understanding binary-goppa decoding

Understanding binary-Goppa decoding

Daniel J Bernstein123

1 Department of Computer Science University of Illinois at Chicago USA2 Horst Goumlrtz Institute for IT Security Ruhr University Bochum Germany

3 Research Center for Information Technology Innovation Academia Sinica Taipeidjbcrypto

Abstract This paper reviews from bottom to top a polynomial-timealgorithm to correct t errors in classical binary Goppa codes defined bysquarefree degree-t polynomials The proof is factored through a proofof a simple ReedndashSolomon decoder and the algorithm is simpler thanPattersonrsquos algorithm All algorithm layers are expressed as Sage scriptsThe paper also covers the use of decoding inside the Classic McEliececryptosystem including reliable recognition of valid inputs

1 Introduction

This paper is aimed at a reader who

bull is interested in how ciphertexts are decrypted in the McEliece cryptosystembull has arrived at a mysterious-sounding ldquoGoppa decodingrdquo subroutine andbull wants to understand how this works without taking a coding-theory course

A busy reader can jump straight to Algorithm 62 and Theorem 64 for a conciseanswer highlighting the main mathematical objects inside the decoding process

In more detail The cryptosystem uses a large family of subspaces of the vectorspace Fn

2 namely ldquoclassical binary Goppa codesrdquo defined by squarefree degree-tpolynomials This paper reviews a simple polynomial-time ldquot-error-correctionrdquoalgorithm for these codes an algorithm that recovers a vector c in a specifiedsubspace given a vector that agrees with c on at least nminust positions Componentsof the algorithm are introduced in a bottom-up order Sections 3 4 5 and 6present respectively ldquointerpolationrdquo finding ldquoapproximantsrdquo interpolation witherrors (ldquoReedndashSolomon decodingrdquo) and Goppa decoding

11 Hasnrsquot this been done alreadyGoppa codes are more than 50 years oldThere are many descriptions of Goppa decoders in the literature Self-contained

This work was funded by the Intel Crypto Frontiers Research Center by the DeutscheForschungsgemeinschaft (DFG German Research Foundation) as part of the Excel-lence Strategy of the German Federal and State GovernmentsmdashEXC 2092 CASAmdash390781972 ldquoCyber Security in the Age of Large-Scale Adversariesrdquo by the US Na-tional Science Foundation under grant 2037867 and by the Cisco University ResearchProgram ldquoAny opinions findings and conclusions or recommendations expressed inthis material are those of the author(s) and do not necessarily reflect the views ofthe National Science Foundationrdquo (or other funding agencies) Permanent ID of thisdocument 8561e73dab75d01a6dd6bf542594ddac03cdbe6e Date 20220320

2 Daniel J Bernstein

descriptions appear in eg van Tilborgrsquos coding-theory textbook [77 Section45 ldquoA decoding algorithmrdquo] a PreneelndashBosselaersndashGovaertsndashVandewalle paperon a software implementation of the McEliece cryptosystem [67 Section 53] aGhoshndashVerbauwhede paper on a constant-time hardware implementation of thecryptosystem [42 Algorithm 3] and the OverbeckndashSendrier survey of code-basedcryptography [61 pages 139ndash140]

All of these sourcesmdashand many moremdashare describing an algorithm introducedby Patterson [64 Section V] to correct t errors for binary Goppa codes definedby squarefree degree-t polynomials McEliecersquos paper introducing the McEliececryptosystem [56] had also pointed to Pattersonrsquos algorithm

However Pattersonrsquos algorithm isnrsquot the simplest fast binary-Goppa decoderA side issue here is that there are tradeoffs between simplicity and the numberof errors corrected (which in turn influences the required McEliece key size) asthe following variations illustrate

bull Pattersonrsquos paper contained a simpler algorithm to correct bt2c errorsbull More complicated ldquolist decodingrdquo algorithms starting with Sudan [74] and

GuruswamindashSudan [45] correct slightly more than t errors

But letrsquos focus on fast algorithms to correct exactly the t errors traditionally usedin the McEliece cryptosystem The main issue is that within these algorithmsPattersonrsquos algorithm isnrsquot the simplest

Goppa had already pointed out in the first paper on Goppa codes [43 Section4] that a binary Goppa code defined by a squarefree degree-t polynomial g isalso defined by g2 The problem of correcting t errors in the code defined by g2immediately reduces to the problem of polynomial interpolation with t errorsie ReedndashSolomon decoding The resulting binary-Goppa decoder is simplerthan Pattersonrsquos

The benefits of simplicity go beyond general accessibility of the topic softwarefor simpler algorithms tends to be easier to optimize easier to protect againsttiming attacks and easier to test It isnrsquot a coincidence that the same simplestructure is used in the state-of-the-art McEliece software from BernsteinndashChoundashSchwabe [14] Chou [30] and ChenndashChou [28] This software eliminates data-dependent timing and at the same time includes many speedups in subroutinesAvoiding Pattersonrsquos algorithm also seems likely to help for formal verificationof software correctness a top challenge for post-quantum cryptography today

Maybe someday software for Pattersonrsquos algorithm will catch up in these otherfeatures and maybe it will bring further speedupsmdashor maybe not Pattersonrsquosalgorithm uses degree t instead of degree 2t for some computations but it alsoincludes extra computations such as inversion modulo g the literature doesnot make clear whether the speedups outweigh the slowdowns Also even ifPattersonrsquos algorithm ends up faster surely there will be applications wheresimplicity is more important Having only Pattersonrsquos algorithm brings to mindKnuthrsquos quote [49 page 268] that ldquopremature optimization is the root of all evilrdquo

For an audience familiar with coding theory it suffices to say ldquothe Goppacode for g is the same as the Goppa code for g2 now use your favorite ReedndashSolomon decoder as an alternant decoderrdquo (essentially as in [15 Section 5] which

Understanding binary-Goppa decoding 3

also generalizes from F2 to Fq) For a broader audience one can reduce to theprevious sentence by saying ldquoTake the following course on coding theoryrdquo Butitrsquos more efficient for the audience to take a minicourse focusing on this type ofdecodermdashand I havenrsquot found any such minicourse in the literature

To summarize this paper is a general-audience introduction to a simple t-errordecoder for binary Goppa codes defined by squarefree degree-t polynomials withthe proof factored through a proof of a t-error ReedndashSolomon decoder

12 Bonus features This paper systematically presents each algorithm layerin two forms a theorem with a full proof (Theorems 31 41 54 and 64) andan algorithm statement (Algorithms 33 44 53 and 62)

Each algorithm layer is presented as a script in the Sage [76] mathematicssystem rather than as pseudocode The scripts use Sagersquos built-in support forfields matrices and polynomials The scripts do not use Sagersquos functions forinterpolation (lagrange_polynomial) the BerlekampndashMassey algorithm etc

As context Section 8 explains how the Classic McEliece cryptosystem usesa Goppa decoder In this context it is important to reliably recognize invalidciphertexts Most descriptions of decoders in the literature simply assume thatthe input vector has at most t errors but for cryptography one has to verify theinput vector This paper includes various efficient characterizations of vectorshaving at most t errors (Theorems 55 65 and 74) and an analysis of safeoptions for recognizing valid ciphertexts (Sections 83 and 84)

Finally this paper includes extensive pointers to the literature primarily togive appropriate credit but also to point the reader to further material explaininghow to turn this algorithm into todayrsquos state-of-the-art software

13 Acknowledgments Thanks to Tanja Lange and Alex Pellegrini for theircomments

2 Polynomials

This section reviews the definition of the polynomial ring k[x] over a field k andthe necessary properties of polynomials

21 Commutative rings A commutative ring is a set R with elements0 1 isin R a unary operation minus Rrarr R and binary operations + middot RtimesRrarr Rsatisfying the identities r + s = s + r r + (s + t) = (r + s) + t r + (minusr) = 00 + r = r r middot s = s middot r r middot (s middot t) = (r middot s) middot t r middot (s+ t) = (r middot s) + (r middot t) 1 middot r = r

These identities imply all of the identities satisfied by Z the set of integerswith its usual 0 1minus+ middot

Normally r middot s is abbreviated rs and r + (minuss) is abbreviated r minus s

22 Ring morphisms A ring morphism from R to S where R and Sare commutative rings is a function from R to S preserving 0 1minus+ middot iea function ϕ R rarr S with ϕ(0) = 0 ϕ(1) = 1 ϕ(minusr) = minusϕ(r) ϕ(r + s) =ϕ(r) + ϕ(s) and ϕ(rs) = ϕ(r)ϕ(s)


This is the universal-algebra definition of a ring morphism This is equivalentto a shorter definition that omits the conditions ϕ(0) = 0 and ϕ(minusr) = minusϕ(r)

A ring morphism maps every 0 1minus+ middot formula in the inputs to the sameformula in the outputs eg ϕ(r+st) = ϕ(r)+ϕ(s)ϕ(t) and ϕ(

sumi ri) =

sumi ϕ(ri)

23 Multiples Let R be a commutative ring The notation uR for u isin Rmeans the set uq q isin R The notation uR + vR for u v isin R means the setuq + vr q r isin R24 Units The notation Rlowast means u isin R 1 isin uR ie u isin Rlowast exactly whensome v isin R satisfies uv = 1 The elements of Rlowast are called the units of R

25 Fields One calls R a field if Rlowast = u isin R u 6= 0 In other words anelement of a field is a unit and if only if it is nonzero

For example the set 0 1 with minus+ middot defined as arithmetic modulo 2 is afield denoted F2 As another example the set Q of rational numbers with itsusual 0 1minus+ middot is a field

26 Vector spaces Let k be a field A k-vector space is a set V with anelement 0 a unary operation minus a binary operation + and for each α isin k aunary operation v 7rarr α middot v such that v + w = w + v u+ (v + w) = (u+ v) + w0+ v = v v+(minusv) = 0 1 middot v = v α middot (v+w) = α middot v+α middotw (αβ) middot v = α middot (β middot v)and (α+ β) middot v = (α middot v) + (β middot v) for all u v w isin V and α β isin k27 The standard n-dimensional vector space Let n be a nonnegative in-teger The set kn = (v0 v1 vnminus1) v0 v1 vnminus1 isin k is a k-vector spaceunder the following operations

bull 0 is (0 0 0)bull minus(v0 v1 vnminus1) is (minusv0minusv1 minusvnminus1)bull (v0 v1 vnminus1)+(w0 w1 wnminus1) is (v0+w0 v1+w1 vnminus1+wnminus1)bull α middot (v0 v1 vnminus1) is (αv0 αv1 αvnminus1)

28 Linear maps Let k be a field and let VW be k-vector spaces A k-linear map from V to W is a function from V to W preserving 0minus+ middot iea function ϕ satisfying ϕ(0) = 0 ϕ(minusv) = minusϕ(v) ϕ(u+ v) = ϕ(u) + ϕ(v) andϕ(α middot v) = α middot ϕ(v) for all u v isin V and all α isin k

This is the universal-algebra definition of a k-linear map as a k-vector-spacemorphism This is equivalent to a shorter definition that omits the conditionsϕ(0) = 0 and ϕ(minusv) = minusϕ(v)

If nm isin Z with n gt m ge 0 then any k-linear map from kn to km must mapsome nonzero input to zero

29 Polynomials Let k be a field By definition k[x] is the set of vectors(f0 f1 ) with all nonnegative integers as indices fi isin k for each nonnegativeinteger i and i fi 6= 0 finite

If one drops the requirement that i fi 6= 0 is finite then one obtains thepower-series ring k[[x]] but the reader can safely focus on k[x] for this paper

210 The ring structure of polynomials The set k[x] is a commutativering under the following operations


bull 0 is the vector (0 0 )bull 1 is the vector (1 0 )bull Negation maps (f0 f1 ) to (minusf0minusf1 )bull Addition maps (f0 f1 ) (g0 g1 ) to (f0 + g0 f1 + g1 )bull Multiplication (ldquoconvolutionrdquo) maps (f0 f1 f2 f3 ) (g0 g1 g2 g3 ) to

(f0g0 f0g1 + f1g0 f0g2 + f1g1 + f2g0 f0g3 + f1g2 + f2g1 + f3g0 )

211 The k-algebra structure of polynomials The map α 7rarr (α 0 0 )from k to k[x] is a ring morphism This map is injective so one can view k as asubset of k[x]

212 Units of k[x] The units of k[x] are exactly the elements (α 0 0 )where α isin klowast

213 The k-vector structure of polynomials The set k[x] is a vector spaceunder the following operations 0minus+ are as defined above α middot (f0 f1 ) forα isin k is defined as (αf0 αf1 )

This k-vector structure matches the k-algebra structure (αf0 αf1 ) is thesame as the product (α 0 0 )(f0 f1 )

214 Powers of x The vector (0 1 0 ) isin k[x] is abbreviated x One thenhas x0 = (1 0 0 ) = 1 x1 = (0 1 0 ) x2 = (0 0 1 ) etc

Any f = (f0 f1 ) isin k[x] equals the finite sumsum

ifi 6=0 fixi One can also

write f as the infinite sumsum

ige0 fixi only finitely many terms here are nonzero

215 Coefficients If f = (f0 f1 ) isin k[x] and i isin Z then the coefficientof xi in f means the entry fi for i ge 0 or 0 for i lt 0 (The case i lt 0 arises inthe proof of Theorem 41 if t gt degA)

One conventionally hides the formal definition of a polynomial as a vectorrather than constructing a polynomial f as (f0 f1 ) and referring to fi asthe entry at position i in f one constructs f as

sumi fix

i and refers to fi as thecoefficient of xi in f

216 Degree If f = (f0 f1 ) isin k[x] then the degree of f written deg f is minusinfin for f = 0 and otherwise the largest i such that fi 6= 0

If f g isin k[x] then deg fg = deg f +deg g and deg(f plusmn g) le maxdeg f deg g

217 Monic polynomials An element f = (f0 f1 ) isin k[x] is called monicif f 6= 0 and fdeg f = 1 ie f 6= 0 and the coefficient of xdeg f in f is 1

218 Evaluation If f = (f0 f1 ) isin k[x] and α isin k then the value of f atα denoted f(α) is

sumige0 fiα

i iesum

ifi 6=0 fiαi This is an element of k Beware

the ambiguity of concatenation being used to express both multiplication andevaluation (α+ β)f (α+ β) middot f and f middot (α+ β) refer to products in k[x] whilef(α+ β) refers to a value in k

For each α isin k the map f 7rarr f(α) from k[x] to k is a ring morphism Inother words for f g isin k[x] one has f(α) = 0 if f = 0 f(α) = 1 if f = 1(minusf)(α) = minusf(α) (f + g)(α) = f(α) + g(α) and (f middot g)(α) = f(α) middot g(α)


219 Roots For f isin k[x] and α isin k saying that α is a root of f means thatf(α) = 0 This is equivalent to f = (xminusα)q for some q isin k[x] ie f isin (xminusα)k[x]

220 Vandermonde invertibility If f 6= 0 then f has at most deg f rootsEquivalently if α1 α2 αn isin k are distinct and f0 f1 fnminus1 isin k satisfysum

i fiαij = 0 for all j isin 1 2 n then (f0 f1 fnminus1) = (0 0 0)

221 Transposed Vandermonde invertibility If α1 αn isin k are distinctand c1 cn isin k satisfy the equations

sumj cjα

ij = 0 for all i isin 0 1 nminus 1

then (c1 cn) = (0 0 0)

222 Derivatives If f = (f0 f1 f2 f3 ) isin k[x] then the derivative of fis (f1 2f2 3f3 ) In other words the derivative of

sumi fix

i issum

ige1 ifiximinus1

If f g isin k[x] then (fg)prime = fgprime + f primeg where f prime gprime (fg)prime are the derivatives off g fg respectively this is the product rule

One consequence of the product rule is Bernoullirsquos rule that if α isin k andf(α) = 0 then (fg)prime(α) = f prime(α) middot g(α) Bernoullirsquos rule is typically described asa rule for evaluating some ldquo00rdquo expressions if f(α) = 0 and f prime(α) 6= 0 thenthe ratio (fgf)(α) is (fg)prime(α)f prime(α) Bernoullirsquos rule is often called LrsquoHocircpitalrsquosrule for reasons explained in [73]

As an example of Bernoullirsquos rule if α1 αn isin k and A =prod

1lejlen(xminusαj)then Aprime(αh) =

prod1lejlenj 6=h(αh minus αj)

223 Quotients and remainders If f g isin k[x] and g 6= 0 then there areunique q r isin k[x] such that f = gq + r and deg r lt deg g If r = 0 then thenotation fg means q

224 Unique factorization The ring k[x] is a unique-factorization domainIn particular if f isin k[x] has roots α1 αn isin k and α1 αn are distinctthen f isin (xminus α1) middot middot middot (xminus αn)k[x]

225 Greatest common divisors If f g isin k[x] are not both 0 then thereis a unique monic d isin k[x] such that dk[x] = fk[x] + gk[x] This is called thegreatest common divisor of f and g written gcdf g One has f g isin dk[x]and k[x] = (fd)k[x] + (gd)k[x] so gcdfd gd = 1

226 Squarefreeness A nonzero element f isin k[x] is called squarefree ifit has the following property g2 isin fk[x] implies g isin fk[x] Equivalently fis not divisible by the square of any irreducible element of k[x] Equivalentlygcdf f prime = 1 where f prime is the derivative of f

3 Interpolation

This section explains how to recover a polynomial f isin k[x] with deg f lt n given(f(α1) f(αn)) Here α1 αn are distinct elements of k See Section 5 fora generalization that handles as many as t errors in the input vector at theexpense of requiring deg f lt nminus 2t

The formula for ϕ in Theorem 31 is usually called the ldquoLagrange interpolationformulardquo However Waring [78] published the same formula earlier


def interpolator(nkar) ar = list(a)list(r) assert kis_field() assert len(a) == n and len(set(a)) == n and len(r) == n kpolyltxgt = k[] A = kpoly(prod(x-a[j] for j in range(n))) Aprime = Aderivative() return kpoly(sum(((r[i]Aprime(a[i]))(A(x-a[i]))) for i in range(n)))

Algorithm 33 Direct interpolation algorithm to compute ϕ isin k[x] with degϕ lt nand (ϕ(α1) ϕ(αn)) = (r1 rn) Inputs integer n ge 0 field k (α1 αn) isin knwith distinct entries (r1 rn) isin kn

Theorem 31 (direct interpolation) Let n be a nonnegative integer Let kbe a field Let α1 αn be distinct elements of k Let r1 rn be elements ofk Define

ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj

Then f isin k[x] deg f lt n (f(α1) f(αn)) = (r1 rn) = ϕ

Proof By construction ϕ is a sum of n terms each term having degree at mostnminus 1 (more precisely degree nminus 1 if ri 6= 0 otherwise degree minusinfin) and hencehas degree at most nminus 1

Observe that ϕ(αh) =sum

i riprod

j 6=i(αhminusαj)(αiminusαj) If i 6= h then αhminusαj = 0for j = h so

prodj 6=i(αhminusαj)(αiminusαj) = 0 If i = h then

prodj 6=i(αhminusαj)(αiminusαj) =prod

j 6=h(αh minus αj)(αh minus αj) = 1 Hence ϕ(αh) = rh as claimedAny f isin k[x] with deg f lt n and (f(α1) f(αn)) = (r1 rn) must have

f = ϕ Otherwise fminusϕ is a nonzero polynomial so it has at most deg(fminusϕ) lt nroots but it visibly has the distinct roots α1 αn contradiction ut

32 An interpolation algorithm Algorithm 33 interpolates a polynomialfrom its values using the ϕ formula in Theorem 31

The algorithm starts by computing the polynomial A =prod

j(x minus αj) Thistakes Θ(n2) operations in k using schoolbook arithmetic in k[x] Then for eachi the algorithm uses Θ(n) operations to compute A(xminusαi) =

prodj 6=i(xminusαj) and

Θ(n) operations to compute Aprime(αi) =prod

j 6=i(αi minus αj) where Aprime is the derivativeof A In total this takes Θ(n2) operations

34 More interpolation algorithms An older interpolation method (due toNewton) the ldquodivided differencesrdquo method recursively interpolates a polynomialg isin k[x] with (g(α2) g(αn)) = ((r2minusr1)(α2minusα1) (rnminusr1)(αnminusα1))and then takes f = r1+(xminusα1)g This method is more complicated than directinterpolation to express as a concise formula but also costs Θ(n2)

There is an extensive literature on algorithms using n1+o(1) operations in knot just for interpolation but also for multiplication (multiplying

sum0leiltn fix

i

bysum

0leiltn gixi) division and other basic operations See generally [6]


One particularly fast case is interpolating f from its values at every point ina finite field k using various types of ldquofast Fourier transformsrdquo A difficulty hereis that each of these transforms uses a standard order of points while α1 αn

are in a secret order inside the McEliece cryptosystem There are algorithms toapply a secret permutation without using secret array indices see generally [10]

4 Approximants

Let AB be elements of k[x] with degA gt degB and consider the rank-2 latticek[x] middot (A 0) + k[x] middot (B 1) inside k[x]2 Readers familiar with integer-coefficientlattices should note that this is something different a k[x]-lattice The elementsof this lattice have the form a(B 1) minus b(A 0) = (aB minus bA a) for polynomialsa b isin k[x] The vector (aB minus bA a) is a short vector when both aB minus bA and ahave low degree

Itrsquos useful to vary the weights put on the two vector components let t be anonnegative integer and consider the lattice k[x] middot (A 0)+k[x] middot (B xdegAminus2tminus1)The point of this section is to find inside this lattice a minimum-length nonzerovector (aB minus bA axdegAminus2tminus1)

(If 2t ge degA then therersquos a denominator here One can manually trackweights of polynomials to avoid ever having to consider denominators this is howthe theorems below are phrased One can instead allow denominators droppingthe requirement of staying inside k[x]2 Alternatively one can clear denominatorsby considering the lattice k[x] middot (x2t+1minusdegAA 0)+ k[x] middot (x2t+1minusdegAB 1) in thecase 2t ge degA Or one can simply prohibit this case such large values of tarenrsquot of interest for the application to decoding)

Theorem 41 says that one can arrange for both aB minus bA and axdegAminus2tminus1

to have degree at most degA minus t minus 1 This also forces b to have degree belowt (Otherwise deg bA ge degA + t while deg aB = degB + deg a lt degA + tso deg(aB minus bA) ge degA + t) One can also take a b to be coprime then byTheorem 42 any lattice vector of degree at most degAminustminus1 must be a multipleof this particular vector

Why take a minus sign on b Why multiply a by B and b by A ratherthan a by A and b by B Answer small aB minus bA means that the rationalfunction ba is close to BA This rational function ba has small height meaningthat its numerator and denominator are small The perspective of small-heightrational approximations has played an important role in the development of fastalgorithms in this area

Theorem 41 (approximants) Let t be a nonnegative integer Let k be afield Let AB be elements of k[x] with degA gt degB Then there exist a b isink[x] such that gcda b = 1 deg a le t deg b lt t and deg(aBminus bA) lt degAminus t

Proof Define n = degA Consider the following k-linear map from k2t+1 tok2t the input is a vector (a0 a1 atminus1 at b0 b1 btminus1) the output entriesare the coefficients of xn+tminus1 xn+tminus2 xnminust in aB minus bA where a = atx

t +atminus1x

tminus1 + middot middot middot + a1x + a0 and b = btminus1xtminus1 + middot middot middot + b1x + b0 Explicitly if A =


Anxn + Anminus1x

nminus1 + middot middot middot and B = Bnminus1xnminus1 + middot middot middot then the output entries are

atBnminus1 minus btminus1An atBnminus2 + atminus1Bnminus1 minus btminus1Anminus1 minus btminus2An etcThe input dimension 2t + 1 exceeds the output dimension 2t so there is

a nonzero input that maps to zero The corresponding polynomials a b have(a b) 6= (0 0) deg a le t deg b lt t and deg(aB minus bA) lt nminus t Finally to ensurethat gcda b = 1 replace (a b) with (agcda b bgcda b) this subtractsdeg gcda b ge 0 from deg a deg b and deg(aB minus bA) ut

Theorem 42 (the best-approximation property of approximants) Lett be a nonnegative integer Let k be a field Let AB a b c d be elements of k[x]such that gcda b = 1 deg a le t deg(aB minus bA) lt degA minus t deg c le t anddeg(cB minus dA) lt degAminus t Then (c d) = (λa λb) for some λ isin k[x]

Equivalently (in the case c 6= 0) if deg a le t if deg c le t deg(BAminus ba) ltminust minus deg a and deg(BA minus dc) lt minust minus deg c then dc must equal ba Toapproximate BAmore closely than the fraction ba constructed in Theorem 41one must take larger-degree denominators

One way to describe the proof is as follows if the lattice mentioned abovehas two independent vectors (aBminus bA axdegAminus2tminus1) (cBminusdA cxdegAminus2tminus1) ofdegree at most degA minus t minus 1 then the lattice determinant has degree at most2 degAminus 2tminus 2 but by inspection the lattice determinant is AxdegAminus2tminus1 ofdegree 2 degAminus 2tminus 1 Combining linear dependence with gcda b = 1 forces(c d) = (λa λb)

Proof c(aB minus bA)minus a(cB minus dA) = (adminus cb)A The left side has degree smallerthan degA so ad minus cb = 0 In particular cb isin ak[x] but gcda b = 1 soc isin ak[x] and similarly d isin bk[x] Write λ for ca if a 6= 0 or for db if b 6= 0 inboth cases (c d) = (aλ bλ) as claimed ut

43 An approximant algorithm Algorithm 44 computes a b from t k ABThis algorithm works in the same way as the proof of Theorem 41 constructingcoefficients of a b as solutions to an explicit system of 2t equations in 2t + 1variables Straightforward matrix algorithms use O(t3) operations in k typicallyΘ(t3) operations

45 More approximant algorithms One can construct a b via an extended-gcd computation Straightforward extended-gcd algorithms use O(t2) operationstypically Θ(t2) operations

More sophisticated extended-gcd algorithms use t1+o(1) operations See [6Section 21] Applying a sequence of 2t ldquodivstepsrdquo taking n = 2t in [16 TheoremsA1 and A2] uses t1+o(1) operations with the ldquojumprdquo algorithms in [16] whileavoiding the timing variability of polynomial division

46 Approximants as ratios With the following definition the conclusion ofTheorem 41 is that there is an approximant to BA at degree t This definitionwould also slightly compress the statement of Theorem 42 and the statementsof some theorems later in this paper For the benefit of a reader looking at


def approximant(tkAB) assert t gt= 0 and Abase_ring() == k and Bbase_ring() == k kpolyn = Aparent()Adegree() assert n gt Bdegree() M = [ [ B[t+n-1-i-j] for i in range(t+1)] + [-A[t+n-1-i-j] for i in range(t) ] for j in range(2t)] M = matrix(k2t2t+1M) ab = list(Mright_kernel()gens()[0]) ab = kpoly(ab[t+1])kpoly(ab[t+1]) d = gcd(ab) return adbd

Algorithm 44 Linear-algebra algorithm to compute a b isin k[x] with gcda b = 1deg a le t deg b lt t and deg(aB minus bA) lt degA minus t Inputs integer t ge 0 field kA isin k[x] B isin k[x] with degA gt degB Note that []+[] in Sage is concatenationof lists

just one theorem this paper avoids using this definition in theorem statementsbut readers exploring the literature may find this definition useful Analogouscomments apply to eg Definition 58 below

Definition 47 Let k be a field Let AB be elements of k((xminus1)) with A 6= 0Let t be a nonnegative integer If (a b) isin k[x] times k[x] satisfy gcda b = 1deg a le t and deg(aBminus bA) lt degAminus t then ba is an approximant to BAat degree t

For simplicity the theorems in this section were stated specifically for AB isink[x] but the concepts and proofs do not require this This paper does not definek((xminus1)) but instead notes that k((xminus1)) contains the field k(x) of rationalfunctions in x and that k(x) in turn contains the polynomial ring k[x] so readersnot familiar with k((xminus1)) can substitute k[x] for k((xminus1)) in the definition

The condition deg(aB minus bA) lt degA minus t is equivalent to deg(BA minus ba) ltminustminusdeg a this is why it is safe to describe the input as BA rather than (AB)As for the output knowing the ratio ba and knowing gcda b = 1 does notexactly determine the pair (a b) but the only ambiguity is that one can replace(a b) by (λa λb) for λ isin klowast this replacement does not affect the conditions ondeg a deg b and deg(aB minus bA)

48 History Euclidrsquos subtractive algorithm [36 Book VII Propositions 1ndash2translation ldquothe less of the numbers ABCD being continually subtracted fromthe greaterrdquo] recognizes coprime integers and more generally computes the gcdof two integers

What is typically called Euclidrsquos algorithmmdashsee [50 Section 452 text beforeAlgorithm E] for an argument that this must be what Euclid had in mindmdashisa variant that iterates (AB) 7rarr (BA mod B) This is much faster than theoriginal algorithm when bABc is large This version also has a polynomialanalogue Stevin [71 page 241 of original page 123 of cited PDF] computedpolynomial gcd by iterating (AB) 7rarr (BA mod B)


According to [22 page 3] an extended-gcd algorithm computing solutionsto aB minus bA = 1 for coprime integers AB is due to Aryabhata around the6th century and the forward recurrence relation for coefficients in the extendedalgorithmmdashin other words numerators and denominators of convergents to acontinued fractionmdashis due to Bhascara in the 12th century

Lagrange [53] used convergents to continued fractions of rational functionsas small-height approximations to power series Kronecker [51 pages 118ndash119of cited PDF] gave both the continued-fraction construction and (ldquoin directerWeiserdquo) the linear-algebra construction Consequently it seems reasonable tocredit Theorem 41 to Lagrange but the short proof to Kronecker Small-heightapproximations to power series are often miscredited to [62] under the nameldquoPadeacute approximantsrdquo

An earlier paper of Lagrange [52 pages 723ndash728 of cited URL] had describedin the integer case an algorithm for basis reduction for rank-2 latticesmdashin thecontext of simplifying quadratic forms rather than as a perspective on extended-gcd computations Lagrange reduction is often miscredited to [41] under thename ldquoGauss reductionrdquo

In coding theory finding an approximant is called ldquosolving the key equationrdquothe ldquokey equationrdquo is by definition the congruence dminusaB isin Ak[x] where deg a let and deg d lt degA minus t Decoding algorithms are typically factored throughthis concept and often the proofs are factored through continued-fraction factswhen the continued-fraction machinery is stripped away those facts boil downto Theorem 42 For the more complicated setting of list-decoding algorithmsshort vectors in arbitrary-rank lattices often appear as an abstraction layer seeeg [21] [7] [32] [8] and [9]

5 Interpolation with errors

This section explains how to recover a polynomial f isin k[x] with deg f lt nminus 2tgiven a vector that matches (f(α1) f(αn)) on at least nminus t positions Hereα1 αn are distinct elements of k The special case t = 0 of this problem washandled in Section 3 and is used as a subroutine for handling the general case

51 Hamming weight If e isin kn where n is a nonnegative integer thenldquowt erdquo means i isin 1 2 n ei 6= 0 the number of nonzero positions in eA vector r isin kn matches c = (f(α1) f(αn)) on at least nminus t positions if andonly if wt(r minus c) le t ie wt(r1 minus f(α1) rn minus f(αn)) le t

52 An interpolation-with-errors algorithm Algorithm 53 recovers fgiven (n t k α r) where r is a vector with wt(r1 minus f(α1) rn minus f(αn)) le tThe algorithm has three steps

bull Interpolate the input vector into a polynomial B isin k[x] with degB lt n asin Theorem 31

bull Compute an approximant ba to BA at degree t as in Theorem 41 whereA =

prodi(xminus αi)

bull Compute f = B minus bAa Theorem 54 says that this works


from interpolator import interpolatorfrom approximant import approximant

def interpolator_with_errors(ntkalphar) alphar = list(alpha)list(r) assert kis_field() assert len(alpha) == n and len(set(alpha)) == n and len(r) == n B = interpolator(nkalphar) kpoly = Bparent() A = kpoly(prod(kpoly([-alpha[j]1]) for j in range(n))) ab = approximant(tkAB) if adivides(A) if aB-bA == 0 or (aB-bA)degree() lt n-2t+adegree() return B-bAa

Algorithm 53 Algorithm to compute the unique f isin k[x] with deg f lt n minus 2t forwhich (f(α1) f(αn)) matches r on at least n minus t positions or None if no such fexists Inputs integer n ge 0 integer t ge 0 field k (α1 αn) isin kn with distinctentries r isin kn

The algorithm returns None for invalid input vectors recognized as follows fexists if and only if A isin ak[x] (which is equivalent to j a(αj) = 0 = deg a)and deg(aB minus bA) lt nminus 2t+ deg a See Theorem 55

Beware that Sagersquos degree function is not the same as the conventional degreefunction for polynomials on input 0 it returns minus1 rather than minusinfin This is whyAlgorithm 53 includes a separate test for aB minus bA = 0

Theorem 54 (interpolation with errors) Let n t be nonnegative integersLet k be a field Let α1 αn be distinct elements of k Define A =

prodi(xminusαi)

Let B a b f be elements of k[x] with gcda b = 1 deg a le t deg(aB minus bA) ltnminust and deg f lt nminus2t Define e = (B(α1)minusf(α1) B(αn)minusf(αn)) Assumewt e le t Then A isin ak[x] f = B minus bAa deg(aB minus bA) lt n minus 2t + deg a andi ei 6= 0 = i a(αi) = 0

Proof Define E =prod

iei=0(xminus αi) and c =prod

iei 6=0(xminus αi) Then Ec = AIf ei = 0 then B(αi) = f(αi) so B minus f isin (x minus αi)k[x] This implies B minus f isin

Ek[x] since α1 αn are distinctDefine d = (B minus f)E isin k[x] Then dA = (B minus f)c so cB minus dA = cf Note

that deg c = wt e le t also deg f lt nminus 2t so deg(cB minus dA) lt nminus tThe conditions of Theorem 42 are satisfied AB a b c d are elements of

k[x] with gcda b = 1 deg a le t deg(aB minus bA) lt degA minus t deg c le t anddeg(cB minus dA) lt degAminus t

Hence (c d) = (λa λb) for some λ isin k[x] by Theorem 42 By constructionc 6= 0 so a 6= 0 Also A isin ck[x] sube ak[x] Consequently Bminus f = dAc = bAa sof = B minus bAa and deg(aB minus bA) = deg af lt nminus 2t+ deg a

To see that ei 6= 0 exactly when a(αi) = 0 A(αi) = 0 so if a(αi) = 0 then bythe Bernoulli rule (Aa)(αi) = Aprime(αi)a

prime(αi) 6= 0 where aprime Aprime are the derivatives


of aA respectively also b(αi) 6= 0 since gcda b = 1 so ei = (B minus f)(αi) =(bAa)(αi) 6= 0 If a(αi) 6= 0 then ei = (bAa)(αi) = 0 since A(αi) = 0 ut

Theorem 55 (checking interpolation with errors) Let n t be nonnegativeintegers Let k be a field Let α1 αn be distinct elements of k DefineA =

prodi(xminusαi) Let B a b be elements of k[x] such that gcda b = 1 deg a le t

A isin ak[x] and deg(aBminusbA) lt nminus2t+deg a Define f = BminusbAa Then f isin k[x]deg f lt nminus 2t and wt(B(α1)minus f(α1) B(αn)minus f(αn)) le t

The condition deg(aB minus bA) lt n minus 2t + deg a here cannot be weakened todeg(aBminus bA) lt nminus t Consider eg n = 3 t = 1 any field k with k ge 3 anydistinct α1 α2 α3 isin k A = (xminus α1)(xminus α2)(xminus α3) B = x a = 1 and b = 0Then deg(aB minus bA) = deg x = 1 = nminus 2t+deg a The values of B on α1 α2 α3

are α1 α2 α3 respectively and there is no polynomial f with deg f lt 1 thatmatches more than one of those values

Proof By assumption A isin ak[x] and a 6= 0 since A 6= 0 so f = BminusbAa isin k[x]Also deg f = deg(aB minus bA)minus deg a lt nminus 2t

If B(αi) minus f(αi) 6= 0 then (bAa)(αi) 6= 0 so (Aa)(αi) 6= 0 but A(αi) = 0so a(αi) = 0 The number of roots of a is at most deg a le t and α1 αn aredistinct so wt(B(α1)minus f(α1) B(αn)minus f(αn)) le t ut

56 More algorithms varying the pair (AB) If A =prod

i(x minus αi) andB =

sumi(riA

prime(αi))A(xminus αi) where Aprime is the derivative of A then

B

A=sumi

riAprime(αi)(xminus αi)

=sumi

riAprime(αi)

(1

x+αi

x2+ middot middot middot

)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)

One can vary the choice of (AB) while preserving the ratio BA eg one cantake A = 1 and B =

sumsge0 x

minussminus1sumi riα

siprod

j 6=i(αjminusαi) Formally this requiresdefining k((xminus1)) but the terms in BA after xminus2t do not matter for decodingso one can take A = x2t and B =

sum0leslt2t

sumi riα

six

2tminussminus1prod

j 6=i(αj minus αi)These variations preserve the set of (a b) isin k[x]timesk[x] such that gcda b = 1

deg a le t and deg(aB minus bA) lt degA minus t If deg f lt n minus 2t and wt e le t withe = (r1 minus f(α1) rn minus f(αn)) then i ei 6= 0 = i a(αi) = 0 for any such(a b) If one assumes that F2 sube k and that e isin Fn

2 then knowing i ei 6= 0 isenough information to reconstruct e and thereby f To instead handle arbitrarye isin kn one can use any of these variants of (AB) to compute (a b) and thenreturn to the original (AB) to apply the formula f = BminusbAa in Theorem 54

57 ReedndashSolomon codes The set of vectors (f(α1) f(αn)) is calleda ReedndashSolomon code see Definition 58 This is a subspace of the k-vectorspace kn Each vector is called a codeword With this terminology Theorem 54recovers a ReedndashSolomon codeword from a vector that matches the codeword onat least nminus t positions One can similarly define Goppa codes in Section 6


Definition 58 Let n t be nonnegative integers Let k be a field Let α1 αn

be distinct elements of k Then (f(α1) f(αn)) f isin k[x]deg f lt nminus 2tis the ReedndashSolomon code over k of dimension n minus 2t with support(α1 αn)

59 History ReedndashSolomon [68] suggested encoding a polynomial f isin k[x]with deg f lt nminus2t as (f(α1) f(αn)) for distinct α1 αn so as to be ableto recover f even if t vector entries are corrupted The point is that the codeC = (f(α1) f(αn)) f isin k[x]deg f lt nminus 2t has ldquominimum distancerdquo atleast 2t + 1 (every nonzero c isin C has wt c ge 2t + 1) so the map (e f) 7rarre + (f(α1) f(αn)) from (e f) isin kn times k[x] wt e le tdeg f lt nminus 2t to knis injective This raises the question of how efficiently one can decode let errorsin C ie recover (e f) from e+ (f(α1) f(αn))

Assume n gt 2t Prangersquos ldquoinformation-set decodingrdquo [66] interpolates f fromn minus 2t values at selected positions in the input vector checks the remainingvalues of f to deduce e and if e has the wrong weight tries another selection ofnminus 2t positions This takes polynomial time if t is close enough to 0 or n2 butis much slower in general Reed and Solomon did not have the idea of checkingthe weight of e they had instead suggested trying many selections of n minus 2tpositions to find the most popular choice of f and relying on an upper boundfor how often any particular incorrect choice could appear

Forney [38 Chapter 4] (see also [39]) introduced a polynomial-time decodingalgorithm for ReedndashSolomon codes Forneyrsquos algorithm simplified and extendedan algorithm by Gorenstein and Zierler [44] which handled the special caseα1 αn = klowast The latter algorithm extended an algorithm by Peterson [65]which handled the following special case F2 sube k each f(αj) is in F2 and e isin Fn

2 The PetersonndashGorensteinndashZierlerndashForney algorithm is bottlenecked by matrix

operations that when carried out in a simple way use n3+o(1) operations in kassuming n isin t1+o(1) The exponent for generic matrix operations was laterreduced below 3 (starting with exponent log2 7 for matrix multiplication byStrassen [72] along with the same exponent for solving linear equations undervarious nonsingularity constraints) but it turns out that one can obtain muchbetter decoding speeds using the structure of these particular matrices

Berlekamp [5] introduced a decoding algorithm using just n2+o(1) operationsinstead of n3+o(1) operations the main work inside the algorithm is polynomialarithmetic rather than matrix arithmetic Massey [55] streamlined Berlekamprsquosalgorithm and factored the algorithm into two layers where the top layer is adecoder and the bottom layer is a subroutine for ldquoshift register synthesisrdquo Thesubroutine is called the BerlekampndashMassey algorithm

SugiyamandashKasaharandashHirasawandashNamekawa [75] built an n2+o(1) algorithm forReedndashSolomon decoding on top of an extended-gcd computation Algorithmsusing just n1+o(1) operations were already known for gcd (see [6 Section 216] forhistory) and for all other necessary subroutines these algorithms were appliedto ReedndashSolomon decoding by Justesen [48] and independently Sarwate [69]reducing the costs of decoding to n1+o(1)


It turned out that Berlekamp decoders and SugiyamandashKasaharandashHirasawandashNamekawa decoders are equivalent Mills [57] pointed out that ldquoshift registersynthesisrdquo is the same as the problem of finding approximants the problemof finding (a b) in Theorem 41 See also [79] for how the result after eachpolynomial division inside an extended-gcd computation appears inside in theBerlekampndashMassey algorithm [34] for an extended-gcd explanation of all furtherquantities inside the BerlekampndashMassey algorithm and [16 Appendix C] fora reformulation in terms of ldquodivstepsrdquo In a nutshell the polynomials in theBerlekampndashMassey algorithm are polynomials in an extended-gcd computationbut with coefficients in reverse order

This does not mean that all ReedndashSolomon decoders are the same See forexample Section 56 regarding different choices of (AB) the choice of (AB)in Theorem 54 was published by Shiozaki [70 Section III] and later Gao [40]For the problem of computing (a b) in Theorem 41 algorithms in the literaturehave costs ranging from n3+o(1) down through n1+o(1) A ldquosystematicrdquo ReedndashSolomon code represents a polynomial f of degree below n minus 2t as the values(f(α1) f(αnminus2t)) isin knminus2t rather than as the coefficients of f one needs tolook closely at algorithms to see which representation allows faster decodingalthough obviously the gap cannot be larger than the cost of converting betweenrepresentations ie the cost of evaluation and (error-free) interpolation Finallythere are list-decoding algorithms that can handle more than t errors

6 Binary-Goppa decoding

The title problem of this paper and of this section binary-Goppa decoding isto recover e c isin Fn

2 from e+ c assuming wt e le t andsum

i ciA(xminus αi) isin gk[x]Here α1 αn are distinct elements of a finite field k containing F2 A meansprod

i(x minus αi) and g is a squarefree degree-t element of k[x] with gcdgA = 1ie with g(α1) g(αn) all nonzero This section presents an algorithm to solvethis problem

61 An algorithm to decode binary Goppa codes Algorithm 62 allowsany r isin kn as an input vector and returns the unique e isin Fn

2 with wt e le t suchthat

sumi(ri minus ei)A(x minus αi) isin gk[x] or None if no such e exists The algorithm

has three steps

bull Interpolate a polynomial B satisfying B(αi) = riAprime(αi)g(αi)

2 Here Aprime isthe derivative of A so Aprime(αj) =

prodi6=j(αj minus αi)

bull Compute an approximant ba to BA at degree t as in Theorem 41bull Compute i ei = 1 as i a(αi) = 0 Theorem 64 says that this works

The algorithm recognizes the None case using tests stated in Theorem 65 e existsexactly when A isin ak[x] g2b minus aprime isin ak[x] and deg(aB minus bA) lt n minus 2t + deg aHere aprime is the derivative of a The test g2bminusaprime isin ak[x] can be skipped for inputsr isin Fn

2 see Section 7



def goppa_errors(ntkalphagr) alphar = list(alpha)list(r) assert kis_field() and kcharacteristic() == 2 assert gbase_ring() == k and gdegree() == t and gis_squarefree() assert len(alpha) == n and len(set(alpha)) == n and len(r) == n kpoly = gparent() A = kpoly(prod(kpoly([-alpha[j]1]) for j in range(n))) Aprime = Aderivative() rtwist = [r[i]Aprime(alpha[i])g(alpha[i])^2 for i in range(n)] B = interpolator(nkalphartwist) ab = approximant(tkAB) aprime = aderivative() if adivides(A) if adivides(g^2b-aprime) if aB-bA == 0 or (aB-bA)degree() lt n-2t+adegree() return [k(a(alpha[j]) == 0) for j in range(n)]

Algorithm 62 Algorithm to compute the unique e isin Fn2 with

sumi(riminusei)A(xminusαi) isin

gk[x] and wt e le t or None if no such e exists Here A =prod

i(x minus αi) isin k[x] Inputsinteger n ge 0 integer t ge 0 field k containing F2 (α1 αn) isin kn with distinctentries squarefree g isin k[x] with deg g = t and each g(αj) nonzero r isin kn

Theorem 63 (Goppa squaring) Let n be a nonnegative integer Let k bea finite field with F2 sube k Let α1 αn be distinct elements of k DefineA =

prodi(x minus αi) Let g be a squarefree element of k[x] such that gcdgA =

1 Let c be an element of Fn2 Then

sumi ciA(x minus αi) isin gk[x] if and only ifsum

i ciA(xminus αi) isin g2k[x]

Goppa proved Theorem 63 in [43 Section 4] The same proof works for allperfect fields of characteristic 2 not just finite fields

Proof Write Z =prod

ici=0(xminus αi) and C =prod

ici=1(xminus αi) Then A = ZC Byhypothesis gcdgA = 1 so gcdg Z = 1

The derivative C prime of C issum

ici=1 C(xminusαi) Hencesum

i ciA(xminusαi) isin gk[x] ifand only if ZC prime isin gk[x] ie if and only if C prime isin gk[x] Similarly

sumi ciA(xminusαi) isin

g2k[x] if and only if C prime isin g2k[x] It thus suffices to show that C prime isin gk[x] if andonly if C prime isin g2k[x]

Assume that C prime isin gk[x] Write C assum

j Cjxj By assumption k is a finite

field containing F2 so C prime =sum

j C2j+1x2j also C2j+1 has a square root C12

2j+1

in k so C prime = S2 where S =sum

j C122j+1x

j Thus S2 isin gk[x] implying S isin gk[x]since g is squarefree implying C prime isin g2k[x]

Conversely if C prime isin g2k[x] then certainly C prime isin gk[x] ut

Theorem 64 (Goppa decoding) Let n t be nonnegative integers Let k bea finite field with F2 sube k Let α1 αn be distinct elements of k Define


A =prod

i(x minus αi) Let g be a squarefree element of k[x] such that deg g = t andgcdgA = 1 Let B a b be elements of k[x] with gcda b = 1 deg a le t anddeg(aBminus bA) lt nminus t Let Aprime aprime be the derivatives of A a respectively Let e bean element of Fn

2 such that wt e le t and

sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A

xminus αiisin gk[x]

Then ei = [a(αi) = 0] for all i wt e = deg a A isin ak[x] g2b minus aprime isin ak[x] anddeg(aB minus bA) lt nminus 2t+ deg a

The notation [a(αi) = 0] means 1 if a(αi) = 0 else 0

Proof Write ci = (g2B)(αi)Aprime(αi)minusei By assumption

sumi ciA(xminusαi) isin gk[x]

sosum

i ciA(x minus αi) isin g2k[x] by Theorem 63 Write f = (sum

i ciA(x minus αi))g2

Then f isin k[x] and deg f lt nminus 2t since degA = n and deg g = tNotice that (g2f)(αi)A

prime(αi) = ci Indeedsumi

ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f

so ciAprime(αi) = (g2f)(αi) by Theorem 31Now (g2Bminus g2f)(αi)A

prime(αi) = ei so (Bminus f)(αi) = eiAprime(αi)g(αi)

2 which isnonzero exactly when ei 6= 0 so wt((B minus f)(α1) (B minus f)(αn)) = wt e le t

By Theorem 54 A isin ak[x] f = BminusbAa deg(aBminusbA) lt nminus2t+deg a andi (B minus f)(αi) 6= 0 = i a(αi) = 0 Hence i ei 6= 0 = i a(αi) = 0 Byassumption ei isin F2 so ei 6= 0 exactly when ei = 1 so ei = [a(αi) = 0] Also wt eequals the number of roots of a among α1 αn namely deg a since A isin ak[x]

Finally say a(αi) = 0 Then aprime(αi) 6= 0 and by Bernoullirsquos rule (Aa)(αi) =Aprime(αi)a

prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)

so (g2bminus aprime)(αi) = 0 Hence g2bminus aprime isin ak[x] ut

Theorem 65 (checking Goppa decoding) Let n t be nonnegative integersLet k be a finite field with F2 sube k Let α1 αn be distinct elements of kDefine A =

prodi(x minus αi) Let g be an element of k[x] such that deg g = t and

gcdgA = 1 Let B a b be elements of k[x] with gcda b = 1 deg a le tA isin ak[x] deg(aB minus bA) lt nminus 2t+ deg a and g2bminus aprime isin ak[x] where aprime is thederivative of a Define e isin Fn

2 by ei = [a(αi) = 0] Then wt e = deg a and

sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A

xminus αiisin g2k[x]

where Aprime is the derivative of A


One can replace g2 in this theorem by any polynomial of degree 2t with noroots among α1 αn but the extra generality is not useful for this paper

Proof First a 6= 0 since 0 6= A isin ak[x] Define f = B minus bAa Then f isin k[x]and deg f = deg(aB minus bA)minus deg a lt nminus 2t also deg g = t so deg g2f lt n

Observe that ei = (g2bAa)(αi)Aprime(αi) = (g2B minus g2f)(αi)A

prime(αi)

bull If a(αi) = 0 then aprime(αi) 6= 0 and (Aa)(αi)Aprime(αi) = 1aprime(αi) Also g2bminusaprime isin

ak[x] so (g2b)(αi) = aprime(αi) Multiply (g2bAa)(αi)Aprime(αi) = 1 = ei

bull If a(αi) 6= 0 then (g2bAa)(αi)Aprime(αi) = 0 = ei since A(αi) = 0

Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi

αj minus αi= g2f isin g2k[x]

by Theorem 31To see wt e = deg a Since A splits into linear factors of the form xminus αi the

same is true for a so i ei = 1 = i a(αi) = 0 = deg a ut

66 Goppa decoders via ReedndashSolomon decoders Fix β1 βn isin klowastand consider the problem of recovering f isin k[x] with deg f lt nminus2t given a vectorthat agrees with (β1f(α1) βnf(αn)) on at least nminus t positions Dividing βjout of the jth position immediately reduces this to the problem considered inSection 5

The main point of the proof of Theorem 64 is that the vectors c isin kn satisfyingsumi ciA(x minus αi) isin gk[x] are exactly the vectors (β1f(α1) βnf(αn)) where

βj = g(αj)2Aprime(αj) Any ReedndashSolomon decoder can thus be used as a Goppa

decoderAlgorithm 62 starts from this approach but streamlines the computation of

e taking advantage of the assumption e isin Fn2 The critical information coming

from the ReedndashSolomon decoder is the ldquoerror-locator polynomialrdquo a which is anonzero constant multiple of

prodiei 6=0(xminus αi) Knowing the positions of nonzero

entries in e immediately reveals e since each entry of e is either 0 or 1Without the assumption e isin Fn

2 one can compute each ei in the ReedndashSolomon context as (bAa)(αi) which is b(αi)A

prime(αi)aprime(αi) when a(αi) = 0

In the binary-Goppa context one multiplies by βi = g(αi)2Aprime(αi) to obtain

ei = g(αi)2b(αi)a

prime(αi) when a(αi) = 0 Streamlining this to ei = 1 mightnot seem helpful in Algorithm 62 since the algorithm checks g2b minus aprime isin ak[x]anyway and the obvious way to do this is to check g(αi)

2b(αi) = aprime(αi) butSection 7 shows that this check can simply be skipped when the input vector isin Fn

2


7 A closer look at binary Goppa codes

The main point of this section is that if the input vector is assumed to be inFn

2 not merely in kn then the test g2b minus aprime isin ak[x] can be removed fromAlgorithm 62

71 Overview of the logic Theorem 72 rewritessum

i ciA(x minus αi) isin gk[x]as the following system of linear equations

sumi cig(αi) = 0

sumi ciαig(αi) = 0

and so on throughsum

i ciαtminus1i g(αi) = 0 Ths theorem is from Goppa [43 Section

3] and is used inside the standard method of computing McEliece keysTheorem 73 uses this system of linear equations to show that any solution

c isin kn with at least n minus t entries in F2 must have all entries in F2 I wouldnrsquotbe surprised if this is already in the literature but I donrsquot know a reference

In the context of decoding skipping the test g2bminus aprime isin ak[x] means that onefinds c isin kn given any e + c isin kn with wt e le t If one adds the requirementthat the input e+ c is in Fn

2 then the resulting c must have at least nminus t entriesin F2 so it is in Fn

2 so e isin Fn2 as desired Theorem 74 spells out the precise

conditions

Theorem 72 (Goppa parity checks) Let n t be nonnegative integers Letk be a field Let α1 αn be distinct elements of k Define A =

prodi(x minus αi)

Let g be an element of k[x] such that deg g = t and gcdgA = 1 Let c be anelement of kn Then

sumi ciA(x minus αi) isin gk[x] if and only if

sumi ciα

sig(αi) = 0

for all nonnegative integers s lt t

Proof Define B =sum

i(cig(αi))A(x minus αi) and C =sum

i ciA(x minus αi) ThenB(αi) = ciA

prime(αi)g(αi) and C(αi) = ciAprime(αi) by Theorem 31 so C(αi) minus

g(αi)B(αi) = 0 so C minus gB isin Ak[x] since α1 αn are distinctBy hypothesis deg g = t If degB lt n minus t then deg gB lt n = degA so

C = gB isin gk[x] Conversely if C isin gk[x] then (CgminusB)g = C minus gB isin Ak[x] soCgminusB isin Ak[x] since gcdgA = 1 but deg(CgminusB) lt degA so CgminusB = 0so degB = deg(Cg) lt nminus deg g = nminus t

Define Q =sum

i(cig(αi))αtiA(xminus αi) Then

xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi

One has degQ lt n so degB lt nminus t if and only if deg(xtBminusQ) lt n ie if andonly if

sumi(cig(αi))

sum0lesltt x

tminus1minussαsi = 0 ie if and only if

sumi(cig(αi))α

si = 0

for all s with 0 le s lt t Hence C isin gk[x] if and only ifsum

i ciαsig(αi) = 0 for all

s with 0 le s lt t ut

If the formal structure of this paper allowed k((xminus1)) then one could replacethe last paragraph of the proof with the following degB lt n minus t if and only ifdeg(BA) lt minust ie if and only if

sumi ciα

sig(αi) = 0 for all nonnegative integers

s lt t since BA =sum

s xminussminus1sum

i ciαsig(αi) as in Section 56 The proof given

above replaces BA with the approximation (xtBminusQ)xtA so as to work entirelywith polynomials


Theorem 73 (Goppa alignment) Let n t be nonnegative integers Let kbe a finite field with F2 sube k Let α1 αn be distinct elements of k DefineA =

prodi(x minus αi) Let g be a squarefree element of k[x] such that deg g = t and

gcdgA = 1 Let c be an element of kn such thatsum

i ciA(xminus αi) isin gk[x] Ifi ci isin F2 ge nminus t then c isin Fn

2

Proof Write di = c2i minus ci Saying ci isin F2 is the same as saying di = 0Write I = i di 6= 0 By hypothesis di = 0 for at least nminus t values of i ie

I le t The objective is to show that di = 0 for all i ie that I = By Theorem 72

sumi ciα

sig(αi) = 0 for 0 le s lt t

Alsosum

i ciA(x minus αi) isin g2k[x] by Theorem 63 Substitute (g2 2t) for (g t)in Theorem 72 to see that

sumi ciα

sig(αi)

2 = 0 for 0 le s lt 2tOne has 2 = 0 in k since k contains F2 so (v+w)2 = v2+2vw+w2 = v2+w2

for all v w isin k in short squaring maps sums to sums Squaring is also injectiveif v2 = w2 then (v + w)2 = v2 + w2 = 2v2 = 0 so v + w = 0 so v = wConsequently α2

1 α2n are distinct

For each s with 0 le s lt t square the equationsum

i ciαsig(αi) = 0 to obtainsum

i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)

2 = 0 since 0 le 2s lt 2t Subtract toobtain

sumi diα

2si g(αi)

2 = 0 iesum

iisinI diα2si g(αi)

2 = 0The first I of these equations the equations with s lt I now imply

dig(αi)2 = 0 for each i isin I by transposed Vandermonde invertibility since

the quantities α2i for i isin I are distinct Hence di = 0 for each i isin I but di 6= 0

for i isin I so I = 0 as claimed ut

A slightly different proof takes I to be any set of size at most t containing all ifor which di 6= 0 This still reaches the conclusion that di = 0 for each i isin I Onealso has di = 0 for each i isin I by definition of I so di = 0 for all i as claimed

Theorem 74 (checking Goppa decoding for received words in Fn2 ) Let

n t be nonnegative integers Let k be a finite field with F2 sube k Let α1 αn

be distinct elements of k Define A =prod

i(xminus αi) Let g be a squarefree elementof k[x] such that deg g = t and gcdgA = 1 Let B a b be elements of k[x] withgcda b = 1 deg a le t A isin ak[x] and deg(aBminus bA) lt nminus 2t+deg a Assumethat g(αi)

2B(αi)Aprime(αi) isin F2 for all i Define e isin Fn

2 by ei = [a(αi) = 0] Thenwt e = deg a and sum

i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A



Compared to Theorem 65 this adds the condition that g(αi)2B(αi)A

prime(αi) isinF2 but removes the condition that g2bminus aprime isin ak[x]



Define c isin kn by ci = (g2f)(αi)Aprime(αi) Thensum

i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi


by Theorem 31Define ri = (g2B)(αi)A

prime(αi) If a(αi) 6= 0 then (Aa)(αi) = 0 so B(αi) =f(αi) so ri = ci There are at most deg a le t indices i for which a(αi) = 0 soi ri = ci ge nminus t By hypothesis ri isin F2 so i ci isin F2 ge nminus t Hencec isin Fn

2 by Theorem 73Now the difference ri minus ci is in F2 for each i If ei = 0 then a(αi) 6= 0 so

again ri = ci If ei = 1 then a(αi) = 0 so ri minus ci = (g2B minus g2f)(αi)Aprime(αi) =

(g2b)(αi)aprime(αi) 6= 0 since gcda b = 1 so ri minus ci = 1 In all cases ri minus ci = ei

Finallysum

i(riminusei)A(xminusαi) =sum

i ciA(xminusαi) isin g2k[x] and (as in Theorem 64)wt e = i a(αi) = 0 = deg a since A isin ak[x] ut

8 McEliece decryption

The reader is presumed to be interested specifically in Classic McEliece [12]although without much work one can also cover other versions of the McEliececryptosystem

81 Ciphertexts In this cryptosystem a secret vector e isin Fn2 with wt e = t is

encoded as a shorter ciphertext H(e) isin Fmt2 This function H Fn

2 rarr Fmt2 has

three critical properties

bull Linear The function is F2-linear This allows the function to be conciselycommunicated as a matrix the public key

bull Goppa Each c isin Fn2 has H(c) = 0 if and only if

sumi ciA(x minus αi) isin gk[x]

Here k is a field with k = 2m and α1 αn g are as in Section 6 asusual with A =

prodi(xminus αi)

bull Systematic The composition H ι Fmt2 rarr Fmt

2 is the identity mapwhere ι is the injection Fmt

2 rarr Fn2 that simply appends nminusmt zeros to the

input In other words the first mt timesmt block of the matrix is an identitymatrix Obviously the identity matrix can then be omitted from the publickey saving some space less obviously this reduces the cost of optimizeddecoding from n2+o(1) to n1+o(1)

For each k α1 αn g there is at most one H satisfying these properties Onecan construct this H if it exists by converting

sumi ciA(x minus αi) isin gk[x] into a

system of F2-linear equations (a ldquoparity-check matrixrdquo) using Theorem 72 andthen row-reducing the equations to obtain systematic form Conjecturally thissucceeds about 30 of the time In case of failure the traditional response is totry again with a new (α1 αn g) Choursquos ldquosemi-systematic formrdquo options (see[13]) instead apply a limited permutation to (α1 αn) [3] had instead appliedan arbitrary permutation to (α1 αn) See [13] for step-by-step algorithms


82 Decryption Decryption of a ciphertext H(e) works as follows Definec = ι(H(e)) minus e isin Fn

2 One has H(ι(H(e))) = H(e) by the systematic-formproperty of H so H(c) = 0 by linearity One then has

sumi ciA(xminus αi) isin gk[x]

by the Goppa property of H Recovering e from H(e) is thus a simple matter ofappending nminusmt zeros to obtain ι(H(e)) = e+ c and then recovering e c isin Fn

2

from e+ c as explained in Section 6 This recovery uses α1 αn g which aresecrets known to the party that generated the public key

83 Rigidity The cryptosystem includes defenses against chosen-ciphertextattacks These defenses require among other things recognizing invalid inputvectors An input vector σ isin Fmt

2 is by definition valid exactly when it is inH(e) e isin Fn

2 wt e = tOne way to handle this is as follows

bull Feed σ through any decoding algorithm that works for valid inputs Moreprecisely apply some function D Fmt

2 rarr Fn2 with the following property

all e isin Fn2 with wt e = t have D(H(e)) = e

bull In all cases whatever the output e isin Fn2 is check that wt e = t If this fails

the input vector is invalidbull ldquoReencryptrdquo to double-check validity of σ compute H(e) and check whetherH(e) = σ If this fails the input vector is invalid

Handling the matrix for H in the last step incurs similar costs to encryptionConsider eg [63] saying that this ldquonecessitates the inclusion of the public keyas part of the private key and increases the running time of decapsulationrdquoalthough to save space one could instead take time to ldquoregenerate the public keyfrom the private key when neededrdquo

A more efficient approach already noted in [12 Section 25] and used in thesoftware accompanying [12] checks whether H(e) = σ ldquowithout using quadraticspacerdquo and in particular without storing or recomputing the matrix for H Thepoint is that the following properties are equivalent

bull σ = H(e)bull H(ι(σ)) = H(e) by the systematic-form property of Hbull H(c) = 0 for c = ι(σ)minus e by linearitybullsum

i ciA(xminus αi) isin gk[x] by the Goppa property of H

This last condition checking that c = ι(σ)minus e is a codeword no longer involvesH it is simply some extra polynomial arithmetic the same type of arithmeticthat is being carried out anyway

A third approach is to inspect the details of decoding relying not just onTheorem 64 to decode valid inputs but also Theorem 65 to identify invalidinputs Specifically after interpolating B with B(αi)g(αi)

2Aprime(αi) = ι(σ)i andfinding an approximant ba to BA at degree t one checks

bull that deg a = t (this also forces deg(aB minus bA) lt n minus 2t + deg a since anapproximant by definition has deg(aB minus bA) lt nminus t)bull that A isin ak[x] (ie that a has exactly t roots among α1 αn) and


bull that bg2 minus aprime isin ak[x] (ie that bg2 minus aprime vanishes on each of the roots of a)

If all of these checks succeed then wt e = t and H(e) = σ where ei = [a(αi) = 0]Otherwise σ is invalid

It is not clear that the condition bg2 minus aprime isin ak[x] is more efficient to evaluatethan the condition

sumi ciA(xminus αi) isin gk[x] See generally the discussion of fast

ldquosyndromerdquo computation in [14]A fourth approach is to interpolate find an approximant ba check that

deg a = t and check that A isin ak[x] skipping the check that bg2 minus aprime isin ak[x]This relies on Theorem 74 and the fact that ι(σ) isin Fn

2

84 Robust system design There are several reasons to recommend thesecond approach the approach taken in Classic McEliece even if it is not quiteas efficient as the fourth approach

What happens if therersquos a mistake in the extra logic leading to Theorem 74or in the handling of invalid inputs in the software implementing a decodingalgorithm Software is normally tested on many valid inputs this doesnrsquot provideany assurance that invalid inputs are correctly recognized

A separate reencryption step whether expressed as testing H(e) = σ or moreefficiently as testing that c = ι(σ) minus e is a codeword splits the decryption taskinto two simpler tasks The task of decoding is to correctly handle valid inputsThe task of reencryption is to reject invalid inputs Reencryption is redundantif the decoder also rejects invalid inputs but having the separate reencryptionstep means that the requirements on the decoder are reduced

As an illustration of the value of reencryption consider the efficient chosen-ciphertext attack from Chou [31] breaking both specified versions (namely [3]and [4]) of ldquoNTS-KEMrdquo a McEliece variant that skipped reencryption

Recall that BerlekampndashMassey polynomials are extended-gcd polynomials butwith coefficients in reverse order Reversing polynomials loses information if onedoes not attach extra information (a ldquoformal degreerdquo) to each polynomial forexample both 3 + x + 4x2 and 3x + x2 + 4x3 have the same reversal namely4+x+3x2 The NTS-KEM decoding algorithms are shown in [31] to sometimesfind a polynomial ax of degree t when they should instead find a polynomial aof degree tminus1 This often leaks information if the attacker modifies a ciphertextH(e) in a way that correponds to flipping one bit of e

As further illustrations of how the decoding details matter [31] identifiesbugs (deviations from the specification) in the decoding algorithms in each ofthe four official NTS-KEM implementations (ref opt sse2 avx2) these bugsstop the attack from working against one implementation (ref) although theattack works against the other three implementations

Reencrypting the incorrect weight-t error vector obtained from ax would havedetected the mismatch with σ and would have stopped this attack A differentway to stop this attack would be to require computer verification of proofs that

bull decoding algorithms decode correctly including cases of weight below t andbull decoding software correctly implements those algorithms


Reencryption has the advantage of being easier Verification has the advantageof also ensuring that valid ciphertexts are handled correctly

85 History McEliecersquos original cryptosystem [56] had a different ciphertextshape the secret message being sent was encoded as some c with H(c) = 0 (iesome Goppa codeword) and then transmitted as e+c for a secret e with wt e = tNiederreiter [58] introduced the idea of sending just H(e) as a ciphertext withe as the message In both [56] and [58] the decoder handled matrices of similarsize to the public key

McEliece started with a generator matrix for the Goppa code meaning amatrix with row space c isin Fn

2 sum

i ciA(xminus αi) isin gk[x] McEliece said thatthis matrix ldquocould be in canonical for example row-reduced echelon formrdquo Row-reduced echelon form is easily compressed into less space than a random matrixespecially if one requires row-reduced echelon form specifically with no skippedcolumns ie systematic form

But McEliece didnrsquot use this canonical matrix as the public key McElieceused a random generator matrix McEliece also randomly permuted the outputpositions this is equivalent to randomly permuting (α1 αn)

Eventually it was understood that after permuting (α1 αn) one cansafely use a canonical generator matrix (or equivalently a canonical parity-check matrix) such as a systematic matrix Canteaut and Chabaud [25 page4 note 1] said that ldquomost of the bits of the plain-text would be revealedrdquo by asystematic generator matrix but that using a random generator matrix ldquohas nocryptographic functionrdquo Canteaut and Sendrier [26 pages 188ndash189] said thatthe Niederreiter variant ldquoallows a public key in systematic form at no cost forsecurity whereas this would reveal a part of the plaintext in McEliece systemrdquoAs noted by Overbeck and Sendrier [61 page 98] the partial-plaintext problemis eliminated by various McEliece variants designed for security against chosen-ciphertext attacks in these variants the plaintext looks completely random andthe attacker is faced with the problem of finding all of the bits of the plaintext

The fact that one can decrypt using n1+o(1) time and space including anoptimized version of a reencryption step to check H(e) = σ appeared in [12]This relies on systematic form

bull to reduce decryption of σ to decoding of ι(σ) and symmetricallybull to reduce testing H(e) = σ to testing that ι(σ)minus e is a codeword

The first reduction had already appeared in the McEliece context in [14 Section6] which in turn says that the choice of ι(σ) as a decoder input was recommendedto the authors by Sendrier

References

[1] mdash (no editor) 39th annual symposium on foundations of computer science FOCSrsquo98 November 8ndash11 1998 Palo Alto California USA IEEE Computer Society1998 See [45]


[2] mdash (no editor) Proceedings of the 32nd annual ACM symposium on theory ofcomputing Association for Computing Machinery New York 2000 ISBN 1-58113-184-4 See [20]

[3] Martin Albrecht Carlos Cid Kenneth G Paterson CJ Tjhai Martin TomlinsonNTS-KEM (2017) see also newer version [4] URL httpscsrcnistgovprojectspost-quantum-cryptographyround-1-submissions Citations in thisdocument sect81 sect84 sectA5 sectA7 sectA7 sectA7

[4] Martin Albrecht Carlos Cid Kenneth G Paterson CJ Tjhai Martin TomlinsonNTS-KEM second round submission (2019) see also older version [3]URL httpscsrcnistgovprojectspost-quantum-cryptographyround-2-submissions Citations in this document sect84 sectA5 sectA7 sectA7 sectA7

[5] Elwyn R Berlekamp Algebraic coding theory McGraw-Hill 1968 Citations inthis document sect59

[6] Daniel J Bernstein Fast multiplication and its applications in [24] (2008)325ndash384 URL httpscryptopapershtmlmultapps Citations in thisdocument sect34 sect45 sect59

[7] Daniel J Bernstein Reducing lattice bases to find small-height values ofunivariate polynomials in [24] (2008) 421ndash446 URL httpscryptopapershtmlsmallheight Citations in this document sect48

[8] Daniel J Bernstein List decoding for binary Goppa codes in IWCC 2011 [27](2011) 62ndash80 URL httpscryptopapershtmlgoppalist Citations inthis document sect48

[9] Daniel J Bernstein Simplified high-speed high-distance list decoding for alternantcodes in PQCrypto 2011 [81] (2011) 200ndash216 URL httpscryptopapershtmlsimplelist Citations in this document sect48

[10] Daniel J Bernstein Verified fast formulas for control bits for permutationnetworks (2020) URL httpscryptopapershtmlcontrolbits Citationsin this document sect34

[11] Daniel J Bernstein Johannes Buchmann Erik Dahmen (editors) Post-quantumcryptography Springer 2009 ISBN 978-3-540-88701-0 See [61]

[12] Daniel J Bernstein Tung Chou Tanja Lange Ingo von Maurich Rafael MisoczkiRuben Niederhagen Edoardo Persichetti Christiane Peters Peter SchwabeNicolas Sendrier Jakub Szefer Wen Wang Classic McEliece conservativecode-based cryptography ldquoSupporting Documentationrdquo (2017) see also newerversion [13] URL httpsclassicmcelieceorgnisthtml Citations in thisdocument sect8 sect83 sect83 sect85

[13] Daniel J Bernstein Tung Chou Tanja Lange Ingo von Maurich Rafael MisoczkiRuben Niederhagen Edoardo Persichetti Christiane Peters Peter SchwabeNicolas Sendrier Jakub Szefer Wen Wang Classic McEliece conservativecode-based cryptography ldquoSupporting Documentationrdquo (2019) see also olderversion [12] URL httpsclassicmcelieceorgnisthtml Citations in thisdocument sect81 sect81

[14] Daniel J Bernstein Tung Chou Peter Schwabe McBits fast constant-time code-based cryptography in [17] (2013) 250ndash272 URL httpscryptopapershtmlmcbits Citations in this document sect11 sect83 sect85

[15] Daniel J Bernstein Tanja Lange Christiane Peters Wild McEliece in SAC 2010[19] (2011) 143ndash158 URL httpseprintiacrorg2010410 Citations inthis document sect11

[16] Daniel J Bernstein Bo-Yin Yang Fast constant-time gcd computation andmodular inversion IACR Transactions on Cryptographic Hardware and


Embedded Systems 20193 (2019) 340ndash398 URL httpsgcdcryptopapershtml Citations in this document sect45 sect45 sect59

[17] Guido Bertoni Jean-Seacutebastien Coron (editors) Cryptographic hardware andembedded systemsmdashCHES 2013mdash15th international workshop Santa BarbaraCA USA August 20ndash23 2013 proceedings 8086 Springer 2013 ISBN 978-3-642-40348-4 See [14]

[18] Vijay K Bhargava H Vincent Poor Vahid Tarokh Seokho Yoon (editors)Communications information and network security With a foreword by RichardE Blahut (2003) ISBN 978-1-4020-7251-2 978-1-4419-5318-6 978-1-4757-3789-9See [40]

[19] Alex Biryukov Guang Gong Douglas R Stinson (editors) Selected areasin cryptographymdash17th international workshop SAC 2010 Waterloo OntarioCanada August 12ndash13 2010 revised selected papers Lecture Notes in ComputerScience 6544 Springer 2011 See [15]

[20] Dan Boneh Finding smooth integers in short intervals using CRT decoding inSTOC 2000 [2] (2000) 265ndash272 see also newer version [21]

[21] Dan Boneh Finding smooth integers in short intervals using CRT decodingJournal of Computer and System Sciences 64 (2002) 768ndash784 see also olderversion [20] ISSN 0022-0000 URL httpscryptostanfordedu~daboabstractsCRTdecodehtml Citations in this document sect48

[22] Claude Brezinski The long history of continued fractions and Padeacute approximantsin [23] (1981) 1ndash27 Citations in this document sect48

[23] Marcel G de Bruin Herman van Rossum (editors) Padeacute approximation and itsapplications Amsterdam 1980 proceedings of a conference held in Amsterdamthe Netherlands October 29ndash31 1980 (1981) ISSN 0075-8434 See [22]

[24] Joe P Buhler Peter Stevenhagen (editors) Surveys in algorithmic number theoryMathematical Sciences Research Institute Publications 44 Cambridge UniversityPress New York 2008 See [6] [7]

[25] Anne Canteaut Florent Chabaud Improvements of the attacks on cryptosystemsbased on error-correcting codes report LIENS-95-21 (1995) URL httpswwwdiensfrreports1995liens-95-21A4pdf Citations in this documentsect85

[26] Anne Canteaut Nicolas Sendrier Cryptanalysis of the original McEliececryptosystem in Asiacrypt rsquo98 [59] (1998) 187ndash199 URL httpswwwrocqinriafrsecretAnneCanteautPublicationsCanteaut_Sendrier98pdfCitations in this document sect85

[27] Yeow Meng Chee Zhenbo Guo San Ling Fengjing Shao Yuansheng TangHuaxiong Wang Chaoping Xing (editors) Coding and cryptologymdashthirdinternational workshop IWCC 2011 Qingdao China May 30ndashJune 3 2011proceedings Lecture Notes in Computer Science 6639 Springer 2011 ISBN 978-3-642-20900-0 See [8]

[28] Ming-Shing Chen Tung Chou Classic McEliece on the ARM Cortex-M4 IACRTransactions on Cryptographic Hardware and Embedded Systems 20213 (2021)125ndash148 URL httpstungchougithubiopaperscm-m4pdf Citations inthis document sect11

[29] Tung Chou McBits revisited in CHES 2017 [37] (2017) 213ndash231 see also newerversion [30] URL httpstungchougithubiopapersmcbits_revisitedpdf

[30] Tung Chou McBits revisited toward a fast constant-time code-based KEMJournal of Cryptographic Engineering 8 (2018) 95ndash107 see also older version


[30] URL httpsdoiorg101007s13389-018-0186-9 Citations in thisdocument sect11

[31] Tung Chou An IND-CCA2 attack against the 1st- and 2nd-round versions ofNTS-KEM in SecITC 2020 [54] (2020) 165ndash184 URL httpstungchougithubiopapersntskem_cca2pdf Citations in this document sect84 sect84sect84 sectA5 sectA7

[32] Henry Cohn Nadia Heninger Ideal forms of Coppersmithrsquos theorem andGuruswami-Sudan list decoding Advances in Mathematics of Communications9 (2015) 311ndash339 URL httpsarxivorgabs10081284 Citations in thisdocument sect48

[33] Douglas E Comer How to criticize computer scientists or avoiding ineffectivedeprecation and making insults more pointed (2001) URL httpswebarchiveorgweb20010111213900httpswwwcspurdueeduhomesdecessaycriticizehtml Citations in this document sectA5

[34] Jean Louis Dornstetter On the equivalence between Berlekamprsquos and Euclidrsquosalgorithms IEEE Transactions on Information Theory 33 (1987) 428ndash431Citations in this document sect59

[35] Peter van Emde Boas The correspondence between Donald E Knuth and Petervan Emde Boas on priority deques during the spring of 1977 (2013) URLhttpsstafffnwiuvanlpvanemdeboasknuthnotepdf Citations in thisdocument sectA

[36] Euclid Elements about 300 BC URL httpswwwclaymathorglibraryhistoricaleuclidfileselem72html Citations in this document sect48

[37] Wieland Fischer Naofumi Homma (editors) Cryptographic hardware andembedded systemsmdashCHES 2017mdash19th international conference Taipei TaiwanSeptember 25ndash28 2017 proceedings 10529 Springer 2017 ISBN 978-3-319-66786-7 See [29]

[38] G David Forney Jr Concatenated codes (1965) URL httpsdspacemitedubitstreamhandle172114303RLE-TR-440-04743368pdf Citationsin this document sect59

[39] G David Forney Jr On decoding BCH codes IEEE Transactions on InformationTheory 11 (1965) 549ndash557 Citations in this document sect59

[40] Shuhong Gao A new algorithm for decoding Reed-Solomon codes in [18] (2003)55ndash68 URL httpswwwmathclemsonedu~sgaopapersRSpdf Citationsin this document sect59

[41] Carl Friedrich Gauss Disquisitiones arithmeticae 1801 URL httpsarchiveorgdetailsdisquisitionesa00gaus Citations in this document sect48

[42] Santosh Ghosh Ingrid Verbauwhede BLAKE-512-based 128-bit CCA2 securetiming attack resistant McEliece cryptoprocessor IEEE Transactions onComputers 63 (2014) 1124ndash1133 URL httpswwwesatkuleuvenbecosicpublicationsarticle-2447pdf Citations in this document sect11

[43] Valerii D Goppa A new class of linear correcting codes ProblemyPeredachi Informatsii 6 (1970) 24ndash30 URL httpwwwmathnetrulinks95a131fb57f5ed88dd732c324798a36appi1748pdf Citations in this documentsect11 sect61 sect71

[44] Daniel Gorenstein Neal Zierler A class of error-correcting codes in pm symbolsJournal of the Society for Industrial and Applied Mathematics 9 (1961) 207ndash214 URL httpsepubssiamorgdoi1011370109020 Citations in thisdocument sect59


[45] Venkatesan Guruswami Madhu Sudan Improved decoding of Reed-Solomon andalgebraic-geometry codes in FOCS 1998 [1] (1998) 28ndash39 see also newer version[46] URL httpsmadhuseasharvardedupapershtml Citations in thisdocument sect11

[46] Venkatesan Guruswami Madhu Sudan Improved decoding of Reed-Solomon andalgebraic-geometry codes IEEE Transactions on Information Theory 45 (1999)1757ndash1767 see also older version [46] ISSN 0018-9448 URL httpsmadhuseasharvardedupapershtml

[47] G H L M Heideman Fokke W Hoeksema Henk E P Tattje (editors)Proceedings of the 13th symposium on information theory in the BeneluxWerkgemeenschap voor Informatie- en Communicatietheorie 1992 See [67]

[48] Joslashrn Justesen On the complexity of decoding ReedndashSolomon codes IEEETransactions on Information Theory 22 (1976) 237ndash238 Citations in thisdocument sect59

[49] Donald E Knuth Structured programming with go to statements ComputingSurveys 6 (1974) 261ndash301 Citations in this document sect11

[50] Donald E Knuth The art of computer programming volume 2 seminumericalalgorithms 3rd edition Addison-Wesley 1997 ISBN 0-201-89684-2 Citations inthis document sect48

[51] Leopold Kronecker Zur Theorie der Elimination einer Variablen aus zweialgebraischen Gleichungen Monatsberichte der Koumlniglich Preussischen Akademieder Wissenschaften zu Berlin (1881) URL httpsarchiveorgdetailswerkehrsgaufvera02kronuoftpage114mode2up Citations in this documentsect48

[52] Joseph-Louis Lagrange Recherches drsquoarithmeacutetique Nouveaux Meacutemoires delrsquoAcadeacutemie royale des Sciences et Belles-Lettres de Berlin (1773) URL httpsgallicabnffrark12148bpt6k229222df696 Citations in this documentsect48

[53] Joseph-Louis Lagrange Sur lrsquousage des fractions continues dans le calcul inteacutegralNouveaux Meacutemoires de lrsquoAcadeacutemie royale des Sciences et Belles-Lettres deBerlin (1776) URL httpsgallicabnffrark12148bpt6k229223sf303Citations in this document sect48

[54] Diana Maimut Andrei-George Oprina Damien Sauveron (editors) Innovativesecurity solutions for information technology and communicationsmdash13thinternational conference SecITC 2020 Bucharest Romania November 19ndash202020 revised selected papers 12596 Springer 2021 ISBN 978-3-030-69254-4 See[31]

[55] James Massey Shift-register synthesis and BCH decoding IEEE Transactionson Information Theory 15 (1969) 122ndash127 ISSN 0018-9448 Citations in thisdocument sect59

[56] Robert J McEliece A public-key cryptosystem based on algebraic coding theoryJPL DSN Progress Report (1978) 114ndash116 URL httpsipnprjplnasagovprogress_report242-4444NPDF Citations in this document sect11 sect85sect85

[57] William H Mills Continued fractions and linear recurrences Mathematics ofComputation 29 (1975) 173ndash180 URL httpswwwamsorgjournalsmcom1975-29-129S0025-5718-1975-0369276-7 Citations in this document sect59

[58] Harald Niederreiter Knapsack-type cryptosystems and algebraic coding theoryProblems of Control and Information Theory 15 (1986) 159ndash166 Citations inthis document sect85 sect85


[59] Kazuo Ohta Dingyi Pei (editors) Advances in cryptologymdashASIACRYPTrsquo98proceedings of the international conference on the theory and application ofcryptology and information security held in Beijing Lecture Notes in ComputerScience 1514 Springer 1998 ISBN 3-540-65109-8 See [26]

[60] Tavis Ormandy Issue 1804 cryptoapi SymCrypt modular inverse algorithm(2019) URL httpsbugschromiumorgpproject-zeroissuesdetailid=1804 Citations in this document sectA5

[61] Raphael Overbeck Nicolas Sendrier Code-based cryptography in [11] (2009) 95ndash145 Citations in this document sect11 sect85

[62] Henri Padeacute Sur la repreacutesentation approcheacutee drsquoune fonction par des fractionsrationnelles Annales scientifiques de lrsquoEacutecole normale supeacuterieure 9 (1892) 3ndash93URL httpswebarchiveorgweb20180718235117httpwwwnumdamorgarticleASENS_1892_3_9__S3_0pdf Citations in this document sect48

[63] Kenneth G Paterson New version of NTS-KEM (2019) URL httpsgroupsgooglecomalistnistgovgpqc-forumcGf5ucjoDok4mYciNWTraAwAJCitations in this document sect83

[64] Nicholas J Patterson The algebraic decoding of Goppa codes IEEE Transactionson Information Theory 21 (1975) 203ndash207 Citations in this document sect11

[65] W Wesley Peterson Encoding and error-correction procedures for the Bose-Chaudhuri codes Transactions of the Institute of Radio Engineers 6 (1960) 459ndash470 Citations in this document sect59

[66] Eugene Prange The use of information sets in decoding cyclic codes IRETransactions on Information Theory IT-8 (1962) S5ndashS9 Citations in thisdocument sect59

[67] Bart Preneel Antoon Bosselaers Reneacute Govaerts Joos Vandewalle A softwareimplementation of the McEliece public-key cryptosystem in [47] (1992) 119ndash126URL httpswwwesatkuleuvenbecosicpublicationsarticle-267pdfCitations in this document sect11

[68] Irving S Reed Gustave Solomon Polynomial codes over certain finite fieldsJournal of the Society for Industrial and Applied Mathematics 8 (1960) 300ndash304 URL httpsepubssiamorgdoi1011370108018 Citations in thisdocument sect59

[69] Dilip V Sarwate On the complexity of decoding Goppa codes IEEE Transactionson Information Theory 23 (1977) 515ndash516 URL httpscoreacukdownloadpdf158319337pdf Citations in this document sect59

[70] Akira Shiozaki Decoding of redundant residue polynomial codes using Euclidrsquosalgorithm IEEE Transactions on Information Theory 34 (1989) 1351ndash1354Citations in this document sect59

[71] Simon Stevin Lrsquoarithmeacutetique Imprimerie de Christophle Plantin 1585URL httpswebarchiveorgweb20190430054513httpwwwdwcknawnlpubbronnenSimon_Stevin-[II_B]_The_Principal_Works_of_Simon_Stevin_Mathematicspdf Citations in this document sect48

[72] Volker Strassen Gaussian elimination is not optimal Numerische Mathematik13 (1969) 354ndash356 ISSN 0029-599X Citations in this document sect59

[73] Dirk J Struik The origin of LrsquoHocircpitalrsquos rule The Mathematics Teacher 56(1963) 257ndash260 URL httpswwwjstororgstable27956806 Citations inthis document sect222

[74] Madhu Sudan Decoding of Reed Solomon codes beyond the error-correction boundJournal of Complexity 13 (1997) 180ndash193 ISSN 0885-064X URL httpsmadhuseasharvardedupapershtml Citations in this document sect11


[75] Yasuo Sugiyama Masao Kasahara Shigeichi Hirasawa Toshihiko NamekawaA method for solving key equation for decoding Goppa codes Information andControl 27 (1975) 87ndash99 Citations in this document sect59

[76] The Sage Developers (editor) SageMath the Sage Mathematics SoftwareSystem (Version 92) 2020 URL httpswwwsagemathorg Citations in thisdocument sect12

[77] Henk C A van Tilborg Coding theory a first course 1993 URL httpswwwwintuenl~henkvtimagesCODINGpdf Citations in this document sect11

[78] Edward Waring Problems concerning interpolations Philosophical Transactionsof the Royal Society 69 (1779) 59ndash67 URL httpsroyalsocietypublishingorgdoipdf101098rstl17790008 Citations in this document sect3

[79] Lloyd R Welch Robert A Scholtz Continued fractions and Berlekamprsquosalgorithm IEEE Transactions on Information Theory 25 (1979) 19ndash27 Citationsin this document sect59

[80] Davey Winder Warning Google researcher drops Windows 10 zero-day securitybomb (2019) URL httpswwwforbescomsitesdaveywinder20190612warning-windows-10-crypto-vulnerability-outed-by-google-researcher-before-microsoft-can-fix-it Citations in this document sectA5

[81] Bo-Yin Yang (editor) Post-quantum cryptographymdash4th international workshopPQCrypto 2011 Taipei Taiwan November 29ndashDecember 2 2011 proceedings7071 Springer 2011 ISBN 978-3-642-25404-8 URL httpsdoiorg101007978-3-642-25405-5 See [9]

A Random tests

Beware of bugs in the above code I have only proved it correctnot tried it mdashKnuth [35 page 11 in cited PDF]

Figures A1 A2 A3 and A4 are Sage scripts to test Algorithms 33 4453 and 62 respectively on random inputs

A5 Test-development principles The primary design objective of randomtests is for any given amount of CPU time spent on testing to minimize thechance that bugs will avoid the tests The obvious baseline is to ensure that testscatch every known bug in the subroutine being tested Beyond this one can tryto proactively catch further bugs extrapolating from what is known about theprocesses by which people make mistakes

Bug patterns are a central topic in the literature on software engineeringThere is far less attention to bugs in the literature on algorithms If one is tryingto test for example an extended-gcd algorithm then how does one evaluatewhether tests reach the baseline of catching every known extended-gcd bugnever mind proactively catching further bugs

Occasionally a bug will be highlighted because it has been shown to havesecurity consequences For example Section 84 described an exploitable bugpointed out by Chou [31] in the Goppa decoder from [3] and [4] As anotherexample Ormandy [60] discovered that some inputs would cause an extended-gcd algorithm in a Microsoft cryptography library to enter an infinite loop


from interpolator import interpolator

for q in range(100) q = ZZ(q) if not qis_prime_power() continue print(interp d q) sysstdoutflush() k = GF(q) for loop in range(100) n = randrange(q+1) a = list(k) shuffle(a) a = a[n] r = [krandom_element() for j in range(n)] phi = interpolator(nkar) assert phidegree() lt n assert all(phi(aj) == rj for ajrj in zip(ar)) kpoly = phiparent() assert phi == kpolylagrange_polynomial(zip(ar))

FigA1 Random tests for Algorithm 33

this meant that an attacker could trivially cause a server to stop respondingsomething that [80] called a ldquoWindows 10 zero-day security bombrdquo

However this information is generally not indexed by algorithm Furthermorethe baseline goal is to catch every known bugmdashnot merely the bugs alreadyshown to have security consequences From an engineering perspective one wouldexpect much more serious efforts to track what has previously gone wrong

Comerrsquos introduction [33] to the differences between two computer-sciencecultures namely the mathematical culture and the engineering culture listsalgorithms solely within the mathematical culture Certainly most algorithmpapers are like most mathematics papers in viewing proofs as the primary goalA typical algorithm paper includes a proof that an algorithm works the paperis expected to avoid reminding readers that proofs are often wrong and inparticular is expected to avoid taking any steps other than a proof to addressthe risk that the algorithm is wrong This position is defensible for the occasionalcomputer-verified proofs but most proofs in the literature are not computer-verified and the systematic lack of attention to bugs makes test developmentunnecessarily difficult

A6 General shape of these tests The element 0 isin k plays a special role inlinear algebra the definition of polynomials etc The tests here try small fieldsk so that 0 will often appear at various positions in the computation Hopefullythis means that any mishandling of 0 will be triggered by the tests

Half of the tests of ReedndashSolomon decoding in Figure A3 are tests aimed atchecking correct behavior on decodable inputs These tests use input vectors r


from approximant import approximant

for q in range(100) q = ZZ(q) if not qis_prime_power() continue print(approximant d q) sysstdoutflush() k = GF(q) kpolyltxgt = k[] for loop in range(100) Adeg = randrange(100) A = kpoly([krandom_element() for j in range(Adeg)]+[1]) if Adeg == 0 B = kpoly(0) else Bdeg = randrange(Adeg) B = kpoly([krandom_element() for j in range(Bdeg+1)]) note that B could actually have lower degree t = randrange(Adeg+3) ab = approximant(tkAB) assert gcd(ab) == 1 assert adegree() lt= t assert bdegree() lt t assert a = 0 assert aB-bA == 0 or (aB-bA)degree() lt Adegree()-t

Fig A2 Random tests for Algorithm 44

generated as e+c where c = (f(α1) f(αn)) and e has weight at most t (oftenchosen to be below t) These tests check whether the decoder finds f

The other half of the decoding tests are aimed at checking correct behavioron non-decodable inputs These tests use uniform random input vectors r Ifthe decoder finds some f then the tests check that wt(r minus c) le t where c =(f(α1) f(αn)) If the decoder returns None there is no check whether thedecoder should actually have found some f a bug here should be caught moreefficiently by the first type of test

Figure A4 has an analogous split between testing decodable inputs and testingnon-decodable inputs for Goppa decoding There is no similar split in Figures A1and A2 since those algorithms handle all inputs successfully

For Figures A1 A3 and A4 n is chosen randomly between 0 and q forFigure A2 degA is chosen randomly between 0 and 99 Similarly t is chosenrandomly in Figures A2 A3 and A4 in each case the range of t covered bythe tests is slightly beyond the range of t useful for applications

A7 How the tests catch various bugs The bug in the Goppa decoder from[3] and [4] is triggered when the correct error vector e has weight tminus 1 and hasez = 0 where αz = 0 Figure A4 is intended to catch this the tests generateuniform random sequences (α1 αn) of distinct field elements and often use


from rs import interpolator_with_errors

for q in range(100) q = ZZ(q) if not qis_prime_power() continue print(interpolator_with_errors d q) sysstdoutflush() k = GF(q) kpolyltxgt = k[] for loop in range(100) n = randrange(q+1) t = randrange(3+n2) a = list(k) shuffle(a) a = a[n] for known in TrueFalse if known f = kpoly([krandom_element() for j in range(n-2t)]) r = list(map(fa)) e = [krandom_element() for j in range(t)]+[0](n-t) shuffle(e) assert len([ej for ej in e if ej = 0]) lt= t for j in range(n) r[j] += e[j] else f = unknown cut off data flow from previous iteration r = [krandom_element() for j in range(n)] f2 = interpolator_with_errors(ntkar) if f2 == None assert not known else assert f2 == 0 or f2degree() lt n-2t if known assert f2 == f assert len([j for j in range(n) if f2(a[j]) = r[j]]) lt= t


weight t minus 1 for the error vector e often αz will be 0 for some z and often ezwill also be 0

I tried modifying Algorithm 62 to imitate what [31] described Figure A4immediately caught the bug One could directly test the algorithms from [3]and [4] by translating the algorithms from pseudocode to real code One coulddirectly test the software accompanying [3] and [4] by extracting the Goppa-decoding portions of that software and providing a shim layer to support thegoppa_errors interface

The extended-gcd bug in Microsoftrsquos cryptography library was that a modular-inversion algorithm continued to loop until finding gcd 1mdashwhich would alwayshappen for inputs with modular inverses but the attacker could provide a non-invertible input triggering an infinite loop In the decoding context an extended-


from goppa import goppa_errors

for m in range(110) q = 2^m print(goppa_errors d q) sysstdoutflush() k = GF(q) kpolyltxgt = k[] for loop in range(100) while True n = randrange(q+1) t = randrange(3+nm) if t gt= n t = n a = list(k) shuffle(a) a = a[n] g = kpoly([krandom_element() for j in range(t)]+[1]) if gis_squarefree() if all(g(aj) = 0 for aj in a) break

assert gdegree() == t A = kpoly(prod(x-aj for aj in a)) Aprime = Aderivative() for aj in a assert Aprime(aj) = 0

for known in TrueFalse if known f = kpoly([krandom_element() for j in range(n-2t)]) r = [(fg^2)(aj)Aprime(aj) for aj in a] if randrange(2) e = [1]t+[0](n-t) else actualweight = randrange(t+1) e = [1]actualweight+[0](n-actualweight) shuffle(e) assert len([ej for ej in e if ej = 0]) lt= t for j in range(n) r[j] += e[j] else e = unknown cut off data flow from previous iteration r = [krandom_element() for j in range(n)] e2 = goppa_errors(ntkagr) if e2 == None assert not known else assert len(e2) == n if known assert e2 == e assert len([ej for ej in e2 if ej = 0]) lt= t assert gdivides(sum((r[i]-e2[i])A(x-a[i]) for i in range(n)))



gcd computation is the normal way to compute approximants and one canimagine someone

bull starting with an extended-gcd algorithm that computes all remaindersbull augmenting the algorithm to record (a b) for the first remainder aBminus bA of

degree below degAminus t andbull not optimizing away the pointless computation of subsequent remainders

so there could still be an infinite-loop bug In these tests because k is smallsome input positions will often be 0 forcing gcdAB 6= 1 so if there is aninfinite loop for that case then the tests will trigger it

Another easy bug to imagine in ReedndashSolomon decoders and Goppa decodersis testing deg(aB minus bA) against n minus t rather than n minus 2t + deg a although thisdoes not matter in an application that requires deg a = t I checked that eightruns of Figure A3 consistently caught this bug each run already caught the bugwith k = 2 I also checked that eight runs of Figure A4 consistently caughtthis bug here the eight runs caught the bug with k = 8 k = 16 k = 4k = 8 k = 8 k = 4 k = 32 k = 4 respectively The variation in khere suggests running more repetitions of the tests for reliability or adding testsspecifically for this case


1 Introduction

11 Hasnt this been done already

12 Bonus features

13 Acknowledgments

2 Polynomials

21 Commutative rings

22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces

27 The standard n-dimensional vector space

28 Linear maps

29 Polynomials

210 The ring structure of polynomials

211 The k-algebra structure of polynomials

212 Units of k[x]

213 The k-vector structure of polynomials

214 Powers of x

215 Coefficients

216 Degree

217 Monic polynomials

218 Evaluation

219 Roots

220 Vandermonde invertibility

221 Transposed Vandermonde invertibility

222 Derivatives

223 Quotients and remainders

224 Unique factorization

225 Greatest common divisors

226 Squarefreeness

3 Interpolation

Theorem 31 Direct interpolation

32 An interpolation algorithm

Algorithm 33 Interpolation algorithm

34 More interpolation algorithms

4 Approximants

Theorem 41 Approximants

Theorem 42 Best approximation

43 An approximant algorithm

Algorithm 44 Approximant algorithm

45 More approximant algorithms

46 Approximants as ratios

Definition 47 Approximant

48 History


51 Hamming weight

52 An interpolation-with-errors algorithm

Algorithm 53 Decoding algorithm for ReedndashSolomon codes

Theorem 54 Interpolation with errors

Theorem 55 Checking interpolation with errors

56 More algorithms varying the pair (AB)

57 ReedndashSolomon codes

Definition 58 ReedndashSolomon code

59 History


61 An algorithm to decode binary Goppa codes

Algorithm 62 Decoding algorithm for Goppa codes

Theorem 63 Goppa squaring

Theorem 64 Goppa decoding

Theorem 65 Checking Goppa decoding

66 Goppa decoders via ReedndashSolomon decoders


71 Overview of the logic

Theorem 72 Goppa paritychecks

Theorem 73 Goppa alignment

Theorem 74 Checking Goppa decoding for binary received words


81 Ciphertexts

82 Decryption

83 Rigidity

84 Robust system design

85 History

References

A Random tests

Figure A1 Random tests for Algorithm 33




A5 Test-development principles

A6 General shape of these tests

A7 How the tests catch various bugs


descriptions appear in eg van Tilborgrsquos coding-theory textbook [77 Section45 ldquoA decoding algorithmrdquo] a PreneelndashBosselaersndashGovaertsndashVandewalle paperon a software implementation of the McEliece cryptosystem [67 Section 53] aGhoshndashVerbauwhede paper on a constant-time hardware implementation of thecryptosystem [42 Algorithm 3] and the OverbeckndashSendrier survey of code-basedcryptography [61 pages 139ndash140]

All of these sourcesmdashand many moremdashare describing an algorithm introducedby Patterson [64 Section V] to correct t errors for binary Goppa codes definedby squarefree degree-t polynomials McEliecersquos paper introducing the McEliececryptosystem [56] had also pointed to Pattersonrsquos algorithm

However Pattersonrsquos algorithm isnrsquot the simplest fast binary-Goppa decoderA side issue here is that there are tradeoffs between simplicity and the numberof errors corrected (which in turn influences the required McEliece key size) asthe following variations illustrate

bull Pattersonrsquos paper contained a simpler algorithm to correct bt2c errorsbull More complicated ldquolist decodingrdquo algorithms starting with Sudan [74] and

GuruswamindashSudan [45] correct slightly more than t errors

But letrsquos focus on fast algorithms to correct exactly the t errors traditionally usedin the McEliece cryptosystem The main issue is that within these algorithmsPattersonrsquos algorithm isnrsquot the simplest

Goppa had already pointed out in the first paper on Goppa codes [43 Section4] that a binary Goppa code defined by a squarefree degree-t polynomial g isalso defined by g2 The problem of correcting t errors in the code defined by g2immediately reduces to the problem of polynomial interpolation with t errorsie ReedndashSolomon decoding The resulting binary-Goppa decoder is simplerthan Pattersonrsquos

The benefits of simplicity go beyond general accessibility of the topic softwarefor simpler algorithms tends to be easier to optimize easier to protect againsttiming attacks and easier to test It isnrsquot a coincidence that the same simplestructure is used in the state-of-the-art McEliece software from BernsteinndashChoundashSchwabe [14] Chou [30] and ChenndashChou [28] This software eliminates data-dependent timing and at the same time includes many speedups in subroutinesAvoiding Pattersonrsquos algorithm also seems likely to help for formal verificationof software correctness a top challenge for post-quantum cryptography today

Maybe someday software for Pattersonrsquos algorithm will catch up in these otherfeatures and maybe it will bring further speedupsmdashor maybe not Pattersonrsquosalgorithm uses degree t instead of degree 2t for some computations but it alsoincludes extra computations such as inversion modulo g the literature doesnot make clear whether the speedups outweigh the slowdowns Also even ifPattersonrsquos algorithm ends up faster surely there will be applications wheresimplicity is more important Having only Pattersonrsquos algorithm brings to mindKnuthrsquos quote [49 page 268] that ldquopremature optimization is the root of all evilrdquo

For an audience familiar with coding theory it suffices to say ldquothe Goppacode for g is the same as the Goppa code for g2 now use your favorite ReedndashSolomon decoder as an alternant decoderrdquo (essentially as in [15 Section 5] which









2 Polynomials









sumi ri) =

sumi ϕ(ri)


























sumi fix






sumige0 fiα

i iesum









sumj cjα


then (c1 cn) = (0 0 0)


sumi fix

i issum

ige1 ifiximinus1










3 Interpolation







ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj




i riprod














sum0leiltn fix

i

bysum





4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests
















2 Polynomials









sumi ri) =

sumi ϕ(ri)


























sumi fix






sumige0 fiα

i iesum









sumj cjα


then (c1 cn) = (0 0 0)


sumi fix

i issum

ige1 ifiximinus1










3 Interpolation







ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj




i riprod














sum0leiltn fix

i

bysum





4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests











sumi ri) =

sumi ϕ(ri)


























sumi fix






sumige0 fiα

i iesum









sumj cjα


then (c1 cn) = (0 0 0)


sumi fix

i issum

ige1 ifiximinus1










3 Interpolation







ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj




i riprod














sum0leiltn fix

i

bysum





4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests






















sumi fix






sumige0 fiα

i iesum









sumj cjα


then (c1 cn) = (0 0 0)


sumi fix

i issum

ige1 ifiximinus1










3 Interpolation







ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj




i riprod














sum0leiltn fix

i

bysum





4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests













sumj cjα


then (c1 cn) = (0 0 0)


sumi fix

i issum

ige1 ifiximinus1










3 Interpolation







ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj




i riprod














sum0leiltn fix

i

bysum





4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests












ϕ =sumi

riprodj 6=i

xminus αj

αi minus αj




i riprod














sum0leiltn fix

i

bysum





4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests











4 Approximants









t +atminus1x



Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests









Anxn + Anminus1x
































prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests




























prodi(xminus αi)









prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests















prodi(xminusαi)






















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests



















sumi(riA


B

A=sumi


=sumi

riAprime(αi)

(1

x+αi


)=sumsge0

1

xs+1

sumi

riαsi

Aprime(αi)


sumsge0 x


siprod


sum0leslt2t

sumi riα

six

2tminussminus1prod


























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests





























has three steps






2 see Section 7














Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests





















Proof Write Z =prod












2j+1


j C122j+1x





A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests









A =prod



sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A






sosum





ciAprime(αi)

prodj 6=i

xminus αj

αi minus αj=sumi

ciprodj 6=i

(xminus αj) =sumi

ciA

xminus αi= g2f






prime(αi) so

1 = ei =g(αi)

2(B minus f)(αi)

Aprime(αi)=g(αi)

2(bAa)(αi)

Aprime(αi)=g(αi)

2b(αi)

aprime(αi)






sumi

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A







prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests












prime(αi)




Hencesumi

((g2B)(αi)

Aprime(αi)minus ei

)A

xminus αi=sumi

(g2f)(αi)

Aprime(αi)

A

xminus αi

=sumi

(g2f)(αi)prodj 6=i

xminus αi















ei = g(αi)2b(αi)a



2







sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests














sumi cig(αi) = 0









conditions


prodi(x minus αi)



sumi ciα

sig(αi) = 0


Proof Define B =sum






Define Q =sum


xtB minusQ =sumi

cig(αi)

(xt minus αti)

A

xminus αi= A

sumi

cig(αi)

sum0lesltt

xtminus1minussαsi


sumi(cig(αi))

sum0lesltt x


sumi(cig(αi))α

si = 0





sumi ciα



s xminussminus1sum








2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests













2



sumi ciα


Alsosum


sumi ciα

sig(αi)



1 α2n are distinct



i c2iα

2si g(αi)

2 = 0 Alsosum

i ciα2si g(αi)


sumi diα

2si g(αi)

2 = 0 iesum













i

(g(αi)

2B(αi)

Aprime(αi)minus ei

)A








i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests










i

ciA

xminus αi=sumi

(g2f)(αi)prodj 6=i

xminus αi







Finallysum







2 rarr Fmt2 has






prodi(xminus αi)













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests













2

























2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests















2













2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests












2 sum







References


























































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests
































































































A Random tests












































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests














































1 Introduction


12 Bonus features

13 Acknowledgments

2 Polynomials


22 Ring morphisms

23 Multiples

24 Units

25 Fields

26 Vector spaces


28 Linear maps

29 Polynomials



212 Units of k[x]


214 Powers of x

215 Coefficients

216 Degree


218 Evaluation

219 Roots



222 Derivatives




226 Squarefreeness

3 Interpolation





4 Approximants








48 History


51 Hamming weight








59 History














81 Ciphertexts

82 Decryption

83 Rigidity


85 History

References

A Random tests








understanding binary-goppa decoding

Documents