Syndrome Encoding and Decoding of BCH Codes in Sublinear Time Excerpted from Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data
Authors
Abstract
We show that the standard decoding algorithm for BCH codes can be modified to run in time polynomial in the length of the syndrome. This works for BCH codes over any field GF(q), which include Hamming codes in the binary case and Reed-Solomon codes for the case n = q − 1. BCH codes are handled in detail in many textbooks (e.g., [vL92]); our presentation here is quite terse. For simplicity, we only discuss primitive, narrow-sense BCH codes here; the discussion extends easily to the general case. The algorithm discussed here has been revised due to an error pointed out by Ari Trachtenberg. Its implementation is available [HJR].

We’ll use a slightly non-standard formulation of BCH codes. Let n = q^m − 1 (in the common binary case, q = 2). We will work in two finite fields: GF(q) and a larger extension field F = GF(q^m). BCH codewords, formally defined below, are then vectors in GF(q)^n. In most common presentations, one indexes the n positions of these vectors by discrete logarithms of the elements of F*: position i, for 1 ≤ i ≤ n, corresponds to α^i, where α generates the multiplicative group F*. However, there is no inherent reason to do so: the positions can be indexed by elements of F directly rather than by their discrete logarithms. Thus, we say that a word has value p_x at position x, where x ∈ F*. If one ever needs to write down the entire n-character word in an ordered fashion, one can choose arbitrarily a convenient ordering of the elements of F (e.g., by using some standard binary representation of field elements); for our purposes this is not necessary, as we do not store entire n-bit words explicitly, but rather represent them by their supports: supp(v) = {(x, p_x) | p_x ≠ 0}. Note that for the binary case, we can define supp(v) = {x | p_x ≠ 0}, because p_x can take only two values: 0 or 1.
Our choice of representation will be crucial for efficient decoding: in the more common representation, the last step of the decoding algorithm requires one to find the position i of the error from the field element α^i. However, no efficient algorithms for computing discrete logarithms are known if q^m is large (indeed, a lot of cryptography is based on the assumption that no such efficient algorithm exists). In our representation, the field element α^i will in fact be the position of the error.
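The following is an added illustration, not the paper's own implementation [HJR]: a binary narrow-sense BCH decoder for n = 15 (F = GF(2^4), t = 2) that works purely on supports, i.e. on sets of nonzero field elements as described above. Syndromes are computed by summing x^j over the support only, and the error locator's roots are inverted to obtain the error positions directly as field elements, so no discrete logarithm is ever taken. The field (primitive polynomial x^4 + x + 1), the sample codeword and the injected errors are all constructed here; the root search over F* is exhaustive for clarity, which is the linear-in-n step the paper's sublinear algorithm replaces.

```python
from functools import reduce
from operator import xor

# Constructed parameters: F = GF(2^4) built from x^4 + x + 1, n = 2^4 - 1 = 15.
M = 4
N = (1 << M) - 1          # n = q^m - 1
PRIM_POLY = 0b10011       # x^4 + x + 1
T = 2                     # designed distance 5: corrects up to 2 errors, uses 2t = 4 syndromes


def gf_mul(a: int, b: int) -> int:
    """Multiply two GF(2^4) elements (ints 0..15), reducing modulo PRIM_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):
            a ^= PRIM_POLY
    return r


def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^4)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def gf_inv(a: int) -> int:
    """x^(2^m - 1) = 1 for all nonzero x, so x^(2^m - 2) is the inverse."""
    return gf_pow(a, N - 1)


def syndrome(support: set[int]) -> list[int]:
    """S_j = sum of x^j over x in supp(v), for j = 1..2t.

    Cost is proportional to |supp(v)|: the other n - |supp(v)| positions are never touched."""
    return [reduce(xor, (gf_pow(x, j) for x in support), 0) for j in range(1, 2 * T + 1)]


def berlekamp_massey(S: list[int]) -> list[int]:
    """Error locator Lambda(z) = prod (1 - x_i z), coefficients from z^0 upward."""
    n_syn = len(S)
    C = [1] + [0] * n_syn      # current connection polynomial
    B = [1] + [0] * n_syn      # previous one, kept for corrections
    L, m, b = 0, 1, 1
    for n in range(n_syn):
        d = S[n]               # discrepancy between prediction and S[n]
        for i in range(1, L + 1):
            d ^= gf_mul(C[i], S[n - i])
        if d == 0:
            m += 1
            continue
        coef = gf_mul(d, gf_inv(b))
        saved = C[:]
        for i in range(n_syn + 1 - m):
            C[i + m] ^= gf_mul(coef, B[i])   # subtraction is xor in characteristic 2
        if 2 * L <= n:
            L, B, b, m = n + 1 - L, saved, d, 1
        else:
            m += 1
    return C[:L + 1]


def poly_eval(poly: list[int], z: int) -> int:
    """Horner evaluation of a GF(2^4) polynomial at z."""
    acc = 0
    for c in reversed(poly):
        acc = gf_mul(acc, z) ^ c
    return acc


def decode(received: set[int]) -> set[int]:
    """Return the corrected support; raise if more than t errors are detected."""
    S = syndrome(received)
    if not any(S):
        return set(received)
    lam = berlekamp_massey(S)
    # Lambda(z) vanishes at z = x^-1 for every error position x.  Because positions are
    # field elements, inverting a root already yields the position: no discrete log.
    errors = {gf_inv(z) for z in range(1, N + 1) if poly_eval(lam, z) == 0}
    if len(lam) - 1 > T or len(errors) != len(lam) - 1:
        raise ValueError("more than t errors: locator degree does not match its root count")
    return received ^ errors    # flip the located positions


# Constructed codeword: support of the generator polynomial g(x) = 1 + x^4 + x^6 + x^7 + x^8
# of the (15, 7) binary BCH code, i.e. the positions {a^0, a^4, a^6, a^7, a^8} = {1, 3, 12, 11, 5}.
CODEWORD = {1, 3, 5, 11, 12}

if __name__ == "__main__":
    received = CODEWORD ^ {7, 9}                # two constructed bit flips
    print("syndromes:", syndrome(received))      # nonzero, so errors are present
    print("corrected:", sorted(decode(received)))
```

Every vector in the code has zero syndromes, which is why the all-ones word (support = all of F*) also decodes as a codeword: the sum of x^j over the cyclic group F* is 0 for 1 ≤ j ≤ 4.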
Similar references
Public Key Cryptosystems with Noisy Secret Keys
Passwords bootstrap symmetric and asymmetric cryptography, tying keys to an individual user. Biometrics are intended to strengthen this tie. Unfortunately, biometrics exhibit noise between repeated readings. Fuzzy extractors (Dodis et al., Eurocrypt 2004) derive stable symmetric keys from noisy sources. We ask if it is also possible for noisy sources to directly replace private keys in asymmetr...
Reusable Fuzzy Extractors for the Set Difference Metric and Adaptive Fuzzy Extractors
A Fuzzy Extractor (Dodis et al., Eurocrypt 2004) is a two-step protocol that turns a noisy secret into a uniformly distributed key R. To eliminate noise, the generation procedure takes as input an enrollment value ω and outputs R and a helper string P that enables further reproduction of R from some close reading ω′. Boyen highlighted the need for reusable fuzzy extractors (CCS 2004) that remain ...
Practical Reusable Fuzzy Extractors for the Set Difference Metric and Adaptive Fuzzy Extractors
A fuzzy extractor (Dodis et al., Eurocrypt 2004) is a pair of procedures that turns a noisy secret into a uniformly distributed key R. To eliminate noise, the generation procedure takes as input an enrollment value ω and outputs R and a helper string P that enables further reproduction of R from some close reading ω′. Boyen highlighted the need for reusable fuzzy extractors (CCS 2004) that remain...
The Implementation of Fuzzy Extractor is Not Hard to Do: An Approach Using PUF Data
The extraction of a stable signal from noisy data is very useful in applications that aim to combine it with a cryptographic key. An approach based on an error correcting code was proposed by Dodis et al., which is known as a fuzzy extractor. Physical unclonable functions (PUFs) generate device-specific data streams, although PUFs are noisy functions. In this paper, we describe a method for pre...