Reverse Berlekamp-Massey Decoding

Reverse Berlekamp-Massey Decoding Jiun-Hung Yu and Hans-Andrea Loeliger Department of Information Technology and Electrical Engineering ETH Zurich, Switzerland Email: {yu, loeliger}@isi.ee.ethz.ch arxiv:1301.736v [cs.it] 17 May 013 Abstract We propose a new algorithm for decoding Reed- Solomon codes up to half the minimum distance and for computing inverses in F [x]/mx. The proposed algorithm is similar in spirit and structure to the Berlekamp-Massey algorithm, but it works naturally for general mx. I. INTRODUCTION In this paper, we propose a new algorithm that solves the following problem. Partial-Inverse Problem: Let bx and mx be nonzero polynomials over some finite field F, with deg bx < deg mx. Find a nonzero polynomial Λx F [x] of the smallest degree such that deg bxλx mod mx < d 1 for fixed d Z, 1 d deg mx. In the special case where d = 1 and gcd bx, mx = 1, the problem reduces to computing the inverse of bx in F [x]/mx. Another special case of the Partial-Inverse Problem is the standard key equation for decoding Reed-Solomon codes [1] [5] see Section II-B. In this case, we have mx = x n k, where n and k are the blocklength and the dimension of the code, respectively. The proposed algorithm then essentially coincides with the Berlekamp-Massey algorithm [], [6] except that it processes the polynomial bx the syndrome in the reverse order. The Partial-Inverse Problem with general mx arises from an alternative key equation that will be discussed in Section IV. This alternative key equation and the corresponding decoding algorithm generalize naturally to polynomial remainder codes [7], [9] [11], which have not been amenable to Berlekamp-Massey decoding. The Partial-Inverse Problem can also be solved by a version of the Euclidean algorithm in the style of [3], [5], [7], [8]. In fact, it has long been known that the Berlekamp-Massey algorithm and the Euclidean algorithm are related [1] [14], and explicit translations were given in [1], [14]. In this respect, the algorithm proposed in this paper allows such a translation that is particularly transparent. However, this topic is not elaborated in the present paper due to lack of space. The paper is structured as follows. Section II comprises a number of remarks on the Partial-Inverse Problem, including its application to the standard key equation. The new algorithm is proposed in Section III and proved in Sections V and VI. Decoding Reed-Solomon codes via the alternative key equation is described in Section IV, and the generalization of this approach to polynomial remainder codes is outlined in the appendix. The following notation will be used. The Hamming weight of e F n will be denoted by w H e. The coefficient of x l of a polynomial bx F [x] will be denoted b l. The leading coefficient i.e., the coefficient of x deg bx of a nonzero polynomial bx will be denoted by lcf bx, and we also define lcf0 = 0. We will use mod both as in rx = bx mod mx the remainder of a division and as in bx rx mod mx a congruence modulo mx. For x R, x is the smallest integer not smaller than x. A. General Remarks II. REMARKS We begin with a number of remarks on the Partial-Inverse Problem as stated in Section I. 1 The stated assumptions imply deg mx 1. For d = deg mx, the problem is solved by Λx = 1. Smaller values of d will normally require a polynomial Λx of higher degree. 3 In the special case where d = 1, we have the following solutions. If gcd bx, mx = 1, then bx has an inverse in F [x]/mx and Λx is that inverse up to a scale factor; otherwise, the solution is Λx = mx/ gcd bx, mx, which yields bxλx mod mx = 0. 4 The previous remark implies that the problem has a solution for any d 1. 5 We will see that the solution Λx of the problem is unique up to a scale factor Proposition in Section V and deg Λx deg mx d by 4 in Section VI. 6 In consequence of, coefficients b l of bx with and coefficients m l of mx with l < d deg mx 3 l < d deg mx + 1 4 are irrelevant for the solution Λx: these coefficients do not affect 1 since bxλx mod mx = bxλx qxmx 5

with deg qx < deg Λx deg mx d. Such irrelevant coefficients may be set to zero without affecting the solution Λx. B. Application to the Standard Key Equation The standard key equation for decoding Reed-Solomon codes [] [5], [13] is SxΛx Γx mod x n k, 6 where n and k are the blocklength and the dimension of the code, respectively, and where Sx is a given syndrome polynomial with deg Sx < n k. The desired solution is a pair Γx and Λx 0 such that deg Γx < deg Λx n k/. The problem of finding such a pair Γx and Λx translates into a Partial-Inverse Problem with bx = Sx, mx = x n k, and d = n k/. Because of, the resulting Λx deg Λx n k/, and we have Γx = SxΛx mod x n k. If the number of errors does not exceed n k/, the condition deg Γx < deg Λx will then be satisfied automatically. III. THE ALGORITHM The Partial-Inverse Problem as stated in Section I can be solved by the following algorithm. Proposed Algorithm: Input: bx, mx, and d as in the problem statement. Output: Λx as in the problem statement. 1 if deg bx < d begin return Λx := 1 3 end 4 Λ 1 x := 0, d 1 := deg mx, κ 1 := lcf mx 5 Λ x := 1, d := deg bx, κ := lcf bx 6 loop begin 7 Λ 1 x := κ Λ 1 x κ 1 x d1 d Λ x 8 d 1 := deg bxλ 1 x mod mx 9 if d 1 < d begin 10 return Λx := Λ 1 x 11 end 1 κ 1 := lcf bxλ 1 x mod mx 13 if d 1 < d begin 14 Λ 1 x, Λ x := Λ x, Λ 1 x 15 d 1, d := d, d 1 16 κ 1, κ := κ, κ 1 17 end 18 end Note that lines 14 16 simply swap Λ 1 x with Λ x, d 1 with d, and κ 1 with κ. The only actual computations are in lines 7 and 8. The correctness of this algorithm will be proved in Section VI. In particular, we will see that the value of d 1 is reduced in every execution of line 8. Note that lines 8 and 1 do not require the computation of the entire polynomial bxλ 1 x mod mx. Indeed, lines 8 1 can be replaced by the following loop: Equivalent Alternative to Lines 8 1: 31 repeat 3 d 1 := d 1 1 33 if d 1 < d begin 34 return Λx := Λ 1 x 35 end 36 κ 1 := coefficient of x d1 in bxλ 1 x mod mx 37 until κ 1 0 In the special case where mx = x ν, line 36 amounts to 41 κ 1 := b d1 Λ 1 0 + b d1 1Λ 1 1 +... + b d1 τ Λ 1 τ with τ = deg Λ 1 x and where b l = 0 for l < 0. In the other special case where mx = x n 1 as in 10 below, line 36 becomes 51 κ 1 := b d1 Λ 1 0 + b [d1 1]Λ 1 1 +... + b [d1 τ]λ 1 τ with b [l] = b l mod n. In both cases, the proposed algorithm looks very much like, and is as efficient as, the Berlekamp- Massey algorithm [6]. IV. DECODING REED-SOLOMON CODES VIA AN ALTERNATIVE KEY EQUATION Decoding Reed-Solomon codes up to half the minimum distance can be reduced rather directly to the Partial-Inverse Problem of Section I as follows. Let F be a finite field, let β 0,..., β n 1 be n different elements of F, let mx = n 1 l=0 x β l, let F [x]/mx be the ring of polynomials modulo mx, and let ψ be the evaluation mapping ψ : F [x]/mx F n : ax aβ 0,..., aβ n 1, 7 which is a ring isomorphism. A Reed-Solomon code with blocklength n and dimension k may be defined as {c = c 0,..., c n F n : deg ψ 1 c < k}, 8 usually with the additional condition that β l = α l for l = 0,..., n 1, 9 where α F is a primitive n-th root of unity. The condition 9 implies mx = x n 1 10 and turns ψ into a discrete Fourier transform [4]. However, 9 and 10 will not be required below. Let y = y 0,..., y n 1 F n be the received word, which we wish to decompose into y = c + e 11 where c C is a codeword and where the Hamming weight of e = e 0,..., e n 1 F n is as small as possible.

Let Cx = ψ 1 c, and analogously Ex = ψ 1 e and Y x = ψ 1 y. Clearly, we have deg Cx < k and deg Ex < deg mx = n. For any e F n, we define the error locator polynomial Λ e x = x β l. 1 l {0,..., n 1} e l 0 Clearly, deg Λ e x = w H e and ExΛ e x mod mx = 0. 13 Theorem 1 Alternative Key Equation. If w H e n k, then the error locator polynomial Λ e x deg Y xλ e x mod mx < n n k 14 Conversely, for any y and e F n and t R with w H e t n k, 15 if some nonzero Λx F [x] with deg Λx t deg Y xλx mod mx < n t, 16 then Λx is a multiple of Λ e x. The proof is not difficult, but omitted due to lack of space. We thus arrive at the following decoding procedure: 1 Compute Y x = ψ 1 y. Run the algorithm of Section III with bx = Y x and d = n+k. If w He n k, then the polynomial Λx returned by the algorithm equals Λ e x up to a scale factor. 3 Complete decoding by any standard method [4] or by means of Proposition 1 below. Note that in Step, because of 3, coefficients Y l of Y x with { k, if n k is even l < l min = 17 k + 1, if n k is odd are irrelevant for finding Λx and can be set to zero. The remaining coefficients Y l are syndromes since C l = 0 and Y l = E l for l l min. As mentioned, decoding can be completed by the following proposition: Proposition 1. If Λx is a nonzero multiple of Λ e x with deg Λx n k, then Cx = Y xλx mod mx Λx Proof: If Λx has the stated properties, then Y xλx mod mx 18 = CxΛx mod mx + ExΛx mod mx 19 = CxΛx, 0 where the second term in 19 vanishes because of 13. Note that computing the numerator of 18 may be viewed as continuing the algorithm of Section III line 36 with frozen Λ 1 x = Λx. V. KEY ELEMENTS OF THE PROOF We now turn to the proof of the algorithm proposed in Section III. In this section, we discuss some key elements of the proof; the actual proof will then be given in Section VI. The pivotal part of the algorithm is line 7, which is explained by the following simple lemma. The corresponding statement for the Berlekamp-Massey algorithm is the twowrongs-make-a-right lemma, so called by J. L. Massey. Lemma 1. Let mx be a polynomial over F with deg mx 1. For further polynomials bx, Λ 1 x, Λ x F [x], let r 1 x = bxλ 1 x mod mx, 1 r x = bxλ x mod mx, d 1 = deg r 1 x, κ 1 = lcf r 1 x, d = deg r x, κ = lcf r x, and assume d 1 d 0. Then Λx = κ Λ 1 x κ 1 x d1 d Λ x 3 deg bxλx mod mx < d 1. 4 Proof: From 3, we obtain rx = bxλx mod mx 5 = κ r 1 x κ 1 x d1 d r x 6 by the natural ring homomorphism F [x] F [x]/mx. It is then obvious from 6 that deg rx < deg r 1 x = d 1. A similar argument proves Proposition Uniqueness of Solution. The solution Λx of the Partial-Inverse Problem of Section I is unique up to a scale factor. Proof: Let Λ 1 x and Λ x be two solutions of the problem, which implies deg Λ 1 x = deg Λ x 0. Define r 1 x and r x as in 1 and and consider Λx = lcf Λ x Λ 1 x lcf Λ 1 x Λ x. 7 Then rx = bxλx mod mx 8 = lcf Λ x r 1 x lcf Λ 1 x r x, 9 which implies that Λx also 1. But 7 implies deg Λx < deg Λ 1 x, which is a contradiction unless Λx = 0. Thus Λx = 0, which means that Λ 1 x and Λ x are equal up to a scale factor. Definition Minimal Partial Inverse: For fixed nonzero bx and mx F [x] with deg bx < deg mx, a nonzero polynomial Λx F [x] is a minimal partial inverse of bx if deg bxλ 1 x mod mx deg bxλx mod mx 30 with Λ 1 x 0 implies deg Λ 1 x deg Λx.

The following lemma is the counterpart to Theorem 1 of [6]. Lemma Degree Change Lemma. For fixed nonzero bx and mx F [x] with deg bx < deg mx, let Λx be a minimal partial inverse of bx and let If rx = bxλx mod mx. 31 deg Λx deg mx deg rx, 3 then any nonzero polynomial Λ 1 x F [x] such that deg bxλ 1 x mod mx < deg rx 33 deg Λ 1 x deg mx deg rx. 34 The proof is given below. Corollary: Assume everything as in Lemma including 3 and 33. If 34 is satisfied with equality, then Λ 1 x is also a minimal partial inverse of bx. Proof of Lemma : Assume that Λ 1 x is a nonzero polynomial that 33, i.e., the degree of r 1 x = bxλ 1 x mod mx 35 deg r 1 x < deg rx. 36 Multiplying 31 by Λ 1 x and 35 by Λx yields Λ 1 xrx Λxr 1 x mod mx. 37 If we assume both 3 and contrary to 34 then 37 reduces to deg Λ 1 x < deg mx deg rx, 38 Λ 1 xrx = Λxr 1 x. 39 But then 36 implies deg Λ 1 x < deg Λx, which is impossible because Λx is a minimal partial inverse. Thus 3 and 38 cannot hold simultaneously. VI. PROOF OF THE PROPOSED ALGORITHM We now prove the correctness of the algorithm proposed in Section III. To this end, we restate the algorithm with added assertions as follows. Proposed Algorithm Restated: 1 if deg bx < d begin return Λx := 1 3 end 4 Λ 1 x := 0, d 1 := deg mx, κ 1 := lcf mx 5 Λ x := 1, d := deg bx, κ := lcf bx 6 loop begin Assertions: d 1 > d d A.1 deg Λ x = deg mx d 1 A. > deg Λ 1 x A.3 Λ x is a minimal partial inverse A.4 7 repeat 8 Λ 1 x := κ Λ 1 x κ 1 x d1 d Λ x Assertions: degbxλ 1 x mod mx < d 1 A.5 deg Λ 1 x = deg mx d A.6 > deg Λ x A.7 9 d 1 := deg bxλ 1 x mod mx 10 if d 1 < d begin Assertion: Λ 1 x is a min. partial inverse A.8 11 return Λx := Λ 1 x 1 end 13 κ 1 := lcf bxλ 1 x mod mx 14 until d 1 < d Assertion: Λ 1 x is a minimal partial inverse 15 Λ 1 x, Λ x := Λ x, Λ 1 x 16 d 1, d := d, d 1 17 κ 1, κ := κ, κ 1 18 end A.9 Note the added inner repeat loop lines 7 14, which does not change the algorithm but helps to state its proof. Throughout the algorithm except at the very beginning, before the first execution of lines 9 and 13, d 1, d, κ 1, and κ are defined as in Lemma 1, i.e., d 1 = deg r 1 x, κ 1 = lcf r 1 x, d = deg r x, and κ = lcf r x for r 1 x and r x as in 1 and. Assertions A.1 A.4 are easily verified, both from the initialization and from A.6, A.7, and A.9. As for A.5, after the very first execution of line 8, we still have d 1 = deg mx from line 4, which makes A.5 obvious. For all later executions of line 8, A.5 follows from Lemma 1. As for A.6 and A.7, we note that line 8 changes the degree of Λ 1 x as follows: Upon entering the repeat loop, line 8 increases the degree of Λ 1 to deg Λ x + d 1 d = deg mx d 40 > deg Λ x, 41 which follows from A.1 A.3. Subsequent executions of line 8 without leaving the repeat loop i.e., without executing lines 15 17 do not change the degree of Λ 1 x. This follows from the fact that d 1 is smaller than in the first execution while Λ x, d, and κ 0 remain unchanged.

Assertion A.9 follows from the Corollary to Lemma with Λx = Λ x and deg rx = d, which applies because d 1 < d and A.6. Because of A.1, the same argument applies also to A.8. Finally, A.1 and A.6 imply that the polynomial Λx returned by the algorithm deg Λx deg mx d. 4 VII. CONCLUSION We have proposed a new algorithm for decoding Reed- Solomon codes and polynomial remainder codes, and for computing inverses in F [x]/mx. In the special case where mx = x ν or mx = x n 1, the proposed algorithm almost coincides with the Berlekamp-Massey algorithm, except that it processes the syndrome in reverse order. APPENDIX: EXTENSION TO POLYNOMIAL REMAINDER CODES Polynomial remainder codes [7], [9] [11] are a class of codes that include Reed-Solomon codes as a special case. We briefly outline how decoding via the alternative key equation of Section IV generalizes to polynomial remainder codes, which can thus be decoded by the algorithm of Section III. Let m 0 x,..., m n 1 x F [x] be relatively prime and let mx = n 1 l=0 m lx. Let R m = F [x]/mx denote the ring of polynomials modulo mx and let R ml = F [x]/m l x. The mapping 7 is generalized to the ring isomorphism ψ : R m R m0... R mn 1 : ax ψa = ψ 0 a,..., ψ n 1 a 43 with ψ l a = ax mod m l x. Following [11], a polynomial remainder code may be defined as {c = c 0,..., c n 1 R m0... R mn 1 : deg ψ 1 c < K} 44 where k 1 K = deg m l x 45 l=0 for some fixed k, 0 < k < n. We also define n 1 N = deg mx = deg m l x. 46 l=0 As in Section IV, let y = c + e be the received word with c C, and let Cx = ψ 1 c, Ex = ψ 1 e, and Y x = ψ 1 y. Clearly, deg Cx < K and deg Ex < N. For such codes, the error locator polynomial Λ e x = m l x 47 l {0,..., n 1} e l 0 and the error factor polynomial [11] Λ f x = mx/ gcd Ex, mx 48 do not, in general, coincide. However, if all moduli m l x are irreducible, then Λ f x = Λ e x. We then have the following generalization of Theorem 1: Theorem. For given y and e with deg Λ f x t N K, assume that some nonzero polynomial Λx with deg Λx t deg Y xλx mod mx < N t. 49 Then Λx is a multiple of Λ f x. Conversely, Λx = Λ f x is a polynomial of the smallest degree that 49. It follows that the decoding procedure of Section IV works also for polynomial remainder codes, except that n, k, and Λ e x are replaced by N, K, and Λ f x, respectively. Moreover, Cx can still be recovered from Λx by means of 18 [11]. REFERENCES [1] I. S. Reed and G. Solomon, Polynominal codes over certain finite fields, J. SIAM, vol. 8, pp. 300 304, Oct. 196. [] E. R. Berlekamp, Algebraic Coding Theory. New York: McGraw-Hill, 1968. [3] Y. Sugiyama, M. Kasahara, S. Hirasawa, and T. Namekawa, A method for solving key equation for decoding Goppa codes, Information and Control, vol. 7, pp. 87 99, 1975. [4] R. E. Blahut, Algebraic Codes for Data Transmission. Cambridge University Press, Cambridge, UK, 003. [5] R. M. Roth, Introduction to Coding Theory. New York: Cambridge University Press, 006. [6] J. L. Massey, Shift-register synthesis and BCH decoding, IEEE Trans. Information Theory, vol. 15, pp. 1-17, May 1969. [7] A. Shiozaki, Decoding of redundant residue polynomial codes using Euclid s algorithm, IEEE Trans. Information Theory, vol. 34, pp. 1351 1354, Sep. 1988. [8] S. Gao, A new algorithm for decoding Reed-Solomon codes, in Communications, Information and Network Security, V. Bhargava, H. V. Poor, V. Tarokh, and S.Yoon, Eds. Norwell, MA: Kluwer, 003, vol. 71, pp. 55-68. [9] J. J. Stone, Multiple-burst error correction with the Chinese Remainder Theorem, J. SIAM, vol. 11, pp. 74 81, Mar. 1963. [10] J.-H. Yu and H.-A. Loeliger, On irreducible polynomial remainder codes, IEEE Int. Symp. on Information Theory, Saint Petersburg, Russia, July 31 Aug. 5, 011. [11] J.-H. Yu and H.-A. Loeliger, On polynomial remainder codes, http://arxiv.org/abs/101.181. [1] J. L. Dornstetter, On the equivalence between Berlekamps s and Euclids s algorithms, IEEE Trans. Information Theory, vol. 33, pp. 48-431, May 1987. [13] P. Fitzpatrick, On the key equation, IEEE Trans. Information Theory, vol. 41, pp. 190-130, Sep. 1995. [14] A. E. Heydtmann and J. M. Jensen, On the equivalence of the Berlekamp-Massey and Euclidean algorithms for decoding, IEEE Trans. Information Theory, vol. 46, pp. 614-64, Nov. 000.