HAL Id: inria-00614474
https://hal.inria.fr/inria-00614474
Submitted on 11 Aug 2011
Fast Decoding of Gabidulin Codes
Antonia Wachter-Zeh, Valentin Afanassiev, Vladimir Sidorenko
To cite this version:
Antonia Wachter-Zeh, Valentin Afanassiev, Vladimir Sidorenko. Fast Decoding of Gabidulin Codes.
WCC 2011 - Workshop on coding and cryptography, Apr 2011, Paris, France. pp.433-442. ⟨inria-00614474⟩
Antonia Wachter (1), Valentin Afanassiev (2), and Vladimir Sidorenko (1)
(1) Institute of Telecommunications and Applied Information Theory, University of Ulm, Ulm, Germany ⋆
(2) Institute for Information Transmission Problems, Russian Academy of Sciences, Moscow, Russia
antonia.wachter@uni-ulm.de, afanv@iitp.ru, vladimir.sidorenko@uni-ulm.de
Abstract. A decoding algorithm for Gabidulin codes (defined over $\mathbb{F}_{q^m}$)
is shown that directly provides the evaluation polynomial using an equivalent
of the Euclidean Algorithm. To obtain low complexity, a fast symbolic product
and a fast symbolic division are presented. The achieved complexity of the
whole decoding algorithm for Gabidulin codes is $O(m^3 \log m)$ operations over
the ground field $\mathbb{F}_q$.
1 Introduction
Gabidulin codes [1] are the rank metric analogues of Reed–Solomon (RS) codes.
In [1], Gabidulin presented decoding based on a linearized equivalent of the
Extended Euclidean Algorithm (LEEA). In [8], [9], [10], a generalization of the
Berlekamp-Massey Algorithm (BMA) was given. The BMA and LEEA are used
in the decoding process for solving a key equation. As a second step the so–
called Gabidulin Algorithm (GA) has to be carried out, which can be seen as
the rank metric analogue to calculating the error values. Loidreau formulated a
Welch–Berlekamp–like Algorithm (WBA) that uses interpolation techniques [6]
and directly gives the linearized evaluation polynomial of the code. Hence, for
the WBA no GA is necessary. The complexity of all these decoding methods is
quadratic with the length of the code.
In [11], a method for fast encoding and decoding of Gabidulin codes was
presented, where the complexity of the two most demanding steps was reduced.
Considering their complexity reduction, solving the key equation and the GA
are the most complex steps.
In this contribution, we present a method to solve an alternative (transformed)
key equation that directly outputs the evaluation polynomial using the LEEA.
We use the accelerated LEEA from [12], which has complexity $O(M(m) \log m)$,
where the Gabidulin code is defined over $\mathbb{F}_{q^m}$ and $M(m)$ denotes
the complexity of the symbolic product. To achieve a low overall complexity,
we present a fast symbolic product and a fast symbolic division with complexity
$O(m^3)$ operations over the ground field $\mathbb{F}_q$ using low-complexity
normal bases. Since our algorithm does not require the GA afterwards, the
complexity of the whole decoding process is accelerated to $O(m^3 \log m)$
operations over $\mathbb{F}_q$.
⋆ This work was supported by the German Research Council "Deutsche
Forschungsgemeinschaft" (DFG) under Grant No. Bo867/21-1. V. Sidorenko is on
leave from IITP, Russian Academy of Sciences, Moscow, Russia.
This paper is organized as follows: In Section 2, we give some preliminaries.
Section 3 states the problem and in Section 4, we present the fast symbolic
product and the fast symbolic division. Section 5 provides the decoding algorithm
and Section 6 concludes this paper.
2 Preliminaries
2.1 Linearized Polynomials
Gabidulin codes are defined by means of linearized polynomials which were
introduced by Ore [7]. Let $q$ be a power of a prime and let us denote the
Frobenius $q$-power by $x^{[i]} = x^{q^i}$ where $i$ is an integer. A linearized
polynomial over the field $\mathbb{F}_{q^m}$ is a polynomial of the form
$f(x) = \sum_{i=0}^{d_f} f_i x^{[i]}$, with $f_i \in \mathbb{F}_{q^m}$. If
$f_{d_f} \neq 0$, we call $\deg_q f(x) \overset{\mathrm{def}}{=} d_f$ the
$q$-degree of $f(x)$. An important property of linearized polynomials
$\forall \alpha_1, \alpha_2 \in \mathbb{F}_q$ and $\forall a, b \in \mathbb{F}_{q^m}$
is $f(\alpha_1 a + \alpha_2 b) = \alpha_1 f(a) + \alpha_2 f(b)$.
The symbolic product of two linearized polynomials $f(x)$ and $g(x)$ is:
$$f(x) \otimes g(x) = f(g(x)). \qquad (1)$$
Denote $\deg_q f(x) = d_f$ and $\deg_q g(x) = d_g$, then
$\deg_q (f(x) \otimes g(x)) = d_f + d_g$. The symbolic product is associative
and distributive, but in general non-commutative. The (usual) addition and the
symbolic product convert the set of linearized polynomials into a
non-commutative ring with identity element $x^{[0]} = x$. Throughout this
paper, all polynomials are linearized polynomials.
We call $b(x)$ a right symbolic divisor of $a(x)$, if $a(x) = q(x) \otimes b(x)$
for some $q(x)$. We denote the algorithmic calculation of the right symbolic
division by $q(x), \mathrm{rem}(x) \leftarrow \mathrm{RDiv}(a(x), b(x))$, where
$\mathrm{rem}(x)$ with $\deg_q \mathrm{rem}(x) < \deg_q a(x)$ denotes a possible
remainder. Equivalently, $b(x)$ is a left symbolic divisor of $a(x)$, if
$a(x) = b(x) \otimes q(x)$ and we denote the left symbolic division by
$q(x), \mathrm{rem}(x) \leftarrow \mathrm{LDiv}(a(x), b(x))$.
2.2 The Linearized Euclidean Algorithm
Let $r_{-1}(x) = a(x)$ and $r_0(x) = b(x)$ be two linearized polynomials with
$\deg_q a(x) \geq \deg_q b(x)$. The LEEA with a stopping condition $d_S > 0$ is
given in Algorithm 1, where for the remainder $\deg_q r_i(x) < \deg_q r_{i-1}(x)$
holds. If $d_S = 1$, the last non-zero remainder $r_j(x)$ is the so-called right
symbolic greatest common divisor $\mathrm{rsgcd}(a(x), b(x))$. With the
additional polynomials $u_i(x)$, $v_i(x)$, we can rewrite each remainder:
$$r_i(x) = v_i(x) \otimes a(x) + u_i(x) \otimes b(x), \quad \forall i. \qquad (2)$$
Algorithm 1: LEEA (Linearized Extended Euclidean Algorithm)
Input: $a(x)$, $b(x)$ with $\deg_q a(x) \geq \deg_q b(x)$, Stopping Degree $d_S$
Initialize: $r_{-1}(x) \leftarrow a(x)$, $r_0(x) \leftarrow b(x)$, $i \leftarrow 1$,
    $u_{-1}(x) = 0$, $u_0(x) = x^{[0]}$, $v_{-1}(x) = x^{[0]}$, $v_0(x) = 0$
while $\deg_q r_{i-1}(x) \geq d_S$ do
    $q_i(x), r_i(x) \leftarrow \mathrm{RDiv}(r_{i-1}(x), r_{i-2}(x))$
    $u_i(x) \leftarrow u_{i-2}(x) - q_i(x) \otimes u_{i-1}(x)$
    $v_i(x) \leftarrow v_{i-2}(x) - q_i(x) \otimes v_{i-1}(x)$
    $i \leftarrow i + 1$
Output: $r_{i-1}(x)$, $u_{i-1}(x)$, $v_{i-1}(x)$
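The symbolic product (1), the right symbolic division and the remainder identity (2) can be exercised on a small field. The following Python example is added here and is not code from the paper; it assumes q = 2 and m = 4 with the field built as GF(2)[z]/(z^4 + z + 1), all function names are chosen for this illustration, and each loop pass of `leea` divides the older remainder by the newer one.

```python
from itertools import zip_longest

# Assumption: GF(2^4) = GF(2)[z]/(z^4 + z + 1), field elements are ints 0..15.
# A polynomial is a list f, f[i] = coefficient of x^[i], no trailing zeros.
M, MOD = 4, 0b10011

def gmul(a, b):  # field product: shift-and-add with reduction by MOD
    r = 0
    while b:
        r ^= a * (b & 1)
        a, b = a << 1, b >> 1
        a ^= MOD * (a >> M)
    return r

def frob(a, i):  # Frobenius power a^[i] = a^(2^i); i counts mod m
    for _ in range(i % M):
        a = gmul(a, a)
    return a

def ginv(a):  # a^(-1) = a^14 = a^[1] * a^[2] * a^[3]
    return gmul(gmul(frob(a, 1), frob(a, 2)), frob(a, 3))

def add(f, g):  # sum, which is also the difference in characteristic 2
    h = [x ^ y for x, y in zip_longest(f, g, fillvalue=0)]
    while h and h[-1] == 0:
        h.pop()
    return h

def sprod(f, g):  # f(g(x)): the term x^[i+j] receives f_i * g_j^[i]
    h = [0] * (len(f) + len(g))
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[i + j] ^= gmul(fi, frob(gj, i))
    return add(h, [])

def rdiv(a, b):  # a = quo (x) b + rem, cancelling the top term each pass
    quo, rem = [], list(a)
    while len(rem) >= len(b):
        k = len(rem) - len(b)
        term = [0] * k + [gmul(rem[-1], ginv(frob(b[-1], k)))]
        quo, rem = add(quo, term), add(rem, sprod(term, b))
    return quo, rem

def leea(a, b, d_stop):  # returns (r, u, v) with r = v (x) a + u (x) b
    old, new = (a, [], [1]), (b, [1], [])
    while len(new[0]) - 1 >= d_stop:
        quo, rem = rdiv(old[0], new[0])
        old, new = new, (rem, *(add(old[i], sprod(quo, new[i])) for i in (1, 2)))
    return new
```

`sprod([0, 1], [2])` and `sprod([2], [0, 1])` give different results, which shows the non-commutativity stated in Section 2.1; `leea` expects a stopping degree of at least 1, as required by $d_S > 0$.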
2.3 Normal Bases
A basis $B = \{\beta_0, \beta_1, \dots, \beta_{m-1}\}$ of $\mathbb{F}_{q^m}$ over
$\mathbb{F}_q$ is a normal basis if $\beta_i = \beta^{[i]}$ for all $i$ and
$\beta \in \mathbb{F}_{q^m}$ is called a normal element. There is a normal basis
of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ for any prime power $q$ and any positive
integer $m$ [4]. A basis
$\widetilde{B} = \{\widetilde{\beta}_0, \widetilde{\beta}_1, \dots, \widetilde{\beta}_{m-1}\}$
of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$ is called a dual basis to $B$ if
$\mathrm{Tr}(\widetilde{\beta}_i \beta_j)$ is equal to 1 for $i = j$ and 0 in all
other cases. The dual basis of a normal basis is again a normal basis [4]. If
$B = \widetilde{B}$, it is called a self-dual normal basis.
In a normal basis $B$, the product of $a, b \in \mathbb{F}_{q^m}$ is usually done
as follows. We represent $a = \sum_{i=0}^{m-1} a^{(i)} \beta_i$,
$b = \sum_{i=0}^{m-1} b^{(i)} \beta_i$ with all $a^{(i)}, b^{(i)} \in \mathbb{F}_q$
and $\mathbf{a} = (a^{(0)} \dots a^{(m-1)})$, $\mathbf{b} = (b^{(0)} \dots b^{(m-1)})$
denote the vector representations. A multiplication table
$T \in \mathbb{F}_q^{m \times m}$ is defined such that [4]:
$$\beta_0 \cdot (\beta_0 \ \beta_1 \ \dots \ \beta_{m-1})^T = T \cdot (\beta_0 \ \beta_1 \ \dots \ \beta_{m-1})^T.$$
This is used to calculate the product
$a \cdot b = \sum_{i=0}^{m-1} b^{(i)} (\mathbf{a}^{\leftarrow i} T)^{\rightarrow i}$,
where the arrows denote a cyclic shift of the vector by $i$ positions to the
right/left. The number of non-zero entries of $T$ is called complexity $C(T)$
and is lower bounded by $C(T) \geq 2m - 1$. Low-complexity normal bases (i.e.,
$C(T) \approx 2m$) exist in many cases, e.g. for $q = 2^s$ if $\gcd(m, s) = 1$
and $8 \nmid m$. For $q = 2^s$ and odd $m$, all these low-complexity normal
bases are self-dual (see also [4]).
For a normal basis $B$, the $q$-transform of a linearized polynomial $f(x)$ is:
Definition 1 (q-Transform [11]). The $q$-transform of a vector
$\mathbf{f} \in \mathbb{F}_{q^m}^m$ (or a linearized polynomial $f(x)$ with
$\deg_q f(x) < m$) with respect to a normal element $\beta$ is the vector
$(F_0 \ F_1 \ \dots \ F_{m-1}) \in \mathbb{F}_{q^m}^m$ (or
$F(x) = \sum_{j=0}^{m-1} F_j x^{[j]}$), given by
$$F_j = f(\beta^{[j]}) = \sum_{i=0}^{m-1} f_i \beta^{[i+j]}, \quad j = 0, \dots, m-1. \qquad (3)$$
Using the multiplication table,
$F_j = \sum_{k=0}^{m-1} \sum_{i=0}^{m-1} f_k^{(i)} (T_{j+k-i})^{\rightarrow i}$,
where $\mathbf{f}_k = (f_k^{(0)} \dots f_k^{(m-1)})$ is the vector representation
of $f_k$ over $\mathbb{F}_q$ and $T_{j+k-i}$ is the $(j+k-i)$-th row of $T$.
Here, the index $\ell$ of $T_\ell$ is calculated mod $m$.
Theorem 1 (Inverse q-Transform [11]). The inverse $q$-transform of a vector
$(F_0 \ F_1 \ \dots \ F_{m-1}) \in \mathbb{F}_{q^m}^m$ (or a linearized polynomial
$F(x)$) with respect to $\beta$ is given by
$f_i = F(\widetilde{\beta}^{[j]}) = \sum_{j=0}^{m-1} F_j \widetilde{\beta}^{[j+i]}$,
$j = 0, \dots, m-1$, where
$\widetilde{B} = \{\widetilde{\beta}_0, \dots, \widetilde{\beta}_{m-1}\}$ is dual to $B$.
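The normal-basis product formula of this section and the q-transform pair of Definition 1 and Theorem 1 can be checked on GF(2^3). The following Python example is added here and is not code from the paper; its multiplication table was worked out by hand for an assumed normal element, the function names are chosen for this illustration, and the basis is self-dual, so the inverse transform takes the same form as (3).

```python
# Added example: GF(2^3) in the normal basis {b, b^2, b^4}, q = 2, m = 3.
# Assumption: T below was worked out by hand for b = z + 1 in
# GF(2)[z]/(z^3 + z + 1); row k holds the coordinates of b_0 * b_k.
m = 3
T = [[0, 1, 0],
     [1, 0, 1],
     [0, 1, 1]]

def shift(v, i):
    """Cyclic shift right by i positions (left for negative i)."""
    i %= m
    return v[-i:] + v[:-i]

def mul(a, b):
    """a * b = sum_i b^(i) * ((a shifted left i) T) shifted right i."""
    out = [0] * m
    for i in range(m):
        if b[i]:
            row = shift(a, -i)
            prod = [sum(row[k] * T[k][j] for k in range(m)) % 2 for j in range(m)]
            out = [x ^ y for x, y in zip(out, shift(prod, i))]
    return out

def trace(a):
    """Tr(a) = a + a^2 + a^4; every basis element has trace 1 here."""
    return sum(a) % 2

def basis(i):
    """Coordinate vector of b^[i]."""
    return shift([1] + [0] * (m - 1), i)

def q_transform(f):
    """F_j = sum_i f_i * b^[i+j] for a list f of m field elements."""
    F = []
    for j in range(m):
        acc = [0] * m
        for i in range(m):
            acc = [x ^ y for x, y in zip(acc, mul(f[i], basis(i + j)))]
        F.append(acc)
    return F

def is_self_dual():
    """Check Tr(b_i * b_j) = 1 for i = j and 0 otherwise."""
    return all(trace(mul(basis(i), basis(j))) == (i == j)
               for i in range(m) for j in range(m))
```

This table has five non-zero entries, which meets the lower bound 2m - 1, and squaring an element with `mul(a, a)` is the cyclic shift `shift(a, 1)`.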
2.4 Complexity of Elementary Operations
For simplicity, throughout this paper, let us consider only self-dual normal
bases, i.e., $\widetilde{\beta}_i = \beta_i = \beta^{[i]}$. In a normal basis
representation, $q$-exponentiations are only cyclic shifts and hence the
complexity of the Frobenius powers is negligible. The product $a \cdot b$ of any
two elements $a, b \in \mathbb{F}_{q^m}$ can be calculated by the multiplication
table $T$ with complexity $O(m^2)$ operations over $\mathbb{F}_q$. The
calculation of the (inverse) $q$-transform (3) requires at most $(m-1) m C(T)$
additions over $\mathbb{F}_q$, i.e., in the order of $O(m^3)$ operations over
$\mathbb{F}_q$ [11].
Let $M(n)$ denote the complexity of calculating the symbolic product (1) where
$n = \max\{d_f, d_g\}$. The complexity of the (right/left) symbolic division
will be denoted by $D(n)$. With standard implementation, the complexity of both
is in the order of $O(n^2)$ operations over $\mathbb{F}_{q^m}$ [3]. In Section 4,
we give fast algorithms for calculating the symbolic product and division.
In [12], a fast LEEA was presented which achieves complexity $O(M(n) \log n)$
if $n \geq \deg_q a(x) \geq \deg_q b(x)$.
2.5 Gabidulin Codes
Definition 2 (Gabidulin Code [1]). A linear $G(n, k)$ Gabidulin code over
$\mathbb{F}_{q^m}$ for $n \leq m$ is the set of all codewords, which are the
evaluation of a $q$-degree restricted linearized polynomial:
$$G(n, k) \overset{\mathrm{def}}{=} \{ c = (f(\alpha_0), f(\alpha_1), \dots, f(\alpha_{n-1}) \mid \deg_q f(x) < k) \},$$
where the fixed elements $\alpha_0, \dots, \alpha_{n-1} \in \mathbb{F}_{q^m}$ are
linearly independent over $\mathbb{F}_q$.
If we use the basis elements $\alpha_i = \beta^{[i]}$ as evaluation points (where
$\beta$ is a normal element), the codeword $c(x)$ is the inverse $q$-transform
of the corresponding $f(x)$.
Given a basis $B$ of $\mathbb{F}_{q^m}$ over $\mathbb{F}_q$, there exists a
one-to-one mapping for each vector $x \in \mathbb{F}_{q^m}^n$ on a matrix
$X \in \mathbb{F}_q^{m \times n}$. Let the rank norm $\mathrm{rank}_q(x)$ be the
rank of $X$ over $\mathbb{F}_q$. The minimum rank distance $d$ of a code $G$ is
defined by $d = \min\{\mathrm{rank}_q(c) \mid c \in G, c \neq 0\}$. Gabidulin
codes are Maximum Rank Distance (MRD) codes, i.e., $d = n - k + 1$.
Let $c$ be the transmitted codeword that is corrupted by an additive error
vector $e \in \mathbb{F}_{q^m}^n$ of $\mathrm{rank}_q(e) = t$. The received
vector $r \in \mathbb{F}_{q^m}^n$ is $r = c + e$. We can use a $t \times n$ matrix
$Y \in \mathbb{F}_q^{t \times n}$ of rank $t$ to decompose the error:
$$e = x \cdot Y = (x_1 \ x_2 \ \dots \ x_t) \cdot Y, \qquad (4)$$
where $x_1, x_2, \dots, x_t \in \mathbb{F}_{q^m}$ are linearly independent over
$\mathbb{F}_q$. Note that this decomposition into $x$ and $Y$ is not unique.