Decoding of Differential AG Codes

The interpolation-based decoding that was developed for general evaluation AG codes is shown to be equally applicable to general differential AG codes. A performance analysis of the decoding algorithm, which is parallel to that of its companion algorithm, is reported. In particular, the decoding capacities of evaluation AG codes and differential AG codes are seen to be nicely interrelated. As an interesting special case, a decoding algorithm for classical Goppa codes is presented.


I. INTRODUCTION
Let $X$ be a smooth, geometrically irreducible projective curve of genus $g$ defined over a finite field $F$. Let $F(X)$ and $\Omega_X$ denote the function field and the module of differentials of $X$, respectively. Let $P_1, P_2, \dots, P_n$ be distinct rational points on $X$, and let $D = P_1 + P_2 + \cdots + P_n$. Let $G$ be an arbitrary divisor on $X$ whose support is disjoint from that of $D$. Recall that $L(G) = \{f \in F(X) \mid (f) + G \ge 0\}$ and $\Omega(G) = \{\omega \in \Omega_X \mid (\omega) \ge G\}$. Then Goppa's famous two codes [1] are defined by $C_L(D, G) = \{(f(P_1), f(P_2), \dots, f(P_n)) \mid f \in L(G)\}$

and
$C_\Omega(D, G) = \{(\mathrm{res}_{P_1}(\omega), \mathrm{res}_{P_2}(\omega), \dots, \mathrm{res}_{P_n}(\omega)) \mid \omega \in \Omega(-D + G)\}$, which are called the evaluation AG code and the differential AG code, respectively. It is well known that $C_\Omega(D, G) = C_L(D, G)^\perp$, whose proof [2] requires the Riemann-Roch theorem. Though the two kinds of AG codes were created together, their historical development has been somewhat unbalanced. The target of intensive research on bounds on the minimum distance, and on decoding algorithms up to those bounds, was usually the differential code, or rather the dual of the evaluation code. Thus all known decoding algorithms for differential AG codes decode $C_L(D, G)^\perp$ rather than $C_\Omega(D, G)$ itself, in the sense that they work with syndromes defined using functions in $L(G)$. See [3], [4], [5], [6], [7] and the many references therein. The bias is also reflected in the terms primal AG code and dual AG code, which mean evaluation AG code and differential AG code, respectively. In this respect, the recent result [8] on a unique decoding algorithm for evaluation AG codes goes against the trend and implies that the duality is essential neither for decoding nor for bounding the minimum distance of $C_L(D, G)$. This leads one to conceive of a decoding algorithm for $C_\Omega(D, G)$ that likewise does not rely on the duality, on syndromes, or on the space $L(G)$.
In this paper, we present a fast unique decoding algorithm for general differential AG codes that does not rely on the duality and does not use syndromes defined by functions in $L(G)$. Essentially it is the interpolation-based decoding algorithm for $C_L(D, G)$ of [8], rewritten for the differential AG code $C_\Omega(D, G)$ on the same principal ideas but using data derived from the relevant space of differentials. Specifically, the ring $R$ defined in (1) of this paper is the same $R$ as in [8], but instead of the $R$-module $\tilde R \subset F(X)$, here we define another $R$-module $W \subset \Omega_X$. Thus the decoding algorithm for differential AG codes works with polynomials in $R \oplus W$, while the algorithm for evaluation AG codes works in $R \oplus \tilde R$. These changes aside, the basic principles underlying both decoding algorithms are exactly the same. Thus we achieve an equal and symmetric treatment of Goppa's two codes in decoding and in bounding the minimum distance.
In Section II, we set up the algebraic framework in which the decoding algorithm works. In Section III, we present the decoding algorithm after a brief explanation of its structure. In Section IV, we report a performance analysis. It will be clearly seen that the framework and the algorithm itself resemble the corresponding ones in [8] so closely that, to avoid repetition, we neither prove that the algorithm works correctly nor provide proofs for the assertions of the performance analysis, but instead refer the reader to [8] for the almost verbatim details of the missing proofs. In Section IV-C, we will see that the decoding capacities of both decoding algorithms are nicely interrelated. In Section V, we give an explicit example. In Section VI, we consider decoding of Goppa codes. Recall that Goppa codes are subfield subcodes of differential AG codes on the projective line. Hence, as a special case, we obtain a decoding algorithm for classical Goppa codes. This algorithm is interesting because Goppa codes are the main workhorse of the McEliece code-based cryptosystem, and the speed of decryption depends largely on the efficiency of its decoding algorithm.

II. PRELIMINARIES
We assume the existence of a rational point $Q$ distinct from the points in the support of $D$. Let (1) The Weierstrass semigroup at $Q$ is then which is a numerical semigroup whose number of gaps, the positive integers not in $\Lambda$, is the genus $g$ of $X$. Let $\gamma$ be the smallest positive nongap, and let $\rho(x) = \gamma$ for some $x \in R$. For each $0 \le i < \gamma$, let $a_i$ be the smallest nongap such that $a_i \equiv i \pmod{\gamma}$, and let $\rho(y_i) = a_i$ for some $y_i \in R$. By the properties of $\rho : R \to \mathbb{Z}_{\ge 0}$ inherited from the valuation $v_Q$ of $F(X)$, the set $\{y_0, y_1, \dots, y_{\gamma-1}\}$ forms a basis of $R$ as a free module of rank $\gamma$ over $F[x]$, which we call the Apéry system of $R$. Hence $\{x^k y_i \mid k \ge 0,\ 0 \le i < \gamma\}$ is a vector space basis of $R$ over $F$, whose elements are called the monomials of $R$. The monomials of $R$ are in one-to-one correspondence with the nongaps in $\Lambda$. For $\lambda \in \Lambda$, we denote by $\varphi_\lambda \in R$ the unique monomial with $\rho(\varphi_\lambda) = \lambda$.
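The following is an added illustration, not code from the paper, of the correspondence between the monomials $x^k y_i$ of $R$ and the nongaps of $\Lambda$: from generators of $\Lambda$ it computes the gaps (their number is $g$), $\gamma$, the Apéry system $a_0, \dots, a_{\gamma-1}$, and the exponents $(k, i)$ of $\varphi_\lambda = x^k y_i$. Only pole orders are tracked, not the functions $y_i$ themselves; the sample input $\Lambda = \langle 3, 4 \rangle$ is an assumption (it is the Weierstrass semigroup at infinity of a genus-3 Hermitian curve, matching the genus in Section V).

```python
def nongaps(gens, limit):
    # All elements of the semigroup generated by gens that are <= limit (dynamic programming).
    reach = [False] * (limit + 1)
    reach[0] = True
    for v in range(1, limit + 1):
        reach[v] = any(v >= a and reach[v - a] for a in gens)
    return [v for v in range(limit + 1) if reach[v]]

def gaps(gens):
    # Positive integers not in Lambda; their count is the genus g.
    # For gcd(gens) = 1 the largest gap is below min(gens) * max(gens), so that bound suffices.
    limit = min(gens) * max(gens)
    present = set(nongaps(gens, limit))
    return [v for v in range(1, limit + 1) if v not in present]

def apery_system(gens):
    # gamma is the smallest positive nongap; a_i is the smallest nongap congruent to i mod gamma.
    # Every integer above the largest gap is a nongap, so a_i <= largest gap + gamma, hence the limit.
    ng = nongaps(gens, min(gens) * max(gens) + min(gens))
    gamma = min(v for v in ng if v > 0)
    return gamma, [min(v for v in ng if v % gamma == i) for i in range(gamma)]

def monomial(lam, gens):
    # Exponents (k, i) of the unique monomial phi_lambda = x^k y_i of R with rho(phi_lambda) = lambda,
    # using rho(x^k y_i) = k * gamma + a_i; raises for a gap, which has no monomial.
    gamma, a = apery_system(gens)
    i = lam % gamma
    if lam < a[i]:
        raise ValueError(f"{lam} is a gap of the semigroup")
    return (lam - a[i]) // gamma, i

if __name__ == "__main__":
    LAMBDA = [3, 4]  # constructed sample semigroup <3, 4>
    print("gaps:", gaps(LAMBDA), "genus:", len(gaps(LAMBDA)))
    print("gamma, Apery system:", apery_system(LAMBDA))
    print("phi_11 = x^k y_i with (k, i) =", monomial(11, LAMBDA))
```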
Notice that the ring $R$ and the numerical semigroup $\Lambda$ are the same as defined in [8]. Now come the definitions which are new but correspond to $\tilde R$ and $\tilde\Lambda$ in [8]. Let which is clearly a module over $R$. For a differential $\omega \in W$, let $\delta(\omega)$ denote the smallest integer $s$ such that $\omega \in \Omega(-D + G - sQ)$. Thus $\delta(\omega)$ is simply $v_Q(G) - v_Q(\omega)$. Let $\tilde\Omega = \delta(W)$. Note that $\Lambda + \tilde\Omega = \tilde\Omega$, and in this sense $\tilde\Omega$ is a numerical $\Lambda$-module. The integers in $\tilde\Omega$ will also be called nongaps. As $\tilde\Omega$ contains all large enough integers, for each $0 \le i < \gamma$ there exists the smallest nongap $b_i$ of $\tilde\Omega$ such that $b_i \equiv i \pmod{\gamma}$ and $\delta(\tilde\omega_i) = b_i$ for some $\tilde\omega_i \in W$. Using the valuative properties of $\delta$, we also see that $\{\tilde\omega_i \mid 0 \le i < \gamma\}$ forms a basis of $W$ as a free module of rank $\gamma$ over $F[x]$. For $s \in \tilde\Omega$, define $\tilde\varphi_s = x^k \tilde\omega_i$ for $i = s \bmod \gamma$ and $k = (s - b_i)/\gamma \ge 0$. Then $\delta(\tilde\varphi_s) = s$. Thus $\{\tilde\varphi_s \mid s \in \tilde\Omega\} = \{x^k \tilde\omega_i \mid k \ge 0,\ 0 \le i < \gamma\}$ is a basis of $W$ over $F$, and its elements will be called the monomials of $W$. The set $\{\tilde\omega_i \mid 0 \le i < \gamma\}$ is called the Apéry system of $W$. One may observe that $W$ and $\tilde\Omega$ were defined in [8] but not used for decoding. Now let us consider the $R$-module with indeterminate $z$. It is also a free $F[x]$-module of rank $2\gamma$ with free basis $K = \{y_i z, \tilde\omega_i \mid 0 \le i < \gamma\}$, and every element of $Rz \oplus W$ can be written as a unique $F$-linear combination of the monomials in $M = \{x^k y_i z, x^k \tilde\omega_i \mid k \ge 0,\ 0 \le i < \gamma\}$. So we can regard the elements of $Rz \oplus W$ as polynomials over $F$. We denote $\deg_x(x^k y_i z) = k$, $\deg_y(x^k y_i z) = i$, $\deg_x(x^k \tilde\omega_i) = k$, and $\deg_{\tilde\omega}(x^k \tilde\omega_i) = i$. Let us review the Gröbner basis theory on the $R$-module $Rz \oplus W$. For an integer $s$, the weighted degree of a polynomial In particular, we have Then $\delta_s$ induces the weighted degree order $>_s$ on $M$, where we break ties by declaring that the monomial with $z$ precedes the one without $z$.
For $f \in Rz \oplus W$, the notations $\mathrm{lt}_s(f)$, $\mathrm{lm}_s(f)$, and $\mathrm{lc}_s(f)$ denote respectively the leading term, the leading monomial, and the leading coefficient, where we understand that the leading term of $g_i$ is in $W$ while that of $f_i$ is in $Rz$. The sigma set $\Sigma_s = \Sigma_s(M)$ of $M$ is the set of all leading monomials of the polynomials in $M$ with respect to $>_s$. The delta set is linear over $F$. Thus the differential AG code $C = C_\Omega(D, G) = \mathrm{res}(\Omega(-D + G))$ is a linear code of length $n$ over $F$. Note that $\{\tilde\varphi_s \mid s \in \tilde\Omega,\ s \le 0\}$ is a basis of $\Omega(-D + G)$ as a vector space over $F$. Let $k$ be the dimension of $C$. Then there is a set $S = \{s_0, s_1, \dots, s_{k-1}\} \subset \{s \mid s \in \tilde\Omega,\ s \le 0\}$ such that $\{\mathrm{res}(\tilde\varphi_s) \mid s \in S\}$ is a basis of $C$. Note that the map $\mathrm{res}$ is surjective onto $F^n$. Indeed, we can show that $\mathrm{res}(\Omega(-D + G - sQ)) = F^n$ for $s > |G| = \deg(G)$ by the Riemann-Roch theorem. Let $h_i \in W$ be the differential such that $\mathrm{res}(h_i)$ is the $i$th element of the standard basis of $F^n$. Let $J$ be the kernel of $\mathrm{res}$. Note that $J$ is a submodule of $W$ over $R$, and also over which corresponds to Proposition 2 of [8] and can be proved in a similar way.
III. DECODING ALGORITHM
We assume a codeword is sent through a communication channel and a vector $v \in F^n$ is received. Thus we suppose $v = c + e$ with a codeword $c$ and an error vector $e$. Then $c = \mathrm{res}(\mu)$ with a unique differential is a Gröbner basis of $I_v$ with respect to $>_{\delta(h_v)}$. The Fast Decoding Algorithm for differential AG codes, displayed in Figure 1, starts with the basis (3) and iterates the substeps Pairing, Voting, and Rebasing, computing a Gröbner basis of $I_{v^{(s-1)}}$ from that of $I_{v^{(s)}}$ while $m_s \in F$ is computed by majority voting for $s \in S$. Let for $s \in S$, and define $d_\Omega = \min\{\nu(s) \mid s \in S\}$. Then it can be shown that the voted value of $m_s$ is correct if $2\,\mathrm{wt}(e) < \nu(s)$ for $s \in S$, and hence the algorithm succeeds in iteratively computing $m_s$ for all $s \in S$ if $\mathrm{wt}(e) \le \tau = (d_\Omega - 1)/2$. The proof is mostly identical to the corresponding one in [8], with some obvious changes of notation, so we leave it out. Note that the Fast Decoding Algorithm for differential AG codes is also enhanced with the speedup techniques introduced in Section III.E of [8] for evaluation AG codes. A minor difference is due to the different inequality in the following theorem.
According to Theorem 2, a polynomial $f$ in $I_{v^{(s)}}$ satisfying the condition $\delta_s(f) + \mathrm{wt}(e) + 2g - 1 \le |G|$ is called a Q-polynomial for $v^{(s)}$. In the Fast Decoding Algorithm, we actually use the condition $\delta_s(f) + \tau + 2g - 1 \le |G|$, since if we assume $\mathrm{wt}(e) \le \tau$, then a polynomial $f$ in $B^{(s)}$ satisfying this condition is a Q-polynomial for $v^{(s)}$. See the step Q. Since

Fast Decoding Algorithm. Let $v \in F^n$ be the received vector.
Let $m_s = 0$ for $s$ with $N < s \in S$. If $N \le 0$, then set $m_s \in F$ such that $h_v = \sum_{s \in S} m_s \tilde\varphi_s$, and go to the step S3.
S2 Repeat the following for $s$ from $N$ to $s_0$. Let
Voting. If $s \notin S$, then for $i$ with $k_i \ge 0$, let and for $i$ with $k_i < 0$, let $m_i = 0$, $\mu_i = 1$. Let $m = 0$ in both cases. If $s \in S$, then for each $i$, let and let $\tilde c_i = \max\{c_i, 0\}$, and let $m$ be the element of $F$ with the largest $\sum_{m_i = m} \tilde c_i$, and let $m_s = m$.
Rebasing. For each $i$, do the following. If $m_i = m$, then let
Output the codeword $\sum_{s \in S} m_s\, \mathrm{res}(\tilde\varphi_s)$.

To see the last equality, note that by the Riemann-Roch theorem, for all large enough $t$. Since $|\Delta(J) \cup \Delta(R\tilde\varphi_s)| \ge n$, we have $\nu(s) \ge |G| - 2g + 2 - s$. Now our assertion follows.
Let us define $\tau_M(s) = (\nu(s) - 1)/2$ for $s \in \tilde\Omega$, which is the largest number of errors for which the majority voting succeeds for $s$. Like Proposition 22 in [8], we can show that for nongap $s \le |G| - 2g + 2$, and if $s \le |G| - 4g + 2$, equality holds on the left. We now find out when the condition in the step Q is satisfied. Let $t = \mathrm{wt}(e)$.
Theorem 4. Let $B^{(s)}$ be a Gröbner basis of $I_{v^{(s)}}$ with respect to $>_s$. If $\lambda_t + s + t + 2g - 1 \le |G|$, then there exists an $f \in B^{(s)}$ such that $f$ is a Q-polynomial for $v^{(s)}$.
Proof: By the same argument as in the proof of Lemma 18 of [8], we know that there exists an $f \in B^{(s)}$ such that $\delta_s(f) \le \lambda_t + s$. So if $\lambda_t + s + t + 2g - 1 \le |G|$, then this $f$ satisfies the condition to be a Q-polynomial.
By Theorem 5, the condition in the step Q is satisfied for some $s \ge s_Q(t) = |G| - \lambda_t - \tau - 2g + 1$ depending on $t = \mathrm{wt}(e)$, and at the latest for some $s \ge s_Q(\tau) = |G| - \lambda_\tau - \tau - 2g + 1$. Finally note that which can be verified from the definitions.

B. Complexity
The Fast Decoding Algorithm iteratively updates a $2\gamma \times 2\gamma$ array of polynomials in $F[x]$ that represents $B^{(s)}$. Each of the $2\gamma$ rows of the array is again viewed as a pair of vectors in $F[x]^\gamma$. For the initialization step S1, we precompute $h_i$ for $1 \le i \le n$ and $\eta_i$ for $0 \le i < \gamma$ in vector form. In the Rebasing substep of the step M, the most intensive computation is the substitution of $z$ with $z + m\tilde\varphi_s$. As $\tilde\varphi_s$ is of the form $x^k \tilde\omega_i$, the computation is facilitated if $y_i \tilde\omega_j$ for $0 \le i, j < \gamma$ is precomputed in vector form. For the step S3, it is necessary to precompute the vectors $\mathrm{res}(\tilde\varphi_{s_i}) \in F^n$ for $0 \le i \le k - 1$, essentially the generator matrix of the code $C$. Our complexity analysis is now summarized, omitting the details, in the following.
(2) The maximum degree of the polynomials in the vector form of $\eta_i$ is bounded by $N_\eta = (n + 3g + \gamma - 1)/\gamma$.
(3) The maximum degree of the polynomials in the $2\gamma \times 2\gamma$ array during an execution is bounded by $N_{\deg} = 1 + (n + 4g - 2)/\gamma$ if $g > 0$. If $g = 0$, then it is bounded by $n$.
(4) The number of iterations is at most $N_{\mathrm{iter}} = n + 2g$.
Observe that these results are exactly the same as those of the complexity analysis of the decoding algorithm for evaluation AG codes reported in [8].

C. Comparisons of minimum distance bounds
We now show that $d_\Omega$ is indeed a lower bound for the minimum distance of the code $C_\Omega(D, G)$.
Proof: Let $s \in S$ and suppose $c = \mathrm{res}(\mu)$, $\mu = \sum_{t \in S,\ t \le s} a_t \tilde\varphi_t \in \Omega(-D + G)$ with nonzero $a_s \in F$. Consider $F^n$ as an $F$-algebra with the component-wise multiplication $*$. Let us consider the evaluation map from $R$ to $F^n$, which is a surjective homomorphism of $F$-algebras. Let $\tilde J$ be the kernel of the map, so that we have an isomorphism of $R/\tilde J$ with $F^n$. Then where $\tilde\Lambda$ is the numerical $\Lambda$-module used in [8]. Then Theorem 33 in [8] says that the minimum distance of $C_L(D, G)$ is lower bounded by $d_L = \min_{s \in \tilde\Lambda,\ s \le 0}$ For the comparison of $d_\Omega$ with $d_L$, we assume $\deg(G) \ge 2g - 1$, so that $S = \{s \in \tilde\Lambda,\ s \le 0\}$ from now on. Like Lemma 32 of [8], we can show that $a + 1 \in \tilde\Lambda$ if and only if $-a \notin \tilde\Omega$ or $\tilde\varphi_{-a} \in \Delta(J)$, which implies that Observe the nice symmetry between $d_L$ and $d_\Omega$.
Recall that $\mathrm{ev}(f) = (f(P_1), f(P_2), \dots, f(P_n))$ for $f \in \tilde R = \bigcup_s L(G + sQ)$. Let $C_i = \mathrm{ev}(L(G + iQ)) \subset F^n$ for $i \in \mathbb{Z}$. The codes $C_i$ are sometimes used in formulating minimum distance bounds of AG codes [9], [10]. For the last equivalence, recall that $\dim$ Lemma 9 allows us to write $d_\Omega = \min$ Finally, let us focus on one-point AG codes with $G = mQ$. In this case $\tilde\Lambda = \Lambda - m$. Let $H_i = \mathrm{ev}(L(iQ)) = C_{i-m}$ and where the former is the famous Feng-Rao bound of the one-point AG code $C_\Omega(D, mQ)$ and the latter is a slight variation of the bound $d^*$ defined in [9].

V. EXAMPLE
Let $X$ be the Hermitian curve of genus $g = 3$ defined by the equation The monomials of $Rz \oplus W$ are displayed in the array below, where the common $z$ factor of the monomials of $Rz$ is omitted. Here are the corresponding nongaps of $\Lambda$ and $W$, respectively. The Lagrange interpolation polynomials in $W$ are $h_{26} = (\alpha^6 x^8 + \alpha^3 x^7 + \cdots + 1)\tilde\omega_2 + (\alpha^6 x^7 + 2x^6 + \cdots + 1)\tilde\omega_1$ Using these data, we can compute $\nu(s)$ for each $s$, and hence $d_\Omega = 13$. The Fast Decoding Algorithm runs with the received vector $v$ as input and with the above precomputed data. The decoding process itself is similar to that of the example in Section IV-A of [8]. Thus we omit an example run of the algorithm.

VI. DECODING GOPPA CODES
Let $L = \{\alpha_1, \alpha_2, \dots, \alpha_n\} \subset F$ be a set of distinct rational points of the projective line $\mathbb{P}_F$ over $F = \mathbb{F}_{q^m}$, and let $P_\infty$ denote the point at infinity. Let $D$ denote the divisor of zeros of $\prod_{k=1}^n (x - \alpha_k)$. Let $g(x) \in F[x]$ be a given polynomial with $g(\alpha_i) \ne 0$ for $1 \le i \le n$, and let $Z$ be the divisor of zeros of $g(x)$. We assume $\deg g(x) < n$. Then the classical Goppa code $C|_{\mathbb{F}_q}$ is a subfield subcode over $\mathbb{F}_q$ of the differential AG code As $C$ is an $[n, k, d]$ code with $k = n - \deg g(x)$ and $d \ge \deg g(x) + 1$, the Goppa code $C|_{\mathbb{F}_q}$ is an $[n, k', d']$ linear code over $\mathbb{F}_q$ with $k' \ge n - m \deg g(x)$ and $d' \ge \deg g(x) + 1$. See [2] for more on Goppa codes and subfield subcodes of AG codes.
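The following added example (not code from the paper) builds a small Goppa code directly from residues of differentials, as this section and the definition of $\mathrm{res}$ in Section II describe: it computes the Lagrange interpolation differentials $h_i = dx/(x - \alpha_i)$ with $\mathrm{res}(h_i) = e_i$, a residue basis of $C$, and checks $k = n - \deg g$, the classical membership condition $\sum_i c_i/(x - \alpha_i) \equiv 0 \pmod{g(x)}$, and $d \ge \deg g + 1$ by brute force. It assumes the standard description $\Omega(-D + Z - P_\infty) = \{g(x)h(x)\,dx/\prod_k(x - \alpha_k) \mid \deg h \le n - 1 - \deg g\}$, and the field $\mathbb{F}_7$, the set $L$, and $g(x) = x^2 + 1$ are constructed sample data (with $m = 1$, so the subfield subcode is $C$ itself).

```python
from functools import reduce
from itertools import product

p = 7                       # constructed: prime field F_7 (m = 1, so the subfield subcode is C itself)
L = [0, 1, 2, 3, 4, 5, 6]   # constructed: alpha_1..alpha_n, distinct rational points of the affine line
G_POLY = [1, 0, 1]          # constructed: g(x) = x^2 + 1, low-to-high coefficients, g(alpha) != 0 on L
n = len(L)

def poly_eval(f, a):        # Horner's rule on low-to-high coefficients
    return reduce(lambda r, c: (r * a + c) % p, reversed(f), 0)

def poly_mul(f, h):
    out = [0] * (len(f) + len(h) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(h):
            out[i + j] = (out[i + j] + a * b) % p
    return out

def poly_mod(f, g):
    f = f[:]
    while len(f) >= len(g):  # long division by g, clearing the leading coefficient each round
        coef, shift = f[-1] * pow(g[-1], p - 2, p) % p, len(f) - len(g)
        for j, b in enumerate(g):
            f[shift + j] = (f[shift + j] - coef * b) % p
        f.pop()
    return f

def lagrange_numerator(i):
    # numerator of h_i = dx / (x - alpha_i): prod_{k != i} (x - alpha_k); res(h_i) is the i-th unit vector
    f = [1]
    for k, b in enumerate(L):
        if k != i:
            f = poly_mul(f, [(-b) % p, 1])
    return f

def residues(f):
    # res_{alpha_i}(f(x) dx / prod_k (x - alpha_k)) = f(alpha_i) / prod_{k != i} (alpha_i - alpha_k)
    return [poly_eval(f, a) * pow(poly_eval(lagrange_numerator(i), a), p - 2, p) % p
            for i, a in enumerate(L)]

def goppa_basis():
    # residues of g(x) x^j dx / prod(x - alpha_k), 0 <= j <= n - 1 - deg g: n - deg g independent codewords
    return [residues(poly_mul(G_POLY, [0] * j + [1])) for j in range(n - (len(G_POLY) - 1))]

def classical_check(c):
    # classical Goppa condition sum_i c_i / (x - alpha_i) = 0 mod g(x), after clearing the common denominator
    total = [0] * n
    for i in range(n):
        total = [(u + c[i] * v) % p for u, v in zip(total, lagrange_numerator(i))]
    return all(r == 0 for r in poly_mod(total, G_POLY))

def min_distance(basis):
    # brute force over every nonzero F_p-combination of the basis; the bound in the text is d >= deg g + 1
    weights = [sum(1 for i in range(n) if sum(a * row[i] for a, row in zip(cs, basis)) % p)
               for cs in product(range(p), repeat=len(basis)) if any(cs)]
    return min(weights)
```

On the projective line this $C$ is a generalized Reed-Solomon code, so the brute-force distance meets the bound exactly here (3 for $\deg g = 2$); over $\mathbb{F}_{q^m}$ with $m > 1$ the subfield subcode would be extracted from the same residue basis.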
Clearly, the Fast Decoding Algorithm can decode the subfield subcode $C|_{\mathbb{F}_q}$ just by decoding $C$. So let us specialise the algorithm for $C$. Let $X = \mathbb{P}_F$. The genus of the projective line is $g = 0$, and $F(X) = F(x)$, and simply $\rho(f(x)) = \deg f(x)$. In particular, $\rho(x) = \gamma = 1$ and $\rho(y_0) = a_0 = 0$ with $y_0 = 1$. Furthermore and for $1 \le i \le n$, With the above precomputed data, the Fast Decoding Algorithm for Goppa codes reduces to the following simple algorithm.
Fast Decoding Algorithm for Goppa Codes. Let $v \in F^n$ be the received vector.
Note that the differential $\tilde\omega_0$, as well as $z$, is just a placeholder, and the algorithm actually works with a $2 \times 2$ array of univariate polynomials. We made some changes in notation for clarity and restructured the algorithm slightly for ready implementation. It should be noted that when the algorithm is in the second phase, $s < n - \deg g(x)$, the update of $G^{(s)}$ is actually unnecessary.

VII. FINAL REMARKS
We presented a fast unique decoding algorithm for differential AG codes. The principle of the algorithm is the same as that of the companion algorithm for evaluation AG codes in [8], and the description of the algorithm is almost identical to that of the other. In this paper, we focused on the differences and omitted most of the repetitive parts. The list decoding extension for evaluation AG codes done in [11] can be carried out for differential AG codes in the same way.
This work was partially done while I visited Maria Bras-Amorós. The author thanks her for helpful discussions.