

May 3, 2013 15:21 World Scientific Review Volume - 9.75in x 6.5in handbook

Chapter 13

Decoding and finding the minimum distance with Gröbner bases: history and new insights

Stanislav Bulygin and Ruud Pellikaan

[email protected], Department of Mathematics, University of Kaiserslautern, P.O. Box 3049, 67653 Kaiserslautern, Germany

[email protected], Department of Mathematics and Computing Science, Eindhoven University of Technology, P.O. Box 513, NL-5600 MB, Eindhoven, The Netherlands

In Series on Coding Theory and Cryptology vol. 7, Selected Topics in Information and Coding Theory, I. Woungang, S. Misra, S.C. Misra (Eds.), pp. 585–622, World Scientific, 2010.

In this chapter we discuss decoding techniques and finding the minimum distance of linear codes with the use of Gröbner bases. First we give a historical overview of decoding cyclic codes via solving systems of polynomial equations over finite fields. In particular we mention papers of Cooper, Reed, Chen, Helleseth, Truong, Augot, Mora, Sala and others. Some structural theorems that use Gröbner bases in this context are presented. We then shift to the general situation of arbitrary linear codes. We give an overview of the approaches of Fitzgerald and Lax. Then we introduce our method of decoding linear codes that reduces this problem to solving a system of quadratic equations. We discuss open problems and future research possibilities.

13.1. Introduction

The chapter is devoted to decoding and finding the minimum distance of arbitrary linear codes with the use of Gröbner bases. In recent years a lot of attention was paid to this question for cyclic codes, which form a particular subclass of linear codes. We give a survey on decoding cyclic codes with Gröbner bases and consider two approaches that exist for arbitrary linear codes. We also present a new method based on reducing the problems of decoding and finding the minimum distance to solving a system of quadratic equations. We give a very brief introduction to Gröbner bases theory. Introductory material can be taken for instance from [1, 2].


Quite a lot of methods exist for decoding cyclic codes and the literature on this topic is vast. We just mention [3–7]. But none of these methods corrects up to the true error-correcting capacity. The theory of Gröbner bases is used to remedy this problem. These methods are roughly divided into the following categories:

• Newton identities method [8–14]

• Power sums method or Cooper's philosophy [14–19].

The term "Cooper's philosophy" was first used during the talk [20]. In Sec. 13.2 the necessary background on Gröbner bases is given, as well as the notation we are going to use throughout the chapter. In Sec. 13.3 we give an overview of the methods based on power sums and Newton identities, together with examples. Section 13.4 is devoted to the case of arbitrary linear codes. Namely, we look at the method of Fitzgerald and Lax, and the method based on solving a quadratic system of equations. We should mention that there exist other Gröbner bases-based methods for arbitrary linear codes, e.g. generalizations of Cooper's philosophy [21, 22], applications of Padé approximation [23, 24], FGLM-like techniques [25, 26] and the key equation [27]. These methods are out of the scope of this chapter. We end the chapter with thoughts for practitioners and directions for further research, as well as conclusions, a terminology list and a list of sample questions and answers on the material presented in the chapter. We made an extensive bibliography, so that the reader is able to look at the numerous sources that exist in the area.

13.2. Background

13.2.1. Gröbner bases in polynomial system solving

The theory of Gröbner bases is about solving systems of polynomial equations in several variables and can be viewed as a common generalization of Gaussian elimination in linear algebra, which deals with linear systems of equations in several variables, and the Euclidean algorithm, which is about polynomial equations of arbitrary degree in one variable. The polynomial equations are linearized by treating the monomials as new variables. In this way the number of variables grows exponentially in the degree of the polynomials. The complexity of computing a Gröbner basis is doubly exponential in general, and exponential in our case of a finite set of solutions. In this subsection we give a brief overview of monomial orders, Gröbner bases and their use in polynomial system solving. This subsection is only intended to refresh these notions; for a thorough exposition of the material the reader can use e.g. [1, 28].

Let $F$ be a field and let $F[X_1, \ldots, X_n] = F[X]$ be the polynomial ring in $n$ variables over $F$. In commutative algebra objects like polynomials, ideals and quotients are intensively studied. If we want to do computations with these objects we must somehow impose an order on them, so that we know which way a computation will go. Let $\mathrm{Mon}(X)$ be the set of all monomials in the variables $X = (X_1, \ldots, X_n)$.


Definition 13.1. A monomial order on $F[X]$ is any relation $>$ on $\mathrm{Mon}(X)$ such that

(1) $>$ is a total order on $\mathrm{Mon}(X)$.

(2) $>$ is multiplicative, i.e. $X^\alpha > X^\beta$ implies $X^\alpha \cdot X^\gamma > X^\beta \cdot X^\gamma$ for all vectors $\gamma$ with non-negative integer entries; here $X^\alpha = X_1^{\alpha_1} \cdots X_n^{\alpha_n}$.

(3) $>$ is a well-order, i.e. every non-empty subset of $\mathrm{Mon}(X)$ has a minimal element.

Example 13.2. Here are some orders that will be used in this chapter.

• Lexicographic order induced by $X_1 > \cdots > X_n$: $X^\alpha >_{lp} X^\beta$ iff there exists an $s$ such that $\alpha_1 = \beta_1, \ldots, \alpha_{s-1} = \beta_{s-1}$ and $\alpha_s > \beta_s$.

• Degree reverse lexicographic order induced by $X_1 > \cdots > X_n$: $X^\alpha >_{dp} X^\beta$ iff $|\alpha| := \alpha_1 + \cdots + \alpha_n > \beta_1 + \cdots + \beta_n =: |\beta|$, or if $|\alpha| = |\beta|$ and there exists an $s$ such that $\alpha_n = \beta_n, \ldots, \alpha_{n-s+1} = \beta_{n-s+1}$ and $\alpha_{n-s} < \beta_{n-s}$.

• Block order or product order. Let $X$ and $Y$ be two ordered sets of variables, $>_1$ a monomial order on $F[X]$ and $>_2$ a monomial order on $F[Y]$. The block order on $F[X, Y]$ is the following: $X^{\alpha_1} Y^{\beta_1} > X^{\alpha_2} Y^{\beta_2}$ iff $X^{\alpha_1} >_1 X^{\alpha_2}$, or if $X^{\alpha_1} = X^{\alpha_2}$ and $Y^{\beta_1} >_2 Y^{\beta_2}$.

Definition 13.3. Let $>$ be a monomial order on $F[X]$. Let $f = \sum_\alpha c_\alpha X^\alpha$ be a non-zero polynomial from $F[X]$. Let $\alpha_0$ be such that $c_{\alpha_0} \ne 0$ and $X^{\alpha_0} > X^\alpha$ for all $\alpha \ne \alpha_0$ with $c_\alpha \ne 0$. Then $\mathrm{lc}(f) := c_{\alpha_0}$ is called the leading coefficient of $f$, $\mathrm{lm}(f) := X^{\alpha_0}$ is called the leading monomial of $f$, and $\mathrm{lt}(f) := c_{\alpha_0} X^{\alpha_0}$ is called the leading term of $f$.

Having these notions we are ready to define the notion of a Gröbner basis.

Definition 13.4. Let $I$ be an ideal in $F[X]$. The leading ideal of $I$ with respect to $>$ is defined as $L_>(I) := \langle \mathrm{lt}(f) \mid f \in I, f \ne 0 \rangle$. $L_>(I)$ is sometimes abbreviated by $L(I)$. A finite subset $G = \{g_1, \ldots, g_m\}$ of $I$ is called a Gröbner basis for $I$ with respect to $>$ if $L_>(I) = \langle \mathrm{lt}(g_1), \ldots, \mathrm{lt}(g_m) \rangle$.

Example 13.5. Consider two polynomials $f = X^3$ and $g = Y^4 - X^2 Y$ from $F[X, Y]$, where $F$ is any field. We claim that $f$ and $g$ constitute a Gröbner basis of the ideal $I = \langle f, g \rangle$ with respect to the degree reverse lexicographic order $>_{dp}$ with $X > Y$. For this we need to show that $L(I) = \langle \mathrm{lt}(f), \mathrm{lt}(g) \rangle$. We have $\mathrm{lt}(f) = X^3$ and $\mathrm{lt}(g) = Y^4$. Thus we have to show that $\mathrm{lt}(h)$ is divisible either by $X^3$ or by $Y^4$, for any $h \in I$. A polynomial $h \in I$ can be written as $h = af + bg = aX^3 + b(Y^4 - X^2 Y)$. If $\deg(a) > 1 + \deg(b)$, then $\mathrm{lm}(h) = \mathrm{lm}(a) X^3$. If $\deg(a) < 1 + \deg(b)$, then $\mathrm{lm}(h)$ is divisible by $Y^4$. If $\deg(a) = 1 + \deg(b)$ and $\mathrm{lm}(a) X^3 \ne \mathrm{lm}(b) Y^4$, then $\mathrm{lm}(h) = \mathrm{lm}(a) X^3$. If $\deg(a) = 1 + \deg(b)$ and $\mathrm{lm}(a) X^3 = \mathrm{lm}(b) Y^4$, then $\mathrm{lm}(h)$ is divisible by $X^3$.


Every ideal has a Gröbner basis. By doing some additional operations on the elements of a Gröbner basis, one can construct a reduced Gröbner basis. For the definition we refer to the literature. The reduced Gröbner basis of an ideal with respect to a given monomial order is unique.

There are several algorithms for computing Gröbner bases. Historically the first is Buchberger's algorithm [29] and its numerous improvements and optimizations, implemented in different computer algebra systems like for example SINGULAR [30], MAGMA [31] and CoCoA [32]. There are also the algorithms F4 and F5 [33, 34]. The algorithm F4 is implemented e.g. in MAGMA and FGb [35].

For solving systems of polynomial equations with the use of Gröbner bases we need the so-called elimination orders.

Definition 13.6. Let $S$ be some subset of the variables in $X$. A monomial order $>$ on $F[X]$ is called an elimination order with respect to $S$ if for all $f \in F[X]$, $\mathrm{lm}(f) \in F[X \setminus S]$ implies $f \in F[X \setminus S]$.

For example, the block order $(>_1, >_2)$ on $F[S, T]$ (with $S \subset X$ and $T = X \setminus S$), where $>_1$ is defined on $F[S]$ and $>_2$ is defined on $F[T]$, is an elimination order with respect to $S$. In particular, the lexicographic order is an elimination order with respect to any subset $S$ of $X$. Due to this property of the lexicographic order we have the following theorem, which can be obtained from the Elimination Theorem, p. 114, and the theorem about finiteness, p. 232, of [1]; see also p. 83 of [28].

Theorem 13.7. Let $f_1(X) = \cdots = f_m(X) = 0$ be a system of polynomial equations defined over $F[X]$ with $X = (X_1, \ldots, X_n)$, such that it has finitely many solutions in $\bar{F}^n$, where $\bar{F}$ is the algebraic closure of $F$. Let $I = \langle f_1, \ldots, f_m \rangle$ be the ideal defined by the polynomials in the system and let $G$ be a Gröbner basis for $I$ with respect to $>_{lp}$. Then there are elements $g_1, \ldots, g_n \in G$ such that

$$g_n \in F[X_n], \quad \mathrm{lt}(g_n) = c_n X_n^{m_n},$$

$$g_{n-1} \in F[X_{n-1}, X_n], \quad \mathrm{lt}(g_{n-1}) = c_{n-1} X_{n-1}^{m_{n-1}},$$

$$\ldots$$

$$g_1 \in F[X_1, \ldots, X_n], \quad \mathrm{lt}(g_1) = c_1 X_1^{m_1}.$$

It is clear how to solve the system now. After computing $G$, first solve the univariate equation $g_n(X_n) = 0$. Let $a^{(n)}_1, \ldots, a^{(n)}_{l_n}$ be its roots. For every $a^{(n)}_i$ then solve $g_{n-1}(X_{n-1}, a^{(n)}_i) = 0$ to find the possible values for $X_{n-1}$. Repeat this process until all the coordinates of all the solutions are found. Since the number of solutions is finite, this is always possible.

Remark 13.8. Usually, from the practical point of view, finding a Gröbner basis with respect to an elimination order is harder than with respect to some degree-refining order, like the degree reverse lexicographic order. Therefore a conversion technique like FGLM [36] comes in handy here. It enables one to convert a basis with respect to one order, for instance some degree-refining order, to another one, such as the lexicographic order. For solving, we actually need an elimination order, but sometimes it is possible to obtain a result with a degree order. More on that in Sec. 13.4.2, Theorem 13.34.

13.2.2. Notation

Let $C$ be a linear code over the field $\mathbb{F}_q$ with $q$ elements, of length $n$, dimension $k$ and minimum distance $d$. The parameters of $C$ are denoted by $[n, k, d]$ and its redundancy by $r = n - k$. The (true) error-correcting capacity $\lfloor (d-1)/2 \rfloor$ of the code is denoted by $e$. The code $C$ can be constructed via its generator matrix $G$, which is any matrix composed of a basis of vectors in $C$. Alternatively, one can see $C$ as the null-space of a parity-check matrix $H$, so $c \in C$ iff $H c^T = 0$. The code $C$ is cyclic if for every codeword $c = (c_0, \ldots, c_{n-1})$ in $C$ its cyclic shift $(c_{n-1}, c_0, \ldots, c_{n-2})$ is again a codeword in $C$. When working with cyclic codes, vectors are usually presented as polynomials. So $c$ is represented by the polynomial $c(x) = \sum_{i=0}^{n-1} c_i x^i$ with $x^n = 1$; more precisely, $c(x)$ is an element of the factor ring $\mathbb{F}_q[x]/\langle x^n - 1 \rangle$. Cyclic codes over $\mathbb{F}_q$ of length $n$ correspond one-to-one to ideals in this factor ring.

We assume for cyclic codes that $(q, n) = 1$. Let $F = \mathbb{F}_{q^m}$ be the splitting field of $X^n - 1$ over $\mathbb{F}_q$. Then $F$ has a primitive $n$-th root of unity, which will be denoted by $a$. A cyclic code is uniquely given by a defining set $S_C$, which is a subset of $\mathbb{Z}_n$ such that

$$c(x) \in C \text{ if } c(a^i) = 0 \text{ for all } i \in S_C.$$

The complete defining set of $C$ is the set of all $i \in \mathbb{Z}_n$ such that $c(a^i) = 0$ for all $c(x) \in C$. If $c(a^i) = 0$, then $c(a^{qi}) = (c(a^i))^q = 0$. Hence a defining set is complete if and only if it is invariant under multiplication by $q$. The cyclotomic set of a number $a \in \mathbb{Z}_n$ is the subset $Cl(a) := \{a q^i \bmod n \mid i \in \mathbb{N}\}$. A defining set is complete iff it is a disjoint union of some cyclotomic sets. The size of the complete defining set is equal to the redundancy $r = n - k$.

13.3. Decoding and finding minimum distance of cyclic codes

13.3.1. Cooper's philosophy and its development

In this subsection we give an overview of the so-called Cooper's philosophy or the power sums method (see Sec. 13.1). The idea here is basically to write parity check equations with unknowns for error positions and error values and then try to solve with respect to these unknowns by adding some natural restrictions on them.

If $i$ is in the defining set of $C$, then

$$(1, a^i, \ldots, a^{(n-1)i})\, c^T = c_0 + c_1 a^i + \cdots + c_{n-1} a^{(n-1)i} = c(a^i) = 0.$$


Hence $(1, a^i, \ldots, a^{(n-1)i})$ is a parity check of $C$. Let $\{i_1, \ldots, i_r\}$ be a defining set of $C$. Then a parity check matrix $H$ of $C$ can be represented as a matrix with entries in $F$:

$$H = \begin{pmatrix} 1 & a^{i_1} & a^{2i_1} & \cdots & a^{(n-1)i_1} \\ 1 & a^{i_2} & a^{2i_2} & \cdots & a^{(n-1)i_2} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & a^{i_r} & a^{2i_r} & \cdots & a^{(n-1)i_r} \end{pmatrix}.$$

Let $c$, $r$ and $e$ be the transmitted codeword, the received word and the error vector, respectively. Then $r = c + e$. Denote the polynomials corresponding to $c$, $r$ and $e$ by $c(x)$, $y(x)$ and $e(x)$, respectively. If we apply the parity check matrix to $r$, we obtain

$$s^T := H r^T = H(c^T + e^T) = H c^T + H e^T = H e^T,$$

since $H c^T = 0$, where $s$ is the so-called syndrome vector. Define $s_i = y(a^i)$ for all $i = 1, \ldots, n$. Then $s_i = e(a^i)$ for all $i$ in the complete defining set, and these $s_i$ are called the known syndromes. The remaining $s_i$ are called the unknown syndromes. The vector $s$ above has entries $s = (s_{i_1}, \ldots, s_{i_r})$. Let $t$ be the number of errors that occurred while transmitting $c$ over a noisy channel. If the error vector is of weight $t$, then it is of the form

$$e = (0, \ldots, 0, e_{j_1}, 0, \ldots, 0, e_{j_l}, 0, \ldots, 0, e_{j_t}, 0, \ldots, 0),$$

more precisely there are $t$ indices $j_l$ with $1 \le j_1 < \cdots < j_t \le n$ such that $e_{j_l} \ne 0$ for all $l = 1, \ldots, t$ and $e_j = 0$ for all $j$ not in $\{j_1, \ldots, j_t\}$. We obtain

$$s_{i_m} = y(a^{i_m}) = e(a^{i_m}) = \sum_{l=1}^{t} e_{j_l} (a^{i_m})^{j_l}, \quad 1 \le m \le r. \qquad (13.1)$$

The $a^{j_1}, \ldots, a^{j_t}$, but also the $j_1, \ldots, j_t$, are called the error locations, and the $e_{j_1}, \ldots, e_{j_t}$ are called the error values. Define $z_l = a^{j_l}$ and $y_l = e_{j_l}$. Then $z_1, \ldots, z_t$ are the error locations and $y_1, \ldots, y_t$ are the error values, and the syndromes in Eq. (13.1) become generalized power sum functions

$$s_{i_m} = \sum_{l=1}^{t} y_l z_l^{i_m}, \quad 1 \le m \le r. \qquad (13.2)$$

In the binary case the error values are $y_i = 1$, and the syndromes are the ordinary power sums.

Now we give a description of Cooper's philosophy [18]. As the receiver does not know how many errors occurred, the upper bound $t$ is replaced by the error-correcting capacity $e$ and some of the $z_l$ are allowed to be zero, while assuming that the number of errors is at most $e$. The following variables are introduced: $X_1, \ldots, X_r$, $Z_1, \ldots, Z_e$ and $Y_1, \ldots, Y_e$, where $X_j$ stands for the syndrome $s_j$, $1 \le j \le r$; $Z_l$ stands for the error location $z_l$ for $1 \le l \le t$, and for 0 when $t < l \le e$; and finally $Y_l$ stands for the error value $y_l$ for $1 \le l \le t$, and for any element of $\mathbb{F}_q$ when $t < l \le e$. The syndrome equations Eq. (13.1) are rewritten in terms of these variables as power sums:

$$f_u := \sum_{l=1}^{e} Y_l Z_l^{i_u} - X_u = 0, \quad 1 \le u \le r.$$

We also add some other equations in order to specify the range of values that can be achieved by our variables, namely

$$\varepsilon_j := X_j^{q^m} - X_j = 0, \quad 1 \le j \le r,$$

since $s_j \in F$;

$$\eta_i := Z_i^{n+1} - Z_i = 0, \quad 1 \le i \le e,$$

since the $a^{j_i}$ are either $n$-th roots of unity or zero; and

$$\lambda_i := Y_i^{q-1} - 1 = 0, \quad 1 \le i \le e,$$

since $y_l \in \mathbb{F}_q \setminus \{0\}$. We obtain the following set of polynomials in the variables $X = (X_1, \ldots, X_r)$, $Z = (Z_1, \ldots, Z_e)$ and $Y = (Y_1, \ldots, Y_e)$:

$$F_C = \{f_j, \varepsilon_j, \eta_i, \lambda_i : 1 \le j \le r,\ 1 \le i \le e\} \subset \mathbb{F}_q[X, Z, Y]. \qquad (13.3)$$

The zero-dimensional ideal $I_C$ generated by $F_C$ is called the CRHT-syndrome ideal associated to the code $C$, and the variety $V(F_C)$ defined by $F_C$ is called the CRHT-syndrome variety, after Chen, Reed, Helleseth and Truong, see [14, 16, 17]. We have $V(F_C) = V(I_C)$.

Initially, decoding of cyclic codes was essentially brought to finding the reduced Gröbner basis of the CRHT-ideal. It turned out that adding more polynomials to this ideal gives better results [19]. By adding the polynomials

$$\chi_{l,m} := Z_l Z_m\, p(n, Z_l, Z_m) = 0, \quad 1 \le l < m \le e,$$

to $F_C$, where

$$p(n, X, Y) = \frac{X^n - Y^n}{X - Y} = \sum_{i=0}^{n-1} X^i Y^{n-1-i}, \qquad (13.4)$$

we ensure that for all $l$ and $m$ either $Z_l$ and $Z_m$ are distinct or at least one of them is zero. The resulting set of polynomials is

$$F'_C := \{f_j, \varepsilon_j, \eta_i, \lambda_i, \chi_{l,m} : 1 \le j \le r,\ 1 \le i \le e,\ 1 \le l < m \le e\} \subset \mathbb{F}_q[X, Z, Y]. \qquad (13.5)$$

The ideal generated by $F'_C$ is denoted by $I'_C$. By investigating the structure of $I'_C$ and its reduced Gröbner basis with respect to the lexicographic order induced by $X_1 < \cdots < X_r < Z_e < \cdots < Z_1 < Y_1 < \cdots < Y_e$, the following result is proved, see [19, Theorems 6.8 and 6.9].


Theorem 13.9. Every cyclic code $C$ possesses a general error-locator polynomial $L_C$. That means that there exists a unique polynomial $L_C$ from $\mathbb{F}_q[X_1, \ldots, X_r, Z]$ that satisfies the following two properties:

• $L_C = Z^e + a_{t-1} Z^{e-1} + \cdots + a_0$ with $a_j \in \mathbb{F}_q[X_1, \ldots, X_r]$, $0 \le j \le e - 1$;

• given a syndrome $s = (s_1, \ldots, s_r) \in F^r$ corresponding to an error of weight $t \le e$ and error locations $\{k_1, \ldots, k_t\}$, if we evaluate $X_i = s_i$ for all $1 \le i \le r$, then the roots of $L_C(s, Z)$ are exactly $a^{k_1}, \ldots, a^{k_t}$ and 0 of multiplicity $e - t$, in other words

$$L_C(s, Z) = Z^{e-t} \prod_{i=1}^{t} (Z - a^{k_i}).$$

Such an error locator polynomial actually is an element of the reduced Gröbner basis of $I'_C$. Having this polynomial, decoding of the cyclic code $C$ reduces to univariate factorization. The main effort here is finding the reduced Gröbner basis of $I'_C$. In general this is infeasible already for moderate size codes, but for small codes it is possible to apply this technique successfully [37].

Example 13.10. As an example we consider finding the general error locator polynomial for a binary cyclic BCH code $C$ with parameters [15,7,5] that corrects 2 errors. This code has $\{1, 3\}$ as a defining set. So here $q = 2$, $m = 4$, $n = 15$. The field $\mathbb{F}_{16}$ is the splitting field of $X^{15} - 1$ over $\mathbb{F}_2$. During this example we show how the idea of Cooper's philosophy is applied. For a rigorous justification of the steps below, see [14, 16, 17, 19, 37]. In the above description we have to write equations for all syndromes that correspond to elements in the complete defining set. Note that we may write the equations only for the elements from the defining set $\{1, 3\}$, as all the others are just consequences of those. Following the description above we write the generators $F'_C$ of the ideal $I'_C$ in the ring $\mathbb{F}_{16}[X_1, X_2, Z_1, Z_2]$:

$$Z_1 + Z_2 - X_1, \quad Z_1^3 + Z_2^3 - X_2,$$

$$X_1^{16} - X_1, \quad X_2^{16} - X_2,$$

$$Z_1^{16} - Z_1, \quad Z_2^{16} - Z_2,$$

$$Z_1 Z_2\, p(15, Z_1, Z_2).$$

We suppress the equations $\lambda_1$ and $\lambda_2$ as the error values are over $\mathbb{F}_2$. In order to find the general error locator polynomial we compute the reduced Gröbner basis $G$ of the ideal $I'_C$ with respect to the lexicographic order induced by $X_1 < X_2 < Z_2 < Z_1$. The elements of $G$ are:

$$X_1^{16} + X_1,$$

$$X_2 X_1^{15} + X_2,$$

$$X_2^8 + X_2^4 X_1^{12} + X_2^2 X_1^3 + X_2 X_1^6,$$

$$Z_2 X_1^{15} + Z_2,$$

$$Z_2^2 + Z_2 X_1 + X_2 X_1^{14} + X_1^2,$$

$$Z_1 + Z_2 + X_1.$$


According to Theorem 6.8 (cf. [19]) the general error locator polynomial $L_C$ is then the unique element of $G$ of degree 2 with respect to $Z_2$. So $L_C \in \mathbb{F}_2[X_1, X_2, Z]$ is

$$L_C(X_1, X_2, Z) = Z^2 + Z X_1 + X_2 X_1^{14} + X_1^2.$$

Let us see how decoding using $L_C$ works. Let $r = (0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1)$ be a received word with at most 2 errors. In the field $\mathbb{F}_{16}$ with a primitive element $a$ such that $a^4 + a + 1 = 0$, $a$ is also a 15-th root of unity. Then the syndromes are $s_1 = a^2$, $s_3 = a$. Plug them into $L_C$ in place of $X_1$ and $X_2$ and obtain:

$$L_C(Z) = Z^2 + a^2 Z + a (a^2)^{14} + (a^2)^2 = Z^2 + a^2 Z + a^9.$$

Factorizing yields $L_C = (Z + a^3)(Z + a^6)$. According to Theorem 13.9, the exponents 3 and 6 are exactly the error locations minus 1, so the errors occurred on positions 4 and 7.

Consider another example. Let $r = (0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0)$ be a received word with at most 2 errors. The syndromes are now $s_1 = a^8$, $s_3 = a^9$. Plug them into $L_C$ in place of $X_1$ and $X_2$ and obtain:

$$L_C(Z) = Z^2 + a^8 Z + a^9 (a^8)^{14} + (a^8)^2 = Z^2 + a^8 Z.$$

Factorizing yields $L_C = Z(Z + a^8)$. Thus 1 error occurred according to Theorem 13.9, namely on position $8 + 1 = 9$.

This method can be adapted to correct erasures [19], and to find the minimum distance of a code [38]. The basic approach is as follows. We are working again with the cyclic code $C$ with parameters $[n, k, d]$ over $\mathbb{F}_q$. Let $w \le d$. Denote by $J_C(w)$ the set of equations Eq. (13.5) for $t = w$, with the variables $X_i$ set to zero and the equations $Z_i^{n+1} - Z_i = 0$ replaced by $Z_i^n - 1 = 0$. In the binary case we have the following result, which can be deduced from Theorem 3.3 and Corollary 3.4 of [38]:

Theorem 13.11. Let $C$ be a binary $[n, k, d]$ cyclic code with a defining set $S_C = \{i_1, \ldots, i_r\}$. Let $1 \le w \le n$ and let $J_C(w)$ denote the system:

$$Z_1^{i_1} + \cdots + Z_w^{i_1} = 0,$$

$$\ldots$$

$$Z_1^{i_v} + \cdots + Z_w^{i_v} = 0,$$

$$Z_1^n - 1 = 0,$$

$$\ldots$$

$$Z_w^n - 1 = 0,$$

$$p(n, Z_i, Z_j) = 0, \quad 1 \le i < j \le w.$$

Then the number of solutions of $J_C(w)$ is equal to $w!$ times the number of codewords of weight $w$. And for $1 \le w \le d$:

• either $J_C(w)$ has no solutions, which is equivalent to $w < d$,


• or $J_C(w)$ has some solutions, which is equivalent to $w = d$.

So, the method of finding the minimum distance is based on replacing the syndrome variables by zeros and then searching for solutions of the corresponding parametrized systems. In the previous theorem $J_C(w)$ is parametrized by $w$. We also mention the notion of accelerator polynomials. The idea is as follows. Since, when trying to find the minimum distance of a code, we are only interested in the question whether the corresponding system $J_C(w)$ has solutions or not, we may add some polynomials $A_C(w)$ with the property that if we enlarge our system $J_C(w)$ with these polynomials and the system $J_C(w)$ had some solutions, then the new system $A_C(w) \cup J_C(w)$ also has some solutions. So not all solutions are lost. In [39] it is shown how to choose such polynomials $A_C(w)$, so that solving the system $A_C(w) \cup J_C(w)$ takes less time than solving $J_C(w)$.

It is possible to adapt the method to finding codewords of a certain weight, and thus the weight enumerator of a given code.

Example 13.12. As an example application of Theorem 13.11 we show how to determine the minimum distance of the cyclic code $C$ from Example 13.10. This binary cyclic code $C$ has parameters [15,7] and has the defining set $\{1, 3\}$, so the assumptions of Theorem 13.11 are satisfied. We have to look at all systems $J_C(w)$ starting from $w = 1$, until we encounter a system which has some solutions. The system $J_C(w)$ is

$$Z_1 + \cdots + Z_w = 0,$$

$$Z_1^3 + \cdots + Z_w^3 = 0,$$

$$Z_1^{15} - 1 = 0,$$

$$\ldots$$

$$Z_w^{15} - 1 = 0,$$

$$p(15, Z_i, Z_j) = 0, \quad 1 \le i < j \le w.$$

For $w = 1, \ldots, 4$ the reduced Gröbner basis of $J_C(w)$ is $\{1\}$, so there are no solutions. For $J_C(5)$ the reduced Gröbner basis with respect to the lexicographic order is

$$Z_5^{15} + 1,$$

$$Z_4^{12} + Z_4^9 Z_5^3 + Z_4^6 Z_5^6 + Z_4^3 Z_5^9 + Z_5^{12},$$

$$Z_3^6 + Z_3^4 Z_4 Z_5 + Z_3^2 Z_4^2 Z_5^2 + Z_3 Z_4^4 Z_5 + Z_3 Z_4 Z_5^4 + Z_4^6 + Z_5^6,$$

$$g_2(Z_2, Z_3, Z_4, Z_5),$$

$$Z_1 + Z_2 + Z_3 + Z_4 + Z_5.$$


Here $g_2(Z_2, Z_3, Z_4, Z_5)$ is equal to

$$\begin{aligned}
& Z_2^2 + Z_2 Z_3 + Z_2 Z_4 + Z_2 Z_5 + Z_3^5 Z_4^{10} Z_5^2 + Z_3^5 Z_4^9 Z_5^3 \\
& + Z_3^5 Z_4^8 Z_5^4 + Z_3^5 Z_4^4 Z_5^8 + Z_3^5 Z_4^3 Z_5^9 + Z_3^5 Z_4^2 Z_5^{10} \\
& + Z_3^4 Z_4^{11} Z_5^2 + Z_3^4 Z_4^8 Z_5^5 + Z_3^4 Z_4^5 Z_5^8 + Z_3^4 Z_4^2 Z_5^{11} \\
& + Z_3^3 Z_4^{10} Z_5^4 + Z_3^3 Z_4^9 Z_5^5 + Z_3^3 Z_4^8 Z_5^6 + Z_3^3 Z_4^4 Z_5^{10} \\
& + Z_3^3 Z_4^3 Z_5^{11} + Z_3^3 Z_4^2 Z_5^{12} + Z_3^3 Z_5^{14} + Z_3^2 Z_4^{11} Z_5^4 \\
& + Z_3^2 Z_4^8 Z_5^7 + Z_3^2 Z_4^5 Z_5^{10} + Z_3^2 Z_4^2 Z_5^{13} + Z_3^2 Z_4 Z_5^{14} \\
& + Z_3^2 + Z_3 Z_4^{10} Z_5^6 + Z_3 Z_4^9 Z_5^7 + Z_3 Z_4^8 Z_5^8 + Z_3 Z_4^4 Z_5^{12} \\
& + Z_3 Z_4^3 Z_5^{13} + Z_3 Z_4 + Z_4^{11} Z_5^6 + Z_4^8 Z_5^9 + Z_4^5 Z_5^{12} + Z_4^3 Z_5^{14} + Z_4^2 .
\end{aligned}$$

Already the fact that the Gröbner basis of $J_C(5)$ is not $\{1\}$ shows that there is a solution. Theorem 13.7 gives all solutions explicitly. We show how to obtain one solution here. Namely, we know already that $a^{15} + 1 = 0$, where $a$ is a primitive element of $\mathbb{F}_{16}$, so set $Z_5 = a$ and the first equation is satisfied. Substituting $Z_5 = a$ into the second equation, we have $Z_4^{12} + a^3 Z_4^9 + a^6 Z_4^6 + a^9 Z_4^3 + a^{12} = 0$. Factorizing yields that $Z_4 = 1$ is one of the roots. Substitute $Z_5 = a$, $Z_4 = 1$ into the third equation. We have $Z_3^6 + a Z_3^4 + a^2 Z_3^2 + Z_3 + a^{13} = 0$. Factorizing yields that $Z_3 = a^2$ is one of the roots. Substitute $Z_5 = a$, $Z_4 = 1$, $Z_3 = a^2$ into the third equation. We have $Z_2^2 + a^{10} Z_2 + a^7 = 0$. Here $Z_2 = a^9$ is one of the roots. Finally, substitute $Z_5 = a$, $Z_4 = 1$, $Z_3 = a^2$, $Z_2 = a^9$ into the last equation. We obtain that $Z_1 = a^{13}$. Thus we have proved that the system $J_C(5)$ has a solution, and thus the minimum distance of $C$ is 5, which coincides with what we had in Example 13.10. Note that the BCH bound yields $d(C) \ge 5$, so in fact it was necessary to consider only $J_C(5)$. Here it is possible to count the number of roots. Due to the equations $Z_1^{15} - 1 = 0, \ldots, Z_5^{15} - 1 = 0$ and the fact that $\mathbb{F}_{16}$ is the splitting field of $X^{15} - 1$, the number of solutions is just the product of the degrees of the leading terms of the elements in the Gröbner basis above. This number is $15 \cdot 12 \cdot 6 \cdot 2 \cdot 1 = 2160$. Dividing this number by $5!$ yields the number of minimum weight codewords: 18.

We mention that the first use of Gröbner bases in finding the minimum distance appears to be in [40].
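The two examples above can be checked end to end without a computer algebra system. The following Python is an added worked example and is not code from the chapter: it builds $\mathbb{F}_{16}$ from $a^4 + a + 1 = 0$ as in Example 13.10, decodes the two received words there with the quoted $L_C$ (its roots are found by trying all 16 field elements, since $L_C$ has degree $e = 2$), and for Example 13.12 it checks that the solution $Z = (a^{13}, a^9, a^2, 1, a)$ of $J_C(5)$ is the support of a weight-5 codeword and recovers $d = 5$ and the 18 minimum-weight codewords by enumerating the code directly, the brute-force counterpart of the count $w! \cdot A_w$ in Theorem 13.11. The position convention (a non-zero root $a^j$ marks position $j + 1$) is the one used in Example 13.10.

```python
# Added example (not code from the chapter): decoding the binary [15,7,5] BCH code
# of Example 13.10 with the general error-locator polynomial L_C quoted there, and
# checking the minimum distance and the count of weight-5 codewords of Example 13.12
# by enumerating the code directly instead of solving J_C(w).
from itertools import product

N = 15                      # code length, also the order of the primitive element a
DEFINING_SET = (1, 3)       # the code's defining set S_C from Example 13.10

# GF(16) = F_2[a] / (a^4 + a + 1), elements stored as 4-bit integers, a = 0b0010.
EXP = [0] * N               # EXP[i] = a^i
LOG = {}                    # LOG[a^i] = i (undefined for 0)
_x = 1
for _i in range(N):
    EXP[_i], LOG[_x] = _x, _i
    _x <<= 1
    if _x & 0b10000:
        _x ^= 0b10011       # reduce modulo a^4 + a + 1


def gf_mul(u, v):
    return 0 if u == 0 or v == 0 else EXP[(LOG[u] + LOG[v]) % N]


def gf_pow(u, k):
    return 0 if u == 0 else EXP[(LOG[u] * k) % N]


def syndrome(word, i):
    """s_i = word(a^i): evaluate the binary word as a polynomial at a^i (addition is XOR)."""
    s = 0
    for p, bit in enumerate(word):
        if bit:
            s ^= EXP[(i * p) % N]
    return s


def locator_roots(s1, s3):
    """Roots in GF(16) of L_C(s, Z) = Z^2 + s_1 Z + s_3 s_1^14 + s_1^2, the L_C of
    Example 13.10, found by trying every field element (no factorization needed)."""
    c0 = gf_mul(s3, gf_pow(s1, 14)) ^ gf_mul(s1, s1)
    return [z for z in range(16) if gf_mul(z, z) ^ gf_mul(s1, z) ^ c0 == 0]


def decode(received):
    """Return (error positions, corrected word). A non-zero root a^j marks position
    j + 1 (positions counted from 1, as in the chapter); a root 0 means one error fewer."""
    s1, s3 = syndrome(received, 1), syndrome(received, 3)
    positions = sorted(LOG[z] + 1 for z in locator_roots(s1, s3) if z != 0)
    corrected = list(received)
    for p in positions:
        corrected[p - 1] ^= 1
    return positions, corrected


def is_codeword(word):
    """c is in C iff c(a^i) = 0 for every i in the defining set (Sec. 13.2.2)."""
    return all(syndrome(word, i) == 0 for i in DEFINING_SET)


def weight_distribution():
    """Enumerate all 2^15 binary words and keep the codewords; A_w is the number of
    codewords of weight w. By Theorem 13.11, J_C(w) then has w! * A_w solutions."""
    dist = {}
    for word in product((0, 1), repeat=N):
        if is_codeword(word):
            w = sum(word)
            dist[w] = dist.get(w, 0) + 1
    return dist


if __name__ == "__main__":
    # The two received words of Example 13.10.
    print(decode([0, 1, 1, 0, 1, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1])[0])
    print(decode([0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, 0])[0])
    # The J_C(5) solution of Example 13.12, Z = (a^13, a^9, a^2, 1, a), read as the
    # support {0, 1, 2, 9, 13}: it must be a codeword of weight 5.
    print(is_codeword([1 if j in (0, 1, 2, 9, 13) else 0 for j in range(N)]))
    dist = weight_distribution()
    print(min(w for w in dist if w > 0), dist[5])
```

The enumeration of all $2^{15}$ words stands in for the Gröbner basis computation of $J_C(w)$; it is only feasible because the code is tiny, which is exactly the regime in which the chapter says the Gröbner approach is also practical.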

13.3.2. Newton identities based method

The error-locator polynomial is defined by

σ(Z) =

t∏l=1

(Z − zl).

If this product is expanded

σ(Z) = Zt + σ1Zt−1 + · · ·+ σt−1Z + σt,

Page 12: Chapter 13 Decoding and nding the minimum distance with Gr ...ruudp/paper/55.pdf4 S. Bulygin and R. Pellikaan Every ideal has a Gr obner basis. By doing some additional operations

May 3, 2013 15:21 World Scientific Review Volume - 9.75in x 6.5in handbook

12 S. Bulygin and R. Pellikaan

then the coefficients σi are the elementary symmetric functions in the error locations

z1, . . . , zt.

σi = (−1)i∑

1≤j1<j2<···<ji≤t

zj1zj2 . . . zji , 1 ≤ i ≤ t,

The decoding of cyclic codes up to half the BCH distance is well known from Peterson [6] in the binary case, Gorenstein and Zierler [41] for arbitrary $q$ and independently Arimoto [3], and goes as follows. The syndromes $s_i$ and the coefficients $\sigma_i$ satisfy the following generalized Newton identities [6].

Theorem 13.13.
$$s_i + \sum_{j=1}^{t} \sigma_j s_{i-j} = 0, \quad \text{for all } i \in \mathbb{Z}_n. \tag{13.6}$$

Now suppose that the complete defining set of the cyclic code contains the $2t$ consecutive elements $b, \ldots, b + 2t - 1$ for some $b$. Then $d \ge 2t + 1$ by the BCH bound. Furthermore the set of equations (13.6) for $i = b + t, \ldots, b + 2t - 1$ is a system of $t$ linear equations in the unknowns $\sigma_1, \ldots, \sigma_t$ with the known syndromes $s_b, \ldots, s_{b+2t-1}$ as coefficients. Gaussian elimination solves this system with complexity $O(n^3)$. In this way we obtain the APGZ decoding algorithm, named after Arimoto, Peterson, Gorenstein and Zierler.

Example 13.14. We consider the same example that was considered in [10], namely the binary 3-error correcting cyclic code of length 31 and dimension 16 with defining set $\{1, 5, 7\}$. This code is actually a quadratic residue code and has parameters $[31, 16, 7]$. The splitting field of $X^{31} - 1$ over $\mathbb{F}_2$ is $\mathbb{F}_{32}$ with a primitive 31-th root of unity $a$ such that $a^5 + a^2 + 1 = 0$. Note that $\mathbb{Z}_{31}$ is a disjoint union of the cyclotomic classes of 1, 3, 5, 7, 11 and 15. That is to say, if $i$ is in the defining set then $2i$ is in the complete defining set. The cyclotomic class of 1 is $\{1, 2, 4, 8, 16\}$, of 5 is $\{5, 10, 20, 9, 18\}$ and of 7 is $\{7, 14, 28, 25, 19\}$. Hence the complete defining set of $C$ is $\{1, 2, 4, 5, 7, 8, 9, 10, 14, 16, 18, 19, 20, 25, 28\}$. It has 7, 8, 9, 10 as four consecutive elements. Hence the BCH bound is 5 and with the APGZ algorithm we are able to correct two errors.

Let
$$r = (0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1)$$
be a received word with at most two errors. So the known syndromes from the defining set are $s_1 = a^{13}$, $s_5 = a^{23}$, $s_7 = a^{16}$. From this we can compute $s_8 = s_1^8 = a^{11}$, $s_9 = s_5^8 = a^{29}$, $s_{10} = s_5^2 = a^{15}$. The corresponding APGZ linear system is then
$$\begin{cases} a^{29} + a^{11}\sigma_1 + a^{16}\sigma_2 = 0, \\ a^{15} + a^{29}\sigma_1 + a^{11}\sigma_2 = 0. \end{cases}$$
This system has the unique solution $\sigma_1 = a^{13}$, $\sigma_2 = a^{10}$. The corresponding error locator polynomial is $\sigma(Z) = Z^2 + a^{13} Z + a^{10}$, which has the roots $a^3$ and $a^7$, so the error positions are 4 and 8. So
$$c = (0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1)$$
is the nearest codeword.

Suppose that $\{1, \ldots, 2t\} \subset S_C$. Define the syndrome polynomial $S(Z)$ by
$$S(Z) = \sum_{i=1}^{2t} s_i Z^{i-1}.$$
The Newton identities can be reformulated as the key equation
$$\sigma(Z) S(Z) \equiv \omega(Z) \bmod Z^{2t} \tag{13.7}$$
for some polynomial $\omega(Z)$ such that $\deg(\omega(Z)) < \deg(\sigma(Z))$. The key equation is solved by the algorithm of Berlekamp-Massey [4, 5] and by a variant of the Euclidean algorithm due to Sugiyama et al. [7]. Here $\omega(Z)$ is called the error evaluator polynomial and is used to calculate the error values by Forney's formula [42, Theorem 25, p. 246]. Both these algorithms are of prime importance in applications. They are more efficient than solving the system of linear equations, and are basically equivalent [43], although one might prefer one over the other depending on the application and the actual implementation.

All these algorithms decode up to the BCH error-correcting capacity, which is often strictly smaller than the true capacity. A general method was outlined by Berlekamp [4, pp. 231-240], Tzeng, Hartmann and Chien [44] and Stevens [45], where the unknown syndromes were treated as variables. We have
$$s_{i+n} = s_i, \quad \text{for all } i \in \mathbb{Z}_n,$$
since $s_{i+n} = y(a^{i+n}) = y(a^i)$. Furthermore
$$s_i^q = (e(a^i))^q = e(a^{iq}) = s_{qi}, \quad \text{for all } i \in \mathbb{Z}_n,$$
and
$$\sigma_i^{q^m} = \sigma_i, \quad \text{for all } 1 \le i \le t.$$
So the zeros of the following set of polynomials $\mathrm{Newton}_t$ in the variables $S_1, \ldots, S_n$ and $\sigma_1, \ldots, \sigma_t$ are considered, see Augot et al. [8, 9]:
$$\mathrm{Newton}_t = \begin{cases} \sigma_i^{q^m} - \sigma_i, & \text{for all } 1 \le i \le t, \\ S_{i+n} - S_i, & \text{for all } i \in \mathbb{Z}_n, \\ S_i^q - S_{qi}, & \text{for all } i \in \mathbb{Z}_n, \\ S_i + \sum_{j=1}^{t} \sigma_j S_{i-j}, & \text{for all } i \in \mathbb{Z}_n. \end{cases} \tag{13.8}$$
It is this method of treating the unknown syndromes as variables that we generalize to arbitrary linear codes in Sec. 13.4.2.

Solutions of $\mathrm{Newton}_t$ are called generic, formal or one-step, and this is considered as a preprocessing phase which has to be performed only once. For the actual decoder, for every received word $r$ the variables $S_i$ are specialized to the actual values $s_i(r)$ for $i \in S_C$. Alternatively one can solve $\mathrm{Newton}_t$ together with the polynomials $S_i - s_i(r)$ for $1 \le i \le 2t$. This is called online decoding.

Example 13.15. Let us consider an example of decoding using Newton identities in a case where the APGZ algorithm is not applicable. We consider the same 3-error correcting cyclic code of length 31 with defining set $\{1, 5, 7\}$ as in Example 13.14. This time we are aiming at correcting three errors. Let us write the corresponding ideal:
$$\begin{array}{l} \sigma_1 S_{31} + \sigma_2 S_{30} + \sigma_3 S_{29} + S_1, \\ \sigma_1 S_1 + \sigma_2 S_{31} + \sigma_3 S_{30} + S_2, \\ \sigma_1 S_2 + \sigma_2 S_1 + \sigma_3 S_{31} + S_3, \\ \sigma_1 S_{i-1} + \sigma_2 S_{i-2} + \sigma_3 S_{i-3} + S_i, \quad 4 \le i \le 31, \\ \sigma_i^{32} + \sigma_i, \quad i = 1, 2, 3, \\ S_{i+31} + S_i, \quad \text{for all } i \in \mathbb{Z}_{31}, \\ S_i^2 + S_{2i}, \quad \text{for all } i \in \mathbb{Z}_{31}. \end{array}$$
Note that the equations $S_{i+31} = S_i$ and $S_i^2 = S_{2i}$ imply
$$\begin{array}{llll} S_1^2 + S_2, & S_1^4 + S_4, & S_1^8 + S_8, & S_1^{16} + S_{16}, \\ S_5^2 + S_{10}, & S_5^4 + S_{20}, & S_5^8 + S_9, & S_5^{16} + S_{18}, \\ S_7^2 + S_{14}, & S_7^4 + S_{28}, & S_7^8 + S_{25}, & S_7^{16} + S_{19}, \\ S_3^2 + S_6, & S_3^4 + S_{12}, & S_3^8 + S_{24}, & S_3^{16} + S_{17}, \\ S_{11}^2 + S_{22}, & S_{11}^4 + S_{13}, & S_{11}^8 + S_{26}, & S_{11}^{16} + S_{21}, \\ S_{15}^2 + S_{30}, & S_{15}^4 + S_{29}, & S_{15}^8 + S_{27}, & S_{15}^{16} + S_{23}, \\ S_{31}^2 + S_{31}. \end{array}$$
Our intent is to write $\sigma_1, \sigma_2, \sigma_3$ in terms of the known syndromes $S_1, S_5, S_7$. The next step would be to compute the reduced Gröbner basis of this system with respect to some elimination order induced by $S_{31} > \cdots > S_8 > S_6 > S_4 > \cdots > S_2 > \sigma_1 > \sigma_2 > \sigma_3 > S_7 > S_5 > S_1$. Unfortunately the computation is quite time consuming and the result is too huge to illustrate the idea. Rather, we do online decoding, i.e. compute the syndromes $S_1, S_5, S_7$, plug the values into the system and then find the $\sigma$'s.

Let
$$r = (0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1)$$
be a received word with at most three errors. So the known syndromes we need are $s_1 = a^5$, $s_5 = a^8$ and $s_7 = a^{26}$. Substitute these values into the system above and compute the reduced Gröbner basis of the system. The reduced Gröbner basis with respect to the degree reverse lexicographic order (here it is possible to go without an elimination order, see Remark 13.8) restricted to the variables $\sigma_1, \sigma_2, \sigma_3$ is
$$\sigma_3 + a^4, \quad \sigma_2 + a^5, \quad \sigma_1 + a^5.$$
The corresponding values of the $\sigma$'s give rise to the error locator polynomial
$$\sigma(Z) = Z^3 + a^5 Z^2 + a^5 Z + a^4.$$
Factoring this polynomial yields three roots, $a^3, a^7, a^{25}$, which indicate the error positions.

Note also that we could have worked only with the equations for $S_1, S_5, S_7, S_3, S_{11}, S_{15}, S_{31}$, but the Gröbner basis computation is harder then: on our computer it took 8 times longer.

Another way of finding the error locator polynomial $\sigma(Z)$ in the binary case is described in [10]. In this case the error values are 1 and the $S_i$, $i \in S_C$, are power sums of the error positions and therefore symmetric under all permutations of these positions. Hence $S_i$ is equal to a polynomial $w_i(\sigma_1, \ldots, \sigma_t)$. These $w_i$'s are known as Waring functions. By considering the ideal generated by the polynomials
$$S_i - w_i(\sigma_1, \ldots, \sigma_t), \quad i \in S_C,$$
Augot et al. were able to prove the unicity theorem for the solution $(\sigma_1^*, \ldots, \sigma_t^*)$ when the $S_i$'s are assigned the concrete values of the syndromes. Here the authors prefer online decoding to formal decoding, that is, they specialize some variables $S_i$ to specific values before any Gröbner basis computation. This approach demonstrates pretty good performance in practice, but it lacks theoretical explanations of several tricks the authors used. Further treatment of this approach is in [46].

13.4. Decoding and finding minimum distance of arbitrary linear codes

13.4.1. Decoding affine variety codes

The method proposed by Fitzgerald and Lax [47, 48] generalizes Cooper's philosophy to arbitrary linear codes. In this approach the main notion is the affine variety code. Let $I = \langle g_1, \ldots, g_m \rangle \subseteq \mathbb{F}_q[X_1, \ldots, X_s]$ be an ideal. Define $I_q := I + \langle X_1^q - X_1, \ldots, X_s^q - X_s \rangle$. So $I_q$ is a 0-dimensional ideal. Define also $V(I_q) =: \{P_1, \ldots, P_n\}$. The claim [48] is that every $q$-ary linear code $C$ with parameters $[n, k]$ can be seen as an affine variety code $C(I, L)$, that is, the image of a vector space $L$ under the evaluation map
$$\phi : R \to \mathbb{F}_q^n, \quad \bar{f} \mapsto (f(P_1), \ldots, f(P_n)),$$
where $R := \mathbb{F}_q[U_1, \ldots, U_s]/I_q$, $L$ is a vector subspace of $R$ and $\bar{f}$ is the coset of $f$ in $\mathbb{F}_q[U_1, \ldots, U_s]$ modulo $I_q$. In order to obtain this description we do the following. Given a $q$-ary $[n, k]$ code $C$ with a generator matrix $G = (g_{ij})$, we choose $s$ such that $q^s \ge n$, and construct $n$ distinct points $P_1, \ldots, P_n$ in $\mathbb{F}_q^s$. Then there is an algorithm [49] that produces a Gröbner basis $\{g_1, \ldots, g_m\}$ for the ideal $I$ of polynomials from $\mathbb{F}_q[X_1, \ldots, X_s]$ that vanish at the points $P_1, \ldots, P_n$. Then denote by $\xi_i \in \mathbb{F}_q[X_1, \ldots, X_s]$ a polynomial that assumes the value 1 at $P_i$ and 0 at all other $P_j$. The linear combinations $f_i = \sum_{j=1}^{n} g_{ij} \xi_j$ constitute the set $L$, so that $g_{ij} = f_i(P_j)$. In this way we obtain that the code $C$ is the image of the evaluation map above, so $C = C(I, L)$. In the same way, by considering a parity check matrix instead of a generator matrix, we obtain that the dual code is also an affine variety code.

The method of decoding is analogous to the one of CRHT, with the generalization that along with the polynomials of type Eq. (13.3) one needs to add the polynomials $(g_l(X_{k1}, \ldots, X_{ks}))_{l = 1, \ldots, m;\ k = 1, \ldots, t}$ for every error position. Namely, let $C$ be a $q$-ary $[n, k]$ linear code such that its dual is written as an affine variety code of the form $C^\perp = C(I, L)$, where
$$I = \langle g_1, \ldots, g_m \rangle \subseteq \mathbb{F}_q[X_1, \ldots, X_s], \quad L = \{f_1, \ldots, f_{n-k}\}, \quad V(I_q) = \{P_1, \ldots, P_n\}.$$
Let $r = (r_1, \ldots, r_n)$ be a received word with error vector $e = (e_1, \ldots, e_n)$, $r = c + e$, with $t$ errors. Then the syndromes are computed by
$$s_i = \sum_{j=1}^{n} r_j f_i(P_j) = \sum_{j=1}^{n} e_j f_i(P_j) \quad \text{for } i = 1, \ldots, n - k.$$
Now consider the ring $\mathbb{F}_q[X_{11}, \ldots, X_{1s}, \ldots, X_{t1}, \ldots, X_{ts}, E_1, \ldots, E_t]$, where $(X_{i1}, \ldots, X_{is})$ corresponds to the $i$-th error position and $E_i$ to the $i$-th error value. Consider the ideal $I_C$ generated by
$$\begin{array}{ll} \sum_{j=1}^{t} E_j f_i(X_{j1}, \ldots, X_{js}) - s_i, & 1 \le i \le n - k, \\ g_l(X_{j1}, \ldots, X_{js}), & 1 \le l \le m,\ 1 \le j \le t, \\ E_k^{q-1} - 1, & 1 \le k \le t. \end{array}$$
Note that $X_{ij}^q - X_{ij} \in I_C$ for all $1 \le i \le t$, $1 \le j \le s$. The order $<$ is defined as follows. It is the block order $(<_1, <_2)$, where $<_1$ is the lexicographic order induced by $X_{11} < \cdots < X_{1s} < E_1$ and $<_2$ is any (e.g. degree reverse lexicographic) order on the variables $X_{21}, \ldots, X_{2s}, E_2, \ldots, X_{t1}, \ldots, X_{ts}, E_t$. We impose a lexicographic order only on the first error variables, as there is a symmetry group acting on the solutions, so we are interested only in the solutions for the first coordinates. They will in turn give solutions for all the coordinates by symmetry. Then Theorem 2.2 from [48] states:

Theorem 13.16. Let $G$ be the reduced Gröbner basis for $I_C$ with respect to the order $<$. Then we may solve for the error locations and values by applying elimination theory to the polynomials in $G$.

In general, finding $I$ and $L$ is quite technical, and it turns out that for random codes this method performs quite poorly because of the complicated structure of $I_C$. As in Sec. 13.3.1 it is possible to replace the syndromes with variables, but the ideal then becomes even more complicated. We consider an application of the method to Hermitian codes, as is done in [48].

Example 13.17. Consider the Hermitian function field defined by $Y^2 + Y + X^3 = 0$ over $\mathbb{F}_4$ with a primitive element $a$ such that $a^2 + a + 1 = 0$. Let $C$ be the 4-ary $[8, 3, 5]$ Hermitian code. It is orthogonal to the $[8, 5, 3]$ Hermitian code defined by $L = \{1, X, Y, X^2, XY\}$. Choose $s = 2$, so that $4^2 > 8$, and the points
$$P_1 = (0, 0),\ P_2 = (0, 1),\ P_3 = (1, a),\ P_4 = (1, a^2),\ P_5 = (a, a),\ P_6 = (a, a^2),\ P_7 = (a^2, a),\ P_8 = (a^2, a^2).$$
Denote $I = \langle Y^2 + Y + X^3 \rangle$. Then $C^\perp = C(I, L)$. The parity check matrix for $C$ is
$$H = \begin{pmatrix} 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 & a & a & a^2 & a^2 \\ 0 & 1 & a & a^2 & a & a^2 & a & a^2 \\ 0 & 0 & 1 & 1 & a^2 & a^2 & a & a \\ 0 & 0 & a & a^2 & a^2 & 1 & 1 & a \end{pmatrix}.$$
Let $r = (1, 1, 0, a, a^2, a^2, a, 1)$ be a received word with at most two errors. The corresponding syndrome is $s = (1, 0, a^2, a^2, 0)$. So the ideal $I_C$ in $\mathbb{F}_4[X_1, Y_1, E_1, X_2, Y_2, E_2]$ is generated by
$$\begin{array}{l} X_1^4 + X_1, \quad X_2^4 + X_2, \\ Y_1^4 + Y_1, \quad Y_2^4 + Y_2, \\ E_1^3 + 1, \quad E_2^3 + 1, \\ Y_1^2 + Y_1 + X_1^3, \quad Y_2^2 + Y_2 + X_2^3, \\ E_1 + E_2 + 1, \\ E_1 X_1 + E_2 X_2, \\ E_1 Y_1 + E_2 Y_2 + a^2, \\ E_1 X_1^2 + E_2 X_2^2 + a^2, \\ E_1 X_1 Y_1 + E_2 X_2 Y_2. \end{array}$$
We are working with the block order $(<_1, <_2)$ induced by $X_1 < Y_1 < E_1 < X_2 < Y_2 < E_2$, where $<_1$ is the lexicographic order induced by $X_1 < Y_1 < E_1$, and $<_2$ is the degree reverse lexicographic order induced by $X_2 < Y_2 < E_2$. The reduced Gröbner basis $G$ of $I_C$ with respect to this order is
$$\begin{array}{l} X_1^2 + a X_1 + a^2, \\ Y_1 + a^2, \\ E_1 + a^2 X_1 + 1, \\ X_2 + X_1 + a, \\ Y_2 + a^2, \\ E_2 + a^2 X_1. \end{array}$$
Solving the first equation $X_1^2 + a X_1 + a^2 = 0$ gives the $X$-coordinates of the two error positions. They are $1$ and $a^2$. Substituting further, we obtain the error positions $(1, a^2)$ and $(a^2, a^2)$, that is positions 4 and 8 in our numeration, and the corresponding error values $a$ and $a^2$, respectively. Hence $c = (1, 1, 0, 0, a^2, a^2, a, a)$ is the codeword sent.

We mention that there are generalizations of the approach of Fitzgerald and Lax which follow the same idea as the generalizations of the CRHT-ideal. Namely, one adds the polynomials that ensure that the error locations are different. For more details, see [22]. There it is also proven that affine variety codes possess the so-called multi-dimensional general error-locator polynomial, which is a generalization of the general error locator polynomial from Sec. 13.3.1.

13.4.2. The method of quadratic equations

In this subsection we propose a new method of decoding and finding the minimum distance of arbitrary linear codes that is based on solving a system of quadratic equations. In a sense we generalize the ideas from Sec. 13.3.2 by trying to find unknown syndromes, although the meaning of this term is different in our setting. Most of the results with proofs can be found in [50].

Let $\mathbf{b}_1, \ldots, \mathbf{b}_n$ be a basis of $\mathbb{F}_q^n$. Now $B$ is the $n \times n$ matrix with $\mathbf{b}_1, \ldots, \mathbf{b}_n$ as rows.

Definition 13.18. The (unknown) syndrome $\mathbf{u}(B, \mathbf{e})$ of a word $\mathbf{e}$ with respect to $B$ is the column vector $\mathbf{u}(B, \mathbf{e}) = B \mathbf{e}^T$. It has entries $u_i(B, \mathbf{e}) = \mathbf{b}_i \cdot \mathbf{e}$ for $i = 1, \ldots, n$. The abbreviations $\mathbf{u}(\mathbf{e})$ and $u_i(\mathbf{e})$ are used for $\mathbf{u}(B, \mathbf{e})$ and $u_i(B, \mathbf{e})$, respectively.

Remark 13.19. The matrix $B$ is invertible, since its rank is $n$. The syndrome $\mathbf{u}(B, \mathbf{e})$ determines the vector $\mathbf{e}$ uniquely, since
$$B^{-1} \mathbf{u}(B, \mathbf{e}) = B^{-1} B \mathbf{e}^T = \mathbf{e}^T.$$

Our idea is the following: for an error vector $\mathbf{e}$, find its vector of unknown syndromes with respect to some specific basis with matrix $B$. Then finding $\mathbf{e}$ itself is straightforward.

Definition 13.20. Define the coordinatewise star product of two vectors $\mathbf{x}, \mathbf{y} \in \mathbb{F}_q^n$ by $\mathbf{x} * \mathbf{y} = (x_1 y_1, \ldots, x_n y_n)$. Then $\mathbf{b}_i * \mathbf{b}_j$ is a linear combination of the basis vectors $\mathbf{b}_1, \ldots, \mathbf{b}_n$, so there are constants $\mu_{ij}^l \in \mathbb{F}_q$ such that
$$\mathbf{b}_i * \mathbf{b}_j = \sum_{l=1}^{n} \mu_{ij}^l \mathbf{b}_l.$$
The elements $\mu_{ij}^l \in \mathbb{F}_q$ are called the structure constants of the basis $\mathbf{b}_1, \ldots, \mathbf{b}_n$.

Definition 13.21. Define the $n \times n$ matrix of (unknown) syndromes $U(\mathbf{e}) = (u_{ij}(\mathbf{e}))_{1 \le i, j \le n}$ of a word $\mathbf{e}$ by $u_{ij}(\mathbf{e}) = (\mathbf{b}_i * \mathbf{b}_j) \cdot \mathbf{e}$.

Remark 13.22. The relation between the entries of the matrix $U(\mathbf{e})$ and the vector $\mathbf{u}(\mathbf{e})$ of unknown syndromes is given by
$$u_{ij}(\mathbf{e}) = \sum_{l=1}^{n} \mu_{ij}^l u_l(\mathbf{e}).$$

Definition 13.23. Let $\mathbf{b}_1, \ldots, \mathbf{b}_n$ be a basis of $\mathbb{F}_q^n$. Let $B_s$ be the $s \times n$ matrix with $\mathbf{b}_1, \ldots, \mathbf{b}_s$ as rows; then $B = B_n$. We say that $\mathbf{b}_1, \ldots, \mathbf{b}_n$ is an ordered MDS basis and $B$ an MDS matrix if all the $s \times s$ submatrices of $B_s$ have rank $s$ for all $s = 1, \ldots, n$. Let $C_s$ be the code with $B_s$ as parity check matrix.

Remark 13.24. Let $B$ be an MDS matrix. Then $C_s$ is an $[n, s, n - s + 1]$ code, that is an MDS code, for all $1 \le s \le n$. This motivates the name in the definition above.

Definition 13.25. Suppose $n \le q$. Let $\mathbf{x} = (x_1, \ldots, x_n)$ be an $n$-tuple of mutually distinct elements in $\mathbb{F}_q$. Define
$$\mathbf{b}_i = (x_1^{i-1}, \ldots, x_n^{i-1}).$$
Then $\mathbf{b}_1, \ldots, \mathbf{b}_n$ is called an ordered Vandermonde basis and the corresponding matrix is denoted by $B(\mathbf{x})$ and called a Vandermonde matrix.

It can be shown that if we have a linear $[n, k, d]$ code $C$ over the field $\mathbb{F}_q$, then the code $C' = C \mathbb{F}_{q^m}$ has the same parameters. So without loss of generality we may assume that, after a finite extension of the finite field $\mathbb{F}_q$, we have $n \le q$. Let $\mathbf{b}_1, \ldots, \mathbf{b}_n$ be a basis of $\mathbb{F}_q^n$. From now on we assume that the corresponding matrix $B$ is an MDS matrix.

The next proposition gives a relation between the rank of the matrix of unknown syndromes $U(\mathbf{e})$ and the weight of $\mathbf{e}$.

Proposition 13.26. Let $D(\mathbf{e})$ be the diagonal matrix with $\mathbf{e}$ on its diagonal. Then
$$U(\mathbf{e}) = B D(\mathbf{e}) B^T,$$
and the rank of $U(\mathbf{e})$ is equal to the weight of $\mathbf{e}$.

Proof. See also [51, Lemma 4.7]. We have that
$$u_{ij}(\mathbf{e}) = (\mathbf{b}_i * \mathbf{b}_j) \cdot \mathbf{e} = \sum_{l=1}^{n} b_{il} e_l b_{jl}.$$
Hence $U(\mathbf{e}) = B D(\mathbf{e}) B^T$. Now $B$ and $B^T$ are invertible. Hence the rank of $U(\mathbf{e})$ is equal to the rank of $D(\mathbf{e})$, which is equal to the weight of $\mathbf{e}$. $\square$

We have done all the necessary preparations. Next we will see which role the notion of unknown syndromes plays in decoding. Let $C$ be an $\mathbb{F}_q$-linear code with parameters $[n, k, d]$. Choose a parity check matrix $H$ of $C$. Let $\mathbf{h}_1, \ldots, \mathbf{h}_r$ be the rows of $H$. The row $\mathbf{h}_i$ is a linear combination of the basis $\mathbf{b}_1, \ldots, \mathbf{b}_n$, that is, there are constants $a_{ij} \in \mathbb{F}_q$ such that
$$\mathbf{h}_i = \sum_{j=1}^{n} a_{ij} \mathbf{b}_j.$$
In other words $H = AB$, where $A$ is the $r \times n$ matrix with entries $a_{ij}$.

Remark 13.27. Let $\mathbf{r} = \mathbf{c} + \mathbf{e}$ be a received word with $\mathbf{c} \in C$ a codeword and $\mathbf{e}$ an error vector. The syndromes of $\mathbf{r}$ and $\mathbf{e}$ with respect to $H$ are equal and known: $s_i(\mathbf{r}) := \mathbf{h}_i \cdot \mathbf{r} = \mathbf{h}_i \cdot \mathbf{e} = s_i(\mathbf{e})$, and they can be expressed in the unknown syndromes of $\mathbf{e}$ with respect to $B$:
$$s_i(\mathbf{r}) = \sum_{j=1}^{n} a_{ij} u_j(\mathbf{e}),$$
since $\mathbf{h}_i = \sum_{j=1}^{n} a_{ij} \mathbf{b}_j$ and $\mathbf{b}_j \cdot \mathbf{e} = u_j(\mathbf{e})$.

Definition 13.28. Let $1 \le u, v \le n$. Then we define $U_{uv}(\mathbf{e})$ as the submatrix of $U(\mathbf{e})$ with the entries $(u_{ij}(\mathbf{e}))_{1 \le i \le u,\ 1 \le j \le v}$.

Proposition 13.29. Let $w = \mathrm{wt}(\mathbf{e})$. If $u \ge w$, then
$$\mathrm{rank}(U_{uv}(\mathbf{e})) = \min\{v, w\}.$$

Hence $U_{nv}(\mathbf{e})$ has rank $v$ if $v \le w$, and its rank is $w$ if $v > w$. This also means that in the matrix $U_{n, w+1}$ the $w + 1$ columns are linearly dependent, which implies the existence of elements $v_1(\mathbf{e}), \ldots, v_w(\mathbf{e})$ such that
$$\sum_{j=1}^{w} u_{ij}(\mathbf{e}) v_j(\mathbf{e}) - u_{i, w+1}(\mathbf{e}) = 0 \quad \text{for } i = 1, \ldots, n.$$

Recall that at the beginning of this subsection we declared our goal to be finding the unknown syndromes. Thus, replace them everywhere by variables and try to solve the corresponding system.

Definition 13.30. Let $B$ be an MDS matrix with structure constants $\mu_{ij}^l$. Define the linear functions $U_{ij}$ in the variables $U_1, \ldots, U_n$ by
$$U_{ij} = \sum_{l=1}^{n} \mu_{ij}^l U_l.$$
Let $U$ be the $n \times n$ matrix with entries $U_{ij}$. Let $U_{u,v}$ be the $u \times v$ matrix with entries $U_{ij}$ with $1 \le i \le u$ and $1 \le j \le v$.

Definition 13.31. The ideal $J(\mathbf{r})$ in the ring $\mathbb{F}_q[U_1, \ldots, U_n]$ is generated by the elements
$$\sum_{l=1}^{n} a_{jl} U_l - s_j(\mathbf{r}) \quad \text{for } j = 1, \ldots, r.$$
The ideal $I(t, U, V)$ in the ring $\mathbb{F}_q[U_1, \ldots, U_n, V_1, \ldots, V_t]$ is generated by the elements
$$\sum_{j=1}^{t} U_{ij} V_j - U_{i, t+1} \quad \text{for } i = 1, \ldots, n.$$
Let $J(t, \mathbf{r})$ be the ideal in $\mathbb{F}_q[U_1, \ldots, U_n, V_1, \ldots, V_t]$ generated by $J(\mathbf{r})$ and $I(t, U, V)$.

Remark 13.32. The ideal $J(t, \mathbf{r})$ is generated by $n - k$ linear functions and $n$ quadratic polynomials.

Now we are ready to state the main results of this subsection.

Theorem 13.33. Let $B$ be an MDS matrix with structure constants $\mu_{ij}^l$ and linear functions $U_{ij}$. Let $H$ be a parity check matrix of the code $C$ such that $H = AB$ as above. Let $\mathbf{r} = \mathbf{c} + \mathbf{e}$ be a received word with $\mathbf{c}$ in $C$ the codeword sent and $\mathbf{e}$ the error vector. Suppose that the weight of $\mathbf{e}$ is not zero and at most $\lfloor (d(C) - 1)/2 \rfloor$. Let $t$ be the smallest positive integer such that $J(t, \mathbf{r})$ has a solution $(\mathbf{u}, \mathbf{v})$ over $\mathbb{F}_q$. Then $\mathrm{wt}(\mathbf{e}) = t$ and the solution is unique, satisfying $\mathbf{u} = \mathbf{u}(\mathbf{e})$.

Theorem 13.34. Let $\mathbf{r} = \mathbf{c} + \mathbf{e}$ be a received word with $\mathbf{c}$ in $C$ the codeword sent and $\mathbf{e}$ the error vector. Suppose that the weight of $\mathbf{e}$ is not zero and at most $\lfloor (d(C) - 1)/2 \rfloor$. Let $t$ be the smallest positive integer such that $J(t, \mathbf{r})$ has a solution. Then the solution is unique and the reduced Gröbner basis $G$ for the ideal $J(t, \mathbf{r})$ with respect to any monomial ordering is
$$\begin{cases} U_i - u_i(\mathbf{e}), & i = 1, \ldots, n, \\ V_j - v_j, & j = 1, \ldots, t, \end{cases}$$
where $(\mathbf{u}(\mathbf{e}), \mathbf{v})$ is the unique solution.

We would like to note that the fact that we obtain a unique solution of multiplicity one without adding field equations is quite remarkable and really makes computations easier. The proofs, especially of the last statement, are quite involved. We demonstrate how the above works on a small example.

Example 13.35. Consider the ternary Golay code with parameters $[11, 6, 5]$. The code is 2-error correcting. We have $q = 3$, $n = 11$, and $t = 2$. So $m = 3$ is the smallest number such that $3^m \ge n$. We have not taken the conventional choice $m = 5$, which is the smallest degree of an extension such that $\mathbb{F}_{3^m}^*$ has an element of order 11. A parity check matrix for this code is given by $H = (P \mid I_5)$, where
$$P = \begin{pmatrix} 1 & -1 & -1 & -1 & 1 & 0 \\ 0 & 1 & -1 & -1 & -1 & 1 \\ -1 & 1 & -1 & 0 & 1 & -1 \\ 1 & 1 & 0 & 1 & 1 & 1 \\ -1 & -1 & -1 & 1 & 0 & 1 \end{pmatrix}.$$
Let $a$ be a primitive element of $\mathbb{F}_{27}$ with $a^3 - a + 1 = 0$. Then $B = (a^{ij})_{0 \le i, j \le 10}$ is an MDS matrix. Now $H = AB$, where
$$A = \begin{pmatrix} a^{12} & a^2 & a^3 & a^8 & a^{19} & a^{12} & a^2 & a^{22} & a^{11} & a^{11} & a^{23} \\ a^{23} & a^{22} & a^{13} & a^7 & a^{12} & a^0 & a^5 & a^0 & a^5 & a^5 & a^8 \\ a^6 & a^8 & a^{24} & a^{23} & a^2 & a^3 & a^{14} & a^{10} & a^{23} & a^{13} & a^{10} \\ a^{14} & a^{14} & a^{16} & a^{18} & a^6 & a^{17} & a^8 & 0 & a^{21} & a^{20} & a \\ a^{14} & a^7 & a^{13} & a^{10} & a^9 & a^{25} & a^{17} & a^{20} & a^{25} & a^5 & a^0 \end{pmatrix}.$$
Let $\mathbf{r} = (1, 1, 0, -1, 0, 1, -1, -1, -1, 1, 0)$ be a received word with two errors. Then the syndrome vector $\mathbf{s}(\mathbf{r})$ is given by $(0, -1, 1, 0, 1)^T$. We are working in the ring $\mathbb{F}_{27}[U_1, \ldots, U_{11}, V_1, V_2]$. Let us choose the order to be degree reverse lexicographic with $U_{11} > \cdots > U_6 > V_1 > V_2 > U_5 > \cdots > U_1$, as in Theorem 13.34. The ideal $J(\mathbf{r})$ is generated by the entries of the vector $A U^T$, where $U = (U_1, \ldots, U_{11})$. The matrix $U$ has entries $U_{ij}$, where $U_{ij} = U_{i+j-1}$ for all $i, j$ with $1 \le i + j \le 11$. The ideal $J(t, \mathbf{r})$ is generated by $J(\mathbf{r})$ and $I(t, U, V)$, and the generators of $I(2, U, V)$ are
$$\begin{array}{l} V_1 U_1 + V_2 U_2 - U_3, \\ V_1 U_2 + V_2 U_3 - U_4, \\ V_1 U_3 + V_2 U_4 - U_5, \\ V_1 U_4 + V_2 U_5 - U_6, \\ V_1 U_5 + V_2 U_6 - U_7, \\ V_1 U_6 + V_2 U_7 - U_8, \\ V_1 U_7 + V_2 U_8 - U_9, \\ V_1 U_8 + V_2 U_9 - U_{10}, \\ V_1 U_9 + V_2 U_{10} - U_{11}, \\ V_1 U_{10} + V_2 U_{11} - U_{10,3}, \\ V_1 U_{11} + V_2 U_{11,2} - U_{11,3}, \end{array}$$
where
$$\begin{array}{rl} -U_{10,3} = & a^{16} U_1 + a^{22} U_2 + a^{25} U_3 + a^{22} U_4 + a^{20} U_5 + a^{25} U_6 + a^7 U_7 + a^{18} U_8 + a^{10} U_9 + a^3 U_{10} + a^{16} U_{11}, \\ U_{11,2} = & a^3 U_1 + a^9 U_2 + a^{12} U_3 + a^9 U_4 + a^7 U_5 + a^{12} U_6 + a^{20} U_7 + a^5 U_8 + a^{23} U_9 + a^{16} U_{10} + a^3 U_{11}, \\ -U_{11,3} = & a^{19} U_1 + a^{19} U_2 + a^7 U_3 + a^{12} U_4 + a^5 U_5 + a^9 U_6 + a^9 U_7 + a^{23} U_8 + a^4 U_9 + a^{24} U_{10} + a^{25} U_{11}. \end{array}$$

The reduced Gröbner basis for the ideal $J(2, \mathbf{r})$ is
$$\begin{array}{llll} U_1, & U_2 - 1, & U_3 + a^9, & U_4 - 1, \\ U_5 + a^3, & V_2 + a^9, & V_1 + a^4, & U_6 + a^{16}, \\ U_7 + a, & U_8 + a^3, & U_9 + a^{22}, & U_{10} - 1, \\ U_{11} + a. \end{array}$$
Let us check that this unique solution indeed gives rise to the error vector $\mathbf{e}$. Indeed, from the above we obtain that the vector $\mathbf{u}(B, \mathbf{e})$ of unknown syndromes is $(0, 1, -a^9, 1, -a^3) = (0, 1, a^{22}, 1, a^{16})$. By Remark 13.19 we can then find $\mathbf{e}$ as
$$\mathbf{e}^T = B^{-1} \mathbf{u}(B, \mathbf{e}) = (0, 1, 0, -1, 0, 0, 0, 0, 0, 0, 0)^T.$$
We also note that the corresponding system for $t = 1$ has the reduced Gröbner basis $\{1\}$ and therefore has no solutions.

Example 13.36. Let us revisit Example 13.15. So we are working again with the 3-error correcting binary cyclic code of length 31 with defining set $\{1, 5, 7\}$. Now we have $q = 2$, $n = 31$, and $t = 3$. So $m = 5$ and $q^m = 32$. Choose as matrix $B$ a Vandermonde matrix with $x_i = a^{i-1}$, where $a$ is a primitive 31-th root of unity of $\mathbb{F}_{32}$ with $a^5 + a^2 + 1 = 0$. A parity check matrix of this code over $\mathbb{F}_2$ in row echelon form is $H = (I_{15} \mid P)$, where
$$P = \begin{pmatrix}
1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 \\
0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\
1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 & 0 \\
0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 0 & 0 \\
0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 & 0 \\
0 & 0 & 0 & 0 & 1 & 1 & 0 & 0 & 0 & 0 & 1 & 1 & 1 & 0 & 1 & 1 \\
1 & 1 & 0 & 1 & 1 & 1 & 1 & 0 & 1 & 0 & 1 & 1 & 1 & 0 & 0 & 1 \\
1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\
0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\
0 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 0 \\
0 & 0 & 0 & 1 & 0 & 1 & 1 & 0 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
1 & 1 & 0 & 1 & 0 & 0 & 1 & 1 & 1 & 1 & 0 & 1 & 1 & 0 & 1 & 1 \\
1 & 0 & 1 & 1 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 & 0 & 0 & 1
\end{pmatrix}.$$
Let, as in Example 13.15,
$$\mathbf{r} = (0, 0, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1)$$
be the received word with errors on positions 4, 8, 26. The corresponding system is
$$\begin{array}{l} J(\mathbf{r}), \\ U_{29} V_1 + U_{30} V_2 + U_{31} V_3 + U_1, \\ U_{30} V_1 + U_{31} V_2 + U_1 V_3 + U_2, \\ U_{31} V_1 + U_1 V_2 + U_2 V_3 + U_3, \\ U_{i-3} V_1 + U_{i-2} V_2 + U_{i-1} V_3 + U_i, \quad \text{for } 4 \le i \le 31. \end{array}$$
From this system we obtain a unique solution, which gives a way to find the error vector via multiplication of the vector of unknown syndromes by $B^{-1}$ on the left. Note that from the way we compute the syndromes in Eq. (13.1) and the way we have chosen the matrix $B$, it follows that actually $U_i = S_{i-1}$ and $V_j = \sigma_{t-j+1}$ for $1 \le i \le n$ and $1 \le j \le t$, where $S_i$ and $\sigma_j$ are the variables from Example 13.15. So we see that it is actually possible to decode without adding the field equations. This example also shows how we generalize the ideas from Sec. 13.3.2.
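The computations of Example 13.14 (APGZ decoding) and of Example 13.36 (the Vandermonde choice of $B$, under which $U(\mathbf{e})$ is the Hankel matrix of syndromes, has rank $\mathrm{wt}(\mathbf{e})$, and $V_j = \sigma_{t-j+1}$ solves the quadratic system) can be checked directly. The following is an added example, not the chapter's code: it implements $\mathbb{F}_{32}$ with the chapter's polynomial $a^5 + a^2 + 1$, decodes the received word of Example 13.14 with the APGZ system, and verifies Proposition 13.26 and the quadratic system for the error vector of Example 13.36; function names and the 0-based indexing of positions are this example's own choices.

```python
"""GF(2^5), APGZ decoding (Example 13.14) and the syndrome matrix U(e) (Example 13.36).
Added example, not the chapter's code; field and code are the chapter's (F32 with
a^5 + a^2 + 1 = 0, the binary [31,16,7] code with defining set {1,5,7}).  Positions are
0-based here, so the chapter's position p has error locator a^(p-1)."""
from functools import reduce

N = 31                        # code length = order of the primitive element a
POLY = 0b100101               # a^5 + a^2 + 1
EXP, LOG, _x = [0] * (2 * N), [0] * 32, 1
for _i in range(N):           # antilog / log tables of the powers of a
    EXP[_i], LOG[_x] = _x, _i
    _x <<= 1
    if _x & 0b100000:
        _x ^= POLY
EXP[N:] = EXP[:N]             # EXP[i + j] then never needs a reduction mod 31

def apow(i):
    return EXP[i % N]         # a^i

def mul(u, v):
    return 0 if u == 0 or v == 0 else EXP[LOG[u] + LOG[v]]

def inv(u):
    return EXP[(N - LOG[u]) % N]

def syndrome(word, i):
    """s_i = sum_j word_j a^(i j) over the 0-based positions j (Eq. 13.1)."""
    return reduce(lambda x, y: x ^ y, (apow(i * j) for j, w in enumerate(word) if w), 0)

def rref(mat):
    """Reduced row echelon form over GF(32); returns (matrix, pivot columns)."""
    mat, pivots, r = [row[:] for row in mat], [], 0
    for c in range(len(mat[0])):
        p = next((i for i in range(r, len(mat)) if mat[i][c]), None)
        if p is None:
            continue
        mat[r], mat[p] = mat[p], mat[r]
        s = inv(mat[r][c])
        mat[r] = [mul(s, v) for v in mat[r]]
        for i in range(len(mat)):
            if i != r and mat[i][c]:
                f = mat[i][c]
                mat[i] = [a ^ mul(f, b) for a, b in zip(mat[i], mat[r])]
        pivots.append(c)
        r += 1
    return mat, pivots

def apgz(known, b, t):
    """Newton identities (13.6) for i = b+t..b+2t-1 as a t x t linear system in
    sigma_1..sigma_t (characte0ristic 2, so -s_i = s_i); `known` maps i -> s_i."""
    rows = [[known[i - j] for j in range(1, t + 1)] + [known[i]]
            for i in range(b + t, b + 2 * t)]
    red, piv = rref(rows)
    if piv != list(range(t)):
        raise ValueError("singular APGZ system: not exactly t errors")
    return [row[t] for row in red]

def locator_roots(sigma):
    """Chien search: 0-based positions k with sigma(a^k) = 0 (sigma monic of degree t)."""
    roots = []
    for k in range(N):
        val = 0
        for cf in [1] + sigma:                       # Horner evaluation at Z = a^k
            val = mul(val, apow(k)) ^ cf
        if val == 0:
            roots.append(k)
    return roots

def decode_two_errors(received):
    """Example 13.14: 7,8,9,10 are consecutive in the complete defining set, so b = 7
    and t = 2; syndromes outside {1,5,7} follow from the conjugacy s_{2i} = s_i^2."""
    s = {i: syndrome(received, i) for i in (1, 5, 7)}
    sq = lambda v: mul(v, v)
    s[8], s[9], s[10] = sq(sq(sq(s[1]))), sq(sq(sq(s[5]))), sq(s[5])
    sigma = apgz(s, 7, 2)
    roots = locator_roots(sigma)
    codeword = list(received)
    for k in roots:                                  # binary code: every error value is 1
        codeword[k] ^= 1
    return s, sigma, roots, codeword

def locator_poly(positions):
    """sigma_1..sigma_t of prod_k (Z + a^k): the elementary symmetric functions."""
    poly = [1]                                       # coefficients, highest degree first
    for k in positions:
        poly = [c ^ mul(apow(k), p) for c, p in zip(poly + [0], [0] + poly)]
    return poly[1:]

def unknown_syndrome_matrix(e):
    """U(e) for the Vandermonde basis x_i = a^(i-1) of Example 13.36: b_i has entries
    a^((i-1)(j-1)), so u_ij(e) = (b_i * b_j) . e = s_{i+j-2}(e), a Hankel matrix."""
    return [[syndrome(e, i + j) for j in range(N)] for i in range(N)]

def quadratic_residuals(e, v):
    """U_{i-t}V_1 + ... + U_{i-1}V_t + U_i (indices mod 31) of the system in
    Example 13.36 with U_i = s_{i-1}(e); all zero iff v solves it."""
    u, t = [syndrome(e, i) for i in range(N)], len(v)   # u[i-1] = U_i
    return [u[i] ^ reduce(lambda x, y: x ^ y, (mul(u[(i - t + j) % N], vj)
                                               for j, vj in enumerate(v)), 0)
            for i in range(N)]
```

The rank of $U(\mathbf{e})$ and of its column blocks $U_{n,v}$ is `len(rref(M)[1])`; for the three-error vector of Example 13.36 it is 3 for $v \ge 3$ and $v$ for $v < 3$, as Proposition 13.29 predicts.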

Much more serious examples can be attacked by this approach. We only mention that decoding, e.g., 5-20 errors in a binary code of length 120 and dimension 10-30 is feasible. For more details, see [50].

Next we mention how the above technique can be adapted to finding the minimum distance of a code. The following is more or less a special case of Theorem 13.33 on decoding up to half the minimum distance.

Theorem 13.37. Let $B$ be an MDS matrix with structure constants $\mu_{ij}^l$ and linear functions $U_{ij}$. Let $H$ be a parity check matrix of the code $C$ such that $H = AB$. Let $t$ be the smallest integer such that $J(t, \mathbf{0})$ has a solution $(\mathbf{u}, \mathbf{v})$ with $\mathbf{u} \ne \mathbf{0}$. Then $t$ is the minimum distance of $C$.

Again we supply the statement with an example.

Example 13.38. Let us find the minimum distance of the cyclic $[15, 7]$ binary code with check matrix
$$H = \begin{pmatrix}
1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 & 1 & 0 & 1 & 0 & 0 & 0 & 1
\end{pmatrix}.$$
By computing the reduced Gröbner basis of $J(t, \mathbf{0})$ for $t = 1, \ldots, 4$ we see that it always consists of the elements $U_1, \ldots, U_{15}$, so there is no solution $(\mathbf{u}, \mathbf{v})$ with $\mathbf{u} \ne \mathbf{0}$. For $t = 5$ the reduced Gröbner basis (with respect to the degree reverse lexicographic order) is listed in the Appendix. It can be seen that, e.g., $(\mathbf{u}, \mathbf{v})$ with $\mathbf{u} = (1, 0, 0, 0, 0, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1)$ and $\mathbf{v} = (1, 1, 0, 1, 0)$ is a solution of the system $J(5, \mathbf{0})$. So we obtained the desired solution, thus the minimum distance is 5. It can also be seen that $\mathbf{u}$ corresponds to a codeword of weight 5, namely $\mathbf{c} = (1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 1, 1)$.

13.5. Thoughts for practitioners

From the practical point of view we can outline three major possible directions of further study for the method of quadratic system solving:

• Fast (polynomial time) decoding in the case when the dimension $k$ and the number of errors $t$ are small compared to the length $n$: e.g., for $k$ and $t$ of order $O(\sqrt{n})$ it is possible to decode in time $O(n^3)$.

• Try to adapt the method to the cryptanalysis of coding-based cryptosystems that follow the ideas of McEliece and Niederreiter [52, 53].

• As the quadratic system we are working with has a quite specific reduced Gröbner basis, it might be possible to find specialized algorithms that would find such a basis and perform much faster.

The last item applies also to the other methods based on Gröbner bases: to find an adapted algorithm that would solve a particular system faster than a "generic" one.

13.6. Directions for future research

On the more theoretical side, probably one of the most important questions is that of estimating the complexity of the algorithms presented in this chapter. There were some attempts to apply the theory of semi-regular sequences, but so far they were not successful. Definitely more research is needed here, as this question is one of the milestones in comprehending the Gröbner bases-based methods. Also the question of formal decoding is interesting for particular classes of codes like cyclic codes and some AG-codes. It would be interesting to prove the existence of sparse general error-locator polynomials in these cases. This would shed more light on the old problem of whether decoding cyclic codes is NP-hard.

For the method of quadratic equations it is possible to prove results like the ones presented here, but for the nearest codeword problem. So the question of list decoding should be studied here further.

13.7. Conclusions

In this chapter we gave an overview of some of the existing methods for decoding and finding the minimum distance of linear codes and cyclic codes in particular. We tried to give an exposition in the order in which the material appeared historically, with the following improvements. We concentrated more on giving examples that would facilitate understanding of the methods, rather than giving real-life comparisons, although such comparisons are also available in [50]. A SINGULAR library for generating different systems for decoding is available [54]. The original method based on solving a quadratic system was presented. It turned out that the corresponding reduced Gröbner basis for our system has a very simple form, which is not true for many other methods. We hope that more research in this area may reveal quite fast and robust algorithms that are able to correct up to the error-correcting capacity.

Terminology

• Gröbner basis: A finite subset $G = \{g_1, \ldots, g_m\}$ of an ideal $I \subseteq F[X_1, \ldots, X_n]$ is called a Gröbner basis for $I$ with respect to a monomial order $>$ if $L_>(I) = \langle \mathrm{lt}(g_1), \ldots, \mathrm{lt}(g_m) \rangle$, where $L_>(I)$ is the leading ideal of $I$ with respect to $>$; Definition 13.4.

• generalized power sum function: It is a sum of the form $\sum_{l=1}^{t} y_l z_l^{i_m}$. In our context we use it to compute the syndrome via error locations and error values in Eq. (13.2).

• CRHT-ideal: It is an ideal constructed following Cooper's philosophy, and its variety contains the information needed for decoding a cyclic code. The generators of this ideal are given in Eq. (13.3).

• general error-locator polynomial: A polynomial $L_C = Z^e + a_{t-1} Z^{e-1} + \cdots + a_0$ with $a_j \in \mathbb{F}_q[X_1, \ldots, X_r]$, $0 \le j \le e-1$. When the $X$-variables are assigned the syndromes, then the roots of $L_C(s, Z)$ give the error positions; Theorem 13.9.

• Newton identities: Equation (13.6) shows how syndromes are connected with the elementary symmetric functions. One can use known syndromes to find the symmetric functions, and then the error positions via the error-locator polynomial, see below.

• error-locator polynomial: It is the polynomial $\sigma(Z) = \prod_{l=1}^{t} (Z - z_l) = Z^t + \sigma_1 Z^{t-1} + \cdots + \sigma_{t-1} Z + \sigma_t$, where the $\sigma$'s are the elementary symmetric functions and the $z$'s are the error positions. Knowledge of the symmetric functions yields the error positions as the roots of $\sigma(Z)$.

• formal and online decoding: The former term means that in a Gröbner basis-based method one needs to compute a Gröbner basis only once and then decode every time using this precomputed Gröbner basis. The latter term means that one performs the Gröbner basis computation every time one wants to decode. Online decoding involves systems with fewer variables and thus is much easier to handle; on the other hand, performing the Gröbner basis computation every time can be too time consuming.

• affine variety code: $C(I, L)$ is the image of a vector subspace $L$ under the map $\varphi : R \to \mathbb{F}_q^n$, $f \mapsto (f(P_1), \ldots, f(P_n))$, where $R := \mathbb{F}_q[U_1, \ldots, U_s]/I_q$ and $f \in L$ is any pre-image of $f$ under the canonical homomorphism; $L$ is a vector subspace of $R$.

• unknown syndromes: Let $b_1, \ldots, b_n$ be a basis of $\mathbb{F}_q^n$ and let $B$ be the $n \times n$ matrix with $b_1, \ldots, b_n$ as rows. The (unknown) syndrome $u(B, e)$ of a word $e$ with respect to $B$ is the column vector $u(B, e) = B e^T$. It has entries $u_i(B, e) = b_i \cdot e$ for $i = 1, \ldots, n$; Definition 13.18.

• MDS basis/matrix: Let $b_1, \ldots, b_n$ be a basis of $\mathbb{F}_q^n$. Let $B_s$ be the $s \times n$ matrix with $b_1, \ldots, b_s$ as rows, so $B = B_n$. We say that $b_1, \ldots, b_n$ is an ordered MDS basis and $B$ an MDS matrix if all the $s \times s$ submatrices of $B_s$ have rank $s$ for all $s = 1, \ldots, n$. Let $C_s$ be the code with $B_s$ as parity check matrix; Definition 13.23.

Questions

(1) In Example 13.5 we have seen that $f = X^3$, $g = Y^4 - X^2 Y$ from $F[X, Y]$ form a Gröbner basis of the ideal $I = \langle f, g \rangle$ with respect to the degree reverse lexicographic order $>_{dp}$. Do they form a Gröbner basis with respect to the lexicographic order $>_{lp}$?

(2) For constructing a binary cyclic code of length 41 we need a primitive 41st root of unity. What is the smallest field extension of $\mathbb{F}_2$ that has an element of order 41?

(3) In Eq. (13.4) the polynomial $p(n, X, Y) = (X^n - Y^n)/(X - Y) = \sum_{i=0}^{n-1} X^i Y^{n-1-i}$ is defined. Suppose that $n \ge 2$ and $(n, q) = 1$. Show that $x$ and $y$ are distinct if at least one of them is non-zero and $p(n, x, y) = 0$.

(4) In Theorem 13.9 the general error-correcting polynomial is defined. Does its degree depend on the number of errors that occurred?

(5) In Example 13.12 can we leave out the polynomials $Z_i Z_j\, p(15, Z_i, Z_j) = 0$, $1 \le i < j \le w$?

(6) Let $P_i = (a_{i1}, \ldots, a_{is})$, $1 \le i \le n$, be $n$ distinct points in $\mathbb{F}_q^s$ ($q^s \ge n$). In Sec. 13.4.1 we needed functions $\xi_i$, $1 \le i \le n$, such that $\xi_i(P_i) = 1$, $\xi_i(P_j) = 0$, $j \ne i$. Give a representation of $\xi_i$ as a polynomial from $\mathbb{F}_q[X_1, \ldots, X_s]$.

(7) In Definition 13.23 we are talking about an ordered MDS matrix. Is the order of $b_1, \ldots, b_n$ really important for the MDS property to hold?

(8) In Definition 13.25 we introduced a Vandermonde matrix $B = B(x)$. Why is this matrix MDS?

(9) Let $C$ be an $[n, k, d]$ code over $\mathbb{F}_q$. Show that the code $C' = C\mathbb{F}_{q^m}$ has the same parameters $[n, k, d]$ over $\mathbb{F}_{q^m}$.

(10) For those who are familiar with the notion of a reduced Gröbner basis: consider an ideal $I \subset \mathbb{F}_{37}[X, Y, Z]$. It is known that a Gröbner basis of $I$ with respect to the lexicographic order induced by $X > Y > Z$ is $X + 16, Y + 6, Z + 1$. What is the reduced Gröbner basis of $I$ with respect to the degree reverse lexicographic order?


Answers

(1) No. We have $\mathrm{lm}(f) = X^3$, $\mathrm{lm}(g) = X^2 Y$. Consider $h = Y \cdot f + X \cdot g = X Y^4 \in I$, but $\mathrm{lm}(h) = X Y^4$ is divisible neither by $X^3$ nor by $X^2 Y$.

(2) $\mathbb{F}_{2^{20}}$. In order to find it we need to find the smallest $n$ such that $41 \mid (2^n - 1)$; then the extension is $\mathbb{F}_{2^n}$. In our case $n = 20$.

(3) If $x = y$, then $p(n, x, y) = p(n, x, x) = n x^{n-1}$. Since we assumed $n \ge 2$ and $(n, q) = 1$, it follows that $x = y = 0$.

(4) No. The degree is always $e$, the error-correcting capacity. If $t < e$ errors occurred, then the specialized polynomial $L_C(s, Z)$ has the root zero with multiplicity $e - t$.

(5) No, since the system $J_C(2) : Z_1 + Z_2,\ Z_1^3 + Z_2^3,\ Z_1^{15} + 1,\ Z_2^{15} + 1$ would have the Gröbner basis $Z_2^{15} + 1,\ Z_1 + Z_2$. Thus we obtain the solutions of the form $(a, a)$, $a \in \mathbb{F}_{16}$.

(6) $\xi_i(X_1, \ldots, X_s) = \prod_{j=1}^{s} \bigl(1 - (X_j - a_{ij})^{q-1}\bigr)$. We have that if $X_j \ne a_{ij}$ for some $j$ then $X_j - a_{ij}$ is a non-zero element of $\mathbb{F}_q$, and thus $(X_j - a_{ij})^{q-1} = 1$. On the other hand, if $X_j = a_{ij}$, then $1 - (X_j - a_{ij})^{q-1} = 1$.

(7) Yes. Consider a matrix $M$ over $\mathbb{F}_2$ with rows $(1, 1)$ and $(0, 1)$. It is obvious that $M$ is an MDS matrix. On the other hand, if we exchange the rows, then the obtained matrix $N$ does not have the MDS property, because it has a zero in the first row, and thus not all the $1 \times 1$ submatrices of $N_1$ have full rank 1.

(8) First assume that all $x_i$ are non-zero. Consider an $s \times s$ submatrix $S$ of $B_s$ with the columns indexed by $j_1, \ldots, j_s$, so that the rows of $S$ are $(1, \ldots, 1), (x_{j_1}, \ldots, x_{j_s}), \ldots, (x_{j_1}^{s-1}, \ldots, x_{j_s}^{s-1})$. The matrix $S$ is invertible, since its determinant can be computed to be $\prod_{i > j,\ i, j \in \{j_1, \ldots, j_s\}} (x_i - x_j)$. If we allow some $x_i$ to be zero, w.l.o.g. $x_1 = 0$, and consider again a matrix $S$ wherein $j_1 = 1$, then we may consider the $(s-1) \times (s-1)$ submatrix $S'$ of $S$ obtained by leaving out the first row and the first column. The rank of $S'$ is $s - 1$ by the argument above. Then, passing to the matrix $S$, we see that its rank is $s$, because the first column of $S$ is $(1, 0, \ldots, 0)^T$.

(9) Obviously the length of $C'$ is $n$. Then we claim that the vectors $b_1, \ldots, b_l$ from $\mathbb{F}_q^n$ are linearly dependent over $\mathbb{F}_q$ iff they are linearly dependent over $\mathbb{F}_{q^m}$. Indeed, if $b_1, \ldots, b_l$ are linearly dependent over $\mathbb{F}_q$, they are linearly dependent over $\mathbb{F}_{q^m}$. Conversely, let there exist a non-trivial linear combination $\alpha_1 b_1 + \cdots + \alpha_l b_l = 0$ with $\alpha_i \in \mathbb{F}_{q^m}$, $1 \le i \le l$. Write the $\alpha$'s as vectors over $\mathbb{F}_q$ of length $m$: $\alpha_i = (\alpha_{i1}, \ldots, \alpha_{im})$, $1 \le i \le l$. Since the vectors $b_1, \ldots, b_l$ are defined over $\mathbb{F}_q$, we have $\alpha_{1j} b_1 + \cdots + \alpha_{lj} b_l = 0$, $1 \le j \le m$. As the initial linear combination was non-trivial, we obtain at least one non-trivial linear combination for $b_1, \ldots, b_l$ over $\mathbb{F}_q$, and thus they are linearly dependent over $\mathbb{F}_q$. Therefore the dimension of $C'$ is also $k$. Now the minimum distance can be found as the minimal number of linearly dependent columns of a parity check matrix of a code. Using the argument above we see that the minimum distance of $C'$ is $d$, as a parity check matrix $H$ for $C$ is also a parity check matrix of $C'$.

(10) The same. Denote this basis by $G$. It is obvious that $X + 16, Y + 6, Z + 1 \in G$ and that $I$ is generated by these polynomials. For any other polynomial $f \in I$, it follows that $\mathrm{lm}(f)$ is divisible by one of $X$, $Y$, or $Z$. So $f$ does not belong to the reduced Gröbner basis.
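The ordered MDS property of Definition 13.23 and the claims in Answers 2, 7 and 8 can be checked mechanically. The following Python is an added example, not code from the chapter or from the authors' Err.lib: it tests the ordered MDS property over a prime field F_p by brute force over all s × s submatrices of B_s, builds the Vandermonde matrix B(x) of Definition 13.25, and computes the multiplicative order used in Answer 2. The function names and the restriction to prime fields are my own choices.

```python
# Added example, not from the chapter: brute-force check of the ordered MDS
# property (Definition 13.23) over a prime field F_p, the Vandermonde matrix of
# Definition 13.25, and the multiplicative order needed in Answer 2.
from itertools import combinations


def rank_mod_p(rows, p):
    """Rank of a matrix given as a list of rows over F_p (Gauss-Jordan)."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue  # no pivot in this column
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)  # inverse exists since p is prime
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank


def is_ordered_mds(B, p):
    """Definition 13.23: the rows b_1, ..., b_n of B form an ordered MDS basis
    iff for every s = 1..n all s x s submatrices of B_s (the first s rows)
    have rank s.  The row order matters, which is the point of Question 7."""
    n = len(B)
    for s in range(1, n + 1):
        B_s = B[:s]
        for cols in combinations(range(n), s):
            sub = [[row[c] for c in cols] for row in B_s]
            if rank_mod_p(sub, p) < s:
                return False
    return True


def vandermonde(xs, p):
    """B(x) of Definition 13.25: row i (i = 0..n-1) is (x_1^i, ..., x_n^i) mod p."""
    n = len(xs)
    return [[pow(x, i, p) for x in xs] for i in range(n)]


def mult_order(a, m):
    """Multiplicative order of a modulo m; the smallest F_{2^k} containing an
    element of order m has k = mult_order(2, m) (Answer 2)."""
    k, x = 1, a % m
    while x != 1:
        x = (x * a) % m
        k += 1
    return k


if __name__ == "__main__":
    # Answer 7: M is MDS over F_2, but swapping its rows (N) breaks the property.
    M = [[1, 1], [0, 1]]
    N = [[0, 1], [1, 1]]
    print("M ordered MDS:", is_ordered_mds(M, 2))  # True
    print("N ordered MDS:", is_ordered_mds(N, 2))  # False
    # Answer 8: Vandermonde matrix over F_7 with distinct x_i, zero allowed.
    V = vandermonde(list(range(7)), 7)
    print("Vandermonde over F_7 ordered MDS:", is_ordered_mds(V, 7))  # True
    # Reversing the rows puts 0^6 = 0 in the first row, so a 1x1 block is zero.
    print("reversed rows ordered MDS:", is_ordered_mds(V[::-1], 7))  # False
    # Answer 2: 2 has order 20 modulo 41, so F_{2^20} is the smallest extension.
    print("order of 2 mod 41:", mult_order(2, 41))  # 20
```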

Acknowledgments

The first author would like to thank "DASMOD: Cluster of Excellence in Rhineland-Palatinate" for funding his research, and also personally his Ph.D. supervisor Prof. Dr. Gert-Martin Greuel and his second supervisor Prof. Dr. Gerhard Pfister for continuous support. The work of the first author has been partially inspired by the Special Semester on Gröbner Bases, February 1 - July 31, 2006, organized by RICAM, Austrian Academy of Sciences, and RISC, Johannes Kepler University, Linz, Austria.

Appendix A. For Example 13.38

The reduced Gröbner basis of J(5, 0) with respect to the degree reverse lexicographic order:

$U_2,\ U_3,\ U_4,\ U_5,$

$U_7,\ U_9,\ U_{10},\ U_{13},$

$V_5 U_1,\ V_3 U_1,\ V_1 U_1 + U_6,\ U_6^2 + U_{11} U_1,$

$U_{11} U_6 + U_1^2,\ V_5 U_6,\ V_4 U_6 + U_8,\ V_3 U_6,$

$V_1 U_6 + U_{11},\ U_8^2 + U_{15} U_1,\ U_{12} U_8 + U_{14} U_6,\ V_5 U_8,$

$V_4 U_8 + V_2 U_6,\ V_3 U_8,\ V_2 U_8 + U_{12},\ U_{11}^2 + U_6 U_1,$

$U_{12} U_{11} + U_{15} U_8,\ V_5 U_{11},\ V_4 U_{11} + V_1 U_8,\ V_3 U_{11},$

$V_2 U_{11} + U_{15},\ V_1 U_{11} + U_1,\ U_{12}^2 + U_8 U_1,\ U_{14} U_{12} + U_{15} U_{11},$

$V_5 U_{12},\ V_4 U_{12} + U_{14},\ V_3 U_{12},\ U_{14}^2 + U_{12} U_1,$

$U_{15} U_{14} + U_8 U_6,\ V_5 U_{14},\ V_4 U_{14} + V_2 U_{12},\ V_3 U_{14},$

$V_2 U_{14} + V_4 U_1,\ U_{15}^2 + U_{14} U_1,\ V_5 U_{15},\ V_4 U_{15} + V_1 U_{12},$

$V_3 U_{15},\ V_2 U_{15} + V_1 U_{14},\ V_1 U_{15} + V_2 U_1,\ V_4 U_1^2 + U_{11} U_8,$

$V_2 U_1^2 + U_{15} U_6,\ V_2 U_6 U_1 + U_{15} U_{11},\ V_4^2 U_1 + V_2 U_1,\ U_{14} U_8 U_6 + U_{15} U_{12} U_1,$

$U_{15} U_8 U_6 + U_{12} U_1^2,\ V_2 U_{12} U_6 + U_{14} U_8,\ V_2^2 U_6 + U_{14},\ U_{14} U_{11} U_8 + U_{15} U_{12} U_6,$

$U_{15} U_{11} U_8 + U_{12} U_6 U_1,\ V_1 U_{14} U_8 + U_{15} U_{12},\ V_1^2 U_8 + V_4 U_1,\ V_2^2 U_{12} + V_2 U_1,$

$V_1^2 U_{12} + V_2 V_4 U_1,\ V_1^2 U_{14} + V_2^2 U_1,\ V_2^3 U_1 + V_1 U_8$

References

[1] D. Cox, J. Little and D. O'Shea, "Ideals, varieties, and algorithms", 2nd Edition, Springer-Verlag, 1997.

[2] G.-M. Greuel and G. Pfister, "A SINGULAR Introduction to Commutative Algebra", Springer-Verlag, 2002.

[3] S. Arimoto, "Encoding and decoding of p-ary group codes and the correction system," (in Japanese) Inform. Processing in Japan, vol. 2, pp. 320–325, Nov. 1961.

[4] E.R. Berlekamp, Algebraic coding theory, McGraw Hill, New York, 1968.

[5] J.L. Massey, "Shift-register synthesis and BCH decoding," IEEE Trans. Inform. Theory, vol. IT-15, pp. 122–127, 1969.

[6] W.W. Peterson and E.J. Weldon, Error-correcting codes, MIT Press, Cambridge, 1977.

[7] Y. Sugiyama, M. Kasahara, S. Hirasawa and T. Namekawa, "A method for solving the key equation for decoding Goppa codes," Information and Control, vol. 27, pp. 87–99, 1975.

[8] D. Augot, P. Charpin and N. Sendrier, "The minimum distance of some binary codes via the Newton's Identities," Eurocodes'90, LNCS 514, pp. 65–73, 1990.

[9] D. Augot, P. Charpin and N. Sendrier, "Studying the locator polynomial of minimum weight codewords of BCH codes," IEEE Trans. Inform. Theory, vol. IT-38, pp. 960–973, May 1992.

[10] D. Augot, M. Bardet and J.-C. Faugère, "Efficient Decoding of (binary) Cyclic Codes beyond the correction capacity of the code using Gröbner bases," INRIA Report, no. 4652, Nov. 2002.

[11] D. Augot, M. Bardet and J.-C. Faugère, "On formulas for decoding binary cyclic codes", Proc. IEEE Int. Symp. Information Theory, 2007.

[12] M.A. de Boer and R. Pellikaan, "Gröbner bases for codes," in Some tapas of computer algebra (A.M. Cohen, H. Cuypers and H. Sterk eds.), Chap. 10, pp. 237–259, Springer-Verlag, Berlin, 1999.

[13] M.A. de Boer and R. Pellikaan, "Gröbner bases for decoding," in Some tapas of computer algebra (A.M. Cohen, H. Cuypers and H. Sterk eds.), Chap. 11, pp. 260–275, Springer-Verlag, Berlin, 1999.

[14] X. Chen, I.S. Reed, T. Helleseth and T.K. Truong, "Use of Gröbner bases to decode binary cyclic codes up to the true minimum distance," IEEE Trans. Inform. Theory, vol. IT-40, pp. 1654–1661, 1994.

[15] M. Caboara and T. Mora, "The Chen-Reed-Helleseth-Truong decoding algorithm and the Gianni-Kalkbrenner Gröbner shape theorem," Appl. Algebra Eng. Commun. Comput., 13, pp. 209–232, 2002.

[16] X. Chen, I.S. Reed, T. Helleseth and T.K. Truong, "Algebraic decoding of cyclic codes: a polynomial point of view," Contemporary Math., vol. 168, pp. 15–22, 1994.

[17] X. Chen, I.S. Reed, T. Helleseth and T.K. Truong, "General principles for the algebraic decoding of cyclic codes," IEEE Trans. Inform. Theory, vol. IT-40, pp. 1661–1663, 1994.

[18] A.B. Cooper, "Toward a new method of decoding algebraic codes using Gröbner bases," Trans. 10th Army Conf. Appl. Math. and Comp., pp. 1–11, 1993.

[19] E. Orsini and M. Sala, "Correcting errors and erasures via the syndrome variety," J. Pure and Appl. Algebra, 200, pp. 191–226, 2005.

[20] T. Mora and E. Orsini, "Decoding cyclic codes: the Cooper philosophy", a talk at the Special Semester on Gröbner bases, May 2006.

[21] M. Giorgetti and M. Sala, "A commutative algebra approach to linear codes", BCRI preprint no. 58, submitted to J. Algebra, www.bcri.ucc.ie, 2006.

[22] E. Orsini and M. Sala, "Improved decoding of affine-variety codes", BCRI preprint no. 68, www.bcri.ucc.ie, 2007.

[23] J.B. Farr and S. Gao, "Gröbner bases, Padé approximation, and decoding of linear codes", to appear in Coding Theory and Quantum Computing, Contemporary Mathematics, AMS, 2005.

[24] P. Fitzpatrick and J. Flynn, "A Gröbner basis technique for Padé approximation," J. Symbolic Computation, 24(5), pp. 133–138, 1992.

[25] M. Borges-Quintana, M.A. Borges-Trenard and E. Martínez-Moro, "A General Framework for Applying FGLM Techniques to Linear Codes", AAECC 2006, Lecture Notes in Computer Science, pp. 76–86, 2006.

[26] P. Loustaunau and E.V. York, "On the decoding of cyclic codes using Gröbner bases," AAECC, vol. 8 (6), pp. 469–483, 1997.

[27] P. Fitzpatrick, "On the key equation", IEEE Transactions on Information Theory, 41, no. 5, pp. 1290–1302, 1995.

[28] C. Lossen and A. Frühbis-Krüger, "Introduction to Computer Algebra (Solving Systems of Polynomial Equations)", http://www.mathematik.uni-kl.de/~lossen/SKRIPTEN/COMPALG/compalg.ps.gz, 2005.

[29] B. Buchberger, "Ein Algorithmus zum Auffinden der Basiselemente des Restklassenrings", Ph.D. thesis, Innsbruck, 1965.

[30] G.-M. Greuel, G. Pfister and H. Schönemann, Singular 3.0. A computer algebra system for polynomial computations. Centre for Computer Algebra, University of Kaiserslautern (2007). http://www.singular.uni-kl.de.

[31] Magma V2.14-4, Computational Algebra Group, School of Mathematics and Statistics, University of Sydney, Website: http://magma.maths.usyd.edu.au, 2007.

[32] CoCoA: a system for doing Computations in Commutative Algebra, http://cocoa.dima.unige.it, 2007.

[33] J.-C. Faugère, "A new efficient algorithm for computing Gröbner bases (F4)," Journal of Pure and Applied Algebra, 139(1–3), pp. 61–88, 1999.

[34] J.-C. Faugère, "A new efficient algorithm for computing Gröbner bases without reduction to zero (F5)," in T. Mora, editor, Proceedings of the 2002 International Symposium on Symbolic and Algebraic Computation ISSAC, pp. 75–83, 2002.

[35] FGb, http://fgbrs.lip6.fr/jcf/Software/FGb/index.html, 2007.

[36] J.-C. Faugère, P. Gianni, D. Lazard and T. Mora, "Efficient Computation of Zero-dimensional Gröbner Bases by Change of Ordering", J. Symb. Comput., 16, pp. 329–344, 1993.

[37] T. Mora, E. Orsini and M. Sala, "General error locator polynomials for binary cyclic codes with t ≤ 2 and n < 63," BCRI Preprint, 2005.

[38] M. Sala, "Gröbner basis techniques to compute weight distributions of shortened cyclic codes," J. Algebra Appl., vol. 6, no. 3, pp. 403–414, 2007.

[39] T. Mora and M. Sala, "On the Gröbner bases for some symmetric systems and their application to coding theory," J. Symb. Comp., vol. 35, no. 2, pp. 177–194, 2003.

[40] D. Augot, "Description of minimum weight codewords of cyclic codes by algebraic system," Finite Fields Appl., vol. 2, no. 2, pp. 138–152, 1996.

[41] D.C. Gorenstein and N. Zierler, "A class of error-correcting codes in p^m symbols," Journ. SIAM, vol. 9, pp. 207–214, 1961.

[42] F.J. MacWilliams and N.J.A. Sloane, "The Theory of Error-correcting Codes", Amsterdam-New York-Oxford: North Holland, 1977.

[43] A.E. Heydtmann and J.M. Jensen, "On the equivalence of the Berlekamp-Massey and the Euclidean algorithms for decoding," IEEE Trans. Inform. Theory, vol. 46, pp. 2614–2624, 2000.

[44] K.K. Tzeng, C.R.P. Hartmann and R.T. Chien, "Some notes on iterative decoding," Proc. 9th Allerton Conf. Circuit and Systems Theory, 1971.

[45] P. Stevens, "Extensions of the BCH decoding algorithm to decode binary cyclic codes up to their maximum error correction capacities," IEEE Trans. Inform. Theory, vol. IT-34, pp. 1332–1340, 1988.

[46] D. Augot, M. Bardet and J.-C. Faugère, "On the decoding of cyclic codes with Newton identities", to appear in Special Issue "Gröbner Bases Techniques in Cryptography and Coding Theory" of Journ. Symbolic Comp., 2008.

[47] J. Fitzgerald, "Applications of Gröbner bases to Linear Codes," Ph.D. Thesis, Louisiana State University, 1996.

[48] J. Fitzgerald and R.F. Lax, "Decoding affine variety codes using Gröbner bases," Designs, Codes and Cryptography, vol. 13, pp. 147–158, 1998.

[49] M.G. Marinari, H.M. Möller and T. Mora, "Gröbner basis of ideals defined by functionals with an application to ideals of projective points," Appl. Algebra Engrg. Comm. Comput., 4, no. 2, pp. 103–145, 1993.

[50] S. Bulygin and R. Pellikaan, "Bounded distance decoding of linear error-correcting codes with Gröbner bases," to appear in Special Issue "Gröbner Bases Techniques in Cryptography and Coding Theory" of Journ. Symbolic Comp., 2008.

[51] T. Høholdt, J.H. van Lint and R. Pellikaan, "Algebraic geometry codes," in Handbook of Coding Theory, vol. 1, pp. 871–961 (V.S. Pless and W.C. Huffman eds.), Elsevier, Amsterdam, 1998.

[52] R.J. McEliece, "A public-key cryptosystem based on algebraic coding theory," DSN Progress Report, vol. 42-44, pp. 114–116, 1978.

[53] H. Niederreiter, "Knapsack-type crypto systems and algebraic coding theory," Problems of Control and Information Theory, vol. 15 (2), pp. 159–166, 1986.

[54] S. Bulygin, Err.lib, http://www.mathematik.uni-kl.de/~bulygin/files/Err.lib, 2006.

Index

affine variety code, 15

Cooper's philosophy, 6

CRHT ideal, 7; CRHT syndrome variety, 7

decoding: formal, 14; generic, 14; one-step, 14; online, 14

defining set, 5; complete defining set, 5

error-locator polynomial, 11; general, 8; multi-dimensional, 18

generalized Newton identities, 12

generalized power sum function, 6

Gröbner basis, 3; reduced, 4

leading coefficient, 3; leading monomial, 3; leading term, 3

MDS matrix, 19; ordered MDS basis, 19

monomial order, 3; elimination order, 4

syndrome: known, 6; syndrome polynomial, 13; unknown, 6, 19