Decoding Linear Codes over Chain Rings Given by Parity Check Matrices

Abstract: We design a decoding algorithm for linear codes over finite chain rings given by their parity check matrices. It is assumed that decoding algorithms over the residue field are known at each degree of the adic decomposition.


Introduction
One of the first applications of linear codes whose underlying alphabet is not a finite field appears in [1], where nonlinear binary codes are built from $\mathbb{Z}_4$-linear codes by means of the Gray map. Since then, considerable research efforts have focused on linear codes having a finite ring R as their alphabet. Normally, R is assumed to enjoy suitable properties. For instance, Wood, in [2], states MacWilliams identities for finite Frobenius rings, extending the foundations of coding theory to linear codes over Frobenius rings. In [3] it is proven that finite Frobenius rings are Frobenius algebras over their characteristic subrings, which enriches the duality theory for linear codes over this kind of alphabet.
Feng et al. connect linear codes over finite chain rings to network coding in [4,5] by means of matrix channels. They provide a general description of linear codes over finite chain rings, where the m-adic decomposition is made with respect to any set of representatives containing the element zero.
Concerning efficient decoding algorithms, a framework for decoding linear codes over Galois rings is proposed in [6], which generalizes previous works like [7]. This decoding framework assumes that there is a chain of linear codes over the residue field which have efficient decoding algorithms. These codes are defined by their generating matrices.
In this paper we improve the decoding framework of [6] in two ways. In Appendix A we observe that the decoding scheme from [6] works, with slight modifications, over any finite chain ring and for any set of representatives containing 0 in each degree. However, the efficiently decodable codes are still ordered in a chain. In Section 3 we introduce a new framework where the codes are provided by parity check matrices. This viewpoint has an advantage: the codes over the residue field which are associated to each degree in the corresponding m-adic decomposition do not need to be ordered in a chain. We thus gain flexibility to build them from codes over fields with good decoding algorithms. In Section 4, Smith normal forms of matrices over chain rings are used to compute generating matrices from parity check ones, so a complete coding/decoding scheme is provided. We have also included the Sagemath code of the proposed framework in Appendix B.

Preliminaries
Throughout this paper, the word ring means finite commutative ring with identity. A ring is said to be a chain ring if its ideals form a chain under inclusion. Every chain ring is a local ring and, therefore, its elements admit "adic" expansions with respect to the maximal ideal. More precisely, let $R$ be a finite local ring with maximal ideal $\mathfrak{m}$. Nakayama's Lemma shows that the powers of $\mathfrak{m}$ form a finite chain with strict inclusions $R \supset \mathfrak{m} \supset \cdots \supset \mathfrak{m}^{\nu-1} \supset \mathfrak{m}^{\nu} = \{0\}$, with $\mathfrak{m}^{\nu-1} \neq \{0\}$ for some positive integer $\nu$ called the nilpotency index of $R$. If $R$ is a chain ring, then all its ideals appear in this chain.
Given $r \in R$, we set $\deg(r) = \max\{i \leq \nu : r \in \mathfrak{m}^i\}$, the degree of $r$. For $i = 0, \dots, \nu - 1$ we consider the canonical projection maps and we fix maps Every $r \in R$ is expressed as for uniquely determined This expression is referred to as the (m, [0] , . . . , [ν−1] )-adic expansion of $r$. Indeed, if $r$ is written as in (1), then, since π k (r [j] ) = 0 whenever $j > k$, we have , so we deduce From (1) we also get that π 0 (r) = π 0 (r [0] ) and, thus, Equality (4), in conjunction with the recursive formula (3), shows that the elements r [i] are uniquely determined by $r$. This idea also shows how to compute, granting in this way the existence of the expression (1), the elements r [i] from a given $r \in R$. In fact, r [0] is computed according to (4), and the subsequent elements r [1] , . . . , r [ν−1] are defined recursively by (3). Observe that as a consequence of a recursive application of the identities π i [i] = id m i /m i+1 , (4) and (3). Finally, we may see that When $R$ is a chain ring, its maximal ideal is principal, and we may then choose $m \in R$ such that $\mathfrak{m} = Rm$ (see e.g., Proposition 2.1 in [8] or §XVII in [9]). It follows that $\mathfrak{m}^i = Rm^i$ for each $0 \leq i \leq \nu - 1$.
Taking advantage of the well known fact that $\mathfrak{m}^i/\mathfrak{m}^{i+1}$ is a vector space of dimension 1 over the residue field $F = R/\mathfrak{m}$, we obtain a bijective map as follows. The multiplication map $R \xrightarrow{\cdot m^i} \mathfrak{m}^i/\mathfrak{m}^{i+1}$ induces an isomorphism of $R$-modules In this way, for each $i = 0, 1, \dots, \nu - 1$, given i : The maps [i] obey the rule Summing up the relevant information so far obtained, we state the following proposition.

Remark 1.
The coefficients $\rho_i$ can be computed recursively from (7).
The m-adic expansion (6) is extended to matrices in a straightforward way. Let $A^{s \times t}$ denote the set of all matrices of size $s \times t$ with coefficients in a commutative ring $A$, which is a free $A$-module. We may extend any map $F \to R$ component-wise to a map $F^{s \times t} \to R^{s \times t}$. Then, every matrix $L \in R^{s \times t}$ has an m-adic expansion for uniquely determined matrices $\Lambda_i \in F^{s \times t}$. Although the splitting maps are neither additive nor multiplicative, they obey some relations which will be used. Concretely, let $\rho, \sigma \in F$ and i , j , k : F → R splittings. Since $\pi_0 : R \to F$ is a ring morphism, it follows that The structure of the finite chain rings is well known, see (XVII.5) Theorem in [9]. We will not use this description in full generality, so we only recall the rings that appear in our examples.
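An added illustration (not taken from the paper or its Sagemath appendix) of the entry-wise expansion of a matrix under two different splitting structures. It assumes the chain ring $\mathbb{Z}/27$ with maximal ideal generated by 3; the function names, the two sets of representatives and the sample matrix are constructed for this example.

```python
def expand(r, p, nu, splits):
    """Coefficients rho_0..rho_{nu-1} in F = Z/p with
    r = sum_i splits[i](rho_i) * p^i in the assumed ring Z/p^nu."""
    q, rem, rho = p**nu, r % p**nu, []
    for i in range(nu):
        rho.append((rem // p**i) % p)        # rem lies in (p^i); project to F
        rem = (rem - splits[i](rho[-1]) * p**i) % q
    return rho

def recombine(rho, p, nu, splits):
    """Inverse of expand: rebuild r from its coefficients."""
    return sum(splits[i](a) * p**i for i, a in enumerate(rho)) % p**nu

def expand_matrix(L, p, nu, splits):
    """Entry-wise expansion: matrices Lambda_0..Lambda_{nu-1} over F."""
    coeffs = [[expand(x, p, nu, splits) for x in row] for row in L]
    return [[[c[i] for c in row] for row in coeffs] for i in range(nu)]

# Constructed sample: R = Z/27, one splitting map per degree, each fixing 0.
PRIME, NU = 3, 3
STANDARD = [lambda a: a] * NU                                    # {0, 1, 2}
BALANCED = [lambda a: a if a <= PRIME // 2 else a - PRIME] * NU  # {0, 1, -1}
SAMPLE_L = [[5, 18], [26, 7]]
```

Both structures give the same degree-0 matrix, since that coefficient is the projection of each entry to the residue field, while the higher matrices differ. Expanding 2 + 2 = 4 with the standard representatives gives [1, 1, 0], not the coefficient-wise sum [1, 0, 0], which is the non-additivity noted above.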

Example 1.
Recall that a Galois ring $\mathrm{GR}(p^\alpha, \beta)$ is an extension of degree $\beta$ of $\mathbb{Z}/\mathbb{Z}p^\alpha$, i.e., of degree $\beta$. Its maximal ideal is generated by the prime $p$. The nilpotency index of $p$ is $\alpha$, and . In particular, $\mathbb{Z}/\mathbb{Z}p^\alpha = \mathrm{GR}(p^\alpha, 1)$ is a chain ring. On the other hand, $\mathrm{GF}(p^\beta) = \mathrm{GR}(p, \beta)$ is a field, so it is trivially a chain ring.

Example 2.
The ring $\mathbb{F}_{p^\alpha}[x]/\langle x^\beta \rangle$, where $\mathbb{F}_{p^\alpha}$ is the field with $p^\alpha$ elements, is also a chain ring. The maximal ideal is generated by $x$, and it has nilpotency index $\beta$. Of course $F \cong \mathbb{F}_{p^\alpha}$.
In the rest of the paper, $C$ is an $R$-linear code of length $n$. Vectors are represented by boldface letters, whilst matrices are represented by uppercase letters. We use the Latin alphabet to represent elements in $R$ and the Greek alphabet to represent elements of $F$. Moreover, given a matrix $M$ over $R$ with $n$ rows, we denote The same applies to matrices over the residue field $F$.

Remark 3. By an abuse of language, for
The same convention applies to matrices.

Decoding via Parity Check
Let us fix a chain ring $R$ with maximal ideal $\mathfrak{m}$ and nilpotency index $\nu$, i.e., $\mathfrak{m}^{\nu} = \{0\}$ and $\mathfrak{m}^{\nu-1} \neq \{0\}$. We also fix a splitting structure (m, 0 , . . . , ν−1 ) for $R$. There are two standard ways to present an $R$-linear code $C$, as the image $C = \operatorname{im}(G)$ of a generating matrix $G$ or as the kernel $C = \ker(H)$ of a parity check matrix $H$. In the first case, by §IV in [5], we do not lose generality if we assume $C = \operatorname{im}(G)$, where (1) . . .
j whose entries are in $F$, and $\Gamma^{(i)}_i$ is full rank. The decoding framework introduced in [6] and expounded in Appendix A uses this presentation of codes as images. It needs a chain of linear codes over the residue field $F$ with efficient decoding algorithms. There are several ways to get it. For instance, even with classical linear codes, if we want to use BCH (Bose-Chaudhuri-Hocquenghem) codes, we shall use a decreasing chain of defining sets to build the chain of codes. Goppa codes can also be used, but taking as the Goppa polynomial of one code in the chain a divisor of the Goppa polynomial of the previous code. In any case, this is a limitation of the possible codes we can use at each degree.
We are interested in the second presentation, so let $C$ be an $R$-linear code given by a parity check matrix $H \in R^{n \times q}$, i.e., In this section, we develop a new decoding framework based on syndrome decoding for each degree, i.e., we use the parity check matrices and the syndromes of the received words to decode. This strategy allows one to choose independently the linear codes over the residue field at each degree.
By §II.D in [4], we can replace $H$ by its column reduced canonical form, so we do not lose generality if we assume for suitable matrices $\Theta^{(i)}_j \in F^{n \times q_i}$ such that the matrices Θ Our decoding framework computes $\mathbf{e}$ from $H$ and $\mathbf{s}$ by means of an iterative process. Let us introduce notation for the corresponding m-adic expansions: We have taken into account that $\mathbf{s}$ where we use that $m^{\nu} = 0$ and we performed the change of variable j = j 0 + l 0 . Hence, for each $0 \leq i \leq \nu - 1$. The right hand side of (12) need not be an m-adic decomposition, so we cannot infer from (12) any equality of the corresponding coefficients of each $m^j$. Let us describe the iterative decoding framework.

Second Step: Computing $\boldsymbol{\xi}_1$
We include this second step to help the reader to follow the framework. At this step, $\boldsymbol{\xi}_0$ is known. If we put $i = \nu - 2$ in (12), we have Since the vector $\boldsymbol{\xi}_0$ is assumed to be known, the element can be computed. Hence, by Proposition 1, there exists $\boldsymbol{\delta} \in F^n$ such that (15) which can be computed since all elements appearing in its definition are known. Equations (14) and (15) imply ν−2 ). If the weight of $\boldsymbol{\xi}_1$ is below the correction capability of $d_{\nu-2}$, then $\boldsymbol{\xi}_1 = d_{\nu-2}(\boldsymbol{\delta})$.
Proof. As we observed before in Propositions 2 and 3, $\boldsymbol{\xi}_l$ is the unique solution of (20) whose weight is below the correction capability of ker(Θ The decoding framework is summarized in Algorithm 1.

Remark 4.
Our parity check decoding framework could be used to design a McEliece like cryptosystem following the proposal in [10]. However, by Remark 2, given $H$ as in (9), the matrices Θ ν−1 do not depend on the splitting structure, so an eavesdropper could use any structure to compute the parity check matrices of the linear codes over $F$. Therefore, the security of this possible cryptosystem would be equivalent to $\nu$ consecutive linear codes over the residue field $F$.
According to (7), an m-adic expansion can be computed by $2\nu$ operations, so that Line 1 belongs to $O(\nu^2)$. Now, the calculation of $\delta$ in Line 4 is obtained by solving a linear system over the residue field $F$. This can be computed by Gaussian elimination, which can be done in $O(t^{\omega})$, where $\omega$ is the matrix multiplication exponent and $t$ is the dimension of the matrix. We may consider the classical algorithm and set $\omega = 3$, so that Line 3 in each iteration of the loop belongs to $O(n^3 + f(n))$, where $n$ is the length of the code. Thus Algorithm 1 can be executed in $O(\nu^2 + \nu n^3 + \nu f(n))$. In general, since ν n, we may say that the complexity belongs to $O(\max(n^3, f(n)))$.

Parity Check and Encoders
There are known interesting applications of linear codes over finite chain rings, such as those mentioned in [4,5]. So, even though the decoding framework is based on syndrome decoding by means of parity check matrices, an encoding process is also needed. We therefore need to build a generating matrix from the parity check matrix $H$ which defines our code. This task may be performed by using the Smith normal form. Recall that a $k \times n$ matrix $M$ over an arbitrary ring has a Smith normal form if there exist invertible $k \times k$ and $n \times n$ matrices $P$, $Q$ and a diagonal (not necessarily square) matrix $D$, where $d_1, \dots, d_{\min(k,n)}$ are the elements in the main diagonal, such that $PMQ = D$ and $d_i \mid d_{i+1}$.
Any matrix over a commutative principal ideal ring has a Smith normal form (Chapter 15 in [11]). In the particular case of a chain ring, Algorithm 2 gives a way to compute this normal form which simplifies the general procedure in [11].
We may assume $k \leq n$; otherwise we can compute it for the transpose $M^T$, and if $P M^T Q = D$ we have $Q^T M P^T = D^T$.

Algorithm 2: Smith normal form for finite chain rings.
Input A matrix $M \in R^{k \times n}$ over a finite chain ring $R$ with nilpotency index $\nu$, such that $k \leq n$.
Output $D, P, Q$ such that $D$ is a Smith normal form, $P$ and $Q$ are invertible, and $D = PMQ$.
$Q \leftarrow I_{n \times n}$.
3: Find $m_{1,j}$ of lowest degree in $M$.
4: Swap columns 1 and $j$ in $M$ and $Q$.
7: In $M$ and $Q$, replace column $j$ with column $j$ minus $t$ times column 1.
Compute $t \in R$ such that $m_{1,j} = t m_{1,1}$.
21: In $M$ and $T$, replace column $j$ with column $j$ minus $t$ times column 1.

(21) Since $\deg(r + s), \deg(rs) \geq \min\{\deg(r), \deg(s)\}$ for all $r, s \in R$, once $m_{1,1}$ is an element of lowest degree, any operation involving sums and products cannot decrease the degree, so, by (21), we can compute $t \in R$ in lines 6, 16 and 20, and all entries of $M$ have degree greater than or equal to the degree of $m_{1,1}$. Since $S$ and $T$ are built to obtain so the output of Algorithm 2 is correct.
Once the Smith normal form of the parity check matrix has been found, we may compute a generating matrix. Indeed, assume $H \in R^{n \times q}$ and let $D, P, Q$ be matrices such that $D$ is a Smith normal form for $H$ and $D = PHQ$. Since $Q$ is invertible, it follows that $\mathbf{c} \in \ker(H)$ if and only if $\mathbf{c} \in \ker(HQ)$. Moreover, $\mathbf{x} \in \ker(D)$ if and only if $\mathbf{x}P \in \ker(HQ)$, so, if $\ker(D) = \operatorname{im}(E)$ we get $\ker(H) = \operatorname{im}(EP)$. Now, recall $D$ is diagonal with $d_1 \mid d_2 \mid \cdots \mid d_{\min\{n,q\}}$ which, by (21), is equivalent to saying that $\deg(d_1) \leq \deg(d_2) \leq \cdots \leq \deg(d_{\min\{n,q\}})$. It follows that $E$ can be taken as an $n \times n$ diagonal matrix whose diagonal elements are $\{m^{\nu - \deg(d_1)}, m^{\nu - \deg(d_2)}, \dots, m^{\nu - \deg(d_{\min\{n,q\}})}, 1, \dots, 1\}$. We may summarize these ideas in Algorithm 3.

Algorithm 3: Generating matrix computation from a parity check matrix.
Input A parity check matrix $H \in R^{n \times q}$.
Output A matrix G such that ker(H) = im(G).
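The Smith normal form reduction described for Algorithm 2 and the generating matrix $G = EP$ of Algorithm 3, as an added Python example (not the paper's Sagemath code from Appendix B). It assumes the chain ring $R = \mathbb{Z}/p^{\nu}$ with $m = p$ and clears both the row and the column of each pivot; the function names and the sample matrix are constructed for this illustration.

```python
def deg(r, p, nu):
    """Degree in the assumed ring Z/p^nu: largest i <= nu with r in (p^i)."""
    r %= p**nu
    return nu if r == 0 else next(i for i in range(nu) if r % p**(i + 1))

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul(A, B, q):
    return [[sum(a * b for a, b in zip(r, c)) % q for c in zip(*B)] for r in A]

def smith(M, p, nu):
    """Return (D, P, Q) with D = P*M*Q diagonal and deg(d_1) <= deg(d_2) <= ..."""
    q = p**nu
    D = [[x % q for x in row] for row in M]
    n, c = len(D), len(D[0])
    P, Q = identity(n), identity(c)
    for k in range(min(n, c)):
        # Pivot: an entry of lowest degree in the block not yet reduced.
        d, r, s = min((deg(D[i][j], p, nu), i, j)
                      for i in range(k, n) for j in range(k, c))
        if d == nu:                      # remaining block is zero
            break
        for A in (D, P):                 # row swap, mirrored in P
            A[k], A[r] = A[r], A[k]
        for A in (D, Q):                 # column swap, mirrored in Q
            for row in A:
                row[k], row[s] = row[s], row[k]
        inv = pow(D[k][k] // p**d, -1, q)    # pivot = unit * p^d
        for i in range(k + 1, n):        # t with D[i][k] = t * pivot; clear column k
            t = (D[i][k] // p**d) * inv % q
            for A in (D, P):
                A[i] = [(x - t * y) % q for x, y in zip(A[i], A[k])]
        for j in range(k + 1, c):        # same for row k, mirrored in Q
            t = (D[k][j] // p**d) * inv % q
            for A in (D, Q):
                for row in A:
                    row[j] = (row[j] - t * row[k]) % q
    return D, P, Q

def generator_from_parity_check(H, p, nu):
    """G = E*P with E = diag(p^(nu - deg d_i), ..., 1, ..., 1); ker(H) = im(G)."""
    D, P, _ = smith(H, p, nu)
    E = identity(len(H))
    for i in range(min(len(H), len(H[0]))):
        E[i][i] = p**(nu - deg(D[i][i], p, nu)) % p**nu
    return matmul(E, P, p**nu)

# Constructed sample: 4x2 parity check matrix over Z/8 (p = 2, nu = 3).
SAMPLE_H = [[2, 4], [1, 2], [3, 0], [0, 4]]
```

For the sample, the diagonal of $D$ is (1, 2), so $E = \mathrm{diag}(0, 4, 1, 1)$ and the code has $1 \cdot 2 \cdot 8 \cdot 8 = 128$ codewords.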

Conflicts of Interest:
The authors declare no conflict of interest.

Appendix A. Decoding via Encoders
In this appendix we show that the decoding framework for linear codes over Galois rings presented in [6] is still valid for the broader class of chain rings. In addition, we amend a subtle gap in [6].
A splitting structure (m, 0 , . . . , ν−1 ) is fixed for a chain ring R with maximal ideal m and nilpotency index ν. As we pointed out in Section 3, we may assume C = im(G), where (1) . . .
and, for each $0 \leq i \leq \nu - 1$, $G^{(i)}$ is a $k_i \times n$ matrix whose m-adic decomposition is j whose entries are in $F$, and $\Gamma^{(i)}_i$ is full rank. Information is presented as vectors The reason for this restriction is that terms of higher degree are annihilated in the encoding process. Indeed, let $\mathbf{c} = \mathbf{u}G$. Then This is not necessarily the m-adic decomposition of $\mathbf{c}$, since we do not know if the coefficients of each $m^l$ belong to im( l ). Actually, this is the inaccuracy in Equation (11) in [6]. However, we may fix this issue, since the knowledge of $\boldsymbol{\upsilon}$ For each $0 \leq l \leq \nu - 1$ it follows that and, by (A1), We use (A2) to describe the decoding framework. We start by computing $\boldsymbol{\xi}_0$ and $\boldsymbol{\upsilon}$ These last two equations imply that 0 is a codeword in $C^{(0)}$ and $\boldsymbol{\gamma}_0$ is a received word with error $\boldsymbol{\xi}_0$. If we can decode $\boldsymbol{\gamma}_0$, then we can compute $\boldsymbol{\xi}_0$ and $\boldsymbol{\upsilon}$ For the general recursive step, assume that $\boldsymbol{\xi}_i$ for $0 \leq i \leq l - 1$ and $\boldsymbol{\upsilon}^{(j)}_0 \cdots \boldsymbol{\upsilon}^{(0)}_j$ for $0 \leq j \leq l - 1$ are known. Let us describe how to compute $\boldsymbol{\xi}_l$ and $\boldsymbol{\upsilon}$ Rearranging its summands we get so, by Proposition 1, there exists $\boldsymbol{\delta}_l \in F^n$ such that Combining (A3) and (A4), we get
In our experiments we have used Goppa codes as efficiently decodable codes over the residue field. The current implementation of Goppa codes in [12] works only for prime fields. Since some of our tests need Goppa codes over $\mathbb{F}_4$, we have implemented their construction and decoding by means of the Sugiyama algorithm.