List Decoding Algorithms based on Gröbner Bases ... - Semantic Scholar

List Decoding Algorithms based on Gröbner Bases for General One-Point AG Codes Olav Geil∗ , Ryutaroh Matsumoto† and Diego Ruano∗

arXiv:1201.6248v2 [cs.IT] 1 Mar 2012

∗ Department

of Mathematical Sciences, Aalborg University, Denmark Email: {olav,diego}@math.aau.dk † Department of Communications and Integrated Systems, Tokyo Institute of Technology, 152-8550 Japan Email: [email protected] Abstract We generalize the list decoding algorithm for Hermitian codes proposed by Lee and O’Sullivan [18] based on Gröbner bases to general one-point AG codes, under an assumption weaker than one used by Beelen and Brander [4]. By using the same principle, we also generalize the unique decoding algorithm for one-point AG codes over the Miura-Kamiya Cab curves proposed by Lee, Bras-Amorós and O’Sullivan [17] to general one-point AG codes, without any assumption. Finally we extend the latter unique decoding algorithm to list decoding, modify it so that it can be used with the Feng-Rao improved code construction, analyze its error correcting capability that has not been done in the original proposal, and removing the unnecessary computational steps so that it can run faster. Index Terms algebraic geometry code, Gröbner basis, list decoding

I. Introduction We consider the list decoding of one-point algebraic geometry (AG) codes. Guruswami and Sudan [14] proposed the well-known list decoding algorithm for one-point AG codes, which consists of the interpolation step and the factorization step. The interpolation step has large computational complexity and many researchers have proposed faster interpolation steps, see [4, Figure 1]. Lee and O’Sullivan [18] proposed a faster interpolation step based on the Gröbner basis theory for one-point Hermitian codes. Little [19] generalized their method [18] by using the same assumption as Beelen and Brander [4, Assumptions 1 and 2]. Lax [16] generalized part of [18] to general algebraic curves, but he did not generalize the faster interpolation algorithm in [18]. The aim of the first part of this paper is to generalize the faster interpolation algorithm [18] to an even wider class of algebraic curves than [19]. The second part proposes another list decoding algorithm whose error correcting capability is higher than [4], [14], [18], [19] and whose computational complexity is empirically manageable. A decoding algorithm for the primal one-point AG codes was proposed in [22], which was a straightforward adaptation of the original Feng-Rao majority voting for the dual AG codes [9] to the primal ones. The Feng-Rao majority voting in [22] for one-point primal codes was generalized to multi-point primal codes in [5, Sec. 2.5]. Lee, Bras-Amorós and O’Sullivan [17] proposed another unique decoding (not list decoding) algorithm for primal codes based on the majority voting inside Gröbner bases. The module used by them [17] is a curve theoretic generalization of one used for Reed-Solomon codes in [2]. An interesting feature in [17] is that it did not use differentials and residues on curves for its majority voting, while they were used in [5], [22]. The above studies [5], [17], [22] dealt with the primal codes. Elbrønd Jensen et al. [8] and Bras-Amorós et al. [6] studied the error correction capability of the BMS algorithm [26], [27] with majority voting beyond half the designed distance that are applicable to the dual one-point AG codes. There were several rooms for improvements in the original result [17], namely, (a) they have not analyzed the error-correcting capability except the Hermitian codes, (b) they assumed that the maximum

pole order used for code construction is less than the code length, and (c) they have not shown how to use the method with the Feng-Rao improved code construction [10]. In the second part of this paper, we shall (1) prove that the error-correcting capability of the original proposal is always equal to half of the bound in [3] for the minimum distance of one-point primal codes, (2) generalize their algorithm to work with any one-point AG codes, (3) modify their algorithm to a list decoding algorithm, (4) remove the assumptions (b) and (c) above, and (5) remove unnecessary computational steps from the original proposal. The proposed algorithm is implemented on the Singular computer algebra system [13], and we verified that the proposed algorithm can correct more errors than [4], [14], [18], [19] with manageable computational complexity. This paper is organized as follows: Sec. II introduces notations and relevant facts. Sec. III generalizes [18]. Sec. IV improves [17] in various ways. Sec. V concludes the paper. II. Notation and Preliminary A. Normal Form of Algebraic Curves by Pellikaan and Miura Our study heavily relies on the normal form of algebraic curves introduced independently by Pellikaan [12] and Miura [24], which is an enhancement of earlier results [23], [25]. Let F/Fq be an algebraic function field of one variable over a finite field Fq with q elements. Let g be the genus of F. Fix n + 1 distinct places Q, P1 , . . . , Pn of degree one in F and a nonnegative integer u. We consider the following one-point algebraic geometry (AG) code Cu = {( f (P1 ), . . . , f (Pn)) | f ∈ L(uQ)}. Suppose that the Weierstrass semigroup H(Q) at Q is generated by a1 , . . . , at , and choose t elements x1 , . . . , xt in F whose pole divisors are (xi )∞ = ai Q for i = 1, . . . , t. Without loss of generality we may assume the availability of such x1 , . . . , xt , because otherwise we cannot find a basis of Cu for every u. Then we have that L(∞Q) = ∪∞ i=1 L(iQ) is equal to Fq [x1 , . . . , xt ] [25]. Let mi be the maximal ideal Pi ∩ L(∞Q) of L(∞Q) associated with the place Pi . We express L(∞Q) as a residue class ring Fq [X1 , . . . , Xt ]/I of the polynomial ring Fq [X1 , . . . , Xt ], where X1 , . . . , Xt are transcendental over Fq , and I is the kernel of the canonical homomorphism sending Xi to xi . Pellikaan and Miura [12], [24] identified the following convenient representation of L(∞Q) by using the Gröbner basis theory [1]. The following review is borrowed from [21]. Hereafter, we assume that the reader is familiar with the Gröbner basis theory in [1]. Let N0 be the set of nonnegative integers. For (m1 , . . . , mt ), (n1 , . . . , nt ) ∈ Nt0 , we define the monomial order ≻ such that (m1 , . . . , mt ) ≻ (n1 , . . . , nt ) if a1 m1 + · · · + at mt > a1 n1 + · · · + at nt , or a1 m1 + · · · + at mt = a1 n1 + · · · + at nt , and m1 = n1 , m2 = n2 , . . . , mi−1 = ni−1 , mi < ni , for some 1 ≤ i ≤ t. Note that a Gröbner basis of I with respect to ≻ can be computed by [25, Theorem 15] or [29, Proposition 2.17], starting from any defining equations of F/Fq . Example 1: According to [15, Example 3.7], u3 v + v3 + u = 0 is an affine defining equation for the Klein quartic over F8 . There exists a unique F8 -rational place Q such that (v)∞ = 3q, (uv)∞ = 5q, and (u2 v)∞ = 7Q. The numbers 3, 5 and 7 is the minimal generating set of the Weierstrass semigroup at Q. Choosing v as x1 , uv as x2 and u2 v, we can see that the normal form of the Klein quartic is given by X22 + X3 X1 , X3 X2 + X14 + X2 , X32 + X2 X13 + X3 , which is the reduced Gröbner basis with respect to the monomial order ≻. We can see that a1 = 3, a2 = 5, and a3 = 7. 2

For i = 0, . . . , a1 − 1, we define bi = min{m ∈ H(Q) | m ≡ i (mod a1 )}, and Li to be the minimum element (m1 , . . . , mt ) ∈ Nt0 with respect to ≺ such that a1 m1 + · · · + at mt = bi . Then we have ℓ1 = 0 if we write Li as (ℓ1 , . . . , ℓt ). For each Li = (0, ℓi2 , . . . , ℓit ), define yi = xℓ2i2 · · · xℓt it ∈ L(∞Q). The footprint of I, denoted by ∆(I), is {(m1 , . . . , mt ) ∈ Nt0 | X1m1 · · · Xtmt is not the leading monomial of any nonzero polynomial in I with respect to ≺}, and define B = {xm1 1 · · · xmt t | (m1 , . . . , mt ) ∈ ∆(I)}. Then B is a basis of L(∞Q) as an Fq -linear space [1], two distinct elements in B has different pole orders at Q, and B = {xm1 xℓ22 · · · , xℓt t | m ∈ N0 , (0, ℓ2, . . . , ℓt ) ∈ {L0 , . . . , La1 −1 }} = {xm1 yi | m ∈ N0 , i = 0, . . . , a1 − 1}.

(1)

Equation (1) shows that L(∞Q) is a free Fq [x1 ]-module with a basis {y0 , . . . , ya1 −1 }. Note that the above structured shape of B reflects a well-known property of the graded reverse lexicographic monomial order, see the paragraph preceding to [7, Proposition 15.12]. Example 2: For the curve in Example 1, we have y0 = 1, y1 = x3 , y2 = x2 . Let vQ be the unique valuation in F associated with the place Q. The semigroup S = H(Q) is equal to S = {ia1 − vQ (y j ) | 0 ≤ i, 0 ≤ j < a1 }. For each nongap s ∈ S there is a unique monomial xi1 y j ∈ L(∞Q) with 0 ≤ j < a1 such that −vQ (xi1 y j ) = s, by [21, Proposition 3.18], let us denote this monomial by ϕ s . Let Γ ⊂ S , we may consider the one-point codes CΓ = h(ϕ s (P1 ), . . . , ϕ s (Pn )) | s ∈ Γi.

(2)

One motivation for considering these codes is that one is that it was shown in [3] how to increase the dimension of the one-point codes without decreasing the bound for the minimum distance. III. Generalization of Lee-O’Sullivan’s List Decoding to General One-Point AG Codes A. Background on Lee-O’Sullivan’s Algorithm In the famous list decoding algorithm for the one-point AG codes in [14], we have to compute the univariate interpolation polynomial whose coefficients belong to L(∞Q). Lee and O’Sullivan [18] proposed a faster algorithm to compute the interpolation polynomial for the Hermitian one-point codes. Their algorithm was sped up and generalized to one-point AG codes over the so-called Cab curves [23] by Beelen and Brander [4] with an additional assumption. In this section we generalize Lee-O’Sullivan’s procedure to general one-point AG codes with an assumption weaker than [4, Assumption 2], which will be introduced in and used after Assumption 9. Let m be the multiplicity parameter in [14]. Lee and O’Sullivan introduced the ideal I~r,m containing the interpolation polynomial corresponding to the received word ~r and the multiplicity m. The ideal I~r,m contains the interpolation polynomial as its minimal nonzero element with respect to the monomial order. We will give a generalization of I~r,m for general algebraic curves. B. Generalization of the Interpolation Ideal n S∞Let ~r = (r1 , . . . , rn ) ∈ Fq be the received word. For a divisor G of F, we define L(−G + ∞Q) = i=1 L(−G + iQ). We see that L(−G + ∞Q) is an ideal of L(∞Q) [20]. Let h~r ∈ L(∞Q) such that h~r (Pi ) = ri . Computation of such h~r is easy provided that we can construct generator matrices for Cu for every u. We can choose h~r so that −vQ (h~r ) ≤ n + 2g. Let Z be transcendental over L(∞Q), and D = P1 + · · · + Pn . Define the ideal I~r,m of the ring L(∞Q)[Z] as I~r,m = L(−mD + ∞Q) + L(−(m − 1)D + ∞Q)hZ − h~r i + · · · +L(−D + ∞Q)hZ − h~r im−1 + hZ − h~r im , 3

(3)

where h·i denotes the ideal generated by ·, and the plus sign + denotes the sum of ideals. For Q(Z) ∈ L(∞Q)[Z], we say Q(Z) has multiplicity m at (Pi , ri ) if X Q(Z + ri ) = α jZ j (4) j

with α j ∈ L(∞Q) satisfies vPi (α j ) ≥ m − j. Define the set I~r′,m = {Q(Z) ∈ L(∞Q)[Z] | Q(Z) has multiplicity m for all (Pi , ri)}. This definition of the multiplicity is the same as [14]. Therefore, we can find the interpolation polynomial used in [14] from I~r′,m . We shall explain how to find efficiently the interpolation polynomial from I~r′,m . Lemma 3: We have I~r,m ⊆ I~r′,m . Proof: Observe that I~r′,m is an ideal of L(∞Q)[Z]. Let α(Z − h~r ) j ∈ L(−(m − j)D + ∞Q)hZ − h~r i j such that α ∈ L(−(m − j)D + ∞Q). Then we have α(Z + ri − h~r ) j = α(Z − (h~r − ri )) j j X = αk (h~r − ri ) j−k Z k , k=0

where αk ∈ L(−(m − j)D + ∞Q). We can see that αk (h~r − ri ) j−k ∈ L(−(m − k)Pi + ∞Q) and that L(−(m − j)D + ∞Q)hZ − h~r i j ⊆ I~r′,m . Since I~r′,m is an ideal, it follows that I~r,m ⊆ I~r′,m .   Proposition 4: [14] dimFq L(∞Q)[Z]/I~r′,m = n m+1 . 2 Lemma 5: Let G be a divisor ≥ 0 whose support disjoint from Q. dimFq L(∞Q)/L(−G + ∞Q) = deg G. Proof: Let n() be a mapping from supp(G) to the set of nonnegative integers. Let N be the set of those functions such that n(P) < vP (G) for all P ∈ supp(G). By the strong approximation theorem [28, Theorem I.6.4] we can choose a fn() ∈ L(∞Q) such that vP ( fn() ) = n(P) for every P ∈ supp(G). Any element in L(∞Q) \ L(−G + ∞Q) can be written as the sum of an element g ∈ L(−G + ∞Q) plus a linear combination of fn() ’s, which completes the proof.  Proposition 6: dimFq L(∞Q)[Z]/I~r ,m = n m+1 . 2 Proof: Recall that I is an ideal of Fq [X1 , . . . , Xt ] such that L(∞Q) = Fq [X1 , . . . , Xt ]/I as introduced in Sec. II. Let Gi be a Gröbner basis of the preimage of L(−iD + ∞Q) in Fq [X1 , . . . , Xt ], and H~r be the coset representative of h~r written as a sum of monomials in ∆(I). Then G = ∪mi=0 {F(Z − H~r )m−i | F ∈ Gi } is a Gröbner basis of the preimage of I~r,m in Fq [Z, X1 , . . . , Xt ] with the elimination monomial order with Z greater than Xi ’s and refining the monomial order ≻ defined in Sec. II. Please refer to [7, Sec. 15.2] for refining monomial orders. A remainder of division by G can always be written as F m−1 Z m−1 + F m−2 Z m−2 + · · · + F 0 with F i ∈ Fq [X1 , . . . , Xt ]. Then F i must belong to the footprint ∆(Gi ) of Gi . This shows that dimFq L(∞Q)[Z]/I~r ,m ≤

m−1 X i=0

4

♯∆(Gi ).

On the other hand, by Lemma 5, ♯∆(Gi ) = dimFq L(∞Q)/L(−iD + ∞Q) = ni. This implies dimFq L(∞Q)[Z]/I~r ,m

! m+1 . ≤n 2

By Proposition 4 and Lemma 3, we see dimFq L(∞Q)[Z]/I~r ,m

! m+1 . =n 2

Corollary 7: I~r′,m = I~r,m . Since I~r′,m is the ideal used in [14], what we need is to find a polynomial in I~r,m = I~r′,m of the lowest degree in Z. For i = 0, . . . , m and j = 0, . . . , a1 − 1, let ηi, j to be an element in L(−iD + ∞Q) such that −vQ (ηi, j ) is the minimum among {η ∈ L(−iD + ∞Q) | −vQ (η) ≡ j (mod a1 )}. Such elements ηi, j can be computed by [20] before receiving ~r. It was also shown [20] that {ηi, j | j = 0, . . . , a1 − 1} generates L(−iD + ∞Q) as an Fq [x1 ]-module. Note also that we can choose η0,i = yi defined in Sec. II. By Eq. (1), all ηi, j and h~r can be expressed as polynomials in x1 and y0 , . . . , ya1 −1 . Thus we have Theorem 8: Let ℓ ≥ m. {(Z − h~r )m−i ηi, j | i = 0, . . . , m, j = 0, . . . , a1 − 1} ∪{Z ℓ−m (Z − h~r )m η0, j | ℓ = 1, . . . , j = 0, . . . , a1 − 1} generates I~r ,m,ℓ = I~r,m ∩ {Q(Z) ∈ L(∞Q)[Z] | degZ Q(Z) ≤ ℓ} as an Fq [x1 ]-module. Proof: Let e ∈ I~r,m and E be its preimage in Fq [Z, X1 , . . . , Xt ]. By dividing E by the Gröbner basis G introduced in proof of Proposition 6, we can see that e is expressed as m X X ℓ m e= α−ℓ z (z − h~r ) + αi (z − h~r )m−i ℓ=1

i=0

with αi ∈ L(−iD + ∞Q), from which the assertion follows. C. Computation of the Interpolated Polynomial from the Interpolation Ideal I~r,m For (m1 , . . . , mt , mt+1 ), (n1 , . . . , nt , nt+1 ) ∈ Nt+1 0 , we define the monomial order ≻u in Fq [X1 , . . . , Xt , Z] such that (m1 , . . . , mt , mt+1 ) ≻ (n1 , . . . , nt , nt+1 ) if a1 m1 + · · · + at mt + umt+1 > a1 n1 + · · · + at nt + unt+1 , or a1 m1 + · · · + at mt + umt+1 = a1 n1 + · · · + at nt + unt+1 , and m1 = n1 , m2 = n2 , . . . , mi−1 = ni−1 , mi < ni , for some 1 ≤ i ≤ t + 1. As done in [18], the interpolation polynomial is the smallest nonzero polynomial with respect to ≻u in the preimage of I~r,m . Such a smallest element can be found from a Gröbner basis of the Fq [x1 ]-module I~r,m,ℓ in Theorem 8. To find such a Gröbner basis, Lee and O’Sullivan proposed the following general purpose algorithm as [18, Algorithm G]. Their algorithm [18, Algorithm G] efficiently finds a Gröbner basis of submodules of Fq [x1 ]s for a special kind of generating set and monomial orders. Please refer to [1] for Gröbner bases for modules. Let e1 , . . . , es be the standard basis of Fq [x1 ]s . Let u x , u1 , . . . , u s be positive integers. Define the monomial order in FPq [x1 ]s such that xn11 ei ≻LO xn12 e j if n1 u x + ui > n2 u x + u j or n1 u x + ui = n2 u x + u j and i > j. s For f = i=1 fi (x1 )ei ∈ Fq [x1 ]s , define ind( f ) = max{i | fi (x1 ) , 0}, where fi (x1 ) denotes a univariate polynomial in x1 over Fq . Their algorithm [18, Algorithm G] efficiently computes a Gröbner basis of a module generated by g1 , . . . , g s ∈ Fq [x1 ]s such that ind(gi ) = i. The computational complexity is also evaluated in [18, Proposition 16]. Let ℓ be the maximum Z-degree of the interpolation polynomial in [14]. The set I~r,m,ℓ in Theorem 8 is an Fq [x1 ]-submodule of Fq [x1 ]a1 (ℓ+1) with the module basis {y j Z k | j = 0, . . . , a1 − 1, k = 0, . . . , ℓ}. Assumption 9: We assume that we have f ∈ L(∞Q) whose zero divisor ( f )0 = D. 5

Observe that Assumption 9 is implied by [4, Assumption 2] and is weaker than [4, Assumption 2]. Let h f i be the ideal of L(∞Q) generated by f . By [20, Corollary 2.3] we have L(−D + ∞Q) = h f i. By [20, Corollary 2.5] we have L(−iD + ∞Q) = h f i i. Example 10: This is continuation of Example 2. Let f = x71 + 1. We see that −vQ ( f ) = 21 and that there exist 21 distinct F8 -rational places P1 , . . . , P21 such that f (Pi ) = 0 for i = 1, . . . , 21 by straightforward computation. By setting D = P1 + · · · + P21 Assumption 9 is satisfied. We remark that we have −vQ (x81 + x1 ) = 24 but there exist only 23 F8 -rational places P such that (x81 + x1 )(P) = 0, other than Q, and that (x81 + x1 ) does not satisfy Assumption 9. Without loss of generality we may assume existence of x′ ∈ L(∞Q) such that f ∈ Fq [x′ ]. By changing the choice of x1 , . . . , xt if necessary, we may assume x1 = x′ and f ∈ Fq [x1 ] without loss of generality, while it is better to make −vQ (x1 ) as small as possible in order to reduce the computational complexity. Under the assumption f ∈ Fq [x1 ], f i y j satisfies the required condition for ηi, j in Theorem 8. By naming y j zk as e1+ j+ku , the generators in Theorem 8 satisfy the assumption in [18, Algorithm G] and we can efficiently compute the interpolation polynomial required in the list decoding algorithm in [14]. Proposition 11: We assign the weight −ivQ (x1 ) − vQ (y j ) + ku to the module element xi1 y j zk when we use [18, Algorithm G] to find the minimal Gröbner basis of I~r,m,ℓ . Under Assumption 9, the number of multiplications in [18, Algorithm G] with the generators in Theorem 8 is at most [max{−vQ (y j )} + m(n + 2g − 1) + u(ℓ − j

m)]2 a−1 1

a1X (ℓ+1)

i2 .

(5)

i=1

Proof: The number of generators is a1 (ℓ + 1), which is denoted by m in [18, Proposition 16]. We have −vQ ( f ) ≤ n + g and −vQ (h~r ) ≤ n + 2g − 1. We can assume u ≤ n + 2g − 1. Thus, the maximum weight of the generators is upper bounded by max{−vQ (y j )} + m(n + 2g − 1) + u(ℓ − m). j

By [18, Proof of Proposition 16], the number of multiplications is upper bounded by Eq. (5). IV. New List Decoding based on Majority Voting inside Gr¨obner Bases A unique decoding algorithm for one-point codes over Cab curves has recently been introduced in [17]. This algorithm is also based on the interpolation approach, an ideal containing the interpolation polynomials of a received word is computed. Moreover, the algorithm in [17] combines the interpolation approach with syndrome decoding with majority voting scheme. However, this algorithm only considers the non-improved code Cu assuming that u < n. The aim of this section is to extend this algorithm for one-point codes defined over general curves without assuming u < n, besides, the modified algorithm performs list decoding. Furthermore, we can speed up the algorithm and deal with Feng-Rao improved codes by changing the majority voting. Still, the main structure of the algorithm remains the same. We stress that we do not assume Assumption 9 in this section. Let F/Fq be an algebraic function field as in Sec. II, we consider the same notation and concepts already introduced in Secs. II and III. Let Γ = {s1 , s2 , . . . , sk } ⊂ S and consider the code CΓ defined in Eq. (2). We will assume that Γ = Γindep , where Γindep = {s ∈ Γ | ev(ϕ s ) < hev(ϕ s′ ) : s′ ∈ Γ, s′ < si},

(6)

since there is no interest in considering s ∈ Γ \ Γindep . Let ~r be a received word. Choose any codeword in CΓ as ~c and define ~e(~c) = ~r − ~c. Then there is a unique X µ= ωs ϕs , (7) s∈Γ

6

with ~c = ev(µ) = (µ(P1 ), . . . , µ(Pn )). As in Sec. III-C, we consider L(∞Q) as an F[x1 ]-module of rank a1 with basis {y j | 0 ≤ j < a1 }. For f ∈ F[x1 ], we denote by f [xk1] the coefficient of the term xk1 in f . The following ideal containing the interpolation polynomial for a received word ~r is defined in [17], I~r = { f (z) ∈ L(∞Q)z ⊕ L(∞Q) | vPi ( f (ri )) ≥ 1, 1 ≤ i ≤ n}. We remark that I~r is a generalization for one-point codes of the interpolation ideal for decoding ReedSolomon codes in [2]. Moreover, I~r is a special case of the interpolation ideal in [18]. Thus, by Sec. III, we have that L(∞Q)z⊕ L(∞Q) is a free Fq [x1 ]-module of rank 2a1 with basis {y j z, y j | 0 ≤ j < a1 }. Hence an element in L(∞Q)z ⊕ L(∞Q) can be uniquely expressed by monomials in Ω1 = {xi1 y j zk | 0 ≤ i, 0 ≤ j < a1 , 0 ≤ k ≤ 1}. Recall also that an element in L(∞Q) can be uniquely expressed by monomials in Ω0 = {xi1 y j | 0 ≤ i, 0 ≤ j < a1 }. By the previous section, G = {η0 , η1 , . . . , ηa1 −1 , z − h~r , y1 (z − h~r ), . . . , ya1 −1 (z − h~r )}, with ηi and h~r as in Sec. III, is a Gröbner basis of the Fq [x1 ]-module I~r with respect to the monomial order >−vQ (h~r ) defined in Sec. III-C. Example 12: This is continuation of Example 2. When we take P1 , . . . , P23 as all the F8 -rational places on the Klein quartic except Q and D = P1 + · · · + P23 , then we have η0 = x81 + x1 , η1 = x3 (x81 + x1 ), η2 = x2 (x71 + 1). Note that the choice of D is different from Example 10, because Example 10 has to satisfy Assumption 9 while this example does not. Let J~e(~c) = ∩ei ,0 mi be the ideal of the error vector and let ǫi ∈ L(∞Q) such that −vQ (ǫi ) is the minimum among { f ∈ J~e(~c) | −vQ ( f ) ≡ i (mod a1 )}, for i = 0, . . . , a1 − 1. One has that {ǫ0 , ǫ1 , . . . , ǫa1 −1 } is a moduleGröbner basis with respect to the restriction to L(∞Q) of the order >u introduced in Sec. III-C (which is independent of u). Note that −vQ (J~e(~c) ) = {s − vQ (ǫi )|0 ≤ i < a1 , s ∈ S }. Then X degx1 (LT(ǫi )) = dimF L(∞Q)/J~e(~c) = wt(~e(~c)). (8) 0≤is where X X g(s) = c y z + di, j y j , with ci, j , di, j ∈ Fq [x1 ], i, j j i 0≤ j −vQ (α1 ), hence β′ cannot correspond to fmin . Note that the genus zero case was proved in [2, Theorem 12]. 6) Termination: After reaching s = max{s | 2τ + 2g < n − s} or after verifying the earlier termination condition, include the recovered message (ws1 , ws2 , . . . , wsk ) in the output list. B. Relation of ν(s) to [3] In [17], ν(s) was introduced in the same way as in in Eq. (11). We claim that ν(s) is equivalent to the sets used in [3], [11] for bounding the minimum distance. Let S indep = {u | Cu , Cu−1 }. Define λ(s) = |{ j ∈ S | j + s ∈ S indep }|.

(13)

The bound in [3, Propositions 27 and 28] for the minimum distance of CΓ is dAG (CΓ ) = min{λ(s) | s ∈ Γ} ≥ n − sk . The following proposition implies that du = min{ν(s) | s ∈ S , s ≤ u} is equivalent to dAG (Cu ), and therefore [3, Theorem 8] implies [17, Proposition 12]. Proposition 13: Let s ∈ S , one has that ν(s) = λ(s). Proof: Let T i = { j ∈ S | j ≡ i (mod a1 ), j + s ∈ S indep }, then we have λ(s) = |T 0 | + · · · + |T a−1 |. Moreover, observe that S \ S indep = {−vQ (ηi xk1 ) | i = 0, . . . , a1 − 1, k = 0, 1, . . .}. Therefore, we have Ti = = = =

{ j ∈ S | j ≡ i (mod a1 ), j + s ∈ S indep } { j ∈ S | j ≡ i (mod a1 ), j + s < S \ S indep } { j ∈ S | j ≡ i (mod a1 ), j + s < {−vQ (ηi′ xk1 | k ≥ 0}} {−vQ (yi xm1 ) | s − vQ (yi xm1 ) < {−vQ (ηi′ xk1 ) | k ≥ 0}},

where the third equality holds by Eq. (10). By the equalities above, we see ) ( −vQ (ηi′ ) + vQ (yi ) − s , |T i | = max 0, −vQ (x1 ) which proves the equality ν(s) = λ(s).

10

C. Proof and error correction capability of the algorithm We will prove in this section the correctness and error correction capability of the algorithm. Using [17, Lemmas 6,7 and Proposition 8] we have the following proposition that is an extension of [17, Proposition 9]. Proposition 14: Let ω s be as defined at Eq. (7). We have X X a1 c¯ i ≥ a1 c¯ i − 2a1 wt(~e(~c)) wi =ω s

+

X

wi ,ω s

max{−vQ (ηi′ ) + vQ (yi ) − s, −vQ (ǫi ) + vQ (yi )}.

0≤i