Decoding error-correcting codes with Gröbner bases
Ruud Pellikaan, joint work with Stanislav Bulygin
EMS Joint Math Weekend, March 1, 2008
Department of Mathematics and Computer Science
Outline
• Introduction, motivation
• Cyclic codes
• Gröbner bases
• Unknown syndromes and MDS bases
• Decoding up to half the minimum distance
• Simulations and experimental results
• Conclusion
Motivation
• Nearest neighbor decoding is NP-hard (Berlekamp-McEliece-Van Tilborg).
• Decoding up to half the designed minimum distance has polynomial complexity for BCH, Goppa, Reed-Solomon and algebraic geometry codes.
• Question: Is decoding up to half the (true) minimum distance of polynomial complexity?
• The McEliece-Niederreiter cryptosystem assumes the answer is no.
• Application of Gröbner basis theory to coding theory.
$\mathbb{F}_q$ is the finite field with $q = p^e$ elements, $p$ a prime. A subspace of $\mathbb{F}_q^n$ of dimension $k$ is a linear code over $\mathbb{F}_q$ of length $n$ and dimension $k$. The weight of $y \in \mathbb{F}_q^n$ is $\mathrm{wt}(y) = |\{ i : y_i \neq 0 \}|$.
The minimum distance $d$ of a linear code $C$ is $d = \min\{ \mathrm{wt}(c) : 0 \neq c \in C \}$. The parameters of $C$ are denoted by $[n, k, d]$: length $n$, dimension $k$ and minimum distance $d$. The redundancy is $r = n - k$. The error-correcting capacity is $\lfloor (d-1)/2 \rfloor$.
The code $C$ can be constructed via a generator matrix $G$, which is any $k \times n$ matrix whose rows form a basis of $C$. Alternatively, one can see $C$ as the null-space of an $(n-k) \times n$ parity-check matrix $H$, so $c \in C \Leftrightarrow H c^T = 0$.
The code $C$ is cyclic if $(c_{n-1}, c_0, \dots, c_{n-2})$ is in $C$ for every codeword $c = (c_0, \dots, c_{n-1})$ in $C$. The word $(c_0, \dots, c_{n-1})$ is represented by the polynomial
$$c(x) = \sum_{i=0}^{n-1} c_i x^i \quad \text{with } x^n = 1.$$
So $c(x)$ is an element of the factor ring $\mathbb{F}_q[x]/\langle x^n - 1 \rangle$. Cyclic codes over $\mathbb{F}_q$ of length $n$ correspond one-to-one to ideals in this factor ring.
Assume $(q, n) = 1$. Let $F = \mathbb{F}_{q^m}$ be the splitting field of $X^n - 1$ over $\mathbb{F}_q$. Then $F$ has a primitive $n$-th root of unity, denoted by $a$. Let $I$ be a subset of $\mathbb{Z}_n$. The cyclic code with defining set $I$ is given by: $c(x) \in C$ if $c(a^i) = 0$ for all $i \in I$. The complete defining set of $C$ is the set of all $i \in \mathbb{Z}_n$ such that $c(a^i) = 0$ for all $c(x) \in C$. If $c(a^i) = 0$, then $c(a^{qi}) = (c(a^i))^q = 0$.
If $i$ is in a defining set of $C$, then
$$(1, a^i, \dots, a^{(n-1)i})\, c^T = c_0 + c_1 a^i + \cdots + c_{n-1} a^{(n-1)i} = c(a^i) = 0.$$
Hence $(1, a^i, \dots, a^{(n-1)i})$ is a parity check of $C$. Let $\{ i_1, \dots, i_r \}$ be a defining set of $C$. Then
$$H = \begin{pmatrix} 1 & a^{i_1} & a^{2 i_1} & \cdots & a^{(n-1) i_1} \\ 1 & a^{i_2} & a^{2 i_2} & \cdots & a^{(n-1) i_2} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & a^{i_r} & a^{2 i_r} & \cdots & a^{(n-1) i_r} \end{pmatrix}$$
is a parity check matrix of $C$.
Let $y(x) = c(x) + e(x)$, with $c(x)$ the transmitted codeword, $y(x)$ the received word and $e(x)$ the error vector. Then $s$ is the syndrome vector
$$s^T := H y^T = H(c^T + e^T) = H c^T + H e^T = H e^T, \quad \text{since } H c^T = 0.$$
Define $s_i = y(a^i)$ for all $i = 1, \dots, n$. The vector $s = y H^T$ has entries $(s_{i_1}, \dots, s_{i_r})$. Then $s_i = e(a^i)$ for all $i$ in the complete defining set. These $s_i$ are called the known syndromes. The remaining $s_i$ are called the unknown syndromes.
If the error vector is of weight $t$, then
$$e = (0, \dots, 0, e_{j_1}, 0, \dots, 0, e_{j_l}, 0, \dots, 0, e_{j_t}, 0, \dots, 0),$$
where $1 \le j_1 < \cdots < j_t \le n$ and $e_j \neq 0$ if and only if $j \in \{ j_1, \dots, j_t \}$. The error locations are $z_1 = a^{j_1}, \dots, z_t = a^{j_t}$.
The error-locator polynomial is
$$\sigma(Z) = \prod_{l=1}^{t} (Z - z_l).$$
Expanded,
$$\sigma(Z) = Z^t + \sigma_1 Z^{t-1} + \cdots + \sigma_{t-1} Z + \sigma_t.$$
The coefficients $\sigma_i$ are the elementary symmetric functions in the error locations $z_1, \dots, z_t$:
$$\sigma_i = (-1)^i \sum_{1 \le j_1 < j_2 < \cdots < j_i \le t} z_{j_1} z_{j_2} \cdots z_{j_i}, \quad 1 \le i \le t.$$
The generalized Newton identities
$$s_i + \sigma_1 s_{i-1} + \cdots + \sigma_t s_{i-t} = 0$$
hold for all $i$. Suppose that the defining set of the cyclic code contains the $2t$ consecutive elements $1, 2, \dots, 2t$. Algorithm by Peterson, Arimoto and Gorenstein-Zierler: the identities
$$s_i + \sigma_1 s_{i-1} + \cdots + \sigma_t s_{i-t} = 0, \quad i = t+1, \dots, 2t,$$
are $t$ linear equations in the variables $\sigma_1, \dots, \sigma_t$ with the known syndromes $s_1, \dots, s_{2t}$ as coefficients.
Generalized Newton identities in matrix form:
$$\begin{pmatrix} s_1 & s_2 & \cdots & s_t \\ s_2 & s_3 & \cdots & s_{t+1} \\ \vdots & \vdots & \ddots & \vdots \\ s_t & s_{t+1} & \cdots & s_{2t-1} \end{pmatrix} \begin{pmatrix} \sigma_t \\ \sigma_{t-1} \\ \vdots \\ \sigma_1 \end{pmatrix} + \begin{pmatrix} s_{t+1} \\ s_{t+2} \\ \vdots \\ s_{2t} \end{pmatrix} = 0.$$
Here $s_1, s_2, \dots, s_{2t}$ are known and $\sigma_1, \sigma_2, \dots, \sigma_t$ are variables.
Gaussian elimination solves this system of linear equations with complexity $O(n^3)$. This was improved by the algorithm of Berlekamp-Massey and by a variant of the Euclidean algorithm due to Sugiyama et al. Both algorithms are more efficient and essentially equivalent, but they decode only up to the BCH error-correcting capacity, which is often strictly smaller than the true error-correcting capacity.
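As an added example (not from the slides), the Peterson-Gorenstein-Zierler step of the two previous slides in Python for a Reed-Solomon code over GF(16) with defining set {1, 2, 3, 4}, so t = 2: the known syndromes are computed from a constructed received word, the t linear equations in σ_1, …, σ_t are solved by Gaussian elimination over the field, and the roots of σ(Z) give the error locations. The field representation, the codeword and the two error positions are assumptions of the example; the solver works for general t provided exactly t errors occurred (otherwise the syndrome matrix is singular).

```python
# GF(16) = F_2[x]/(x^4 + x + 1); a = x is a primitive 15th root of unity.
EXP, LOG, v = [0] * 30, [0] * 16, 1
for i in range(15):
    EXP[i], LOG[v] = v, i
    v = (v << 1) ^ (0x13 if v & 8 else 0)
EXP[15:] = EXP[:15]                    # EXP[LOG[x] + LOG[y]] then never overflows

def mul(x, y):
    return 0 if x == 0 or y == 0 else EXP[LOG[x] + LOG[y]]

def evaluate(p, x):                    # p(x) for an ascending coefficient list p (Horner's rule)
    acc = 0
    for coef in reversed(p):
        acc = mul(acc, x) ^ coef
    return acc

def solve(A, b):
    """Gauss-Jordan elimination over GF(16); A is t x t and assumed invertible."""
    t = len(A)
    M = [row + [bi] for row, bi in zip(A, b)]
    for c in range(t):
        p = next(r for r in range(c, t) if M[r][c])
        M[c], M[p] = M[p], M[c]
        f = EXP[(15 - LOG[M[c][c]]) % 15]   # inverse of the pivot
        M[c] = [mul(f, u) for u in M[c]]
        for r in range(t):
            if r != c and M[r][c]:
                M[r] = [u ^ mul(M[r][c], w) for u, w in zip(M[r], M[c])]
    return [row[t] for row in M]

def pgz_locate(y, t):
    """Error positions j (0-based) with z = a^j a root of sigma(Z); assumes exactly t errors."""
    s = [evaluate(y, EXP[i]) for i in range(1, 2 * t + 1)]   # known syndromes s_1 .. s_2t
    # rows i = t+1 .. 2t of  s_i + sigma_1 s_{i-1} + ... + sigma_t s_{i-t} = 0  (char 2: -s_i = s_i)
    A = [[s[i - 1 - k] for k in range(1, t + 1)] for i in range(t + 1, 2 * t + 1)]
    b = [s[i - 1] for i in range(t + 1, 2 * t + 1)]
    sigma = [1] + solve(A, b)              # sigma(Z) = Z^t + sigma_1 Z^(t-1) + ... + sigma_t
    return [j for j in range(15) if evaluate(sigma[::-1], EXP[j]) == 0]

def codeword():
    """g(x) = prod_{i=1..4} (x + a^i): a codeword of the [15, 11, 5] code with defining set {1, 2, 3, 4}."""
    g = [1]
    for i in range(1, 5):
        g = [u ^ mul(EXP[i], w) for u, w in zip([0] + g, g + [0])]   # g(x) *= (x + a^i)
    return g + [0] * (15 - len(g))

def demo():
    y = codeword()                          # constructed received word: codeword plus two errors
    y[2], y[11] = y[2] ^ EXP[7], y[11] ^ EXP[3]
    return pgz_locate(y, 2)
```

Running `demo()` returns the positions `[2, 11]`; once the locations are known, the error values follow from the first t syndromes by another linear solve, which the example leaves out.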
Gröbner basis techniques have been proposed to remedy this problem. These methods can be divided into the following categories:
- Unknown syndromes, by Berlekamp, Tzeng-Hartmann-Chien and Augot-Charpin-Sendrier
- Power sums, by Cooper, Chen-Reed-Helleseth-Truong and Orsini-Sala
Our method is a generalization of the first one.
Generalized Newton identities with unknown syndromes:
$$s_i + \sigma_1 s_{i-1} + \cdots + \sigma_t s_{i-t} = 0, \quad i = 1, \dots, n.$$
Here $\sigma_1, \sigma_2, \dots, \sigma_t$ are variables, $s_i$ is known for $i$ in the complete defining set, and the remaining $s_i$ are unknown and are also treated as variables. This is a set of $n$ quadratic equations in $k + t$ variables.
The theory of Gröbner bases is about solving systems of polynomial equations in several variables with coefficients in a field. It is a common generalization of
• linear algebra: linear systems of equations in several variables,
• the Euclidean algorithm: polynomial equations of arbitrary degree in one variable.
The polynomial equations are linearized by treating the monomials as new variables. The number of variables grows exponentially in the degree of the polynomials. The complexity of computing a Gröbner basis is doubly exponential in general, and exponential in our case of a finite set of solutions. The complexity of our algorithm is exponential. The complexity coefficient is measured under the assumption that the over-determined system of quadratic equations is semi-regular, using the results of Bardet et al. applied to the algorithm F5 of Faugère.
Let $b_1, \dots, b_n$ be a basis of $\mathbb{F}_q^n$ and let $B$ be the $n \times n$ matrix with $b_1, \dots, b_n$ as rows. The (unknown) syndrome of a word $e$ with respect to $B$ is the column vector
$$u(e) = u(B, e) = B e^T,$$
with entries $u_i(e) = u_i(B, e) = b_i \cdot e$ for $i = 1, \dots, n$. The matrix $B$ is invertible, so the syndrome $u(B, e)$ determines the error vector $e$ uniquely:
$$B^{-1} u(B, e) = B^{-1} B e^T = e^T.$$
The coordinatewise star product of $x, y \in \mathbb{F}_q^n$ is $x * y = (x_1 y_1, \dots, x_n y_n)$. Then $b_i * b_j$ is a linear combination of the basis $b_1, \dots, b_n$: there are structure constants $\mu_{ijl} \in \mathbb{F}_q$ such that
$$b_i * b_j = \sum_{l=1}^{n} \mu_{ijl} b_l.$$
$U(e)$ is the $n \times n$ matrix of (unknown) syndromes of a word $e$ with entries $u_{ij}(e) = (b_i * b_j) \cdot e$. The entries of $U(e)$ and $u(e)$ are related by
$$u_{ij}(e) = \sum_{l=1}^{n} \mu_{ijl} u_l(e).$$
Lemma. The rank of $U(e)$ is equal to the weight of $e$.
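As an added example (not from the slides), the objects of the last three slides in Python over the prime field F_3 (an assumption of the example: taking q = p prime keeps the arithmetic to integers mod p): a constructed invertible basis B of F_3^4 given by its rows, the syndrome vector u(B, e) = B e^T, the matrix U(e) built from star products of basis rows, and a rank computation over F_p that confirms the lemma rank U(e) = wt(e) on sample error vectors.

```python
# Prime field F_p, here p = 3 (assumption of the example: q = p prime).
P = 3

def star(x, y):
    """Coordinatewise star product x * y = (x_1 y_1, ..., x_n y_n)."""
    return [(xi * yi) % P for xi, yi in zip(x, y)]

def dot(x, y):
    return sum(xi * yi for xi, yi in zip(x, y)) % P

def syndrome_vector(B, e):
    """u(B, e) = B e^T, i.e. u_i(e) = b_i . e for the rows b_i of B."""
    return [dot(bi, e) for bi in B]

def syndrome_matrix(B, e):
    """U(e): the n x n matrix with entries u_ij(e) = (b_i * b_j) . e."""
    return [[dot(star(bi, bj), e) for bj in B] for bi in B]

def rank_mod_p(M):
    """Rank of M over F_p by Gauss-Jordan elimination."""
    M = [row[:] for row in M]
    rank = 0
    for c in range(len(M[0])):
        piv = next((r for r in range(rank, len(M)) if M[r][c]), None)
        if piv is None:
            continue                               # column already cleared: no new pivot
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c], P - 2, P)            # inverse of the pivot (Fermat)
        M[rank] = [(inv * x) % P for x in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][c]:
                M[r] = [(x - M[r][c] * y) % P for x, y in zip(M[r], M[rank])]
        rank += 1
    return rank

def weight(e):
    return sum(1 for x in e if x % P)

# Constructed basis of F_3^4 (rows b_1, ..., b_4); rank 4 == n confirms it is invertible.
B = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [1, 0, 0, 2]]

def check_lemma(e):
    """Return (rank of U(e), wt(e)); the lemma says the two agree for every e."""
    return rank_mod_p(syndrome_matrix(B, e)), weight(e)
```

For instance `check_lemma([0, 2, 0, 1])` returns `(2, 2)`, and the all-zero word gives `(0, 0)`.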