Department of Mathematics and Computer Science
Decoding error-correcting codes with Gröbner bases
Ruud Pellikaan
joint work with
Stanislav Bulygin
EMS Joint Math Weekend, March 1, 2008
(Berlekamp-McEliece-Van Tilborg)
Polynomial complexity for BCH, Goppa, Reed-Solomon and algebraic geometry codes.
$\mathbb{F}_q$ is the finite field with $q = p^e$ elements, $p$ a prime. A subspace of $\mathbb{F}_q^n$ of dimension $k$ is a linear code over $\mathbb{F}_q$ of length $n$ and dimension $k$. The weight of $y \in \mathbb{F}_q^n$ is $\mathrm{wt}(y) = |\{i : y_i \neq 0\}|$.
The minimum distance $d$ of a linear code $C$ is $d = \min\{\mathrm{wt}(c) : 0 \neq c \in C\}$. The parameters of $C$ are denoted by $[n, k, d]$: length $n$, dimension $k$ and minimum distance $d$. The redundancy is $r = n - k$. The error-correcting capacity is $\lfloor (d-1)/2 \rfloor$.
The code $C$ can be constructed via a generator matrix $G$, which is any $k \times n$ matrix whose rows form a basis of $C$. Alternatively, one can see $C$ as the null space of an $(n-k) \times n$ parity-check matrix $H$, so $c \in C \Leftrightarrow Hc^T = 0$.
The code $C$ is cyclic if $(c_{n-1}, c_0, \ldots, c_{n-2})$ is in $C$ for every codeword $c = (c_0, \ldots, c_{n-1})$ in $C$. The word $(c_0, \ldots, c_{n-1})$ is represented by the polynomial $c(x) = \sum_{i=0}^{n-1} c_i x^i$ with $x^n = 1$. So $c(x)$ is an element of the factor ring $\mathbb{F}_q[x]/\langle x^n - 1 \rangle$. Cyclic codes over $\mathbb{F}_q$ of length $n$ correspond one-to-one to ideals in this factor ring.
Assume $\gcd(q, n) = 1$. Let $F = \mathbb{F}_{q^m}$ be the splitting field of $X^n - 1$ over $\mathbb{F}_q$. Then $F$ has a primitive $n$-th root of unity, denoted by $a$. Let $I$ be a subset of $\mathbb{Z}_n$. The cyclic code with defining set $I$ is given by: $c(x) \in C$ if $c(a^i) = 0$ for all $i \in I$. The complete defining set of $C$ is the set of all $i \in \mathbb{Z}_n$ such that $c(a^i) = 0$ for all $c(x) \in C$. If $c(a^i) = 0$, then $c(a^{qi}) = (c(a^i))^q = 0$.
If $i$ is in a defining set of $C$, then $(1, a^i, \ldots, a^{(n-1)i})\,c^T = c_0 + c_1 a^i + \cdots + c_{n-1} a^{(n-1)i} = c(a^i) = 0$. Hence $(1, a^i, \ldots, a^{(n-1)i})$ is a parity check of $C$. Let $\{i_1, \ldots, i_r\}$ be a defining set of $C$. Then
$$H = \begin{pmatrix} 1 & a^{i_1} & a^{2i_1} & \cdots & a^{(n-1)i_1} \\ 1 & a^{i_2} & a^{2i_2} & \cdots & a^{(n-1)i_2} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & a^{i_r} & a^{2i_r} & \cdots & a^{(n-1)i_r} \end{pmatrix}$$
is a parity check matrix of $C$.
Let $y(x) = c(x) + e(x)$, with $c(x)$ the transmitted codeword, $y(x)$ the received word and $e(x)$ the error vector. Then $s$ is the syndrome vector $s^T := Hy^T = H(c^T + e^T) = Hc^T + He^T = He^T$, since $Hc^T = 0$.
Define $s_i = y(a^i)$ for all $i = 1, \ldots, n$. The vector $s = yH^T$ has entries $(s_{i_1}, \ldots, s_{i_r})$. Then $s_i = e(a^i)$ for all $i$ in the complete defining set. These $s_i$ are called the known syndromes. The remaining $s_i$ are called the unknown syndromes.
If the error vector is of weight $t$, then $e = (0, \ldots, 0, e_{j_1}, 0, \ldots, 0, e_{j_l}, 0, \ldots, 0, e_{j_t}, 0, \ldots, 0)$, where $1 \le j_1 < \cdots < j_t \le n$ and $e_j \neq 0$ if and only if $j \in \{j_1, \ldots, j_t\}$. The error locations are $z_1 = a^{j_1}, \ldots, z_t = a^{j_t}$.
The error-locator polynomial is $\sigma(Z) = \prod_{l=1}^{t} (Z - z_l)$. Expanded, $\sigma(Z) = Z^t + \sigma_1 Z^{t-1} + \cdots + \sigma_{t-1} Z + \sigma_t$. The coefficients $\sigma_i$ are the elementary symmetric functions in the error locations $z_1, \ldots, z_t$:
$$\sigma_i = (-1)^i \sum_{j_1 < j_2 < \cdots < j_i} z_{j_1} z_{j_2} \cdots z_{j_i}, \qquad 1 \le i \le t.$$
The generalized Newton identities $s_i + \sigma_1 s_{i-1} + \cdots + \sigma_t s_{i-t} = 0$ hold for all $i$. Suppose that the defining set of the cyclic code contains the $2t$ consecutive elements $1, 2, \ldots, 2t$. Algorithm of Peterson, Arimoto and Gorenstein-Zierler: the identities $s_i + \sigma_1 s_{i-1} + \cdots + \sigma_t s_{i-t} = 0$, $i = t+1, \ldots, 2t$, are $t$ linear equations in the variables $\sigma_1, \ldots, \sigma_t$ with the known syndromes $s_1, \ldots, s_{2t}$ as coefficients.
Generalized Newton identities in matrix form:
$$\begin{pmatrix} s_1 & s_2 & \cdots & s_t \\ s_2 & s_3 & \cdots & s_{t+1} \\ \vdots & \vdots & \ddots & \vdots \\ s_t & s_{t+1} & \cdots & s_{2t-1} \end{pmatrix} \begin{pmatrix} \sigma_t \\ \sigma_{t-1} \\ \vdots \\ \sigma_1 \end{pmatrix} + \begin{pmatrix} s_{t+1} \\ s_{t+2} \\ \vdots \\ s_{2t} \end{pmatrix} = 0$$
Here $s_1, s_2, \ldots, s_{2t}$ are known and $\sigma_1, \sigma_2, \ldots, \sigma_t$ are variables.
Gaussian elimination solves this system of linear equations with complexity $O(n^3)$. This complexity was improved by the algorithm of Berlekamp-Massey and by a variant of the Euclidean algorithm due to Sugiyama et al. Both algorithms are more efficient and basically equivalent, but they decode only up to the BCH error-correcting capacity, which is often strictly smaller than the true capacity: they do not correct up to the true error-correcting capacity.
Gröbner basis techniques were developed to remedy this problem. These methods can be divided into the following categories:
and Augot-Charpin-Sendrier
Orsini-Sala
Our method is a generalization of the first one.
Generalized Newton identities with unknown syndromes: $s_i + \sigma_1 s_{i-1} + \cdots + \sigma_t s_{i-t} = 0$, $i = 1, \ldots, n$. Here $\sigma_1, \sigma_2, \ldots, \sigma_t$ are variables, $s_i$ is known for $i$ in the complete defining set, and the remaining $s_i$ are unknown and treated as variables. It is a set of $n$ quadratic equations in $k + t$ variables.
The theory of Gröbner bases is about solving systems of polynomial equations in several variables with coefficients in a field. It is a common generalization of
linear systems of equations in several variables, and
polynomial equations of arbitrary degree in one variable.
The polynomial equations are linearized by treating the monomials as new variables. The number of variables grows exponentially in the degree of the polynomials. The complexity of computing a Gröbner basis is doubly exponential in general, and exponential in our case of a finite set of solutions. The complexity of our algorithm is exponential. The complexity coefficient is measured under the assumption that the over-determined system of quadratic equations is semi-regular, using the results of Bardet et al. applied to the algorithm F5 of Faugère.
Let $b_1, \ldots, b_n$ be a basis of $\mathbb{F}_q^n$. $B$ is the $n \times n$ matrix with $b_1, \ldots, b_n$ as rows. The (unknown) syndrome of a word $e$ with respect to $B$ is the column vector $u(e) = u(B, e) = Be^T$ with entries $u_i(e) = u_i(B, e) = b_i \cdot e$ for $i = 1, \ldots, n$. The matrix $B$ is invertible, so the syndrome $u(B, e)$ determines the error vector $e$ uniquely: $B^{-1} u(B, e) = B^{-1} B e^T = e^T$.
The coordinatewise star product of $x, y \in \mathbb{F}_q^n$ is defined by $x * y = (x_1 y_1, \ldots, x_n y_n)$. Then $b_i * b_j$ is a linear combination of the basis $b_1, \ldots, b_n$: there are structure constants $\mu_{ijl} \in \mathbb{F}_q$ such that $b_i * b_j = \sum_{l=1}^{n} \mu_{ijl} b_l$.
$U(e)$ is the $n \times n$ matrix of (unknown) syndromes of a word $e$ with entries $u_{ij}(e) = (b_i * b_j) \cdot e$. The entries of $U(e)$ and $u(e)$ are related by $u_{ij}(e) = \sum_{l=1}^{n} \mu_{ijl} u_l(e)$.
Lemma. The rank of $U(e)$ is equal to the weight of $e$.
Let $B_r$ be the $r \times n$ submatrix of $B$ with $b_1, \ldots, b_r$ as rows. $b_1, \ldots, b_n$ is called an MDS basis and $B$ an MDS matrix if all $t \times t$ submatrices of $B_t$ have rank $t$ for all $t = 1, \ldots, n$. Let $C_t$ be the code with $B_t$ as parity check matrix.
Proposition. $B$ is an MDS matrix if and only if $C_t$ is an $[n, n-t, t+1]$ code for all $t$.
MDS bases are known to exist if $n \le q$. Let $x = (x_1, \ldots, x_n)$ be $n$ mutually distinct elements of $\mathbb{F}_q$. Define $b_i = (x_1^{i-1}, \ldots, x_n^{i-1})$. Then $b_1, \ldots, b_n$ with matrix $B(x)$ are MDS and are called a Vandermonde basis and matrix, respectively. If $\alpha \in \mathbb{F}_q^*$ is an element of order $n$ and $x_j = \alpha^{j-1}$, then we get a Reed-Solomon (RS) basis and matrix with $b_i * b_j = b_{i+j-1}$ and $u_{ij}(e) = u_{i+j-1}(e)$ (indices taken modulo $n$).
Proposition. Suppose that $B$ is an MDS matrix. Let $U_{u,v}(e)$ be the $u \times v$ submatrix of $U(e)$ consisting of the first $u$ rows and $v$ columns. Then
$$\operatorname{rank}(U_{n,v}(e)) = \begin{cases} v & \text{if } v \le \mathrm{wt}(e), \\ \mathrm{wt}(e) & \text{if } v > \mathrm{wt}(e). \end{cases}$$
Let $C$ be an $\mathbb{F}_q$-linear code of length $n$, dimension $k$, minimum distance $d$ and redundancy $r = n - k$. Choose a parity check matrix $H$ of $C$. Let $h_1, \ldots, h_r$ be the rows of $H$. There are constants $a_{ij} \in \mathbb{F}_q$ such that $h_i = \sum_{j=1}^{n} a_{ij} b_j$. Let $A$ be the $r \times n$ matrix with entries $a_{ij}$. Then $H = AB$.
Let $y = c + e$ be a received word with $c \in C$ a codeword and $e$ an error vector. The syndromes of $y$ and $e$ with respect to $H$ are equal and known: $s_i(y) := h_i \cdot y = h_i \cdot e = s_i(e)$. Expressed in the unknown syndromes of $e$ with respect to $B$: $s_i(y) = \sum_{j=1}^{n} a_{ij} u_j(e)$.
The system $E(y)$ of equations in the variables $U_1, \ldots, U_n$:
$$\sum_{l=1}^{n} a_{jl} U_l = s_j(y) \qquad \text{for } j = 1, \ldots, r.$$
It consists of $r = n - k$ independent linear equations in $n$ variables.
Let $U_{ij} = \sum_{l=1}^{n} \mu_{ijl} U_l$. The system $E(t)$ in the variables $U_1, \ldots, U_n$ and $V_1, \ldots, V_t$:
$$\sum_{j=1}^{t} U_{ij} V_j = U_{i,t+1} \qquad \text{for } i = 1, \ldots, n.$$
It consists of $n$ quadratic equations in $n + t$ variables.
The system of equations E(t, y) is the union of E(t) and E(y). It consists of n − k linear equations in n variables and n quadratic equations in n + t variables. The linear equations are independent and used to eliminate n − k variables. Thus we get a system of n quadratic equations in k + t variables.
Linear equations: $\sum_{l=1}^{n} a_{jl} U_l = s_j(y)$ for $j = 1, \ldots, r$.
Quadratic equations in matrix form with $B$ Reed-Solomon, so $U_{ij} = U_{i+j-1}$ with indices taken modulo $n$:
$$\begin{pmatrix} U_1 & U_2 & \cdots & U_t \\ U_2 & U_3 & \cdots & U_{t+1} \\ \vdots & \vdots & \ddots & \vdots \\ U_t & U_{t+1} & \cdots & U_{2t-1} \\ U_{t+1} & U_{t+2} & \cdots & U_{2t} \\ \vdots & \vdots & \ddots & \vdots \\ U_n & U_1 & \cdots & U_{t-1} \end{pmatrix} \begin{pmatrix} V_1 \\ V_2 \\ \vdots \\ V_t \end{pmatrix} = \begin{pmatrix} U_{t+1} \\ U_{t+2} \\ \vdots \\ U_{2t} \\ U_{2t+1} \\ \vdots \\ U_t \end{pmatrix}$$
Special case of a cyclic code with defining set $\{1, 2, \ldots, 2t\}$: $U_j = s_j(y)$ for $j = 1, \ldots, 2t$. Quadratic equations in matrix form with $B$ Reed-Solomon:
$$\begin{pmatrix} s_1 & s_2 & \cdots & s_t \\ s_2 & s_3 & \cdots & s_{t+1} \\ \vdots & \vdots & \ddots & \vdots \\ s_t & s_{t+1} & \cdots & s_{2t-1} \\ s_{t+1} & s_{t+2} & \cdots & s_{2t} \\ s_{t+2} & s_{t+3} & \cdots & U_{2t+1} \\ \vdots & \vdots & \ddots & \vdots \\ U_n & s_1 & \cdots & s_{t-1} \end{pmatrix} \begin{pmatrix} V_1 \\ V_2 \\ \vdots \\ V_t \end{pmatrix} = \begin{pmatrix} s_{t+1} \\ s_{t+2} \\ \vdots \\ s_{2t} \\ U_{2t+1} \\ U_{2t+2} \\ \vdots \\ s_t \end{pmatrix}$$
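The Reed-Solomon-basis decoder sketched by the last two slides, as an added example that is not code from the talk or from Err.lib: it works over GF(7) with α = 3 of order n = 6 and the [6,2,5] cyclic code with defining set {1,2,3,4}, so T = 2 errors are correctable. With the Vandermonde definition b_i = (x_1^{i-1}, ..., x_n^{i-1}) from the slides one has u_{i+1}(e) = s_i(y), so the rows of E(t) whose coefficients are all known are rows 2..t+1 (the Peterson-Gorenstein-Zierler system); their solution V lets the remaining identities fill in the unknown syndromes, after which e^T = B^{-1} u(e), and the smallest t that succeeds is wt(e), as in the Theorem. All names and the sample words are the example's own.

```python
# Added example (not from the talk or Err.lib): unknown-syndrome decoding with a
# Reed-Solomon basis over GF(7); alpha = 3 has order n = 6, code [6,2,5], defining set {1..4}.
P, N, ALPHA, T = 7, 6, 3, 2

def solve_mod_p(A, b):
    """Gauss-Jordan over GF(P): a solution of A x = b (free variables 0), or None."""
    m = [row[:] + [bi] for row, bi in zip(A, b)]
    cols, r, pivots = len(A[0]), 0, []
    for c in range(cols):
        pr = next((i for i in range(r, len(m)) if m[i][c]), None)
        if pr is None: continue
        m[r], m[pr] = m[pr], m[r]
        inv = pow(m[r][c], P - 2, P)                  # Fermat inverse, P prime
        m[r] = [v * inv % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [(vi - m[i][c] * vr) % P for vi, vr in zip(m[i], m[r])]
        pivots.append(c); r += 1
    if any(row[-1] for row in m[r:]):                 # a row reads 0 = nonzero
        return None
    x = [0] * cols
    for i, c in enumerate(pivots): x[c] = m[i][-1]
    return x

# RS basis b_i = (x_1^{i-1}, ..., x_n^{i-1}) with x_j = alpha^{j-1}: b_i * b_j = b_{i+j-1}
# (indices mod n) and u_i(e) = b_i . e = e(alpha^{i-1}), so s_i = y(alpha^i) = u_{i+1}(e).
B = [[pow(ALPHA, (i - 1) * (j - 1) % N, P) for j in range(1, N + 1)] for i in range(1, N + 1)]

def e_t_rows(u, t, rows):
    """Rows i of E(t): sum_j U_{ij} V_j = U_{i,t+1} with U_{ij} = u_{i+j-1}; u is 0-based."""
    A = [[u[(i + j - 2) % N] for j in range(1, t + 1)] for i in rows]
    return A, [u[(i + t - 1) % N] for i in rows]

def decode(y):
    """Returns (codeword, error) for at most T errors, else None."""
    u = [None] * N                                    # unknown syndromes u_1..u_n
    for i in range(1, 2 * T + 1):                     # known part: u_{i+1} = s_i(y)
        u[i] = sum(yj * pow(ALPHA, i * j % N, P) for j, yj in enumerate(y)) % P
    for t in range(1, T + 1):                         # smallest t with a solution is wt(e)
        v = solve_mod_p(*e_t_rows(u, t, range(2, t + 2)))  # rows with only known U's
        if v is None: continue
        w, ok = u[:], True
        for i in range(t + 2, N - t + 2):             # row i of E(t) yields u_{i+t}
            val = sum(vj * w[(i + j - 2) % N] for j, vj in enumerate(v, 1)) % P
            k = (i + t - 1) % N
            ok, w[k] = ok and w[k] in (None, val), val   # must agree with known syndromes
        e = solve_mod_p(B, w) if ok else None         # e^T = B^{-1} u(e)
        if e is not None and sum(map(bool, e)) <= t:
            return [(yj - ej) % P for yj, ej in zip(y, e)], e
    return None
```

The codeword (4,2,3,6,1,0) is a multiple of the generator polynomial of the defining set {1,2,3,4}; corrupting it in two positions and calling decode recovers it together with the error vector.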
Theorem. Let $B$ be an MDS matrix with structure constants $\mu_{ijl}$. Let $H$ be a parity check matrix of the code $C$ such that $H = AB$. Let $y = c + e$ be a received word with $c \in C$ the codeword sent and $e$ the error vector. Suppose that the weight of $e$ is not zero and at most $(d-1)/2$. Let $t$ be the smallest positive integer such that $E(t, y)$ has a solution $(u, v)$ over some extension $\mathbb{F}_{q^m}$ of $\mathbb{F}_q$. Then $\mathrm{wt}(e) = t$ and the solution is unique, satisfying $u = u(e)$.
Let $J(t, y)$ be the ideal generated by $E(t, y)$. Let $0 < \mathrm{wt}(e) \le (d-1)/2$ and let $(u, v)$ be the unique solution of $E(t, y)$. Then $J(t, y)$ has multiplicity one and the Gröbner basis of $J(t, y)$ is $U_i - u_i$, $i = 1, \ldots, n$, $V_j - v_j$, $j = 1, \ldots, t$.
Experiments were done on an AMD Opteron Processor 242 (1.6MHz), 8GB RAM under Linux. The computations of Gröbner bases were realized in SINGULAR 3-0-1. Download the SINGULAR library Err.lib to experiment. Also MAGMA was used.
Code
[25,11,4] 1 2.99 1.10 300 0.0037
[25,11,5] 2 21.58 2.89 300 0.0096
[25,8,5] 2 0.99 1.84 300 0.0061
[25,8,6] 2 3.38 1.79 300 0.0060
[25,8,7] 3 12.26 6.94 300 0.0231
[31,15] 2
300 0.0359
[31,15] 3
10 1.119
Results table for the codes [120,40], [120,30], [120,20], [120,10] and [150,10]; the body of the table did not survive extraction.
very much on how well the MDS matrix B matches the code C.
n quadratic equations in k + t variables.