IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. which approachesone uniformly on .H2 as n increasesfor any a.o. p, since H(Q) 2 2. The sameprocedure is used for &‘,, but the sequenceis . * - + p(h(j,,j,))p(h(k,,k,)) -+ KL.LMhk,) 203 IT-21, NO. 2, MARCH 1975 **. so that the 2” integersmapped by h” are always drawn from the same distribution (Q, or Q,). Using this encoding on the rows of the array in Fig. I, sending representationsof 2” runs of zerosand 2” runs of onesfrom eachrow, and using the appropriate marker-moving algorithm gives an a.o. sequenceof universal codes for SZZ~, A, and JZ’. REFERENCES [l] L. D. Davisson, “Universal noiseless coding,” IEEE Trans. Inform. Theory, vol. IT-19 pp. 783-795, Nov. 1973. [2] P. Elias, “Predictive codmg,” IRE Trans. Inform. Theory, vol. IT-l, pp. 16-33, esp. pp. 30-33, Mar. 1955. [3] -, “The efficient construction of an unbiased random sequence,” Ann. Math. Statist., vol. 43, pp. 865-870, 1972. [4] :, “Efficient storage and retrieval by content and address of stattc files,” J. Ass. Comput. Mach., vol. 21, pp. 246-260, 1974. [51 -, “Minimum times and memories needed to compute the values of a function,” J. Comput. Syst. Sci., Oct. 1974. 161R. A. Flower, “Computer updating of a data structure,” Research Lab. Electron., M.I.T., Cambridge, Mass., Quart. Progress Rep. 110, pp. 147-154., July 15, 1973. 171 R. W. Floyd, “Permuting information in idealized two-level storage,” in Complexity of Computer Computations, Miller, Thatcher and Bohlinaer, - Eds. New York: Plenum. 1972., DD. __ 105-109. 181S. W. Golomb, “Run-length encodings,” IEEE Trans. Inform. Theory (Corresp.), vol. IT-12, pp. 399-401, July 1966. “A class of probability distributions on the integers,” J. Number Theory, vol. 2, pp. 189-192, 1970. [lOI R. G. Gallager, Information Theory and Reliable Communication. New York: Wtley, 1968. -, personal communication. :::3 D. E. Knuth, The Art of Computer Programming, vol. 3. Reading, Mass. : Addrson-Wesley, 1973, esp. pp. 181-218. 1131 A. Kohavi, Switching and Finite Automata Theory. New York: McGraw-Hill, 1970, esp. ch. 16. [I41 M. Minsky and S. Papert, Perceptrons. Cambridge, Mass.: M.I.T. Press, 1969, esp. pp. 215-226. r151C. E. Shannon and W. Weaver, The Mathematical Theory of Communication. Urbana, Ill.: University of Illinois Press, 1949, esp. p. 64. T. Welch, “Bounds on information retrieval efficiency in static 1161 file structures,” M.I.T., Cambridge, Mass., MAC TR-88, Project [91 -, MAC. 1971. P71 A. D. Wyner, “An upper bound on the entropy series,” Inform. [18] cot{r., vol. 20, pp. 176181, 1972. K. Karp, personal commumcatton. The Algebraic Decoding of Goppa Codes N. J. PATTERSON Abstract-An interesting class of linear error-correcting codes has been found by Goppa [3], [4]. This paper presents algebraic decoding algorithms for the Goppa codes. These algorithms are only a little more complex than Berlekamp’s well-known algorithm for BCH codes and, in fact, make essential use of his procedure. Hence the cost of decoding a Goppa code is similar to the cost of decoding a BCH code of comparable block length. Let C be a codeword and R the receivedword, so that the error vector E is given by R=C+E so that CAL3 YSLX -y I. INTRODUCTION z C A mod g(x). ET K be the finite field GF(q”). Let J be the finite ysLX - y field GP(q). Let g(x) be a polynomial of degreen 2 1 with coefficients in K, and let L be a subset of K with the It is natural then to define the syndrome S(X) as the polyproperty that no element of L is a root of g. We define a nomial of degreelessthan n such that Goppa code 9 with Goppa polynomial g and symbol field J S(x) E c -!f% mod g(x). (2) as follows. It is convenient to index the coordinates of Y yeLX y by L. Then C is a codeword of 9, if and only if We define 4x) = y;L 0 - Y) +?2- z 0 mod g(x). L yeLX - y Manuscript received January 22, 1974; revised October 20, 1974. The author is with the Government Communications Headquarters, Cheltenham, England. E,#O (thus deg G = number of errors), and we define V(X) of degreelessthan n by q(x) = a(x)S(x) mod g(x). (3) 204 IEEE TRANSACTIONS THEORY, MARCH 1975 get p 1g. Supposep 1$, thenp 10. Now B/p is a polynomial ;1of least degree satisfying Now 9 ii) V(Y) = E, 6& (Y - 6) = Ey64 . deg fA mod g/p I deg (g/p) - r - 1. x I 9. Ea#O d#Y E, = g) deg 2 I r - degp So by our choice of g we get 0/p 1$1~ whence 8 I $. So we can assume that gcd (0,w) = a, say, is coprime to II/. Let gcd (a,g) = c(~, then a = cc,a,. Let f0 = o + pg. We get a, 1p, and our choice of 0 implies CI~= I, whence Now, if Ey # 0, we get whence ON INFORMATION (4) So knowledge of d and rl determines E. We are thus led to the following problem. Given polynomials f and g over a finite field K with g having degreen > 1 and f not divisible by g, find a solution to fo = o mod g with deg c and deg o “small.” An algorithm to solve this problem implies a decoding algorithm for the Goppa codes. Berlekamp [2] has given an elegant and economical solution for the caseg(x) = x”. We reduce our problem to this case so that we can use Berlekamp’s procedure. II. PRELIMINARIES Theorem 1: Let r be an integer, 0 I r < n. Let 8 = a&, o = MU’, and g = ccg’. By (5) 04 = rl/w, or 0’4 = o’$ whence 0’ 1+. Set $ = fit?, hence, 4 = PO’. CIand p are coprime. Now let PO= gcd @,g), /I = BPpl. Then f~oj?lO’ = /30plw’ + Ag, for some polynomial 2. Hencefjlot.9’E Bow’mod g. CIJ’ POso since$ was chosen of smallest degree subject to 0 $ $, we get PO= ,8 or /3I g. Let g = afig”. Now f0’ - o’ = 0 mod /?g” and mod ag”. Hence fe’ - W’ 3 0 mod apg”, or ftl’ 3 o’ mod g. This contradicts the choice of 0 and proves c), completing the proof of Theorem 1. The reader should not assumethat the minimal 0 shown to exist by c) has the property that ffl mod g is coprime to 0. Take for example g(x) = x4, f(x) = 1 + x3, r = 1. Then 0 = x, o = x is obviously the choice we need for c). The polynomials given by Theorem 1 can in fact be found by Euclid’s algorithm [S]. We now take r = [n/2], so n - r - 1 = [(n - 1)/2], and wish to compute 8, satisfying i) and ii). By [l] this is the crucial step in giving an Z-error correcting algorithm for a Goppa code with Goppa polynomial of degree 21. a) There exists a manic polynomial 8, # 0 such that i) deg 0, I r ii)f0, = w,modganddego, I IZ- r - 1. b) If a,~ are coprime polynomials and deg 0 I r, III. THE CASEg(x) = x” deg 11< n - r - 1 with fa E q mod g, then rr In essence we use Berlekamp’s well-known algorithm divides 8,. c) Choose 8 of smallest possible degree satisfying i) and for decoding BCH codes [2, sec. 7.41. Berlekamp in [2] assumesf (0) = 1, which sufficesfor his purposes; we cannot ii), then 8 divides 8,. make this assumption, but the algorithm needs only minor Proof: Let A(x) = a, + a,x + * . . + a,x’ be a poly- changes. It seems worthwhile to give an exposition here, nomial of degree r over K[a,, * * *,a,], the field K extended following Berlekamp very closely. by r + 1 indeterminates {ai}o~i~r. Requiring deg (A(x) . Let f(x) mod g(x)) I n - r - 1 imposes r linear constraints d-l on the r + 1 indeterminates. Thus this system of r linear f(x) = go w’. equations in r + 1 unknowns has a nonzero solution in K. This proves a). Without loss of generality we take the first nonzero coefficient Suppose f0 = o mod g and ftl* E o* mod g, where offtobeone.Thatis,ai = 0,O I i < k - 1,~ = 1. 8,8* satisfy i) and ii). Then 6*o = o*8 mod g. As deg 8*w Algorithm 1 (Berlekump): If a, = 1, define o. = 1, and deg o*8 are less than deg g, we get z. = 1, w. = 1, y. = 0, B(O) = 0, B(0) = 0. If a, = 0, e*0 = o*e. (5) define co = 1, z. = 1, o. = 0, y. = - 1, D(O) = 0, B(0) = 1. Thereafter proceed recursively, for 0 I k I n - 2. Define Ak to be the coefficient of xk+’ in fake Set If 0*,w* are coprime then 8* divides 8 proving b). Now suppose c) is false. Choose g and r so that deg g A,xZ,. is as small as possible while contravening c). Let 8 # 0 gk+t = uk be of smallest degreesatisfying i) and ii). Let ftl = o mod g. #k+ I = *k AkxYk. Since c) is false, there exists II/ so that fi) = 4 mod g; deg If A, = 0, or if D(k) > (k + 1)/2, or if both D(k) = 8,deg$ I r;dego,deg4 I n - r - l;while8doesnot (k + 1)/2 and B(k) = 0, set divide $. We choose $ of smallest possible degree, subject to our choice of 0 and g. D(k‘ + 1) = D(k) By b), 0 and o are not coprime. Let p(x) be an irreducible B(k + 1) = B(k) polynomial dividing 8 and o. By minimality of deg 8 we PATTERSON : ALGEBRAIC DECODING OF GGPPA 205 CODES Theorem 4 (Berlekump [2]): Suppose cr,w are coprime polynomials and o(O) = 1,fo E o mod xk, deg rs I [k/2], and deg o 5 [(k - 1)/2]. Then (r = crk-r, o = &-1. and zk+l = xzk Yk+l = kYk; Proof: We use Theorem 3. By (7) we find otherwise, set D(k + 1) = k + 1 - D(k) k - 1 < deg(r,-,o - ey&-1) B(k + 1) = 1 - B(k) I max -k-l+k 2 Ok Ok+1 = - 1 - D(k - l), Ak k 5 Y&+1 = +k - 1 - D(k - 1) > F* c&l+;- k D(k - 1). Theorem 2 (Berlekump [2]): a) ok(O)= 1 b) fgr, = ok + Therefore mod Xk+2 AkXk+l D(k - 1) < ;. c) fzk = yk + xk mod xk+l d) deg ck I D(k) e) deg rk 5 k - D(k) f) deg ok I D(k) - B(k) g) deg yk I k - D(k) - (1 - B(k)) h) e,ktk - a,,,$ = xk. Proof: a)-g) are all readily proved by induction on k, noting that the initial conditions are chosen to make the theorem true at k = 0. To prove h), from b) and c) we find OkZk - ukyk = ukxkmod xk+ r E xk mod xk+’ where the last congruencefollows from a). Now deg &rk I k by e), f); deg fr&yk5 k by d), g). Hence the result. Theorem 3 (Berlekump [2, sec. 7.431): Let 6,~ be any pair of polynomials that satisfy o(0) = 1,fa 3 comod xk”’ ‘. Let D = max (deg g, deg o). Then there exist polynomials U and V such that 1) 2) 3) 4) 5) 6) Also D(k - 1) = k/2 implies degyk- 1 = k - 1 - D(k - 1) whence B(k - 1) = 1 by Theorem 2 g). Thus we obtain deg CT,-1 I k/2 and deg wk- 1 I (k - 1)/2. Now it follows that deg (ck- 1o - c+-lc) < k, and, using (6), that V = 0. So d = &k- 1, w = &&. 1. As g’,o are coprime, this proves Theorem 4. Theorem 5 (Berlekump [2]): a) if B(k) = 0, then deg rk = deg ok = b) if B(k) = 1, then deg yk = deg o, = Proof: By Theorem2 h) mkrk - flkyk = xk. If B(k) = 0, then degokyk5 k - 1 so dego,z, = k. Now, using Theorem 2 e), f), we get part a). If B(k) = 1, then deg r&q‘ I k - 1 so deg crkyk= k. Now, using Theorem 2 d), g), we get part b). fa E o mod x”, where deg c I Supposed = G&J*, where o*(O) = 1. So o = x’w*. Then co = Uo, + Vyk. Proof: fo = comod xk+ ’ ; fck G ok mod xk+l Theorem 2 b). So orrk - okg mod xk+’ or where V(0) = 0 by 1) fs* = a,-,-,; 2) co* = co,-,-I; 3) if B(n - a - 1) = 1, then D(n - a - 1) < [n/2] - a, while if B(n - a - 1) = 0, then D(n - a - 1) I Lln - lIPI (6) Ykb = x”‘%x>, where U(0) = 1 - a; 4) if a > 0, then ~~-~-r # CJ~-~and fo # o mod x”+l. Proof: Clearly c* and o* are coprime and anddegVID+max(dego,,dego,)-kID+D(k)-k by Theorem 2. Similarly, zkw = cr(yk+ xk) mod x“+’ or Tkm- k - D(k) D(k); k - D(k) D(k). Theorem 6: Let (r be a polynomial of least degreesuchthat n/2, deg o I (n - 1)/2. U(0) = 1 V(0) = 0 deg U I D - D(k) deg V I D - (k - D(k)) d = uu, + VT, ckw - mk(T= -x”v(x), (10) fo* E co*mod x”-” (7) and deg U I D + max (deg rk, deg yk) - k I D - D(k) by Theorem 2. By (6), (7) &$uk - $yk) = xk(%, + Vrk). By Theorem 2 h), 0 = UC, + VT,. (8) Similarly 0 = uw, + vy,. (9) This completes the proof of Theorem 3. and deg cr* I deg w* I [I [ 1 4 - o 5 !!$? n-l 2 -U_< n-u-l 2 - (11) By Theorem 4, (r* = o,-,-~ and w* = o,,-,-~, proving 1) and 2). 3) follows at once from (11) and Theorem 5. Finally, if a > 0, then fxaelo* $ x”-‘co* mod x”, or 206 IEEE TRANSACTIONS ON INFORMATION THEORY, MARCH 1975 fa* + co* mod a?‘-‘+‘. This shows a,-,-, Algorithm 3 : # a,,-,,, prov1) For 0 I i < n - 1, let a, be the coefficient of 9-l ing 4). This yields an algorithm to determine cr # 0 of least in xif (x) mod g. 2) Leth(y) = a, + u,y + *** + ~~-~y”-‘. degree such that fo = o mod x”, deg a I [n/2], and Case A-n ever1: Use Algorithm 2 to find a’,o’,N such deg w I [(n - 1)/2]. o is unique (up to multiplication by a field element) by Theorem 1. We suppose rr = Xaa*, that deg (r’ I n/2, deg o’ I [(n - 1)/2] = n/2 - 1, and h(y)a’(y) - w’(y) mod j’, where where e*(O) = 1. Let N = max (deg a, (deg o) + 1). N = max (deg B’, (deg o’) + 1). Algorithm 2: We proceed exactly as in Algorithm 1, Case B-n odd: Use Algorithm 2 to find a’,o’,N such that except that at each iteration, if Ak # 0 and deg cr’ 5 (n - 1)/2, deg o’ I [(n - 2)/2] = (n - 1)/2 - 1, and h(y)o’(y) = o’(y) mod y”-‘, where N = max (deg CJ’,(deg w’) + 1). 3) Suppose 0’ = co + c,y + . . . + cry’, r I N. Then set c = cOxN+ *a* + cfl-” and w = fa mod g. ifB(k-l)=landD(k-l)Ik-[%1-l)) then set d = y-k+l, i%= ,?-kc&l, R = n - k + Proof sf Algorithm 3: It is convenient here to introduce D(k - 1) + 1 - B(k - l), and terminate. If we compute the ring R[x] of all formal power seriesCg _ m uixi (where without terminating, then set ~7= an- 1, a, are coefficients in our field K) in which ai = 0, for every aoPt,’ * .,0,-l 6 = 0,-l, R = D(n - 1) + 1 - B(n - 1). i > 0 with at most a finite number of exceptions. Addition and multiplication in R[x] are defined in the obvious way. Theorem 7: Observethat K[x], the ring of polynomials in x, is embedded 1) a=5 in R[x] in a natural manner. 2)o=cl, Theorem 8: Let a, B E R[x] be polynomials in x. Let 3) R = max (deg cr, (deg w) + 1). deg jI = n. Let a = qp + r, where r is a polynomial of Proof: Suppose our algorithm has computed go, degree <n. Suppose r # 0. Let without terminating. Then by Theorem 6 CJl,’ * ‘,0,-l (setting a = n - k), we find CJ= a,,- 1 = d and I), 2) M(X) = g(X) + 2 biXmi B(x) i=l follow. So we may assumed = ~“-~a,-,, for some k -c n. ( 1 Then deg ok- 1 5 [k/2], deg ok- 1 I [(k - 1)/2]. Hence where g(x) is a polynomial in x. If b, = b, = . . . = by Theorem 4, ok- 1 and wk- 1 are coprime. By Theorem 1 b, = 0 and bsfl # 0, then degr = n - s - 1. a I d. Let C?(X)= a(x)+(x), G(x) = w(x)$(x), hence, e(x) = Proof: For a 2 0, let x%(x) = qa(x)p(x) + m(x), xc, for some c I n - k. c 2 1 implies where deg r, -C n. Then fcMx>w> -= 4+m) mod x” X’M(X) = q”(X)X” + ~ bjx”-’ + ~ bi+,x-i p(X). x x i=l j=l or f (x)8(x) - G(x) mod x”+‘, whence f(x)ck-l(x) = mk-l(x) Let mod xk+‘. q*(X) = 4”(X)Xn + ~ bjx’-’ j=l This implies Ak = 0, contradicting the algorithm. So c = 0, whence a = 6. This proves 1) and 2). By Theorem 5, max (deg or, (deg 0,) + 1) = D(r) + 1 - B(r); 3) is an immediate consequence. IV. GENERALS We now make no assumptions on g. We wish to solve the equation f (x)g(x) E o(x) mod g(x). The idea is to load f into a feedback shift register wired to multiply by x mod g(x). We next compute a polynomial f’ whose coefficients are given by the successivevalues of a particular cell of the register. Algorithm 2 is now used to solve f’(y)a’(y) z o’(v) mod y”. It then turns out that for a suitable choice of i, a(x) = xio’(x- ‘) gives us the answer we require. Here then is an algorithm to compute the (r of least degree such that fa E o mod g, deg a I [n/2], -. - deg o I C<n- WI. for a 2 1. q* is a polynomial in x. Then (qa - q*)/3 + ( r, - /I i bi+,xvi = 0. i=l Now comparing coefficients of xk for k 2 n we get qa‘q* = 0, or r, = p Cg1 bi+,xmi. So comparing the coefficient of x”-r, we get that bn+ l is the coefficient of x”-’ in r, = x% mod j?. Theorem 8 is now obvious. We return to Algorithm 3 f(x) = ((u,x-l + u1x-2 + . * * + a,-,x-y + b,x-(“+‘I + * * *)g(x) where bn,b,+l,* * * are elementsof K. Substituting x-l for y in 2) of Algorithm 3 yields (a, + u,x-’ + *. . + u”-lx-(“-‘))o’(x-‘) 3 o’(x-l) mod xwM PATTERSON: ALGEBRAIC DECODING OF GOPPA 207 CODES where M = n if n is even, M = n - 1 if II is odd. Hence where (r’ is the formal derivative of cr. For simplicity, we assumeg is irreducible. (12) has a unique solution with f(x)a’(x-1) = (x-la’(x-l)(uo + qx-l + * * * deg Q < deg g and e,e’ coprime (or a square free). Now a = c? + x/?‘, where deg a < (n - 1)/2, deg fi < + a,-,x-(“-l)) + b”x-(“+l) + - * *)g(x) n/2. Sinceg is irreducible, f is coprime to g, whence there = (x-lw’(x-1) exists h such that f(x)h(x) = 1 mod g(x). So f(a” + x/l’) E /I2 mod g whence + X-+ydo + dlx-l + ** *))g(x) where the di are some elements of K whose value is not important. Multiplying by xN we get, setting a(x) = flo’(x-‘) and noting that N = max (deg rY, (deg o’) + l), f(x>W = (44 + x -(“+l-N)(do + d,x-l + * * *))g(x) (h + x)/?” 2 cc2mod g. (13) If h(x) = x, then fx E 1 mod g, whence (r = x is the solution. Otherwise, there exists a unique nonzero polynomial (mod g), d say, such that d2 = (h + x) mod g. Now from (13), d2j?’ z a2 mod g. So dB = CY mod g. This gives us an algorithm for a. where n(x) is a polynomial in x. Hence by Theorem 8, o =fomodghasdegree In - 1 - (M - N) = N - 1, Algorithm 4: if n is even and N, if n is odd. Hence we get deg B I N, 1) Find h such that fh = 1 mod g (see, for example, anddegw I N - 1, if n is evenand deg w I N, if n is odd. [2, sec. 2.31). If h(x) = x, set e = x and terminate. By Algorithm 3, N I n/2, if n is even and N I (n - 1)/2, 2) Calculate d such that d2 = (h + x) mod g. (Note if n is odd. Hence deg (r < [n/2], deg w 5 [(n - 1)/2], that d -+ d2 mod g is a linear transformation, T say. If as asserted. we are going to carry out this procedure many times, it is Reversing the steps of the preceding proof, it may be perhaps best to store T- ’ in matrix form since d = shown that our algorithm yields the unique polynomial T-‘(h + x).) (up to multiplication by a field element) with the required 3) Using Algorithm 3, find CI and j? with /? of least properties. degreesuch that dp = c(mod g with deg /? I n/2, deg c1< Remarks: (n - 1)/2. 1) Implementation of this algorithm is hardly more 4) Set (T= xj2 + ~1~; difficult than for a BCH decoder using Berlekamp’s Algorithm 4, with [l], yields a t-error-correcting algoalgorithm. rithm for the binary Goppa codewith Goppa polynomial of 2) Berlekamp’s Algorithm 1 requires a,,,~,, * * . sequentidegreet. ally, so if convenient each a, can be fed immediately upon ACKNOWLEDGMENT calculation to a decoder carrying out Algorithm 1. 3) In practice there is no need to compute the Wi and yi I should like to thank J. C. Cock and Dr. G. H. Toulmin of Algorithm 1. for very helpful suggestions. Algorithm 3 together with [l] gives a simple algebraic t-error-correcting procedure for a Goppa code with Goppa REFERENCES polynomial of degree2t. [l] E. R. Berlekamp, “Goppa codes,” IEEE Trans. Znform. Theory, V. BINARY GOPPA CODES Let K = GF(2m), In this case, the key equation for the Goppa code over GF(2) with location field K and Goppa polynomial g becomes fa E o’modg (12) vol. IT-19, pp. 590-592. Sept. 1973. [2] -, Algebraic Coding Theory. New York: McGraw-Hill, 1968. [3] V. D. Goppa, “A new class of linear error-correcting codes,” Probl. Peredach. Znfbrm., vol. 6, pp. 24-30, Sept. 1970. [4] -, “Rational representation of codes and (L,g) codes,” Probl. Peredach. Inform., vol. 7, pp. 41-49, Sept. 1971. [5] Y. Sugiyama, M. Kasahara, S. Hirasawa, and T. Namekawa, “A method for solving the key equation for decoding Goppa codes,” presented at the IEEE Int. Symp. Information Theory, Notre Dame, Ind., Oct. 27-31, 1974.