Generalization of low rank parity-check (LRPC) codes over the ring of integers modulo a positive integer

Following the work of Gaborit et al. (in: The International Workshop on Coding and Cryptography (WCC 13), 2013) defining LRPC codes over finite fields, Renner et al. (in: IEEE International Symposium on Information Theory, ISIT 2020, 2020) defined LRPC codes over the ring of integers modulo a prime power, inspired by the paper of Kamche and Mouaha (IEEE Trans Inf Theory 65(12):7718–7735, 2019), which explored rank-metric codes over finite principal ideal rings. In this work, we extend the work of Renner et al. by constructing LRPC codes over the ring $\mathbb{Z}_m$, which is not a chain ring when m is not a prime power. We give a decoding algorithm and study the failure probability of the decoder.

In this paper, we partially answer this question by extending the construction of LRPC codes to the residue rings $\mathbb{Z}_m$, with m not necessarily a power of a prime. We derive a decoder from that of Renner et al. and analyze its failure probability.
The article is organized as follows: Sect. 2 recalls the basic notions of the Smith normal form of a matrix, the rank metric over FPIRs and Galois extensions of an FPIR; Sect. 3 presents our main result, a more general definition of LRPC codes over the rings $\mathbb{Z}_m$; Sect. 4 describes the decoding of this generalization over $\mathbb{Z}_m$ and studies the failure probability of the decoder.
Throughout this paper, unless otherwise specified, we assume that R is a finite commutative principal ideal ring (FPIR for short), that is, R is finite and all its ideals are principal.

Preliminaries
In this section, we provide the basic notions needed on FPIRs. As in the case of finite fields, we need a rank metric for LRPC codes to evaluate the distance between codewords; it is defined using the Smith normal form of a matrix. We also recall the construction of Galois extensions of an FPIR.

Smith normal form and rank metric
An element $a \in R$ is said to be invertible (or a unit) if there exists $b \in R$ such that $ab = 1$. For $a, b \in R$, we say that a divides b, written $a \mid b$, if there exists $c \in R$ such that $b = ca$. We denote by $M_{m\times n}(R)$ the set of all $m \times n$ matrices with entries from R. The $n \times n$ identity matrix is denoted by $I_n$.
An $m \times n$ matrix D is diagonal if $D_{i,j} = 0$ whenever $i \neq j$. If D is a diagonal matrix in $M_{m\times n}(R)$, we write $D = \mathrm{diag}(d_1, \dots, d_r)$, where $r = \min\{m, n\}$ and $d_i = D_{i,i}$, $i = 1, \dots, r$.
Theorem 2.1 [3] For every matrix $A \in M_{m\times n}(R)$, there exist two invertible matrices P, Q and a diagonal matrix $D = \mathrm{diag}(d_1, \dots, d_r)$ with $d_1 \mid d_2 \mid \cdots \mid d_r$ such that $A = PDQ$. The elements $d_1, \dots, d_r$ are unique up to associates.

It is well known that the rank of a matrix defined from its Smith normal form (Definition 2.3) is a norm on the set of matrices with entries from an FPIR [3]. However, in the context of rank-metric coding, we need that metric on vectors with entries from a ring. The idea is to consider a ring S larger than the initial FPIR R (S is called an extension of R); the objective is to view vectors with coefficients in S as matrices with coefficients in R and to use the norm defined above.

Galois extension of finite local rings
Let R and S be two rings. We say that S is an extension of R if $R \subseteq S$. Suppose R and S are finite and local, with residue fields $K = R/\mathfrak{m}$ and $\bar K = S/\mathfrak{M}$ respectively, where $\mathfrak{m}$ and $\mathfrak{M}$ are their maximal ideals, and such that $R \subset S$. Then S is said to be a separable extension of R if $\mathfrak{m}S = \mathfrak{M}$. In this case, $\bar K$ is a separable field extension of K. Theorem 4.3.1 of [2] gives an equivalent definition of separable extensions in terms of the following projection. Here, the projection is the epimorphism $\mu : S \to S/\mathfrak{M} = \bar K$, and the projection of a polynomial f(x) is the polynomial whose coefficients are the images of its coefficients under μ.
An R-automorphism of S is an automorphism $\varphi : S \to S$ whose restriction to R is the identity map on R, i.e., $\varphi|_R = 1_R$.

Definition 2.5 [2] The ring S is a Galois extension of R with Galois group G if S is a separable extension of R and, for every $s \in S$, $\varphi(s) = s$ for all R-automorphisms $\varphi \in G$ if and only if $s \in R$ (that is, R is the fixed ring of G).

Theorem 2.6 [2] The Galois extension S of R of degree r is a free R-module of rank r and is unique up to isomorphism.

Remark 2.7 Combining Theorem 5.1.5 and Corollary 5.1.6 of [2], a local extension S of a finite local ring R is a Galois extension if and only if there exists a monic basic irreducible polynomial

Remark 2.9
Consider in particular the ring $R = \mathbb{Z}_{p^r}$. Its maximal ideal is $p\mathbb{Z}_{p^r}$. To construct its Galois extension of degree s, take a monic polynomial $f(x) \in \mathbb{Z}_{p^r}[x]$ of degree s whose projection on $\mathbb{Z}_p$ is irreducible. The Galois extension is then $\mathbb{Z}_{p^r}[x]/(f(x))$, and the Galois group is generated by

Analogously to the case of finite field extensions, we have the following definition of the rank metric of a vector over a finite Galois extension of an FPIR.

Definition 2.10 Let S be a finite Galois extension of degree r of the FPIR R. Then S is a free R-module of rank r. Let $x = (x_1, \dots, x_n) \in S^n$ be a vector and $\{\beta_1, \dots, \beta_r\}$ a basis of S over R. Then, for $i = 1, \dots, n$, there exists $(x_{j,i})_{j=1,\dots,r} \in R^r$ such that
$$x_i = \sum_{j=1}^{r} x_{j,i}\,\beta_j .$$
Thus, we can represent x by the matrix
$$E(x) = (x_{j,i})_{1 \le j \le r,\ 1 \le i \le n} \in M_{r\times n}(R),$$
whose i-th column holds the coordinates of $x_i$ in the basis $\{\beta_1, \dots, \beta_r\}$. The rank of x is then defined as the rank of the matrix E(x) over R, as given in Definition 2.3, using the Smith normal form of E(x).
This definition is important, since we will deal with vectors with entries from a Galois extension of an FPIR. In the remainder, unless otherwise specified, we assume that all vectors are free vectors, that is, for any vector x, $\mathrm{frk}(x) = \mathrm{rk}(x)$ (the free rank equals the rank); this common value will be called the rank of x.
Following the generalization of Gabidulin codes [4] to FPIRs [6], it was recently shown in [7] that LRPC codes [5] can be defined over the small class of rings of integers modulo a prime power. The authors of [7] also provided a decoding algorithm together with an upper bound on its failure probability.
We now proceed, in the next section, to our result: the extension of LRPC codes to the ring $\mathbb{Z}_m$ for any positive integer m.

Generalization of LRPC codes to the ring of integers modulo a positive integer
Let us consider the ring $\mathbb{Z}_m$, where $m \in \mathbb{N}$. If m is a prime power, then we know how to define LRPC codes over $\mathbb{Z}_m$ [7]. We focus here on the case where m is not a prime power. In this case, writing $m = p_1^{n_1} \cdots p_k^{n_k}$ with $p_j$ distinct prime numbers, the Chinese Remainder Theorem gives the ring isomorphism
$$\mathbb{Z}_m \cong \mathbb{Z}_{p_1^{n_1}} \oplus \cdots \oplus \mathbb{Z}_{p_k^{n_k}},$$
which is the direct-sum decomposition of $\mathbb{Z}_m$. In view of presenting our contribution to the generalization of LRPC codes over $\mathbb{Z}_m$, we need to highlight some concepts on direct sums of modules and rings, especially the construction of a Galois extension of a direct sum of rings. Let $\{R_1, \dots, R_k\}$ be a family of rings (or modules). We denote by $R = R_1 \oplus \cdots \oplus R_k$ their direct sum; it is the set of elements $(a_1, \dots, a_k)$, also written $a_1 + \cdots + a_k$, where $a_i \in R_i$.
We identify an element $T = T_1 + \cdots + T_k$ with the k-tuple $(T_1, \dots, T_k)$ and vice versa. In this way, all operations are carried out component-wise; that is, we adopt the following operations:
$$(a_1, \dots, a_k) + (b_1, \dots, b_k) = (a_1 + b_1, \dots, a_k + b_k), \qquad (a_1, \dots, a_k)\cdot(b_1, \dots, b_k) = (a_1 b_1, \dots, a_k b_k).$$
Thus, we can also identify a polynomial $H \in R[x]$ with a k-tuple of polynomials $(H_1, \dots, H_k)$, $H_i \in R_i[x]$, obtained by applying this identification to each coefficient. The polynomial H is said to be monic, irreducible or basic irreducible if and only if its components are monic, irreducible or basic irreducible, respectively.

Theorem 3.2 [6]
Let $S_1, \dots, S_k$ be k local Galois extensions of the finite local rings $R_1, \dots, R_k$, respectively. Then $S = S_1 \oplus \cdots \oplus S_k$ is a Galois extension of the ring $R = R_1 \oplus \cdots \oplus R_k$, where S and R are endowed with the component-wise operations given in Definition 3.1.

Construction of a Galois extension of Z m
As in the finite field case, LRPC codes are defined over an extension of the base ring $\mathbb{Z}_m$, which plays the role of the vector space in the field case: there, the code is a vector subspace of $\mathbb{F}_{q^m}^n$ over the extension field $\mathbb{F}_{q^m}$.
The following proposition is the application of Theorem 3.2 to the ring $\mathbb{Z}_m$.

Proof From the Fundamental Theorem of Arithmetic, m decomposes uniquely as a product of prime powers, $m = p_1^{n_1} \cdots p_k^{n_k}$, where the $p_j$ are distinct prime numbers and $n_j \in \mathbb{N}^*$ for $1 \le j \le k$. From the Chinese Remainder Theorem, we get the ring isomorphism
$$R_m := \mathbb{Z}_m \cong R_{m,1} \oplus \cdots \oplus R_{m,k}, \qquad R_{m,i} := \mathbb{Z}_{p_i^{n_i}} .$$
Each $R_{m,i}$ is a finite local ring with a Galois extension $S_{m,i} = R_{m,i}[x]/(f_i(x))$ of degree s, $f_i$ monic basic irreducible (Remark 2.9), so by Theorem 3.2 the ring $S_{m,s} := S_{m,1} \oplus \cdots \oplus S_{m,k}$ is a Galois extension of degree s of $\mathbb{Z}_m$. Indeed, an extension of $\mathbb{Z}_m$ can only be defined as a direct sum (or product) of extensions of the rings $R_{m,i}$. This means that defining an LRPC code over an extension of $\mathbb{Z}_m$ amounts to defining an LRPC code over a direct sum of ring extensions.
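The construction above, carried out concretely as an added example (this is not code from the paper): for a composite m we pick, modulo each prime $p_i$, a monic polynomial irreducible over $\mathbb{F}_{p_i}$, lift its coefficients to $\mathbb{Z}_m$ by the Chinese Remainder Theorem, and obtain a single monic $f \in \mathbb{Z}_m[X]$ with $S_{m,s} = \mathbb{Z}_m[X]/(f)$. The function `componentwise_check` then verifies that a product computed in $S_{m,s}$ projects onto the products computed in each component Galois ring, which is the component-wise structure of Theorem 3.2. Assumptions not in the paper: the degree s is 2 or 3, so that irreducibility over $\mathbb{F}_p$ can be decided by the absence of roots, and the polynomial chosen is simply the lexicographically first irreducible one; all function names are ours.

```python
# Added worked example (not the paper's code): building the Galois extension
# S_{m,s} = Z_m[X]/(f(X)) of Z_m for composite m, as in Remark 2.9 and
# Theorem 3.2, by CRT-lifting one basic irreducible polynomial from each
# factor ring Z_{p_i^{n_i}}.  Assumption (not from the paper): 2 <= s <= 3,
# so that irreducibility over F_p can be decided by the absence of roots.
from itertools import product


def prime_power_factors(m):
    """m = p_1^{n_1} ... p_k^{n_k}, returned as [(p_1, n_1), ..., (p_k, n_k)]."""
    out, p = [], 2
    while p * p <= m:
        if m % p == 0:
            n = 0
            while m % p == 0:
                m //= p
                n += 1
            out.append((p, n))
        p += 1
    if m > 1:
        out.append((m, 1))
    return out


def poly_eval(coeffs, x, q):
    """Evaluate sum_i coeffs[i] * x^i modulo q by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def irreducible_mod_p(coeffs, p):
    """A monic polynomial of degree 2 or 3 over F_p is irreducible iff it has no root in F_p."""
    if not 2 <= len(coeffs) - 1 <= 3:
        raise ValueError("root test decides irreducibility only for degree 2 or 3")
    return all(poly_eval(coeffs, x, p) != 0 for x in range(p))


def basic_irreducible(p, s):
    """First monic degree-s polynomial (coeffs[i] = coefficient of X^i) irreducible over F_p."""
    for low in product(range(p), repeat=s):
        coeffs = list(low) + [1]
        if irreducible_mod_p(coeffs, p):
            return coeffs
    raise ValueError("no irreducible polynomial found")


def crt(residues, moduli):
    """Chinese remaindering: x with x = r_i mod q_i for pairwise coprime moduli q_i."""
    m = 1
    for q in moduli:
        m *= q
    x = 0
    for r, q in zip(residues, moduli):
        big = m // q
        x += r * big * pow(big, -1, q)
    return x % m


def galois_extension_poly(m, s):
    """Monic f in Z_m[X] of degree s whose projection modulo each p_i is irreducible
    over F_{p_i}: Z_m[X]/(f) is then the direct sum of the Galois rings
    Z_{p_i^{n_i}}[X]/(f mod p_i^{n_i}) of degree s (Theorem 3.2)."""
    factors = prime_power_factors(m)
    moduli = [p ** n for p, n in factors]
    comps = [basic_irreducible(p, s) for p, _ in factors]
    return [crt([c[i] for c in comps], moduli) for i in range(s + 1)]


def mul_mod(a, b, f, q):
    """Product of a, b in Z_q[X]/(f), f monic of degree s; elements are lists of s coefficients."""
    s = len(f) - 1
    prod_ = [0] * (2 * s - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod_[i + j] = (prod_[i + j] + ai * bj) % q
    for d in range(2 * s - 2, s - 1, -1):      # replace X^d by X^{d-s} * (X^s - f)
        c = prod_[d]
        if c:
            for i in range(s + 1):
                prod_[d - s + i] = (prod_[d - s + i] - c * f[i]) % q
    return prod_[:s]


def reduce_mod(a, q):
    """Project the coefficients of a from Z_m to Z_q (q | m): the component in Z_q[X]/(f mod q)."""
    return [c % q for c in a]


def componentwise_check(m, s, a, b):
    """Multiply a, b in S_{m,s} and verify that the result projects onto the product
    computed in every component Galois ring, i.e. the operations are component-wise."""
    f = galois_extension_poly(m, s)
    ab = mul_mod(a, b, f, m)
    for p, n in prime_power_factors(m):
        q = p ** n
        if reduce_mod(ab, q) != mul_mod(reduce_mod(a, q), reduce_mod(b, q), reduce_mod(f, q), q):
            return False
    return True
```

For m = 6 and s = 2 this yields $f = X^2 + 3X + 1$: modulo 2 it is $X^2 + X + 1$ and modulo 3 it is $X^2 + 1$, both irreducible, so $S_{6,2} = \mathbb{Z}_6[X]/(X^2 + 3X + 1) \cong \mathbb{F}_4 \oplus \mathbb{F}_9$; for m = 12 the same components lift to $X^2 + 9X + 1$, whose reduction modulo 4 is the basic irreducible $X^2 + X + 1$ over $\mathbb{Z}_4$.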

Some properties on the Galois extension S m,s of Z m
We denote by $M_{p\times q}(S_{m,s})$ the set of $p \times q$ matrices with entries from $S_{m,s}$.
Lemma 3.5 Every matrix $P \in M_{p\times q}(S_{m,s})$ can be written in a unique way as $P = P_1 + \cdots + P_k$ with $P_l \in M_{p\times q}(S_{m,l})$, $l = 1, \dots, k$; conversely, every such sum belongs to $M_{p\times q}(S_{m,s})$.

Proof We already know that each element of $S_{m,s}$ is a unique sum of elements of the $S_{m,i}$. Let $P = (P_{i,j}) \in M_{p\times q}(S_{m,s})$. Since $P_{i,j} \in S_{m,s}$, we have $P_{i,j} = P_{i,j,1} + \cdots + P_{i,j,k}$ with $P_{i,j,l} \in S_{m,l}$, hence
$$P = \begin{pmatrix} P_{1,1,1} + \cdots + P_{1,1,k} & \cdots & P_{1,q,1} + \cdots + P_{1,q,k} \\ \vdots & \ddots & \vdots \\ P_{p,1,1} + \cdots + P_{p,1,k} & \cdots & P_{p,q,1} + \cdots + P_{p,q,k} \end{pmatrix} = P_1 + \cdots + P_k, \qquad P_l \in M_{p\times q}(S_{m,l}),\ l = 1, \dots, k,$$
with $(P_l)_{i,j} = P_{i,j,l}$. The decomposition of the entries of P is unique, so is that of P. Thus, every matrix $P \in M_{p\times q}(S_{m,s})$ is a unique sum of matrices with entries from the $S_{m,i}$. The converse is obvious: given any sum of matrices with entries from the $S_{m,i}$, the matrix whose entries are the sums of the entries at the same positions lies in $M_{p\times q}(S_{m,s})$.

Lemma 3.6 Let $P = P_1 + \cdots + P_k \in M_{p\times q}(S_{m,s})$ be such that $\mathrm{rk}(P) = r$. Then $\mathrm{rk}(P_i) = r$, $i = 1, \dots, k$.
Proof Let $I = \{i_1, \dots, i_r\}$ be such that the rows $L(P)_e$, $e \in I$, of P are linearly independent over $S_{m,s}$ (where $L(P)_e$ denotes the e-th row of P), r being the largest integer for which such a set exists.

Then the rows of the matrices $P_i$ at the same positions I are linearly independent: a linear combination $\sum_{e \in I} \lambda_e L(P)_e$ with $\lambda_e = \lambda_{e,1} + \cdots + \lambda_{e,k}$ vanishes if and only if each component $\sum_{e \in I} \lambda_{e,i} L(P_i)_e$, $i = 1, \dots, k$, vanishes, so a non-trivial dependence among the rows $L(P_i)_e$, $e \in I$, of some $P_i$ would give a non-trivial dependence among the rows $L(P)_e$, $e \in I$, of P. Note that this holds exactly at the same positions.

If r were not the maximum for the matrices $P_i$, we could find $r + 1$ rows of the matrices $P_i$ (taken at the same positions in every $P_i$) that are linearly independent; by the same component-wise argument, the corresponding $r + 1$ rows of P would be linearly independent, contradicting the maximality of r.

Hence $M = M_1 \oplus \cdots \oplus M_k$, by uniqueness of the decomposition over $S_{m,s}$.
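The rank computation underlying Definition 2.10 and Lemmas 3.5 and 3.6, as an added example (not code from the paper): a matrix over $\mathbb{Z}_m$ is reduced modulo each $p_i^{n_i}$, a Smith normal form is computed in each chain ring $\mathbb{Z}_{p_i^{n_i}}$ (where an entry of minimal p-adic valuation divides every other entry, so the usual elimination is exact), and the invariant factors over $\mathbb{Z}_m$ are read off through the Chinese Remainder Theorem. Assumptions not reproduced on the page: rank means the number of nonzero invariant factors and free rank the number of unit ones (as in Kamche and Mouaha); the factorisation of m is passed in by hand; function names are ours. The example also shows why the standing assumption that vectors are free matters: over $\mathbb{Z}_{12}$ the non-free matrix $\begin{pmatrix} 2 & 4 \\ 0 & 6 \end{pmatrix}$ has rank 2 but component ranks 2 and 1, whereas for a free matrix all component ranks equal the rank, as Lemma 3.6 states.

```python
# Added worked example (not the paper's code): rank of a matrix or vector over
# Z_m computed component-wise through Z_m = Z_{p_1^{n_1}} + ... + Z_{p_k^{n_k}}
# (Lemmas 3.5 and 3.6, Definition 2.10).  Assumed definitions, since the page
# does not reproduce Definition 2.3: rank = number of nonzero invariant factors
# of the Smith normal form, free rank = number of unit invariant factors.
# The factorisation of m is supplied by hand as [(p_1, n_1), ..., (p_k, n_k)].


def valuation(a, p, n):
    """p-adic valuation of a in Z_{p^n}; v = n encodes a = 0, v = 0 means a is a unit."""
    a %= p ** n
    if a == 0:
        return n
    v = 0
    while a % p == 0:
        a //= p
        v += 1
    return v


def snf_valuations(A, p, n):
    """Smith normal form over the chain ring Z_{p^n}. Returns the valuations
    v_1 <= v_2 <= ... of the invariant factors: the j-th factor is associate to
    p^{v_j}, and v_j = n means that it is zero."""
    q = p ** n
    M = [[x % q for x in row] for row in A]
    rows, cols, vals = len(M), len(M[0]), []
    for t in range(min(rows, cols)):
        # Pivot on an entry of minimal valuation in the trailing block: in a
        # chain ring it divides every other entry there, so elimination is exact.
        v, i, j = min((valuation(M[a][b], p, n), a, b)
                      for a in range(t, rows) for b in range(t, cols))
        if v == n:                                  # trailing block is zero
            vals.extend([n] * (min(rows, cols) - t))
            break
        M[t], M[i] = M[i], M[t]
        for row in M:
            row[t], row[j] = row[j], row[t]
        unit_inv = pow(M[t][t] // p ** v, -1, q)     # pivot = p^v * unit
        for a in range(t + 1, rows):                # clear column t below the pivot
            c = (M[a][t] // p ** v) * unit_inv % q  # exact quotient M[a][t] / pivot
            M[a] = [(x - c * y) % q for x, y in zip(M[a], M[t])]
        for b in range(t + 1, cols):                # clear row t right of the pivot
            c = (M[t][b] // p ** v) * unit_inv % q
            for a in range(rows):
                M[a][b] = (M[a][b] - c * M[a][t]) % q
        vals.append(v)
    return vals


def rank_profile(A, factors):
    """(rank, free rank, [rank over each Z_{p_i^{n_i}}]) of A over Z_m.
    By the CRT, the j-th invariant factor over Z_m is the tuple of the j-th
    component factors: it is zero iff every component is zero, and a unit iff
    every component is a unit (Lemma 3.5 applied to the Smith normal forms)."""
    comps = [snf_valuations(A, p, n) for p, n in factors]
    ns = [n for _, n in factors]
    r = len(comps[0])
    rank = sum(any(c[j] < n for c, n in zip(comps, ns)) for j in range(r))
    free_rank = sum(all(c[j] == 0 for c in comps) for j in range(r))
    comp_ranks = [sum(v < n for v in c) for c, n in zip(comps, ns)]
    return rank, free_rank, comp_ranks


def coordinate_matrix(x):
    """E(x) of Definition 2.10: x is a vector over S_{m,s} given as n lists of the
    s coordinates of each entry in a basis of S_{m,s} over Z_m; E(x) is s x n."""
    s = len(x[0])
    return [[xi[j] for xi in x] for j in range(s)]


def vector_rank(x, factors):
    """Rank, free rank and component ranks of a vector over S_{m,s} (Definition 2.10)."""
    return rank_profile(coordinate_matrix(x), factors)
```

Reading the invariant factors component-wise shows that the rank over $\mathbb{Z}_m$ is the maximum of the component ranks and the free rank their minimum; for a free matrix the two coincide, forcing every component rank to equal it, which is exactly Lemma 3.6. For instance, $\begin{pmatrix} 1 & 2 \\ 3 & 4 \end{pmatrix}$ over $\mathbb{Z}_6$ has Smith normal form $\mathrm{diag}(1, 2)$, so rank 2 but free rank 1, with component ranks 1 (mod 2) and 2 (mod 3); the vector $(1, X, 1 + X) \in S_{6,2}^3$ has $E(x) = \begin{pmatrix} 1 & 0 & 1 \\ 0 & 1 & 1 \end{pmatrix}$ and is free of rank 2 in both components.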

Main results: our generalization of low rank parity-check codes over Z m
We can now give the following more general definition of LRPC codes over $\mathbb{Z}_m$, using the previous results (Lemmas 3.5, 3.6 and 3.7).

Proof It follows from Lemmas 3.5 and 3.7 that $H = H_1 + \cdots + H_k$ with $H_l$ a matrix with entries in $S_{m,l}$; thus, the free $R_m$-submodule generated by the entries of H is exactly the direct sum of the free $R_{m,i}$-submodules generated by the entries of $H_l$, $l = 1, \dots, k$, each of the same dimension d.
Thus, every LRPC code over $S_{m,s}$ is a direct sum of LRPC codes over the $R_{m,i}$-modules $S_{m,i}$.
We assume that the parity-check matrix of the LRPC code fulfills, over $R_m$, the conditions of Definition 2 in the work of Renner et al. [7], as recalled in Appendix A. According to the above discussion, the same conditions are then fulfilled by the parity-check matrices of the LRPC codes over the rings $S_{m,l}$, $l = 1, \dots, k$. In Sect. 4, we study the decoding, the correction capacity and the failure probability of these codes.

Encoding and decoding of LRPC codes over Z m
The LRPC code is defined by a special parity-check matrix H. We suppose that the codeword c was transmitted and the word $y = c + e$ is received, where e is the error vector of rank t introduced by the channel. Since e has rank t, its support is a free module of rank t; the error vector is taken among the free vectors ($\mathrm{frk}(e) = \mathrm{rk}(e)$) of $S_{m,s}^n$ of rank t. The decoding algorithm, which generalizes the one in [7], is given in Algorithm 1.
This decoding algorithm amounts to applying the decoder of [7] on every component $S_{m,i}$, $i = 1, \dots, k$. It may thus be slower by comparison, since we need to run the decoder of [7] k times.

Algorithm 1 Decoding algorithm for LRPC codes C over $\mathbb{Z}_m$
INPUT:
- LRPC parity-check matrix H
- $y = (y_1, \dots, y_n) = c + e \in S_{m,s}^n$, such that c is in the LRPC code C given by H
- the support of e is a free module of dimension t

Correction capacity and failure probability
For $i \in \{1, \dots, k\}$, denote by $C_i$ the LRPC code defined over $S_{m,i}$, so that C is the direct sum of the codes $C_i$. Each $C_i$ has error-correction capacity $t_i \le s\,\frac{n-u}{n}$. From the preceding (Lemma 3.6), a rank-t vector with entries in $S_{m,s}$ is a sum of rank-t vectors with entries from the $R_{m,i}$-modules $S_{m,i}$; hence a rank-t error in $S_{m,s}^n$ is a sum of rank-t errors in $S_{m,i}^n$: $e = e_1 + \cdots + e_k \in M_{1\times n}(S_{m,s}) := S_{m,s}^n$, with $e_i \in M_{1\times n}(S_{m,i})$ and $\mathrm{rk}(e_i) = t$, $i = 1, \dots, k$. When a rank-t error occurs, we suppose that the component errors occur at the same positions, as above. Hence, the error-correction capacity of the code is still $t \le s\,\frac{n-u}{n}$, and it is the same for all the LRPC codes $C_i$.
We are given a vector $y \in S_{m,s}^n$ to be decoded according to the LRPC code C. Since the decoding algorithm applies the decoder of [7] to every component $y_i \in S_{m,i}^n$ of y (according to the LRPC code $C_i$), a failure occurs if the decoder of [7] fails on at least one component.
The failure probability thus depends on the probability that each $C_i$ fulfills the three conditions of [7, Theorem 5]. Denote by $\mathrm{success}_i$ the event "the decoding according to $C_i$ succeeds", $i = 1, \dots, k$ (the decoding according to $C_i$ is the algorithm of [7] applied to the component $y_i \in S_{m,i}^n$). From [7] we have
$$\Pr(\mathrm{success}_i) \ge 1 - r_i ,$$
where $r_i$ is the sum of the three upper bounds given by Theorems 9, 11 and 14 of [7] for the failure probabilities of the three conditions of Theorem 5 in [7]; by the union bound, their sum is an upper bound of the overall failure probability. Denote by success the event "the overall decoding according to C succeeds". Then success holds if and only if all the events $\mathrm{success}_i$ hold, and since the code is a direct sum, the events $\mathrm{success}_i$ are independent. Thus
$$\Pr(\mathrm{success}) = \prod_{i=1}^{k} \Pr(\mathrm{success}_i) \ge \prod_{i=1}^{k} (1 - r_i).$$
Set $r = \max\{r_i,\ i = 1, \dots, k\}$. Then $\Pr(\mathrm{success}) \ge (1 - r)^k$; equivalently, the decoder fails with probability at most $1 - (1 - r)^k \le kr$, so the bound degrades linearly in the number k of prime-power factors of m.

Conclusion
We have extended the notion of LRPC codes over the rings of integers modulo a prime power, recently defined in [7], to LRPC codes over the residue rings $\mathbb{Z}_m$ for an arbitrary positive integer m. We first constructed a Galois extension of the ring $\mathbb{Z}_m$, needed for our definition, and stated the component-wise operations used to manipulate elements of the LRPC codes so defined. We then deduced a decoding algorithm for these LRPC codes over $\mathbb{Z}_m$ from the one of Renner et al. [7]. This decoder is slower than the one of [7], since it runs that decoder once per prime-power factor of m, hence at least twice when m is not a prime power. We also derived a bound on the success probability of the decoder.