Jet list decoding D. J. Bernstein University of Illinois at Chicago - - PDF document

Jet list decoding

• D. J. Bernstein

University of Illinois at Chicago Thanks to: NSF (1018836) NIST (60NANB10D263) Cisco (University Research Program)

Interpolation Fix coprime ♣1❀ ✿ ✿ ✿ ❀ ♣♥ ✷ Z❃0. Remainder repn of t ✷ Z: ev t = (t mod ♣1❀ ✿ ✿ ✿ ❀ t mod ♣♥). Chinese remainder theorem: ev t determines t mod ◆ where ◆ = ♣1 ✁ ✁ ✁ ♣♥. Very fast computation: If 0 ✔ t ❁ ◆ then t ◆ = ✒❳

✐

tq✐ mod ♣✐ ♣✐ ✓ mod 1 where q✐ = (◆❂♣✐)1 mod ♣✐.

Decoding Fix ❍ ❁ ◆. Assume 0 ✔ t ❁ ❍. Remainder repn is redundant. Given any vector ✈ ✙ ev t can reconstruct t. Traditional definition of “✙”: ◗

✐:✈✐✻=(ev t)✐ ♣✐ ✔

♣ ◆❂❍. Surprisingly fast ✈ ✼✦ t methods. Proof that ✈ determines t: if ✈ ✙ ev ✉ and ✈ ✙ ev t then ◗

✐:(ev ✉)✐✻=(ev t)✐ ♣✐ ✔ ◆❂❍ so

◗

✐:(ev ✉)✐=(ev t)✐ ♣✐ ✕ ❍ but

◗

✐:(ev ✉)✐=(ev t)✐ ♣✐ divides t ✉.

List decoding What if we know ❥✈ ev t❥ ✔ ❲ where ❲ is above ♣ ◆❂❍? Traditional answer: Give up. No guarantee that t is unique. Modern answer: ❲ determines a list

• f possibilities for t.

How quickly can we compute list? How does speed degrade with ❲? 1957 Elias, 1958 Wozencraft: bounds on list size, but no fast algorithms.

Reed–Solomon decoding Fix prime power q, distinct ❛1❀ ✿ ✿ ✿ ❀ ❛♥ ✷ Fq. Remainder repn of t ✷ Fq[①]: ev t = (t(❛1)❀ ✿ ✿ ✿ ❀ t(❛♥)). Given any vector ✈ ✙ ev t can reconstruct t, assuming deg t ❁ ❤. Traditional “✙”: #❢✐ : ✈✐ ✻= (ev t)✐❣ ✔ (♥ ❤)❂2. List decoding: compute list of possibilities for t given larger bound on ❥✈ ev t❥.

Jets The algebra of 1-jets over R is the quotient ring R[✎]❂✎2. Analogous to the set of complex numbers C = R[✐]❂(✐2 + 1), but ✎2 = 0 while ✐2 = 1. Multiplication of jets: (❛ + ❜✎)(❝ + ❞✎) = ❛❝ + (❛❞ + ❜❝)✎. Typical construction of a jet: differentiable ❢ : R ✦ R induces jet ❢(① + ✎) = ❢(①) + ❢✵(①)✎ for each ① ✷ R. e.g. sin(① + ✎) = sin ① + (cos ①)✎.

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲?

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z = (1❀ 7)Z + (3❀ 3)Z

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z = (1❀ 7)Z + (3❀ 3)Z = (4❀ 4)Z + (3❀ 3)Z.

Lattice-basis reduction Define ▲ = (0❀ 24)Z + (1❀ 17)Z = ❢(❜❀ 24❛ + 17❜) : ❛❀ ❜ ✷ Z❣. What is the shortest nonzero vector in ▲? ▲ = (0❀ 24)Z + (1❀ 17)Z = (1❀ 7)Z + (1❀ 17)Z = (1❀ 7)Z + (3❀ 3)Z = (4❀ 4)Z + (3❀ 3)Z. (4❀ 4)❀ (3❀ 3) are orthogonal. Shortest vectors in ▲ are (0❀ 0), (3❀ 3), (3❀ 3).

• ✎

✎

• ✎

✎ ✎

• ✎

✎ ✎ ✎

• ✎

✎ ✎ ✎ ✎

• ✎

✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲?

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z = (1❀ 8)Z + (1❀ 17)Z

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z = (1❀ 8)Z + (1❀ 17)Z = (1❀ 8)Z + (3❀ 1)Z.

Another example: Define ▲ = (0❀ 25)Z + (1❀ 17)Z. What is the shortest nonzero vector in ▲? ▲ = (0❀ 25)Z + (1❀ 17)Z = (1❀ 8)Z + (1❀ 17)Z = (1❀ 8)Z + (3❀ 1)Z. Nearly orthogonal. Shortest vectors in ▲ are (0❀ 0), (3❀ 1), (3❀ 1).

• ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲?

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (1❀ 10011)❘

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (111❀ 1)❘.

Polynomial lattices Define ❘ = F2[①], r0 = (101000)① = ①5 + ①3 ✷ ❘, r1 = (10011)① = ①4 + ① + 1 ✷ ❘, ▲ = (0❀ r0)❘ + (1❀ r1)❘. What is the shortest nonzero vector in ▲? ▲ = (0❀ 101000)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (1❀ 10011)❘ = (10❀ 1110)❘ + (111❀ 1)❘. (111❀ 1): shortest nonzero vector. (10❀ 1110): shortest independent vector.

Degree of (q❀ r) ✷ F2[①] ✂ F2[①] is defined as max❢deg q❀ deg r❣. Can use other metrics,

• r equivalently rescale ▲.

e.g. Define ▲ ✒ F2[♣①] ✂ F2[♣①] as (0❀ r0 ♣①)❘ + (1❀ r1 ♣①)❘. Successive generators for ▲: (0❀ 101000♣①), degree 5✿5. (1❀ 10011♣①), degree 4✿5. (10❀ 1110♣①), degree 3✿5. (111❀ 1♣①), degree 2.

Warning: Sometimes shortest independent vector is after shortest nonzero vector. e.g. Define r0 = 101000, r1 = 10111, ▲ = (0❀ r0 ♣①)❘ + (1❀ r1 ♣①)❘. Successive generators for ▲: (0❀ 101000♣①), degree 5✿5. (1❀ 10111♣①), degree 4✿5. (10❀ 110♣①), degree 2✿5. (1101❀ 11♣①), degree 3.

For any r0❀ r1 ✷ ❘ = Fq[①] with deg r0 ❃ deg r1: Euclid/Stevin computation: Define r2 = r0 mod r1, r3 = r1 mod r2, etc. Extended: q0 = 0; q1 = 1; q✐+2 = q✐ ❜r✐❂r✐+1❝ q✐+1. Then q✐r1 ✑ r✐ (mod r0). Lattice view: Have (0❀ r0 ♣①)❘ + (1❀ r1 ♣①)❘ = (q✐❀ r✐ ♣①)❘ + (q✐+1❀ r✐+1 ♣①)❘. Can continue until r✐+1 = 0. gcd❢r0❀ r1❣ = r✐❂ leadcoeff r✐.

Reducing lattice basis for ▲ is a “half gcd” computation, stopping halfway to the gcd. deg r✐ decreases; deg q✐ increases; deg q✐+1 + deg r✐ = deg r0. Say ❥ is minimal with deg r❥ ♣① ✔ (deg r0)❂2. Then deg q❥ ✔ (deg r0)❂2 so deg(q❥❀ r❥ ♣①) ✔ (deg r0)❂2. Shortest nonzero vector. (q❥+✎❀ r❥+✎ ♣①) has degree deg r0 ♣① deg(q❥❀ r❥ ♣①) for some ✎ ✷ ❢1❀ 1❣. Shortest independent vector.

Proof of “shortest”: Take any (q❀ r♣①) in lattice. (q❀ r♣①) = ✉(q❥❀ r❥ ♣①) + ✈(q❥+✎❀ r❥+✎ ♣①) for some ✉❀ ✈ ✷ ❘. q❥r❥+✎ q❥+✎r❥ = ✝r0 so ✈ = ✝(rq❥ qr❥)❂r0 and ✉ = ✝(qr❥+✎ rq❥+✎)❂r0. If deg(q❀ r♣①) ❁ deg(q❥+✎❀ r❥+✎ ♣①) then deg ✈ ❁ 0 so ✈ = 0; i.e., any vector in lattice shorter than (q❥+✎❀ r❥+✎ ♣①) is a multiple of (q❥❀ r❥ ♣①).

Higher-rank lattices If ▼ ✷ Fq[①]❵✂❵ has det ▼ ✻= 0 then the columns of ▼ have a nonzero linear combination ◗ with deg ◗ ✔ (deg det ▼)❂❵. Can compute ◗ with similar speed to matrix mult. (2003 Giorgi–Jeannerod–Villard + small fix from 2011 Bernstein) ▼ ✷ Z❵✂❵: loosen bound on ◗. (1982 Lenstra–Lenstra–Lovasz: polynomial time; ✿ ✿ ✿ ; 2011 Novocin–Stehl´ e–Villard: almost as fast as Fq[①] case)

Divisors in intervals Classic problem: Find all divisors of ◆ in [❆ ❍❀ ❆ + ❍], given positive integers ◆❀ ❆❀ ❍ with ❆ ❃ ❍. Reformulation: In Q[②] define ❣ = ❍② and ❢ = (❆ + ❍②)❂◆. Want all r ✷ Q with ❥r❥ ✔ 1, ❣(r) ✷ Z, numerator(❢(r)) = 1. Classic solution for many cases: Find small nonzero polynomial ✬ ✷ Z + Z❢ + Z❢❣ ✚ Q[②]. For each rational root r of ✬, check whether ❆ + ❍r divides ◆.

Understanding this solution for ❍ ❁ (❆ ❍)❂6◆1❂3:

Understanding this solution for ❍ ❁ (❆ ❍)❂6◆1❂3: ❢ = ✁ ✁ ✁ + ❍②❂◆, ❢❣ = ✁ ✁ ✁ + ❍2②2❂◆, so det(1❀ ❢❀ ❢❣) = ❍3❂◆2. Lattice-basis reduction finds ✬ with coeffs ✔ 2❍❂◆2❂3.

Understanding this solution for ❍ ❁ (❆ ❍)❂6◆1❂3: ❢ = ✁ ✁ ✁ + ❍②❂◆, ❢❣ = ✁ ✁ ✁ + ❍2②2❂◆, so det(1❀ ❢❀ ❢❣) = ❍3❂◆2. Lattice-basis reduction finds ✬ with coeffs ✔ 2❍❂◆2❂3. Take divisor of ◆ in [❆❍❀ ❆+❍]. Write as ❆ + ❍r; r ✷ Q, ❥r❥ ✔ 1. Then ❥✬(r)❥ ✔ 6❍❂◆2❂3.

Understanding this solution for ❍ ❁ (❆ ❍)❂6◆1❂3: ❢ = ✁ ✁ ✁ + ❍②❂◆, ❢❣ = ✁ ✁ ✁ + ❍2②2❂◆, so det(1❀ ❢❀ ❢❣) = ❍3❂◆2. Lattice-basis reduction finds ✬ with coeffs ✔ 2❍❂◆2❂3. Take divisor of ◆ in [❆❍❀ ❆+❍]. Write as ❆ + ❍r; r ✷ Q, ❥r❥ ✔ 1. Then ❥✬(r)❥ ✔ 6❍❂◆2❂3. 1❀ ❢(r)❀ ❢(r)❣(r) ✷ ((❆+❍r)❂◆)Z so ✬(r) ✷ ((❆ + ❍r)❂◆)Z. But (❆ + ❍r)❂◆ ❃ 6❍❂◆2❂3 so ✬(r) must be 0.

Classic generalization: Find all divisors of ◆ in ❢❆ ❇❍❀ ✿ ✿ ✿ ❀ ❆ ❇❀ ❆❀ ❆ + ❇❀ ✿ ✿ ✿ ❀ ❆ + ❇❍❣, given positive integers ◆❀ ❆❀ ❇❀ ❍ with ❆ ❃ ❇❍. Mediocre approach: Define ❣ = ❍② and ❢ = (❆ + ❇❍②)❂◆. Proceed as before. Loses factor ❇2 in det.

Classic generalization: Find all divisors of ◆ in ❢❆ ❇❍❀ ✿ ✿ ✿ ❀ ❆ ❇❀ ❆❀ ❆ + ❇❀ ✿ ✿ ✿ ❀ ❆ + ❇❍❣, given positive integers ◆❀ ❆❀ ❇❀ ❍ with ❆ ❃ ❇❍. Mediocre approach: Define ❣ = ❍② and ❢ = (❆ + ❇❍②)❂◆. Proceed as before. Loses factor ❇2 in det. Much better approach: Define ❣ = ❍② and ❢ = (❯❆ + ❍②)❂◆, assuming ❯ ✷ Z, ❯❇ 1 ✷ ◆Z. If ❍r ✷ Z and ❆ + ❇❍r divides ◆ then ❢(r) ✷ ((❆ + ❇❍r)❂◆)Z.

Linear combinations as divisors Further generalization: Find all divisors ❆s + ❇t of ◆ with 1 ✔ s ✔ ❏; ❥t❥ ✔ ❍; gcd❢s❀ t❣ = 1. Generalization of classic solution: Define ❣ = (❍❂❏)②; ❯ as before; ❢ = (❯❆ + (❍❂❏)②)❂◆. As before find small nonzero ✬ ✷ Z + Z❢ + Z❢❣. Write each rational root of ✬ as ❏t❂❍s with gcd❢s❀ t❣ = 1, s ❃ 0. Check whether ❆s + ❇t divides ◆ with s ✔ ❏ and ❥t❥ ✔ ❍.

Understanding this solution for ❍❏ ❁ (❆ ❇❍)❂6◆1❂3: det(1❀ ❢❀ ❢❣) = ❍3❂❏3◆2. Lattice-basis reduction finds ✬ with coeffs ✔ 2❍❂❏◆2❂3. If 1 ✔ s ✔ ❏ and ❥t❥ ✔ ❍ and r = ❏t❂❍s then ☞ ☞s2✬(r) ☞ ☞ = ☞ ☞✬0s2 + ✬1st❏❂❍ + ✬2t2❏2❂❍2☞ ☞ ✔ 3(2❍❂❏◆2❂3)❏2 = 6❍❏❂◆2❂3. If also ❆s + ❇t divides ◆ then s❢(r) = (❯❆s + t)❂◆ ✷ ((❆s + ❇t)❂◆)Z and s❣(r) ✷ Z so s2✬(r) ✷ ((❆s + ❇t)❂◆)Z.

1984 Lenstra: ❆ + ❇t algorithm, for proving primality. 1986 Rivest–Shamir: ❆ + t, for attacking constrained RSA. Many subsequent generalizations. 2003 Bernstein: projective view, but only affine applications. Projective applications: 2007 Wu, 2008 Bernstein (including this ❆s+❇t algorithm), 2009 Castagnos–Joux– Laguillaumie–Nguyen.

Higher multiplicities Generalization of ❆ + t algorithm: Choose a multiplicity ❦ and a lattice dimension ❵. Find small nonzero ✬ ✷ Z + Z❢ + Z❢2 + ✁ ✁ ✁ + Z❢❦ +Z❢❦❣+Z❢❦❣2+✁ ✁ ✁+Z❢❦❣❵❦1. det = (❍❂◆)❵(❵1)❂2◆(❵❦)(❵❦1)❂2 so ❥✬❥ ✔ ✁ ✁ ✁ (❍❂◆)(❵1)❂2◆(❵❦)(❵❦1)❂2❵. But ✬(r) ✷ (divisor❂◆)❦Z.

Optimize: large ❵ with ❦ ✙ ✒❵ if ❆ ❍ = ◆✒. #❢t possibilities searched❣ ✙ ◆✒2. Same for ❆ + ❇t etc. 1996 Coppersmith: ❆ + t with multiplicities; ◆✒2; various generalizations. But algorithm was slower: identified lattice via dual. 1997 Howgrave-Graham: this algorithm; skip dualization; simply write down ❢❦ etc.

The gcd tweak Minor tweak: Find all ❆ + t with ❥t❥ ✔ ❍ and gcd❢❆ + t❀ ◆❣ ✕ ◆✒. These t’s include previous t’s: if ❆ + t divides ◆ and ❆ + t ✕ ◆✒ then gcd❢❆ + t❀ ◆❣ ✕ ◆✒. Solution: Compute the same ✬ from the same lattice as before. For each rational root r of ✬, check gcd❢❆ + ❍r❀ ◆❣ ✕ ◆✒.

1997 Sudan: Fq[①] instead of Z, ◆ = (① ❛1) ✁ ✁ ✁ (① ❛♥), multiplicity 1, dual algorithm, for list decoding. 1999 Guruswami–Sudan: same with high multiplicity. 1999 Goldreich–Ron–Sudan: Z, multiplicity 1, dual. 2000 Boneh: Z, high multiplicity.

“The GS decoder”: Reconstruct t ✷ Fq[①] given (t(❛1)❀ ✿ ✿ ✿ ❀ t(❛♥)) + errors; distinct ❛1❀ ✿ ✿ ✿ ❀ ❛♥ ✷ Fq; #errors ❁ (1 ✒)♥; deg t ✔ ✒2♥. Reconstruct t ✷ Fq[①] given (☞1t(❛1)❀ ✿ ✿ ✿ ❀ ☞♥t(❛♥)) + errors; distinct ❛1❀ ✿ ✿ ✿ ❀ ❛♥ ✷ Fq; nonzero ☞1❀ ✿ ✿ ✿ ❀ ☞♥ ✷ Fq; #errors ❁ (1 ✒)♥; deg t ✔ ✒2♥.

Higher-degree polynomials gcd❢◆❀ ♣(t)❣ ✕ ◆✒: #❢t possibilities searched❣ ✙ ◆✒2❂❞ if ♣ monic, deg ♣ = ❞. 1988 H˚ astad: ✒ = 1, ❦ = 1. 1989 Vall´ ee–Girault–Toffin: ✒ = 1, ❦ = 1, dual. 1996 Coppersmith: ✒ = 1, high multiplicity, dual. 1997 Howgrave-Graham: ✒ = 1, high multiplicity. 2000 Boneh: any ✒, high multiplicity.

Gaussian divisors in intervals New (?) problem: Find all t ✷ ❢❍❀ ✿ ✿ ✿ ❀ 1❀ 0❀ 1❀ ✿ ✿ ✿ ❀ ❍❣ with ❆0+t+❆1✐ dividing ◆0+◆1✐ in Z[✐]❂(✐2 + 1); assume ❆0 ❃ ❍. One approach: Take norms. (❆0 + t)2 + ❆2

1 divides ◆2 0 + ◆2 1.

Use standard degree-2 algorithm. Works for ❍ ✙ (◆2

0 + ◆2 1)✒2❂2

if (❆0 ❍)2 + ❆2

1 = (◆2 0 + ◆2 1)✒.

Worse: Find divisor of ◆2

0 + ◆2 1

in [(❆0❍)2+❆2

1❀ (❆0+❍)2+❆2 1],

using degree-1 algorithm. Works for ❆0❍ ✙ (◆2

0 + ◆2 1)✒2.

Another approach: lattice-basis reduction over Z[✐]. Works, but searches t ✷ Z[✐], again wasting time.

Another approach: lattice-basis reduction over Z[✐]. Works, but searches t ✷ Z[✐], again wasting time. Better approach: (❆0 + t)2 + ❆2

1 divides

(❆0 + t ❆1✐)(◆0 + ◆1✐) so it divides (❆0 + t)◆1 ❆1◆0. Also divides ◆2

0 + ◆2 1.

gcd ✟ (❆0 + t)◆1 ❆1◆0❀ ◆2

0 + ◆2 1

✠ ✕ (◆2

0 + ◆2 1)✒.

Works for ❍ ✙ (◆2

0 + ◆2 1)✒2,

assuming gcd❢◆0❀ ◆1❣ = 1.

Jet divisors Easily generalize: ❆0s + ❇0t, other algebras, etc. My main interest today: the 1-jet algebra Z[✎]❂✎2. To search for small (s❀ t) ✷ Z ✂ Z with (❆0 + ❆1✎)s + (❇0 + ❇1✎)t dividing ◆0 + ◆1✎ in Z[✎]❂✎2: use gcd ✟ ∆❀ ◆2 ✠ ✕ (◆2

0)✒ where ∆ =

(❆0◆1❆1◆0)s+(❇0◆1❇1◆0)t. #❢(s❀ t) searched❣ ✙ (◆2

0)✒2,

assuming gcd❢◆0❀ ❇0◆1❣ = 1. Searching for ❆0s + ❇0t dividing ◆0 would search only ◆✒2

0 .

Classical binary Goppa codes Fix integers ♥ ✕ 0, ♠ ✕ 1; distinct ❛1❀ ✿ ✿ ✿ ❀ ❛♥ ✷ F2♠; monic ❣ ✷ F2♠[①] with ❣(❛1) ✁ ✁ ✁ ❣(❛♥) ✻= 0. The code: Define Γ ✒ F♥

2

as set of (❝1❀ ✿ ✿ ✿ ❀ ❝♥) with P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣.

min❢❥❝❥ : ❝ ✷ Γ ❢0❣❣ ✕ deg ❣+1; lg #Γ ✕ ♥ ♠ deg ❣. Better bounds in the BCH case ❣ = ①❦ and in many other cases.

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Lift P

✐ ✈✐❂(①❛✐) from F2♠[①]❂❣

to s ✷ F2♠[①] with deg s ❁ deg ❣. Find shortest nonzero (q❥❀ r❥ ♣①) in the lattice ▲ = (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①].

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Lift P

✐ ✈✐❂(①❛✐) from F2♠[①]❂❣

to s ✷ F2♠[①] with deg s ❁ deg ❣. Find shortest nonzero (q❥❀ r❥ ♣①) in the lattice ▲ = (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①]. Fact: If ❥❡❥ ✔ (deg ❣)❂2 then ❊❂❉ = r❥❂q❥ so ❉ is monic denominator of r❥❂q❥.

Say we receive ✈ = ❝ + ❡. Define ❉❀ ❊ ✷ F2♠[①] by ❉ = ◗

✐:❡✐✻=0(① ❛✐) and

❊ = P

✐ ❉❡✐❂(① ❛✐).

Lift P

✐ ✈✐❂(①❛✐) from F2♠[①]❂❣

to s ✷ F2♠[①] with deg s ❁ deg ❣. Find shortest nonzero (q❥❀ r❥ ♣①) in the lattice ▲ = (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①]. Fact: If ❥❡❥ ✔ (deg ❣)❂2 then ❊❂❉ = r❥❂q❥ so ❉ is monic denominator of r❥❂q❥. ❡✐ = 0 if ❉(❛✐) ✻= 0. ❡✐ = ❊(❛✐)❂❉✵(❛✐) if ❉(❛✐) = 0.

Why does this work? P

✐ ❡✐❂(① ❛✐) = ❊❂❉ and

P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣

so s = ❊❂❉ in F2♠[①]❂❣ so (❉❀ ❊♣①) ✷ ▲.

Why does this work? P

✐ ❡✐❂(① ❛✐) = ❊❂❉ and

P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣

so s = ❊❂❉ in F2♠[①]❂❣ so (❉❀ ❊♣①) ✷ ▲. (❉❀ ❊♣①) is a short vector: deg(❉❀ ❊♣①) ✔ ❥❡❥ ✔ (deg ❣)❂2 ❁ deg ❣ + 1❂2 deg(q❥❀ r❥ ♣①).

Why does this work? P

✐ ❡✐❂(① ❛✐) = ❊❂❉ and

P

✐ ❝✐❂(① ❛✐) = 0 in F2♠[①]❂❣

so s = ❊❂❉ in F2♠[①]❂❣ so (❉❀ ❊♣①) ✷ ▲. (❉❀ ❊♣①) is a short vector: deg(❉❀ ❊♣①) ✔ ❥❡❥ ✔ (deg ❣)❂2 ❁ deg ❣ + 1❂2 deg(q❥❀ r❥ ♣①). Recall “shortest” proof: (❉❀ ❊♣①) ✷ (q❥❀ r❥ ♣①)F2♠[①], so ❊❂❉ = r❥❂q❥. Done! Euclid decoding: 1975 Sugiyama– Kasahara–Hirasawa–Namekawa.

List decoding for these codes What if ❥❡❥ ❃ (deg ❣)❂2? Find shortest nonzero (❉0❀ ❊0 ♣①) and independent (❉1❀ ❊1 ♣①) in (0❀ ❣♣①)F2♠[①] + (1❀ s♣①)F2♠[①], with degrees (deg ❣)❂2 ✍ and (deg ❣)❂2 + 1❂2 + ✍ for some ✍ ✷ ❢0❀ 1❂2❀ 1❀ 3❂2❀ ✿ ✿ ✿❣. Know that (❉❀ ❊♣①) = ✉(❉0❀ ❊0 ♣①) + ✈(❉1❀ ❊1 ♣①); ✈ = ✝(❊❉0 ❉❊0)❂❣ ✷ F2♠[①], ✉ = ✝(❉❊1 ❊❉1)❂❣ ✷ F2♠[①], deg ✈ ✔ ❥❡❥ (deg ❣)❂2 1❂2 ✍, deg ✉ ✔ ❥❡❥ (deg ❣)❂2 + ✍.

Critical facts about ❉: ✎ ❉ = ✉❉0 + ✈❉1 with known ❉0 and ❉1, bounded ✉ and ✈. ✎ ❉ divides known ◆ = ◗

✐(① ❛✐).

Critical facts about ❉: ✎ ❉ = ✉❉0 + ✈❉1 with known ❉0 and ❉1, bounded ✉ and ✈. ✎ ❉ divides known ◆ = ◗

✐(① ❛✐).

This is exactly the “linear combinations as divisors” problem! Solve with lattices. Reach same ❥❡❥ as GS, but much smaller ❦. (2007 Wu: dual of essentially this algorithm; see 2008 Bernstein for coprimality)

Jet list decoding Recall ❉ = ◗

✐:❡✐✻=0(① ❛✐)

and ❊ = P

✐ ❉❡✐❂(① ❛✐).

❡✐ ✷ ❢0❀ 1❣ so ❊ = P

✐ ❉❂(① ❛✐) = ❉✵.

One consequence: Γ2(❣) = Γ2(❣2) if ❣ is squarefree. This doubles deg ❣, drastically increasing # errors decoded. But Γ2(❣2) decoders vary in effectiveness and efficiency.

1968 Berlekamp decodes deg ❣ errors for Γ2(❣2). 1975 Patterson: same, faster. 1998 Guruswami–Sudan: ✙ deg ❣ + (deg ❣)2❂2♥ errors. 2007 Wu: same, faster; the “rational” speedup. 2008 Bernstein: even faster; “rational” + Patterson.

1968 Berlekamp decodes deg ❣ errors for Γ2(❣2). 1975 Patterson: same, faster. 1998 Guruswami–Sudan: ✙ deg ❣ + (deg ❣)2❂2♥ errors. 2007 Wu: same, faster; the “rational” speedup. 2008 Bernstein: even faster; “rational” + Patterson. 2001 Koetter–Vardy: ✙ deg ❣ + (deg ❣)2❂♥ errors. Can “rational” algorithms correct this many errors?

1968 Berlekamp decodes deg ❣ errors for Γ2(❣2). 1975 Patterson: same, faster. 1998 Guruswami–Sudan: ✙ deg ❣ + (deg ❣)2❂2♥ errors. 2007 Wu: same, faster; the “rational” speedup. 2008 Bernstein: even faster; “rational” + Patterson. 2001 Koetter–Vardy: ✙ deg ❣ + (deg ❣)2❂♥ errors. Can “rational” algorithms correct this many errors? Yes! Jet list decoding.

Works for arbitrary Γ2(❣). Notation: ◆❀ ❉❀ ❊❀ ✿ ✿ ✿ as before. ❉ divides ◆ so the jet ❉(① + ✎) = ❉ + ✎❉✵ = ❉ + ✎❊ divides ◆(① + ✎) = ◆ + ✎◆✵. ❉ + ✎❊ = ✉(❉0 + ✎❊0) + ✈(❉1 + ✎❊1). Apply the jet-divisors idea: find large gcd ✟ ◆✵❉ ◆❊❀ ◆2✠ . 2007 Wu reaches same ❥❡❥ in one special case, BCH. Jet list decoding is faster, more general. Generalize F2 to Fq: use gcd ✟ (◆✵❉)q1 (◆❊)q1❀ ◆q✠ .