Jet list decoding D. J. Bernstein University of Illinois at Chicago - PDF document

Jet list decoding D. J. Bernstein University of Illinois at Chicago Thanks to: NSF (1018836) NIST (60NANB10D263) Cisco (University Research Program)

Interpolation Fix coprime ♣ 1 ❀ ✿ ✿ ✿ ❀ ♣ ♥ ✷ Z ❃ 0 . Remainder repn of t ✷ Z : ev t = ( t mod ♣ 1 ❀ ✿ ✿ ✿ ❀ t mod ♣ ♥ ). Chinese remainder theorem: ev t determines t mod ◆ where ◆ = ♣ 1 ✁ ✁ ✁ ♣ ♥ . Very fast computation: If 0 ✔ t ❁ ◆ then ✒❳ ✓ t tq ✐ mod ♣ ✐ ◆ = mod 1 ♣ ✐ ✐ where q ✐ = ( ◆❂♣ ✐ ) � 1 mod ♣ ✐ .

Decoding Fix ❍ ❁ ◆ . Assume 0 ✔ t ❁ ❍ . Remainder repn is redundant. Given any vector ✈ ✙ ev t can reconstruct t . Traditional definition of “ ✙ ”: ♣ ◗ ✐ : ✈ ✐ ✻ =(ev t ) ✐ ♣ ✐ ✔ ◆❂❍ . Surprisingly fast ✈ ✼✦ t methods. Proof that ✈ determines t : if ✈ ✙ ev ✉ and ✈ ✙ ev t then ◗ ✐ :(ev ✉ ) ✐ ✻ =(ev t ) ✐ ♣ ✐ ✔ ◆❂❍ so ◗ ✐ :(ev ✉ ) ✐ =(ev t ) ✐ ♣ ✐ ✕ ❍ but ◗ ✐ :(ev ✉ ) ✐ =(ev t ) ✐ ♣ ✐ divides t � ✉ .

List decoding What if we know ❥ ✈ � ev t ❥ ✔ ❲ ♣ where ❲ is above ◆❂❍ ? Traditional answer: Give up. No guarantee that t is unique. Modern answer: ❲ determines a list of possibilities for t . How quickly can we compute list? How does speed degrade with ❲ ? 1957 Elias, 1958 Wozencraft: bounds on list size, but no fast algorithms.

Reed–Solomon decoding Fix prime power q , distinct ❛ 1 ❀ ✿ ✿ ✿ ❀ ❛ ♥ ✷ F q . Remainder repn of t ✷ F q [ ① ]: ev t = ( t ( ❛ 1 ) ❀ ✿ ✿ ✿ ❀ t ( ❛ ♥ )). Given any vector ✈ ✙ ev t can reconstruct t , assuming deg t ❁ ❤ . Traditional “ ✙ ”: # ❢ ✐ : ✈ ✐ ✻ = (ev t ) ✐ ❣ ✔ ( ♥ � ❤ ) ❂ 2. List decoding: compute list of possibilities for t given larger bound on ❥ ✈ � ev t ❥ .

Jets The algebra of 1-jets over R is the quotient ring R [ ✎ ] ❂✎ 2 . Analogous to the set of complex numbers C = R [ ✐ ] ❂ ( ✐ 2 + 1), but ✎ 2 = 0 while ✐ 2 = � 1. Multiplication of jets: ( ❛ + ❜✎ )( ❝ + ❞✎ ) = ❛❝ + ( ❛❞ + ❜❝ ) ✎ . Typical construction of a jet: differentiable ❢ : R ✦ R induces jet ❢ ( ① + ✎ ) = ❢ ( ① ) + ❢ ✵ ( ① ) ✎ for each ① ✷ R . e.g. sin( ① + ✎ ) = sin ① + (cos ① ) ✎ .

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ?

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (3 ❀ 3) Z

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (3 ❀ 3) Z = ( � 4 ❀ 4) Z + (3 ❀ 3) Z .

Lattice-basis reduction Define ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ❢ ( ❜❀ 24 ❛ + 17 ❜ ) : ❛❀ ❜ ✷ Z ❣ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 24) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (1 ❀ 17) Z = ( � 1 ❀ 7) Z + (3 ❀ 3) Z = ( � 4 ❀ 4) Z + (3 ❀ 3) Z . ( � 4 ❀ 4) ❀ (3 ❀ 3) are orthogonal. Shortest vectors in ▲ are (0 ❀ 0), (3 ❀ 3), ( � 3 ❀ � 3).

� � ✎ ✎

� � ✎ ✎ ✎

� � ✎ ✎ ✎ ✎

� � ✎ ✎ ✎ ✎ ✎

� � ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ?

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (1 ❀ 17) Z

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (3 ❀ 1) Z .

Another example: Define ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 25) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (1 ❀ 17) Z = ( � 1 ❀ 8) Z + (3 ❀ 1) Z . Nearly orthogonal. Shortest vectors in ▲ are (0 ❀ 0), (3 ❀ 1), ( � 3 ❀ � 1).

� � ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎ ✎

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ?

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 101000) ❘ + (1 ❀ 10011) ❘

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 101000) ❘ + (1 ❀ 10011) ❘ = (10 ❀ 1110) ❘ + (1 ❀ 10011) ❘

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 101000) ❘ + (1 ❀ 10011) ❘ = (10 ❀ 1110) ❘ + (1 ❀ 10011) ❘ = (10 ❀ 1110) ❘ + (111 ❀ 1) ❘ .

Polynomial lattices Define ❘ = F 2 [ ① ], r 0 = (101000) ① = ① 5 + ① 3 ✷ ❘ , r 1 = (10011) ① = ① 4 + ① + 1 ✷ ❘ , ▲ = (0 ❀ r 0 ) ❘ + (1 ❀ r 1 ) ❘ . What is the shortest nonzero vector in ▲ ? ▲ = (0 ❀ 101000) ❘ + (1 ❀ 10011) ❘ = (10 ❀ 1110) ❘ + (1 ❀ 10011) ❘ = (10 ❀ 1110) ❘ + (111 ❀ 1) ❘ . (111 ❀ 1): shortest nonzero vector. (10 ❀ 1110): shortest independent vector.

Degree of ( q❀ r ) ✷ F 2 [ ① ] ✂ F 2 [ ① ] is defined as max ❢ deg q❀ deg r ❣ . Can use other metrics, or equivalently rescale ▲ . e.g. Define ▲ ✒ F 2 [ ♣ ① ] ✂ F 2 [ ♣ ① ] ♣ ① ) ❘ + (1 ❀ r 1 ♣ ① ) ❘ . as (0 ❀ r 0 Successive generators for ▲ : (0 ❀ 101000 ♣ ① ), degree 5 ✿ 5. (1 ❀ 10011 ♣ ① ), degree 4 ✿ 5. (10 ❀ 1110 ♣ ① ), degree 3 ✿ 5. (111 ❀ 1 ♣ ① ), degree 2.

Warning: Sometimes shortest independent vector is after shortest nonzero vector. e.g. Define r 0 = 101000, r 1 = 10111, ♣ ① ) ❘ + (1 ❀ r 1 ♣ ① ) ❘ . ▲ = (0 ❀ r 0 Successive generators for ▲ : (0 ❀ 101000 ♣ ① ), degree 5 ✿ 5. (1 ❀ 10111 ♣ ① ), degree 4 ✿ 5. (10 ❀ 110 ♣ ① ), degree 2 ✿ 5. (1101 ❀ 11 ♣ ① ), degree 3.

For any r 0 ❀ r 1 ✷ ❘ = F q [ ① ] with deg r 0 ❃ deg r 1 : Euclid/Stevin computation: Define r 2 = r 0 mod r 1 , r 3 = r 1 mod r 2 , etc. Extended: q 0 = 0; q 1 = 1; q ✐ +2 = q ✐ � ❜ r ✐ ❂r ✐ +1 ❝ q ✐ +1 . Then q ✐ r 1 ✑ r ✐ (mod r 0 ). Lattice view: Have ♣ ① ) ❘ + (1 ❀ r 1 ♣ ① ) ❘ = (0 ❀ r 0 ♣ ① ) ❘ + ( q ✐ +1 ❀ r ✐ +1 ♣ ① ) ❘ . ( q ✐ ❀ r ✐ Can continue until r ✐ +1 = 0. gcd ❢ r 0 ❀ r 1 ❣ = r ✐ ❂ leadcoeff r ✐ .

Reducing lattice basis for ▲ is a “half gcd” computation, stopping halfway to the gcd. deg r ✐ decreases; deg q ✐ increases; deg q ✐ +1 + deg r ✐ = deg r 0 . Say ❥ is minimal with ♣ ① ✔ (deg r 0 ) ❂ 2. deg r ❥ Then deg q ❥ ✔ (deg r 0 ) ❂ 2 so ♣ ① ) ✔ (deg r 0 ) ❂ 2. deg( q ❥ ❀ r ❥ Shortest nonzero vector. ♣ ① ) has degree ( q ❥ + ✎ ❀ r ❥ + ✎ ♣ ① � deg( q ❥ ❀ r ❥ ♣ ① ) deg r 0 for some ✎ ✷ ❢� 1 ❀ 1 ❣ . Shortest independent vector.

Proof of “shortest”: Take any ( q❀ r ♣ ① ) in lattice. ( q❀ r ♣ ① ) = ✉ ( q ❥ ❀ r ❥ ♣ ① ) ♣ ① ) + ✈ ( q ❥ + ✎ ❀ r ❥ + ✎ for some ✉❀ ✈ ✷ ❘ . q ❥ r ❥ + ✎ � q ❥ + ✎ r ❥ = ✝ r 0 so ✈ = ✝ ( rq ❥ � qr ❥ ) ❂r 0 and ✉ = ✝ ( qr ❥ + ✎ � rq ❥ + ✎ ) ❂r 0 . If deg( q❀ r ♣ ① ) ♣ ① ) ❁ deg( q ❥ + ✎ ❀ r ❥ + ✎ then deg ✈ ❁ 0 so ✈ = 0; i.e., any vector in lattice ♣ ① ) shorter than ( q ❥ + ✎ ❀ r ❥ + ✎ ♣ ① ). is a multiple of ( q ❥ ❀ r ❥