Jet list decoding D. J. Bernstein University of Illinois at Chicago - - PDF document

Jet list decoding

• D. J. Bernstein

University of Illinois at Chicago Thanks to: NSF 1018836 NIST 60NANB10D263 No thanks to: IEEE violating IEEE policies and forcing authors to take papers offline; see cr.yp.to/writing/ieee.html

Decoding The ✔✇-error decoding problem for a linear code ❈ ✒ F♥

q :

✎ Output: ❝ ✷ ❈. ✎ Input: ✈ ✷ F♥

q with ❥✈ ❝❥ ✔ ✇.

Note that output is unique if ✇ ❁ 1

2 min❢❥❝❥ : ❝ ✷ ❈ ❢0❣❣.

Notation: ❥✈❥ = #❢✐ : ✈✐ ✻= 0❣ = Hamming weight of ✈; e.g. ❥✈ ❝❥ = #❢✐ : ✈✐ ✻= ❝✐❣ = Hamming distance from ✈ to ❝.

Reed–Solomon decoding Choose integer t ✕ 0, integer ♥ ✕ t, prime power q ✕ ♥, distinct ❛1❀ ✿ ✿ ✿ ❀ ❛♥ ✷ Fq. Define ❈ ✒ F♥

q as the code

✟ ev ❢ : ❢ ✷ Fq[①]❀ deg ❢ ❁ ♥ t ✠ where ev ❢ = (❢(❛1)❀ ✿ ✿ ✿ ❀ ❢(❛♥)). min❢❥❝❥ : ❝ ✷ ❈ ❢0❣❣ = t + 1. Exception: ✶ if t = ♥. 1960 Peterson in some cases, 1961 Gorenstein–Zierler in more, 1965 Forney in general: ✔❜t❂2❝-error decoding for ❈ takes time ♥❖(1) if q ✷ ♥❖(1).

Big research direction #1: Decode faster. 1968 Berlekamp: ✔❜t❂2❝-error decoding for ❈ costs ❖(♥t) operations in Fq plus root-finding in Fq. Time ♥2+♦(1) for typical t❀ q. 1976 Justesen, independently 1977 Sarwate: Faster algorithm for large ♥, ♥(lg ♥)2+♦(1) instead of ❖(♥t). Time ♥1+♦(1) for typical t❀ q. Extensive literature

• n further speedups.

Decoding more codes Big research direction #2: Modify ❈ to expand and improve tradeoffs between q, ♥, #❈, ✇. e.g. Replace ❈ ✒ F♥

q , q = 2♠,

with F2-subfield subcode F♥

2 ❭ ❈.

#❈=q♥t ✮ #(F♥

2 ❭❈)✕2♥♠t.

Any ✔✇-error decoder for ❈ also works for F♥

2 ❭ ❈.

Can take F♥

2 ❭ ❈ where ❈ is RS,

but better to twist carefully. Obtain classical F2 Goppa codes decoding twice as many errors. Better for large ♥: AG codes.

List decoding Big research direction #3: Decode more errors for same ❈. Maybe output ❝ isn’t unique. Decoding problem asks for some ❝ with ❥✈ ❝❥ ✔ ✇. List-decoding problem asks for all ❝ with ❥✈ ❝❥ ✔ ✇. Trivial approach: Brute force. e.g. guess ✇ ❜t❂2❝ errors and use any ✔ ❜t❂2❝-error decoder. (For list decoding, use a covering set of guesses.) Very slow for large ✇ ❜t❂2❝.

Reed–Solomon list decoding 1996 Sudan for smaller ✇, 1998 Guruswami–Sudan in general: If ✇ ❁ ♥ ♣ ♥(♥ t 1) then ✔✇-error list decoding for ❈ = ✟ ev ❢ : ❢ ✷ Fq[①]❀ deg ❢ ❁ ♥ t ✠ takes time ♥❖(1) if q ✷ ♥❖(1).

Reed–Solomon list decoding 1996 Sudan for smaller ✇, 1998 Guruswami–Sudan in general: If ✇ ❁ ♥ ♣ ♥(♥ t 1) then ✔✇-error list decoding for ❈ = ✟ ev ❢ : ❢ ✷ Fq[①]❀ deg ❢ ❁ ♥ t ✠ takes time ♥❖(1) if q ✷ ♥❖(1). 2001 Koetter–Vardy: Assume q = 2♠; write ♥✵ = ♥❂2. If ✇ ❁ ♥✵ ♣ ♥✵(♥✵ t 1) then ✔✇-error list decoding for F♥

2 ❭ ❈

takes time ♥❖(1) if q ✷ ♥❖(1). ♥ ♣ ♥(♥t1) ✙ t❂2 + t2❂8♥. ♥✵ ♣ ♥✵(♥✵t1) ✙ t❂2+t2❂4♥.

Guruswami–Sudan cost analysis: ❖(♥3❵6) operations in Fq where ❵ is an algorithm parameter. Extensive literature on speedups and adaptations to more codes. Critical Howgrave-Graham idea, with state-of-the-art subroutines: ♥1+♦(1)❦1+♦(1)❵❁3 where ❦ is another parameter; ❦ ❁ ❵. For Howgrave-Graham analysis see 2010 Cohn–Heninger (which also adapts to AG etc.), 2011 Bernstein “simplelist” (combining with Koetter–Vardy).

What are these parameters ❦❀ ❵? Obviously critical for speed. Why not take ❦❀ ❵ to be small? Answer: Decreasing ❦❀ ❵ forces gap between ✇ and its limit. Almost all list-decoding methods have essentially the same gap.

What are these parameters ❦❀ ❵? Obviously critical for speed. Why not take ❦❀ ❵ to be small? Answer: Decreasing ❦❀ ❵ forces gap between ✇ and its limit. Almost all list-decoding methods have essentially the same gap. But not all! Much better ❦❀ ❵❀ ✇ tradeoff in “rational” list-decoding methods: 2007 Wu “New list decoding”; 2008 Bernstein “goppalist”; 2011 Bernstein “jetlist”.

Jets The set of 1-jets over R is the quotient ring R[✎]❂✎2. Analogous to the set of complex numbers C = R[✐]❂(✐2 + 1), but ✎2 = 0 while ✐2 = 1. Multiplication of jets: (❛ + ❜✎)(❝ + ❞✎) = ❛❝ + (❛❞ + ❜❝)✎. Typical construction of a jet: differentiable ❢ : R ✦ R induces jet ❢(① + ✎) = ❢(①) + ❢✵(①)✎ for each ① ✷ R. e.g. sin(① + ✎) = sin ① + (cos ①)✎.

Recap for late sleepers 50 years ago: Polynomial-time decoding of ✔ ❜t❂2❝ errors in length-♥ Reed–Solomon code ✟ ev ❢ : ❢ ✷ Fq[①]❀ deg ❢ ❁ ♥ t ✠ . Big research directions since then:

• 3. Decode more errors.

Output might not be unique: have list of possible codewords.

• 2. Improve choice of code:

classical Goppa codes, AG, et al.

• 1. Decode faster.

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲?

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z = (1❀ 7)Z + (3❀ 3)Z

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z = (1❀ 7)Z + (3❀ 3)Z = (4❀ 4)Z + (3❀ 3)Z.

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z = (1❀ 7)Z + (3❀ 3)Z = (4❀ 4)Z + (3❀ 3)Z. (4❀ 4)❀ (3❀ 3) are orthogonal. Shortest vectors in ▲ are (0❀ 0), (3❀ 3), (3❀ 3).

• ✎

✎

• ✎

✎ ✎

• ✎

✎ ✎ ✎

• ✎

✎ ✎ ✎ ✎

• ✎

✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲?

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z = (1❀ 8)Z + (1❀ 17)Z

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z = (1❀ 8)Z + (1❀ 17)Z = (1❀ 8)Z + (3❀ 1)Z.

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z = (1❀ 8)Z + (1❀ 17)Z = (1❀ 8)Z + (3❀ 1)Z. Nearly orthogonal. Shortest vectors in ▲ are (0❀ 0), (3❀ 1), (3❀ 1).

• ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲?

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (1❀ 10011)❘

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (111❀ 1)❘.

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (111❀ 1)❘. (111❀ 1): shortest nonzero vector. (10❀ 1110): shortest independent vector.

Degree of (q❀ r) ✷ F2[①] ✂ F2[①] is defined as max❢deg q❀ deg r❣. Can use other metrics,

• r equivalently rescale ▲.

e.g. Define ▲ ✒ F2[♣①] ✂ F2[♣①] as (0❀ r0 ♣①)❘ + (1❀ r1 ♣①)❘. Successive generators for ▲: (0❀ 101000♣①), degree 5✿5. (1❀ 10011♣①), degree 4✿5. (10❀ 1110♣①), degree 3✿5. (111❀ 1♣①), degree 2.

Warning: Sometimes shortest independent vector is after shortest nonzero vector. e.g. Define r0 = 101000, r1 = 10111, ▲ = (0❀ r0 ♣①)❘ + (1❀ r1 ♣①)❘. Successive generators for ▲: (0❀ 101000♣①), degree 5✿5. (1❀ 10111♣①), degree 4✿5. (10❀ 110♣①), degree 2✿5. (1101❀ 11♣①), degree 3.

For any r0❀ r1 ✷ ❘ = Fq[①] with deg r0 ❃ deg r1: Euclid/Stevin computation: Define r2 = r0 mod r1, r3 = r1 mod r2, etc. Extended: q0 = 0; q1 = 1; q✐+2 = q✐ ❜r✐❂r✐+1❝ q✐+1. Then q✐r1 ✑ r✐ (mod r0). Lattice view: Have (0❀ r0 ♣①)❘ + (1❀ r1 ♣①)❘ = (q✐❀ r✐ ♣①)❘ + (q✐+1❀ r✐+1 ♣①)❘. Can continue until r✐+1 = 0. gcd❢r0❀ r1❣ = r✐❂ leadcoeff r✐.

Reducing lattice basis for ▲ is a “half gcd” computation, stopping halfway to the gcd. deg r✐ decreases; deg q✐ increases; deg q✐+1 + deg r✐ = deg r0. Say ❥ is minimal with deg r❥ ♣① ✔ (deg r0)❂2. Then deg q❥ ✔ (deg r0)❂2 so deg(q❥❀ r❥ ♣①) ✔ (deg r0)❂2. Shortest nonzero vector. (q❥+✎❀ r❥+✎ ♣①) has degree deg r0 ♣① deg(q❥❀ r❥ ♣①) for some ✎ ✷ ❢1❀ 1❣. Shortest independent vector.

Proof of “shortest”: Take any (q❀ r♣①) in lattice. (q❀ r♣①) = ✉(q❥❀ r❥ ♣①) + ✈(q❥+✎❀ r❥+✎ ♣①) for some ✉❀ ✈ ✷ ❘. q❥r❥+✎ q❥+✎r❥ = ✝r0 so ✈ = ✝(rq❥ qr❥)❂r0 and ✉ = ✝(qr❥+✎ rq❥+✎)❂r0. If deg(q❀ r♣①) ❁ deg(q❥+✎❀ r❥+✎ ♣①) then deg ✈ ❁ 0 so ✈ = 0; i.e., any vector in lattice shorter than (q❥+✎❀ r❥+✎ ♣①) is a multiple of (q❥❀ r❥ ♣①).

Classical binary Goppa codes Parameters determining the code: integers ♥ ✕ 0, ♠ ✕ 1, t ✕ 0; distinct ❛1❀ ✿ ✿ ✿ ❀ ❛♥ ✷ F2♠; monic ❣ ✷ F2♠[①] of degree t with ❣(❛1) ✁ ✁ ✁ ❣(❛♥) ✻= 0. The code: Define Γ ✒ F♥

2

as set of (❝1❀ ✿ ✿ ✿ ❀ ❝♥) with P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣.

lg #Γ ✕ ♥ ♠t. min❢❥❝❥ : ❝ ✷ Γ ❢0❣❣ ✕ t + 1. Better bounds in the BCH case ❣ = ①t and in many other cases.

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Lift P

✐ ✈✐❂(①❛✐) from F2♠[①]❂❣

to s ✷ F2♠[①] with deg s ❁ t. Find shortest nonzero (q❥❀ r❥ ♣①) in the lattice ▲ = (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①].

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Lift P

✐ ✈✐❂(①❛✐) from F2♠[①]❂❣

to s ✷ F2♠[①] with deg s ❁ t. Find shortest nonzero (q❥❀ r❥ ♣①) in the lattice ▲ = (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①]. Fact: If ❥❡❥ ✔ t❂2 then ❊❂❉ = r❥❂q❥ so ❉ is monic denominator of r❥❂q❥.

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Lift P

✐ ✈✐❂(①❛✐) from F2♠[①]❂❣

to s ✷ F2♠[①] with deg s ❁ t. Find shortest nonzero (q❥❀ r❥ ♣①) in the lattice ▲ = (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①]. Fact: If ❥❡❥ ✔ t❂2 then ❊❂❉ = r❥❂q❥ so ❉ is monic denominator of r❥❂q❥. ❡✐ = 0 if ❉(❛✐) ✻= 0. ❡✐ = ❊(❛✐)❂❉✵(❛✐) if ❉(❛✐) = 0.

Why does this work? P

✐ ❡✐❂(① ❛✐) = ❊❂❉ and

P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣

so s = ❊❂❉ in F2♠[①]❂❣ so (❉❀ ❊♣①) ✷ ▲.

Why does this work? P

✐ ❡✐❂(① ❛✐) = ❊❂❉ and

P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣

so s = ❊❂❉ in F2♠[①]❂❣ so (❉❀ ❊♣①) ✷ ▲. (❉❀ ❊♣①) is a short vector: deg(❉❀ ❊♣①) ✔ ❥❡❥ ✔ t❂2 ❁ t + 1❂2 deg(q❥❀ r❥ ♣①).

Why does this work? P

✐ ❡✐❂(① ❛✐) = ❊❂❉ and

P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣

so s = ❊❂❉ in F2♠[①]❂❣ so (❉❀ ❊♣①) ✷ ▲. (❉❀ ❊♣①) is a short vector: deg(❉❀ ❊♣①) ✔ ❥❡❥ ✔ t❂2 ❁ t + 1❂2 deg(q❥❀ r❥ ♣①). Recall “shortest” proof: (❉❀ ❊♣①) ✷ (q❥❀ r❥ ♣①)F2♠[①], so ❊❂❉ = r❥❂q❥. Done! Euclid decoding: 1975 Sugiyama– Kasahara–Hirasawa–Namekawa.

List decoding for these codes What if ❥❡❥ ❃ t❂2? Find shortest nonzero (❉0❀ ❊0 ♣①) and independent (❉1❀ ❊1 ♣①) in (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①], with degrees t❂2 ✍ and t❂2 + 1❂2 + ✍ for some ✍ ✷ ❢0❀ 1❂2❀ 1❀ 3❂2❀ ✿ ✿ ✿❣. Know that (❉❀ ❊♣①) = ✉(❉0❀ ❊0 ♣①) + ✈(❉1❀ ❊1 ♣①); ✈ = ✝(❊❉0 ❉❊0)❂❣ ✷ F2♠[①], ✉ = ✝(❉❊1 ❊❉1)❂❣ ✷ F2♠[①], deg ✈ ✔ ❥❡❥ t❂2 1❂2 ✍, deg ✉ ✔ ❥❡❥ t❂2 + ✍.

Critical facts about ❉: ✎ ❉ = ✉❉0 + ✈❉1 with known ❉0 and ❉1, bounded ✉ and ✈. ✎ ❉ divides known ◆ = ◗

✐(① ❛✐).

Critical facts about ❉: ✎ ❉ = ✉❉0 + ✈❉1 with known ❉0 and ❉1, bounded ✉ and ✈. ✎ ❉ divides known ◆ = ◗

✐(① ❛✐).

Can use these facts to quickly compute all possible ❉ for surprisingly large ❥❡❥.

Critical facts about ❉: ✎ ❉ = ✉❉0 + ✈❉1 with known ❉0 and ❉1, bounded ✉ and ✈. ✎ ❉ divides known ◆ = ◗

✐(① ❛✐).

Can use these facts to quickly compute all possible ❉ for surprisingly large ❥❡❥. This is essentially 2007 Wu. 2008 Bernstein: combine with Patterson. 1998 Guruswami–Sudan: same ❥❡❥ limit but much slower.

Algorithm parameters: “multiplicity” ❦ ✕ 1; “lattice dimension” ❵ ✕ ❦ + 1. Assume gcd❢❉1❀ ◆❣ = 1. Otherwise add constant multiple of ❉0 to ❉1, extending field if necessary; see 2008 Bernstein for analysis. Lift ❉0❂❉1 from F2♠[①]❂◆ to ❙ ✷ F2♠[①] with deg ❙ ❁ ♥. Then ❙✉ + ✈ ✷ ❉F2♠[①]. Note that both ✉ and ①✒✈ have degree ✔ ❜❥❡❥ t❂2 + ✍❝ where ✒ = ❜t❂2 + ✍❝ ❜t❂2 1❂2 ✍❝.

For ❦ = 1: In F2♠(①)[②] define

• 0 = ◆,
• 1 = ❙ + ①✒②,
• 2 = (❙ + ①✒②)①✒②,

. . .,

• ❵1 = (❙ + ①✒②)(①✒②)❵2.

Substituting ② = ①✒✈❂✉ and multiplying by ✉❵1 produces ◆✉❵1❀ (❙✉ + ✈)✉❵2❀ ✿ ✿ ✿ ❀ ❙✉ + ✈, all of which are in ❉F2♠[①]. ✉❵1◗(①✒✈❂✉) ✷ ❉F2♠[①] for any ◗ ✷ ●0F2♠[①]+✁ ✁ ✁+●❵1F2♠[①].

View all of these polynomials as coefficient vectors in F2♠(①)❵.

• 0❀ ●1❀ ✿ ✿ ✿ ❀ ●❵1

have determinant ◆①❵(❵1)✒❂2,

• f degree ♥ ❵(❵ 1)✒❂2.

Use ❵-dim lattice-basis reduction to find short nonzero ◗: deg ◗✐ ✔ ♥❂❵ (❵ 1)✒❂2. If ❥❡❥ ❃ ♥❂❵ + (❵ 1) ❜❥❡❥ t❂2 + ✍ ✒❂2❝ then deg ◗✐(①✒✈)✐✉❵1✐ ❁ ❥❡❥ so deg ✉❵1◗(①✒✈❂✉) ❁ ❥❡❥ so ◗(①✒✈❂✉) = 0. Find ✉❀ ✈ by finding roots of ◗.

For general ❦: Redefine ●✐ to obtain multiples of ❉❦.

• 0 = ◆❦;
• 1 = (❙ + ①✒②)◆❦1;
• 2 = (❙ + ①✒②)2◆❦2;

. . .

• ❦ = (❙ + ①✒②)❦;

. . .

• ❵1 = (❙ + ①✒②)❦(①✒②)❵❦1.

deg ◗✐ ✔ ♥❦(❦+1)❂2❵(❵1)✒❂2. If ❦❥❡❥ ❃ ♥❦(❦ + 1)❂2❵ + (❵ 1) ❜❥❡❥ t❂2 + ✍ ✒❂2❝ then ◗(①✒✈❂✉) = 0.

e.g. t = 0✿1♥, ✇ = 0✿051♥: smallest parameters are ❦ = 4, ❵ = 80. For comparison, Guruswami–Sudan require multiplicity ❦ and lattice dimension ❵ to satisfy ♥❦(❦+1)❂2❵+(❵1)(♥t1)❂2 ❁ ❦(♥ ❥❡❥). e.g. t = 0✿1♥, ✇ = 0✿051♥: smallest parameters are ❦ = 75, ❵ = 80.

Jet list decoding Recall ❉ = ◗

✐:❡✐✻=0(① ❛✐)

and ❊ = P

✐ ❉❡✐❂(① ❛✐).

❡✐ ✷ ❢0❀ 1❣ so ❊ = P

✐ ❉❂(① ❛✐) = ❉✵.

One consequence: Γ2(❣) = Γ2(❣2) if ❣ is squarefree. This doubles t, drastically increasing # errors decoded. But Γ2(❣2) decoders vary in effectiveness and efficiency.

1968 Berlekamp decodes t errors for Γ2(❣2). 1975 Patterson: same, faster. 1998 Guruswami–Sudan: ✙ t + t2❂2♥ errors. 2007 Wu: same, faster; the “rational” speedup. 2008 Bernstein: even faster; “rational” + Patterson.

1968 Berlekamp decodes t errors for Γ2(❣2). 1975 Patterson: same, faster. 1998 Guruswami–Sudan: ✙ t + t2❂2♥ errors. 2007 Wu: same, faster; the “rational” speedup. 2008 Bernstein: even faster; “rational” + Patterson. 2001 Koetter–Vardy: ✙ t + t2❂♥ errors. Can “rational” algorithms correct ❃ t + t2❂2♥ errors?

1968 Berlekamp decodes t errors for Γ2(❣2). 1975 Patterson: same, faster. 1998 Guruswami–Sudan: ✙ t + t2❂2♥ errors. 2007 Wu: same, faster; the “rational” speedup. 2008 Bernstein: even faster; “rational” + Patterson. 2001 Koetter–Vardy: ✙ t + t2❂♥ errors. Can “rational” algorithms correct ❃ t + t2❂2♥ errors? Yes! Jet list decoding.

Works for arbitrary Γ2(❣). Notation: ◆❀ ❉❀ ❊❀ ✿ ✿ ✿ as before. ❉ divides ◆ so the jet ❉(① + ✎) = ❉ + ✎❉✵ = ❉ + ✎❊ divides ◆(① + ✎) = ◆ + ✎◆✵. (❉ + ✎❊)(❉ ✎❊) divides (◆ + ✎◆✵)(❉ ✎❊) so ❉2 divides ◆✵❉ ◆❊. (❉❀ ❊) = ✉(❉0❀ ❊0) + ✈(❉1❀ ❊1) so ◆✵❉ ◆❊ = ✈(◆✵❉1 ◆❊1)+✉(◆✵❉0 ◆❊0). Lift (◆✵❉0 ◆❊0)❂(◆✵❉1 ◆❊1) from F2♠[①]❂◆2 to ❙ ✷ F2♠[①]. Then ❙✉ + ✈ ✷ ❉2F2♠[①].

• 0 = (◆2)❦;
• 1 = (❙ + ①✒②)(◆2)❦1;
• 2 = (❙ + ①✒②)2(◆2)❦2;

. . .

• ❦ = (❙ + ①✒②)❦;

. . .

• ❵1 = (❙ + ①✒②)❦(①✒②)❵❦1.

✉❵1◗(①✒✈❂✉) ✷ ❉2❦F2♠[①] if ◗ ✷ ●0F2♠[①]+✁ ✁ ✁+●❵1F2♠[①]. Roots of shortest nonzero ◗ include ①✒✈❂✉ if 2❦❥❡❥ ❃ ♥❦(❦ + 1)❂❵ + (❵ 1) ❜❥❡❥ t❂2 + ✍ ✒❂2❝.

e.g. t = 0✿1♥, ✇ = 0✿051♥: smallest parameters are ❦ = 1, ❵ = 26. e.g. t = 0✿1♥, ✇ = 0✿0521♥: smallest parameters are ❦ = 4, ❵ = 80. Compared to Koetter–Vardy: same limit on ✇, but much smaller ❦ for each ✇. Same achieved by 2007 Wu in one special case, BCH. Jet list decoding is faster (thanks to Howgrave-Graham) and more general.