The key equation for codes from order domains
John B. Little
Department of Mathematics and Computer Science,
College of the Holy Cross,
Worcester, MA 01610, USA
We study a sort of analog of the key equation for decoding Reed-Solomon and
BCH codes and identify a key equation for all codes from order domains which
have finitely-generated value semigroups (the field of fractions of the order domain may have arbitrary transcendence degree, however). We provide a natural
interpretation of the construction using the theory of Macaulay’s inverse systems and duality. O’Sullivan’s generalized Berlekamp-Massey-Sakata (BMS)
decoding algorithm applies to the duals of suitable evaluation codes from these
order domains. When the BMS algorithm does apply, we will show how it can
be understood as a process for constructing a collection of solutions of our key
equation.
Keywords: order domain, key equation, Berlekamp-Massey-Sakata algorithm
1. Introduction
The theory of error control codes constructed using ideas from algebraic geometry (including the geometric Goppa and related codes) has undergone a
remarkable extension and simplification with the introduction of codes constructed from order domains. This development has been largely motivated
by the structures utilized in the Berlekamp-Massey-Sakata decoding algorithm with Feng-Rao-Duursma majority voting for unknown syndromes.
The order domains, see [1–4], form a class of rings having many of the
same properties as the rings $R = \cup_{m=0}^{\infty} L(mQ)$ underlying the one-point
geometric Goppa codes constructed from curves. The general theory gives
a common framework for these codes, n-dimensional cyclic codes, as well as
many other Goppa-type codes constructed from varieties of dimension > 1.
Moreover, O’Sullivan has shown in [5] that the Berlekamp-Massey-Sakata
decoding algorithm (abbreviated as the BMS algorithm in the following)
and the Feng-Rao procedure extend in a natural way to a suitable class of
codes in this much more general setting.
For the Reed-Solomon codes, the Berlekamp-Massey decoding algorithm
can be phrased as a method for solving a key equation. For a Reed-Solomon
code with minimum distance d = 2t + 1, the key equation has the form
$$f S \equiv g \bmod \langle X^{2t} \rangle. \tag{1}$$
Here S is a known univariate polynomial in X constructed from the error
syndromes, and f, g are unknown polynomials in X. If the error vector e
satisfies wt(e) ≤ t, there is a unique solution (f, g) with deg(f ) ≤ t, and
deg(g) < deg(f ) (up to a constant multiple). The polynomial f is known as
the error locator because its roots give the inverses of the error locations;
the polynomial g is known as the error evaluator because the error values
can be determined from values of g at the roots of f , via the Forney formula.
O’Sullivan has introduced a generalization of this key equation for one-point geometric Goppa codes from curves in [6] and shown that the BMS
algorithm can be modified to compute the analogs of the error-evaluator
polynomial together with error locators.
Our main goal in this article is to identify an analog of the key equation Eq. (1) for codes from general order domains, and to give a natural
interpretation of these ideas in the context of Macaulay’s inverse systems
for ideals in a polynomial ring (see [7–10]) and the theory of duality. We
will only consider order domains whose value semigroups are finitely generated. In these cases, the ring $R$ can be presented as an affine algebra
$R \cong \mathbb{F}[X_1, \dots, X_s]/I$, where the ideal $I$ has a Gröbner basis of a very particular form (see [3]). Although O’Sullivan has shown how more general
order domains arise naturally from valuations on function fields, it is not
clear to us how our approach applies to those examples. On the positive
side, by basing all constructions on algebra in polynomial rings, all codes
from these order domains can be treated in a uniform way. Second, we also
propose to study the relation between the BMS algorithm and the process
of solving this key equation in the cases where BMS is applicable.
Our key equation generalizes the key equation for n-dimensional cyclic
codes studied by Chabanne and Norton in [12]. Results on the algebraic
background for their construction appear in [13]. See also [14] for connections with the more general problem of finding shortest linear recurrences,
and [15] for a generalization giving a key equation for codes over commutative rings.
The present article is organized as follows. In Section 2 we will briefly
review the definition of an order domain, evaluation codes and dual evaluation codes. Section 3 contains a quick summary of the basics of Macaulay
inverse systems and duality. In Section 4 we introduce the key equation and
relate the BMS algorithm to the process of solving this equation.
2. Codes from Order Domains
In this section we will briefly recall the definition of order domains and
explain how they can be used to construct error control codes. We will use
the following formulation.
Definition 2.1. Let $R$ be an $\mathbb{F}_q$-algebra and let $(\Gamma, +, \succ)$ be a well-ordered
semigroup. We assume the ordering is compatible with the semigroup operation in the sense that if $a \succ b$ and $c$ is arbitrary in $\Gamma$, then $a + c \succ b + c$. An
order function on $R$ is a surjective mapping $\rho : R \to \{-\infty\} \cup \Gamma$ satisfying:
(1) $\rho(f) = -\infty \Leftrightarrow f = 0$,
(2) $\rho(cf) = \rho(f)$ for all $f \in R$, all $c \neq 0$ in $\mathbb{F}_q$,
(3) $\rho(f + g) \preceq \max_{\succ}\{\rho(f), \rho(g)\}$,
(4) if $\rho(f) = \rho(g) \neq -\infty$, then there exists $c \neq 0$ in $\mathbb{F}_q$ such that $\rho(f) \prec \rho(f - cg)$,
(5) $\rho(fg) = \rho(f) + \rho(g)$.
We call $\Gamma$ the value semigroup of $\rho$.
Axioms 1 and 5 in this definition imply that R must be an integral domain.
In the cases where the transcendence degree of R over Fq is at least 2, a ring
R with one order function will have many others too. For this reason an
order domain is formally defined as a pair (R, ρ) where R is an Fq -algebra
and ρ is an order function on R. However, from now on, we will only use
one particular order function on R at any one time. Hence we will often
omit it in referring to the order domain, and we will refer to Γ as the value
semigroup of R. Several constructions of order domains are discussed in [3]
and [4].
The most direct way to construct codes from an order domain given
by a particular presentation $R \cong \mathbb{F}_q[X_1, \dots, X_s]/I$ is to generalize Goppa’s
construction in the case of curves.
Let $X_R$ be the variety $V(I) \subset \mathbb{A}^s$ and let
$$X_R(\mathbb{F}_q) = \{P_1, \dots, P_n\}$$
be the set of $\mathbb{F}_q$-rational points on $X_R$. Define an evaluation mapping
$$\mathrm{ev} : R \to \mathbb{F}_q^n, \qquad f \mapsto (f(P_1), \dots, f(P_n)).$$
Let $V \subset R$ be any finite-dimensional vector subspace. Then the image
$\mathrm{ev}(V) \subseteq \mathbb{F}_q^n$ will be a linear code in $\mathbb{F}_q^n$. One can also consider the dual code
$\mathrm{ev}(V)^{\perp}$.
Of particular interest here are the codes constructed as follows (see
[5]). Let $R$ be an order domain whose value semigroup $\Gamma$ can be put into
order-preserving one-to-one correspondence with $\mathbb{Z}_{\geq 0}$. We refer to such $\Gamma$ as
Archimedean value semigroups because it follows that for all nonconstant
$f \in R$ and all $g \in R$ there is some $n \geq 1$ such that $\rho(f^n) \succ \rho(g)$. This
property is equivalent to saying that the corresponding valuation of $K = QF(R)$ has rank 1. O’Sullivan gives a necessary and sufficient condition for
this property when $\succ$ is given by a monomial order on $\mathbb{Z}^r_{\geq 0}$ in [2], Example
1.3. Let $\Delta$ be the ordered basis of $R$ with ordering by $\rho$-value. Let $\ell \in \mathbb{N}$
and let $V_\ell$ be the span of the first $\ell$ elements of $\Delta$. In this way, we obtain
evaluation codes $Ev_\ell = \mathrm{ev}(V_\ell)$ and dual codes $C_\ell = Ev_\ell^{\perp}$ for all $\ell$.
O’Sullivan’s generalized BMS algorithm is specifically tailored for this
last class of codes from order domains with Γ Archimedean. If the Cℓ codes
are used to encode messages, then the Evℓ codes describe the parity checks
and the syndromes used in the decoding algorithm.
3. Preliminaries on Inverse Systems
A natural setting for our formulation of a key equation for codes from order domains is the theory of inverse systems of polynomial ideals originally
introduced by Macaulay. There are several different versions of this theory. For modern versions using the language of differentiation operators,
see [9, 10]. Here, we will summarize a number of more or less well-known
results, using an alternate formulation of the definitions that works in any
characteristic. A reference for this approach is [8].
Let $k$ be a field, let $S = k[X_1, \dots, X_s]$ and let $T$ be the formal power
series ring $k[[X_1^{-1}, \dots, X_s^{-1}]]$ in the inverse variables. $T$ is an $S$-module
under a mapping
$$c : S \times T \to T, \qquad (f, g) \mapsto f \cdot g,$$
sometimes called contraction, defined as follows. First, given monomials $X^{\alpha}$
in $S$ and $X^{-\beta}$ in $T$, $X^{\alpha} \cdot X^{-\beta}$ is defined to be $X^{\alpha - \beta}$ if this is in $T$, and 0
otherwise. We then extend by linearity to define $c : S \times T \to T$.
Let $\mathrm{Hom}_k(S, k)$ be the usual linear dual vector space. It is a standard
fact that the mapping
$$\phi : \mathrm{Hom}_k(S, k) \to T, \qquad \Lambda \mapsto \sum_{\beta \in \mathbb{Z}^s_{\geq 0}} \Lambda(X^{\beta}) X^{-\beta}$$
is an isomorphism of $S$-modules, if we make $\mathrm{Hom}_k(S, k)$ into an $S$-module
in the usual way by defining $(q\Lambda)(p) = \Lambda(qp)$ for all polynomials $p, q$ in $S$.
In explicit terms, the $k$-linear form on $S$ obtained from an element $g \in T$
is a mapping $\Lambda_g$ defined as follows. For all $f \in S$,
$$\Lambda_g(f) = (f \cdot g)_0,$$
where $(t)_0$ denotes the constant term in $t \in T$. In the following we will
identify elements of $T$ with their corresponding linear forms on $S$.
The theory of inverse systems sets up a correspondence between ideals
in $S$ and submodules of $T$. All such ideals and submodules are finitely
generated and we will use the standard notation $\langle f_1, \dots, f_t \rangle$ for the ideal
generated by a collection of polynomials $f_i \in S$.
For each ideal I ⊆ S, we can define the annihilator, or inverse system,
of I in T as
I ⊥ = {Λ ∈ T : Λ(p) = 0, ∀ p ∈ I}.
It is easy to check that I ⊥ is an S-submodule of T under the module
structure defined above. Similarly, given an S-submodule H ⊆ T , we can
define
H ⊥ = {p ∈ S : Λ(p) = 0, ∀ Λ ∈ H},
and H ⊥ is an ideal in S. The key point in this theory is the following duality
statement.
Theorem 3.1. The ideals of $S$ and the $S$-submodules of $T$ are in inclusion-reversing bijective correspondence via the constructions above, and for all
$I, H$ we have:
$$(I^{\perp})^{\perp} = I, \qquad (H^{\perp})^{\perp} = H.$$
See [8] for a proof.
We will be interested in applying Theorem 3.1 when $I$ is the ideal of
some finite set of points in the n-dimensional affine space over $k$ (e.g. when
$k = \mathbb{F}_q$ and $I$ is an error-locator ideal arising in decoding – see Section 4
below). In the following, we will use the notation $m_P$ for the maximal ideal
of $S$ corresponding to the point $P \in k^s$.
Theorem 3.2. Let $P_1, \dots, P_t$ be points in $k^s$ and let
$$I = m_{P_1} \cap \cdots \cap m_{P_t}.$$
The submodule of $T$ corresponding to $I$ has the form
$$H = I^{\perp} = (m_{P_1})^{\perp} \oplus \cdots \oplus (m_{P_t})^{\perp}.$$
Proof. In Proposition 2.6 of [11], Geramita shows that $(I \cap J)^{\perp} = I^{\perp} + J^{\perp}$
for any pair of ideals. The idea is that $I^{\perp}$ and $J^{\perp}$ can be constructed degree
by degree, so the corresponding statement from the linear algebra of finite-dimensional vector spaces applies. The equality $(I + J)^{\perp} = I^{\perp} \cap J^{\perp}$ also
holds from linear algebra (and no finite-dimensionality is needed). The sum
in the statement of the Lemma is a direct sum since $m_{P_i} + \cap_{j \neq i} m_{P_j} = S$,
hence $(m_{P_i})^{\perp} \cap \Sigma_{j \neq i} (m_{P_j})^{\perp} = \{0\}$.
We can also give a concrete description of the elements of (mP )⊥ .
Theorem 3.3. Let $P = (a_1, \dots, a_s) \in \mathbb{A}^s$ over $k$, and let $L_i$ be the coordinate hyperplane $X_i = a_i$ containing $P$.
(1) $(m_P)^{\perp}$ is the cyclic $S$-submodule of $T$ generated by
$$h_P = \sum_{u \in \mathbb{Z}^s_{\geq 0}} P^u X^{-u},$$
where if $u = (u_1, \dots, u_s)$, $P^u$ denotes the product $a_1^{u_1} \cdots a_s^{u_s}$ ($X^u$ evaluated at $P$).
(2) $f \cdot h_P = f(P) h_P$ for all $f \in S$, and the submodule $(m_P)^{\perp}$ is a one-dimensional vector space over $k$.
(3) Let $I_{L_i}$ be the ideal $\langle X_i - a_i \rangle$ in $S$ (the ideal of $L_i$). Then $(I_{L_i})^{\perp}$ is the
submodule of $T$ generated by $h_{L_i} = \sum_{j=0}^{\infty} a_i^j X_i^{-j}$.
(4) In $T$, we have $h_P = \prod_{i=1}^{s} h_{L_i}$.
Proof. (1) First, if $f \in m_P$, and $g \in S$ is arbitrary then
$$\Lambda_{g \cdot h_P}(f) = (f \cdot (g \cdot h_P))_0 = ((fg) \cdot h_P)_0 = f(P) g(P) = 0.$$
Hence the $S$-submodule $\langle h_P \rangle$ is contained in $(m_P)^{\perp}$. Conversely, if $h \in (m_P)^{\perp}$, then for all $f \in m_P$,
$$0 = \Lambda_h(f) = (f \cdot h)_0.$$
An easy calculation using all $f$ of the form $f = X^{\beta} - a^{\beta} \in m_P$ shows that
$h = c h_P$ for some constant $c$. Hence $(m_P)^{\perp} = \langle h_P \rangle$.
(2) The second claim follows by a direct computation of the contraction
product $f \cdot h_P$.
(3) Let $f \in I_{L_i}$ (so $f$ vanishes at all points of the hyperplane $L_i$), and
let $g \in S$ be arbitrary. Then
$$\Lambda_{g \cdot h_{L_i}}(f) = (f \cdot (g \cdot h_{L_i}))_0 = ((fg) \cdot h_{L_i})_0 = f(0, \dots, 0, a_i, 0, \dots, 0)\, g(0, \dots, 0, a_i, 0, \dots, 0) = 0,$$
since the only nonzero terms in the product $((fg) \cdot h_{L_i})$ come from monomials in $fg$ containing only the variable $X_i$. Hence $\langle h_{L_i} \rangle \subset T$ is contained
in $I_{L_i}^{\perp}$. Then we show the other inclusion as in the proof of (1).
(4) We have $m_P = I_{L_1} + \cdots + I_{L_s}$. Hence $(m_P)^{\perp} = (I_{L_1})^{\perp} \cap \cdots \cap (I_{L_s})^{\perp}$,
and the claim follows. We note that a more explicit form of this equation
can be derived by the formal geometric series summation formula:
$$h_P = \sum_{u \in \mathbb{Z}^s_{\geq 0}} P^u X^{-u} = \prod_{i=1}^{s} \frac{1}{1 - a_i/X_i} = \prod_{i=1}^{s} h_{L_i}.$$
Both the polynomial ring $S$ and the formal power series ring $T$ can be
viewed as subrings of the field of formal Laurent series in the inverse variables,
$$K = k((X_1^{-1}, \dots, X_s^{-1})),$$
which is the field of fractions of $T$. Hence the (full) product $fg$ for $f \in S$
and $g \in T$ is an element of $K$. The contraction product $f \cdot g$ is a projection
of $fg$ into $T \subset K$. We can also consider the projection of $fg$ into $S_+ = \langle X_1, \dots, X_s \rangle \subset S \subset K$ under the linear projection with kernel spanned by
all monomials not in $S_+$. We will denote this by $(fg)_+$.
4. The Key Equation and its Relation to the BMS Algorithm
Let $C$ be one of the codes $C = \mathrm{ev}(V)$ or $\mathrm{ev}(V)^{\perp}$ constructed from an
order domain $R \cong \mathbb{F}_q[X_1, \dots, X_s]/I$. Consider an error vector $e \in \mathbb{F}_q^n$
(where entries are indexed by the elements of the set $X_R(\mathbb{F}_q)$). In the
usual terminology, the error-locator ideal corresponding to $e$ is the ideal
$I_e \subset \mathbb{F}_q[X_1, \dots, X_s]$ defining the set of error locations:
$$I_e = \{f \in \mathbb{F}_q[X_1, \dots, X_s] : f(P) = 0, \ \forall P \text{ s.t. } e_P \neq 0\}.$$
We will use a slightly different notation and terminology in the following
because we want to make a systematic use of the observation that this ideal
depends only on the support of $e$, not on the error values. Indeed, many
different error vectors yield the same ideal defining the error locations. For
this reason we will introduce $E = \{P : e_P \neq 0\}$, and refer to the error-locator ideal for any $e$ with $\mathrm{supp}(e) = E$ as $I_E$.
For each monomial $X^u \in \mathbb{F}_q[X_1, \dots, X_s]$, we let
$$E_u = \langle e, \mathrm{ev}(X^u) \rangle = \sum_{P \in X_R(\mathbb{F}_q)} e_P P^u \tag{2}$$
be the corresponding syndrome of the error vector. (As in Theorem 3.3, $P^u$
is shorthand notation for the evaluation of the monomial $X^u$ at $P$.)
In the practical decoding situation, of course, for a code $C = \mathrm{ev}(V)^{\perp}$
where $V$ is a subspace of $R$ spanned by some set of monomials, only the
$E_u$ for the $X^u$ in a basis of $V$ are initially known from the received word.
In addition, the elements of the ideal $I + \langle X_1^q - X_1, \dots, X_s^q - X_s \rangle$ defining
the set $X_R(\mathbb{F}_q)$ give relations between the $E_u$. Indeed, the $E_u$ for $u$ in the
ordered basis $\Delta$ for $R$ with all components $\leq q - 1$ determine all the others,
and these syndromes still satisfy additional relations. Thus the $E_u$ are, in
a sense, highly redundant.
To package the syndromes into a single algebraic object, following [12],
we define the syndrome series
$$S_e = \sum_{u \in \mathbb{Z}^s_{\geq 0}} E_u X^{-u}$$
in the formal power series ring $T = \mathbb{F}_q[[X_1^{-1}, \dots, X_s^{-1}]]$. (This depends both
on the set of error locations $E$ and on the error values.) As in Section 3, we
have a natural interpretation for $S_e$ as an element of the dual space of the
ring $S = \mathbb{F}_q[X_1, \dots, X_s]$.
The following expression for the syndrome series $S_e$ will be fundamental.
We substitute from Eq. (2) for the syndrome $E_u$ and change the order of
summation to obtain:
$$S_e = \sum_{u \in \mathbb{Z}^s_{\geq 0}} E_u X^{-u} = \sum_{u \in \mathbb{Z}^s_{\geq 0}} \sum_{P \in X_R(\mathbb{F}_q)} e_P P^u X^{-u} = \sum_{P \in X_R(\mathbb{F}_q)} e_P \sum_{u \in \mathbb{Z}^s_{\geq 0}} P^u X^{-u} = \sum_{P \in X_R(\mathbb{F}_q)} e_P h_P,$$
where $h_P$ is the generator of $(m_P)^{\perp}$ from Theorem 3.3. The sum here,
taking the terms with $e_P \neq 0$, gives the decomposition of $S_e$ in the direct
sum expression for $I_E^{\perp}$ as in Theorem 3.2.
The first statement in the following Theorem is well-known; it is a translation of the standard fact that error-locators give linear recurrences on the
syndromes. But to our knowledge, this fact has not been considered from
exactly our point of view in this generality (see [16] for a special case).
Theorem 4.1. With all notation as above,
(1) $f \in I_E$ if and only if $f \cdot S_e = 0$ for all error vectors $e$ with $\mathrm{supp}(e) = E$.
(2) For each $e$ with $\mathrm{supp}(e) = E$, $I_E = \langle S_e \rangle^{\perp}$ in the duality from Theorem 3.1.
(3) If $e, e'$ are two error vectors with the same support, then $\langle S_e \rangle = \langle S_{e'} \rangle$
as submodules of $T$.
Proof. For (1), we start from the expression for $S_e$ from Eq. (3). Then by
Theorem 3.3, we have
$$f \cdot S_e = \sum_{P \in E} e_P (f \cdot h_P) = \sum_{P \in E} e_P f(P) h_P.$$
If $f \in I_E$, then clearly $f \cdot S_e = 0$ for all choices of error values $e_P$. Conversely,
if $f \cdot S_e = 0$ for all $e$ with $\mathrm{supp}(e) = E$, then $f(P) = 0$ for all $P \in E$, so
$f \in I_E$.
Claim (2) follows from (1).
The perhaps surprising claim (3) is a consequence of (2). Another way
to prove (3) is to note that there exist $g \in R$ such that $g(P) e_P = e'_P$ for all
$P \in E$. We have
$$g \cdot S_e = \sum_{P \in E} e_P (g \cdot h_P) = \sum_{P \in E} e_P g(P) h_P = \sum_{P \in E} e'_P h_P = S_{e'}.$$
Hence $\langle S_{e'} \rangle \subseteq \langle S_e \rangle$. Reversing the roles of $e$ and $e'$, we get the other inclusion as well, and (3) follows.
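The following explicit expression for the terms in $f \cdot S_e$ is also useful.
Let $f = \sum_m f_m X^m \in S$. Then
$$f \cdot S_e = \Big(\sum_m f_m X^m\Big) \cdot \Big(\sum_{u \in \mathbb{Z}^s_{\geq 0}} E_u X^{-u}\Big) = \sum_{r \in \mathbb{Z}^s_{\geq 0}} \Big(\sum_m f_m E_{m+r}\Big) X^{-r}.$$
Hence $f \cdot S_e = 0 \Leftrightarrow \sum_m f_m E_{m+r} = 0$ for all $r \geq 0$.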
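The recurrence form of the key equation can be checked numerically. The following Python sketch is an added example, not part of the paper: it works over the prime field F_7 in s = 2 variables with a constructed error vector, and the helper names (`syndrome`, `contract`, `pointwise`, `sigma`, `solves_key_equation`) are hypothetical. It computes the coefficients of f · S_e from the syndromes alone, compares them with the pointwise form from Theorem 3.3, part (2), and tests locators against a non-locator.

```python
from itertools import product

Q = 7  # prime field F_7 (constructed choice for this example)
# Constructed error vector: location P in F_7^2 -> nonzero error value e_P.
ERRORS = {(1, 2): 3, (3, 5): 6, (4, 4): 1}


def mono_at(point, u):
    """P^u: the monomial X^u evaluated at the point P, reduced mod Q."""
    value = 1
    for a, ui in zip(point, u):
        value = value * pow(a, ui, Q) % Q
    return value


def syndrome(errors, u):
    """E_u = sum over P of e_P * P^u, as in Eq. (2)."""
    return sum(e * mono_at(p, u) for p, e in errors.items()) % Q


def evaluate(f, point):
    """f(P) for a polynomial stored as {exponent tuple m: coefficient f_m}."""
    return sum(c * mono_at(point, m) for m, c in f.items()) % Q


def poly_mul(f, g):
    out = {}
    for (m1, c1), (m2, c2) in product(f.items(), g.items()):
        m = tuple(a + b for a, b in zip(m1, m2))
        out[m] = (out.get(m, 0) + c1 * c2) % Q
    return out


def poly_add(f, g):
    out = dict(f)
    for m, c in g.items():
        out[m] = (out.get(m, 0) + c) % Q
    return out


def linear(i, a, s=2):
    """The polynomial X_i - a in s variables (i is 0-based)."""
    e = tuple(1 if j == i else 0 for j in range(s))
    return {e: 1, (0,) * s: (-a) % Q}


def contract(f, errors, bound=Q):
    """Coefficients of X^{-r} in f . S_e for r in the box [0, bound)^s,
    i.e. the inner sums  sum_m f_m * E_{m+r}  of the recurrence form."""
    s = len(next(iter(errors)))
    coeffs = {}
    for r in product(range(bound), repeat=s):
        coeffs[r] = sum(
            fm * syndrome(errors, tuple(mi + ri for mi, ri in zip(m, r)))
            for m, fm in f.items()
        ) % Q
    return coeffs


def pointwise(f, errors, r):
    """The same coefficient via f . h_P = f(P) h_P: sum_P e_P f(P) P^r."""
    return sum(e * evaluate(f, p) * mono_at(p, r)
               for p, e in errors.items()) % Q


def solves_key_equation(f, errors, bound=Q):
    """True when every coefficient of f . S_e in the box vanishes.
    With bound = Q the monomials X^r in the box separate the points of
    F_Q^s, so this truncation already decides f . S_e = 0."""
    return not any(contract(f, errors, bound).values())


def sigma(i, errors):
    """Product of (X_i - a) over the distinct i-th coordinates a of the
    error locations (the univariate locator sigma_i of Example 4.2)."""
    f = {(0, 0): 1}
    for a in sorted({p[i] for p in errors}):
        f = poly_mul(f, linear(i, a))
    return f


if __name__ == "__main__":
    s1 = sigma(0, ERRORS)          # vanishes on E, so it lies in I_E
    g = linear(0, 1)               # X_1 - 1 vanishes at only one location
    print("sigma_1 solves f.S_e = 0:", solves_key_equation(s1, ERRORS))
    print("X_1 - 1 solves f.S_e = 0:", solves_key_equation(g, ERRORS))
    print("coefficient of X^0 in (X_1 - 1).S_e:", contract(g, ERRORS)[(0, 0)])
```

Only syndromes enter `contract`, which is what makes the recurrence form usable for decoding; `pointwise` needs the error locations and values and serves here only as a cross-check.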
The equation f · S = 0 from (1) in Theorem 4.1 is the prototype, so
to speak, for our generalizations of the key equation to codes from order
domains, and we will refer to it as the key equation in the following. It also
naturally generalizes all the various key equations that have been developed
in special cases, as we will demonstrate shortly. Before proceeding with
that, however, we wish to make several comments about the form of this
equation.
Comparing the equation f ·Se = 0 with the familiar form Eq. (1), several
differences may be apparent. First, note that the syndrome series Se will
not be entirely known from the received word in the decoding situation.
The same is true in the Reed-Solomon case, of course. The polynomial S in
the congruence in Eq. (1) involves only the known syndromes, and Eq. (1)
is derived by accounting for the other terms in the full syndrome series.
With a truncation of Se in our situation we would obtain a similar type of
congruence (see the discussion following Eq. (8) below, for instance). It is
apparently somewhat rare, however, that the portion of Se known from the
received word suffices for decoding up to half the minimum distance of the
code.
Another difference is that there is no apparent analog of the error-evaluator polynomial g from Eq. (1) in the equation f · Se = 0. The way to
obtain error evaluators in this situation is to consider the “purely positive
parts” (f Se )+ for certain solutions of our key equation.
We now turn to several examples that show how our key equation relates
to several special cases that have appeared in the literature.
Example 4.1. We begin by providing more detail on the precise relation
between Theorem 4.1, part (1) in the case of a Reed-Solomon code and
the usual key equation from Eq. (1). These codes are constructed from the
order domain $R = \mathbb{F}_q[X]$ (where $\Gamma = \mathbb{Z}_{\geq 0}$ and $\rho$ is the degree mapping).
The key equation Eq. (1) applies to the code $Ev_\ell = \mathrm{ev}(V_\ell)$, where $V_\ell = \mathrm{Span}\{1, X, X^2, \dots, X^{\ell-1}\}$, and the evaluation takes place at all $\mathbb{F}_q$-rational
points on the affine line, omitting 0.
Our key equation in this case is closely related to, but not precisely
the same as, Eq. (1). The reason for the difference is that Theorem 4.1 is
applied to the dual code $C_\ell = Ev_\ell^{\perp}$ rather than $Ev_\ell$. Starting from Eq. (3)
and using the formal geometric series summation formula as in Theorem 3.3
part (4), we can write:
$$S_e = \sum_{P \in E} e_P \sum_{u \geq 0} P^u X^{-u} = X \, \frac{\sum_{P \in E} e_P \prod_{Q \in E, Q \neq P} (X - Q)}{\prod_{P \in E} (X - P)}.$$
Hence, in this formulation, $S_e = Xq/p$, where $p$ is the generator of the
actual error locator ideal (not the ideal of the inverses of the error locations).
Moreover if we take $f = p$ in Theorem 4.1, then
$$(p S_e)_+ = Xq \tag{3}$$
gives an analog of the error evaluator. There are no “mixed terms” in the
products $f S_e$ in this one-variable situation.
Example 4.2. The key equation for $s$-dimensional cyclic codes introduced
by Chabanne and Norton in [12] has the form
$$\sigma S_e = \Big(\prod_{i=1}^{s} X_i\Big) g, \tag{4}$$
where $\sigma = \prod_{i=1}^{s} \sigma_i(X_i)$, and $\sigma_i$ is the univariate generator of the elimination
ideal $I_E \cap \mathbb{F}_q[X_i]$. Our version of the Reed-Solomon key equation from Eq. (3)
is a special case of Eq. (4). Moreover, Eq. (4) is clearly the special case of
Theorem 4.1, part (1) for these codes where $f = \sigma$ is the particular error
locator polynomial $\prod_{i=1}^{s} \sigma_i(X_i) \in I_E$. For this special choice of error locator,
$\sigma \cdot S_e = 0$, and $(\sigma S_e)_+ = \big(\prod_{i=1}^{s} X_i\big) g$ for some polynomial $g$. We see that
$S_e$ can be written as
$$S_e = \sum_P e_P h_P = \Big(\prod_{i=1}^{s} X_i\Big) \sum_P e_P \frac{1}{\prod_{i=1}^{s} (X_i - X_i(P))},$$
and the product $\sigma S_e = (\sigma S_e)_+$ reduces to a polynomial (again, there are
no “mixed terms”).
Example 4.3. We now turn to the key equation for one-point geometric
Goppa codes introduced by O’Sullivan in [6]. Let $\mathcal{X}$ be a smooth curve
over $\mathbb{F}_q$ of genus $g$, and consider one-point codes constructed from $R = \cup_{m=0}^{\infty} L(mQ)$ for some point $Q \in \mathcal{X}(\mathbb{F}_q)$. O’Sullivan’s key equation has the
form:
$$f \omega_e = \phi. \tag{5}$$
Here $\omega_e$ is the syndrome differential, which can be expressed as
$$\omega_e = \sum_{P \in \mathcal{X}(\mathbb{F}_q)} e_P \omega_{P,Q},$$
where $\omega_{P,Q}$ is the differential of the third kind on $\mathcal{X}$ with simple poles at
$P$ and $Q$, no other poles, and residues $\mathrm{res}_P(\omega_{P,Q}) = 1$, $\mathrm{res}_Q(\omega_{P,Q}) = -1$.
For any $f \in R$, we have
$$\mathrm{res}_Q(f \omega_e) = \sum_P e_P f(P),$$
the syndrome of $e$ corresponding to $f$. (We only defined syndromes for
monomials above; taking a presentation $R = \mathbb{F}_q[X_1, \dots, X_s]/I$, however,
any $f \in R$ can be expressed as a linear combination of monomials and the
syndrome of $f$ is defined accordingly.) The right-hand side of Eq. (5) is
also a differential. In this situation, Eq. (5) furnishes a key equation in the
following sense: $f$ is an error locator (i.e. $f$ is in the ideal of $R$ corresponding
to $I_E$) if and only if $\phi$ has poles only at $Q$. In the special case that $(2g - 2)Q$
is a canonical divisor (the divisor of zeroes of some differential of the first
kind $\omega_0$ on $\mathcal{X}$), Eq. (5) can be replaced by the equivalent equation $f o_e = g$,
where $o_e = \omega_e/\omega_0$ and $g = \phi/\omega_0$ are rational functions on $\mathcal{X}$. Since $\omega_0$ is
zero only at $Q$, the key equation is now that $f$ is an error locator if and
only if Eq. (5) is satisfied for some $g \in R$.
For instance, when $\mathcal{X}$ is a smooth plane curve $V(F)$ over $\mathbb{F}_q$ defined
by $F \in \mathbb{F}_q[X, Y]$, with a single smooth point $Q$ at infinity, then it is true
that $(2g - 2)Q$ is canonical. O’Sullivan shows in Example 4.2 of [6] (using
a slightly different notation) that
$$o_e = \sum_{P \in \mathcal{X}(\mathbb{F}_q)} e_P H_P, \tag{6}$$
where if $P = (a, b)$, then $H_P = \frac{F(a, Y)}{(X - a)(Y - b)}$. This is a function with a pole
of order 1 at $P$, a pole of order $2g - 1$ at $Q$, and no other poles.
To relate this to our approach, note that we may assume from the start
that $Q = (0 : 1 : 0)$ and that $F$ is taken in the form
$$F(X, Y) = X^{\beta} - cY^{\alpha} + G(X, Y)$$
for some relatively prime $\alpha < \beta$ generating the value semigroup at $Q$. Every
term in $G$ has $(\alpha, \beta)$-weight less than $\alpha\beta$. First we rearrange to obtain
$$H_P = \frac{F(a, Y)}{(X - a)(Y - b)} = \frac{(a^{\beta} - X^{\beta}) + F(X, Y) + (G(a, Y) - G(X, Y))}{(X - a)(Y - b)}.$$
The $F(X, Y)$ term in the numerator does not depend on $P$. We can collect
those terms in the sum Eq. (6) and factor out the $F(X, Y)$. We will see
shortly that those terms can in fact be ignored. The $G(a, Y) - G(X, Y)$ in
the numerator furnish terms that go into the error evaluator $g$ here. The
remaining portion is
$$\frac{-(X^{\beta} - a^{\beta})}{(X - a)(Y - b)} = -\frac{X^{\beta - 1}}{Y} \sum_{i=0}^{\beta - 1} \sum_{j=0}^{\infty} \frac{a^i b^j}{X^i Y^j}.$$
The sum here looks very much like that defining our $h_P$ from Theorem 3.3,
except that it only extends over the monomials in the complement of $\langle LT(F) \rangle$.
Call this last sum $h'_P$. As noted before the full series $h_P$ (and consequently
$S$) are redundant. For example, every ideal contained in $m_P$ (for instance
the ideal $I = \langle F \rangle$ defining the curve), produces relations between the coefficients. From the duality theorem, Theorem 3.1, we have that $I \subset m_P$
implies $(m_P)^{\perp} \subset I^{\perp}$, so $F \cdot h_P = 0$.
The relation $F \cdot h_P = 0$ says in particular that the terms in $h'_P$ are
sufficient to determine the whole series $h_P$. Indeed, we have
$$h_P = \sum_{i=0}^{\infty} \left(\frac{cY^{\alpha} - G}{X^{\beta}}\right)^{i} h'_P = \frac{X^{\beta}}{F} h'_P.$$
It follows that O’Sullivan’s key equation and ours are equivalent.
We now turn to the precise relation between solutions of our key equation and the polynomials generated by the BMS decoding algorithm applied
to the $C_\ell = Ev_\ell^{\perp}$ codes from order domains $R$. We will see that the BMS
algorithm systematically produces successively better approximations to
solutions of $f \cdot S_e = 0$, so that in effect, the BMS algorithm is a method for
solving the key equation for these codes.
For our purposes, it will suffice to consider the “Basic Algorithm” from
§3 of [5], in which all needed syndromes are assumed known and no sharp
stopping criteria are identified. The syndrome mapping corresponding to
the error vector $e$ is
$$\mathrm{Syn}_e : R \to \mathbb{F}_q, \qquad f \mapsto \sum_{P \in E} e_P f(P),$$
where as above $E$ is the set of error locations. The same reasoning used in
the proof of our Theorem 4.1 shows
$$f \in I_E \Leftrightarrow \mathrm{Syn}_e(fg) = 0, \ \forall g \in R. \tag{7}$$
From Definition 2.1 and Geil and Pellikaan’s presentation theorem, we
have an ordered monomial basis of $R$:
$$\Delta = \{X^{\alpha(j)} : j \in \mathbb{N}\},$$
whose elements have distinct $\rho$-values. As in the construction of the $Ev_\ell$
codes, we write $V_\ell = \mathrm{Span}\{1 = X^{\alpha(1)}, \dots, X^{\alpha(\ell)}\}$. The $V_\ell$ exhaust $R$, so
for $f \neq 0 \in R$, we may define
$$o(f) = \min\{\ell : f \in V_\ell\},$$
and (for instance) $o(0) = -1$. In particular the semigroup $\Gamma$ in our presentation carries over to a (nonstandard) semigroup structure on $\mathbb{N}$ defined by
the addition operation
$$i \oplus j = k \Leftrightarrow o(X^{\alpha(i)} X^{\alpha(j)}) = k.$$
Given $f \in R$, one defines
$$\mathrm{span}(f) = \min\{\ell : \exists g \in V_\ell \text{ s.t. } \mathrm{Syn}_e(fg) \neq 0\},$$
$$\mathrm{fail}(f) = o(f) \oplus \mathrm{span}(f).$$
When $f \in I_E$, $\mathrm{span}(f) = \mathrm{fail}(f) = \infty$.
The BMS algorithm, then, is an iterative process which produces a
Gröbner basis for $I_E$ with respect to a certain monomial order $>$. The
strategy is to maintain data structures for all $m \geq 1$ as follows. The $\Delta_m$
are an increasing sequence of sets of monomials, converging to the monomial
basis for $I_E$ as $m \to \infty$, and $\delta_m$ is the set of maximal elements of $\Delta_m$ with
respect to $>$ (the “interior corners of the footprint”). Similarly, we consider
the complement $\Sigma_m$ of $\Delta_m$, and $\sigma_m$, the set of minimal elements of $\Sigma_m$
(the “exterior corners”). For sufficiently large $m$, the elements of $\sigma_m$ will
be the leading terms of the elements of the Gröbner basis of $I_E$, and $\Sigma_m$
will be the set of monomials in $LT_>(I_E)$.
For each $m$, the algorithm also produces collections of polynomials $F_m = \{f_m(s) : s \in \sigma_m\}$ and $G_m = \{g_m(c) : c \in \delta_m\}$ satisfying:
$$o(f_m(s)) = s, \qquad \mathrm{fail}(f_m(s)) > m,$$
$$\mathrm{span}(g_m(c)) = c, \qquad \mathrm{fail}(g_m(c)) \leq m.$$
In the limit as $m \to \infty$, by Eq. (7), the $F_m$ yield the Gröbner basis for $I_E$.
We record the following simple observation.
Theorem 4.2. With all notation as above, suppose $f \in R$ satisfies $o(f) = s$, $\mathrm{fail}(f) > m$. Then
$$f \cdot S_e \equiv 0 \bmod W_{s,m},$$
where $W_{s,m}$ is the $\mathbb{F}_q$-vector subspace of the formal power series ring $T$
spanned by the $X^{-\alpha(j)}$ such that $s \oplus j > m$.
Proof. By the definition, $\mathrm{fail}(f) > m$ means that $\mathrm{Syn}_e(f X^{\alpha(k)}) = 0$ for
all $k$ with $o(f) \oplus k \leq m$. By the definitions of $S_e$ and the contraction
product, $\mathrm{Syn}_e(f X^{\alpha(k)})$ is exactly the coefficient of $X^{-\alpha(k)}$ in $f \cdot S_e$.
The subspace $W_{s,m}$ in Theorem 4.2 depends on $s = o(f)$. In our situation, though, note that if $s' = \max\{o(f) : f \in F_m\}$, then Theorem 4.2
implies
$$f \cdot S_e \equiv 0 \bmod W_{s',m} \tag{8}$$
for all $f = f_m(s)$ in $F_m$. Moreover, only finitely many terms from $S_e$ enter
into any one of these congruences, so Eq. (8) is, in effect, a sort of general
analog of Eq. (1).
The $f_m(s)$ from $F_m$ can be understood as approximate solutions of the key
equation (where the goodness of the approximation is determined by the
subspaces $W_{s',m}$, a decreasing chain, tending to $\{0\}$ in $T$, as $m \to \infty$).
The BMS algorithm thus systematically constructs better and better approximations to solutions of the key equation. O’Sullivan’s stopping criteria
(see [5]) show when further steps of the algorithm make no changes. The
Feng-Rao theorem shows that any additional syndromes needed for this can
be determined by the majority-voting process when $\mathrm{wt}(e) \leq \lfloor \frac{d_{FR}(C_\ell) - 1}{2} \rfloor$.
We conclude by noting that O’Sullivan has also shown in [6] that, for
codes from curves, the BMS algorithm can be slightly modified to compute
error locators and error evaluators simultaneously in the situation studied
in Example 4.3. The same is almost certainly true in our general setting,
although we have not worked out all the details.
Acknowledgements
Thanks go to Mike O’Sullivan and Graham Norton for comments on an
earlier version prepared while the author was a visitor at MSRI. Research
at MSRI is supported in part by NSF grant DMS-9810361.
References
[1] T. Høholdt, R. Pellikaan, and J. van Lint, Algebraic Geometry Codes, in:
Handbook of Coding Theory, W. Huffman and V. Pless, eds. (Elsevier, Amsterdam, 1998), 871-962.
[2] M. O’Sullivan, New Codes for the Berlekamp-Massey-Sakata Algorithm, Finite Fields Appl. 7 (2001), 293-317.
[3] O. Geil and R. Pellikaan, On the Structure of Order Domains, Finite Fields
Appl. 8 (2002), 369-396.
[4] J. Little, The Ubiquity of Order Domains for the Construction of Error
Control Codes, Advances in Mathematics of Communications 1 (2007), 151-171.
[5] M. O’Sullivan, A Generalization of the Berlekamp-Massey-Sakata Algorithm, preprint, 2001.
[6] M. O’Sullivan, The key equation for one-point codes and efficient error evaluation, J. Pure Appl. Algebra 169 (2002), 295-320.
[7] F.S. Macaulay, Algebraic Theory of Modular Systems, Cambridge Tracts in
Mathematics and Mathematical Physics, v. 19, (Cambridge University Press,
Cambridge, UK, 1916).
[8] D.G. Northcott, Injective envelopes and inverse polynomials, J. London
Math. Soc. (2) 8 (1974), 290-296.
[9] J. Emsalem and A. Iarrobino, Inverse System of a Symbolic Power, I, J.
Algebra 174 (1995), 1080-1090.
[10] B. Mourrain, Isolated points, duality, and residues, J. Pure Appl. Algebra
117/118 (1997), 469-493.
[11] A. Geramita, Inverse systems of fat points, Waring’s problem, secant varieties of Veronese varieties and parameter spaces for Gorenstein ideals, The
Curves Seminar at Queen’s (Kingston, ON) X (1995), 2–114.
[12] H. Chabanne and G. Norton, The n-dimensional key equation and a decoding
application, IEEE Trans. Inform. Theory 40 (1994), 200-203.
[13] G.H. Norton, On n-dimensional Sequences. I, II, J. Symbolic Comput. 20
(1995), 71-92, 769-770.
[14] G.H. Norton, On Shortest Linear Recurrences, J. Symbolic Comput. 27
(1999), 323-347.
[15] G.H. Norton and A. Salagean, On the key equation over a commutative ring,
Designs, Codes and Cryptography 20 (2000), 125-141.
[16] J. Althaler and A. Dür, Finite linear recurring sequences and homogeneous
ideals, Appl. Algebra. Engrg. Comm. Comput. 7 (1996), 377-390.