From the Euclidean Algorithm for Solving a
Key Equation for Dual Reed–Solomon
Codes to the Berlekamp-Massey Algorithm
Maria Bras-Amorós, Michael E. O’Sullivan
The Claude Shannon Institute Workshop on
Coding and Cryptography
Cork, May 18, 2009
1 / 32
Contents
1
Extended Euclidean algorithm (revisited)
2
Key equations for Reed-Solomon codes (revisited)
3
Extended Euclidean algorithm for the new key equation
4
From the Euclidean to the Berlekamp-Massey algorithm
5
Other research directions
2 / 32
Bézout’s Theorem
Bézout’s Theorem
Given a, b ∈ Fq [x] there exist f , g ∈ Fq [x] such that
f a + gb = gcd(a, b)
Extended Euclidean Algorithm
Let r−2 = a, r−1 = b and, for i > 0 let the Euclidean division of ri−2 by ri−1 be
ri−2 = qi ri−1 + ri .
Define f−2 = 1, g−2 = 0, f−1 = 0, g−1 = 1, and for i > 0
fi = fi−2 − qi fi−1
gi = gi−2 − qi gi−1
then for all i > 0
f i a + g i b = ri
3 / 32
Extended Euclidean algorithm
The extended Euclidean algorithm can be expressed in matrix form as
ALGORITHM:
Initialize:
„
r−1
r−2
f−1
f−2
g−1
g−2
«
=
„
b
a
0
1
1
0
«
1
0
«„
while deg(ri ) > 0:
qi = Quotient(ri−2 , ri−1 )
„
ri
ri−1
fi
fi−1
gi
gi−1
«
=
„
−qi
1
ri−1
ri−2
fi−1
fi−2
gi−1
gi−2
«
end while
Return ri−1
4 / 32
Extended Euclidean algorithm
Remark
deg(fi ) > deg(fi−1 ) while deg(ri ) < deg(ri−1 )
deg(gi ) > deg(gi−1 )
(except maybe in the initial steps);
„
«
„
«
ri
fi
r−1 f−1
2 det
= (−1)i+1 det
= (−1)i+1 b, so
ri−1 fi−1
r−2 f−2
1
fi ri−1 = (−1)i b + fi−1 ri ,
and, since deg ri < deg ri−1 and deg fi > deg fi−1 , then
LT(fi ) = (−1)i LT(b)/LT(ri−1 )
deg fi = deg b − deg ri−1
„
«
„
fi
gi
f−1
3 det
= (−1)i+1 det
fi−1 gi−1
f−2
g−1
g−2
«
= (−1)i , so
fi gi−1 − fi−1 gi = (−1)i
and the intermediate Bézout coefficients are coprime at each step.
5 / 32
Extended Euclidean alg. with monic remainders
Definition
For all i > −1 define the matrices
„
« „
Ri Fi Gi
1/LC(ri )
=
0
R̃i F̃i G̃i
0
(−1)i LC(ri )
«„
ri
fi
ri−1
fi−1
gi
gi−1
«
Lemma
For
all i > 0,
„
«
Ri
R̃i
Fi
F̃i
Gi
G̃i
=
„
1/LC(R̃i−1 − Qi Ri−1 )
0
0
−LC(R̃i−1 − Qi Ri−1 )
«„
−Qi
1
1
0
«„
Ri−1
R̃i−1
Fi−1
F̃i−1
Gi−1
G̃i−1
«
,
where Qi is the quotient of R̃i−1 by Ri−1 .
6 / 32
Extended Euclidean alg. with monic remainders
The extended Euclidean algorithm for the new matrices is
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
1
=
LC(b)
0
0
−LC(b)
!„
b
a
0
1
1
0
«
−Qi
1
1
0
«„
while deg(Ri ) > 0:
Qi = Quotient(R̃i−1 , Ri−1 )
„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
0
=@
1
LC(R̃i−1 −Qi Ri−1 )
0
0
−LC(R̃i−1 − Qi Ri−1 )
1
A
„
Ri−1
R̃i−1
Fi−1
F̃i−1
Gi−1
G̃i−1
end while
Return Ri−1 (a constant multiple of ri−1 )
7 / 32
Extended Euclidean alg. with monic remainders
The extended Euclidean algorithm for the new matrices is
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
1
LC(b)
0
=
0
−LC(b)
!„
b
a
0
1
1
0
«
−Qi
1
1
0
«„
while deg(Ri ) > 0:
Qi = Quotient(R̃i−1 , Ri−1 )
„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
0
=@
1
LC(R̃i−1 −Qi Ri−1 )
0
0
−LC(R̃i−1 − Qi Ri−1 )
1
A
„
Ri−1
R̃i−1
Fi−1
F̃i−1
Gi−1
G̃i−1
end while
Return Ri−1 (a constant multiple of ri−1 )
(0)
If Qi = Qi
„
−Qi
1
1
0
«
(l)
(1)
+ Qi x + · · · + Qi x l then
=
„
1
0
(0)
−Qi
1
«„
1
0
(1)
−Qi x
1
«
...
„
1
0
(l)
−Qi x l
1
«„
0
1
1
0
«
.
7 / 32
Extended Euclidean alg. with monic remainders
The extended Euclidean algorithm for the new matrices is
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
1
LC(b)
0
=
0
−LC(b)
!„
b
a
0
1
1
0
«
while deg(Ri ) > 0:
Qi = Quotient(R̃i−1 , Ri−1 )
„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
=
1
1
0
LC(R̃i−1 −Qi Ri−1 )
A
0
−LC(R̃i−1 − Qi Ri−1 )
!„
«„
(l) l
Ri−1
Fi−1
0
1
x
1
−Q
i
...
1
0
R̃i−1
F̃i−1
0
1
0
@
1
0
(0)
−Qi
1
«
!
1
0
(1)
−Qi
1
x
!
Gi−1
G̃i−1
end while
Return Ri−1 (a constant multiple of ri−1 )
(0)
If Qi = Qi
„
−Qi
1
1
0
«
(l)
(1)
+ Qi x + · · · + Qi x l then
=
„
1
0
(0)
−Qi
1
«„
1
0
(1)
−Qi x
1
«
...
„
1
0
(l)
−Qi x l
1
«„
0
1
1
0
«
.
7 / 32
...
Extended Euclidean alg. with monic remainders
The extended Euclidean algorithm for the new matrices is
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
1
=
LC(b)
0
0
−LC(b)
!„
b
a
0
1
1
0
«
while deg(Ri ) > 0:
Qi = Quotient(R̃i−1 , Ri−1 )
„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
=
0
1
1
0
LC(R̃i−1 −Qi Ri−1 )
A
0
−LC(R̃i−1 − Qi Ri−1 )
!„
«„
(l) l
Ri−1
Fi−1
0
1
1
−Q
x
i
...
1
0
R̃i−1
F̃i−1
0
1
@
1
0
(0)
−Qi
1
«
!
1
0
(1)
−Qi
1
x
!
Gi−1
G̃i−1
end while
Return Ri−1 (a constant multiple of ri−1 )
9
LC(b)
=
they all are the LC of the left-most, top-most
LC(R̃i−1 − Qi Ri−1 )
element in the previous matrix
;
(j)
Qi
7 / 32
...
Extended Euclidean alg. with monic remainders
Splitting the matrix multiplications we get
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
b/LC(b)
−LC(b)a
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
0
1
0
−LC(b)
1/LC(b)
0
«
while deg(Ri ) > 0:
„
Ri+1
R̃i+1
«„
1
0
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
while deg(Ri ) > deg(R̃i ):
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
«
„
=
1
0
−LC(Ri )x (deg(Ri )−deg(R̃i ))
1
!„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end while
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
=
1/LC(Ri )
0
0
−LC(Ri )
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end while
8 / 32
Extended Euclidean alg. with monic remainders
We introduced a bunch of intermediate matrices
„
«
Ri Fi Gi
R̃i F̃i G̃i
Not all of them satisfy
„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
=
„
1/LC(ri )
0
0
(−1) LC(ri )
i
«„
ri
fi
ri−1
fi−1
gi
gi−1
«
But all of them satisfy
Fi a + Gi b = Ri ,
F̃i a + G̃i b = R̃i .
9 / 32
Extended Euclidean alg. with monic remainders
The same algorithm can be expressed as
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
−LC(b)a
b/LC(b)
0
1/LC(b)
−LC(b)
0
«
while deg(Ri ) > 0:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
„
1/µ
0
0
−µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
end if
end while
µ = LC(Ri )
„
Ri+1
Fi+1
R̃i+1
F̃i+1
Gi+1
G̃i+1
«
=
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
10 / 32
Reed-Solomon Codes
Primal Reed-Solomon Code
Consider
F a finite field of size q = p m , α a primitive element in F, n = q − 1.
the identification
u = (u0 , u1 , . . . , un−1 ) ↔ u(x) = u0 + u1 x + · · · + un−1 x n−1
(denote u(α) = u0 + u1 α + · · · + un−1 αn−1 )
The Reed-Solomon code of dimension k C ∗ (k) is the cyclic code with
generator polynomial
(x − α)(x − α2 ) · · · (x − αn−k ).
It has generator and parity check matrices
0
B
B
B
G∗ (k) = B
B
@
1
1
1
..
.
1
1
α
α2
..
.
αk −1
1
α2
α4
..
.
α(k −1)2
...
...
...
..
.
...
1
n−1
α
α2(n−1)
..
.
α(k −1)(n−1)
1
C
C
C
C,
C
A
0
B
B
B
H ∗ (k) = B
B
B
@
1
1
1
..
.
1
α
α2
α3
..
.
αn−k
α2
α4
α6
..
.
α(n−k )2
...
...
...
..
.
...
αn−1
α2(n−1)
α3(n−1)
..
.
α(n−k )(n−1)
1
C
C
C
C.
C
C
A
11 / 32
Primal and dual Reed-Solomon Codes
Primal Reed-Solomon Code
The Reed-Solomon code of dimension k C ∗ (k) is the cyclic code with
generator polynomial (x − α)(x − α2 ) · · · (x − αn−k ).
It has generator and parity check matrices
0
B
B
B
G∗ (k) = B
B
@
1
1
1
..
.
1
1
α
α2
..
.
αk −1
1
α2
α4
..
.
α(k −1)2
...
...
...
..
.
...
1
αn−1
2(n−1)
α
..
.
α(k −1)(n−1)
0
1
B
C
B
C
B
C
∗
C , H (k) = B
B
C
B
A
@
1
1
1
..
.
1
α
α2
α3
..
.
n−k
α
α2
α4
α6
..
.
α(n−k )2
...
...
...
..
.
...
αn−1
α2(n−1)
α3(n−1)
..
.
α(n−k )(n−1)
1
C
C
C
C.
C
C
A
Dual Reed-Solomon Code
The dual Reed-Solomon code of dimension k C(k) is the cyclic code with
generator polynomial (x − α−(k +1) ) · · · (x − α−(n−1) )(x − 1).
It has generator and parity check matrices
0
B
B
B
G(k) = B
B
B
@
1
1
1
..
.
1
α
α2
α3
..
.
αk
α2
α4
α6
..
.
α2k
...
...
...
..
.
...
αn−1
α2(n−1)
α3(n−1)
..
.
k (n−1)
α
1
0
C
B
C
B
C
C , H(k) = B
B
C
B
C
@
A
1
1
1
..
.
1
1
α
α2
..
.
1
α2
α4
..
.
αn−k −1
α(n−k −1)2
...
...
...
..
.
...
1
αn−1
α2(n−1)
..
.
α(n−k −1)(n−1)
1
C
C
C
C.
C
A
12 / 32
Primal and dual Reed-Solomon Codes
Properties
Both codes have minimum distance d = n − k + 1
C(k)⊥ = C ∗ (n − k)
If i is a vector of dimension k and
then
c
c(αi )
c
=
(c0 , c1 , . . . , cn−1 ) = iG(k) ∈ C(k),
c∗
=
∗
(c0∗ , c1∗ , . . . , cn−1
) = iG∗ (k) ∈ C ∗ (k),
=
(c0∗ ,
αc1∗ ,
α2 c2∗ ,
...
∗
αn−1 cn−1
),
=
=
c0∗ +
c0∗ +
αc1∗ αi +
c1∗ αi+1 +
α2 c2∗ α2i +
c2∗ α2(i+1) +
...
...
∗
+αn−1 cn−1
α(n−1)i
∗
(n−1)(i+1)
+cn−1 α
c(αi ) = c ∗ (αi+1 )
13 / 32
Correction of RS codes: key polynomials
Suppose c ∗ ∈ C ∗ (k) is the transmitted word, e ∗ is the error added to c ∗ with
t = |e ∗ | 6 d −1
, and u ∗ = c ∗ + e ∗ is the received word.
2
Correction of RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
∗
Ω = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
i
j
14 / 32
Correction of RS codes: key polynomials
Suppose c ∗ ∈ C ∗ (k) is the transmitted word, e ∗ is the error added to c ∗ with
t = |e ∗ | 6 d −1
, and u ∗ = c ∗ + e ∗ is the received word.
2
Correction of RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
∗
Ω = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
i
j
Error location
Λ∗ (α−i ) = 0
Error evaluation (Forney)
∗
−i
)
.
ei∗ = − ΛΩ′∗(α
(α−i )
14 / 32
Correction of RS codes: key polynomials
Suppose c ∗ ∈ C ∗ (k) is the transmitted word, e ∗ is the error added to c ∗ with
t = |e ∗ | 6 d −1
, and u ∗ = c ∗ + e ∗ is the received word.
2
Correction of RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
∗
Ω = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
i
j
Error location
Λ∗ (α−i ) = 0
Error evaluation (Forney)
∗
−i
)
.
ei∗ = − ΛΩ′∗(α
(α−i )
Syndrome polynomial
S ∗ = e ∗ (α) + e ∗ (α2 )x + · · · + e ∗ (αn )x n−1
Truncated syndrome polynomial
S̄ ∗ = e ∗ (α) + · · · + e ∗ (αn−k )x n−k −1
14 / 32
Correction of RS codes: key equations
Key equation
Λ∗ S ∗ = (1 − x n )Ω∗
Truncated key equation (Berlekamp)
Λ∗ S̄ ∗ = Ω∗ mod x n−k
15 / 32
Correction of RS codes: key equations
Key equation
Λ∗ S ∗ = (1 − x n )Ω∗
Truncated key equation (Berlekamp)
Λ∗ S̄ ∗ = Ω∗ mod x n−k
Bézout-like presentation
S̄ ∗ + m(x) x| n−k
Λ∗ |{z}
Ω∗
= |{z}
|{z}
| {z } {z }
fi
a
(known)
gi
b
(known)
ri
15 / 32
Correction of RS codes: key equations
Key equation
Λ∗ S ∗ = (1 − x n )Ω∗
Truncated key equation (Berlekamp)
Λ∗ S̄ ∗ = Ω∗ mod x n−k
Bézout-like presentation
S̄ ∗ + m(x) x| n−k
Λ∗ |{z}
Ω∗
= |{z}
|{z}
| {z } {z }
fi
a
(known)
gi
b
(known)
ri
Sugiyama et al’s algorithm solves this by means of the ext. Euclidean algorithm.
The bound on the degree of Ω∗ states the end of the algorithm.
Coprimality of Λ∗ and Ω∗ guarantees unicity.
15 / 32
Correction of RS codes: key polynomials
Suppose c ∈ C(k) is the transmitted word, e is the error added to c with
t = |e| 6 d −1
, and u = c + e is the received word.
2
Correction of RS codes
Correction of DUAL RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
Ω∗ = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
i
j
Error location
Λ∗ (α−i ) = 0
Error evaluation (Forney)
∗
−i
)
ei∗ = − ΛΩ′∗(α
.
(α−i )
Syndrome polynomial
S ∗ = e∗ (α) + e∗ (α2 )x + · · · + e∗ (αn )x n−1
Truncated syndrome polynomial
S̄ ∗ = e∗ (α) + · · · + e∗ (αn−k )x n−k −1
16 / 32
Correction of RS codes: key polynomials
Suppose c ∈ C(k) is the transmitted word, e is the error added to c with
t = |e| 6 d −1
, and u = c + e is the received word.
2
Correction of RS codes
Correction of DUAL RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
Ω∗ = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
Error locator polynomial
Q
Λ = ei 6=0 (x − αi )
Error evaluator polynomial
P
Q
Ω = ei 6=0 ei ej 6=0,j6=i (x − αi )
i
j
Error location
Λ∗ (α−i ) = 0
Error evaluation (Forney)
∗
−i
)
ei∗ = − ΛΩ′∗(α
.
(α−i )
Syndrome polynomial
S ∗ = e∗ (α) + e∗ (α2 )x + · · · + e∗ (αn )x n−1
Truncated syndrome polynomial
S̄ ∗ = e∗ (α) + · · · + e∗ (αn−k )x n−k −1
16 / 32
Correction of RS codes: key polynomials
Suppose c ∈ C(k) is the transmitted word, e is the error added to c with
t = |e| 6 d −1
, and u = c + e is the received word.
2
Correction of RS codes
Correction of DUAL RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
Ω∗ = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
Error locator polynomial
Q
Λ = ei 6=0 (x − αi )
Error evaluator polynomial
P
Q
Ω = ei 6=0 ei ej 6=0,j6=i (x − αi )
Error location
Λ∗ (α−i ) = 0
Error evaluation (Forney)
Error location
Λ(αi ) = 0
Error evaluation (Forney)
i
∗
j
−i
)
ei∗ = − ΛΩ′∗(α
.
(α−i )
ei =
Ω(αi )
Λ′ (αi )
Syndrome polynomial
S ∗ = e∗ (α) + e∗ (α2 )x + · · · + e∗ (αn )x n−1
Truncated syndrome polynomial
S̄ ∗ = e∗ (α) + · · · + e∗ (αn−k )x n−k −1
16 / 32
Correction of RS codes: key polynomials
Suppose c ∈ C(k) is the transmitted word, e is the error added to c with
t = |e| 6 d −1
, and u = c + e is the received word.
2
Correction of RS codes
Correction of DUAL RS codes
Error locator polynomial
Q
Λ∗ = e∗ 6=0 (1 − αi x)
i
Error evaluator polynomial
P
Q
Ω∗ = e∗ 6=0 ei∗ αi e∗ 6=0,j6=i (1 − αi x)
Error locator polynomial
Q
Λ = ei 6=0 (x − αi )
Error evaluator polynomial
P
Q
Ω = ei 6=0 ei ej 6=0,j6=i (x − αi )
Error location
Λ∗ (α−i ) = 0
Error evaluation (Forney)
Error location
Λ(αi ) = 0
Error evaluation (Forney)
i
∗
j
−i
)
ei∗ = − ΛΩ′∗(α
.
(α−i )
ei =
Ω(αi )
Λ′ (αi )
Syndrome polynomial
Syndrome polynomial
S ∗ = e∗ (α) + e∗ (α2 )x + · · · + e∗ (αn )x n−1
S = e(αn−1 ) + e(αn−2 )x + · · · + e(1)x n−1
Truncated syndrome polynomial
Truncated syndrome polynomial
S̄ ∗ = e∗ (α) + · · · + e∗ (αn−k )x n−k −1
S̄ = e(αn−k −1 )x k + · · · + e(1)x n−1 .
16 / 32
Correction of RS codes: key polynomials
If e and e ∗ are such that e(αi ) = e ∗ (αi+1 ) then
Λ
=
x t Λ∗ (1/x)
Ω
=
x t−1 Ω∗ (1/x)
S
=
x n−1 S ∗ (1/x)
S̄
=
x n−1 S̄ ∗ (1/x).
17 / 32
Correction of RS codes: key equations
Key equation
Λ∗ S ∗ = (1 − x n )Ω∗
Truncated key equation (Berlekamp)
Λ∗ S̄ ∗ = Ω∗ mod x n−k
Key equation
ΛS = (x n − 1)Ω
Truncated key equation
deg(ΛS̄ − (x n − 1)Ω)< n − d/2
Bézout-like presentation
Λ∗ |{z}
Ω∗
S̄ ∗ + m(x) x| n−k
= |{z}
|{z}
| {z } {z }
fi
a
(known)
gi
b
(known)
ri
Sugiyama et al’s algorithm solves this
by means of the ext. Euclidean algorithm.
The bound on the degree of Ω∗
states the end of the algorithm.
Coprimality of Λ∗ and Ω∗
guarantees unicity.
18 / 32
Correction of RS codes: key equations
Key equation
Λ∗ S ∗ = (1 − x n )Ω∗
Truncated key equation (Berlekamp)
Λ∗ S̄ ∗ = Ω∗ mod x n−k
Key equation
ΛS = (x n − 1)Ω
Truncated key equation
deg(ΛS̄ − (x n − 1)Ω)< n − d/2
Bézout-like presentation
Λ∗ |{z}
Ω∗
S̄ ∗ + m(x) x| n−k
= |{z}
|{z}
| {z } {z }
Bézout-like presentation
Λ
Ω (x n − 1) = m(x)
S̄
− |{z}
|{z}
|{z}
| {z } | {z }
fi
a
(known)
gi
b
(known)
ri
fi
a
(known)
gi
−b
(known)
ri
Sugiyama et al’s algorithm solves this
by means of the ext. Euclidean algorithm.
The bound on the degree of Ω∗
states the end of the algorithm.
Coprimality of Λ∗ and Ω∗
guarantees unicity.
18 / 32
Correction of RS codes: key equations
Key equation
Λ∗ S ∗ = (1 − x n )Ω∗
Truncated key equation (Berlekamp)
Λ∗ S̄ ∗ = Ω∗ mod x n−k
Key equation
ΛS = (x n − 1)Ω
Truncated key equation
deg(ΛS̄ − (x n − 1)Ω)< n − d/2
Bézout-like presentation
Λ∗ |{z}
Ω∗
S̄ ∗ + m(x) x| n−k
= |{z}
|{z}
| {z } {z }
Bézout-like presentation
Λ
Ω (x n − 1) = m(x)
S̄
− |{z}
|{z}
|{z}
| {z } | {z }
Sugiyama et al’s algorithm solves this
by means of the ext. Euclidean algorithm.
Goal: solve this by means
of the ext. Euclidean algorithm
The bound on the degree of Ω∗
states the end of the algorithm.
The key equation itself
states the end of the algorithm
Coprimality of Λ∗ and Ω∗
guarantees unicity.
Coprimality of Λ and Ω
guarantees unicity.
fi
a
(known)
gi
b
(known)
ri
fi
a
(known)
gi
−b
(known)
ri
18 / 32
Correction of RS codes: key equations
Lemma
Suppose that at most d −1
errors occurred. Then Λ and Ω are the unique
2
polynomials λ, ω satisfying the following properties.
1
deg (λS̄ − ω(x n − 1)) < n − d/2
2
deg(λ) 6 d/2
3
λ, ω are coprime
4
λ is monic
19 / 32
Extended Euclidean alg. for the dual key equation
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
S̄
xn − 1
1
0
0
−1
«
while deg(Ri ) > n − d /2:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end if
end while
Return Fi , Gi
20 / 32
Extended Euclidean alg. for the dual key equation
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
S̄
xn − 1
1
0
0
−1
«
while deg(Ri ) > n − d /2:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end if
end while
Return Fi , Gi
1
deg(Fi S̄ − Gi (x n − 1)) = deg(Ri ) < n − d/2
20 / 32
Extended Euclidean alg. for the dual key equation
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
S̄
xn − 1
1
0
0
−1
«
while deg(Ri ) > n − d /2:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end if
end while
Return Fi , Gi
2
deg(Fi ) = n − deg(Ri−1 ) 6 n − (n − d/2) = d/2
20 / 32
Extended Euclidean alg. for the dual key equation
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
S̄
xn − 1
1
0
0
−1
«
while deg(Ri ) > n − d /2:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end if
end while
Return Fi , Gi
3
Fi , Gi coprime. Indeed, det
„
Fi
F̃i
Gi
G̃i
«
= −1 ⇒ Fi (−G̃i ) + Gi (F̃i ) = 1
20 / 32
Extended Euclidean alg. for the dual key equation
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
S̄
xn − 1
1
0
0
−1
«
while deg(Ri ) > n − d /2:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end if
end while
Return Fi , Gi
4
Fi is monic. Indeed, det
„
Ri
R̃i
Fi
F̃i
«
= −1 ⇒ Fi (R̃i ) + Ri (−F̃i ) = 1
20 / 32
Extended Euclidean alg. for the dual key equation
ALGORITHM:
Initialize:
„
R−1
R̃−1
F−1
F̃−1
G−1
G̃−1
«
=
„
S̄
xn − 1
1
0
0
−1
«
while deg(Ri ) > n − d /2:
µ = LC(Ri )
p = deg(Ri ) − deg(R̃i )
if p > 0 or µ = 0 then
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
1
0
„
Ri+1
R̃i+1
Fi+1
F̃i+1
Gi+1
G̃i+1
«
=
„
x −p
1/µ
−µx p
1
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
else
−µ
0
«„
Ri
R̃i
Fi
F̃i
Gi
G̃i
«
end if
end while
Return Fi , Gi
Theorem: If t 6
d −1
2
then the algorithm outputs Λ and Ω.
20 / 32
From Euclidean to Berlekamp-Massey
The only reason to keep the polynomials Ri (and R̃i ) is that we need to
compute their leading coefficients (the µ’s).
Lemma
LC(Ri ) = LC(Fi S̄)
Proof.
On one hand, the remainder Ri = Fi S̄ − Gi (x n − 1) = Fi S̄ − x n Gi + Gi has
degree at most n − 1 for all i > 0. This means that all terms of x n Gi cancel
with terms of Fi S̄ and that the leading term of Ri must be either a term of Fi S̄
or a term of Gi or a sum of a term of Fi S̄ and a term of Gi .
On the other hand, the algorithm only computes LC(Ri ) while
deg(Ri ) > n − d/2. We want to see that in this case the leading term of Ri
has degree strictly larger than that of Gi . Indeed, one can check that for
i > 0, deg(Gi ) < deg(Fi ) and that all Fi ’s in the algorithm have degree at
most d/2. So deg(Gi ) < deg(Fi ) 6 d/2 6 n − d/2 6 deg(Ri ).
21 / 32
From Euclidean to Berlekamp-Massey
ALGORITHM:
Initialize:
d−1 = deg(S̄)
d̃−1 = n
„
F−1
F̃−1
G−1
G̃−1
«
=
„
1
0
0
−1
«
while di > n − d /2:
µ = Coefficient(Fi S̄, di )
p = di − d̃i
if p > 0 or µ = 0 then
„
Fi+1
Gi+1
F̃i+1
G̃i+1
di+1 = di − 1
d̃i+1 = d̃i
«
=
„
1
0
„
«
=
„
x −p
1/µ
−µx p
1
«„
Fi
F̃i
Gi
G̃i
«
else
Fi+1
Gi+1
F̃i+1
G̃i+1
di+1 = d̃i − 1
d̃i+1 = di
−µ
0
«„
Fi
F̃i
Gi
G̃i
«
end if
end while
22 / 32
From Euclidean to Berlekamp-Massey
This last algorithm is the Berlekamp-Massey algorithm that solves the linear
recurrence
t
X
Λj e(αi+j−1 ) = 0
j=0
for all i > 0.
This recurrence is derived from Λ x nS−1 being a polynomial and thus having no
terms of negative order in its expression as a Laurent series in 1/x, and from
the equality
„
«
1
e(α)
e(α2 )
S
=
e(1)
+
+
+
·
·
·
.
xn − 1
x
x
x2
23 / 32
Moving back to primal Reed-Solomon codes
Suppose c ∗ ∈ C ∗ (k) is the transmitted word, e ∗ is the error added to c ∗ and
u ∗ = c ∗ + e ∗ is the received word.
∗
Then c = (c0∗ , αc1∗ , α2 c2∗ , . . . , αn−1 cn−1
) ∈ C(k) and
∗
∗
2 ∗
n−1 ∗
e = (e0 , αe1 , α e2 , . . . , α en−1 ) has the same non-zero positions as e ∗ .
∗
Let u := c + e = (u0∗ , αu1∗ , α2 u2∗ , . . . , αn−1 un−1
). The error values ei∗ added to
∗
ui can be computed from the error values ei added to ui by
ei∗ = ei /αi .
Now we can use the previous algorithm with
S̄
=
e(αn−k −1 )x k + e(αn−k −2 )x k +1 + · · · + e(1)x n−1
=
e ∗ (αn−k )x k + e ∗ (αn−k −1 )x k +1 + · · · + e ∗ (α)x n−1
=
u ∗ (αn−k )x k + u ∗ (αn−k −1 )x k +1 + · · · + u ∗ (α)x n−1 .
Once we have the error positions, we can compute the error values as
ei∗ =
Ω(αi )
.
αi Λ′ (αi )
24 / 32
25 / 32
Other research directions: numerical semigroups
Definition
A numerical semigroup is a subset Λ of N0 satisfying
0∈Λ
Λ+Λ⊆Λ
|N0 \ Λ| is finite (genus:=g:= |N0 \ Λ|)
26 / 32
Cash point
Example
The amounts of money one can obtain from a cash point (divided by 10)
27 / 32
Cash point
amount
amount/10
0
0
10
impossible!
20
30
2
impossible!
+
40
4
50
5
60
+
70
+
80
+
+
90
+
+
100
+
110
..
.
+
..
.
+
6
7
+
8
9
10
+
+
11
..
.
28 / 32
Counting
Let ng denote the number of numerical semigroups of genus g.
29 / 32
Counting
Let ng denote the number of numerical semigroups of genus g.
n0 = 1, since the unique numerical semigroup of genus 0 is N0
29 / 32
Counting
Let ng denote the number of numerical semigroups of genus g.
n0 = 1, since the unique numerical semigroup of genus 0 is N0
n1 = 1, since the unique numerical semigroup of genus 1 is N0 \ {1}
29 / 32
Counting
Let ng denote the number of numerical semigroups of genus g.
n0 = 1, since the unique numerical semigroup of genus 0 is N0
n1 = 1, since the unique numerical semigroup of genus 1 is N0 \ {1}
n2 = 2. Indeed the unique numerical semigroups of genus 2 are
{0, 3, 4, 5, . . . },
{0, 2, 4, 5, . . . }.
29 / 32
Conjecture ng /ng−1 → φ
Conjecture
1
ng > ng−1 + ng−2
2
limg→∞
3
ng−1 +ng−2
ng
limg→∞ n
ng
g−1
=1
=φ
At the moment it has not even been proved that ng is increasing.
30 / 32
Conjecture ng /ng−1 → φ
g
ng
ng−1 + ng−2
ng−1 +ng−2
ng
ng
ng−1
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
1
1
2
4
7
12
23
39
67
118
204
343
592
1001
1693
2857
4806
8045
13467
22464
37396
62194
103246
170963
282828
467224
770832
1270267
2091030
3437839
5646773
9266788
15195070
24896206
40761087
66687201
109032500
178158289
290939807
474851445
774614284
1262992840
2058356522
3353191846
5460401576
8888486816
14463633648
23527845502
38260496374
62200036752
101090300128
2
3
6
11
19
35
62
106
185
322
547
935
1593
2694
4550
7663
12851
21512
35931
59860
99590
165440
274209
453791
750052
1238056
2041099
3361297
5528869
9084612
14913561
24461858
40091276
65657293
107448288
175719701
287190789
469098096
765791252
1249465729
2037607124
3321349362
5411548368
8813593422
14348888392
23352120464
37991479150
61788341876
100460533126
1
0.75
0.857143
0.916667
0.826087
0.897436
0.925373
0.898305
0.906863
0.938776
0.923986
0.934066
0.940933
0.942947
0.946733
0.952517
0.954259
0.957621
0.960825
0.962472
0.964589
0.967695
0.969526
0.971249
0.973042
0.974642
0.976121
0.977735
0.979120
0.980341
0.981474
0.982554
0.983567
0.984556
0.985470
0.986312
0.987114
0.987884
0.988610
0.989290
0.989919
0.990504
0.991053
0.991574
0.992067
0.992531
0.992969
0.993381
0.993770
1
2
2
1.75
1.71429
1.91667
1.69565
1.71795
1.76119
1.72881
1.68137
1.72595
1.69088
1.69131
1.68754
1.68218
1.67395
1.67396
1.66808
1.66471
1.66312
1.66006
1.65588
1.65432
1.65197
1.64981
1.64792
1.64613
1.64409
1.64254
1.64108
1.63973
1.63844
1.63724
1.63605
1.63498
1.63399
1.63304
1.63213
1.63128
1.63048
1.62975
1.62906
1.62842
1.62781
1.62723
1.62669
1.62618
1.62570
1.62525
31 / 32
Conjecture ng /ng−1 → φ
Behavior of
ng−1 +ng−2
ng
ng−1 +ng−2
ng
1
6q
q
qq q q q qq q q q qq q q q q qq q q q qq q q q qq
q q q q q q qq q q q qq q q q q
q
q
50
0
Behavior of
g
ng
ng−1
ng
ng−1
6q q
q
q q q q q q q qq q q q qq q q q q qq q
q q qq q q q qq q q q q qq q q q qq q q q qq
φ
q
0
50
g
32 / 32