m -code and let D be the concatenated code HAD (q) ⊙ C. Assume that, for any r, s ∈ (F q ) m ,Õ D |r, s |0 |0 d = z∈Fq α r,s,z |r, s |z |φ r,s,z . The desired quantumly corrupted codewordÕ C can be realized by the following quantum algorithm usingÕ D as an oracle.

Quantum Algorithm B:
(1) Starting with |r |0 |0 d+1 (a general case is similar), move the last register to the leftmost location and then generate the state can be expressed as s z β k,r,s,z |k |r |s |0 |0 d + |k |∆ k,r with certain amplitudes β k,r,s,z and a certain vector |∆ k,r whose last two registers contain no |0 |0 d . The amplitude β k,r,s,z is calculated as Therefore, our state |ψ ′ k is written in the form 1 q m/2 s z ω k·z q |α r,s,z | 2 |k |r |s |0 |0 d + |k |∆ k,r .
What is the norm of |∆ k,r ? Since s,z |β k,r,s,z | 2 + |∆ k,r 2 = 1, the squared norm of |∆ k,r satisfies 1 − q −m ≤ |∆ k,r 2 ≤ 1 − q −(2m+1) . (6) If the last two registers contain |0 |0 d , multiply the content s of the third register by k to obtain k · s; otherwise, do nothing. Note that k·s is in (F q ) m since so is s. (7) Similarly, exactly when |0 |0 d is in the last two registers, apply the inverse Fourier transform (F −1 q ) m over F q to the second register. This produces the state |ψ ′′ k = w∈(Fq) m γ k,r,w |k |r |w |0 |0 d + |k |∆ k,r , where γ k,r,w is the complex number defined by γ k,r,w = 1 q m s z ω k(z−w·s) q |α r,s,z | 2 . (8) Prepare two new registers |0 |0 for |∆ k,r and then generate q −m/2 w∈(Fq) m |r |w so that we have the state q −m/2 w∈(Fq) m |k |r |w ⊗ |∆ k,r . (9) Finally, output the state This ends the description of B.
To complete the proof, we need to evaluate the value of the presence of C x inÕ C , i.e., PreÕ C (C x ) = 1 q m (q−1) r∈F q m ,k∈[q−1] |γ k,r,Cx(r) | 2 + q −m |∆ k,r 2 .
Note that z |α r,s,z | 2 = 1 for each pair (r, s). Recall that PreÕ D (D x ) = q −2m r,s∈(Fq) m |α r,s,Dx(r,s) | 2 . It thus follows that, for each k ∈ [q − 1], where χ k = q −2m r,s z =Dx(r,s) ω k(z−Dx(r,s)) q |α r,s,z | 2 . An argument similar to [12] shows that, for a certain This completes the proof of Lemma 3.2. 2 Lemma 3.2 gives a fast quantum reduction from O D toÕ C . By contrast, there also exists a quantum reduction fromÕ C toÕ D with the following conditions. Proof Sketch. GivenÕ C , the following quantum algorithm A realizes the desiredÕ D .
(2) Change the register order to obtain the state |r |0 l |0 d |s |0 l .
(3) InvokeÕ C . Assume that we obtain the state |ψ 1 = z∈F q m α r,z |r |z |φ r,z |s |0 l . (4) Compute deterministically z · s mod q from (s, z) to obtain |ψ 2 = z α r,z |r |z |φ r,z |s |z · s mod q |φ ′ s,z , where |φ ′ s,z is the garbage produced while simulating the deterministic computation in a reversible fashion. (5) Change the register order so that we obtain |ψ 3 = z α r,z |r |s |z · s mod q |z |φ r,z |φ ′ s,z . It is not difficult to evaluate the value PreÕ D (D x ) using PreÕ C (C x ).

Complexity of generalized Reed-Solomon Codes
We turn our interest to the question of whether the generalized Reed-Solomon codes are efficiently quantum list decodable against a given bias parameter.
We point out that a classical approach works well when the bias is relatively large; however, for smaller bias, there seems little hope in search of an efficient quantum list decoder. We also show that the generalized Reed-Solomon codes have natural connections to the noisy polynomial interpolation problem (NPIP) of Naor and Pinkas [13] and a lattice problem, which we call the bounded distance vector problem (BDVP).

A Direct and Simple Approach
A direct and simple approach toward the quantum list decoding of the (q, n, q − n + 1) q generalized Reed-Solomon codes is the use of the Guruswami-Sudan polynomial reconstruction algorithm [7]. This approach works well after performing measurement on all oracle answers when bias is relatively large.

Proof.
Choose numbers n, q ∈ N and ε, ε ′ , δ ∈ (0, 1) to satisfy the premise of the lemma. Let O be any quantumly corrupted codeword for the GRS (q,n,q) . Now, we want to find all messages x satisfying the inequality PreÕ(GRS (q,n,q) x ) ≥ 1/q + ε. Fix such a message x arbitrarily in the following argument. Let Initially, set r to be 0. UsingÕ as an oracle, we iterate the following procedure by incrementing r by one. First, we make a query on r to the oracle T times, where T is the minimal integer satisfying Notice After receiving each answer fromÕ, we perform a measurement on the computational basis over F q and store a pair (r, y) if y is a result of this measurement. Since there are at most q/(1 + qε ′ ) values y with |α r,y | 2 ≥ 1/q + ε ′ , the probability P r of obtaining all such y's is bounded by where the last inequality follows from the choice of T . After the qth iteration, we can store at most q 2 /(1 + qε ′ ) points. Let S ε ′ be the set of all stored points. The probability that S ε ′ contains all the points (r, y) that satisfy |α r,y | 2 ≥ 1/q + ε ′ is at least r∈Fq P r ≥ Lastly, we should find all univariate polynomials p of degree at most n − 1 that lie on at least |A ε ′ | points in S ε ′ . For this purpose, we run the wellknown Guruswami-Sudan polynomial reconstruction algorithm. Guruswami and Sudan [7] gave a deterministic algorithm A that solves in time polynomial in (m, log q) the following polynomial reconstruction problem: on input of integers m, n ′ , t and m points {(x i , y i )} i∈[m] ⊆ F q × F q , find all univariate polynomials p of degree at most n ′ which lie on at least t points, provided that t > √ mn ′ . The choice of our parameters implies that Therefore, the Guruswami-Sudan algorithm correctly produces a list † that includes all the polynomials p of degree at most n − 1 that satisfy |α r,p(r) | 2 ≥ 1/q + ε ′ for at least (1 − γ ε,ε ′ )q indices r. Hence, the list also includes all messages x for which PreÕ(GRS (q,n,q) Combining the above lemma with Lemma 3.1, we obtain the proposition below.
To use the Guruswami-Sudan algorithm in the proof of Lemma 4.1, we make the bias ε relatively large. Is there any other way to list decode the generalized Reed-Solomon codes from a quantumly corrupted codeword even for relatively small bias? We can show in the next proposition that an efficient quantum list decoder for the generalized Reed-Solomon codes with arbitrary bias and high confidence can be used to solve all NP-problems efficiently on a quantum computer with high success probability. Proof. We want to give a reduction from a certain NP-complete problem to the QLDP with a specific quantumly corrupted codeword. To make our proof simple, we use the following restricted form of the interpolation problem discussed in [6].

Constrained Interpolation Problem (CIP)
• Input: three numbers d, e, m ∈ N, a prime q, a set A = {(x 1 , y 1 ), . . . , (x m , y m )} of m points in F q × F q , given in binary. This problem is clearly in NP and is also proven to be NP-hard ‡ [6]. Now, let d, e, m ∈ N, let q be a † Actually, to obtain an output of a unique list, we need to repeat the above process.
‡ This fact is observed by examining the reduction constructed in [6] from the subset sum problem. prime, and let A = {(x 1 , y 1 ), . . . , (x m , y m )} be any set of m points in F q × F q . Define D as the set {x 1 , . . . , x m } of code locators and write ℓ = |D|. Note that ℓ = (m − 1)/2 by the given condition.
Using A, we define a quantumly corrupted code-wordÕ of the formÕ|x |s |t = y∈Fq α x,y |x |y ⊕ s |t for every x ∈ F q . Let (x, y) be any point in F q × F q . If (x, y) ∈ A, let α x,y = 1/ d A (x); otherwise, let α x,y = 0. Finally, let ε = ε(e, m, q) = e+2 2ℓ − 1 q . Note that ε > 0 since ℓ ≤ q. Now, we claim the following: a polynomial p of degree d passes on at least e points in A as well as the point (x 1 , y 1 ) if and only if the presence of p inÕ satisfies Therefore, solving the CIP can be reduced to solving the ε-QLDP withÕ. Note that it takes only quantum polynomial time to realizeÕ from the set A (which is given as an input). Applying a t(n)-time quantum list decoder for the ε-QLDP with confidence 2/3, we obtain a valid list of polynomials p. The list size is at most t(n). Since the list may contain illegitimate polynomials, we need to check if each p passes on at least e + 1 different points in A including (x 1 , y 1 ). This quantum algorithm solves the CIP with success probability at least 2/3. 2 Since the inclusion NP ⊆ BQP seems unlikely, there is little hope to find a "polynomial-time" quantum list decoder for the generalized Reed-Solomon code with relatively small bias.

Noisy Polynomial Interpolation Problem
We point out that quantum list decoding of the generalized Reed-Solomon code is closely related to the noisy polynomial interpolation problem § introduced by Naor and Pinkas [13].

Noisy Polynomial Interpolation Problem (NPIP)
• Input: three numbers k, m, n ∈ N, a prime q, n distinct points {x 1 , x 2 , . . . , x n } in F q , and n sets S 1 , . . . , S n , each of which consists of exactly m elements from F q . • Promise: there exists a unique polynomial p of degree at most k such that, for each i ∈ [n], there exists exactly one element y ∈ S i satisfying p(x i ) = y. • Output: the hidden polynomial p.
Naor and Pinkas used the NPIP as an intractable assumption for a cryptographic primitive, called oblivious polynomial evaluation. Now, we prove the following. Proof. Take n distinct elements X = {x 1 , . . . , x n } and n sets S 1 , . . . , S n of m elements each. Assume that the promise of the NPIP holds with a unique polynomial, say, p of degree at most k. We set the bias ε to be n q (1/m − 1/q) and let S = i∈[m] S i . Note that k, m, n ≤ q.
Let us define a quantumly corrupted codeword O as follows.
For any element x in X, say x = x i for a certain i ∈ [m], letÕ|x i |s |t = 1 √ m y∈Si δ i,y |x i |s ⊕ y |t , where δ i,y = 1 if y ∈ S i and 0 otherwise. For the other elements x outside of X, letÕ|x |s |t = 1 √ q y∈Fq |x |s ⊕ y |t . We claim that the unique polynomial p satisfies the condition PreÕ(p) ≥ 1/q+ε. Since |X| = n and |F q −X| = q−n, it follows that Hence, we conclude that PreÕ(p) ≥ 1/q + ε. Now, consider the ε-QLDP for the GRS (n,k,q) with O. By our assumption, there exists a quantum list decoder A that solves this ε-QLDP with high confidence. To apply this A to find the hidden polynomial p, we need to realizeÕ from the given inputs (x 1 , . . . , x n , S 1 , . . . , S n ). This is done by generating the stateÕ|x i |s |t as follows: choose y in S i randomly and then generate the amplitude δ i,y / √ m. Therefore, we can solve the NPIP with high success probability.

Bounded Distance Vector Problem
To construct a quantum list decoder for the generalized Reed-Solomon code against relatively small bias, it suffices to give a quantum algorithm to the following lattice problem.

Bounded Distance Vector Problem (BDVP)
• Input: m basis vectors b 1 , b 2 , . . . , b m ∈ Z n and a radius ξ ∈ Q. • Oracle: given a vector v ∈ Z n , returns the value v 2 = j∈[n] λ 2 j v 2 j , where v = (v 1 , . . . , v n ) and λ = (λ j ) j ∈ [0, 1] n is a weight vector.  Proof. The following argument is owing to [2]. We want to construct an efficient quantum reduction to the BDVP from the QLDP for the (M, n, M − n + 1) q generalized Reed-Solomon code. This proves the proposition. Fix a set D M = {x 1 , x 2 , . . . , x M } of M distinct code locators in F q and consider the product set Let ε be any bias and assume that a quantumly corrupted codewordÕ for the generalized Reed-Solomon code Note that every L i (x) satisfies the following property: c ik x k−1 for certain constants c ik ∈ F q . Let a = (a 1 , a 2 , . . . , a n ) ∈ (F q ) n be any message and let p a (x) = n k=1 a k x k−1 be its codeword, i.e., the polynomial over F q of degree at most n − 1. Now, we assume that PreÕ(p a ) ≥ 1/q + ε. Note that p a satisfies the Lagrange's interpolation formula: where δ It is not difficult to show that L forms a lattice. Notice that the target vector δ (a) belongs to L. A set of basis vectors {b 1 , b 2 , . . . , b m } for L can be found easily (see, e.g., [2]).
To solve the QLDP, we first compute a basis vectors b 1 , . . . , b m and a radius ξ. We then solve the BDVP using the weight vector (given by an oracle).
Let v 1 , . . . , v k be the resulted list of vectors in L. For each v i , find a i ∈ (F q ) n such that v i = δ (ai) by solving a set of linear equations.  p ′ (n)(p(n)+2) such that the relative distance ∆(y, f (x)) is at most 1/2 − 1/p(n).
Proof. Assume that QCMA = BQP. Assume also that, for every QCMA search problem, there exist its solution function f and a polynomial-time quantum algorithm A that finds a string y, on each input x, with probability at least 1 − 2p(n) Consider the following algorithm B: on input (x, 1 i ), run A on input x and then output the ith bit of its outcome. The success probability of B is lower-bounded by (1 − max{∆(y, f (x)))}) Now, choose a polynomial s satisfying that 1/s(n) ≤ 1/p(n) − 1/p ′ (n) for all n ∈ N. By Proposition 5.1, we have a polynomial-time quantum algorithm that computes a certain solution function with probability at least 3/4. This means that QCMA is included in BQP, a contradiction. 2 Finally, we give the proof of Proposition 5.1.
Proof of Proposition 5.1. Let s be any positive polynomial. Take two positive polynomials q, t and a (t(n), n) 2 -code family C that is polynomial-time classically list decodable and has a polynomial-time quantum list decoder D with bias 1/s(t −1 (n)) and confidence 2/3, producing a list of size at most q(n), where n is message length. Without loss of generality, we can assume that t(n) ≥ n for all n ∈ N. The implication (2) ⇒ (1) is trivial. Next, we assume (1) and want to show (2). Let P = (L, M, p) be any QCMA search problem. Assume also that p(n) ≥ n for all n ∈ N. Note that a standard majority vote technique can reduce the bounded error probability of a quantum algorithm exponentially small (without changing the witness size) by polynomiallymany repetitions. Therefore, we can assume from (1) that 1. for every x ∈ L, there exists a witness y ∈ Σ p(|x|) such that Prob M [M (x, y) = 1] ≥ 1−2 −r(|x|) ; and 2. for every x ∈ L and for every y ∈ Σ p(|x|) , we have Prob M [M (x, y) = 0] ≥ 1 − 2 −r(|x|) , where r(n) = t(p(n)) + 3 and M is a certain polynomial-time quantum algorithm that depends on (p, r, L). Now, we define another QCMA search problem P ′ as follows. Let C y denote the codeword, to which y is encoded, of block length t(|y|). Consider the quantum algorithm M ′ that behaves as follows.
On input (x, z), first run the classical list decoding algorithm in polynomial time to produce with probability at least 5/6 a list S of candidates for C using z as a classically corrupted codeword (or a received word). Next, check if z = C y for a certain y ∈ S. If there is no such y, reject immediately. Assuming z = C y , run M (x, y) and outputs its outcome.
Let P ′ = (L, M ′ , p). We then claim that P ′ is a QCMA search problem. Take any n ∈ N and any x ∈ Σ n . Consider the case where x ∈ L. Since there exists a witness y ∈ Σ p(n) , the corresponding codeword z = C y forces M ′ to accept (x, z) with probability at least 5 6 (1 − 2 −r(|x|) ) ≥ 2/3. For the other case where x ∈ L, let z be any string in Σ t(p(n)) . If z = C y for all y ∈ S, then M ′ accepts (x, z) with probability ≤ 1/6. On the contrary, if z = C y for a certain y ∈ S, then M ′ accepts (x, z) with probability ≤ 5 6 2 −r(|x|) ≤ 1/3. Again, by the majority vote technique, we can reduce the error probability of M ′ to 2 −r(n) . Abusing the notation, we use M ′ to denote this new algorithm. By our assumption (1), there exist a solution function g for P ′ and a polynomial-time quantum algorithm A such that, for every x ∈ Σ n , where |φ x,b = 1 for any choice b ∈ {0, 1}, and Prob A,i [A(x, 1 i ) = (g(x)) i ] ≥ 1/2 + 1/s(n).
We fix an arbitrary x and, for the meantime, we omit subscript x. Let us define the oracleÕ as follows: If there exists a string y satisfying C y = g(x), then the presence of C y inÕ is Recall that D produces a list of size at most t(n) for message length n. We assume the standard order in Σ p(n) . Consider the following algorithm B.
On input x (n = |x|), run D usingÕ as an oracle to produce a list S ′ of t(p(n)) candidates (since the message size is p(n)), which include the above y (if x ∈ L), with probability ≥ 1 − 2 −r(n) . Run M ′ (x, z) sequentially for all z ∈ S ′ in order. Output the first z ∈ S ′ such that M ′ (x, z) outputs 1. If there is no such z, output ⊥.

Further Discussion
In the previous sections, we have used the model of implicit inputs and explicit outputs. When the running time of a quantum list decoder is limited to sublinear, it becomes impossible to explicitly output a list of messages. Instead, we may allow a quantum list decoder to produces a list of "oracle quantum circuits," each of which output each block element of a specific message with oracle access to a quantumly corrupted codeword. Such a model is called an implicit-output model. We briefly discuss a realm of quantum list decoding on this implicit-input implicit-output model. Let us introduce the notion of local quantum list decoding, analogous to local list decoding. Definition 6.1 Let C be any (M (n), n, d(n)) q(n)code family with message alphabet Σ. We say that C is locally quantum list decodable with bias ε and confidence δ if there exists a quantum algorithm A such that, for any message length n ∈ N (given in binary, not in unary), anyÕ for C, and any x ∈ Σ n with PreÕ(C x ) ≥ 1/q + ε(n), the following happens with probability at least 3/4: 1. A(n) outputs a list of descriptions of oracle quantum circuits D 1 , D 2 , . . . , D ℓ ; and 2. there exists an index j ∈ [ℓ] such that, for every i ∈ [n], DÕ j (i) outputs x i with probability at least δ(n) Similar to C GRS-H , we can define the concatenated code C RM-H using an appropriate Reed-Müller code and a proper Hadamard code. Following an argument of [17], we can easily prove that, using Lemmas 3.2 and 4.1, the code C RM-H is efficiently locally quantum list decodable with polynomially-small bias and confidence 2/3. Hence, we can conclude: Lemma 6.2 There exists a code family of polynomially-small rate and constant codeword alphabet size that are efficiently locally quantum list decodable with confidence 2/3 for polynomially-small bias.
An immediate consequence of this lemma is the hardness amplification of quantum circuits, again following an argument of [17]. Corollary 6.3 There exists a constant d > 0 for which the following is true. Let ε ∈ (0, 1) and let f be any Boolean function from {0, 1} k(n) . If no quantum circuit of size s computes f with probability at least δ, then there exists a Boolean function g mapping {0, 1} ℓ•k(n) with ℓ(n) ∈ O(n) such that no quantum circuit C of size s ′ = (k(n)/ε) d · s satisfies Prob C,x [C(x) = g(x)] ≥ 1/2 + ε, where C(x) denotes the random variable indicating the observed outcome bit of C on input x.

Concluding Remarks and Open Problems
The theme of this paper is an exploration of quantum list decodable code families of polynomially-small rate and constant codeword alphabet size. We have shown that certain generalized Reed-Solomon codes concatenated with Hadamard codes achieving such requirement are efficiently quantum list decodable when the bias of presence is relatively large. Even with such large bias, this helps us show the local quantum list decodability of Reed-Müller codes. Notice that a core part of the proofs of these results heavily relies on classical list decoding algorithms of [7,17]. Among codes of polynomially-small rate, is there any code whose quantum list decoding algorithm is in essence different from its classical one? Is there any quantum list decodable code that is not even classically list decodable? Does a generalized Reed-Solomon code have a subexponential-time quantum list decoder against arbitrary bias? Another important open problem is to find useful applications of quantum list decoding to a wide range of quantum information processing.