List Decoding of Binary Goppa Codes up to the Binary Johnson Bound

Size: px

Start display at page:

Download "List Decoding of Binary Goppa Codes up to the Binary Johnson Bound"

Christian Carter
5 years ago
Views:

1 List Decoding of Binary Goppa Codes up to the Binary Johnson Bound Daniel Augot Morgan Barbier Alain Couvreur École Polytechnique INRIA Saclay - Île de France ITW Paraty Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

2 Outline 1 List decoding Main principle Johnson s bound Decoding of generalized Reed-Solomon codes 2 List decoding of classical Goppa codes Goppa codes Method Analysis Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

3 List decoding Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

4 List decoding Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

5 List decoding Unambiguous decoding: t = d 1 2. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

6 List decoding List decoding: τ > t. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

7 Johnson s bound Theorem Let v F n q and e be an integer such that then B(v, e) C n 2. e < J q (n, d) n q 1 q ( 1 ) 1 q d, q 1 n When q +, we obtain the generic Johnson bound: ( ) J(n, d) = n For the binary case: q = 2 J 2 (n, d) = n d n ( ) 1 1 2d n.. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

8 Comparison of the Johnson bounds e/n : normalised error capacity Binary Johnson s bound Generic Johnson s bound Unambiguous bound d/n : normalised minimum distance Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

9 Decoding context Definition (Generalised Reed-Solomon GRS) Let β 1,..., β n be elements of F q and α 1,..., α n be distinct elements of F q. The Generalised Reed-Solomon code (GRS) is given by GRS k [(β i ) i, (α i ) i ] {(β 1 P(α 1 ),..., β n P(α n )) : P F q [X ] k }. Let the received word y = (y 1,..., y n ) F n q be such that y = c + e, where e F n q and w(e) t n k 2. The decoding problem consists in finding P such that y = (β 1 P(α 1 ) + e 1,..., β n P(α n ) + e n ). Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

10 Decoding of Reed-Solomon codes Welch-Berlekamp: Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

11 Decoding of Reed-Solomon codes Welch-Berlekamp: Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

12 Decoding of Reed-Solomon codes Welch-Berlekamp: Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Sudan: Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

13 Decoding of Reed-Solomon codes Welch-Berlekamp: Compute Q(X, Y ) Q 0 (X ) + Q 1 (X )Y such that Q(α i, y i ) = 0. Y P(X ) Q(X, Y ) Sudan: Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0. Guruswami-Sudan: Compute Q(X, Y ) Q 0 (X ) + + Q l (X )Y l such that Q(α i, y i ) = 0 with multiplicities. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

14 Definitions Definition (Subfield subcode) Let C be a code over F q m is given by of length n. The subfield subcode of C over F q C q C F n q. Definition (Alternant codes) A code is alternant if it is a subfield subcode of a GRS. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

15 Goppa codes Definition (Goppa codes as alternant codes) Let α 1,..., α n be distinct elements of F q m, G(X ) a polynomial over F q m of degree r such that i n, G(α i ) 0. The Goppa code over F q is given by: Γ q ((α i ) i, G) GRS n r [(β i ) i, (α i ) i ] q, where β i = G(α i ) j i (α i α j ). length n, dimension n mr, minimum distance r + 1. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

16 Particular property Theorem (Sugiyama et al ) Let α 1,..., α n be distinct elements of F 2 m, G(X ) a polynomial over F 2 m of degree r such that i, G(α i ) 0. If G(X ) is square-free then Γ 2 ((α i ) i, G) = Γ 2 ((α i ) i, G 2 ). length n, dimension n mr, minimum distance 2r + 1. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

17 Decoding algorithm for binary Goppa codes Decoding methods based on interpolation step: 1986: unambiguous decoding for RS codes Welch, Berlekamp. 1997: first list decoding for RS codes Sudan. 1999: list decoding for RS codes Guruswami, Sudan. 2000: soft-decoding (preprint) Koetter, Vardy, 2003: application to the alternant codes (1 ISIT page) Roth, Tal. Other methods: 2008: extension of Patterson algorithm Bernstein, 2011: lattice-basis reduction Bernstein. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

18 Context of decoding Let Γ 2 ((α i ) i, G) be a binary Goppa code of length n, where G is a square-free polynomial of degree r, and let y F n 2 be the received word. Their exists e F n 2 and P F 2m[X ] of degree strictly less than n r, such that y = (β 1 P(α 1 ) + e 1,..., β n P(α n ) + e n ), where β i = G(α i ) j i (α i α j ). Decode y find P. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

19 Decoding I GRS n r GRS n 2r * Γ 2 (α i, G) = * Γ 2 (α i, G 2 ) Where * is the subfield subcode operator. Main idea: List decode on the GRS n 2r and add interpolation constraints to force the codewords to be on F 2. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

20 Decoding II Let Γ 2 ((α i ) i, G) be a binary Goppa code of length n, where G is a square-free polynomial of degree r, y F n 2 and s be auxiliary. Compute Q(X, Y ) l j=0 Q j(x )Y j such that Q(X, Y ) 0, Q(x i, y i β 1 i ) = 0 with multiplicity s(1 J 2 /n), Q(x i, z i β 1 i ) = 0 with multiplicity sj 2 /n and z i y i + 1, deg(q j ) < sn ( (1 J 2 /n) 2 + (J 2 /n) 2) j(n r 1), j {1,..., l}, where J 2 is the binary Johnson bound: n 2 ( ) 1 1 2d n. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

21 Computation of P(X ) Theorem The polynomial Q(X, Y ) F p m[x, Y ] satisfying the previous conditions always exists. Theorem For all P solution of the decoding problem, the polynomial Q(X, P(X )) F p m[x ] is the null polynomial. = Y P(X ) Q(X, Y ). Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

22 Correction Radii e/n : normalised error capacity This method Guruswami-Sudan Welch-Berlekamp d/n : normalised minimum distance Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

23 Complexity Theorem To decode a square-free binary Goppa code up to the binary Johnson bound ( ) n J 2 (n, 2r + 1) = 1 1 4r n this algorithm runs in O(n 7 ) field operations. Theorem To decode up to (1 ɛ)j 2, this algorithm runs in O(n 2 ɛ 5 ) field operations. Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

24 List Decoding of Binary Goppa Codes up to the Binary Johnson Bound Daniel Augot Morgan Barbier Alain Couvreur École Polytechnique INRIA Saclay - Île de France ITW Paraty Augot - Barbier - Couvreur (LIX) List Decoding of Binary Goppa Codes ITW / 21

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem

List decoding of binary Goppa codes and key reduction for McEliece s cryptosystem Morgan Barbier morgan.barbier@lix.polytechnique.fr École Polytechnique INRIA Saclay - Île de France 14 April 2011 University