Efficient Decoding of Gabidulin Codes over Galois Rings
Sven Puchinger, Julian Renner, Antonia Wachter-Zeh, Jens Zumbrägel
aa r X i v : . [ c s . I T ] F e b Efficient Decoding of Gabidulin Codesover Galois Rings
Sven Puchinger , Julian Renner , Antonia Wachter-Zeh , Jens Zumbrägel Department of Applied Mathematics and Computer Science, Technical University of Denmark (DTU), Denmark Institute for Communications Engineering, Technical University of Munich (TUM), Germany Faculty of Computer Science and Mathematics, University of Passau, GermanyEmail: [email protected], [email protected], [email protected], [email protected]
Abstract —This paper presents the first decoding algorithmfor Gabidulin codes over Galois rings with provable quadraticcomplexity. The new method consists of two steps: (1) solving asyndrome-based key equation to obtain the annihilator polynomialof the error and therefore the column space of the error, (2) solvinga key equation based on the received word in order to reconstructthe error vector. This two-step approach became necessary sincestandard solutions as the Euclidean algorithm do not properlywork over rings.
I. I
NTRODUCTION
Network coding over finite rings [1]–[6] may result in moreefficient physical-layer network coding schemes in comparisonto using finite fields . Since rank-metric codes can be appliedfor error correction in network coding (cf. [7] for finite fields),Kamche and Mouaha [8] considered rank-metric codes overfinite principal ideal rings. The authors, amongst others, definedGabidulin codes over rings and designed a Welch-Berlekamp-like decoding algorithm similar to the one over finite fields [9].This decoding algorithm has to solve a linear system ofequations and perform a polynomial division, resulting in anasymptotic complexity O ( n ) for a Gabidulin code of length n .In order to accelerate the decoding process, different coding-theoretic approaches can be thought of: a Berlekamp–Massey(BM) approach, an approach based on the Euclidean algorithm,or row reduction techniques. The Euclidean algorithm requiresdivisions of polynomials such that the degree of the remainderis smaller than the one of the inputs; over rings, this degreereduction does not work if the leading monomial is not a unit.When investigating row reduction techniques, we encountereda similar problem: having to divide rows by a non-unit element.In [10], a BM-like decoding approach for Reed–Solomon andBCH codes over rings was presented. However, when decodingGabidulin codes, a BM-like approach would only acceleratethe first step of decoding, namely, finding the annihilatorpolynomial of the error, not the second step which is necessaryto find the explicit error vector. This is fundamentally differentfrom Reed–Solomon codes where the second step (finding the error values ) is easy and efficient. All these observations forcedus to establish a different decoding technique.In this paper, we investigate a new approach to decodeGabidulin codes over Galois rings efficiently. Namely, we firstsolve a syndrome-based key equation with a BM-like approachto obtain the error span polynomial and then set up another typeof key equation based on the received word (in the literaturealso called Gao key equation [11]) to explicitly recover theerror vector in an efficient way. This therefore leads to the first
S. Puchinger has received funding from the European Union’s Horizon 2020research and innovation programme under the Marie Skłodowska-Curie grantagreement no. 713683. J. Renner and A. Wachter-Zeh were supported by theEuropean Research Council (ERC) under the European Union’s Horizon 2020research and innovation programme (grant agreement no. 801434). approach that decodes Gabidulin codes over Galois rings withprovable quadratic complexity.II. P
RELIMINARIES
A. Galois Rings
For a given prime p and positive integers r and s we denoteby GR( p r , s ) the Galois ring of characteristic p r and degree s .It can be defined as the quotient ring Z p r [ x ] / ( f ) , where f ∈ Z p r [ x ] is a polynomial such that its reduction f mod p in F p [ x ] is irreducible of degree s .The theory of Galois rings can be viewed as a close analogof the theory of finite fields, which is translated to the realmof finite commutative local rings, i.e., rings with a uniquemaximal ideal. Galois rings may in fact be more intrinsicallydefined as the unique separable ring extensions of Z p r , orequivalently, as the unramified local ring extensions of Z p r ,meaning that the principal ideal ( p ) remains the maximal idealin those extensions (see [12, Sec. 14]).Most importantly for the present work is the property ofa Galois ring being a Galois extension of Z p r , with groupof ring automorphisms isomorphic to the Galois group ofthe corresponding residue fields. More precisely, let R :=GR( p r , s ) and S := GR( p r , t ) be Galois rings with residuefields k := F p s and K := F p t , respectively, and let s | t sothat R ⊆ S is a ring extension. Then the Galois group Gal R ( S ) of ring automorphisms of S fixing R corresponds, by a liftingconstruction, to the Galois group Gal k ( K ) of field automor-phisms of K fixing k ; hence, the group Gal R ( S ) is isomorphicto a cyclic group of order m , where m = ts = dim k K is theextension degree (see [12, Sec. 15]). B. Computing the Galois Group
For an extension k ⊆ K of finite fields where q := | k | ,the field Galois group Gal k ( K ) is generated by a q -th powerFrobenius map. Likewise, the ring Galois group Gal R ( S ) ofGalois rings R ⊆ S is also generated by an automorphism σ : S → S that can be described by a q -th power α α q of some element α ∈ S with S = R [ α ] (although it does nothold that σ ( z ) = z q for all z ∈ S ). Such an element α canbe constructed by the following procedure. Let f ∈ k [ x ] besome irreducible polynomial of degree m defining the fieldextension k ⊆ K , then there holds x q m − x = f · g for some g ∈ k [ x ] coprime to f . By Hensel lifting [12, Sec. 13] thereare f, g ∈ R [ x ] with f = f mod p and g = g mod p such that x q m − x = f · g holds over R . Then letting S := R [ x ] / ( f ) and α := [ x ] ∈ S we construct a generator σ : S → S , α α q of Gal R ( S ) as desired. . Polynomials and Skew Polynomials In the following let R be a finite local commutative ring withmaximal ideal m , which is nilpotent. Moreover, let k := R/ m be the residue field and let µ : R → k be the canonical map,extended to polynomials R [ x ] → k [ x ] . The following resultscan be found in [12, Sec. 13].For a polynomial f = P f i x i ∈ R [ x ] we have:1) f is a unit ⇔ f ∈ R ∗ and all f i ∈ m , i > ⇔ µf ∈ k ∗ ,2) f is no zero divisor ⇔ some f i ∈ R ∗ ⇔ µf = 0 .In the case of 2) the polynomial f is called primitive . Lemma 1
Let g ∈ R [ x ] be a primitive polynomial.1) There exists a unit u ∈ R [ x ] such that ug is monic;moreover, deg ug = deg µg ≤ deg g .2) For f ∈ R [ x ] there is “division with remainder”, i.e.,there are q, r ∈ R [ x ] with f = qg + r and deg r < deg g . Now let σ ∈ Aut( R ) be a ring automorphism. We definethe skew polynomial ring R [ x ; σ ] via the rule xr = σ ( r ) x for all r ∈ R , extended by addition and multiplication. Stillone may apply the canonical map µ : R [ x ; σ ] → k [ x ; σ ] , with σ ∈ Aut( k ) induced by σ , and above remarks remain valid.For a polynomial f = P ni =0 f i x i ∈ R [ x ; σ ] of degree n we denote by lt( f ) := x n the leading term , lc( f ) := f n its leading coefficient and lm( f ) := lc( f )lt( f ) = f n x n the leading monomial . D. Smith Normal Form and Rank Profile of Modules
Consider again an extension R = GR( p r , s ) ⊆ S =GR( p r , sm ) of Galois rings. Let m be the maximal ideal of R ,which has nilpotency index r . For a ∈ R \ { } the valuation v ( a ) is defined as the unique integer v with a ∈ m v \ m v +1 ,and we let v (0) := r .For any matrix A ∈ R m × n there are invertible matrices S ∈ R m × m and T ∈ R n × n such that D = SAT ∈ R m × n ,where D is called the Smith normal form of A and isa diagonal matrix with diagonal entries d , . . . , d min { n,m } satisfying ≤ v ( d ) ≤ . . . ≤ v ( d min { n,m } ) ≤ r . Wedefine rk( A ) := |{ i ∈ { , . . . , min { m, n }} : d i = 0 }| and frk( A ) := |{ i ∈ { , . . . , min { m, n }} : d i is a unit }| as therank and the free rank of A , respectively. The same propertieshold for matrices over S , where m needs to be replaced by themaximal ideal of S denoted by M .Let γ = [ γ , . . . , γ m ] denote an ordered basis of S over R .We define ext γ : S n → R m × n , a A , where a j = P mi =1 A i,j γ i , j ∈ { , . . . , n } and denote by rk R ( a ) := rk( A ) and frk R ( a ) := frk( A ) the rank norm and free rank norm of a , respectively.Let M denote an R -submodule of S and let d , . . . , d n referto the diagonal elements of a matrix in Smith normal form withrow space M . Then, we call the polynomial φ M ( x ) := r − X i =0 φ M i x i ∈ Z [ x ] / ( x r ) the rank profile of M , where φ M i := |{ j : v ( d j ) = i }| . Notethe relationship between (free) rank and the rank profiles frk R M = φ M = φ M (0) , rk R M = r − X i =0 φ M i = φ M (1) . E. Gabidulin Codes
Let R ⊆ S be Galois rings and let σ ∈ Gal R ( S ) be a gener-ating automorphism. For a skew polynomial f = P ni =0 f i x i ∈ S [ x ; σ ] and s ∈ S we let f ( s ) := f s + f σ ( s )+ . . . + f n σ n ( s ) .Denote by S [ x ; σ ] Let g = [ g , . . . , g n ] ∈ S n , where the entries arelinearly independent over R , and let < k ≤ n . A Gabidulincode of length n , dimension k and support g is defined by Gab k ( g ) := { f ( g ) : f ∈ S [ x ; σ ] Gab k ( g ) has a generator matrix G = [ σ i ( g j )] ≤ i KEW -P OLYNOMIAL V ARIANT OF THE B YRNE -F ITZPATRICK A LGORITHM Let S := GR( p r , t ) be a Galois ring and let σ ∈ Aut( S ) bean automorphism of S .In order to solve the decoding problem of rank metricGabidulin codes over S , following [10], [13] we introduce the solution module over the skew polynomial ring S [ x ; σ ] . Givena positive integer m and a polynomial u ∈ S [ x ; σ ] we let M := (cid:8) ( f, g ) ∈ S [ x ; σ ] | f u ≡ g mod x m (cid:9) , which is a left submodule of S [ x ; σ ] (note that the congruence mod x m does not depend on taking left or right modulo).Suitable elements of the solution module of minimal degreemay be found by adapting the Gröbner basis approach ofByrne and Fitzpatrick [10] (see also [14] for a more elementarydescription for codes over Z ), as described next.We consider a term order ≺ on the set of all terms { ( x n , | n ∈ N } ∪ { (0 , x n ) | n ∈ N } of S [ x ; σ ] , compatiblewith multiplication by x k ∈ S [ x ; σ ] for k ∈ N . Accordingly,for any nonzero pair in S [ X ; σ ] the leading term, leadingcoefficient and leading monomial can be defined with respectto ≺ . Concretely, we are going to use the term order given by (1 , ≺ (0 , ≺ ( x, ≺ (0 , x ) ≺ . . . .A left Gröbner basis of the module M is a generating set { ( f i , g i ) | i ∈ I } of M such that for all ( f, g ) ∈ M thereexists some i ∈ I such that lm( f i , g i ) left-divides lm( f, g ) .Since ( x m , and (0 , x m ) are in the solution module M , byadapting an argument in [10] one can show that M has a leftGröbner basis of the form B = { ( a , b ) , . . . , ( a r − , b r − ) , ( c , d ) , . . . , ( c r − , d r − ) } with lm( a i , b i ) = ( p i x λ i , and lm( c j , d j ) = (0 , p j x µ j ) for all ≤ i, j < r , for some decreasing sequences λ ≥ · · · ≥ λ r − and µ ≥ · · · ≥ µ r − , called minimal exponents .The following algorithm, derived from the method of “so-lution by approximations” of [10], efficiently computes a leftGröbner basis of the solution module M . Theorem 3 After completing step k in Algorithm 1 theset B k +1 is a left Gröbner basis of the module M k +1 := (cid:8) ( f, g ) ∈ S [ x ; σ ] | f u ≡ g mod x k +1 (cid:9) . In particular, the al-gorithm is correct.It has complexity O ( rm ) operations in S . Furthermore, wehave |B| = 2 r . lgorithm 1: SkewByrneFitzpatrick Input : u ∈ S [ x ; σ ] and m ∈ Z > Output: Left Gröbner basis of the left S [ x ; σ ] module M := (cid:8) ( f, g ) ∈ S [ x ; σ ] | f u ≡ g mod x m (cid:9) . let B := (cid:8) ( p i , | i ∈ { , . . . , r − } (cid:9) ∪ (cid:8) (0 , p i ) | i ∈ { , . . . , r − } (cid:9) for k ∈ { , . . . , m − } do for each ( f i , g i ) ∈ B k do compute the discrepancy ζ i := ( f i u − g i ) k (where ( · ) k denotes the k -th coefficient) for each ( f i , g i ) ∈ B k do if ζ i = 0 then put ( f i , g i ) ∈ B k +1 continue if there is ( f j , g j ) ∈ B k with lt( f j , g j ) ≺ lt( f i , g i ) and ζ j divides ζ i then put ( f i , g i ) − q ( f j , g j ) in B k +1 , where q ∈ S with ζ i = qζ j else put ( xf i , xg i ) in B k +1 return B m Proof: The correctness is proved by induction on k , byadapting the arguments in [10]. We briefly sketch it here. Let ( ˜ f i , ˜ g i ) be put in B k +1 in ℓ , ℓ or ℓ of the algorithm.First we claim that ( ˜ f i , ˜ g i ) ∈ M k +1 , for which we show that ( ˜ f i , ˜ g i ) ∈ M k and the discrepancy ( ˜ f i u − ˜ g i ) k vanishes.This is obvious in the case of ℓ . In ℓ we have ( ˜ f i , ˜ g i ) ∈M k , since ( f i , g i ) , ( f j , g j ) ∈ M k and M k is an S -module;moreover we have ( ˜ f i u − ˜ g i ) k = ( f i u − g i ) k − ( qf j u − qg j ) k =( f i u − g i ) k − q ( f j u − g j ) k = ζ i − qζ j = 0 . And in ℓ itis clear that ( ˜ f i , ˜ g i ) ∈ M k +1 , since x k | f i u − g i implies x k +1 | xf i u − xg i .Now let λ ≥ . . . ≥ λ r − and µ ≥ . . . ≥ µ r − , as wellas λ ′ ≥ . . . ≥ λ ′ r − and µ ′ ≥ . . . ≥ µ ′ r − be the minimalexponents of M k and M k +1 , respectively. From the inclusions x M k ⊆ M k +1 ⊆ M k we easily infer that λ i ≤ λ ′ i ≤ λ i +1 and µ j ≤ µ ′ j ≤ µ j +1 (1)for all ≤ i, j < r .Suppose that lm( f i , g i ) = ( p i x λ i , , then we claim thatif-condition of ℓ holds ⇐⇒ λ i = λ ′ i (2)(and a similar statement holds if lm( f j , g j ) = (0 , p j x µ j ) ).Indeed, if ℓ holds, then lm( ˜ f i , ˜ g i ) = lm( f i , g i ) , so that λ i = λ ′ i . Conversely, suppose that λ i = λ ′ i , thus there is (˜ a, ˜ b ) ∈ M k +1 such that lm(˜ a, ˜ b ) = ( p i x λ i , , and hencewe have (˜ a, ˜ b ) − ( f i , g i ) ∈ M k with lt((˜ a, ˜ b ) − ( f i , g i )) ≺ ( x λ i , . By the division algorithm we may write (˜ a, ˜ b ) − ( f i , g i ) = P α l ( a l , b l ) + P β l ( c l , d l ) with α l , β l ∈ S [ x ; σ ] and lt( a l , b l ) , lt( c l , d l ) ≺ ( x λ i , . For the discrepancy we thenfind ζ i − qζ j for some q ∈ S and some j with leading termless than ( x λ i , . Therefore, the condition in ℓ is satisfied.From (1) and (2) it follows that if B k is a Gröbner basisof M k , then B k +1 as produced by Algorithm 1 is a Gröbnerbasis of M k +1 , establishing the correctness.For the running time analysis, observe first that there are r pairs ( f i , g i ) in the Gröbner bases B k , and the degree ofthe polynomials f i , g i is in O ( m ) as it increases in each outerloop by at most . Hence the computation of each discrepancy in ℓ requires O ( m ) operations in S . The if-condition in ℓ caneasily be checked by considering the degrees and valuations;neglecting this cost we only take ℓ into account, which againneeds O ( m ) operations in S . Therefore, completing one step k of the outer loop amounts to O ( rm ) operations in S , whichresults in the stated overall unning time.IV. A N EW D ECODER FOR G ABIDULIN C ODES OVER G ALOIS R INGS In this section, we propose a new decoding algorithm forGabidulin codes over rings with quadratic complexity in thecode length. The first part of the decoder is to retrieve a skewpolynomial called annihilator polynomial , which vanishes onthe module spanned by the error vector. In the literature, thispolynomial is also called error span polynomial . We obtainthis by solving a syndrome-based key equation via the skewByrne–Fitzpatrick algorithm presented in the previous section.The second part of the algorithm uses a different kindof key equation, which involves the message polynomial ofthe transmitted codeword, to retrieve this message polynomialunder the condition that the rank of the error is small. This isdone using standard operations with skew polynomials, suchas interpolation and left and right division. Definition 2 Let e ∈ S n . An annihilator polynomial of e is aprimitive polynomial Λ ∈ S [ x ; σ ] of minimal degree such that Λ( e i ) = 0 for all i = 1 , . . . , n . Lemma 4 Let e ∈ S n . Any annihilator polynomial has degreeexactly t := rk( e ) . Moreover, if rk( e ) = frk( e ) , then there isa unique monic annihilator polynomial of e .Proof: By [8, Prop. 2.5] there exists a monic (henceprimitive) polynomial of degree t that vanishes on the e i . Thisimplies that an annihilator polynomial has degree at most t .Furthermore, by [8, Prop. 3.16], any polynomial of degree < t that vanishes on the e i cannot be primitive, which proves thatthe degree must be at least t . The second claim directly followsfrom [8].We need the following lemma to derive the key equation thatwe use for decoding. The statement generalizes the decompo-sition of the error’s matrix representation, which was alreadyused for decoding in [15]. The difference is that, over rings,the entries of a are not necessarily linearly independent, butthe rank profile of a coincides with the rank profile of e . Lemma 5 Let e ∈ S n and define t := rk( e ) . Then there is avector a ∈ S t with the same rank profile as e and a matrix B ∈ R t × n whose rows are linearly independent, such that e = aB . The entries of a form a minimal generating set of h e , . . . , e n i .Proof: Expand e ∈ S n into a matrix E ∈ R r × n . By theexistence of the Smith normal form, we can decompose E = A ′ D ′ B ′ , where A ′ ∈ R r × r and B ′ ∈ R n × n are invertiblematrices and D ′ ∈ R r × n is a diagonal matrix with diagonalentries p i , . . . , p i t , , . . . , with min { n, r } − t many zeros, where the powers ≤ i j < r correspond to the rank profile of E (which is the same asthe one of e ). Due to the min { n, r } − t zero entries on thediagonal of D , we can write E = ˜ ADB , where ˜ A consistsof the first t columns of A , D is the left-upper t × t submatrixf D ′ , and B consists of the first t rows of B ′ . Note thatthe columns of ˜ A and the rows of B are linearly independent.Define A := ˜ AD ∈ R r × n and observe that A has the samerank profile as E . We obtain a as in the claim by writing everycolumn of A as an element of S .For a received word r ∈ S n , we define the syndromepolynomial s r ( x ) := n − k − X i =0 (cid:16) n X j =1 σ i ( h j ) r j (cid:17) x i ∈ S [ x ; σ ] Let Λ be an annihi-lator polynomial of e . Then, there is a skew polynomial Ω ofdegree deg Ω < deg Λ such that Λ s e ≡ Ω mod x n − k , where s e ∈ S [ x ; σ ] Let r = c + e , where c ∈ C with messagepolynomial f and t := rk( e ) ≤ n − k . Let s = s r = s e bethe syndrome polynomial corresponding to r . Suppose that wehave two non-zero polynomials u, v ∈ S [ x ; σ ] such that: • u is primitive • us − v ≡ x n − k • deg u ≤ t • deg v < deg u Then u is an annihilator polynomial of e . In particular, itsdegree equals t . Furthermore, we have uR ≡ uf mod r G, where R is the unique interpolation polynomial of r , and G isthe (unique, since the g i are linearly independent) annihilatorpolynomial of the g i (which has degree n ).Proof: Due to deg v < t , t − < n − k and the congruence us − v ≡ x n − k , the skew polynomial u satisfies ( us ) i = 0 , for all i = t, . . . , t − , where ( us ) i denotes the i -th coefficient. Written as a linearsystem in the coefficients u , . . . , u t of u , we get σ ( s t ) σ ( s t − ) . . . σ t ( s ) σ ( s t +1 ) σ ( s t ) . . . σ t ( s ) ... ... . . . ...σ ( s t − ) σ ( s t − ) . . . σ t ( s t − ) | {z } =: S u u ...u t = ... Due to Lemma 5, there is an a ∈ S t with the same rankprofile as e and a matrix B ∈ R t × n whose rows are linearlyindependent, such that e = aB , and the entries of a are aminimal generating set of h e , . . . , e n i . Define d = [ d , . . . , d t ] := hB ⊤ and observe that the entries of d are linearly independentover R , since the both the entries of h and the rows of B are linearly independent. As in [16], we can decompose thematrix S as follows: S = DA ⊤ , with D := [ σ t + i ( d j )] ≤ i Let f, g ∈ S [ x ; σ ] ≤ n . The following operationswith skew polynomials over S can be implemented in O ( n ) operations in S :1) Multiplication ab , where a, b ∈ S [ x ; σ ] ≤ n .2) Left and right division of a by b , where a, b ∈ S [ x ; σ ] ≤ n and b is primitive.3) Computing the unique interpolation polynomial of { ( g i , r i ) } ni =1 , where the g i ∈ S are linearly independentover R and the r i ∈ S are arbitrary.4) Computing a monic annihilator polynomial of g , where g ∈ S n .5) Computing [ a ( g ) , . . . , a ( g n )] , where a ∈ S [ x ; σ ] ≤ n and g , . . . , g n ∈ S are linearly independent over R .roof: 1) is obvious by definition and 4) follows bycarefully analyzing the algorithm given in [8, Prop. 2.5].Ad 5): It costs O ( n ) operations to evaluate one polynomialof degree at most n . Hence, evaluating it at n points naivelycosts O ( n ) operations in S .Ad 2): If g is monic, division works as in the case of finitefields (see, e.g., [17, Alg. 2.1, Alg. 2.2]), i.e., in quadraticcomplexity. If g is not monic, then by the inductive procedureof [12, Lem. 13.5] one may construct in quadratic time a unitpolynomial u ∈ S [ x ; σ ] such that ug is monic; then divide f by ug . The multiplication ug costs at most O ( n ) operations,and we can use the quadratic decoder for division by a monicpolynomial.Ad 3): Using the recursive strategy in [18, Lem. 16] (whichapplies as well in the case of rings), one can compute aninterpolation polynomial at n points by • two interpolations at ≈ n/ points, • computing two annihilator polynomials of vectors oflength ≈ n/ , and • multiplication of two skew polynomials of degree ≈ n/ .Since the latter two kinds of operations have quadratic com-plexity, the master theorem implies that the overall complexityof interpolation is quadratic in n . Algorithm 2: Decoder Input : r ∈ F nq m Output: If there is a c = [ f ( g ) , . . . , f ( g n )] ∈ C with f ∈ S [ x ; σ ] SkewByrneFitzpatrick ( s, n − k ) ( λ, ω ) ← element of B of minimal degree amongall ( u, v ) ∈ B with deg u > deg v and u primitive R ← unique interpolation polynomial of { ( g i , r i ) } ni =1 G ← unique annihilator polynomial of the g , . . . , g n ψ ← λR rem r G ( f, ρ ) ← (quotient, rem.) of left division of ψ by λ if ρ = 0 and d R ( r , [ f ( g ) , . . . , f ( g n )]) ≤ n − k and deg f < k then return f else return “decoding failure” Theorem 9 Algorithm 2 is correct and has complexity O ( rn ) operations in S .Proof: Assume that there is a codeword c with messagepolynomial f and rank distance at most n − k to the receivedword. Define e := r − c and t := rk( e ) ≤ n − k .The skew Byrne–Fitzpatrick algorithm outputs a left Groeb-ner basis of the module M := (cid:8) ( u, v ) | us ≡ v mod x n − k (cid:9) . Hence, the output basis must contain a pair ( u, v ) ∈ M with u primitive, deg u > deg v , and deg u minimal amongthe pairs with these properties.By Lemma 6, there is a pair ( u, v ) = (Λ , Ω) with deg u = t that fulfills the properties above. Thus, the u of minimal degreehas degree at most t . Hence, since also t ≤ n − k , by Theorem 7 the polynomial u is a valid annihilator polynomial of the error e . Moreover, uR ≡ uf mod r G, where R and G are the unique polynomials computed inLines 5 and 6 of Algorithm 2, and f is the message polynomialcorresponding to the codeword c .Since deg uf = deg u + deg f < t + k − < n = deg G ,we obtain uf by right division of uR by G . This division iswell-defined since G is monic.Finally, we obtain the message polynomial f by left divisionof uf by u . This is possible since u is primitive.If there is no codeword with radius n − k around the receivedword, Line 9 ensures that the output is “decoding failure”.The complexity follows by Theorem 3 and the discussionson the complexity of operations with skew polynomials inLemma 8.The proof of the first claim in Theorem 7 works similarto its finite field analog (see, e.g., [16]). A difference isthat we need to take care that we use the correct kind ofdecomposition e = aB of the error. Furthermore, in the caseof finite fields, the obtained u is uniquely determined. Here,the polynomials u that satisfy the conditions of Theorem 7 are all valid annihilator polynomials of e (cf. Lemma 4 for thenumber of such polynomials). In our case, it is advantageousto calculate the message polynomial instead of the error values(as done in [16]) for complexity reasons: our method uses onlyoperations with quadratic (or faster) algorithms (cf. Lemma 8).On the other hand, we did not directly solve the key equation Λ R ≡ Λ f mod r G since we rely on an adaptation of theByrne–Fitzpatrick algorithm, which is only able to solve keyequations with moduli of the form x i .Theorem 9 shows that Algorithm 2 is asymptotically fasterthan Kamche and Mouaha’s Welch–Berlekamp-like decoder[8, Alg. 1]. The latter algorithm relies on solving a linearsystem of equations over S , which costs O ( n ω ) operations in S using Smith normal form (cf. [19]), where ≤ ω ≤ is theexponent of the used matrix multiplication algorithm (naive: ω = 3 , Strassen’s algorithm: ω ≈ . , currently best-known: ω ≈ . ). Since there is no complexity analysis of the otherdecoders in [8], Theorem 9 beats the previous best-known costbound on the complexity of decoding Gabidulin codes overGalois rings. V. F UTURE W ORK Our proposed decoding algorithm has quadratic complexity.However, the cost bounds in Lemma 8 can be reduced to sub-quadratic complexity using the results in [18], [20], [21] andthus, our approach might be improved such that it has sub-quadratic complexity.It would be interesting to find a variant of the Byrne–Fitzpatrick algorithm that can solve key equations with arbi-trary moduli. This would allow us to solve the key equation Λ R ≡ Λ f mod r G directly instead of the two-step process.In [13], algorithms of the same forms as the extended Eu-clidean, the Berlekamp–Massey and the Peterson–Gorenstein–Zierler algorithms were proposed for Galois rings. However,only the latter one was generalized to finite rings. An in-teresting open problem is the generalization of an extendedEuclidean like algorithm to finite rings and to propose a sub-quadratic speed-up. A CKNOWLEDGEMENT We would like to thank Johan Rosenkilde for the valuablediscussions. EFERENCES[1] M. P. Wilson, K. Narayanan, H. D. Pfister, and A. Sprintson, “Jointphysical layer coding and network coding for bidirectional relaying,” IEEE Transactions on Information Theory , vol. 56, no. 11, pp. 5641–5654, 2010.[2] B. Nazer and M. Gastpar, “Compute-and-forward: Harnessing inter-ference through structured codes,” IEEE Transactions on InformationTheory , vol. 57, no. 10, pp. 6463–6486, 2011.[3] C. Feng, D. Silva, and F. R. Kschischang, “An algebraic approachto physical-layer network coding,” IEEE Transactions on InformationTheory , vol. 59, no. 11, pp. 7576–7596, 2013.[4] N. E. Tunali, Y.-C. Huang, J. J. Boutros, and K. R. Narayanan, “Latticesover Eisenstein integers for compute-and-forward,” IEEE Transactionson Information Theory , vol. 61, no. 10, pp. 5306–5321, 2015.[5] C. Feng, R. W. Nóbrega, F. R. Kschischang, and D. Silva, “Commu-nication over finite-chain-ring matrix channels,” IEEE Transactions onInformation Theory , vol. 60, no. 10, pp. 5899–5917, 2014.[6] E. Gorla and A. Ravagnani, “An algebraic framework for end-to-endphysical-layer network coding,” IEEE Transactions on Information The-ory , vol. 64, no. 6, pp. 4480–4495, 2017.[7] D. Silva, F. R. Kschischang, and R. Kötter, “A rank-metric approach toerror control in random netw. coding,” IEEE Transactions on InformationTheory , vol. 54, no. 9, pp. 3951–3967, 2008.[8] H. T. Kamche and C. Mouaha, “Rank-metric codes over finite principalideal rings and applications,” IEEE Transactions on Information Theory ,vol. 65, no. 12, pp. 7718–7735, 2019.[9] P. Loidreau, “A Welch–Berlekamp Like Algorithm for DecodingGabidulin Codes,” Coding and Cryptography — Revised selected papersof WCC 2005 , vol. 3969, pp. 36–45, 2006. [10] E. Byrne and P. Fitzpatrick, “Hamming metric decoding of alternantcodes over galois rings,” IEEE Transactions on Information Theory ,vol. 48, no. 3, pp. 683–694, 2002.[11] S. Gao, “A New Algorithm for Decoding Reed–Solomon Codes,” Com-mun. Inform. Network Sec. , vol. 712, pp. 55–68, 2003.[12] B. R. McDonald, Finite rings with identity . Marcel Dekker Incorporated,1974, vol. 28.[13] P. Fitzpatrick, “On the key equation,” IEEE Transactions on InformationTheory , vol. 41, no. 5, pp. 1290–1302, 1995.[14] E. Byrne, M. Greferath, J. Pernas, and J. Zumbrägel, “Algebraic decodingof negacyclic codes over ̥ ,” Designs, codes and cryptography , vol. 66,no. 1-3, pp. 3–16, 2013.[15] E. M. Gabidulin, “Theory of codes with maximum rank distance,” Problemy Peredachi Informatsii , vol. 21, no. 1, pp. 3–16, 1985.[16] ——, “A fast matrix decoding algorithm for rank-error-correcting codes,”in Workshop on Algebraic Coding . Springer, 1991, pp. 126–133.[17] A. Wachter-Zeh, “Decoding of block and convolutional codes in rankmetric,” Ph.D. dissertation, University of Rennes 1 and Ulm University,2013.[18] S. Puchinger and A. Wachter-Zeh, “Fast operations on linearized poly-nomials and their applications in coding theory,” Journal of SymbolicComputation , vol. 89, pp. 194–215, 2018.[19] A. Storjohann, “Algorithms for Matrix Canonical Forms,” Ph.D. disser-tation, ETH Zurich, 2000.[20] X. Caruso and J. L. Borgne, “Some algorithms for skew polynomialsover finite fields,” arXiv preprint arXiv:1212.3582 , 2012.[21] X. Caruso and J. Le Borgne, “Fast multiplication for skew polynomi-als,” in