An algorithm for list decoding number field codes

An algorithm for list decoding nu mber field codes Jean-Franc ¸ ois Biasse Departmen t of Computer Science University of Calga ry 2500 Uni versity Drive NW Calgary , Alberta, Canada T2N 1N4 Email: biasse@lix.polytechn ique.fr Guillaume Quintin LIX ´ Ecole Polytechnique 91128 Palaiseau, France Email: quintin@lix.po lytechniq ue.fr Abstract —W e present an algorithm for list deco ding codewords of algebraic number field codes in polynomial time. This is the first explicit procedure for d ecoding number field codes whose construction were previously d escribed by Lenstra [1] and Guruswami [2]. W e rely on a n ew algorithm for computing the Hermite normal f orm of the basis of an O K -module d ue to Biasse and F ieker [3] where O K is the rin g of integers of a number field K . I . I N T R O D U C T I O N Algorithms for list deco ding Reed-Solomo n co des, and their generalizatio n th e algebraic-g eometric c odes ar e now well understoo d. The codew ords consist of sets of function s wh ose ev alua tion at a cer tain numb er of poin ts are sent, thu s allowing the receiver to retr iev e them provided th at the number of error s is m anageable. The idea behin d alg ebraic-g eometric codes can be ada pted to define algeb raic co des whose messages are en coded as a list o f residues red undant eno ugh to allow er rors du ring the transmission. The Chinese Remainder codes (CR T co des) ha ve been fairly studied by the c ommun ity [4], [5]. Th e enc oded messages ar e residues mo dulo N := p 1 , · · · , p n of nu mbers m ≤ K := p 1 · · · p k where p 1 < p 2 < · · · < p n are prim e number s. They are encod ed by using Z − → Z /p 1 × · · · × Z /p n m 7− → ( m mo d p 1 , · · · , m mo d p n ) . Decoding algorithm s for CR T c odes were significantly im- proved to reac h the same level of toleran ce to errors as those for Reed- Solomon cod es [6], [ 7], [4 ]. As algebraic-g eometric codes are a gener alization of Reed-Solomo n codes, the ide a arose that we could generalize th e results for CR T cod es to redund ant residue codes based on numbe r fields. Ind eed, we can easily d efine a n an alogue of the CR T codes where a number field K play s the ro le o f Q and its ring o f in tegers O K plays the ro le o f Z . Then, for prime ideals p 1 , · · · , p n such that N ( p 1 ) < · · · < N ( p n ) , a me ssage m ∈ O K can be encoded by u sing O K − → O K / p 1 × · · · × O K / p n c : m 7− → ( m mo d p 1 , · · · , m mo d p n ) . The con struction of good co des on numb er field s have been indepen dantly stud ied b y Le nstra [1] an d Gu ruswami [2]. They provid ed indic ations on how to chose n umber fields having go od p roperties for th e underly ing cod es. In p articular, Guruswami [2] showed the existance of asymptotically good number field co des, that is a family C i of [ n i , k i , d i ] q codes of increasing b lock length with lim inf k i n i > 0 and lim inf d i n i > 0 . Neither of th em co uld provide a decod ing algo rithm. In the conclud ing remar ks o f [2], Guruswami idendifies the ap plica- tion of the decoding p aradigm of [8 ], [9], [4 ] to number field codes as an ope n prob lem. Contribution: The main contribution o f this paper is to provide the first algo rithm for d ecoding numb er field cod es. W e first sh ow th at a direc t adap tation of an analogue of Coppersmith’ s theorem d ue to Cohn and He nninger [10] allows to follow the approach o f Bone h [6] which does not allow to reac h the Johnson bound. Then we adapt the d ecoding paradigm of [8, Chap . 7] to nu mber field cod es, by u sing methods f or m anipulating mo dules over the ring of integers of a number field recently d escribed in [3] to achieve th e Johso n bound . Throu ghout th is paper, we denote by K a number field of degree d , of discriminan t ∆ and of rin g o f integers O K . The prime ideals ( p i ) i ≤ n satisfy N ( p 1 ) < N ( p 2 ) < · · · < N ( p n ) , and we define N := Q i ≤ n N ( p i ) an d B := Q i ≤ k N ( p i ) for integers k , n such that 0 < k < n . Bef ore describ ing our algorithm in more details in the following sections, let us state the m ain re sult of the pape r . Theorem 1. Let ε > 0 , a nd a message m ∈ O K satisfying k m k ≤ B , th en th er e is a n algorithm that r etu rns all the messages m ′ ∈ O K such that k m ′ k ≤ B and th at c ( m ) a nd c ( m ′ ) have mutu al agreement t satisfying t ≥ p k ( n + ε ) . This algorithm is polyn omial in d , log ( N ) , 1 /ε and lo g | ∆ | . I I . G E N E R A L I T I E S O N N U M B E R FI E L D S Let K be a num ber field of degree d . It has r 1 ≤ d real em- bedding s ( θ i ) i ≤ r 1 and 2 r 2 complex embedd ings ( θ i ) r 1 0 and I ( O K an ideal. W e can find in polynom ial time all th e ω ∈ O K such that | ω | i := | σ i ( ω ) | ≤ λ i and N (gcd( f ( ω ) O K , I ) > N ( I ) β , pr ovided th at th e λ i satisfy Q i λ i < (2 + o (1)) − d 2 / 2 N ( I ) β 2 /l . Although not mentio ned in [1 0], a straigh tforward ad ap- tation o f Theor em 2 with β := r P i ≤ k log N ( p i ) P i ≤ n log N ( p i ) where 0 < k < n , I := Q i ≤ n p i and ∀ i, λ i := 1 2 n/ 2 Q i ≤ k N ( p i ) 1 /n provides a polyno mial time algor ithm fo r d ecoding n umber field co des. Theorem 3. Let ( r 1 , · · · , r n ) ∈ O n K and m ∈ O K satisfying ∀ i, m = r i mo d p i , then Theorem 2 a pplied to f ( ω ) := ω − m allows to r eturn in poly nomial time a list of m ′ ∈ O K with k m ′ k ≤ 1 2 n/ 2 Q i ≤ k N ( p i ) 1 /n that differ fr om m in at most e places wher e e < n − s k n log N ( p n ) log N ( p 1 ) . In the r est of the pa per , we present a method based on Guruswami’ s gen eral fr amew ork for residue co des [8] that allows us to get rid in th e depende ncy in log N ( p n ) log N ( p 1 ) in the decodin g bound thus reach ing the Johnso n bou nd. I V . J O H N S O N - T Y P E B O U N D F O R N U M B E R FI E L D S C O D E S A Johnso n-type boun d is a positive num ber J d ependin g on the distance, th e blocklen gth and th e cardin alities of th e Alphabets co nstituting the co de. It ga ranties that a “small” number of codewords ar e in any sphere of radius J . By “small” number, we mean a n umber of co dew ords which is linear in the code blockle ngth and the cardin ality of the code. In our case, the Johnson -type bo und for n umber fields c odes depen ds on ly on th e code b locklength and its m inimal d istance, a nd “sm all” means polynomial in P n i =1 log N ( p i ) . The Johnso n-type b ound of [ 8, Section 7. 6.1] remains valid for nu mber field codes. For any p rime ideal p ⊂ O K , the quotient O K / p is a finite field . Th us the i ’th symbol o f a codeword come s from an alphabet of size N ( p i ) = |O K / p i | and [8, T h. 7.10 ] can be ap plied. Let t be the lea st positive integer such that Q t i =1 N ( p i ) >  2 B d  d , wher e d = [ K : Q ] and let T = Q t i =1 N ( p i ) . Th en, by [2, Lem. 12] , the min imal hamming distance of th e number fields co de is at least n − t + 1 . Using [ 8, Th. 7 .10], we can show that f or a given message an d ε > 0 , only a “small” number o f codew ords satisfy n X i =1 a i > p ( t + ε ) n, (1) where a i = 1 if the codeword and the message ag ree at the i -th position, a i = 0 oth erwise. Thus, if o ur list decodin g alg orithm return s a ll the codewords having at most n − p ( t + ε ) n err ors then th is numb er is garantee d to be “sma ll”. Ther efore, the Johnson bound ap pears to be a g ood objective fo r our algo rithm. Note that we would derive a different b ound b y using weighted d istances. In particular, by u sing the log -we ighted hamming d istance i.e. d ( x, y ) = X i : x 6 = y mo d p i log N ( p i ) , the co ndition would be P n i =1 a i log N ( p i ) > p (log T + ε ) log N . V . G E N E R A L D E S C R I P T I O N O F T H E A L G O R I T H M In this section , we g iv e a high- lev el d escription of our decodin g algorithm . W e follow the appro ach of the gener al framework described in [ 8], mak ing the ar rangeme nts required in ou r context. Our co de is the set of m ∈ O K such that k m k ≤ B wh ere B = Q i ≤ k N ( p i ) . W e also define N := Q i ≤ n N ( p i ) . A co dew ord m is encoded via O K − → O K / p 1 × · · · × O K / p n m 7− → ( m mo d p 1 , · · · , m mo d p n ) . Let z 1 , · · · , z n be non-n egati ve real numbers, and let Z be a parameter . In this section , as well as in Section VI an d VII, we assume th at th e z i are integers. W e assume that we received a vector ( r 1 , · · · , r n ) ∈ Q i O K / p i . W e wish to retrieve all the codewords m su ch that P i a i z i > Z where a i = 1 if m mo d p i = r i and 0 o therwise (we say that m and ( r i ) i ≤ n have weighted agr eement Z ) . W e find the co dew ords m with desired weighted agreemen t by computing roo ts of a polyn omial c ∈ O K [ y ] that satisfies k m k ≤ B = ⇒ k c ( m ) k < F , (2) for an ap propr iate bou nd F . W e c hoose the p olynom ial c satisfying (2) in the ideal Q i ≤ n J z i i ⊆ O K [ y ] where J i = { a ( y )( y − r i ) + p · b ( y ) | a, b ∈ O K [ y ] and p ∈ p i } . W ith such a choice of a p olynom ial, we necessarily h av e c ( m ) ∈ Q i p z i a i i , whe re a i = 1 if c ( m ) mo d p i = r i , 0 otherwise. In par ticular , if c ( m ) 6 = 0 th en N ( c ( m )) ≥ Q i N ( p i ) z i a i . I n addition, we know fro m the arithmetic- geometric in equality that k c ( m ) k ≥ √ d N ( c ( m )) 1 /d . W e thus know that if th e weigh ted a greement satisfies X i ≤ n a i z i log N ( p i ) > − d 2 log( d ) + d log( F ) , (3) which in turns imp lies √ d ( Q i N ( p i ) z i a i ) 1 /d > F , then c ( m ) has to be zero, since otherwise it would contradict (2). Algorithm 1 Decod ing algorithm Require: O K , z 1 , · · · , z n , B , Z , r 1 , · · · , r n ∈ Q i O K / p i . Ensure: All m such that P i a i z i > Z . 1: Comp ute l a nd F . 2: Find c ∈ Q i ≤ n J z i i ⊆ O K [ y ] of d egree at most l such that k m k ≤ B = ⇒ k c ( m ) k < F . 3: Find all roo ts of c and repo rt those roots ξ such that k ξ k ≤ B and P i a i z i > Z . V I . E X I S T E N C E O F T H E D E C O D I N G P O L Y N O M I A L In this section, giv en weights ( z i ) i ≤ n , we prove the exis- tence of a polynom ial c ∈ Q i J z i i and a constant F > 0 such that for all k m k ≤ B , m ∈ O K , we have k c ( m ) k ≤ F . This proo f is not constru ctiv e. Th e actual com putation o f this polyno mial will be descr ibed in Section VI I. W e first need to estimate the number of elem ents of O K bound ed b y a gi ven size. Lemma 1. Let F ′ > 0 and 0 < γ < 1 , then the nu mber of x ∈ O K such that k x k ≤ F ′ is a t least $ π d/ 2 F ′ d 2 r 1 + r 2 − 1+ γ p | ∆ | Γ( d/ 2) % . Pr oof: As in [12, Chap. 5], we use th e standar d r esults o f Minkowski theory for our pu rposes. More precisely , there is an isomorph ism f : K R − → R r 1 +2 r 2 and a scalar pro duct ( x, y ) := P i ≤ r 1 x i y i + P r 1 m 2 d det( λ ) , th en #( f ( x ) ∩ λ ) ≥ m . As V ol( X ) = 2 r 2  2 π d/ 2 F ′ d / Γ( d/ 2)  and det( λ ) = p | ∆ | , we have the desired result. Then, we mu st derive from Lem ma 1 an analogue of [8, Lemma 7.6] in o ur co ntext. This lemma allows us to estimate the num ber of polynom ials of degree l satisfying ( 2). T o simplify the exp ressions, we use the following no tation in the rest of the paper α d, ∆ ,γ := π d/ 2 2 r 1 + r 2 − 1+ γ p | ∆ | Γ( d/ 2) . Lemma 2 . F or positive in te gers B , F ′ , the number of po ly- nomials c ∈ O K [ y ] of de gr ee at most l satisfying (2) is at least α d, ∆ ,γ  F ′ ( l + 1) B l/ 2  d ! l +1 . Pr oof: Let c ( y ) = c 0 + c 1 y + · · · + c l y l . W e want the c i ’ s to satisfy k c i m i k < F ′ / ( l + 1) whenever k m k ≤ B . This is the case when k c i k < F ′ / ( B i ( l + 1 )) . By Lemma 1 , th ere ar e at least α d, ∆ ,γ  F ′ / (( l + 1) B i )  d possibilities fo r c i . Theref ore, the n umber of po lynomials c satisfying (2) is at least ( α d, ∆ ,γ ) l +1  F ′ l + 1  l +1 l Y i =0 B − i ! d , which finishes th e pr oof. Now that we kn ow how to estimate the numb er of c ∈ O K [ y ] or degree a t most l satisfying ( 2), we need to find a lower boun d o n F to ensure that we can find such a polyno mial in Q i J z i i . The following lemma is an equ i valent of [8, Lemma 7.7]. Lemma 3 . Let l , B , F b e po sitive integ ers, ther e exists c ∈ Q i J z i i satisfying ( 2) pr ovided th at F > 2( l + 1) B l/ 2 1 ( α d, ∆ ,γ ) 1 /d Y i N ( p i ) ( z i +1 2 ) ! 1 d ( l +1) . (4) Pr oof: Let us apply Lemma 2 to F ′ = F / 2 . There are at least α d, ∆ ,γ  F / 2 ( l + 1) B l/ 2  d ! l +1 polyno mial c ∈ O K [ y ] satisfying k m k ≤ B ⇒ k c ( m ) k < F / 2 . In add ition, we kn ow from [8, Coro llary 7.5] that Q i |N ( p i ) | ( z i +1 2 ) ≥ |O K [ y ] / Q i J z i i | , which im plies that if (4) is satisfied, then necessarily α d, ∆ ,γ  F / 2 ( l + 1) B l/ 2  d ! l +1 >      O K [ y ] / Y i J z i i      . This means th at ther e are at least two distinct polyn omials c 1 , c 2 ∈ O K [ y ] of degree at most l suc h that ( c 1 − c 2 ) ∈ Q i J z i i and k c 1 ( m ) k , k c 2 ( m ) k < F / 2 whenever k m k ≤ B . The choice o f c := c 1 − c 2 finishes the pr oof. V I I . C O M P U TA T I O N O F T H E D E C O D I N G P O LY N O M I A L Let l > 0 be an integer to be determined later . T o co mpute c ∈ Q i J z i i of degree at most l satisfying (2), we need to find a sho rt pseudo -basis of the sub O K -modu le M ∩ Q i J z i i of K l +1 where M is the O K -modu le of the elements of O K [ y ] of degree at most l emb edded in K l +1 via P i c i y i → ( c i ) . W e first compute a peud o-gene rating set for each M ∩ J z i i , then we compute a pseudo -basis for their intersection, and we fin ally call the algorithm of [13] to produ ce a short peu do-basis of M ∩ Q i J z i i from wh ich we der i ve c . An algorithm f or co mputing a p seudo-ba sis of the intersec- tion of two m odules gi ven by their pseu do basis is described by Cohen in [11, 1.5.2] . It r elies on the HNF algorithm fo r O K -modu les. Th e HNF alg orithm p resented in [11, 1.4 ] is not po lynomial, but a variant rece ntly presen ted in [3] enjoys this pro perty . W e can th erefore app ly [11, 1.5 .2] with th e HNF of [3] succ essi vely for each p seudo-b asis of M ∩ J z i i to produce a pseudo-basis o f M ∩ Q i J z i i . Algorithm 2 Compu tation of the d ecoding po lynomia l Require: ( p i , z i ) i ≤ n , l , N , B , F such th at ∃ c ∈ Q i J z i i of degree at most l satisfying (2) fo r F , and th e encode d message ( r 1 , · · · , r n ) ∈ Q i O K / p i . Ensure: c ∈ Q i J z i i satisfying (2) for F ′ = 2 dl 2 √ l + 1  2 2+ d (6+3 d ) d 3 | ∆ | 2+ 11 2 d  F of degree at most l . 1: for i ≤ n do 2: ˜ z i ← min( z i , l ) . 3: For 0 ≤ j ≤ ˜ z i : a i j ← p z i − j i , a i j ← ( y − r i ) j . 4: For 1 ≤ j ≤ l − z i : a i j ← O K , a i j ← y j ( y − r i ) z i . 5: Let  ( a i j ) , ( a i j ) j ≤ l +1  be a pseu do matrix for M ∩ J z i i . 6: end for 7: Comp ute a pseudo -basis [( c i ) , ( c i )] i ≤ l +1 of M 1 = M ∩ Q i J z i i . 8: Dedu ce a pseudo ba sis [( d i ) , ( d i )] i ≤ l +1 of th e mo dule M 2 giv en by ( v 0 , v 1 , · · · , v l ) ∈ M 1 ⇐ ⇒ ( v 0 , v 1 · B , · · · , v l · ( B ) l ) ∈ M 2 . 9: Let [( b i ) , ( b i )] i ≤ l +1 be a short p eudo-b asis of M 2 obtained with the red uction alg orithm o f [1 3]. 10: Let x 1 , x 2 be a short basis of b 1 obtained with [13, Th. 3]. 11: return c ∈ M 1 correspo nding to x 1 b 1 ∈ M 2 . V I I I . G O O D W E I G H T S E T T I N G S T o der i ve our m ain resu lt, we ne ed to con sider weights z i > 0 in R rather than Z . Let β d, ∆ ,γ := d 3 − d 2 2 3(1+ d (2+ d )) | ∆ | 2+ 11 2 d α d, ∆ ,γ 1 d , then by combinin g (3), (4) an d Algorithm 2, we know that giv en ( r 1 , · · · , r n ) ∈ Q i ≤ n O K / p i , l > 0 , B = Q i ≤ k N ( p i ) and inte ger weights z i > 0 , Algorith m 2 return s a polynom ial c of degree at most l such that all m ∈ O K satisfying k m k ≤ B and X i ≤ n a i z i log N ( p i ) ≥ l 2 log(2 d 2 B d ) + 3 d 2 log( l + 1 ) + 1 l + 1 X i ≤ n  z i + 1 2  log N ( p i ) + log β d, ∆ ,γ , (5 ) (where a i = 1 if m mo d p i = r i , 0 othe rwise) are roots of c . In th e fo llowing, we no longer assume the z i to be integers. Howe ver, we will use our p revious results with the integer weights z ∗ i := ⌈ Az i ⌉ for a sufficently large integer A to be determined . Proposition 1. Let ε > 0 , non-negative r ea ls z i , B = Q i ≤ k N ( p i ) , and an encoded message ( r 1 , · · · , r n ) ∈ Q i O K / p i , th en ou r algorith m finds all the m ∈ O K such that k m k ≤ B and X i ≤ n a i z i log N ( p i ) ≥ v u u u t log(2 d 2 B d )   X i ≤ n z 2 i log N ( p i ) + εz 2 max   , wher e a i = 1 if m mo d p i = r i , 0 othe rwise. Pr oof: Note that we can assume withou t loss of generality that z max = 1 . Let z ∗ i = ⌈ Az i ⌉ for a su fficently large in teger A , which thus satisfies Az i ≤ z ∗ i < Az i + 1 . Th e de coding condition (5 ) is met whenever X i ≤ n a i z i log N ( p i ) ≥ l 2 A log(2 d 2 B d ) + 3 d 2 A log( l + 1 ) + A 2( l + 1) X i ≤ n  z 2 i + 3 A z i + 2 A 2  log N ( p i ) + 1 A log β d, ∆ ,γ . (6) Let Z i := z 2 i + 3 A z i + 2 A 2 for i ≤ n and l :=     A s P i ≤ n Z i log N ( p i ) log(2 d 2 B d )     − 1 . W e assume that A ≥ log(2 d 2 B d ) , which ensures that l > 0 . For this choice of l , condition (6) is satisfied whenever X i ≤ n a i z i log N ( p i ) ≥ 3 d 2 A log   A s P i ≤ n Z i log N ( p i ) log(2 d 2 B d ) + 1   + v u u u t log(2 d 2 B d )   X i ≤ n Z i log N ( p i )   + 1 A log β d, ∆ ,γ . (7) Assume that A ≥ 10 log N ε and A ≥ log β d, ∆ ,γ log N , then f or N large enoug h, the right side of (7) is at most O  log log N log N  + v u u u t log(2 d 2 B d )   X i ≤ n z 2 i log N ( p i ) + ε 2   ≤ v u u u t log(2 d 2 B d )   X i ≤ n z 2 i log N ( p i ) + ε   The d egree l of our d ecoding po lynomial c is ther efore polyno mial in lo g N , 1 ε , d and log | ∆ | . By [14, 2.3 ], we kn ow that the com plexity to find the roots of c is polynom ial in d , l and in the logarithm of the heigh t of c , which we alread y proved to be po lynomial in the desired values. Corollary 1. Let ε > 0 , k < n and prime ideals p 1 , · · · p n satisfying N ( p i ) < N ( p i +1 ) and log N ( p k +1 ) ≥ max(2 dk log N ( p k ) , 2 d 2 ) , then with the pr evious no tations, our a lgorithm fin ds a list of all codewor d s which agr ee with a r eceived wor d in t places pr ovided t ≥ p k ( n + ε ) . Pr oof: Th e proo f is similar to the one of [8, Th. 7.14 ]. The main difference is that we define δ := k − log(2 d 2 B d ) log N ( p k +1 ) which satisfies δ ≥ 0 since b y assumption log N ( p k +1 ) ≥ max(2 dk log N ( p k ) , 2 d 2 ) . W e ap ply Proposition 1 with z i = 1 / log N ( p i ) for i ≥ k + 1 , z i = 1 / log N ( p k +1 ) for i ≤ k , and ε ′ = ε/ log N ( p k +1 ) . It allows us to re triev e the cod ew ords whose number o f ag reements t is at least v u u t log(2 d 2 B d ) log N ( p k +1 ) log( B ) log N ( p k +1 ) + n X i = k +1 N ( p k +1 ) log N ( p i ) + ε ′ ! ≤ δ + v u u t log(2 d 2 B d ) log N ( p k +1 ) log( 2 d 2 B d ) log N ( p k +1 ) + n X i = k +1 N ( p k +1 ) log N ( p i ) + ε ! . This co ndition is met whenever t ≥ δ + p ( k − δ )( n − δ + ε ) . From the Cauchy -Schwartz inequality , w e notice that p k ( n + ε ) ≥ p ( k − δ )( n − δ + ε ) , which p roves that our dec oding algorith m works when t ≥ p k ( n + ε ) . I X . C O N C L U S I O N W e pr esented the fir st m ethod for list de coding nu mber field codes. A straightfo rward ap plication o f Th eorem 2 allo ws to derive a decod ing algorith m in polyno mial time. Howe ver, we cannot achieve the Johnson boun d with th is m ethod. T o solve this pr oblem, we describ ed an analo gue of the CR T list decodin g algo rithm for code s based on nu mber fields. This is the first algorithm allo wing list decoding of number field codes up to the Johnson bo und. W e followed the approa ch of [8, Ch. 7] that provides a general f rameworks for list d ecoding of algebraic codes, along with its app lication to CR T co des. Th e modification s to make th is strategy efficient in th e context of number fields are substan tial. W e need ed to refer to the theor y of mod ules over a Ded ekind dom ain, and caref ully analyse the process of intersecting them, as well as finding short elemen ts. W e proved th at o ur algorithm is polyn omial in the size of the input, th at is in d , log( N ) , log | ∆ | and 1 ε . A C K N O W L E D G M E N T The first author would like to than k Guillaume Hanr ot for his helpfu l comments on the a pproach based o n Copper smith’ s theorem. R E F E R E N C E S [1] H. Lenstra, “Codes from algebrai c number fields, ” in Mathematics and computer scienc e II, Fundamental contributi ons in the Nethe rlands since 1945 , ser . CWI Monograph, M. Hazewi nkel , J. Lenstra, and L . L. Meerte ns, E ds., vol. 4, North-Holland, Amsterdam, 1986, pp. 94–104. [2] V . Guruswami, “Construc tions of codes from number fields, ” IEEE T ransaction s on Information Theory , vo l. 49, no. 3, pp. 594–603, 2003. [3] J.-F . Biasse and C. Fieker , “ A polynomial time algorit hm for computing the hnf of a module ov er the intege rs of a number field, ” 2012, http:/ /www .lix.polytec hnique.fr/ biasse/papers/ HNF pol.pdf. [4] V . Guruswa mi, A. Sahai, and M. Sudan, “Soft-dec ision decoding of chinese remainder codes, ” in Pr oceedi ngs of the 41st Annual Symposium on F oundations of Comput er Sci ence . W ashington, DC, USA: IEEE Computer Society , 2000, pp. 159–168. [5] D. Mandelbau m, “On a class of arithmetic codes and a decoding algorit hm (corresp.), ” IEEE T ransactio ns on Information Theory , vo l. 22, pp. 85–88, 1976. [6] D. Boneh, “Finding sm ooth inte gers in short interva ls using crt decodin g, ” in Pr oceedi ngs of the thirty-second annual ACM symposium on Theory of computing , ser . STOC ’00. Ne w Y ork, NY , USA: A CM, 2000, pp. 265–272. [Online]. A vai lable : http:/ /doi.acm.or g/10.1145/3 35305.335337 [7] O. Goldreic h, D. Ron, and M. Sudan, “Chinese remaindering with errors, ” in Pr oceedings of the thirty-fir st annual ACM symposium on Theory of computing , ser . STOC ’99. Ne w Y ork, NY , USA: A CM, 1999, pp. 225–234. [8] V . Guruswami, List Decoding of Er r or-Correc ting Codes: W inning Thesis of the 2002 ACM Doctoral Dissertation Compet ition (Lectur e Notes in Computer Scien ce) . Secaucus, NJ , USA: Springer -V erlag New Y ork, Inc., 2005. [9] V . Guruswami and M. Sudan, “Improv ed decoding of reed-solomon and alge braic-ge ometric codes, ” in IEEE Symposium on F oundations of Computer Science , vol. 5, 1999, pp. 28–39. [10] H. Cohn and N. Heninger , “Ideal forms of coppersmith’ s theorem and gurusw ami-sudan list decodi ng, ” in Proce edings of Innov ations in computer science , 2011. [11] H. Cohen, Advanced topics in computati onal algebraic number theory , ser . Graduate T exts in Mathematic s. Springer -V erlag, 1991, vol. 193. [12] J. Neukirch , A lge braic number theo ry , ser . Comprehensi ve Studies in Mathemat ics. Springe r-V erla g, 1999, iSBN 3-540-65399-6. [13] C. Fiek er and D. Stehl´ e, “Short bases of lattices ov er number fields, ” in Algorithmi c Number Theory , 9th Internati onal Symposium, A NTS- IX, Nancy , F rance, July 19-23, 2010. Pr oceedings , ser . L ecture Notes in Computer Science, G. Hanrot, F . Morain, and E. Thom ´ e, Eds., vol. 6197. Springer , 2010, pp. 157–173. [14] A. A yad, “ A lectu re on the complexit y of fact oring polynomia ls over global fields, ” Internati onal Mathemati cal F orum , vol. 5, no. 10, pp. 477–486, 2010.