← All blueprints

Essential Coding Theory — Blueprint

5 The Greatest Code of Them All: Reed-Solomon Codes

Definition 116 Polynomial over a finite field, Def 5.1.1
#

A polynomial over a variable \(X\) and a finite field \(\mathbb {F}_q\) is given by a finite sequence \((f_0, f_1, \ldots , f_d)\) with \(f_i \in \mathbb {F}_q\), denoted \(F(X) = \sum _{i=0}^{d} f_i X^i\). The degree of \(F(X)\), denoted \(\deg (F)\), is the largest index \(i\) such that \(f_i \neq 0\). The set \(\mathbb {F}_q[X]\) of all such polynomials, with the usual coefficientwise addition and convolution multiplication, forms a commutative ring.

Definition 117 Evaluation of a polynomial, Def 5.1.2
#

Given a polynomial \(F(X) \in \mathbb {F}_q[X]\) and \(\alpha \in \mathbb {F}_q\), the evaluation of \(F(X)\) at \(\alpha \), denoted \(F(\alpha )\), is \(\sum _{i=0}^{\deg F} f_i \alpha ^i \in \mathbb {F}_q\). (More generally, if \(\alpha \) lies in an extension field \(\mathbb {F}_Q \supseteq \mathbb {F}_q\), the evaluation \(F(\alpha ) \in \mathbb {F}_Q\) is defined the same way.)

Proposition 118 Polynomial division, Prop 5.1.3
#

Given polynomials \(f(X), g(X) \in \mathbb {F}_q[X]\) with \(g \neq 0\), there exist unique polynomials \(q(X)\), the quotient, and \(r(X)\), the remainder, with \(\deg (r) {\lt} \deg (g)\), such that \(f(X) = q(X)g(X) + r(X)\). If \(g(X) = X - \alpha \) for \(\alpha \in \mathbb {F}_q\), then \(r(X)\) is the degree-\(0\) polynomial \(f(\alpha )\), i.e., the evaluation of \(f\) at \(\alpha \).

Definition 119 Root of a polynomial, Def 5.1.4
#

\(\alpha \in \mathbb {F}_q\) is a root of a polynomial \(F(X)\) if \(F(\alpha ) = 0\).

Proposition 120 Degree Mantra, Prop 5.1.5
#

A nonzero polynomial \(f(X)\) of degree \(t\) over a field \(\mathbb {F}_q\) has at most \(t\) distinct roots in \(\mathbb {F}_q\).

Definition 121 Irreducible polynomial, Def 5.1.6
#

A polynomial \(F(X)\) is irreducible if for every \(G_1(X), G_2(X)\) such that \(F(X) = G_1(X) G_2(X)\), we have \(\min (\deg (G_1), \deg (G_2)) = 0\).

Theorem 122 Quotient by an irreducible polynomial is a field, Thm 5.1.7
#

Let \(E(X)\) be an irreducible polynomial of degree \(s \geq 2\) over \(\mathbb {F}_p\), \(p\) prime. Then the set of polynomials in \(\mathbb {F}_p[X]\) modulo \(E(X)\), denoted \(\mathbb {F}_p[X]/E(X)\), with addition, multiplication, additive/multiplicative identities and inverses induced by the ring \(\mathbb {F}_p[X]\), is a field.

Lemma 123 Size of a quotient field, Lem 5.1.8
#

Let \(E(x) \in \mathbb {F}_q[x]\) be an irreducible polynomial of degree \(s\). Then \(\mathbb {F}_q[x]/E(x)\) is a field of size \(q^s\).

Theorem 124 Existence and count of irreducible polynomials, Thm 5.1.9
#

For all \(s \geq 2\) and prime \(p\), there exists an irreducible polynomial of degree \(s\) over \(\mathbb {F}_p\). In fact, the number of such monic irreducible polynomials is \(\Theta \! \left(\dfrac {p^s}{s}\right)\). (The existence statement holds more generally over any finite field \(\mathbb {F}_q\), not just prime fields \(\mathbb {F}_p\).)

Proof
Corollary 125 Finite fields as polynomial quotients, Cor 5.1.10
#

The field \(\mathbb {F}_{p^s}\) is \(\mathbb {F}_p[X]/E(X)\), where \(E(X)\) is an irreducible polynomial of degree \(s\).

Proof

By Theorem 124 an irreducible polynomial \(E(X)\) of degree \(s\) over \(\mathbb {F}_p\) exists. By Theorem 122, \(\mathbb {F}_p[X]/E(X)\) is a field, and by Lemma 123 it has size \(p^s\). Since there is a unique field of order \(p^s\) (up to isomorphism), this field must be \(\mathbb {F}_{p^s}\).

Algorithm 126 Generating an irreducible polynomial, Alg 5.1.1
#

Input: A prime power \(q\) and an integer \(s {\gt} 1\).
Output: A monic irreducible polynomial of degree \(s\) over \(\mathbb {F}_q\).

  1. Repeat:

    1. Choose \(F(X) = X^s + \sum _{i=0}^{s-1} f_i X^i\) with each \(f_i\) chosen uniformly at random from \(\mathbb {F}_q\).

    2. Test whether \(F(X)\) is irreducible by checking: \(\gcd (F(X), X^{q^s} - X) = F(X)\), and for every \(t \notin \{ 1, s\} \) dividing \(s\), \(\gcd (F(X), X^{q^t} - X) = 1\).

  2. Until \(F(X)\) passes the irreducibility test; return \(F(X)\).

Proof

Correctness of the test in step (1b) rests on the fact (Appendix D) that an irreducible polynomial of degree exactly \(t\) divides \(X^{q^t} - X\); checking the two gcd conditions therefore certifies that \(F(X)\) has no factor of degree dividing \(s\) other than \(1\) and \(s\) itself, i.e., that \(F(X)\) is irreducible. Since Euclid’s algorithm for \(\gcd (A(X), B(X))\) runs in time polynomial in \(\min (\deg A, \deg B)\) and \(\log q\), each iteration of the loop runs in time \(\mathrm{poly}(s, \log q)\). By Theorem 124, the number of monic irreducible polynomials of degree \(s\) over \(\mathbb {F}_q\) is \(\Theta (q^s/s)\) out of \(q^s\) monic polynomials of degree \(s\), so a uniformly random monic polynomial of degree \(s\) is irreducible with probability \(\Theta (1/s)\); hence the expected number of iterations is \(O(s)\).

Corollary 127 Las Vegas algorithm for irreducible polynomials, Cor 5.1.11
#

There is a Las Vegas algorithm (Algorithm 126) to generate an irreducible polynomial of degree \(s\) over any \(\mathbb {F}_q\) in expected time \(\mathrm{poly}(s, \log q)\).

Proof

This is immediate from the analysis in the proof of Algorithm 126: each iteration takes time \(\mathrm{poly}(s, \log q)\) and the expected number of iterations is \(O(s)\), giving a total expected running time of \(\mathrm{poly}(s, \log q)\).

Definition 128 Reed-Solomon code, Def 5.2.1
#

Let \(\mathbb {F}_q\) be a finite field, and choose \(n\) and \(k\) satisfying \(k \leq n \leq q\). Fix a sequence \(\alpha = (\alpha _1, \alpha _2, \ldots , \alpha _n)\) of \(n\) distinct elements (evaluation points) from \(\mathbb {F}_q\). The encoding function of the Reed-Solomon code \(\mathrm{RS}_q[\alpha , k] : \mathbb {F}_q^k \to \mathbb {F}_q^n\) maps a message \(m = (m_0, m_1, \ldots , m_{k-1})\) with \(m_i \in \mathbb {F}_q\) to the degree-\((k-1)\) polynomial

\[ f_m(X) = \sum _{i=0}^{k-1} m_i X^i \in \mathbb {F}_q[X], \]

and then outputs

\[ \mathrm{RS}_q[\alpha , k](m) = \big(f_m(\alpha _1), f_m(\alpha _2), \ldots , f_m(\alpha _n)\big). \]

We write simply \(\mathrm{RS}\) when \(q\), \(\alpha \), \(k\) are clear from context, and call the image \(\{ \mathrm{RS}[m] \mid m \in \mathbb {F}_q^k\} \) the Reed-Solomon code, or RS code. A common special case is \(n = q - 1\) with evaluation points \(\mathbb {F}_q^* = \mathbb {F}_q \setminus \{ 0\} \).

Lemma 129 RS codes are linear, Claim 5.2.2
#

The Reed-Solomon code \(\mathrm{RS}\) of Definition 128 is a linear code.

Proof

If \(a \in \mathbb {F}_q\) and \(f(X), g(X) \in \mathbb {F}_q[X]\) are polynomials of degree at most \(k - 1\), then \(af(X)\) and \(f(X) + g(X)\) are also polynomials of degree at most \(k-1\). In particular, let messages \(m_1, m_2 \in \mathbb {F}_q^k\) be mapped to \(f_{m_1}(X), f_{m_2}(X)\); by the definition of \(f_m\),

\[ f_{m_1}(X) + f_{m_2}(X) = f_{m_1+m_2}(X), \qquad a f_{m_1}(X) = f_{a m_1}(X). \]

Since evaluation at each \(\alpha _i\) is applied coordinatewise, this gives

\[ \mathrm{RS}(m_1) + \mathrm{RS}(m_2) = \mathrm{RS}(m_1 + m_2), \qquad a\, \mathrm{RS}(m_1) = \mathrm{RS}(a m_1). \]

Hence \(\mathrm{RS}\) is an \([n,k]_q\) linear code.

Lemma 130 Distance of RS codes, Claim 5.2.3
#

The minimum distance of the Reed-Solomon code \(\mathrm{RS}\) of Definition 128 is \(n - k + 1\).

Proof

Fix arbitrary \(m_1 \neq m_2 \in \mathbb {F}_q^k\). The polynomials \(f_{m_1}(X), f_{m_2}(X) \in \mathbb {F}_q[X]\) are distinct polynomials of degree at most \(k-1\), so \(f_{m_1}(X) - f_{m_2}(X) \neq 0\) also has degree at most \(k-1\). Since \(\mathrm{wt}(\mathrm{RS}(m_2) - \mathrm{RS}(m_1)) = \Delta (\mathrm{RS}(m_1), \mathrm{RS}(m_2))\), and the weight of \(\mathrm{RS}(m_2) - \mathrm{RS}(m_1)\) is \(n\) minus the number of zero coordinates, which equals \(n\) minus the number of roots of \(f_{m_1}(X) - f_{m_2}(X)\) among \(\{ \alpha _1, \ldots , \alpha _n\} \), we get

\[ \Delta (\mathrm{RS}(m_1), \mathrm{RS}(m_2)) = n - |\{ \alpha _i \mid f_{m_1}(\alpha _i) = f_{m_2}(\alpha _i)\} |. \]

By the Degree Mantra (Proposition 120), \(f_{m_1}(X) - f_{m_2}(X)\) has at most \(k-1\) roots. Thus the weight of \(\mathrm{RS}(m_2) - \mathrm{RS}(m_1)\) is at least \(n - (k-1) = n-k+1\), so the minimum distance \(d\) of \(\mathrm{RS}\) satisfies \(d \geq n-k+1\). Since the Singleton bound (110) gives \(d \leq n-k+1\), we conclude \(d = n-k+1\).

The same argument shows distinct polynomials \(f_{m_1}(X) \neq f_{m_2}(X)\) of degree at most \(k-1\) are mapped to distinct codewords, since their Hamming distance is at least \(n-k+1 \geq 1\) (as \(k \leq n\)). Hence \(\mathrm{RS}\) has exactly \(q^k\) codewords and, by Lemma 129, dimension \(k\).

Theorem 131 RS codes meet the Singleton bound, Thm 5.2.4
#

\(\mathrm{RS}\) is an \([n, k, n-k+1]_q\) code. That is, Reed-Solomon codes match the Singleton bound.

Proof

Immediate from Lemma 129 (linearity, so \(\mathrm{RS}\) has a well-defined dimension \(k\), matching the number of coefficients of the message polynomials) and Lemma 130 (minimum distance \(n-k+1\)).

Construction 132 Vandermonde generator matrix for RS codes
#

Any basis \(f_{m^1}, \ldots , f_{m^k}\) of the space of polynomials of degree at most \(k-1\) gives rise, via Definition 128, to a basis \(\mathrm{RS}(m^1), \ldots , \mathrm{RS}(m^k)\) of the Reed-Solomon code. Taking the monomial basis \(1, X, \ldots , X^{k-1}\) yields the \(k \times n\) Vandermonde generator matrix whose \(i\)-th row (for \(0 \leq i \leq k-1\)) is \((\alpha _1^i, \alpha _2^i, \ldots , \alpha _n^i)\).

Proof

By Lemma 129, \(\mathrm{RS}\) is linear, hence the image of a basis of the message/polynomial space under the (linear, by Definition 128) encoding map is a basis of the code, i.e., forms a valid generator matrix. Choosing the monomial basis \(X^0, \ldots , X^{k-1}\), the \(i\)-th basis polynomial \(X^i\) encodes to \((\alpha _1^i, \ldots , \alpha _n^i)\), giving exactly the stated matrix.

Definition 133 MDS codes, Def 5.3.1
#

An \((n,k,d)_q\) code is called Maximum Distance Separable (MDS) if \(d = n-k+1\).

Corollary 134 RS codes are MDS
#

Reed-Solomon codes are MDS codes.

Proof

By Theorem 131, \(\mathrm{RS}\) is an \([n,k,n-k+1]_q\) code, and by Definition 133 this means it is MDS.

Definition 135 Projection of a code onto a subset of coordinates, Def 5.3.2
#

For every subset of indices \(S \subseteq [n]\) of size exactly \(k\) and a code \(C \subseteq \Sigma ^n\), \(C_S\) is the set of all codewords in \(C\) projected onto the indices in \(S\).

Proposition 136 MDS codes are “information sets” complete, Prop 5.3.3
#

Let \(C \subseteq \Sigma ^n\) of integral dimension \(k\) be an MDS code. Then for every \(S \subseteq [n]\) with \(|S| = k\), we have \(C_S = \Sigma ^k\).

Proof

Consider the \(|C| \times n\) matrix whose rows are the codewords of \(C\); there are \(|C| = |\Sigma |^k\) rows (since \(C\) has dimension \(k\)) and \(n\) columns. Since \(C\) is MDS, its minimum distance is \(d = n-k+1\).

Fix \(S \subseteq [n]\) with \(|S| = k\). For any distinct \(c^i \neq c^j \in C\), the projections \(c^i_S \neq c^j_S \in C_S\) are distinct: if they agreed, then \(c^i\) and \(c^j\) would agree on all \(k\) coordinates in \(S\), so \(\Delta (c^i, c^j) \leq n - k = d - 1\), contradicting that the minimum distance of \(C\) is \(d\). Hence every codeword of \(C\) maps to a distinct element of \(C_S\), giving \(|C_S| = |C| = |\Sigma |^k\). Since \(C_S \subseteq \Sigma ^k\) and \(|C_S| = |\Sigma ^k|\), we conclude \(C_S = \Sigma ^k\).