Row Reduction Applied to Decoding of Rank-Metric and Subspace

Noname manuscript No. (will be inserted by the editor)

Row Reduction Applied to Decoding of Rank-Metric and Subspace Codes Sven Puchinger · Johan S. R. Nielsen · Wenhui Li · Vladimir Sidorenko

arXiv:1510.04728v2 [cs.IT] 13 Apr 2016

Received: date / Accepted: date

Abstract We show that error and erasure decoding of `-Interleaved Gabidulin codes, as well as list-` decoding of Mahdavifar–Vardy codes can be solved by row reducing skew polynomial matrices. Inspired by row reduction of F[x] matrices, we develop a general and flexible approach of transforming matrices over skew polynomial rings into certain normal forms. We apply this to solve generalised shift register problems, or Padé approximations, over skew polynomial rings, which occur in error and erasure decoding `-Interleaved Gabidulin codes. We obtain an algorithm with complexity O(`µ2 ) where µ measures the size of the input problem and is proportional to the code length n in the case of decoding. Further, we show how to list-` decode Mahdavifar–Vardy subspace codes in O(`r2 m2 ) time, where m is a parameter proportional to the dimension of the codewords’ ambient space and r is the dimension of the received subspace. Keywords Skew Polynomials · Row Reduction · Module Minimisation · Gabidulin Codes · Shift Register Synthesis · Mahdavifar–Vardy Codes

Sven Puchinger (grant BO 867/29-3), Wenhui Li and Vladimir Sidorenko (grant BO 867/341) were supported by the German Research Foundation “Deutsche Forschungsgemeinschaft” (DFG). Sven Puchinger · Wenhui Li Institute of Communications Engineering, Ulm University, Germany E-mail: [email protected], [email protected] Johan S.R. Nielsen Department of Applied Mathematics and Computer Science, Technical University of Denmark E-mail: [email protected] Vladimir Sidorenko Institute for Communications Engineering, TU München, Germany, and on leave from the Institute of Information Transmission Problems (IITP), Russian Academy of Sciences E-mail: [email protected]

2

1 Introduction Numerous recent publications have unified the core of various decoding algorithms for Reed–Solomon (RS) and Hermitian codes using row reduction of certain F[x]-module bases. First for the Guruswami–Sudan list decoder [2,8,29], then for Power decoding [43] and also either type of decoder for Hermitian codes [45]. By factoring out coding theory from the core problem, we enable the immediate use of sophisticated algorithms developed by the computer algebra community such as [22,66]. In addition, the setup has proved to be very flexible and readily applicable in settings which were not envisioned to begin with, such as the aforementioned Power decoder for Hermitian codes, or recently for Power decoding of RS codes up to the Johnson bound [44]. The main goal of this paper is to explore the row reduction description over skew polynomial rings for decoding rank-metric and subspace codes. Concretely, we prove that Interleaved Gabidulin and Mahdavifar–Vardy codes can be decoded by transforming a module basis into weak Popov form, which can be obtained by the elegantly simple Mulders–Storjohann algorithm [42]. We prove that the algorithm works for skew polynomial modules and analyse its complexity using the Dieudonné determinant for matrices over non-commutative rings. Finally, we improve the decoding complexity by exploiting the structure of the module bases arising from the decoding problems. Our algorithms match the best known results in these applications and solve more general problems. We also believe there is a justifiable hope for similar generalisations and speed-ups as known for other code classes. Gabidulin codes [11, 17, 55] are maximum rank distance codes with various applications like random linear network coding [27, 60] and cryptography [18]. They are the rank-metric analogue of RS codes. An Interleaved Gabidulin code [35, 58, 60] is a direct sum of several Gabidulin codes: these can be decoded in a collaborative manner, improving the error-correction capability beyond the usual half the minimum rank distance of Gabidulin codes. Similar to Interleaved RS codes, see [56] and its references, the core task of decoding can be reduced to a multi-sequence skew-feedback shift register synthesis problem [58]. We recall this fact here and then show that the general shift-register synthesis problem can be solved using row reduction. Over skew polynomial rings, work has been spurred on by decoding of Gabidulin and related codes, e.g. [17, 58], and the literature is still far behind the F[x] counterpart. Mahdavifar–Vardy (MV) codes [36,38] are subspace codes which can be used for errorand erasure correction in random linear network coding. They are related to the codes proposed by Kötter–Kschischang [27], who use Gabidulin codes to construct constantdimension subspace codes. Although obtainable rates tend to zero with increasing codelength, their decoding is of interest since they can be list-decoded using an algorithm similar to Sudan’s algorithm [61] for list-decoding Reed–Solomon codes. It was shown in [25] that MV can be constructed for arbitrary code rates by selecting locators from a subfield. These codes can be decoded up to almost Singleton bound. Previous work on normal form computation of matrices over skew or Ore rings can be found in [1, 4, 41]. However, the focus of [1, 4] was on Z or F[z] where coefficient growth is a major concern. Over finite fields, only field operations are counted, and in this measure those previous algorithms are slower than what we present here. The row reduction algorithm in [41] is different from ours and has a slightly larger complexity. This work was partly presented at the International Workshop on Coding and Cryptography (WCC) 2015 [31]. Compared to this previous work, we added the decoding

3

of MV codes using the row reduction approach1 . It spurred a new refinement of the Mulders–Storjohann, in Section 5.2, which could be of wider interest. We also give proofs that were omitted in the conference paper due to space restrictions, and we added a formal correctness proof and analysis of the Demand–Driven algorithm. We have added an appendix containing basic facts on modules over skew polynomial rings, culminating in Theorem 16 which is crucial to our work; these facts are all known, but we found no convenient compilation in the literature. We set basic notation in Section 2. Section 3 shows how to solve the mentioned decoding problems using row reduction and states the final complexity results which are proven in the subsequent sections. We describe row reduction of skew polynomial matrices, present the skew polynomial version of Mulders–Storjohann algorithm for accomplishing this and analyse its complexity in Section 4. In Section 5 we obtain faster row reduction algorithms for certain input matrices, with applications to the decoding problems. Appendix B contains technical proofs omitted from the main text, and we prove general statements about modules over skew polynomial rings in Appendix C.

2 Notation and Remarks on Generality 2.1 Skew Polynomials Let F be a finite field. Denote by R = F[x; θ] the non-commutative ring of skew 2 polynomials P overi F with automorphism θ and zero derivation : elements of R are of the form i ai x with ai ∈ F, addition is as usual, while multiplication is defined by xa = θ(a)x. Being an Ore extension, R is both a left and right Euclidean ring. When we say “polynomial”, we will mean elements of R. The definition of the degree of a polynomial is the same as for ordinary polynomials. By R deg ωi − (ki + % + γ), and deg λ minimal, where % and γ are the (known) number of row respectively column erasures, satisfying deg ΛR ≤ % and deg ΛE ≤ γ.

3.1.3 Shift Register Synthesis Problems For the remainder of this section, we consider the following “Multi-Sequence generalised Linear Skew-Feedback Shift Register” (MgLSSR) synthesis problem4 , which as special cases includes both types of key equations introduced in the previous subsections5 Problem 1 (MgLSSR) Given skew polynomials si , gi ∈ R and non-negative integers γi ∈ N0 for i = 1, . . . , `, find skew polynomials λ, ω1 , . . . , ω` ∈ R, with λ of minimal degree such that the following holds: λsi ≡ ωi

mod gi

deg λ + γ0 > deg ωi + γi 4 We use the well-known polynomial description of shift-register synthesis, see e.g. [39]. Formulated as such, the problem is almost equivalent to rational function reconstruction and Padé approximation. Shift-register synthesis has several generalisations, some of which have found applications in decoding of algebraic codes, e.g. [54, 56, 65]. In the computer algebra community, Padé approximations have been studied to matrix forms in a wide generality, e.g. [5]. 5 It might be necessary to add positive integers to both sides in the degree restrictions to obtain non-negative shifts, e.g. deg λ + maxj {kj } > deg ωi + (maxj {kj } − ki ).

8

We show how to solve this problem by row reduction of a particular module basis. This approach works over any skew polynomial ring R, and not just Fqm [x; ·q ]. Our overall approach is completely analogous to how the F[x]-version of the problem is handled by Nielsen in [43], with only a few technical differences due to the non-commutativity of R. Over F[x] this problem is known in almost identical descriptions as multi-sequence shift-register synthesis [14], simultaneous Padé approximation [3], or vector rational function reconstruction [47]. In the sequel we consider a particular instance of Problem 1, so R, ` ∈ N, and si , gi ∈ R, γi ∈ N0 for i = 1, . . . , ` are arbitrary but fixed. We assume deg si ≤ deg gi for all i since taking si := (si mod gi ) yields the same solutions to Problem 1. Denote by M the set of all vectors v ∈ R`+1 satisfying just the congruence requirement, i.e., M := (λ, ω1 , . . . , ω` ) ∈ R`+1 | λsi ≡ ωi



mod gi ∀i = 1, . . . , `}.

(2)

Lemma 2 M with component-wise addition and left multiplication by elements of R forms a free left module over R. The rows of M form a basis of M, where 1 0 0 M = .  .. 0



s1 g1 0 .. . 0

s2 0 g2 .. . 0

... ... ... .. . ...

s` 0 0  ..   . g`

 (3)

Proof: Since M ⊆ R`+1 , the first half of the statement follows by showing that M is closed under addition and left scalar multiplication. M is then free due to Theorem 14 in Appendix C. M is a basis of M by the same arguments as in the F[x] case, cf. [43, Lemma 1], with non-commutativity in mind. The above gives a simple description of all solutions of the congruence requirement of Problem 1 in the form of the row span of an explicit matrix M . The following theorem implies that computing the weak Popov form of M is enough to solve Problem 1. The proof is like for the F[x]-case but since there is no convenient reference for it, we give it here. The entire strategy is formalised in Algorithm 1. Theorem 3 Let w = (γ0 , . . . , γ` ) ∈ N`+1 0 . If V is a basis of M in w-shifted weak Popov form, the row v of M with LP(Φw (v)) = 0 is a solution to Problem 1. Proof: By Lemma 2 the row v satisfies the congruence requirement of Problem 1. For the degree restriction of Problem 1, note that any u ∈ M satisfies this restriction if and only if LP(Φw (u)) = 0, since deg ui + γi = deg(Φw (u)i ). Furthermore, if this is the case, then deg(Φw (u)) = deg u0 + γ0 . Thus, not only must v satisfy the degree restriction, but by Lemma 1, v0 also has minimal possible degree.

Algorithm 1 Solve Problem 1 by Row Reduction Input: si , gi ∈ R for i = 1, . . . , ` and a shift w = (γ0 , . . . , γ` ) ∈ N`+1 . 0 Output: Solution v = (λ, ω1 , . . . , ω` ) of Problem 1. 1 Set up M as in (3). 2 Compute V as a w-shifted weak Popov form of M . 3 return the row v of V having LP(Φw (v)) = 0.

9

Remark 1 Using known properties for the weak Popov form, it is easy to prove how the polynomials returned by Algorithm 3 can be used as a basis for all solutions to the shift register problem. For decoding Gabidulin codes, this can be used to determine whether the found solution corresponds to a unique decoding result, without incurring an additional cost. Another use is when the error has rank greater than (n − k)/2, where such a basis can be used to exhaustively search through the higher-degree solutions to the key equation, thereby correcting more errors (at a high computational cost). The complexity of Algorithm 1 is determined by Line 2. A w-shifted weak Popov form of M can be computed by row reducing Φw (M ), and then applying Φ−1 w to the result. Therefore, in Sections 4 and 5.1 we analyse how and in which complexity we can row reduce R matrices. In particular, we prove the following statement, where µ := maxi {γi + deg gi }.

( Theorem 4 Algorithm 1 has complexity

O(`µ2 ), 2 2

O(` µ ),

if gi = xti + ci , ti ∈ N, ci ∈ F ∀ i, otherwise.

Proof: The first case follows from Theorem 10 in Section 5.1, using Algorithm 4 for the row reduction step. For general gi ’s, the result of Example 2 in Section 4 holds, which estimates the complexity of Algorithm 3 for a shift-register input. As can be seen, in the special cases of decoding Gabidulin codes with n | m, the code locators αi ’s can be chosen as a basis of Fqn ⊆ Fqm , yielding gi = xn − 1, µ ∈ O(n) and therefore: Corollary 1 Error- and erasure decoding `-Interleaved Gabidulin codes of length n | m can be done in complexity O(`n2 ).

3.2 Decoding Mahdavifar–Vardy Codes Mahdavifar–Vardy (MV) codes [36, 38]6 are subspace codes constructed by evaluating powers of skew polynomials at certain points. We will describe how one can use row reduction to carry out the most computationally intensive step of the MV decoding algorithm given in [38]. The decoding of MV codes is heavily inspired by the Guruswami– Sudan algorithm for Reed–Solomon codes [24]; our row reduction approach is similarly inspired by fast module-based algorithms for realising the Guruswami–Sudan, [6, 8, 29]. We give an overview of MV codes and the other parts of the decoding procedure here. Let n, m ∈ Z+ be such that 1 ≤ n ≤ m. Consider the space W = hα1 , . . . , αn i⊕F`qnm , where the αi ∈ Fqnm are n carefully selected elements specified in [38, Section IV.A]. j

All the elements αiq for i = 1, . . . , n and j = 0, . . . , m − 1 are linearly independent over Fq , but apart from that their precise expression will not be important for us. W is then an n(`m + 1)-dimensional Fq -vector space. The Grassmanian Gr(n, W) is the set of all n-dimensional Fq -subspaces of W. A Mahdavifar–Vardy code CMV ⊆ Gr(n, W) of dimension k ≤ nm is defined as

n

o

CMV = hv 1 , . . . , v n i : v i = (αi , f (αi ), f 2 (αi ), . . . , f ` (αi )) ∧ f ∈ Fq [x; ·q ] deg Q` ≥ 0, we must have rm+1 `+1

> 12 `(k − 1) + 1

so

rm > 21 `(` + 1)(k − 1) + ` > `(k − 1),

and thus, maxdeg(Φw (M )) = rm and ∆(Φw (M )) ≤

P`

i=1 (rm − i(k

− 1)) = `rm −

`(`+1) (k 2

− 1) ≤ `rm.

Using Theorem 8, the complexity in operations over Fqnm becomes O(`3 r2 m2 ). Note that the rough bound of Section 4.1 yields the same result. Rounding off this section, we remind that Algorithm 3 of skew polynomial matrices works almost exactly as in the F[x] case. However, the correctness and complexity proofs require a deeper study of the underlying modules (cf. Appendix C) and auxiliary tools such as the Dieudonné determinant.

5 Faster Row Reduction on Matrices having Special Forms In this section, we will investigate improved row reduction algorithms for matrices of special forms. The main goals are to improve the running time of row reducing the matrices appearing in the decoding settings of Section 3.1 and Section 3.2, but the results here apply more broadly.

5.1 Shift Register Problems: The Demand-Driven Algorithm Our first focus is on the MgLSSR case of Algorithm 1 on page 8, where we are to row reduce Φw (M ), given by (8). We will give a refinement of Algorithm 3 for the MgLSSR case which is asymptotically faster on many interesting input, e.g. error-decoding of any Interleaved Gabidulin codes as in [58], or error- and erasure decoding of certain Interleaved Gabidulin codes as in Section 3.1.2. The special case where all gi are powers of x and all γi = 0 was considered by [58]; our algorithm matches their complexity for much more general input.

19

Algorithm 4 Demand–Driven algorithm for MgLSSR Input: s˜j ← s1,j xγj , g˜j ← gj xγj for j = 1, . . . , `. Output: The zeroth column of a basis of M in w-shifted weak Popov form. 1 (η, h) ← (deg, LP) of (xγ0 , s ˜1 , . . . , s˜σ ). 2 if h = 0 then return (1, 0, . . . , 0). 3 (λ0 , . . . , λ` ) ← (xγ0 , 0, . . . , 0). 4 αj xηj ← the leading monomial of g ˜j for j = 1, . . . , `. 5 while deg λ0 ≤ η do η 6 α ← coefficient to x in (λ0 s˜h mod g˜h ). 7 if α 6= 0 then 8 if η < ηh then swap (λ0 , α, η) and (λh , αh , ηh ). 9 λ0 ← λ0 − α/θη−ηh (αh )xη−ηh λh . 10 (η, h) ← (η, h − 1) if h > 1 else (η − 1, `).
11 return λ0 x−η0 , . . . , λ` x−η0 .

The refinement is analogous to that of [43] for the F[x] case. The main challenge in carrying the method over to R is again complexity: the computational bottleneck of the algorithm can over F[x] be handled using fast polynomial multiplication, but this is not nearly as potent over R. Instead, we analyse for which input that line of the algorithm can still be carried out quickly. Most of the proofs of this section are therefore analogous to the F[x] case. As they have not appeared in unabridged, peer-reviewed form before, however, we include them in the appendix (for the R case). The refinement is formalised as Algorithm 4. We will attempt to explain some intuition of the algorithm, since the proof of correctness has been moved to Appendix B. The central observation is that due to the special form of M , during the Mulders– Storjohann algorithm the zeroth column suffices for reconstructing the rest. In a “demanddriven” manner, it therefore suffices to calculate just the zeroth element of a vector whenever doing an LP-transformation: these are the λi , corresponding to the zeroth column in the working matrix. Knowing which simple transformations to apply would now seem difficult, since we do not keep the full matrix. However, every time a simple transformation is applied, we know that the value of the modified row went down, so we can guess that it went down by exactly 1: this usually corresponds to moving the leading position one to the left while keeping the degree intact. This is stored as η, the degree, and h, the leading position. In the next iteration, this can be checked by computing the coefficient to xη for the polynomial on the h’th position: if the coefficient is zero, the value must have gone down by more than 1, but usually it will be non-zero and the guess was correct. That is enough to predict the next simple transformation, by keeping track of which rows have which leading position. Theorem 9 Algorithm 4 is correct. Proof: See Appendix B.2. Now we turn to the computational complexity of Algorithm 4. This will depend entirely on how Line 6 is realised, as is described by the following proposition.

P`

Pµ−1

Proposition 1 Algorithm 4 has computational complexity O(`µ2 + h=1 η=0 Th,η ), where Th,η bounds the complexity of running Line 6 for those values of h and η. Proof: Clearly, all steps of the algorithm are essentially free except Line 6 and Line 9. Observe that every iteration of the while-loop decrease an upper bound on the

20

value of row 0, whether we enter the if-branch in Line 7 or not. So by the arguments of the proof of Theorem 8, the loop will iterate at most O(`µ) times in which each possible value of (h, η) ∈ {1, . . . , `} × {0, . . . , µ − 1} will be taken at most once. Each execution of Line 9 costs O(µ) since the λj all have degree at most µ. The cost of Line 6 will depend on how we realise it. The most straightforward would be to compute all of (λ0 s˜h mod g˜h ) using a polynomial multiplication followed by a modulo reduction; that would have complexity O(µ2 ), or possibly O∼(µ1.69 ) using the algorithms from [51], though the latter assumes the Coppersmith–Winograd matrix multiplication algorithm [10]. That would leave a total complexity for Algorithm 4 of O(`µ3 ) or O∼(`µ2.69 ), which usually compares unfavourably with O(`2 µ2 ) that is obtained by using Algorithm 3, see Example 2. We note that two cases are particularly important for decoding of Interleaved Gabidulin codes: when the gi are of the form xdi or of the form xdi − 1. This motivates studying the case where the gi are “sparse”, i.e. have few non-zero monomials. The idea is now that we can compute single coefficients of λ0 s˜h in complexity O(µ) by simple convolution. So if only relatively few coefficients of λ0 s˜h influence some given coefficient in (λ0 s˜h mod g˜h ) we can compute that coefficient fast. This can be characterised by which non-zero monomials gi has. By Proposition 1, we can even amortise the complexity over all the µ possible coefficients of (λ0 s˜h mod g˜h ). Using this idea, we prove in Appendix B.2 the following theorem: Theorem 10 Algorithm 4 can be realised with complexity O(`µ2 ) if, for all i, gi has only O(1) non-zero monomials, and the second-largest degree among the monomials is less than deg g/2. Remark 3 When all gi are powers of x, Algorithm 4 bears a striking similarity to the Berlekamp–Massey-variant for multiple shift-registers [58]. By Theorem 10, the algorithms have the same running time in this case. Using the language of modules, we obtain a more general algorithm with a conceptually simpler proof, and we can much more readily realise algebraic properties of the algorithm, as mentioned in Remark 1.

5.2 Weak Popov Walking The goal of this section is to arrive at a faster row reduction algorithm for the matrices used for decoding Mahdavifar–Vardy codes in Section 3.2. However, the algorithm we describe could be of much broader interest: it is essentially an improved way of computing a w-weak Popov form of a matrix which is already in w0 -weak Popov form, for another shift w0 . Inspired by “Gröbner walks”, we have dubbed this strategy “weak Popov walking”. Each “step” of the walk can be seen as just Algorithm 3 but where we use a clever, deterministic strategy for choosing which LP-transformations to apply each iteration, in case where there is choice. This strategy would work completely equivalently for the F[x] case. However, to the best of our knowledge, that has not been done before. In this section we will extensively discuss vectors under different shifts. To ease the notation somewhat, we therefore introduce shifted versions of the following operators: LPw (v) := LP(Φw (v)) as well as degw (v) := deg Φw (v). We begin by Algorithm 5 that efficiently “walks” from a weak Popov form according to the shift w into one with the shift w + (1, 0, . . . , 0). The approach can readily be

21

generalised to support incrementing any index, and not just index 0, but since we need only this case and since it simplifies notation, we restrict ourselves to that.

Algorithm 5 Weak Popov Walking m×m in w-shifted weak Popov form. Input: Shift w ∈ Nm 0 and matrix V ∈ R Output: Matrix in w-shifted ˆ weak Popov form spanning the same R-row space as V , where w ˆ = w + (1, 0, . . . , 0). 1 hi ← LPw (v i ), for i = 0, . . . , m − 1. 2 I ← indexes i such that LPw ˆ (v i ) = 0. 3 [i1 , . . . , is ] ← I sorted such that hi1 < hi2 < . . . < his . 4 t ← i1 . 5 for i = i2 , . . . , is do 6 if deg vt,0 ≤ deg vi,0 then 7 Apply a simple transformation t on i at position 0 in V . 8 else 9 Apply a simple transformation i on t at position 0 in V . 10 t ← i. 11 return V .

Theorem 11 Algorithm 5 is correct. Proof: Denote for the sake of the proof V as the input and Vˆ as the output of the algorithm. The algorithm performs a single sweep of simple transformations, modifying only rows indexed by I: in particular, if v i , v ˆi are the rows of V respectively Vˆ , then either v ˆi = v i , or v ˆi is the result of a simple transformation on v i by another row v j of V and i, j ∈ I. All the hi are different since V is in w-shifted weak Popov form. We will show that the w-shifted ˆ leading positions of Vˆ is a permutation of the hi , implying that Vˆ is in w-shifted ˆ weak Popov form. Note first that for any vector v ∈ Rm with LPw (v) 6= LPw ˆ (v), then LPw ˆ (v) = 0, since only the degree of the 0’th position of Φw ˆ (v) is different from the corresponding position of Φw (v). Since v ˆi = v i for each i ∈ {0, . . . , m − 1} \ I, we therefore have LPw v i ) = hi . And of course for each i ∈ I we have LPw ˆ (ˆ ˆ (v i ) = 0. Furthermore, for each i ∈ I we must have deg vi,0 + w0 = deg vi,hi + whi .

(9)

Consider first an index i ∈ I for which Line 7 was run, and let t be as at that point. This means v ˆi = v i + αxδ v t for some α ∈ F and δ = deg vi,0 − deg vt,0 . Note that the if-condition ensures δ ≥ 0 and the simple transformation makes sense. We will establish that LPw v i ) = hi . Since we are performing an LP-transformation, we know ˆ (ˆ that degw ˆi ≤ degw ˆi,hi = deg vi,hi and ˆv ˆ v i , so we are done if we can show that deg v deg vˆi,k + wk < deg vi,hi + whi for k > hi . Due to LPw (v t ) = ht and (9) then for k > ht : deg vt,k + wk < deg vt,ht + wht = deg vt,0 + w0 .

(10)

Together with (9), we conclude that deg vt,k + wk + δ < deg vi,0 + w0 = deg vi,hi + whi . Since ht < hi by the ordering of the i? , this shows that αxδ v t will have w-weighted ˆ degree less than deg vi,hi + whi on position hi and all positions to the right of this. This implies the degree bounds we sought and so LPw v i ) = hi . ˆ (ˆ

22

Consider now an i ∈ I for which Line 9 was run, and let again t be as at that point, before the reassignment. The situation is completely reversed according to before, so by the same arguments LPw v t ) = hi . ˆ (ˆ For the value of t at the end of the algorithm, then clearly LPw v t ) = 0 since the ˆ (ˆ row was not modified. Since we necessarily have hi1 = 0, then LPw v t ) = hi 1 . ˆ (ˆ Thus we conclude that the w-leading ˆ positions of the w ˆ i are a permutation of the hi . But the hi were all different, and so Vˆ is in w-shifted ˆ weak Popov form. Proposition 2 Algorithm 5 performs at most O m deg det(V ) +

Pm−1 i=0

(2i + 1 − m)wi + m2




operations over R. Proof: We will bound the number of non-zero monomials which are involved in simple transformations. As remarked in the proof of Theorem 11, at most one simple transformation is applied to each row. Thus, the number of non-zero monomials involved in simple transformations cannot exceed the number of monomials in the input matrix V ; we will bound the latter. Assume w.l.o.g. that w0 ≤ w1 ≤ . . . ≤ wm−1 , and since the input matrix V was in w-shifted weak Popov form, assume also w.l.o.g that we have sorted the rows such that LPw (v i ) = i. Since ∆(Φw (V )) = 0 we have deg det Φw (V ) = degw V

that is

degw V = deg det V +

X

w.

We can therefore consider what assignment of degw to the individual rows of V under these constraints will maximise the possible number of monomials in V . We cannot have degw vi < wi since LPw (vi ) = i. It is easy to see that the worst-case assignment is then to have exactly degw vi = wi for i = 0, . . . , m − 2 and degw vm−1 = deg det V + wm−1 . In this case, the number of monomials can then be bounded as



m−2 X



1+

i=0

i−1 X

 (wi − wj + 1)  +

m(deg det V + wm−1 ) −

j=0

 2




m−2 X

≤m +

i=0

iwi −

m−1 X

! wi + 1

i=0



m−2 X

(m − 2 − j)wj  +

j=0

= m2 + m deg det V +

m deg det V + mwm−1 −

m−1 X

! wi

i=0

m−1 X

(2i + 1 − m)wi .

i=0

Pm−1

In particular, if i=0 (2i + 1 − m)wi ∈ O(m deg det V ), then the cost is bounded by O(m deg det V + m2 ). That is to say, as long as the wi are fairly balanced wrt. each other, then they essentially are handled for free. Similar balancing conditions are seen in other fast algorithms for F[x] matrices, e.g. in [66]. Remark 4 Note that Algorithm 5 is essentially a special case of the Mulders–Storjohann, Algorithm 3, where we carefully select which simple transformations to apply. This results in a factor m fewer simple transformations to apply, as well as a better handle on the size of the simple transformations, leading to the improved complexity.

23

The idea is now to iterate Algorithm 5 to “walk” from a matrix that is in weak Popov form for one shift w into another one w, ˆ where the entries of w ˆ are element-wise greater than or equal to that of w. As mentioned, Algorithm 5 is restricted to incrementing only the zeroth coordinate of the shift, since that is what we need here, but it could easily be generalised. Note that though we cannot decrement a position of the shift, we could then still walk from any shift to any other since decrementing position i is equivalent to increment all other positions by 1. For row reducing the matrix for the MV codes, however, we only need to increment the zeroth position.

Algorithm 6 Find MV Interpolation Polynomial by Weak Popov Walk Input: Interpolation points P and w = (0, (k − 1), . . . , `(k − 1)). Output: Interpolation polynomial satisfying (4) and (5) on page 10. 1 V ← M as in (7) on page 12.
2 w = 0, (k − 1), 2(k − 1), . . . , `(k − 1) .
0 3 w = w + 0, rm, rm, . . . , rm . 4 for i = 0, ..., rm − 1 do 5 V ← WeakPopovWalk(V, w0 ). 6 w0 ← w0 + (1, 0, . . . , 0). 7 return row v which has minimal w-shifted degree degw v.

Theorem 12 Algorithm 6 is correct. It has complexity O(`r2 m2 ). Proof: Note that M is in w0 -shifted weak Popov form, where w0 is as on Line 3. Thus by the correctness
of Algorithm 5, then V at the end of the algorithm must be in w + (rm, . . . , rm) -shifted weak Popov form. Then it is clearly also in w-shifted weak Popov form. By Theorem 5 the returned row must be a satisfactory interpolation polynomial. For the complexity, the algorithm simply performs rm calls to WeakPopovWalk. Pm−1 The quantity i=0 (2i + 1 − m)wi0 is greatest at the first iteration, where it is: m−1 X

(2i + 1 − m)(rm + i(k − 1)) ≈ `rm + 32 `3 (k − 1) − 12 `2 .

i=1

Since rm > 12 `(` + 1)(k − 1), as we established in Example 3, the above is bounded by O(`rm). Since deg det(V ) = deg det(M ) = rm then by Proposition 2 each of the calls to WeakPopovWalk therefore costs at most O(`rm). Bounding r < `n, we obtain a complexity of O(`2 m2 rn), matching [64].

6 Conclusion In this paper, we have explored the notion of row reduction of polynomial matrices in the setting of matrices over skew polynomial rings. For ordinary polynomial rings, row reduction has proven a useful strategy for obtaining numerous flexible, efficient while conceptually simple decoding algorithms for Reed–Solomon and other code families. Our results introduce the methodology and tools aimed at bringing similar benefits to Gabidulin, Interleaved Gabidulin, Mahdavifar–Vardy, and other skew polynomial-based

24

codes. We used those tools in two settings. We solved a general form of multiple skew-shift register synthesis, and applied this for error-erasure decoding of Interleaving Gabidulin codes in complexity O(`µ2 ). For Mahdavifar–Vardy codes, we gave an interpolation algorithm with complexity O(`r2 m2 ). We extended and analysed the simple and generally applicable Mulders–Storjohann algorithm to the skew polynomial setting. In both the studied settings, the complexity of that algorithm was initially not satisfactory, but it served as a crucial step in developing more efficient algorithms. For multiple skew-shift register synthesis, we were able to solve a much more general problem than previously, but retaining good complexity. For the Mahdavifar–Vardy codes, the improved algorithm was in the shape of a versatile “Weak Popov Walk”, which could potentially apply to many other problems. In all previously studied cases, we matched the best known complexities [58, 64]. Over F[x], row reduction, and the related concept of order bases, have been widely studied and sophisticated algorithms have emerged, e.g. [2, 22, 66]. We hope that future work will enable similar speed-ups for reducing R-matrices. Acknowledgements The authors would like to thank the anonymous reviewers for suggestions that have substantially improved the clarity of the paper.

References 1. Abramov, S.A., Bronstein, M.: On solutions of linear functional systems. In: Proc. of ISSAC, pp. 1–6. New York, NY, USA (2001) 2. Alekhnovich, M.: Linear Diophantine equations over polynomials and soft decoding of Reed–Solomon codes. IEEE Trans. Inf. Theory 51(7), 2257–2265 (2005) 3. Baker, G., Graves-Morris, P.: Padé approximants, vol. 59. Cambridge Univ. Press (1996) 4. Beckermann, B., Cheng, H., Labahn, G.: Fraction-free row reduction of matrices of Ore polynomials. J. Symb. Comp. 41(5), 513–543 (2006) 5. Beckermann, B., Labahn, G.: A Uniform Approach for the Fast Computation of Matrix-Type Padé Approximants. SIAM J. Matr. Anal. Appl. 15(3), 804–823 (1994) 6. Beelen, P., Brander, K.: Key equations for list decoding of Reed–Solomon codes and how to solve them. J. Symb. Comp. 45(7), 773–786 (2010) 7. Boucher, D., Ulmer, F.: Linear codes using skew polynomials with automorphisms and derivations. Designs, Codes and Cryptography 70(3), 405–431 (2014) 8. Cohn, H., Heninger, N.: Ideal forms of Coppersmith’s theorem and Guruswami–Sudan list decoding. arXiv 1008.1284 (2010) 9. Cohn, P.M.: Skew Field Constructions, vol. 27. Cambridge Univ. Press (1977) 10. Coppersmith, D., Winograd, S.: Matrix Multiplication via Arithmetic Progressions. J. Symb. Comp. 9(3), 251–280 (1990) 11. Delsarte, P.: Bilinear forms over a finite field, with applications to coding theory. J. Comb. Th. 25(3), 226–241 (1978) 12. Dieudonné, J.: Les déterminants sur un corps non commutatif. Bull. Soc. Math. France 71, 27–45 (1943) 13. Draxl, P.K.: Skew Fields, vol. 81. Cambridge Univ. Press (1983) 14. Feng, G.L., Tzeng, K.K.: A Generalization of the Berlekamp-Massey Algorithm for Multisequence Shift-Register Synthesis with Applications to Decoding Cyclic Codes. IEEE Trans. Inf. Theory 37(5), 1274–1287 (1991) 15. Gabidulin, E., Paramonov, A., Tretjakov, O.: Rank errors and rank erasures correction. In: Proc. of ICCT, vol. 30, pp. 11–19 (1991) 16. Gabidulin, E.M.: Rank-metric codes and applications. Moscow Institute of Physics and Technology (State University). http://iitp.ru/upload/content/839/Gabidulin.pdf 17. Gabidulin, E.M.: Theory of codes with maximum rank distance. Problemy Peredachi Informatsii 21(1), 3–16 (1985) 18. Gabidulin, E.M., Paramonov, A., Tretjakov, O.: Ideals over a non-commutative ring and their application in cryptology. In: Eurocrypt, pp. 482–489 (1991)

25 19. Gabidulin, E.M., Pilipchuk, N., et al.: A new method of erasure correction by rank codes. In: Proc. of IEEE ISIT, p. 423 (2003) 20. Gabidulin, E.M., Pilipchuk, N.I.: Error and erasure correcting algorithms for rank codes. Designs, Codes and Cryptography 49(1-3), 105–122 (2008) 21. Gao, S.: A new algorithm for decoding Reed-Solomon codes. In: Communications, Information and Network Security, pp. 55–68. Springer (2003) 22. Giorgi, P., Jeannerod, C., Villard, G.: On the complexity of polynomial matrix computations. In: Proc. of ISSAC, pp. 135–142 (2003) 23. Gupta, S., Sarkar, S., Storjohann, A., Valeriote, J.: Triangular -basis decompositions and derandomization of linear algebra algorithms over. J. Symb. Comp. 47(4), 422–453 (2012) 24. Guruswami, V., Sudan, M.: Improved Decoding of Reed–Solomon Codes and AlgebraicGeometric Codes. IEEE Trans. Inf. Theory 45(6), 1757–1767 (1999) 25. Guruswami, V., Xing, C.: List Decoding Reed–Solomon, Algebraic-Geometric, and Gabidulin Subcodes up to the Singleton Bound. ECCC 19(146) (2012) 26. Kailath, T.: Linear Systems. Prentice-Hall (1980) 27. Koetter, R., Kschischang, F.R.: Coding for errors and erasures in random network coding. IEEE Trans. Inf. Theory 54(8), 3579–3591 (2008) 28. Lang, S.: Algebra (2002) 29. Lee, K., O’Sullivan, M.E.: List decoding of Reed–Solomon codes from a Gröbner basis perspective. J. Symb. Comp. 43(9), 645 – 658 (2008) 30. Lenstra, A.: Factoring multivariate polynomials over finite fields. J. Comp. Syst. Sc. 30(2), 235–246 (1985) 31. Li, W., Nielsen, J.S.R., Puchinger, S., Sidorenko, V.: Solving shift register problems over skew polynomial rings using module minimisation. In: Proc. of WCC (2015) 32. Li, W., Sidorenko, V., Silva, D.: On transform-domain error and erasure correction by Gabidulin codes. Designs, Codes and Cryptography 73(2), 571–586 (2014) 33. Lidl, R., Niederreiter, H.: Finite Fields, vol. 20. Cambridge Univ. Press (1997) 34. Loidreau, P.: A welch–berlekamp like algorithm for decoding gabidulin codes. In: Coding and Cryptography, pp. 36–45. Springer (2006) 35. Loidreau, P., Overbeck, R.: Decoding rank errors beyond the error correcting capability. In: Proc. of ACCT, pp. 186–190 (2006) 36. Mahdavifar, H.: List decoding of subspace codes and rank-metric codes. dissertation, University of California, San Diego (2012) 37. Mahdavifar, H., Vardy, A.: Algebraic list-decoding of subspace codes with multiplicities. In: Allerton Conf. Comm., Ctrl. and Comp., pp. 1430–1437 (2011) 38. Mahdavifar, H., Vardy, A.: Algebraic list-decoding of subspace codes. IEEE Trans. Inf. Theory 59(12), 7814–7828 (2013) 39. Massey, J.L.: Shift-register synthesis and BCH decoding. IEEE Trans. Inf. Theory 15(1), 122–127 (1969) 40. Menezes, A.J., Blake, I.F., Gao, X., Mullin, R.C., Vanstone, S.A., Yaghoobian, T.: Applications of finite fields, vol. 199. Springer (2013) 41. Middeke, J.: A computational view on normal forms of matrices of Ore polynomials. Ph.D. thesis, Research Institute for Symbolic Computation (RISC) (2011) 42. Mulders, T., Storjohann, A.: On lattice reduction for polynomial matrices. J. Symb. Comp. 35(4), 377–401 (2003) 43. Nielsen, J.S.R.: Generalised multi-sequence shift-register synthesis using module minimisation. In: Proc. of IEEE ISIT, pp. 882–886 (2013). Extended version at http://arxiv.org/abs/1301.6529. 44. Nielsen, J.S.R.: Power decoding Reed–Solomon codes up to the Johnson radius. In: Proc. of ACCT (2014) 45. Nielsen, J.S.R., Beelen, P.: Sub-Quadratic Decoding of One-Point Hermitian Codes. IEEE Trans. Inf. Theory 61(6), 3225–3240 (2015) 46. Nielsen, R.R., Høholdt, T.: Decoding Reed–Solomon codes beyond half the minimum distance. In: Coding Theory, Cryptography and Related Areas, p. 221–236. Springer (1998) 47. Olesh, Z., Storjohann, A.: The vector rational function reconstruction problem. In: Proc. of WWCA, pp. 137–149 (2006) 48. Ore, O.: Theory of non-commutative polynomials. Annals of Mathematics 34(3), 480–508 (1933) 49. Overbeck, R.: Public key cryptography based on coding theory. Ph.D. thesis, TU Darmstadt (2007)

26 50. Pete L. Clark: Non-commutative algebra. University of Georgia. http://math.uga.edu/ ~pete/noncommutativealgebra.pdf (2012) 51. Puchinger, S., Wachter-Zeh, A.: Fast Operations on Linearized Polynomials and their Applications in Coding Theory. J. Symb. Comp. Submitted (2015). Preprint available as arXiv:1512.06520 52. Richter, G., Plass, S.: Error and erasure decoding of rank-codes with a modified BerlekampMassey algorithm. ITG Fachbericht pp. 203–210 (2004) 53. Richter, G., Plass, S.: Fast decoding of rank-codes with rank errors and column erasures. In: Proc. of IEEE ISIT, pp. 398–398 (2004) 54. Roth, R., Ruckenstein, G.: Efficient Decoding of Reed–Solomon Codes Beyond Half the Minimum Distance. IEEE Trans. Inf. Theory 46(1), 246 –257 (2000) 55. Roth, R.M.: Maximum-rank array codes and their application to crisscross error correction. IEEE Trans. Inf. Theory 37(2), 328–336 (1991) 56. Schmidt, G., Sidorenko, V.R., Bossert, M.: Collaborative decoding of interleaved Reed– Solomon codes and concatenated code designs. IEEE Trans. Inf. Theory 55(7), 2991–3012 (2009) 57. Sidorenko, V., Bossert, M.: Decoding interleaved Gabidulin codes and multisequence linearized shift-register synthesis. In: Proc. of IEEE ISIT, pp. 1148–1152. IEEE (2010) 58. Sidorenko, V., Jiang, L., Bossert, M.: Skew-feedback shift-register synthesis and decoding interleaved Gabidulin codes. IEEE Trans. Inf. Theory 57(2), 621–632 (2011) 59. Silva, D.: Error control for network coding. Ph.D. thesis, University of Toronto (2009) 60. Silva, D., Kschischang, F.R., Koetter, R.: A rank-metric approach to error control in random network coding. IEEE Trans. Inf. Theory 54(9), 3951–3967 (2008) 61. Sudan, M.: Decoding of Reed Solomon codes beyond the error-correction bound. J. Complexity 13(1), 180–193 (1997) 62. Wachter-Zeh, A.: Decoding of block and convolutional codes in rank metric. Ph.D. thesis, Universität Ulm (2013) 63. Wachter-Zeh, A., Zeh, A.: Interpolation-based decoding of interleaved Gabidulin codes. In: Proc. of WCC, pp. 528–538 (2013) 64. Xie, H., Lin, J., Yan, Z., Suter, B.W.: Linearized Polynomial Interpolation and Its Applications. IEEE Trans. Signal Process. 61(1), 206–217 (2013) 65. Zeh, A., Gentner, C., Augot, D.: An Interpolation Procedure for List Decoding Reed-Solomon Codes Based on Generalized Key Equations. IEEE Trans. Inf. Theory 57(9), 5946–5959 (2011) 66. Zhou, W., Labahn, G.: Efficient algorithms for order basis computation. J. Symb. Comp. 47(7), 793–819 (2012)

A Error- and Erasure Decoding of Interleaved Gabidulin Codes Erasures in rank metric naturally occur in error correction of subspace codes constructed as lifted rank-metric codes [59, 60]. Compared to erasures in Hamming metric, we need to distinguish between two different types of erasures, row erasures and column erasures. These terms stem from the interpretation of errors as matrices [60, 62], where row erasures correspond to an error matrix whose column space is given in form of a basis and in case of column erasures, a basis of the row space of the error matrix is given. There exist several descriptions and decoding algorithms for correcting errors and erasures for Gabidulin codes [15,19,20,52,53,59,60,62] and Interleaved Gabidulin codes [32], [62, Section 4.4]. Here, we use the erasure description of [16], which is similar to [32, 58], and combine them with the results of [62, Section 3.2.3] to obtain a Gao key equation for error and erasure correction of Interleaved Gabidulin codes. The description is not an entirely new approach, but it was not written down in this way before. Its advantage is that, e.g. in contrast to [32], no additional steps are required after obtaining a solution of the key equation. Also, the decoding radius and existence probability of a unique solution can be directly derived from the better-studied errors-only case, using an argument similar to the ` = 1 case in [62, Section 3.2.3]. For simplicity, we restrict ourselves to the case n = m. Thus, for every i = 1, . . . , `, ⊥ Gi = {αi,1 , . . . , αi,n } is a basis of Fqm and has a unique dual basis Gi⊥ = {α⊥ i,1 , . . . , αi,n } [40]. Also, Gi = xm − 1 for all i. Consider again receiving r = c + e. The “erasures” correspond to side-information at the receiver on the structure of e, whose nature we now explain. We consider that the error ` E R C e = (e1 , . . . , e` ) ∈ (Fn q m ) is decomposed into three components e = e + e + e , where

27 – eE is the full error of rank(eE ) = τ – eR is the row erasure of rank(eR ) = % – eC is the column erasure of rank(eC ) = γ By rank decomposition, we can thus rewrite any sub-part ei ∈ Fn q m of the error as ei =

τ X

E aE j bi,j +

j=1

% X

R aR j bi,j +

j=1

γ X

C aC j bi,j ,

j=1

where for all i, j we consider at the receiver that: m and bE ∈ Fn are both unknown, – aE q j ∈ Fq i,j R n – aR ∈ F q m is known and bi,j ∈ Fq is unknown, j m is unknown and bC ∈ Fn is known. – aC ∈ F q q j i,j

C Using only known variables, we can define the following (bC i,j,κ is the κth entry of bi,j ):

dC i,j =

n X

⊥ bC i,j,κ ακ ∈ Fq m ,

κ=1

ΓiC = AhdC

C i,1 ,...,di,τ iFq

ΛR = AhaR ,...,aR i 1

% Fq

∈ Fqm [x; ·q ] ,

∈ Fqm [x; ·q ],

i Pm−1 Using the full q-reverse a ¯ = ¯i = aq−i mod m , of a polynomial a = ¯i xi , where a i=0 a Pm−1 i q m i=0 ai x ∈ Fq [x; · ] k it holds that  (k+1) (k+1)  −∞ < deg vii = deg vii (since vij = 0),     
 (k) (k) (k) (k) (k) (k+1)  deg vij − vik · (vkk )−1 · vkj ≤ deg vii = deg vii ,    |{z} | {z }    (k)  (k) deg≤deg vii deg < t − i, wt(h> ) < w, and deg h⊥ < deg2 g + i − (t − deg2 g) < 2 deg2 g . Furthermore, wt(h⊥ ) < (w − wt(h> ))w: this is because each non-zero monomial of g 0 becomes at most w monomials when they have been shifted to degree t and reduced modulo g. In total, the number on non-zero entries in Ξg is upper-bounded by t + tw + min(w2 deg2 g, 2(deg2 g)2 ) Proof of Theorem 10: When deg2 g < 12 deg g and wt(g) ∈ O(1) then Corollary 3 implies wt(Ξg ) ∈ O(deg g). So the result follows from combining Lemma 11 and Proposition 1.

Remark 5 Algorithm 4 also has good memory complexity when Line 6 is realised using Lemma 11: if the Ξg are sparse matrices, they require only memory O(wt(Ξg )) to store, and the rest of Algorithm 4 clearly uses only O(`µ) memory. This can be compared with the memory complexity O(`2 µ) of Algorithm 3. 10 In Theorem 3 of the WCC extended abstract [31], a complexity estimate was given for Algorithm 4 which unfortunately is slightly incorrect: in the terms of this paper, it claims wt(Ξg ) ∈ O(deg g · wt(g)) when deg2 g < deg g/2. As seen by this corollary, that is not generally true, e.g. if deg2 g ∈ O(deg g) while wt(g) ∈ Ω(1) and wt(g)2 ∈ o(deg g).

33

It×t

deg2 g ∈ K (2t−1)×t

Ξg = 0

w-sparse 0

≤ w2 -sparse

Figure 1 Depiction of Ξg in the proof of Corollary 3.

We argued in Section 5.1 that for arbitrary gh , we can perform Algorithm 4 in complexity O(`µ3 ) or O(`µ2.69 ), the latter assuming the Coppersmith–Winograd matrix multiplication algorithm [10]. We can, in fact, do slightly better: Proposition 3 Algorithm 4 can be realised in complexity O(` MM(µ)), where MM(µ) denotes the cost of multiplying two K µ×µ matrices. Proof: Consider u, λ, qh as in the proof of Lemma 11. If we first compute qh Ξg˜h , then afterwards u[η] can be computed in time O(µ) as a dot-product of λ and the ηth column of qh Ξg˜h . Thus, if we prepend Algorithm 4 with the computation of the ` matrices qh Ξg˜h , costing a total of O(`MM(µ)), the execution of Algorithm 4 itself will cost only a further O(`µ2 ) by Proposition 1.

C Basics on R-modules In this section, we prove statements about R-modules. Most of the results are well-known or obvious for commutative rings. However, we have not found a compact source for these statements which include the case of skew polynomial rings and derives them from algebraic principles. We say that vectors v 1 , v 2 , . . . , v n ∈ Rn are (left) linearly independent over R if from a vanishing linear combination a1 v 1 + a2 v 2 , . . . , an v n = 0 it follows that a1 = a2 = · · · = an = 0. For a left module M and B ⊆ M, by hBiR we denote the (left) span of B: the set of (left) R-linear combinations of elements of B. B is a generating set of M if hBiR = M. A basis of a (left) module M is a generating set B ⊆ M which is (left) linearly independent over R. We say a module M is free if it admits a basis. We define the (left) rank of a matrix as the maximum number of rows which are linearly independent over R. Note that any subset of linearly independent rows of cardinality equal to the rank is a basis of the (left) row space hM iR of a matrix M , which is a (left) module. Since R is a left (right) Euclidean domain [48], it is a left (right) principal ideal domain. The statement and proof of the following theorem is similar to [28, Theorem 7.1], with the difference that we use the weaker assumption that R is in general only left (right) principal and not a commutative principal ideal domain. Theorem 14 Let F be a free left (right) module over R which has a finite basis {x1 , . . . , xn } for some n ∈ N, and M ⊂ F a left (right) submodule. Then M is free and there exists a basis of M which has ≤ n elements.

34 Proof: We prove the claim by constructing a basis of F inductively. Before we start, we have to define the sets Mr := M ∩ hx1 , . . . , xr iR for any r ∈ N with 1 ≤ r ≤ n. Note that we only show the claim for left modules. The right module case can be shown equivalently. Base case: We first consider M1 = M ∩ hx1 iR . Since M and hx1 iR are both left modules over R, M1 is also a left module over R. Let J be the set of all a ∈ R such that ax1 ∈ M . Then J is a left ideal of R because for any a, b ∈ J and r ∈ R also (a + b) ∈ J (because (a + b)x1 = ax1 + bx1 ∈ M ) and (ra) ∈ J (because (ra)x1 = r(ax1 ) ∈ M ). J is (left) principal and therefore generated by some a1 ∈ R. Hence, M1 must be of the form (a1 x1 ). If a1 6= 0, {a1 x1 } is a basis of M1 . Otherwise, M1 = {0} and ∅ is a basis of M1 . Thus, M1 is free and has a basis with ≤ 1 elements. Induction hypothesis: Now we assume that Mr = M ∩ hx1 , . . . , xr iR is free and has a basis {˜ x1 , . . . , x ˜` } with 0 ≤ ` ≤ r for some r with 1 ≤ r < n. Inductive step: If Mr = Mr+1 , we are done, because by hypothesis Mr+1 is free with the same basis as Mr which also obviously has ≤ (r + 1) elements. In the following we therefore assume that Mr+1 \ Mr 6= ∅. (a) (a) Let I be the set of all a ∈ R such that there exists an element x(a) ∈ M and b1 , . . . , br ∈ Pr (a) (a) R with axr+1 = x − i=1 bi xi . Then I is a left ideal of R because if a, b ∈ I and r ∈ R, (a+b)

then a + b ∈ I because x(a+b) = x(a) + x(b) ∈ M and bi x(ra)

rx(a)

(ra) bi

(a)

= bi

(b)

+ bi

∈ R and ra ∈ I

(a) rbi

because = ∈ M and = ∈ R. Since R is (left) principal, I is generated by some element ar+1 ∈ R. Since we assume that Mr+1 6= Mr , ar+1 must not be 0. We can choose a γ ∈ Mr+1 such that γ = x(ar+1 ) 6= 0. (Sub-)Claim: Br+1 := {˜ x1 , . . . , x ˜` , γ} is a basis of Mr+1 . (i) Br+1 is a generating set of Mr+1 : For any x ∈ Mr+1 , the coefficient of x with respect to xr+1 is in I and therefore divisible by ar+1 . Hence, there exists a d ∈ R such that the coefficient of x − dγ with respect to xr+1 is 0 and therefore x − dγ ∈ Mr . This shows that {˜ x1 , . . . , x ˜` , γ} is a generating set of Mr+1 . (ii) The elements of Br+1 are linearly independent: Since Mr+1 6= Mr , there is an x ∈ Mr+1 which is not in Mr . Like in the previous statement, there is a d ∈ R such that x − dγ ∈ Mr (note that here d 6= 0 because x ∈ / Mr ). This shows that γ ∈ / Mr because if it was, dγ would be in Mr (because Mr is a module) and x = (x − dγ) + dγ ∈ Mr , which would be a contradiction. Thus, γ ∈ / Mr = (˜ x1 , . . . , x ˜` ) which implies that x ˜1 , . . . , x ˜` and γ are linearly independent. Hence, Br+1 is a basis of Mr+1 which has ` + 1 ≤ r + 1 elements (by hypothesis ` ≤ r). Conclusion: At this point we found a basis Bn for Mn which has ≤ n elements. Since {x1 , . . . , xn } is a basis of F and M ⊂ F , Mn = M ∩ hx1 , . . . , xn iR = M ∩ F = M and therefore Bn is also a basis of M . Note that the existence of a basis directly implies that M is free. An important corollary of Theorem 14 is that for n ∈ N, any submodule of Rn is free. The following theorem proves that R has the Invariant Basis Number property. Its statement and proof combines ideas from [50, Theorem 18] and [50, Proposition 16]. Note that R is left (right) Noetherian because it is left (right) principal. Hence, any finitely generated R-module is Noetherian which implies that any submodule of a finitely generated R-module is finitely generated. Theorem 15 Any two finite bases of a left (right) R-module have the same number of elements. Proof: Again we show the claim only for left modules, the right case can be shown equivalently. Assume we have two bases B1 and B2 of the same R-module with |B1 | =: n ∈ N and |B2 | =: m ∈ N. We want to show that n = m. We first note that from any R-module with a basis B = {b1 , . . . , bk } of cardinality k, there is a natural module isomorphism ϕ : hBiR → Rk , ϕ(x) = (x1 , . . . , xk ) which is defined by the P unique representation x = ki=1 xi bi for any x ∈ (B). This means that Rn ∼ = hB1 iR = hB2 iR ∼ = Rn , so Rn ∼ = Rm , or in other words there is an isomorphism α : Rn → Rm . L n−m We assume n > m. This means that α gives us an embedding α : Rn = Rm R ,→ Rm with Rn−m = 6 {0} because n > m and R = 6 {0}. Therefore, A0 := Rm must have a L submodule of the form A1 B1 such that A1 ∼ 6 {0}. Constructing = Rm and B1 ∼ = Rn−m = L A B as a submodule of A inductively with the same approach, we obtain a submodule i i i−1 L∞ m which is an infinite direct sum of non-zero modules and can therefore not i=1 Bi of R

35 be finitely generated. This contradicts the fact that Rm is a (left) Noetherian module, which means that all its submodules are finitely generated. Hence, n ≤ m. By the same argument we get that m ≤ n and therefore n = m. We continue with some remarks on matrices over R and the module their rows span. An elementary row operation on an R matrix can be the following two actions: (i) Interchange two rows. (ii) Add an R multiple of a row v i to another row v j . Theorem 16 An elementary row operation on a matrix neither changes its row space nor its rank. Proof: The statement is obvious for type (i) row operations because (R, +) is an abelian group. Suppose that in a type (ii) operation on a matrix V , resulting in V 0 , v j is replaced by 0 v j ← av i + v j , where a ∈ R. Clearly we then have hV 0 iR ⊂ hV iR . But since v i = v 0i and v j = v 0j − av 0i then also v j ∈ hV 0 iR and so hV 0 iR ⊂ hV iR . So the two modules spanned by the rows are the same. Therefore the rank can also not change due to Theorem 15. Note that a simple transformation (cf. Section 4.1) is an elementary row operation (type (ii)). A type (i) row operation is used in Section 5.1 (swapping of rows within the Demand-Driven algorithm).