The Symmetric Key Equation for Reed–Solomon Codes and a New Perspective on the Berlekamp–Massey Algorithm

This paper presents a new way to view the key equation for decoding Reed–Solomon codes that unites the two algorithms used in solving it: the Berlekamp–Massey algorithm and the Euclidean algorithm. A new key equation for Reed–Solomon codes is derived for simultaneous errors and erasures decoding using the symmetry between polynomials and their reciprocals as well as the symmetries between dual and primal codes. The new key equation is simpler since it involves only degree bounds rather than modular computations. We show how to solve it using the Euclidean algorithm. We then show that by reorganizing the Euclidean algorithm applied to the new key equation we obtain the Berlekamp–Massey algorithm.


Introduction
Reed-Solomon codes are the basis of many applications such as secret sharing [1], distributed storage [2,3], private information retrieval [4] and the analysis of cryptographic hardness [5]. The most used tool for decoding Reed-Solomon codes is the key equation by Berlekamp [6] and the milestone algorithms that solve it are the Berlekamp-Massey algorithm [7] and the Sugiyama et al. adaptation of the Euclidean algorithm [8]. Their connections are analyzed in [9][10][11][12]. This paper is meant to bring a new unified presentation of the key equation, the Sugiyama-Euclidean algorithm and the Berlekamp-Massey algorithm for correcting errors and erasures for Reed-Solomon codes.
Section 2 presents a revisited key equation for both erasures and errors using the symmetry between polynomials and their reciprocals as well as the symmetries between dual and primal codes. In the new key equation, as opposed to the classical equation, there is no need to reference computations modulo a power of the indeterminate, and the correction polynomials reveal error locations rather than their inverses. Section 3 gives a way to solve the new key equation using the Euclidean algorithm. We show how the Berlekamp-Massey algorithm can be obtained by reorganizing the Euclidean algorithm. Hence, the whole paper is, in fact, a simple presentation of the Berlekamp-Massey algorithm as a restructured Euclidean algorithm.

Reed-Solomon Codes
Suppose that $F$ is a finite field of $q$ elements and suppose that $\alpha$ is a primitive element of $F$. Let $n = q - 1$. Each vector $u = (u_0, \dots, u_{n-1}) \in F^n$ is identified with the polynomial $u(x) = u_0 + u_1 x + \cdots + u_{n-1} x^{n-1}$. The evaluation of $u(x)$ at $a$ is then denoted $u(a)$. The cyclic code $C^*(k)$ of length $n$ generated by the polynomial $(x - \alpha)(x - \alpha^2) \cdots (x - \alpha^{n-k})$ is classically referred to as a (primal) Reed-Solomon code. Its dimension is $k$. On the other hand, the cyclic code $C(k)$ of length $n$ generated by the polynomial $(x - \alpha^{n-(k+1)})(x - \alpha^{n-(k+2)}) \cdots (x - \alpha)(x - 1)$ is referred to as a dual Reed-Solomon code. Its dimension is $k$ as well. The minimum distance of both codes is $d = n - k + 1$. The codes are related by the equality $C(k)^\perp = C^*(n - k)$.
The vector space $F^n$ is naturally bijected to itself through a map $c \mapsto c^*$ taking $C(k)$ to $C^*(k)$. For a vector $c = (c_0, c_1, \dots, c_{n-1}) \in F^n$ the vector $c^*$ is defined componentwise Due to this bijective map, algorithms for correcting errors and erasures for primal Reed-Solomon codes are also applicable to dual Reed-Solomon codes and vice versa. Indeed, if the codeword $c \in C(k)$ at minimum distance of a received vector $u$ differs from $u$ by a vector of errors $e$, then the codeword $c^* \in C^*(k)$ at minimum distance of a received vector $u^*$ differs from $u^*$ by a vector of errors $e^*$.

Decoding for Errors and Erasures
Suppose that a noisy channel adds $t$ errors and erases $s$ other components of a transmitted codeword $c \in C(k)$ with $2t + s < d$. Let $u$ be the received word after replacing the erased positions by 0 and let $e = u - c$. The erasure locator polynomial is defined as $\Lambda_r = \prod_{i : c_i \text{ was erased}} (x - \alpha^i)$ while the error locator polynomial is defined as $\Lambda_e = \prod_{i : e_i \neq 0,\, c_i \text{ not erased}} (x - \alpha^i)$. The product $\Lambda_r \Lambda_e$ is called $\Lambda$. We remark that while $\Lambda_r$ is known directly from the received word, $\Lambda_e$ is not known a priori. The error evaluator polynomial is defined as $\Omega = \sum_{i : e_i \neq 0 \text{ or } c_i \text{ erased}} e_i \prod_{j : e_j \neq 0 \text{ or } c_j \text{ erased},}$ Notice that in the traditional setting, the roots of the locator polynomial are not related to the error positions but to their inverses. Hence, in the new setting we take the reciprocals of the polynomials of the traditional setting, thus establishing a symmetry between the different versions. Also, the classical Forney formula involves the evaluator polynomial and the derivative of the locator polynomial evaluated at the inverses of the error positions, while with the new settings we use the error positions directly.
Proof. We can compute directly, The general term of $S$ is $e(\alpha^{n-1-i}) x^i$, but we only know from a received word the values $e(1) = u(1), \dots, e(\alpha^{n-k-1}) = u(\alpha^{n-k-1})$. For this reason we use the truncated syndrome polynomial defined as One consequence of this bound is that the reciprocal polynomials $\Omega^* = x^{t+s-1}\Omega(1/x)$, $\Lambda^* = x^{t+s}\Lambda(1/x)$ and the polynomial $\bar S^* = x^{n-1}\bar S(1/x)$ satisfy the well known Berlekamp key equation $\Lambda^* \bar S^* = \Omega^* \bmod x^{n-s-k}$. Theorem 1 uses the bound on the degree of $\Omega(x^n - 1) - \Lambda\bar S$ to derive a symmetric key equation for dual Reed-Solomon codes. To prove it, we first need the next two lemmas.

Lemma 2. Suppose that $f$ is a polynomial of $F[x]$ with $\deg(f) < n$. Suppose that for a given $\alpha \in F^*$ the polynomial $f(x)\frac{x^n - 1}{x - \alpha}$ has no term of degree $n - 1$. Then $\alpha$ is a root of $f$.

Proof. The Euclidean division of $f$ by $x - \alpha$ gives a polynomial $g \in F[x]$ of degree smaller than $n - 1$ that satisfies . On one hand, the product $g(x)(x^n - 1)$ has no term of degree $n - 1$. On the other hand, the coefficient of $f(\alpha)\frac{x^n - 1}{x - \alpha}$ has no term of degree $n - 1$, then necessarily $f(\alpha) = 0$.
Proof. Suppose that the terms of degree $n - t, \dots, n - 1$ of $f\Lambda_r S$ are all zero. Suppose $c_j$ was not erased and $e_j \neq 0$. Consider $g(x) = \Lambda_e/(x - \alpha^j)$. We have $\deg(g) = t - 1$ and consequently the term of degree $n - 1$ of $f g \Lambda_r S$ is 0. Then, Because of the restriction on the degree of $f$, none of the last two summands has term of degree $n - 1$. Since the term of degree $n - 1$ of $f g \Lambda_r S$ is 0, so is the term of degree By Lemma 2, $x - \alpha^j$ must be a divisor of $f$. Since $j$ was chosen arbitrarily such that $e_j \neq 0$ and $c_j$ was not erased, we conclude that $\Lambda_e$ must divide $f$. $f$ is monic 2.
Proof. It is easy to see that $\Lambda_e$ and $\Omega$ satisfy conditions 1, 2, 3. It follows from the previous lemmas that $\Lambda_e$ and $\Omega$ satisfy condition 4. Conversely, suppose that $f$, $\varphi$ satisfy the conditions 3 and 4. We will prove that the terms of degrees $n - t, \dots, n - 1$ of $f\Lambda_r S$ are all zero. Then, by Lemma 3, and because By condition 4, the degree of the first term in this sum is less than $n - \frac{d-s}{2} < n - t$. By condition 3, By condition 4, $\deg(f\Lambda_r\bar S - \varphi(x^n - 1)) < n - \frac{d-s}{2}$ and as just seen, $\deg(f\Lambda_r(\bar S - S)) < n - t$. Consequently, $\varphi = g\Omega$. Now condition 1 and condition 2 imply $g = 1$ and so $\varphi = \Omega$ and $f = \Lambda_e$.

Solving the Symmetric Key Equation
We first approach the case in which only erasures occurred. In this case $\Lambda = \Lambda_r$, $\Lambda_e = 1$, and $\Omega$ can be directly derived from the key equation of Theorem 1. Indeed, the polynomial $\Omega$ is exactly the sum of those monomials of $\Lambda_r\bar S$ of degree at least $n - \frac{d-s}{2}$, divided by the monomial $x^{n - \frac{d-s}{2}}$. Suppose now the case in which errors and erasures occurred simultaneously. The extended Euclidean algorithm applied to the quotient polynomial $\Lambda_r\bar S$ and the divisor polynomial $-(x^n - 1)$ gives $\gcd(\Lambda_r\bar S, x^n - 1)$ and two polynomials $\lambda(x)$ and $\eta(x)$ satisfying $\lambda\Lambda_r\bar S - \eta(x^n - 1) = \gcd(\Lambda_r\bar S, x^n - 1)$. A new remainder $r_i$ and two polynomials $\lambda_i(x)$ and $\eta_i(x)$ such that $\lambda_i\Lambda_r\bar S - \eta_i(x^n - 1) = r_i$ are computed at each intermediate step of the Euclidean algorithm, in such a way that the degree of $r_i$ decreases at each step. Truncating the Euclidean algorithm at a proper point, we can obtain two polynomials $\lambda_i$ and $\eta_i$ such that the degree of $\lambda_i\Lambda_r\bar S - \eta_i(x^n - 1)$ is smaller than $n - \frac{d-s}{2}$. The next algorithm is a truncated version of the Euclidean algorithm. It satisfies that, for all $i \ge 0$, $\deg(r_i) \le \deg(r_{i-1})$ and $\deg(f_i) \ge \deg(f_{i-1})$.

Initialize:
r For every integer $i$ larger than or equal to $-1$ consider the matrix It is easy to check that the polynomial $\tilde R_i$ is monic. In the algorithm one can replace the update step by the next multiplication.
One can see that LC( i 's are the leading coefficients of the left-most, top-most polynomials in the previous product of all the previous matrices. This follows from the fact that $\tilde R_i$ is monic. Define $\mu$ as the (changing) leading coefficients of the left-most, top-most element in the product of all the previous matrices. It follows that Let us label the matrices in the previous product: Now, we define Let us see now that, for all $i \le m$, the polynomials $\tilde R_i$ and $F_i$ are monic. Indeed, $\tilde R_{-1} = x^n - 1$ is monic, and it follows by induction and by the definition of the matrices $M_i$ that $\tilde R_i$ is monic for all $i$. Now, all the matrices $M_i$ have determinant equal to 1. This implies that $R_i\tilde F_i - F_i\tilde R_i$ is constant for all $i$ and it equals $-(x^n - 1)$. In particular, since LC( we deduce that for every $i$, the polynomial $F_i$ is monic.

Algorithm 2 computes the matrices
Algorithm 2: Single Coefficient Euclidean Algorithm. Initialize: Due to the fact that the polynomials $\tilde R_i$ are monic, after each step with a negative value of $p$ the new updated value $p$ coincides with the previous one but with opposite sign and so happens for $\mu$. Taking this into account we join each step with a negative value of $p$ with the next step. We obtain This adjustment keeps $F_i$, $\Phi_i$ unaltered. It can be stated as follows At this point we observe that we only need to keep the polynomials $R_i$ (and $\tilde R_i$) because we need their leading coefficients (the $\mu_i$'s). The next lemma proves that these leading coefficients can be obtained independently of the polynomials $R_i$. This allows the computation of the polynomials $F_i$, $\Phi_i$ iteratively while dispensing with the polynomials $R_i$.
Proof. The result is obvious for $i = -1$. Since we joined two steps, before Algorithm 3, the degree of the remainder Consequently all terms of $x^n\Phi_i$ cancel with terms of $F_i\Lambda_r\bar S$ and $R_i$ must have leading term equal to either a term of $\Phi_i$ or a term of $F_i\Lambda_r\bar S$ or a sum of a term of $\Phi_i$ and a term of $F_i\Lambda_r\bar S$.
On the other hand, the algorithm computes $\mathrm{LC}(R_i)$ only while $\deg(R_i) \ge n - \frac{d-s}{2}$. In particular, $2\deg(R_i) = 2n - d + s \ge n + s$. Let us show that in this case the degree of the leading term of $R_i$ is strictly larger than the degree of $\Phi_i$. Indeed, since all the matrices $M_i$ in the algorithm have determinant equal to 1, this implies that deg

Algorithm 3: Refactored Single Coefficient Euclidean Algorithm
Initialize: We transform now Algorithm 3 in a way such that instead of keeping the remainders we keep their degrees. For this we use the values $d_i, \tilde d_i$ satisfying, at each step, that $d_i \ge \deg(R_i)$, $\tilde d_i = \deg(\tilde R_i)$.
Algorithm 4 is exactly the Berlekamp-Massey algorithm applied to the recurrence $\sum_{j=0}^{t} \Lambda_j e(\alpha^{i+j-1}) = 0$ for all $i > 0$. This linear recurrence is a consequence of the equality $\frac{S}{x^n - 1} = \frac{1}{x}\left(e(1) + \frac{e(\alpha)}{x} + \frac{e(\alpha^2)}{x^2} + \cdots\right)$ and the fact that $\Lambda\frac{S}{x^n - 1}$ is a polynomial and, hence, its terms of negative order in its expression as a Laurent series in $1/x$ are all zero.
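
The recurrence above can be checked numerically. The following sketch is an added example, not code from the paper: it runs a textbook Berlekamp-Massey iteration (not the paper's Algorithm 4) on the syndromes e(1), e(α), ... of a dual Reed-Solomon code and reverses the resulting connection polynomial, which yields a monic locator whose roots are the error positions α^i rather than their inverses. The field GF(17), α = 3, k = 10, the errors-only setting (s = 0), the sample message and all function names are assumptions chosen for illustration.

```python
# Added example, not the paper's code. Assumed: GF(17), alpha = 3, errors only (s = 0).
P, ALPHA, N, K = 17, 3, 16, 10   # n = q - 1, d = n - k + 1 = 7, so t <= 3

def poly_eval(u, a):
    """Evaluate u(x) = u[0] + u[1] x + ... at a (Horner, mod P)."""
    acc = 0
    for coeff in reversed(u):
        acc = (acc * a + coeff) % P
    return acc

def poly_mul(a, b):
    """Product of two coefficient lists (lowest degree first), mod P."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out

def dual_rs_encode(msg):
    """Codeword of C(k): msg(x) * (x - 1)(x - alpha)...(x - alpha^(n-k-1))."""
    g = [1]
    for m in range(N - K):
        g = poly_mul(g, [-pow(ALPHA, m, P) % P, 1])
    return poly_mul(g, msg)

def berlekamp_massey(seq):
    """Shortest C = [1, c1, ..., cL] with sum_j C[j] * seq[m - j] = 0 mod P."""
    C, B, L, shift, b = [1], [1], 0, 1, 1
    for m in range(len(seq)):
        delta = sum(C[j] * seq[m - j] for j in range(L + 1)) % P
        if delta:
            T, scale = C[:], delta * pow(b, -1, P) % P
            C += [0] * (len(B) + shift - len(C))
            for j, bj in enumerate(B):
                C[j + shift] = (C[j + shift] - scale * bj) % P
            if 2 * L <= m:                       # register must grow
                L, B, b, shift = m + 1 - L, T, delta, 0
        shift += 1
        C += [0] * (L + 1 - len(C))              # keep C indexable up to L
    return C[:L + 1]

def locate_errors(received):
    """Return (Lambda_e, positions); Lambda_e is monic with roots alpha^i."""
    synd = [poly_eval(received, pow(ALPHA, m, P)) for m in range(N - K)]
    lam = berlekamp_massey(synd)[::-1]   # reciprocal of the connection polynomial
    return lam, [i for i in range(N) if poly_eval(lam, pow(ALPHA, i, P)) == 0]

# Constructed sample: encode a message, then corrupt positions 2, 9 and 13.
word = dual_rs_encode([5, 0, 11, 3, 7, 1, 0, 2, 9, 4])
for pos, val in ((2, 4), (9, 11), (13, 1)):
    word[pos] = (word[pos] + val) % P
print(locate_errors(word))
```

Reversing the coefficient list is the only step that distinguishes this from the classical convention: the connection polynomial found by Berlekamp-Massey has the inverses of the error positions as roots, and its reciprocal is the locator used throughout this paper.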

Conclusions
By working with error/erasure locator polynomials whose roots correspond to the error positions rather than to their inverses and with an evaluator polynomial that gives the error values when we evaluate it at the error positions instead of evaluating it at the inverses of the error positions we get to a symmetric key equation for Reed-Solomon codes. We showed that the symmetric key equation can be solved by an adapted Euclidean algorithm whose steps can be refined leading naturally to the Berlekamp-Massey algorithm.