Efficient Decoding of Reed–Solomon Codes Beyond Half the …zhcheng/efficient.pdf · 2009. 5. 25. · Efficient Decoding of Reed–Solomon Codes Beyond Half the Minimum Distance

246 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 1, JANUARY 2000

Theorem 5: GivenP (X1; X2; ~X1; X2) 2 P , there exist auxiliaryvariable ~X

12 ~X

1� ~X1, reproduction variableX

22 X

2� X2 and

joint distributionP (X1X2~X1X

2) 2 P such that

j ~X1j � jX1j + 4; jX

2j � jX2kX1j+ 4jX2j + 2

and

R ~X X= R ~X X

:

REFERENCES

[1] T. Berger,Rate Distortion Theory: A Mathematical Basis for Data Com-pression, ser. Series in Information and System Sciences. EnglewoodCliffs, NJ: Prentice-Hall, 1971.

[2] , “Multiterminal source coding,” inThe Information Theory Ap-proach to Communications. ser. CISM Courses and Lectures, G. Longo,Ed. Vienna/New York: Springer-Verlag, 1978, pp. 171–231.

[3] Y.-J. Chiu and T. Berger, “A software-only Videocodec using pixelwiseconditional differential replenishment and perceptual enhancements,”IEEE Trans. Circuits Syst. Video Technol., vol. 9, pp. 438–450, Apr.1996.

[4] T. M. Cover and J. A. Thomas,Elements of Information Theory. NewYork: Wiley, 1991.

[5] I. Csiszár and J. Körner,Information Theory Coding Theorems forDiscrete Memoryless Systems. Budapest, Hungary: Akadémiai Kiadó,1986.

[6] W. H. R. Equitz and T. M. Cover, “Successive refinement of informa-tion,” IEEE Trans. Inform. Theory, vol. 37, pp. 269–274, Mar. 1991.

[7] A. J. Goldman, “Resolution and separation theorems for polyhedralconvex sets,” inLinear Inequalities and Related Systems, H. W. Kuhnand A. W. Tucker, Eds. Princeton, NJ: Princeton Univ. Press, 1956.

[8] R. M. Gray, “A new class of lower bounds to information rates of sta-tionary sources via conditional rate-distortion functions,”IEEE Trans.Inform. Theory, vol. IT-19, pp. 480–489, July 1973.

[9] N. Jayant, J. Johnston, and R. Safrenk, “Signal compression based onmodels of human perception,”Proc. IEEE, vol. 81, pp. 1385–1421, Oct.1993.

[10] A. Netravali and B. Haskell,Digital Pictures. New York: Plenum,1998.

[11] Y. Oohama, “Gaussian multiterminal source coding,”IEEE Trans. In-form. Theory, vol. 43, pp. 1912–1923, Nov. 1997.

[12] , “The rate-distortion function for the quadratic Gaussian CEOproblem,” IEEE Trans. Inform. Theory, vol. 44, pp. 1057–1070, May1997.

[13] B. Rimoldi, “Successive refinement of information: Characterization ofachievable rates,”IEEE Trans. Inform. Theory, vol. 40, pp. 253–359,Jan. 1994.

[14] J. R. Roche, R. W. Yeung, and K. P. Hau, “Symmetric multilevel diver-sity coding,”IEEE Trans. Inform. Theory, vol. 43, pp. 1059–1064, May1997.

[15] A. D. Wyner, “The rate-distortion function for source coding with sideinformation at the decoder—II: General sources,”Inform. Contr., vol.38, no. 6, Nov. 1978.

[16] R. W. Yeung, “Multilevel diversity coding with distortion,”IEEE Trans.Inform. Theory, vol. 41, pp. 412–422, Mar. 1995.

Efficient Decoding of Reed–Solomon Codes Beyond Halfthe Minimum Distance

Ron M. Roth, Senior Member, IEEE,and Gitit Ruckenstein

Abstract—A list decoding algorithm is presented for [ ]Reed–Solomon (RS) codes over GF( ), which is capable of cor-recting more than ( ) 2 errors. Based on a previous work ofSudan, an extended key equation (EKE) is derived for RS codes, whichreduces to the classical key equation when the number of errors islimited to ( ) 2 . Generalizing Massey’s algorithm that findsthe shortest recurrence that generates a given sequence, an algorithm isobtained for solving the EKE in time complexity ( ( ) ), where

is a design parameter, typically a small constant, which is an upperbound on the size of the list of decoded codewords. (The case = 1corresponds to classical decoding of up to( ) 2 errors where thedecoding ends with at most one codeword.) This improves on the timecomplexity ( ) needed for solving the equations of Sudan’s algorithmby a naive Gaussian elimination. The polynomials found by solving theEKE are then used for reconstructing the codewords in time complexity(( log ) ( + log )) using root-finders of degree- univariate

polynomials.

Index Terms—Decoding, key equation, list decoding, polynomial inter-polation, Reed–Solomon codes.

I. INTRODUCTION

An [n; k] codeC over the finite fieldF = GF(q) is ak-dimensionallinear subspace ofFn. It is well known thatC can recover uniquely andcorrectly any pattern of� errors or less if and only if� � b(d�1)=2c,whered is the minimum Hamming distance between any two distinctelements (codewords) ofC. Most of the decoding algorithms for error-correcting codes indeed work under the assumption that the number oferrors is at mostb(d�1)=2c.

An [n; k] (generalized) Reed–Solomon (in short, RS) codeCRS overF is defined by

CRS = fc = (f(�1); f(�2); � � � ; f(�n)): f(x) 2 Fk[x]g (1)

where�1; �2; � � � ; �n aren < q prescribed distinct nonzero elementsin F , referred to ascode locators, andFk[x] stands for the set of allpolynomials of degree< k in the indeterminatex overF . RS codes areknown to be maximum-distance separable (MDS), i.e., their minimumHamming distance equalsn�k+1 [11, ch. 11].

Letv = (v1; v2; � � � ; vn) be the received word. Several efficient RSdecoding algorithms are known for correcting up to� = b(n�k)=2cerrors. The Berlekamp–Massey algorithm [2, Sec. 7.4], [12] and thealgorithm of Sugiyamaet al. [3, Ch. 7], [18] comprise the followingthree steps:

Manuscript received August 10, 1998; revised August 5, 1999. This workwas performed in part at Hewlett-Packard Laboratories, Palo Alto, CA, andHewlett-Packard Laboratories, Israel. This work was supported by the UnitedStates–Israel Binational Science Foundation (BSF), Jerusalem, Israel, underGrant 95-522. The material in this correspondence was presented in part atthe IEEE International Symposium on Information Theory, Cambridge, MA,August 16–21, 1998.

The authors are with the Computer Science Department, Technion—IsraelInstitute of Technology, Haifa 32000, Israel (e-mail: {ronny; gitit}@cs.tech-nion.ac.il).

Communicated by I. F. Blake, Associate Editor for Coding Theory.Publisher Item Identifier S 0018-9448(00)00031-6.

0018–9448/00$10.00 © 2000 IEEE

Authorized licensed use limited to: University of Ottawa. Downloaded on May 25, 2009 at 10:55 from IEEE Xplore. Restrictions apply.

IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 46, NO. 1, JANUARY 2000 247

Step D0: Computing syndrome elementsS0; S1; � � � ; Sn�k�1

from the received wordv. The syndrome elements arecommonly written in a form of a polynomial

S(x) =

n�k�1

i=0

Sixi:

Step D1: Solving thekey equation(in short, KE) of RS codes

�(x) � S(x) � (x) (mod xn�k)

for the error-locator polynomial�(x) of degree� �and for theerror-evaluator polynomial(x) of degree<�(� n�k��).

Step D2: Locating the errors (through computing the roots of�(x))and finding their values (from�(x) and(x)).

To specify the time complexity of algorithms, we count opera-tions of elements inF and use the notationh1(m) = O(h2(m))to mean that there exist positive constantsc and m0 such thath1(m) � c � h2(m) for all integersm � m0 [1, Ch. 1]. Based ontechniques presented in [1, Ch. 8], procedures for evaluating poly-nomials inFn[x] at n points in F , as well as interpolating suchpolynomials given their values atn points in F , can be carriedout in time complexityO(n log2 n).

Denote by[n] the set of integersf1; 2; � � � ; ng. The syndrome ele-ments in Step D0 are computed by

Si =

n

j=1

vj�j�ij (2)

where

��1j =

r2[n]nfjg

(�j � �r) (3)

(see Proposition 4.1 below). Using a result by Kaminskiet al. in [9],it can be shown that the time complexity of computing(2) is the sameas that of evaluating a polynomial inFn[x] at the code locators�j ,j 2 [n], and is, therefore,O(n log2 n).

Step D2 can be carried out through Chien search [4] and Forney’salgorithm (see [3]). Both algorithms involve evaluation of polynomialsat given points, implying that reconstructing the codewords in Step D2can be executed in time complexityO(n log2 n).

Writing

�(x) =

n�k��

s=0

�sxs

we obtain from the KE the following set of� homogeneous equationsin the coefficients of�(x)

n�k��

s=0

�s � Si�s = 0; n�k�� i < n�k (4)

where�0 = 1. Massey’s algorithm [12] solves these equations in timecomplexityO(�2), and acceleration methods reduce the complexity ofStep D1 toO((n�k) log2 (n�k)) [3].

Step D0 is commonly applied while the received word is read intothe decoder, and Step D2 is carried out while the correct codeword isflushed out. On the other hand, Step D1 is executed only after the wholereceived word has been read but before any output is generated; hence,minimizing the complexity of Step D1 means reducing thelatencyofthe decoder.

In a recent paper [17], Sudan presented a decoding algorithm for[n; k] RS codes of the form (1) that corrects more thanb(n�k)=2cerrors. In this case, the decoding might not be unique, so the decoder’stask is to find the list of codewords that differ from the received wordin no more than� locations. This task is referred to in the literature aslist decoding[5].

If Gaussian elimination is used as an equation solver in Sudan’s al-gorithm, then its time complexity isO(n3). The algorithm can be de-scribed as a method for interpolating the polynomialf(x) 2 Fk[x]through the set of pointsf(�j ; vj)g

nj=1, while taking into account that

some of the valuesvj may be erroneous. The interpolation is done bycomputing from the received wordv a nonzero bivariate polynomialQ(x; y) that vanishes at the pointsf(�j ; vj)g

nj=1 and then finding the

linear factors,y � g(x), of Q(x; y). The codewords to whichv is de-coded are computed from the polynomialsg(x) through re-encoding.

Viewing Sudan’s algorithm, it is intriguing to find its relationshipwith the classical RS decoding algorithms; specifically, can his algo-rithm be somehow regarded as an extension of the previously knownRS decoding algorithms? If so, can we reduce the time complexity ofthe counterpart of Step D1 in his algorithm from cubic inn to quadraticin n�k?

In this work, we provide positive answers to these questions. Weuse the algorithm in [17] as a basis for developing anextended keyequation(in short, EKE) which reduces to the (classical) KE when� =b(n�k)=2c. The EKE involves an integer parameter` which providesan upper bound on the number of codewords that can be at Hammingdistance� � from any received word; we refer to those codewords astheconsistent codewords. Specifically, the EKE takes the form

`

t=1

�(t)(x) � x(t�1)(k�1) � S(t)(x) � (x) (mod xn�k)

where S(1)(x); S(2)(x); � � � ; S(`)(x) are “syndrome polyno-mials” that can be computed from the received word and�(1)(x);�(2)(x); � � � ; �(`)(x), and(x) are polynomials that satisfy certaindegree constraints. These polynomials are then used to find theconsistent codewords as a final step. The KE is a special case of theEKE when` = 1.

To compute the polynomialsf�(t)(x)g`t=1, we first translate theEKE into a set of� homogeneous linear equations and then apply a gen-eralization of Massey’s algorithm that takes advantage of the specialstructure of the equations and solves them in time complexityO(`�2),which is quadratic inn�k assuming that is fixed (e.g., = 2).

In the last step of our decoding algorithm, which appears also inSudan’s algorithm, the codewords are reconstructed from the polyno-mials (�(t)(x))`t=1 through a procedure for finding linear factors ofbivariate polynomials. We show that these factors can be found in timecomplexityO((` log2 `)k(n+` log q)) using root finders of degree-`univariate polynomials. There are known general algorithms for fac-toring multivariate polynomials [19]; yet, those algorithms have rela-tively large complexity when applied to the particular application in thiscorrespondence. We also mention the recent work of Gao and Shokrol-lahi [7] where they study the (slightly different) problem of finding



linear factors of bivariate polynomialsQ(x; y) where the polynomialarithmetic is carried out modulo a power ofx (in which case more so-lutions may exist).

Note that increasing the number� of correctable errors by increasingthe number of consistent codewords in Sudan’s algorithm, as well asin ours, requires decreasing the maximum ratek=n of the RS codes towhich the algorithm is applied. For example, when` = 2 we will have� > (n�k)=2 only whenk � (n+1)=3. An improvement of Sudan’swork [17] has been recently reported by Guruswami and Sudan in [8],where the constraints on the rates have been relaxed.

This work is organized as follows. For the sake of completeness, wereview Sudan’s algorithm in Section II. In Section III, the EKE is de-rived, and then, in Section IV, we present an algorithm that solves theEKE for the polynomials(�(t)(x))`t=1. In Section V, we show how theconsistent codewords can be efficiently computed from those polyno-mials. Complexity analysis is given in Section VI and, finally, a sum-mary and examples are presented in Section VII.

II. SUDAN’S ALGORITHM

Given a prescribed upper bound` on the number of consistent code-words, Sudan’s algorithm corrects any error pattern of up to� errorsfor

� = n� (m+ 1)� `(k � 1) (5)

wherem is the smallest nonnegative integer satisfying

(m+ 1)(`+ 1) + (k � 1)`+ 1

2> n: (6)

We will further assume throughout this correspondence that`, k, andn satisfy the inequality

`+ (k � 1)`+ 1

2� n: (7)

Indeed, it can be verified that if (7) did not hold, then, for the samevalues ofk,n, and� , (5) and (6) would still be satisfied if we decreased` by 1 and chosem = k�1; this means that, for the givenk, n, and� ,we could assume a shorter list of consistent codewords. In particular,setting` = 2 in (7) impliesk � (n+1)=3. Note that from (6) and theminimality of m we obtain

(m+ 1)(`+ 1) + (k � 1)`+ 1

2� n+ `+ 1: (8)

If we now fix k, n, and`, then from (5) it follows that� will bemaximized if we choose the smallest possiblem that satisfies (6). For` = 1 (the classical case) we thus obtainm = d(n�k)=2e and� =n� k�m = b(n�k)=2c. For` = 2 we obtainm = d(n+1)=3e� k(assumingk � (n+1)=3, in conjunction with (7)) and

� = n+1� 2k �m = b2(n+1)=3c � k:

Define

Nt = n� � � t(k�1); t = 0; 1; � � � ; ` (9)

where by (5), (6), and (8), we have

� + 1 �

`

t=1

Nt � � + `+ 1: (10)

Sudan’s algorithm is based on the following two lemmas, taken from[17].

Lemma 2.1: Whenever(5) and(6) hold, there exists a nonzero bi-variate polynomialQ(x; y) overF that satisfies

Q(x; y) =

`

t=0

Q(t)(x)yt; degQ(t)(x) < Nt (11)

and

Q(�j ; vj) = 0; 8 j 2 [n]: (12)

Lemma 2.2: LetQ(x; y) be a nonzero bivariate polynomial overFsatisfying (11) and (12) and letf(x) 2 Fk[x] be such thatf(�j) = vjfor at leastn� � locators�j . ThenQ(x; f(x)) is identically zero.

Sudan’s algorithm consists of the following steps:

Input: received wordv = (v1; v2; � � � ; vn).Step S1:Find a nonzero bivariate polynomialQ(x; y) overF satis-

fying (11) and(12).Step S2:Output all the polynomialsg(x) 2 Fk[x] such that

• y � g(x) is a factor ofQ(x; y), and• g(�j) = vj for at leastn � � locators�j .

III. EXTENDED KEY EQUATION

In this section, we derive the EKE based on Sudan’s algorithm. Letv = (v1; v2; � � � ; vn) be the received word and letV (x) be the uniquepolynomial inFn[x] such thatV (�j) = vj for all j 2 [n]; the exis-tence and the uniqueness of the polynomialV (x) are implied by theLagrange interpolation theorem [10, Ch. 1].

Lemma 3.1: Let

Q(x; y) =

`

t=0

Q(t)(x)yt

be a bivariate polynomial that satisfies (11). ThenQ(x; y) satisfies(12) if and only if there exists a polynomialB(x) overF for which

`

t=0

Q(t)(x) � (V (x))t = B(x) �

n

j=1

(x� �j) (13)

where

degB(x) < `(n�k)� �: (14)

Proof: By the definition ofV (x), an equivalent condition to (12)is that the univariate polynomialQ(x; V (x)) vanishes at each of thecode locators�j , j 2 [n]. Alternatively, there is a polynomialB(x)overF satisfying (13). Now, by (9) and (11)

degQ(t)(x) � (V (x))t < n� � + t(n�k); t 2 [`]



implying that

degQ(x; V (x)) < n� � + `(n�k)

and thatB(x) must satisfy (14).LetQ(x; y) be a polynomial satisfying (11). We will introduce the

short-hand bivariate notation

Q�(x; y) =

`

t=1

Q(t)(x)yt:

Define the following polynomials obtained by reversing the order ofcoefficients inV (x), n

j=1(x� �j), and(Q(t)(x))`t=1, respectively:

V (x) =xn�1

V (x�1);

G(x) =

n

j=1

(1� �jx) (15)

�(t)(x) =xN �1

Q(t)(x�1); t 2 [`]:

Lemma 3.2: Let

Q�(x; y) =

`

t=1

Q(t)(x)yt

satisfy

degQ(t)(x) < Nt; t 2 [`]

(16)

and letV (x),G(x), and(�(t)(x))`t=1 be defined by (15). There existsa (unique) polynomialQ(0)(x) such that the bivariate polynomial

Q(x; y) = Q(0)(x) +Q

�(x; y)

satisfies (11) and (12) if and only if there exists a (unique) polynomialB(x) 2 F`(n�k)�� [x] such that

`

t=1

�(t)(x) � x(`�t)(n�k) � (V (x))t�B(x) �G(x) (mod x`(n�k)):

(17)

Proof: We start with the “only if” part. Suppose thatQ(0)(x) issuch thatQ(x; y) = Q(0)(x) + Q�(x; y) satisfies (11) and (12). ByLemma 3.1, there exists a (unique) polynomialB(x) satisfying (13)and (14). DefineB(x) to be the polynomial of degree< `(n�k)� �

obtained by reversing the order of coefficients inB(x), namely,

B(x) = x`(n�k)��1

B(x�1): (18)

Consider the (highest)(n�k) coefficients ofxi in both sides of(13) for i in the range

n� � � i < n� � + `(n�k):

Since

degQ(0)(x) < N0 = n� �

each of those coefficients in `

t=1 Q(t)(x)(V (x))t must be equal

to its counterpart in the right-hand side of (13). If we now reversethe order of coefficients in both sides of (13), then the coefficients

of 1; x; � � � ; x`(n�k)�1 should be identical in the resulting twopolynomials. Formally,

xn��+`(n�k)�1

�

`

t=1

Q(t)(x�1) � (V (x�1))t

� x`(n�k)��1

� B(x�1) �

n

j=1

(1� �jx) (mod x`(n�k)): (19)

Using the definitions (15) and (18), equation (19) becomes (17).As for the “if” part, suppose that(17) holds for B(x) 2

F`(n�k)�� [x]. Define B(x) to be the polynomial inF`(n�k)�� [x]that is obtained by reversing the order of coefficients inB(x). If wereverse each side of (17), we get two polynomials of degree less thann � � + `(n�k) that may differ only in their lowestn � � = N0

coefficients. In other words, there exists some (unique) polynomialQ(0)(x) 2 FN [x] such that

Q(0)(x) +

`

t=1

Q(t)(x)(V (x))t = B(x) �

n

j=1

(x� �j):

The bivariate polynomial

Q(x; y) = Q(0)(x) +Q

�(x; y)

thus satisfies (11) and (12), as required.

For t 2 [`], let

S(t)1(x) =

1

i=0

S(t)i x

i

be the formal power series which is defined by

(V (x))t

G(x)= x

(t�1)(n�1)� S

(t)1(x) + U

(t)(x) (20)

whereU (t)(x) 2 F(t�1)(n�1)[x]. Indeed, sinceG(0) = 1, (20) iswell-defined (see, for example, [10, Ch. 8]). Further, define the uni-variate syndrome polynomials

S(t)(x) =

n�2�t(k�1)

i=0

S(t)i x

i

and the bivariate syndrome polynomial

S(x; y) =

`

t=1

S(t)(x)yt:

Proposition 3.3: Let

Q�(x; y) =

`

t=1

Q(t)(x)yt

satisfy (16) and let (�(t)(x))`t=1 be defined by (15). Thereexists a (unique) polynomialQ(0)(x) such that Q(x; y) =Q(0)(x) + Q�(x; y) satisfies (11) and (12) if and only if there existsa (unique) polynomial(x) 2 Fn�k�� [x] that satisfies the EKE

`

t=1

�(t)(x) � x(t�1)(k�1) � S(t)(x) � (x) (mod xn�k): (21)

Proof: By Lemma 3.2, all we need to prove is that the EKE (21)is equivalent to (17). Substituting

(V (x))t = (x(t�1)(n�1) � S(t)1(x) + U

(t)(x)) �G(x)



into (17) and rearranging terms yields

`

t=1

�(t)(x) � x(`�t)(n�k)+(t�1)(n�1) � S(t)1 (x) �G(x)

� ~V (x) �G(x) (mod x`(n�k)) (22)

where

~V (x) = B(x)�

`

t=1

�(t)(x) � x(`�t)(n�k) � U (t)(x):

Now,

(`�t)(n�k) + (t�1)(n�1) = (`�1)(n�k) + (t�1)(k�1)

and

deg�(t)(x) � x(`�t)(n�k) � U (t)(x)

< Nt + (`�t)(n�k) + (t�1)(n�1)� 1 = `(n�k)� �:

Hence,deg ~V (x)<`(n�k)�� if and only if degB(x)<`(n�k)��:Since the polynomialsG(x) andx`(n�k) are relatively prime, we canrewrite (22) as

`

t=1

�(t)(x) � x(`�1)(n�k)+(t�1)(k�1) � S(t)1 (x) � ~V (x)

(mod x`(n�k)): (23)

The left-hand side of (23) is divisible byx(`�1)(n�k) and, therefore,so must~V (x). Letting(x) = ~V (x)=x(`�1)(n�k), we get

`

t=1

�(t)(x) � x(t�1)(k�1) � S(t)(x) � (x) (mod xn�k) (24)

where we have replacedS(t)1 (x) by S(t)(x), since the coefficients of

S(t)1 (x) that actually appear in (23) are those that correspond to the

powersxi for 0 � i < n � 1� t(k�1). Observe that

deg(x) = deg ~V (x)� (`�1)(n�k)

so we indeed have

deg(x) < n�k��

if and only if degB(x) < `(n�k)� � .

IV. SOLVING THE EKE

In view of the analysis presented in Section III, Step S1 in Sudan’salgorithm splits into two steps, which may be denoted by D0 and D1,similarly to their counterparts in the classical decoding scheme. In StepD0, the bivariate syndrome polynomialS(x; y) = `

t=1 S(t)(x)yt

is computed, and in Step D1, the bivariate polynomialQ(x; y) =`

t=0 Q(t)(x)yt is found by solving the EKE. The following propo-

sition shows that the syndrome elements can be computed in Step D0using a formula which is a generalization of (2).

Proposition 4.1: Let �1; �2; � � � ; �n be as in(3) andS(t)1 (x) =

1i=0 S

(t)i xi as in (20). Then

S(t)i =

n

j=1

vtj�j�ij ; t 2 [`]; i � 0: (25)

Proof: For eacht 2 [`], let V(t)(x) 2 Fn[x] and ~U (t)(x) 2

F(t�1)(n�1)[x] be the unique polynomials that satisfy

(V (x))t = ~U (t)(x)G(x) + V(t)(x): (26)

Since

V(t)(��1

j ) = (V (��1j ))t = vj�

�(n�1)j

t

we can expressV(t)(x) as an interpolation polynomial by

V(t)(x) =

n

j=1

vtj�(1�t)(n�1)j �j

r2[n]nfjg

(1� �rx):

This, in turn, implies

V(t)(x)

G(x)=

n

j=1

vtj�j�(1�t)(n�1)j

1� �jx

=

1

i=(1�t)(n�1)

n

j=1

vtj�j�ijx

i+(t�1)(n�1): (27)

Combining (20), (26), and (27) we obtain

x(t�1)(n�1) � S(t)1 (x)

=(V (x))t

G(x)� U (t)(x) =

V(t)(x)

G(x)� U (t)(x) + ~U (t)(x)

= x(t�1)(n�1) �

1

i=(1�t)(n�1)

n

j=1

vtj�j�ijx

i � U (t)(x) + ~U (t)(x)

that is,

S(t)1 (x) =

1

i=0

S(t)i xi =

1

i=0

n

j=1

vtj�j�ijx

i:

Writing �(t)(x) = N �1s=0 �

(t)s xs and

Q(t)(x) =

N �1

s=0

Q(t)s xs =

N �1

s=0

�(t)s xN �1�s

from (21) we obtain

`

t=1

N �1

s=0

�(t)s � S

(t)(1�t)(k�1)+i�s

= 0; n�k�� i < n� k

(28)

(compare with (4)), or

`

t=1

N �1

s=0

Q(t)s � S

(t)i+s = 0; 0 � i < �: (29)

For two bivariate polynomials

a(x) =s; t

as; txsyt

and

b(x) =s; t

bs; txsyt

we define the inner productha(x; y); b(x; y)i bys; t

as; tbs; t.Using this notation, (29) takes the following short-hand form:

hx�Q�(x; y); S(x; y)i = 0; 0 � � < �: (30)

The number of linear equations expressed by (30) (or (29)) is� ,which is the maximum number of errors that we attempt to correct, andby (10) it is smaller than the number of unknowns in those equations.Comparing (30) to the set of linear equations derived directly from(11) and (12), we conclude that both the number of equations and thenumber of unknowns have been reduced byn � � .



Fig. 1. Algorithm for solving (30).

The algorithm in Fig. 1 solves (30) for the coefficients of

Q�(x; y) =

`

t=1

Q(t)(x)yt

under the degree constraints (16) assuming that the syndrome poly-nomialS(x; y) is given. Equivalently, this algorithm is a method forsolving the EKE (21).

Our algorithm and its analysis are based on the approach of Massey[12] and Sakata [16], as presented in [15]. Even though our algorithmbears similarity to Sakata’s algorithm—and both Sakata’s algorithmand ours generalize Massey’s algorithm—the two generalizations arenot the same. Our proof of the algorithm in Fig. 1 is based on that ofan algorithm by Feng and Tzeng in [6].

Let � denote the (total) order defined in [15] over the set of pairsf(i; t)ji 2 IN; t 2 [`]g; that is,

(i; t) � (i0; t0) if and only ifi+ t(k�1) < i0 + t0(k�1)

or(i+ t(k�1) = i0 + t0(k�1) and t < t0)

:

The notation(i; t) � (i0; t0) means that either(i; t) = (i0; t0) or(i; t) � (i0; t0), andsucc�(i; t) is the pair that immediately follows

(i; t) with respect to the order defined by�. For a nonzero bivariatepolynomialT (x; y) = `

t=1 iT(t)i xiyt we definelead(T (x; y))

as the maximal pair(�; �), with respect to�, for whichT (�)� 6= 0 and

denoteleadx(T (x; y)) = � andleady(T (x; y)) = � (lead(0) isdefined to be(�1; �1)).

The algorithm in Fig. 1 scans the syndrome elementsS(�)�

in the order defined by� on (�; �), and maintains up to bi-variate polynomials T1(x; y); T2(x; y); � � � ; T`(x; y), whereleady(T�(x; y)) = �. An invariant of the algorithm is thathx� � T�(x; y); S(x; y)i = 0 for 0 � �0 < �. Lines 6 and 11 updateT�(x; y) so that it generates the syndrome elementS

(�)� as well. Note,

however, that in our algorithm, unlike in Sakata’s,T�(x; y) is notrequired to generate syndrome elementsS

(�)� for � 6= �. The update

of T�(x; y) in line 6 does not change the value oflead(T�(x; y)),whereas in line 11,lead(T�(x; y)) grows (with respect to�), andthe value ofT�(x; y) right before the update is stored as a polynomialnamedR(x; y). Unlike Sakata’s algorithm (but similarly to Massey’salgorithm), only one stored polynomialR(x; y) is needed in everystage of our algorithm in order to update any of the polynomialsT1(x; y); T2(x; y); � � � ; T`(x; y).

Basing on Lemma 2.1 and on the analysis in the current and previoussections, the validity of the algorithm in Fig. 1 is implied by Proposition



Fig. 2. Recursive procedure for finding a superset of the consistent polynomials.

4.2 below, the proof of which can be found in the Appendix. Note thatfor the purpose of solving (30), any one of the polynomials returned bythe algorithm will suffice.

Proposition 4.2: For everys 2 [`], if there exists some nonzeropolynomialQ�(x; y) with leadx(Q

�(x; y)) = s that satisfies (16)and (30), then the algorithm in Fig. 1 returns such a polynomial with aminimal value (with respect to�) of lead(Q�(x; y)).

To complete Step D1, we need to compute the polynomialQ(0)(x)for whichQ(0)(x)+Q�(x; y) = Q(x; y) satisfies(11)and (12) (seeProposition 3.3). Since

Q(0)(�j) = �Q�(�j ; vj) = �

`

t=1

Q(t)(�j)vtj ; j 2 [n] (31)

the polynomialQ(0)(x) can be obtained by interpolation once we com-pute the right-hand side of (31) forN0 = n � � pairs(�j ; vj).

V. RECONSTRUCTING THECODEWORDS

In this section, we present an efficient implementation of Step S2 inSudan’s algorithm given that the polynomial

Q(x; y) =

`

t=0

Q(t)(x)yt

is known. Specifically, our goal is to compute all theconsistent polyno-mialsf(x) 2 Fk[x] for which the vector(f(�1); f(�2); � � � ; f(�n))is at Hamming distance� � from the received wordv. Step S2 inSudan’s algorithm applies Lemma 2.2 and looks for all the polynomialsg(x) 2 Fk[x] such thatQ(x; g(x)) is identically zero; the polynomialsg(x) will be referred to as they-rootsof Q(x; y) over the polynomialringF [x]. They-degreeofQ(x; y) is the degree ofQ(x; y) as a poly-nomial iny overF [x].

The recursive procedureReconstructin Fig. 2 computes a set ofup to ` polynomials inFk[x] that contains as a subset all they-rootsof Q(x; y); as such, this set also contains all the consistent polyno-mials. The procedureReconstructis initially called with parameters(Q; k; 0), where

Q = Q(x; y) =

`

t=0

Q(t)(x)yt

is a nonzero bivariate polynomial withy-degree� `, e.g., a polyno-mial that satisfies (11). The validity ofReconstruct, as established inProposition 5.2 below, is based on the following lemma, which showsthat the coefficients of ay-root g(x) of Q(x; y) can all be calculatedrecursively as roots of univariate polynomials.

Lemma 5.1: Let

g(x) =s�0

gsxs

be ay-root of a nonzero bivariate polynomialQ(x; y) over F . Fori � 0, let

i(x) =s�i

gsxs�i

and letQi(x; y) andMi(x; y) be defined inductively byQ0(x; y) =Q(x; y)

Mi(x; y) =x�r Qi(x; y)

and

Qi+1(x; y) =Mi(x; xy + gi); i � 0;

whereri is the largest integer such thatxr dividesQi(x; y). Then,for everyi � 0

Qi(x; i(x)) = 0 and Mi(0; gi) = 0

while Mi(0; y) 6= 0.Proof: First observe that they-degrees of the polynomials

Qi(x; y) are the same for alli and, so,Qi(x; y) 6= 0 and riis well-defined. Also, sincex does not divideMi(x; y) thenMi(0; y) 6= 0. Next, we prove thatQi(x; i(x)) = 0 by inductionon i, where the induction basei = 0 is obvious. As for the inductionstep, if i(x) is ay-root ofQi(x; y), then i+1(x) = ( i(x)�gi)=xis ay-root ofQi(x; xy + gi) and hence of

Qi+1(x; y) =Mi(x; xy + gi) = x�r Qi(x; xy + gi):

Finally, by substitutingx = 0 in

Mi(x; i(x)) = x�r Qi(x; i(x)) = 0

we obtainMi(0; gi) =Mi(0; i(0)) = 0.



Fig. 3. Summary of the decoding algorithm.

Proposition 5.2: Let Q(x; y) be a nonzero bivariate polynomial.Every y-root in Fk[x] of Q(x; y) is found by the callRecon-struct(Q; k; 0).

Proof: Using the notations of Lemma 5.1, there is a recursiondescend inReconstructwhere recursion leveli is called with the pa-rameters(Qi; k; i) and�[i] is set togi.

We show in Proposition 6.4 below thatReconstructoutputs at most` polynomials. To complete the decoding, each of those polynomials isevaluated at the code locators, producing up to` different codewordsfrom which we select the consistent codewords as those that are atHamming distance� � from the received wordv. Our decoding al-gorithm for the RS codeCRS defined by (1) is summarized in Fig. 3.

VI. COMPLEXITY ANALYSIS

We now present a complexity analysis of the algorithm shown inFig. 3. The time complexity of Step D0, in which all the coefficients ofthe bivariate syndrome polynomialS(x; y) are computed by (25) is atmost` times the complexity of computing the syndrome in the classicalcase using (2), namely,O(`n log2 n) (see the discussion in Section I).

The time and space complexities of the algorithm in Fig. 1, whichsolves (30) in Step D1, are given in Proposition 6.1 below. Throughoutthe proof of the proposition, an iteration of the algorithm in Fig. 1 inwhich the variable� takes the values will be called aniteration of types. If in additions 2 L, the iteration will be callednontrivial.

Proposition 6.1: The time complexity of the algorithm in Fig. 1 isO(`�2) and its space complexity isO(`�).

Proof: In every nontrivial iteration of the algorithm of Fig. 1, themost time-consuming steps are the computations of� in line 4 andthe polynomial updates in lines 6 and 11. The time complexity of allthese computations is linear in the number of nonzero coefficients ofthe respective polynomialTs(x; y). The check in line 10 guaranteesthatlead(Ts(x; y)) � (Ns; s) and, so, the number of nonzero coef-ficients inTs(x; y) never exceeds `

t=1Nt. By (10), the number of

coefficients inTs(x; y), as well as the time complexity of every com-putation in lines 4, 6, and 11, isO(�).

As shown in the proof of Lemma A.2 in the Appendix, the number ofnontrivial iterations of types is smaller thanNs + � for everys 2 [`].The overall number of nontrivial iterations of all types throughout theexecution of the algorithm can therefore be bounded from above by

`� +

`

s=1

Ns = O(`�)

where the equality follows from (10). The time complexity of the wholealgorithm is thusO(`�2).

As for the space complexity, most of the memory is allocated for the`+1 polynomials(Ts(x; y))

`s=1 andR(x; y), where for each of them

we allocate

`

t=1

Nt = O(�)

coefficients overF .

Next we turn to the time complexity of computing the polynomialQ(0)(x) using (31). Note that

degQ(t)(x) � degQ(0)(x) < N0

for everyt 2 [`] and that by (8)

N0 �2(n+ `+ 1)

`+ 1: (32)

Hence, for everyt 2 [`], we can evaluateQ(t)(x) atn� � locators�j

in time complexityO((n=`) log2 n). So, the right-hand side of (31)



can be evaluated forn � � pairs(�j ; vj) in timeO(n log2 n); thiswill also be the time complexity of interpolatingQ(0)(x) out of thosecomputed values.

The remainder of this section is devoted to proving Proposition6.6 below in which the time and space complexities of the recursiveprocedureReconstructin Fig. 2 are established. In each of the recur-sion levelsi of Reconstruct, we find roots of nonzero polynomialsM(0; y) = Mi(0; y) with degree at most. It may seem at first thatthe number of root extractions could grow exponentially. However,Lemma 6.2 below shows that having more than one root ofMi(0; y)in a given recursion level is compensated by having a multiple root inthe respective polynomialMi�1(0; y) in the previous recursion level.

Lemma 6.2: Let

M1(x; y) =

`

t=0

M (t)(x)yt

be a nonzero bivariate polynomial overF and let 2 F be ay-root ofmultiplicity h of M1(0; y). Define

M2(x; y) = x�rM1(x; xy + )

where r is the largest integer for whichxrjM1(x; xy + ). ThendegM2(0; y) � h.

Proof: Similarly to the notations in Fig. 2, we denote

M(x; y) =

`

t=0

M (t)(x)yt = M1(x; y + )

and

~M(x; y) =

`

t=0

~M (t)(x)yt = M1(x; xy + ):

Since is a root of multiplicityh of M1(0; y), theny = 0 is aroot of multiplicity h of M(0; y). ThusM (t)(0) = 0 for 0 � t < handM (h)(0) 6= 0; equivalently,x dividesM (t)(x) for 0 � t < hbut it does not divideM (h)(x). Noting that ~M (t)(x) = M (t)(x)xt itfollows thatx divides ~M(x; y) butxh+1 does not.

The largest integerr such thatxr divides ~M(x; y) thus satisfies1 � r � h. Now,

M2(x; y) =~M(x; y)

xr

=

r

t=0

M (t)(x)xt

xryt +

`

t=r+1

M (t)(x)xt�ryt:

Substitutingx = 0 in M2(x; y) yields a univariate polynomialM2(0; y) of degree� r � h.

Corollary 6.3: Consider the special case where the very first execu-tion of Step R2 inReconstructresults in a polynomialM(x; y) suchthat all the roots inF ofM(0; y) are simple. Then the polynomials ob-tained in Step R3 throughout all the subsequent recursive calls have de-gree at most1, meaning that their roots can be found simply by solvinglinear equations overF .

As for the general case, we have the following upper bounds.

Proposition 6.4: Suppose thatReconstructis initially called withthe parameters(Q; k; 0), where

Q = Q(x; y) =

`

t=0

Q(t)(x)yt

is a nonzero bivariate polynomial. Then the number of output polyno-mials produced byReconstructis at most and the overall number ofrecursive calls made toReconstruct(in Step R9) is at most(k�1).

Proof: For 0 � s < k, denote by!s thesumof the degrees ofall the polynomialsM(0; y) that Step R3 is applied to wheni equalss.Whens = 0, the degree ofM(0; y) = M0(0; y) is at most , and byLemma 6.2 we have!s � !s�1 for everys 2 [k�1]. It can, therefore,be proved by induction ons that !s � `. As a result,Reconstructgenerates at most!k�1 � ` outputs, and the number of executions ofStep R9 is k�2

s=0 !s � `(k�1).

Lemma 6.5: Assume a call toReconstructas in Proposition 6.4, andfurther assume thatQ(x; y) satisfies (11). Then they-degree of eachof the bivariate polynomials computed in any of the recursion levels isat most , and itsx-degree is at mostm+ `(k�1) = O(n=`).

Proof: It is easy to see that Steps R2, R7, and R8 never increasethey-degree. As for thex-degree, letMi(x; y) be a polynomial com-puted in Step R2 in recursion leveli and write

Mi(x) =

`

t=0

M(t)i (x)yt:

The degree ofM (t)i (x) can increase withi only as a result of Step R8,

and it is easy to check by induction oni that

degM(t)i (x) < Nt + ti = N0 � t(k�1�i)

for every0 � i < k. So,

degM(t)i (x) < N0 � 2(n+ `+ 1)=(`+ 1)

(see (32)).

Proposition 6.6: Assume a call toReconstructas in Proposition 6.4,whereQ(x; y) satisfies (11). The time complexity of such an applica-tion to its full recursion depth isO((` log2 `)k(n+ ` log q)), and itcan be implemented using space of overall sizeO(n).

Proof: Each execution of Step R1, R2, or R8 has time complexitywhich is proportional to the number of coefficients in the polynomialsinvolved in that step. By Lemma 6.5, this number isO(n). By Propo-sition 6.4, each of those steps is executed at most`k times throughoutthe recursion levels. Therefore, the contribution of Steps R1, R2, andR8 to the overall complexity ofReconstructisO(`kn).

By Proposition 6.4, the sum of the degrees of all the polynomialsM(0; y) that Step R3 is applied to at theith recursion level is at most`. The roots inF = GF(q) of a polynomial of degreeu can be foundin expected time complexityO((u2 log2 u) log q) [10, Ch. 4], [14];also recall that there are known efficient deterministic algorithms forroot extraction when the characteristic ofF is small [2, Ch. 10], and



root extraction is particularly simple when= 2 [11, pp. 277-278].Therefore, for any0 � i < k, the executions of Step R3 at recursionlevel i have accumulated time complexityO((`2 log2 `) log q), andthe contribution of Step R3 to the overall complexity ofReconstructisO((`2 log2 `)k log q).

Let M(x; y) be the polynomial that Step R7 is applied to at someiteration leveli. Writing M(x; y) as a polynomial inx, we get

M(x; y) =

N �1

s=0

M [s](y)xs:

If `s is the smallest integert such thatNt + ti � s, then it is easy tocheck thatdegM [s](y) < `s for every0 � s < N0. The computedpolynomialM(x; y) in Step R7 can be written as

M(x; y) =

N �1

s=0

M [s](y)xs = M(x; y + )

=

N �1

s=0

M [s](y + )xs

and, so, we can compute each polynomialM [s](y) by interpolatingthe valuesM [s](� + ) at `s distinct points� 2 F . Therefore, eachpolynomialM [s](y) can be found in time complexityO(`s log2 `s).We now observe thats � ` and that

N �1

s=0

`s =

`

t=0

(Nt + ti) � (`+ 1)N0 � 2(n+ `+ 1)

the latter inequality following from (32). Hence, each execution of StepR7 has time complexityO(n log2 `), and the contribution of Step R7to the overall complexity ofReconstructis thereforeO(kn` log2 `).

Summing up the contributions of the steps ofReconstruct, the timecomplexity of an application ofReconstructto its full recursion depthis O((` log2 `)k(n + ` log q)). As for the space complexity, noticethat the input parameterQ(x; y) can be recomputed fromr, , and theparameter~M(x; y) to the next recursion level. So, instead of keepingthe polynomials in each recursion level, we can recompute them aftereach execution of Step R9. Therefore,Reconstructcan be implementedusing space of overall sizeO(n).

Finally, we point out that the time complexity of computing theconsistent codewords out of the output polynomials ofReconstructis O(`n log2 n), as the re-encoding involves the evaluation of thosepolynomials at the code locators.

VII. SUMMARY

The three main decoding steps in our algorithm, as it appears inFig. 3, are denoted D0, D1, and D2, to point out their relationship withthe classical decoding algorithms as outlined in Section I. Steps D0 andD1 replace Step S1 in Sudan’s algorithm that finds the bivariate poly-nomialQ(x; y).

As shown in Section VI, the time complexity of Step D0 isO(`n log2 n) and the time complexity of Step D1 isO(`�2).Compared to classical decoding, those figures are larger by a factorof `. Step D2, which is presented in Section V, is an efficient ap-plication of Step S2 in Sudan’s algorithm and has time complexityO((` log2 `)k(n + ` log q)).

In cases where the particular use of the decoding algorithmdoes not dictate an upper bound on`, we can select the valueof ` that maximizes (5) subject to (6). By (7) we will thus have` = O( n=k). For this value of , the time complexities of Steps

D0, D1, and D2 areO(n3=2k�1=2 log2 n), O((n�k)2 n=k), andO((

pnk + log q)n log2 (n=k)), respectively.

The next example is provided to illustrate the various decoding steps;the parameters were selected to be small enough so that the computa-tion can be more easily verified by the reader.

Example 7.1: Let F = GF(19), n = 18, andk = 2. When maxi-mizing (5) we get� = 12 for ` = 4 andm = 1. We select�j = j andobtain from (3) that�j = ��j .

Suppose we encode the polynomialf(x) = 18+14x by (1) and getthe following transmitted codeword, error vector, and received word:

c =(13; 8; 3; 17; 12; 7; 2; 16; 11; 6; 1; 15; 10; 5; 0; 14; 9; 4)

e =(11; 16; 17; 12; 17; 0; 0; 2; 14; 0; 0; 0; 3; 0; 14; 8; 11; 15)

v =(5; 5; 1; 10; 10; 7; 2; 18; 6; 6; 1; 15; 13; 5; 14; 3; 1; 0):

The computation of the syndrome elements in Step D0 results in thefollowing coefficients of the polynomials

S(t)(x) =

�+N �2

i=0

S(t)i xi

4

t=1

:

S(1)(x): (13; 14; 5; 11; 3; 4; 10; 14; 13; 14; 11; 14; 17; 4; 0; 2)

S(2)(x): (4; 8; 14; 18; 9; 18; 5; 13; 11; 6; 8; 8; 16; 0; 12)

S(3)(x): (3; 12; 5; 7; 10; 18; 4; 14; 0; 14; 18; 11; 16; 3)

S(4)(x): (14; 13; 0; 13; 10; 1; 9; 3; 7; 8; 11; 0; 7):

Step D1 yields the following polynomialsQ(t)(x):

Q(0)(x) = 4 + 12x+ 5x2 + 11x3 + 8x4 + 13x5

Q(1)(x) = 14 + 14x+ 9x2 + 16x3 + 8x4

Q(2)(x) = 14 + 13x+ x2

Q(3)(x) = 2 + 11x+ x2

Q(4)(x) = 17

where

Q�(x; y) =

4

t=1

Q(t)(x)yt

is the first polynomial returned by the algorithm in Fig. 1 andQ(0)(x)is computed by (31).

When applyingReconstructin Step D2 to

Q(x; y) =

4

t=0

Q(t)(x)yt

we obtain the following four different solutionsg(x) for f(x):

18 + 14x 18 + 15x 14 + 16x 8 + 8x:

The first two solutions share the same constant coefficient,18, whichis a multiple root of the polynomial

M(0; y) = Q(0; y) = 4 + 14y + 14y2 + 2y3 + 17y4

at recursion leveli = 0. The first solution forf(x) corresponds to thecorrect codeword. The second solution is not even ay-root ofQ(x; y)(yet, as commented by one of the reviewers, it is a prefix of they-root18 + 15x+ 10x2). The third solution is ay-root ofQ(x; y) but not aconsistent polynomial (the respective codeword has Hamming distance15 from v). And the fourth solution is a consistent polynomial but doesnot correspond to the correct codeword.

In this example, the algorithm in Fig. 1 yields a second polynomialQ(x; y) which is given by

Q(0)(x) = 8 + 12x2 + 9x3 + 8x4

Q(1)(x) = 5 + 14x+ 7x2 + 15x3 + 4x4

Q(2)(x) = 12 + 12x+ 15x2 + 4x3



Q(3)(x) = 9 + 10x+ 14x2

Q(4)(x) = 13 + x

and the respective output ofReconstructis

18 + 14x 13 + 9x 10 + x 8 + 8x

with only the first and fourth polynomials beingy-roots ofQ(x; y) (aswell as being consistent polynomials); the remaining irreducible factorof Q(x; y) is (13+x)y2+(5+18x+17x2)y+(18+6x+15x2).

In the example above, the common factors of the two solutions forQ(x; y) correspond to the two (and all) consistent polynomials. How-ever, there are examples where the commony-roots inFk[x] of all thepolynomialsQ(x; y) generated in Fig. 1 contain—in addition to theconsistent polynomials—also inconsistent ones.

Note that the connection between the error vectore and the polyno-mials that appear in the EKE seems to be less obvious than in the clas-sical case; recall that when= 1, e can be obtained from�(x) and(x) through Chien search [4] and Forney’s algorithm [3]. It wouldbe interesting to find such an intimate relationship betweene and thepolynomials that appear in the EKE also when` > 1.

Sudan’s algorithms, as well as the decoding algorithm in Fig. 3, cancorrect more than(n�k)=2 errors only whenk � (n+1)=3. Clearly,in many (if not most) practical applications, higher code rates are used.Therefore, it would be interesting to investigate whether the EKE pre-sented in this correspondence and the algorithm in Section IV can begeneralized to higher rates. In particular, connecting the results of thiswork with the improvements presented in [8], might be possible ( re-cently, Nielsen and Høholdt have been working independently on a dif-ferent approach to accelerate [8]; see [13]).

APPENDIX

We present here the proof of Proposition 4.2, which makes use ofLemmas A.1 and A.2 below. We omit the proof of Lemma A.1 as it issimilar to proofs already contained in [12], [15], and [16].

Lemma A.1: Let

S(x; y) =

`

t=1

S(t)(x)yt

T (x; y) =

`

t=1

T (t)(x)yt

and

R(x; y) =

`

t=1

R(t)(x)yt

be bivariate polynomials, let� and� be elements ofF , and letr and� be nonnegative integers such that

lead(xr �R(x; y)) � lead(x� � T (x; y))

as well as

hxa � T (x; y); S(x; y)i =0; 0 � a < �

and

hx� � T (x; y); S(x; y)i =�;

hxa �R(x; y); S(x; y)i =0; 0 � a < r

and

hxr �R(x; y); S(x; y)i = �:

a) Suppose that� � r and define

A(x; y) = T (x; y)� (�=�) � xr�� R(x; y):

Then

1) hxa � A(x; y); S(x; y)i = 0; 0 � a � �;2) lead(A(x; y)) = lead(T (x; y)); and3) lead(xr � R(x; y)) � lead(x�+1 � A(x; y)).

b) Suppose that� > r and define

A(x; y) = x��r � T (x; y)� (�=�) � R(x; y):

Then

1) hxa � A(x; y); S(x; y)i = 0, 0 � a � r;2) lead(A(x; y)) = lead(x��r � T (x; y)); and3) lead(x� � T (x; y)) � lead(xr+1 � A(x; y)).

As in Section VI, we use the termiteration of types to mean aniteration of the algorithm in Fig. 1 in which the variable� takes thevalues. Such an iteration isnontrivial if s 2 L.

Lemma A.2: The algorithm in Fig. 1 terminates, and each of itsoutput polynomials, if there exist any, may serve as a polynomialQ�(x; y) that satisfies (30) under the constraint (16).

Proof: By the conditions in lines 7 and 10, the number of non-trivial iterations of types throughout an execution of the algorithm isalways smaller thanNs+� . The setL thus always becomes empty andthe algorithm terminates. Now, if a polynomial

Ts(x; y) =

`

t=0

T (t)s (x)yt

is returned as output in line 8, then, by Lemma A.1 and the condition inline 7, it may serve asQ�(x; y) in (30). By the condition in line 10 wehavelead(Ts(x; y)) � (Ns; s), and from the definition of the order� we get thatdegT (t)

s (x) < Nt for everyt 2 [`]. The polynomialTs(x; y) thus satisfies the degree constraint (16).

Proof of Proposition 4.2:We reformulate the requirements ofProposition 4.2 through the� � `

t=1Nt matrixS defined as follows.The columns ofS are indexed by ordered pairs(�; �), where� 2 [`]and0 � � < N� , and are ordered from left to right with respect to theorder� on their indexes. A column inS indexed by(�; �) is called acolumn of type� and is given by

S(�; �) = (S(�)� ; S

(�)�+1; � � � ; S

(�)�+��1)

T :

For instance, when = 2 the matrixS takes the form shown at thebottom of this page.

We show that ifS(�; s) is the first (leftmost) column of types in Sthat is linearly dependent on previous columns inS , then a polynomialQ�(x; y) with lead(Q�(x; y)) = (�; s) is returned as output by thealgorithm. The respective linear dependency is given by the coefficientsof Q�(x; y); namely, the coefficient ofxiyt in Q�(x; y) multiplies

S(1)0 S

(1)1 � � � S

(1)k�2 S

(1)k�1 S

(2)0 � � � S

(1)N �1 S

(2)N �1

S(1)1 S

(1)2 � � � S

(1)k�1 S

(1)k S

(2)1 � � � S

(1)N S

(2)N

...... ..

. ......

... ... ...

...S(1)��1 S

(1)� � � � S

(1)�+k�3 S

(1)�+k�2 S

(2)��1 � � � S

(1)�+N �2 S

(2)�+N �2

:



the columnS(i; t) in the linear combination. By Lemma A.2, it sufficesto show that iflead(Ts(x; y)) takes in the course of the algorithm avaluegreaterthan(�; s) (with respect to�), then the columnS(�; s) islinearly independent of previous columns inS (this applies also to thecase wherelead(Ts(x; y)) was supposed to take a value which is atleast(Ns; s), thereby reaching line 13).

By Lemma A.1, line 11 is the only place in the algorithm wherelead(T�(x; y)) can change. Therefore, all we have to show isthat whenever line 11 is reached with given values of�, �, r,and lead(T�(x; y)) = (�; �), then each of the columnsS(p; �),� � p < � + � � r, is linearly independent of the columns standingto its left in S .

Let si, �i, ri, �i, (�i; si), and fT�; i(x; y)g`�=1 denote,respec-tively, the values of�, �, r, �, lead(T�(x; y)), andfT�(x; y)g`�=1right before theith execution of line 11; note thatri = �i�1. LetYi bethe upper-left submatrix ofS that consists of the columnsSP for

(0; 1) � P � (�i+�i�ri; si)

shortened to their first�i +1 entries. Define the setsDi inductively asfollows:

D0 = ; and Di = Di�1 [ f(�i + j; si): 0 � j < �i � rig:

Observing thatjDij = jDi�1j+�i��i�1 and that�0 � r1 = �1, wehavejDij = �i +1. We denote byZi the(�i+1)� (�i+1) submatrixof Yi consisting of the columns of the latter indexed byDi. It can beverified thatZi consists of all the columns ofYi, except, possibly, acertain number of rightmost columns of each typeotherthansi in Yi.

The rest of the proof is devoted to showing that every column inZi

is linearly independent of columns that stand to its left inYi. We showthis in two steps.

• We first show that each column ofYi that is not a column ofZi

is linearly dependent on previous columns inYi.• We then prove thatrank (Yi) = �i + 1.

(Note that in the classical case of` = 1, the matricesYi andZi coin-cide, thereby making the first step vacuous.)

Let (�; �) be the index of a column inYi that does not belongto Zi. It is clear that� 6= si. Since(�; �) =2 Di, it follows thatlead(T�; i(x; y)) � (�; �). Leta be an integer such that0 � a � �i.We distinguish between two cases.

Case 1(�+a; �) � (�i+�i; si): Here, the index(�; �) reachesthe value(�+ a; �) with a polynomialT�(x; y) with

lead(T�(x; y)) = lead(T�; i(x; y)) � (h; �)

before (�; �) takes the value(�i + �i; si) with the polynomialT�(x; y) = Ts ; i(x; y). In this case we have

hxa � x��h � T�; i(x; y); S(x; y)i = 0:

Case 2(�i + �i; si) � (�+ a; �): To the smallesta0 such that

hxa � x��h � T�; i(x; y); S(x; y)i 6= 0

we can apply Lemma A.1a) withT (x; y) x��h � T�; i(x; y), � a0, R(x; y) Ts ; i(x; y), and r �i, to obtain a polynomialA(x; y) with lead(A(x; y)) = (�; �) for which

hxb � A(x; y); S(x; y)i = 0; 0 � b � a0:

By repeatedly applying Lemma A.1, we can update the polynomialA(x; y) while keepinglead(A(x; y)) = (�; �) so that it satisfies

hxa � A(x; y); S(x; y)i = 0; 0 � a � �i:

The last equation means that the column(Yi)(�; �) is linearly dependenton columns standing to its left inYi. This completes the first step of ourproof.

In our second step, we show thatrank (Yi) = �i + 1 by applyingGaussian elimination to the columns ofYi, where the linear combi-

nations applied to the columns will be determined byTs ; i(x; y).By Lemma A.1 it follows that the sequence of updates carried out onT�(x; y) in the algorithm to produceTs ; i(x; y) guarantees that

hxa � Ts ; i(x; y); S(x; y)i =0; if 0 � a < �i�i 6= 0; if a = �i.

This implies that when using the coefficients ofTs ; i(x; y) to computea linear combination of the columns(Yi)P , (0; 1) � P � (�i; si), weend up with a column vector(0; 0; � � � ; 0; �i)

T 2 F � +1.Next, we take advantage of the Hankel-like structure ofS and gen-

eralize our previous argument as follows. For everyj in the range0 � j < �i � �i�1, the linear combination of(Yi)P , (0; 1) � P �(�i+j; si), yields a column vector(0; 0; � � � ; 0; �i; � � �)

T 2 F � +1,where the number of leading zeros is�i � j. We thus have

rank (Yi) � rank (Yi�1) + �i � �i�1;

which readily implies by induction the desired result.

REFERENCES

[1] A. V. Aho, J. E. Hopcroft, and J. D. Ullman,The Design and Analysisof Computer Algorithms. Reading, MA: Addison-Wesley, 1974.

[2] E. R. Berlekamp,Algebraic Coding Theory, 2nd ed. Laguna Hills, CA:Aegean Park, 1984.

[3] R. E. Blahut,Theory and Practice of Error Control Codes. Reading,MA: Addison-Wesley, 1983.

[4] R. T. Chien, “Cyclic decoding procedures for Bose–Chaudhuri–Hoc-quenghem codes,”IEEE Trans. Inform. Theory, vol. IT-10, pp. 357–363,1964.

[5] P. Elias, “Error-correcting codes for list decoding,”IEEE Trans. Inform.Theory, vol. 37, pp. 5–12, 1991.

[6] G. L. Feng and K. K. Tzeng, “A generalization of the Berlekamp–Massey algorithm for multisequence shift-register synthesis withapplications to decoding cyclic codes,”IEEE Trans. Inform. Theory,vol. 37, pp. 1274–1287, 1991.

[7] S. Gao and M. A. Shokrollahi, “Computing roots of polynomials overfunction fields of curves,” paper, to be published.

[8] V. Guruswami and M. Sudan, “Improved decoding of Reed–Solomonand algebraic–geometric codes,”IEEE Trans. Inform. Theory, vol. 45,pp. 1757–1767, Sept. 1999.

[9] M. Kaminski, D. G. Kirkpatrick, and N. H. Bshouty, “Addition require-ments for matrix and transposed matrix products,”J. Algorithms, vol. 9,pp. 354–364, 1988.

[10] R. Lidl and H. Niederreiter,Finite Fields. Reading, MA: Addison-Wesley, 1983.

[11] F. J. MacWilliams and N. J. A. Sloane,The Theory of Error-CorrectingCodes. Amsterdam, The Netherlands: North-Holland, 1977.

[12] J. L. Massey, “Shift-register synthesis and BCH decoding,”IEEE Trans.Inform. Theory, vol. IT-15, pp. 122–127, 1969.

[13] R. R. Nielsen and T. Høholdt, “Decoding Reed–Solomon codes beyondhalf the minimum distance,” Tech. Univ. Denmark, Lyngby, Denmark,preprint, to be published.

[14] M. O. Rabin, “Probabilistic algorithms in finite fields,”SIAM J.Comput., vol. 9, pp. 273–280, 1980.

[15] K. Saints and C. Heegard, “Algebraic–geometric codes and multidimen-sional cyclic codes: A unified theory and algorithms for decoding usingGröbner bases,”IEEE Trans. Inform. Theory, vol. 41, pp. 1733–1751,1995.

[16] S. Sakata, “Finding a minimal set of linear recurring relations capableof generating a given finite two-dimensional array,”J. Symb. Comput.,vol. 5, pp. 321–337, 1988.

[17] M. Sudan, “Decoding of Reed–Solomon codes beyond the error-correc-tion bound,”J. Compl., vol. 13, pp. 180–193, 1997.

[18] Y. Sugiyama, M. Kasahara, S. Hirasawa, and T. Namekawa, “A methodfor solving key equation for decoding Goppa codes,”Inform. Contr., vol.27, pp. 87–99, 1975.

[19] R. Zippel,Effective Polynomial Computation. Boston, MA: Kluwer,1993.


Documents

Efficient Decoding of Reed–Solomon Codes Beyond Half the …zhcheng/efficient.pdf · 2009. 5. 25. · Efficient Decoding of Reed–Solomon Codes Beyond Half the Minimum Distance