Jet list decoding D. J. Bernstein University of Illinois at Chicago - PDF document

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF 1018836 NIST 60NANB10D263 No thanks to: IEEE violating IEEE policies and forcing authors to take papers offline; see cr.yp.to/writing/ieee.html

Decoding The ✔ ✇ -error decoding problem for a linear code ❈ ✒ F ♥ q : ✎ Output: ❝ ✷ ❈ . ✎ Input: ✈ ✷ F ♥ q with ❥ ✈ � ❝ ❥ ✔ ✇ . Note that output is unique if ✇ ❁ 1 2 min ❢❥ ❝ ❥ : ❝ ✷ ❈ � ❢ 0 ❣❣ . Notation: ❥ ✈ ❥ = # ❢ ✐ : ✈ ✐ ✻ = 0 ❣ = Hamming weight of ✈ ; e.g. ❥ ✈ � ❝ ❥ = # ❢ ✐ : ✈ ✐ ✻ = ❝ ✐ ❣ = Hamming distance from ✈ to ❝ .

Reed–Solomon decoding Choose integer t ✕ 0, integer ♥ ✕ t , prime power q ✕ ♥ , distinct ❛ 1 ❀ ✿ ✿ ✿ ❀ ❛ ♥ ✷ F q . Define ❈ ✒ F ♥ q as the code ✟ ✠ ev ❢ : ❢ ✷ F q [ ① ] ❀ deg ❢ ❁ ♥ � t where ev ❢ = ( ❢ ( ❛ 1 ) ❀ ✿ ✿ ✿ ❀ ❢ ( ❛ ♥ )). min ❢❥ ❝ ❥ : ❝ ✷ ❈ � ❢ 0 ❣❣ = t + 1. Exception: ✶ if t = ♥ . 1960 Peterson in some cases, 1961 Gorenstein–Zierler in more, 1965 Forney in general: ✔❜ t❂ 2 ❝ -error decoding for ❈ takes time ♥ ❖ (1) if q ✷ ♥ ❖ (1) .

Big research direction #1: Decode faster. 1968 Berlekamp: ✔❜ t❂ 2 ❝ -error decoding for ❈ costs ❖ ( ♥t ) operations in F q plus root-finding in F q . Time ♥ 2+ ♦ (1) for typical t❀ q . 1976 Justesen, independently 1977 Sarwate: Faster algorithm for large ♥ , ♥ (lg ♥ ) 2+ ♦ (1) instead of ❖ ( ♥t ). Time ♥ 1+ ♦ (1) for typical t❀ q . Extensive literature on further speedups.

Decoding more codes Big research direction #2: Modify ❈ to expand and improve tradeoffs between q , ♥ , # ❈ , ✇ . e.g. Replace ❈ ✒ F ♥ q , q = 2 ♠ , with F 2 -subfield subcode F ♥ 2 ❭ ❈ . # ❈ = q ♥ � t ✮ #( F ♥ 2 ❭ ❈ ) ✕ 2 ♥ � ♠t . Any ✔ ✇ -error decoder for ❈ also works for F ♥ 2 ❭ ❈ . Can take F ♥ 2 ❭ ❈ where ❈ is RS, but better to twist carefully. Obtain classical F 2 Goppa codes decoding twice as many errors. Better for large ♥ : AG codes.

List decoding Big research direction #3: Decode more errors for same ❈ . Maybe output ❝ isn’t unique. Decoding problem asks for some ❝ with ❥ ✈ � ❝ ❥ ✔ ✇ . List-decoding problem asks for all ❝ with ❥ ✈ � ❝ ❥ ✔ ✇ . Trivial approach: Brute force. e.g. guess ✇ � ❜ t❂ 2 ❝ errors and use any ✔ ❜ t❂ 2 ❝ -error decoder. (For list decoding, use a covering set of guesses.) Very slow for large ✇ � ❜ t❂ 2 ❝ .

Reed–Solomon list decoding 1996 Sudan for smaller ✇ , 1998 Guruswami–Sudan in general: ♣ If ✇ ❁ ♥ � ♥ ( ♥ � t � 1) then ✔ ✇ -error list decoding for ❈ = ✟ ✠ ev ❢ : ❢ ✷ F q [ ① ] ❀ deg ❢ ❁ ♥ � t takes time ♥ ❖ (1) if q ✷ ♥ ❖ (1) .

Reed–Solomon list decoding 1996 Sudan for smaller ✇ , 1998 Guruswami–Sudan in general: ♣ If ✇ ❁ ♥ � ♥ ( ♥ � t � 1) then ✔ ✇ -error list decoding for ❈ = ✟ ✠ ev ❢ : ❢ ✷ F q [ ① ] ❀ deg ❢ ❁ ♥ � t takes time ♥ ❖ (1) if q ✷ ♥ ❖ (1) . 2001 Koetter–Vardy: Assume q = 2 ♠ ; write ♥ ✵ = ♥❂ 2. If ✇ ❁ ♥ ✵ � ♥ ✵ ( ♥ ✵ � t � 1) then ♣ ✔ ✇ -error list decoding for F ♥ 2 ❭ ❈ takes time ♥ ❖ (1) if q ✷ ♥ ❖ (1) . ♥ ( ♥ � t � 1) ✙ t❂ 2 + t 2 ❂ 8 ♥ . ♣ ♥ � ♥ ✵ � ♥ ✵ ( ♥ ✵ � t � 1) ✙ t❂ 2+ t 2 ❂ 4 ♥ . ♣

Guruswami–Sudan cost analysis: ❖ ( ♥ 3 ❵ 6 ) operations in F q where ❵ is an algorithm parameter. Extensive literature on speedups and adaptations to more codes. Critical Howgrave-Graham idea, with state-of-the-art subroutines: ♥ 1+ ♦ (1) ❦ 1+ ♦ (1) ❵ ❁ 3 where ❦ is another parameter; ❦ ❁ ❵ . For Howgrave-Graham analysis see 2010 Cohn–Heninger (which also adapts to AG etc.), 2011 Bernstein “simplelist” (combining with Koetter–Vardy).

What are these parameters ❦❀ ❵ ? Obviously critical for speed. Why not take ❦❀ ❵ to be small? Answer: Decreasing ❦❀ ❵ forces gap between ✇ and its limit. Almost all list-decoding methods have essentially the same gap.

What are these parameters ❦❀ ❵ ? Obviously critical for speed. Why not take ❦❀ ❵ to be small? Answer: Decreasing ❦❀ ❵ forces gap between ✇ and its limit. Almost all list-decoding methods have essentially the same gap. But not all! Much better ❦❀ ❵❀ ✇ tradeoff in “rational” list-decoding methods: 2007 Wu “New list decoding”; 2008 Bernstein “goppalist”; 2011 Bernstein “jetlist”.

Jets The set of 1-jets over R is the quotient ring R [ ✎ ] ❂✎ 2 . Analogous to the set of complex numbers C = R [ ✐ ] ❂ ( ✐ 2 + 1), but ✎ 2 = 0 while ✐ 2 = � 1. Multiplication of jets: ( ❛ + ❜✎ )( ❝ + ❞✎ ) = ❛❝ + ( ❛❞ + ❜❝ ) ✎ . Typical construction of a jet: differentiable ❢ : R ✦ R induces jet ❢ ( ① + ✎ ) = ❢ ( ① ) + ❢ ✵ ( ① ) ✎ for each ① ✷ R . e.g. sin( ① + ✎ ) = sin ① + (cos ① ) ✎ .

Recap for late sleepers 50 years ago: Polynomial-time decoding of ✔ ❜ t❂ 2 ❝ errors in length- ♥ Reed–Solomon code ✟ ✠ ev ❢ : ❢ ✷ F q [ ① ] ❀ deg ❢ ❁ ♥ � t . Big research directions since then: 3. Decode more errors. Output might not be unique: have list of possible codewords. 2. Improve choice of code: classical Goppa codes, AG, et al. 1. Decode faster.

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ?

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (3 ❀ 3) Z

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (3 ❀ 3) Z = ( � 4 ❀ 4) Z + (3 ❀ 3) Z .

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (3 ❀ 3) Z = ( � 4 ❀ 4) Z + (3 ❀ 3) Z . ( � 4 ❀ 4) ❀ (3 ❀ 3) are orthogonal. Shortest vectors in ▲ are (0 ❀ 0), (3 ❀ 3), ( � 3 ❀ � 3).

� � ✎ ✎

� � ✎ ✎ ✎

� � ✎ ✎ ✎ ✎

� � ✎ ✎ ✎ ✎ ✎

� � ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ?

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (1 ❀ 17) Z

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (3 ❀ 1) Z .

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (3 ❀ 1) Z . Nearly orthogonal. Shortest vectors in ▲ are (0 ❀ 0), (3 ❀ 1), ( � 3 ❀ � 1).

� � ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ?

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 101000) ❘ + (1 ❀ 10011) ❘