-
Fast Kötter-Nielsen-Høholdt Interpolation over Skew Polynomial Rings and its Application in Coding Theory
Authors:
Hannes Bartz,
Thomas Jerkovits,
Johan Rosenkilde
Abstract:
Skew polynomials are a class of non-commutative polynomials that have several applications in computer science, coding theory and cryptography. In particular, skew polynomials can be used to construct and decode evaluation codes in several metrics, e.g. the Hamming, rank, sum-rank and skew metric. We propose a fast divide-and-conquer variant of the Kötter-Nielsen-Høholdt (KNH) interpolation algorithm: it inputs a list of linear functionals on skew polynomial vectors, and outputs a reduced Gröbner basis of their kernel intersection. We show that the proposed KNH interpolation can be used to solve the interpolation step of interpolation-based decoding of interleaved Gabidulin codes in the rank metric, linearized Reed-Solomon codes in the sum-rank metric and skew Reed-Solomon codes in the skew metric requiring at most $\tilde{O}(s^{\omega} M(n))$ operations in $\mathbb{F}_{q^m}$, where $n$ is the length of the code, $s$ the interleaving order, $M(n)$ the complexity for multiplying two skew polynomials of degree at most $n$, $\omega$ the matrix multiplication exponent and $\tilde{O}(\cdot)$ the soft-O notation which neglects log factors. This matches the previous best speeds for these tasks, which were obtained by top-down minimal approximant bases techniques, and complements the theory of efficient interpolation over free skew polynomial modules by the bottom-up KNH approach. In contrast to the top-down approach, the bottom-up KNH algorithm has no requirements on the interpolation points and thus does not require any pre-processing.
Submitted 4 July, 2022;
originally announced July 2022.
-
Fast Decoding of AG Codes
Authors:
Peter Beelen,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
We present an efficient list decoding algorithm in the style of Guruswami-Sudan for algebraic geometry codes. Our decoder can decode any such code using $\tilde{\mathcal O}(s\ell^{\omega}\mu^{\omega-1}(n+g))$ operations in the underlying finite field, where $n$ is the code length, $g$ is the genus of the function field used to construct the code, $s$ is the multiplicity parameter, $\ell$ is the designed list size and $\mu$ is the smallest positive element in the Weierstrass semigroup at some chosen place; the "soft-O" notation $\tilde{\mathcal O}(\cdot)$ is similar to the "big-O" notation ${\mathcal O}(\cdot)$, but ignores logarithmic factors. For the interpolation step, which constitutes the computational bottleneck of our approach, we use known algorithms for univariate polynomial matrices, while the root-finding step is solved using existing algorithms for root-finding over univariate power series.
Submitted 2 March, 2022;
originally announced March 2022.
-
Twisted Reed-Solomon Codes
Authors:
Peter Beelen,
Sven Puchinger,
Johan Rosenkilde
Abstract:
In this article, we present a new construction of evaluation codes in the Hamming metric, which we call twisted Reed-Solomon codes. Whereas Reed-Solomon (RS) codes are MDS codes, this need not be the case for twisted RS codes. Nonetheless, we show that our construction yields several families of MDS codes. Further, for a large subclass of (MDS) twisted RS codes, we show that the new codes are not generalized RS codes. To achieve this, we use properties of Schur squares of codes as well as an explicit description of the dual of a large subclass of our codes. We conclude the paper with a description of a decoder that performs very well in practice, as shown by extensive simulation results.
Submitted 23 January, 2022; v1 submitted 14 July, 2021;
originally announced July 2021.
-
Improved Power Decoding of Algebraic Geometry Codes
Authors:
Sven Puchinger,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
Power decoding is a partial decoding paradigm for arbitrary algebraic geometry codes for decoding beyond half the minimum distance, which usually returns the unique closest codeword, but in rare cases fails to return anything. The original version decodes roughly up to the Sudan radius, while an improved version decodes up to the Johnson radius, but has so far been described only for Reed--Solomon and one-point Hermitian codes. In this paper we show how the improved version can be applied to any algebraic geometry code.
Submitted 17 May, 2021; v1 submitted 1 May, 2021;
originally announced May 2021.
-
Bounds on List Decoding of Linearized Reed-Solomon Codes
Authors:
Sven Puchinger,
Johan Rosenkilde
Abstract:
Linearized Reed-Solomon (LRS) codes are sum-rank metric codes that fulfill the Singleton bound with equality. In the two extreme cases of the sum-rank metric, they coincide with Reed-Solomon codes (Hamming metric) and Gabidulin codes (rank metric). List decoding in these extreme cases is well-studied, and the two code classes behave very differently in terms of list size, but nothing is known for the general case. In this paper, we derive a lower bound on the list size for LRS codes, which is, for a large class of LRS codes, exponential directly above the Johnson radius. Furthermore, we show that some families of linearized Reed-Solomon codes with constant numbers of blocks cannot be list decoded beyond the unique decoding radius.
Submitted 5 February, 2021;
originally announced February 2021.
-
Decoding of Interleaved Alternant Codes
Authors:
Lukas Holzbaur,
Hedongliang Liu,
Alessandro Neri,
Sven Puchinger,
Johan Rosenkilde,
Vladimir Sidorenko,
Antonia Wachter-Zeh
Abstract:
Interleaved Reed-Solomon codes admit efficient decoding algorithms which correct burst errors far beyond half the minimum distance in the random errors regime, e.g., by computing a common solution to the Key Equation for each Reed-Solomon code, as described by Schmidt et al. If this decoder does not succeed, it may either fail to return a codeword or miscorrect to an incorrect codeword, and good upper bounds on the fraction of error matrices for which these events occur are known. The decoding algorithm immediately applies to interleaved alternant codes as well, i.e., the subfield subcodes of interleaved Reed-Solomon codes, but the fraction of decodable error matrices differs, since the error is now restricted to a subfield. In this paper, we present new general lower and upper bounds on the fraction of error matrices decodable by Schmidt et al.'s decoding algorithm, thereby making it the only decoding algorithm for interleaved alternant codes for which such bounds are known.
Submitted 17 September, 2021; v1 submitted 14 October, 2020;
originally announced October 2020.
-
Fast Decoding of Codes in the Rank, Subspace, and Sum-Rank Metric
Authors:
Hannes Bartz,
Thomas Jerkovits,
Sven Puchinger,
Johan Rosenkilde
Abstract:
We speed up existing decoding algorithms for three code classes in different metrics: interleaved Gabidulin codes in the rank metric, lifted interleaved Gabidulin codes in the subspace metric, and linearized Reed-Solomon codes in the sum-rank metric. The speed-ups are achieved by new algorithms that reduce the cores of the underlying computational problems of the decoders to one common tool: computing left and right approximant bases of matrices over skew polynomial rings. To accomplish this, we describe a skew-analogue of the existing PM-Basis algorithm for matrices over ordinary polynomials. This captures the bulk of the work in multiplication of skew polynomials, and the complexity benefit comes from existing algorithms performing this faster than in classical quadratic complexity. The new algorithms for the various decoding-related computational problems are interesting in their own right and have further applications, in particular in parts of decoders of several other codes and in foundational problems related to the remainder-evaluation of skew polynomials.
Submitted 10 March, 2021; v1 submitted 20 May, 2020;
originally announced May 2020.
-
Fast Encoding of AG Codes over $C_{ab}$ Curves
Authors:
Peter Beelen,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
We investigate algorithms for encoding of one-point algebraic geometry (AG) codes over certain plane curves called $C_{ab}$ curves, as well as algorithms for inverting the encoding map, which we call "unencoding". Some $C_{ab}$ curves have many points or are even maximal, e.g. the Hermitian curve. Our encoding resp. unencoding algorithms have complexity $\tilde{O}(n^{3/2})$ resp. $\tilde{O}(qn)$ for AG codes over any $C_{ab}$ curve satisfying very mild assumptions, where $n$ is the code length and $q$ the base field size, and $\tilde{O}$ ignores constants and logarithmic factors in the estimate. For codes over curves whose evaluation points lie on a grid-like structure, notably the Hermitian curve and norm-trace curves, we show that our algorithms have quasi-linear time complexity $\tilde{O}(n)$ for both operations. For infinite families of curves whose number of points is a constant factor away from the Hasse--Weil bound, our encoding algorithm has complexity $\tilde{O}(n^{5/4})$ while unencoding has $\tilde{O}(n^{3/2})$.
Submitted 18 August, 2020; v1 submitted 30 March, 2020;
originally announced March 2020.
-
Generic bivariate multi-point evaluation, interpolation and modular composition with precomputation
Authors:
Vincent Neiger,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
Suppose $\mathbb{K}$ is a large enough field and $\mathcal{P} \subset \mathbb{K}^2$ is a fixed, generic set of points which is available for precomputation. We introduce a technique called \emph{reshaping} which allows us to design quasi-linear algorithms for both: computing the evaluations of an input polynomial $f \in \mathbb{K}[x,y]$ at all points of $\mathcal{P}$; and computing an interpolant $f \in \mathbb{K}[x,y]$ which takes prescribed values on $\mathcal{P}$ and satisfies an input $y$-degree bound. Our genericity assumption is explicit and we prove that it holds for most point sets over a large enough field. If $\mathcal{P}$ violates the assumption, our algorithms still work and the performance degrades smoothly according to a distance from being generic. To show that the reshaping technique may have an impact on other related problems, we apply it to modular composition: suppose generic polynomials $M \in \mathbb{K}[x]$ and $A \in \mathbb{K}[x]$ are available for precomputation, then given an input $f \in \mathbb{K}[x,y]$ we show how to compute $f(x, A(x)) \operatorname{rem} M(x)$ in quasi-linear time.
Submitted 4 June, 2020; v1 submitted 27 March, 2020;
originally announced March 2020.
-
Generic Decoding in the Sum-Rank Metric
Authors:
Sven Puchinger,
Julian Renner,
Johan Rosenkilde
Abstract:
We propose the first non-trivial generic decoding algorithm for codes in the sum-rank metric. The new method combines ideas of well-known generic decoders in the Hamming and rank metric. For the same code parameters and number of errors, the new generic decoder has a larger expected complexity than the known generic decoders for the Hamming metric and smaller than the known rank-metric decoders. Furthermore, we give a formal hardness reduction, providing evidence that generic sum-rank decoding is computationally hard. As a by-product of the above, we solve some fundamental coding problems in the sum-rank metric: we give an algorithm to compute the exact size of a sphere of a given sum-rank radius, and also give an upper bound as a closed formula; and we study erasure decoding with respect to two different notions of support.
Submitted 28 October, 2021; v1 submitted 14 January, 2020;
originally announced January 2020.
-
Verification Protocols with Sub-Linear Communication for Polynomial Matrix Operations
Authors:
David Lucas,
Vincent Neiger,
Clément Pernet,
Daniel S. Roche,
Johan Rosenkilde
Abstract:
We design and analyze new protocols to verify the correctness of various computations on matrices over the ring F[x] of univariate polynomials over a field F. For the sake of efficiency, and because many of the properties we verify are specific to matrices over a principal ideal domain, we cannot simply rely on previously-developed linear algebra protocols for matrices over a field. Our protocols are interactive, often randomized, and feature a constant number of rounds of communication between the Prover and Verifier. We seek to minimize the communication cost so that the amount of data sent during the protocol is significantly smaller than the size of the result being verified, which can be useful when combining protocols or in some multi-party settings. The main tools we use are reductions to existing linear algebra verification protocols and a new protocol to verify that a given vector is in the F[x]-row space of a given matrix.
Submitted 11 December, 2019; v1 submitted 3 July, 2018;
originally announced July 2018.
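Added example (not the protocol from the paper): a verifier for a claimed product $C = AB$ of matrices over $\mathbb{F}_p[x]$ that stacks two standard reductions of the kind the abstract mentions. The verifier evaluates all three matrices at a random point $\alpha$ (Schwartz-Zippel bounds the chance that a wrong $C$ agrees with $AB$ at $\alpha$ by $\deg/p$) and then runs Freivalds' check with a random vector $r$, so it only ever does matrix-vector products and never multiplies matrices. No message from the prover is needed beyond the result $C$ itself, and the verifier's randomness is $n+1$ field elements against the $n^2(\deg+1)$ coefficients of $C$. The field $\mathbb{F}_{1000003}$, the matrix sizes, the corrupted entry and all function names are this example's own assumptions.

```python
"""Probabilistic verification of a polynomial-matrix product C = A*B over F_p[x].

Added example, not the paper's protocol: random-point evaluation (Schwartz-Zippel)
followed by Freivalds' check.  Polynomials are low-degree-first coefficient lists;
the prime p = 1000003 is an assumption made for this example.
"""
import random

P = 1_000_003


def poly_mul(a, b, p=P):
    """Product of two polynomials given as coefficient lists."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out


def poly_add(a, b, p=P):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)]


def poly_eval(a, x, p=P):
    """Horner evaluation at a field element."""
    acc = 0
    for c in reversed(a):
        acc = (acc * x + c) % p
    return acc


def matmul_poly(A, B, p=P):
    """The prover's expensive computation: C[i][j] = sum_k A[i][k] * B[k][j] in F_p[x]."""
    n, m, l = len(A), len(B), len(B[0])
    C = [[[0] for _ in range(l)] for _ in range(n)]
    for i in range(n):
        for j in range(l):
            for k in range(m):
                C[i][j] = poly_add(C[i][j], poly_mul(A[i][k], B[k][j], p), p)
    return C


def eval_matrix(M, x, p=P):
    """Scalar matrix M(x) obtained by evaluating every polynomial entry at x."""
    return [[poly_eval(entry, x, p) for entry in row] for row in M]


def matvec(M, v, p=P):
    return [sum(a * b for a, b in zip(row, v)) % p for row in M]


def verify_product(A, B, C, rng, p=P):
    """Verifier side: accept iff A(alpha) * (B(alpha) * r) == C(alpha) * r.

    A wrong C passes only if alpha is a root of a nonzero entry of C - AB
    (probability <= deg/p) or r lies in the kernel of a nonzero scalar matrix
    (probability <= 1/p).  Cost: O(n^2 * deg) for evaluation, O(n^2) for the check.
    """
    alpha = rng.randrange(p)
    r = [rng.randrange(p) for _ in range(len(C[0]))]
    lhs = matvec(eval_matrix(A, alpha, p), matvec(eval_matrix(B, alpha, p), r, p), p)
    rhs = matvec(eval_matrix(C, alpha, p), r, p)
    return lhs == rhs


def random_poly_matrix(n, m, deg, rng, p=P):
    return [[[rng.randrange(p) for _ in range(deg + 1)] for _ in range(m)] for _ in range(n)]


def demo(n=4, deg=3, seed=2024):
    """Constructed instance: returns (honest result accepted, corrupted result accepted)."""
    rng = random.Random(seed)
    A = random_poly_matrix(n, n, deg, rng)
    B = random_poly_matrix(n, n, deg, rng)
    C = matmul_poly(A, B)
    honest = verify_product(A, B, C, rng)
    # a cheating prover: one coefficient of one entry is off by one
    C_bad = [[list(entry) for entry in row] for row in C]
    C_bad[1][2][1] = (C_bad[1][2][1] + 1) % P
    cheating = verify_product(A, B, C_bad, rng)
    return honest, cheating


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The corrupted entry differs from the true one by the polynomial $x$, so the two evaluations coincide only when $\alpha = 0$, and Freivalds' check then misses the difference only when the matching coordinate of $r$ is zero; the overall false-accept probability is at most $2/p$ for this instance.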
-
Computing Popov and Hermite forms of rectangular polynomial matrices
Authors:
Vincent Neiger,
Johan Rosenkilde,
Grigory Solomatov
Abstract:
We consider the computation of two normal forms for matrices over the univariate polynomials: the Popov form and the Hermite form. For matrices which are square and nonsingular, deterministic algorithms with satisfactory cost bounds are known. Here, we present deterministic, fast algorithms for rectangular input matrices. The obtained cost bound for the Popov form matches the previous best known randomized algorithm, while the cost bound for the Hermite form improves on the previous best known ones by a factor which is at least the largest dimension of the input matrix.
Submitted 17 May, 2018; v1 submitted 6 February, 2018;
originally announced February 2018.
-
Improved Power Decoding of Interleaved One-Point Hermitian Codes
Authors:
Sven Puchinger,
Johan Rosenkilde,
Irene Bouw
Abstract:
We propose a new partial decoding algorithm for $h$-interleaved one-point Hermitian codes that can decode, under certain assumptions, an error of relative weight up to $1-(\tfrac{k+g}{n})^{\frac{h}{h+1}}$, where $k$ is the dimension, $n$ the length, and $g$ the genus of the code. Simulation results for various parameters indicate that the new decoder achieves this maximal decoding radius with high probability. The algorithm is based on a recent generalization of Rosenkilde's improved power decoder to interleaved Reed-Solomon codes, does not require an expensive root-finding step, and improves upon the previous best decoding radius by Kampf at all rates. In the special case $h=1$, we obtain an adaption of the improved power decoding algorithm to one-point Hermitian codes, which for all simulated parameters achieves a similar observed failure probability as the Guruswami-Sudan decoder above the latter's guaranteed decoding radius.
Submitted 22 January, 2018;
originally announced January 2018.
-
Structural Properties of Twisted Reed-Solomon Codes with Applications to Cryptography
Authors:
Peter Beelen,
Martin Bossert,
Sven Puchinger,
Johan Rosenkilde
Abstract:
We present a generalisation of Twisted Reed-Solomon codes containing a new large class of MDS codes. We prove that the code class contains a large subfamily that is closed under duality. Furthermore, we study the Schur squares of the new codes and show that their dimension is often large. Using these structural properties, we single out a subfamily of the new codes which could be considered for code-based cryptography: These codes resist some existing structural attacks for Reed-Solomon-like codes, i.e. methods for retrieving the code parameters from an obfuscated generator matrix.
Submitted 11 May, 2018; v1 submitted 22 January, 2018;
originally announced January 2018.
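Added example (not code from either twisted Reed-Solomon paper): the Schur-square distinguisher that both abstracts refer to, in Python over a prime field. The Schur square $C^{(2)}$ of a code $C$ is the span of all componentwise products of pairs of codewords. For a generalized RS code of dimension $k$ and length $n$ it has dimension $\min(n, 2k-1)$, while for a random $[n,k]$ code it is, with high probability, $\min(n, k(k+1)/2)$; a code whose Schur square is as small as a GRS code's is exposed to the structural attacks on obfuscated generator matrices mentioned above, which is why the dimension of the Schur square matters for code-based cryptography. The field $\mathbb{F}_{65537}$, the parameters $n=40$, $k=8$ and the helper names are this example's own choices.

```python
"""Schur-square distinguisher for Reed-Solomon-like codes over a prime field.

Added illustration, not code from the papers.  F_65537, n = 40 and k = 8 are
assumptions for the example; everything runs offline on constructed matrices.
"""
import random

P = 65537  # assumed prime field


def rank_mod_p(rows, p=P):
    """Rank of a matrix (list of rows) over F_p by Gauss-Jordan elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def grs_generator(n, k, alphas, mults, p=P):
    """Generator matrix of the GRS code {(v_i f(alpha_i))_i : deg f < k}; row j is v_i alpha_i^j."""
    return [[(mults[i] * pow(alphas[i], j, p)) % p for i in range(n)] for j in range(k)]


def random_generator(n, k, rng, p=P):
    """Generator matrix of a uniformly random [n, k] code (resampled until it has full rank)."""
    while True:
        g = [[rng.randrange(p) for _ in range(n)] for _ in range(k)]
        if rank_mod_p(g, p) == k:
            return g


def schur_square_dim(gen, p=P):
    """dim C^(2): rank of the componentwise products g_i * g_j over all pairs of generator rows."""
    k, n = len(gen), len(gen[0])
    products = [[(gen[i][c] * gen[j][c]) % p for c in range(n)]
                for i in range(k) for j in range(i, k)]
    return rank_mod_p(products, p)


def distinguish(gen, p=P):
    """'RS-like' if the Schur square is as small as a GRS code's would be, else 'random-like'."""
    k, n = len(gen), len(gen[0])
    grs_dim = min(n, 2 * k - 1)
    random_dim = min(n, k * (k + 1) // 2)
    if grs_dim < random_dim and schur_square_dim(gen, p) == grs_dim:
        return "RS-like"
    return "random-like"


def demo(n=40, k=8, seed=1):
    """Constructed instance: a GRS code with random support and multipliers next to a random code."""
    rng = random.Random(seed)
    alphas = rng.sample(range(P), n)                  # distinct evaluation points
    mults = [rng.randrange(1, P) for _ in range(n)]   # nonzero column multipliers
    g_rs = grs_generator(n, k, alphas, mults)
    g_rand = random_generator(n, k, rng)
    return (schur_square_dim(g_rs), distinguish(g_rs),
            schur_square_dim(g_rand), distinguish(g_rand))


if __name__ == "__main__":
    print(demo())  # (15, 'RS-like', 36, 'random-like') for these parameters
```

The check is only a distinguisher: it says nothing about how to recover the support or multipliers, and it is exactly the quantity the second abstract above controls when it singles out a subfamily with large Schur-square dimension. Column multipliers do not help a GRS code here, since they only square componentwise and the Schur square stays a GRS code of dimension $2k-1$.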
-
Two-Point Codes for the Generalized GK curve
Authors:
Elise Barelli,
Peter Beelen,
Mrinmoy Datta,
Vincent Neiger,
Johan Rosenkilde
Abstract:
We improve previously known lower bounds for the minimum distance of certain two-point AG codes constructed using a Generalized Giulietti-Korchmaros curve (GGK). Castellanos and Tizziotti recently described such bounds for two-point codes coming from the Giulietti-Korchmaros curve (GK). Our results completely cover and in many cases improve on their results, using different techniques, while also supporting any GGK curve. Our method builds on the order bound for AG codes: to enable this, we study certain Weierstrass semigroups. This allows an efficient algorithm for computing our improved bounds. We find several new improvements upon the MinT minimum distance tables.
Submitted 7 October, 2017; v1 submitted 2 June, 2017;
originally announced June 2017.
-
Fast Computation of the Roots of Polynomials Over the Ring of Power Series
Authors:
Vincent Neiger,
Johan Rosenkilde,
Eric Schost
Abstract:
We give an algorithm for computing all roots of polynomials over a univariate power series ring over an exact field $\mathbb{K}$. More precisely, given a precision $d$, and a polynomial $Q$ whose coefficients are power series in $x$, the algorithm computes a representation of all power series $f(x)$ such that $Q(f(x)) = 0 \bmod x^d$. The algorithm works unconditionally, in particular also with multiple roots, where Newton iteration fails. Our main motivation comes from coding theory where instances of this problem arise and multiple roots must be handled.
The cost bound for our algorithm matches the worst-case input and output size $d \deg(Q)$, up to logarithmic factors. This improves upon previous algorithms which were quadratic in at least one of $d$ and $\deg(Q)$. Our algorithm is a refinement of a divide & conquer algorithm by Alekhnovich (2005), where the cost of recursive steps is better controlled via the computation of a factor of $Q$ which has a smaller degree while preserving the roots.
Submitted 30 May, 2017;
originally announced May 2017.
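Added example (not the paper's algorithm): the classical precision-by-precision recursion that the divide-and-conquer method above refines, in Python over a small prime field, so that the multiple-root case can be seen concretely. Given $Q$ with power-series coefficients and a precision $d$, it strips the largest power of $x$ dividing $Q$, finds the roots $y_0$ of $Q(0,y)$ in $\mathbb{F}_p$ by exhaustive search, substitutes $y = y_0 + x y'$ and recurses at precision $d-1$. The output is a list of pairs (prefix, $t$) describing every root as a residue class modulo $x^t$: with multiple roots a root is in general only determined to a precision $t < d$, which is the representation issue a Newton iteration cannot handle. Its cost is quadratic in $d$, which is what the paper improves on. The field $\mathbb{F}_7$ and the sample polynomials $(y-x)^2$ and $y^2-(1+x)$ are constructed for the example.

```python
"""All roots of Q(y) over F_p[[x]] modulo x^d, multiple roots included.

Added example, not the paper's algorithm: the classical precision-by-precision
recursion, quadratic in d.  Q is a list of y-coefficients, each a list of
x-coefficients (lowest degree first).  A small prime p is assumed so that the
roots of Q(0, y) in F_p can be found by exhaustive search.
"""
from math import comb


def _eval_fp(poly, y, p):
    """Horner evaluation of a univariate polynomial over F_p."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * y + c) % p
    return acc


def _shift_y(Q, y0, d, p):
    """Q(x, y0 + x*y) truncated mod x^d, as y-coefficients of length d each."""
    out = [[0] * d for _ in Q]
    for j, qj in enumerate(Q):
        # (y0 + x*y)^j = sum_i C(j,i) * y0^(j-i) * x^i * y^i
        for i in range(j + 1):
            scalar = (comb(j, i) * pow(y0, j - i, p)) % p
            if scalar == 0:
                continue
            for k, c in enumerate(qj):          # x^i * Q_j(x): coefficient k lands at k + i
                if k + i < d:
                    out[i][k + i] = (out[i][k + i] + scalar * c) % p
    return out


def roots_mod_xd(Q, d, p):
    """List of (prefix, t): f is a root of Q mod x^d iff f ≡ prefix (mod x^t) for some pair."""
    if d <= 0:
        return [([], 0)]
    Q = [(qj + [0] * d)[:d] for qj in Q]
    # strip the largest x^s dividing Q:  x^s Q'(f) ≡ 0 mod x^d  <=>  Q'(f) ≡ 0 mod x^(d-s)
    vals = [next((k for k, c in enumerate(qj) if c % p), None) for qj in Q]
    vals = [v for v in vals if v is not None]
    if not vals:
        return [([], 0)]                # Q ≡ 0 mod x^d: every series is a root
    s = min(vals)
    Q = [qj[s:] for qj in Q]
    d -= s
    q0 = [qj[0] for qj in Q]            # Q(0, y) in F_p[y], nonzero by construction
    found = []
    for y0 in range(p):
        if _eval_fp(q0, y0, p) != 0:
            continue
        # f = y0 + x*g: Q(x, y0 + x*y) is divisible by x; divide it out and lower the precision
        Q1 = [cj[1:] for cj in _shift_y(Q, y0, d, p)]
        for g, t in roots_mod_xd(Q1, d - 1, p):
            found.append(([y0] + g, t + 1))
    return found


def _mul_trunc(a, b, d, p):
    out = [0] * d
    for i, ai in enumerate(a[:d]):
        if ai:
            for j, bj in enumerate(b[:d - i]):
                out[i + j] = (out[i + j] + ai * bj) % p
    return out


def is_root(Q, f, d, p):
    """Check Q(f(x)) ≡ 0 mod x^d by Horner's rule over truncated power series."""
    acc = [0] * d
    for qj in reversed(Q):
        acc = _mul_trunc(acc, f, d, p)
        acc = [(a + c) % p for a, c in zip(acc, (qj + [0] * d)[:d])]
    return not any(acc)


if __name__ == "__main__":
    # (y - x)^2 over F_7: a double root, where Newton iteration stalls
    Q_double = [[0, 0, 1], [0, -2 % 7], [1]]
    print(roots_mod_xd(Q_double, 4, 7))   # [([0, 1], 2)]: every f ≡ x (mod x^2)
    # y^2 - (1 + x) over F_7: two simple roots, the truncated series of ±sqrt(1 + x)
    Q_simple = [[-1 % 7, -1 % 7], [], [1]]
    print(roots_mod_xd(Q_simple, 3, 7))   # [([1, 4, 6], 3), ([6, 3, 1], 3)]
```

For $(y-x)^2$ at precision $4$ the answer is the whole class $x + O(x^2)$, since $(f-x)^2 \equiv 0 \bmod x^4$ only forces $f \equiv x \bmod x^2$; the recursion reaches a stage where $Q$ vanishes identically at the remaining precision and stops early, which is where the pair representation is needed. For the simple-root case the recursion determines one coefficient per level, as Newton iteration would, but at quadratic rather than quasi-linear cost.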
-
Power Decoding Reed--Solomon Codes Up to the Johnson Radius
Authors:
Johan Rosenkilde
Abstract:
Power decoding, or "decoding using virtual interleaving", is a technique for decoding Reed--Solomon codes up to the Sudan radius. Since the method's inception, it has been an open question if it is possible to use this approach to decode up to the Johnson radius -- the decoding radius of the Guruswami--Sudan algorithm. In this paper we show that this can be done by incorporating a notion of multiplicities. Like the original Power decoding, the proposed algorithm is a one-pass algorithm: decoding follows immediately from solving a shift-register type equation, which we show can be done in quasi-linear time. It is a "partial bounded-distance decoding algorithm" since it will fail to return a codeword for a few error patterns within its decoding radius; we investigate its failure behaviour theoretically as well as give simulation results.
This is an extended version where we also show how the method can be made faster using the re-encoding technique or a syndrome formulation.
Submitted 7 December, 2017; v1 submitted 8 May, 2015;
originally announced May 2015.