On quadratic residue codes and hyperelliptic curves

A long standing problem has been to develop "good" binary linear codes to be used for error-correction. This paper investigates in some detail an attack on this problem using a connection between quadratic residue codes and hyperelliptic curves. One question which coding theory is used to attack is: Does there exist a $c < 2$ such that, for all sufficiently large $p$ and all subsets $S$ of $GF(p)$, we have $|X_S(GF(p))|$

A long standing problem has been to develop "good" binary linear codes to be used for error-correction. This paper investigates in some detail an attack on this problem using a connection between quadratic residue codes and hyperelliptic curves. Codes with this kind of relationship have been investigated in Helleseth [H], Bazzi-Mitter [BM], Voloch [V1], and Helleseth-Voloch [HV]. The rest of this introduction is devoted to explaining in more detail the ideas discussed in later sections.
Let $F = GF(2)$ be the field with two elements and $C \subset F^n$ denote a binary block code of length $n$. For any two $x, y \in F^n$, let $d(x, y)$ denote the Hamming metric (1). The weight $wt(x)$ of $x$ is the number of non-zero entries of $x$. The smallest weight of any non-zero codeword is denoted $d$; it is the minimum distance if $C$ is linear. When $C$ is linear, denote the dimension of $C$ by $k$ and call $C$ an $[n, k, d]_2$-code. Denoting the volume of a Hamming sphere of radius $r$ in $F^n$ by $V(n, r)$, the binary version of the Gilbert-Varshamov bound asserts that (given $n$ and $d$) there is an $[n, k, d]_2$ code $C$ satisfying $k \geq \log_2\left(\frac{2^n}{V(n, d-1)}\right)$ [HP].
For each odd prime p > 5, a QQR code (i) is a linear code of length 2p. Like the quadratic residue codes, the length and dimension are easy to determine but the minimum distance is more mysterious. In fact, the weight of each codeword can be explicitly computed in terms of the number of solutions in integers mod p to a certain type of ("hyperelliptic") polynomial equation. To explain the results better, some more notation is needed.
For our purposes, a hyperelliptic curve $X$ over $GF(p)$ is a polynomial equation of the form $y^2 = h(x)$, where $h(x)$ is a polynomial with coefficients in $GF(p)$ with distinct roots (ii). The number of solutions to $y^2 = h(x) \bmod p$, plus the number of "points at infinity" on $X$, will be denoted $|X(GF(p))|$. This quantity can be related to a sum of Legendre characters (see Proposition 1 below), thanks to classical work of Artin, Hasse, and Weil. This formula yields good estimates for $|X(GF(p))|$ in many cases (especially when $p$ is large compared to the degree of $h$). A long-standing problem has been to improve on the trivial estimate when $p$ is small compared to the degree of $h$. It turns out the work of Tarnanen [T] easily yields some non-trivial information on this problem (see for example Lemma 3 below), but the results given here improve upon this.
For each non-empty subset $S \subset GF(p)$, consider the hyperelliptic curve $X_S$ defined by $y^2 = f_S(x)$. Let $B(c, p)$ be the statement: For all subsets $S \subset GF(p)$, $|X_S(GF(p))| \leq c \cdot p$ holds. Note that $B(2, p)$ is trivially true, so the statement $B(2 - \epsilon, p)$, for some fixed $\epsilon > 0$, might not be horribly unreasonable.
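The following is an added example, not code from the paper: it counts the points of $y^2 = f_S(x)$ over $GF(p)$ once through the Legendre character sum of Proposition 1 and once by exhaustive enumeration, and then finds the least $c$ for which $B(c, p)$ holds for a small prime by trying every subset $S$. Two assumptions are made that the page does not spell out: $f_S(x) = \prod_{a \in S}(x - a)$, and the smooth model has two rational points at infinity when $\deg f_S$ is even and one when it is odd. The set $S = Q$ of quadratic residues mod 11 is used as one of the sample inputs.

```python
# Added example, not code from the paper: |X_S(GF(p))| via the Legendre character
# sum of Proposition 1, cross-checked by brute force, and the constant c in B(c, p).
# Assumptions (not spelled out on this page): f_S(x) = prod_{a in S} (x - a), and the
# points at infinity number 2 when deg f_S is even, 1 when it is odd.
from itertools import combinations


def legendre(a, p):
    """Quadratic residue character chi(a) = (a/p) via Euler's criterion: 0, 1 or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def f_S(x, S, p):
    """f_S(x) = prod_{a in S} (x - a) mod p (assumed definition of the curve's polynomial)."""
    v = 1
    for a in S:
        v = v * (x - a) % p
    return v


def affine_points_by_character_sum(S, p):
    """#{(x, y) in GF(p)^2 : y^2 = f_S(x)} = p + sum_x chi(f_S(x)),
    because y^2 = c has exactly 1 + chi(c) solutions y in GF(p)."""
    return p + sum(legendre(f_S(x, S, p), p) for x in range(p))


def affine_points_by_enumeration(S, p):
    """The same count by trying every (x, y); an independent check of the formula."""
    square_count = [0] * p                # square_count[c] = #{y : y^2 = c}
    for y in range(p):
        square_count[y * y % p] += 1
    return sum(square_count[f_S(x, S, p)] for x in range(p))


def point_count(S, p):
    """|X_S(GF(p))|: affine points plus points at infinity (assumed convention above)."""
    at_infinity = 2 if len(S) % 2 == 0 else 1
    return affine_points_by_character_sum(S, p) + at_infinity


def smallest_c(p):
    """The least c for which B(c, p) holds: max over non-empty S of |X_S(GF(p))| / p."""
    best = 0.0
    for k in range(1, p + 1):
        for S in combinations(range(p), k):
            best = max(best, point_count(S, p) / p)
    return best


if __name__ == "__main__":
    p = 11
    Q = [a for a in range(1, p) if legendre(a, p) == 1]   # quadratic residues mod 11
    for S in ([0, 1], Q):
        print(f"p={p} S={S}: affine {affine_points_by_character_sum(S, p)}"
              f" (enumeration {affine_points_by_enumeration(S, p)}),"
              f" |X_S(GF(p))| = {point_count(S, p)}")
    for q in (7, 11):
        print(f"p={q}: B(c, p) first holds at c = {smallest_c(q):.3f}")
```

For $p = 11$ and $S = Q = \{1, 3, 4, 5, 9\}$ the count comes out as $16 = 1.5p - 0.5$, within the window Voloch's Lemma 8 (in §5) gives for $p \equiv 3 \pmod 8$; `smallest_c` is exponential in $p$ and is only meant for the tiny primes used here.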
It is remarkable that these two conjectures are related. In fact, using QQR codes we show that if, for an infinite number of primes p with p ≡ 1 (mod 4), B(1.77, p) holds then Goppa's conjecture is false. Although this is a new result, it turns out that it is an easy consequence of the QQR construction given in [BM] if you think about things in the right way. Using LQR codes (iii) we will remove the condition p ≡ 1 (mod 4) at a cost of slightly weakening the constant 1.77 (see Corollary 3).
The spectrum and Duursma zeta function of these QQR codes is discussed in Section 3 below and some examples are given (with the help of the software package SAGE [S]). We show that the analog of the Riemann hypothesis for the zeta function of an optimal formally self-dual code is false using the family of codes constructed in §2. The section ends with some intriguing conjectures.
We close this introduction with a few open questions which, on the basis of this result, seem natural.
Question 1 For each prime $p > 5$ is there an effectively computable subset $S \subset GF(p)$ such that $|X_S(GF(p))|$ is "large"?
Here "large" is left vague but what is intended is some quantity which is unusual. By Weil's estimate (valid for "small"-sized subsets $S$), we could expect about $p$ points to belong to $X_S(GF(p))$. Thus "large" could mean, say, $> c \cdot p$, for some fixed $c > 1$. The next question is a strong version of the Bazzi-Mitter conjecture.
(i) This code is defined in §2 below.
(ii) This overly simplistic definition brings to mind the famous Felix Klein quote: "Everyone knows what a curve is, until he has studied enough mathematics to become confused through the countless number of possible exceptions." Please see Tsfasman-Vladut [TV] or Schmidt [Sc] for a rigorous treatment.
(iii) These codes will be defined in §4 below.
Question 2 Does there exist a $c < 2$ such that, for all sufficiently large $p$ and all $S \subset GF(p)$, we have $|X_S(GF(p))| < c \cdot p$?
In the direction of these questions, a coding theory bound of McEliece-Rumsey-Rodemich-Welch allows one to establish the following result (see Theorem 3): There exists a constant $p_0$ having the following property: if $p \equiv 1 \pmod 4$ and $p > p_0$ then there exists a subset $S \subset GF(p)$ for which the bound $|X_S(GF(p))| > 1.62p$ holds (iv). Unfortunately, the method of proof gives no clue how to compute $p_0$ or $S$. Using the theory of long quadratic-residue codes, we prove the following lower bound (Theorem 6): For all $p > p_0$ there exists a subset $S \subset GF(p)$ for which the bound $|X_S(GF(p))| > 1.39p$ holds. Again, we do not know what $p_0$ or $S$ is.
Finally, Felipe Voloch [V2] has kindly allowed the author to include some interesting explicit constructions (which do not use any theory of error-correcting codes) in this paper (see §5 below). First, he shows the following result: If $p \equiv 1 \pmod 8$ then there exists an effectively computable subset $S \subset GF(p)$ for which the bound $|X_S(GF(p))| > 1.5p$ holds. A similar result holds for $p \equiv 3, 7 \pmod 8$. Second, he gives a construction which answers Question 2 in the negative.

Cyclotomic arithmetic mod 2
Let $R = F[x]/(x^p - 1)$, and let $r_S \in R$ denote the polynomial $\sum_{s \in S} x^s$. By convention, if $S = \emptyset$ is the empty set, $r_S = 0$. We define the weight of $r_S$, denoted $wt(r_S)$, to be the cardinality $|S|$. (In other words, identify in the obvious way each $r_S$ with an element of $F^p$ and define the weight of $r_S$ to be the Hamming weight of the associated vector.) For the set $Q$ of quadratic residues in $GF(p)^\times$ and the set $N$ of quadratic non-residues in $GF(p)^\times$, we have $wt(r_Q) = wt(r_N) = (p-1)/2$. Note that $r_S^2 = r_{2S}$, where $2S$ is the set of elements $2s \in GF(p)$, for $s \in S$. Using this fact and the quadratic reciprocity law, one can easily show that the following are equivalent:
In particular,
(iv) Moreover, we can remove the hypothesis $p \equiv 1 \pmod 4$ if we assume Conjecture 3.
From the definition of $r_S$,
in the ring $R$. Let $* : R \to R$ denote the involution defined by $(r_S)^* = r_{S^c} = r_S + r_{GF(p)}$. We shall see below that this is not an algebra involution.
This lemma follows from the discussion above by a straightforward argument. Note that $R_{even} = \{r_S \mid |S| \text{ even}\}$ is a subring of $R$ and, by the previous lemma, $*$ is an algebra involution on $R_{even}$.

QQR Codes
These are some observations on the interesting paper by Bazzi and Mitter [BM]. We shall need to remove the assumption p ≡ 3 (mod 8) (which they make in their paper) below.
Let $\chi = \left(\frac{\cdot}{p}\right)$ be the quadratic residue character, which is $1$ on the quadratic residues $Q \subset GF(p)^\times$, $-1$ on the quadratic non-residues $N \subset GF(p)^\times$, and is $0$ at $0 \in GF(p)$. Define
where $N, Q$ are as above. (We identify in the obvious way each pair $(r_N r_S, r_Q r_S)$ with an element of $F^{2p}$. In particular, when $S$ is the empty set, $(r_N r_S, r_Q r_S)$ is associated with the zero vector in $F^{2p}$.) We call this a QQR code (or a quasi-quadratic residue code). These are binary linear codes of length $2p$ and dimension
This code has no codewords of odd weight, for parity reasons, by Lemma 1.
Remark 1 If $p \equiv \pm 1 \pmod 8$ then $C_{NQ}$ "contains" a binary quadratic residue code. For such primes $p$, the minimum distance satisfies the well-known square-root lower bound, $d \geq \sqrt{p}$.
Based on computations using SAGE, the following statement is likely to be true.
Conjecture 3 For $p \equiv 1 \pmod 4$, the associated QQR code and its dual satisfy:
The self-dual binary codes have useful upper bounds on their minimum distance (for example, the Sloane-Mallows bound, Theorem 9.3.5 in [HP]). Combining this with the lower bound mentioned above, we have the following result.
Note that these upper bounds (in the cases they are valid) are better than the asymptotic bounds of McEliece-Rumsey-Rodemich-Welch for rate $1/2$ codes. The following well-known result (v) shall be used to estimate the weights of codewords of QQR codes.
• $|S|$ even:
• $|S|$ odd:
• $|S|$ odd: The genus of the (smooth projective model of the) curve
• $|S|$ even: The genus of the (smooth projective model of the) curve
Obviously, the last two estimates are only non-trivial for $S$ "small" (e.g., $|S| < p^{1/2}$).
Lemma 3 (Tarnanen [T], Theorem 1) Fix $\tau$, $0.39 < \tau < 1$. For all sufficiently large $p$, the following statement is false:
Remark 2 (1) Here the meaning of "sufficiently large" is hard to make precise. The results of Tarnanen are actually asymptotic (as $p \to \infty$), so we can simply say that the negation of part (1) of this Lemma contradicts Theorem 1 in [T].
(2) This Lemma does not seem to imply "$B(1.42, p)$ is false, for sufficiently large $p$" (so Theorem 6 below is a new result), though it would if the condition $0.42p < |X_S(GF(p))|$ could be eliminated. Also of interest is the statement about character sums in Theorem 1 of Stepanov [St].
Proof: This is an immediate consequence of the Proposition above and Theorem 1 in [T]. ✷
Lemma 4 (Bazzi-Mitter [BM], Proposition 3.3) Assume $2$ and $-1$ are quadratic non-residues mod $p$ (i.e. $p \equiv 3 \pmod 8$). If $c = (r_N r_S, r_Q r_S)$ is a nonzero codeword of the $[2p, p]$ binary code $C_{NQ}$ then the weight of this codeword can be expressed in terms of a character sum as
if $|S|$ is odd.
In fact, looking carefully at their proof, one finds the following result.
(b) If $|S|$ is odd and $p \equiv 1 \pmod 4$ then the weight is
(c) If $|S|$ is odd and $p \equiv 3 \pmod 4$ then
where $k - B = \{k - b \mid b \in B\}$ and $\mathrm{parity}(x) = 1$ if $x$ is an odd integer, and $= 0$ otherwise.
Let $S \subseteq GF(p)$, then we have
Case 1. If $|S|$ is even and $a \in S$ then $0 \in a - S$ so $|Q \cap (a - S)|$ odd implies that $|N \cap (a - S)|$ is even,
Case 2. If $|S|$ is even and $a \notin S$ then parity |Q ∩ if and only if $|Q|$ is even and if and only if $|Q|$ is odd.
The relation between $wt(c)$ and the character sum follows from this. For the remaining part of the equation, use Proposition 1. ✷
Remark 3 It can be shown, using the coding-theoretic results above, that if $p \equiv -1 \pmod 8$ then (for non-empty $S$) $X_S(GF(p))$ contains at least $\sqrt{p} + 1$ points. This also follows from Weil's estimate, but since the proof is short, it is given here. What part c of Proposition 2 gives is that if $p \equiv -1 \pmod 8$ and $|S|$ is odd then $X_S(GF(p))$ contains at least $\sqrt{p} + 2$ points. If $|S|$ is even then perform the substitution $x = a + 1/x$, $y = y/x^{|S|}$ on the equation
This creates a hyperelliptic curve $X$ in $(x, y)$ for which $|X(GF(p))| = |X_S(GF(p))|$ and $X \cong X_{S'}$, where $|S'| = |S| - 1$ is odd. Now apply part 3 of the above proposition and Remark 1 to $X_{S'}$. ✷
Remark 4 If $|S| = 2$ or $|S| = 3$ then more can be said about the character sums above. If $|S| = 2$ then $\sum_a \chi(f_S(a))$ can be computed explicitly (it is "usually" equal to $-1$; see Proposition 1 in [Wa]). If $|S| = 3$ then $\sum_a \chi(f_S(a))$ can be expressed in terms of a hypergeometric function ${}_2F_1$ over $GF(p)$ (see Proposition 2 in [Wa]).
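As an added example (not the paper's code) covering both the ring $R$ of the "Cyclotomic arithmetic mod 2" section and the QQR codewords of Proposition 2, the block below represents $r_S$ by its exponent set, multiplies in $R = F[x]/(x^p - 1)$, forms $(r_N r_S, r_Q r_S)$ for every $S$, and compares the resulting weights with character sums. The weight formulas in `predicted_weight` are derived in its docstring from the assumed definition $f_S(x) = \prod_{s \in S}(x - s)$, which the page does not state explicitly; they are checked against the brute-force weights rather than taken from the paper. The block also verifies $r_S^2 = r_{2S}$ and the even-weight property of Corollary 1.

```python
# Added example, not the paper's code: arithmetic in R = F[x]/(x^p - 1) with
# r_S = sum_{s in S} x^s stored as the set S of exponents, the QQR codeword
# (r_N r_S, r_Q r_S), and a brute-force comparison of its weight with character
# sums in the spirit of Proposition 2.  Assumption (not on the page): f_S(x) =
# prod_{s in S} (x - s), so chi(f_S(a)) = prod_{s in S} chi(a - s); the weight
# formulas below are derived from that and are checked against the codewords.
from itertools import combinations


def legendre(a, p):
    """chi(a) = (a/p): 0, 1 or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def mul(A, B, p):
    """r_A * r_B in R: multiply out, reduce exponents mod p and coefficients mod 2."""
    coeff = [0] * p
    for a in A:
        for b in B:
            coeff[(a + b) % p] ^= 1
    return {k for k in range(p) if coeff[k]}


def residues(p):
    """The sets Q (quadratic residues) and N (non-residues) in GF(p)^x."""
    Q = {a for a in range(1, p) if legendre(a, p) == 1}
    return Q, set(range(1, p)) - Q


def qqr_codeword(S, p):
    """(r_N r_S, r_Q r_S), a pair of subsets of GF(p) = a vector in F^{2p}."""
    Q, N = residues(p)
    return frozenset(mul(N, S, p)), frozenset(mul(Q, S, p))


def qqr_weight(S, p):
    left, right = qqr_codeword(S, p)
    return len(left) + len(right)


def chi_sum(S, p):
    """sum_{a in GF(p)} chi(f_S(a))."""
    total = 0
    for a in range(p):
        v = 1
        for s in S:
            v = v * (a - s) % p
        total += legendre(v, p)
    return total


def chi_derivative_sum(S, p):
    """sum_{a in S} chi(f_S'(a)), where f_S'(a) = prod_{s in S, s != a} (a - s)."""
    total = 0
    for a in S:
        v = 1
        for s in S:
            if s != a:
                v = v * (a - s) % p
        total += legendre(v, p)
    return total


def predicted_weight(S, p):
    """Weight of (r_N r_S, r_Q r_S) from character sums.
    Coefficient k of r_N r_S is |N n (k - S)| mod 2, and of r_Q r_S is |Q n (k - S)| mod 2.
    For k not in S the two counts sum to |S| and (-1)^{|N n (k-S)|} = chi(f_S(k));
    for k in S they sum to |S| - 1 and the sign is chi(f_S'(k)).  Counting gives:
    |S| even: p - sum_a chi(f_S(a));   |S| odd: p - sum_{a in S} chi(f_S'(a))."""
    if len(S) % 2 == 0:
        return p - chi_sum(S, p)
    return p - chi_derivative_sum(S, p)


def check_all_subsets(p):
    """(number of distinct codewords, True iff every S matches predicted_weight,
    every weight is even, and r_S^2 = r_{2S} holds)."""
    words, ok = set(), True
    for k in range(p + 1):
        for S in combinations(range(p), k):
            word = qqr_codeword(S, p)
            words.add(word)
            w = len(word[0]) + len(word[1])
            ok = ok and w == predicted_weight(S, p) and w % 2 == 0
            ok = ok and mul(S, S, p) == {2 * s % p for s in S}
    return len(words), ok


if __name__ == "__main__":
    for p in (7, 11, 13):
        count, ok = check_all_subsets(p)
        print(f"p={p}: {count} distinct codewords (2^{count.bit_length() - 1}), checks pass: {ok}")
```

The distinct-codeword count shows the dimension drop for $p \equiv 1 \pmod 4$ ($2^{p-1}$ codewords for $p = 13$, since $r_{GF(p)}$ then lies in the kernel of $S \mapsto (r_N r_S, r_Q r_S)$) against $2^p$ for $p = 7$ and $p = 11$.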
It has already been observed that the following fact is true. Since its proof using basic facts about hyperelliptic curves is so short, it is included here.

Corollary 1 $C_{NQ}$ is an even weight code.
Proof: Since $p$ is odd, $1 \neq -1$ in $GF(p)$, so every affine point in $X_S(GF(p))$ occurs as an element of a pair of solutions of $y^2 = f_S(x)$. There are two points at infinity (if ramified, it is counted with multiplicity two), so in general $|X_S(GF(p))|$ is even. The formulas for the weight of a codeword in the above Proposition imply every codeword has even weight. ✷
As a consequence of this Proposition and Lemma 2, we have the following result.
Recall $B(c, p)$ is the statement: $|X_S(GF(p))| \leq c \cdot p$ for all $S \subset GF(p)$.
Theorem 1 (Bazzi-Mitter) Fix $c \in (0, 2)$. If $B(c, p)$ holds for infinitely many $p$ with $p \equiv 1 \pmod 4$ then there exists an infinite family of binary codes with asymptotic rate $R = 1/2$ and relative distance $\delta \geq 1 - c/2$. This is an easy consequence of the above Proposition and is essentially in [BM] (though they assume $p \equiv 3 \pmod 8$).
Theorem 2 If B(1.77, p) is true for infinitely many primes p with p ≡ 1 (mod 4) then Goppa's conjecture is false.
Proof: Recall Goppa's conjecture is that the binary asymptotic Gilbert-Varshamov bound is best possible for any family of binary codes. The asymptotic GV bound states that the rate $R$ is greater than or equal to $1 - H_q(\delta)$, where $H_q$ is the entropy function (for a $q$-ary channel). Therefore, according to Goppa's conjecture, if $R = 1/2$ (and $q = 2$) then the best possible $\delta$ is $\delta_0 = .11$. Assume $p \equiv 1 \pmod 4$. Goppa's conjecture implies that the minimum distance of our QQR code with rate $R = 1/2$ satisfies $d < \delta_0 \cdot 2p = .22p$, for sufficiently large $p$. Recall that the weight of a codeword in this QQR code is given by Proposition 2. $B(1.77, p)$ (with $p \equiv 1 \pmod 4$) implies (for all $S \subset GF(p)$) $wt((r_S r_N, r_S r_Q)) \geq 2p - |X_S(GF(p))| \geq 0.23p$. In other words, for $p \equiv 1 \pmod 4$, all nonzero codewords have weight at least $0.23p$. This contradicts the estimate above.
Theorem 3 For all sufficiently large primes $p$ for which $p \equiv 1 \pmod 4$, the statement $B(1.62, p)$ is false.
This is of course the same as the above theorem, except that we have used Corollary 2 (which unfortunately depends on Conjecture 3) to remove the hypothesis p ≡ 1 (mod 4).
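To make the constants in Theorem 2 concrete, here is an added example (not from the paper) that solves $1 - H_2(\delta) = 1/2$ for $\delta_0$ by bisection and compares it with the relative distance $1 - c/2$ that the QQR family attains under $B(c, p)$; the threshold at which the two cross is what separates the $1.77$ of Theorem 2 from constants closer to $2$. The helper names are this example's own.

```python
# Added example, not from the paper: the numbers behind Theorem 2.  H2 is the binary
# entropy function, delta_0 is where the asymptotic GV bound 1 - H2(delta) meets the
# rate R = 1/2, and the QQR family reaches relative distance 1 - c/2 under B(c, p).
import math


def H2(x):
    """Binary entropy function (for the q = 2 channel)."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def gv_relative_distance(R, tol=1e-12):
    """delta_0 with 1 - H2(delta_0) = R, found by bisection on (0, 1/2) where H2 increases."""
    lo, hi = 0.0, 0.5
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if 1.0 - H2(mid) > R:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2.0


def qqr_relative_distance(c):
    """Under B(c, p), wt(c_S) >= 2p - |X_S(GF(p))| >= (2 - c) p, so delta >= 1 - c/2 at rate 1/2."""
    return 1.0 - c / 2.0


def beats_goppa(c, R=0.5):
    """True iff the QQR family under B(c, p) would exceed the GV relative distance at rate R,
    which is what Theorem 2 turns into a contradiction with Goppa's conjecture."""
    return qqr_relative_distance(c) > gv_relative_distance(R)


if __name__ == "__main__":
    d0 = gv_relative_distance(0.5)
    print(f"GV relative distance at R = 1/2: delta_0 = {d0:.4f} (so d < {2 * d0:.3f} p)")
    for c in (1.62, 1.77, 1.78, 1.80):
        print(f"B({c}, p): QQR relative distance {qqr_relative_distance(c):.3f},"
              f" contradicts Goppa: {beats_goppa(c)}")
```

Running it shows $\delta_0 \approx 0.110$, so $B(1.77, p)$ gives relative distance $0.115 > \delta_0$ while $B(1.80, p)$ would only give $0.100$ and yields no contradiction.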

Weight distributions
In [D1] Iwan Duursma associates to a linear code $C$ over $GF(q)$ a zeta function $Z = Z_C$ of the form
where $P(T)$ is a polynomial of degree $n + 2 - d - d^\perp$ which only depends on $C$ through its weight enumerator polynomial (here $d$ is the minimum distance of $C$ and $d^\perp$ is the minimum distance of its dual code $C^\perp$; we assume $d \geq 2$ and $d^\perp \geq 2$). If $\gamma = \gamma(C) = n + k + 1 - d$ and $z_C(T) = Z_C(T)\,T^{1-\gamma}$ then the functional equation in [D1] can be written in the form $z_{C^\perp}(T) = z_C(1/qT)$. If we let $\zeta_C(s) = Z_C(q^{-s})$ and $\xi_C(s) = z_C(q^{-s})$ then $\zeta_C$ and $\xi_C$ have the same zeros but $\xi_C$ is "more symmetric" since the functional equation expressed in terms of it becomes
Abusing terminology, we call both $Z_C$ and $\zeta_C$ a Duursma zeta function. In fact, if $\rho_i$ denotes the $i$-th zero of the zeta function $Z(T)$ of an actual code then equations (5)-(6) of [D2] imply (for the even weight binary codes we are considering here) the relation
Therefore, further knowledge of the zeros of $Z(T)$ could be very useful. If $C$ is self-dual (or actually only formally self-dual) then the zeros of the $\zeta$-function occur in pairs about the "critical line" $\mathrm{Re}(s) = 1/2$. Following Duursma, we say (for formally self-dual codes $C$) the zeta function $\zeta_C$ satisfies the Riemann hypothesis if all its zeros occur on the "critical line".

Example 3
The following computations were done with the help of SAGE. If $p = 7$ then the $[14, 7, 4]$ (self-dual) code $C_{NQ}$ has "zeta polynomial"
It would be interesting to know if the Duursma zeta function $Z(T)$ of $C_{NQ}$, for $p \equiv 3 \pmod 4$, always satisfies the Riemann hypothesis.
A self-dual code is called extremal if its minimum distance satisfies the Sloane-Mallows bound [D3] and optimal if its minimum distance is maximal among all such linear codes of that length and dimension (see also Chinen [Ch1], [Ch2]). As noted above, the Duursma zeta function only depends on the weight enumerator. It has been conjectured that, for all extremal self-dual codes C, the ζ-function satisfies the Riemann hypothesis. The example below shows that "extremal self-dual" cannot be replaced by "optimal formally self-dual".
Based on computer computations using SAGE, the following statement appears to be true, though we have no proof.
Conjecture 4 If $p \equiv 1 \pmod 4$ then the code $C'$ spanned by $C_{NQ}$ and the all ones codeword (i.e., the smallest code containing $C_{NQ}$ and all its complementary codewords) is a formally self-dual code of
Using SAGE, it can be shown that the Riemann hypothesis is not valid for these "extended QQR codes" in general, as the following example illustrates.

Long Quadratic Residue Codes
We now introduce a new code, constructed similarly to the QQR codes discussed above:
We call this a long quadratic residue code, or LQR code for short, and identify it with a subset of $F^{4p}$. Observe that this code is non-linear. For any $S \subseteq GF(p)$, let
and let $v_S = (r_N r_S, r_Q r_S, r_N r_S, r_Q r_S)$.
If $S_1 \Delta S_2$ denotes the symmetric difference between $S_1$ and $S_2$ then it is easy to check that
We now compute the size of $C$ using Lemma 1. We prove the claim: if $p \equiv 3 \pmod 4$ then the map that sends $S$ to the codeword $c_S$ is injective. This implies $|C| = 2^p$. Suppose not; then there are two subsets $S_1, S_2 \subseteq GF(p)$ that are mapped to the same codeword. Subtracting, $c_{S_1} - c_{S_2} = c_{S_1} + c_{S_2} = v_{S_1 \Delta S_2}$, and the subset $T = S_1 \Delta S_2$ satisfies $r_Q r_T = r_N r_T = r_Q r_{T^c} = r_N r_{T^c} = 0$. If $|T|$ is even then $0 = (r_Q + r_N) r_T = (r_{GF(p)} - 1) r_T = r_T$. This forces $T$ to be the empty set, so $S_1 = S_2$. Now if $|T|$ is odd then similar reasoning implies that $T^c$ is the empty set. Therefore, $S_1 = \emptyset$ and $S_2 = GF(p)$ or vice versa. This proves the claim.
In case $p \equiv 1 \pmod 4$, we claim: $|C| = 2^{p-1}$. Again, suppose there are two subsets $S_1, S_2 \subseteq GF(p)$ that are mapped to the same codeword. Then the subset $T = S_1 \Delta S_2$ satisfies $r_Q r_T = r_N r_T = r_Q r_{T^c} = r_N r_{T^c} = 0$. This implies either $T = \emptyset$ or $T = GF(p)$. Therefore, either $S_1 = S_2$ or $S_1 = S_2^c$. Combining this discussion with Proposition 1, we have proven the following result.
Theorem 4 The code $C$ has length $n = 4p$ and has size $M = 2^{p-1}$ if $p \equiv 1 \pmod 4$, and size $M = 2^p$ if $p \equiv 3 \pmod 4$. If $p \equiv 3 \pmod 4$ then the minimum non-zero weight is $2p$ and the minimum distance is at least
If $p \equiv 1 \pmod 4$ then $C$ is a binary $[4p, p-1, d_p]$-code.
Remark 5 If p ≡ 3 (mod 4), there is no simple reason I can think of why the minimum distance should actually be less than the minimum non-zero weight.
Lemma 5 If $p \equiv 1 \pmod 4$ then
• $c_{S_1} + c_{S_2} = c_{S_1 \Delta S_2}$,
• the code $C$ is isomorphic to the QQR code $C_{NQ}$.
In particular, C is linear and of dimension p − 1.
Proof: It follows from the proof of Theorem 4 that if $p \equiv 1 \pmod 4$ then $r_N r_{S_1} = r_N r_{S_2}$ and $r_Q r_{S_1} = r_Q r_{S_2}$ if and only if $S_2 = S_1^c$. The lemma follows rather easily as a consequence of this and (4). ✷
Assume $p \equiv 3 \pmod 4$. Let
Lemma 6 The code $\bar{C}$ is
1. the smallest linear subcode of $F^{4p}$ containing $C$,
2. of dimension $p + 1$,
3. of minimum distance $\min(d_p, 2p)$.
By abuse of terminology, we call $\bar{C}$ an LQR code.
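The block below is an added example (not the paper's code) that builds the LQR code for small primes and checks the statements of Theorem 4 and Lemma 5 by enumeration. Because the page's definition of $c_S$ was lost in extraction, the example assumes $c_S = (r_N r_S, r_Q r_S, r_N r_{S^c}, r_Q r_{S^c})$ with $S^c = GF(p) \setminus S$, the choice under which $c_{S_1} + c_{S_2} = v_{S_1 \Delta S_2}$ holds as stated above; the helper names are the example's own.

```python
# Added example, not the paper's code: the LQR code of this section, built with the
# same ring arithmetic as the QQR code, to exhibit Theorem 4 and Lemma 5 on small p.
# Assumption (the page's definition of c_S is lost in extraction): c_S =
# (r_N r_S, r_Q r_S, r_N r_{S^c}, r_Q r_{S^c}) with S^c = GF(p) \ S, which is the
# choice consistent with c_{S1} + c_{S2} = v_{S1 Delta S2} as stated above.
from itertools import combinations


def legendre(a, p):
    """chi(a) = (a/p): 0, 1 or -1."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def mul(A, B, p):
    """r_A * r_B in R = F[x]/(x^p - 1); operands are exponent sets, coefficients mod 2."""
    coeff = [0] * p
    for a in A:
        for b in B:
            coeff[(a + b) % p] ^= 1
    return frozenset(k for k in range(p) if coeff[k])


def lqr_codeword(S, p):
    """c_S as a 4-tuple of subsets of GF(p), i.e. a vector in F^{4p}."""
    Q = {a for a in range(1, p) if legendre(a, p) == 1}
    N = set(range(1, p)) - Q
    S = set(S)
    Sc = set(range(p)) - S
    return (mul(N, S, p), mul(Q, S, p), mul(N, Sc, p), mul(Q, Sc, p))


def weight(word):
    return sum(len(block) for block in word)


def add(u, v):
    """Vector addition in F^{4p}: blockwise symmetric difference."""
    return tuple(a ^ b for a, b in zip(u, v))


def all_subsets(p):
    for k in range(p + 1):
        yield from combinations(range(p), k)


def code_size_and_weights(p):
    """(|C|, min weight, max weight) over all 2^p subsets S."""
    words = {lqr_codeword(S, p) for S in all_subsets(p)}
    ws = [weight(w) for w in words]
    return len(words), min(ws), max(ws)


def sum_rule_holds(p):
    """True iff c_{S1} + c_{S2} = c_{S1 Delta S2} for all S1, S2 (Lemma 5 for p = 1 mod 4)."""
    subsets = list(all_subsets(p))
    cw = {S: lqr_codeword(S, p) for S in subsets}
    for S1 in subsets:
        for S2 in subsets:
            T = tuple(sorted(set(S1) ^ set(S2)))
            if add(cw[S1], cw[S2]) != cw[T]:
                return False
    return True


if __name__ == "__main__":
    for p in (5, 7, 11, 13):
        size, wmin, wmax = code_size_and_weights(p)
        print(f"p={p} (p mod 4 = {p % 4}): |C| = {size} = 2^{size.bit_length() - 1},"
              f" weights in [{wmin}, {wmax}]")
    for p in (5, 7):
        print(f"p={p}: c_S1 + c_S2 = c_(S1 Delta S2) for all S1, S2? {sum_rule_holds(p)}")
```

For $p \equiv 3 \pmod 4$ the third and fourth blocks of $c_S$ are the complements of the first two (since $r_N r_{GF(p)} = r_{GF(p)}$ when $|N|$ is odd), so every codeword has weight exactly $2p$ and the zero vector is absent, which is why the code is non-linear there; for $p \equiv 1 \pmod 4$ the sum rule of Lemma 5 holds and $|C| = 2^{p-1}$.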
It turns out Lemma 6 allows us to improve the statement of Theorem 2 in §2. The next subsection is devoted to this goal.

Goppa's conjecture revisited
We shall now remove the condition p ≡ 1 (mod 4) in one of the results in §2, at a cost of weakening the constant involved.
Theorem 5 If $B(1.57, p)$ is true for infinitely many primes $p$ then Goppa's conjecture is false.
A similar argument (using $h(x)$ and the MRRW bound in place of $1 - H_2(x)$ and the hypothetical Goppa bound) gives
Theorem 6 $B(1.39, p)$ cannot be true for infinitely many primes $p$. In other words, for all "sufficiently large" $p$, we must have $|X_S(GF(p))| > 1.39p$ for some $S \subset GF(p)$.

Some results of Voloch
Lemma 8 (Voloch) If $p \equiv 1, 3 \pmod 8$ then $|X_Q(GF(p))| = 1.5p + a$, where $Q$ is the set of quadratic residues and $a$ is a small constant, $-1/2 \leq a \leq 5/2$. A similar bound holds if $X_Q$ is replaced by $X_N$ and $p \equiv 1, 3 \pmod 8$ is replaced by $p \equiv 7 \pmod 8$ (in which case $2$ is a quadratic residue).
Claim: It is possible to find an infinite sequence of primes $p$ satisfying $p \equiv 1 \pmod \ell$ and $\chi(r_i - 1) = 1$, for all $2 \leq i \leq \ell$ (where $\chi$ denotes the Legendre character mod $p$). If the claim is true then we will have a lower bound for $|X_{P_\ell}(GF(p))|$ on the order of $(2 - 1/\ell)p$, along the lines above, by Proposition 1.
Proof of claim: It is a well-known fact in algebraic number theory that $p \equiv 1 \pmod \ell$ implies that the prime $p$ splits completely in the cyclotomic field $\mathbb{Q}_\ell$ generated by the $\ell$-th roots of unity in $\mathbb{C}$, denoted $r_1 = 1, r_2, \ldots, r_\ell$. The condition $\chi(r_i - 1) = 1$ means that $p$ splits in the extension of $\mathbb{Q}_\ell$ obtained by adjoining $\sqrt{r_i - 1}$ (here $i = 2, \ldots, \ell$). By Chebotarev's density theorem there exist infinitely many such $p$, as claimed. ✷
In fact, there are effective versions which give explicit information on computing such $p$ [LO], [Se]. This, together with the previous lemma, proves the following result.
Theorem 7 (Voloch) If $\ell \geq 2$ is any fixed integer then for infinitely many primes $p$ there exists a subset $S \subset GF(p)$ for which $|X_S(GF(p))| = (2 - 1/\ell)p + a$, where $a$ is a small constant, $-1/2 \leq a \leq 5/2$. In fact, the primes occur with a positive (Dirichlet) density and the set $S$ can be effectively constructed.