Digital Object Identifier 10.1109/ACCESS.2020.3037799

Asymptotic Analysis of Blind Reconstruction of BCH Codes Based on Consecutive Roots of Generator Polynomials

MINKI SONG , (Member, IEEE), AND DONG-JOON SHIN , (Senior Member, IEEE)

Department of Electronic Engineering, Hanyang University, Seoul 04763, South Korea Corresponding author: Dong-Joon Shin (djshin@hanyang.ac.kr)

This work was supported by the research fund of Signal Intelligence Research Center supervised by Defense Acquisition Program Administration and Agency for Defense Development of Korea.

ABSTRACT In the military surveillance and security information systems, correct blind reconstruction of signal parameters from unknown signals is very important. Especially, many blind reconstruction methods of error-correcting codes have been proposed, and their theoretical performance analysis is essential for both the defender who wants to prevent information leakage and the challenger who wants to extract information from the intercepted signals. However, a proper performance analysis of most blind reconstruction methods has not been performed yet. Among many blind reconstruction methods of BCH codes proposed so far, the blind reconstruction method based on consecutive roots of generator polynomials proposed by Jo, Kwon, and Shin, called the JKS method, shows the best performance under the unknown channel information. However, the performance of the JKS method is only evaluated through simulation without performing theoretical analysis. In this paper, the JKS method is asymptotically analyzed under the binary symmetric channel with the cross-over probabilityp. Since the blind reconstruction performance heavily depends on how many and which received codewords are used even for the same channel environment, sufficiently many codewords are assumed to perform asymptotic analysis. More specifically, an asymptotic threshold onp, up to which blind reconstruction is successful, is derived when the number of received codewords is sufficiently large, which can be used as a new performance metric for blind reconstruction methods. Finally, the validity of the asymptotic analysis is confirmed through simulation.

INDEX TERMS Asymptotic analysis, BCH codes, blind reconstruction, consecutive roots, generator polynomial, military surveillance system, security information system.

I. INTRODUCTION

In the current digital communication systems, an error- correcting code (ECC) is essential to achieve reliable infor- mation communication [1]. By sharing the parameters of ECC at both transmitter and receiver, a receiver can correct channel errors. However, if the receiver does not know the parameters of ECC used by the transmitter, it is very hard for the receiver to communicate with the transmitter as well as to correct the errors in the received signals. In such a case, the receiver must blindly reconstruct the parameters of ECC to correctly recover the information from the received signals. Such blind reconstruction of ECCs is very important

The associate editor coordinating the review of this manuscript and approving it for publication was Shadi Aljawarneh .

in various areas such as military surveillance and security information systems [2]–[5]. For these reasons, blind recon- struction of ECCs has been actively studied [2]–[15].

Especially, blind reconstruction of cyclic codes, one of the most widely used ECCs, has been investigated in many ways [2]–[9] and most of the proposed meth- ods focus on recovering generator polynomials of cyclic codes. In [2], a blind reconstruction method of Bose- Chaudhuri-Hocquenghem (BCH) codes is proposed, which uses the property thatt-error correcting BCH codewords are divisible by the generator polynomial having 2tconsecutive roots, but there is a problem that random data polynomials can also be divisible by other minimal polynomial with non-negligible probability. To resolve this problem, a prob- ability compensation is used in [2] to improve the blind

reconstruction performance. In [3], a generator polynomial of binary cyclic code of lengthnis reconstructed by deriving the syndrome distribution of the received codewords for all possible factors ofxⁿ−1. In more general situations, a code- word synchronization scheme for the received bitstream, in addition to a blind reconstruction of generator polynomial, is proposed in [4]. Even if the above-mentioned blind recon- struction methods show good performance, unfortunately, clear performance analysis has not been performed.

In [5], a blind reconstruction method of BCH codes based on Galois field Fourier transform (GFFT) is proposed for the first time. All the codeword polynomials of BCH code share the roots of generator polynomial and the roots of the received codeword polynomials can be easily verified by perform- ing GFFT to them. Therefore, by checking the roots of the received codeword polynomials through GFFT, the method in [5] estimates the roots of generator polynomial. In [6], a blind reconstruction method of BCH codes is proposed, which uses the property that all the codeword polynomials of BCH code with the error-correcting capabilitytshare the same 2tconsecutive roots which are roots of generator poly- nomial. This blind reconstruction method in [6] is performed as follows. Initially, find the maximum length of consecu- tive roots (MLCR) and the corresponding starting value of consecutive roots (SVCR) for each of the received codeword polynomials. Then, the most frequent values of SVCR and MLCR are used to reconstruct the generator polynomials of BCH codes. Note that this blind reconstruction method in [6] outperforms the other blind reconstruction methods and does not even utilize channel information. However, the blind reconstruction performance of this blind reconstruc- tion method has been evaluated only by simulation, and since theoretical performance analysis has not been performed, it is hard to estimate the exact performance or the performance limit for various cases. Therefore, such lack of analysis makes it difficult to properly apply this method to various sys- tems such as military surveillance and security information systems.

It is clear that theoretical performance analysis of blind reconstruction methods is required for both a defender and a challenger. Specifically, a defender needs to guarantee security in communication and a challenger wants to blindly extract correct signal information with high probability.

Moreover, without general performance analysis, very exten- sive simulation is required to confirm the performance of the blind reconstruction methods even for a limited sit- uation. However, most of the blind reconstruction meth- ods have not been theoretically analyzed and only a lower bound on the reconstruction performance was derived for the method in [9].

In this paper, we analyze the performance of the blind reconstruction method proposed by Jo, Kwon, and Shin [6], called the JKS method, which shows the best performance among the blind reconstruction methods of BCH codes. The analysis of the JKS method is asymptotically performed under the assumption that the number of received codewords

is sufficiently large because the blind reconstruction perfor- mance heavily depends on how many and which received codewords are used even for the same channel environment.

The blind reconstruction performance of the JKS method is estimated by calculating the probability that the correct generator polynomial of BCH code is reconstructed. Based on this asymptotic analysis, an asymptotic threshold on the cross-over probability of binary symmetric channel (BSC) is derived, up to which correct reconstruction of the generator polynomial of BCH code is guaranteed with probability 1.

Since various blind reconstruction methods have been pro- posed without clear analysis [2], [3], [5], [6], [14], it is expected that an asymptotic analysis proposed in this paper can be applied to other methods for deriving their perfor- mance limit. Moreover, this asymptotic analysis will provide a new performance metric for blind reconstruction methods and will give intuition to the development of blind reconstruc- tion method or the modification of existing methods.

The rest of the paper is organized as follows. In Section II, BCH codes and the JKS method are briefly introduced. In Section III, asymptotic analysis of the JKS method is per- formed. The simulation results in Section IV confirm that the asymptotic analysis of the JKS method is valid. Finally, conclusions are given in Section V.

II. PRELIMINARIES A. BCH CODES

A BCH code of code length n, dimension k, and error-correcting capabilityt is denoted by BCH(n,k,t) and the Galois field of q elements is denoted by GF(q). The generator polynomial g(x) of BCH(n, k, t) over GF(q) is defined as follows [1].

g(x)=LCMφ_α^b(x), φ_α^b+1(x),· · · , φ_α^b+2t−1(x) , (1) whereLCMis the least common multiple,αis a primitiven- th root of unity inGF(q^m), andφ_αⁱ(x), 0 < i ≤ n, is the minimal polynomial of αⁱ over GF(q). Note that mis the smallest integer such thatndividesq^m−1,b is a positive integer, andg(x) has 2tconsecutive rootsα^b,α^b+1,· · ·, and α^b+2t−1.

The BCH codeword polynomialc(x)=c₀+c₁x+ · · · + c_n−1xⁿ⁻¹is generated by the product ofm(x)=m₀+m₁x+

· · · + m_k−1x^k−1 and g(x), where c_i, m_i ∈ GF(q). The received codeword polynomialr(x) = r₀+r₁x + · · · + r_n−1xⁿ⁻¹is the sum of the BCH codeword polynomialc(x) and the error polynomiale(x)=e0+e1x+ · · · +en−1xⁿ⁻¹, wherer_i, e_i∈GF(q).

B. JKS METHOD FOR BLIND RECONSTRUCTION OF BCH CODES

In the JKS method for blindly reconstructing the generator polynomials of BCH codes [6], it is assumed that the receiver knows the code lengthnandGF(q) over which the BCH code is defined, and the receiver does not know the channel infor- mation. Also, the transmitter sequentially transmits BCH codewords, a perfect codeword synchronization is guaranteed

at the receiver, andM codewords are received through BSC with the cross-over probabilityp<0.5.

A brief explanation of the JKS method in [6] is given as follows. Let S denote the set of M received codeword polynomials. First, the GFFT is carried out for each of the received codeword polynomials in S to identify the SVCR and MLCR of each received codeword polynomial. Note that the roots of the received codeword polynomial are searched in the order of{α¹, α²,· · · , αⁿ⁻¹, αⁿ}and when calculating the MLCR of the received codeword polynomial, the cyclic shift of the roots is not considered as explained in [6]. For example, when f(αⁿ⁻¹) = f(αⁿ) = f(α¹) = f(α²) = f(α³) = 0, the MLCR value of this polynomialf(x) is calculated as 3 by only consideringf(α¹)=f(α²)=f(α³)=0.

Moreover, the MLCR value should be larger than or equal to 2 and if the MLCR value of a received codeword poly- nomial is less than 2, this received codeword polynomial is excluded from S. Then, the JKS method carries out two majority votes on SVCR and MLCR, respectively. The first majority vote is done for the SVCR values of the received codeword polynomials inSto obtain the most frequent SVCR which is called a reference SVCRs_ref. If a SVCR value of a received codeword polynomial inSis different froms_ref, this received codeword polynomial is excluded fromS to form a new setS⁰. The second majority vote is done for the MLCR values of the received codeword polynomials inS⁰to obtain the most frequent MLCR which is called a reference MLCR lref. Finally, the generator polynomialg(x) is reconstructedˆ by using thesref andlref as follows:

g(x)ˆ =LCM

φ_α^sref(x),· · ·, φ_αsref+lref−1(x) . (2) In other words, the JKS method determinesb and 2t in (1) by derivings_ref in the first majority vote andl_ref in the sec- ond majority vote, respectively, and if both sref = b and lref =2tare satisfied, then the correct generator polynomial is successfully reconstructed by using the JKS method. Since the JKS method determines the most frequent SVCR and then the most frequent MLCR from the received codeword polynomials in this order, an asymptotic analysis will be performed by calculating the probability thats_ref andl_ref are equal toband 2t of the generator polynomial, respectively, in this order.

III. ASYMPTOTIC ANALYSIS OF THE JKS METHOD Since a blind reconstruction performance heavily depends on how many and which received codewords are used even for the same channel environment, an asymptotic analy- sis of the JKS method is performed under the assumption that the number of received codewords is sufficiently large.

Under this assumption, the reconstruction performance of the JKS method is analyzed to derive the maximum cross-over probability, which is called an asymptotic threshold, up to which the correct generator polynomial is successfully recon- structed.

An asymptotic analysis of the JKS method is performed for each majority vote since the first majority vote and the second

majority vote in the JKS method are done for the SVCR val- ues and MLCR values of the received codeword polynomials, respectively. To succeed in the blind reconstruction, the cor- rect SVCRbshould be selected ass_ref in the first majority vote, and then the correct MLCR 2t must be selected asl_ref in the second majority vote. As will be explained in detail in the next section, in order to select correct MLCR, more conditions must be satisfied compared with the case of select- ing correct SVCR. Thus, the channel conditions for selecting correct MLCR should be better than the channel conditions for selecting correct SVCR. In this section, an asymptotic threshold is obtained by deriving an asymptotic threshold in the first majority vote and then by deriving an asymptotic threshold in the second majority vote.

A. NOTATIONS

Let C_i be the conjugacy class including αⁱ ∈ GF(q^m) and letR ⊂ GF(q^m) be the set of the roots of generator polynomialg(x). For example, ifg(x) has consecutive roots α^b, α^b+1,· · · , α^b+2t−1∈GF(q^m), thenR=Sb+2t−1

i=b Ci. Let S_(b^q,_,ⁿ_l) denote the set of all polynomials having the SVCR b and the MLCR greater than or equal to l over GF(q)[x]/(xⁿ −1) where n|q^m −1. For example, all the narrow-sense binary BCH codes of lengthnare included in S₍₁^2,_,ⁿ₂₎because they are generated by the generator polynomi- als having the SVCR 1 and the MLCR 2t which is greater than or equal to 2 overGF(2)[x]/(xⁿ−1). Additionally, let S_(b^q,_,ⁿ_l)∗denote the set of polynomials having the SVCRband the MLCRl overGF(q)[x]/(xⁿ−1), i.e., the polynomials in S_(b,l)^q,n∗ do not have α^b+l as their root. Note that since all the polynomials in S_(b,l)^q,n may have α^b+l as their root, S_(b^q,n_,l)∗⊂S_(b^q,n_,l).

Letλ^q_(b^,n_,l)denote the maximum length of consecutive ele- ments starting fromα^bin a union of all conjugacy classes of α^b, α^b+1,· · · , α^b+l−1with respect toGF(q), wheren|q^m−1.

For example,λ²₍₁^,15_,3)is 4 because a union of conjugacy classes ofα¹,α², andα³with respect toGF(2) is{α¹, α², α⁴, α⁸} ∪ {α³, α⁶, α¹², α⁹}and the maximum length of consecutive ele- ments in this union is 4, i.e.,α¹,α²,α³, andα⁴. Additionally, letλ^q_(b^,n_,l)^,+denoteλ^q_(b^,n_,λq,n

(b,l)+1). Note that the correct MLCR is exactlyλ^q_(b,^,n_2t), not 2t.

B. ASYMPTOTIC ANALYSIS FOR THE FIRST MAJORITY VOTE

Suppose that q-ary BCH(n, k, t) codeword polynomials, which are included inS^q,n

(b,λ^q,n_(b,2t)), are transmitted over BSC with the cross-over probabilityp. Let suppose that the correct SVCR and MLCR ofq-ary BCH(n,k,t) areb andλ^q_(b,2t)^,n , respectively. After performing GFFT to the received code- word polynomials inS, the first majority vote is carried out to the SVCR values of the received codeword polynomials with at least MLCR value 2 inS to result ins_ref which is an estimate ofb. In order to succeed in the blind reconstruction, the largest number of received codeword polynomials must

have the correct SVCRb(i.e.,sref =b), which is statistically expressed as:

Pr

r(x)∈S_(b^q,_,ⁿ₂₎ Success

≷

Failure

Pr

r(x)∈S_(b^q,0ⁿ,2)

, (3) where b⁰ 6= b and b⁰ is an incorrect SVCR. Note that to simplify the expression we omit the given condition that the codeword polynomialsc(x) generated by a generator poly- nomial g(x) having α^b, α^b+1,· · · , α^b+2t−1 as its roots are transmitted. We will derive the probabilities that the received codeword polynomials show the correct SVCRbor an incor- rect SVCRb⁰, respectively, and then calculate the asymptotic thresholdT1of the first majority vote of JKS method.

1) DERIVATION OF THE OCCURRING PROBABILITY THAT RECEIVED CODEWORD POLYNOMIALS SHOW THE CORRECT SVCRb

In order for the received codeword polynomial r(x) to be included in S_(b,^q,n₂₎, the two conditions r(α^b−1) 6= 0 and r(α^b) =r(α^b+1)= 0 should be satisfied. Note that, in this case,α^b−1is not included in a union ofC_bandC_b+1because if so,r(α^b−1) = 0 and hencer(x) is not included inS_(b^q,n_,2). In other words, C_b−1 and a union ofC_bandC_b+1 must be disjoint. Thus, the two conditionsr(α^b−1)6=0 andr(α^b)= r(α^b+1)=0 are independent, and hence Pr(r(x)∈S_(b^q,_,ⁿ₂₎) can be calculated as follows:

Pr

r(x)∈S_(b^q,n_,2)

=Pr

r(α^b−1)6=0 Pr

r(α^b)=r(α^b+1)=0 . (4) The derivation of Pr(r(x) ∈ S_(b,2)^q,n ) will be explained by deriving Pr(r(α^b) = r(α^b+1) = 0) and Pr(r(α^b−1) 6= 0) separately.

In order for the received codeword polynomialr(x) to have α^b andα^b+1 as its roots, since the codeword polynomials c(x) already haveα^bandα^b+1as their roots, the error poly- nomiale(x) must haveα^bandα^b+1 as its roots. Therefore, to calculate the probability Pr(r(α^b)=r(α^b+1)=0) in (4), the consecutive roots of error polynomialse(x) are analyzed as follows.

The consecutive roots of error polynomiale(x) definitely depend on the number of non-zero coefficients ofe(x), which is denoted as wt(e(x)). Then, the error polynomials can be classified into three types according to the number of non-zero coefficients. The first type is the error polynomial e1(x) havingwt(e₁(x)) = 0, i.e., error-free case. Since the first-type error polynomiale₁(x) has all the elementsαⁱas its roots, i.e.,e₁(αⁱ) =0 for 0≤i <n, the received codeword polynomialsr(x) with the first-type error polynomiale₁(x) haveα^bandα^b+1as their roots, i.e.,r(α^b)=0 andr(α^b+1)= 0. Therefore, we have Pr(r(α^b) = r(α^b+1) =0|e₁(x)) = 1 and if c(α^b−1) 6= 0, the conditionr(α^b−1) = c(α^b−1)+ e₁(α^b−1) 6= 0 is satisfied. Note that the number of distinct values which c(α^b−1) can take for α^b−1 ∈ R^c is q^|Cb−1| because α^b−1 is not included in R, and α^b and α^b+1 are

included inR[12]. Since messages are randomly generated, Pr(c(α^b−1)= uC_b−1) =1/q^|Cb−1|, whereuC_b−1 ∈ UC_b−1 for the setUC_b−1of values whichc(α^b−1) can take. Thus, we have Pr(c(α^b−1)6=0)=1−1/q^|Cb−1|.

In conclusion, the probability that the received codeword polynomial r(x) with the first-type error e₁(x) shows the correct SVCRbis derived as follows:

Pr

r(x)∈S_(b^q,_,ⁿ₂₎ e1(x)

=Pr

r(α^b−1)6=0 e₁(x)

Pr

r(α^b)=r(α^b+1)=0 e₁(x)

=1− 1

q^|Cb−1| =Q1(b−1), (5) whereQ1(i) = 1− ¹

q^|Ci| for 0 < i < n. Since, in the JKS method, the roots of the received codeword polynomialr(x) are searched in the order of{α¹, α²,· · ·, αⁿ⁻¹, αⁿ}without considering the cyclic shift of the roots, the expression in (5) is valid for 2 ≤ b ≤ n, i.e.,Q₁(i) is defined for 1 ≤ i < n as given in (5). However, for the narrow-sense BCH codes, b=1 and hence the value ofQ₁(0) should be defined. Since, in this case, the probability in (5) is definitely 1,Q₁(0) should be set as 1. Therefore,Q₁(i) is defined as follows:

Q1(i),







1, i=0

1− 1

q^|Ci|, 1≤i<n. (6) The second type is the error polynomial e2(x) having wt(e₂(x))=1 or 2. It will be shown that the second-type error polynomials do not have consecutive roots overGF^∗(q^m)= GF(q^m)/{0}by Lemma1. Thus, the received codeword poly- nomials r(x) with the second-type error polynomials e₂(x) do not have rootsα^bandα^b+1, i.e., Pr(r(α^b) =r(α^b+1) = 0|e₂(x))=0 Therefore, the received codeword polynomials r(x) with the second-type error polynomials e₂(x) do not show the correct SVCRb, i.e., Pr r(x)∈ S_(b^q,n_,2)

e₂(x)

=0.

Note that the received codeword polynomials with the second-type error polynomials may show an incorrect SVCR b⁰forb⁰6=b.

Lemma 1: Any polynomials f(x)having wt(f(x)) = 1or 2in GF(q)[x]/(xⁿ−1) do not have consecutive roots over GF^∗(q^m), where n|q^m−1.

Proof: Let f1(x) = fixⁱ be the polynomial having wt(f₁(x))=1, wherefi 6=0 and 0 ≤i <n. Thenf(x) 6=0 forx ∈ GF^∗(q^m). Then, it is clear thatf1(x) =fixⁱ 6= 0 for anyx∈GF^∗(q^m).

Letf₂(x)=f_ixⁱ+f_jx^jbe the polynomial havingwt(f₂(x))= 2, wheref_i,f_j 6= 0 and 0 ≤ i < j < n. Suppose thatf₂(x) has two consecutive rootsα^b, α^b+1 ∈ GF^∗(q^m). The two equationsf₂(α^b) = 0 and f₂(α^b+1) = 0 can be expressed in matrix form as follows:

α^bi α^bj α^(b+1)i α^(b+1)j

| {z }

A

fi

fj

= 0

0

. (7)

Note that the determinant of matrix A is det(A) = α^bi+bj (α^j−αⁱ). Sinceα^bi+bj 6= 0 andα^j−αⁱ 6= 0, det(A) 6= 0.

Therefore, in order to satisfy (7), bothfiandfjmust be zeros, which is a contradiction.

In conclusion, any polynomialsf(x) havingwt(f(x)) =1 or 2 inGF(q)[x]/(xⁿ−1) do not have consecutive roots over

GF^∗(q^m), wheren|q^m−1.

Lastly, the third type is the error polynomiale₃(x) having wt(e₃(x))≥3. The received codeword polynomialsr(x) with the third-type error polynomialse3(x) may or may not have consecutive roots. If the third-type error polynomiale3(x) has α^bandα^b+1as its roots, the received codeword polynomial r(x) hasα^b andα^b+1 as its roots. Therefore, the occurring probability that the received codeword polynomialr(x) with the third-type error polynomial e3(x) has the roots α^b and α^b+1is calculated as follows:

Pr

r(α^b)=r(α^b+1)=0

wt(e₃(x))=i

=Pr

e(α^b)=e(α^b+1)=0

wt(e₃(x))=i

=

w^q_(b^,n_,2)(i)

n i

, (8) where 3 ≤ i ≤ n. Also,w^q_(b^,n_,2) = {w^q_(b^,n_,2)(0),w^q_(b^,n_,2)(1),· · ·, w^q_(b^,n_,2)(n)}denotes the weight distribution ofq-ary BCH code of the code lengthn whose generator polynomial has con- secutive rootsα^bandα^b+1, i.e.,w^q_(b^,n_,2)(i) denotes the number of this BCH codewords having the Hamming weight i. At the same time, the conditionc(α^b−1) 6= −e₃(α^b−1) should be satisfied while the conditione₃(α^b) = e₃(α^b+1) = 0 is satisfied. In fact, such third-type error polynomialse₃(x) are the codeword polynomials that do not have α^b−1 as a root among the codeword polynomials generated by a generator polynomialg⁰(x) with consecutive rootsα^bandα^b+1. Note that this generator polynomialg⁰(x) does not haveα^b−1as a root. Thus, the number of distinct values whiche3(α^b−1) can take forα^b−1 ∈ R^c isq^|Cb−1|[12]. Because an error occurs uniformly at random, Pr(e3(α^b−1) = uE_b−1) = 1/q^|Cb−1|, where uE_b−1 ∈ UE_b−1 for the set UE_b−1 of values which e3(α^b−1) can take. Therefore, since Pr(c(α^b−1)= uC_b−1)= 1/q^|Cb−1|, we obtain the following probability: Pr(c(α^b−1)6=

−e3(α^b−1)) = Q1(b − 1). In conclusion, the occurring probability that the received codeword polynomialr(x) with the third-type error polynomiale3(x) shows the correct SVCR bis derived as follows:

Pr

r(x)∈S_(b,^q,n₂₎

wt(e₃(x))=i

=Q₁(b−1)w^q,n_(b,2)(i)

n i

, (9) where 3≤i≤n.

By using the results for three types of error polynomials, the occurring probability Pr r(x)∈ S_(b^q,n_,2)

that the received codeword polynomial r(x) shows the correct SVCR b is

derived as:

Pr

r(x)∈S_(b^q,_,ⁿ₂₎

= Pr

r(x)∈S_(b^q,n_,2) e₁(x)

Pr e₁(x) +

n

X

i=3

Pr

r(x)∈S_(b^q,_,ⁿ₂₎

wt e3(x)

=i

· Pr

wt e3(x)

=i

=Q1(b−1)

n

X

i=0

w^q_(b^,n_,2)(i)pⁱ(1−p)ⁿ⁻ⁱ, (10) where Pr(e₁(x)) = (1 −p)ⁿ, Pr(wt(e₃(x)) = i) = ⁿ

i

pⁱ(1−p)ⁿ⁻ⁱ, andpis the cross-over probability of BSC. Note thatw^q,n_(b,2)(0)=1 andw^q,n_(b,2)(1)=w^q,n_(b,2)(2)=0 by the BCH bound [1].

2) DERIVATION OF THE OCCURRING PROBABILITY THAT THE RECEIVED CODEWORD POLYNOMIALS SHOW AN INCORRECT SVCRb⁰

The received codeword polynomial with the second-type or the third-type error polynomial can show an incorrect SVCR b⁰, which may degrade the blind reconstruction performance by increasing Pr(r(x) ∈ S_(b^q,0ⁿ,2)). Specifically, in order for the received codeword polynomialr(x) with the second-type error polynomiale₂(x) to be included inS_(b^q,0ⁿ,2), the conditions r(α^b0−1) 6= 0 and r(α^b0) = r(α^b0+1) = 0 should be satisfied. Note that sinceα^b0−1is not included in a union of C_b⁰ andC_b⁰₊₁, the conditions r(α^b0−1) 6= 0 andr(α^b0) = r(α^b0+1) = 0 must be independent. Thus, the probability Pr(r(x)∈S_(b^q,0ⁿ,2)) in (3) can be calculated as follows:

Pr

r(x)∈S_(b^q,0ⁿ,2)

=Pr

r(α^b0−1)6=0

Pr

r(α^b0)=r(α^b0+1)=0

. (11) The probability Pr(r(x) ∈ S_(b^q,0ⁿ,2)) will be derived by calcu- lating Pr(r(α^b0) = r(α^b0+1) = 0) and Pr(r(α^b0−1) 6= 0) separately.

In order for the received codeword polynomialr(x) with the second-type error polynomiale2(x) to have consecutive rootsα^b0 andα^b0+1, the conditionsc(α^b0) = −e2(α^b0) and c(α^b0+1) = −e2(α^b0+1) should be satisfied. Note thate2(x) cannot have both α^b0 andα^b0+1 as its roots by Lemma 1.

There are two cases which satisfy these conditions. The first case is thatα^b0 andα^b0+1are included in the same conjugacy class. In this case, if the conditionc(α^b0) = −e₂(α^b0) is sat- isfied, the conditionc(α^b0+1)= −e₂(α^b0+1) is automatically satisfied. The second case is thatα^b0 andα^b0+1are included in the different conjugacy classes. In this case, in order for the received codeword polynomial to have consecutive roots, the conditionsc(α^b0)= −e₂(α^b0) andc(α^b0+1)= −e₂(α^b0+1) should be separately satisfied. Thus, the first case occurs much more frequently than the second case. Since the JKS method is based on the majority vote, the first case affects the

blind reconstruction performance more than the second case.

Therefore, we will only derive the occurring probability of the first case for analyzing the first majority vote of the JKS method.

Consider the first case such thatα^b0andα^b0+1are included in the same conjugacy class C_b⁰. Note that the number of distinct values whichc(α^b0) can take forα^b0 ∈ R^c isq^|Cb0|. Since it is assumed that messages are randomly generated, Pr(c(α^b0) =u_C

b0) =1/q^|Cb0|, whereu_C

b0 ∈ U_C

b0 for the set U_Cb0 of values whichc(α^b0) can take [12]. Moreover, it will be confirmed that Pr(c(α^b0)=u_Cb0)=1/q^mby Theorems1 and2.

Theorem 1: The size of the conjugacy class including con- secutive elements in GF(q^m)with respect to GF(q)is m.

Proof: LetCibe the conjugacy class including the two consecutive elementsβⁱ, βⁱ⁺¹ ∈ GF(q^m). Suppose that the size |C_i|of C_i isd which clearly dividesm. Then, β^iqd = βⁱandβ^(i+1)qd = βⁱ⁺¹. Thus,iq^d = i mod (q^m−1) and (i+1)q^d=i+1 mod (q^m−1), and these equations can be expressed as:

A₁(q^m−1)+i=iq^d (12) A2(q^m−1)+i+1=(i+1)q^d, (13) where A₁ and A₂ are integers making i and i + 1 be in [0,q^m−2], respectively. From (12) and (13), we obtain

A2−A1= q^d−1 q^m−1.

SinceA2−A1is an integer,dshould bemfor (q^d−1)/(q^m−1) to be an integer. Therefore,|Ci|ism.

Theorem 2: The order of the elements in the conjugacy class including consecutive elements in GF(q^m)with respect to GF(q)is q^m−1.

Proof: Suppose that the two consecutive elements βⁱ, βⁱ⁺¹∈GF(q^m) are included in the same conjugacy class.

Then, the orders ofβⁱandβⁱ⁺¹are the same, which is denoted asswiths|q^m−1. Because (βⁱ)^s=1 and (βⁱ⁺¹)^s =1,is=0 mod (q^m−1) and (i+1)s=0 mod (q^m−1). Thus,

is=B1(q^m−1) (14) (i+1)s=B₂(q^m−1), (15) whereB1andB2are integers. From (14) and (15), we obtain

B1−B2= s q^m−1.

SinceB1andB2are integers,sshould beq^m−1 fors/(q^m−1) to be an integer. Therefore, the ordersofβⁱandβⁱ⁺¹isq^m−1.

Moreover, since all the elements in the conjugacy class have the same order, the order of all elements of the conjugacy class including consecutive elements isq^m −1 inGF(q^m)

with respect toGF(q).

By Theorem2, we know that the number of distinct values whiche₂(α^b0) can take forα^b0 ∈C_b⁰ isq^m−1, whereb⁰6=b andα^b0, α^b0+1 ∈ C_b⁰. Because an error occurs uniformly at random, Pr(e2(α^b0) = u_Eb0) = 1/(q^m −1), where u_Eb0 ∈

UE_b0 for the setUE_b0 of the values which e2(α^b0) can have.

Since the numbers of distinct values whichc(α^b0) ande2(α^b0) can take are q^m andq^m −1, respectively, in order for the received codeword polynomial to show an incorrect SVCRb⁰, the number of cases where the conditionc(α^b0) = −e₂(α^b0) is satisfied isq^m −1. Thus, the occurring probability that the received codeword polynomialr(x) with the second-type error polynomiale₂(x) shows consecutive rootsα^b0andα^b0+1 is calculated as follows:

Pr

r(α^b0)=r(α^b0+1)=0

wt e2(x)

=i

=(q^m−1) Pr

c(α^b0)=u_C

b0

wt e₂(x)=i

·Pr

e2(α^b0)=uE_b0

wt e2(x)

=i

=(q^m−1) 1 q^m

1 q^m−1

= 1

q^m, (16)

wherei=1 or 2, andb⁰6=b.

In order for the received codeword polynomialr(x) with the second-type polynomiale₂(x) to show an incorrect SVCR b⁰, the conditionr(α^b0−1)6=0, i.e.,c(α^b0−1)6= −e₂(α^b0−1), should be also satisfied. However, unlikeα^bandα^b+1,α^b0−1 may or may not be the root of the generator polynomialg(x) because it is determined byq,n,b, andt of the transmitted BCH code, i.e., we do not know whetherα^b0−1∈Rorα^b0−1∈ R^c. Note that in a case whereα^b0−1 ∈ R,c(α^b0−1) = 0 and in a case where of distinct values whichc(α^b0−1) can take is |C_b⁰₋₁| [12]. Thus, we explain separately a case where α^b0−1∈Rand a case whereα^b0−1∈R^c.

The numbers of distinct values which both the single-error polynomials and the double-error polynomials can take vary depending onqandm. In case of the single-error polynomial, since the single-error polynomials do not have a non-zero root, if|Cb⁰−1| =m, the number of distinct values which the single-error polynomial can take isq^m −1, otherwise, it is q^{|Cb0 −1|}. In case of the double-error polynomial, ifq^m−1 is the prime andq = 2, the double-error polynomial does not have a root, otherwise it has a root. Thus, whenq^m−1 is the prime andq = 2, the number of distinct values which the double-error polynomial can take isq^m−1, otherwise it is q^{|Cb0 −1|}. Note that whenq^m−1 is the prime, the size of all conjugacy classes ism[1].

In conclusion, when α^b0−1 ∈ R^c, the probability that the received codeword polynomialr(x) with the second-type polynomiale2(x) shows an incorrect SVCRb⁰is calculated as follows:

Pr

r(x)∈S_(b^q,0ⁿ,2)

wt e2(x)

=1

=Pr

r(α^b0−1)6=0

wt e₂(x)

=1

·Pr

r(α^b0)=r(α^b0+1)=0

wt e₂(x)=1

=Q₂(b⁰−1) 1

q^m, (17)