IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 41, NO. 5, SEPTEMBER 1995

1290

On the Key Equation

Patrick Fitzpatrick

Abstract: We consider the set $M = \{(a, b) : a \equiv bh \bmod x^{2t}\}$ of all solutions of the key equation for alternant codes, where $h$ is the syndrome polynomial. In decoding these codes a particular solution $(\omega, \sigma) \in M$ is sought, subject to $\omega$ and $\sigma$ being relatively prime and satisfying certain degree conditions. We prove that these requirements specify $(\omega, \sigma)$ uniquely as the minimal element of $M$ (analogous to the monic polynomial of minimal degree generating an ideal of $F[x]$) with respect to a certain term order and that, as such, $(\omega, \sigma)$ may be determined from an appropriate Gröbner basis of $M$. Motivated by this and other variations of the key equation (such as that appropriate to errors-and-erasures decoding) we derive a general algorithm for solving the congruence $a \equiv bg \bmod x^n$ for a range of term orders defined by the conditions on the particular solution required. Our techniques provide a unified approach to the solution of these key equations.

Index Terms: Gröbner basis, alternant code, decoding algorithms, errors-and-erasures.

I. INTRODUCTION

THE CENTRAL computation in decoding alternant codes (including BCH, RS, and 1-variable Goppa codes) is the determination of polynomials $\sigma, \omega \in A = F[x]$, $F$ a finite field, satisfying the key equation, which we write in the form of a congruence as

$$\omega \equiv \sigma h \bmod x^{2t}. \tag{1}$$

Here $h$ is the syndrome polynomial and $\sigma$, $\omega$ represent the error locator and error evaluator polynomials, respectively. If $\partial f$ denotes the degree of the polynomial $f$ then $\partial h \le 2t - 1$, and $\sigma$, $\omega$ are relatively prime polynomials with $\partial\omega < \partial\sigma \le t$. The following names are associated with algorithms that have been developed for the solution of the key equation: Peterson-Gorenstein-Zierler [3], [22], [32], [33], Berlekamp-Massey [2]-[4], [26], and Sugiyama et al., who developed the technique based on the extended Euclidean algorithm [4], [27], [28], [35]. We refer to these algorithms as PGZ, BM, and E, respectively; all of them can be used in the decoding of alternant codes [3], [23], [31]. Moreover, similar congruences also arise in a variety of different contexts including errors-and-erasures decoding, linear recurring sequences, continued fractions, Hankel and Toeplitz linear systems, Padé approximation, polynomial inversion, and so on ([4], [5], [19], [29], [30], [36], for example). This has prompted many authors to study the interrelationships among these algorithms and particular effort has been devoted to the comparison between BM and E [7], [12], [13], [20], [25].

Manuscript received October 18, 1993; revised November 18, 1994. A summary of an early version of this paper is contained in [15]; the solution of the errors-and-erasures problem was outlined in [16]. The author is with the Department of Mathematics, University College, Cork, Ireland. IEEE Log Number 9413876.

Congruence (1) may be viewed as an instance of the more general

$$a \equiv bg \bmod x^n \tag{2}$$

where $\partial g \le n - 1$ and we want to find a particular solution $(a, b)$, that we call the required solution, satisfying

$$\partial a \le e, \qquad \partial b \le m, \qquad e + m < n, \qquad a \text{ and } b \text{ relatively prime} \tag{3}$$

for some nonnegative integers $e$, $m$. Other special cases of (2) include Berlekamp's (original) key equation

$$\omega \equiv \sigma(1 + xh) \bmod x^{2t+1}$$

[2], which is itself a special case of the errors-and-erasures congruence

$$X \equiv \rho(1 + xH) \bmod x^{2t+1}$$

where $X$, $\rho$ are the error evaluator and error locator polynomials, respectively, and $H$ is the "modified" syndrome polynomial [2], [3], [16], [34]. In this paper we use the theory of Gröbner bases to develop techniques that unify these different manifestations of the key equation and lead to new algorithms corresponding to PGZ, BM, and E. For a specific choice of the parameter $r = e - m$, two of our algorithms are computationally equivalent to PGZ and E, while the third is computationally better than BM. We denote by

$$M = \{(a, b) : a \equiv bg \bmod x^n\} \subseteq A^2 = A \times A$$

the solution set of (2). It is clear that $M$ is closed under addition ($a \equiv bg$ and $c \equiv dg$ imply $a + c \equiv (b + d)g$, i.e., $(a, b), (c, d) \in M$ imply $(a + c, b + d) \in M$) and under multiplication by polynomials ($a \equiv bg$ and $f \in A$ imply $fa \equiv (fb)g$, i.e., $(a, b) \in M$ implies $f(a, b) = (fa, fb) \in M$). By definition, this means that $M$ is a submodule of $A^2$ (corresponding structurally to an ideal in $A$). It is well known (see [1, Theorem 3.32], for example) that any such submodule has a finite basis which generates it in the sense that each of its elements can be expressed as a sum of (polynomial) multiples of the basis elements. We shall show that each basis of $M$ can be reduced to one containing precisely two elements. In general, many essentially distinct two-element bases exist; this is in contrast to the situation in $A$, where each ideal has a uniquely defined one-element basis, namely, the monic generator of minimal degree. However, one basis of $M$ is easily available, namely, $B = \{(g, 1), (x^n, 0)\}$. The central theme of our method is to use the conditions (3) to define a

0018-9448/95$04.00 © 1995 IEEE

FITZPATRICK: ON THE KEY EQUATION

1291

basis $B'$ that contains the required solution. Our algorithms represent different ways of deriving $B'$ from $B$.

We shall need a classification of Gröbner bases of submodules of $A^2$: since there is only one variable involved this is very elementary and follows straightforwardly from the general theory (see [1]). However, in order to make this paper self-contained, we have devoted Section II to developing the necessary theory from first principles. We define for each integer $r$ a term order

submodules of $A^2$. Moreover, given a basis of a submodule and a term order it is immediate that the construction of the relevant Gröbner basis is only a matter of reduction, in other words, there is no need to generate critical pairs. Thus Buchberger's algorithm [6] is not required and, as a consequence, the theory is very elementary and easily developed from first principles: this is our aim in this section. The reader is referred to [1] for a comprehensive treatment of
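As an added worked example (not code from Fitzpatrick's paper, and not his Gröbner-basis algorithm), the following Python solves the key equation (1) by the extended Euclidean method attributed above to Sugiyama et al. (algorithm E) and then checks the structural claims made about the solution set $M$: that $(\omega, \sigma)$ lies in $M$ and satisfies the degree and coprimality conditions, that $M$ is closed under addition and multiplication by a polynomial, and that every element of $M$ is a combination of the basis $B = \{(g, 1), (x^n, 0)\}$ with $g = h$ and $n = 2t$. The prime field GF(101), the choice $t = 3$, and the error locators and values are assumptions made for this example only; the syndromes are constructed from them as $S_j = \sum_i e_i X_i^j$, which is what makes $\omega \equiv \sigma h \bmod x^{2t}$ hold with $\sigma = \prod_i (1 - X_i x)$.

```python
# Added worked example, not code from Fitzpatrick's paper: solve the key equation
# omega = sigma*h (mod x^{2t}) over GF(P) with the extended Euclidean algorithm (the
# "E" method of Sugiyama et al.), then check the module structure of the solution
# set M and the basis B = {(g, 1), (x^n, 0)}. Coefficient lists are lowest degree
# first. GF(101) and t = 3 are assumptions for the example, not from the paper.
P, T = 101, 3

def trim(f):
    """Reduce coefficients mod P and drop high-degree zeros; [] is the zero polynomial."""
    f = [c % P for c in f]
    while f and f[-1] == 0:
        f.pop()
    return f
def deg(f):
    return len(trim(f)) - 1          # the zero polynomial gets degree -1
def add(f, g):
    n = max(len(f), len(g))
    return trim([(f[i] if i < len(f) else 0) + (g[i] if i < len(g) else 0) for i in range(n)])
def sub(f, g):
    return add(f, [-c for c in g])
def mul(f, g):
    out = [0] * (len(f) + len(g))
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] += a * b
    return trim(out)

def divmod_poly(f, g):
    """Quotient and remainder of f by g over GF(P)."""
    f, g = trim(f), trim(g)
    if not g:
        raise ZeroDivisionError("division by the zero polynomial")
    q, inv = [0] * max(len(f) - len(g) + 1, 1), pow(g[-1], P - 2, P)
    while deg(f) >= deg(g):
        shift, c = deg(f) - deg(g), f[-1] * inv % P
        q[shift] = c
        f = sub(f, [0] * shift + [c * gc for gc in g])   # cancels the leading term
    return trim(q), f
def x_pow(n):
    return [0] * n + [1]
def gcd_poly(f, g):
    while trim(g):
        f, g = g, divmod_poly(f, g)[1]
    return trim(f)

def syndrome_poly(locators, values, two_t):
    """h(x) = sum_{j<2t} S_j x^j with S_j = sum_i e_i X_i^j (syndromes of a constructed error)."""
    return trim([sum(e * pow(X, j, P) for X, e in zip(locators, values)) for j in range(two_t)])

def locator_evaluator(locators, values):
    """The true sigma = prod_i (1 - X_i x) and omega = sum_i e_i prod_{k != i} (1 - X_k x)."""
    sigma, omega = [1], []
    for X in locators:
        sigma = mul(sigma, [1, -X])
    for i, e in enumerate(values):
        term = [e]
        for k, X in enumerate(locators):
            if k != i:
                term = mul(term, [1, -X])
        omega = add(omega, term)
    return sigma, omega

def solve_key_equation(h, t):
    """Extended Euclid on x^{2t} and h until the remainder has degree < t; the invariant
    r_i = u_i*h (mod x^{2t}) holds throughout. Returns (sigma, omega) with sigma(0) = 1."""
    r_prev, r_cur, u_prev, u_cur = x_pow(2 * t), trim(h), [], [1]
    while deg(r_cur) >= t:
        q, r_next = divmod_poly(r_prev, r_cur)
        r_prev, r_cur, u_prev, u_cur = r_cur, r_next, u_cur, sub(u_prev, mul(q, u_cur))
    if not u_cur or u_cur[0] == 0:
        raise ValueError("no solution with sigma(0) = 1: more than t errors")
    inv0 = pow(u_cur[0], P - 2, P)
    return trim([c * inv0 for c in u_cur]), trim([c * inv0 for c in r_cur])

def in_M(a, b, g, n):
    """(a, b) lies in M = {(a, b): a = b*g mod x^n} iff a - b*g is divisible by x^n."""
    return not trim(sub(a, mul(b, g))[:n])

def express_in_basis(a, b, g, n):
    """Write (a, b) in M as b*(g, 1) + q*(x^n, 0); returns q, or None if (a, b) is not in M."""
    q, rem = divmod_poly(sub(a, mul(b, g)), x_pow(n))
    return None if trim(rem) else q

def demo():
    locators, values, n = [2, 5, 11], [7, 40, 99], 2 * T    # constructed 3-error pattern
    h = syndrome_poly(locators, values, n)
    sigma, omega = solve_key_equation(h, T)
    f = [3, 1]                                               # arbitrary multiplier x + 3
    a2, b2 = add(mul(f, omega), x_pow(n)), mul(f, sigma)     # f*(omega, sigma) + (x^n, 0)
    q = express_in_basis(a2, b2, h, n)
    return {
        "sigma": sigma, "omega": omega,
        "matches_true": (sigma, omega) == locator_evaluator(locators, values),
        "in_M": in_M(omega, sigma, h, n),
        "degrees_ok": deg(omega) < deg(sigma) <= T,
        "coprime": deg(gcd_poly(sigma, omega)) == 0,
        "closure_ok": in_M(a2, b2, h, n),                    # M closed under + and f*(.)
        "basis_ok": q is not None and add(mul(b2, h), mul(q, x_pow(n))) == a2,
    }
```

Calling `demo()` returns the recovered $(\sigma, \omega)$ together with the outcome of each check; `basis_ok` exercises exactly the decomposition $(a, b) = b\,(g, 1) + q\,(x^n, 0)$, which is why $B$ generates $M$: for any $(a, b) \in M$ the difference $a - bg$ is a multiple $q x^n$ of $x^n$. The stopping rule `deg(r_cur) < t` is where the degree conditions $\partial\omega < \partial\sigma \le t$ enter; with more than $t$ errors the cofactor need not have a nonzero constant term, which the `ValueError` reports rather than returning a wrong locator.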