SLIDE 1
Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html #simplelist
- D. J. Bernstein
Simplified high-speed high-distance list decoding for alternant - - PDF document
Simplified high-speed high-distance list decoding for alternant - - PDF document
Simplified high-speed high-distance list decoding for alternant codes cr.yp.to/papers.html #simplelist D. J. Bernstein University of Illinois at Chicago Thanks to: Cisco University Research Program And thanks to: NIST grant 60NANB10D263
SLIDE 2
SLIDE 3
Goal: Correct ✇ errors in ❈. Assume q(♥❂t) lg q♠ ✷ (lg ♥)❖(1). Any ✇ ✔ ❜t❂2❝, cost ♥❖(1): 1960 Peterson.
SLIDE 4
Goal: Correct ✇ errors in ❈. Assume q(♥❂t) lg q♠ ✷ (lg ♥)❖(1). Any ✇ ✔ ❜t❂2❝, cost ♥❖(1): 1960 Peterson. Big speedups— ♥2(lg ♥)❖(1): 1968 Berlekamp; ♥(lg ♥)❖(1), using FFT etc.: 1976 Justesen, 1977 Sarwate.
SLIDE 5
Goal: Correct ✇ errors in ❈. Assume q(♥❂t) lg q♠ ✷ (lg ♥)❖(1). Any ✇ ✔ ❜t❂2❝, cost ♥❖(1): 1960 Peterson. Big speedups— ♥2(lg ♥)❖(1): 1968 Berlekamp; ♥(lg ♥)❖(1), using FFT etc.: 1976 Justesen, 1977 Sarwate. Any ✇ ❁ ♥ ♣ ♥(♥ t 1), cost ♥❖(1): 1998 Guruswami– Sudan, improving on 1997 Sudan. Many subsequent speedups.
SLIDE 6
Goal: Correct ✇ errors in ❈. Assume q(♥❂t) lg q♠ ✷ (lg ♥)❖(1). Any ✇ ✔ ❜t❂2❝, cost ♥❖(1): 1960 Peterson. Big speedups— ♥2(lg ♥)❖(1): 1968 Berlekamp; ♥(lg ♥)❖(1), using FFT etc.: 1976 Justesen, 1977 Sarwate. Any ✇ ❁ ♥ ♣ ♥(♥ t 1), cost ♥❖(1): 1998 Guruswami– Sudan, improving on 1997 Sudan. Many subsequent speedups. Any ✇ ❁ ♥✵ ♣ ♥✵(♥✵ t 1), cost ♥❖(1): 2000 Koetter–Vardy. Here ♥✵ = ♥(q 1)❂q.
SLIDE 7
Example of recent speedups, JSC 2010 Beelen–Brander: any ✇ ❁ ♥ ♣ ♥(♥ t 1), cost ❵5♥(lg ♥)❖(1) for output list size ❵.
SLIDE 8
Example of recent speedups, JSC 2010 Beelen–Brander: any ✇ ❁ ♥ ♣ ♥(♥ t 1), cost ❵5♥(lg ♥)❖(1) for output list size ❵. 2011 Bernstein “Simplified high- speed high-distance list decoding for alternant codes”: any ✇ ❁ ♥✵ ♣ ♥✵(♥✵ t 1), cost ❵❁3✿5♥(lg ♥)❖(1) for output list size ❵. Cost ❖(♥❁4✿5) for any ✇ ❁ ♥✵ ♣ ♥✵(♥✵ t 1) + ♦((lg ♥)❂ lg lg ♥).
SLIDE 9
CRT codes Fix distinct primes ♣1❀ ✿ ✿ ✿ ❀ ♣♥ and a positive integer ❍. For ❢ ✷ Z define ev(❢) = (❢ mod ♣1❀ ✿ ✿ ✿ ❀ ❢ mod ♣♥). The CRT code for ♣1❀ ✿ ✿ ✿ ❀ ♣♥❀ ❍ is ❈ = ❢ev(❢) : ❢ ✷ Z❀ ❥❢❥ ✔ ❍❣.
SLIDE 10
CRT codes Fix distinct primes ♣1❀ ✿ ✿ ✿ ❀ ♣♥ and a positive integer ❍. For ❢ ✷ Z define ev(❢) = (❢ mod ♣1❀ ✿ ✿ ✿ ❀ ❢ mod ♣♥). The CRT code for ♣1❀ ✿ ✿ ✿ ❀ ♣♥❀ ❍ is ❈ = ❢ev(❢) : ❢ ✷ Z❀ ❥❢❥ ✔ ❍❣. What you’re probably thinking: “Yeah, I know this pointless number-theoretic analogue
- f Reed–Solomon codes.
Anything you can do with these, you can do better with RS.”
SLIDE 11
One standard multiplicity-2 CRT list-decoding algorithm: Receive word (r1❀ ✿ ✿ ✿ ❀ r♥). Find small nonzero ◗ ✷ Z[②] having multiplicity ✕ 2 at each (♣✐❀ r✐): i.e., ◗ ✷ (♣✐Z[②] + (② r✐)Z[②])2 = ♣2
✐ Z[②]+♣✐(②r✐)Z[②]+(②r✐)2Z[②].
Find all ❢ ✷ Z, ❥❢❥ ✔ ❍ such that ② ❢ divides ◗, i.e., ◗(❢) = 0. Fact: This finds all ❢ with ev(❢) close to (r1❀ ✿ ✿ ✿ ❀ r♥).
SLIDE 12
List-size-3 definition of “small”: deg ◗ ✔ 3: i.e., ◗ = ◗0 + ◗1② + ◗2②2 + ◗3②3 for some ◗0❀ ◗1❀ ◗2❀ ◗3 ✷ Z; and coefficients are small: i.e., ❥◗0❥ ✔ 2P 3❂4❍3❂2, ❥◗1❥ ✔ 2P 3❂4❍1❂2, ❥◗2❥ ✔ 2P 3❂4❍1❂2, ❥◗3❥ ✔ 2P 3❂4❍3❂2, where P = ♣1 ✁ ✁ ✁ ♣♥. Then ❥◗(❢)❥ ✔ 8P 3❂4❍3❂2 but ◗(❢) ✷ ◗
✐:❢ mod ♣✐=r✐ ♣2 ✐ Z.
◗(❢) must be 0 if ◗
✐:❢ mod ♣✐=r✐ ♣2 ✐ ❃ 8P 3❂4❍3❂2.
SLIDE 13
Can start with generators ♣2
✐ ❀ ♣✐(② r✐)❀ (② r✐)2❀ ②(② r✐)2
for the lattice ▲✐ = ❢◗ ✷ Z + Z② + Z②2 + Z②3 : ◗ ✷ (♣✐Z[②] + (② r✐)Z[②])2❣. Obtain generators for lattice ▲ = ❢◗ ✷ Z + Z② + Z②2 + Z②3 : ✽✐ : ◗ ✷ (♣✐Z[②] + (② r✐)Z[②])2❣ = ❚
✐ ▲✐ using standard methods.
Find small nonzero ◗ ✷ ▲ by lattice-basis reduction (LLL). FOCS 2000 Guruswami–Sahai– Sudan: this algorithm (for arbitrary multiplicities, list size).
SLIDE 14
Simpler, faster, more streamlined construction of same lattice: Start with 0-error interpolation— i.e., compute ❘ ✷ Z such that ❘ mod ♣✐ = r✐ for all ✐. Write down generators for ▲❄: ▲ is exactly the set of ◗0 + ◗1② + ◗2②2 + ◗3②3 ✷ Z[②] such that ◗0 + ◗1❘ + ◗2❘2 + ◗3❘3 ✷ P 2Z and ◗1 + 2◗2❘ + 3◗3❘2 ✷ PZ. From these linear equations find generators for ▲ using standard methods.
SLIDE 15
Even simpler, even faster, even more streamlined: Write down generators for ▲. ▲ = P 2Z + P(② ❘)Z + (② ❘)2Z + ②(② ❘)2Z. Find small nonzero ◗ ✷ ▲. Find all ❢ ✷ Z with ◗(❢) = 0.
SLIDE 16
Even simpler, even faster, even more streamlined: Write down generators for ▲. ▲ = P 2Z + P(② ❘)Z + (② ❘)2Z + ②(② ❘)2Z. Find small nonzero ◗ ✷ ▲. Find all ❢ ✷ Z with ◗(❢) = 0. 1997 Howgrave-Graham: exactly this algorithm (for arbitrary multiplicity, list size) to find all big ❢ ❘ dividing P. STOC 2000 Boneh: This finds all big gcd❢P❀ ❢ ❘❣. Use for CRT list decoding.
SLIDE 17
Sensible alternant list decoding Use fast multiplication: 1866 Gauss, 1963 Karatsuba, etc. Use fast root-finding for ◗: 1969 Zassenhaus. Use fast lattice-basis reduction: 2003 Giorgi–Jeannerod–Villard. Increase multiplicity as needed: 1996 Coppersmith. Write down lattice generators directly: 1997 Howgrave-Graham. Tweak lattice to correct more errors: 2000 Koetter–Vardy.
SLIDE 18
Main contribution of this paper: writing down generators directly for the Koetter–Vardy lattice. Brings the Howgrave-Graham simplicity and speed up to ♥✵ ♣ ♥✵(♥✵ t 1) errors. For “wild Goppa codes”: correct more errors via 1975 Sugiyama– Kasahara–Hirasawa–Namekawa.
SLIDE 19
Main contribution of this paper: writing down generators directly for the Koetter–Vardy lattice. Brings the Howgrave-Graham simplicity and speed up to ♥✵ ♣ ♥✵(♥✵ t 1) errors. For “wild Goppa codes”: correct more errors via 1975 Sugiyama– Kasahara–Hirasawa–Namekawa. Is this the end? No! Want “rational” list decoding— reuse partial information from attempted unique decoding; reduces multiplicities; faster!
SLIDE 20