Improved Power Decoding of
Algebraic Geometry Codes

Sven Puchinger, Johan Rosenkilde, Grigory Solomatov Department of Applied Mathematics and Computer Science,
Technical University of Denmark (DTU), Denmark

Abstract

Power decoding is a partial decoding paradigm for arbitrary algebraic geometry codes for decoding beyond half the minimum distance, which usually returns the unique closest codeword, but in rare cases fails to return anything. The original version decodes roughly up to the Sudan radius, while an improved version decodes up to the Johnson radius, but has so far been described only for Reed–Solomon and one-point Hermitian codes. In this paper we show how the improved version can be applied to any algebraic geometry code.

Index Terms:

Algebraic Geometry Codes, Power Decoding

I Introduction

I-A Related work

Power decoding was originally proposed in [1] and [2] as a method for decoding Reed–Solomon codes beyond half the minimum distance, achieving roughly the same decoding radius as Sudan’s list decoder [3]. It is a partial unique decoder, meaning that it either returns a unique decoding solution, or declares failure. It has been demonstrated through numerical simulations that power decoding has a very low probability of failure for random errors; there are proofs of this for small parameter choices [2, 4], but the general case remains to be an open problem.

In [5] it was shown how to incorporate a multiplicity parameter into power decoding, similar to that of Guruswami–Sudan (GS) algorithm [6], thereby matching the latter’s decoding radius, called the Johnson radius. Both the original and the improved power decoding with multiplicity has been applied to one-point Hermitian codes, which belong to the large family of algebraic geometry (AG) codes that were introduced by Goppa in 1981 [7, 8]. They are a natural generalization of Reed–Solomon codes and some of their subfamilies have been shown to have minimal distance that beats the Gilbert–Varshamov bound [9].

At the heart of power decoding lies a set of “key equations”, which can be solved by linear algebra, or by faster, more structured approaches, e.g. by generalizing the Berlekamp–Massey or Euclidean algorithm, see e.g. [10, 11] and their references. This step is algebraically connected with to the “interpolation step” of the GS algorithm, which may be computed in similar complexity [12, 11].

After interpolation, the GS algorithm proceeds with a “root-finding step”, which is not required by power decoding. For Reed–Solomon and one-point Hermitian codes, root-finding is asymptotically faster than the interpolation step¹¹1Except if the code length is very short compared to the field size: a sub-routine of the root-finding step is to find $\mathbb{F}_{q}$ -roots in $\mathbb{F}_{q}[x]$ polynomials. [13, 12, 14], but in hardware-implementations root-finding can take up significant circuit area [15]. For more general AG codes, the root-finding step is not widely studied, and it is unclear whether it is faster than interpolation; e.g. [16] describes root-finding for one-point codes which is not superior to performing interpolation using linear algebra. Further, both power decoding and the GS algorithm generalize to interleaved codes, and here the root-finding step is currently the bottleneck in the GS algorithm [17], and so power decoding is asymptotically faster [18].

Recently, [19] generalized the original power decoding to apply to general AG codes. Their work was principally motivated by their new variant of (the original) power decoding, called power error-locating pairs, which may be applied to attack AG-code-based cryptosystems in a setting where it seems the GS decoder can not be used.

I-B Contributions

In this paper we:

•

formulate improved power decoding [5] in the language of function fields and adapt it to general AG codes,
•

show how the resulting key equations can be solved using linear algebra, and
•

derive the decoding radius for the proposed method under mild assumptions on the code and verify it using numerical simulations.

The most important takeaway is that our decoding radius coincides with the one from [20] for Reed–Solomon codes and the one from [21] for one-point Hermitian codes, achieving the Johnson radius for suitable decoding parameters. Though the computational complexity of our decoder can likely be improved by replacing linear algebra with more advanced techniques, this remains outside of the scope of this paper.

Our function field modelling revolves around “using an extra place” $P_{\infty}$ as in Pellikaan [22], which allows controlling the “size” of functions by their pole order at $P_{\infty}$ . Our key equations are in the style of Gao [23], as introduced for power decoding in [4].

We present evidence supporting that our decoder achieves a decoding radius similar to the GS algorithm in two ways: we theoretically derive a radius at which the decoder will surely fail, and then we see in simulations that for fewer random errors, the decoder seems to almost always succeed. We have no theoretic bound on this failure probability, which has so far proved very challenging even in the case of Reed–Solomon codes, see e.g. [20]. On the other hand, advantages of the power decoding compared to GS algorithm include:

•

The power decoder is structurally simpler than the GS algorithm since it does not have a root-finding step, making it easier to implement, possibly faster, and with less footprint in hardware.
•

It is reasonable that a generalization to interleaved AG codes is possible as in [18, 21].
•

Potentially apply power decoding in a more efficient message attack on AG-based cryptosystems than in [19], possibly by first reformulating it in terms of power error-locating pairs.

II Preliminaries

In this section we briefly introduce AG codes as evaluation codes and formulate the decoding problem that we wish to solve. We assume that the reader is familiar with the language of function fields, which is presented in great detail in [24].

Let $F$ be a function field having genus $g$ over a base field $\mathbb{F}$ . Let $P_{1},\dots,P_{n},P_{\infty}$ be rational places of $F$ , and fix two divisors $D=P_{1}+\cdots+P_{n}$ and $G$ with $\deg G=\gamma$ , such that $\operatorname{supp}G\cap\operatorname{supp}D=\emptyset$ . The code that we will be considering is

\mathcal{C}_{D,G}=\{\big{(}f(P_{1}),\dots,f(P_{n})\big{)}\in\mathbb{F}^{n}\;|\;f\in\mathcal{L}(G)\}\ ,

where $\mathcal{L}(G)=\{f\in F\;|\;(f)\geq-G\}\cup\{0\}$ is the Riemann-Roch space of $G$ . The dimension of this code is $k=\mathfrak{l}(G)$ , where $\mathfrak{l}(A)$ denotes the dimension of $\mathcal{L}(A)$ for any divisor $A$ ; and the code’s minimum distance is bounded from below by the designed minimum distance $d^{*}=n-\gamma$ .

The problem that we wish to address is as follows:

Problem II.1.

Let $f\in\mathcal{L}(G)$ be a message and let $\boldsymbol{c}\in\mathcal{C}_{D,G}$ be the corresponding codeword. Given the received word

\boldsymbol{r}=(r_{1},\dots,r_{n})=\boldsymbol{c}+\boldsymbol{e}\ ,

where $\boldsymbol{e}=(e_{1},\dots,e_{n})\in\mathbb{F}^{n}$ is some unknown error, recover $f$ .

In the next section, in the traditional spirit of power decoding, we show how II.1 can be reformulated as a highly non-linear system of equations.

III The Key Equations

In this section we formulate the so called key equations that lie at the heart of power decoding using the language of function fields.

We begin by defining the error locator and the received word interpolator, following up with some results about their sizes.

Definition III.1.

If $\boldsymbol{r}=(r_{1},\dots,r_{n})$ is the received word, then an $\boldsymbol{r}$ -interpolator of degree $\rho$ is an element

	$\displaystyle R$	$\displaystyle\in\mathcal{L}(G+\rho P_{\infty})\quad\text{such that}$
	$\displaystyle R$	$\displaystyle\not\in\mathcal{L}\big{(}G+(\rho-1)P_{\infty}\big{)}\ ,$

and $R(P_{i})=r_{i}$ for $i=1,\dots,n$ .

Lemma III.2.

There exists an ${\boldsymbol{r}}$ -interpolator $R$ with degree $\rho$ satisfying $\rho\leq n-\gamma+2g-1$ .

Proof.

Consider the $\mathbb{F}$ -linear map

\displaystyle\phi:\begin{cases}\mathcal{L}(G+\rho P_{\infty})\rightarrow\mathbb{F}^{n}\\ h\mapsto\big{(}h(P_{1}),\dots,h(P_{n})\big{)}\end{cases}

We are guaranteed that $R$ exists if the dimension of the image of $\phi$ , which is given by the rank-nullity theorem as

\dim\operatorname{im}\phi=\mathfrak{l}(G+\rho P_{\infty})-\mathfrak{l}(G+\rho P_{\infty}-D)\ ,

is $n$ . Indeed, Riemann’s theorem theorem says that

\mathfrak{l}(G+\rho P_{\infty})\geq\gamma+\rho+1-g\ ,

and if $\rho\geq n-\gamma+2g-1$ , then [24, Thm 1.5.17] promises that

\mathfrak{l}(G+\rho P_{\infty}-D)=\gamma+\rho-n+1-g\ ,

which shows that the image of $\phi$ has dimension $n$ . ∎

Definition III.3.

Let $E=\sum_{i\in\mathcal{E}}P_{i}$ , where $\mathcal{E}=\{i\;|\;e_{i}\neq 0\}$ is the set of error positions. An error locator with multiplicity $s$ and degree $\lambda_{s}$ is an element

	$\displaystyle\Lambda_{s}$	$\displaystyle\in\mathcal{L}(\lambda_{s}P_{\infty}-sE)\quad\text{such that}$
	$\displaystyle\Lambda_{s}$	$\displaystyle\not\in\mathcal{L}\big{(}(\lambda_{s}-1)P_{\infty}-sE\big{)}\ .$

Lemma III.4.

For any $\lambda_{s}\geq s|\mathcal{E}|+g$ there exists an error locator with degree at most $\lambda_{s}$ , however, if $\lambda_{s}<s|\mathcal{E}|$ , then no such error locator exists.

Proof.

If $\lambda_{s}\geq s|\mathcal{E}|+g$ , then the Riemann-Roch theorem promises that

\mathfrak{l}(\lambda_{s}P_{\infty}-sE)\geq\lambda_{s}-s|\mathcal{E}|+1-g\geq 0\ ,

which guarantees existence of an error locator with degree at most $\lambda_{s}$ .

If on the other hand $\lambda_{s}<s|\mathcal{E}|$ , then $\Lambda_{s}$ must have more zeroes than poles, which is impossible. ∎

It will be convenient to define the following divisors:

	$\displaystyle V_{t}$	$\displaystyle=\lambda_{s}P_{\infty}+tG\ ,$
	$\displaystyle Q_{t}$	$\displaystyle=\lambda_{s}P_{\infty}+t(G+\rho P_{\infty})\quad\text{and}$
	$\displaystyle W_{j}$	$\displaystyle=\lambda_{s}P_{\infty}+j(G+\rho P_{\infty}-D),$

for $j=0,\dots,s-1$ and $t=1,\dots,\ell$ .

The next lemma relates these divisors to $f$ , $\Lambda_{s}$ and $R$ .

Lemma III.5.

If $f$ is the sent message, $R$ is an $\boldsymbol{r}$ -interpolator and $\Lambda_{s}$ is an error locator, then for $t=1,\dots,\ell$ it holds that

\Lambda_{s}f^{t}\in\mathcal{L}(V_{t})\ ,

and for $j=0,\dots,s-1$ it holds that

\Lambda_{s}(f-R)^{j}R^{t-j}\in\begin{cases}\mathcal{L}\big{(}W_{j}+(t-j)(G+\rho P_{\infty})\big{)}&\text{ if }j<s\\ \mathcal{L}(Q_{t}-sD)&\text{ if }j\geq s\end{cases}\ .

Proof.

The first claim is obvious. For the second claim observe that

\displaystyle f-R

\displaystyle\in\mathcal{L}\big{(}G+\rho P_{\infty}-D+E\big{)}\ .

If $j<s$ , then

	$\displaystyle\Lambda_{s}(f-R)^{j}$	$\displaystyle\in\mathcal{L}\big{(}\lambda_{s}P_{\infty}+j(G+\rho P_{\infty})-sE-j(D-E)\big{)}$
		$\displaystyle\in\mathcal{L}\big{(}\lambda_{s}P_{\infty}+j(G+\rho P_{\infty}-D)-(s-j)E\big{)}$
		$\displaystyle\subset\mathcal{L}(W_{j})\ .$

If on the other hand $j\geq s$ , then

	$\displaystyle\Lambda_{s}(f-R)^{j}R^{t-j}$	$\displaystyle\in\mathcal{L}\big{(}\lambda_{s}P_{\infty}+t(G+\rho P_{\infty})-sE-j(D-E)\big{)}$
		$\displaystyle\subset\mathcal{L}\big{(}\lambda_{s}P_{\infty}+t(G+\rho P_{\infty})-sE-s(D-E)\big{)}$
		$\displaystyle=\mathcal{L}(Q_{t}-sD)\ .$

∎

We are now ready to present the key equations, which express an algebraic relationship between the sent message $f$ , an ${\boldsymbol{r}}$ -interpolator $R$ and a corresponding error locator $\Lambda_{s}$ .

Theorem III.6 (The Key Equations).

For $t=1,\dots,\ell$

\displaystyle\begin{split}\Lambda_{s}f^{t}-\sum_{j=0}^{\min\{t,s-1\}}\binom{t}{j}\Lambda_{s}(f-R)^{j}R^{t-j}\\ \in\begin{cases}\{0\}&\text{ if }1\leq t\leq s-1\\ \mathcal{L}(Q_{t}-sD)&\text{ if }s\leq t\leq\ell\end{cases}\ .\end{split}

(1)

Proof.

We have that

	$\displaystyle\Lambda_{s}f^{t}$	$\displaystyle=\Lambda_{s}\big{(}(f-R)+R\big{)}^{t}$
		$\displaystyle=\sum_{j=0}^{t}\binom{t}{j}\Lambda_{s}(f-R)^{j}R^{t-j}\ ,$

which proves the claim when $1\leq t\leq s-1$ , while if $s\leq t\leq\ell$ , then it follows from Lemma III.5 that

	$\displaystyle\Lambda_{s}f^{t}-\sum_{j=0}^{\min\{t,s-1\}}\binom{t}{j}\Lambda_{s}(f-R)^{j}R^{t-j}$
	$\displaystyle=\sum_{j=s}^{t}\binom{t}{j}\Lambda_{s}(f-R)^{j}R^{t-j}\in\mathcal{L}(Q_{t}-sD)$

∎

Since (1) is satisfied by the sent message, it makes sense to look for a solution of (1) in order to address II.1. We explain how this can be done in the next section.

IV Solving the Key Equations

In this section we show how to solve the following problem, which is motivated by Theorem III.6 and II.1:

Problem IV.1.

Consider an instance of II.1. Fix $\lambda_{s}\geq 0$ and let $R$ be an ${\boldsymbol{r}}$ -interpolator. Find $\phi_{t}\in\mathcal{L}(V_{t})$ for $t=1,\dots,\ell$ and $\psi_{j}\in\mathcal{L}(W_{j})$ for $j=0,\dots,s-1$ , not all zero, such that

	$\displaystyle\phi_{t}-\sum_{j=0}^{\min\{t,s-1\}}\binom{t}{j}\psi_{j}R^{t-j}$
	$\displaystyle\quad\quad\in\begin{cases}\{0\}&1\leq t\leq s-1\\ \mathcal{L}(Q_{t}-sD)&s\leq t\leq\ell\end{cases}\ .$

According to Theorem III.6, if $f$ is the sent message and there exists an error locator $\Lambda_{s}$ with degree at most $\lambda_{s}$ , then among the possible solutions of IV.1 we would find

	$\displaystyle\phi_{t}$	$\displaystyle=\Lambda_{s}f^{t}$
	$\displaystyle\psi_{j}$	$\displaystyle=\Lambda_{s}(f-R)^{j}.$		(2)

Since $\deg\Lambda_{s}$ is roughly proportional to the number of errors (see Lemma III.4), this means that a solution of IV.1 of the type (2) for the smallest-possible $\lambda_{s}$ corresponds to a codeword that is among the closest codewords to our received word.²²2Note that it might happen that for two errors of similar weight, the error locator degree of the one of smaller weight is larger or equal to the one of larger weight. For large enough parameter $s$ , this case becomes less likely for random errors. It might be that IV.1 for small $\lambda_{s}$ has solutions that do not correspond to an error locator/message pair. This might happen since IV.1 poses weaker constraints on its solutions compared to (1). Previous works on (improved) power decoding indicate that such “spurious” solutions only occur with very small probability. Also our simulation results in Section VI indicate this. We will get back to types of failure in the next section.

These arguments motivate our decoding strategy: Find a solution of IV.1 for the smallest $\lambda_{s}$ for which the problem has a solution. If we are successful, we get a solution of IV.1 of the form in (2) (or a scalar multiple thereof), where $\Lambda_{s}$ and $f$ correspond to a close codeword to ${\boldsymbol{r}}$ . We can extract $f$ , and thus ${\boldsymbol{c}}$ from this solution by division $\tfrac{\phi_{1}}{\psi_{0}}=\tfrac{\Lambda_{s}f^{1}}{\Lambda_{s}}=f$ .

Since computational complexity is not a primary concern here, we describe in this section how to solve the problem for a fixed $\lambda_{s}$ . The “smallest solution” can then be found by iterating $\lambda_{s}$ from $0$ to the maximal possible value for which we expect to be able to decode.

The entire decoding strategy is outlined in Algorithm 1.

Input: Received word

{\boldsymbol{r}}\in\mathbb{F}^{n}

and positive integers

s\leq\ell

Output:

f\in\mathcal{L}(G)

such that

{\boldsymbol{c}}=(f(P_{1}),\dots,f(P_{n}))

is a codeword with corresponding minimal error locator degree; or “decoding failure”.

1 for $\lambda_{s}=0,\dots,sn+g$ do

2 if IV.1 with parameter $\lambda_{s}$ has a unique solution up to scalar multiples then

(\phi_{t})_{t=1,\dots,\ell},(\psi_{j})_{j=0,\dots,s-1}\leftarrow

a solution of IV.1

\hat{f}\leftarrow\tfrac{\phi_{1}}{\psi_{0}}

5 if $\hat{f}\in\mathcal{L}(G)$ and $\psi_{0}$ is a valid error locator for the error $\hat{{\boldsymbol{e}}}={\boldsymbol{r}}-\hat{{\boldsymbol{c}}}$ , where $\hat{c}$ is the codeword corresponding to $\hat{f}$ then

6 return $\hat{f}$

7 else

8 return “decoding failure”

return “decoding failure”

Algorithm 1 Decoder

In the remainder of this section we give an explicit construction of a matrix $\boldsymbol{U}$ over $\mathbb{F}$ whose right kernel contains vectors from which solutions to IV.1 can be obtained, i.e., how to implement Lines 1 and 1 of Algorithm 1.

For any divisor $A$ let $\boldsymbol{\beta}_{A}\in\mathcal{L}(A)^{\mathfrak{l}(A)}$ denote a vector whose entries form any $\mathbb{F}$ -basis of $\mathcal{L}(A)$ such that for any two divisors $A$ and $B$ it holds that

\mathcal{L}(A)=\mathcal{L}(B)\iff\boldsymbol{\beta}_{A}=\boldsymbol{\beta}_{B}\ .

For any $h\in\mathcal{L}(A)$ let $h_{A}\in\mathbb{F}^{\mathfrak{l}(A)}$ be the unique vector such that $\boldsymbol{\beta}_{A}\cdot h_{A}=h$ , and for any $p\in\mathcal{L}(B-A)$ let $p_{B,A}\in\mathbb{F}^{\mathfrak{l}(B)\times\mathfrak{l}(A)}$ be the matrix whose $i$ -th column is $(pa_{i})_{B}$ , where $(a_{1},\dots,a_{\mathfrak{l}(A)})=\boldsymbol{\beta}_{A}$ . It is easy to see that

\boldsymbol{\beta}_{B}p_{B,A}h_{A}=p\boldsymbol{\beta}_{A}\cdot h_{A}=ph\in\mathcal{L}(B)\ .

In order to construct $\boldsymbol{U}$ we will need a satisfactory received word interpolator $R$ which can be for example be obtained as follows: If $\boldsymbol{M}\in\mathbb{F}^{n\times\mathfrak{l}(H)}$ , where $H=\rho P_{\infty}+G$ , is the matrix whose $i$ -th column is

[b_{i}(P_{1})\ \cdots\ b_{i}(P_{n})]^{T}\ ,

where $(b_{1},\dots,b_{\mathfrak{l}(H)})=\boldsymbol{\beta}_{H}$ , then $R=\boldsymbol{\beta}_{H}\cdot\boldsymbol{z}$ , where $\boldsymbol{z}$ is any solution to the linear system $\boldsymbol{M}\boldsymbol{z}=\boldsymbol{r}$ .

The next lemma together with the the subsequent Corollary IV.3 give an explicit construction of $\boldsymbol{U}$ and show its relation to IV.1.

Lemma IV.2.

Let

\boldsymbol{u}=(\boldsymbol{v}_{1}|\dots|\boldsymbol{v}_{\ell}|\boldsymbol{w}_{0}|\dots|\boldsymbol{w}_{s-1})\in\mathbb{F}^{\nu}\ ,

where

	$\displaystyle\boldsymbol{v}_{r}$	$\displaystyle=(\phi_{r})_{V_{r}}\ ,$
	$\displaystyle\boldsymbol{w}_{j}$	$\displaystyle=(\psi_{j})_{W_{j}}\quad\text{and}$
	$\displaystyle\nu$	$\displaystyle=\sum_{r}\mathfrak{l}(V_{r})+\sum_{j}\mathfrak{l}(W_{j})$

for $r=1,\dots,\ell$ and $j=0,\dots,s-1$ , where the $\phi_{r},\psi_{j}$ are a solution to IV.1. If $\boldsymbol{U}_{t}\in\mathbb{F}^{\mathfrak{l}(Q_{t})\times\nu}$ is the matrix defined by

\boldsymbol{U}_{t}=\begin{bmatrix}\boldsymbol{V}_{t,1}|\cdots|\boldsymbol{V}_{t,\ell}|\boldsymbol{W}_{t,0}|\cdots|\boldsymbol{W}_{t,s-1}\end{bmatrix}\ ,

where

	$\displaystyle\boldsymbol{V}_{t,r}$	$\displaystyle=\begin{cases}1_{Q_{t},V_{r}}&\text{ if }t=r\\ 0_{Q_{t},V_{r}}&\text{ if }t\neq r\\ \end{cases}\quad\text{and}$
	$\displaystyle\boldsymbol{W}_{t,j}$	$\displaystyle=\begin{cases}-\binom{t}{j}(R^{t-j})_{Q_{t},W_{j}}&\text{ if }j\leq t\\ 0_{Q_{t},W_{j}}&\text{ if }j>t\\ \end{cases}\ ,$

for $t=1,\dots,\ell$ , then

\boldsymbol{\beta}_{Q_{t}}\boldsymbol{U}_{t}\boldsymbol{u}\in\begin{cases}\{0\}&\text{ if }1\leq t\leq s-1\\ \mathcal{L}(Q_{t}-sD)&\text{ if }s\leq t\leq\ell\end{cases}\ .

Proof.

Simply observe that

	$\displaystyle\boldsymbol{\beta}_{Q_{t}}\boldsymbol{U}_{t}\boldsymbol{u}$	$\displaystyle=\boldsymbol{\beta}_{Q_{t}}\sum_{r=1}^{\ell}\boldsymbol{V}_{t,r}\boldsymbol{v}_{r}+\boldsymbol{\beta}_{Q_{t}}\sum_{j=0}^{s-1}\boldsymbol{W}_{t,j}\boldsymbol{w}_{j}$
		$\displaystyle=\phi_{t}-\sum_{j=0}^{\min\{t,s-1\}}\binom{t}{j}\psi_{j}R^{t-j}\ .$

∎

Corollary IV.3 (of Lemma IV.2).

\boldsymbol{U}=\left[\begin{array}[]{cc}\boldsymbol{K}_{1}\boldsymbol{U}_{1}\\ \hline\cr\vdots\\ \hline\cr\boldsymbol{K}_{\ell}\boldsymbol{U}_{\ell}\end{array}\right]\ ,

where

\boldsymbol{K}_{t}=\begin{cases}1_{Q_{t},Q_{t}}&\text{ if }1\leq t\leq s-1\\ \text{left kernel matrix of }1_{Q_{t},Q_{t}-sD}&\text{ if }s\leq t\leq\ell\end{cases}\

and $\boldsymbol{u}$ is as in Lemma IV.2, then

\displaystyle\boldsymbol{U}\boldsymbol{u}=\boldsymbol{0}\ .

(3)

In the next section we describe the conditions under which decoding is expected to fail.

V Decoding Radius

We turn to investigating the decoding performance of the proposed decoder. Since the decoder returns at most one codeword while attempting to decode beyond half the minimum distance, it must obviously fail for certain received words. Theoretically bounding this probability seems a difficult problem even for the simplest case of Reed–Solomon codes, and only partial results are known [1, 5]. We follow the approach of several previous papers on power decoding: we derive theoretically a number of errors at which our decoder is always guaranteed to fail, and we define this to be the “decoding radius”; this name will be supported by simulations in Section VI which indicates that the decoding algorithm succeeds with high probability whenever fewer, random errors occur.

It can be seen from Algorithm 1 that our decoder declares a decoding failure if and only if there is no value of $\lambda_{s}$ for which the matrix $\boldsymbol{U}$ in Corollary IV.3 has a right kernel of $\mathbb{F}_{q}$ -dimension exactly 1.

On the other hand, when we do not declare decoding failure, the returned message candidate $\hat{f}\in\mathcal{L}(G)$ must correspond to the closest codeword to the received word, as in the discussion in the preceding section.

This notion of decoding failure motivates a natural bound for when we – simply by linear algebraic arguments – would know a priori that the decoder will fail in the generic case when the smallest error locator corresponding to a codeword has degree $\lambda_{s}=s|\mathcal{E}|+g$ (and not smaller), where $|\mathcal{E}|$ is the distance of the codeword to the received word:

Definition V.1.

For a given code $\mathcal{C}$ , the decoding radius of power decoding, denoted $\tau_{\mathsf{max}}$ , is the greatest value of $\tau$ such that for $\lambda_{s}=s\tau+g$ , if $\epsilon,\nu$ are the row resp. column dimensions of the matrix $\boldsymbol{U}$ of Lemma IV.2, then $\nu>\epsilon+1$ .

Since the proposed decoder will typically return no solutions (and therefore fail) when $|\mathcal{E}|>\tau$ , the decoding radius tells us how many errors we should at most expect to correct.³³3It might succeed in rare cases in which the error locator has surprisingly low degree. Our simulation results suggest that this happens with very small probability. We reiterate that, at this point we have given no indications that the decoder should usually succeed up to $\tau_{\mathsf{max}}$ errors, but we address this by simulations in Section VI.

For a given code $\mathcal{C}$ , one may compute $\tau_{\mathsf{max}}$ exactly, but since the equations involve dimensions of sequences of Riemann–Roch spaces, it seems impossible to give a general precise closed form. However, we may lower-bound these numbers using common function field tools:

Lemma V.2.

For $t=1,\dots,\ell$ and $j=0,\dots,s-1$ it holds that

	$\displaystyle\mathfrak{l}(V_{t})$	$\displaystyle\geq\lambda_{s}+t-g+1\ ,$
	$\displaystyle\mathfrak{l}(W_{j})$	$\displaystyle\geq\lambda_{s}+j(\gamma+\rho-n)-g+1\ ,$
	$\displaystyle\mathfrak{l}(Q_{t}-sD)$	$\displaystyle\geq\lambda_{s}+t(\gamma+\rho)-sn-g+1\ ,$

and if $\gamma\geq 2g-2$ , then

\mathfrak{l}(Q_{t})=\lambda_{s}+t(\gamma+\rho)-g+1\ .

Proof.

The lower bounds on $\mathfrak{l}(V_{t})$ , $\mathfrak{l}(W_{j})$ and $\mathfrak{l}(Q_{t}-sD)$ are given by the Riemann-Roch theorem, while the exact value of $\mathfrak{l}(Q_{t})$ is given by [24, Thm 1.5.17] since $\gamma\geq 2g-2$ . ∎

The next lemma gives bounds on the dimensions of $\boldsymbol{U}$ .

Lemma V.3.

If $\gamma\geq 2g-2$ , then $\boldsymbol{U}\in\mathbb{F}^{\epsilon\times\nu}$ , where

	$\displaystyle\epsilon$	$\displaystyle\leq(s-1)(\lambda_{s}-g+1)+\tfrac{s(s-1)}{2}(\gamma+\rho)+(\ell-s+1)sn\ ,$
	$\displaystyle\nu$	$\displaystyle\geq(\ell+s)(\lambda_{s}-g+1)+\tfrac{\ell(\ell+1)}{2}\gamma+\tfrac{s(s-1)}{2}(\gamma+\rho-n)\ .$

Proof.

From Lemma V.2 it follows that

	$\displaystyle\nu$	$\displaystyle=\sum_{t=1}^{\ell}\mathfrak{l}(V_{t})+\sum_{j=0}^{s-1}\mathfrak{l}(W_{j})$
		$\displaystyle\geq\sum_{t=1}^{\ell}(\lambda_{s}+t\gamma-g+1)+\sum_{j=0}^{s-1}(\lambda_{s}+j(\gamma+\rho)-jn-g+1)$
		$\displaystyle=\ell(\lambda_{s}-g+1)+\tfrac{\ell(\ell+1)}{2}\gamma$
		$\displaystyle+s(\lambda_{s}-g+1)+\tfrac{(s-1)s}{2}(\gamma+\rho-n)\ .$

Similarly, observing that $\boldsymbol{K}_{t}$ must have exactly

\mathfrak{l}(Q_{t})-\mathfrak{l}(Q_{t}-sD)

rows for $t=s-1,\dots,\ell$ , it holds that

	$\displaystyle\epsilon$	$\displaystyle=\sum_{t=1}^{s-1}\mathfrak{l}(Q_{t})+\sum_{t=s}^{\ell}\big{(}\mathfrak{l}(Q_{t})-\mathfrak{l}(Q_{t}-sD)\big{)}$
		$\displaystyle\leq\sum_{t=1}^{s-1}\big{(}\lambda_{s}+t(\gamma+\rho)-g+1\big{)}+\sum_{t=s}^{\ell}sn$
		$\displaystyle=(s-1)(\lambda_{s}-g+1)+\frac{(s-1)s}{2}(\gamma+\rho)+(l-s+1)sn\ .$

∎

With the aid of Lemma V.3 we can deduce a lower bound on values of $\lambda_{s}$ for which decoding must fail.

Lemma V.4.

It holds that (3) has at least two linearly independent solutions (and decoding fails) if

\lambda_{s}>s\tfrac{2\ell-s+1}{2(\ell+1)}n-\tfrac{\ell}{s}\gamma+\tfrac{\ell}{\ell+1}+g\ .

(4)

Proof.

Keeping the notation from Lemma V.3 we have that (3) has at least two linearly independent solutions if

\nu>\epsilon+1\ ,

which is equivalent to (4). ∎

Corollary V.5.

The decoding radius as defined in Definition V.1 is given by

\displaystyle\tau_{\mathsf{max}}(\ell,s):=\left\lfloor\tfrac{2\ell-s+1}{2(\ell+1)}n-\tfrac{\ell}{2s}\gamma+\tfrac{\ell}{s(\ell+1)}\right\rfloor\ .

Remark V.6.

The decoding radius $\tau_{\mathsf{max}}(\ell,s)$ coincides with the one in [20] in the special case of Reed–Solomon, and the one in [21] for one-point Hermitian codes.

Remark V.7.

Although this definition of failure is convenient for theoretical analysis it means our decoder must try every sensible (sufficiently small) value of $\tau$ before declaring failure, which is computationally inefficient. In this paper, our primary concern is not computational complexity, but we will remark that in practice, one only needs to use the largest sensible value of $\tau$ : we then pick any non-zero vector in the right kernel of $\boldsymbol{U}$ and check if the corresponding message $f$ is in $\mathcal{L}(G)$ . This is how the simulations in Section VI have been conducted.

V-A Parameter Choice & Asymptotic Behavior

The following theorem shows that the decoding radius achieves the Johnson radius asymptotically for large parameters $\ell$ and $s$ . It also implies a good practical choice of the parameters $\ell$ and $s$ .

Theorem V.8.

Define the sequence $(\ell_{i},s_{i})_{i\in\mathbb{Z}_{>0}}$ as $\ell_{i}=i$ and $s_{i}=\left\lfloor\sqrt{\tfrac{\gamma}{n}}i\right\rfloor+1$ . Then, for $i\to\infty$ , we have

\displaystyle\tau_{\mathsf{max}}(\ell_{i},s_{i})=n\left(1-\sqrt{\tfrac{\gamma}{n}}-O(\tfrac{1}{i})\right).

Proof.

This is a special case of [21, Theorem 5]. ∎

VI Numerical Results

In this section we present Monte-Carlo simulation results of the proposed decoder for a few different AG codes in order to experimentally verify our hypothesis that Algorithm 1 corrects up to $\tau_{\mathsf{max}}(\ell,s)$ errors with high probability and fails with high probability above.

To be precise, for a given code and radius $\tau$ , we test the following:

•

Draw a random message $f$ and encode it into ${\boldsymbol{c}}$
•

Draw an error ${\boldsymbol{e}}$ uniformly at random from the set of vectors in $\mathbb{F}^{n}$ of Hamming weight $\tau$
•

Decode ${\boldsymbol{r}}={\boldsymbol{c}}+{\boldsymbol{e}}$ using Algorithm 1
•

If the algorithm does not return a decoding failure and the returned message polynomial is exactly $f$ , then count it as success.

Note that the simulation might be unsuccessful also in cases in which Algorithm 1 returns a valid close codeword, but not the transmitted one. This is called a miscorrection, and typically occurs only rarely (see, e.g., [25] for RS codes).

The above described simulation was tested on a few one- and two-point codes over two well known function fields:

•

The Hermitian function field is defined by the equation

$H_{q}:y^{q}+y=x^{q+1}$

over $\mathbb{F}_{q^{2}}$ , i.e. the finite field of cardinality $q^{2}$ . It has genus $\frac{1}{2}q(q-1)$ and $q^{3}+1$ rational places.
•

The Suzuki function field is defined by the equation

$S_{q}:y^{q}+y=x^{q_{0}}(x^{q}+x)$

over $\mathbb{F}_{q^{4}}$ , where $q=2q_{0}^{2}>2$ . It has genus $q_{0}(q-1)$ and $q^{2}+1$ rational places.
•

The function from [26, Lemma 3.2] field is defined by

$T_{q}:y^{q}+y=\frac{x^{q}}{x^{q-1}+1}$

over $\mathbb{F}_{q^{2}}$ . It has genus $(q-1)^{2}$ and $q^{3}-q^{2}+2q$ rational places.

Table I contains simulation results for various function field family, code, and decoder parameters. All results confirm our hypothesis.

Table I: Simulation results

Curve	$\|\mathbb{F}\|$	$\gamma$	$n$	$k$	$d^{*}$	$\ell$	$s$	$\tau$	OFR	$N\geq$
$H_{4}$	$4^{2}$	$15$	$64$	$10$	$49$	$4$	$2$	$29^{+}$	$0.00$	$10^{2}$
								$30$	$1.00$	$10^{2}$
$H_{4}$	$4^{2}$	$10+5$	$63$	$10$	$48$	$4$	$2$	$28^{+}$	$0.00$	$10^{2}$
								$29$	$1.00$	$10^{2}$
$H_{5}$	$5^{2}$	$55$	$125$	$46$	$70$	$5$	$2$	$36^{+}$	$0.00$	$10^{2}$
								$37$	$1.00$	$10^{2}$
$H_{5}$	$5^{2}$	$30+25$	$124$	$46$	$69$	$3$	$2$	$35^{+}$	$0.00$	$10^{2}$
								$36$	$0.94$	$10^{2}$
$S_{1}$	$2^{4}$	$12$	$24$	$12$	$12$	$2$	$2$	$5^{+}$	$0.00$	$10^{4}$
								$6$	$>0.99$	$10^{4}$
$S_{1}$	$2^{4}$	$6+6$	$23$	$12$	$11$	$2$	$2$	$5^{+}$	$0.00$	$10^{4}$
								$6$	$1.00$	$10^{4}$
$S_{1}$	$2^{4}$	$4$	$24$	$4$	$20$	$6$	$2$	$12^{+}$	$<6.98\cdot 10^{-4}$	$10^{3}$
								$13$	$1.00$	$10^{3}$
$S_{1}$	$2^{4}$	$2+2$	$23$	$4$	$19$	$6$	$2$	$11^{+}$	$0.00$	$10^{3}$
								$12$	$>0.99$	$10^{3}$
$T_{4}$	$4^{2}$	$15$	$55$	$7$	$40$	$4$	$2$	$23^{+}$	$<1.74\cdot 10^{-3}$	$10^{3}$
								$24$	$1.00$	$10^{3}$

•

Code parameters $\gamma,n,k,d^{*}$ . $\gamma=a+b$ means that $G=aP+bP^{\prime}$ for some rational places $P$ and $P^{\prime}$ . Decoder parameters $\ell,s$ . Number of errors $\tau$ , ⁺ means that $\tau=\tau_{\max}$ . Observed failure rate OFR. Each simulation was repeated at least $N$ times.

References

[1] G. Schmidt, V. Sidorenko, and M. Bossert, “Decoding Reed-Solomon Codes Beyond Half the Minimum Distance Using Shift-Register Synthesis,” in IEEE International Symposium on Information Theory, 2006, pp. 459–463.
[2] ——, “Syndrome Decoding of Reed-Solomon Codes Beyond Half the Minimum Distance Based on Shift-Register Synthesis,” IEEE Transactions on Information Theory, vol. 56, no. 10, pp. 5245–5252, 2010.
[3] M. Sudan, “Decoding of Reed–Solomon Codes beyond the Error-Correction Bound,” Journal of Complexity, vol. 13, no. 1, pp. 180–193, 1997.
[4] J. S. R. Nielsen, “Power Decoding of Reed–Solomon Codes Revisited,” in International Castle Meeting on Coding Theory and Applications, Sep. 2014. [Online]. Available: http://jsrn.dk/publications.html
[5] J. Rosenkilde, “Power Decoding of Reed–Solomon Up to the Johnson Radius,” Advances in Mathematics of Communications, vol. 12, no. 1, pp. 81–106, Feb. 2018.
[6] V. Guruswami and M. Sudan, “Improved Decoding of Reed–Solomon and Algebraic-Geometric Codes,” in IEEE Annual Symposium on Foundations of Computer Science, 1998, pp. 28–37.
[7] V. D. Goppa, “Codes on algebraic curves,” Dokl. Akad. Nauk SSSR, vol. 259, no. 6, pp. 1289–1290, 1981.
[8] ——, “Algebraico-Geometric Codes,” Izvestiya: Mathematics, vol. 21, no. 1, pp. 75–91, 1983.
[9] M. A. Tsfasman, S. G. Vladut, and T. Zink, “Modular curves, Shimura curves, and Goppa codes, better than Varshamov-Gilbert bound,” Mathematische Nachrichten, vol. 109, no. 1, pp. 21–28, 1982.
[10] V. Sidorenko and G. Schmidt, “A Linear Algebraic Approach to Multisequence Shift-Register Synthesis,” Problems of Information Transmission, vol. 47, no. 2, pp. 149–165, 2011.
[11] J. Rosenkilde and A. Storjohann, “Algorithms for simultaneous Hermite–Padé approximations,” Journal of Symbolic Computation, vol. In press, Oct. 2019. [Online]. Available: http://www.sciencedirect.com/science/article/pii/S0747717119301300
[12] M. Chowdhury, C.-P. Jeannerod, V. Neiger, E. Schost, and G. Villard, “Faster Algorithms for Multivariate Interpolation With Multiplicities and Simultaneous Polynomial Approximations,” IEEE Transactions on Information Theory, vol. 61, no. 5, pp. 2370–2387, May 2015.
[13] V. Neiger, J. Rosenkilde, and E. Schost, “Fast Computation of the Roots of Polynomials Over the Ring of Power Series,” in International Symposium on Symbolic and Algebraic Computation, Jul. 2017. [Online]. Available: https://hal.inria.fr/hal-01457954/document
[14] J. Nielsen and P. Beelen, “Sub-Quadratic Decoding of One-Point Hermitian Codes,” IEEE Transactions on Information Theory, vol. 61, no. 6, pp. 3225–3240, Jun. 2015.
[15] A. Ahmed, R. Koetter, and N. R. Shanbhag, “VLSI Architectures for Soft-Decision Decoding of Reed-Solomon Codes,” IEEE Transactions on Information Theory, vol. 57, no. 2, pp. 648–667, Feb. 2011.
[16] X.-W. Wu and P. H. Siegel, “Efficient Root-Finding Algorithm With Application to List Decoding of Algebraic-Geometric Codes,” IEEE Transactions on Information Theory, vol. 47, no. 6, pp. 2579–2587, 2001.
[17] H. Cohn and N. Heninger, “Approximate Common Divisors via Lattices,” The Open Book Series, vol. 1, no. 1, pp. 271–293, 2013.
[18] S. Puchinger and J. Rosenkilde né Nielsen, “Decoding of Interleaved Reed-Solomon Codes Using Improved Power Decoding,” IEEE International Symposium on Information Theory, 2017.
[19] A. Couvreur and I. Panaccione, “Power error locating pairs,” Designs, Codes and Cryptography, vol. 88, no. 8, pp. 1561–1593, 2020.
[20] J. Rosenkilde, “Power decoding Reed-Solomon codes up to the Johnson radius,” Advances in Mathematics of Communications, vol. 12, no. 1, p. 81, 2018.
[21] S. Puchinger, J. Rosenkilde, and I. Bouw, “Improved Power Decoding of Interleaved One-Point Hermitian Codes,” Designs, Codes and Cryptography, vol. 87, no. 2-3, pp. 589–607, 2019.
[22] S. C. Porter, B.-Z. Shen, and R. Pellikaan, “Decoding geometric goppa codes using an extra place,” IEEE transactions on information theory, vol. 38, no. 6, pp. 1663–1676, 1992.
[23] S. Gao, “A New Algorithm for Decoding Reed-Solomon Codes,” in Communications, Information and Network Security, ser. The Springer International Series in Engineering and Computer Science. Springer, Jan. 2003, no. 712, pp. 55–68.
[24] H. Stichtenoth, Algebraic Function Fields and Codes, 2nd ed. Springer, 2009.
[25] G. Schmidt, V. R. Sidorenko, and M. Bossert, “Collaborative Decoding of Interleaved Reed–Solomon Codes and Concatenated Code Designs,” IEEE Transactions on Information Theory, vol. 55, no. 7, pp. 2991–3012, 2009.
[26] A. Garcia and H. Stichtenoth, “On the asymptotic behaviour of some towers of function fields over finite fields,” Journal of number theory, vol. 61, no. 2, pp. 248–273, 1996.

Improved Power Decoding of Algebraic Geometry Codes

Abstract

Index Terms:

I Introduction

I-A Related work

I-B Contributions

II Preliminaries

Problem II.1.

III The Key Equations

Definition III.1.

Lemma III.2.

Proof.

Definition III.3.

Lemma III.4.

Proof.

Lemma III.5.

Proof.

Theorem III.6 (The Key Equations).

Proof.

IV Solving the Key Equations

Problem IV.1.

Lemma IV.2.

Proof.

Corollary IV.3 (of Lemma IV.2).

V Decoding Radius

Definition V.1.

Lemma V.2.

Proof.

Lemma V.3.

Proof.

Lemma V.4.

Proof.

Corollary V.5.

Remark V.6.

Remark V.7.

V-A Parameter Choice & Asymptotic Behavior

Theorem V.8.

Proof.

VI Numerical Results

References

Improved Power Decoding of
Algebraic Geometry Codes