Chinese Remainder Codes: Using Lattices to Decode Error Correcting Codes Based on the Chinese Remaindering Theorem

Ragesh Jaiswal
University of California San Diego
([email protected])

1 Introduction

This report is an incomplete survey of Chinese Remaindering Codes. We study the work of
Goldreich, Ron and Sudan [GRS00] and Boneh [B02], which give unique and list-decoding algorithms
for an error correcting code based on the Chinese Remaindering Theorem. More specifically, we
will look at a decoding algorithm from [GRS00] which uniquely decodes up to
$$e \le (n-k) \cdot \frac{\log p_1}{\log p_1 + \log p_n}$$
errors. We will also look at a list-decoding algorithm ([GRS00]) which decodes up to
$n - \sqrt{2kn \frac{\log p_n}{\log p_1}}$ errors, and an improvement ([B02]) to
$n - \sqrt{kn \frac{\log p_n}{\log p_1}}$ errors. Here $k$ is the message length, $n$ is the
length of the codeword, and $p_1$ and $p_n$ are the smallest and largest of the relatively prime
integers used in the CRT code. We define them in the next section.

Organization of this report. In the next section we set up the basics required for the rest of
the report. In Section 3 we look at an algorithm due to Goldreich, Ron and Sudan [GRS00] for
unique decoding. In Section 4 we look at a list-decoding algorithm due to Goldreich, Ron and
Sudan [GRS00] and an improvement due to Boneh [B02]. Finally, we point out possible extensions
and briefly mention results from [GSM00] which indeed achieve some of the goals outlined there.

2 Preliminaries

In this section we set up the basics required for the report.

Definition 1. Let $p_1 < p_2 < \cdots < p_n$ denote positive integers which are pairwise relatively
prime. We denote $K = p_1 \cdot p_2 \cdots p_k$ (for some $k \le n$) and $N = p_1 \cdot p_2 \cdots p_n$.
Furthermore, for a subset $A \subseteq [n]$ we denote $P_A = \prod_{i \in A} p_i$.

We will need the following version of the Chinese Remaindering Theorem (CRT) throughout the
report. We omit the proof here.

Theorem 2 (Chinese Remaindering Theorem (CRT)). Given $K = p_1 \cdot p_2 \cdots p_k$ such that the
$p_i$'s are pairwise relatively prime, there is a one-one onto mapping between any integer
$x \in \mathbb{Z}_K$ and $\Phi(x) = (x \bmod p_1,\ x \bmod p_2,\ \ldots,\ x \bmod p_k) \in
\prod_{i=1}^{k} \mathbb{Z}_{p_i}$. In addition, there is an efficient procedure to compute the
mapping in either direction.

The following error correcting code can be designed based on the Chinese Remaindering Theorem
above.
CRT Code. Given relatively prime integers $p_1 < p_2 < \cdots < p_n$, $K = \prod_{i=1}^{k} p_i$ and a
message $m \in \mathbb{Z}_K$, the CRT code for $m$ is
$$\bar m = CRT(m) = \langle m_1, \ldots, m_n \rangle, \quad \text{where } m_i = m \bmod p_i.$$

We will need the following definitions for further analysis.

Definition 3. Given $\bar r = \langle r_1, \ldots, r_n \rangle$, $r_i \in \mathbb{Z}_{p_i}$, and
$\bar m = \langle m_1, \ldots, m_n \rangle$, $m_i \in \mathbb{Z}_{p_i}$, consider the sets
$$A(\bar r, \bar m) = \{\, i : r_i = m_i \,\} \quad\text{and}\quad D(\bar r, \bar m) = \{\, i : r_i \ne m_i \,\}.$$
In simpler words, $A$ denotes the subset of indices where $\bar r$ and $\bar m$ agree and $D$ denotes
the subset of indices where they disagree. Also, $P_A$ is called the amplitude of agreement between
$\bar r$ and $\bar m$ and similarly $P_D$ is called the amplitude of disagreement. Note that
$P_A \cdot P_D = N$.

Next, we show some simple properties of the above CRT code. Consider the following theorem,
which gives a unique decoding property of the CRT code.

Theorem 4. Given $\bar r = \langle r_1, \ldots, r_n \rangle$, $r_i \in \mathbb{Z}_{p_i}$, there is at
most one message $m \in \mathbb{Z}_K$ such that
$$|A(\bar r, CRT(m))| \ge \frac{n+k}{2}.$$
Proof. For the sake of contradiction, suppose there are two distinct messages $m_1, m_2 \in \mathbb{Z}_K$
such that $|D(\bar r, CRT(m_1))| \le (n-k)/2$ and $|D(\bar r, CRT(m_2))| \le (n-k)/2$. Let
$D_1 = D(\bar r, CRT(m_1))$ and $D_2 = D(\bar r, CRT(m_2))$. Consider the subset $D = D_1 \cup D_2$
and $A = [n] - D$. Clearly $|A| \ge k$, and since the $p_i$ are increasing, $P_A \ge K$. From the
CRT we have
$$m_1 \equiv m_2 \pmod{P_A},$$
but since $m_1, m_2 < K \le P_A$ we get that $m_1 = m_2$.

The above theorem shows that, information theoretically, it is possible to uniquely decode the
CRT code from up to $(n-k)/2$ errors. So the natural question that arises is, "how much error
can be tolerated algorithmically?", or in other words, "what is the bound on the number of errors
which can be corrected using an efficient algorithm?" We know that by using list-decoding we can
go beyond the information theoretic bound. So another interesting question is "how many errors
can be corrected using an efficient list-decoding procedure?"
In this report we answer the above questions. The report is essentially a survey of the two
main results [GRS00, B02] which look into them.

3 Unique Decoding

In this section we look at the algorithmic ideas for unique decoding. We start by looking at the
simple algorithm given in Algorithm 1. For unique decoding we assume that the number of errors is
smaller than $(n-k)/2$. We then analyse the efficiency and correctness of the algorithm.

Input: $\bar r = \langle r_1, \ldots, r_n \rangle$.
Output: The unique message $m \in \mathbb{Z}_K$ such that $P_{A(\bar r, CRT(m))} > N/E$.
Parameters: $E < \sqrt{N/(K-1)}$.

1. Find the $r \in \mathbb{Z}_N$ that uniquely maps to $\langle r_1, \ldots, r_n \rangle$ by the CRT.

2. Find integers $y, z$ with the following properties:
$$1 \le y \le E, \qquad 0 \le z \le N/E \qquad\text{and}\qquad y \cdot r \equiv z \pmod N.$$

3. Output $z/y$ if it is an integer.

Algorithm 1: Algorithm for unique decoding

Efficiency. We first show that the algorithm is efficient and then sketch the proof of correctness.
The efficiency of step 1 comes from the CRT (Theorem 2). Step 2 is essentially Integer Linear
Programming in a fixed number of variables (two), which has been shown to be solvable in polynomial
time (see [L83]).

Correctness. We show the correctness of the algorithm under the condition that
$$P_{D(\bar r, CRT(m))} < E, \qquad (1)$$
where the value of $E$ will be decided later. The proof of correctness is broken into two parts. First
we show that there exist integers $y, z$ with $1 \le y \le E$, $0 \le z \le N/E$ such that
$y \cdot r \equiv z \pmod N$. Secondly, given any such pair of integers $y, z$ we show that
$y \cdot m = z$, so that $z/y$ is the correct answer for $m$. The following claims show the two parts.

Claim 5. There exist integers $y, z$, $1 \le y \le E$, $0 \le z \le N/E$, such that $y \cdot r \equiv z \pmod N$.

Proof. We fix $1 \le y \le E$ and then show the existence of a $z$ satisfying the conditions of
the claim. For $D = D(\bar r, CRT(m))$ let $y = P_D$; then $y \le E$ by (1). Also note that
$y \cdot r \equiv y \cdot m \pmod{p_i}$ for all $i$: for $i \in D$ we have $p_i \mid y$, so
$y \cdot r \equiv 0 \equiv y \cdot m \pmod{p_i}$, and for $i \in [n] - D$ we have $r \equiv m \pmod{p_i}$.
So from the CRT we get $y \cdot r \equiv y \cdot m \pmod N$; take $z = y \cdot m$. Since $y \le E$,
$m \le K-1$ and $E < \sqrt{N/(K-1)}$, we have $z = y \cdot m \le E(K-1) < N/E$.

Claim 6. Given $1 \le y \le E$, $0 \le z \le N/E$ such that $y \cdot r \equiv z \pmod N$, we have $y \cdot m = z$.

Proof. Let $A = A(\bar r, CRT(m))$. For any $i \in A$ we have $z \equiv y \cdot r \equiv y \cdot m \pmod{p_i}$,
so from the CRT, $y \cdot m \equiv z \pmod{P_A}$. From (1) and $P_A \cdot P_D = N$ we know that
$P_A > N/E$. Also, since $y \le E$, $m \le K-1$ and $E < \sqrt{N/(K-1)}$, $y \cdot m < N/E$; and
$z \le N/E$ by definition. Both $y \cdot m$ and $z$ are therefore non-negative integers smaller than
$P_A$ which agree modulo $P_A$, so $y \cdot m = z$.

The above claims show that Algorithm 1 uniquely decodes a message $m$ provided that the amplitude
of agreement satisfies $P_{A(\bar r, CRT(m))} > N/E$. To translate this into the number of errors $e$
that can be corrected in the worst case, we consider the case when all $e$ errors happen in the
last $e$ coordinates (the ones with the largest moduli). Taking $E$ as large as the parameter
constraint allows gives $E^2 \approx N/K$, so (ignoring rounding) condition (1) holds whenever
$P_D^2 \le N/K$, i.e.
$$\prod_{i=n-e+1}^{n} p_i^2 \le \prod_{i=k+1}^{n} p_i, \qquad\text{equivalently}\qquad
\prod_{i=n-e+1}^{n} p_i \le \prod_{i=k+1}^{n-e} p_i.$$
The left side is at most $p_n^{e}$ and the right side is at least $p_1^{\,n-k-e}$, so
$e \log p_n \le (n-k-e) \log p_1$ suffices, which gives
$$e \le (n-k) \cdot \frac{\log p_1}{\log p_1 + \log p_n}.$$

4 List Decoding

4.1 A Simple List-Decoding Algorithm

The first list-decoding algorithm that we will look at in this section is due to [GRS00] and is a
simple generalization of the unique decoding algorithm. We define the algorithm and sketch the
proof.

Input: $\bar r = \langle r_1, \ldots, r_n \rangle$.
Output: The list of messages $m_1, \ldots, m_l \in \mathbb{Z}_K$ such that $\forall i$,
$P_{A(\bar r, CRT(m_i))} > 2(l+1)F$.
Parameters: $F = 2^{\frac{l+1}{2}} \cdot \sqrt{l+1} \cdot N^{\frac{1}{l+1}} \cdot K^{\frac{l+1}{2}}$,
$\quad l = \left\lceil \sqrt{\frac{2n \log p_n}{k \log p_1}} - 1 \right\rceil$.

1. Find the $r \in \mathbb{Z}_N$ that uniquely maps to $\langle r_1, \ldots, r_n \rangle$ by the CRT.

2. Find integers $c_0, \ldots, c_l$ with the following properties:
$$\forall i,\ |c_i| \le \frac{F}{K^i}, \qquad \sum_i c_i r^i \equiv 0 \pmod N \qquad\text{and}\qquad
\langle c_0, \ldots, c_l \rangle \ne \bar 0. \qquad (2)$$

3. Output all the integer roots of the polynomial $\sum_i c_i x^i$.

Algorithm 2: Algorithm for list decoding

We now analyse the efficiency and correctness of the algorithm.

Efficiency. Step 1 is trivial. We work with the assumption that there is an algorithm for step 3
which runs in time $O(l^3 (\log F)^3)$ and avoid going into the details for the purpose of this report.
For step 2 we construct a lattice and use LLL to get an approximate shortest vector, and then use
this vector to obtain the $c_i$'s which satisfy (2). The columns of the following $(l+2) \times (l+2)$
matrix form a basis for the lattice (the value of $M$ will be decided later):
$$B = \begin{pmatrix}
K^0 & 0 & 0 & \cdots & 0 & 0 \\
0 & K^1 & 0 & \cdots & 0 & 0 \\
0 & 0 & K^2 & \cdots & 0 & 0 \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & 0 & \cdots & K^l & 0 \\
M \cdot r^0 & M \cdot r^1 & M \cdot r^2 & \cdots & M \cdot r^l & M \cdot N
\end{pmatrix}$$

A general lattice vector in this lattice is given by
$$\begin{pmatrix} d_0 \cdot K^0 \\ d_1 \cdot K^1 \\ \vdots \\ d_l \cdot K^l \\
M \cdot \left( \sum_{i=0}^{l} d_i r^i + e \cdot N \right) \end{pmatrix}
\qquad \text{for integers } d_0, \ldots, d_l \text{ and } e.$$

We will show that there is a lattice vector $v$ such that the last coordinate of $v$ is $0$ and $\|v\|$
is small. This is done by the following argument: if the $d_i$'s are allowed to take certain large but
bounded integer values, there exist specific $d_i$'s such that $\sum_i d_i r^i \equiv 0 \pmod N$.
We can then use the upper bounds to get a bound on the shortest vector.

More specifically, let $0 \le d_i \le N^{\frac{1}{l+1}} \cdot K^{\frac{l+1}{2} - i}$, and consider the
function $f(d_0, \ldots, d_l) = \sum_i d_i r^i \bmod N$. The size of the domain of this function is
$$\prod_{i=0}^{l} N^{\frac{1}{l+1}} K^{\frac{l+1}{2} - i}
= N \cdot K^{\frac{(l+1)^2}{2} - \frac{l(l+1)}{2}} = N \cdot K^{\frac{l+1}{2}} > N,$$
which is larger than the size of the range ($N$), so two distinct inputs collide; taking their
difference gives integers $a_0, \ldots, a_l$ such that
$$\langle a_0, \ldots, a_l \rangle \ne \bar 0, \qquad \forall i,\ |a_i| \le N^{\frac{1}{l+1}} \cdot K^{\frac{l+1}{2} - i}
\qquad\text{and}\qquad f(a_0, \ldots, a_l) \equiv 0 \pmod N.$$
This implies that $\sum_i a_i r^i = e \cdot N$ for some integer $e$. Let us bound the size of the
lattice vector with $d_i = a_i$ and last coefficient $-e$. Its last coordinate is $0$, and every
other coordinate has absolute value $|a_i| K^i \le N^{\frac{1}{l+1}} \cdot K^{\frac{l+1}{2}}$. This
gives us that there is a nonzero lattice vector of size at most
$\sqrt{l+1} \cdot N^{\frac{1}{l+1}} \cdot K^{\frac{l+1}{2}}$. Since the LLL algorithm always returns a
lattice vector of size at most $2^{\frac{l+1}{2}}$ times the size of the shortest vector, the
algorithm is guaranteed to return a lattice vector of size at most
$F = 2^{\frac{l+1}{2}} \cdot \sqrt{l+1} \cdot N^{\frac{1}{l+1}} \cdot K^{\frac{l+1}{2}}$. So if we set
$M$ to be some integer $> F$, the last coordinate of the returned vector must be $0$ (a nonzero value
there is a multiple of $M$ and would by itself exceed $F$), and the vector gives integers $d_i$ such
that $\sum_i d_i r^i \equiv 0 \pmod N$ and $|d_i \cdot K^i| \le F$.

Correctness. Here we need to show that any message $m \in \mathbb{Z}_K$ whose amplitude of agreement
with $\bar r$ is $> 2(l+1)F$ will be a root of the polynomial $C(x) = \sum_i d_i x^i$. Let us first get
an upper bound on the absolute value that $C$ can take on a message. For $0 \le m < K$ we have
$|C(m)| \le \sum_i |d_i| K^i \le (l+1) \cdot F$. Now let $A = A(\bar r, CRT(m))$ with
$P_A > 2(l+1)F$. For any $i \in A$ we have $C(m) \equiv C(r) \equiv 0 \pmod{p_i}$, since
$r \equiv m \pmod{p_i}$ and $C(r) \equiv 0 \pmod N$. So from the CRT we get $C(m) \equiv 0 \pmod{P_A}$;
but $|C(m)| \le (l+1)F < P_A$, so $C(m) = 0$.

We can optimize the choice of the list size $l$ to get the best error bound. The following theorem
from [GRS00] fixes these parameters; we omit the proof in this report.

Theorem 7 ([GRS00]). Algorithm 2 with parameter $l = \left\lceil \sqrt{\frac{2n \log p_n}{k \log p_1}} - 1 \right\rceil$
solves the error-correction problem for
$$e < n - \sqrt{2(k+3)n \frac{\log p_n}{\log p_1}} - \frac{k+6}{2},$$
and the right-hand side is (slightly) less than $n - \sqrt{2kn \frac{\log p_n}{\log p_1}}$, the bound
quoted in the introduction.
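The following Python program is an added worked example, not code from this report or from [GRS00]/[B02]. It runs Algorithm 1 (Section 3) and Algorithm 2 (this subsection) on constructed instances: the moduli 5, 7, 11, 13, 17, 19 ($n = 6$) for unique decoding and the twelve moduli 5 through 43 for list decoding, with $k = 2$ in both cases ($K = 35$), and a channel that adds 1 to chosen coordinates. Three simplifications are assumptions of the example, not of the papers: step 2 of Algorithm 1 is solved by scanning $y = 1, \ldots, E$ instead of by Lenstra's integer programming (exact, but exponential in $\log E$, hence the small first instance); the list-size parameter $l$ of Algorithm 2 is passed explicitly ($l = 2$) rather than taken from Theorem 7, because for a toy $N$ the pigeonhole argument above needs $N^{1/(l+1)} K^{(l+1)/2 - l} \ge 1$, which fails for the formula's $l = 5$ here; and LLL is the textbook rational-arithmetic version with $\delta = 3/4$, adequate for the 4-dimensional lattice used. On the twelve-moduli instance the two decoders' guarantees cover the same worst case (4 errors at the four largest moduli: $P_D = 31 \cdot 37 \cdot 41 \cdot 43 \approx 2.0 \cdot 10^6$ against $E \approx 8.0 \cdot 10^6$ for Algorithm 1, and $P_A \approx 1.08 \cdot 10^9$ against $2(l+1)F \approx 7.9 \cdot 10^8$ for Algorithm 2), so the second half demonstrates the lattice mechanics rather than a gain over unique decoding. All names (SMALL, LARGE, corrupt, ...) are the example's own.

```python
from fractions import Fraction
from math import ceil, isqrt, prod, sqrt

# Constructed instances: pairwise coprime, increasing moduli; k = 2, so K = 5*7 = 35.
SMALL = [5, 7, 11, 13, 17, 19]                               # n = 6,  N ~ 1.6e6
LARGE = [5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43]       # n = 12, N ~ 2.2e15
K_LEN = 2

def crt_encode(m, moduli):
    """CRT code of m: <m mod p_1, ..., m mod p_n>."""
    return [m % p for p in moduli]

def crt_reconstruct(residues, moduli):
    """Theorem 2: the unique r in Z_N with r = r_i (mod p_i) for every i."""
    N = prod(moduli)
    r = 0
    for r_i, p in zip(residues, moduli):
        n_i = N // p
        r += r_i * n_i * pow(n_i, -1, p)
    return r % N

def corrupt(codeword, moduli, positions):
    """Constructed channel: add 1 (mod p_i) at each listed coordinate."""
    return [(c + 1) % p if i in positions else c
            for i, (c, p) in enumerate(zip(codeword, moduli))]

def amplitudes(received, codeword, moduli):
    """(P_A, P_D) of Definition 3."""
    P_A = prod(p for x, c, p in zip(received, codeword, moduli) if x == c)
    return P_A, prod(moduli) // P_A

def unique_decode(received, moduli, k):
    """Algorithm 1 with E the largest integer satisfying E^2 (K-1) < N.
    Step 2 is a two-variable integer program ([L83]); this demo scans y = 1..E,
    which is exact but exponential in log E, so only use it on SMALL-sized N."""
    N, K = prod(moduli), prod(moduli[:k])
    E = isqrt(N // (K - 1))
    while E * E * (K - 1) >= N:
        E -= 1
    r = crt_reconstruct(received, moduli)                     # step 1
    for y in range(1, E + 1):                                 # step 2
        z = (y * r) % N
        if z * E <= N and z % y == 0:                         # z <= N/E and z/y integral
            return z // y                                     # step 3
    return None                                               # no valid (y, z): P_D >= E

def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL with exact rational arithmetic (fine for the 4-dim lattice below)."""
    b = [[Fraction(x) for x in row] for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = b[i][:]
            for j in range(i):
                mu[i][j] = dot(b[i], bstar[j]) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):                        # size reduction
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                                            # Lovasz condition holds
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return [[int(x) for x in row] for row in b]

def list_decode(received, moduli, k, l):
    """Algorithm 2 with the list-size parameter l given explicitly (an assumption of this
    example; Theorem 7's formula is tuned for large N). Returns the integer roots in Z_K
    of C(x); every m with P_A > 2(l+1)F is among them."""
    N, K = prod(moduli), prod(moduli[:k])
    r = crt_reconstruct(received, moduli)                     # step 1
    F = ceil(2 ** ((l + 1) / 2) * sqrt(l + 1) * N ** (1 / (l + 1)) * K ** ((l + 1) / 2))
    M = F + 1                                                 # any M > F zeroes the last coordinate
    rows = []                                                 # basis vectors stored as rows
    for i in range(l + 1):
        row = [0] * (l + 2)
        row[i], row[-1] = K ** i, M * pow(r, i, N)            # r^i mod N spans the same lattice
        rows.append(row)
    rows.append([0] * (l + 1) + [M * N])
    short = next(v for v in lll_reduce(rows) if v[-1] == 0)  # exists because M > F
    coeffs = [short[i] // K ** i for i in range(l + 1)]       # c_i with |c_i K^i| <= F (step 2)
    return [m for m in range(K)                               # step 3, by scanning Z_K
            if sum(c * m ** i for i, c in enumerate(coeffs)) == 0]

if __name__ == "__main__":
    m = 23
    for pos in ([5], [0, 1], [4, 5]):
        rx = corrupt(crt_encode(m, SMALL), SMALL, pos)
        print("Alg.1 errors at", pos, amplitudes(rx, crt_encode(m, SMALL), SMALL),
              "->", unique_decode(rx, SMALL, K_LEN))
    rx = corrupt(crt_encode(m, LARGE), LARGE, [8, 9, 10, 11])
    print("Alg.2 errors at the 4 largest moduli ->", list_decode(rx, LARGE, K_LEN, 2))
```

On the small instance $E = 218$: one error at the modulus 19 ($P_D = 19$) and two errors at the moduli 5 and 7 ($P_D = 35$) are both decoded, while two errors at the moduli 17 and 19 ($P_D = 323 > E$) return either None or a wrong message, which is exactly the location dependence discussed in Section 5. Replacing $r^i$ by $r^i \bmod N$ in the last row only subtracts multiples of the last basis vector, so the lattice is unchanged and the entries stay small.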

4.2 A Better List-Decoding Algorithm

Here we look at the list-decoding algorithm due to Boneh [B02] which tolerates errors up to
$$n - \sqrt{kn \frac{\log p_n}{\log p_1}},$$
thus improving upon [GRS00]. The algorithm uses ideas from Coppersmith's algorithm, though
the basic idea remains the same. The essential idea (as also in the previous subsection) is to
construct a polynomial $C(x)$ such that every message $m$ which has high amplitude of agreement
$P_A$ with the given corrupted code $\bar r = \langle r_1, \ldots, r_n \rangle$ satisfies
$C(m) \equiv 0 \pmod{P_A^{a}}$ for some constant $a$ ($a$ was $1$ in the previous subsection). This,
in conjunction with the fact that for any message $m$, $|C(m)| < P_A^{a}$ (since the message space is
small), gives that $C(m) = 0$ for those messages that have high amplitude of agreement. Finally, these
messages are obtained by finding the roots of the polynomial $C(x)$.

[B02] deviates from [GRS00] in the definition of the amplitude of agreement. We will see later
how this helps us in defining the polynomial $C(x)$. Given a corrupted code
$\bar r = \langle r_1, \ldots, r_n \rangle$ and a message $m \in \mathbb{Z}_K$, the amplitude of
agreement is defined as
$$M = \gcd(N, m - r),$$
where $r \in \mathbb{Z}_N$ is such that $\forall i$, $r \equiv r_i \pmod{p_i}$. Note that the definition
does not change from [GRS00] if the $p_i$'s are prime. If not, then $M$ might contain certain prime
factors of $p_i$ even when $m \not\equiv r \pmod{p_i}$.
Now we define the construction of the polynomial. Consider the following sequence of polynomials:
$$g_i(x) = N^{a-i} \cdot (x - r)^i \qquad \text{for } i = 0, \ldots, a-1,$$
$$h_i(x) = (x - r)^a \cdot x^i \qquad \text{for } i = 0, \ldots, a'-1,$$
where $a$ and $a'$ will be decided later to optimize the bounds. Note that for any message $m$
(with $M = \gcd(N, m - r)$ as above, so $M \mid N$ and $M \mid (m - r)$):
$$g_i(m) \equiv 0 \pmod{M^a} \qquad \text{for } i = 0, \ldots, a-1,$$
$$h_i(m) \equiv 0 \pmod{M^a} \qquad \text{for } i = 0, \ldots, a'-1.$$
So any polynomial $C(x)$ which is an integer linear combination of the above polynomials satisfies
$C(m) \equiv 0 \pmod{M^a}$. Any such polynomial has degree at most $d - 1$, where $d = a + a'$ is the
number of polynomials. In addition, if we can somehow ensure that $\|C(Kx)\| < M^a / \sqrt{d}$
(see footnote 1), then a simple argument shows that $C(m) = 0$: for $0 \le m < K$ we have
$|C(m)| \le \sum_i |c_i| m^i \le \sum_i |c_i| K^i \le \sqrt{d} \cdot \|C(Kx)\| < M^a$, while
$M^a \mid C(m)$. To obtain a linear combination of polynomials, we construct a lattice from all
these polynomials and then look for a short lattice vector, which takes care of the second
requirement. Following is the description of the lattice. It represents the polynomials evaluated at
$Kx$, so the lattice vector that we find is interpreted as $C(Kx)$. The $d \times d$ matrix below is
upper triangular: column $j$ ($0 \le j < a$) lists the coefficients of $g_j(Kx) = N^{a-j}(Kx - r)^j$
and column $a + j'$ ($0 \le j' < a'$) those of $h_{j'}(Kx) = (Kx - r)^a (Kx)^{j'}$, row $t$ being the
coefficient of $x^t$:
$$B = \begin{pmatrix}
N^a & -N^{a-1} r & N^{a-2} r^2 & \cdots & N(-r)^{a-1} & (-r)^a & 0 & \cdots & 0 \\
0 & N^{a-1} K & -2 N^{a-2} r K & \cdots & \binom{a-1}{1} N (-r)^{a-2} K & \binom{a}{1} (-r)^{a-1} K & (-r)^a K & \cdots & 0 \\
0 & 0 & N^{a-2} K^2 & \cdots & \binom{a-1}{2} N (-r)^{a-3} K^2 & \binom{a}{2} (-r)^{a-2} K^2 & \binom{a}{1} (-r)^{a-1} K^2 & \cdots & \vdots \\
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & N K^{a-1} & \binom{a}{a-1} (-r) K^{a-1} & \binom{a}{a-2} (-r)^2 K^{a-1} & \cdots & \vdots \\
0 & 0 & 0 & \cdots & 0 & K^a & \binom{a}{a-1} (-r) K^a & \cdots & \vdots \\
0 & 0 & 0 & \cdots & 0 & 0 & K^{a+1} & \cdots & \vdots \\
\vdots & \vdots & \vdots & & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & 0 & \cdots & 0 & 0 & 0 & \cdots & K^{d-1}
\end{pmatrix}$$

Footnote 1: for a polynomial, $\left\| \sum_{i=0}^{d} c_i x^i \right\|^2 = \sum_{i=0}^{d} c_i^2$.
Since the above matrix is upper triangular, the determinant is simply the product of the
diagonal, which is
$$\det(B) = N^{a(a+1)/2} \cdot K^{d(d-1)/2}.$$
We run the LLL algorithm on this lattice to obtain a short lattice vector which we interpret as
$C(Kx)$. LLL guarantees a vector with norm bounded by $2^{d/2} \det(B)^{1/d}$, so we get
$$\|C(Kx)\| \le 2^{d/2} \det(B)^{1/d} = 2^{d/2} N^{a(a+1)/2d} \cdot K^{(d-1)/2}.$$
So if
$$M^a / \sqrt{d} > 2^{d/2} N^{a(a+1)/2d} \cdot K^{(d-1)/2},$$
then the roots of $C(x)$ include every message with amplitude of agreement $\ge M$. Choosing $a$
appropriately, it suffices that $M > N^{\epsilon}$, where
$$\epsilon = \sqrt{\frac{\log 4B}{\log P}} + \frac{5}{4d}$$
(in the notation of [B02], $B$ bounds the messages, our $K$, and $P$ is the modulus, our $N$). Using
this bound on the amplitude of agreement, we can compute the number of errors $e$ that can be
corrected in the worst case, which comes to at least
$$n - \sqrt{kn \frac{\log p_n}{\log p_1}}.$$

5 Further Questions

CRT codes differ from conventional codes in using an alphabet size that is not uniform. We used a
uniform notion of amplitude of agreement while decoding, as a result of which the amount of error
we can decode is conditioned on the locations where these errors happen. Note that we considered
the worst case to get a bound on $e$, but this is not really the worst case, as when restricted to the
places where the message agrees with the word there is a high amplitude of agreement. If we can
implement some kind of weighted update method to locate the positions which yield high amplitude
of agreement then we can correct more errors. Indeed, [GSM00] use similar ideas to uniquely decode
up to $e \le (n-k)/2$ errors.

Another way to look at the results is that the techniques shown in this report yield bounds
which depend on the ratio $\frac{\log p_n}{\log p_1}$. This means that the higher the discrepancy in
the alphabet size, the worse these bounds become. As pointed out earlier, since we are already using
a uniform notion for decoding, it should not be too difficult to remove the $\frac{\log p_n}{\log p_1}$
factor. Again, [GSM00] achieves this and gives a list-decoding algorithm which decodes up to
$n - \sqrt{k(n + \epsilon)}$ errors, where $\epsilon > 0$ is an arbitrarily small constant.

Finally, looking at the recent progress in list-decoding of variants of Reed-Solomon codes, it will
be interesting to look into the possibility of extending some of the ideas to CRT decoding.

References

[B02] D. Boneh. Finding Smooth Integers in Short Intervals Using CRT Decoding. Journal of
Computer and System Sciences (JCSS), Vol. 64, pp. 768–784, 2002.

[GRS00] O. Goldreich, D. Ron, M. Sudan. Chinese Remaindering with Errors. IEEE Trans. on
Information Theory 46(4):1330–1338, 2000.

[GSM00] V. Guruswami, A. Sahai, M. Sudan. "Soft-decision" Decoding of Chinese Remainder
Codes. Proc. FOCS 2000, pp. 83–96.

[L83] H. W. Lenstra. Integer Programming with a Fixed Number of Variables. Math. Operations
Res., vol. 8, pp. 538–548, 1983.