Fast Kötter–Nielsen–Høholdt Interpolation over Skew Polynomial Rings

Hannes Bartz Thomas Jerkovits Institute of Communications and Navigation,
German Aerospace Center (DLR), D-82234 Oberpfaffenhofen, Germany (e-mail: {hannes.bartz, thomas.jerkovits}@dlr.de)

Abstract

Skew polynomials are a class of non-commutative polynomials that have several applications in computer science, coding theory and cryptography. In particular, skew polynomials can be used to construct and decode evaluation codes in several metrics, like e.g. the Hamming, rank, sum-rank and skew metric.

In this paper we propose a fast divide-and-conquer variant of the Kötter–Nielsen–Høholdt (KNH) interpolation over free modules over skew polynomial rings. The proposed KNH interpolation can be used to solve the interpolation step of interpolation-based decoding of (interleaved) Gabidulin, linearized Reed–Solomon and skew Reed–Solomon codes efficiently, which have various applications in coding theory and code-based quantum-resistant cryptography.

keywords:

Kötter interpolation, skew polynomial rings, divide-and-conquer

TOP: term-over-position
DaC: divide-and-conquer
KNH: Kötter–Nielsen–Høholdt
LCLM: least common left multiple
SRS: skew Reed–Solomon
ISRS: interleaved skew Reed–Solomon
LRS: linearized Reed–Solomon
LLRS: lifted linearized Reed–Solomon
ILRS: interleaved linearized Reed–Solomon
LILRS: lifted interleaved linearized Reed–Solomon
MSRD: maximum sum-rank distance
MSD: maximum skew distance
MRD: maximum rank distance
$\mathbf{w}$ -owPB: $\mathbf{w}$ -ordered weak-Popov Basis

^†^†thanks: The authors would like to thank Johan Rosenkilde for valuable and fruitful discussions.

1 Introduction

Skew polynomials are a class of non-commutative polynomials, that were introduced by Ore (1933b) and that have a variety of applications in computer science, coding theory and cryptography. The non-commutativity stems from the multiplication rule, which involves both, a field automorphism $\sigma$ and a field derivation $\delta$ . Unlike ordinary polynomials, there exist several ways to evaluate skew polynomials. In Lam (1985); Lam and Leroy (1988) general results regarding the so-called remainder evaluation of skew polynomials were defined. First results on the generalized operator evaluation were derived in Leroy et al. (1995). Depending on the choice of the automorphism $\sigma$ and the derivation $\delta$ , skew polynomial rings include several polynomial rings as a special case, such as the ordinary polynomial ring as well as the linearized polynomial ring Ore (1933a, b). This property along with the different ways to evaluate skew polynomials make them a very versatile tool with many different applications.

One important application of skew polynomials is the construction of evaluation codes, that have distance properties in several decoding metrics, including the Hamming, rank, sum-rank, skew and other related metrics such as the (sum-)subspace metric Boucher and Ulmer (2014); Martínez-Peñas (2018); Martínez-Peñas and Kschischang (2019b); Caruso (2019).

In general, evaluation codes can be decoded via efficient interpolation-based decoding algorithms, like e.g. the Welch and Berlekamp (1986) and Sudan (1997) algorithms for decoding Reed–Solomon codes. In Kötter (1996) a bivariate interpolation algorithm for Sudan-like decoding of Reed–Solomon codes Kötter (1996) (over ordinary polynomial rings) was presented that since then is often referred to as the Kötter interpolation. The Kötter interpolation as it is known today was first stated by Nielsen and Høholdt in Nielsen and Høholdt (2000) as a generalization of Kötter’s algorithm Kötter (1996). To acknowledge the contribution by Nielsen and Høholdt we refer to the algorithm as Kötter–Nielsen–Høholdt (KNH) interpolation. A fast divide-and-conquer variant of the KNH interpolation for the Guruswami–Sudan algorithm for decoding Reed–Solomon codes was presented in Nielsen (2014).

A multivariate generalization of the KNH interpolation Wang et al. (2005) for free modules over ordinary polynomial rings was proposed in Wang et al. (2005). This approach was generalized to free modules over linearized polynomial rings by Xie et al. (2011). A further generalization to free modules over skew polynomial rings was proposed by Liu et al. (2014), which contains the variants over ordinary polynomial rings Wang et al. (2005) and linearized polynomial rings Xie et al. (2011) as special cases.

The evaluation and interpolation of multivariate skew polynomials was also considered in Martínez-Peñas and Kschischang (2019a); here with the main motivation to construct Reed-Muller-like codes (see also Geiselmann and Ulmer (2019); Martínez-Peñas (2020)).

In this paper, we propose a fast divide-and-conquer (DaC) variant of the KNH interpolation over skew polynomial rings Liu et al. (2014), that uses ideas from Nielsen (2014). The main idea of the proposed algorithm (Algorithm 3) is, that the interpolation problem is divided into smaller sub-problems, that can be solved and merged efficiently. In particular, the update operations in each loop of the KNH interpolation are “recorded” and then applied to a degree-reduced basis in the merge step rather than to a non-reduced basis. This allows to restrict the degree of the polynomials during the interpolation procedure which in turn results in a lower computational complexity.

We state the interpolation problem and the fast skew KNH interpolation algorithm in a general way using linear functionals over skew polynomial rings with arbitrary automorphisms and derivations. The proposed framework can be used for interpolation-based decoding of skew evaluation codes such as (linearized) Reed–Solomon and Gabidulin codes in several decoding metrics by an appropriate choice of the automorphism/derivation and definition of the linear functionals. The correctness proofs are omitted due to space restrictions and will be provided in a future full version of the paper.

The considered interpolation problem can also be solved using the skew minimal approximant bases methods from Bartz et al. (2020). Compared to the proposed approach, the approach from Bartz et al. (2020) requires the quite involved theory of minimal approximant bases in skew polynomial rings, whereas the proposed approach uses ideas from the well-known KNH interpolation which is simpler and therefore easier to understand.

2 Preliminaries

Let $\mathbb{F}_{q}$ be a finite field and denote by $\mathbb{F}_{q^{m}}$ the extension field of degree $m$ . Let $\sigma:\mathbb{F}_{q^{m}}\mapsto\mathbb{F}_{q^{m}}$ be a field automorphism of $\mathbb{F}_{q^{m}}$ and let $\delta:\mathbb{F}_{q^{m}}\mapsto\mathbb{F}_{q^{m}}$ be a $\sigma$ -derivation such that

\displaystyle\delta(a+b)\!=\!\delta(a)\!+\!\delta(b)\quad\text{and}\quad\delta(ab)\!=\!\delta(a)b\!+\!\sigma(a)\delta(b).

(1)

Skew polynomials are non-commutative polynomials that were introduced by Ore Ore (1933b). The set of all polynomials of the form

f(x)=\sum_{i}f_{i}x^{i}\qquad\text{with }f_{i}\in\mathbb{F}_{q^{m}}

(2)

together with the ordinary polynomial addition and the multiplication rule

xa=\sigma(a)x+\delta(a)

(3)

forms the non-commutative ring of skew polynomials that is denoted by $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ . The degree of a polynomial $f\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ is defined as $\deg(f)\overset{\operatorname{def}}{=}\max_{i}\{i:f_{i}\neq 0\}$ for $f\neq 0$ and $-\infty$ else. Further, by $\mathbb{F}_{q^{m}}[x;\sigma,\delta]_{<n}$ we denote the set of skew polynomials from $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ of degree less than $n$ .

The monic least common left multiple (LCLM) of some polynomials $p_{0},p_{1},\dots,p_{n-1}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ is denoted by

\text{lclm}\left(p_{i}\right)_{0\leq i\leq n-1}\overset{\operatorname{def}}{=}\text{lclm}\left(p_{0},p_{1},\dots,p_{n-1}\right).

(4)

The skew polynomial ring $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ is a left and right Euclidean domain. Efficient Euclidean-like algorithms for performing left/right skew polynomial division exist (see Caruso and Le Borgne (2017b, a); Puchinger and Wachter-Zeh (2018)). For two skew polynomials $f,g\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ , denote by $f\;\mathrm{mod}_{\mathrm{r}}\;g$ the remainder of the right division of $f$ by $g$ .

Skew polynomial rings include several polynomial rings as special cases, like e.g. ordinary polynomial rings and linearized polynomial rings.

The generalized operator evaluation defined in Leroy et al. (1995) allows to $\mathbb{F}_{q}$ -linearize the skew polynomial evaluation and therefore establishes the link between the skew polynomial ring and the linearized polynomial ring (cf. Ore (1933a, b)).

2.0.1 Skew Polynomial Vectors and Matrices

For two vectors $\mathbf{a},\mathbf{b}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{n}$ we denote by $\text{lclm}\left(\mathbf{a},\mathbf{b}\right)$ the element-wise LCLM of the elements in $\mathbf{a}$ and $\mathbf{b}$ and by $\mathbf{a}\;\mathrm{mod}_{\mathrm{r}}\;\mathbf{b}$ the element-wise right modulo operation, respectively. For a vector $\mathbf{a}=\left(a_{0},a_{1},\dots,a_{n-1}\right)\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{n}$ and a vector $\mathbf{w}=(w_{0},w_{1},\dots,w_{n-1})\in\mathbb{Z}_{+}^{n}$ we define its $\mathbf{w}$ -weighted degree as

\deg_{\mathbf{w}}(\mathbf{a})\overset{\operatorname{def}}{=}\max_{0\leq j\leq n-1}\{\deg(a_{j})+w_{j}\}.

(5)

Further, we define the $\mathbf{w}$ -weighted monomial ordering $\prec_{\mathbf{w}}$ on $\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{n}$ such that we have

x^{\ell}\mathbf{e}_{j}\prec_{\mathbf{w}}x^{\ell^{\prime}}\mathbf{e}_{j^{\prime}}

(6)

if $\ell+w_{j}<\ell^{\prime}+w_{j^{\prime}}$ or if $\ell+w_{j}=\ell^{\prime}+w_{j^{\prime}}$ and $j<j^{\prime}$ , where $\mathbf{e}_{j}$ denotes the $j$ -th unit vector over $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ . The definition of $\prec_{\mathbf{w}}$ coincides with the $\mathbf{w}$ -weighted term-over-position (TOP) ordering as defined in Adams et al. (1994).

For a vector $\mathbf{a}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{n}\setminus\{\mathbf{0}\}$ and weighting vector $\mathbf{w}=(w_{0},\dots,w_{n-1})\in\mathbb{Z}_{+}^{n}$ , we define the $\mathbf{w}$ -pivot index $\textrm{Ind}_{\mathbf{\mathbf{w}}}(\mathbf{a})$ of $\mathbf{a}$ to be the largest index $j$ with $0\leq j\leq n-1$ such that $\deg(a_{j})+w_{j}=\deg_{\mathbf{w}}(\mathbf{a})$ . A matrix $\mathbf{A}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{a\times b}$ with $a\leq b$ is in (row) $\mathbf{w}$ -ordered weak Popov form if the $\mathbf{w}$ -pivot indices of its rows are strictly increasing in the row index.

A free $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -module is a module that has a basis consisting of $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -linearly independent elements. The rank of this module equals the cardinality of that basis. In the following we consider particular bases for (left) $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -modules.

Definition 1

Consider a left $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -submodule $\mathcal{M}$ of $\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{b}$ . For $\mathbf{w}\in\mathbb{Z}^{a}$ , a left $\mathbf{w}$ -ordered weak-Popov Basis ( $\mathbf{w}$ -owPB) is a full-rank matrix $\mathbf{A}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{a\times a}$ such that

1.

$\mathbf{A}$ is in $\mathbf{w}$ -ordered weak Popov form,
2.

the rows of $\mathbf{A}$ are a basis of $\mathcal{M}$ .

We now consider the skew KNH interpolation from Liu et al. (2014), which is the skew polynomial analogue of the KNH interpolation over ordinary polynomial rings in Wang et al. (2005). Note, that due to the isomorphism between $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ and the ring of linearized polynomials for $\sigma$ being the Frobenius automorphism and $\delta=0$ (zero derivations), the KNH variant over linearized polynomial rings in Xie et al. (2011) can be seen as a special case of Liu et al. (2014).

Define the $\mathbb{F}_{q^{m}}$ -linear functionals $\mathscr{E}_{i}$

	$\displaystyle\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}$	$\displaystyle\mapsto\mathbb{F}_{q^{m}}$
	$\displaystyle\mathbf{Q}$	$\displaystyle\mapsto\mathbb{F}_{q^{m}}$		(7)

and the kernels

\mathcal{K}_{i}\overset{\operatorname{def}}{=}\{\mathbf{b}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}:\mathscr{E}_{i}(\mathbf{b})=0\}

(8)

for all $i=0,\dots,n-1$ . For $0\leq i\leq n-1$ the intersection $\overline{\mathcal{K}}_{i}\overset{\operatorname{def}}{=}\mathcal{K}_{0}\cap\mathcal{K}_{1}\cap\dots\cap\mathcal{K}_{i}$ contains all vectors from $\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}$ that are mapped to zero under $\mathscr{E}_{0},\mathscr{E}_{1},\dots,\mathscr{E}_{i}$ , i.e.

\overline{\mathcal{K}}_{i}=\{\mathbf{b}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}:\mathscr{E}_{j}(\mathbf{b})=0,\forall j=0,\dots,i\}.

(9)

Under the assumption that the $\overline{\mathcal{K}}_{i}$ are $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -submodules for all $i=0,\dots,n-1$ (see Liu et al. (2014)) we can state the general skew polynomial vector interpolation problem.

Problem 2 (General Vector Interpolation Problem)

Given the integer $s\in\mathbb{Z}_{+}$ , a set of $\mathbb{F}_{q^{m}}$ -linear functionals $\mathcal{E}=\{\mathscr{E}_{0},\dots,\mathscr{E}_{n-1}\}$ and a vector $\mathbf{w}\in\mathbb{Z}_{+}^{s+1}$ compute a $\mathbf{w}$ -owPB for the left $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -module $\overline{\mathcal{K}}_{n-1}$ .

Problem 2 can be solved using a slightly modified variant of the multivariate skew KNH interpolation from Liu et al. (2014). Since the solution of Problem 2 is a $\mathbf{w}$ -owPB for the interpolation module $\overline{\mathcal{K}}_{n-1}$ instead of a single minimal polynomial vector, we modified the output of (Liu et al., 2014, Algorithm 1) such that it returns a whole basis for the interpolation module $\overline{\mathcal{K}}_{n-1}$ . A similar approach was used in Bartz (2017) to construct a basis for the interpolation module over linearized polynomial rings.

In the description of the algorithms we denote by $\text{TOP-}{\arg\min}\{d_{j}\}$ the $\arg\min$ operator that returns the smallest possible index $j$ to break ties, where $\{d_{j}\}$ is a set of integers. This property is needed to comply with the $\prec_{\mathbf{w}}$ -ordering described in (6). It is well-known that the Kötter interpolation computes a $\mathbf{w}$ -owPB (i.e. a minimal Gröbner basis w.r.t. the monomial ordering $\prec_{\mathbf{w}}$ ) for the left $\mathbb{F}_{q^{m}}[x;\sigma,\delta]$ -submodule $\overline{\mathcal{K}}_{n-1}$ . The modified multivariate skew KNH interpolation is summarized in Algorithm 1.

Input : A set

\{\mathscr{E}_{0},\mathscr{E}_{1},\dots,\mathscr{E}_{n-1}\}

of vector evaluation maps

A “weighting” vector

\mathbf{w}\in\mathbb{Z}_{+}^{s+1}

Output : A

\mathbf{w}

-owPB

\mathbf{B}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

for

\overline{\mathcal{K}}_{n-1}

1 Initialize:

\mathbf{B}=\mathbf{I}_{s+1}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

3for $i\leftarrow 0$ to $n-1$ do

4 for $j\leftarrow 0$ to $s$ do

\Delta_{j}\leftarrow\mathscr{E}_{i}(\mathbf{b}_{j})

\mathcal{J}\leftarrow\{j:\Delta_{j}\neq 0\}

7 if $\mathcal{J}\neq\emptyset$ then

j^{*}\leftarrow\text{TOP-}\underset{j\in J}{\arg\min}\{\deg_{\mathbf{w}}(\mathbf{b}_{j})\}

\mathbf{b}^{*}\leftarrow\mathbf{b}_{j^{*}}

10 for $j\in\mathcal{J}$ do

11 if $j=j^{*}$ then

\mathbf{b}_{j}\leftarrow\left(x-\frac{\mathscr{E}_{i}(x\mathbf{b}^{*})}{\Delta_{j^{*}}}\right)\mathbf{b}^{*}

;

/* degree-increasing step */

13 else

\mathbf{b}_{j}\leftarrow\mathbf{b}_{j}-\frac{\Delta_{j}}{\Delta_{j^{*}}}\mathbf{b}^{*}

;

/* cross-evaluation step */

return $\mathbf{B}$

Algorithm 1 Modified Skew KNH Interpolation

In each iteration of Algorithm 1 (and so (Liu et al., 2014, Algorithm 1)) there are three possible update steps:

No update: The vector $\mathbf{b}_{j}$ is not updated if $\mathbf{b}_{j}$ is in the kernel

\overline{\mathcal{K}}_{i}=\{\mathbf{b}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}:\mathscr{E}_{i}(\mathbf{b})=0,\forall i=0,\dots,i\}

already, i.e. if $\Delta_{j}=\mathscr{E}_{i}(\mathbf{b}_{j})=0$ .

Cross-evaluation (or order-preserving Liu et al. (2014)) update: For any $\mathbf{b}_{j}$ that is not minimal w.r.t. $\prec_{\mathbf{w}}$ (i.e. $j\neq j^{*}$ ) the cross-evaluation update (Line 1) is performed such that

\displaystyle\mathscr{E}_{i}\left(\mathbf{b}_{j}-\frac{\Delta_{j}}{\Delta_{j^{*}}}\mathbf{b}^{*}\right)=\mathscr{E}_{i}(\mathbf{b}_{j})-\frac{\mathscr{E}_{i}(\mathbf{b}_{j})}{\mathscr{E}_{i}(\mathbf{b}_{j^{*}})}\mathscr{E}_{i}(\mathbf{b}_{j^{*}})=0.

Note, that the ( $\mathbf{w}$ -weighted) degree of $\mathbf{b}_{j}$ is not increased by this update.

Degree-increasing (or order-increasing Liu et al. (2014)) update: For the minimal vector $\mathbf{b}_{j^{*}}\overset{\operatorname{def}}{=}\mathbf{b}^{*}$ w.r.t. $\prec_{\mathbf{w}}$ the degree-increasing update (Line 1) is performed such that

\displaystyle\mathscr{E}_{i}\left(\!\left(x\!-\!\frac{\mathscr{E}_{i}(x\mathbf{b}^{*})}{\Delta_{j^{*}}}\right)\mathbf{b}^{*}\right)\!=\!\mathscr{E}_{i}(x\mathbf{b}^{*})\!-\!\frac{\mathscr{E}_{i}(x\mathbf{b}^{*})}{\mathscr{E}_{i}(\mathbf{b}^{*})}\mathscr{E}_{i}(\mathbf{b}^{*})\!=\!0.

The ( $\mathbf{w}$ -weighted) degree of $\mathbf{b}^{*}$ is increased by one in this case.

The different update steps are illustrated in (Liu et al., 2014, Figure 1).

3 Fast Kötter–Nielsen–Høholdt Interpolation over Skew Polynomial Rings

In Nielsen (2014) a fast DaC variant of the Kötter interpolation over ordinary polynomial rings for the Guruswami–Sudan decoder was presented. We now use ideas from Nielsen (2014) to speed up the skew KNH interpolation from Liu et al. (2014). The main idea is to split up Problem 2 into smaller subproblems and to consider degree-reduced skew polynomial matrices rather than the full matrices as in Liu et al. (2014). In the following, we describe the general framework for the fast skew KNH interpolation algorithm w.r.t. to general vector evaluation maps based on e.g. the generalized operator evaluation and remainder evaluation.

The operations performed on the basis $\mathbf{B}$ in the inner loop of the $i$ -th iteration of Algorithm 1 can be represented by the matrix

\mathbf{U}_{i}=\left(\begin{array}[]{ccc|c|ccc}1&&&-\frac{\Delta_{0}}{\Delta_{j^{*}}}&&&\\[-3.0pt] &\ddots&&\vdots&&&\\ &&1&-\frac{\Delta_{j^{*}-1}}{\Delta_{j^{*}}}&&&\\ &&&x-\frac{\mathscr{E}_{i}(x\mathbf{b}_{j^{*}})}{\Delta_{j^{*}}}&&&\\ &&&-\frac{\Delta_{j^{*}+1}}{\Delta_{j^{*}}}&1&&\\[-3.0pt] &&&\vdots&&\ddots&\\ &&&-\frac{\Delta_{s}}{\Delta_{j^{*}}}&&&1\end{array}\right)

(10)

Note, that if $\Delta_{j}=0$ no update on the row $\mathbf{b}_{j}$ is performed since $\Delta_{j}/\Delta_{j^{*}}=0$ .

To describe the following algorithms we introduce some notations. $\mathbf{M}_{[i,j]}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}$ denotes a polynomial vector that is dependent on the index set $\{i,i+1,\ldots,j-1,j\}$ with $j\geq i$ and $\mathbf{M}_{[i,i]}=\mathbf{M}_{i}$ . The set $\mathcal{M}$ is globally available for all algorithms and is defined as

	$\displaystyle\mathcal{M}=\{$	$\displaystyle\mathbf{M}_{[0,n-1]},\mathbf{M}_{[0,\lfloor n/2\rfloor-1]},\mathbf{M}_{[\lfloor n/2\rfloor,n-1]},\ldots$
		$\displaystyle\ldots,\mathbf{M}_{0},\mathbf{M}_{1},\ldots,\mathbf{M}_{n-1}\}\subseteq\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{s+1}$		(11)

for an integer $n\in\mathbb{Z}_{+}$ . For a set of evaluation maps $\mathcal{E}=\{\mathscr{E}_{0},\ldots,\mathscr{E}_{n-1}\}$ we use a similar notation to access a subset of $\mathcal{E}$ as $\mathcal{E}_{[i,j]}=\{\mathscr{E}_{i},\dots,\mathscr{E}_{j}\}$ .

In order to describe a general framework for the fast skew KNH interpolation, we need the following assumption for the linear functionals.

Assumption 1

Let $\mathcal{E}=\{\mathscr{E}_{0},\ldots,\mathscr{E}_{n-1}\}$ be a set of linear functionals as defined in (2.0.1) and let $\mathcal{E}_{[i,j]}=\{\mathscr{E}_{i},\ldots,\mathscr{E}_{j}\}\subseteq\mathcal{E}$ . We assume that for all $0\leq i\leq j\leq n-1$ there exits a skew polynomial vector ${\mathbf{M}}_{[i,j]}\in\mathcal{M}$ (which contains minimal skew polynomials that depend on $\mathcal{E}_{[i,j]}$ ) such that

\mathscr{E}_{l}(\mathbf{Q})=\mathscr{E}_{l}(\mathbf{Q}\;\mathrm{mod}_{\mathrm{r}}\;{\mathbf{M}}_{[i,j]}),\quad\forall l=i,\dots,j.

(12)

Input : A skew vector evaluation map

\mathscr{E}_{i}

\mathbf{B}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

\mathbf{d}\in\mathbb{Z}_{+}^{s+1}

s.t.

d_{j}=\deg_{\mathbf{w}}(\mathbf{b}_{j}),\,\forall j=0,\dots,s

Output :

\mathbf{T}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

s.t. the rows of

\mathbf{\hat{B}}\overset{\operatorname{def}}{=}\mathbf{TB}

is a

\mathbf{w}

-owPB for

\langle\mathbf{B}\rangle\cap\mathcal{K}_{i}

\mathbf{\hat{d}}\in\mathbb{Z}_{+}^{s+1}

s.t.

\hat{d}_{j}=\deg_{\mathbf{w}}(\mathbf{\hat{b}}_{j}),\,\forall j=0,\dots,s

\mathbf{\hat{d}}\leftarrow\mathbf{{d}}

3 for $j\leftarrow 0$ to $s$ do

\Delta_{j}\leftarrow\mathscr{E}_{i}(\mathbf{b}_{j})

\mathcal{J}\leftarrow\{j:d_{j}\neq 0\}

\mathbf{T}\leftarrow\mathbf{I}_{s+1}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

7 if $\mathcal{J}\neq\emptyset$ then

j^{*}\leftarrow\text{TOP-}\underset{l\in J}{\arg\min}\{d_{l}\}

\mathbf{T}\leftarrow\mathbf{U}_{i}

where

\mathbf{U}_{i}

is as in (10)

\hat{d}_{j^{*}}\leftarrow\hat{d}_{j^{*}}+1

return $(\mathbf{T},\mathbf{\hat{d}})$

Algorithm 2 SkewInterpolatePoint

Equipped with the routine SkewInterpolatePoint in Algorithm 2 to solve the basic step we can now state a DaC variant of the skew KNH interpolation from Liu et al. (2014), which is given in Algorithm 3.

Input : linear functionals

\mathcal{E}_{[i_{1},i_{2}]}=\{\mathscr{E}_{i_{1}},\dots,\mathscr{E}_{i_{2}}\}

\mathbf{B}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

\mathbf{d}\in\mathbb{Z}_{+}^{s+1}

s.t.

d_{j}=\deg_{\mathbf{w}}(\mathbf{b}_{j}),\,\forall j=0,\dots,s

Output : A matrix

\mathbf{T}\in\mathbb{F}_{q^{m}}[x;\sigma,\delta]^{(s+1)\times(s+1)}

s.t.

\mathbf{\hat{B}}\!\overset{\operatorname{def}}{=}\!\mathbf{TB}

is a

\mathbf{w}

-owPB

for

\langle\mathbf{B}\rangle\!\cap\!\mathcal{K}_{i_{1}}\!\!\cap\!\dots\!\cap\!\mathcal{K}_{i_{2}}

\mathbf{\hat{d}}\in\mathbb{Z}_{+}^{s+1}

s.t.

\hat{d}_{j}=\deg_{\mathbf{w}}(\mathbf{\hat{b}}_{j}),\,\forall j=0,\dots,s

3if $i_{1}=i_{2}$ then

4 return $\textsf{SkewInterpolatePoint}(\mathscr{E}_{i_{1}},{\mathbf{B}},\mathbf{d})$

5else

z\leftarrow\left\lfloor\frac{i_{1}+i_{2}}{2}\right\rfloor

{\mathbf{B}}_{1}\leftarrow{\mathbf{B}}\;\mathrm{mod}_{\mathrm{r}}\;{\mathbf{M}}_{[i_{1},z]}

(\mathbf{T}_{1},\mathbf{d}_{1})\leftarrow\textsf{SkewInterpolateTree}(\mathcal{E}_{[i_{1},z]},{\mathbf{B}}_{1},\mathbf{d})

{\mathbf{B}}_{2}\leftarrow\mathbf{T}_{1}{\mathbf{B}}\;\mathrm{mod}_{\mathrm{r}}\;{\mathbf{M}}_{[z+1,i_{2}]}

(\mathbf{T}_{2},\mathbf{d}_{2})\leftarrow\textsf{SkewInterpolateTree}(\mathcal{E}_{[z+1,i_{2}]},{\mathbf{B}}_{2},\mathbf{d}_{1})

11 return $(\mathbf{T}=\mathbf{T}_{2}\mathbf{T}_{1},\mathbf{\hat{d}}=\mathbf{d}_{2})$

Algorithm 3 SkewInterpolateTree

An essential part in Algorithm 3 is the degree-reduction via the minimal skew polynomial vectors ${\mathbf{M}}_{[i,j]}$ from the globally available set $\mathcal{M}$ defined in (11). We now sketch a generic procedure to pre-compute the set $\mathcal{M}$ efficiently. We consider minimal polynomials which can be constructed by means of the LCLM of polynomial sequences, such as minimal skew polynomials with respect to the generalized operator and remainder evaluation (see (Caruso and Le Borgne, 2017a, Theorem 3.2.7)).

The DaC structure of the proposed procedure is illustrated in Figure 1 for an example of $\kappa=4$ . The initial minimal polynomial vectors ${\mathbf{M}}_{0},{\mathbf{M}}_{1},\ldots,{\mathbf{M}}_{\kappa-1}$ from which all other minimal polynomials are computed via the LCLM, are computed w.r.t. to the generalized operator or remainder evaluation depending on the application.

Figure 1: Illustration of the computation tree to precompute all minimal polynomial vectors in the set

\mathcal{M}

for

\kappa=4

4 Applications in Coding and Cryptography

Efficient methods for solving instances of Problem 2 are essential for several applications in coding theory and code-based quantum-resistant cryptography.

For $\delta=0$ , instances of Problem 2 correspond to the complexity-dominating interpolation problem of interpolation-based decoding of (interleaved/folded) linearized Reed–Solomon codes in the sum-rank metric (see Martínez-Peñas (2018); Caruso (2019); Bartz and Puchinger (2022); Hörmann and Bartz (2022)). Compared to the original skew KNH interpolation by Liu et al. (2014), which requires at most $\mathcal{O}({s^{2}n^{2}})$ operations in $\mathbb{F}_{q^{m}}$ , Algorithm 3 can solve the corresponding interpolation problem requiring only at most $\widetilde{O}\mathopen{}\left(s^{\omega}\mathfrak{M}(n)\right)\mathclose{}$ operations in $\mathbb{F}_{q^{m}}$ , where $s\ll n$ is the interleaving order (or the decoding parameter for folded codes), $\omega$ the matrix multiplication exponent (currently $\omega<2.37286$ ), $n$ the length of the code and $\widetilde{O}\mathopen{}\left(\cdot\right)\mathclose{}$ the soft- $O$ notation which neglects log factors.

As (interleaved/folded) linearized Reed–Solomon codes include (interleaved/folded) Reed–Solomon codes (see Bleichenbacher et al. (2003); Guruswami and Rudra (2008)) in the Hamming metric and (interleaved/folded) Gabidulin codes (see Overbeck (2006); Mahdavifar and Vardy (2012)) in the rank metric as special cases, the interpolation steps in the respective interpolation-based decoders (see e.g. Guruswami and Rudra (2008); Wachter-Zeh and Zeh (2014); Mahdavifar and Vardy (2012)) can be sped-up by Algorithm 3 to at most $\widetilde{O}\mathopen{}\left(s^{\omega}\mathfrak{M}(n)\right)\mathclose{}$ operations in $\mathbb{F}_{q^{m}}$ .

Similarly, the interpolation step in the interpolation-based decoder for ( $s$ -interleaved) skew Reed–Solomon codes in the skew metric can be solved using Algorithm 3 requiring at most $\widetilde{O}\mathopen{}\left(s^{\omega}\mathfrak{M}(n)\right)\mathclose{}$ operations in $\mathbb{F}_{q^{m}}$ .

Apart from error correction in communication systems, variants of (linearized) Reed–Solomon and Gabidulin codes are used to design quantum-resistant code-based cryptosystems (see e.g. Melchor et al. (2018, 2017); Loidreau (2017); Renner et al. (2021); Puchinger et al. (2020)). In order to obtain a good encryption/decryption performance of the corresponding cryptosystems, fast decoding algorithms for the respective codes are required. As in general the interpolation step dominates the overall complexity of interpolation-based decoders, the proposed fast skew KNH interpolation algorithm is an important factor for developing high-performance code-based cryptosystems.

In order to prevent side-channel attacks that exploit correlations between the error patterns and the runtime of the interpolation algorithm, future work will consider constant-time variants of the proposed algorithm in the spirit of Bettaieb et al. (2019).

5 Conclusion

We presented a fast divide-and-conquer variant of the Kötter–Nielsen–Høholdt (KNH) interpolation over free modules over skew polynomial rings. The proposed algorithm divides the interpolation problem into smaller sub-problems, which can be solved and merged efficiently, and uses degree-restricted polynomials for the intermediate steps to reduce the computational complexity. The fast interpolation algorithm can be used to speed up existing interpolation-based decoders for variants of linearized and skew Reed–Solomon codes in the Hamming, (sum-)rank and skew metric.

References

Adams et al. (1994) Adams, W.W., Adams, W.W., ADAMS, W.H., Loustaunau, P., and Adams, W.W. (1994). An Introduction to Gröbner Bases. 3. American Mathematical Soc.
Bartz (2017) Bartz, H. (2017). Algebraic Decoding of Subspace and Rank-Metric Codes. Ph.D. thesis, Technische Universität München.
Bartz et al. (2020) Bartz, H., Jerkovits, T., Puchinger, S., and Rosenkilde, J. (2020). Fast Decoding of Codes in the Rank, Subspace, and Sum-Rank Metric. arXiv preprint arXiv:2005.09916.
Bartz and Puchinger (2022) Bartz, H. and Puchinger, S. (2022). Fast Decoding of Interleaved Linearized Reed–Solomon Codes and Variants. submitted to: IEEE Transactions on Information Theory.
Bettaieb et al. (2019) Bettaieb, S., Bidoux, L., Gaborit, P., and Marcatel, E. (2019). Preventing Timing Attacks against RQC using Constant Time Decoding of Gabidulin Codes. In International Conference on Post-Quantum Cryptography, 371–386. Springer.
Bleichenbacher et al. (2003) Bleichenbacher, D., Kiayias, A., and Yung, M. (2003). Decoding of Interleaved Reed Solomon Codes Over Noisy Data. In International Colloquium on Automata, Languages, and Programming, 97–108. Springer.
Boucher and Ulmer (2014) Boucher, D. and Ulmer, F. (2014). Linear Codes using Skew Polynomials with Automorphisms and Derivations. Designs, codes and cryptography, 70(3), 405–431.
Caruso (2019) Caruso, X. (2019). Residues of Skew Rational Functions and Linearized Goppa Codes. arXiv preprint arXiv:1908.08430.
Caruso and Le Borgne (2017a) Caruso, X. and Le Borgne, J. (2017a). A New Faster Algorithm for Factoring Skew Polynomials Over Finite Fields. Journal of Symbolic Computation, 79, 411–443.
Caruso and Le Borgne (2017b) Caruso, X. and Le Borgne, J. (2017b). Fast Multiplication for Skew Polynomials. In International Symposium on Symbolic and Algebraic Computation (ISSAC).
Geiselmann and Ulmer (2019) Geiselmann, W. and Ulmer, F. (2019). Skew Reed Muller Codes.
Guruswami and Rudra (2008) Guruswami, V. and Rudra, A. (2008). Explicit Codes achieving List Decoding Capacity: Error-Correction with Optimal Redundancy. IEEE Transactions on Information Theory, 54(1), 135–150.
Hörmann and Bartz (2022) Hörmann, F. and Bartz, H. (2022). Efficient Decoding of Folded Linearized Reed-Solomon Codes in the Sum-Rank Metric. accepted at: The Twelfth International Workshop on Coding and Cryptography (WCC).
Kötter (1996) Kötter, R. (1996). On Algebraic Decoding of Algebraic-Geometric and Cyclic Codes. Dissertation, Linköping University of Technology.
Lam (1985) Lam, T.Y. (1985). A General Theory of Vandermonde Matrices. Center for Pure and Applied Mathematics, University of California, Berkeley.
Lam and Leroy (1988) Lam, T.Y. and Leroy, A. (1988). Vandermonde and Wronskian Matrices over Division Rings. Journal of Algebra, 119(2), 308–336.
Leroy et al. (1995) Leroy, A. et al. (1995). Pseudolinear Transformations and Evaluation in Ore Extensions. Bulletin of the Belgian Mathematical Society-Simon Stevin, 2(3), 321–347.
Liu et al. (2014) Liu, S., Manganiello, F., and Kschischang, F.R. (2014). Kötter interpolation in skew polynomial rings. Designs, codes and cryptography, 72(3), 593–608.
Loidreau (2017) Loidreau, P. (2017). A new rank metric codes based encryption scheme. In 8th Int. Conf. on Post-Quantum Cryptography (PQCrypto).
Mahdavifar and Vardy (2012) Mahdavifar, H. and Vardy, A. (2012). List-Decoding of Subspace Codes and Rank-Metric Codes up to Singleton Bound. In 2012 IEEE International Symposium on Information Theory Proceedings, 1488–1492. IEEE.
Martínez-Peñas (2018) Martínez-Peñas, U. (2018). Skew and Linearized Reed–Solomon Codes and Maximum Sum Rank Distance Codes over any Division Ring. Journal of Algebra, 504, 587–612.
Martínez-Peñas (2020) Martínez-Peñas, U. (2020). Theory and Applications of Linearized Multivariate Skew Polynomials. arXiv preprint arXiv:2001.01273.
Martínez-Peñas and Kschischang (2019a) Martínez-Peñas, U. and Kschischang, F.R. (2019a). Evaluation and Interpolation over Multivariate Skew Polynomial Rings. Journal of Algebra, 525, 111–139.
Martínez-Peñas and Kschischang (2019b) Martínez-Peñas, U. and Kschischang, F.R. (2019b). Reliable and Secure Multishot Network Coding using Linearized Reed-Solomon Codes. IEEE Transactions on Information Theory, 65(8), 4785–4803.
Melchor et al. (2018) Melchor, C.A., Aragon, N., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C., Gaborit, P., Persichetti, E., Zémor, G., and Bourges, I. (2018). Hamming Quasi-Cyclic (HQC).
Melchor et al. (2017) Melchor, C.A., Aragon, N., Bettaieb, S., Bidoux, L., Blazy, O., Deneuville, J.C., Gaborit, P., and Zémor, G. (2017). Rank quasi-cyclic (rqc).
Nielsen (2014) Nielsen, J.S. (2014). Fast Kötter-Nielsen-Høholdt Interpolation in the Guruswami-Sudan Algorithm. In 14th International Workshop on Algebraic and Combinatorial Coding Theory (ACCT).
Nielsen and Høholdt (2000) Nielsen, R.R. and Høholdt, T. (2000). Decoding Reed-Solomon Codes Beyond Half the Minimum Distance. In Coding Theory, Cryptography and Related Areas, 221–236. Springer.
Ore (1933a) Ore, Ø. (1933a). On a Special Class of Polynomials. Trans. Amer. Math. Soc., 35, 559–584.
Ore (1933b) Ore, O. (1933b). Theory of Non-Commutative Polynomials. Annals of Mathematics, 480–508.
Overbeck (2006) Overbeck, R. (2006). Decoding interleaved gabidulin codes and ciphertext-security for gpt variants. IACR Cryptol. ePrint Arch., 2006, 222.
Puchinger et al. (2020) Puchinger, S., Renner, J., and Rosenkilde, J. (2020). Generic Decoding in the Sum-Rank Metric. arXiv preprint arXiv:2001.04812.
Puchinger and Wachter-Zeh (2018) Puchinger, S. and Wachter-Zeh, A. (2018). Fast Operations on Linearized Polynomials and their Applications in Coding Theory. Journal of Symbolic Computation, 89, 194–215.
Renner et al. (2021) Renner, J., Puchinger, S., and Wachter-Zeh, A. (2021). LIGA: A Cryptosystem based on the Hardness of Rank-Metric List and Interleaved Decoding. Designs, Codes and Cryptography, 89(6), 1279–1319.
Sudan (1997) Sudan, M. (1997). Decoding of Reed Solomon Codes Beyond the Error-Correction Bound. Journal of complexity, 13(1), 180–193.
Wachter-Zeh and Zeh (2014) Wachter-Zeh, A. and Zeh, A. (2014). List and Unique Error-Erasure Decoding of Interleaved Gabidulin Codes with Interpolation Techniques. Designs, Codes and Cryptography, 73(2), 547–570.
Wang et al. (2005) Wang, B., McEliece, R.J., and Watanabe, K. (2005). Kötter Interpolation over Free Modules. In Proceedings of, 2197–2206.
Welch and Berlekamp (1986) Welch, L.R. and Berlekamp, E.R. (1986). Error Correction for Algebraic Block Codes. US Patent 4,633,470.
Xie et al. (2011) Xie, H., Yan, Z., and Suter, B.W. (2011). General Linearized Polynomial Interpolation and its Applications. In 2011 International Symposium on Networking Coding, 1–4. IEEE.