Binary Goppa code

Construction and properties

A binary Goppa code is defined by a polynomial g ( x ) of degree t over a finite field G F ( 2 m ) without multiple zeros, and a sequence L of n distinct elements from G F ( 2 m ) that aren't roots of the polynomial:

Codewords belong to the kernel of syndrome function, forming a subspace of { 0 , 1 } n :

Code defined by a tuple ( g , L ) has minimum distance 2 t + 1 , thus it can correct t = ⌊ ( 2 t + 1 ) − 1 2 ⌋ errors in a word of size n − m t using codewords of size n . It also possesses a convenient parity-check matrix H in form

Note that this form of the parity-check matrix, being composed of a Vandermonde matrix V and diagonal matrix D , shares the form with check matrices of alternant codes, thus alternant decoders can be used on this form. Such decoders usually provide only limited error-correcting capability (in most cases t / 2 ).

For practical purposes, parity-check matrix of a binary Goppa code is usually converted to a more computer-friendly binary form by a trace construction, that converts the t -by- n matrix over G F ( 2 m ) to a m t -by- n binary matrix by writing polynomial coefficients of G F ( 2 m ) elements on m successive rows.

Decoding

Decoding of binary Goppa codes is traditionally done by Patterson algorithm, which gives good error-correcting capability (it corrects all t design errors), and is also fairly simple to implement.

Patterson algorithm converts a syndrome to a vector of errors. The syndrome of a word c = ( c 0 , … , c n − 1 ) is expected to take a form of

Alternative form of a parity-check matrix based on formula for s ( x ) can be used to produce such syndrome with a simple matrix multiplication.

The algorithm then computes v ( x ) ≡ s ( x ) − 1 − x mod g ( x ) . That fails when s ( x ) ≡ 0 , but that is the case when the input word is a codeword, so no error correction is necessary.

v ( x ) is reduced to polynomials a ( x ) and b ( x ) using the extended euclidean algorithm, so that a ( x ) ≡ b ( x ) ⋅ v ( x ) mod g ( x ) , while deg ⁡ ( a ) ≤ ⌊ t / 2 ⌋ and deg ⁡ ( b ) ≤ ⌊ ( t − 1 ) / 2 ⌋ .

Finally, the error locator polynomial is computed as σ ( x ) = a ( x ) 2 + x ⋅ b ( x ) 2 . Note that in binary case, locating the errors is sufficient to correct them, as there's only one other value possible. Note that in all non-binary cases, separate error correction polynomial has to be computed as well.

If the original codeword was decodable and the e = ( e 0 , e 1 , … , e n − 1 ) was the error vector, then

Factoring or evaluating all roots of σ ( x ) therefore gives enough information to recover the error vector and fix the errors.

Properties and usage

Binary Goppa codes viewed as a special case of Goppa codes have the interesting property that they correct full deg ⁡ ( g ) errors, while only deg ⁡ ( g ) / 2 errors in ternary and all other cases. Asymptotically, this error correcting capability meets the famous Gilbert–Varshamov bound.

Because of the high error correction capacity compared to code rate and form of parity-check matrix (which is usually hardly distinguishable from a random binary matrix of full rank), the binary Goppa codes are used in several post-quantum cryptosystems, notably McEliece cryptosystem and Niederreiter cryptosystem.