The Symmetric Key Equation for Reed–Solomon Codes and a New Perspective on the Berlekamp–Massey Algorithm

Abstract

This paper presents a new way to view the key equation for decoding Reed–Solomon codes that unites the two algorithms used in solving it—the Berlekamp–Massey algorithm and the Euclidean algorithm. A new key equation for Reed–Solomon codes is derived for simultaneous errors and erasures decoding using the symmetry between polynomials and their reciprocals as well as the symmetries between dual and primal codes. The new key equation is simpler since it involves only degree bounds rather than modular computations. We show how to solve it using the Euclidean algorithm. We then show that by reorganizing the Euclidean algorithm applied to the new key equation we obtain the Berlekamp–Massey algorithm.

1. Introduction

Reed–Solomon codes are the basis of many applications such as secret sharing [1], distributed storage [2,3], private information retrieval [4] and the analysis of cryptographic hardness [5]. The most used tool for decoding Reed–Solomon codes is the key equation by Berlekamp [6] and the milestone algorithms that solve it are the Berlekamp–Massey algorithm [7] and the Sugiyama et al. adaptation of the Euclidean algorithm [8]. Their connections are analyzed in [9,10,11,12]. This paper is meant to bring a new unified presentation of the key equation, the Sugiyama-Euclidean algorithm and the Berlekamp–Massey algorithm for correcting errors and erasures for Reed–Solomon codes.

Section 2 presents a revisited key equation for both erasures and errors using the symmetry between polynomials and their reciprocals as well as the symmetries between dual and primal codes. In the new key equation, as opposed to the classical equation, there is no need to reference computations modulo a power of the indeterminate, and the correction polynomials reveal error locations rather than their inverses. Section 3 gives a way to solve the new key equation using the Euclidean algorithm. We show how the Berlekamp–Massey algorithm can be obtained by reorganizing the Euclidean algorithm. Hence, the whole paper is, in fact, a simple presentation of the Berlekamp–Massey algorithm as a restructured Euclidean algorithm.

2. Symmetric Key Equation

2.1. Reed–Solomon Codes

Suppose that $\mathbb{F}$ is a finite field of q elements and suppose that $\alpha$ is a primitive element of $\mathbb{F}$. Let $n=q-1$. Each vector $u=(u_0,\cdots ,u_{n-1})\in {\mathbb{F}}^n$ is identified with the polynomial $u\left(x\right)=u_0+u_{1}x+\cdots +u_{n-1}{x}^{n-1}$. The evaluation of $u\left(x\right)$ at a is then denoted $u\left(a\right)$. The cyclic code $C^{\ast }\left(k\right)$ of length n generated by the polynomial $(x-\alpha )(x-{\alpha }^2)\cdots (x-{\alpha }^{n-k})$ is classically referred to as a (primal) Reed–Solomon code. Its dimension is k. On the other hand, the cyclic code $C\left(k\right)$ of lenth n generated by the polynomial $(x-{\alpha }^{n-(k+1)})(x-{\alpha }^{n-(k+2)})\cdots (x-\alpha )(x-1)$ is referred to as a dual Reed–Solomon code. Its dimension is k as well. The minimum distance of both codes is $d=n-k+1$. The codes are related by the equality $C{\left(k\right)}^{\perp }=C^{\ast }(n-k).$

The vector space ${\mathbb{F}}^n$ is naturally bijected to itself through a map $c\mapsto c^{\ast }$ taking $C\left(k\right)$ to $C^{\ast }\left(k\right)$. For a vector $c=(c_0,c_1,\cdots ,c_{n-1})\in {\mathbb{F}}^n$ the vector $c^{\ast }$ is defined componentwise as $c^{\ast }=(c_0,{\alpha }^{-1}{c}_1,{\alpha }^{-2}{c}_2,\cdots ,\alpha c_{n-1})$. Symmetrically, if $c^{\ast }=(c_0^{\ast },c_1^{\ast },\cdots ,c_{n-1}^{\ast })$, then $c=(c_0^{\ast },\alpha c_1^{\ast },{\alpha }^2{c}_2^{\ast },\cdots ,{\alpha }^{n-1}{c}_{n-1}^{\ast }).$ In particular, $c\left({\alpha }^i\right)=c_0^{\ast }+\alpha c_1^{\ast }{\alpha }^i+{\alpha }^2{c}_2^{\ast }{\alpha }^{2i}+\cdots +{\alpha }^{n-1}{c}_{n-1}^{\ast }{\alpha }^{(n-1)i}=c^{\ast }\left({\alpha }^{i+1}\right)$.

Due to this bijective map, algorithms for correcting errors and erasures for primal Reed–Solomon code are also applicable for dual Reed–Solomon codes and vice versa. Indeed, if the codeword $c\in C\left(k\right)$ at minimum distance of a received vector u differs from u by a vector of errors e, then the codeword $c^{\ast }\in C^{\ast }\left(k\right)$ at minimum distance of a received vector $u^{\ast }$ differs from $u^{\ast }$ by a vector of errors $e^{\ast }$.

2.2. Decoding for Errors and Erasures

Suppose that a noisy channel adds t errors and erases s other components of a transmitted codeword $c\in C\left(k\right)$ with $2t+s<d$. Let u be the received word after replacing the erased positions by 0 and let $e=u-c$. The erasure locator polynomial is defined as ${\Lambda }_r={\prod }_{i:c_i\mathrm{was}\mathrm{erased}}(x-{\alpha }^i)$ while the error locator polynomial is defined as ${\Lambda }_e={\prod }_{i:e_i\ne 0,c_i\mathrm{not}\mathrm{erased}}(x-{\alpha }^i).$ The product ${\Lambda }_r{\Lambda }_e$ is called $\Lambda$. We remark that while ${\Lambda }_r$ is known driectly from the received word, the ${\Lambda }_e$ is not a priori known. The error evaluator polynomial is defined as $\mathsf{\Omega }={\sum }_{\begin{array}{c}i:e_i\ne 0\\ \mathrm{or}{c}_i\mathrm{erased}\end{array}}{e}_i{\prod }_{\begin{array}{c}j:e_j\ne 0\mathrm{or}{c}_j\mathrm{erased},\\ \mathrm{and}j\ne i\end{array}}(x-{\alpha }^i)={\sum }_{i=0}^{n-1}{e}_i{\displaystyle \frac{\Lambda }{x-{\alpha }^i}}$ The error positions can be identified by ${\Lambda }_e\left({\alpha }^i\right)=0$ while the error values can be derived, as well as the erased values, from the analogue of the Forney formula [13]

$$e_i=\frac{\mathsf{\Omega }\left({\alpha }^i\right)}{{\Lambda }^{\prime }\left({\alpha }^i\right)}.$$

Notice that in the traditional setting, the roots of the locator polynomial are not related to the error positions but to their inverses. Hence, in the new setting we take the reciprocals of the polynomials of the traditional setting thus establishing a symmetry between the different versions. Also, the classical Forney formula involves the evaluator polynomial and the derivative of the locator polynomial evaluated at the inverses of the error positions, while with the new settings we use directly the error positions.

Finally, the polynomial $S=e\left({\alpha }^{n-1}\right)+e\left({\alpha }^{n-2}\right)x+\cdots +e\left(\alpha \right)x^{n-2}+e\left(1\right)x^{n-1}$ is called the syndrome polynomial of e.

Lemma 1.

$\mathsf{\Omega }(x^n-1)=\Lambda S$.

Proof. 

We can compute directly,

$$\begin{array}{ccc}\hfill \mathsf{\Omega }(x^n-1)& =& (x^n-1)\sum _{i=0}^{n-1}{e}_i{\displaystyle \frac{\Lambda }{x-{\alpha }^i}}\hfill \\ & =& \Lambda \sum _{i=0}^{n-1}{e}_i{\displaystyle \frac{x^n-1}{x-{\alpha }^i}}\hfill \\ & =& \Lambda \sum _{i=0}^{n-1}{e}_i\sum _{j=0}^{n-1}{x}^{n-1-j}{\left({\alpha }^i\right)}^j\hfill \\ & =& \Lambda \sum _{j=0}^{n-1}{x}^{n-1-j}\sum _{i=0}^{n-1}{e}_i{\left({\alpha }^j\right)}^i\hfill \\ & =& \Lambda \sum _{j=0}^{n-1}{x}^{n-1-j}e\left({\alpha }^j\right)\hfill \\ & =& \Lambda S\hfill \end{array}$$

 ☐

The general term of S is $e\left({\alpha }^{n-1-i}\right)x^i$, but we only know from a received word the values $e\left(1\right)=u\left(1\right),\cdots ,e\left({\alpha }^{n-k-1}\right)=u\left({\alpha }^{n-k-1}\right)$. For this reason we use the truncated syndrome polynomial defined as $\overline{S}=e\left({\alpha }^{n-k-1}\right)x^k+e\left({\alpha }^{n-k-2}\right)x^{k+1}+\cdots +e\left(1\right)x^{n-1}.$ The degree of the polynomial $\mathsf{\Omega }(x^n-1)-\Lambda \overline{S}=\Lambda (S-\overline{S})$ is at most $t+s+k-1<\frac{d-s}{2}+s+n-d=n-\frac{d-s}{2}$. One consequence of this bound is that the reciprocal polynomials ${\mathsf{\Omega }}^{\ast }=x^{t+s-1}\mathsf{\Omega }(1/x)$, ${\Lambda }^{\ast }=x^{t+s}\Lambda (1/x)$ and the polynomial ${\overline{S}}^{\ast }=x^{n-1}\overline{S}(1/x)$ satisfy the well known Berlekamp key equation ${\Lambda }^{\ast }{\overline{S}}^{\ast }={\mathsf{\Omega }}^{\ast }\mathrm{mod}{x}^{n-s-k}$. Theorem 1 uses the bound on the degree of $\mathsf{\Omega }(x^n-1)-\Lambda \overline{S}$ to derive a symmetric key equation for dual Reed–Solomon codes. To prove it, we first need the next two lemmas.

Lemma 2.

Suppose that f is a polynomial of $\mathbb{F}\left[x\right]$ with $deg\left(f\right)<n$. Suppose that for a given $\alpha \in {\mathbb{F}}^{\ast }$ the polynomial $f\left(x\right)\frac{x^n-1}{x-\alpha }$ has no term of degree $n-1$. Then α is a root of f.

Proof. 

The Euclidean division of f by $x-\alpha$ gives a polynomial $g\in \mathbb{F}\left[x\right]$ of degree smaller than $n-1$ that satisfies $f\left(x\right)=f\left(\alpha \right)+g\left(x\right)(x-\alpha )$. Then $f\left(x\right)\frac{x^n-1}{x-\alpha }=f\left(\alpha \right)\frac{x^n-1}{x-\alpha }+g\left(x\right)(x^n-1)$. On one hand, the product $g\left(x\right)(x^n-1)$ has no term of degree $n-1$. On the other hand, the coefficient of $f\left(\alpha \right)\frac{x^n-1}{x-\alpha }$ of degree $n-1$ is exactly $f\left(\alpha \right)$. Hence, if $f\left(x\right)\frac{x^n-1}{x-\alpha }$ has no term of degree $n-1$, then necessarily $f\left(\alpha \right)=0$.  ☐

Lemma 3.

Suppose that f is a polynomial of $\mathbb{F}\left[x\right]$ with $deg\left(f\right)\le n-s-t$ such that the terms of degree $n-t,\cdots ,n-1$ of $f{\Lambda }_{r}S$ are all zero. Then ${\Lambda }_e$ is a divisor of f.

Proof. 

Suppose that the terms of degree $n-t,\cdots ,n-1$ of $f{\Lambda }_{r}S$ are all zero. Suppose $c_j$ was not erased and $e_j\ne 0$. Consider $g\left(x\right)={\Lambda }_e/(x-{\alpha }_j)$. We have $\mathrm{deg}\left(g\right)=t-1$ and consequently the term of degree $n-1$ of $fg{\Lambda }_{r}S$ is 0. Then,

$$\begin{array}{ccc}\hfill fg{\Lambda }_{r}S& =& f\left(x\right)g\left(x\right){\Lambda }_r\left(x\right)\frac{\mathsf{\Omega }\left(x\right)(x^n-1)}{\Lambda \left(x\right)}\hfill \\ & =& \sum _{k:e_k\ne 0}{e}_{k}f\left(x\right)g\left(x\right){\Lambda }_r\left(x\right)\frac{x^n-1}{x-{\alpha }_k}\hfill \\ & =& e_{j}f\left(x\right)g\left(x\right){\Lambda }_r\left(x\right)\frac{x^n-1}{x-{\alpha }_j}\hfill \\ & & +\sum _{\begin{array}{c}k:e_k\ne 0,\\ c_k \mathrm{not} \mathrm{erased}\\ k\ne j\end{array}}{e}_{k}f\left(x\right)\frac{g\left(x\right)}{x-{\alpha }_k}{\Lambda }_r\left(x\right)(x^n-1)\hfill \\ & & +\sum _{\begin{array}{c}k:c_k \mathrm{erased}\end{array}}{e}_{k}f\left(x\right)g\left(x\right)\frac{{\Lambda }_r\left(x\right)}{x-{\alpha }_k}(x^n-1).\hfill \end{array}$$

Because of the restriction on the degree of f, none of the last two summands has term of degree $n-1$. Since the term of degree $n-1$ of $fg{\Lambda }_{r}S$ is 0, so is the term of degree $n-1$ of $f\left(x\right)g\left(x\right){\Lambda }_r\left(x\right)\frac{x^n-1}{x-{\alpha }_j}$. By Lemma 2, $x-{\alpha }_j$ must be a divisor of f. Since j was chosen arbitrarily such that $e_j\ne 0$ and $c_j$ was not erased, we conclude that ${\Lambda }_e$ must divide f. ☐

Theorem 1 (Symmetric key equation).

Suppose that a number s of erasures occurred together with a number of at most $\lfloor \frac{d-s-1}{2}\rfloor$ errors. Then the polynomials ${\Lambda }_e$ and Ω are uniquely determined by the conditions

• f is monic
• $f,\phi$ are coprime
• $deg\left(f\right)\le \frac{d-s}{2}$
• $deg(f{\Lambda }_r\overline{S}-\phi (x^n-1))<n-\frac{d-s}{2}$

Proof. 

It is easy to see that ${\Lambda }_e$ and $\mathsf{\Omega }$ satisfy conditions 1, 2, 3. It follows from the previous lemmas that ${\Lambda }_e$ and $\mathsf{\Omega }$ satisfy condition 4. Conversely, suppose that $f,\phi$ satisfy the conditions 3 and 4. We will prove that the terms of degrees $n-t,\cdots ,n-1$ of $f{\Lambda }_{r}S$ are all zero. Then, by Lemma 3, and because $\mathrm{deg}\left(f\right)\le \frac{d-s}{2}\le n-\frac{d+s}{2}=n-s-\frac{d-s}{2}<n-s-t$, it can be deduced that ${\Lambda }_e$ is a divisor of f. Indeed, write

$$f{\Lambda }_{r}S=(f{\Lambda }_r\overline{S}-\phi (x^n-1))+f{\Lambda }_r(S-\overline{S})+\phi (x^n-1).$$

By consition 4, the degree of the first term in this sum is less than $n-\frac{d-s}{2}<n-t$. By condition 3, $\mathrm{deg}\left(f{\Lambda }_r(S-\overline{S})\right)\le \frac{d-s}{2}+s+k-1=n-\frac{d-s}{2}<n-t$. By condition 4, $\mathrm{deg}\left(\phi \right)+n\le \mathrm{deg}\left(f\right)+s+n-1$. Consequently $\mathrm{deg}\left(\phi \right)<\mathrm{deg}\left(f\right)+s$ and by condition 3, $\mathrm{deg}\left(\phi \right)<\frac{d-s}{2}+s=\frac{d+s}{2}\le n-\frac{d-s}{2}<n-t$. So, the terms of degrees $n-t,\cdots ,n-1$ of $\phi (x^n-1)$ are all zero. Suppose now that there exists $g\in \mathbb{F}\left[x\right]$ such that $f=g{\Lambda }_e$. Then

$$\begin{array}{ccc}\hfill f{\Lambda }_r\overline{S}-\phi (x^n-1)& =& f{\Lambda }_r(\overline{S}-S)+f{\Lambda }_{r}S-\phi (x^n-1)\hfill \\ & =& f{\Lambda }_r(\overline{S}-S)+g\Lambda S-\phi (x^n-1)\hfill \\ & =& f{\Lambda }_r(\overline{S}-S)+g\mathsf{\Omega }(x^n-1)-\phi (x^n-1)\hfill \\ & =& f{\Lambda }_r(\overline{S}-S)+(g\mathsf{\Omega }-\phi )(x^n-1).\hfill \end{array}$$

By condition 4, $\mathrm{deg}(f{\Lambda }_r\overline{S}-\phi (x^n-1))<n-\frac{d-s}{2}$ and as just seen, $\mathrm{deg}\left(f{\Lambda }_r(\overline{S}-S)\right)<n-t$. Consequently, $\phi =g\mathsf{\Omega }$. Now condition 1 and condition 2 imply $g=1$ and so $\phi =\mathsf{\Omega }$ and $f={\Lambda }_e$.  ☐

3. Solving the Symmetric Key Equation

We first approach the case in which only erasures occurred. In this case $\Lambda ={\Lambda }_r$, ${\Lambda }_e=1$, and $\mathsf{\Omega }$ can be directly derived from the key equation of Theorem 1. Indeed, the polynomial $\mathsf{\Omega }$ is exactly the sum of those monomials of ${\Lambda }_r\overline{S}$ of degree at least $n-\frac{d-s}{2}$, divided by the monomial $x^{n-\frac{d-s}{2}}$.

Suppose now the case in which errors and erasures occured simultaneously. The extended Euclidean algorithm applied to the quotient polynomial ${\Lambda }_r\overline{S}$ and the divisor polynomial $-(x^n-1)$ gives $gcd({\Lambda }_r\overline{S},x^n-1)$ and two polynomials $\lambda \left(x\right)$ and $\eta \left(x\right)$ satisfying that $\lambda {\Lambda }_r\overline{S}-\eta (x^n-1)=gcd({\Lambda }_r\overline{S},x^n-1)$. A new remainder $r_i$ and two polynomials ${\lambda }_i\left(x\right)$ and ${\eta }_i\left(x\right)$ such that ${\lambda }_i{\Lambda }_r\overline{S}-{\eta }_i(x^n-1)=r_i$ are computed at each intermediate step of the Euclidean algorithm, in a way such that the degree of $r_i$ decreases at each step. Truncating at a proper point the Euclidean algorithm we can obtain two polynomials ${\lambda }_i$ and ${\eta }_i$ satisfying that the degree of ${\lambda }_i{\Lambda }_r\overline{S}-{\eta }_i(x^n-1)$ is smaller than $n-\frac{d-s}{2}$. The next algorithm is a truncated version of the Euclidean algorithm. It satisfies that, for all $i\ge 0$, $\mathrm{deg}\left(r_i\right)\le \mathrm{deg}\left(r_{i-1}\right)$ and $\mathrm{deg}\left(f_i\right)\ge \mathrm{deg}\left(f_{i-1}\right)$.

Algorithm 1: Euclidean Algorithm

Initialize:        $\begin{array}{ccc}{r}_{-2}={\Lambda }_r\overline{S},\hfill & f_{-2}=1,\hfill & {\phi }_{-2}=0,\hfill \\ r_{-1}=-(x^n-1),\hfill & f_{-1}=0,\hfill & {\phi }_{-1}=1,\hfill \end{array}$ while$\mathbf{deg}\left(r_i\right)\ge n-\frac{d-s}{2}$:   $q_i=\mathrm{Quotient}(r_{i-2},r_{i-1})$    $r_i=\mathrm{Remainder}(r_{i-2},r_{i-1})$   $f_i=f_{i-2}-q_i{f}_{i-1}$   ${\phi }_i={\phi }_{i-2}-q_i{\phi }_{i-1}$ end while Return $f_i/\mathbf{LC}\left(f_i\right)$, ${\phi }_i/\mathbf{LC}\left(f_i\right)$ or, equivalently, in matrix form, Initialize:        $\left(\begin{array}{ccc}{r}_{-1}& f_{-1}& {\phi }_{-1}\\ r_{-2}& f_{-2}& {\phi }_{-2}\end{array}\right)=\left(\begin{array}{ccc}-(x^n-1)& 0& 1\\ {\Lambda }_r\overline{S}& 1& 0\end{array}\right)$ while $\mathbf{deg}\left(r_i\right)\ge n-\frac{d-s}{2}$: $q_i=\mathbf{Quotient}(r_{i-2},r_{i-1})$ $\left(\begin{array}{ccc}{r}_i& f_i& {\phi }_i\\ r_{i-1}& f_{i-1}& {\phi }_{i-1}\end{array}\right)=\left(\begin{array}{cc}-q_i& 1\\ 1& 0\end{array}\right)\left(\begin{array}{ccc}{r}_{i-1}& f_{i-1}& {\phi }_{i-1}\\ r_{i-2}& f_{i-2}& {\phi }_{i-2}\end{array}\right)$ end while Return $f_i/\mathbf{LC}\left(f_i\right)$, ${\phi }_i/\mathbf{LC}\left(f_i\right)$

For every integer i larger than or equal to $-1$ consider the matrix $\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_i& {\stackrel{\circ }{F}}_i& {\stackrel{\circ }{\mathsf{\Phi }}}_i\\ {\stackrel{\circ }{\tilde{R}}}_i& {\stackrel{\circ }{\tilde{F}}}_i& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_i\end{array}\right)=\left(\begin{array}{cc}1/\mathrm{LC}\left(r_i\right)& 0\\ 0& -\mathrm{LC}\left(r_i\right)\end{array}\right)\left(\begin{array}{ccc}{r}_i& f_i& {\phi }_i\\ r_{i-1}& f_{i-1}& {\phi }_{i-1}\end{array}\right)$ It is easy to check that the polynomial $\stackrel{\circ }{R_i}$ is monic. In the algorithm one can replace the update step by the next multiplication.

$\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_i& {\stackrel{\circ }{F}}_i& {\stackrel{\circ }{\mathsf{\Phi }}}_i\\ {\stackrel{\circ }{\tilde{R}}}_i& {\stackrel{\circ }{\tilde{F}}}_i& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_i\end{array}\right)=\left(\begin{array}{cc}\frac{1}{\mathrm{LC}({\stackrel{\circ }{\tilde{R}}}_{i-1}-Q_i{\stackrel{\circ }{R}}_{i-1})}& 0\\ 0& -\mathrm{LC}({\stackrel{\circ }{\tilde{R}}}_{i-1}-Q_i{\stackrel{\circ }{R}}_{i-1})\end{array}\right)\left(\begin{array}{cc}-Q_i& 1\\ 1& 0\end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{i-1}& {\stackrel{\circ }{F}}_{i-1}& {\stackrel{\circ }{\mathsf{\Phi }}}_{i-1}\\ {\stackrel{\circ }{\tilde{R}}}_{i-1}& {\stackrel{\circ }{\tilde{F}}}_{i-1}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{i-1}\end{array}\right),$ where the polynomial $Q_i$ is the quotient of the division of ${\stackrel{\circ }{\tilde{R}}}_{i-1}$ by ${\stackrel{\circ }{R}}_{i-1}$. Furthermore, if $Q_i=Q_i^{\left(0\right)}+Q_i^{\left(1\right)}x+\cdots +Q_i^{\left(l_i\right)}{x}^{l_i}$, then $\left(\begin{array}{cc}-Q_i\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)=\left(\begin{array}{cc}1\hfill & -Q_i^{\left(0\right)}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -Q_i^{\left(1\right)}x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -Q_i^{\left(l\right)}{x}^l\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)$ and the update step becomes

$$\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_i& {\stackrel{\circ }{F}}_i& {\stackrel{\circ }{\mathsf{\Phi }}}_i\\ {\stackrel{\circ }{\tilde{R}}}_i& {\stackrel{\circ }{\tilde{F}}}_i& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_i\end{array}\right)=\left(\begin{array}{cc}\frac{1}{\mathrm{LC}({\stackrel{\circ }{\tilde{R}}}_{i-1}-Q_i{\stackrel{\circ }{R}}_{i-1})}& 0\\ 0& -\mathrm{LC}({\stackrel{\circ }{\tilde{R}}}_{i-1}-Q_i{\stackrel{\circ }{R}}_{i-1})\end{array}\right)\left(\begin{array}{cc}1\hfill & -Q_i^{\left(0\right)}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -Q_i^{\left(1\right)}x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots$$

$$\dots \left(\begin{array}{cc}1\hfill & -Q_i^{\left(l\right)}{x}^l\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{i-1}& {\stackrel{\circ }{F}}_{i-1}& {\stackrel{\circ }{\mathsf{\Phi }}}_{i-1}\\ {\stackrel{\circ }{\tilde{R}}}_{i-1}& {\stackrel{\circ }{\tilde{F}}}_{i-1}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{i-1}\end{array}\right),$$

One can see that $\mathrm{LC}({\stackrel{\circ }{\tilde{R}}}_{i-1}-Q_i{\stackrel{\circ }{R}}_{i-1})$ and the $Q_i^{\left(j\right)}$’s are the leading coefficients of the left-most, top-most polynomials in the previous product of all the previous matrices. This follows from the fact that ${\stackrel{\circ }{R}}_i$ is monic. Define $\mu$ as the (changing) leading coefficients of the left-most, top-most element in the product of all the previous matrices. It follows that

$$\begin{array}{ccc}\hfill \left(\begin{array}{ccc}{\stackrel{\circ }{R}}_i& {\stackrel{\circ }{F}}_i& {\stackrel{\circ }{\mathsf{\Phi }}}_i\\ {\stackrel{\circ }{\tilde{R}}}_i& {\stackrel{\circ }{\tilde{F}}}_i& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_i\end{array}\right)& =& \left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_i}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{i-1}& {\stackrel{\circ }{F}}_{i-1}& {\stackrel{\circ }{\mathsf{\Phi }}}_{i-1}\\ {\stackrel{\circ }{\tilde{R}}}_{i-1}& {\stackrel{\circ }{\tilde{F}}}_{i-1}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{i-1}\end{array}\right)\hfill \\ & =& \left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_i}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\hfill \\ & & \left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_{i-1}}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{i-2}& {\stackrel{\circ }{F}}_{i-2}& {\stackrel{\circ }{\mathsf{\Phi }}}_{i-2}\\ {\stackrel{\circ }{\tilde{R}}}_{i-2}& {\stackrel{\circ }{\tilde{F}}}_{i-2}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{i-2}\end{array}\right)\hfill \\ & =& \left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_i}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\hfill \\ & & \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_{i-1}}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{i-2}& {\stackrel{\circ }{F}}_{i-2}& {\stackrel{\circ }{\mathsf{\Phi }}}_{i-2}\\ {\stackrel{\circ }{\tilde{R}}}_{i-2}& {\stackrel{\circ }{\tilde{F}}}_{i-2}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{i-2}\end{array}\right)\hfill \\ & =& \left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_i}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\hfill \\ & & \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_{i-1}}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\hfill \\ & & \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}⋮\hfill \\ & & \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_0}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{-1}& {\stackrel{\circ }{F}}_{-1}& {\stackrel{\circ }{\mathsf{\Phi }}}_{-1}\\ {\stackrel{\circ }{\tilde{R}}}_{-1}& {\stackrel{\circ }{\tilde{F}}}_{-1}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{-1}\end{array}\right),\hfill \end{array}$$

Let us label the matrices in the previous product:

$$\begin{array}{c}\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)\stackrel{M_m}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\stackrel{M_{m-1}}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\dots \left(\begin{array}{cc}1\hfill & -\mu x^{l_i-1}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x^{l_i}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\hfill \\ \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}⋮\hfill \\ \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)\cdots \stackrel{M_{l_0+3}}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu x^{l_1-1}\hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\stackrel{M_{l_0+2}}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu x^{l_1}\hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\stackrel{M_{l_0+1}}{\overbrace{\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)}}\hfill \\ \phantom{\left(\begin{array}{cc}\frac{1}{\mu }& 0\\ 0& -\mu \end{array}\right)}\stackrel{M_{l_0}}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu \hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\stackrel{M_{l_0-1}}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu x\hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\dots \stackrel{M_1}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu x^{l_0-1}\hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\stackrel{M_0}{\overbrace{\left(\begin{array}{cc}1\hfill & -\mu x^{l_0}\hfill \\ 0\hfill & 1\hfill \end{array}\right)}}\left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right).\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{-1}& {\stackrel{\circ }{F}}_{-1}& {\stackrel{\circ }{\mathsf{\Phi }}}_{-1}\\ {\stackrel{\circ }{\tilde{R}}}_{-1}& {\stackrel{\circ }{\tilde{F}}}_{-1}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{-1}\end{array}\right)\hfill \end{array}$$

Now, we define

$$\begin{array}{ccc}\hfill \left(\begin{array}{ccc}{R}_{-1}& F_{-1}& {\mathsf{\Phi }}_{-1}\\ {\tilde{R}}_{-1}& {\tilde{F}}_{-1}& {\tilde{\mathsf{\Phi }}}_{-1}\end{array}\right)& =& \left(\begin{array}{cc}0\hfill & 1\hfill \\ 1\hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{\stackrel{\circ }{R}}_{-1}& {\stackrel{\circ }{F}}_{-1}& {\stackrel{\circ }{\mathsf{\Phi }}}_{-1}\\ {\stackrel{\circ }{\tilde{R}}}_{-1}& {\stackrel{\circ }{\tilde{F}}}_{-1}& {\stackrel{\circ }{\tilde{\mathsf{\Phi }}}}_{-1}\end{array}\right)=\left(\begin{array}{ccc}{\Lambda }_r\overline{S}& 1& 0\\ x^n-1& 0& -1\end{array}\right)\hfill \\ \hfill \left(\begin{array}{ccc}{R}_i& F_i& {\mathsf{\Phi }}_i\\ {\tilde{R}}_i& {\tilde{F}}_i& {\tilde{\mathsf{\Phi }}}_i\end{array}\right)& =& M_i·M_{i-1}·\cdots ·M_0·\left(\begin{array}{ccc}{R}_{-1}& F_{-1}& {\mathsf{\Phi }}_{-1}\\ {\tilde{R}}_{-1}& {\tilde{F}}_{-1}& {\tilde{\mathsf{\Phi }}}_{-1}\end{array}\right)\hfill \end{array}$$

Lets us see now that, for all $i\le m$, the polynomials ${\tilde{R}}_i$ and $F_i$ are monic. Indeed, ${\tilde{R}}_{-1}=x^n-1$ is monic, and it follows by induction and by the definition of the matrices $M_i$, that ${\tilde{R}}_i$ is monic for all i. Now, all the matrices $M_i$ have determinant equal to 1. This implies that $R_i{\tilde{F}}_i-F_i{\tilde{R}}_i$ is constant for all i and it equals $-(x^n-1)$. In particular, since $\mathrm{LC}(R_i{\tilde{F}}_i-F_i{\tilde{R}}_i)=-\mathrm{LC}\left(F_i\right)\mathrm{LC}\left({\tilde{R}}_i\right)=-\mathrm{LC}\left(F_i\right)$, we deduce that for every i, the polynomial $F_i$ is monic.

Algorithm 2 computes the matrices $\left(\begin{array}{ccc}{R}_i& F_i& {\mathsf{\Phi }}_i\\ {\tilde{R}}_i& {\tilde{F}}_i& {\tilde{\mathsf{\Phi }}}_i\end{array}\right)$ until $\mathrm{deg}\left(R_i\right)<n-\frac{d-s}{2}$.

Algorithm 2: Single Coefficient Euclidean Algorithm.

Initialize:   $\left(\begin{array}{ccc}{R}_{-1}\hfill & F_{-1}\hfill & {\mathsf{\Phi }}_{-1}\hfill \\ {\tilde{R}}_{-1}\hfill & {\tilde{F}}_{-1}\hfill & {\tilde{\mathsf{\Phi }}}_{-1}\hfill \end{array}\right)=\left(\begin{array}{ccc}{\Lambda }_r\overline{S}\hfill & 1\hfill & 0\hfill \\ x^n-1\hfill & 0\hfill & -1\hfill \end{array}\right)$ while$\mathbf{deg}\left(R_i\right)\ge n-\frac{d-s}{2}$:   $\mu =\mathbf{LC}\left(R_i\right)$   $p=\mathbf{deg}\left(R_i\right)-\mathbf{deg}\left({\tilde{R}}_i\right)$   if$p\ge 0$then   $\left(\begin{array}{ccc}{R}_{i+1}\hfill & F_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{R}}_{i+1}\hfill & {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}1\hfill & -\mu x^p\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{ccc}{R}_i\hfill & F_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{R}}_i\hfill & {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$   else   $\left(\begin{array}{ccc}{R}_{i+1}\hfill & F_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{R}}_{i+1}\hfill & {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{R}_i\hfill & F_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{R}}_i\hfill & {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$   end if end while Return$F_i$, ${\mathsf{\Phi }}_i$

Due to the fact that the polynomials ${\tilde{R}}_i$ are monic, after each step with a negative value of p the new updated value p coincides with the previous one but with opposite sign and so happens for $\mu$. Taking this into account we join each step with a negative value of p with the next step. We obtain $\left(\begin{array}{ccc}{R}_{i+1}\hfill & F_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{R}}_{i+1}\hfill & {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}1\hfill & \mu x^{-p}\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}0\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{R}_i\hfill & F_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{R}}_i\hfill & {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$

This adjustment keeps $F_i,{\mathsf{\Phi }}_i$ unaltered. It can be stated as follows

At this point we observe that we only need to keep the polynomials $R_i$ (and ${\tilde{R}}_i$) because we need their leading coefficients (the ${\mu }_i$’s). The next lemma proves that these leading coefficients can be obtained independently of the polynomials $R_i$. This allows the computation of the polynomials $F_i,{\mathsf{\Phi }}_i$ iteratively while dispensing with the polynomials $R_i$.

Lemma 4.

$LC\left(R_i\right)=LC\left(F_i{\Lambda }_r\overline{S}\right)$

Proof. 

The result is obvious for $i=-1$. Since we joined two steps, before Algorithm 3, the degree of the remainder $R_i=F_i{\Lambda }_r\overline{S}-{\mathsf{\Phi }}_i(x^n-1)=F_i{\Lambda }_r\overline{S}-x^n{\mathsf{\Phi }}_i+{\mathsf{\Phi }}_i$ is at most $n-1$ for every $i\ge 1$. Consequently all terms of $x^n{\mathsf{\Phi }}_i$ cancel with terms of $F_i{\Lambda }_r\overline{S}$ and $R_i$ must have leading term equal to either a term of ${\mathsf{\Phi }}_i$ or a term of $F_i{\Lambda }_r\overline{S}$ or a sum of a term of ${\mathsf{\Phi }}_i$ and a term of $F_i{\Lambda }_r\overline{S}$.

On the other hand, the algorithm computes $\mathrm{LC}\left(R_i\right)$ only while $\mathrm{deg}\left(R_i\right)\ge n-\frac{d-s}{2}$. In particular, $2\mathrm{deg}\left(R_i\right)=2n-d+s\ge n+s$. Leu us show that in this case the degree of the leading term of $R_i$ is strictly larger than the degree of ${\mathsf{\Phi }}_i$. Indeed, since all the matrices $M_i$ in the algorithm have determinant equal to 1, this implies that $\mathrm{deg}\left({\mathsf{\Phi }}_i\right)=\mathrm{deg}\left({\Lambda }_r\overline{S}\right)-\mathrm{deg}\left({\tilde{R}}_i\right)\le n+s-\mathrm{deg}\left({\tilde{R}}_i\right)<2\mathrm{deg}\left(R_i\right)-\mathrm{deg}\left(R_i\right)=\mathrm{deg}\left(R_i\right)$. ☐

Algorithm 3: Refactored Single Coefficient Euclidean Algorithm

Initialize:   $\left(\begin{array}{ccc}{R}_{-1}\hfill & F_{-1}\hfill & {\mathsf{\Phi }}_{-1}\hfill \\ {\tilde{R}}_{-1}\hfill & {\tilde{F}}_{-1}\hfill & {\tilde{\mathsf{\Phi }}}_{-1}\hfill \end{array}\right)=\left(\begin{array}{ccc}{\Lambda }_r\overline{S}\hfill & 1\hfill & 0\hfill \\ x^n-1\hfill & 0\hfill & -1\hfill \end{array}\right)$ while$\mathbf{deg}\left(R_i\right)\ge n-\frac{d-s}{2}$:   $\mu =\mathbf{LC}\left(R_i\right)$   $p=\mathbf{deg}\left(R_i\right)-\mathbf{deg}\left({\tilde{R}}_i\right)$   if$p\ge 0$ or $\mu =0$ then   $\left(\begin{array}{ccc}{R}_{i+1}\hfill & F_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{R}}_{i+1}\hfill & {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}1\hfill & -\mu x^p\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{ccc}{R}_i\hfill & F_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{R}}_i\hfill & {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$   else   $\left(\begin{array}{ccc}{R}_{i+1}\hfill & F_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{R}}_{i+1}\hfill & {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}{x}^{-p}\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\left(\begin{array}{ccc}{R}_i\hfill & F_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{R}}_i\hfill & {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$   end if end while Return $F_i$, ${\mathsf{\Phi }}_i$

We transform now Algorithm 3 in a way such that isntead of keeping the remainders we keep their degrees. For this we use the values $d_i,{\tilde{d}}_i$ satisfying, at each step, that $d_i\ge \mathrm{deg}\left(R_i\right)$, ${\tilde{d}}_i=\mathrm{deg}\left({\tilde{R}}_i\right)$.

Algorithm 4 is exactly the Berlekamp–Massey algorithm applied to the recurrence ${\sum }_{j=0}^t{\Lambda }_{j}e\left({\alpha }^{i+j-1}\right)=0$ for all $i>0$. This linear recurrence is a consequence of the equality $\frac{S}{x^n-1}=\frac{1}{x}\left(e\left(1\right)+\frac{e\left(\alpha \right)}{x}+\frac{e\left({\alpha }^2\right)}{x^2}+\cdots \right)$ and the fact that $\Lambda \frac{S}{x^n-1}$ is a polynomial and, hence, its terms of negative order in its expression as a Laurent series in $1/x$ are all zero.

Algorithm 4: Berlekamp-Massey Algorithm

Initialize:   $d_{-1}=s+\mathbf{deg}\left(\overline{S}\right)$   ${\tilde{d}}_{-1}=n$   $\left(\begin{array}{cc}{F}_{-1}\hfill & {\mathsf{\Phi }}_{-1}\hfill \\ {\tilde{F}}_{-1}\hfill & {\tilde{\mathsf{\Phi }}}_{-1}\hfill \end{array}\right)=\left(\begin{array}{cc}1\hfill & 0\hfill \\ 0\hfill & -1\hfill \end{array}\right)$ while$d_i\ge n-\frac{d-s}{2}$:   $\mu =\mathbf{Coefficient}(F_i{\Lambda }_r\overline{S},d_i)$   $p=d_i-{\tilde{d}}_i$   if$p\ge 0$ or $\mu =0$ then    $\left(\begin{array}{cc}{F}_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}1\hfill & -\mu x^p\hfill \\ 0\hfill & 1\hfill \end{array}\right)\left(\begin{array}{cc}{F}_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$    $d_{i+1}=d_i-1$    ${\tilde{d}}_{i+1}={\tilde{d}}_i$   else    $\left(\begin{array}{cc}{F}_{i+1}\hfill & {\mathsf{\Phi }}_{i+1}\hfill \\ {\tilde{F}}_{i+1}\hfill & {\tilde{\mathsf{\Phi }}}_{i+1}\hfill \end{array}\right)=\left(\begin{array}{cc}{x}^{-p}\hfill & -\mu \hfill \\ 1/\mu \hfill & 0\hfill \end{array}\right)\left(\begin{array}{cc}{F}_i\hfill & {\mathsf{\Phi }}_i\hfill \\ {\tilde{F}}_i\hfill & {\tilde{\mathsf{\Phi }}}_i\hfill \end{array}\right)$    $d_{i+1}={\tilde{d}}_i-1$    ${\tilde{d}}_{i+1}=d_i$    end if end while Return $F_i,{\mathsf{\Phi }}_i$

4. Conclusions

By working with error/erasure locator polynomials whose roots correspond to the error positions rather than to their inverses and with an evaluator polynomial that gives the error values when we evaluate it at the error positions instead of evaluating it at the inverses of the error positions we get to a symmetric key equation for Reed–Solomon codes. We showed that the symmetric key equation can be solved by an adapted Euclidean algorithm whose steps can be refined leading naturally to the Berlekamp–Massey algorithm.