Power Error Locating Pairs
Alain Couvreur, Isabella Panaccione

Affiliations: Inria; LIX, CNRS UMR 7161, École Polytechnique, 91128 Palaiseau Cedex, France
Abstract
We present a new decoding algorithm based on error locating pairs and correcting an amount of errors exceeding half the minimum distance. When applied to Reed–Solomon or algebraic geometry codes, the algorithm is a reformulation of the so–called power decoding algorithm. Asymptotically, it corrects errors up to Sudan’s radius. In addition, this new framework applies to any code benefiting from an error locating pair. Similarly to Pellikaan’s and Kötter’s approach for unique algebraic decoding, our algorithm provides a unified point of view for decoding codes with an algebraic structure beyond half the minimum distance. It gives an abstract description of decoding using only codes and linear algebra, without involving the arithmetic of the polynomial and rational function algebras used to define the codes themselves. Such algorithms can be valuable, for instance in cryptanalysis, to construct a decoding algorithm for a code without having access to its hidden algebraic structure.
**Key words:** Error correcting codes; Reed–Solomon codes; algebraic geometry codes; decoding algorithms; power decoding; error correcting pairs; cyclic codes.
**MSC:** 94B35, 94B27, 11T71, 14G50.
Introduction
Algebraic codes such as Reed–Solomon codes or algebraic geometry codes are of central interest in coding theory because, compared to random codes, these structured codes benefit from polynomial time decoding algorithms that can correct a significant amount of errors. The decoding of Reed–Solomon and algebraic geometry codes is a fascinating topic at the intersection of algebra, algorithms, computer algebra and complexity theory.
Decoding of Reed–Solomon codes
Reed–Solomon codes benefit from an algebraic structure coming from univariate polynomial algebras. Thanks to this structure, one can easily prove that they are maximum distance separable (MDS). In addition, one can design an efficient unique decoding algorithm, based on the resolution of a so–called key equation [Ber68, Ber15, WB83, GS92], which corrects up to half the minimum distance. This decoding algorithm is sometimes referred to as the Welch–Berlekamp algorithm in the literature.
In the late nineties, two successive breakthroughs due to Sudan [Sud97] and Guruswami and Sudan [GS99] showed that Reed–Solomon codes and algebraic geometry codes can be decoded in polynomial time with an asymptotic radius reaching the so–called Johnson bound [Joh62]. These algorithms have a decoding radius exceeding half the minimum distance, at the price that they may return a list of codewords instead of a single one. This drawback actually has a very limited impact since, in practice, the list size is almost always less than or equal to (see [McE03a] for further details). Note that decoding Reed–Solomon codes beyond the Johnson bound remains a fully open problem: it is proved in [GV05] that the maximum likelihood decoding problem for Reed–Solomon codes is NP–hard, but the possible existence of a theoretical limit between the Johnson bound and the covering radius under which decoding is possible in polynomial time remains an open question, with only partial answers such as [RW14].
All the previously described decoders are worst case, i.e. they correct any corrupted codeword at distance less than or equal to some fixed bound . On the other hand, some probabilistic algorithms may correct more errors at the cost of some rare failures. For instance, it has been known for a long time that the classical Welch–Berlekamp algorithm applied to interleaved Reed–Solomon codes is a probabilistic decoder reaching the channel capacity [SSB09] when the number of interleaved codewords tends to infinity. Inspired by this approach, Bossert et al. [SSB10] proposed a probabilistic algorithm for decoding genuine Reed–Solomon codes by interleaving the received word with some of its successive powers with respect to the component wise product. This algorithm has been called power decoding in the sequel. A striking feature of power decoding is that it has the same decoding radius as Sudan’s algorithm. Moreover, an improvement of the algorithm due to Rosenkilde [RnN18] reaches the Guruswami–Sudan radius, that is to say the Johnson bound.
However, compared to Sudan’s algorithm, which is worst case and always returns the full list of codewords at bounded distance from the received word, the power decoding algorithm returns at most one element and might fail. The full analysis of its failure probability and the classification of failure cases is still an open problem, but practical experiments give evidence that this failure probability is very low.
Decoding of algebraic geometry codes
All the previously described decoding algorithms for Reed–Solomon codes have natural extensions to algebraic geometry codes, at the cost of a slight deterioration of the decoding radius which is proportional to the curve’s genus. The problem of decoding algebraic geometry codes has motivated hundreds of articles in the last three decades. The story starts in the late 80’s with an article of Justesen, Larsen, Jensen, Havemose and Høholdt [JLJ+89] proposing a syndrome based decoding algorithm for codes from plane curves. The algorithm was then extended to arbitrary curves by Skorobogatov and Vlăduţ [SV90]. The original description of these algorithms was strongly based on algebraic geometry. Subsequently, however, Pellikaan [Pel88, Pel92] and independently Kötter [Köt92] proposed an abstract description of these algorithms stripped of the formalism of algebraic geometry. This description was based on an object called error correcting pair. An error correcting pair for a code is a pair of codes satisfying some dimension and minimum distance constraints and such that the space spanned by the component wise products of words of and is contained in . The existence of such a pair
**Problem 1** (Bounded decoding).
Let , and . Return (if it exists) a word such that .
**Definition 0.1.**
For an algorithm solving Problem 1, the largest possible such that the algorithm succeeds is referred to as the decoding radius of the algorithm.
When , the solution, if it exists, is unique and the corresponding problem is sometimes referred to as the unambiguous decoding problem. For larger values of , the set of codewords at distance less than or equal to from might have more than one element. To solve the bounded decoding problem in such a situation, various decoders exist. Some of them return the closest codeword (if unique), while others return the whole list of codewords at distance less than or equal to . The algorithm of the present article either returns a unique solution or fails.
To conclude this section, let us state an assumption which we suppose to be satisfied for every decoding problem considered in the sequel.
**Assumption 1.**
In the following, given a code and a positive integer , when considering Problem 1, we always suppose that the received vector is of the form where and . Equivalently, we always suppose that the bounded decoding problem has at least one solution.
0.1 Reed–Solomon codes
The space of polynomials with coefficients in and degree less than is denoted by . Given an integer and a vector whose entries are distinct, the Reed–Solomon code of length and dimension is the image of the space by the map
[TABLE]
This code is denoted by or when there is no ambiguity on the vector . That is:
[TABLE]
One can actually consider a larger class of codes called generalised Reed–Solomon codes and defined as:
[TABLE]
where . Such a code has length , dimension and minimum distance . In this article, for the sake of simplicity, we focus on the case of Reed–Solomon codes () with , i.e. the so–called full–support Reed–Solomon codes. This context is much more comfortable for duality since we can assert that
[TABLE]
In the general case, the above statement remains true by replacing Reed–Solomon codes by generalised Reed–Solomon codes with a specific choice of . Indeed, it holds , where
[TABLE]
See for instance [Rot06, Problem 5.7]. Actually, the results of the present article extend straightforwardly to generalised Reed–Solomon codes at the cost of slightly more technical proofs.
0.2 Algebraic geometry codes
In what follows, by curve we always mean a smooth projective geometrically connected curve defined over . Given such a curve , a divisor on and a sequence of rational points of avoiding the support of , one can define the code
[TABLE]
where denotes the Riemann–Roch space associated to . When , such a code has dimension where denotes the genus of and minimum distance . We refer the reader to [TVN07, Sti09] for further details on algebraic geometry, function fields and algebraic geometry codes.
0.3 Star product of words and codes
The space is a product of fields and hence has a natural ring structure. We denote by the component wise product of vectors
[TABLE]
Given a vector , the –th power of is defined as .
*Remark 0.2.*
This product should not be confused with the canonical inner product in defined by . Note that these two operations are related by the following adjunction property
[TABLE]
In particular .
**Definition 0.3.**
Given two codes , the star product is the code spanned by all the products for and . If , the product is denoted by . Inductively, one defines for all .
0.3.1 Star products of algebraic codes
Algebraic codes satisfy peculiar properties with respect to the star product.
**Proposition 0.4** (Star product of Reed–Solomon codes).
Let be a vector with distinct entries and be positive integers such that . Then,
[TABLE]
*Remark 0.5.*
Actually Proposition 0.4 holds true even if but in this situation the right–hand side becomes .
**Proposition 0.6** (Star product of AG codes).
Let be a curve of genus , be a sequence of rational points of and be two divisors of such that and . Then,
[TABLE]
Proof.
This is a consequence of [Mum70, Theorem 6]. For instance, see [CMCP17, Corollary 9]. ∎
0.3.2 A Kneser–like theorem
We conclude this section with a result which will be useful in the sequel and can be regarded as a star product counterpart of the famous Kneser Theorem in additive combinatorics (see [TV06, Theorem 5.5]). We first have to introduce a notion.
**Definition 0.7.**
Let be a code, the stabiliser of is defined as
[TABLE]
**Theorem 0.8.**
Let be two codes. Then,
[TABLE]
Proof.
See [MZ15, Theorem 18] or [BL17, Theorem 4.1]. ∎
For any code , the stabiliser of has dimension at least since it contains the span of the vector . On the other hand, it has been proved in [KS80, Theorem 1.2] that a code has a stabiliser of dimension if and only if it is degenerate, i.e. if and only if either it is a direct sum of subcodes with disjoint supports or any generator matrix of has a zero column. This leads to the following analog of the Cauchy–Davenport Theorem ([TV06, Theorem 5.4]).
**Corollary 0.9.**
Let be two codes such that is non-degenerate, then
[TABLE]
1 Former decoding algorithms for Reed–Solomon and algebraic geometry codes
Several different decoding algorithms have been designed for Reed–Solomon and algebraic geometry codes. In particular, depending on the algorithm, one can solve Problem 1 either up to half the minimum distance or up to the Johnson bound.
In this section, we recall several decoding algorithms for Reed–Solomon codes. For all of them, a natural extension to algebraic geometry codes is known. Recall that, whenever we discuss a decoding problem we suppose Assumption 1 to be satisfied, i.e. we suppose that the decoding problem has at least one solution. Hence, we can write
[TABLE]
for some and with . Note that since , the codeword can be written as the evaluation of a polynomial with . The vector is called the error vector. Moreover, we define
[TABLE]
Hence, we have .
1.1 Welch–Berlekamp algorithm
The Welch–Berlekamp algorithm boils down to a linear system based on key equations. In this case the decoding radius is given by a sufficient condition, i.e. if there is a solution, the algorithm will find it.
**Definition 1.1.**
Given and as above we define
- the error locator polynomial as ;
- .
Hence, for any , the polynomials and satisfy
[TABLE]
The aim of the algorithm is then to solve the following
**Key Problem 1.**
Find a pair of polynomials such that , and
[TABLE]
*Remark 1.2.*
Actually, the degrees of and are related by
[TABLE]
With this constraint the problem can be solved using the Berlekamp–Massey algorithm. However, in this paper we chose the simplified constraints of Key Problem 1 in order to have linear constraints, which makes the analysis of the decoding radius easier. The following lemma makes it clear that this choice has no consequence on the decoding radius of the Welch–Berlekamp algorithm.
The system () is linear and has equations in unknowns. We know that the pair is in its solution space. The following result proves that, for certain values of , it is actually not necessary to find exactly that solution in order to solve the decoding problem.
**Lemma 1.3.**
Let . If is a nonzero solution of (), then and .
For the proof we refer for instance to [JH04, Theorem 4.2.2]. We can finally write the algorithm (see Algorithm 1). Its correctness is entailed by Lemma 1.3 whenever , that is, the decoding radius of the Welch–Berlekamp algorithm is
1.2 Power decoding algorithm
Introduced by Sidorenko, Schmidt and Bossert [SSB09], power decoding is inspired by a decoding algorithm for interleaved Reed–Solomon codes. It consists in considering several “powers” (with respect to the star product) of the received vector in order to have more relations to work on. Given the vector we want to correct, we consider the –th powers of for (see § 0.3 for the definition of ). In this section, we only present the case for simplicity. We have
[TABLE]
We then rename by and by and get
[TABLE]
One can see as a perturbation of a word by the error vector . Hence is an instance of another decoding problem. In addition, we have the following elementary result which is the key of power decoding.
**Proposition 1.4.**
It holds .
It asserts that on and , the errors are localised at the same positions. More precisely, error positions on are error positions on . Hence, we are in the error model of interleaved codes: equations (7) and (8) can be regarded as a decoding problem for the interleaving of two codewords with errors at no more than positions. Therefore, the errors can be decoded simultaneously using the same error locator polynomial. To do that, we consider the error locating polynomial as for the Welch–Berlekamp algorithm and the polynomials
[TABLE]
Thanks to Proposition 1.4, it is possible to write the key equations
[TABLE]
Consequently, the Power decoding algorithm consists in solving the following problem.
**Key Problem 2.**
Given and , find which fulfill
[TABLE]
with and for .
*Remark 1.5.*
Key Problem 2 is slightly different from the problem faced in the original paper describing power decoding ([SSB10]). We used a key equation formulation of the problem instead of the syndrome one. The two formulations are equivalent if the right bounds on the polynomials’ degrees are taken (see [RnN15]). In particular, one should look for such that for all . However, as for the Welch–Berlekamp algorithm, we consider two weaker constraints which allow us to reduce the problem to a linear system. The price is that our Key Problem may have more failure cases than the problem in [SSB10]. However, we observed experimentally that these cases are really rare.
The vector is a solution of the linear system (). However, at the moment there is no guaranteed method to recover it among all the solutions. We only know that, if is a polynomial such that and , then there exists an error locator polynomial of the error with respect to , such that the vector
[TABLE]
is a solution of (). Among all such solutions, we want to pick the one that gives the closest codeword, that is the one such that is minimal (see pt. 1 in Algorithm 2).
*Remark 1.6.*
The equations we obtain in Key Problem 2 consist in the key equations for and the key equations for , that is, two simultaneous decoding problems. The important aspect is that these two decoding problems share the error locator polynomial . Hence, by adding relations, we only add unknowns instead of .
*Remark 1.7.*
To compute the decoding radius of the power decoding algorithm we look for a condition on the size of the system (). Note that the algorithm gives one solution or none, hence there cannot be a sufficient condition for the correctness of the algorithm as soon as . For this reason, we look for a necessary condition for the system () to have a solution space of dimension .
The general case with an arbitrary .
For an arbitrary , Key Problem 2 is replaced by the following system:
[TABLE]
with and for all .
1.2.1 Decoding radius
Under Assumption 1, we know that is a solution for () and hence, the algorithm returns if and only if the solution space of () has dimension one.
Let us define the polynomial
[TABLE]
and consider the bounds in Key Problem 2 on the degrees of and . If , then we would have . For a larger this condition becomes
[TABLE]
However, bound (10) is actually much larger than the decoding radius. We then look for a stricter bound on . Another necessary condition for () to have a solution space of dimension one is:
[TABLE]
which gives
*Remark 1.8.*
Actually, starting from , Algorithm 2 could return another word which would be closer to . In such a situation, the solution space of () will not have dimension , since it will contain a triple associated to and a vector associated to , which can be proved to be linearly independent. Therefore, the algorithm may return the closest codeword even in situations where the solution space of () has dimension larger than . The analysis consists in giving a necessary condition for the algorithm to return .
Finally, the same process can be used for a general and we obtain the following decoding radius
[TABLE]
1.3 The error correcting pairs algorithm
The Error Correcting Pairs (ECP) algorithm has been designed by Pellikaan [Pel92] and independently by Kötter [Köt92]. Its formalism gives an abstract description of a decoding algorithm originally designed for algebraic geometry codes [SV90] and whose description required notions of algebraic geometry. In their works, Pellikaan and Kötter simplified the instruments needed in the original decoding algorithm and made the algorithm applicable to any linear code benefiting from a certain elementary structure called error correcting pair and defined in Definition 1.9 below. Given a code and a received vector where and for some positive integer , the ECP algorithm consists in two steps:
1. find such that , where denotes the support of ;
2. recover the nonzero entries of .
As said before, these steps can be carried out if the code has a -error correcting pair where is small enough.
**Definition 1.9.**
Given a linear code , a pair of linear codes , with is called a -error correcting pair for if
- (ECP1) ;
- (ECP2) ;
- (ECP3) ;
- (ECP4) .
*Remark 1.10.*
One can observe that, thanks to Remark 0.2,
[TABLE]
Since this notion does not look very intuitive, an example of error correcting pair for Reed–Solomon codes is given further in § 1.4 and an interpretation of the various hypotheses above is given in light of this example in § 1.5. For now, we want to explain more precisely how the ECP algorithm works.
1.3.1 First step of the error correcting pair algorithm
In Step (1) of the ECP algorithm, we wish to find a set which contains . A good candidate for would then be ; indeed, the following result (see [Pel92]) entails that (see Definition LABEL:def:short_punct).
**Proposition 1.11.**
If , then .
However, since we do not know , we do not have any information about . That is why a new vector space is introduced:
[TABLE]
The key of the algorithm is in the following result.
**Theorem 1.12.**
Let , and as above. If , then
1. ;
2. if , then .
Proof.
See [Pel92]. ∎
Therefore, if the pair fulfills (ECP1–3) in Definition 1.9, then is non-trivial and contains . Hence, Step (1) of the algorithm consists in computing .
1.3.2 Second step of the error correcting pair algorithm
Step (2) is nothing but the resolution of a linear system depending on and the syndrome of . First, some notation is needed.
*Notation.*
Let be a matrix having columns and . We denote by the submatrix of whose columns are those with index in .
Suppose we have computed in Step (1) of the algorithm. Consider a full-rank parity-check matrix for . The vector satisfies and we then want to recover by solving the linear system
[TABLE]
However, a priori, the solution may not be unique. Condition (ECP4) in Definition 1.9 yields the following result.
**Lemma 1.13.**
If , and , then .
Proof.
By Proposition 1.11, there exists . Now, since , we get
[TABLE]
∎
**Theorem 1.14.**
Given and with , there exists at most one solution to (13).
This is a well-known result of coding theory and it is easy to prove. This theorem, together with Lemma 1.13, entails that if contains the support of the error, then is the unique solution to system (13). The second step of the algorithm thus consists in finding by solving system (13) and recovering from by imposing for all . The entire algorithm is described in Algorithm 3.
The correctness of the algorithm is proved in [Pel92]. It is straightforward to see that the algorithm returns a unique solution and that a sufficient condition for the algorithm to correct errors is the existence of an error correcting pair with parameter . This consideration leads to the following result.
**Corollary 1.15** ([Pel92, Corollary 2.15]).
If a linear code has a -error correcting pair, then
[TABLE]
1.4 Error correcting pairs for Reed–Solomon codes
For an arbitrary code, there is no reason that an error correcting pair exists. Indeed, the existence of an ECP for a given code relies on the existence of a pair of codes, both having a sufficiently large dimension and satisfying , which is actually a very restrictive condition. Among the codes for which an ECP exists, there are Reed–Solomon codes. Indeed, given , consider the pair :
[TABLE]
Recall that thanks to Proposition 0.4, we have
**Lemma 1.16.**
Given as above, it holds
[TABLE]
**Proposition 1.17.**
The pair of (14) is a -error correcting pair for for any
[TABLE]
Proof.
We have to prove that (16) is a necessary and sufficient condition for (ECP1–4) in Definition 1.9 to hold. First of all, by Lemma 1.16 we have (ECP3). Moreover, by definition of and , this gives (ECP2). By Proposition 0.4, as seen above, the codes satisfy , so by Remark 0.2 we obtain . Finally, it is easy to see that . Hence, if $t \leqslant \left\lfloor \frac{d(C)-1}{2} \right\rfloor$, (ECP1–4) hold, and conversely. ∎
*Remark 1.18.*
In § 2, we are going to work with structures which are slightly different from error correcting pairs, that is, we will still require (ECP1, 2) and (ECP4) to hold, together with other conditions. Note that, given and as in (14), Conditions (ECP1, 2) and (ECP4) hold if and only if .
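As an added illustration (this is not code from the paper, nor from Pellikaan's or Kötter's work), the following Python script runs Steps (1) and (2) of the ECP algorithm on a full-support Reed–Solomon code over GF(13) with the pair (A, B) = (RS_{t+1}, RS_{n-k-t}) of (14); the field, the parameters k = 5 and t = 4 and the random error pattern are constructed assumptions. The decoder only handles generator matrices and linear algebra mod p, exactly the abstraction the ECP formalism is meant to provide, and the helper `star_product_dim` checks Proposition 0.4 numerically.

```python
"""ECP decoding of a full-support Reed-Solomon code over GF(13).
Added example (not the paper's code): Steps (1) and (2) of Section 1.3
with the pair (A, B) = (RS_{t+1}, RS_{n-k-t}) of Section 1.4, using only
generator matrices and linear algebra mod p, no polynomial arithmetic."""
import random

P = 13                         # prime field GF(13); full support, so n = p
N = P
X = list(range(N))             # evaluation points 0, ..., 12 (all distinct)

def rs_generator(k):
    """Generator matrix of RS_k(x): row j is the evaluation of x^j, j < k."""
    return [[pow(x, j, P) for x in X] for j in range(k)]

def rref(rows):
    """Reduced row echelon form mod P; returns (nonzero rows, pivot columns)."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(len(m[0]) if m else 0):
        piv = next((i for i in range(r, len(m)) if m[i][c] % P), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], P - 2, P)                   # Fermat inverse
        m[r] = [(v * inv) % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] % P:
                f = m[i][c]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m[:r], pivots

def nullspace(rows, ncols):
    """Basis of {v in GF(P)^ncols : rows . v = 0}."""
    m, pivots = rref(rows)
    basis = []
    for f in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[f] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-m[i][f]) % P
        basis.append(v)
    return basis

def star(u, v):
    """Componentwise (star) product of two vectors."""
    return [(a * b) % P for a, b in zip(u, v)]

def dot(u, v):
    """Canonical inner product on GF(P)^n."""
    return sum(a * b for a, b in zip(u, v)) % P

def star_product_dim(k1, k2):
    """dim(RS_k1 * RS_k2); Proposition 0.4 predicts k1 + k2 - 1 when < n."""
    rows = [star(a, b) for a in rs_generator(k1) for b in rs_generator(k2)]
    return len(rref(rows)[0])

def ecp_decode(k, t, y):
    """Return the codeword of C = RS_k within distance t of y, or None."""
    A = rs_generator(t + 1)        # dim A = t + 1 > t                (ECP2)
    B = rs_generator(N - k - t)    # A * B = RS_{n-k} = C^perp        (ECP1)
    H = rs_generator(N - k)        # generator of C^perp = parity-check of C
    # Step (1): M(y) = {a in A : <a * y, b> = 0 for all b in B}, solved for
    # the coefficients lambda of a = sum_j lambda_j A_j.
    eqs = [[dot(star(a, y), b) for a in A] for b in B]
    M = [[sum(l * a[i] for l, a in zip(lam, A)) % P for i in range(N)]
         for lam in nullspace(eqs, len(A))]
    # J = common zeros of M(y); by Theorem 1.12 it contains supp(e).
    J = [i for i in range(N) if all(a[i] == 0 for a in M)]
    if not M or len(J) > N - k:    # need |J| < d(C) = n - k + 1 (Thm 1.14)
        return None
    # Step (2): solve H_J e_J = H y (system (13)); then c = y - e.
    syndrome = [dot(h, y) for h in H]
    aug = [[h[j] for j in J] + [s] for h, s in zip(H, syndrome)]
    m, pivots = rref(aug)
    if len(J) in pivots:           # augmented column is a pivot: no solution
        return None
    e = [0] * N
    for i, pc in enumerate(pivots):
        e[J[pc]] = m[i][len(J)]
    c = [(yi - ei) % P for yi, ei in zip(y, e)]
    return c if all(dot(h, c) == 0 for h in H) else None

def demo(seed=1):
    """Constructed input: random message of RS_5, t = 4 errors, then decode."""
    k, t = 5, 4                    # d(C) = n - k + 1 = 9, t = (d - 1) / 2
    rng = random.Random(seed)
    G = rs_generator(k)
    msg = [rng.randrange(P) for _ in range(k)]
    c = [sum(mj * g[i] for mj, g in zip(msg, G)) % P for i in range(N)]
    y = c[:]
    for i in rng.sample(range(N), t):            # t distinct corrupted positions
        y[i] = (y[i] + rng.randrange(1, P)) % P  # nonzero error value
    return c, y, ecp_decode(k, t, y)
```

`demo()` returns the sent codeword, the received word and the decoded word; since t equals half the minimum distance here, (A, B) is a genuine error correcting pair and decoding is guaranteed, not probabilistic.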
1.5 ECP and Welch–Berlekamp key equations
The example of Reed–Solomon codes also permits to understand the rationale behind ECPs in light of the Welch–Berlekamp algorithm. Indeed, we now show that the choice of we made in the ECP algorithm appears quite natural if one looks at the key equations of the Welch–Berlekamp algorithm. Let us consider and the pair we defined in § 1.4. We can write (4) for any using the star product in this way
[TABLE]
From that, we can deduce
- ;
- ;
- Moreover .
In other words, the vector belongs to the space we are looking for in the ECP algorithm. Moreover, it fulfills a property which characterises a space , that is exactly the space we define in the ECP algorithm and which turns out to be equal to under certain conditions.
2 Power error locating pairs algorithm
We now present the Power Error Locating Pairs (PELP) algorithm. As for the error correcting pairs algorithm, we first give a generic description of the algorithm and later some examples of its application. In order to generalise the ECP algorithm to correct more errors, we introduce a new parameter we call power and define a slightly different structure from error correcting pairs. As in the previous paragraphs, we first describe that structure and the algorithm for and then explain how to generalise it.
2.1 The case
In Pellikaan’s paper, a structure called error locating pairs is already defined. It is a pair of codes which satisfy (ECP1, 2) and (ECP4). In particular, it is shown that, without changing anything in the algorithm, with such a structure it is possible to correct errors if the support of the error vector is an independent -set of error positions with respect to the code (see [Pel92]).
In the present article, in order to correct beyond half the designed distance, we do not consider particular error supports, but we rather choose to work with a more particular structure than error locating pairs and change the first step of the algorithm.
**Definition 2.1** (–Power error locating pairs).
Given a linear code , a pair of linear codes with is a –power –error locating pair for if
- (–PELP1) ;
- (–PELP2) ;
- (–PELP3) ;
- (–PELP4) ;
- (–PELP5) .
Compared to the definition of error correcting pairs, we removed (ECP3), which is too restrictive to correct errors beyond half the minimum distance. Instead, in the same spirit as power decoding, we look for a necessary condition for the algorithm to succeed. In this context, under Condition (–PELP3), Condition (–PELP5) provides this necessary condition together with the key tool for the analysis of the decoding radius of our algorithm.
*Remark 2.2.*
In the transition from the ECP algorithm to the –PELP algorithm, it is very important to get rid of the property . Indeed, since we want , if we had , then, assuming that is non-degenerate (see § 0.3.2), we would get
[TABLE]
where the second inequality is due to Corollary 0.9. This entails that , which is not an improvement of the decoding radius in every situation (see § 3).
Let us consider a code , a word such that with and and let be a –power –error locating pair for .
**Definition 2.3.**
Let us look for a necessary condition for this generalised algorithm to return . It can be proven that Theorem LABEL:corrPELP can be adapted to the generalised notion (LABEL:eq:newM) of . The following theorem gives the necessary condition we look for.
**Theorem 2.4.**
If , then
Again, in order to prove this theorem, we study the condition , since it is equivalent to by Lemma LABEL:cond_eq_M.
**Theorem 2.5.**
It holds
[TABLE]
where is such that for all .
To prove this result, it is possible to adapt the proof of Theorem LABEL:scritM_I and observe that it still holds . We will use the following remark.
*Remark 2.6.*
Given a vector space with and , we have
[TABLE]
in addition, it is easy to see that and
[TABLE]
Now, it is possible to prove Theorem 2.4.
Proof of Theorem 2.4.
It holds
[TABLE]
Now, thanks to Remark 2.6, one can easily see that (17) implies
[TABLE]
∎
2.2 Complexity
To conclude this section, let us discuss the complexity of the algorithm. We denote by the exponent of the complexity of matrix multiplication. First, recall that the computation of the star product of two codes of length costs arithmetic operations in using a deterministic algorithm and using a probabilistic algorithm (see for instance [COT17, § VI.A and D]).
The evaluation of the complexity of the power error locating pairs algorithm should be divided into two parts:
- the pre-computation phase, which is done once and for all and is independent of the error and of the corrupted codeword;
- the online phase, which depends on the corrupted codeword.
2.2.1 The precomputation phase
This phase consists essentially in computing generator matrices for the codes for . Each new calculation consists in the computation of a –product and a dual. This yields an overall cost of operations in using a probabilistic algorithm and operations using a deterministic one.
2.2.2 The online phase
- The computation of each space boils down to the resolution of a linear system with variables and equations. Hence a cost of operations in .
- The computation of consists in the calculation of intersections of spaces. Since the cost of the calculation of an intersection is operations, the cost of the computation of from the knowledge of the ’s is in
In summary, the overall complexity of the online phase is in operations in .
*Remark 2.7.*
Note that the previous complexity analysis is purely generic and does not take into account that codes with an error locating pair, such as Reed–Solomon codes, may be described by structured matrices permitting faster linear algebra.
3 –PELP algorithm for Reed–Solomon codes
We now give some applications of the –PELP algorithm, starting with Reed–Solomon codes. For these codes, the algorithm is much more intuitive. Indeed, as for the error correcting pairs algorithm, it is possible to deduce the PELP algorithm from a former decoding algorithm for Reed–Solomon codes: the power decoding.
Let us consider the code and the pair , where and . We look for the values of for which is an –power –error locating pair for . One can see that, since we no longer ask for , by Lemma 1.16, can be larger than . About the conditions to fulfill, we have already seen that properties (–PELP1, 2, 4) hold for any (see § 1.4). Let us find the values of which satisfy
- (–PELP3) ;
- (–PELP5) .
Property (–PELP3) holds for any since Reed–Solomon codes are MDS and has dimension . Let us now focus on property (–PELP5). By Proposition 0.4, we know that and these codes are not equal to as soon as
[TABLE]
If (18) is satisfied, then the bound in property (–PELP5) becomes
[TABLE]
which is the decoding radius for the power decoding algorithm for a general (see (11)).
Remark 3.1.
Note that (19) arose in power decoding as a necessary condition for a linear system to have a unique solution. Here instead, it arises as a necessary condition for an intersection of vector spaces to be .
3.1 The space and the key equations of power decoding
In § 1.5, we have seen that it is possible to relate the definition of to the key equations of the Welch–Berlekamp algorithm. One can do the same with the definition of in the power error locating pairs algorithm and the key equations of the –power decoding algorithm. Here we only consider the case , since the idea is easily generalised to larger . It is possible to write (9) as follows
[TABLE]
where is the evaluation map introduced in (1). Hence, we can deduce
- ;
- ;
- ;
- , where is the set defined in the –power error locating pairs algorithm. Indeed, we recall that , where
[TABLE]
In other words, in the power decoding algorithm one works with polynomials, while in the power error locating pairs algorithm one works with their evaluations.
3.2 Equivalence of the two algorithms for Reed–Solomon codes
Thanks to the link presented in the previous subsection, it is possible to find an isomorphism between the solution space of power decoding and the space . For the sake of simplicity, we make this isomorphism explicit in the case . The general case is easily deduced from the following study.
Theorem 3.2.
Let and be a positive integer, and suppose we run both the power decoding algorithm and the power error locating pairs algorithm with the same and . Denote by the solution space of the linear system () in power decoding. Then the linear map
[TABLE]
is bijective.
Proof.
For the sake of simplicity, we provide the proof in the case . The proof in the general case is easy to deduce at the cost of heavier notation. First, let us show that is well defined. Let belong to . Then, it holds
[TABLE]
As we have seen in § 3, these two conditions are equivalent to the statement
[TABLE]
Conversely, given , there exists with such that . Moreover, since , we have
[TABLE]
Thus, there exist with , and
[TABLE]
We can then define another map
[TABLE]
where and are the polynomials associated to as before. It is easy to prove that, under the condition (which is again bound (10))
[TABLE]
it holds and . ∎
In summary, for Reed–Solomon codes, power decoding and power error locating pairs algorithms are equivalent. In particular they succeed or fail for the same instances.
4 PELP algorithm for algebraic geometry codes
As said previously, the power error locating pairs algorithm can be run on any code with a PELP. We have seen that Reed–Solomon codes belong to this class of codes. In the sequel, we show that algebraic geometry codes also belong to it. Similarly to the case of Reed–Solomon codes, this algorithm can be compared with the power decoding algorithm. Power decoding extends naturally from Reed–Solomon codes to algebraic geometry codes. However, its use for decoding AG codes in the literature concerns mainly one–point codes from the Hermitian curve (see [NB15, PRB19]). For this reason, we give a brief presentation together with an analysis of its decoding radius in Appendix A.
In the sequel, we show that the analysis of the power decoding provides a decoding radius which is slightly below that of the power error locating pairs algorithm. Moreover, we observed experimentally that the decoding radius given by the analysis of the PELP algorithm is optimal for both the PELP and the power decoding algorithms. Probably, a more detailed analysis of the power decoding would provide a sharper estimate of the decoding radius, but the point is that the analysis of the PELP algorithm provides an optimal radius in a very elementary manner.
4.1 Context
Let be a smooth projective geometrically connected curve of genus over . Let be a divisor on and be an ordered –tuple of pairwise distinct rational points of avoiding the support of . We denote by and respectively the dimension and the minimum distance of the code . Moreover, we denote by the divisor and by the divisor where is a rational differential form such that and for any . We now introduce an extra divisor on and the pair with
[TABLE]
This pair of codes is our candidate to be a power error locating pair for . We analyse the case for simplicity (it is easy to generalise what we are going to see).
4.2 Decoding Radius
In order to find the decoding radius of the –power error locating pairs algorithm for algebraic geometry codes, we follow the same path as for Reed–Solomon codes. That is, we look for the pairs that satisfy properties (–PELP1–5) in Definition 2.1. To do so, we write some additional conditions on the degrees of the divisors and and on the number of errors . First, note that Property (–PELP1) holds by construction of and . In order to have properties (–PELP2, 3) and to know the structure of the code , we require the two following conditions
Additional Condition 1.
.
Additional Condition 2.
.
In particular, it is easy to verify that under these two additional conditions, we have by Proposition 0.6
[TABLE]
Let us fix then the value of to be . We now consider the bound given by Condition (–PELP5) for
[TABLE]
We need to know the exact dimension of these spaces, hence we impose some more conditions on the degree of the divisor (recall that if with , then ). We ask for
Additional Condition 3.
.
Finally, we get the following result.
Proposition 4.1.
Let , and . Then admits a –PELP as in (25), if
[TABLE]
In this case, bound (27) gives the decoding radius of the –PELP algorithm.
Proof.
Condition (–PELP1) is obviously satisfied by the codes defined in (25). Moreover, since , we get , i.e. Property (–PELP2). Property (–PELP4) is a consequence of the condition , which indeed entails
[TABLE]
Thanks to Additional Condition 1, we have (–PELP3). Finally one notes that bound in (–PELP5) becomes the bound on in (27) thanks to the additional conditions and the property . ∎
Remark 4.2.
As for Reed–Solomon codes, we want to have . Indeed, in this case, if and are as in Definition 2.3, we get , and the decoding radius in (27) is usually achieved according to our tests. That is why it is also important to require
[TABLE]
Note that this bound is achieved whenever we are in the hypothesis of Proposition 4.1 and .
The decoding radius can be computed even for arbitrary values of . Indeed, if we impose , we get
[TABLE]
4.3 Comparison with decoding radii of other algorithms for algebraic geometry codes
We can now compare this decoding radius with the decoding radii of Sudan's algorithm and of the power decoding algorithm for algebraic geometry codes. We have (see [SW99, Theorem 2.1] and Appendix A):
[TABLE]
First, note that if
[TABLE]
then the decoding radius (28) of the –PELP algorithm is even larger than the decoding radius of Sudan's algorithm. Furthermore, one can see that for algebraic geometry codes the power decoding algorithm and the power error locating pairs algorithm no longer have the same decoding radius: the second one is larger. Actually, our implementation of the algorithms showed that the power decoding algorithm is able to correct more errors than its decoding radius expresses, up to the decoding radius of the –PELP algorithm. This can be explained by observing that something changes in the power decoding algorithm when passing from Reed–Solomon codes to algebraic geometry codes. In both cases, the decoding radius comes as a necessary condition for a vector space to have dimension one. But for Reed–Solomon codes this is equivalent to a necessary condition for the algorithm to succeed, while for algebraic geometry codes this is no longer true.
From the tests we made, bound (28) seems to be optimal. We should specify, though, that we ran the algorithms with . Experimentally, we have seen that it is possible to run the power decoding algorithm with and obtain an empirical decoding radius
[TABLE]
which indeed corresponds to the empirical result obtained in [NB15].
4.4 Cryptanalytic application
In the last forty years, many attempts to instantiate the McEliece encryption scheme [McE78] with algebraic codes have been proposed in the literature. The use of generalised Reed–Solomon codes is known to be insecure since Sidelnikov and Shestakov's attack [SS92], which recovers the whole structure of such a code from the mere knowledge of a generator matrix. Note that a procedure recovering the structure of a generalised Reed–Solomon code from a generator matrix was actually already known to Roth and Seroussi [RS85]. The Sidelnikov–Shestakov attack has been extended to algebraic geometry codes from curves of genus 1 and 2 [Min07, FM08]. For general algebraic geometry codes, an attack has been given [CMCP17] which recovers an error correcting pair or an error correcting array from the knowledge of a generator matrix. This attack does not recover the curve, the divisor and the evaluation points, but it is enough to break the system as soon as the decoder corrects at most half the designed distance.
In a nutshell, the attack of [CMCP17] consists in computing some filtered sequences of codes from the knowledge of a generator matrix of . Namely, the codes computed are of the form and for a given rational point and for any integer . For large enough, the pair yields an error correcting pair.
Suppose now that the McEliece scheme is instantiated with an algebraic geometry code whose decryption step requires correcting beyond half the designed distance by using Sudan's or the power decoding algorithm. Strictly speaking, such a scheme is out of reach of the attack of [CMCP17]. However, the very same approach makes it possible to construct a power error locating pair. Then, Algorithm LABEL:algoPELP2 can be run without requiring any further knowledge of the curve and the divisor. This yields an interesting application of this abstract formulation of decoding beyond half the minimum distance. Note that the only such cryptographic proposal in the literature is [ZZ18], which is unfortunately out of reach of power error locating pairs since it requires a Guruswami–Sudan-like decoder with a decoding radius close to the Johnson bound.
5 PELP algorithm for cyclic codes
In this section, we give an application of the PELP algorithm for some cyclic codes. In 1994, Duursma and Kötter showed in [DK94] that an ECP algorithm can correct up to half the BCH bound and, in particular cases, also half the Roos bound (see Theorem 5.9 for a definition and [Roo83] for details).
First, we recall the main notions and fix some notation (for more details see [DK94]). Let us consider a field and an integer with . Given a vector , we denote by the image of by the following linear map:
[TABLE]
It is known that cyclic codes of length over are in correspondence with the factors of the polynomial . In particular, given in , the cyclic code associated to is
[TABLE]
In the same way, the roots of determine in a unique way the code . Hence, let us consider an extension such that contains the –th roots of unity and let be a primitive –th root of unity.
Definition 5.1.
Given , we define the matrix
[TABLE]
To any subset , one can then associate two cyclic codes.
Definition 5.2.
is called defining set for the code if
[TABLE]
Remark 5.3.
One can see that if is defined as in (29), then is a cyclic code. Indeed, we have , where and is the minimal polynomial of over . Note that different defining sets can define the same cyclic code . By applying the Frobenius morphism to the set several times, one obtains the maximal defining set, also called the complete defining set. In this paper we treat the general situation, where a defining set is not necessarily complete.
Remark 5.4.
Note that, if is a defining set for a code , then , where is a cyclic code with parity check matrix . If we denote by the minimum distance of the code , we get .
Definition 5.5.
is called generating set for the code if
[TABLE]
We stress that if is a generating set for a code , then is a code with coefficients in the larger alphabet and has generator matrix . In particular, .
Remark 5.6.
Note that a code as in (30) is a cyclic code. Indeed is the dual code of the cyclic code with defining set and it is known that the dual of a cyclic code is cyclic itself.
5.1 Roos bound
In some cases it is possible to lower bound the minimum distance of a cyclic code. Apart from the BCH bound, another, more general bound has been given by Roos ([Roo83]).
Definition 5.7.
Given , denote by the smallest set made of consecutive indices modulo that contains . Moreover, if is another subset of , we can define the sum set
[TABLE]
Finally, given , we define the set .
It is possible to relate the star product of two cyclic codes to the sum of their generating sets.
Proposition 5.8.
Let , and be three cyclic codes with generating sets respectively , and . Then,
[TABLE]
Proof.
First, note that for any we get by Definition 5.7
[TABLE]
for some and . Hence,
[TABLE]
Now, it is easy to see that the set of generators of
[TABLE]
is equal to the set consisting of the rows of the matrix (see Definition 5.1). Since, by Definition 5.5, this is a generator matrix for the code , we get that is a set of generators for both and , hence . ∎
Theorem 5.9 (Roos bound).
Let such that . Then,
[TABLE]
Proof.
See [Roo83]. ∎
Remark 5.10.
In the hypothesis of Theorem 5.9, if is the cyclic code with defining set , since , then as well.
Remark 5.11.
One can note that, under the same hypotheses as Theorem 5.9, the proof given in [Roo83] can be adapted to prove that
[TABLE]
for any with .
5.2 –PELP algorithm and Roos bound
We now focus on cyclic codes with defining set with and satisfying the hypothesis of Roos bound (Theorem 5.9). Actually, we will work with the code in for the sake of simplicity.
Theorem 5.12.
Let with and let be cyclic codes with generating sets respectively and , where
[TABLE]
Let be the cyclic code with parity check matrix and . Let us suppose that
- (i) for any we have ;
- (ii) any nonzero cyclic subcode of is non degenerated.
Then is an –power –error locating pair for the code with
[TABLE]
where and fulfill
[TABLE]
Remark 5.13.
Note that if is an –power –error locating pair for , then it is an –power –error locating pair for the cyclic code with defining set as well. This is actually a standard procedure for cyclic codes (see for instance [DK94]). In particular, this is why, if is a Reed–Solomon code, the optimised choice of PELP for with gives the decoding radius found in § 3.
Remark 5.14.
Condition (ii) on can be reformulated as follows: for any non empty subset of , there does not exist such that .
Before proving Theorem 5.12, we need the following two lemmas on the notion of degenerated codes (see § 0.3.2).
Lemma 5.15.
Let be a degenerated code. Then for any code , the code is degenerated too.
Proof.
It suffices to observe that . ∎
Lemma 5.16.
A code is degenerated if and only if is degenerated.
Proof.
Using the adjunction property (2) of the star product, one proves that . ∎
Proof of Theorem 5.12.
We treat the case , the general case being an easy generalisation. We have by hypothesis . Next, from Proposition 5.8, . Furthermore, we have . Hence, properties (–PELP1), (–PELP2) and (–PELP3) are satisfied.
Now, let us focus on property (–PELP4). We have that is contained in the code with generating set , whose distance is (note that it is a generalised Reed–Solomon code). Hence, we get , which, together with the Roos bound, gives
[TABLE]
In order to check Property (–PELP5), we first consider the case . Set . Then,
[TABLE]
From Condition (ii) on , the code is non degenerated. This last observation, together with inclusion (34) and Corollary 0.9 yield
[TABLE]
for some nonnegative integer . Next, since is non degenerated, from Lemmas 5.15 and 5.16, the code is non degenerated too. Thus, we get
[TABLE]
Now, since , using Corollary 0.9 again, we know that there exists such that
[TABLE]
Hence, by (35) and (36), property (–PELP5) is equivalent to
[TABLE]
It is now easy to generalise the proof for . Indeed if we consider and , we have as before
[TABLE]
From Condition (ii) together with Lemma 5.15, we deduce that is non degenerated. Then, by applying Corollary 0.9 iteratively and thanks to Condition (ii) again, we know that there exist two nonnegative integers and such that
[TABLE]
Note that these two equations give (33) with . Finally, by combining (33) and (36), we get that Property (–PELP5) for is equivalent to the bound in (32). ∎
Remark 5.17.
Note that and the ’s do not depend only on the choice of and but also on the parameters . Hence, in particular, the decoding radius depends as well on .
5.3 Comparison with Roos bound
We now would like to compare the obtained decoding radius to Roos bound. To do so, we consider a particular case of cyclic code. Let such that , and . Let us denote by the decoding radius (32) for and by the amount . By the equality , that is , we get
[TABLE]
Remark 5.18.
Observe that, if , the Roos bound holds even for and . Hence (37) gives useful information about the behaviour of for any with .
Equivalence (37) gives good information on the parameters needed in order to exceed half the Roos bound. Indeed, in the tests we made, the decoding radius was achieved very often.
Example 5.19.
We now give an easy example of an application of the –PELP algorithm to a cyclic code (which is not BCH) where . Let us consider , and the sets , . According to Remark 5.14, one can check that Condition (ii) of Theorem 5.12 is satisfied by . We now consider the cyclic code with parity check matrix . Since the hypotheses of the Roos bound are satisfied and , we obtain , while . In fact, the true minimum distance of can be computed to be 45. Hence we get
[TABLE]
Conclusion
We proposed a unified framework for a decoder correcting beyond half the minimum distance. Exactly as error correcting pairs can be regarded as an abstraction of the Welch–Berlekamp algorithm, our approach, called power error locating pairs, is an abstraction of power decoding for Reed–Solomon and algebraic geometry codes. This algorithm applies to any code equipped with a power error locating pair structure, such as some cyclic codes. In addition, our results turn out to have interesting consequences for code-based cryptography, since we proved that a McEliece-like system using algebraic geometry codes with a secret decoder correcting up to Sudan's radius is insecure.
On the other hand, our algorithm does not decode Reed–Solomon or algebraic geometry codes up to the Johnson radius. In this direction, finding an abstraction of Rosenkilde's extension of power decoding [RnN18] would be an interesting challenge. Such a result would for instance yield an attack on any cryptosystem like the one introduced in [ZZ18].
Acknowledgements
The authors express their gratitude to the anonymous referees for their careful work and their many relevant comments permitting a significant improvement of this article. This work was supported by French Agence Nationale de la Recherche Manta : ANR-15-CE39-0013.
Appendix A Power decoding for algebraic geometry codes
We show how the power decoding algorithm adapts to arbitrary algebraic geometry codes. Let and let be the word we want to correct, where . We then have
[TABLE]
Furthermore, as in the previous sections, we suppose that and denote the support of e by . We keep the same idea we used in the version of the algorithm for Reed–Solomon codes. Indeed, let us suppose we have such that for all . Then, given , we get
[TABLE]
We would then like to find as above. It is easy to see that such a must be sought in for a certain such that (we will give a better bound for shortly). It is possible to see as a solution of
[TABLE]
that is, a system of equations whose unknowns are the coordinates of and in the bases of and respectively. System (39) is not linear in the unknowns, though, hence we linearise it by introducing a new function for each equation. For all , we get
[TABLE]
In order to use Theorem 0.6, let us fix and suppose . We get then the following problem.
Key Problem 3.
Given and , look for such that
- with ;
- for all ;
- for all and .
Therefore, in this case too, the power decoding algorithm consists in solving a linear system, and we just consider a nonzero solution.
Decoding Radius.
As in the case of Reed–Solomon codes, we would like the solution space to have dimension one. A necessary condition for that is
[TABLE]
The number of equations is . For the number of unknowns, we need to know the dimension of the spaces for all . The bounds we have set in the hypothesis give
[TABLE]
Hence by condition (40) we get the following decoding radius
[TABLE]
Remark A.1.
This bound is neither a sufficient condition for a solution to exist nor a necessary one. In fact, as for the power decoding algorithm for Reed–Solomon codes, a good solution may be found even for a larger value of , and on the other hand the algorithm may fail even if fulfils condition (41).
References
- [Ber68] Elwyn R. Berlekamp. Algebraic coding theory. McGraw-Hill Book Co., New York-Toronto-London, 1968.
- [Ber15] Elwyn R. Berlekamp. Algebraic coding theory. World Scientific Publishing Co. Pte. Ltd., Hackensack, NJ, revised edition, 2015.
- [BH08] Peter Beelen and Tom Høholdt. The decoding of algebraic geometry codes. In Advances in algebraic geometry codes, volume 5 of Ser. Coding Theory Cryptol., pages 49–98. World Sci. Publ., Hackensack, NJ, 2008.
- [BL17] Vincent Beck and Cédric Lecouvey. Additive combinatorics methods in associative algebras. Confluentes Math., 9(1):3–27, 2017.
- [CMCP17] Alain Couvreur, Irene Márquez-Corbella, and Ruud Pellikaan. Cryptanalysis of McEliece cryptosystem based on algebraic geometry codes and their subcodes. IEEE Trans. Inform. Theory, 63(8):5404–5418, Aug 2017.
- [COT17] Alain Couvreur, Ayoub Otmani, and Jean-Pierre Tillich. Polynomial time attack on wild McEliece over quadratic extensions. IEEE Trans. Inform. Theory, 63(1):404–427, Jan 2017.
- [DK94] Iwan M. Duursma and Ralf Kötter. Error-locating pairs for cyclic codes. IEEE Trans. Inform. Theory, 40(4):1108–1121, July 1994.
- [Duu93] Iwan M. Duursma. Decoding codes from curves and cyclic codes. PhD thesis, Technische Universiteit Eindhoven, 1993.
