2010 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 Minimal Vectors in Linear Codes A. Ashikhmin and A. Barg Abstract— Minimal vectors in linear codes arise in numerous applications, particularly, in constructing decoding algorithms and studying linear secret sharing schemes. However, properties and structure of minimal vectors have been largely unknown. We prove basic properties of minimal vectors in general linear codes. Then we characterize minimal vectors of a given weight and compute their number in several classes of codes, including the Hamming codes and second-order Reed–Muller codes. Further, we extend the concept of minimal vectors to codes over rings and compute them for several examples. Turning to applications, we introduce a general gradient-like decoding algorithm of which minimal-vectors decoding is an example. The complexity of minimal-vectors decoding for long codes is determined by the size of the set of minimal vectors. Therefore, we compute this size for long randomly chosen codes. Another example of algorithms in this class is given by zero-neighbors decoding. We discuss relations between the two decoding methods. In particular, we show that for even codes the set of zero neighbors is strictly optimal in this class of algorithms. This also implies that general asymptotic improvements of the zero-neighbors algorithm in the frame of gradient-like approach are impossible. We also discuss a link to secret-sharing schemes. Index Terms— Minimal vectors, minimum distance decoding, Reed– Muller codes, secret sharing, zero neighbors. idea is to construct a certain fixed set of code vectors used to successively improve the current decision. This idea bears similarity with methods of steepest descent in continuous spaces. This feature enables us to introduce a general gradient-like decoding algorithm of which minimal-vectors decoding and another known method, the zero-neighbors decoding [15], are examples. We show basic properties of this method, which allows us to analyze both examples in a simple and unified manner. Further, we show that under certain conditions, gradient-like algorithms must examine all zero neighbors, and therefore, the size of this set provides a lower bound on the complexity of algorithms in this class. In the final section, we briefly review a link of our subject to secret-sharing schemes. II. MINIMAL VECTORS 6 The subject of this correspondence is minimal vectors in linear codes, i.e., vectors that do not cover other nonzero vectors except maybe proportional ones. Minimal vectors were extensively studied in combinatorics (cycles in linear matroids). In the coding context, minimal vectors were introduced in [14] where they were used to construct a minimum-distance decoding algorithm of linear codes (see Section IV). For the Euclidean space, this connection was again addressed in [1]. Recently, interest in this subject has been renewed in a series of works sparked by [17], where it was observed that minimal vectors in linear codes describe minimal access structures in linear secret sharing schemes defined by these codes. We begin with general properties of collections of minimal vectors in linear codes. Then we consider some examples, computing minimal vectors in the Hamming, second-order Reed–Muller, and some other codes. It turns out that there exist linear codes all of whose nonzero vectors are minimal. Under the name of intersecting these codes were studied in [8]. The Carlitz–Uchiyama bound shows (see below) that codes dual to the binary Bose–Chaudhuri–Hocquengham (BCH) codes are intersecting. On the other hand, for BCH codes themselves the problem of characterizing minimal vectors seems difficult to approach. Even for two-error-correcting binary BCH codes a recent attempt [7] ended with only a partial result. Next we show how to extend the concept of minimality to codes over Galois rings and compute minimal vectors in Z 4 Kerdock codes, first-order Reed–Muller, and Hamming codes. Turning to the minimal-vectors decoding algorithm, we observe that the underlying Manuscript received February 15, 1997; revised November 5, 1997. A. Ashikhmin is with the Los Alamos National Laboratory, Mail Stop P990, Los Alamos, NM 87545 USA. A. Barg was with the Department of Mathematics and Computing Science, Technical University of Eindhoven, Eindhoven, The Netherlands. He is now with Lucent Technologies, Bell Laboratories, Rm. 2C-375, Murray Hill, NJ 07974 USA. Publisher Item Identifier S 0018-9448(98)05084-6. LINEAR CODES A. General Properties Let Eqn be the n-dimensional coordinate space over the field F q . Let C  Eqn be an [n; k; d] linear code. We use a shorthand notation [n] := f1; 2; 1 1 1 ; ng for the set of code coordinates. A support of a vector c is defined as supp (c) = fi 2 [n]: ci 6= 0g. If supp (c0 )  supp (c) (respectively, ), we also write c 0  c (respectively, ). 0= I. INTRODUCTION IN Definition: A nonzero vector c 2 C is called minimal if c0  c implies c0 = acc, where c0 is another code vector and a is a nonzero constant. The support of a minimal code vector is called minimal with respect to C . Therefore, no minimal vector covers a nonzero code vector with a smaller support. Let M(C ) be the set of minimal vectors of a given code C . If the context does not allow ambiguity, we omit C in this notation and write simply M. For binary codes, M(C ) can be also viewed as the set of minimal supports. In the general case, minimal supports define a set of lines in the code. Let H be the parity-check matrix of C . By H (U ) we denote its restriction to columns indexed by a subset U  [n]: Basic properties of M are characterized in the following lemma. Lemma 2.1: 1) Let U  [n] be the support of a vector c 2 C . Then U is minimal if and only if rk (H (U )) = jU j 0 1. 2) (U is minimal) ) (jU j  n 0 k + 1). 3) Every support of size jU j  d(1 + 1=(q 0 1)) 0 1 is minimal. 4) The linear span of M(C ) coincides with C . 5) Let C be a binary code. Then if c 2 C; c 2 = M(C ) there is a pair of nonzero code vectors c1  c and c2  c with disjoint supports such that c = c1 + c 2 . Proof: The only if part of Part 1) is obvious. Let us prove the converse. Let h i be the ith column of H (U ). By the assumption, there exist w = jU j nonzero numbers i such that w i=1 ih i = 0 and some w 0 1 of these columns, say the first, are linearly independent. Suppose there exists a code vector c 0 ; c 0  c, i.e., there exists a vanishing linear combination of columns that does not involve at least one of the first w 0 1 columns, for instance, 0018–9448/98$10.00  1998 IEEE w i=2 ih i = 0 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 with w 6= 0. Multiply this sum by w =w and subtract from the first one. This gives a linear dependence between the first w 0 1 columns, a contradiction. Part 2) is implied by Part 1). To prove Part 3), suppose that c 2 C is a nonminimal vector of weight wt (c)  d(1 + 1=(q 0 1)) 0 1: Consider q 0 1 code vectors c 0 acc0 , where a runs over all nonzero constants. Summing up their weights, we get (q 0 1) wt (c)0 wt (c0 ). Thus their average weight is wt (c) 0 (q 0 1)01 wt (c0 ). One of these vectors, say c00 has weight at most the average. Together with our assumption this implies a contradiction wt (c00 )  wt(c) 0 =d 0 1: wt(c0 ) q01 d 1+ 1 q01 0 1 0 q 0d 1 Part 4) will follow from Lemma 4.3 below. Part 5) is obvious. Note that Part 1) of this lemma gives a straightforward way to check whether a given code vector is minimal. This lemma enables one to give immediate characterization of minimal vectors in some codes. Examples: 1) Binary Golay Codes: Let C = G23 be the binary [23; 12; 7] Golay code. We have n 0 k + 2 = 2d 0 1 = 13. Thus M(G 23 ) f = 3335 vectors of weight  12g (this was found by a search algorithm in [1]). The same argument ? , which gives applies to the dual [23; 11; 8] code G23 M(G ? ) = f1794 vectors of weights 8 and 12g: For the extended code G , we have n 0 k + 2 = 2d 0 1, and the 23 2011 vectors in C and EMw its average number of the ensemble over random linear codes. Theorem 2.2: We have n w 0; EMw = 0 1) 0 (1 0 q0 0 0 q 0 w w (q n d(C ) + d(C ? ) = (n 0 k + 1) + (k + 1) = n + 2: This is the largest possible value for this sum. If C is not MDS, then clearly d(C ) + d(C ? )  n. A code is called near-MDS [9] if this holds with equality. This definition implies that any k? + 1 columns of the parity-check matrix of C have rank k? [9]. Thus M(C ) = fvectors of weight d and d + 1g. B. Random Codes To understand the structure of minimal vectors in long codes, let us suppose that C is a random linear code whose parity-check matrix has independent equiprobable entries. Let Mw be the number of minimal (n i) k ); i=0 w  n 0 k +1 otherwise. (1) Proof: Let n; k (w) be the probability that a given support of size w is minimal. By the definition, code vectors sharing the same n n; k (w). support are proportional, therefore, EMw = (q 0 1) w The event considered is that some (say, first) w 0 1 columns of H among the chosen w columns are linearly independent and the remaining column is their linear combinations with w 0 1 nonzero coefficients. The number of collections of w columns that satisfy the above conditions equals (q 0 n k 0 1)(q 0 0 q) 1 1 1 (q 0 0 q 0 )(q 0 1) 0 n n k k 2 w w 1 and the total number of choices is q w(n0k) . The probability n; k (w) equals the quotient of these quantities. Intuitive understanding of this result is acquired by asymptotic analysis. This is not only interesting in itself, but also is used below in Section IV to assess certain decoding algorithms. Let n ! 1; (n 0 k) ! 1. We shall compare the number of minimal vectors Mw with the number of all code vectors of weight w. Let Nw denote this number. The probability that a given vector satisfies a random check equation is q 01 ; therefore, the probability that this vector is contained in a random code with n 0 k checks equals q 0(n0k) : Thus 24 answer is also obvious. 2) Binary Intersecting Codes: These codes were introduced in [8]. They are linear codes in which any pair of nonzero code vectors intersect. By Lemma 2.1, Part 5, this is equivalent to the fact that M(C ) = C nf0g. Let C be the binary code dual to the BCH code of length n = 2m 0 1 with designed distance d = 2t + 1 and t  13 2(m=2)01 . Then by the Carlitz–Uchiyama bound [16, Ch. 9], the maximum weight D of C is bounded from above as D  2m01 + (t 0 1)2m=2 . By the same bound, the quantity 2d  2m 0 2(t 0 1)2m=2 > D: Thus M(C ) = C f0g and C is intersecting [8, Proposition 9]. 3) Maximum-Distance-Separable (MDS) Codes: In an [n; k; d] MDS code C , the set of minimal vectors coincides with the set of all n (q 0 1) d codewords of weight d (by Part 2) of the lemma). For an [n; k; n 0 k] code C , the answer is generally not as obvious. However, there is a subclass of codes with these parameters, namely “near-MDS” codes of [9] for which it is easily given. These codes are defined as follows. If a code C is MDS, then so is its dual C ? , and k 2 n w ENw = 0 1) (q w q 0 n (2) k a classical result of coding theory [10]. From this we see that the difference between EMw and ENw is in the factor w 02 (1 i=0 0 q0 0 0 (n k i) ): It will be seen that the asymptotic behavior of EMw depends on the difference between w and n 0 k + 1. Let w = (n 0 k + 1) 0 `; `  0: To simplify the analysis, we shall use the notation t = n 0 k, so that ` = t 0 w + 1. Using this notation, the product in question takes the form ti=`+1 (1 0 q 0i ): Since we study its limit value as n ! 1, we are interested in the behavior of the function (q; `) := 1 (1 0 q0 ): i i=`+1 Its properties are given in the following lemma. 1) 2) 3) 4) Lemma 2.3: The product (q; `) converges for any `  0. For ` ! 1 we have (q; `) ! 1. For ` = const, 1 0 q 0` < (q; `) < 1: The function (q; `) is monotone increasing in one argument if the other argument is fixed. Proof: By [13, Theorem 353] 1 + 0(1 2)(3 + ) (01) q 01 01 0 q02 + q05 + q07 0 1 1 1 : =10 q (q; 0) = i = i i i= It is known and can be easily checked that this series converges. The quantity (q; `) for any fixed ` > 0 differs from (q; 0) by a 2012 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 constant. This proves Part 1) for constant `. Further, for any ` > we have t 1 > (1 i=`+1 0 q0i ) >10 t i=`+1 0 q 0i > 1 0 q 0` : q; `) for ` growing and implies This proves the convergence of Parts 1)–3). Part 4) is obvious. ( Thus if w is not too close to n 0 k + 1, then on the average almost all code vectors of weight w in a random code are minimal. Let us formulate this as a corollary. Corollary 2.4: Let n ! 1; 0 < w < (n 0 k + 1) 0 `; ` ! 1. Then limn!1 (EMw =ENw ) = 1: If w differs from n 0 k + 1 by a constant, then the quotient EMw =ENw tends to a constant between 0 and 1. In particular, from the series expansion for (q; 0) we compute (2; 0) = 0:288 1 1 1 ; which is a familiar fraction of nonsingular square matrices over F 2 . Otherwise, (q; `) is always greater than 1=2. This is shown by computing (3; 0) = 0:560 1 1 1 and applying Lemma 2.3, Part 4). This shows that for all q  2 and all w  n 0 k + 1 except for the case q = 2; w = n 0 k + 1 on the average more than half of code vectors of weight w are minimal. The total average number of minimal vectors in a random code is given in the following corollary. ! 1; k Rn; 0R 0 0R ; Corollary 2.5: Let n 1 n logq Hq (1 EjMj = = ) (1 0 ) R; < R < 1. Then 0 q01 q  1 0 R < 1. <10R < q01 q Here Hq (1) is the entropy function. Proof: As long as 1 0 R < (q 0 1)=q , asymptotically the sum EjMj = n0k+1 EMw w=0 is dominated by the term EMn0k+1 . We have just shown that EMn0k+1 q; = ( Proof: Consider s = w 0 1 linearly independent columns in the parity-check matrix H of the code C . The total number of linear combinations of these columns with nonzero coefficients equals s (q 0 1) ; the 1=(q 0 1)th fraction of them appear as columns in H distinct from the chosen columns (since they are linearly independent). Every choice of w linearly dependent columns of which s = w 0 1 are linearly independent, defines a minimal code vector. Thus one has to count the number of distinct choices of s linearly independent columns in H . This number equals 1 s! n(n 0 1) n 0 q2 0 1 q01 111 n0 q s01 0 1 : q01 Taking into account that all the ww 01 choices of w 0 1 linearly independent columns within a given support of size w yield one and the same code vector, we find that the number of minimal vectors of weight w in the code equals Mw = 1 w 0 1)!w ( n(n 0 1) n 0 q2 0 1 q01 111 n0 q s01 0 1 q01 The substitution of the value of n gives the desired result. A similar argument in the binary case yields the following fact. Theorem 2.8: In the extended Hamming code of length 2m , the number of minimal codewords of even weight w; 4  w  m + 2, equals Mwex 1 = w! m 2 w03 m (2 i=0 0 i : 2 ) Proof: As above, we have to count the number of choices of w linearly independent columns in the parity-check matrix, of which w 0 1 are linearly dependent. Since only half of the total of 2m+1 columns of length m + 1 are present in H , every t 0 1 linearly independent columns forbid 2t02 columns in H . Therefore, we can choose w 0 1 linearly independent columns in w03 n w 0 1)! i=0 ENn0k+1 : 0) ( n 0 2i ) ( Conclude by using (2). different ways. As above, this has to be divided by ww 01 . In Section IV we use the variance of the number of minimal vectors in C . This has been estimated in [3]. We quote this result only for the binary case. D. Second-Order Reed–Muller Codes Theorem 2.6 [3]: Let C be a random binary linear code with distance d. Then Var Mw  EMw 0d=2 EMw ): C. Hamming Codes Let C be the q -ary Hamming code of length n = (qm 0 1)=(q 0 1). For the binary case, the required set of vectors forms a configuration defined by J. Steiner, from which later the modern notion of Steiner systems has been coined. Formula (3) is quoted in [12] with a reference to [20]. Its proof for any q is given below. Steiner’s original definition is cited in the Appendix. Theorem 2.7: The set M(C ) is formed by Mw vectors of every weight w; 3  w  m + 1, where Mw = 1 w02 w! i=0 q m 0 q i ): ( Let C = RM (2; m) be the second-order binary Reed–Muller code [16, Ch. 15]. Its parameters are [n = 2m ; k = 1 + m + m 2 ; d = 2m02 ]. Let Aw the number of vectors of weight w in C . Then Aw = 0 except for w = 2m01 ; w = 2m01 6 2m010h ; (1 + 2 (3) q 0 1)s : ( 0  h  bm= c 2 (4) (see [16, ch. 15]). In particular, it is known that Ad = m = (4 3)(2 0 m01 1)(2 0 : 1) Let Mw be the number of minimal vectors of weight w > 0 in C . Theorem 2.9: For w = 2m01 + 2m010h ; h = 0; 1; 2; there are no minimal code vectors (Mw = 0). Otherwise, Mw = Aw , except for the case w = 2m01 , when the number of nonminimal vectors equals A2 0 M2 m+1 = 2 0 2+ Ad (2m01 0 2): (5) Thus the only weights when there exist nonminimal codewords are = n; (5=8)n; n (all codewords) and (1=2)n (part of them). (3 4) IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 Proof: Let c 2 C be nonminimal. Then by Lemma 2.1, Part 5) there are c1 ; c2 2 C n f0g such that c 1 + c 2 = c . Let w1 ; w2 ; w be the weights of these vectors. We have w = w1 + w2 2 d m01 = =2 n=2: m01 + 2m010h = 2m01 + 2m01 0 2m010h 2 where h; h1 are some integers between 1 and bm=2c. This is possible only if h = h1 = 1. Thus if either w1 or w2 equals n=2, we have the following subcase: i) (w; w1 ; w2 ) = ( 43 n; 12 n; 14 n). If w > n=2 and both w1 and w2 differ from n=2, then (6) yields the equation or 0h = 1 0 20h 2 m01 +2 0 2m0 0h 6 20h 1 ; h; h1 ; h2 6 2m0 0h 1 6= 0 m = 2(2 0 1) : In the second case, the image of X in the (three-dimensional) quotient space F m =W is a set of four points that do not constitute an affine plane. Hence the total number of vectors X of this type equals N2 = m m 03 8 4 02 3 2 bm=2c Bn=2 : Thus the number of nonminimal vectors A2 0 M2 = N1 + N2 , which gives the claimed number if one recalls the expression for Ad given before the theorem. = m02h+1 (2 02 A2 h=2 n=2 0 2) : in (7) III. MINIMUM VECTORS IN CODES OVER RINGS Codes over Galois rings have been a subject of considerable attention lately. In this section we extend the definition of minimal vectors to this case and give some examples. Let S be a finite commutative ring S with identity e, whose set of zero divisors has the form pS for a certain prime p, also known as a Galois ring. It is known [19] that jS j = q m ; m  1; where q = ps for some s  1, and the characteristic of S (the order of e in the group m m m (S; +)) equals p . Since fixing the numbers p and q identifies m m S up to isomorphism, it may be also denoted as GR (q ; p ). All ideals of S form the following chain: N0 = : Obviously, this equality cannot be satisfied with the “+” sign whereas for the “0” the only possibilities for (h; h1 ; h2 ) are (1; 2; 2) and (2; 2; 1). This gives rise to two subcases: ii) (w; w1 ; w2 ) = ( 34 n; 38 n; 38 n); iii) (w; w1 ; w2 ) = ( 85 n; 38 n; 14 n). This exhausts the possibilities for w > n=2. Let us examine them. All code vectors of one and the same weight w 6= n=2 are affinely equivalent, i.e., if there exists one nonminimal vector of weight w, then applying a suitable automorphism, one concludes that all code vectors of weight w are nonminimal. Suppose (x1 ; 1 1 1 ; xm ) are the affine coordinates on F m = AG (m; 2). Then the code vector given by the incidence vector of the equation x1 x2 = 0 has weight 3n=4 and covers the incidence vector (of weight n=2) of the hyperplane x1 = 0. This shows that every code vector of weight 3n=4 is nonminimal and is formed by a disjoint union of a vector of weight n=2 and a vector of weight n=4, while subcase ii) is never realized. Likewise, in case iii), the incidence vector of x1 x2 + x3 x4 = 0 has weight 5n=8 and contains the vector given by (x1 +x2 )(x3 +x4 ) = 1. What is left is the case of w = n=2. This case is more difficult. Fortunately, the structure of nonminimal code vectors of weight n=2 is known. Let c be such a vector. Then c is a sum of two nonzero code vectors of minimal weight. By [16, Theorem 13.5], any vector of minimal weight in C corresponds to an (m 0 2)-dimensional flat in F m . Hence the subset X of F m corresponding to c is a disjoint union of two (m 0 2)-dimensional flats in F m , say A1 and A2 . Let V1 and V2 be the (m 0 2)-dimensional linear spaces parallel to A1 and A2 , respectively. The disjointness of A1 and A2 implies that dim (V1 + V2 ) < m. Hence either V1 = V2 and X is an (m 0 1)flat or W = V1 V2 has dimension m 0 3. The number N1 of nonminimal vectors of weight n=2 of the first type equals the number of (m 0 1)-flats in F m N1 Remark: The number of minimal vectors of weight RM (2; m) equals (6) First suppose that w > n=2. Then there are two possibilities, namely, either one of the weights w1 ; w2 equals n=2 or not. In the former case, (4) and (6) imply the following equality: m01 m010h m01 2 +2 =2 2013 S  N1 = pS   N2 = 2 p S  111 01 = pm01 S  Nm = pm S = 0 Nm (8) and jNi j = q m0i : Consider a “linear” code C over S , i.e., a set of strings of n elements of S such that if c1 ; c2 2 C then also a1 c 1 + a2 c 2 2 C for any a1 ; a2 2 S , i.e., an S -module. The original definition in Section II is not applicable in this case because of zero divisors in the ring. Namely, it is often possible to multiply a nonzero codeword by a nonzero constant so that it becomes all-zero. Therefore, in this section we find it more convenient to speak of supports than of codewords. Another reason is that S is not a vector space. The number T (c ) = f min i2supp (c) u: ci 2 Nu g will be called the type of the word c. Let us call the number = minsupp (c)=I T (c) the type of a subset I  [n]. If there is no word with support I , the type of I is undefined. T (I ) Definition: A subset I  [n] of type t is called minimal if there does not exist a codeword c with T (c)  t and supp c  I . This yields a hierarchy of minimal subsets of types 0  t  m 0 1. The collection of type t minimal subsets will be denoted by Mt (C ). Examples: 4) Consider the first-order Reed–Muller code ZRM (1; v ) of length v over Z [11]. Then there are two types of minimal words, n = 2 4 namely, those of types 0 and 1. It can be easily seen that M0 consists of a single set I = [n] and M1 consists of 2v+1 0 2 subsets (supports of words) of size n=2. 5) Let C be the Z 4 Kerdock code of length n = 2v , where v is an odd number, v  5, [11], [18]. Then M0 is formed by the type v 01 + 2v 02 6 2(v 03)=2 (the number of 0 minimal subsets of sizes 2 subsets of either size is 2v+1 (2v 0 1)) and M1 consists of 2v+1 0 2 subsets of size n=2. Therefore, all supports except the one of size n are minimal. 6) Let C be the Z 4 “Hamming” code with the parity-check matrix 1 0 0 0 1 0 0 2 1 0 2 0 1 0 2 2 1 2 0 0 1 2 0 2 1 2 2 0 1 2 2 2 whose columns are formed by all the n = 2v possible vectors of zeros and twos, each preceded by a 1. This code is orthogonal over Z 4 to the ZRM (1; v ) code of Example 1. The binary image of this 2014 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 code under the mapping (0 ! 00; 1 ! 10; 2 ! 11; 3 ! 01) is a nonlinear (2v +1 ; 22 0(v+1)01 ; 4) code. Let M = M0 [ M1 be the set of minimal supports with respect to Hv . We refer to [3] for the proof of the following theorem. Theorem 3.1 [3]: The number of minimal supports of type and size w in Hv equals M (0) w = 1 w! v 2 w03 i=0 v 0 2i ); (2 4   w v + 1; w even: 0 (9) Let us prove that this algorithm always converges to the nearest code vector. Theorem 4.2: For any set of code vectors satisfying (11) the gradient-like algorithm performs a complete minimum-distance decoding. The time complexity of this algorithm is O (n2 jT j): The space complexity is O (njT j). Proof: Let y 62 D(0). The algorithm expands y into a sum of test vectors. Suppose that after m steps no further test vectors satisfying (11) are found. This means that we managed to bring y “down” to D(0) Every pair of coordinates forms a minimal support of type 1, thus (1) M2 = n 2 m e = y + (10) : u=1 By Lemma 4.1 this means that IV. MINIMUM DISTANCE DECODING In this and the next section we outline two applications of minimal vectors mentioned in the Introduction. We begin with minimum distance decoding algorithms. In this section we deal with binary codes only. We introduce a general gradient-like decoding algorithm and study its properties. One of the first works devoted to minimal vectors was paper [14], where they were used to construct such a decoding algorithm. This algorithm bears similarity to the steepest descent methods for computing optima in continuous spaces. Another example of algorithms of this type, the zero-neighbors decoding, was provided in [15]. Our results provide a framework for the study of algorithms of this type and show their limits. The minimum distance decoding problem that we consider is formulated as follows. We are given a linear code C  E2n . The problem is to implement the mapping f : E2n ! C such that 8x2E x; dist (x x)) = f (x x; dist (x C ): If for a certain x , this is satisfied for many code vectors, the value of x) is chosen arbitrarily from them. This function gives rise to the f (x concept of Voronoi regions of code vectors in E2n . Let c 2 C , then the Voronoi region D(cc) is defined as follows: c) := D(c f 2 x n j dist (xx; c)  dist E2 0 0 2 C g: x; c ); c (x Any point of E2n is contained in at least one Voronoi region; some points fall into many regions. Note that geometrically Voronoi regions of different code vectors in a linear code C all have the same shape. Namely, the following property follows directly from the definition. Lemma 4.1: 0. Let c ; c 0 2 C and let x 2 D(cc). Then x + c 0 2 c + c ) D(c Let us define the general gradient-like decoding method. A general principle of the decoding is to construct a set T of codewords in such a way that every vector y either lies in D(0) or there exists a z 2 T such that wt (yy + z ) < wt (yy): (11) Any set T  C satisfying this property will be called a test set. This suggests that the decoding can be accomplished by recursively inspecting the test set for the existence of such a vector z and subtracting it from the current vector. Let y be the received vector. Let us formulate the algorithm. Gradient-like decoding: 1) Set c = 0. 2) Find z 2 T such that wt (yy + z ) < wt (yy ). Let c c + z; y y + z. 3) Repeat until no such z is found. Output c. y z 2 u 2 D(0): m zu . u=1 D Submitting a code vector c 6= 0 to this algorithm, we observe that it constructs a decomposition of zero in the form 0 = c + u z u: In addition, we can observe that in each step the algorithm produces a vector of a strictly smaller weight. Let us formulate this as a lemma. 6 Lemma 4.3: Let T  C be a test set. Then any code vector can be decomposed into a sum c = 0 m c = u=1 z u; z u 2T; m1 where wt (cc) > wt (cc + z 1 ) > wt (cc + (zz 1 + z 2 )) > 1 1 1  0: Thus the linear span of T equals the entire code C . The set M of minimal vectors of a binary code forms a test set. Lemma 4.4: Minimal vectors in a binary linear code form a test set. Proof: Let y 62 D(0). Then there is a code vector c such that wt (yy + c ) < wt (yy). If c is not minimal, then it can be decomposed into a sum c = u m u of minimal vectors with disjoint supports. Clearly, for at least one of these vectors, say m1 , we must have wt (yy + m 1 ) < wt (yy). Note that Lemma 2.1, Part 5) left without proof earlier now follows from the last two lemmas. Therefore, minimal vectors can be used for decoding. To estimate the complexity of this decoding for long random codes, we use Corollaries 2.4, 2.5, and Theorem 2.6. First, Corollary 2.5 implies that the average decoding complexity for rates 0 < R < (q 0 1)=q behaves exponentially in the same way as that of the exhaustive search. To estimate the worst case complexity, we use the expression for the variance in Theorem 2.6. This amounts in standard calculations using Stirling approximation (see [3]) that we omit. The conclusion is that, at least for low code rates, the worst case complexity of minimalvectors decoding has the same order of magnitude as the average-case complexity. Note that in examples the number of minimal code vectors can be much smaller than the total size of the code. This is the case for all codes whose distance is close to n 0 k +1 since then many vectors have weight greater than n 0 k + 1 and cannot be minimal. An extreme example is MDS codes (Example 3 in the previous section). Another example is Hamming codes. Namely, using (3) we see that as n ! 1, the number of minimal vectors is of exponential order at most q m = q log n(1+o(1)) . The total number of code vectors is n0O(log n) . q IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 Another example of decoding algorithms in this class was given in [15]. Let A  E2n and let X (A) be formed by all the points of E2n at a distance 1 from A X (A) = fx j dist (x; A) = 1g: A as follows: @A = X (A) [ X (A): code vectors c1 ; c 2 are Define the boundary of Definition: Two called neighbors if their Voronoi regions share a common boundary, i.e., if @D(c1 ) \ @D(c2 ) 6= ;: A neighbor of the zero vector is called a zero neighbor. Note that here we deviate slightly from [15]. This enables us to give the definition of zero neighbors in symmetric form. Let Z be the set of zero neighbors. The definition has the following simple consequence: (12) X (D(0)) \ D(z) 6= ;) ) z 2 Z : Indeed, x 2 X (D(0)) \ D(z ) implies that there is a y 2 D(0) at a distance 1 from x . Hence y 2 @D(0) \ @D(z ). 2015 Thus we may further restrict the test set of vectors by choosing a smallest subset of Z with this property. Denote this subset by Zmin . (This is how zero neighbors were originally defined in [15].) Note that though the set Zmin may not be unique, its size is well-defined. Therefore, let Zmin = jZmin j: First, we prove that for codes with only even weights of codewords zero neighbors in the set Zmin form a test set of the smallest possible size. Theorem 4.7: Let C be a binary linear code all of whose codewords have even weight and let T  C be a test set. Then jT j  Zmin . Proof: Let y 2 X (D(0)) and let z 2 T be such a vector that wt (y 0 z ) < wt (y ). Since dist (y ; D(0)) = 1, we can choose a vector x 2 D(0) with dist (x; y ) = 1 and x  y . We have dist (z ; y ) < dist (0; y ) = dist (0; x) + 1  dist (c; x) + 1; ( Decoding with zero neighbors proceeds in the same way as with minimal supports except that now we choose the test set T in Algorithm 2.1 equal to Z . This version of the algorithm is called zero-neighbors decoding, first introduced in [15]. The zero-neighbors decoding always converges to the closest code vector. To justify this we again verify that Z is a test set. Theorem 4.5 [15]: The zero-neighbors algorithm performs a complete minimum distance decoding. Proof: Let y 62 D(0). Consider a chain of inclusions  ...  y  y  y = y where wt (y i ) = wt (y i0 ) 0 1. Clearly, there exists a number i such that y i 2 D(0) and y i 2 @D(0) n D(0). Then y i 2 D(z ) for some z 2 Z . We have wt (y 0 z ) = dist (y; z )  dist (y; y i ) + dist (yi ; z ) 0 2 1 0 1 dist (c; x) = dist (c; y ) 0 1: Then (14) implies The complexity of zero-neighbors decoding was estimated in [15] as follows. Theorem 4.6 [15]: For almost all codes, both time and space complexity of zero-neighbors decoding behaves as 2 (R)n(1+o(1)) , where  R  1 0 H (1=4) (R) = 0 H (1=4) < R  1 where  is the smallest positive root of R = 1 0 H ( ). R; (H2 (20 ) 0 (1 0 R)); 0 1 b) Let C 00 0 X (D(0))  z 2Z D(z ): (13) (15) dist (c; x) = dist (c; y ) + 1: Definition (11) implies dist (0; y )0dist (z ; y )  1. Suppose that this holds with equality. Let wt (y) = w, then dist (z ; y ) = wt (z ) + wt (y ) 0 2wt (z \ y ) or 2wt (z \ y ) = wt (z ) + 1: This contradicts our assumption that Therefore, C has only even weights. dist (0; y ) 0 dist (z ; y )  2: Then (14) implies dist (z ; y )  dist (0; y ) 0 2  dist (c; x) 0 1 = dist (c ; y ); 8c 2 C : 00 (16) Inequalities (15) and (16) together imply that 2 The memory used by the algorithm is spent on storing zero neighbors. Therefore, (R) also gives an estimate of the exponent of the size of Z for most long codes. This size grows slower than the total size of the code for R > 1 0 H2 (1=4)  0:189. We conclude that the complexity of this decoding for almost all codes and for R > 0:189 is exponentially smaller than that of minimal-vectors decoding. Two last results of this section deal with characterization theorems for zero neighbors and minimal vectors in linear codes. Let us first take a closer look at the set of zero neighbors. The only property of the set Z that is essential for the successful decoding is formulated in (12) 0  C be the subset of codewords for which 2 2 c2C : dist (z ; y ) < dist (c; y ); < dist (y ; y i ) + dist (y i ; 0) = wt (y ): Z is a test set and the theorem follows. (14) Clearly, for any c 2 C we have dist (c; x) = dist (c; y ) 6 1. a) Consider the subset C 0  C for which +1 Hence 8 c 2 C: y 2 D(z ): Running over all y 2 X (D(0)), we collect a subset T X (D(0))  z 2T 0  C with D(z ): jT j  jT j  Z : Since M is a test set, this theorem implies that for C an even binary linear code, jMj  Z . However, it is possible to prove a Then 0 min min stronger fact, namely, that in any even binary linear code there is a set Zmin all of whose elements are minimal codewords. Theorem 4.8: Let C be a binary linear code with only even weights of codewords. Then the set Zmin can be chosen so that Zmin  M. 2016 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 Fig. 1. Proof: Let us assume that there is a codeword z 2 Z ; z 62 M and let y 2 E2n be a vector such that y 2 X (D(0)); y 2 D(z ). Since z is not minimal, there are nonzero vectors z 1 ; z 2 with disjoint supports such that z = z 1 + z 2 . Let wt (z ) = t wt (z 1 ) = t1 wt (z 2 ) = t2 : We want to show that if one of the vectors z 1 ; z 2 is farther from than z , then the other one is at most as far as z . By our assumptions, `1 + `2 = dist (0; y ) = t 2 +1 dist (z ; y ) = t 2 y 0 1: Let dist (z 2 ; y ) > dist (z ; y ). We then plug in our notation and perform straightforward computations using the Fig. 1 to find that dist (z 1 ; y )  t=2 0 1. Thus y 2 D(z ) and y 2 D(z 1 ), i.e., z and z 1 cannot both be in the set Zmin at the same time. Moreover, given a nonminimal code vector (z in our case) and a vector y 2 X (D(0)); y 2 D(z ), we can always cast it away so that the remaining subset of zero neighbors still satisfies condition (13). Therefore, Zmin can be chosen to be a subset of M. For more details and a general overview we refer to [4]. Remarks: i) Generally, not all zero neighbors are minimal. Indeed, consider the code f0000; 1100; 0011; 1111g. Then vector 0110 lies equally far from all the code vectors which proves that all nonzero code vectors are zero neighbors. However, the allone vector is not minimal. Looking at smallest sets of zero neighbors defined by (13) we easily see that z 2 Zmin implies wt (z )  2 (covering radius of C )01. Let C be a binary linear code such that its covering radius equals at most its minimum distance. For instance, long BCH codes are known to satisfy this. By Lemma 2.1, Part 3), in such codes any set Zmin is formed by minimal code vectors. ii) In view of Theorem 4.7, the set Zmin is in the general case unavoidable in gradient-like decoding methods. For this reason it is no surprise that in the case of arbitrary q the zeroneighbors algorithm is also applicable and leads to similar results [4]. Interestingly, minimal vectors do not always form a test set in q -ary linear codes. V. SECRET SHARING A general introduction to secret sharing schemes can be found for instance in Stinson’s survey article [21]. Some familiarity with this concept is helpful in reading this section. The relation to linear codes was observed in [17] and analyzed in [6]. In the context of secret-sharing schemes one coordinate of the code is associated with values of the secret information and the remaining n 0 1 coordinates are associated with users of a system of restricted access to the secret. Let H = khij k; 1  i  r; 1  j  n, be a matrix with entries from F q . Define a linear transformation : Eqm ! Eqn by (e) = eH; e 2 Eqm . Suppose the first coordinate of (e) carries the value of the secret. The remaining coordinates contain shares of information given to the n 0 1 users. It can be shown [6] that users corresponding to nonzero entries in (2 (e); 3 (e); 1 1 1 ; n01 (e)), putting their shares together, can uniquely reconstruct the secret. Each such group of users is called an authorized coalition. Any group of users that does not form an authorized coalition is called unauthorized. When e runs over Eqn , we obtain the entire set of authorized coalitions, called the access structure of the scheme. If no unauthorized coalition can obtain any a posteriori information of the secret value, the scheme is called perfect. A minimal authorized coalition is an authorized coalition that becomes unauthorized upon deletion of any of the users. The set of minimal authorized coalitions provides a complete description of a perfect secret-sharing scheme. Viewing H as a parity-check matrix of a linear code C , one can establish a one-to-one correspondence between minimal authorized coalitions and a subset of minimal supports in C . Theorem 5.1 [6], [17]: Let C be a linear secret-sharing scheme defined by a q -ary r 2 n matrix H and let C = ker H be an [n; n 0 r ] q-ary linear code. Then the set of minimal supports in C intersecting the first coordinate equals the set of minimal authorized coalitions in C . Moreover, the scheme is perfect. For some of the above examples it is easy to find minimal supports intersecting the first (or any other fixed) coordinate. Examples 1–3 (Continued): In the extended Golay code G24 a code vector is minimal if and only if its weight is 8 or 12. Since puncturing G24 in any coordinate we get G23 , the number of minimal vectors with a one in any fixed coordinate is the same. The same holds for binary intersecting codes, namely, the number of minimal vectors with a one in any fixed coordinate is jC j=2. The only minimal supports in an [n; k; d] MDS code are nd 01 intersect the first (or any fixed) supports of size d. Of them nd0 1 coordinate. For codes over Galois rings the situation is more complicated in the sense that some of the minimal supports characterize groups of users that can recover only a part of the secret. More specifically, let C be a “linear” code over GR (q m ; pm ) as discussed in Section III, and suppose we construct a linear secret-sharing scheme as above using the parity-check matrix of C to generate distribution rules. Suppose again that the first coordinate corresponds to the secret. Minimal authorized coalition in this case can reconstruct either a part of the secret or the secret in full, depending on the type of the corresponding minimal support. More precisely, the following is true. Theorem 5.2 [2], [3]: Let I = f1g [ I  [n] be a minimal support of type t in C such that there is a codeword c 2 C with supp (c) = I and c1 2 Nt . Then the users in I , taking their shares of information together, can reconstruct exactly m 0 t q -ary symbols of the secret. For instance, if C is a ZRM (1; 3) first-order Reed–Muller code, then M0 consists of a single set I = [n] and M1 is formed by 14 sets of size 8 (see Example 4). A half of them contain coordinate 1; therefore, there are seven groups of users that can reconstruct one of the two bits of the secret. Note that since the binary image of the ZRM (1; v ) code is Z 2 linear, this scheme can be realized by two linear schemes over Z 2 , one corresponding to the [8; 1; 8] repetition code and the other to IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 the [8; 4; 4] binary RM code. In both schemes, the number of bits in the secret (one) equals the number of bits in the information share of each participant. Such schemes are called ideal. One of the reviewers suggested that any scheme over Z 4 can be realized by two ideal (not necessarily linear) binary schemes, one responsible for sharing the first (say, less significant) bit of the secret and the other one the second bit. We conclude by showing that this is not true. The counterexample is furnished by the Nordstrom–Robinson code C of length 8 over Z 4 [11]. Suppose its first coordinate corresponds to the secret. Puncturing C in this coordinate, we get a cyclic code of length 7, whose type 0 supports are given by the vectors 1223233; 1013102; 1100123; 1033320 and their cyclic shifts. Minimal supports of type 0 are defined by the last three vectors. Thus minimal coalitions authorized to recover both bits of the secret correspond to supports of vectors 1013102; 1100123; 1033320 and those of their cyclic shifts that have 1 or 3 on the first coordinate. We shall show that this access structure cannot be realized by a binary ideal scheme. It is known [5], [19] that every binary ideal scheme is either linear or affine, i.e., corresponds to a binary linear code or to a binary affine code (a binary code is affine if the sum of any three code vectors is a code vector). Suppose that the minimal coalitions in this scheme correspond to minimal vectors (with a 1 in the first coordinate) of some binary linear or affine code, say A. In either case, the sum of any three code vectors should be again a code vector. On the other hand, it is immediate to observe that there are three vectors in A that sum up to a vector of weight 3. Since the size of all minimal authorized coalitions in the original system is 4, this proves that code A does not realize our access structure. We leave as an open problem to prove that every scheme corresponding to a Z 4 -linear code whose binary image is not Z 2 -linear cannot be represented by two binary ideal schemes. APPENDIX Steiner’s Original Problem [20]. Given two numbers k and v , k  v , construct a pair (X; B ), where X is a finite set and B a collection of its subsets, which satisfies the following conditions: i) jX j = v ; ii) B = kn=3 B(n) and jBi j = n for every Bi 2 B(n); iii) every pair (x; y )  X is contained in exactly one block of B(3); iv) every i-subset of X; 3  i  k 0 1; which does not contain a block of ij =3 B(j ), is contained in exactly one block of B(ii + 1); no block of B(i + 1) contains as subsets blocks of B(j ). j =3 ACKNOWLEDGMENT The short and nice geometric proof of Theorem 2.9 that now replaces our original (much longer) one with coordinate approach was suggested by Juriaan Simonis. REFERENCES [1] E. Agrell, “Voronoi regions for binary linear block codes,” IEEE Trans. Inform. Theory, vol. 42, pp. 310–316, 1996. [2] A. Ashikhmin and A. Barg, “Minimal vectors in linear codes and sharing of secrets,” Universität Bielefeld, SFB 343 Diskrete Strukturen in der Mathematik, preprint 94-113, 1994, available online at : : : = = . [3] A. Ashikhmin, A. Barg, G. Cohen, and L. Huguet, “Variations on minimal codewords in linear codes,” in Applied Algebra, Algebraic Algorithms and Error-Correcting Codes (AAECC-11) (Lecture Notes in Computer Science, vol. 948), G. Cohen, M. Giusti, and T. Mora, Eds. Berlin: Springer-Verlag, 1995, pp. 96–105. 2017 [4] A. Barg, “Complexity issues in coding theory,” in Handbook of Coding Theory, V. Pless and W. C. Huffman, Eds. Amsterdam, The Netherlands: Elsevier, to be published. [5] A. Beimel and B. Chor, “Universally ideal secret-sharing schemes,” IEEE Trans. Inform. Theory, vol. 40, pp. 786–794, 1994. [6] G. R. Blakley and G. A. Kabatianskii, “Linear algebra approach to secret sharing schemes,” in Error Control, Cryptology, and Speech Compression, Selected Papers from Int. Workshop Information Protection (Lecture Notes in Computer Science, vol. 829). Berlin, Germany: Springer-Verlag, 1994, pp. 33–40. [7] Y. Borissov and N. Manev, “On the minimal words of the primitive BCH codes,” in Proc. Int. Workshop Algebraic and Combinatorial Coding Theory (ACCT-5) (Sozopol, Bulgaria, June 1996), pp. 59–65. [8] G. D. Cohen and A. Lempel, “Linear intersecting codes,” Discr. Math., vol. 56, pp. 35–43, 1984. [9] S. Dodunekov and I. Landgev, “On near-MDS codes,” J. Geom., vol. 54, no. 1–2, pp. 30–43, 1995. [10] R. G. Gallager, Low-Density Parity-Check Codes. Cambridge, MA: MIT Press, 1963. [11] A. R. Hammons, P. V. Kumar, A. R. Calderbank, N. J. A. Sloane, and P. Solé, “The Z 4 -linearity of Kerdock, Preparata, Goethals, and related codes,” IEEE Trans. Inform. Theory, vol. 40, pp. 301–319, Mar. 1994. [12] H. Hanani, “On the original Steiner systems,” Discr. Math., vol. 51, pp. 309–310, 1984. [13] G. H. Hardy and E. M. Wright, Introduction to the Theory of Numbers. Oxford, U.K.: Oxford Univ. Press, 1960. [14] T.-Y. Hwang, “Decoding linear block codes for minimizing word error rate,” IEEE Trans. Inform. Theory, vol. IT-25, pp. 733–737, Nov. 1979. [15] L. Levitin and C. R. P. Hartmann, “A new approach to the general minimum distance decoding problem: The zero-neighbors algorithm,” IEEE Trans. Inform. Theory, vol. IT-31, pp. 378–384, May 1985. [16] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes. Amsterdam, The Netherlands: North-Holland, 1977. [17] J. Massey, “Minimal codewords and secret sharing,” in Proc. 6th Joint Swedish–Russian Workshop on Information Theory (Mölle, Sweden, 1993), pp. 246–249. [18] A. A. Nechaev, “The Kerdock code in a cyclic form,” Diskr. Mat., vol. 1, no. 4, pp. 123–139, 1989. English translation in Discr. Math. Appl., vol. 1, pp. 365–384, 1991. [19] J. Simonis and A. Ashikhmin, “Almost affine codes,” Des., Codes Cryptogr., vol. 14, pp. 179–197, 1998. [20] J. Steiner, “Combinatorische Aufgabe,” J. Reine Angew. Math., vol. 45, pp. 181–182, 1853. [21] D. R. Stinson, “An explication of secret sharing schemes,” Des., Codes Cryptogr., vol. 2, no. 4, pp. 357–390, 1992.