
Codes on Algebraic Curves


Serguei A. Stepanov
Bilkent University
Ankara, Turkey
and Steklov Mathematical Institute
Moscow, Russia

Springer Science+Business Media, LLC


Library of Congress Cataloging-in-Publication Data

Stepanov, S. A. (Sergei Aleksandrovich)
Codes on algebraic curves / Serguei A. Stepanov.
p. cm.
Includes bibliographical references and index.
ISBN 978-1-4613-7167-0 ISBN 978-1-4615-4785-3 (eBook)
DOI 10.1007/978-1-4615-4785-3
1. Goppa codes. 2. Curves, Algebraic. I. Title.
QA268.S74 1999
003'.54--dc21 98-47576
CIP

ISBN 978-1-4613-7167-0
© 1999 Springer Science+Business Media New York
Originally published by Kluwer Academic / Plenum Publishers in 1999
Softcover reprint of the hardcover 1st edition 1999
10 9 8 7 6 5 4 3 2 1
A C.I.P. record for this book is available from the Library of Congress.
All rights reserved
No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form
or by any means, electronic, mechanical, photocopying, microfilming, recording, or otherwise,
without written permission from the Publisher
Preface

This is a self-contained introduction to algebraic curves over finite fields and
geometric Goppa codes. There are four main divisions in the book. The first is a
brief exposition of basic concepts and facts of the theory of error-correcting codes
(Part I). The second is a complete presentation of the theory of algebraic curves,
especially the curves defined over finite fields (Part II). The third is a detailed
description of the theory of classical modular curves and their reduction modulo
a prime number (Part III). The fourth (and basic) is the construction of geometric
Goppa codes and the production of asymptotically good linear codes coming from
algebraic curves over finite fields (Part IV).
The theory of geometric Goppa codes is a fascinating topic where two extremes
meet: the highly abstract and deep theory of algebraic (specifically modular)
curves over finite fields and the very concrete problems in the engineering of
information transmission. At the present time there are two essentially different
ways to produce asymptotically good codes coming from algebraic curves over
a finite field with an extremely large number of rational points. The first way,
developed by M. A. Tsfasman, S. G. Vladut and Th. Zink [210], is rather difficult
and assumes a serious acquaintance with the theory of modular curves and their
reduction modulo a prime number. The second way, proposed recently by A.
Garcia and H. Stichtenoth [53, 54, 56], is much easier and more explicit; the basic
tools are the ramification theory of Artin-Schreier extensions and the Hurwitz
genus formula. This book demonstrates both of these ways. Moreover, it contains
various examples of particular geometric Goppa codes of admissible length, which
have fairly good parameters and can be easily used in practice. For example,
the author's recent constructions [188, 189] of linear codes on fiber products of
hyperelliptic curves provide a family of sufficiently long codes with completely
good parameters and easy construction and decoding algorithms.


Recently, a series of effective decoding algorithms for geometric Goppa codes
was worked out by several authors. Such algorithms decode up to half the min-
imum distance and have polynomial complexity. This book provides a detailed
description of the most significant results on the decoding of geometric Goppa
codes and concrete realizations of various decoding algorithms in the simplest
case of plane projective curves.
My purpose is to present these themes in a simple, easily understandable
manner, and also to explain their close interconnection. At the same time I want to
introduce topics which are at the forefront of current research. Numerous examples
are given in the text and exercises, with the aim of making the material readable
and interesting to mathematicians in fields far removed from the subject of the
book. Some exercises are rather difficult and are intended for actively working
readers.
This book grew out of lectures I gave at the Institute of Mathematics of
Academia Sinica (Beijing) in January-April of 1992. The excellent book of
J. H. van Lint and G. B. M. van der Geer, Introduction to Coding Theory and
Algebraic Geometry [116], served as a guideline for organizing the material.
Some constructions were adopted from a fundamental (but rather difficult for non-
specialists in algebraic geometry) work by M. A. Tsfasman and S. G. Vladut,
Algebraic-Geometric Codes [208] and from the author's monograph Arithmetic of
Algebraic Curves [187]. The presentation of the theory of classical modular curves
and the construction of asymptotically good codes coming from these curves are
fairly close to the approaches in N. Koblitz's, Introduction to Elliptic Curves
and Modular Forms [96] and C. Moreno's, Algebraic Curves over Finite Fields
[129]. The excellent survey article of Hoholdt and Pellikaan, On the Decoding
of Algebraic-Geometric Codes [80], was extensively consulted to describe the
contemporary state of the decoding of geometric Goppa codes. The book also
contains a brief exposition of the theory of algebraic function fields over a finite
constant field (in particular, the Artin-Schreier extensions of the rational function
field). For a more detailed treatment of this theory see M. Deuring's, Lectures
on the Theory of Algebraic Functions of One Variable [24] and H. Stichtenoth's,
Algebraic Function Fields and Codes [197].
In order to be able to read this book a fairly thorough mathematical background
is necessary. The most important area is certainly algebra (especially linear algebra
and Galois theory), but the reader must also know some facts from elementary
number theory, complex analysis and the theory of finite fields. For these I refer
the reader to standard textbooks and also to R. Lidl and H. Niederreiter's, Finite
Fields [114]. For a more extensive treatment of coding theory and the theory of
modular curves I strongly recommend: F. J. MacWilliams and N. J. A. Sloane's,
The Theory of Error-Correcting Codes [118], and G. Shimura's, Introduction to
the Arithmetic Theory of Automorphic Functions [176].

I would like to express my gratitude to everyone at the Institute of Mathematics
of Academia Sinica for their hospitality. I would especially like to thank Wang
Yuan, Yang Lo and Feng Xu-ning for their constant encouragement and help during
my stay in Beijing.
I wish to express my gratitude to many people at Bilkent University (Ankara)
for invaluable help in the final stage of preparation of the manuscript. Specifically,
I would like to thank Alexander Klyachko, Vladimir Kurakin and Sinan Sertoz for
their careful reading of the original draft and their many useful comments. Finally,
I wish to thank Ferruh Ozbudak for having typed most of the chapters and Theresa
Caner for having proofread.

Bilkent, Ankara
September 1997
Serguei A. Stepanov

Contents

I. Error-Correcting Codes

Chapter 1
Codes and Their Parameters
1.1. Introduction
1.2. Finite Fields
1.3. Linear Codes
1.4. Spectrum and Duality
Exercises

Chapter 2
Bounds on Codes
2.1. Upper Bounds
2.2. The Linear Programming Bound
2.3. Lower Bounds
Exercises

Chapter 3
Examples and Constructions
3.1. Codes of Genus Zero
3.2. Some Families of Codes
3.3. Constructing Codes from other Codes
Exercises

II. Algebraic Curves and Varieties

Chapter 4
Algebraic Curves
4.1. Algebraic Varieties
4.2. Non-Singular Curves
4.3. Divisors on Algebraic Curves
4.4. The Riemann-Roch Theorem
4.5. Hurwitz and Plücker Genus Formulas
4.6. Special Divisors
Exercises

Chapter 5
Curves over a Finite Field
5.1. Rational Points and Divisors
5.2. The Zeta-Function of a Curve
5.3. L-Functions of Artin
5.4. Algebraic Function Fields
Exercises

Chapter 6
Counting Points on Curves over Finite Fields
6.1. The Number of Rational Points on a Curve
6.2. Character Sums
6.3. Asymptotics
Exercises

III. Elliptic and Modular Curves

Chapter 7
Elliptic Curves
7.1. The Group Law
7.2. The j-Invariant
7.3. Isogenies
7.4. Elliptic Curves over Finite Fields
7.5. Elliptic Functions
Exercises

Chapter 8
Classical Modular Curves
8.1. Congruence Subgroups
8.2. The Curves $X(N)$, $X_0(N)$, and $X_1(N)$
8.3. Hecke Operators
8.4. The Petersson Inner Product
Exercises

Chapter 9
Reductions of Modular Curves
9.1. Reductions and Moduli Spaces
9.2. The Igusa Theorem
9.3. The Eichler-Shimura Congruence Relation
9.4. The Eichler-Selberg Trace Formula
Exercises

IV. Geometric Goppa Codes

Chapter 10
Constructions and Properties
10.1. L-Construction
10.2. Ω-Construction
10.3. Parameters
10.4. Duality and Spectra
Exercises

Chapter 11
Examples
11.1. Codes of Small Genera
11.2. Elliptic and Hermitian Codes
11.3. Codes on Fiber Products
11.4. Codes on Classical Modular Curves
11.5. Codes on Artin-Schreier Coverings
11.6. Codes on Trace-Norm Curves
Exercises

Chapter 12
Decoding Geometric Goppa Codes
12.1. The Decoding Problem
12.2. The Basic and Modified Algorithms
12.3. An Improvement of the Modified Algorithm
12.4. Majority Voting for Unknown Syndromes
12.5. Faster Decoding
Exercises

Chapter 13
Bounds
13.1. Asymptotic Bounds
13.2. Constructive Bounds
13.3. Other Bounds
Exercises

Bibliography

List of Notations

Index

Part I

Error-Correcting Codes

Part I is an introduction to coding theory. It discusses basic concepts of the theory,
considers the most interesting examples and constructions of some families of
linear codes, and studies asymptotic bounds for parameters of the codes. The
reader with only a minimal background in mathematics can get an idea of the
character and direction of the subject.
Chapter 1

Codes and Their Parameters

In this chapter the basic notions of the theory of error-correcting codes are
introduced: the Hamming distance, parameters of codes, linear codes, encoding
and decoding procedures, spectrum and duality, the MacWilliams identity and
Krawtchouk polynomials.

1.1. INTRODUCTION

Let $F$ be a finite set of cardinality $q = |F|$, which we call an alphabet. The
cartesian product $F^n = F \times \dots \times F$ of $n$ copies of the set $F$ can be provided with
the structure of a metric space if only we introduce the Hamming distance $d(x,y)$
between $x = (x_1, \dots, x_n)$ and $y = (y_1, \dots, y_n)$ from $F^n$ as the number of coordinates
in which $x$ and $y$ differ:

$$d(x,y) = \#\{i \mid 1 \le i \le n,\ x_i \ne y_i\}.$$

Each non-empty subset $C \subseteq F^n$ is called a $q$-ary block code of length $n$. The
non-negative integer $M = |C|$ is called the cardinality of the code $C$ and the
non-negative real number $k = \log_q |C|$ is called the log-cardinality of $C$. The minimum
distance of the code $C$ is defined as

$$d = \min\{d(x,y) \mid x, y \in C,\ x \ne y\}.$$

A $q$-ary code $C$ with parameters $n$, $k$ and $d$ is called an $[n,k,d]_q$-code.
Elements of $C$ are called code-words (or code-vectors), and their components are
called positions (or coordinates).

Define the information rate $R$ and relative minimum distance $\delta$ of an $[n,k,d]_q$-code
$C$ as $R = k/n$ and $\delta = d/n$. It is clear that $0 \le R \le 1$, $0 \le \delta \le 1$.
Let us briefly explain why the codes are called error-correcting. The following
question is essentially one of the central problems of information theory. We con-
sider information presented as a very long sequence of symbols from an alphabet
F. In the sequence each symbol occurs with equal probability. This information
is sent to a receiver over a so-called noisy channel. In the model that we consider
there is a small fixed probability p that a symbol, which is sent over the channel, is
changed to one of the other symbols. Such an event is called a symbol-error and p
is the symbol-error probability. As a result a fraction p of the transmitted symbols
arrives incorrectly at the receiver at the end of the communication channel. The
aim of the coding theory is to lower the probability of error (considerably) at the
expense of spending some of the transmission time or energy on redundant sym-
bols. The basic idea of the theory can be explained in the sentence that follows.
When we read printed text we recognize a printing error in a word because in
our vocabulary there is only one word that resembles (is sufficiently close to) the
printed word.
In block coding the message is split into parts of $k$ symbols. The encoding
is an injective map from $F^k$ to $F^n$ (where $n \ge k$). In other words we take some
$[n,k,d]_q$-code $C$ with integer $k$ and fix an embedding

$$\gamma : F^k \xrightarrow{\sim} C \subseteq F^n.$$

The transmission is now $R = k/n$ times slower, which justifies the term "information
rate" for $R$. Instead of the part $z \in F^k$ of the message, we transmit the corresponding
word $x = \gamma(z) \in C$ of length $n$. At the end of the channel we obtain a distorted
word $x' \in F^n$ and we transform it into the nearest word $x'' \in C$ (i.e., we decode the
message on the maximum likelihood basis). This transformation can be defined
by some decoding map $C : F^n \to C$. If the number of distorted symbols is at
most $\lfloor (d-1)/2 \rfloor$, then $x'' = x$, i.e., the decoding is correct. The maximum likelihood
decoding is an ideal that is almost unattainable. Usually we just give a map
$C : U \to C$, where $U$ is the union of all balls

$$B_t(x) = \{y \in F^n \mid d(x,y) \le t\}$$

of radius $t \le \lfloor (d-1)/2 \rfloor$ centered in the elements $x \in C$. In this case we speak about
decoding up to $t$ (or correcting $t$ errors). Usually $t = \lfloor (d-1)/2 \rfloor$, but sometimes it is
less.
It is fairly obvious that we can make the probability of error after decoding
as small as we like if we are willing to transmit at a very low information rate.
The reason that coding theory is interesting is suggested by Shannon's famous
channel coding theorem (see, for example, [115, Ch. 2]). To explain this, we need
a number called the capacity of the channel. This number depends on $p$, $q$ and
lies between 0 and 1. If $q = 2$ the capacity is $1 + p \log_2 p + (1 - p) \log_2(1 - p)$.
The theorem states that for any $\varepsilon > 0$, any given $p$, $0 < p < 1/2$, and any positive
$R$ less than the capacity there is a code with information rate at least $R$, for which
the probability of incorrect decoding of a received word is less than $\varepsilon$. The "good"
code promised by the theorem will have very large word length $n$. If the
symbol-error probability $p$ satisfies the condition $p < p' = t/n$, then such code will correct
$t$ errors. Therefore, a "good" code is an $[n,k,d]_q$-code with large $n$ and $R$, and $\delta$
as large as possible.

1.2. FINITE FIELDS

A considerable part of the most interesting constructions in the theory of
error-correcting codes is based on the use of finite fields. This section is a brief
introduction to the basic facts of the theory of finite fields (for more detailed
treatment of the subject we refer the reader to Lidl, Niederreiter [114], Schmidt
[159] and Stepanov [187]).
A finite field is a field consisting of a finite number of elements. At first we
consider the simplest example of such fields. The ring of integers $\mathbb{Z}$ is a principal
ideal domain, and any maximal ideal of $\mathbb{Z}$ has the form $(p)$ for $p$ a prime number.
The residue class ring $\mathbb{Z}/(p)$ is a field with $p$ elements. This field is called a prime
finite field and is denoted by $F_p$.
Let $F$ be a finite extension of $F_p$. Then, under the field operations in $F$, the
field $F$ is a finite dimensional vector space over $F_p$. The dimension $\nu$ of $F$ over
$F_p$ is called the degree of the extension $F$ over $F_p$ and is denoted by $\nu = [F : F_p]$.
Let $\{\omega_1, \dots, \omega_\nu\}$ be a basis of the vector space $F$ over $F_p$. Then any element $x$ of
$F$ can be uniquely written in the form

$$x = x_1 \omega_1 + \dots + x_\nu \omega_\nu$$

with $x_i \in F_p$ for $1 \le i \le \nu$. It follows that $F$ is a finite field consisting of $q = p^\nu$
elements.
Suppose that $F$ is an arbitrary field and 1 is the identity element of $F$. The
characteristic of the field $F$ (notation: char $F$) is the smallest positive integer $p$
(provided that it exists) such that $p \cdot 1 = 0$. If such an integer does not exist, then
we say that the characteristic of $F$ is zero. Clearly, if the characteristic $p$ of the
field $F$ is not equal to zero, then $p$ is a prime number. If $F_q$ is a finite field with $q$
elements then we have $q \cdot 1 = 0$, hence the characteristic of $F_q$ is a prime divisor
of $q$.

Proposition 1.1. Let $F$ be a finite field. Then $F$ consists of $p^\nu$ elements, where $p$
is the characteristic of $F$.

Proof: Let 1 be the identity element of $F$. Since $F$ has a finite number of
elements, say $q$, the characteristic of $F$ is a prime number dividing $q$. The field $F$
contains a subfield $F_p'$ consisting of elements $1, 2, \dots, p$, which is isomorphic to
$F_p$. Since $F_p'$ has $p$ elements, $F$ has $p^\nu$ elements, where $\nu = [F : F_p']$ is the degree
of $F$ over $F_p'$. ■

Proposition 1.2. Let $x$, $y$ be arbitrary elements of a finite field $F_q$ of characteristic
$p$. Then

Proof: By the binomial theorem we have

and since $p$ divides $\binom{p}{i}$ for $1 \le i \le p - 1$ then

This proves the proposition.



There is an easy way to construct explicitly a finite field $F_q$ with $q = p^\nu$ elements
for any integer $\nu > 1$ and any prime $p$. Let $F_p[u]$ be the ring of polynomials in
$u$ with coefficients from $F_p$. The ring $F_p[u]$ is a principal ideal domain and any
maximal ideal of $F_p[u]$ has the form $(f)$ for $f$ an irreducible polynomial in $F_p[u]$. If
$f$ is a monic (with leading coefficient 1) irreducible polynomial in $F_p[u]$ of degree
$\nu$ (such polynomials exist for any $p$ and $\nu \ge 1$; see below), the finite field $F_q$ with
$q = p^\nu$ elements can be viewed as the residue class ring $F_p[u]/(f(u))$. Elements of
$F_p[u]/(f(u))$ are residue classes of the form $r(u) + f(u)F_p[u]$ with representatives

If $\theta$ is the residue class containing the polynomial $u$ then $f(\theta) = 0$ in $F_p[u]/(f(u))$,
and any element $x \in F_q$ can be written uniquely as a linear combination

$$x = x_0 + x_1 \theta + \dots + x_{\nu-1} \theta^{\nu-1}$$

of elements $1, \theta, \dots, \theta^{\nu-1}$ with coefficients $x_i \in F_p$. It follows that the set
$\{1, \theta, \dots, \theta^{\nu-1}\}$ forms a basis of $F_q$ over $F_p$, and $F_q$ is a finite extension of $F_p$
of the form $F_q = F_p(\theta)$.

Theorem 1.3. For any positive integer $\nu$ there exists at least one monic irreducible
polynomial $f \in F_p[u]$ of degree $\nu$.

Proof: Let $g$ be a monic polynomial of degree $\nu$ in the ring $F_p[u]$. We set
$N(g) = p^\nu$ and call $N(g)$ the norm of the polynomial $g$. It is clear that
$N(g \cdot h) = N(g) \cdot N(h)$ for any two monic polynomials $g$ and $h$. Now we introduce into
consideration the zeta-function of the ring $F_p[u]$:

$$\zeta(s) = \prod_f \left(1 - N(f)^{-s}\right)^{-1},$$

where $s = \sigma + it$ is a complex variable with $\sigma = \operatorname{Re} s > 1$ and the product is taken
over all monic irreducible polynomials $f \in F_p[u]$. In view of the uniqueness of
factorization into irreducibles, we have

$$\zeta(s) = \prod_f \Big(1 + \sum_{m=1}^{\infty} N(f)^{-ms}\Big) = 1 + \sum_g N(g)^{-s},$$

where the sum on the right-hand side is over all monic polynomials $g$ in $F_p[u]$ of
positive degree, and then

$$\zeta(s) = 1 + \sum_{n=1}^{\infty} \Big(\sum_{\deg g = n} N(g)^{-s}\Big).$$

Since there are exactly $p^n$ monic polynomials $g \in F_p[u]$ of degree $n$, the last
relation gives

$$\zeta(s) = 1 + \sum_{n=1}^{\infty} p^{(1-s)n} = \left(1 - p^{1-s}\right)^{-1}.$$

Let $I(\nu)$ denote the number of monic irreducible polynomials $f \in F_p[u]$ of degree
$\nu$. From the definition of the function $\zeta(s)$ we have

$$\zeta(s) = \prod_{\nu=1}^{\infty} \left(1 - p^{-\nu s}\right)^{-I(\nu)}$$

and hence

$$\prod_{\nu=1}^{\infty} \left(1 - p^{-\nu s}\right)^{-I(\nu)} = \left(1 - p^{1-s}\right)^{-1}.$$

Taking logarithms, we obtain the equality

$$\sum_{\nu=1}^{\infty} I(\nu) \log\left(1 - p^{-\nu s}\right) = \log\left(1 - p^{1-s}\right),$$

which can be written as

$$\sum_{\nu=1}^{\infty} I(\nu) \sum_{m=1}^{\infty} \frac{1}{m\, p^{m\nu s}} = \sum_{n=1}^{\infty} \frac{p^n}{n\, p^{ns}}.$$

Comparing the coefficients of $p^{-ns}$ on both sides of this equality, we find that

$$\sum_{\nu \mid n} \nu I(\nu) = p^n,$$

whence, from the Möbius inversion formula, we obtain

$$I(\nu) = \frac{1}{\nu} \sum_{m \mid \nu} \mu(m)\, p^{\nu/m},$$

where $\mu(m)$ is the Möbius function defined as

$$\mu(m) = \begin{cases} 1 & \text{if } m = 1, \\ (-1)^r & \text{if } m = p_1 \cdots p_r \text{ is the product of distinct primes}, \\ 0 & \text{if } m \text{ is divisible by the square of a prime}. \end{cases}$$

The sum

$$\sum_{m \mid \nu} \mu(m)\, p^{\nu/m}$$

is positive for any $p$ and $\nu \ge 1$, hence $I(\nu) \ge 1$ for any positive integer $\nu$. ■

Corollary 1.4. For any prime $p$ and any positive integer $\nu$ there exists a finite field
$F_q$ with $q = p^\nu$ elements.
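
The counting formula for $I(\nu)$ obtained in the proof of Theorem 1.3 can be checked against a direct enumeration. The following Python sketch is an added example, not part of the book; the function names are illustrative, and a polynomial over $F_p$ is stored as a tuple of coefficients with the lowest degree first.

```python
from itertools import product


def mobius(m):
    """Moebius function mu(m) as defined in the proof of Theorem 1.3."""
    result, d = 1, 2
    while d * d <= m:
        if m % d == 0:
            m //= d
            if m % d == 0:          # m is divisible by the square of a prime
                return 0
            result = -result
        d += 1
    if m > 1:                        # one prime factor is left over
        result = -result
    return result


def count_by_formula(p, v):
    """I(v) = (1/v) * sum over m | v of mu(m) * p^(v/m)."""
    total = sum(mobius(m) * p ** (v // m) for m in range(1, v + 1) if v % m == 0)
    assert total % v == 0            # the sum is always divisible by v
    return total // v


def divisor_sum(p, n):
    """Left-hand side of the identity sum over v | n of v * I(v) = p^n."""
    return sum(v * count_by_formula(p, v) for v in range(1, n + 1) if n % v == 0)


def monic_polys(p, deg):
    """All p^deg monic polynomials of the given degree over F_p."""
    for low in product(range(p), repeat=deg):
        yield low + (1,)


def poly_mul(a, b, p):
    """Product of two polynomials over F_p."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return tuple(out)


def irreducible_monics(p, v):
    """Brute force: a monic polynomial of degree v is reducible exactly when it
    is a product of monic polynomials of degrees a and v - a, 1 <= a <= v/2."""
    reducible = set()
    for a in range(1, v // 2 + 1):
        for g in monic_polys(p, a):
            for h in monic_polys(p, v - a):
                reducible.add(poly_mul(g, h, p))
    return [f for f in monic_polys(p, v) if f not in reducible]


if __name__ == "__main__":
    for p, v in [(2, 2), (2, 4), (3, 3), (5, 2)]:
        print(p, v, count_by_formula(p, v), len(irreducible_monics(p, v)))
```
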

Algebraic Structure
Now we study the algebraic structure of finite fields.
Theorem 1.5. If the finite field $F_q$ has $q = p^\nu$ elements then every $x \in F_q$ satisfies
the equation $x^q - x = 0$.

Proof: The statement is trivial for $x = 0$. The non-zero elements of $F_q$ form
a group under multiplication of order $q - 1$, hence $x^{q-1} = 1$ for any $0 \ne x \in F_q$.
Multiplying this relation by $x$ we obtain $x^q = x$. This completes the proof. ■

Corollary 1.6. If $F_q$ is a finite field with $q$ elements then the polynomial
$u^q - u \in F_q[u]$ factors in $F_q[u]$ as

$$u^q - u = \prod_{x \in F_q} (u - x).$$

Proof: By Theorem 1.5 the polynomial $u^q - u$ splits completely in $F_q$. However,
it cannot split in any smaller field for that field would have all the roots of this
polynomial and so would have at least $q$ elements. Thus $F_q$ is the splitting field of
$u^q - u$. This finishes the proof. ■
Since any two splitting fields of a given polynomial are isomorphic we obtain
the following result:

Corollary 1.7. Any two finite fields having the same number of elements are
isomorphic.

The order of a non-zero element $x \in F_q$ is the least positive integer $n$ such that
$x^n = 1$. We note that if $x$ is an element of order $n$, then the equality $x^l = x^m$ is
equivalent to $l \equiv m \bmod (n)$. In particular, we see that the order of every non-zero
element of the field $F_q$ is a divisor of $q - 1$. Let us show that every finite field
$F_q$ contains at least one element $\eta$ of order $q - 1$. Such an element is called a
primitive element of $F_q$, and the existence of a primitive element implies that the
multiplicative group $F_q^* = F_q \setminus \{0\}$ of the field $F_q$ is a cyclic group of order $q - 1$.

Theorem 1.8 (the Gauss theorem). The finite field $F_q$ with $q = p^\nu$ elements
contains $\varphi(q - 1)$ primitive elements, where $\varphi$ is the Euler phi-function.

Proof: Let $n$ be a divisor of $q - 1$, and $\psi(n)$ the number of elements in $F_q$ of order
$n$. Let us assume that $\psi(n) > 0$, i.e., that there exists at least one element $x \in F_q$
of order $n$. The powers $1, x, \dots, x^{n-1}$ of the element $x$ are different and satisfy
the polynomial equation $u^n - 1 = 0$. Since the number of roots of a non-zero
polynomial does not exceed its degree, these powers exhaust all the roots of the
polynomial $u^n - 1$. Hence, every element of order $n$ has the form $x^m$ for some
$m = 0, 1, \dots, n - 1$.
If $(m, n) = d > 1$, then the element $x^m$ is of the order $n/d$, which is strictly
smaller than $n$. Now if $(m, n) = 1$ and if $x^{lm} = 1$ for a certain positive integer
$l < n$, then we have $lm \equiv 0 \bmod (n)$, which is impossible. Thus, the element $x^m$
has order $n$ if and only if $(m, n) = 1$, and therefore $\psi(n) = \varphi(n)$.
Now we use the obvious equality

$$\sum_{n \mid q-1} \psi(n) = q - 1$$

and the well-known equality

$$\sum_{n \mid q-1} \varphi(n) = q - 1$$

for the Euler phi-function $\varphi(n)$. We have

$$\sum_{n \mid q-1} \left(\varphi(n) - \psi(n)\right) = 0$$

and therefore $\psi(n) = \varphi(n)$ for any $n \mid q - 1$. In particular, for $n = q - 1$ we obtain
the equality $\psi(q - 1) = \varphi(q - 1)$, which proves the theorem. ■

Automorphisms
Let $f$ be a monic irreducible polynomial of degree $\nu \ge 1$ in $F_p[u]$. Consider the
finite field $F_q = F_p[u]/(f(u))$. Denote by $\theta$ the residue class in $F_p[u]$ containing
the polynomial $u$, and observe that $f(\theta) = 0$. Raising both sides of this equality to
the power $p$, and using Proposition 1.2 and Theorem 1.5, we find that $f(\theta^p) = 0$.
Repeating this process several times, we see that the elements $\theta^p, \dots, \theta^{p^{\nu-1}}$ are also
the roots of the polynomial $f(u)$. Let us show that $\theta, \theta^p, \dots, \theta^{p^{\nu-1}}$ are distinct.
Suppose that $\eta$ is a primitive element of the field $F_q$ and
$\eta = x_0 + x_1 \theta + \dots + x_{\nu-1} \theta^{\nu-1}$ with $x_i \in F_p$. If we assume that
$\theta^{p^m} = \theta^{p^n}$ for $0 \le m < n \le \nu - 1$, then
we get the equality $\eta^{p^m} = \eta^{p^n}$, which implies $\eta^{p^n - p^m} = 1$. We have
$1 \le p^n - p^m < q - 1$, and arrive at a contradiction with the definition of the element $\eta$. Thus, the
irreducible polynomial $f \in F_p[u]$ has in the field $F_q$, with $q = p^\nu$, the factorization

$$f(u) = \prod_{i=0}^{\nu-1} \left(u - \theta^{p^i}\right).$$

It follows that the map

$$\theta \mapsto \theta^p$$

induces the automorphism

$$\sigma : F_q \to F_q$$

of the field $F_q$ acting on elements

by the rule

$$\sigma(x) = x_0 + x_1 \theta^p + \dots + x_{\nu-1} \theta^{(\nu-1)p} = x^p$$

and leaving the field $F_p$ fixed. The automorphism $\sigma$ is known as the Frobenius
automorphism of the field $F_q$.
Theorem 1.9. The Galois group of a finite field $F_q$ with $q = p^\nu$ elements is a cyclic
group of order $\nu$.

Proof: Let $\sigma$ be the Frobenius automorphism of the field $F_q$. Its powers
$1, \sigma, \dots, \sigma^{\nu-1}$ are also the automorphisms of the field $F_q$ acting on elements
$x \in F_q$ by the rule

$$\sigma^i(x) = x^{p^i}.$$

Since $\sigma^i(\theta) \ne \sigma^k(\theta)$ for $0 \le i < k \le \nu - 1$, these automorphisms are distinct and
exhaust all possible automorphisms of $F_q$ (which cannot be greater in number than
$\nu$). ■

Let $G_\mu$ be the Galois group of the finite field $F_{p^\mu}$ and $G_\nu$ be the Galois group
of the field $F_{p^\nu}$. The field $F_{p^\mu}$ is a subfield of $F_{p^\nu}$ if and only if $G_\mu$ is a subgroup
of $G_\nu$. Taking into account the cyclicity of the groups $G_\mu$ and $G_\nu$ we get the
following result:
Corollary 1.10. The field $F_{p^\mu}$ is a subfield of the field $F_{p^\nu}$ if and only if $\mu$ divides
$\nu$.
If $\sigma$ is the Frobenius automorphism of the field $F_q$ with $q = p^\nu$ elements, we
define the norm of an element $x \in F_q$ as

$$\operatorname{norm}_\nu(x) = \prod_{i=0}^{\nu-1} \sigma^i(x) = \prod_{i=0}^{\nu-1} x^{p^i}.$$

In a similar way we define the trace of $x$ as

$$\operatorname{tr}_\nu(x) = \sum_{i=0}^{\nu-1} \sigma^i(x) = \sum_{i=0}^{\nu-1} x^{p^i}.$$

The norm and trace are homomorphisms of multiplicative and additive groups of
the field $F_q$ to multiplicative and additive groups of the field $F_p$, respectively.
The following result is a special case of the Hilbert theorem 90:
Theorem 1.11. Let $F_q$ be a finite field with $q = p^\nu$ elements. Then
(i) the norm of $x \in F_q$ is equal to 1 if and only if there exists a non-zero element
$y \in F_q$ such that $x = y/y^p$;
(ii) the trace of $x \in F_q$ is equal to 0 if and only if there exists an element $z \in F_q$
such that $x = z - z^p$.

Proof:
(i) Let $\theta$ be a generator of $F_q$ over $F_p$, so that $F_q = F_p(\theta)$. For every
$i = 0, 1, \dots, \nu - 1$ and every non-zero $x \in F_q$ consider the Lagrange-Hilbert
resolvent

$$R(x, \theta^i) = \theta^i + x\,\theta^{ip} + \dots + x^{1+p+\dots+p^{\nu-2}}\, \theta^{ip^{\nu-1}}.$$

Since the Vandermonde determinant

$$\det\left(\theta^{ip^k}\right)_{0 \le i,k \le \nu-1}$$

is not zero, at least one of the elements $R(x, \theta^i)$, $0 \le i \le \nu - 1$, differs from
zero. Suppose it is the element

$$y = \alpha + x\,\alpha^p + \dots + x^{1+p+\dots+p^{\nu-2}}\, \alpha^{p^{\nu-1}}$$

with $\alpha = \theta^i$. If we assume that $\operatorname{norm}_\nu(x) = 1$, then we obtain

$$x y^p = x\,\alpha^p + x^{1+p} \alpha^{p^2} + \dots + x^{1+p+\dots+p^{\nu-2}}\, \alpha^{p^{\nu-1}} + \alpha = y$$

and hence $x = y/y^p$. Conversely, if $x = y/y^p$, then clearly $\operatorname{norm}_\nu(x) = 1$.

(ii) Since

$$\det\left(\theta^{ip^k}\right) \ne 0,$$

at least one of elements $\operatorname{tr}_\nu(1), \operatorname{tr}_\nu(\theta), \dots, \operatorname{tr}_\nu(\theta^{\nu-1})$ differs from zero. Let
$\operatorname{tr}_\nu(\beta) \ne 0$ for $\beta = \theta^i$, and set

$$z = \left(\operatorname{tr}_\nu(\beta)\right)^{-1} \left(x\beta^p + (x + x^p)\beta^{p^2} + \dots + (x + x^p + \dots + x^{p^{\nu-2}})\beta^{p^{\nu-1}}\right).$$

If we assume that $\operatorname{tr}_\nu(x) = 0$, then we get $x = z - z^p$. Conversely, if
$x = z - z^p$, then obviously $\operatorname{tr}_\nu(x) = 0$. ■
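
The statements of Theorems 1.5, 1.8 and 1.11 and the factorization of $f(u)$ by Frobenius conjugates can be verified exhaustively in a small field. The following Python sketch is an added example, not part of the book; it realizes $F_q = F_p[u]/(f(u))$ with elements stored as coefficient tuples, and the class name, method names and the sample polynomial $f(u) = u^3 + 2u + 1$ over $F_3$ are assumptions made for the illustration.

```python
from itertools import product
from math import gcd


class Fq:
    """F_q = F_p[u]/(f(u)). The element x_0 + x_1*theta + ... is stored as the
    tuple (x_0, ..., x_{nu-1}); f is given with the lowest degree first."""

    def __init__(self, p, f):
        self.p, self.f, self.nu = p, f, len(f) - 1
        self.q = p ** self.nu
        self.zero = (0,) * self.nu
        self.one = (1,) + (0,) * (self.nu - 1)
        self.theta = (0, 1) + (0,) * (self.nu - 2)   # class of u (needs nu >= 2)
        self.elements = list(product(range(p), repeat=self.nu))

    def add(self, x, y):
        return tuple((a + b) % self.p for a, b in zip(x, y))

    def sub(self, x, y):
        return tuple((a - b) % self.p for a, b in zip(x, y))

    def mul(self, x, y):
        prod = [0] * (2 * self.nu - 1)
        for i, a in enumerate(x):
            for j, b in enumerate(y):
                prod[i + j] = (prod[i + j] + a * b) % self.p
        # f(theta) = 0 gives theta^nu = -(f_0 + f_1*theta + ... + f_{nu-1}*theta^(nu-1))
        for k in range(2 * self.nu - 2, self.nu - 1, -1):
            c, prod[k] = prod[k], 0
            for i in range(self.nu):
                prod[k - self.nu + i] = (prod[k - self.nu + i] - c * self.f[i]) % self.p
        return tuple(prod[:self.nu])

    def power(self, x, e):
        result = self.one
        while e:
            if e & 1:
                result = self.mul(result, x)
            x, e = self.mul(x, x), e >> 1
        return result

    def order(self, x):                       # x must be non-zero
        n, y = 1, x
        while y != self.one:
            n, y = n + 1, self.mul(y, x)
        return n

    def frobenius(self, x, i=1):              # sigma^i(x) = x^(p^i)
        return self.power(x, self.p ** i)

    def trace(self, x):
        t = self.zero
        for i in range(self.nu):
            t = self.add(t, self.frobenius(x, i))
        return t

    def norm(self, x):
        n = self.one
        for i in range(self.nu):
            n = self.mul(n, self.frobenius(x, i))
        return n

    def eval_f(self, x):                      # f(x) by Horner's rule
        acc = self.zero
        for c in reversed(self.f):
            acc = self.add(self.mul(acc, x), (c,) + (0,) * (self.nu - 1))
        return acc


def report(K):
    """Exhaustive checks of the statements of this section in the field K."""
    nonzero = [x for x in K.elements if x != K.zero]
    conj = [K.frobenius(K.theta, i) for i in range(K.nu)]
    inv = lambda y: K.power(y, K.q - 2)       # y^(q-1) = 1, so y^(q-2) = 1/y
    return {
        "x^q = x for all x": all(K.power(x, K.q) == x for x in K.elements),
        "primitive elements": sum(K.order(x) == K.q - 1 for x in nonzero),
        "phi(q-1)": sum(gcd(m, K.q - 1) == 1 for m in range(1, K.q)),
        "conjugates are distinct roots of f":
            len(set(conj)) == K.nu and all(K.eval_f(c) == K.zero for c in conj),
        "trace and norm land in F_p":
            all(not any(K.trace(x)[1:]) and not any(K.norm(x)[1:]) for x in K.elements),
        "norm 1 <=> x = y/y^p":
            {x for x in nonzero if K.norm(x) == K.one}
            == {K.mul(y, inv(K.frobenius(y))) for y in nonzero},
        "trace 0 <=> x = z - z^p":
            {x for x in K.elements if K.trace(x) == K.zero}
            == {K.sub(z, K.frobenius(z)) for z in K.elements},
    }


# Constructed sample: f(u) = u^3 + 2u + 1 has no root in F_3, hence is irreducible; q = 27.
F27 = Fq(3, (1, 2, 0, 1))

if __name__ == "__main__":
    for name, value in report(F27).items():
        print(name, "->", value)
```
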
We also have the following useful result:

Theorem 1.12. Let $F_q$ be a finite field with $q = p^\nu$ elements, $F_{q^n}$ an extension of
$F_q$, and $f(u)$ a non-zero polynomial in $F_q[u]$:

(i) If $\alpha \in F_{q^n}$ is a root of the polynomial $f(u)$, then so is $\alpha^q$;

(ii) Let $g(u)$ be a monic polynomial in $F_{q^n}[u]$, and assume that $g(\beta^q) = 0$ for
every root $\beta$ of $g(u)$. Then $g(u) \in F_q[u]$.

Proof:

(i) If $f(u) = \sum a_i u^i$, it follows from Proposition 1.2 and Theorem 1.5 that

$$(f(u))^q = \sum a_i^q u^{iq} = \sum a_i (u^q)^i.$$

Hence $f(\alpha) = 0$ implies $f(\alpha^q) = 0$.
(ii) In a suitable extension the polynomial $g(u) = \sum_{k=1}^{s} b_k u^k$ splits into linear
factors, say $g(u) = (u - \beta_1) \cdots (u - \beta_s)$. Since $g(\beta_i^q) = 0$ for any
$i = 1, 2, \dots, s$, we have

$$g(u) = (u - \beta_1^q) \cdots (u - \beta_s^q) = \sum_{k=1}^{s} b_k^q u^k.$$

Hence $b_k^q = b_k$ for $1 \le k \le s$, and $b_k \in F_q$, by Theorem 1.5.


Algebraic Closure
Let us consider the sequence of finite fields

and set

$$\overline{F}_p = \bigcup_{n=1}^{\infty} F_{p^{n!}}.$$

The set $\overline{F}_p$ is a field. Indeed, for any $x, y \in \overline{F}_p$ there exists an integer $n$ such that
$x, y \in F_{p^{n!}}$, hence we can determine the sum $x + y$ and the product $xy$ of elements
$x$ and $y$. Next, every polynomial $g \in \overline{F}_p[u]$ has coefficients in some field $F_{p^m}$, and
if $f$ is its irreducible factor in $F_{p^m}[u]$, say of degree $\nu$, then all roots of $f$ lie in the
field $F_{p^{m\nu}}$ which is a subfield of $F_{p^{n!}}$ for a sufficiently large $n$. Therefore, the roots
of the polynomial $f$ lie in $\overline{F}_p$, and hence $\overline{F}_p$ is an algebraically closed field. The
field $\overline{F}_p$ is called an algebraic closure of the prime finite field $F_p$.
Now we sum up our discussion of finite fields as follows:

Theorem 1.13. For each prime $p$ and each integer $\nu \ge 1$ there exists a finite field
$F_q$ with $q = p^\nu$ elements, uniquely determined as a subfield of an algebraic closure
$\overline{F}_p$. The field $F_q$ is the splitting field of the polynomial

and its elements are the roots of $u^q - u$. Every finite field is isomorphic to exactly
one field $F_q$. The group of automorphisms of the field $F_q$ with $q = p^\nu$ elements is
cyclic of order $\nu$, and the multiplicative group $F_q^*$ of the field $F_q$ is a cyclic group
of order $q - 1$.

1.3. LINEAR CODES

Both for the construction of good codes and for the design of algorithms realizing
coding and decoding procedures, the notion of a code over an arbitrary alphabet
is very poor in algebraic and arithmetical structure. It is possible to enrich this
structure by introducing the notion of a linear code.
Now let $F = F_q$ be a finite field of characteristic $p$ with $q = p^v$ elements. In this case $F_q^n$ forms a linear metric space over $F_q$ called a Hamming space. A $q$-ary linear code $C$ of length $n$ is a linear subspace of the linear metric space $F_q^n$. The integer
$$\|x\| = \#\{i \mid 1 \le i \le n,\ x_i \ne 0\}$$
is called the weight of the element $x = (x_1, \ldots, x_n) \in F_q^n$. For a linear $[n,k,d]_q$-code $C$ we have $k = \dim C$ and
$$d = \min\{\|x\| \mid x \in C,\ x \ne 0\}.$$

Any choice of basis in C yields an embedding

$$\gamma: F_q^k \hookrightarrow F_q^n.$$
The matrix $G$ of this map is called a generator matrix of the code $C$. The map $\gamma$ is included into a short exact sequence

(i.e., $\gamma$ is an embedding, $\eta$ is a surjection, and $\operatorname{Ker} \eta = \operatorname{Im} \gamma$). The matrix $G$ has as its rows $k$ basis vectors of $C$, hence

so that encoding is multiplication by G.


The matrix $H$ of the map $\eta$ is called a parity-check matrix of the code $C$. The code $C$ is given by
$$C = \{x \in F_q^n \mid H \cdot x^T = 0\}$$
where $T$ denotes the transposition. According to our definition $H$ has $n$ columns and $(n - k)$ linearly independent rows. Sometimes, by abuse of language, any matrix $H'$ such that $H' \cdot x^T = 0$ only for $x \in C$ is also called a parity-check matrix. Each such $H'$ has $r \ge n - k$ rows, only $(n - k)$ of which are independent. It is clear that $H \cdot G^T = 0$.
Let $A$ be defined as a subgroup in the group of linear automorphisms of $F_q^n$ generated by transpositions of coordinates and by multiplications of the $i$th coordinate by elements of $F_q^* = F_q \setminus \{0\}$. The group $A$ acts on subsets of $F_q^n$ and two codes $C$ and $C'$ are called equivalent if and only if $C' = a \cdot C$ for some $a \in A$. The subgroup $\operatorname{Aut} C \subseteq A$, consisting of elements preserving $C$, is called the automorphism group of the code $C$. It is natural to consider codes up to equivalence, so that in many cases speaking of a code we mean rather its equivalence class.
The choice of generator matrix $G$ corresponds to choice of basis $(e_1, \ldots, e_k)$ in the $k$-dimensional linear space $F_q^k$. The group
$$GL_k(F_q) = \{A \text{ is a } k \times k \text{ matrix over } F_q \mid \det A \ne 0\}$$
acts on the set of such bases, and two matrices $G$ and $G'$ define the same code $C$ if and only if $G' = A \cdot G$ for some $A \in GL_k(F_q)$.
At last we mention a decoding method that is sometimes used in practice. For high rate codes it is fairly effective. The method is known as syndrome decoding.
For any $x \in F_q^n$ the syndrome is defined as $H \cdot x^T$. For a code-word the syndrome is $0$. A received vector $x'$ with errors in it can be written as $x' = x + e$, where $x$ is the transmitted word and $e$ is known as the error-vector. If we pick a certain error-vector $e$ and add it to all the code-words, the result is a coset of $C$ in $F_q^n$ and all words in this coset have the same syndrome, namely $H \cdot e^T$. This means that any vector in a coset is a candidate for the error-vector of a word in the same coset. By maximum likelihood decoding we should choose this vector so that it has minimum weight. Decoding now goes as follows. For each coset of $C$ we pick a member of minimal weight (often this member is unique). This is called the coset leader. We make a list of these coset leaders and their syndromes. When $x'$ is received, the syndrome is calculated, the leader is found by the table examination and $x'$ is decoded by subtracting the leader from $x'$.
From now on we shall focus primarily on linear codes.
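The table-lookup procedure described above can be run end to end; the following is an added example, not code from the book. It works over a prime field $F_p$ only, and the function names, the parity-check matrix of the binary $[7,4,3]$ Hamming code and the sample words are constructed for this illustration.

```python
from itertools import product


def weight(x):
    """Hamming weight ||x||: the number of non-zero coordinates."""
    return sum(1 for xi in x if xi != 0)


def syndrome(H, x, p):
    """Syndrome H . x^T over the prime field F_p, returned as a tuple."""
    return tuple(sum(h * xi for h, xi in zip(row, x)) % p for row in H)


def coset_leader_table(H, p):
    """Map every syndrome to a minimum-weight member of its coset.

    All of F_p^n is visited in order of increasing weight, so the first
    vector stored for a syndrome is a coset leader. The table has
    p^(n-k) entries; building it costs p^n syndrome computations, which
    is why the method only suits codes with small n - k (high rate).
    """
    n = len(H[0])
    table = {}
    for e in sorted(product(range(p), repeat=n), key=weight):
        table.setdefault(syndrome(H, e, p), e)
    return table


def decode(H, table, received, p):
    """Subtract the coset leader that shares the syndrome of `received`."""
    leader = table[syndrome(H, received, p)]
    return tuple((r - l) % p for r, l in zip(received, leader))


def add_error(word, error, p):
    """Return word + error over F_p (models the channel)."""
    return tuple((w + e) % p for w, e in zip(word, error))


# Constructed sample data: column j of H is the binary expansion of j,
# which gives the [7,4,3] binary Hamming code.
H_HAMMING = [
    [0, 0, 0, 1, 1, 1, 1],
    [0, 1, 1, 0, 0, 1, 1],
    [1, 0, 1, 0, 1, 0, 1],
]
CODEWORD = (1, 1, 1, 0, 0, 0, 0)          # columns 1, 2, 3 of H sum to zero
ONE_ERROR = (0, 0, 0, 0, 1, 0, 0)
TWO_ERRORS = (1, 1, 0, 0, 0, 0, 0)

# Constructed ternary sample: a parity-check matrix of a [4,2,3] code over F_3.
H_TERNARY = [
    [1, 1, 1, 0],
    [0, 1, 2, 1],
]

if __name__ == "__main__":
    table = coset_leader_table(H_HAMMING, 2)
    for err in (ONE_ERROR, TWO_ERRORS):
        received = add_error(CODEWORD, err, 2)
        print(received, "->", decode(H_HAMMING, table, received, 2))
```

With $d = 3$ a single error is removed, while the two-error word is decoded to a code-word different from the transmitted one: the decoder always outputs the code-word nearest to what was received.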

1.4. SPECTRUM AND DUALITY

An important invariant of a code is its weight enumerator or spectrum. We are going to study spectra of linear codes.
Let $C$ be a linear $[n,k,d]_q$-code. Define $A_i = A_i(C)$ as the number of code vectors of weight $i$ in $C$. Of course, $A_i \ge 0$ for $0 \le i \le n$, $A_i = 0$ for $0 < i < d$, and

The weight enumerator is a homogeneous polynomial
$$W_C(u : v) = \sum_{i=0}^{n} A_i u^{n-i} v^i = \sum_{x \in C} u^{n - \|x\|} v^{\|x\|}.$$

Sometimes non-homogeneous coordinates are more convenient, then we consider polynomials
$$W_C(u) = \sum_{i=0}^{n} A_i u^{n-i} \quad \text{and} \quad W_C(v) = \sum_{i=0}^{n} A_i v^i.$$

We have $A_0 = 1$, $A_1 = \cdots = A_{d-1} = 0$, $A_d \ge 1$ and hence
$$W_C(u : v) = u^n + v^d \sum_{i=0}^{n-d} A_{d+i} u^{n-d-i} v^i.$$

Since in many cases we do not know the precise value of $d$ but have only some lower bound for it, the following form is rather convenient. Let $s$ be some integer such that $s \ge n - d$. Then
$$W_C(u) = u^n + \sum_{i=0}^{s} A_{n-i} u^i.$$
For a linear $[n,k,d]_q$-code $C$ the dual code $C^\perp$ is defined as
$$C^\perp = \{x \in F_q^n \mid x \cdot y = 0 \text{ for each } y \in C\},$$
where $x \cdot y = \sum_{i=1}^{n} x_i y_i$ is the inner product of vectors $x = (x_1, \ldots, x_n)$ and $y = (y_1, \ldots, y_n)$. Clearly $C^\perp$ is an $[n, n-k, d^\perp]_q$-code. A generator matrix of the code $C$ is a parity-check matrix of the dual code $C^\perp$ and vice versa. The dual distance $d^\perp$ depends on the equivalence class of the code $C$ (and not only its parameters $n$, $k$, and $d$). The distance $d^\perp$ can be calculated if we know the enumerator $W_C(u : v)$. Moreover, there is the following relation between the spectrum of a code and that of the dual one:
$$W_{C^\perp}(u : v) = q^{-k} W_C(u + (q-1)v : u - v).$$
To prove this identity, we recall first of all that an additive character of a field $F_q$, $q = p^v$, is defined as a homomorphism $\psi$ from the additive group of $F_q$ to the multiplicative group $U_p$ of $p$-roots of 1. If $\operatorname{tr}(x) = x + x^p + \cdots + x^{p^{v-1}}$ denotes the trace of an element $x \in F_q$ in its prime subfield $F_p$, then each additive character $\psi$ of $F_q$ has the form
$$\psi(x) = \psi_a(x) = \exp(2\pi i \operatorname{tr}(ax)/p)$$
for some $a \in F_q$ (see below, Section 5.3). It is easy to see that
$$\psi(x + y) = \psi(x)\psi(y), \qquad \sum_{x \in F_q} \psi_a(x) = \begin{cases} 0 & \text{for } a \ne 0 \\ q & \text{for } a = 0 \end{cases} \tag{1.1}$$
and that the group of additive characters of $F_q$ is isomorphic to $F_q$. The character $\psi_0(x) \equiv 1$ is called trivial one.
For $x, y \in F_q^n$ and for a non-trivial additive character $\psi$ of $F_q$ define an additive character
$$\psi_x(y) = \psi_y(x) = \psi(x \cdot y).$$

Let $A$ be an arbitrary $\mathbb{Z}[U_p]$-module. For a function $f: F_q^n \to A$ the Hadamard transform $\hat{f}(x)$ is defined as
$$\hat{f}(x) = \sum_{y \in F_q^n} \psi_x(y) f(y).$$

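Lemma 1.14. For any linear subspace $C \subseteq F_q^n$ we have
$$\sum_{y \in C^\perp} f(y) = \frac{1}{|C|} \sum_{x \in C} \hat{f}(x).$$

Proof: We have
$$\sum_{x \in C} \hat{f}(x) = \sum_{x \in C} \sum_{y \in F_q^n} \psi_x(y) f(y) = \sum_{y \in C^\perp} f(y) \sum_{x \in C} \psi_y(x) + \sum_{y \notin C^\perp} f(y) \sum_{x \in C} \psi_y(x).$$

If $y \in C^\perp$ then $x \cdot y = 0$ for all $x \in C$ and hence
$$\sum_{x \in C} \psi_y(x) = \sum_{x \in C} \psi(0) = |C|.$$
If $y \notin C^\perp$ we can find such $x' \in C$ that $\psi_y(x') \ne 1$. Then
$$\psi_y(x') \sum_{x \in C} \psi_y(x) = \sum_{x \in C} \psi_y(x' + x) = \sum_{x \in C} \psi_y(x)$$
and therefore
$$\sum_{x \in C} \psi_y(x) = 0.$$
This completes the proof.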

Corollary 1.15. For each linear subspace $C \subseteq F_q^n$

Theorem 1.16 (the MacWilliams identity).
$$W_{C^\perp}(u : v) = q^{-k} W_C(u + (q-1)v : u - v).$$

Proof: Let $\mathbb{C}$ be the field of complex numbers and

The left hand side of the identity of Lemma 1.14 equals $W_{C^\perp}(u : v)$. Let us calculate $\hat{f}(x)$. If $x = (x_1, \ldots, x_n)$, $y = (y_1, \ldots, y_n)$ then taking into account the equality $y_i^{q-1} = 1$ for $y_i \ne 0$ and relation (1.1) we get
$$\hat{f}(x) = \sum_{y \in F_q^n} \psi_x(y) u^{n - \|y\|} v^{\|y\|} = \sum_{y \in F_q^n} \psi(x_1 y_1 + \cdots + x_n y_n) u^{n - \|y\|} v^{\|y\|}$$
$$= \prod_{i=1}^{n} (u - v)^{x_i^{q-1}} (u + (q-1)v)^{1 - x_i^{q-1}} = (u + (q-1)v)^{n - \|x\|} (u - v)^{\|x\|}.$$

This proves the theorem.
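A numerical check of Theorem 1.16, added here as an example and not taken from the book: the spectrum of the dual code is computed once by brute force and once from the spectrum of $C$ through the $q$-ary Krawtchouk coefficients that the identity produces. It assumes a prime field $F_p$; both generator matrices and all function names are constructed for the illustration.

```python
from itertools import product
from math import comb


def span(G, p):
    """All code-words generated by the rows of G over the prime field F_p."""
    k, n = len(G), len(G[0])
    return {
        tuple(sum(m[r] * G[r][c] for r in range(k)) % p for c in range(n))
        for m in product(range(p), repeat=k)
    }


def dual(G, p):
    """C-perp by brute force: all x in F_p^n orthogonal to every row of G."""
    n = len(G[0])
    return {
        x for x in product(range(p), repeat=n)
        if all(sum(a * b for a, b in zip(x, row)) % p == 0 for row in G)
    }


def weight_distribution(code, n):
    """A[i] = number of code vectors of weight i."""
    A = [0] * (n + 1)
    for x in code:
        A[sum(1 for xi in x if xi)] += 1
    return A


def krawtchouk(i, z, n, q):
    """P_i(z) = sum_j (-1)^j (q-1)^(i-j) C(z, j) C(n-z, i-j)."""
    return sum(
        (-1) ** j * (q - 1) ** (i - j) * comb(z, j) * comb(n - z, i - j)
        for j in range(i + 1)
    )


def macwilliams_transform(A, q):
    """Spectrum of the dual code: A_perp[i] = q^(-k) sum_j A[j] P_i(j)."""
    n = len(A) - 1
    size = sum(A)                      # |C| = q^k
    dual_spectrum = []
    for i in range(n + 1):
        total = sum(A[j] * krawtchouk(i, j, n, q) for j in range(n + 1))
        if total % size:
            raise ValueError("input is not the spectrum of a linear code")
        dual_spectrum.append(total // size)
    return dual_spectrum


def enumerator(A, u, v):
    """Homogeneous weight enumerator W(u : v) evaluated at integers."""
    n = len(A) - 1
    return sum(a * u ** (n - i) * v ** i for i, a in enumerate(A))


# Constructed sample data.
G_HAMMING = [                          # binary [7,4,3] Hamming code
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]
G_TERNARY = [                          # a ternary code of length 5, k = 2
    [1, 0, 1, 2, 0],
    [0, 1, 1, 1, 1],
]

if __name__ == "__main__":
    for G, p in ((G_HAMMING, 2), (G_TERNARY, 3)):
        n = len(G[0])
        A = weight_distribution(span(G, p), n)
        print("A       =", A)
        print("A_perp  =", macwilliams_transform(A, p))
        print("checked =", weight_distribution(dual(G, p), n))
```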


Let $g$ be a non-negative integer. A linear $[n,k,d]_q$-code $C$ is called a code of genus at most $g$ if and only if the following inequalities hold:
$$k + d \ge n + 1 - g,$$
$$(n - k) + d^\perp \ge n + 1 - g.$$

It is clear that in this case the dual code $C^\perp$ is also a code of genus at most $g$.
It is not difficult to prove (see Exercise 1.1) that the parameters of each linear $[n,k,d]_q$-code satisfy the relation
$$k + d \le n + 1.$$

Codes with $k + d = n + 1$ are called maximum distance separable, or MDS-codes for short. The name comes from the fact that such a code has maximum possible distance between code-words, and that the code-words may be separated into information symbols and check symbols (i.e., symbols that are responsible for transmission of a message and that are added to ensure the error-correction).
Let us represent the enumerator
$$W_C(u) = u^n + \sum_{i=0}^{s} A_{n-i} u^i$$
in the form
$$W_C(u) = u^n + \sum_{i=0}^{s} B_i (u - 1)^i,$$
where
$$A_i = \sum_{j=n-i}^{s} (-1)^{n+i+j} \binom{j}{n-i} B_j.$$

The following theorem gives us some information on the value of the coefficients $B_i$ [90]:

Theorem 1.17. Let $C$ be a linear $[n,k,d]_q$-code of genus at most $g$ and let $s = k + g - 1$. Then for $s - 2g + 2 \le i \le s$ the coefficients $B_i$ satisfy inequalities
$$\max\left\{0, \binom{n}{i}\left(q^{s-i-g+1} - 1\right)\right\} \le B_i \le \binom{n}{i}\left(q^{s-i+1} - 1\right),$$
and for $i \le s - 2g + 1$

Proof: Theorem 1.16 gives
$$W_{C^\perp}(u : v) = q^{-k} W_C(u + (q-1)v : u - v)$$
$$= q^{-k}\left((u + (q-1)v)^n + \sum_{i=0}^{s} B_i (qv)^i (u - v)^{n-i}\right).$$

Passing to non-homogeneous coordinates and setting $s^\perp = n - k + g - 1$ and
$$W_{C^\perp}(u) = u^n + \sum_{i=0}^{s^\perp} B_i^\perp (u - 1)^i$$
we obtain

Expanding in powers $z = u - 1$ we get

Hence for $n - s \le i \le n$ we have

whence

for $0 \le i \le s - 2g + 1$,

for $s - 2g + 2 \le i \le s$

This proves the lower bound and the equality.

The proof of the upper bound we offer as an exercise (see Exercise 1.6, providing us with a strengthening of Theorem 1.17 for an arbitrary linear code $C$). •
A linear code $C$ is called self-dual if and only if $C = C^\perp$. A code is called quasi-self-dual if and only if there exists a vector $x = (x_1, \ldots, x_n) \in F_q^n$ with non-zero components $x_i$, $1 \le i \le n$, such that $x \times C = C^\perp$. Here
$$x \times C = \{x \times y = (x_1 y_1, \ldots, x_n y_n) \mid y = (y_1, \ldots, y_n) \in C\}.$$

A code $C$ is called formally self-dual if $W_C = W_{C^\perp}$. Of course, each self-dual code is quasi-self-dual, and each quasi-self-dual code is formally self-dual. Note also that if an $[n,k,d]_q$-code $C$ is at least formally self-dual then $n = 2k$.
The proofs of the following theorems for formally self-dual codes are based
on use of classical invariant theory. We are restricted only to statements (see [118,
Ch. 19]):

Theorem 1.18. For every formally self-dual code $C$ there exists a homogeneous polynomial $P(u : v)$ such that
$$W_C(u : v) = P(u^2 + (q-1)v^2 : v(u - v)).$$

Theorem 1.19. The enumerator of a binary self-dual code is a polynomial in $u^2 + v^2$ and $u^2 v^2 (u^2 - v^2)^2$. The enumerator of a 3-ary self-dual code is a polynomial in $u^4 + 8uv^3$ and $u^3 (u^3 - v^3)^3$. The enumerator of a 4-ary formally self-dual code such that all its weights are even is a polynomial in $u^2 + 3v^2$ and $u^2 (u^2 - v^2)^2$. The enumerator of a binary formally self-dual code such that all its weights are divisible by 4 is a polynomial in $u^8 + 14u^4 v^4 + v^8$ and $u^4 v^4 (u^4 - v^4)^4$.

Theorem 1.20. Suppose that all the weights of a formally self-dual $q$-ary code $C$ are divisible by an integer $t > 1$. Then either $C$ is a trivial $[n, n/2, 2]_q$-code and
$$W_C(u : v) = ((q-1)u^2 + v^2)^{n/2},$$
or $(q,t) = (2,2), (2,4), (3,3), (4,2)$.

EXERCISES

1.1. Use induction on $n$ and $v$ to prove that in a field of prime characteristic $p$ one holds:
$$\left(\sum_{i=1}^{n} a_i\right)^{p^v} = \sum_{i=1}^{n} a_i^{p^v}.$$

1.2. Let $F_q$ be a finite field with $q$ elements and $f \in F_q[u]$ an irreducible polynomial of degree $m \ge 1$. Prove that $f(u)$ divides

if and only if $m$ divides $n$.

1.3. Let $F_q$ be a prime finite field with $q$ elements. In the ring $F_q[u]$, prove that
$$u^{q^n} - u = \prod_{m \mid n} \prod f_m(u),$$
where the inner product is taken over all irreducible monic polynomials of degree $m$. If $I(m)$ is the number of irreducible monic polynomials in $F_q[u]$ of degree $m \ge 1$, deduce that
$$I(m) = \frac{1}{m} \sum_{d \mid m} \mu(d) q^{m/d}.$$
1.4. Let $p$ be a prime number and $f \in F_p[u]$ an irreducible polynomial of degree $m \ge 1$. In the ring $F_q[u]$, where $q = p^v$, prove that $f(u)$ splits into $d = (m, v)$ irreducible factors each of which has degree $m/d$.
1.5. Let $H$ be a parity-check matrix of a linear $[n,k,d]_q$-code $C$. Show that any $(d - 1)$ columns of $H$ are linearly independent (as vectors in $F_q^{n-k}$) and there exists $d$ linearly dependent columns. Deduce from this fact the validity of the inequality $d \le n - k + 1$.
1.6. Let $V$, $W$ be linear spaces over a finite field $F_q$. An $[n,k,d]_q$-system is an ordered finite family $\mathcal{P} = \{P_1, \ldots, P_n\}$ of points $P_i \in V$ such that $\mathcal{P}$ does not lie in a hyperplane. The parameters of the system $\mathcal{P}$ are defined as

where maximum being taken over all hyperplanes $H \subset V$. Two $[n,k,d]_q$-systems $\mathcal{P}$ and $\mathcal{P}'$ in $V$ and $V'$ respectively are called equivalent if and only if there is an isomorphism $V \cong V'$ mapping $\mathcal{P}$ isomorphically onto $\mathcal{P}'$. A dual $[n,k,d]$-system is a finite ordered family $\mathcal{P}^\perp$ of points of a linear space $W$ which does not lie in a hyperplane. The parameters are defined in the following way: $n = |\mathcal{P}^\perp|$, $k = n - \dim W$, $d$ is the minimum number of linearly dependent vectors in $\mathcal{P}^\perp$. Prove the validity of the following assertions:

(a) There is a one-to-one correspondence between the set of equivalence classes of $[n,k,d]_q$-systems and the set of linear $[n,k,d]_q$-codes. (Hint: Consider the space $V^*$ of linear forms $L$ on $V$ and the injective map $\phi: V^* \to F_q^n$ defined by $\phi(L) = (\phi_1(L), \ldots, \phi_n(L))$, $\phi_i(L) = L(P_i)$. Then put $C = \operatorname{Im} \phi$.)
(b) There is a one-to-one correspondence between the set of equivalence classes of dual $[n,k,d]_q$-systems and the set of linear $[n,k,d]_q$-codes.

(c) If $C$ is a linear $[n, k, \ge d]_q$-code and the minimum distance of the dual code $C^\perp$ is at least $d^\perp$, then
$$W_C(u) = u^n + \sum_{i=0}^{n-d} B_i (u - 1)^i,$$
where for $0 \le i \le d^\perp - 1$

and for $d^\perp \le i \le n - d$
$$\max\left\{0, \binom{n}{i}\left(q^{k-i} - 1\right)\right\} \le B_i \le \binom{n}{i}\left(q^{\min\{n-d-i+1,\ k-d^\perp+1\}} - 1\right).$$

(Hint: Check the following interpretation of $B_i$ in terms of $[n,k,d]_q$-systems. Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be an $[n,k,d]_q$-system of points $P_i \in V$. By $H_i$ denote the hyperplane in $V'$ corresponding to $P_i$, and for $\mathcal{R} \subseteq \mathcal{P}$ put
$$l(\mathcal{R}) = \dim\Bigl(\bigcap_{P_i \in \mathcal{R}} H_i\Bigr).$$

Then let
$$B_i = \sum_{\mathcal{R} \subset \mathcal{P},\ |\mathcal{R}| = i} \left(q^{l(\mathcal{R})} - 1\right)$$
and make use of this interpretation.)
1.7. Let $\mathbb{P} = \mathbb{P}(V)$ be a projective space (i.e., the space of lines in a linear space $V$) over $F_q$. A projective $[n,k,d]_q$-system is a finite unordered family $\mathcal{P}$ of points of $\mathbb{P}$ which does not lie in a projective hyperplane. The parameters $n$, $k$, $d$ are defined as

Just as for $[n,k,d]_q$-systems, $\mathcal{P} \subseteq \mathbb{P}$ and $\mathcal{P}' \subseteq \mathbb{P}'$ are called equivalent if and only if there is a projective isomorphism $\mathbb{P} \cong \mathbb{P}'$ mapping $\mathcal{P}$ onto $\mathcal{P}'$. A linear code $C \subseteq F_q^n$ is called degenerate if and only if $C \subseteq F_q^{n-1} \subset F_q^n$, where $F_q^{n-1}$ is the subspace of vectors having 0 in some fixed coordinate. Prove that for $k > 1$, $d \ge 1$ there is a one-to-one correspondence between the set of equivalence classes of non-degenerate linear $[n,k,d]_q$-codes and the set of equivalence classes of projective $[n,k,d]_q$-systems.
1.8. Show that if parameters of an $[n,k,d]_q$-code $C$ satisfy the inequality $k + d \ge n + 1$ then $k + d = n + 1$ and $(n - k) + d^\perp = n + 1$, i.e., $C$ is an MDS-code (or the code of genus 0).
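1.9. Let $C$ be a binary linear $[n,k,d]$-code with dual $[n, n-k, d^\perp]$-code $C^\perp$ and let
$$P_i(z) = \sum_{j=0}^{i} (-1)^j \binom{z}{j} \binom{n-z}{i-j}, \quad i = 0, 1, 2, \ldots,$$
be Krawtchouk polynomials with generating function
$$(u + v)^{n-z} (u - v)^z = \sum_{i=0}^{\infty} P_i(z) u^{n-i} v^i.$$

Using the MacWilliams identity
$$\sum_{i=0}^{n} A_i^\perp u^{n-i} v^i = \frac{1}{2^k} \sum_{i=0}^{n} A_i (u + v)^{n-i} (u - v)^i$$
show that

(a) $A_i^\perp = \frac{1}{2^k} \sum_{j=0}^{n} A_j P_i(j)$, $0 \le i \le n$;

(b) $\sum_{i=v}^{n} \binom{i}{v} A_i = 2^{k-v} \sum_{i=0}^{v} (-1)^i \binom{n-i}{v-i} A_i^\perp$, $0 \le v \le n$;

(c) $\sum_{i=v}^{n} \binom{i}{v} A_i = 2^{k-v} \binom{n}{v}$, $0 \le v < d^\perp$;

(d) $\sum_{i=0}^{n} i^v A_i = \sum_{j=0}^{n} (-1)^j A_j^\perp \left(\sum_{l=0}^{v} l!\, S(v,l)\, 2^{k-l} \binom{n-j}{n-l}\right)$, $v \ge 0$, where

is a Stirling number of the second kind.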


1.10. Let $q = 2$ or $q = 3$. Show that the weights of all code-vectors of a self-dual $[n,k,d]_q$-code $C$ are divisible by $q$.
1.11. Check that if $C$ is quasi-self-dual with respect to some $x \in (F_q^*)^n$ and for every $i$, $1 \le i \le n$, there exists $y_i \in F_q^*$ such that $x_i = y_i^2$, then there exists some $y \in (F_q^*)^n$ such that $y \times C$ is self-dual. Show that every element of a finite field of characteristic 2 is a square, and hence if $q = 2^m$ then for each $q$-ary quasi-self-dual code $C$ there exists a self-dual code equivalent to $C$.
Chapter 2

Bounds on Codes

We have already explained that a good code should have large $d/n$ and $k/n$ in the unit interval $[0,1]$ for a given $n$. From Shannon's theorem we know also that we should study long codes. However, if the channel has symbol-error probability $p$, then we should expect an average of $pn$ errors per received word of length $n$. To correct these we need to have a minimum distance more than $2pn$. So, if we increase $n$, then $d$ should increase proportionally.
For the set of all $[n,k,d]_q$-codes over the field $F_q$ we define the set $V_q$ by
$$V_q = \{(\delta, R) \in [0,1]^2 \mid \text{there exists an } [n,k,d]_q\text{-code with } d/n = \delta \text{ and } k/n = R\}$$
and denote by $U_q$ the set of limit points of $V_q$. It is clear that $(\delta, R) \in U_q$ if and only if there exists an infinite sequence of distinct $[n_i, k_i, d_i]$-codes $C_i$ with different $\delta_i = d_i/n_i$ and $R_i = k_i/n_i$ such that

If $\delta > 0$ and $R > 0$ such a sequence of codes $C_i$ is called asymptotically good (or simply good).
A description of the set $U_q$ is provided by the following theorem of Manin [119] (see also [1] and [208, p. 68] and Exercises 2.8-2.10): there exists a continuous function $\alpha_q(\delta)$ such that
$$U_q = \{(\delta, R) \mid 0 \le \delta \le 1 \text{ and } 0 \le R \le \alpha_q(\delta)\};$$
moreover $\alpha_q(0) = 1$, $\alpha_q(\delta) = 0$ for $(q-1)/q \le \delta \le 1$, and $\alpha_q(\delta)$ is decreasing in the interval $0 \le \delta \le (q-1)/q$. Note that the function $\alpha_q(\delta)$ has the form
$$\alpha_q(\delta) = \sup\{R \mid (\delta, R) \in U_q\}$$
and tells us something about the information rate of long $[n,k,d]_q$-codes with $d/n = \delta$.
If we restrict ourselves to consideration of only linear $[n,k,d]_q$-codes then we can define in the same way the sets $V_q^{lin}$ and $U_q^{lin}$ (taking into account only points $(\delta, R)$ associated to linear $q$-ary codes). In this case there exists a continuous function $\alpha_q^{lin}(\delta)$ such that
$$U_q^{lin} = \{(\delta, R) \mid 0 \le \delta \le 1 \text{ and } 0 \le R \le \alpha_q^{lin}(\delta)\}.$$

It is clear that
$$\alpha_q^{lin}(\delta) \le \alpha_q(\delta).$$

The study of functions $\alpha_q(\delta)$ and $\alpha_q^{lin}(\delta)$ is one of the central problems of the coding theory. At the present time we know only a few of the simplest facts concerning the structure of these functions. So, we are unable to solve even the following problems:
Problem I. Are the functions $\alpha_q(\delta)$ and $\alpha_q^{lin}(\delta)$ differentiable in the interval $(0, (q-1)/q)$?
Problem II. Are these functions convex?
Problem III. Is it true that $\alpha_q^{lin}(\delta) = \alpha_q(\delta)$, or not?
Therefore we are constrained to search some upper and lower bounds for the functions $\alpha_q(\delta)$ and $\alpha_q^{lin}(\delta)$ as close to each other as possible.
For the set of all $[n,k,d]_q$-codes over $F_q$ we define the function $A_q(n,d)$ by
$$A_q(n,d) = \max\{q^k \mid \text{there exists an } [n,k,d]_q\text{-code}\}.$$

A code $C$ that attains this bound is called optimal. If we restrict ourselves to consideration of only linear codes we can define in the same way the function
$$A_q^{lin}(n,d) = \max\{q^k \mid \text{there exists a linear } [n,k,d]_q\text{-code}\}.$$
2.1. UPPER BOUNDS

In the first place we prove the following result:

Theorem 2.1 (the Singleton bound). An $[n,k,d]_q$-code has
$$k \le n - d + 1.$$

Proof: If $C$ is a code with minimum distance $d$, then deleting the last $d - 1$ coordinates of each word in $C$ yields a code $C'$ of length $n - d + 1$ in which all the words are still different. Hence $A_q(n,d) \le q^{n-d+1}$, or $k \le n - d + 1$. •

Corollary 2.2 (the asymptotic Singleton bound).
$$\alpha_q(\delta) \le 1 - \delta.$$

In the next statement linearity is essential:

Theorem 2.3 (the Griesmer bound). For a linear $[n,k,d]_q$-code we have
$$n \ge \sum_{i=0}^{k-1} \left\lceil \frac{d}{q^i} \right\rceil.$$
Proof: Consider the corresponding projective system $\mathcal{P} \subset \mathbb{P}^{k-1} = \mathbb{P}(V)$ (see Exercise 1.7). Let
$$|\mathcal{P} \cap H_0| = \max_H |\mathcal{P} \cap H| = n - d.$$
Set $\mathbb{P}' = H_0$ and $\mathcal{P}' = \mathcal{P} \cap H_0 \subset \mathbb{P}'$. This is a projective $[n', k', d']_q$-system, where $n' = n - d$, $k' = k - 1$. Let $H'$ be a hyperplane of dimension $k - 3$ in $\mathbb{P}'$ such that $|\mathcal{P}' \cap H'| = n' - d'$. There are $(q + 1)$ hyperplanes $H_i$, $1 \le i \le q + 1$, in $\mathbb{P}^{k-1}$ passing through $H'$, and $|\mathcal{P} \cap H_i| \le n - d$. Therefore (since $V = \bigcup_i H_i$ and $H' = \bigcap_i H_i$)
$$(q + 1)(n - d) \ge \sum_{i=0}^{q+1} |\mathcal{P} \cap H_i| = |\mathcal{P} \cap V| + q\,|\mathcal{P} \cap H'| = n + q(n - d - d'),$$
and hence $d' \ge \left\lceil \frac{d}{q} \right\rceil$. Iterating this operation $k$ times we get an $[n^{(k)}, 0, d^{(k)}]_q$-system with
$$n^{(k)} = n - d - d' - \cdots \le n - \sum_{i=0}^{k-1} \left\lceil \frac{d}{q^i} \right\rceil.$$
The condition $n^{(k)} \ge 0$ proves the theorem.

Corollary 2.4 (the asymptotic Griesmer bound).
$$\alpha_q^{lin}(\delta) \le 1 - \frac{q}{q-1}\,\delta.$$

The following bounds are true for arbitrary $[n,k,d]_q$-codes.

Theorem 2.5 (the Plotkin bound). For an $[n,k,d]_q$-code $C$ we have
$$d \le \frac{n q^k (q - 1)}{(q^k - 1)\,q}.$$

Proof: Let $C \subset F_q^n$ be an $[n,k,d]_q$-code of cardinality $M = q^k$. The minimum distance $d$ cannot exceed the average pairwise distance between the elements of $C$:
$$d \le \frac{1}{M(M-1)} \sum_{x,y \in C} d(x,y).$$

Set $m_{ij} = |\{x = (x_1, \ldots, x_n) \in C \mid x_i = j\}|$ and note that
$$\sum_{j \in F_q} m_{ij} = M$$
for every $i = 1, 2, \ldots, n$. Let $\delta_{jl}$ be the Kronecker symbol. Then we find (using the Cauchy-Schwarz inequality)
$$M(M-1)d \le \sum_{x,y \in C} d(x,y) = \sum_{i=1}^{n} \sum_{x,y \in C} (1 - \delta_{x_i y_i})$$

$$= n\,\frac{q-1}{q}\,M^2.$$
This completes the proof.

Corollary 2.6 (the asymptotic Plotkin bound). We have

and
$$\alpha_q(\delta) \le R_P(\delta) = 1 - \frac{q}{q-1}\,\delta \quad \text{for } 0 \le \delta \le \frac{q-1}{q}.$$

Proof: If $d > n\frac{q-1}{q}$ then by the previous theorem we have
$$M = q^k \le \frac{d}{d - n\frac{q-1}{q}}.$$

This estimate does not look very useful because we do not expect $d$ to be so large. However we already have a result for $\alpha_q(\delta)$ from this inequality, namely
$$\frac{q-1}{q} \le \delta \le 1.$$
To make use of the inequality for smaller values of $\delta$ we define the length $n' := \left\lfloor \frac{(d-1)q}{q-1} \right\rfloor$ and note that $n' < n$. We consider the last $n - n'$ symbols of all the code-words. There is a subset of $M'$ code-words ending in the same $n - n'$ symbols, where
$$M' \ge q^{n'-n} M = q^{n'-n+k}.$$

For this subset the inequality derived above also holds, i.e.,
$$q^{n'-n} M \le M' \le \frac{d}{d - n'\frac{q-1}{q}} \le d.$$

Taking $d = \lfloor \delta n \rfloor$ and $n \to \infty$ we obtain the required result.


Lemma 2.7. The volume of a ball $B_t(x)$ of radius $t$ in $F_q^n$ equals

Proof: The ball $B_t(x)$ is the union of disjoint spheres
$$S_i(x) = \{y \in F_q^n \mid \|y - x\| = i\}, \quad 0 \le i \le t.$$

We have $|S_i(x)| = \binom{n}{i}(q-1)^i$ and hence

This gives us the desired result. •

The following result is an easy consequence of the fact that the balls $B_t(x)$ of radius $t \le (d-1)/2$ centered at code-vectors of an $[n,k,d]_q$-code $C$ provide a sphere packing of the space $F_q^n$.
Theorem 2.8 (the Hamming bound). For an $[n,k,d]_q$-code $C$ we have

Proof: Consider balls in $F_q^n$ of radius $t = \left\lfloor \frac{d-1}{2} \right\rfloor$ centered at the code-vectors $x$. These balls do not intersect and hence

This proves the theorem.

A code $C$ that attains the Hamming bound is called perfect.

We define the $q$-ary entropy function $H_q$ on $\left[0, \frac{q-1}{q}\right]$ by
$$H_q(0) = 0,$$
$$H_q(z) = z \log_q(q - 1) - z \log_q z - (1 - z) \log_q(1 - z), \quad 0 < z \le \frac{q-1}{q}. \tag{2.1}$$

The following lemma can easily be proved using Stirling's formula (see [115, §5.1]):

Lemma 2.9. For $0 \le t \le \frac{q-1}{q}\,n$ we have

Corollary 2.10 (the asymptotic Hamming bound).
$$\alpha_q(\delta) \le R_H(\delta) = 1 - H_q(\delta/2).$$
Lemma 2.11. Let $A_q(n,d,w)$ be the maximum possible number of vectors of weight $w$ in $F_q^n$ such that distance between any two of them is at least $d$. Then for each $w$, $0 \le w \le n$, we have
$$A_q(n,d) \le \frac{q^n A_q(n,d,w)}{\binom{n}{w}(q-1)^w}.$$

Proof: Let $C$ be an $[n,k,d]_q$-code with largest possible number $M = q^k$ of code-words, i.e., $M = A_q(n,d)$. For $x, y \in F_q^n$ define
$$\chi(x,y) = \begin{cases} 1 & \text{if } x \in C \text{ and } d(x,y) = w \\ 0 & \text{otherwise} \end{cases} \tag{2.2}$$

We evaluate in two ways the sum
$$\sum_{x,y \in F_q^n} \chi(x,y) = \sum_{x \in C} \binom{n}{w}(q-1)^w = \binom{n}{w}(q-1)^w A_q(n,d),$$
$$\sum_{x,y \in F_q^n} \chi(x,y) \le \sum_{y \in F_q^n} A_q(n,d,w) = q^n A_q(n,d,w)$$
and obtain the required inequality.


Lemma 2.12 (S. M. Johnson). We have
$$A_q(n,d,w) \le \left\lfloor \frac{d}{d - 2w + \frac{q w^2}{(q-1)n}} \right\rfloor.$$
Proof: Let $C$ be an $[n,k,d]_q$ constant-weight code of cardinality $M = q^k$ which attains the bound $A_q(n,d,w)$; thus $M = A_q(n,d,w)$. The minimum distance $d$ cannot exceed the average pairwise distance between the elements of $C$ and hence
$$M(M-1)d \le \sum_{x,y \in C} d(x,y).$$

Set again $m_{ij} = |\{x = (x_1, \ldots, x_n) \in C \mid x_i = j\}|$ and note that
$$\sum_{i=1}^{n} m_{i0} = (n - w)M, \qquad \sum_{i=1}^{n} \sum_{j \in F_q^*} m_{ij} = wM.$$

Then we obtain (using again the Cauchy-Schwarz inequality)
$$M(M-1)d \le \sum_{x,y \in C} d(x,y) = \sum_{i=1}^{n} \sum_{j,l \in F_q} (1 - \delta_{jl})\, m_{ij} m_{il} = \sum_{i=1}^{n} \Bigl(\sum_{j \in F_q} m_{ij}\Bigr)^2 - \sum_{i=1}^{n} \sum_{j \in F_q} m_{ij}^2$$
$$\le nM^2 - n^{-1} \Bigl(\sum_{i=1}^{n} m_{i0}\Bigr)^2 - (n(q-1))^{-1} \Bigl(\sum_{i=1}^{n} \sum_{j \in F_q^*} m_{ij}\Bigr)^2$$
$$= nM^2 - \frac{(n-w)^2}{n} M^2 - \frac{w^2}{n(q-1)} M^2 \tag{2.3}$$
and hence
$$M = A_q(n,d,w) \le \frac{d}{d - 2w + \frac{q w^2}{(q-1)n}}.$$
The statement follows now from the fact that $M$ is an integer.
Theorem 2.13 (the Bassalygo-Elias bound). For each $[n,k,d]_q$-code and for each integer $w$, $1 \le w \le n$, such that
$$r = d - 2w + q w^2 / (q-1)n > 0,$$
the following inequality holds:
$$n - k \ge \log_q \binom{n}{w} + w \log_q(q - 1) - \log_q d + \log_q r.$$

Proof: From Lemmas 2.11 and 2.12 we have
$$q^k \le A_q(n,d) \le \frac{q^n d}{\binom{n}{w}(q-1)^w\, r}$$
and hence
$$n - k \ge \log_q \binom{n}{w} + w \log_q(q - 1) - \log_q d + \log_q r.$$

This completes the proof.

Corollary 2.14 (the asymptotic Bassalygo-Elias bound).
$$\alpha_q(\delta) \le R_{BE}(\delta) = 1 - H_q\left(\frac{q-1}{q} - \frac{q-1}{q}\sqrt{1 - \frac{q\,\delta}{q-1}}\right).$$

Proof: For $d/n \to \delta$, $\log_q A_q(n,d)/n = k/n \to R$ and $w/n \to \omega$. Theorem 2.13 yields

R ~ I-Hq(w) + ~n logq (8 -2w+8--'L\w2) +0 (~)


n
rv I-Hq(w)
q-

subject to the condition that
$$\omega^2 - 2\,\frac{q-1}{q}\,\omega + \frac{q-1}{q}\,\delta > \varepsilon > 0.$$

Tending $\varepsilon \to 0$ and choosing the largest $\omega \le 1$ with this property, i.e.,

we obtain the desired result.



2.2. THE LINEAR PROGRAMMING BOUND

Many of the best upper bounds for $A_q(n,d)$ known at present are based on a method which was developed by Delsarte in 1973. The idea is to derive inequalities that have close connections to the MacWilliams identity and then to use linear programming techniques to analyze these inequalities.
Let $C$ be a linear $[n,k,d]_q$-code. By Theorem 1.16 we know that
$$W_{C^\perp}(u : v) = q^{-k} W_C(u + (q-1)v : u - v)$$
or, in terms of coefficients:
$$A_i^\perp = q^{-k} \sum_{j=0}^{n} A_j P_i(j),$$
where $P_i(u)$ is the Krawtchouk polynomial defined as
$$P_i(u) = \sum_{j=0}^{i} (-1)^j (q-1)^{i-j} \binom{u}{j} \binom{n-u}{i-j}$$
(see Exercise 1.9). Note that

The generating function of polynomials $P_i(u)$ is
$$(1 + (q-1)z)^{n-u} (1 - z)^u = \sum_{i=0}^{\infty} P_i(u) z^i.$$

Since $A_i^\perp$ are the coefficients of $W_{C^\perp}(u : v)$ they are non-negative integers, i.e., for any $j = 1, 2, \ldots, n$
$$\sum_{i=0}^{n} A_i P_j(i) \ge 0.$$
We want to give an upper bound for
$$q^k = 1 + \sum_{i=d}^{n} A_i,$$
i.e., to solve the following linear programming problem:
$$M = 1 + \sum_{i=d}^{n} z_i \to \max,$$
$$\binom{n}{j}(q-1)^j + \sum_{i=d}^{n} P_j(i) z_i \ge 0 \quad \text{for } 1 \le j \le n,$$
$$z_i \ge 0 \quad \text{for } d \le i \le n. \tag{2.4}$$

If $(x_d, \ldots, x_n)$ is a solution of this problem, then
$$A_q(n,d) \le 1 + \sum_{i=d}^{n} x_i.$$

Solving the dual problem and using simplest properties of the polynomials $P_i(x)$ (see Exercise 2.11) we obtain the following statement (see [115, §5.3] and [118, Ch. 17, §4]):

Theorem 2.15 (the linear programming bound). For a given set of non-negative real numbers $a_1, \ldots, a_n$ such that
$$1 + \sum_{i=1}^{n} a_i P_i(j) \le 0, \quad d \le j \le n,$$
and for any $[n,k,d]_q$-code $C$ we have

In other words, if
$$f(x) = 1 + \sum_{i=1}^{n} a_i P_i(x)$$
is a polynomial of degree $n$ with non-negative real $a_i$, $1 \le i \le n$, such that
$$f(j) \le 0,$$
then
$$A_q(n,d) \le f(0).$$

The advantage of Theorem 2.15 is that any polynomial $f(x)$ satisfying the conditions of the theorem yields a bound for $A(n,d)$ whereas in the above mentioned inequality one has to find the optimal solution of the corresponding system. Note that this result can be sharpened if we apply the linear programming method to the constant-weight (spherical) codes and then use Lemma 2.11. The linear programming bound can also be used to get asymptotic upper bounds, but one has to apply a rather subtle technique which does not fit into the frames of this book. We restrict ourselves to the formulation of corresponding results (see [118, Ch. 17, §7] and also [112, 113]):

Theorem 2.16 (the McEliece-Rodemich-Rumsey-Welch bound).
$$\alpha_q(\delta) \le R_{lp}(\delta) = H_q\left(\frac{(q-1) - \delta(q-2) - 2\sqrt{(q-1)\delta(1-\delta)}}{q}\right).$$

Linear programming applied to the constant-weight codes for $q = 2$ leads to the following result:

Theorem 2.17 (the second McEliece-Rodemich-Rumsey-Welch bound).

where

Here we stop to discuss upper (i.e., possibility) bounds and pass to existence bounds.

2.3. LOWER BOUNDS

Suppose $C$ is a code of length $n$ over $F_q$ with minimum distance $d$ and suppose that it is not possible to find a vector not in $C$ that has distance at least $d$ to all code-vectors in $C$. Then clearly

This simple argument is the proof of the following result:

Theorem 2.18 (the Gilbert bound).

Corollary 2.19 (the asymptotic Gilbert bound).

Suppose now that we consider only linear codes in $F_q^n$. We claim that we find a result as good as Theorem 2.18:

Theorem 2.20 (the Gilbert-Varshamov bound). If
$$q^{n-k+1} > \sum_{i=0}^{d-1} \binom{n}{i} (q-1)^i,$$
then there exists a linear $[n,k,d]_q$-code over $F_q$.

Proof: For $k = 0$ the assertion is trivial. Suppose the inequality holds for $k - 1$ and that we have a linear $[n, k-1, d]_q$-code $C$. By the proof of Theorem 2.18 there is a word $x' \in F_q^n$ that has a distance at least $d$ to all the words of $C$. If $x \in C$ and $a \in F_q^*$, then
$$\|x + a x'\| = \|a^{-1} x + x'\| = d(-a^{-1} x, x') \ge d.$$

Hence $C$ and $x'$ span a linear $[n,k,d]_q$-code $C'$ with a minimum distance $d$. •

[Figure 2.1. Plot of $R$ with curves labelled $R_P$, $R_{BE}$ and $R_{GV}$.]
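The finite-length bounds of this chapter can be evaluated for concrete parameters; the sketch below is an added example, not part of the book. The Singleton, Griesmer, Plotkin and Gilbert-Varshamov conditions are coded as stated in Theorems 2.1, 2.3, 2.5 and 2.20, the Hamming bound is taken in its standard sphere-packing form $q^k \cdot |B_t| \le q^n$ with $|B_t| = \sum_{i \le t} \binom{n}{i}(q-1)^i$, and all function names are this example's own.

```python
from math import comb


def ball_volume(n, t, q):
    """Number of vectors of F_q^n within Hamming distance t of a fixed one."""
    return sum(comb(n, i) * (q - 1) ** i for i in range(t + 1))


def singleton_ok(n, k, d, q):
    """Theorem 2.1: k <= n - d + 1."""
    return k <= n - d + 1


def griesmer_length(k, d, q):
    """Right-hand side of Theorem 2.3: sum of ceil(d / q^i), 0 <= i < k."""
    return sum(-(-d // q ** i) for i in range(k))


def griesmer_ok(n, k, d, q):
    """Theorem 2.3 (linear codes only)."""
    return n >= griesmer_length(k, d, q)


def plotkin_ok(n, k, d, q):
    """Theorem 2.5, cleared of denominators: d (q^k - 1) q <= n q^k (q - 1)."""
    return d * (q ** k - 1) * q <= n * q ** k * (q - 1)


def hamming_ok(n, k, d, q):
    """Sphere packing with radius t = floor((d - 1) / 2)."""
    return q ** k * ball_volume(n, (d - 1) // 2, q) <= q ** n


def is_perfect(n, k, d, q):
    """True when the Hamming bound is met with equality."""
    return q ** k * ball_volume(n, (d - 1) // 2, q) == q ** n


def gv_guarantees(n, k, d, q):
    """Theorem 2.20: sufficient (not necessary) condition for existence."""
    return q ** (n - k + 1) > ball_volume(n, d - 1, q)


def check(n, k, d, q):
    """Evaluate every bound for candidate linear [n, k, d]_q parameters."""
    upper = {
        "singleton": singleton_ok(n, k, d, q),
        "griesmer": griesmer_ok(n, k, d, q),
        "plotkin": plotkin_ok(n, k, d, q),
        "hamming": hamming_ok(n, k, d, q),
    }
    return {
        **upper,
        "excluded": not all(upper.values()),   # some upper bound is violated
        "perfect": is_perfect(n, k, d, q),
        "gv_guarantees": gv_guarantees(n, k, d, q),
    }


if __name__ == "__main__":
    # Constructed parameter sets: two codes that exist, two that cannot.
    for params in ((7, 4, 3, 2), (23, 12, 7, 2), (7, 4, 4, 2), (6, 3, 4, 2)):
        print(params, check(*params))
```

The $[7,4,3]_2$ parameters pass every upper bound and meet the Hamming and Griesmer bounds with equality, yet the Gilbert-Varshamov condition does not hold for them: it is an existence guarantee, not a test of possibility.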

Corollary 2.21 (the asymptotic Gilbert-Varshamov bound).

The Gilbert-Varshamov bound has remarkable statistical properties. The following facts, which can be easily stated rigorously (see Exercise 2.5), are valid:

(i) The parameters of almost all linear codes lie on the curve $R_{GV}(\delta)$.

(ii) Let us "correct" each non-linear $[n,k,d]_q$-code, by crossing out at most $n^{-1} q^k$ code vectors. Then almost every code can be corrected so that the parameters of the resulting code lie on the curve $R_{GV}(\delta)$. Note that $\log_q(q^k/n) = k - \log_q n \sim k$, i.e., such correction does not change asymptotic parameters.

The asymptotic Gilbert-Varshamov bound was not improved until recently. The algebraic-geometric bound that we shall find later on is

where $q \ge 49$ and $q$ is square (see Fig. 2.1 and Exercise 2.7).

Note that the line

is higher than the curve
$$R_{GV}(\delta) = 1 - H_q(\delta)$$
in the interval $(\delta_1, \delta_2)$, where $\delta_1$ and $\delta_2$ are the roots of the equation
EXERCISES

2.1. Prove that for $d/n \to \delta$, $0 \le \delta \le \frac{q-1}{q}$,
$$\lim_{n \to \infty} \frac{1}{n} \log_q \left(\sum_{i=0}^{d} \binom{n}{i} (q-1)^i\right) = H_q(\delta).$$

(Hint: Use Stirling's formula.)


2.2. Let m and w > 4 be integers. Let Cm be the binary code oflength n defined by

L iXi == m
n-I
mod(n)
}
.
i=1

Show that
nw - 1
A2(n,4,w)~-,- as n-+ oo .
w.
2.3. Show that
(~)A2(n,21) ~ 2nA2(n,21, w).
2.4. Check the following facts:
(a) On the segment $[0, (q-1)/q]$ the curve $R_{GV}(\delta)$ is differentiable (of class $C^\infty$) and convex;
(b) $R_{GV}(0) = 1$, $R_{GV}((q-1)/q) = 0$ and for $\delta \to 0$ there is the asymptotical equality
$$R_{GV}(\delta) = 1 + \delta \log_q \delta + o(\delta \log_q \delta).$$
In particular, the tangent at $\delta = 0$ is vertical;
(c) For $\delta \to (q-1)/q$ there is the asymptotical equality

q
RGV ( -q--W
-1) = 2(q-1) logq W +o(w).
q2 2 2

The tangent at (q - 1) I q is horizontal and the tangent order is two.



(d) Tangents to RGv( a) are of the fonn

Rt(a) = 1- (lo~(l +q -1) -t) -ta,


Each Rt(a) is tangent toRGv(a) at the point
q-l
c50 = qt +q-l
and
tqt
RGv(c50)=I+ t l-logq(l+q-l).
q +q-
2.5. Let $G$ be a $k \times n$ matrix whose entries are chosen randomly from $F_q$, and let $C$ be the code with generator matrix $G$. Show that if $k/n$ is fixed and $n \to \infty$, then $C$ meets the Gilbert-Varshamov bound with probability approaching 1.
2.6. Show that for $q$ large enough the bound $R_{lp}(\delta)$ is not convex and that for $q = 2$ the curve $R_{lp}^{(2)}(\delta)$ is lower than $R_{BE}(\delta)$.
2.7. Prove that the equation
$$H_q(\delta) - \delta = (\sqrt{q} - 1)^{-1}$$
has two roots if and only if

2.8. Suppose that there exists a linear $[n,k,d]_q$-code $C$. Prove that it is possible to construct a linear code with parameters $[n+1, k, d]_q$, and if $k \ge 1$, $n > d \ge 2$ then also linear codes with parameters $[n-1, k-1, d]_q$, $[n-1, k, d-1]_q$, $[n, k-1, d]_q$ and $[n, k, d-1]_q$.
2.9. State and prove the similar result for non-linear codes. (Hint: In this case $(k - 1)$ is changed by $\log_q(\lfloor q^{k-1} \rfloor)$.)
2.10. Prove that the curve $R = \alpha_q(\delta)$ is continuous on the segment $[0,1]$. Show that it satisfies the conditions $\alpha_q(0) = 1$, $\alpha_q(\delta) = 0$ for $(q-1)/q \le \delta \le 1$ and decreases on the segment $[0, (q-1)/q]$. (Hint: Use Exercises 2.8, 2.9 and Corollary 2.6.)
2.11. Prove that Krawtchouk polynomials

have the following properties:

(a) $P_i(u) = \sum_{j=0}^{i} (-q)^j (q-1)^{i-j} \binom{n-j}{i-j} \binom{u}{j}$;
(b) $P_i(u) = \sum_{j=0}^{i} (-1)^j q^{i-j} \binom{n-i+j}{j} \binom{n-u}{i-j}$;
(c) $P_i(u)$ is a polynomial of degree $i$ in $u$, with leading coefficient $(-q)^i/i!$ and constant term $\binom{n}{i}(q-1)^i$;

(d) Orthogonality relations:
$$\sum_{l=0}^{n} \binom{n}{l} (q-1)^l P_i(l) P_j(l) = q^n (q-1)^i \binom{n}{i} \delta_{ij};$$

(e) $(q-1)^l \binom{n}{l} P_i(l) = (q-1)^i \binom{n}{i} P_l(i)$;

(f) $\sum_{l=0}^{n} P_i(l) P_l(j) = q^n \delta_{ij}$;

(g) Recurrence:
$$(i + 1) P_{i+1}(u) = ((n - i)(q - 1) + i - qu) P_i(u) - (q - 1)(n - i + 1) P_{i-1}(u),$$
$$P_0 = 1, \quad P_1(u) = (q - 1)n - qu; \tag{2.5}$$

(h) If $f(u)$ is a polynomial of degree $t$ and
$$f(u) = \sum_{i=0}^{t} a_i P_i(u),$$
then
$$a_i = q^{-n} \sum_{j=0}^{n} f(j) P_j(i).$$
Chapter 3

Examples and Constructions

We now turn to the problem of constructing linear codes. We present several
examples, each of which is in fact a method to construct some family of linear
codes having rather good parameters. A considerable part of these families are
predecessors of geometric Goppa codes, therefore we treat the corresponding
constructions in this way to demonstrate their close interconnection with the Goppa
construction that will be described later on in Part IV.

3.1. CODES OF GENUS ZERO

Recall that a code of genus zero (or an MDS-code) is an $[n,k,d]_q$-code C such that
$k + d = n + 1$.

Trivial Codes
For every n there are three simplest q-ary codes of genus zero which are naturally
called trivial. These are:

(i) $[n,n,1]_q$-code $C_0 = F_q^n$;

(ii) $[n,n-1,2]_q$-code $C_1 = \{(x_1, \ldots, x_n) \in F_q^n \mid \sum_{i=1}^{n} x_i = 0\}$, called the parity-check code;

(iii) $[n,1,n]_q$-code $C_2 = \{x = (x_1, \ldots, x_1) \in F_q^n\}$, called the repetition code.

Now we pass to a more conceptual construction.


Reed-Solomon Codes
Let $\mathcal{P} = \{\alpha_1, \ldots, \alpha_n\} \subseteq F_q$ be a subset of cardinality n. Consider a linear space
L(m) of all polynomials in one variable of degree at most m with coefficients in
$F_q$; its dimension over $F_q$ is $\dim L(m) = m + 1$. For n > m a non-zero polynomial
$f(u) \in L(m)$ cannot vanish at all points of $\mathcal{P}$. Moreover, it has at least (n - m)
non-zero values at points of the set $\mathcal{P}$. Hence if n > m, the evaluation map

is injective and its image C is an $[n,m+1,n-m]_q$-code called a Reed-Solomon
code (RS-code) of degree m (traditionally the codes of length n < q - 1 are called
extended or shortened Reed-Solomon codes, but it is preferable for us to use the
same name for all these codes). The parameters of such a code satisfy the condition
k + d = n + 1, and k = m + 1 can be freely chosen between 1 and n. It may be
noted that the Reed-Solomon codes form an embedded family: $L(m) \subset L(m+1)$.
Unfortunately, the length n of a Reed-Solomon $[n,k,d]_q$-code C cannot exceed q.
Fix the basis $\{1, u, u^2, \ldots, u^m\}$ in L(m). In this basis the generator matrix G
of C is
$$G = (\alpha_i^j)_{1 \le i \le n,\ 0 \le j \le m}.$$

If $\mathcal{P} = F_q$ or $\mathcal{P} = F_q^*$ it is easy to see that $C^\perp$ is also a Reed-Solomon code with
$m^\perp = n - m - 2$ and parameters $[n,n-m-1,m+2]_q$ (see Exercise 3.1). Let us
find now the dual code for a Reed-Solomon code C of arbitrary length n. Set
$$g_0(u) = \prod_{j=1}^{n} (u - \alpha_j)^{-1},$$
and denote by $\Omega(m)$ the linear vector space spanned by the rational functions
$g_l(u)$, $0 \le l \le n - m - 2$. To construct $C^\perp$ it is convenient to use the so-called
residue map from $\Omega(m)$ to $F_q$.
Consider a rational function $F(u) = f(u)g_0(u)$, $f(u)$ being a polynomial, and
recall the definition of the residue of F at $\alpha_i$:
$$\operatorname{Res}_{\alpha_i} F(u) = f(\alpha_i) \prod_{j \ne i} (\alpha_i - \alpha_j)^{-1}.$$
Proposition 3.1 (the residue formula). If $\deg f \le n - 2$ then
$$\sum_{i=1}^{n} \operatorname{Res}_{\alpha_i} F(u) = 0.$$

Proof: Let $f(u) = c_0 + c_1 u + \cdots + c_l u^l$ be a non-zero polynomial of degree
$l \le n - 2$. Consider the following system of linear equations:
$1 \le i \le n$.

We have (using Cramer's rule)

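$$= (-1)^n \prod_{1 \le l < k \le n} (\alpha_k - \alpha_l) \sum_{i=1}^{n} f(\alpha_i) \prod_{\substack{j=1 \\ j \ne i}}^{n} (\alpha_i - \alpha_j)^{-1} \qquad (3.1)$$
and then
$$\sum_{i=1}^{n} f(\alpha_i) \prod_{\substack{j=1 \\ j \ne i}}^{n} (\alpha_i - \alpha_j)^{-1} = 0,$$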
as required.

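Proposition 3.2. The dual code $C^\perp$ for the Reed-Solomon code C of degree m is
the image of $\Omega(m)$ under the residue map

$$\operatorname{Res} : g(u) \mapsto (\operatorname{Res}_{\alpha_1} g(u), \ldots, \operatorname{Res}_{\alpha_n} g(u)).$$

The code $C^\perp$ is equivalent to a Reed-Solomon $[n,n-m-1,m+2]_q$-code.

Proof: Let $f \in L(m)$ and $g \in \Omega(m)$. We have

$$\sum_{i=1}^{n} f(\alpha_i) \operatorname{Res}_{\alpha_i} g(u) = \sum_{i=1}^{n} \operatorname{Res}_{\alpha_i}(f(u)g(u)) = 0,$$

and since $\dim L(m) + \dim \Omega(m) = n$, then $C^\perp = \operatorname{Res}(\Omega(m))$.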


Now we observe that if $g(u) = h(u)g_0(u)$, $h(u)$ being a polynomial, then

$$\operatorname{Res}_{\alpha_i} g(u) = y_i h(\alpha_i),$$

where
$$y_i = \prod_{\substack{j=1 \\ j \ne i}}^{n} (\alpha_i - \alpha_j)^{-1},$$
i.e., $C^\perp$ can be obtained from a Reed-Solomon code $C' = \mathrm{Ev}(L(m^\perp))$, $m^\perp = n - m - 2$,
by multiplying the ith coordinate of all its vectors by $y_i \in F_q^*$. We
write $C^\perp = y \times C'$, $y = (y_1, \ldots, y_n) \in (F_q^*)^n$, and call such a code a generalized
Reed-Solomon code. It is equivalent to a Reed-Solomon code in the sense of the
definition in Section 1.2. ∎

Whenever $\mathcal{P} = F_q$ or $\mathcal{P} = F_q^*$, multiplication by y is an automorphism of C'.
Note also that if n is even and $m = \frac{n}{2} + 1$, then C is quasi-self-dual: $C^\perp = y \times C$;
if, moreover, $\mathcal{P} = F_q$, or $\mathcal{P} = F_q^*$, the code C is self-dual.
Now we study the spectrum of a Reed-Solomon code C. Applying Theorem
1.17 to codes of genus zero, we get a complete answer:
Proposition 3.3. If C is an $[n,k,d]_q$-code of genus zero then

and for $i \ne 0$

$$A_i = \binom{n}{i} \sum_{j=0}^{i-d} (-1)^j \binom{i}{j} (q^{i-d-j+1} - 1) = \binom{n}{i} (q-1) \sum_{j=0}^{i-d} (-1)^j \binom{i-1}{j} q^{i-d-j}.$$

Finally we describe a decoding procedure of Reed-Solomon codes. Consider
an $[n,n-m-1,m+2]_q$-code C dual to a Reed-Solomon code of degree m. Recall
that decoding up to $t = \lfloor \frac{d-1}{2} \rfloor$ means an algorithm that makes it possible, starting
with some $y \in F_q^n$ which is at most at distance t from some code-vector $x \in C$, to
find this x. Let $e = (e_1, \ldots, e_n) = y - x$, $\|e\| \le t$, be the error-vector.
Given $y = (y_1, \ldots, y_n) \in F_q^n$ we start with a calculation of syndromes:
$$S_j = S_j(y) = \sum_{i=1}^{n} y_i \alpha_i^j, \quad 0 \le j \le 2t - 1.$$

Since for any $x = (x_1, \ldots, x_n) \in C$ the corresponding sum is equal to zero (the
matrix $(\alpha_i^j)$ is a parity-check matrix of the code C) we have

$$S_j = \sum_{i \in I} e_i \alpha_i^j,$$

where $I = \{i \mid e_i \ne 0\}$ is the (unknown) set of error-locators.


The next step is to find coefficients of the polynomial
$$\sigma(u) = \sum_{l=0}^{t} z_l u^l = a \prod_{i \in I} (u - \alpha_i),$$
which is called the error-locator polynomial. We explain that the coefficients are
uniquely determined as a solution of the following system of linear equations
$$\sum_{l=0}^{t} z_l S_{j+l} = 0,$$

with respect to indeterminates $z_l$. Indeed, since $\sigma(\alpha_i) = 0$ for any $i \in I$, and

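we see that $(z_0, \ldots, z_t)$ is a solution of the above system. Now, if $(z_0', \ldots, z_t')$ is
some other solution and
$$\sigma'(u) = \sum_{l=0}^{t} z_l' u^l,$$
then, setting
$$\sigma_j(u) = \prod_{\substack{i \in I \\ i \ne j}} (u - \alpha_i) = \sum_{k=0}^{t-1} z_{kj} u^k$$
for any $j \in I$, we obtain

$$e_j \sigma_j(\alpha_j) \sigma'(\alpha_j) = \sum_{i \in I} e_i \sigma_j(\alpha_i) \sigma'(\alpha_i) = \sum_{i \in I} \sum_{k=0}^{t-1} e_i z_{kj} \alpha_i^k \sigma'(\alpha_i) = \sum_{k=0}^{t-1} \sum_{l=0}^{t} z_{kj} z_l' \sum_{i \in I} e_i \alpha_i^{k+l} = \sum_{k=0}^{t-1} z_{kj} \left( \sum_{l=0}^{t} z_l' S_{k+l} \right) = 0.$$

Thus $\sigma'(\alpha_j) = 0$ for each $j \in I$, i.e., $(z_0, \ldots, z_t)$ is the only solution (up to a
multiplicative constant).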
Decomposing $\sigma(u)$ into linear factors we find now the set of error locators
I. Finally, to find the error-vector $e = (e_1, \ldots, e_n)$ itself it is sufficient to solve the
following system of linear equations

$0 \le j \le t - 1$,

with respect to $e_i$. We note again that the elements $e_i$ we are looking for are
uniquely determined by this system. Indeed, if $\{e_i'\}$ is another solution, then

$$\sum_{i \in I} (e_i - e_i') \alpha_i^j = 0,$$

and hence $e - e' \in C$. But the weight of the vector $e - e'$ is at most $2t \le d - 1$.
The contradiction we obtain shows us that e is determined uniquely.
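The decoding procedure of this section, as an added example that is not part of the book: syndromes, the linear system for the error-locator coefficients $z_l$, and the linear system for the error values, over a prime field. The parameters ($F_{13}$, the points 1..10, m = 4), the helper names and the range $0 \le j \le t-1$ used for the locator system are assumptions of the example; code-words are produced as $x_i = y_i h(\alpha_i)$ following Proposition 3.2.

```python
# Added illustration: syndrome decoding of the code C dual to a Reed-Solomon
# code of degree m, over a prime field F_p (arithmetic is "mod p").
P = 13                        # q = 13 (constructed parameters)
ALPHAS = list(range(1, 11))   # evaluation set {alpha_1, ..., alpha_n}, n = 10
M = 4                         # C has parameters [n, n-m-1, m+2] = [10, 5, 6]
N, D = len(ALPHAS), M + 2
T = (D - 1) // 2              # decoding radius t = 2

def inv(a):
    return pow(a % P, P - 2, P)

def encode(msg):
    """x_i = y_i * h(alpha_i), deg h <= n-m-2, y_i = prod_{j != i} (alpha_i - alpha_j)^-1."""
    assert len(msg) == N - M - 1
    word = []
    for ai in ALPHAS:
        yi = 1
        for aj in ALPHAS:
            if aj != ai:
                yi = yi * inv(ai - aj) % P
        word.append(yi * sum(c * pow(ai, k, P) for k, c in enumerate(msg)) % P)
    return word

def syndromes(y):
    """S_j = sum_i y_i alpha_i^j for 0 <= j <= 2t-1."""
    return [sum(v * pow(a, j, P) for v, a in zip(y, ALPHAS)) % P for j in range(2 * T)]

def kernel_vector(rows):
    """A non-zero z with rows * z = 0 over F_p (Gauss-Jordan elimination), or None."""
    rows = [r[:] for r in rows]
    ncols, pivots, r = len(rows[0]), {}, 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        f = inv(rows[r][c])
        rows[r] = [v * f % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                g = rows[i][c]
                rows[i] = [(v - g * w) % P for v, w in zip(rows[i], rows[r])]
        pivots[c] = r
        r += 1
    free = [c for c in range(ncols) if c not in pivots]
    if not free:
        return None
    z = [0] * ncols
    z[free[-1]] = 1                       # set the last free unknown to 1
    for c, i in pivots.items():
        z[c] = -rows[i][free[-1]] % P
    return z

def decode(y):
    """Return the code-word within distance t of y, or None on decoding failure."""
    S = syndromes(y)
    if not any(S):
        return list(y)
    # Error locator: sum_l z_l S_{j+l} = 0 for 0 <= j <= t-1 (assumed range of j).
    z = kernel_vector([[S[j + l] for l in range(T + 1)] for j in range(T)])
    locs = [i for i, a in enumerate(ALPHAS)
            if sum(c * pow(a, l, P) for l, c in enumerate(z)) % P == 0]
    if not locs:
        return None
    # Error values: sum_{i in I} e_i alpha_i^j = S_j, written as the kernel of [V | -S].
    sol = kernel_vector([[pow(ALPHAS[i], j, P) for i in locs] + [-S[j] % P]
                         for j in range(T)])
    if sol is None or sol[-1] != 1:
        return None
    x = list(y)
    for i, e in zip(locs, sol):
        x[i] = (x[i] - e) % P
    return x if not any(syndromes(x)) else None
```

With fewer than t errors the locator system has several solutions; every one of them still vanishes at the true error positions, and the second system then assigns the value 0 to any extra root.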

3.2. SOME FAMILIES OF CODES

In this section we introduce the reader to many other interesting constructions
and discuss some characteristic properties of the corresponding families of linear
codes.

Reed-Muller Codes of the First Order
Consider a linear space $L_m$ of all polynomials of degree at most 1 in m variables
over a finite field $F_q$: $\dim L_m = m + 1$. Let $\mathcal{P} = \{y_1, \ldots, y_n\} \subseteq F_q^m$ be a subset
of cardinality n such that no non-zero linear polynomial vanishes at all points
$y_1, \ldots, y_n$ (it is surely so if $n > q^{m-1}$, since the number of zeros of a non-zero
linear polynomial in m variables is at most $q^{m-1}$).
The image of the evaluation map

is an $[n,m+1,n-q^{m-1}]_q$-code with $n \le q^m$, which is called the Reed-Muller
code of the first order.
This construction can be easily generalized as follows. Consider all homogeneous
linear forms in (m + 1) variables. Together with zero they form a linear
space $L'_m$ of dimension (m + 1) over $F_q$. Let $\mathcal{P} = \{y_1, \ldots, y_n\} \subset F_q^{m+1}$ be such
that $y_i \ne (0, \ldots, 0)$, $1 \le i \le n$, and $y_i \in \mathcal{P}$ implies $\alpha y_i \notin \mathcal{P}$ for every $\alpha \in F_q^* \setminus \{1\}$.
Consider again the evaluation map

A non-zero form $f \in L'_m$ has at most $q^m$ zeros in $F_q^{m+1}$ (recall that $0 \notin \mathcal{P}$ and if
$f(y_i) = 0$ for $y_i \in \mathcal{P}$ then also $f(\alpha y_i) = 0$ for all $\alpha \ne 0, 1$). Therefore the number
of zeros of f in $\mathcal{P}$ is at most $(q^m - 1)/(q - 1)$. The maximum cardinality of $\mathcal{P}$
is $(q^{m+1} - 1)/(q - 1)$ (take for example all non-zero elements of $F_q^{m+1}$ such that
their first non-zero coordinate is 1). We obtain an $[n, m+1, n - \frac{q^m - 1}{q - 1}]_q$-code for
$n \le (q^{m+1} - 1)/(q - 1)$, in particular a code C with parameters

$$\left[ \frac{q^{m+1} - 1}{q - 1},\ m + 1,\ q^m \right]_q.$$

This is a very good code which lies on the Plotkin bound. It is not difficult to
check (see Exercise 3.2) that the weight enumerator of the code C has the form

Hamming Codes
The Hamming single-error-correcting codes form an important family of linear
codes which are easy to encode and decode. The Hamming code $C_H$ can be
defined as dual to the Reed-Muller code C: $C_H = C^\perp$. Theorem 1.17 makes it
possible to find out the spectrum of $C_H$ (see Exercise 3.2). The spectrum shows
that $d \ge 3$. This can be seen also without knowing the weight enumerator. In fact,
the parity-check matrix of $C_H$ has no proportional columns (if for $y_1, y_2 \in F_q^{m+1}$
all linear forms are proportional and $f(y_1) = \alpha f(y_2)$, then $y_1 = \alpha y_2$). Hence any
two columns are linearly independent and $d \ge 3$ (see Exercise 1.5).
So we have constructed a family of codes with parameters
$$[n, n - m - 1, \ge 3], \quad n \le (q^{m+1} - 1)/(q - 1),$$
and for $n = (q^{m+1} - 1)/(q - 1)$ we know spectra of such codes. These codes are
good enough if we are interested in codes with d = 3. For $n = (q^{m+1} - 1)/(q - 1)$
they lie on the Hamming bound.

Reed-Muller Codes of Order r


Let $r < m(q - 1)$. Consider a linear space $L_m(r)$ of all polynomials of degree at
most r in m variables over $F_q$. Fix a subset $\mathcal{P} = \{y_1, \ldots, y_n\} \subseteq F_q^m$ and consider
the evaluation map:

$$\mathrm{Ev} : L_m(r) \to F_q^n, \quad f \mapsto (f(y_1), \ldots, f(y_n)).$$

Set $C = \mathrm{Ev}(L_m(r))$. Finding out the parameters of C is a rather difficult problem.
For simplicity let us suppose that $\mathcal{P} = F_q^m$, $n = q^m$. The map Ev in general is not
injective (in fact $\mathrm{Ev}(f) = \mathrm{Ev}(f^q)$ for every f). Let $L'_m(r)$ be the space spanned by
monomials of the form $u_1^{\alpha_1} \cdots u_m^{\alpha_m}$, $0 \le \alpha_j \le q - 1$, $\sum \alpha_j = r$. If we take $n = q^m$
and
$$r = u(q - 1) + \tau \le m(q - 1), \quad 1 \le \tau \le q - 1,$$
then (see Exercise 3.3) the map

$$\mathrm{Ev} : L'_m(r) \to F_q^n$$
is an embedding and the code $C = \mathrm{Ev}(L'_m(r))$ has parameters $n = q^m$,

$$k = \dim L'_m(r) = \sum_{i=0}^{r} \sum_{j=0}^{m} (-1)^j \binom{m}{j} \binom{i - jq + m - 1}{i - jq},$$
and
$$d = (q - \tau) q^{m-u-1}.$$

In particular, for q = 2 we get a $[2^m, \sum_{i=0}^{r} \binom{m}{i}, 2^{m-r}]_2$-code.



Cyclic Codes
A linear code $C \subseteq F_q^n$ is called cyclic if it is invariant with respect to the cyclic shift
of coordinates, i.e., $(x_1, \ldots, x_n) \in C$ yields $(x_2, \ldots, x_n, x_1) \in C$. Note that cyclicity
is not an invariant of the equivalence class of codes.
From now on we make the convention (n,q) = 1. To describe cyclic codes
algebraically we observe that $F_q^n$ as vector space is isomorphic to the ring
$R_n = F_q[u]/(u^n - 1)$, if only we ignore the multiplication in this ring. We now identify
the vector $(x_1, \ldots, x_n) \in F_q^n$ with the corresponding polynomial
$x_1 + x_2 u + \cdots + x_n u^{n-1}$. Observe that multiplication by u now is nothing but a cyclic shift of the
vector. Since a cyclic code is linear by definition, we have:

Theorem 3.4. A linear code $C \subseteq F_q^n$ is cyclic if and only if C is an ideal in
$F_q[u]/(u^n - 1)$.

Now we take the advantage of the following well-known facts:

Proposition 3.5. If F is a field then F[u] is a principal ideal domain.

The principal ideal generated by the polynomial f(u) is denoted by (f(u)).

Proposition 3.6. If F is a field then the residue class ring $F[u]/(u^n - 1)$ is a
principal ideal ring and every ideal is generated by a divisor of $u^n - 1$.

It appears from this that a cyclic code C is a principal ideal generated by a
polynomial g(u), the generator polynomial, that divides $u^n - 1$. If

$$u^n - 1 = f_1(u) \cdots f_s(u)$$

is the decomposition of $u^n - 1$ into irreducible factors we have $2^s$ choices for g(u)
(some of these codes can be equivalent).
The code $C_i$ with generator $(u^n - 1)/f_i(u)$ is called an irreducible cyclic code.
Every cyclic code is a direct sum of irreducible cyclic codes (this is an example of
a well-known structure theorem for ideals in semisimple algebras). If $\deg f_i(u) = k$
then the irreducible cyclic code $C_i$ is isomorphic to $F_q^k$. Note that the convention
(n,q) = 1 ensures that $u^n - 1$ has no multiple roots. In this case all the factors
$f_i(u)$ are distinct.
Let $u^n - 1 = g(u)h(u)$ in $F_q[u]$. If $g(u) = g_0 + g_1 u + \cdots + g_{n-k} u^{n-k}$ and
$h(u) = h_0 + h_1 u + \cdots + h_k u^k$ then

is a generator matrix for the code C with generator polynomial g(u) and one easily
checks that
$$\begin{pmatrix} 0 & 0 & \cdots & 0 & h_k & \cdots & h_1 & h_0 \\ 0 & 0 & \cdots & h_k & \cdots & h_1 & h_0 & 0 \\ \vdots & & & & & & & \vdots \\ h_k & \cdots & h_1 & h_0 & 0 & \cdots & 0 & 0 \end{pmatrix}$$
is a parity-check matrix for C. We call h(u) the parity-check polynomial. Observe
that the code with h(u) as generator polynomial is equivalent to $C^\perp$ (obtained by
reversing the order of the n symbols). So $C^\perp$ has generator polynomial $u^k h(u^{-1})$.
Let C be a cyclic code with generator $g(u) = f_1(u) \cdots f_t(u)$ and let $\alpha_i$ be a root
of $f_i(u)$, $1 \le i \le t$, in the algebraic closure $\bar{F}_q$ of the field $F_q$. Denote by $F_{q^m}$ the
splitting field of the polynomial $u^n - 1$, i.e., the smallest extension of $F_q$, where
$u^n - 1$ decomposes into a product of linear factors (see Exercise 3.4).
If $\deg f_i(u) = m_i$ then $\alpha_i \in F_{q^{m_i}} \subset F_{q^m}$ and

Besides, each $\alpha_i$ can be interpreted as the column-vector $(\alpha_{i1}, \ldots, \alpha_{im})^T$ of its
coordinates in a basis of $F_{q^m}$ over $F_q$.
Now we consider the $t \times n$ matrix over $F_{q^m}$:

$$H = \begin{pmatrix} 1 & \alpha_1 & \alpha_1^2 & \cdots & \alpha_1^{n-1} \\ 1 & \alpha_2 & \alpha_2^2 & \cdots & \alpha_2^{n-1} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha_t & \alpha_t^2 & \cdots & \alpha_t^{n-1} \end{pmatrix}.$$

This matrix can also be considered as an $mt \times n$ matrix over $F_q$. In a sense H is
a parity check matrix for the code C. Indeed $x = (x_1, \ldots, x_n)$ is in C if and only
if $x_1 + x_2 \alpha_i + \cdots + x_n \alpha_i^{n-1} = 0$ for $1 \le i \le t$, because $x \in C$ if and only if the
polynomial $x_1 + x_2 u + \cdots + x_n u^{n-1}$ is divisible by g(u). If we interpret H as a
matrix over $F_q$, then it is possible that the rows are not linearly independent, i.e.,
a parity-check matrix for C can be obtained from H by deleting rows if necessary.
Let $n = (q^{m+1} - 1)/(q - 1)$ and let $\alpha$ be a primitive element of the field $F_{q^{m+1}}$
(i.e., $\alpha$ is a generator of the cyclic group $F_{q^{m+1}}^*$). The cyclic code C, defined by

has the q-ary $(m + 1) \times n$ parity-check matrix $H = (1\ \alpha\ \alpha^2\ \ldots\ \alpha^{n-1})$.
Since the columns of H are pairwise linearly independent over $F_q$, this code is the
Hamming $[n,n-m-1,3]_q$-code defined above.

BCH-Codes
We now come to a generalization of Hamming codes, the so called BCH-codes
(discovered by Bose, Ray-Chaudhuri, and Hocquenghem). Let $\alpha$ be a primitive
nth root of 1 in an extension of $F_q$. Let g(u) be the least common multiple of the
minimal polynomials of $\alpha^l, \alpha^{l+1}, \ldots, \alpha^{l+t-2}$. The cyclic code of length n over $F_q$
with generator g(u) is called a BCH-code with designed distance t.
From now on we restrict ourselves to the case $l = 1$ (narrow-sense BCH-codes).
If $n = q^m - 1$, i.e., $\alpha$ is a primitive element of $F_{q^m}$, the code is called a primitive
BCH-code.

Theorem 3.7. The minimum distance d of a BCH-code C with designed distance
t is at least t (this is called the BCH-bound).

Proof: As we saw earlier, a vector $x = (x_1, \ldots, x_n)$ is the code-vector if and only
if
$$H x^T = \begin{pmatrix} 1 & \alpha & \alpha^2 & \cdots & \alpha^{n-1} \\ 1 & \alpha^2 & \alpha^4 & \cdots & \alpha^{2(n-1)} \\ \vdots & \vdots & \vdots & & \vdots \\ 1 & \alpha^{t-1} & \alpha^{2(t-1)} & \cdots & \alpha^{(n-1)(t-1)} \end{pmatrix} x^T = 0.$$

Any t - 1 columns of H form a Vandermonde matrix. Since this matrix has
non-zero determinant, the columns are linearly independent. It follows that
$x = (x_1, \ldots, x_n)$ cannot have weight less than t. ∎
If we take n = q - 1 then we get a Reed-Solomon $[n,n-t+1,t]_q$-code as a
special case of BCH-codes. The generator of such an RS-code has the form
$$g(u) = \prod_{i=1}^{t-1} (u - \alpha^i),$$

where $\alpha$ is a primitive element of $F_q$.


Now we discuss briefly the asymptotic properties of BCH-codes. Consider
a sequence of primitive BCH-codes over some fixed field $F_q$ with word-length
$n_i = q^{m_i} - 1$, where $m_i \to \infty$. We require each code to have minimum distance of
at least $\delta n_i$ and denote the information rate of the code with length $n_i$ by $R_i$. One
can prove that $R_i \to 0$ for $i \to \infty$. So we see that for a given channel (i.e., fixed
symbol-error probability) one cannot hope to find a good code by looking at long
primitive BCH-codes (these codes are bad; see [118, Ch. 9, §5]).
Luckily BCH-codes also have a nice property, namely that they are easy to
decode. We describe an algorithm that is used to decode BCH-codes. Consider
a BCH-code of length n over $F_q$ with zeros $\alpha, \alpha^2, \ldots, \alpha^{2t}$, where $\alpha$ is a primitive
nth root of unity in $F_{q^m}$. We use the following notation. A code-word
$x(u) = x_1 + x_2 u + \cdots + x_n u^{n-1}$ is transmitted and we receive $y(u) = y_1 + y_2 u + \cdots + y_n u^{n-1}$.

Call $e(u) = y(u) - x(u) = e_1 + e_2 u + \cdots + e_n u^{n-1}$ the error-vector.
The set $I = \{i \mid 1 \le i \le n, e_i \ne 0\}$
is the set of positions where an error has occurred and we
assume that the number of errors $l = |I|$ does not exceed t. Define

$$\sigma(z) = \prod_{i \in I} (1 - \alpha^i z),$$

the so called error-locator polynomial, and

$$\omega(z) = \sum_{i \in I} e_i \alpha^i \prod_{\substack{j \in I \\ j \ne i}} (1 - \alpha^j z),$$

the error-evaluator polynomial. Clearly $\sigma(z)$ is a polynomial of degree $l \le t$ and
$\omega(z)$ has degree less than $l$. If we know these polynomials, then we know I (by
factoring $\sigma(z)$) and from $\omega(z)$ we can then find the values of the $e_i$ by substituting
$z = \alpha^{-i}$. We now make a formal calculation:

The point of the algorithm is that the first 2t coefficients on the right-hand side
are known, because $e(\alpha^j) = y(\alpha^j)$ for $1 \le j \le 2t$ by definition of the code. So, if
we write
$$S(z) = \sum_{j=1}^{2t} y(\alpha^j) z^{j-1},$$

we now have to find the unknown polynomials $\sigma(z)$ and $\omega(z)$ about which we
know that
$$\omega(z) \equiv \sigma(z) S(z) \mod (z^{2t}).$$
We now perform Euclid's algorithm to calculate the g.c.d. of S(z) and $z^{2t}$. The
algorithm starts with
$$S(z) = 0 \cdot z^{2t} + 1 \cdot S(z)$$
and produces a sequence of equations

where the degree of $r_n(z)$ decreases until the g.c.d. is reached. Clearly the pair
$r_n(z)$, $v_n(z)$ satisfies the congruence

When for the first time $r_n(z)$ has degree less than t we have found the required
pair up to a constant factor (which is determined by the fact that $\sigma(0) = 1$).
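The Euclidean decoder described above, as an added example that is not part of the book. It uses the special case n = q - 1 noted earlier (a Reed-Solomon code viewed as a BCH-code), so all arithmetic stays in a prime field; the parameters ($F_{11}$, $\alpha = 2$, t = 2), the helper names, the 0-based positions ($e(u) = e_0 + e_1 u + \cdots$) and the evaluation of the error values as $e_i = -\omega(\alpha^{-i})/\sigma'(\alpha^{-i})$ are assumptions of the example.

```python
# Added illustration: decoding with Euclid's algorithm on z^{2t} and S(z).
# Polynomials are coefficient lists, lowest degree first, over F_p.
P, ALPHA, T = 11, 2, 2        # constructed parameters: F_11, primitive element 2, t = 2
N = P - 1                     # length n = q - 1 = 10; zeros alpha, ..., alpha^{2t}

def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def sub(a, b):
    k = max(len(a), len(b))
    a, b = a + [0] * (k - len(a)), b + [0] * (k - len(b))
    return trim([(x - y) % P for x, y in zip(a, b)])

def mul(a, b):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return trim(out)

def divmod_poly(a, b):
    """Quotient and remainder of a by b (b non-zero and trimmed)."""
    a, q = trim(a), [0] * max(len(a) - len(b) + 1, 1)
    lead = pow(b[-1], P - 2, P)
    while len(a) >= len(b):
        c, k = a[-1] * lead % P, len(a) - len(b)
        q[k] = c
        a = sub(a, [0] * k + [c * y % P for y in b])
    return trim(q), a

def ev(a, x):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % P
    return r

GEN = [1]
for _j in range(1, 2 * T + 1):          # g(u) = prod_{j=1}^{2t} (u - alpha^j)
    GEN = mul(GEN, [-pow(ALPHA, _j, P) % P, 1])

def encode(msg):
    """Code-word x(u) = msg(u) g(u), padded to length n."""
    x = mul(msg, GEN)
    return x + [0] * (N - len(x))

def decode(y):
    """Correct up to t errors; return None on decoding failure."""
    S = trim([ev(y, pow(ALPHA, j, P)) for j in range(1, 2 * T + 1)])   # S(z)
    if not S:
        return list(y)
    # Invariant of every step: r_k(z) = v_k(z) S(z) mod z^{2t}.
    r0, r1, v0, v1 = [0] * (2 * T) + [1], S, [], [1]
    while len(r1) > T:                  # stop at the first remainder of degree < t
        q, r = divmod_poly(r0, r1)
        r0, r1, v0, v1 = r1, r, v1, sub(v0, mul(q, v1))
    if not v1 or v1[0] == 0:
        return None
    c = pow(v1[0], P - 2, P)            # normalise so that sigma(0) = 1
    sigma = [c * s % P for s in v1]
    omega = [c * w % P for w in r1]
    dsigma = [k * s % P for k, s in enumerate(sigma)][1:]   # formal derivative
    x, found = list(y), 0
    for i in range(N):
        zi = pow(ALPHA, (N - i) % N, P)                     # alpha^{-i}
        if ev(sigma, zi) == 0:
            e = -ev(omega, zi) * pow(ev(dsigma, zi), P - 2, P) % P
            x[i] = (x[i] - e) % P
            found += 1
    return x if found == len(sigma) - 1 else None
```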

Quadratic-Residue Codes
The quadratic-residue codes (QR-codes) $C_R$, $C'_R$, $C_N$, $C'_N$ are cyclic codes of prime
length $l$ over a field $F_p$, where p is another prime which is a quadratic residue
mod $l$. The codes $C_R$, $C_N$ are equivalent ones with parameters $[l, \frac{l+1}{2}, \ge l^{1/2}]_p$,
while $C'_R$ and $C'_N$ are equivalent codes with parameters $[l, \frac{l-1}{2}, \ge l^{1/2}]_p$. These
codes have an information rate close to 1/2, have large automorphism groups and
tend to have high minimum distance (at least if p is not too large).
Let R denote the set of quadratic residues mod $l$, and N the set of non-residues.
Since $p \in R$, the sets R and N are closed under multiplication by p. Hence, if $\alpha$ is
a primitive $l$th root of 1 in some extension of $F_p$, the polynomials
$$R(u) = \prod_{r \in R} (u - \alpha^r) \quad \text{and} \quad N(u) = \prod_{n \in N} (u - \alpha^n)$$
have coefficients in $F_p$, and also

$$u^l - 1 = (u - 1) R(u) N(u).$$
The quadratic-residue codes $C_R$, $C'_R$, $C_N$, $C'_N$ are cyclic codes (or ideals of the
ring $F_p[u]/(u^l - 1)$) with generator polynomials
$$R(u), \quad (u - 1)R(u), \quad N(u), \quad (u - 1)N(u),$$
respectively (see also Exercises 3.6-3.9). The permutation of coordinates in
$F_p[u]/(u^l - 1)$ induced by $u \mapsto u^n$ for a fixed non-residue n interchanges $C_R$
and $C_N$, and also $C'_R$ and $C'_N$, so that these codes are equivalent. Clearly $C_R \supset C'_R$
and $C_N \supset C'_N$. Besides, we have

$$C_R^\perp = C'_R, \quad C_N^\perp = C'_N \quad \text{if } l = 4k - 1,$$
$$C_R^\perp = C'_N, \quad C_N^\perp = C'_R \quad \text{if } l = 4k + 1.$$
Theorem 3.8. If d is the minimum distance of $C_R$ or $C_N$, then $d^2 \ge l$. Furthermore,
if $l = 4m + 3$, then $d^2 - d + 1 \ge l$.
Proof: Let x(u) be a code-vector of minimum non-zero weight d in $C_R$. If n
is a non-residue, $x'(u) = x(u^n)$ is a code-vector of minimum weight in $C_N$. Then
$x(u)x'(u)$ must be in $C_R \cap C_N$, i.e., must be a non-zero multiple of
$$\prod_{r \in R} (u - \alpha^r) \prod_{n \in N} (u - \alpha^n) = \prod_{i=1}^{l-1} (u - \alpha^i) = \sum_{i=0}^{l-1} u^i,$$

and hence $x(u)x'(u) = y \left( \sum u^i \right)$ for some $y \in F_p^*$. Thus $x(u)x'(u)$ has weight
$l$. Since x(u) has weight d, the maximum number of non-zero coefficients in
$x(u)x'(u)$ is $d^2$, so that $d^2 \ge l$. If $l = 4m + 3$, we can take n = -1. Now in
the product $x(u)x(u^{-1})$ there are at most $d^2 - d + 1$ non-zero coefficients, so that
$l \le d^2 - d + 1$. ∎

Alternant Codes
Alternant codes are a large family of codes obtained by a small modification of
BCH-codes (see [118, Ch. 12]). They are also closely related to the generalized
Reed-Solomon codes. Let C be a generalized Reed-Solomon $[n,k,d]_{q^m}$-code
over $F_{q^m}$. The code $C' = C^\perp \cap F_q^n$ is called an alternant code. The parameters
$[n,k',d']$ of the code C' satisfy

$$k' \ge n - m(d - 1), \quad d' \ge d.$$

Alternant codes form a very large class of codes, and the extra freedom in the
definition is enough to ensure that some long alternant codes meet the Gilbert-Varshamov
bound, in contrast to the situation for BCH-codes.

Rational Goppa Codes


Let us recall that a BCH code was defined as the set of vectors $x = (x_1, \ldots, x_n) \in F_q^n$
such that $x_1 + x_2(\alpha^j) + x_3(\alpha^j)^2 + \cdots + x_n(\alpha^j)^{n-1} = 0$, where $\alpha$ is a primitive nth
root of 1 and $1 \le j < d$. Here d is the designed distance. We can rewrite this as
follows:

$$= \sum_{j=0}^{n-1} z^j \sum_{i=0}^{n-1} x_{i+1} (\alpha^{j+1})^i = z^{d-1} f(z)$$

i.e.,
$$\sum_{i=0}^{n-1} \frac{x_{i+1}}{z - \alpha^{-i}} = \frac{z^{d-1} f(z)}{z^n - 1} \qquad (3.2)$$
for some polynomial f(z) and vice versa, i.e., $x = (x_1, \ldots, x_n)$ is in the code if and
only if the left-hand side of (3.1) written as a rational function a(z)/b(z) has a
numerator divisible by $z^{d-1}$. We now generalize this as follows.
Let g(z) be a monic polynomial of degree t over $F_{q^m}$ and let $\mathcal{P} = \{\alpha_1, \ldots, \alpha_n\} \subset F_{q^m}$.
We require that $g(\alpha_i) \ne 0$, $1 \le i \le n$. The rational Goppa code C with
Goppa polynomial g(z) is defined as
(3.3)

We can make the convention that


$$\frac{1}{z - \alpha} = -\frac{1}{g(\alpha)} \left( \frac{g(z) - g(\alpha)}{z - \alpha} \right), \qquad (3.4)$$

where the right-hand side is the unique polynomial $r(z) \bmod g(z)$ such that
$(z - \alpha) r(z) \equiv 1 \mod (g(z))$. From (3.1) we see that if we take $g(z) = z^{d-1}$ and
$\mathcal{P} = \{\alpha^{-i} \mid 0 \le i \le n - 1\}$, where $\alpha$ is a primitive nth root of unity, then the
rational Goppa code C is the narrow-sense BCH-code of designed distance d. We
remark that not all BCH-codes are also rational Goppa codes.
We can also interpret (3.2) as follows. Consider the vector space of rational
functions f(z) with the following properties:
(i) f(z) has zeros in all the points where g(z) has zeros, with at least the same
multiplicity;

(ii) f(z) has no poles, except possibly in the points $\alpha_1, \ldots, \alpha_n$ and then of order
1.
Consider the code over $F_{q^m}$ consisting of all the vectors $(\operatorname{Res}_{\alpha_1} f, \ldots, \operatorname{Res}_{\alpha_n} f)$.
The rational Goppa code C is the "subfield subcode" consisting of all vectors in
the code with coordinates in $F_q$.
We shall find now a parity-check matrix for C. Let
$$g(z) = \sum_{k=0}^{t} g_k z^k.$$
Then
$$\frac{g(z) - g(u)}{z - u} =$$
so we have an easy expression for the polynomials on the right-hand side of (3.3).
By (3.2) we must have, with $h_i = g^{-1}(\alpha_i)$, $1 \le i \le n$,

$$\sum_{i=1}^{n} x_i h_i \sum_{0 \le k+j \le t-1} g_{k+j+1} (\alpha_i)^j z^k = 0,$$

i.e., the coefficient of $z^k$ is zero for $0 \le k \le t - 1$. We see that $x = (x_1, \ldots, x_n)$
must have zero inner product with the rows of the matrix

$$\begin{pmatrix} h_1 g_t & h_2 g_t & \cdots & h_n g_t \\ h_1(g_{t-1} + g_t \alpha_1) & h_2(g_{t-1} + g_t \alpha_2) & \cdots & h_n(g_{t-1} + g_t \alpha_n) \\ \vdots & \vdots & & \vdots \\ h_1(g_1 + \cdots + g_t \alpha_1^{t-1}) & \cdots & \cdots & h_n(g_1 + \cdots + g_t \alpha_n^{t-1}) \end{pmatrix}.$$

Using elementary row operations we then find the following simple parity-check
matrix for C:

$$H = \begin{pmatrix} h_1 & h_2 & \cdots & h_n \\ h_1 \alpha_1 & h_2 \alpha_2 & \cdots & h_n \alpha_n \\ \vdots & \vdots & & \vdots \\ h_1 \alpha_1^{t-1} & h_2 \alpha_2^{t-1} & \cdots & h_n \alpha_n^{t-1} \end{pmatrix}.$$

Note that H is the generator matrix for a generalized Reed-Solomon code of
degree t - 1. It follows that C is a subfield subcode of a generalized RS-code.
Observe that we can again interpret each row of the matrix H as a set of m
rows over $F_q$. So we find the following result:
Theorem 3.9. The rational Goppa code C has parameters $[n, \ge (n - mt), \ge t + 1]_q$.
The fact that the minimum distance is at least t + 1 follows directly from the
definition (3.2). Since the code is linear, we can consider the weight $\|x\|$ of
$x = (x_1, \ldots, x_n)$. If this is w then the degree of the numerator a(z) of the sum

$$\sum_{i=1}^{n} \frac{x_i}{z - \alpha_i}$$

is w - 1 (in fact less if $\sum x_i = 0$). So w - 1 is at least t. If q = 2 we can say a lot
more.
Define
$$f(z) = \prod_{i=1}^{n} (z - \alpha_i)^{x_i},$$
so that
$$\sum_{i=1}^{n} \frac{x_i}{z - \alpha_i} = \frac{f'(z)}{f(z)}.$$
Since all exponents in $f'(z)$ are even, this is a perfect square. If we assume that
g(z) has no multiple zeros, then the fact that g(z) divides $f'(z)$ implies that $g^2(z)$
divides $f'(z)$.
Theorem 3.10. If g(z) has no multiple roots, then the binary rational Goppa code
C has minimum distance at least 2t + 1, where $t = \deg g(z)$.
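A small binary rational Goppa code worked out in full, as an added example that is not part of the book. It takes $F_{q^m} = F_8$, all eight field elements as the points $\alpha_i$ and $g(z) = z^2 + z + 1$ (constructed choices), builds the code once from the simple parity-check matrix $H = (h_i \alpha_i^j)$ and once from the standard defining congruence $\sum_i x_i/(z - \alpha_i) \equiv 0 \bmod g(z)$ with convention (3.4), and measures the parameters promised by Theorems 3.9 and 3.10.

```python
# Added illustration: a binary rational Goppa code over F_8.
from itertools import product

M, T = 3, 2                       # F_{q^m} = F_8 with q = 2, deg g = t = 2
G = [1, 1, 1]                     # g(z) = g_0 + g_1 z + g_2 z^2 = z^2 + z + 1 (constructed)
POINTS = list(range(8))           # all of F_8, elements encoded as 3-bit integers

def gf_mul(a, b):
    """Multiplication in F_8 = F_2[x]/(x^3 + x + 1)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0b1000:
            a ^= 0b1011
        b >>= 1
    return r

def gf_pow(a, k):
    r = 1
    for _ in range(k):
        r = gf_mul(r, a)
    return r

def g_at(a):
    """Value g(a); addition in characteristic 2 is XOR."""
    r = 0
    for k, gk in enumerate(G):
        r ^= gf_mul(gk, gf_pow(a, k))
    return r

assert all(g_at(a) != 0 for a in POINTS)           # required: g(alpha_i) != 0
H_COEF = [gf_pow(g_at(a), 6) for a in POINTS]      # h_i = g(alpha_i)^{-1} = g(alpha_i)^6

def in_code_by_H(x):
    """x has zero inner product with every row (h_i alpha_i^j), 0 <= j < t."""
    for j in range(T):
        s = 0
        for xi, hi, a in zip(x, H_COEF, POINTS):
            if xi:
                s ^= gf_mul(hi, gf_pow(a, j))
        if s:
            return False
    return True

def in_code_by_definition(x):
    """sum_i x_i/(z - alpha_i) = 0 mod g(z), where 1/(z - alpha_i) is replaced by
    h_i * sum_{k+j<=t-1} g_{k+j+1} alpha_i^j z^k (signs vanish in characteristic 2)."""
    coeffs = [0] * T                               # coefficients of z^0 .. z^{t-1}
    for xi, hi, a in zip(x, H_COEF, POINTS):
        if xi:
            for k in range(T):
                for j in range(T - k):
                    coeffs[k] ^= gf_mul(hi, gf_mul(G[k + j + 1], gf_pow(a, j)))
    return not any(coeffs)

def codewords():
    """All binary vectors of length n = 8 in the Goppa code."""
    return [x for x in product((0, 1), repeat=len(POINTS)) if in_code_by_H(x)]

def min_distance(code):
    return min(sum(x) for x in code if any(x))
```

The code found has 4 words and minimum distance 5: the dimension meets the bound n - mt = 2 of Theorem 3.9 with equality, and the distance equals 2t + 1 from Theorem 3.10 rather than the generic t + 1.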
We shall now show that the set of rational Goppa codes is much nicer than
BCH-codes by showing that there are good long Goppa codes. We choose $n = q^m$,
t, d and take $\mathcal{P} = F_{q^m}$. It remains to select a Goppa polynomial g(z) of degree t
over $F_{q^m}$ that is monic irreducible and such that C has a minimum distance of at
least d. Suppose $x = (x_1, \ldots, x_n)$ is a word of weight s < d (i.e., a word that we
do not allow in the code). As we saw before the numerator of

$$\sum_{i=1}^{n} \frac{x_i}{z - \alpha_i}$$

has degree s - 1 and at most $\lfloor \frac{s-1}{t} \rfloor$ different monic irreducible polynomials of
degree t can divide this numerator. Therefore we have to exclude at most

monic irreducible polynomials of degree t. This number is less than

$$\frac{d}{t} \sum_{s=0}^{d-1} \binom{n}{s} (q - 1)^s$$

and we know that

$$\lim_{n \to \infty} n^{-1} \log_q \left( \sum_{s=0}^{\lfloor \delta n \rfloor} \binom{n}{s} (q - 1)^s \right) = H_q(\delta).$$

A sufficient condition for the existence of the code we are looking for is that

$$\frac{d}{t} \sum_{s=0}^{d-1} \binom{n}{s} (q - 1)^s$$
is less than the total number of monic irreducible polynomials of degree t over
$F_{q^m}$, which is known to be
$$\frac{1}{t} q^{mt} (1 + o(1)).$$
So we find a sufficient condition (after taking $d = \lfloor \delta n \rfloor$ and $n \to \infty$)
$$H_q(\delta) < \frac{mt}{n} + o(1), \quad m \to \infty.$$
From Theorem 3.9 we know that the codes we are considering have information
rate $R \ge 1 - mt/n$. So we have proved the following result:
Theorem 3.11. There exists a sequence of rational Goppa codes over $F_q$ that have
information rate tending to $1 - H_q(\delta)$ (i.e., the rate tends to the Gilbert-Varshamov
bound).
We note that the decoding method that we discussed for BCH codes can
be generalized also to Goppa codes. Consider the received word y = x + e,
$x \in C$, $e = (e_1, \ldots, e_n)$, and define

$$S(z) = \sum_{i=1}^{n} \frac{e_i}{z - \alpha_i}$$
(using the convention (3.3)). By (3.2) we can calculate S(z) from $y = (y_1, \ldots, y_n)$.
Now we again define error-locator and error-evaluator polynomials by

$$\sigma(z) = \prod_{i \in I} (z - \alpha_i), \quad \omega(z) = \sum_{i \in I} e_i \prod_{\substack{j \in I \\ j \ne i}} (z - \alpha_j).$$

Then clearly
$$S(z)\sigma(z) \equiv \omega(z) \mod (g(z)),$$
and we can again apply Euclid's algorithm.

Justesen Codes
Consider a $q^m$-ary Reed-Solomon $[n,k,n+1-k]_{q^m}$-code C, and let

$$y = (1, \alpha, \alpha^2, \ldots, \alpha^{n-1}),$$

$\alpha$ being a primitive element of $F_{q^m}$. Let

i.e.,

and consider C' as a q-ary code. One can prove (see Exercise 3.5) that the Justesen
code C' has parameters

$$\left[ 2mn,\ mk,\ \sum_{i=1}^{l} i \binom{2m}{i} (q - 1)^i \right]_q,$$

where $l$ is the largest integer such that

$$\sum_{i=1}^{l} \binom{2m}{i} (q - 1)^i \le n - k + 1.$$

The Justesen codes form a class of asymptotically good linear codes (see van Lint
[115, §9.2]).

Golay Codes
The Golay codes, of all codes, provide probably the most interesting examples for
both practical and theoretical reasons. These codes can be described in several
different ways.
Consider the field $F_{2^{11}}$. We have $2^{11} - 1 = 23 \cdot 89$ and hence the roots of unity
of degree 23 lie in this field. Let $\alpha \in F_{2^{11}}$ be such a primitive root and let

The code $C_{23}$ is in fact a quadratic-residue $[23,12,7]_2$-code. Over $F_2$ we have

$$u^{23} + 1 = (u + 1)(u^{11} + u^{10} + u^6 + u^5 + u^4 + u^2 + 1)(u^{11} + u^9 + u^7 + u^6 + u^5 + u + 1),$$

so the generator of C23 can be taken to be either

(it depends on the choice of $\alpha$). The minimum distance of $C_{23}$ is much larger than
might be expected.
The full automorphism group of the Golay code $C_{23}$ is the 4-fold transitive
Mathieu group $M_{23}$ of the order $23 \cdot 22 \cdot 21 \cdot 20 \cdot 48 = 10200960$. The spectrum of
$C_{23}$ has the form

$$W_{23}(u) = u^{23} + 253u^{16} + 506u^{15} + 1288u^{12} + 1288u^{11} + 506u^8 + 253u^7 + 1 = u^{23} W_{23}(u^{-1}).$$

The extended $[24,12,8]_2$-code $C_{24}$ is obtained by adding an overall parity-check
to $C_{23}$ (see next section). The extended Golay code $C_{24}$ has a larger
automorphism group and is therefore more fundamental. The full automorphism
group of $C_{24}$ is the 5-fold transitive Mathieu group $M_{24}$ of the order
$24 \cdot 23 \cdot 22 \cdot 21 \cdot 20 \cdot 48 = 244823040$. It contains a group isomorphic to $PSL_2(F_{23})$.
The spectrum of $C_{24}$ is

A similar situation takes place over $F_3$. Consider the field $F_{3^5}$ and observe that
$3^5 - 1 = 11 \cdot 22$. Let $\alpha \in F_{3^5}$ be a primitive root of degree 11 and let

This is a quadratic-residue $[11,6,5]_3$-code. The generator polynomial of the Golay
code $C_{11}$ can be taken to be either

Adding an overall parity-check we get an extended $[12,6,6]_3$-code $C_{12}$. The
automorphism group of the extended Golay code $C_{12}$ contains a group isomorphic
to $PSL_2(11)$ and it is isomorphic to the much larger Mathieu group $M_{12}$. This is
a 5-fold transitive group of the order $12 \cdot 11 \cdot 10 \cdot 9 \cdot 8 = 95040$. The spectrum of
$C_{12}$ is
$$W_{12}(u) = u^{12} + 264u^6 + 440u^3 + 24.$$

We note also that the extended Golay codes $C_{24}$ and $C_{12}$ are self-dual.
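The binary Golay code checked by direct enumeration, as an added example that is not part of the book. It builds $C_{23}$ as the cyclic code generated by the first degree-11 factor of $u^{23} + 1$ given above, compares its weight distribution with $W_{23}(u)$ (the coefficient of $u^{23-i}$ counts the words of weight i), and checks that the extended code has minimum distance 8 and is self-dual; polynomials are stored as bit masks and the function names are assumptions of the example.

```python
# Added illustration: the binary Golay code C_23 as a cyclic code.
from collections import Counter

N = 23
G23 = 0b110001110101      # u^11 + u^10 + u^6 + u^5 + u^4 + u^2 + 1; bit k = coefficient of u^k

def clmul(a, b):
    """Product of two polynomials over F_2 stored as bit masks."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def polymod(a, m):
    """Remainder of a modulo m over F_2."""
    while a.bit_length() >= m.bit_length():
        a ^= m << (a.bit_length() - m.bit_length())
    return a

def weight(c):
    return bin(c).count("1")

def golay23():
    """All 2^12 code-words m(u) g(u) with deg m < 12 (degree <= 22, no reduction needed)."""
    return [clmul(m, G23) for m in range(1 << (N - 11))]

def spectrum(code):
    """Map weight -> number of code-words of that weight."""
    return dict(Counter(weight(c) for c in code))

def is_cyclic(code):
    """Closed under multiplication by u modulo u^23 - 1 (a cyclic shift)."""
    words, mask = set(code), (1 << N) - 1
    return all((((c << 1) & mask) | (c >> (N - 1))) in words for c in words)

def extend(c):
    """Append an overall parity-check bit as coordinate 24."""
    return c | ((weight(c) & 1) << N)

def extended_is_self_dual():
    """C_24 has dimension 12 = 24/2, so pairwise orthogonality of a basis suffices."""
    basis = [extend(clmul(1 << i, G23)) for i in range(12)]
    return all(weight(a & b) % 2 == 0 for a in basis for b in basis)
```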

Perfect Codes
A code C is called perfect if d = 2t + 1 and $F_q^n$ is the union of balls of radius
t centered at code-vectors. It is clear that this property depends only on the
parameters $[n,k,d]_q$. The set of all perfect codes is characterized by the following
theorem (see [14, p. 252]):

Theorem 3.12 (Tietavainen and van Lint). Let an $[n,k,d]_q$-code C (linear or
nonlinear) be perfect. Then either k = 0, or k = n, or q = 2, k = 1 and n - d is
odd, or the parameters of C are exactly those of Hamming or Golay codes, i.e.,
either
$$[n, n - m, 3]_q, \quad n = \frac{q^m - 1}{q - 1},$$
or $[23,12,7]_2$, or $[11,6,5]_3$.

Group Codes
The notion of a cyclic code can be extended to the case of an arbitrary finite group
G.
Recall that a group algebra of G is an algebra of functions

where the multiplication is defined as (see [107, pp. 104, 664])

$$(f_1 f_2)(g) = \sum_{h \in G} f_1(h) f_2(h^{-1} g).$$

The group G operates on $F_q[G]$ from the right: $(fg)(h) = f(hg)$. For a subgroup
$H \subseteq G$, the invariant space is defined as

$$F_q[G/H] = \{f \in F_q[G] \mid f(gh) = f(g) \text{ for any } g \in G, h \in H\}.$$

Every G-space $F_q[G/H]$ has a natural basis $f_1, \ldots, f_l$, where $l = [G : H]$, and the
functions $f_i$ have the property

if $i = j$
if $i \ne j$,

$\{g_1 H, \ldots, g_l H\}$ being the set of right cosets of H in G.


Thus any subspace $C \subseteq F_q[G/H]$ can be naturally regarded as a linear code
(the choice of basis $\{f_1, \ldots, f_l\}$ provides a possibility to identify $F_q[G/H]$ with
$F_q^l$). The same is valid for every G-space of the form

where $H_1, \ldots, H_m$ are arbitrary subgroups in G, so that any subspace $C \subseteq M$ is a
linear code over $F_q$.
Now let $G \subseteq (S_n \cap \operatorname{Aut} C)$ be a subgroup of the automorphism group of $C \subseteq F_q^n$
operating by permutations of coordinates. Let $\mathcal{B} = \{e_1, \ldots, e_n\}$ be the natural
basis of $F_q^n$. The group G acts on $\mathcal{B}$, hence $\mathcal{B}$ is a disjoint union of G-orbits:
$\mathcal{B} = \mathcal{O}_1 \cup \cdots \cup \mathcal{O}_m$, where $\mathcal{O}_j = G e_j$ is the orbit of some element $e_j \in \mathcal{B}$. Let $H_j$ be
the stabilizer of $e_j$, so that there is an isomorphism of G-sets: $\mathcal{O}_j \cong G/H_j$. Then
$F_q^n$ is identified with a G-space $F_q[G/H_1] \oplus \cdots \oplus F_q[G/H_m]$. In particular, if G
acts transitively, then $F_q^n$ can be identified with $F_q[G/H]$, and C can be regarded
as a G-subspace in $F_q[G/H]$. Since $F_q[G/H]$ is a right ideal of the group algebra
$F_q[G]$, the code C is in this case also a right ideal of $F_q[G]$.
For example, if Aut C contains a cyclic subgroup of order n permuting $e_1, \ldots, e_n$
then C is embedded into the group algebra $R_n = F_q[u]/(u^n - 1)$ as an ideal, i.e.,
C is a cyclic code.

3.3. CONSTRUCTING CODES FROM OTHER CODES

Many new codes can be obtained by combining and modifying previously constructed
codes. In this section we shall describe several methods, starting with
those that do not change q.

Direct Sum
Let $C_1 \subseteq F_q^{n_1}$ and $C_2 \subseteq F_q^{n_2}$ be $[n_1,k_1,d_1]_q$ and $[n_2,k_2,d_2]_q$-linear codes,
respectively. Their direct sum
$$C = C_1 \oplus C_2 \subseteq F_q^{n_1 + n_2}$$
is the set of vectors $x = (x_1, x_2)$, where $x_1 \in C_1$ and $x_2 \in C_2$. Clearly C is a linear
$[n_1 + n_2, k_1 + k_2, d]_q$-code with $d = \min(d_1, d_2)$. We can also consider direct sums
of any finite number of codes. If all these codes are equal, we obtain the power $C^m$
of the original code C. If C has parameters $[n,k,d]_q$ we get an $[mn,mk,d]_q$-code.

Tensor Product
The tensor (or Kronecker) product

of linear $[n_1,k_1,d_1]_q$ and $[n_2,k_2,d_2]_q$-codes $C_1 \subseteq F_q^{n_1}$ and $C_2 \subseteq F_q^{n_2}$ respectively is
defined to be the $[n_1 n_2, k_1 k_2, d_1 d_2]_q$-code whose code-words consist of all $n_1 \times n_2$
matrices in which the rows belong to $C_1$ and columns belong to $C_2$ (the set of such
matrices can be identified with a linear subspace of $F_q^{n_1 n_2}$).

If $G_1$ and $G_2$ are generator matrices for $C_1$ and $C_2$ respectively then the Kronecker
product $G_1 \otimes G_2$ is a generator matrix for $C = C_1 \otimes C_2$ (see Exercise 3.10). Using
this fact one can easily prove the following result:
Proposition 3.13. If $C_1$ and $C_2$ are cyclic codes with parameters $[n_1,k_1,d_1]_q$ and
$[n_2,k_2,d_2]_q$, respectively, and if $(n_1, n_2) = 1$ then $C_1 \otimes C_2$ is also cyclic.
We can, of course, consider the tensor product of any finite number of codes,
in particular, the tensor power $C^{\otimes m}$ of a code C. Its parameters are $[n^m, k^m, d^m]_q$.
For example, if

$$C = \{(000), (011), (101), (110)\} \subseteq F_2^3$$

is a $[3,2,2]_2$-code, then $C^{\otimes 2}$ consists of the following matrices:

Unfortunately tensor product codes usually have poor minimum distance (but
are easy to decode).

Pasting
Let $C_1$ and $C_2$ be $[n_1,k,d_1]_q$ and $[n_2,k,d_2]_q$-linear codes, respectively, given by encoding maps
$$\varphi_1 : F_q^k \to F_q^{n_1} \quad \text{and} \quad \varphi_2 : F_q^k \to F_q^{n_2}.$$
It is natural to consider the diagonal map

$$(\varphi_1,\varphi_2) : F_q^k \to F_q^{n_1} \oplus F_q^{n_2} = F_q^{n_1+n_2}.$$

The image $C = \operatorname{Im}(\varphi_1,\varphi_2)$ is called the pasting of $C_1$ and $C_2$. Clearly $C$ is an $[n_1+n_2,k,d_1+d_2]_q$-code.
Applying this construction several times to the same $[n,k,d]_q$-code we get the $m$-times repetition of the code. Its parameters are $[mn,k,md]_q$.

A Code from an Embedded Pair


Let $C_1 \supset C_2$ be respectively $[n,k,d]_q$ and $[n,k-1,d+1]_q$-linear codes. Choose $x \in C_1$ and $x \notin C_2$. Every vector of $C_1$ has the form $x_0 \cdot x + y$, $x_0 \in F_q$, $y \in C_2$. If we extend the code $C_1$ adding to $x_0 \cdot x + y$ the $(n+1)$th coordinate equal to $x_0$, we obtain a linear $[n+1,k,d+1]_q$-code.

(x,x +y)-Construction
Let linear $[n,k_1,d_1]_q$ and $[n,k_2,d_2]_q$-codes $C_1 \subseteq F_q^n$ and $C_2 \subseteq F_q^n$ lie in the same vector space $F_q^n$. Define

$$C = \{(x, x+y) \mid x \in C_1,\ y \in C_2\}.$$

Then $C$ is a linear $[2n,k_1+k_2,d]_q$-code, where $d = \min(2d_1,d_2)$.

Shortening by the Distance


This construction was described in the proof of Theorem 2.3. Applying it to a linear $[n,k,d]_q$-code $C$ we can find an $[n-d,k-1,\geq \lceil d/q \rceil]_q$-code.

Shortening by the Dual Distance


Let $C$ be a linear $[n,k,d]_q$-code such that its dual code $C^\perp$ has the minimum distance $d^\perp \le k$. Choose a parity-check matrix $H$ such that one of its rows $y$ has weight $d^\perp$. Deleting the row $y$ and the $d^\perp$ columns where $y$ has non-zero coordinates, we get a linear $[n-d^\perp,k-d^\perp+1,d]_q$-code.

Overall Parity-Check
Let $C \subseteq F_2^n$ be a linear $[n,k,d]_2$-code with odd $d$. We form a new linear code $C' \subseteq F_2^{n+1}$ as

Since every code-vector now has an even weight, we see that $C'$ is an $[n+1,k,d+1]_q$-code.
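The constructions above that keep $q$ fixed can be checked mechanically. The following is an added example, not taken from the book: it builds generator matrices over $F_2$ for the direct sum, tensor product, pasting, $(x,x+y)$ and overall parity-check constructions and finds $[n,k,d]$ by brute force. The function names and the sample codes `R3` and `F5` are choices made for this illustration; `E3` generates the $[3,2,2]_2$-code used in the tensor-product example.

```python
from itertools import product

def span(G):
    """All codewords of the binary linear code generated by the rows of G."""
    n = len(G[0])
    return {tuple(sum(c * row[j] for c, row in zip(coeffs, G)) % 2 for j in range(n))
            for coeffs in product((0, 1), repeat=len(G))}

def params(G):
    """Brute-force (n, k, d) of the binary code spanned by the rows of G."""
    words = span(G)
    k = len(words).bit_length() - 1            # |C| = 2^k
    d = min(sum(w) for w in words if any(w))   # minimum non-zero weight
    return (len(G[0]), k, d)

def direct_sum(G1, G2):
    """Vectors (x1, x2), x1 in C1, x2 in C2: block-diagonal generator matrix."""
    n1, n2 = len(G1[0]), len(G2[0])
    return [r + [0] * n2 for r in G1] + [[0] * n1 + r for r in G2]

def kron(G1, G2):
    """Kronecker product of generator matrices; it generates the tensor product."""
    return [[a * b for a in r1 for b in r2] for r1 in G1 for r2 in G2]

def tensor_matrices(G1, G2):
    """Tensor-product codewords, reshaped row-major into n1 rows of length n2."""
    n2 = len(G2[0])
    return [[w[i:i + n2] for i in range(0, len(w), n2)]
            for w in sorted(span(kron(G1, G2)))]

def paste(G1, G2):
    """Pasting: one message is encoded by both codes, outputs side by side."""
    assert len(G1) == len(G2), "both codes must have the same dimension k"
    return [r1 + r2 for r1, r2 in zip(G1, G2)]

def x_x_plus_y(G1, G2):
    """(x, x+y)-construction: rows (g, g) for g in G1 and (0, h) for h in G2."""
    n = len(G1[0])
    return [r + r for r in G1] + [[0] * n + r for r in G2]

def overall_parity(G):
    """Append a coordinate making every row, hence every codeword, even."""
    return [r + [sum(r) % 2] for r in G]

# Sample generator matrices (R3 and F5 are constructed for this example).
E3 = [[1, 0, 1], [0, 1, 1]]                    # [3,2,2] even-weight code
R3 = [[1, 1, 1]]                               # [3,1,3] repetition code
F5 = [[1, 0, 1, 1, 0], [0, 1, 0, 1, 1]]        # a [5,2,3] code

if __name__ == "__main__":
    print("direct sum   ", params(direct_sum(E3, R3)))   # d = min(d1, d2)
    print("tensor       ", params(kron(E3, E3)))         # d = d1 * d2
    print("pasting      ", params(paste(E3, F5)))        # d = d1 + d2 here
    print("(x, x+y)     ", params(x_x_plus_y(E3, R3)))   # d = min(2*d1, d2)
    print("parity check ", params(overall_parity(x_x_plus_y(E3, R3))))
    for M in tensor_matrices(E3, E3):                    # the 16 words of the tensor square
        print(["".join(map(str, row)) for row in M])
```

The pasted code reaches $d_1 + d_2 = 5$ for this pair of encoders, and the overall parity-check applied to the $[6,3,3]$ code from the $(x,x+y)$-construction gives a $[7,3,4]$ code.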
Now we pass to the other type of constructions, where we change q. We start
with the case of linear codes.

Subfield Restriction
Let $F_{q'}$ be a subfield of $F_q$, $q = q'^m$, and $C$ be a linear $[n,k,d]_q$-code. Set
$$C' = C \cap F_{q'}^n \subseteq F_{q'}^n$$
and note that $C' \subseteq F_{q'}^n$ is a linear $F_{q'}$-subspace. Hence $C'$ is a linear $[n,k',d']_{q'}$-code over $F_{q'}$ and clearly
$$k' \geq n - m(n-k), \qquad d' \geq d.$$
This construction makes sense when applied to linear codes with an information rate $R = k/n$ close to 1.

Concatenation
Let $C_0 \subseteq F_{q'}^{n_0}$ be a linear $[n_0,m,d_0]_{q'}$-code given by an encoding map $\varphi_0 : F_{q'}^m \to F_{q'}^{n_0}$ and $C \subseteq F_q^n$, $q = q'^m$, a linear $[n,k,d]_q$-code given by an encoding map $\varphi : F_q^k \to F_q^n$ (we call $C_0$ the inner code, and $C$ the outer code). Define a new code $C' \subseteq F_{q'}^{n_0 n}$ with the help of the composition of maps

$$F_{q'}^{mk} \simeq F_q^k \xrightarrow{\ \varphi\ } F_q^n \simeq (F_{q'}^m)^n \xrightarrow{(\varphi_0,\dots,\varphi_0)} F_{q'}^{n_0 n}$$

and call it the concatenation of $C$ and $C_0$. One can show (see Exercise 3.11) that $C'$ has parameters $[n_0 n,mk,d_0 d]_{q'}$.
When $C_0$ is an $[m,m,1]_{q'}$-code, this construction is called the field descent, and the parameters are $[mn,mk,d]_{q'}$.
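A worked instance of the concatenation just described, added here as an example and not taken from the book: the outer code is a Reed-Solomon $[3,2,2]_4$-code, the inner code is the binary $[3,2,2]_2$-code, so $q' = 2$ and $m = 2$. The integer encoding of $F_4$ and all function names are assumptions made for this illustration.

```python
from collections import Counter
from itertools import product

# F_4 = {0, 1, a, a^2} with a^2 = a + 1. The element b1*a + b0 is stored as
# the integer 2*b1 + b0, so addition in F_4 is XOR of the integers.
def gf4_mul(x, y):
    p = 0
    for i in range(2):                 # carry-less product of the bit polynomials
        if (y >> i) & 1:
            p ^= x << i
    if p & 4:                          # reduce with a^2 = a + 1
        p ^= 0b111
    return p

POINTS = (1, 2, 3)                     # evaluation points 1, a, a^2

def outer_encode(msg):
    """Outer Reed-Solomon [3,2,2]_4 code: f = c0 + c1*x evaluated at POINTS."""
    c0, c1 = msg
    return tuple(c0 ^ gf4_mul(c1, x) for x in POINTS)

def inner_encode(sym):
    """Inner [3,2,2]_2 code on the two bits of an F_4 symbol: (b1, b0, b1+b0)."""
    b1, b0 = sym >> 1, sym & 1
    return (b1, b0, b1 ^ b0)

def field_descent(sym):
    """Trivial inner [2,2,1]_2 code: just the two bits of the symbol."""
    return (sym >> 1, sym & 1)

def concat_encode(bits, inner=inner_encode):
    """F_2^4 ~ F_4^2 -> F_4^3 ~ (F_2^2)^3 -> F_2^(3*n0), as in the composition above."""
    msg = (2 * bits[0] + bits[1], 2 * bits[2] + bits[3])
    out = []
    for sym in outer_encode(msg):
        out.extend(inner(sym))
    return tuple(out)

def params(encode, k_bits):
    """Brute-force (n, k, d, is_F2_linear) of the image of a binary encoder."""
    words = {encode(b) for b in product((0, 1), repeat=k_bits)}
    linear = all(tuple(u ^ v for u, v in zip(x, y)) in words
                 for x in words for y in words)
    d = min(sum(w) for w in words if any(w))
    return (len(next(iter(words))), len(words).bit_length() - 1, d, linear)

def weight_distribution(encode, k_bits):
    return dict(Counter(sum(encode(b)) for b in product((0, 1), repeat=k_bits)))

if __name__ == "__main__":
    print(params(concat_encode, 4))                                   # [n0*n, m*k, d0*d]
    print(params(lambda b: concat_encode(b, inner=field_descent), 4)) # [m*n, m*k, d]
    print(weight_distribution(concat_encode, 4))
```

Every non-zero outer symbol becomes an inner word of weight 2, so the binary weights are exactly twice the outer weights (2 or 3), which is why the bound $d_0 d = 4$ is attained here.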
Now we are going to present two essentially non-linear constructions. Let $C$ be an $[n,k,d]_q$-code, with $k \in \mathbb{R}$, $q \in \mathbb{Z}$, $q \geq 2$.

Alphabet Extension
Let $q \le q'$, and $C$ be an $[n,k,d]_q$-code. Let us embed an alphabet $F$ of cardinality $q$ into an alphabet $F'$ of cardinality $q'$. Now if we consider an embedding $C \hookrightarrow F^n \hookrightarrow F'^n$, we get an $[n,k\log_{q'} q,d]_{q'}$-code.

Alphabet Restriction
Let, vice versa, $q' \le q$. We embed $F'$ into $F$ and make $F$ an abelian group (setting, for example, $F = \mathbb{Z}/q\mathbb{Z}$). Consider all $q^n$ shifts $C_y$ of the code $C$ by vectors $y \in F^n$, $C_y = \{y + x \mid x \in C\}$. In the totality of sets $C_y$ each vector $z \in F^n$ appears exactly $M = |C| = q^k$ times. Consider all intersections $F'^n \cap C_y$. There are $q^n$ of them and their total cardinality is $M q'^n$. Hence there exists $C_y$ such that

$$|F'^n \cap C_y| \geq M \left(\frac{q'}{q}\right)^n.$$

Since the shift does not change the minimum distance, we have obtained an $[n, \geq n - (n-k)\log_{q'} q, \geq d]_{q'}$-code.

Decoding
In the process of combining or modifying previously constructed codes one must also provide an easy decoding procedure for the resulting code, supposing we know decoding algorithms for the codes we start with. In general the constructions presented above pose no problems in finding a fast decoding algorithm. For example, if there is a fast decoding algorithm of a $q$-ary code $C \subseteq F_q^n$, the same algorithm decodes the field restriction $C' = C \cap F_{q'}^n \subseteq F_{q'}^n$.
A more serious difficulty arises in the case of concatenation. To clarify the situation we need the following notion: an erasure is an error whose position we know. Suppose we have transmitted $x \in C$ and received $y \in F_q^n$, $y = x + e + e'$, $I = \{i \mid 1 \le i \le n,\ e_i \ne 0\}$, $I' = \{i \mid 1 \le i \le n,\ e'_i \ne 0\}$, $I$ being unknown to us (the set of error-locators) and $I'$ being known (the set of erasure-locators). The vector $e$ is called the error-vector, and $e'$ the erasure-vector. If there is an algorithm which finds out the nearest code vector $x$ for every $e$ and $e'$ such that $|I| \le t$ and $|I'| \le t'$, we say that the code corrects $t$ errors and $t'$ erasures.
Now it is not difficult to prove (see Exercise 3.12) the following result:

Proposition 3.14. Let $C$ be a linear $[n,k,d]_q$-code, $q = q'^m$, which is given together with a decoding algorithm correcting $t$ errors and $t'$ erasures for any $t$ and $t'$ such that $2t + t' \le d' - 1$, $d' \le d$. Let $C_0$ be an $[n_0,m,d_0]_{q'}$-code given with a decoding algorithm correcting $t_0 \le \lfloor (d_0 - 1)/2 \rfloor$ errors, $d_0 \le d$. Then the concatenated $[n_0 n,mk,d_0 d]_{q'}$-code $C'$ has a decoding algorithm correcting any $s \le \lfloor (d_0 d' - 1)/2 \rfloor$ errors.

EXERCISES

3.1. Let $C$ be a Reed-Solomon $[n,m+1,n-m]_q$-code corresponding to $P = F_q$. Prove that $C^\perp$ is also a Reed-Solomon code with $m^\perp = n-m-2$ and parameters $[n,n-m-1,m+2]_q$. (Hint: Use the fact that $\sum_{\alpha \in F_q} \alpha^i = 0$ for $1 \le i < q-1$.)

3.2. Show that all non-zero code-vectors of a Reed-Muller $\left[\frac{q^{m+1}-1}{q-1},m+1,q^m\right]_q$-code $C$ of order 1 are of the same weight $q^m$, i.e.,

Calculate the spectrum of the Hamming code $C_H = C^\perp$ dual to the code $C$. (Hint: Use Theorem 1.17.)

3.3. Let $n = q^m$, $r = a(q-1) + T \le m(q-1)$, $1 \le T \le q-1$ and $L_m(r)$ be the linear space over $F_q$ spanned by monomials $u_1^{a_1} \cdots u_m^{a_m}$, $0 \le a_i \le q-1$, $\sum a_i = r$. Prove that if $P = F_q^m$ then the Reed-Muller code $C = Ev(L_m(r))$ defined by

$$Ev : L_m(r) \hookrightarrow F_q^n$$

has parameters $n = q^m$ and

$$d = (q-T)q^{m-a-1}.$$
(Hint: To compute $k$ one can calculate the number of ways to place $m$ objects in $i$ cells such that no cell contains more than $j$ objects and then apply an exclusion-inclusion argument. To compute $d$ one can just use induction on $m$.)
3.4. Let $F_{q^m}$ be the splitting field of the polynomial $u^n - 1$. The group $F_{q^m}^*$ is cyclic and its subgroup $U_n$ of $n$th roots of 1 is also cyclic. Hence
$$u^n - 1 = \prod_{i=0}^{n-1} (u - \alpha^i),$$

where $\alpha$ is a generator of $U_n$, and if $g(u) \mid (u^n - 1)$ then

$$g(u) = \prod_{i \in I} (u - \alpha^i)$$

for a subset $I \subseteq \{0,1,\dots,n-1\}$. Check that $m$ is the smallest positive integer such that $n \mid (q^m - 1)$ and the coefficients of $g(u)$ belong to $F_q$ if and only if $qI \equiv I \mod (q)$.
3.5. Prove that Justesen code $C$ constructed from a Reed-Solomon $[n,k,n-k+1]_{q^m}$-code $C$ is an

$$\left[2mn,\ mk,\ \geq \sum_{i=1}^{l} i\binom{2m}{i}(q-1)^i\right]_q\text{-code},$$

$l$ being the largest integer such that

$$\sum_{i=1}^{l} \binom{2m}{i}(q-1)^i \le n-k+1.$$

(Hint: The hyperplane $(x_1,x_1;\ x_2,\alpha x_2;\ \dots;\ x_n,\alpha^{n-1}x_n)$ contains at least $n-k+1$ different $q$-ary vectors $(x_i,\alpha^{i-1}x_i)$ of length $2m$. Estimate the total weight.)
3.6. Let $R_n = F_q[u]/(u^n - 1)$ be the ring of all polynomials of degree at most $n-1$ with coefficients in $F_q$ and let $\alpha \in F_{q^m}$ be a primitive $n$th root of unity (we suppose that $(n,q) = 1$). A polynomial $\eta(u) \in R_n$ is called idempotent if

$$\eta(u) = \eta^2(u).$$

A minimal ideal in $R_n$ is one which does not contain any smaller non-zero ideal. The corresponding cyclic code $C$ is called a minimal or irreducible code, and the idempotent of this ideal is called a primitive idempotent.
The cyclotomic coset mod $n$ over $F_q$ which contains an integer $s$ is

where $m_s$ is the smallest positive integer such that $sq^{m_s} \equiv s \mod (n)$. The non-zero elements of a minimal ideal must be $\{\alpha^i \mid i \in C_s\}$ for some cyclotomic coset $C_s$. We denote this minimal ideal by $M_s$, and the corresponding primitive idempotent by $\theta_s(u)$, so that $M_s = (\theta_s(u))$. Prove the validity of the following statements ($q = 2$):
(a) A cyclic $[n,k,d]_q$-code or ideal $C = (g(u))$ in $R_n$ contains a unique idempotent $\eta(u)$ such that $C = (\eta(u))$. Moreover $\eta(u) = a(u)g(u)$ for some $a(u) \in R_n$; $\eta(\alpha^i) = 0$ if and only if $g(\alpha^i) = 0$ and $x(u) \in C$ if and only if $x(u)\eta(u) = x(u)$;
(b) $\eta(u)$ is an idempotent if and only if $\eta(\alpha^i) = 0$ or $\eta(\alpha^i) = 1$ for $i = 0,1,\dots,n-1$. (Hint: Use the following inversion formula: If

$$\eta(u) = \sum_{i=0}^{n-1} \eta_i u^i,$$

then
$$\eta_i = \frac{1}{n}\sum_{j=0}^{n-1} \eta(\alpha^j)\alpha^{-ij} = \frac{1}{n}\sum_{s}\sum_{j \in C_s} \alpha^{-ij},$$
where $s$ runs through a subset of the cyclotomic cosets);

(c) $\theta_s(\alpha^j) = \begin{cases} 1 & \text{if } j \in C_s, \\ 0 & \text{otherwise;} \end{cases}$

(d) $\theta_s(u) = \sum_{i=0}^{n-1} \theta_i^{(s)} u^i$, where $\theta_i^{(s)} = \frac{1}{n}\sum_{j \in C_s} \alpha^{-ij}$, $0 \le i \le n-1$;
(e) The primitive idempotents $\theta_s(u)$ have the following properties:
(i) $\sum_s \theta_s(u) = 1$,
(ii) $\theta_s(u)\theta_t(u) = 0$ if $s \ne t$,
(iii) The ring $R_n$ is the direct sum of the minimal ideals generated by the $\theta_s(u)$,
(iv) The minimal ideal $M_s = (\theta_s(u))$ of dimension $m_s = n - \deg \theta_s(u)$ is isomorphic to the field $F_{q^{m_s}}$,
(v) Any idempotent $\eta(u)$ can be written in the form

$$\eta(u) = \sum_s a_s \theta_s(u),$$

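3.7. Show that for $p = 2$, $l = 4k+3$ the primitive $l$th root of 1 can be chosen so that the idempotents of quadratic-residue codes $C_R$, $C_{\bar{R}}$, $C_N$, $C_{\bar{N}}$ are

$$\eta_{\bar{R}}(u) = 1 + \sum_{n \in N} u^n,$$
$$\eta_N(u) = \sum_{n \in N} u^n,$$
$$\eta_{\bar{N}}(u) = 1 + \sum_{r \in R} u^r$$
and for $p = 2$, $l = 4k+1$ the idempotents of $C_R$, $C_{\bar{R}}$, $C_N$, $C_{\bar{N}}$ may be taken to be
$$1 + \sum_{r \in R} u^r, \quad \sum_{n \in N} u^n, \quad 1 + \sum_{n \in N} u^n, \quad \sum_{r \in R} u^r,$$
respectively.
3.8. For a prime $l > 2$ define the Gaussian sum $\tau$ as follows
$$\tau = \sum_{i=0}^{l-1} \left(\frac{i}{l}\right)\alpha^i,$$

where $\left(\frac{i}{l}\right)$ is the Legendre symbol and $\alpha \in F_{p^m}$ is a primitive $l$th root of unity. Since $\tau^p = \tau$ we have $\tau \in F_p$. Prove that

$$\begin{cases} l & \text{if } l = 4k+1 \\ -l & \text{if } l = 4k+3 \end{cases}$$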
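3.9. Check that for $p > 2$ and $l = 4k \pm 1$ the idempotents of quadratic residue codes $C_R$, $C_{\bar{R}}$, $C_N$, $C_{\bar{N}}$ are

$$\eta_R(u) = \frac{1}{2}\left(1 + \frac{1}{l}\right) + \frac{1}{2}\left(\frac{1}{l} - \frac{1}{\tau}\right)\sum_{r \in R} u^r + \frac{1}{2}\left(\frac{1}{l} + \frac{1}{\tau}\right)\sum_{n \in N} u^n,$$

$$\eta_{\bar{R}}(u) = \frac{1}{2}\left(1 - \frac{1}{l}\right) - \frac{1}{2}\left(\frac{1}{l} + \frac{1}{\tau}\right)\sum_{r \in R} u^r - \frac{1}{2}\left(\frac{1}{l} - \frac{1}{\tau}\right)\sum_{n \in N} u^n,$$

$$\eta_N(u) = \frac{1}{2}\left(1 + \frac{1}{l}\right) + \frac{1}{2}\left(\frac{1}{l} + \frac{1}{\tau}\right)\sum_{r \in R} u^r + \frac{1}{2}\left(\frac{1}{l} - \frac{1}{\tau}\right)\sum_{n \in N} u^n,$$

$$\eta_{\bar{N}}(u) = \frac{1}{2}\left(1 - \frac{1}{l}\right) - \frac{1}{2}\left(\frac{1}{l} - \frac{1}{\tau}\right)\sum_{r \in R} u^r - \frac{1}{2}\left(\frac{1}{l} + \frac{1}{\tau}\right)\sum_{n \in N} u^n,$$
respectively. (Hint: Use Exercises 3.6 and 3.8.)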
3.10. Let $A = (a_{ij})$ be an $m \times m$ matrix and $B = (b_{ij})$ be an $n \times n$ matrix over any field. The Kronecker product $A \otimes B$ of $A$ and $B$ is the $mn \times mn$ matrix obtained from $A$ by replacing every entry $a_{ij}$ by $a_{ij}B$. Now let $G_1$ and $G_2$ be generator matrices for $[n_1,k_1,d_1]_2$ and $[n_2,k_2,d_2]_2$-codes $C_1$ and $C_2$, respectively. Prove that the Kronecker product $G_1 \otimes G_2$ is a generator matrix for $C = C_1 \otimes C_2$.
3.11. Prove that the minimum distance of the concatenation $C'$ of a linear $[n_0,m,d_0]_{q'}$-code $C_0$ and a linear $[n,k,d]_q$-code $C$ is at least $d_0 d$.
3.12. Prove Proposition 3.14. (Hint: Decode the given vector first with the decoding algorithm for $C_0$, then decode the obtained vector and all vectors obtained from it by erasing one symbol with the decoding algorithm for $C$.)
Part II

Algebraic Curves and Varieties

This part introduces the basic notions of algebraic geometry and provides a number
of fundamental facts we shall apply later to the theory of error-correcting codes.
Almost all of the constructions coming from algebraic geometry and being used
in the coding theory are based on consideration of algebraic curves. That is the
reason why we concentrate mostly on the theory of curves. Multi-dimensional
algebraic geometry appears here only as an instrument for the study of algebraic
curves. For a more extensive exposition of concepts and methods of algebraic
geometry we refer the reader to Fulton [47], Griffiths and Harris [67], Hartshorne
[73], and Shafarevich [172].

Chapter 4

Algebraic Curves

This chapter contains the basic definitions and results of the theory of algebraic curves: valuations, divisors, the genus of a curve, finite morphisms, linear systems, Jacobians, differential forms and their residues, the Riemann-Roch theorem, Hurwitz and Plücker genus formulas, special divisors and Weierstrass points. We do not consider here the arithmetical properties of curves and for that reason the ground field $k$ is assumed to be algebraically closed.

4.1. ALGEBRAIC VARIETIES

Affine Varieties
Let $k$ be an algebraically closed field and $n \geq 1$ be an integer. Define $n$-dimensional affine space over $k$, denoted $\mathbb{A}^n_k$ (or simply $\mathbb{A}^n$), to be the set of $n$-tuples $(x_1,\dots,x_n)$ with components in $k$. An element $x \in \mathbb{A}^n$ will be called a point, and if $x = (x_1,\dots,x_n)$, $x_i \in k$, then the $x_i$ will be called the coordinates of $x$.
Let $k[T] = k[T_1,\dots,T_n]$ be the ring of polynomials in $n$ variables over $k$. We will interpret the elements of $k[T]$ as functions from the affine $n$-space $\mathbb{A}^n$ to $k$, by defining $F(x) = F(x_1,\dots,x_n)$, where $F \in k[T]$ and $x \in \mathbb{A}^n$. A zero of $F \in k[T]$ is a point $x = (x_1,\dots,x_n) \in \mathbb{A}^n$ such that $F(x) = 0$. If $S$ is any subset of $k[T]$, we define the zero set $V(S)$ of $S$ to be the set of common zeros of all the polynomials $F \in S$:
$$V(S) = \{x \in \mathbb{A}^n \mid F(x) = 0 \text{ for all } F \in S\}.$$
A subset $X$ of $\mathbb{A}^n$ is an algebraic set if there exists a subset $S \subseteq k[T]$ such that $X = V(S)$. If $\mathfrak{a}$ is the ideal of $k[T]$ generated by $S$ then $X$ can be considered as the set $V(\mathfrak{a})$ of common zeros of all polynomials $F \in \mathfrak{a}$. Since $k[T]$ is a Noetherian ring, any ideal $\mathfrak{a}$ has a finite set of generators. Therefore, if $F_1,\dots,F_r$ are generators of $\mathfrak{a}$ so that

$$\mathfrak{a} = k[T]F_1(T) + \dots + k[T]F_r(T),$$

then $X$ can be expressed as the set of common zeros of a finite number of polynomials $F_1,\dots,F_r$.
It is easy to see that the union of a finite family of algebraic sets is an algebraic set and the intersection of any family of algebraic sets is an algebraic set. The empty set and the whole space are algebraic sets.
We define now the Zariski topology on $\mathbb{A}^n$ by taking the open subsets to be the complements of the algebraic sets.
Consider, for example, the Zariski topology on the affine line $\mathbb{A}^1$. Every ideal in $k[T]$ is principal, so every algebraic set is the set of zeros of a single polynomial. Since $k$ is algebraically closed, every non-zero polynomial $F(T)$ can be written as $F(T) = a(T - a_1) \cdots (T - a_n)$ with $a,a_1,\dots,a_n \in k$. Thus the algebraic sets in $\mathbb{A}^1$ are just the finite subsets, the whole space (corresponding to $F = 0$) and the empty set (corresponding to $F = 1$). This example shows us in particular that the Zariski topology is not Hausdorff.
For any subset $X \subseteq \mathbb{A}^n$ let us define the ideal of $X$ in $k[T]$ by

$$\mathfrak{a}(X) = \{F \in k[T] \mid F(x) = 0 \text{ for all } x \in X\}.$$


Theorem 4.1 (Hilbert Nullstellensatz). Let $k$ be an algebraically closed field, $\mathfrak{a}$ an ideal in $k[T]$, and $F \in k[T]$ a polynomial which vanishes at all points of $V(\mathfrak{a})$. Then $F^m \in \mathfrak{a}$ for an integer $m \geq 1$.

Proof: See Lang [107, p. 380] or Atiyah and Macdonald [5].

Let $\mathfrak{a}$ be an ideal of a commutative ring $R$ with identity element 1. The radical $r(\mathfrak{a})$ of $\mathfrak{a}$ is defined as
$$r(\mathfrak{a}) = \{f \in R \mid f^m \in \mathfrak{a} \text{ for some } m \geq 1\}.$$
A non-empty subset $X$ of a topological space is irreducible if it cannot be expressed as the union $X = X' \cup X''$ of two proper subsets $X'$ and $X''$, each one of which is closed in $X$.
An affine algebraic variety (or simply affine variety) is an irreducible closed subset of $\mathbb{A}^n$ (with the induced topology of Zariski).
From the Hilbert Nullstellensatz we deduce the following result:
Corollary 4.2. There is a one-to-one inclusion-reversing correspondence between algebraic sets in $\mathbb{A}^n$ and radical ideals (i.e., ideals which are equal to their own radical) in $k[T]$, given by $X \mapsto \mathfrak{a}(X)$ and $\mathfrak{a} \mapsto V(\mathfrak{a})$. Furthermore, an algebraic set is irreducible if and only if its ideal is a prime ideal in $k[T]$.
We recall that an ideal $\mathfrak{p}$ is prime if $\mathfrak{p} \ne R$ and $xy \in \mathfrak{p}$ implies $x \in \mathfrak{p}$ or $y \in \mathfrak{p}$. Note also that each prime ideal is a radical. An ideal $\mathfrak{m}$ in $R$ is called maximal, if $\mathfrak{m} \ne R$ and if there is no proper ideal $\mathfrak{a}$ such that $\mathfrak{m} \subset \mathfrak{a} \subset R$. It is easy to see that $\mathfrak{p}$ is prime if and only if the quotient-ring $R/\mathfrak{p}$ is an integral domain and $\mathfrak{m}$ is maximal if and only if $R/\mathfrak{m}$ is a field.
Consider now the following example. Let $F$ be an irreducible polynomial in $k[T] = k[T_1,\dots,T_n]$ of degree $m$. Since $k[T]$ is a unique factorization domain the polynomial $F$ generates a prime ideal in $k[T]$, so the zero set $X = V(F)$ is irreducible. It is called an affine curve of degree $m$ if $n = 2$, a surface if $n = 3$ and a hypersurface if $n > 3$.
By the Hilbert Nullstellensatz there is a one-to-one correspondence between the points of $\mathbb{A}^n$ and the maximal ideals of $k[T]$; to a point $x \in \mathbb{A}^n$ we associate the ideal
$$\mathfrak{m} = \mathfrak{m}(x) = \{F \in k[T] \mid F(x) = 0\}$$
and to a maximal ideal its unique zero set. This correspondence will enable us to translate geometry into algebra and vice versa.
The points of an affine variety $X \subseteq \mathbb{A}^n$ correspond in a one-to-one manner with the maximal ideals of $k[T]$ which contain the prime ideal $\mathfrak{p} = \mathfrak{a}(X)$, i.e., to the maximal ideals of $k[X] = k[T]/\mathfrak{p}$. This quotient-ring is called the coordinate ring of $X$. It is a domain and a finitely generated $k$-algebra. Its field of quotients $k(X)$ is called the function field on $X$.

Morphisms

A function $f : X \to k$ is regular on $X$ if it is induced by a polynomial $F \in k[T_1,\dots,T_n]$. In other words, $f$ is regular if $f(x) = F(x)$ for any $x \in X$. A regular function is continuous when $k$ is identified with $\mathbb{A}^1$ in its Zariski topology.
Let $X \subseteq \mathbb{A}^m$ and $Y \subseteq \mathbb{A}^n$ be two affine varieties. A map $f : X \to Y$ is called a morphism (or regular map) if there exist $n$ functions $f_1,\dots,f_n$, regular on $X$, such that $f(x) = (f_1(x),\dots,f_n(x))$ for all $x \in X$.
It is clear that the map $f : X \to \mathbb{A}^n$, defined by the functions $f_1,\dots,f_n$, is a morphism of $X$ to $Y$ if and only if $f_1,\dots,f_n \in k[X]$ satisfy the equations of the variety $Y$. A morphism $f$ is a continuous map (in Zariski topology). Such a morphism induces a $k$-algebra homomorphism $f^* : k[Y] \to k[X]$ as follows: if $g : Y \to k$ is a regular function on the set $Y$ then $gf : X \to k$ is a regular function on $X$, and the map $f^*(g) = gf$ (which is called the pullback of $g$) can be regarded as a $k$-algebra homomorphism $k[Y] \to k[X]$. Conversely, let $\varphi : k[Y] \to k[X]$ be a $k$-algebra homomorphism and let $t_i$ be the image under $\varphi$ of a generator $u_i$ of the $k$-algebra $k[Y]$. The regular functions $t_i$ define a morphism $f : X \to Y$. One may check that $f^* = \varphi$.
A morphism $f : X \to Y$ is called an isomorphism if there exists a morphism $g : Y \to X$ with $f \cdot g = \mathrm{id}_Y$ and $g \cdot f = \mathrm{id}_X$.
Theorem 4.3. Two affine varieties $X$ and $Y$ are isomorphic ($X \simeq Y$) if and only if $k[X]$ and $k[Y]$ are isomorphic as $k$-algebras.
Therefore all the information stored in an affine variety can be read from its coordinate ring. If $\operatorname{Mor}(X,Y)$ denotes the set of morphisms of $X$ to $Y$ we have a bijection $\operatorname{Mor}(X,Y) \leftrightarrow \operatorname{Hom}_k(k[Y],k[X])$. In particular, $\operatorname{Mor}(X,\mathbb{A}^1) \leftrightarrow \operatorname{Hom}_k(k[\mathbb{A}^1],k[X]) \simeq k[X]$. In this way the elements of $k[X]$ can be viewed as functions.
The topology on $X \subseteq \mathbb{A}^n$ has a basis consisting of open sets of the form

$$U(f) = \{x \in X \mid f(x) \ne 0\},$$

where $f \in k[X]$. Then $U(f)$ is again an affine variety (it can be given in $\mathbb{A}^{n+1}$ by the equations of $X \subseteq \mathbb{A}^n$ and the equation $T_{n+1}f(T_1,\dots,T_n) = 1$) and the coordinate ring of such an open set is isomorphic to $k[X][1/f]$.

Projective and Quasi-Projective Varieties


We define projective $n$-space over $k$, denoted by $\mathbb{P}^n_k$ (or simply $\mathbb{P}^n$), to be the set of equivalence classes of $(n+1)$-tuples $(x_0,x_1,\dots,x_n)$ of elements of $k$, not all zero, under the equivalence relation given by $(x_0,x_1,\dots,x_n) \sim (\lambda x_0,\lambda x_1,\dots,\lambda x_n)$ for all $\lambda \in k$, $\lambda \ne 0$. Another way of saying this is that $\mathbb{P}^n$ as a set is the quotient of the set $\mathbb{A}^{n+1} \setminus \{0\}$ under the equivalence relation which identifies points lying on the same line through the origin.
An equivalence class $x = (x_0 : x_1 : \dots : x_n)$ is called a point of $\mathbb{P}^n$. If $x = (x_0 : x_1 : \dots : x_n)$ is a point, then any $(n+1)$-tuple $(\lambda x_0,\lambda x_1,\dots,\lambda x_n)$ in the equivalence class $x$ is called a set of homogeneous coordinates for $x$.
A polynomial $F \in k[T_0,T_1,\dots,T_n]$ is called homogeneous if

$$F(\lambda T_0,\dots,\lambda T_n) = \lambda^m F(T_0,\dots,T_n)$$

for some $m$ (called the degree of $F$) and all $\lambda \ne 0$ in $k$. An ideal $\mathfrak{a}$ in $k[T_0,T_1,\dots,T_n]$ is called homogeneous if it can be generated by homogeneous elements.
A projective algebraic variety $X$ (or simply projective variety) is the set of zeros in projective space $\mathbb{P}^n$ of a homogeneous prime ideal $\mathfrak{p}$ in $k[T_0,T_1,\dots,T_n]$. We can again associate the homogeneous coordinate ring to it, but unfortunately this does not possess the nice properties that we have for affine varieties.
An open subset of a projective algebraic variety is called a quasi-projective variety.
Let $x$ be a point of an affine (resp. projective) variety $X$. Let $U$ be an open neighborhood of $x$. We say that a continuous map $f : U \to \mathbb{A}^1$ is a regular function at $x$ if there exist polynomials $F,G \in k[T_1,\dots,T_n]$ (resp. homogeneous polynomials of the same degree in $k[T_0,T_1,\dots,T_n]$) such that $G(x) \ne 0$ and $f = F/G$ in an open neighborhood of $x$. It is called regular on $U$ if it is regular at all points $x \in U$. The regular functions on $U$ form a ring which is denoted by $\mathcal{O}_X(U)$ or $\mathcal{O}(U)$.
Let $x$ be a point of $X$. Consider the pairs $(U,f)$, where $U$ is an open neighborhood of $x$ and $f$ is a regular function on $U$. Define an equivalence relation:

$$(U,f) \sim (U',f') \text{ if and only if } f = f' \text{ on } U \cap U'.$$

The equivalence classes form a ring. This ring is denoted by $\mathcal{O}_x$. It is a local ring in the algebraic sense with unique maximal ideal

$$\mathfrak{m}_x = \{\text{equivalence class of } (U,f) \mid f(x) = 0\}.$$

The ring $\mathcal{O}_x$ is called the local ring of $x$.
We view elements of the local ring $\mathcal{O}_x$ as functions defined on some open neighborhood of $x$. In case the variety $X$ is affine and $\mathfrak{m} = \mathfrak{m}(x)$ is the maximal ideal corresponding to the point $x$, the local ring is the localization $k[X]_{\mathfrak{m}}$ (see Atiyah and Macdonald [5]) of $k[X]$ at $\mathfrak{m}$, that is:

$$\mathcal{O}_x = \left\{\varphi = \frac{f}{g} \in k(X) \;\middle|\; f,g \in k[X],\ g \notin \mathfrak{m}\right\}.$$

In this case
$$\mathcal{O}(X) = \bigcap_x \mathcal{O}_x = \bigcap_{\mathfrak{m}} k[X]_{\mathfrak{m}} = k[X].$$
Let $X$ be a quasi-projective variety and consider pairs $(U,f)$ with $U$ non-empty and open in $X$, and $f \in \mathcal{O}(U)$. Define again an equivalence relation

$$(U,f) \sim (U',f') \text{ if and only if } f = f' \text{ on } U \cap U'.$$

The equivalence classes are called rational functions and form a field, called the function field $k(X)$ on $X$. In the case of an affine variety we see that the equivalence classes form the field of quotients of the ring $k[X]$. In this case, if $U$ is a non-empty subset of $X$ then $k(U) = k(X)$.
Let $X$ and $Y$ be quasi-projective varieties. A continuous map $f : X \to Y$ is called a morphism if for every open $U$ in $Y$ and every $g \in \mathcal{O}(U)$ the composition $gf$ is a regular function on $f^{-1}(U)$. For an affine variety, morphisms in the earlier sense are certainly morphisms in this new sense. Conversely, a morphism in the new sense induces a $k$-algebra homomorphism on the coordinate rings; therefore it is a morphism in the old sense and the two concepts coincide. We also consider pairs $(U,f)$, where $U$ is a non-empty open subset of $X$ and $f : U \to Y$ is a morphism. The equivalence classes under the relation

$$(U,f) \sim (U',f') \text{ if and only if } f = f' \text{ on } U \cap U'$$

are called rational maps from $X$ to $Y$.


A rational map is called dominant if for some representation $(U,f)$ the image $f(U)$ is dense in $Y$. With respect to composition of functions, the dominant rational map from $X$ to $Y$ gives rise to a $k$-algebra homomorphism $k(Y) \to k(X)$ of the function fields. Conversely, given a $k$-algebra homomorphism $\varphi^* : k(Y) \to k(X)$ we find a rational map as follows: choose an open affine set $V$ in $Y$ and choose generators $v_i$ for $k[V]$. Let $u_i = \varphi^*(v_i)$ and choose an affine open set $U$ in $X$ such that the $u_i$ are regular on $U$. The $k$-algebra homomorphism $k[V] \to k[U]$ given by $v_i \to u_i$ induces a morphism $U \to V$ which represents a rational map $X \to Y$. We call $X$ and $Y$ birationally equivalent, or simply birational, if there exist rational maps $\varphi : X \to Y$ and $\psi : Y \to X$ such that the compositions $\varphi \cdot \psi$ and $\psi \cdot \varphi$ are identity maps on some non-empty open sets of $Y$ and $X$, respectively. We can now deduce the following statement:

Theorem 4.4. Two quasi-projective varieties $X$ and $Y$ are birationally equivalent if and only if their function fields $k(X)$ and $k(Y)$ are isomorphic as $k$-algebras.

The parametrization $\varphi : \mathbb{A}^1 \to X = \{(x,y) \in \mathbb{A}^2 \mid x^3 - y^2 = 0\}$ given by $t \mapsto (t^2,t^3)$ is a birational map with inverse $(x,y) \mapsto x/y$ if $y \ne 0$. However, it is not an isomorphism since the function $\psi(x,y) = x/y$ is not regular at the origin, hence $k[t]$ is not isomorphic to $k[x,y]/(x^3 - y^2)$. This example shows us that the isomorphism concept is more delicate than the concept of birational equivalence.
At last it is necessary to point out the following important property of projective varieties. If $X$ is a projective variety and $f : X \to Y$ is a morphism then the image of $f$ is closed in $Y$. So if $f : X \to \mathbb{A}^1 \subset \mathbb{P}^1$ is a regular function on a projective variety $X$, then the image is closed in $\mathbb{A}^1$ and $\mathbb{P}^1$ and irreducible, and hence consists of one point. Therefore, there are no regular functions other than constant functions on a projective variety. This shows the need for introducing concepts such as rational functions and rational maps.

Non-Singular Varieties
If $X$ is a topological space, we define the dimension of $X$ (denoted $\dim X$) to be the supremum of all non-negative integers $n$ such that there exists a chain $X_0 \subset X_1 \subset \dots \subset X_n = X$ of distinct irreducible closed subsets of $X$. We define the dimension of an affine, projective or quasi-projective variety to be its dimension as a topological space (with the topology of Zariski).

Theorem 4.5. The dimension of an affine variety $X$ is equal to the transcendence degree of the field $k(X)$ over $k$.

Proof: See Hartshorne [73, p. 6].



Let $X \subseteq \mathbb{A}^n$ be an affine variety and let $F_1,\dots,F_r \in k[T_1,\dots,T_n]$ be generators for the ideal $\mathfrak{a}(X)$. The variety $X$ is non-singular at a point $x \in X$, if the rank of the matrix
$$\left(\frac{\partial F_i}{\partial T_j}(x)\right)$$
is $n - d$, where $d$ is the dimension of $X$. The variety $X$ is non-singular (or smooth) if it is non-singular at every point. Note that this definition depends on the embedding of $X$ in an affine space. To extend the concept of non-singularity to the case of quasi-projective varieties it is convenient to describe this concept in terms of local rings.
The height of a prime ideal $\mathfrak{p}$ in an arbitrary commutative ring $R$ is the supremum of all non-negative integers $n$ such that there exists a chain $\mathfrak{p}_0 \subset \mathfrak{p}_1 \subset \dots \subset \mathfrak{p}_n = \mathfrak{p}$ of distinct prime ideals. We define the dimension of $R$ to be the supremum of the heights of all prime ideals.

Theorem 4.6. Let $X \subseteq \mathbb{A}^n$ be an affine variety. Then

$$\dim X = \dim k[X] = \dim \mathcal{O}_x.$$

Proof: See Hartshorne [73, p. 6].

Now let $\mathcal{O}$ be a Noetherian local ring with maximal ideal $\mathfrak{m}$ and residue field $k = \mathcal{O}/\mathfrak{m}$. It is a regular local ring if the $k$-vector space $\mathfrak{m}/\mathfrak{m}^2$ has the same dimension as $\mathcal{O}$.

Theorem 4.7. Let $X \subseteq \mathbb{A}^n$ be an affine variety and $x$ be a point of $X$. Then $X$ is non-singular at $x$ if and only if the local ring $\mathcal{O}_x$ of $x$ is a regular local ring.

Proof: See Hartshorne [73, p. 32].

Since we know that the concept of non-singularity is intrinsic, we can extend the definition to arbitrary varieties.
Let $X$ be any variety. It is non-singular at a point $x \in X$ if the local ring $\mathcal{O}_x$ is a regular local ring. The variety $X$ is non-singular or smooth if it is non-singular at every point. It is singular at a point $x \in X$ if $\dim_k \mathfrak{m}_x/\mathfrak{m}_x^2 > \dim \mathcal{O}_x$. The set of non-singular points of $X$ is a non-empty open subset of $X$, which is dense in $X$.

4.2. NON-SINGULAR CURVES

Local Ring of a Point


Throughout this chapter the word curve shall mean a non-singular (smooth) projective curve (i.e., non-singular projective variety of dimension 1). By doing so we do not lose generality since any algebraic curve is birationally equivalent to a non-singular projective curve (see Hartshorne [73, p. 45], Shafarevich [172, p. 122] and below).
Let $\mathcal{O}_x$ be the local ring of a point $x$ of the curve $X$ and let $\mathfrak{m}_x$ be the maximal ideal of $\mathcal{O}_x$.

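Theorem 4.8. Let $x$ be a point of the curve $X$. Then

(i) every proper non-zero ideal in $\mathcal{O}_x$ is of the form $\mathfrak{a} = \mathfrak{m}_x^n$ for some integer $n \geq 1$;

(ii) $\mathfrak{m}_x$ is the unique non-zero prime ideal in $\mathcal{O}_x$;

(iii) $\mathcal{O}_x$ is a principal ideal domain.

Proof: It is sufficient to prove (i). Since $\mathfrak{a} \ne \mathcal{O}_x$ then $\mathfrak{a} \subseteq \mathfrak{m}_x$. We have (see Atiyah and Macdonald [5, p. 90]) $\mathfrak{m}_x^{n+1} \ne \mathfrak{m}_x^n$ for all $n \geq 0$ and hence $\mathfrak{a} \subseteq \mathfrak{m}_x^n$, $\mathfrak{a} \not\subseteq \mathfrak{m}_x^{n+1}$ for some $n \geq 1$. Therefore, there exists an element $a \in \mathfrak{a} \subseteq \mathfrak{m}_x^n$ such that $a \notin \mathfrak{m}_x^{n+1}$. The ideal $\mathfrak{m}_x$ is principal, i.e., $\mathfrak{m}_x = t\mathcal{O}_x$, and hence $a = t^n u$, where $u \in \mathcal{O}_x$. Since $a \notin \mathfrak{m}_x^{n+1}$ we have $u \notin \mathfrak{m}_x$ and hence $u$ is a unit of the ring $\mathcal{O}_x$. Thus we have $t^n = au^{-1} \in \mathfrak{a}$ and therefore $\mathfrak{m}_x^n \subseteq \mathfrak{a}$, so that $\mathfrak{a} = \mathfrak{m}_x^n$. ∎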

Valuations
Let $L \supset k$ be an extension of the ground field $k$. A map $v : L^* \to \mathbb{Z}$ of the multiplicative group $L^*$ of $L$ onto $\mathbb{Z}$ such that
(i) $v(k^*) = 0$,
(ii) $v(xy) = v(x) + v(y)$, and
(iii) $v(x+y) \geq \min(v(x),v(y))$,
is called a discrete valuation of the field $L$. It is convenient to extend the map $v$ to the whole $L$ by setting $v(0) = \infty$. Such a discrete valuation defines a discrete valuation ring $\mathcal{O}_v = \{x \in L^* \mid v(x) \geq 0\}$.
The quotient field of $\mathcal{O}_v$ is $L$. An integral domain $R$ is called a discrete valuation ring if there exists a discrete valuation $v$ on its quotient field $K$ such that $R = \{x \in K^* \mid v(x) \geq 0\}$. Every discrete valuation ring $R$ is a principal ideal domain and every non-trivial ideal $\mathfrak{a} \subset R$ is of the form $\mathfrak{a} = \mathfrak{m}^n$ for some integer $n \geq 1$, where
$$\mathfrak{m} = \{x \in R \mid v(x) > 0\}$$
is the unique maximal ideal in $R$.
Theorem 4.9. Let $X$ be an algebraic curve and $x$ a point of $X$. Then $x$ is non-singular if and only if the local ring $\mathcal{O}_x$ is a discrete valuation ring.

Proof: Suppose that $x$ is a non-singular point and let $f \in \mathcal{O}_x$. We define $v_x(f) = n$ if $f \in \mathfrak{m}_x^n$, but $f \notin \mathfrak{m}_x^{n+1}$. If $f/g$ is an element of the function field $L = k(X)$ then we set $v(f/g) = v_x(f) - v_x(g)$. This defines a discrete valuation $v_x$ of $k(X)$ with discrete valuation ring $\mathcal{O}_x$ with $\mathcal{O}_{v_x} = \mathcal{O}_x$. Conversely, if $\mathcal{O}_x$ is a discrete valuation ring then $\mathfrak{m}_x/\mathfrak{m}_x^2$ has dimension one (it is generated by the class of an element $t$ with $v_x(t) = 1$). ∎
An element $t \in \mathcal{O}_v$ with $v(t) = 1$ is called a local parameter or local coordinate.
Theorem 4.10. Let $X$ be a non-singular curve and $\varphi : X \to \mathbb{P}^n$ a rational map. Then $\varphi$ can be extended to a morphism.

Proof: Let $x \in X$ and let $\varphi$ be represented locally around $x$ by $y \mapsto (f_0(y) : f_1(y) : \dots : f_n(y))$. Multiply all $f_i$, $0 \le i \le n$, by the same power $t^\nu$ of $t$ such that $v(t^\nu f_i) \geq 0$ and
$$\min(v(t^\nu f_0),\dots,v(t^\nu f_n)) = 1.$$
Then $\varphi$ can be represented as $y \mapsto (t^\nu f_0(y) : t^\nu f_1(y) : \dots : t^\nu f_n(y))$ which shows that $\varphi$ is well-defined on $X$. ∎
Corollary 4.11. Non-singular projective curves are classified by their function fields.

Proof: If $X$ and $Y$ are two non-singular projective curves and $\varphi : X \to Y$ is a birational map, then the map can be extended to an isomorphism. ∎
If $X$ is a non-singular projective curve with function field $k(X)$ we can read off all information about $X$ from $k(X)$. Indeed, we know that a point $x \in X$ gives rise to a discrete valuation $v_x$ of $k(X)$, trivial on $k$. But conversely, every discrete valuation $v$ of $k(X)$ trivial on $k$ determines a point of $X$, namely, the common zero of all $\varphi \in k(X)$ with $v(\varphi) \ge 1$. The above suggests one should start with a function field $L$ of transcendence degree 1 over $k$ and attach a non-singular projective curve $X$ to it with $k(X) = L$. The curve $X$ is called a non-singular projective model of $L$. In particular, this shows us that any irreducible algebraic curve is birationally isomorphic to a smooth projective curve.

Thus, after all, we might have started with a field of algebraic functions $L$ of one variable over $k$. The field uniquely determines the isomorphism class of a non-singular projective curve $X$ defined over $k$ whose function field $k(X)$ is isomorphic to $L$. All properties of $X$ can be derived from the function field $k(X)$.

Later we shall also need the following result:

Theorem 4.12. Let $x_1, \ldots, x_s$ be distinct points of a curve $X$ and $m_1, m_2, \ldots, m_s$ be any preassigned integers. Then there is a function $\varphi \in k(X)$ such that $v_{x_i}(\varphi) = m_i$ for all $i = 1, 2, \ldots, s$.

Proof: See Chevalley [20, Ch. 1] or Stepanov [187, p. 167].




Non-Singular Points
The set of singular points of a projective curve is closed in the Zariski topology.
This fact is local in nature, so that we can restrict ourselves to consideration of
affine curves, which provide an open covering of the considered curve. In turn,
to check whether a point on an affine curve is non-singular, we can use the notion
of tangent space. For simplicity, we restrict ourselves to the case of plane affine curves (in the general case, the situation is entirely similar).

Let a plane affine curve $X \subseteq \mathbb{A}^2$ be defined by a polynomial $F(T_1, T_2)$. The linear form
$$d_x F = \frac{\partial F(x)}{\partial x_1}(T_1 - x_1) + \frac{\partial F(x)}{\partial x_2}(T_2 - x_2)$$
is called the differential of the polynomial $F$ at the point $x = (x_1, x_2)$. The equation $d_x F = 0$ defines a linear subspace $\Theta_x \subseteq \mathbb{A}^2$ which is called the tangent space of $X$ at the point $x \in X$. Then there is an isomorphism of the vector spaces $\Theta_x^* \cong \mathfrak{m}_x/\mathfrak{m}_x^2$ with $\mathfrak{m}_x$ the maximal ideal of $\mathcal{O}_x$ and $\Theta_x^*$ the dual vector space of $\Theta_x$. Indeed, by associating to $G \in k[T_1, T_2]$ its differential $d_x G$, one gets a map $d_x : k[X] \to \mathrm{Hom}_k(\Theta_x, k)$. We extend this by the formula
$$d_x\!\left(\frac{G}{H}\right) = \frac{H\, d_x G - G\, d_x H}{H^2}, \qquad H(x) \ne 0,$$
to a $k$-linear map $d_x : \mathcal{O}_x \to \Theta_x^*$. Restriction to $\mathfrak{m}_x \subset \mathcal{O}_x$ gives the required isomorphism $\mathfrak{m}_x/\mathfrak{m}_x^2 \cong \Theta_x^*$. This gives the connection with the more intuitive notion of tangent space. Hence, if $d_x F \ne 0$, then $\dim_k \Theta_x^* = 1$ and we have a non-singular point $x \in X$.

For a projective curve given by $F = 0$, the projective tangent space at $x = (x_0 : x_1 : x_2)$ is
$$\frac{\partial F(x)}{\partial x_0}(T_0 - x_0) + \frac{\partial F(x)}{\partial x_1}(T_1 - x_1) + \frac{\partial F(x)}{\partial x_2}(T_2 - x_2) = 0.$$
If at least one of $\frac{\partial F}{\partial x_0}(x)$, $\frac{\partial F}{\partial x_1}(x)$, $\frac{\partial F}{\partial x_2}(x)$ is non-zero, then $x$ is a non-singular point.

4.3. DIVISORS ON ALGEBRAIC CURVES

Let $X$ be a smooth projective curve over an algebraically closed field $k$. A divisor on $X$ is a formal linear combination

where the sum is over all points of $X$, and the coefficients are integers and are zeros for all but a finite number of $x$. The set $\{x \in X \mid a_x \ne 0\}$ is called the support of $D$ and is denoted by $\operatorname{Supp} D$. The set of divisors on $X$ is denoted by $\mathrm{Div}(X)$. It is a free abelian group since we can add and subtract divisors. If $D = \sum a_x \cdot x$ and $D' = \sum a'_x \cdot x$, then $D \pm D' = \sum (a_x \pm a'_x) \cdot x$. Moreover, $D = D'$ if and only if $a_x = a'_x$ for all $x \in X$. The degree of $D$ is

The degree map $\deg : \mathrm{Div}(X) \to \mathbb{Z}$, $D \mapsto \deg D$, is surjective; its kernel is denoted by $\mathrm{Div}_0(X)$. If $a_x \ge 0$ for every $x \in X$ then we call $D = \sum a_x \cdot x$ an effective divisor and write $D \ge 0$. If, moreover, $D \ne 0$ we call it positive and write $D > 0$. This definition induces a partial order on $\mathrm{Div}(X)$: $D \ge D'$ if and only if $D - D' \ge 0$. Note that each divisor is a difference of two effective divisors.
Divisors

and
$$\{D, D'\} = \sum \max(a_x, a'_x) \cdot x$$
we call respectively the greatest common divisor and the least common multiple of divisors $D = \sum a_x \cdot x$ and $D' = \sum a'_x \cdot x$.

Let $v_x$ be the discrete valuation of $L = k(X)$ associated to $x$ and let $f$ be a non-zero function in $L$. If $f \in \mathfrak{m}_x$ (resp. $f^{-1} \in \mathfrak{m}_x$) then $x$ is called a zero (resp. a pole) of $f$ and $v_x(f)$ (resp. $v_x(f^{-1})$) is called the order of zero (resp. the order of pole) of $f$ at $x$. Set

and call $(f)$ the divisor of $f$. Note that $(f)$ is indeed a divisor since each $f \in L^*$ has only a finite number of zeros and poles and thus $v_x(f) \ne 0$ only for a finite number of points $x \in X$. Note also that $(f) = (f)_0 - (f)_\infty$, where
$$(f)_0 = \sum_{v_x(f) > 0} v_x(f) \cdot x$$
and
$$(f)_\infty = \sum_{v_x(f) < 0} v_x(f^{-1}) \cdot x$$
are effective divisors. The divisor $(f)_0$ is called the divisor of zeros, and $(f)_\infty$ is called the divisor of poles of $f$.

Divisors of the form $(f)$ are called principal or linearly equivalent to zero. Principal divisors form a subgroup $P(X)$ in $\mathrm{Div}(X)$. There is an intrinsic isomorphism $P(X) \cong L^*/k^*$. If $D - D' \in P(X)$, then divisors $D$ and $D'$ are called linearly equivalent (or simply equivalent). In this case we write $D \sim D'$, and call $\{D' \in \mathrm{Div}(X) \mid D' \sim D\}$ the divisor class of $D$.

Theorem 4.13. If $f \in L = k(X)$ and $f \notin k$ then
$$\deg (f)_0 = \deg (f)_\infty = [L : k(f)].$$

Proof: See Chevalley [20, Ch. 1] or Stepanov [187, p. 176].

Corollary 4.14. The degree of a divisor of a rational function $f$ is zero.

Thus, $P(X) \subseteq \mathrm{Div}_0(X)$ and we can speak about the degree of equivalence classes of divisors. Factor groups $\mathrm{Pic}(X) = \mathrm{Div}(X)/P(X)$ and $\mathrm{Pic}_0(X) = \mathrm{Div}_0(X)/P(X)$ are called the divisor class group and divisor class group of degree zero, respectively. These groups play a crucial role in the theory of algebraic functions. We shall discuss the divisor class group later.

Finite Morphisms
Let $\varphi : X \to Y$ be a non-constant morphism of curves $X$ and $Y$. It is called the finite morphism and $X$ is called the covering of $Y$. In this connection we get an embedding $\varphi^* : k(Y) \hookrightarrow k(X)$. The degree of $k(X)$ over $k(Y)$ is called the degree of $\varphi$ and is denoted by $\deg \varphi$. If $k(X)$ is a separable extension of $k(Y)$ then the morphism $\varphi : X \to Y$ and the covering $X$ are also called separable.

Let $v_x$ be the discrete valuation associated to $x \in X$ and let $t$ be a local parameter at $y = \varphi(x) \in Y$. The morphism $\varphi$ also induces a homomorphism $\varphi^* : \mathcal{O}_y \to \mathcal{O}_x$ of valuation rings $\mathcal{O}_y$ and $\mathcal{O}_x$, and the number $e_x = v_x(\varphi^*(t))$ is called the ramification index of the finite morphism $\varphi$ at $x$. If $e_x > 1$ we say $\varphi$ is ramified at $x$, and that $y = \varphi(x)$ is a branch point and $x$ is a ramification point of $\varphi$. If $e_x = 1$, we say $\varphi$ is unramified at $x$ (see Fig. 4.1).

A finite morphism $\varphi : X \to Y$ induces a homomorphism $\varphi^* : \mathrm{Div}(Y) \to \mathrm{Div}(X)$ which is defined as follows. Set
$$\varphi^*(y) = \sum_{x \in X,\ \varphi(x) = y} e_x \cdot x$$
and observe that the sum is finite. Then we extend the definition of $\varphi^*(y)$ by linearity to all divisors of $Y$. The image $\varphi^*(D)$ of a divisor $D \in \mathrm{Div}(Y)$ is called the pullback of $D$. It is clear that $\varphi^*$ preserves the linear equivalence and hence induces a homomorphism $\mathrm{Pic}(Y) \to \mathrm{Pic}(X)$.

We can now deduce the following fact:

Theorem 4.15. Let $\varphi : X \to Y$ be a finite morphism of curves $X$ and $Y$. Then for any point $y \in Y$
$$\deg \varphi^*(y) = \deg \varphi,$$
and for any $D \in \mathrm{Div}(Y)$ we have
$$\deg \varphi^*(D) = (\deg D) \cdot (\deg \varphi).$$

[Figure 4.1: a point $x \in X$ and its image $y = \varphi(x) \in Y$.]

Corollary 4.16. The degree of a divisor of a rational function $f$ is zero.

Proof: Note that $f$ defines a morphism $\varphi : X \to \mathbb{P}^1$. We have $\varphi^*(0) = (f)_0$ and $\varphi^*(\infty) = (f)_\infty$, hence
$$\deg (f) = \deg (f)_0 - \deg (f)_\infty = \deg \varphi^*(0) - \deg \varphi^*(\infty) = 0.$$
This completes the proof.

Linear Systems
Let $D$ be a divisor on a curve $X$. Consider the following vector space over $k$:
$$L(D) = \{f \in L^* \mid (f) + D \ge 0\} \cup \{0\}.$$
In other words, if $D = -\sum_i a_i \cdot x_i + \sum_j a'_j \cdot x'_j$ where $a_i \ge 0$, $a'_j \ge 0$, we consider the space of all functions in the field $L = k(X)$ which have zeros of order at least $a_i$ at $x_i$ and that may have poles of order at most $a'_j$ at $x'_j$. The dimension $\dim_k L(D)$ of the space $L(D)$ over $k$ is denoted by $l(D)$.

Theorem 4.17. We have $L(D) = 0$ if $\deg D < 0$ and $l(D) \le \deg D + 1$ for $\deg D \ge 0$.

Proof: First we observe that if $D \sim D'$ then $L(D) \cong L(D')$ by $f \mapsto fg$ if $(g) = D - D'$. If $\deg D < 0$ then $\deg((f) + D) = \deg D < 0$ for any function $f \in L^*$, so $L(D) = \{0\}$. If $\deg D \ge 0$ then either $L(D) = \{0\}$ or there exists a divisor $D' \ge 0$ such that $D' \sim D$ (namely $D' = D + (f)$ for a function $f \ne 0$ in $L(D)$; see Theorem 4.12). Since $L(D) \cong L(D')$ we can replace $D$ by $D'$. Therefore we may assume that $D = \sum_{i=1}^{r} m_i \cdot x_i$ with $m_i \ge 0$. An element of $L(D)$ determines for each $i = 1, 2, \ldots, r$ an element of $t_{x_i}^{-m_i}\mathcal{O}_{x_i}/\mathcal{O}_{x_i}$, where $t_{x_i}$ is a local parameter at $x_i$. This gives a linear map
$$\lambda : L(D) \to \bigoplus_{i=1}^{r} t_{x_i}^{-m_i}\mathcal{O}_{x_i}/\mathcal{O}_{x_i}.$$
The kernel $\operatorname{Ker} \lambda$ of this map is $k$. Indeed, if $\lambda(f) = 0$ then $f \in \mathcal{O}_{x_i}$ for all $i = 1, 2, \ldots, r$ and $f$ is regular everywhere. But then $f$ is constant, so
$$l(D) \le 1 + \sum_{i=1}^{r} \dim_k t_{x_i}^{-m_i}\mathcal{O}_{x_i}/\mathcal{O}_{x_i} \le 1 + \sum_{i=1}^{r} m_i = 1 + \deg D.$$
This proves the theorem.
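On the projective line the bound of Theorem 4.17 is an equality, and both $(f)$ and $L(D)$ can be computed by hand or by machine. The following Python code is an added example, not taken from the book: it assumes $X = \mathbb{P}^1$ with the finite field $\mathbb{F}_5$ standing in for $k$ and divisors supported on $\mathbb{F}_5$-rational points and $\infty$; all function names are hypothetical.

```python
"""Divisors and L(D) on the projective line over F_P (added example)."""
from itertools import product

P = 5  # assumption: the prime field F_5 stands in for the field k


def poly_mul(f, g):
    """Product of two polynomials, coefficients listed low to high, mod P."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % P
    return out


def from_roots(roots):
    """Monic polynomial with the given roots (repeated for multiplicity)."""
    poly = [1]
    for r in roots:
        poly = poly_mul(poly, [(-r) % P, 1])
    return poly


def degree(poly):
    """Degree of a non-zero polynomial (high zero coefficients are ignored)."""
    return max(i for i, c in enumerate(poly) if c % P)


def valuation_at(poly, a):
    """v_a(poly): how often (t - a) divides a non-zero polynomial, found by
    repeated synthetic (Horner) division."""
    v = 0
    while True:
        acc, rows = 0, []
        for c in reversed(poly):
            acc = (acc * a + c) % P
            rows.append(acc)
        if rows.pop() != 0:          # the last Horner value is the remainder
            return v
        poly, v = rows[::-1], v + 1  # the rest is the quotient, high to low


def divisor_of(num, den, points):
    """Coefficients of (f), f = num/den, at the given affine points and at
    infinity, where v_inf(f) = deg(den) - deg(num)."""
    div = {a: valuation_at(num, a) - valuation_at(den, a) for a in points}
    div["inf"] = degree(den) - degree(num)
    return div


def l_of(D):
    """l(D) = dim L(D) for D = {point: coefficient}, points in F_P or "inf".

    Every f in L(D) is regular away from the points where D is positive, so
    f = N / den with den the product of (t - a)^(a_x) over those points, and
    v_inf(f) >= -D["inf"] bounds deg N.  All such N are enumerated and the
    condition (f) + D >= 0 is tested on the support of D.
    """
    affine = [a for a in D if a != "inf"]
    den = from_roots([a for a in affine for _ in range(max(D[a], 0))])
    max_deg = degree(den) + D.get("inf", 0)
    count = 1  # the zero function always belongs to L(D)
    for N in product(range(P), repeat=max(max_deg + 1, 0)):
        if not any(N):
            continue
        f = divisor_of(list(N), den, affine)
        if all(f[x] + D.get(x, 0) >= 0 for x in f):
            count += 1
    dim = 0
    while P ** dim < count:          # L(D) has exactly P**dim elements
        dim += 1
    return dim
```

For the constructed function $f = (t-1)^2(t-3)/\bigl(t(t-2)^3\bigr)$ the coefficients of $(f)$ sum to zero, as in Corollary 4.16, and `l_of` returns $\deg D + 1$ for every divisor of non-negative degree tried.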


The projective space $\mathbb{P}(L(D))$ is denoted $|D|$. By associating
$$f \mapsto (f) + D$$
we get a bijection
$$|D| \to \{D' \in \mathrm{Div}(X) \mid D' \sim D,\ D' \ge 0\}.$$
The projective space $|D|$ is called the complete linear system associated to $D$. A projective linear subspace of $|D|$ is called a linear system. Recall that if $D \sim D'$ then $L(D)$ is isomorphic to $L(D')$ via $f \mapsto fg$ with $(g) = D - D'$.

Linear systems on curves are important because of their close relations with morphisms. Let $M \subseteq L(D)$ be a non-zero linear subspace. Choose a basis $f_0, f_1, \ldots, f_n$ of $M$. Then we can define a rational map $X \to \mathbb{P}^n$ by $x \mapsto (f_0(x) : f_1(x) : \cdots : f_n(x))$. This is a morphism by Theorem 4.10. Conversely, let $\varphi : X \to \mathbb{P}^n$ be a morphism such that the image is not contained in a hyperplane. Any hyperplane $H$ in $\mathbb{P}^n$ cuts out a divisor on $X$. All these divisors are linearly equivalent.

Jacobian of a Curve
Let $G$ be a quasi-projective variety which at the same time is a group. Then $G$ is called an algebraic group if and only if the maps
$$\varphi : G \times G \to G, \qquad (g, g') \mapsto g \cdot g',$$
and
$$\psi : G \to G,$$
are morphisms. It is easy to see that every algebraic group is a smooth algebraic variety.

If $G$ is an algebraic group and a projective variety then $G$ is called an abelian variety. An abelian variety is a commutative group. If $X$ and $Y$ are abelian varieties which are isomorphic as varieties then they are also isomorphic as algebraic groups.

When $X$ is a plane cubic curve, the factor group $\mathrm{Pic}_0(X) = \mathrm{Div}_0(X)/P(X)$ is a one-dimensional abelian variety. The group law on $X$ can be defined starting out from the study of $\mathrm{Pic}_0(X)$ (see Section 4.4 below and Section 7.1). This example is typical of a much more general situation. Starting from an arbitrary smooth projective curve $X$, we can construct an abelian variety whose group of points is isomorphic to $\mathrm{Pic}_0(X)$.

Theorem 4.18. For any smooth projective curve $X$ there exists a unique abelian variety $J_X$ such that

(i) $J_X$ is isomorphic to $\mathrm{Pic}_0(X)$ as a group;

(ii) the map
$$j_0 : X \to J_X, \qquad x \mapsto x - x_0,$$
is a morphism for every point $x_0 \in X$;

(iii) for any morphism $\varphi : X \to Y$ from $X$ to an abelian variety $Y$ such that $\varphi(x_0)$ is the neutral element of $Y$ there exists a morphism of abelian varieties $\psi : J_X \to Y$, with $\varphi = \psi \circ j_0$.

The abelian variety $J_X$ is called the Jacobian of $X$. The dimension of the Jacobian is called the genus of $X$ and is denoted $g(X)$. One can show that this definition coincides with the definition of genus in terms of differential forms given in the next section. For $k = \mathbb{C}$ it also coincides with the topological definition of genus.

It should be noted that any curve which is not isomorphic to $\mathbb{P}^1$ can be embedded into its Jacobian.

Theorem 4.19. If $j_0 : X \to J_X$ is not bijective then $X \simeq \mathbb{P}^1$.

Proof: If $j_0$ is not injective then there exist $x, y \in X$, $x \ne y$, such that $x = y + (f)$ for some $f \in k(X)$, $f \notin k$. Consider $f$ as a morphism $f : X \to \mathbb{P}^1$. Since $(f) = x - y$ we have $(f)_0 = x$ and by Theorem 4.15 $\deg f = 1$. Hence $f$ is an isomorphism. •

4.4. THE RIEMANN-ROCH THEOREM

There is a variety of questions concerning the geometry of algebraic curves which are reduced to the study of $l(D) = \dim L(D)$ for various divisors $D$. An explicit determination of the dimension $l(D)$ of the vector space $L(D)$ is known as the Riemann-Roch problem. The famous Riemann-Roch theorem gives a partial answer to this problem.

Differential Forms
Let $X$ be an affine variety over $k$. We define a $k[X]$-module $\Omega[X]$ as follows: it is generated by elements $df$, $f \in k[X]$, satisfying the relations: $d(f + g) = df + dg$, $d(fg) = df \cdot g + f \cdot dg$ and $da = 0$ for all $a \in k$. The elements of $\Omega[X]$ are called regular differential forms.

Now let $X$ be a quasi-projective variety. Consider a family $\{U_i, \omega_i\}$ of pairs $(U_i, \omega_i)$, where $U_i$ are affine open sets ensuring an open covering of $X$ and $\omega_i \in \Omega[U_i]$ are regular differential forms such that $\omega_i = \omega_j$ on the intersections $U_i \cap U_j$. Define an equivalence relation on the set of all $\{U_i, \omega_i\}$ by
$$\{U_i, \omega_i\} \sim \{U'_j, \omega'_j\} \quad \text{if and only if} \quad \omega_i = \omega'_j \text{ on all } U_i \cap U'_j.$$
An equivalence class of $\{U_i, \omega_i\}$ is called a regular differential form on $X$. For an affine variety this yields the same as before. We denote it again by $\Omega[X]$.

We can view a regular differential form as a rule which associates to each point $x \in X$ a linear function on the tangent space $\Theta_x = \mathrm{Hom}_k(\mathfrak{m}_x/\mathfrak{m}_x^2, k)$. In fact, if $X$ is affine and $f \in \mathcal{O}_x$, then let $d_x f$ be the image of $f - f(x) \in \mathfrak{m}_x$ in $\mathfrak{m}_x/\mathfrak{m}_x^2$. Then $x \mapsto d_x f$ is such a rule defined by $df$. In this case $d_x f$ is called the differential of $f$ at $x$.

If $X \subset \mathbb{P}^n$ is a smooth projective curve, we have the following result:
Proposition 4.20. Let $x \in X$ and let $t = t_x$ be a local parameter at $x$. Then there exists an open neighborhood $U$ of $x$ such that $\Omega[U] = k[U] \cdot dt$.

Proof: Note at first that for every $F \in k[T_1, \ldots, T_n]$ and any $f_1, \ldots, f_n \in k[U]$ one has
$$d(F(f_1, \ldots, f_n)) = \sum_{i=1}^{n} \frac{\partial F}{\partial T_i}(f_1, \ldots, f_n)\, df_i.$$
Now let $V \subset \mathbb{A}^n$ be an open neighborhood of $x$ which is an affine curve and let $F_1, \ldots, F_m \in k[T_1, \ldots, T_n]$ be a basis of the ideal $\mathfrak{a}(V)$. Since $F_i$ vanishes on $V$ for each $i = 1, 2, \ldots, m$ we have
$$\sum_{j=1}^{n} \frac{\partial F_i}{\partial T_j} \cdot dt_j = 0, \qquad 1 \le i \le m,$$
where $t_j \equiv T_j \bmod \mathfrak{a}(V)$ and $t_j \in k[V]$. Whenever $x$ is a non-singular point, the rank of the matrix
$$\left(\frac{\partial F_i}{\partial T_j}(x)\right)$$
equals $n - 1$. Without loss of generality we can assume that $t = t_1$. One can express $dt_j$, $2 \le j \le n$, using the above system, $dt_j = f_j\, dt$, $f_j$ being rational functions regular at $x$. Let $U$ be an open subset in $V$ such that $f_j \in k[U]$ for all $j = 1, 2, \ldots, m$. Since one can express each $\omega \in \Omega[U]$ in $dt_1, \ldots, dt_n$ and hence in $dt$, we find that $\Omega[U] = k[U] \cdot dt$. •

Corollary 4.21. Let $\omega \in \Omega[U]$. Then the set $V(\omega)$ of zeros of $\omega$ is closed in $U$.

In analogy with the definition of rational functions on a quasi-projective variety $X$ we can define the concept of a rational differential form: consider pairs $(U, \omega)$ with $U$ a non-empty open subset of $X$ and $\omega$ a regular differential form on $U$, and then define an equivalence relation
$$(U, \omega) \sim (U', \omega') \quad \text{if and only if} \quad \omega = \omega' \text{ on } U \cap U'.$$
A rational differential form is an equivalence class under the equivalence relation. The set of rational differential forms on $X$ is denoted by $\Omega(X)$; clearly $\Omega(X)$ is a $k(X)$-module. For an affine variety $X$ we find that the $k(X)$-module of rational differential forms equals $k(X) \cdot \Omega[X]$. It is generated by elements $df$ with $f \in k(X)$.

If $X$ is a smooth projective curve, Proposition 4.20 implies

Theorem 4.22. Let $L = k(X)$ be the function field of a curve $X$. Then
$$\dim_L \Omega(X) = 1.$$

Canonical Class
Let $\omega$ be a rational differential form on a smooth curve $X$. We can write near a point $x \in X$ the form $\omega$ as $\omega = f\, dt$ with $f = f_x$ a rational function and $t = t_x$ a local parameter. We can now define the divisor of the differential form $\omega$ by

where $v_x$ is the discrete valuation of $L = k(X)$ associated to $x \in X$. The divisor class of a rational differential form on $X$ is called the canonical divisor class of $X$ and is denoted by $W$. The canonical divisor class is well-defined because the quotient of two rational differential forms is a rational function on $X$. A representative divisor $(\omega)$ is called canonical and is denoted by $K_X$ (or simply $K$).

We can interpret the space $L(K)$ as the space of differential forms: by associating to $f \in L(K)$ the regular differential form $f\omega$ we get an isomorphism of $k$-vector spaces between $L(K)$ and the space $\Omega[X]$ of regular differential forms on $X$.

Let, for example, $X = \mathbb{P}^1$ and let $\omega = dt$, $t$ being a coordinate on $\mathbb{P}^1$. Let $u = t^{-1}$, and let
$$U' = \{x \in \mathbb{P}^1 \mid t \ne 0\}$$
so that $\mathbb{P}^1 = U \cup U'$. Then $t - t(x)$ is a local parameter at any $x \in U$ and $u - u(y)$ is a local parameter at any $y \in U'$. In $U$ we have $\omega = d(u^{-1}) = -u^{-2}\, du$. Then $(\omega) = -2x_\infty$, where $x_\infty$ is a point of $\mathbb{P}^1$ with $u(x_\infty) = 0$. Therefore, in this case the canonical class $W$ consists of divisors of degree $-2$.

If $X$ is a smooth projective curve defined over $k$ then the dimension $l(K) = \dim_k L(K)$ is called the genus of $X$ and is denoted by $g(X)$ (or simply $g$).

Residues
Let $\omega \in \Omega(X)$, $t$ be a local parameter at $x \in X$, and $\omega = f \cdot dt$ for $f \in L = k(X)$. Expanding $f$ into Laurent power series in $t$ we obtain
$$f = \sum_{i=-N}^{\infty} a_i t^i.$$
We call the coefficient $a_{-1}$ the residue of $\omega$ at $x$ and denote it by $\mathrm{Res}_x(\omega)$. The basic properties of residues can be summed up as follows:

Proposition 4.23. We have

(i) $\mathrm{Res}_x(\omega)$ does not depend on the choice of local parameter $t = t_x$;

(ii) $\mathrm{Res}_x(\omega)$ is a $k$-linear functional on $\Omega(X)$;

(iii) if $\omega$ is regular at $x$ then $\mathrm{Res}_x(\omega) = 0$;

(iv) $\mathrm{Res}_x(df) = 0$ for any $f \in L^*$;

(v) $\mathrm{Res}_x(df/f) = v_x(f)$ for any $f \in L^*$.

Proof: Properties (ii), (iii) and (iv) are clear. To prove (v) we write $f = t^n g$ with $v_x(g) = 0$. Then $df/f = n\, dt/t + dg/g$, where $dg/g$ is regular at $x$, and hence $\mathrm{Res}_x(df/f) = n$.

We shall prove the property (i) only in the case when the characteristic of $k$ is zero (the case of a positive characteristic requires some additional considerations). Let us write
$$\omega = \sum_{\nu \ge 1} a_\nu\, dt/t^{\nu} + \omega',$$
$\omega'$ being regular at $x$. If $u$ is another local parameter at $x$, we denote by $\mathrm{Res}_x^{u}(\omega)$ the residue of $\omega$ at $x$ which corresponds to $u$. By the properties (ii) and (iii) we have
$$\mathrm{Res}_x^{u}(\omega) = \sum_{\nu \ge 1} a_\nu\, \mathrm{Res}_x^{u}(dt/t^{\nu}).$$
For every $\nu > 1$, the rational function $g_\nu(t) = -t^{-(\nu-1)}/(\nu - 1)$ lies in $L^*$, and since $dt/t^{\nu} = dg_\nu(t)$, we deduce from (iv) that $\mathrm{Res}_x^{u}(dt/t^{\nu}) = \mathrm{Res}_x^{u}(dg_\nu) = 0$. Hence $\mathrm{Res}_x^{u}(\omega) = a_1 = \mathrm{Res}_x(\omega)$, by the property (v). •
One of the basic results in the theory of algebraic curves is the following theorem:

Theorem 4.24 (the residue formula). If $\omega$ is a rational differential form on a smooth projective curve $X$, then

Proof: Note that the last formula makes sense since $\mathrm{Res}_x(\omega) = 0$ for all but a finite number of points $x \in X$. The idea of the proof is to check the above formula on $\mathbb{P}^1$ and then represent a curve as a branched covering of $\mathbb{P}^1$ and to check what happens under a morphism (for details see Serre [165, Ch. 2], and also Lang [109, Ch. 1], and Stepanov [187, p. 202]). •

The Riemann-Roch Theorem


Let $R = R(X)$ be the algebra of repartitions on a curve $X$; elements of $R$ are families $\{r_x\}_{x \in X}$, $r_x \in L = k(X)$, such that $r_x \in \mathcal{O}_x$ for almost all $x \in X$ (for all but finitely many $x$). Let $D = \sum a_x \cdot x$ be a divisor on $X$. Denote by $R(D)$ the set of repartitions $r = \{r_x\}_{x \in X}$ such that $v_x(r_x) \ge -a_x$ for any $x \in X$. If $f \in L$, we have $f \in \mathcal{O}_x$ for almost all $x \in X$, so that $L = k(X)$ is a subalgebra of $R(X)$. Consider the $k$-vector space
$$I(D) = R/(R(D) + L).$$
We shall see below that $I(D)$ is finite-dimensional. Let
$$i(D) = \dim_k I(D).$$
For every $D \in \mathrm{Div}(X)$ we define the space $\Omega(D)$ as
$$\Omega(D) = \{\omega \in \Omega(X) \setminus \{0\} \mid (\omega) + D \ge 0\} \cup \{0\}.$$
From this definition it is clear that $\Omega(D) \cong L(K + D)$. In particular, $\Omega(D)$ is finite-dimensional for each $D \in \mathrm{Div}(X)$.

Now we define the pairing $\langle \omega, r \rangle$ as follows:
$$\Omega(X) \times R \to k, \qquad \langle \omega, r \rangle = \sum_{x \in X} \mathrm{Res}_x(r_x \cdot \omega).$$
It is easy to check that:

(i) if $r \in L \subset R$ then $\langle \omega, r \rangle = 0$;

(ii) $\langle \omega, r \rangle = 0$ for $\omega \in \Omega(-D)$ and $r \in R(D)$;

(iii) $\langle f\omega, r \rangle = \langle \omega, fr \rangle$ for any $f \in L = k(X)$.

If $\omega \in \Omega(-D)$ then the map $r \mapsto \langle \omega, r \rangle$ defines a linear functional $\theta(\omega)$ on the space $I(D)$.

Theorem 4.25 (the duality theorem). The map $\omega \mapsto \theta(\omega)$ defines an isomorphism of $\Omega(-D)$ onto the space dual to $I(D)$.
Now we give a preliminary version of the Riemann-Roch theorem:

Theorem 4.26. For any $D \in \mathrm{Div}(X)$
$$l(D) - i(D) = \deg D - g + 1.$$

Proof: For $D = 0$ the statement follows from the previous theorem. Now it is sufficient to prove that the theorem is valid for $D$ if and only if it is valid for $D' = D + x$, $x$ being an arbitrary point of $X$. Indeed, every divisor can be obtained from the trivial one by addition and subtraction of points. We have
$$\deg D' - g + 1 = (\deg D - g + 1) + 1.$$
Therefore one has to show that
$$l(D') - i(D') = (l(D) - i(D)) + 1.$$
In fact, we shall prove that either $l(D') = l(D)$ and $i(D') = i(D) - 1$, or $l(D') = l(D) + 1$ and $i(D') = i(D)$.

To begin with, we note that the argument in the proof of Theorem 4.17 shows that $l(D')$ equals either $l(D)$ or $l(D) + 1$. Since $\dim R(D')/R(D) = 1$ it is clear that $i(D')$ equals either $i(D)$ or $i(D) - 1$. From the definition of $I(D)$ and $I(D')$ it follows that the sequences
$$0 \to R(D) + L \to R \to I(D) \to 0,$$
$$0 \to R(D') + L \to R \to I(D') \to 0$$
are exact (recall that a sequence of abelian groups $0 \to A \xrightarrow{\varphi} B \xrightarrow{\psi} C \to 0$ is exact if and only if $\varphi$ is injective, $\psi$ is surjective and $\operatorname{Im} \varphi = \operatorname{Ker} \psi$, i.e., $\psi$ induces an isomorphism $B/\varphi(A) \xrightarrow{\sim} C$). In that case, the sequences
$$0 \to (R(D) + L)/L \to R/L \to I(D) \to 0,$$
$$0 \to (R(D') + L)/L \to R/L \to I(D') \to 0$$
are also exact. Using the Noether isomorphism theorem, which is valid for any two subgroups of an abelian group, we obtain $(R(D) + L)/L \cong R(D)/(R(D) \cap L)$, and taking into account that $L(D) = R(D) \cap L$ for every $D \in \mathrm{Div}(X)$ we get the exact sequences
$$0 \to R(D)/L(D) \to R/L \to I(D) \to 0,$$
$$0 \to R(D')/L(D') \to R/L \to I(D') \to 0.$$
Since $\dim R(D)/R(D') = 1$, we deduce now that $l(D) = l(D')$ implies $i(D') = i(D) - 1$ and $l(D) = l(D') + 1$ implies $i(D') = i(D)$. •
From Theorem 4.25 and Theorem 4.26 we get the following famous theorem of Riemann-Roch (see also Chevalley [20, Ch. 1], Fulton [47], Hartshorne [73, Ch. 4], Lang [109, Ch. 1], Serre [165, Ch. 2] and Stepanov [187, Ch. 4]):

Theorem 4.27 (the Riemann-Roch theorem). Let $D$ be a divisor on a smooth projective curve $X$ of genus $g$ and let $K$ be a canonical divisor. Then
$$l(D) - l(K - D) = \deg D - g + 1.$$

Since the functions $\deg D$ and $l(D)$ are functions on the divisor class group $\mathrm{Pic}(X)$ we can also give the following version of this theorem:

Theorem 4.28. Let $C$ be a divisor class of a smooth projective curve $X$ of genus $g$ and let $W$ be the canonical divisor class. Then
$$l(C) - l(W - C) = \deg C - g + 1.$$

Corollary 4.29. We have

(i) $\deg K = 2g - 2$;

(ii) $l(K - D) = g - 1 - \deg D$ for $\deg D < 0$;

(iii) $l(D) = \deg D - g + 1$ for $\deg D > 2g - 2$;

(iv) $l(D) = g - 1$ if $D \ne K$ and $\deg D = 2g - 2$.

Proof: It is sufficient to prove (i). Take $D = K$. Then we find
$$l(K) - l(0) = \deg K + 1 - g.$$
But by definition $l(K) = \dim_k L(K) = g$ and since everywhere regular functions are constant, we have $l(0) = 1$. •
Example 4.1. A curve $X$ is called elliptic if $g(X) = 1$. On an elliptic curve, the canonical divisor $K$ has degree 0. On the other hand, $l(K) = 1$, so from the Riemann-Roch theorem we conclude that $K \sim 0$.

Let $x_0$ be a point of an elliptic curve $X$. Then the map $x \mapsto c_x$, $c_x$ being the divisor class of degree zero containing $x - x_0$, gives a one-to-one correspondence between the set of points of $X$ and the elements of the group $\mathrm{Pic}_0(X)$. Thus we get a group structure (with $x_0$ as identity) on the set of points of $X$.

To see this it will be enough to show that if $D$ is any divisor of degree 0, then there exists a unique point $x \in X$ such that $D \sim x - x_0$. We apply Riemann-Roch to $D + x_0$ and obtain
$$l(D + x_0) - l(K - D - x_0) = 1.$$
Now $\deg K = 0$, so $\deg(K - D - x_0) = -1$, and hence $l(K - D - x_0) = 0$. Therefore, $l(D + x_0) = 1$. In other words, $\dim |D + x_0| = 0$. This means that there is a unique effective divisor linearly equivalent to $D + x_0$. Since the degree is 1, it must be a single point $x$. Thus we have shown that there is a unique point $x \sim D + x_0$, i.e., $D \sim x - x_0$.

Embedding into Projective Spaces


The Riemann-Roch theorem makes it possible in many cases to prove that the map $\varphi : X \to \mathbb{P}^{g-1}$ defined by a complete linear system $|K|$ is an embedding, i.e., $\varphi$ gives an isomorphism of $X$ onto its image in $\mathbb{P}^{g-1}$.

First we observe that if $D = x$ is a divisor of degree 1 then $l(D) \le 1$ unless $g = 0$. Indeed, if $l(D) \ge 2$ we take $f, g$ linearly independent from $L(D)$. Then $x \mapsto (f(x) : g(x))$ gives a morphism of $X$ to $\mathbb{P}^1$ which is an isomorphism since any non-zero function from $L(D)$ has only one zero and only one pole. This implies by Theorem 4.15 that the degree of the morphism is one, i.e., $k(X) \simeq k(\mathbb{P}^1)$.

Now let $X$ be a smooth projective curve of genus $g \ge 2$. The functions in $L(K)$, with $K$ a canonical divisor, form a $g$-dimensional vector space and define a morphism:
$$\varphi : X \to \mathbb{P}^{g-1}, \qquad x \mapsto (f_1(x) : \ldots : f_g(x)),$$
with the $f_i$ a basis of $L(K)$. In fact, by the Riemann-Roch theorem we can check that always one of the $f_i(x)$ is non-zero: $l(K - x) - l(x) = g - 2$ and $l(x) = 1$ as was noted above. So $l(K - x) = g - 1$. We find a well-defined morphism. Of course, it depends upon the choice of a basis. If $f'_i$ is another basis and if $\varphi'$ is the associated morphism then $\varphi' = \varphi \cdot \alpha$ with $\alpha$ an automorphism of $\mathbb{P}^{g-1}$. Despite this element of choice, the morphism $\varphi$ is called the canonical map. Suppose that $\varphi$ identifies two different points, say $x'$ and $x''$. Then $l(K - x') = l(K - x' - x'') = g - 1$. By the Riemann-Roch theorem
$$l(K - x' - x'') - l(x' + x'') = g - 3,$$
hence $l(x' + x'') = 2$. Then $L(x' + x'')$ defines a morphism of degree 2 on $\mathbb{P}^1$. A curve which admits a morphism of degree 2 onto $\mathbb{P}^1$ is called hyperelliptic. In fact, by also applying the argument above for $x' = x''$ we find that if $X$ is not hyperelliptic then $\varphi$ is an embedding.

As an example, take a curve of genus 3 which is not hyperelliptic. Then its image under the canonical map is a non-singular curve of degree 4 in $\mathbb{P}^2$.

This construction can be extended as follows: consider a morphism
$$\varphi : X \to \mathbb{P}^n, \qquad x \mapsto (f_0(x) : f_1(x) : \ldots : f_n(x)),$$
defined by a complete linear system $|D|$ of dimension $n$.
Proposition 4.30. Let $D$ be a divisor on $X$ such that for any $x, y \in X$
$$l(D - x - y) = l(D) - 2.$$
Then $\varphi : X \to \mathbb{P}^n$ is an embedding.

Proof: For $x \ne y$ the above equality implies $\varphi(x) \ne \varphi(y)$, i.e., $\varphi$ is injective. For $x = y$ it implies that the induced homomorphism $\varphi^* : \mathcal{O}_{x'} \to \mathcal{O}_x$ defines an isomorphism of $\mathfrak{m}_{x'}/\mathfrak{m}_{x'}^2$ onto $\mathfrak{m}_x/\mathfrak{m}_x^2$, where $x' = \varphi(x)$. Thus $\varphi$ is an injection which induces isomorphism of all tangent spaces. Every such injection is an embedding. Indeed, the injectivity of $\varphi$ implies that $\deg \varphi = 1$. Hence there exists an inverse rational map $\varphi^{-1} : Y = \varphi(X) \to X$. Since the map

is an isomorphism for any $x$, the curve $Y$ is smooth and hence $\varphi$ is an embedding. •

Corollary 4.31. If $\deg D > 2g$ then $\varphi$ is an embedding of $X$ into $\mathbb{P}^n$.

4.5. HURWITZ AND PLÜCKER GENUS FORMULAS

In view of the Riemann-Roch theorem it is important to be able to determine the genus of a curve.

The Hurwitz Genus Formula

Let $\varphi : X \to Y$ be a finite morphism of smooth projective curves. The Hurwitz genus formula gives an expression of $g(X)$ in terms of $g(Y)$. Let us consider the field extension $k(X)/\varphi^*(k(Y))$, and denote by $L'$ the maximal subfield of $L = k(X)$ that is separable over $\varphi^*(k(Y))$, so that $\varphi^*(k(Y)) \subseteq L' \subseteq L$. In that case there exists a smooth projective curve $X'$ such that $k(X') = L'$. Therefore the morphism $\varphi$ can be decomposed as

where $\varphi'$ is purely inseparable and $\varphi''$ is separable. Let us show that $g(X) = g(X')$. We need the following definition. Let $X$ be a smooth projective curve over a field $k$ of positive characteristic $p > 0$. Denote by $\overline{L}$ the algebraic closure of $L$ and by $L_p = L^{1/p}$ the field
$$L_p = \{f \in \overline{L} \mid f^p \in L\}.$$
There exists a unique smooth projective curve $X_p$ with $L_p = k(X_p)$ and the inclusion $L \subset L_p$ defines a morphism $\varphi_p : X_p \to X$ which is called the Frobenius morphism. Since the transcendence degree of $L$ equals 1, then $\deg \varphi_p = p$.

Proposition 4.32. Let $\varphi : X \to Y$ be a non-constant purely inseparable morphism. Then $g(X) = g(Y)$.

Proof: Let $\deg \varphi = p^m$. By induction one can assume that $m = 1$. In this case $k(X) \subseteq \varphi^*(k(Y)^{1/p})$ and since $[k(X) : \varphi^*(k(Y))] = p$, the morphism $\varphi$ coincides with $\varphi_p$ and $X = Y_p$. Let us show that the dimension of $\Omega[Y]$ over $k$ is equal to the dimension of $\Omega[Y_p]$. Indeed, let $\omega = f\, dg \in \Omega[Y]$ and consider $\omega' = f'\, dg'$, where $f'$ and $g'$ are obtained from $f$ and $g$ by raising all their coefficients to the $p$th power. Then $\omega' = f'\, dg' \in \Omega[Y_p]$. Conversely, for $\omega' = f'\, dg' \in \Omega[Y_p]$, the form $\omega = f\, dg$ lies in $\Omega[Y]$ (here $f$ and $g$ are obtained from $f'$ and $g'$ by extracting the $p$th power root from all their coefficients). •
By this proposition, computation of $g(X)$ is reduced to the case when $\varphi$ is separable. Let $\varphi : X \to Y$ be a finite separable morphism of smooth projective curves, let $x \in X$, $\varphi(x) = y$, and let $t_x$ and $t_y$ be local parameters at $x$ and $y$, respectively. Then $\varphi^*(dt_y) = g\, dt_x$ for some $g \in \mathcal{O}_x$. Let $v_x(g) = a_x$ and let
$$D_\varphi = \sum a_x \cdot x \in \mathrm{Div}(X).$$
The divisor is called the ramification divisor of $\varphi$ (note that $a_x \ne 0$ only for a finite number of ramification points $x$ of $\varphi$).

Theorem 4.33. Let $\varphi : X \to Y$ be a separable finite morphism of degree $n$. Then
$$2g(X) - 2 = n(2g(Y) - 2) + \deg D_\varphi.$$

Proof: By Theorem 4.15 it is sufficient to show that $K_X = \varphi^* K_Y + D_\varphi$. Let $\omega \in \Omega(Y) \setminus \{0\}$ be such that $\operatorname{Supp}(\omega)$ is disjoint from the finite set where $\varphi$ is ramified. Let us find the divisor $K_X = (\varphi^*(\omega))$. If $\varphi$ is unramified at $y \in Y$ and $\omega = h\, dt_y$ then $\varphi^*(t_y)$ is a local parameter at any $x \in X$ with $\varphi(x) = y$, hence $K_X = \varphi^* K_Y$ on $U = X \setminus \operatorname{Supp} D_\varphi$. Now if $\varphi$ is ramified at $y \in Y$ then $\omega = h\, dt_y$ with $v_y(h) = 0$, and if $\varphi^*(dt_y) = g\, dt_x$ then $v_x(\varphi^*(\omega)) = v_x(g) = a_x$, since $v_x(\varphi^*(h)) = 0$. •

A morphism $\varphi : X \to Y$ is called tamely ramified if and only if $p \nmid e_x$ for all $x \in X$ (here $p = \operatorname{char} k$).

Corollary 4.34 (the Hurwitz genus formula). Let a morphism $\varphi : X \to Y$ of degree $n$ be separable, non-constant and tamely ramified. Then
$$2g(X) - 2 = n(2g(Y) - 2) + \sum_{x \in X} (e_x - 1).$$

Proof: It is sufficient to show that
$$\deg D_\varphi = \sum_{x \in X} (e_x - 1),$$
provided $\varphi$ is tamely ramified. Indeed, if $\varphi^*(t_y) = g\, t_x^{e_x}$ with $v_x(g) = 0$ then

and since $e_x \ne 0$ in $k$ we obtain the above formula. •

Note that for $p = \operatorname{char} k = 0$ any morphism $\varphi$ is separable and tamely ramified. A form of the Hurwitz genus formula which follows is of particular interest:

Corollary 4.35. Let $\varphi : X \to \mathbb{P}^1$ be a non-constant morphism of degree $n$ which is tamely ramified. Then
Example 4.2. Let $k = \overline{\mathbb{F}}_2$ be an algebraic closure of $\mathbb{F}_2$, $Y = \mathbb{P}^1$ and $X$ the non-singular projective curve defined by the function field $k(u, z)$ with $z^2 + z = u^5 + 1$. We have an involution $z \mapsto z + 1$ on $k(X)$ with fixed field $k(u) = k(\mathbb{P}^1)$. The field extension $k(u, z)/k(u)$ corresponds to a morphism $\varphi : X \to Y$ of degree 2. Restricting $X$ to the affine part $\mathbb{A}^1$ with $u$ as coordinate we can give $X$ by the affine equation $z^2 + z = u^5 + 1$ and $\varphi$ by $(u, z) \mapsto u$. No point of $\mathbb{A}^1$ is a branch point. The inverse image of $y_\infty = (1 : 0) \in \mathbb{P}^1$ is the point $x_\infty$ which corresponds to the discrete valuation $v_{x_\infty}$ with $v_{x_\infty}(u) = -2$ and $v_{x_\infty}(z) = -5$. A local parameter $t$ at $y_\infty$ is $t = 1/u$; at $x_\infty$ it is $s = u^2/z$. We have $d(z^2 + z) = d(u^5 + 1)$, which gives $dz = u^4\, du$. Since $v_{x_\infty}(u^2/z) = 1$, $v_{x_\infty}(d(u^2/z)) = 0$ we find $v_{x_\infty}(dz) = -6$, $v_{x_\infty}(du) = 2$. Therefore

Moreover, $a_x = 0$ for all other points $x \in X$. We find
$$g(X) = 2(-2) + 6 = 2.$$
A basis for the two-dimensional space of regular differential forms is $du$, $u\, du$.

The Plücker Genus Formula

Now let $X$ be a non-singular plane curve of degree $m$ in $\mathbb{P}^2$ given by the equation $F(u_0 : u_1 : u_2) = 0$. Let $u = u_1/u_0$, $v = u_2/u_0$ be coordinates on $\mathbb{A}^2 \subset \mathbb{P}^2$, and let $G(u, v) = F(1 : u : v) = 0$ be the equation of the affine curve $X' = X \cap \mathbb{A}^2$. Then we can define regular differential forms on $X$ (in affine coordinates $u, v$) by
$$\omega = H\, du/G'_v = -H\, dv/G'_u,$$
where $H \in k[u, v]$ is an arbitrary polynomial of degree at most $m - 3$ (note that we have $G'_u\, du + G'_v\, dv = 0$). Working out the expression for $\omega$ in the other affine parts of $\mathbb{P}^2$ one sees that the condition $\deg H \le m - 3$ is necessary and sufficient in order that the form $\omega$ be regular there. The dimension of the space of such polynomials $H$ is
$$\binom{m-1}{2} = \frac{(m-1)(m-2)}{2}.$$
Hence the dimension $\dim_k \Omega[X]$ of the space
$$\Omega[X] = \{H\, du/G'_v \mid H \in k[u, v],\ \deg H \le m - 3\}$$
is $(m-1)(m-2)/2$, and we get the well-known Plücker genus formula
$$g = \frac{1}{2}(m-1)(m-2)$$
(since $\dim_k \Omega[X] = g(X) = g$). The integer $g$ is a birational invariant, hence the Plücker genus formula shows us that non-singular plane projective curves of different degrees $m, m' \ge 3$ are not birational to each other.

4.6. SPECIAL DIVISORS

We call a divisor $D \in \mathrm{Div}(X)$ special if and only if $l(K - D) > 0$. It is easy to see that $D$ is special if and only if $D - K \sim D'$ for an effective $D'$. Moreover, every divisor of degree at least $2g - 1$ is non-special and every divisor of degree at most $g - 2$ is special. One can show that for any divisor $D$ and $D'$
$$l(D + D') \ge l(D) + l(D') - 1,$$
i.e.,
$$\dim |D| + \dim |D'| \le \dim |D + D'|.$$

Theorem 4.36 (the Clifford theorem). For any special effective divisor $D$
$$\dim |D| \le \tfrac{1}{2} \deg D.$$

Proof: The divisor $D' = K - D$ is equivalent to an effective divisor and hence we have
$$\dim |D| + \dim |K - D| \le \dim |K| = g - 1.$$
By the Riemann-Roch theorem
$$\dim |D| - \dim |K - D| = \deg D + 1 - g.$$
Adding these formulas we obtain the desired result.



Weierstrass Points
The simplest example of an effective divisor is $D = a \cdot x$, $x \in X$, $a \ge 1$. Considering
divisors of such a form it is possible to define Weierstrass points which play an
essential role in the theory of algebraic curves.
Let $x \in X$, $g = g(X) \ge 2$ and let $a \ge 1$ be an integer. We call $a$ a gap at $x$ if
$l(a \cdot x) = l((a - 1) \cdot x)$ and a non-gap if that is not the case. In other words $a$ is a
non-gap at $x$ if and only if there exists $f \in k(X)$ having a pole of order $a$ at $x$ and
being regular outside $x$. If such $f$ does not exist then $a$ is a gap at $x$.
It is easy to show that:
(i) if $a$ and $a'$ are non-gaps at $x$ then $a + a'$ is also a non-gap;
(ii) the number 1 is a gap at $x$;
(iii) the number of gaps at $x$ equals $g$;
(iv) if $a \ge 2g$ then $a$ is a non-gap at $x$.
Define the Weierstrass gap-sequence $G_x$ at $x$ as

$$G_x = \{ a \in \mathbb{Z} \mid a \ge 1 \text{ and there is no } f \in k(X) \text{ with } (f)_\infty = a \cdot x \}.$$

We call $x \in X$ a Weierstrass point if and only if the gap-sequence $G_x = \{a_1, \ldots, a_g\}$
at $x$ with $a_1 < \cdots < a_g$ does not coincide with $\{1, \ldots, g\}$. The following conditions
are equivalent:
(i) $x$ is a Weierstrass point;
(ii) divisor $g \cdot x$ is special;
(iii) divisor $a \cdot x$ is special for some $a \ge g$.

Let $G_x = \{a_1, \ldots, a_g\}$, $1 \le a_1 < \cdots < a_g \le 2g - 1$, be a gap-sequence at $x \in X$.
The non-negative integer

$$w(x) = \sum_{i=1}^{g} (a_i - i)$$

is called the Weierstrass weight of $x$. Note that $w(x) > 0$ if and only if $x$ is a
Weierstrass point. One can easily show that

$$w(x) = \sum_{a=1}^{\infty} \bigl( l(a \cdot x) - 1 - \max\{0, a - g\} \bigr).$$

We have

$$\sum_{x \in X} w(x) = g(g^2 - 1) + a(X),$$

where $a(X) \ge 0$. In addition, $a(X) = 0$ if $p = \operatorname{char} k = 0$, and for $p > 0$ the value
$a(X)$ vanishes for all but a finite number of "exceptional" curves. Therefore the
number of Weierstrass points on $X$ is finite and does not exceed $g(g^2 - 1) + a(X)$.
One can show that $w(x) \le g(g - 1)/2$ and $w(x) = g(g - 1)/2$ if and only if 2 is a
non-gap at $x$.
A point $x$ on $X$ with $w(x) = g(g - 1)/2$ is called a hyperelliptic point. For
$p = \operatorname{char} k \ne 2$ any hyperelliptic curve has $2(g + 1)$ Weierstrass points, all of them
being hyperelliptic. In general, a curve $X$ has hyperelliptic points if and only if $X$
is a hyperelliptic curve.
To construct Weierstrass points one can use the following fact:

Proposition 4.37. Let $\varphi : X \to Y$ be a morphism of smooth projective curves
of degree $n$, $y \in Y$ be such that $\varphi^{-1}(y)$ is a single point $x$, and let $g(Y) \le
\lfloor g(X)/n \rfloor - 1$. Then $x$ is a Weierstrass point.

Proof: By the Riemann-Roch theorem we have $l((g(Y) + 1) \cdot y) \ge 2$. Hence
there exists a non-constant $f \in k(Y)$ having a pole of order at most $g(Y) + 1$ at
$y$ and regular outside $y$. Let us consider the rational function $\varphi^*(f) \in k(X)$. Its
unique pole is $x$ and

$$|v_x(\varphi^*(f))| = n \cdot |v_y(f)| \le n(g(Y) + 1),$$

since the ramification index of $x$ equals $n$. Besides, since $n(g(Y) + 1) \le g(X)$ we
see that $l(g(X) \cdot x) \ge 2$, thus $x$ is a Weierstrass point. •

EXERCISES

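4.1. If $\mathfrak{a}$, $\mathfrak{b}$ are ideals of a commutative ring $R$ with identity element 1, their sum $\mathfrak{a} + \mathfrak{b}$ is
the set of all $x + y$ with $x \in \mathfrak{a}$ and $y \in \mathfrak{b}$. It is the smallest ideal containing $\mathfrak{a}$ and $\mathfrak{b}$.
The product of two ideals $\mathfrak{a}$, $\mathfrak{b}$ of $R$ is the ideal $\mathfrak{a}\mathfrak{b}$ consisting of all finite sums $\sum x_i y_i$
with $x_i \in \mathfrak{a}$ and $y_i \in \mathfrak{b}$. Check the following properties of the radical $r(\mathfrak{a})$ of an ideal
$\mathfrak{a}$ in $R$:
(a) $\mathfrak{a} \subseteq r(\mathfrak{a})$;
(b) $r(r(\mathfrak{a})) = r(\mathfrak{a})$;
(c) $r(\mathfrak{a}\mathfrak{b}) = r(\mathfrak{a} \cap \mathfrak{b}) = r(\mathfrak{a}) \cap r(\mathfrak{b})$;
(d) $r(\mathfrak{a}) = R$ if and only if $\mathfrak{a} = R$;
(e) $r(\mathfrak{a} + \mathfrak{b}) = r(r(\mathfrak{a}) + r(\mathfrak{b}))$;
(f) if $\mathfrak{p}$ is prime, $r(\mathfrak{p}^n) = \mathfrak{p}$ for all $n \ge 1$.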

4.2. Let $R$ be a commutative ring with identity element 1 and let $X$ be the set of all prime
ideals of $R$. For each subset $E$ of $R$, let $V(E)$ denote the set of all prime ideals of $R$
which contain $E$. Prove that:
(a) if $\mathfrak{a}$ is the ideal generated by $E$, then $V(E) = V(\mathfrak{a}) = V(r(\mathfrak{a}))$;
(b) $V(0) = R$, $V(R) = \emptyset$;
(c) the sets $V(E)$ satisfy the axioms for closed sets in a topological space (the
resulting topology is called the Zariski topology, and topological space $X$ is
called the prime spectrum of $R$ and is denoted $\operatorname{Spec} R$).

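4.3. Present pictures of $\operatorname{Spec} \mathbb{Z}$, $\operatorname{Spec} \mathbb{R}$, $\operatorname{Spec} \mathbb{C}[x]$, $\operatorname{Spec} \mathbb{R}[x]$, and $\operatorname{Spec} \mathbb{Z}[x]$.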


4.4. Let $x$ be a point of $X = \operatorname{Spec} R$. When thinking of $x$ as a prime ideal of $R$, we denote
it by $\mathfrak{p}_x$. Let $\bar{Y}$ denote the closure of a subset $Y \subset X$ in the topology of the space $X$.
Show that:
(a) $x$ is a closed point ($\bar{x} = x$) in $X = \operatorname{Spec} R$ if and only if the ideal $\mathfrak{p}_x$ is maximal;
(b) $\bar{x} = V(\mathfrak{p}_x)$;
(c) $y \in \bar{x}$ if and only if $\mathfrak{p}_x \subseteq \mathfrak{p}_y$.
4.5. A topological space $X$ is called Noetherian if it satisfies the descending chain
condition for closed subsets: for any sequence $Y_1 \supseteq Y_2 \supseteq \cdots$ of closed subsets, there is
an integer $m \ge 1$ such that $Y_m = Y_{m+1} = \cdots$. Show that:
(a) $\mathbb{A}^n$ and $\mathbb{P}^n$ are Noetherian topological spaces (in the Zariski topology);
(b) in a Noetherian topological space $X$, every non-empty closed subset $Y$ can be
uniquely expressed as a finite union $Y = Y_1 \cup \cdots \cup Y_s$ of irreducible subsets $Y_i$
such that $Y_i \not\subseteq Y_j$ for $i \ne j$ (they are called the irreducible components of $Y$);
(c) a Noetherian topological space is quasi-compact (i.e., every open cover has a
finite subcover);
(d) a Noetherian space which is also Hausdorff must be a finite set with discrete
topology.

4.6. Prove the homogeneous version of Hilbert Nullstellensatz: if $\mathfrak{a} \subseteq k[T_0, T_1, \ldots, T_n]$
is a homogeneous ideal, and if $F \in k[T_0, T_1, \ldots, T_n]$ is a homogeneous polynomial
with $\deg F \ge 1$, such that $F(x) = 0$ for all $x \in V(\mathfrak{a})$ in $\mathbb{P}^n$, then $F^m \in \mathfrak{a}$ for some
integer $m \ge 1$.
4.7. An open subset of an affine variety is called quasi-affine variety. Prove that:
(a) if $X \subseteq \mathbb{P}^n$ is a projective (resp. quasi-projective) variety, then $X$ is covered
by the open sets $X \cap U_i$, $0 \le i \le n$, which are homeomorphic to affine (resp.
quasi-affine) varieties in $\mathbb{A}^n$;
(b) on any variety $X$ there is a base for the topology consisting of open affine
subsets. (Hint: Use (a) and the following fact: if $X$ is a hypersurface in
$\mathbb{A}^n$ given by the equation $F(T_1, \ldots, T_n) = 0$ then $\mathbb{A}^n \setminus Y$ is isomorphic to the
hypersurface $H$ in $\mathbb{A}^{n+1}$ given by $T_{n+1} F = 1$.)
4.8. Prove that any variety $X$ of dimension $m$ is birational to a hypersurface $Y$ in $\mathbb{P}^{m+1}$.
(Hint: Show that the function field $k(X)$ of $X$ is represented in the form $k(X) = k(u_1,
\ldots, u_m, u_{m+1})$, where $u_1, \ldots, u_m$ are algebraically independent over $k$ and

$G$ being an irreducible polynomial over $k$ with $\partial G / \partial u_{m+1} \ne 0$.)

4.9. Let $\Gamma$ be a totally ordered abelian group (written additively), and let $L$ be a field. A
valuation of $L$ with values in $\Gamma$ is a map $v : L^* \to \Gamma$ such that
(a) $v(xy) = v(x) + v(y)$,
(b) $v(x + y) \ge \min(v(x), v(y))$,
for all $x, y \in L^*$. A valuation $v$ is called trivial if it maps $L^*$ to zero. Two valuations
$v$ and $v'$ are called equivalent if there exists a (preserving order) isomorphism $\lambda$
between $v(L^*)$ and $v'(L^*)$ such that $v'(x) = \lambda \cdot v(x)$ for all $x \in L^*$.
A subring $\mathcal{O}$ of $L$ is called a valuation ring if for each $x \ne 0$ either $x \in \mathcal{O}$ or $x^{-1} \in \mathcal{O}$.
Prove that:
(a) the valuation ring $\mathcal{O}$ is a local ring (i.e., it has a unique maximal ideal);
(b) the maximal ideal $\mathfrak{m}$ of $\mathcal{O}$ consists of all non-units of $\mathcal{O}$;
(c) the valuation ring is integrally closed in $L$ (i.e., every $x \in L$ which is a root of
a monic polynomial $F \in \mathcal{O}[T]$ lies in $\mathcal{O}$);
(d) every valuation ring $\mathcal{O}$ is of the form $\mathcal{O} = \mathcal{O}_v$, where $\mathcal{O}_v = \{x \in L^* \mid v(x) \ge 0\} \cup
\{0\}$ for some valuation $v$ of $L$;
(e) there exists a bijection between the set of valuation rings and the set of valuation
equivalence classes of $L$.
4.10. A valuation $v$ of $L$ is called discrete if $v$ is a homomorphism of $L^*$ onto $\mathbb{Z}$. Let $\mathcal{O}$ be
the valuation ring of $v$. Prove that:
(a) the maximal ideal $\mathfrak{m}$ of $\mathcal{O}$ contains an element $t$ such that $v(t)$ generates the
group $\mathbb{Z}$ (the element $t$ is called a local parameter of the ideal $\mathfrak{m}$);
(b) every element $x \in L$ can be written in the form $x = t^m \cdot u$, where $u$ is a unit
in $\mathcal{O}$ and $m \in \mathbb{Z}$;
(c) $\mathfrak{m} = t\mathcal{O}$;
(d) any ideal $\mathfrak{a} \ne (0)$ in $\mathcal{O}$ is principal and is of the form $\mathfrak{a} = \mathfrak{m}^n$ for some integer
$n \ge 0$.

4.11. Let $X = \mathbb{P}^1$ and $D = n \cdot x_\infty$. Show that $L(D)$ is the space of polynomials $F(T)$ of
degree at most $n$, and hence $l(D) = n + 1$.
4.12. Let $X$ be a smooth projective curve defined over an algebraically closed field $k$.
Prove that the sequence

$$1 \to k^* \to k(X) \to \mathrm{Div}_0(X) \to \mathrm{Pic}_0(X) \to 0$$

is exact.
4.13. Show that a curve $X$ is birational to $\mathbb{P}^1$ if and only if $g(X) = 0$. (Hint: Use the
Riemann-Roch theorem.)
4.14. Show that a projective curve in $\mathbb{P}^2$ given over a field of characteristic $p \ne 2, 3$ by the
equation

$$z_2^2 z_0 = z_1^3 + a z_1 z_0^2 + b z_0^3, \qquad 4a^3 + 27b^2 \ne 0,$$

is a curve of genus 1. Prove that any curve $X$ of genus 1 over a field of characteristic
$p \ne 2, 3$ is birationally equivalent to this curve. (Hint: Use the Riemann-Roch
theorem.)
4.15. Let $X$ be a curve and let $x_1, \ldots, x_s \in X$ be some points of $X$. Show that there exists
a rational function $f \in k(X)$ having poles at points $x_i$ and being regular elsewhere.
4.16. Let $K$ be a subfield of a pure transcendental extension $L = k(t)$ of $k$, strictly
containing $k$. Prove that $K$ is also pure transcendental. (Hint: Use the Hurwitz genus
formula and Exercise 4.13.)
Chapter 5

Curves over a Finite Field

In Chapter 4 we have assumed that the ground field $k$ is algebraically closed.
However, if we are interested in the consideration of arithmetic properties of
algebraic varieties, we must develop the corresponding theory for the case of
non-closed fields such as $\mathbb{Q}$ or $\mathbb{F}_q$. For example, in applying algebraic geometry
to coding theory, one should study curves defined over $\mathbb{F}_q$ and their points with
coordinates in $\mathbb{F}_q$ (such points are called $\mathbb{F}_q$-rational).

Closed Points
If the field $k$ is no longer algebraically closed, the Hilbert Nullstellensatz no
longer holds in general since the corresponding points are lacking. For example,
the equation $x^2 + y^2 = -1$ has no solution over $k = \mathbb{R}$ and defines at the same time
the imaginary circumference over $k' = \mathbb{C}$. Therefore, if we consider the case of
an affine variety, it seems better to start with the coordinate ring instead of with a
set of zeros. So let $k'$ be an algebraically closed field containing $k$ as a subfield
and let $\mathfrak{p}$ be a prime ideal of $k[T] = k[T_1, \ldots, T_n]$ which generates a prime ideal
$\mathfrak{p}'$ in $k'[T]$. Then $\mathfrak{p}'$ defines an affine variety $X$ defined over $k$; to emphasize this
fact we say that $X$ is absolutely irreducible (or absolute). A morphism of affine
varieties over $k$ is a morphism of the associated varieties over $k'$ which is given
by a homomorphism of $k$-algebras. Similarly a projective variety defined over $k$
is given by a homogeneous prime ideal of $k[T_0, T_1, \ldots, T_n]$ which remains prime
being extended to $k'[T_0, T_1, \ldots, T_n]$. To this ideal we can associate a function
field $k(X)$ by restricting our earlier definition to those pairs $(U, f)$ where $f$ can be
defined by polynomials with coefficients in $k$. For a curve $X$ the field $k(X)$ can
be described as follows: it contains $k$ as a subfield and possesses an element $x$
which is transcendental over $k$ and such that $k(X)$ is a finite algebraic extension of
$k(x)$. A field with these properties is called an algebraic function field over $k$. By
extending the constants to $k'$ we obtain the function field $k'(X)$.
We call $X$ smooth (or non-singular) if, after extension of $k$ to an algebraically
closed field $k'$, the curve is a smooth curve.
We can view a curve $X$ over $k$ as a curve over $k'$ of which we can see only
a fraction of all points. Over the field $k'$, we had a one-to-one correspondence
between the points of $X$ and the discrete valuation rings of the function field. Since
we cannot see all points, this no longer holds, but nevertheless we can look at all
discrete valuation rings contained in $k(X)$ such that the discrete valuation is trivial
on $k$. If $v$ is a discrete valuation of $k(X)$ and $\mathcal{O}_v$ is its valuation ring with maximal
ideal $\mathfrak{m}_v$, then $k_v = \mathcal{O}_v/\mathfrak{m}_v$ is called the residue field. This is a finite extension of
$k$. We call the pair $(\mathcal{O}_v, \mathfrak{m}_v)$ a closed point of $X$ and $\nu = [k_v : k]$ the degree of the
point. If $k$ is an algebraically closed field then of course $\nu = 1$ for every point.
To a closed point of degree $\nu$ over $k$ we can associate a set of $\nu$ points of degree
one over $k'$ which are conjugates of each other under $\mathrm{Gal}(k'/k)$. This extends the
discrete valuation $v$ of $k(X)$ to a discrete valuation $v'$ of $k'(X)$ (which corresponds
to a point $x \in X$). These $\nu$ points are all distinct if $k'/k$ is separable.
Let, for example, $X = \mathbb{P}^1$ over $k = \mathbb{F}_q$. Every irreducible polynomial $F \in k[T]$
in one variable $T$ of degree $\nu \ge 1$ defines a closed point of degree $\nu$ on $\mathbb{P}^1$. After
extending $\mathbb{F}_q$ to $\mathbb{F}_{q^\nu}$ we can see the $\nu$ points of degree one over $\mathbb{F}_{q^\nu}$ which form
this point of degree $\nu$ over $k$.

The Klein Quartic


Let $X$ be the projective curve of genus 3 defined over $k = \mathbb{F}_2$ by the equation

Over $\mathbb{F}_2$ the curve $X$ has three points of degree one: $(0 : 0 : 1)$, $(0 : 1 : 0)$ and
$(1 : 0 : 0)$. Its points of degree 2 become visible over $\mathbb{F}_4 = \mathbb{F}_2(\alpha)$, where $\alpha$ is a
root of the polynomial $F(z) = z^2 + z + 1$. If we consider our curve as a curve
over $\mathbb{F}_4$, then the curve has two more points of degree one: $(1 : \alpha : 1 + \alpha)$ and
its conjugate $(1 : 1 + \alpha : \alpha)$. This pair of points defines a closed point of degree
2 on $X$ over $\mathbb{F}_2$. Over $\mathbb{F}_8$ we find many more points. To describe these we first
introduce an automorphism group of $X$ over $\mathbb{F}_8 = \mathbb{F}_2(\beta)$, where $\beta$ is a root of the
polynomial $G(z) = z^3 + z + 1$. An automorphism of order 7 over $\mathbb{F}_8$ is given by
$\sigma : (u : v : w) \mapsto (u : \beta v : \beta^5 w)$. Besides this we have an automorphism of order
three: $(u : v : w) \mapsto (w : u : v)$. In fact, one can show that the curve $X$ admits $G_{168}$,
the simple group with 168 elements, as an automorphism group. Suppose that
$(u : v : w)$ is a point of $X$ over $\mathbb{F}_8$. If $u \ne 0$ and the point is not $(1 : 0 : 0)$ then by
applying $\sigma$ we can assume that both $u$ and $v$ are equal to 1. The condition is then:
$1 + w + w^3 = 0$. There are three elements of $\mathbb{F}_8$ satisfying this relation. Using
the automorphisms we find 21 points. They come from closed points of degree 2
and 3 over $\mathbb{F}_2$. Including the points over $\mathbb{F}_2$, 24 points over $\mathbb{F}_8$ have already been
found.
One can, in fact, give a formula for the number $N_{2^\nu}$ of points of $X$ over $\mathbb{F}_{2^\nu}$
(see Chapter 6, Exercise 6.6). The formula is:

, if $\nu \not\equiv 0 \bmod (3)$
if $\nu \equiv 0 \bmod (3)$,

where $s_{3n}$ are integers defined by the recurrent relation

$$s_{3(n+2)} + 5 s_{3(n+1)} + 8 s_{3n} = 0$$

with initial values $s_0 = 6$ and $s_3 = -15$.
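
The point counts quoted in this subsection can be checked by brute force; the following is an added example, not code from the book. It assumes the standard form u^3 v + v^3 w + w^3 u = 0 of the Klein quartic (the equation itself is not reproduced above; this form is invariant under both automorphisms given in the text and reduces to 1 + w + w^3 = 0 for u = v = 1), and all function names are hypothetical. It also groups the points into Frobenius orbits, which are the sets of conjugate points that make up closed points over F_2.

```python
from collections import Counter

# Moduli for F_{2^m} = F_2[z]/(modulus), stored as bit masks.
# m = 2 and m = 3 use F(z) = z^2+z+1 and G(z) = z^3+z+1 from the text.
MODULI = {1: 0b11, 2: 0b111, 3: 0b1011}


def gf_mul(a, b, m):
    """Multiply two elements of F_{2^m}; bit i of an int is the coefficient of z^i."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> m) & 1:          # degree reached m: reduce by the modulus
            a ^= MODULI[m]
    return r


def gf_pow(a, n, m):
    """a^n in F_{2^m} by repeated multiplication (n is tiny here)."""
    r = 1
    for _ in range(n):
        r = gf_mul(r, a, m)
    return r


def klein(u, v, w, m):
    """Value of u^3 v + v^3 w + w^3 u (assumed standard Klein quartic form)."""
    t1 = gf_mul(gf_pow(u, 3, m), v, m)
    t2 = gf_mul(gf_pow(v, 3, m), w, m)
    t3 = gf_mul(gf_pow(w, 3, m), u, m)
    return t1 ^ t2 ^ t3           # addition in characteristic 2 is XOR


def projective_points(m):
    """One representative per point of P^2(F_{2^m}): first non-zero coordinate is 1."""
    q = 1 << m
    yield (0, 0, 1)
    for w in range(q):
        yield (0, 1, w)
    for v in range(q):
        for w in range(q):
            yield (1, v, w)


def rational_points(m):
    """All F_{2^m}-rational points of the curve, as normalised triples."""
    return [p for p in projective_points(m) if klein(*p, m) == 0]


def count_points(m):
    return len(rational_points(m))


def frobenius(p, m):
    """Coordinate-wise x -> x^2; normalised representatives stay normalised."""
    return tuple(gf_mul(c, c, m) for c in p)


def closed_point_degrees(m):
    """Split the F_{2^m}-points into Frobenius orbits; return {orbit size: count}."""
    remaining = set(rational_points(m))
    degrees = Counter()
    while remaining:
        p = remaining.pop()
        size, q = 1, frobenius(p, m)
        while q != p:
            remaining.discard(q)
            size += 1
            q = frobenius(q, m)
        degrees[size] += 1
    return dict(degrees)


if __name__ == "__main__":
    for m in (1, 2, 3):
        print(f"F_{2**m}: {count_points(m)} points, orbits {closed_point_degrees(m)}")
```

With alpha encoded as the integer 2 in F_4, the point (1 : alpha : 1 + alpha) from the text appears as the triple (1, 2, 3).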

5.1. RATIONAL POINTS AND DIVISORS

Now we present the situation described above in a slightly different form using
the notion of $k$-rational points on a curve. Let $k$ be a subfield of an algebraically
closed field $k'$. We say that a point $x = (x_1, \ldots, x_n) \in \mathbb{A}^n_{k'}$ is $k$-rational if $x_i \in k$ for
all $i = 0, 1, \ldots, n$. A point $x \in \mathbb{P}^n_{k'}$ is called $k$-rational if $x_i \ne 0$ implies $x_j/x_i \in k$
for all $j = 0, 1, \ldots, n$. A variety $X \subseteq \mathbb{A}^n_{k'}$ is called defined over $k$ if its prime ideal
$\mathfrak{p} = \mathfrak{p}(X)$ has a basis $\{F_1, \ldots, F_r\}$ consisting of polynomials with coefficients in
$k$. The subset of $k$-rational points of $X$ is denoted by $X(k)$.
Let $\mathfrak{p}(X) = k[T]F_1 + \cdots + k[T]F_r$ be a prime ideal in $k[T]$ which generates the
prime ideal $\mathfrak{p}'(X) = k'[T]F_1 + \cdots + k'[T]F_r \subset k'[T]$ of the variety $X \subseteq \mathbb{A}^n_{k'}$ defined
over $k$. Then we have

$$\mathfrak{p}(X) = \mathfrak{p}'(X) \cap k[T].$$

Hence if $G = \mathrm{Gal}(k'/k)$ is the Galois group of $k'$ over $k$ and if $x \in X$ then $\sigma(x) \in X$
for every $\sigma \in G$.
Example 5.1. Let $k = \mathbb{F}_q$ be a finite field with $q$ elements and $k' = \bar{\mathbb{F}}_q$ be its
algebraic closure. If $X \subseteq \mathbb{A}^n_{k'}$ is an affine variety defined over $k$, then the automorphism
$\sigma : u \mapsto u^q$ of the field $k$ defines the Frobenius automorphism

$$\sigma : x = (x_1, \ldots, x_n) \mapsto \sigma(x) = (x_1^q, \ldots, x_n^q)$$

of the variety $X$ leaving fixed all the $k$-rational points $x \in X$.

Now let $k'' = \mathbb{F}_{q^\nu}$ be an extension of degree $\nu \ge 1$ of the field $k = \mathbb{F}_q$. It is a
normal extension of $k$ with the cyclic Galois group $\mathrm{Gal}(k''/k) = \{\sigma^i \mid 0 \le i \le \nu - 1\}$
of order $\nu$. The automorphisms $\sigma^i \in \mathrm{Gal}(k''/k)$ transfer a $k''$-rational point $x \in X$
to $k''$-rational points $x, \sigma(x), \ldots, \sigma^{\nu-1}(x)$, and $\sigma^\nu$ leaves fixed all $k''$-rational
points of $X$.
Similarly, we can consider the Frobenius automorphisms $\sigma^i$ of a projective
variety $X \subseteq \mathbb{P}^n_{k'}$ defined over $k = \mathbb{F}_q$.

Rational Divisors on a Curve


Let $k = \mathbb{F}_q$ be a finite field and $k' = \bar{\mathbb{F}}_q$ be an algebraic closure of $k$. Consider a
projective curve $X$ defined over $k$ and denote by $\sigma$ the Frobenius automorphism
of $X$.
Let $k'(X)$ be the function field and $\mathfrak{p}'$ be the prime ideal of $X$ over $k'$. Any
function $f \in k'(X)$ has the form $f = F/G$ in an open neighborhood $U$ of $x$, where
$F, G \in k'[T]$ are homogeneous polynomials of the same degree and $G \notin \mathfrak{p}'(X)$. A
function $f \in k'(X)$ is called $k$-rational if $F, G \in k[T]$ and $G \notin \mathfrak{p}(X) = \mathfrak{p}'(X) \cap k[T]$
for every pair $(U, f)$ of the corresponding equivalence class.
The $k$-rational functions on $X$ form a field $k(X) \subset k'(X)$. Any function
$f \in k'(X)$ can be written in the form

$$f = \sum_{i=1}^{s} \alpha_i f_i$$

with $\alpha_i \in k'$ and $f_i \in k(X)$. Thus $k'(X)$ is the tensor product

$$k'(X) = k(X) \otimes_k k'$$

of the fields $k(X)$ and $k'$ over $k$.

A divisor $D = \sum a_x \cdot x$ on $X$ is called $k$-rational if $D = \sigma(D)$, where

$$\sigma(D) = \sum a_x \cdot \sigma(x).$$

The set of $k$-rational divisors form a subgroup $\mathrm{Div}(X)$ of the divisor group $\mathrm{Div}'(X)$
on the curve $X$ defined over $k$.
Let $\mathrm{Gal}(k'/k)$ be the Galois group of the field $k'$ over $k$. Any two points $x, y \in X$
are called equivalent ($x \sim y$) if and only if there exists an element $\tau \in \mathrm{Gal}(k'/k)$
such that $y = \tau(x)$. Each point $x \in X$ uniquely defines the field $k(x)$ generated by
its coordinates. It is clear that $k(x)$ is a finite extension of $k$ and hence $k(x) = \mathbb{F}_{q^\nu}$
for some integer $\nu \ge 1$. Let us show that the equivalence class of $x$ is entirely
defined by the action of the Galois group of $k(x)$.

Proposition 5.1. Let $x \in X$ and $k(x) = \mathbb{F}_{q^\nu}$. Then the equivalence class of $x$ is

$$\{ \sigma^i(x) \mid 0 \le i \le \nu - 1 \}.$$


Proof: At first we observe that $\sigma^i(x) \sim \sigma^j(x)$ for all $i, j = 0, 1, \ldots, \nu - 1$. Let
us show that all points $\sigma^i(x)$, $0 \le i \le \nu - 1$, are distinct. Assume without loss of
generality that $x = (1 : x_1 : \ldots : x_n)$. If $\sigma^i(x) = \sigma^j(x)$ for $0 \le i < j \le \nu - 1$, then
$\sigma^{j-i}(x_s) = x_s$ for all $s = 1, 2, \ldots, n$, and hence $x_s \in \mathbb{F}_{q^{j-i}}$. This implies $\mathbb{F}_{q^\nu} \subseteq \mathbb{F}_{q^{j-i}}$
which is impossible.
Now we show that all points $y \in X$ equivalent to $x$ become exhausted by the
points $\sigma^i(x)$, $0 \le i \le \nu - 1$. Indeed, let $y$ be equivalent to $x$. Then $y = \tau(x)$ for some
$\tau \in \mathrm{Gal}(k'/k)$. Consider a restriction of $\tau$ to the field $k(x) = \mathbb{F}_{q^\nu}$. The restricted
$\tau$ gives an automorphism of $\mathbb{F}_{q^\nu}$ and hence $\tau = \sigma^i$ for some $i = 0, 1, \ldots, \nu - 1$. •

A prime $k$-rational divisor $P$ on $X$ is a divisor of the form

$$P = P_x = \sum_{i=1}^{\nu} \sigma^{i-1}(x),$$

where $\nu = [k(x) : k]$ is the degree of $k(x)$ over $k$. The points $\sigma^{i-1}(x)$, $1 \le i \le \nu$,
are called components of $P$. Note that $P$ is a $k$-rational divisor of degree $\nu$ and
that $P_x = P_y$ if and only if $x \sim y$.
It is clear that a closed point of degree $\nu$ over $k$ corresponds uniquely to an
equivalence class $\{\sigma^i(x) \mid 0 \le i \le \nu - 1\}$ of $x \in X$ and hence to a prime $k$-rational
divisor $P$ on $X$ of degree $\nu$. This gives us the following result:

Proposition 5.2. There is a one-to-one correspondence between closed points of
$X$ over $k$ and prime $k$-rational divisors on $X$.

Now we are able to give a criterion for a divisor $D$ on $X$ to be a $k$-rational
one.

Proposition 5.3. A divisor $D \in \mathrm{Div}'(X)$ is $k$-rational if and only if it can be written
as

$$D = \sum a_P \cdot P, \qquad a_P \in \mathbb{Z},$$

where $a_P = 0$ for all but a finite number of $P$.
Proof: If $D = \sum a_x \cdot x$ is a $k$-rational divisor, then for some $\nu \ge 1$ such that
$\sigma^\nu(x) = x$ for all $x$ which occur in $D$ with non-zero coefficients $a_x$ we have

It follows from this that all points from the same equivalence class occur in $D$ with
the same coefficients. Hence $D = \sum a_P \cdot P$. The inverse is obvious. •
Let $x$ be a component of a prime $k$-rational divisor $P$. The point $x$ defines a
discrete valuation $v'_x$ of the field $k'(X)$. Let $\mathcal{O}_x$ and $\mathcal{O}_y$ be local rings in $k(X)$ at
points $x$ and $y$, respectively. It is clear that $\mathcal{O}_x$ coincides with $\mathcal{O}_y$ if and only if
$x \sim y$. Hence any two equivalent points of the curve $X$ define the same valuation
of $k(X)$ and the map $P \mapsto v_P = v_x$ gives a bijection between the set of prime $k$-rational
divisors on $X$ and the set of discrete valuations of $k(X)$. Note that if $\mathcal{O}_P$ is a
valuation ring of $v_P$ and $\mathfrak{m}_P$ is its maximal ideal, then

$$\mathcal{O}_P/\mathfrak{m}_P \cong k(x).$$

Proposition 5.4. A principal divisor $(f)$ is $k$-rational if and only if $f \in k(X)$.

Proof: Let $(f) = \sum v_x(f) \cdot x$ be a $k$-rational divisor and let $f = F/G$, $G \notin \mathfrak{p}'(X)$,
in an open neighborhood $U$ of a point $x \in X$. Since $(f)$ is $k$-rational it follows
that along with $x$ each conjugate $\sigma^i(x)$ is a zero of the polynomial $F$ (resp. $G$)
and hence $F, G \in k[T]$. Therefore $f \in k(X)$. The inverse easily follows from the
previous proposition. •
Let $\mathrm{Pic}'(X)$ be the divisor class group on the curve $X$ over $k'$. A divisor class
$C \in \mathrm{Pic}'(X)$ is called $k$-rational if it contains at least one $k$-rational divisor. The set
of all $k$-rational divisor classes form a subgroup of $\mathrm{Pic}'(X)$. Denote this subgroup
by $\mathrm{Pic}(X)$. The embedding

$$\mathrm{Div}(X) \hookrightarrow \mathrm{Div}'(X)$$

induces an epimorphism

$$\mathrm{Div}(X) \to \mathrm{Pic}(X).$$

The kernel of this epimorphism is the group $P(X)$ of principal $k$-rational divisors
and hence

$$\mathrm{Pic}(X) \cong \mathrm{Div}(X)/P(X).$$

Let $D$ be a $k$-rational divisor on $X$. Set $L' = k'(X)$, $L = k(X)$ and consider
$k'$-vector space

$$L'(D) = \{ f \in L' \setminus \{0\} \mid (f) + D \ge 0 \} \cup \{0\}$$

and $k$-vector space

$$L(D) = L'(D) \cap L.$$

Set $l'(D) = \dim_{k'} L'(D)$ and $l(D) = \dim_k L(D)$. We have

$$L'(D) = L(D) \otimes_k k'$$

and hence $l(D) = l'(D)$.
Now let us consider $L'$-vector space

$$\Omega'(X) = \{ \text{equivalence classes } \{U, \omega'\} \mid \omega' \in k'[U] \cdot dt \}$$

of rational differential forms on $X$ and the corresponding $L$-vector space $\Omega(X)$
consisting of equivalence classes $\{U, \omega\}$ with $\omega \in k[U] \cdot dt$. We have

$$\Omega'(X) = \Omega(X) \otimes_k k'$$

and hence

$$\dim_L \Omega(X) = \dim_{L'} \Omega'(X) = 1.$$

Therefore the canonical divisor class $W \in \mathrm{Pic}'(X)$ contains at least one $k$-rational
divisor $K$ and we deduce the following result:

Proposition 5.5. The canonical divisor class $W$ is $k$-rational.

Now we are able to give the following version of the Riemann-Roch theorem
over an arbitrary perfect field $k$ (see also Chevalley [20, Ch. 2], Deuring [24,
Ch. 2], Stepanov [187, Ch. 4] and Stichtenoth [197, 1.5]).

Theorem 5.6 (the Riemann-Roch theorem). Let $C$ be a $k$-rational divisor class
on a smooth projective curve $X$ of genus $g$ defined over $k$ and let $W$ be the canonical
divisor class. Then

$$l(C) - l(W - C) = \deg C - g + 1.$$

Let $\mathrm{Div}_0(X) \subset \mathrm{Div}(X)$ be the group of $k$-rational divisors of degree zero and
let

$$\mathrm{Pic}_0(X) \cong \mathrm{Div}_0(X)/P(X)$$

be the class group of $k$-rational divisors of degree zero.

Theorem 5.7. Let $X$ be a smooth projective curve defined over a finite field $k = \mathbb{F}_q$.
Then the group $\mathrm{Pic}_0(X)$ is finite.

Proof: First of all we show that for a given non-negative integer $\nu$ there is
only a finite number of effective $k$-rational divisors of degree $\nu$ and we begin by
proving this assertion for prime $k$-rational divisors. Let $x$ be a component of a
prime $k$-rational divisor $P$ of degree $\nu$ and let $k(x) = \mathbb{F}_{q^\nu}$. To the divisor $P$ we can
associate a set of $\nu$ such points. Hence it is sufficient to show that $X$ contains only
a finite number of $\mathbb{F}_{q^\nu}$-rational points. One can assume without loss of generality
that $x$ has the form $x = (1 : x_1 : \ldots : x_n)$ with $x_i \in \mathbb{F}_{q^\nu}$. The number of such points
is at most $q^{\nu n}$. Hence the total number of $\mathbb{F}_{q^\nu}$-rational points $x \in X$ is at most
$(n + 1)q^{\nu n}$. Thus the number of the prime $k$-rational divisors $P$ of degree $\nu$ is
finite.
Now let $D = \sum a_x \cdot x$ be an arbitrary effective $k$-rational divisor of degree $\nu$.
We have

$$\deg D = \sum a_P \cdot \deg P = \nu$$

and hence the number of $k$-rational divisors of degree $\nu$ does not exceed the number
of the solutions in non-negative integers $a_P$, $\deg P$ of the equation

$$\sum a_P \cdot \deg P = \nu.$$

Let $\{P_1, \ldots, P_s\}$ be the set of all prime $k$-rational divisors of degree at most $\nu$ and
set $\deg P_i = \nu_i$, $a_{P_i} = a_i$. Then it is sufficient to estimate the number of solutions
in non-negative integers $a_i$ of the equation

$$\sum_{i=1}^{s} a_i \nu_i = \nu.$$

This number does not exceed $(\nu + 1)^s$ and hence the number of effective $k$-rational
divisors of degree $\nu$ is finite.
Finally, let us establish the finiteness of the group $\mathrm{Pic}_0(X)$. Consider a
non-constant rational function $f \in k(X)$ and set $g = f^r$, where $r$ is a sufficiently
large positive integer. Since $f$ is not a constant then $\deg (f)_0 > 0$ and hence
$\deg (g)_0 = r \deg (f)_0 = \nu \ge 2g$. Let us fix $g$ and $\nu$ and prove that any $k$-rational
divisor of degree zero is linearly equivalent to a difference of two effective
$k$-rational divisors of the same degree $\nu$. Because there is only a finite number of
such divisors we can see that the number of $k$-rational divisors of degree zero is
also finite.
Let $D \in \mathrm{Div}_0(X)$. By the Riemann-Roch theorem we have

$$l((g)_0 - D) \ge \deg (g)_0 - g + 1 \ge g + 1 \ge 1$$

and hence there exists a non-zero rational function $h \in k(X)$ such that $(h) + (g)_0 -
D \ge 0$. Set $D' = (g)_0$ and $D'' = (h) + (g)_0 - D$. The divisors $D'$ and $D''$ are effective
$k$-rational divisors of the same degree $\nu$, and the relation $D = D' - D'' + (h)$ implies
$D \sim D' - D''$. •
Let $h = h(X)$ denote the cardinality of the group $\mathrm{Pic}_0(X)$.

Proposition 5.8. If $X$ is a curve of genus zero then $h = 1$.

Proof: It is sufficient to show that if $g = 0$ then any divisor of degree zero is
principal. If $\deg D = 0$ then by the Riemann-Roch theorem we have $l(-D) \ge 1$,
and hence there exists a non-zero rational function $f \in k(X)$ such that $(f) \ge D$.
The effective divisor $(f) - D$ has degree zero and therefore $D = (f)$. •
Denote by $e$ the smallest degree of all positive $k$-rational divisors on $X$ and
observe that the degree of every $k$-rational divisor $D$ has the form $\deg D = m \cdot e$
for some $m \in \mathbb{Z}$ (later on we shall show that $e = 1$).

Proposition 5.9. Let $C_1, \ldots, C_h$ be all the $k$-rational divisor classes of degree zero
and let $C_0$ be a fixed $k$-rational divisor class of degree $e$. Then any $k$-rational
divisor class $C$ of degree $\nu \cdot e$ can be written uniquely in the form $C = \nu C_0 + C_i$
for some $i = 1, 2, \ldots, h$. In particular, for any $\nu \ge 0$, there are exactly $h \ge 1$ of the
$k$-rational divisor classes of degree $\nu \cdot e$.

Proof: Since the degree of any $k$-rational divisor is divisible by $e$ then the degree
of every $k$-rational divisor class is of the form $\nu \cdot e$ for some integer $\nu$. Let $C$ be
a $k$-rational divisor class of degree $\nu \cdot e$. The class $\nu C_0$ is also of degree $\nu \cdot e$ and
hence the difference $C - \nu C_0$ is a $k$-rational divisor class of degree zero. In that
case $C = \nu C_0 + C_i$ for some $i = 1, 2, \ldots, h$. •

Theorem 5.10. Let $k = \mathbb{F}_q$ be a finite field with $q$ elements. The number $n(C)$ of
distinct effective $k$-rational divisors contained in a $k$-rational divisor class $C$ is
expressed by the formula

$$n(C) = \frac{q^{l(C)} - 1}{q - 1}.$$

Proof: Let $D_0 \in C$ be a $k$-rational divisor. Consider the space $L(D_0)$ and to each
non-zero rational function $f \in L(D_0)$ associate the $k$-rational effective divisor
$D = D_0 + (f)$ in $C$. Conversely, let $D \in C$ be an effective $k$-rational divisor. Then
there exists a non-zero rational function $f \in L(D_0)$ such that $D = D_0 + (f)$.
Thus the association $f \mapsto D = D_0 + (f)$ defines a map of the set of all non-zero
rational functions of $L(D_0)$ onto the set of all effective $k$-rational divisors of $C$. If
$D = D_0 + (f) = D_0 + (g)$ then $(f) = (g)$ and hence $f = \alpha g$ for some $\alpha \in k^*$. So
if $|L(D_0)|$ is the cardinality of $L(D_0)$ then

$$n(C) = \frac{|L(D_0)| - 1}{q - 1},$$

and since $|L(D_0)| = q^{l(C)}$ we obtain

$$n(C) = \frac{q^{l(C)} - 1}{q - 1}.$$

This proves the theorem.



5.2. THE ZETA-FUNCTION OF A CURVE

Let $s$ be a complex variable. We define the zeta-function of a smooth projective
curve $X$ defined over a finite field $k = \mathbb{F}_q$ by the series

$$\zeta(X,s) = \sum_{D} (N(D))^{-s}, \qquad \operatorname{Re} s > 1,$$

where $D$ runs over all the effective $k$-rational divisors of $X$ and $N(D) = q^{\deg D}$
denotes the norm of $D$.
Note that if $D = \sum a_P \cdot P$ then

$$N(D) = q^{\sum a_P \deg P} = \prod_{P} (N(P))^{a_P},$$

and if $x$ is a component of a prime $k$-rational divisor $P$ then

$$N(P) = q^{[k(x):k]}.$$

Theorem 5.11. Let $e$ be the smallest degree of all positive $k$-rational divisors.
The series

$$\zeta(X,s) = \sum_{D} (N(D))^{-s}$$

absolutely converges for $\operatorname{Re} s > 1$ and represents in this domain a rational function
of the form

$$\zeta(X,s) = F(q^{-s}) + \frac{h\,q^{1-g} q^{(1-s)\max(0,\,2g-2+e)}}{(q-1)(1 - q^{e(1-s)})} - \frac{h}{(q-1)(1 - q^{-es})},$$

where $F(q^{-s})$ is a polynomial in $q^{-s}$ of degree at most $2g - 2$.

Proof: First of all we notice that the Riemann-Roch theorem implies

$$l(C) = \begin{cases}
0 & \text{if } \deg C < 0, \\
1 & \text{if } C = 0, \\
0 & \text{if } C \ne 0 \text{ and } \deg C = 0, \\
g - 1 & \text{if } C \ne W \text{ and } \deg C = 2g - 2, \\
g & \text{if } C = W, \\
\deg C - g + 1 & \text{if } \deg C > 2g - 2.
\end{cases}$$

Moreover, whenever $\deg W = \nu \cdot e = 2g - 2$ then $(2g - 2)/e$ is an integer for any
$g \ge 1$.
We have

$$\zeta(X,s) = \sum_{D} (N(D))^{-s} = \sum_{C} \sum_{D \in C} (N(D))^{-s}
= \sum_{C} \sum_{D \in C} q^{-s \deg D} = \sum_{C} n(C)\, q^{-s \deg C}$$

and hence, in view of Theorem 5.10,

$$\zeta(X,s) = \sum_{C} q^{-s \deg C} \cdot \frac{q^{l(C)} - 1}{q - 1}
= \frac{1}{q-1} \sum_{\deg C \ge 0} \left( q^{l(C) - s \deg C} - q^{-s \deg C} \right)
= \frac{1}{q-1} \sum_{\deg C \ge 0} q^{l(C) - s \deg C} - \frac{1}{q-1} \sum_{\deg C \ge 0} q^{-s \deg C}.$$

If $\operatorname{Re} s > 1$ we have

$$\sum_{\deg C \ge 0} q^{-s \deg C} = \sum_{\nu=0}^{\infty} \sum_{\deg C = \nu \cdot e} q^{-s \deg C} = h \sum_{\nu=0}^{\infty} q^{-es\nu} = \frac{h}{1 - q^{-es}}$$

and therefore

$$\zeta(X,s) = \frac{1}{q-1} \sum_{\deg C \ge 0} q^{l(C) - s \deg C} - \frac{h}{(q-1)(1 - q^{-es})}.$$

If $g = 0$ then $l(C) = \deg C + 1$, and $h = 1$ by Proposition 5.8. Hence in this
case we have

$$\zeta(X,s) = \frac{1}{q-1} \sum_{\nu=0}^{\infty} \sum_{\deg C = \nu \cdot e} q^{\deg C + 1 - s \deg C} - \frac{1}{(q-1)(1 - q^{-es})}
= \frac{q}{q-1} \sum_{\nu=0}^{\infty} q^{e(1-s)\nu} - \frac{1}{(q-1)(1 - q^{-es})}
= \frac{q}{(q-1)(1 - q^{e(1-s)})} - \frac{1}{(q-1)(1 - q^{-es})}.$$

Now, let $g \ge 1$. Then

$$\zeta(X,s) = \frac{1}{q-1} \sum_{0 \le \deg C \le 2g-2} q^{l(C) - s \deg C} + \frac{1}{q-1} \sum_{\deg C > 2g-2} q^{l(C) - s \deg C} - \frac{h}{(q-1)(1 - q^{-es})}$$

$$= \frac{1}{q-1} \sum_{\nu=0}^{(2g-2)/e} q^{-es\nu} \sum_{i=1}^{h} q^{l(C_i^{(\nu e)})} + \frac{h}{q-1} \sum_{\nu=(2g-2)/e+1}^{\infty} q^{e(1-s)\nu - g + 1} - \frac{h}{(q-1)(1 - q^{-es})},$$

where $C_i^{(\nu e)}$ is a $k$-rational divisor class of degree $\nu \cdot e$, and hence

$$\zeta(X,s) = F(q^{-s}) + \frac{h\,q^{1-g} q^{(1-s)(2g-2+e)}}{(q-1)(1 - q^{e(1-s)})} - \frac{h}{(q-1)(1 - q^{-es})}.$$

The polynomial $F(q^{-s})$ has the form

$$F(q^{-s}) = \frac{1}{q-1} \sum_{\nu=0}^{(2g-2)/e} q^{-es\nu} \sum_{i=1}^{h} q^{l(C_i^{(\nu e)})}$$

and therefore is a polynomial in $q^{-s}$ of degree at most $2g - 2$. •

The above theorem provides an analytic continuation of $\zeta(X,s)$ to the whole
complex plane. The only poles of the first order of $\zeta(X,s)$ are $s_\mu = \frac{2\pi i}{e \log q}\mu$ and
$s_m = 1 - \frac{2\pi i}{e \log q} m$, where $\mu, m \in \mathbb{Z}$.

The Infinite Product


Let $X$ be a smooth projective curve defined over a finite field $k = \mathbb{F}_q$. Then the
zeta-function of $X$ can be expressed as an infinite product taken over all prime
$k$-rational divisors on $X$.
Theorem 5.12. For $\operatorname{Re} s > 1$ one has

$$\zeta(X,s) = \prod_{P} \left(1 - (N(P))^{-s}\right)^{-1},$$

where the product is over all prime $k$-rational divisors $P$ on $X$. The product is
absolutely convergent, and hence does not depend on the order of the factors.

Proof: Since $\operatorname{Re} s > 1$, we have for any integer $N \ge 1$,

$$\prod_{N(P) \le N} \left(1 - (N(P))^{-s}\right)^{-1} = \prod_{N(P) \le N} \left( \sum_{n=0}^{\infty} (N(P))^{-ns} \right)$$

and since there are only a finite number of factors in the product, each factor being
an absolutely convergent series, we may multiply these to obtain

$$\prod_{N(P) \le N} \left(1 - (N(P))^{-s}\right)^{-1} = \sum_{N(D) \le N} (N(D))^{-s} + \sideset{}{'}\sum_{N(D) > N} (N(D))^{-s},$$

where the first summation is over all effective $k$-rational divisors with $N(D) \le N$,
and the second is over all effective $k$-rational divisors $D$ which contain no prime
divisor with $N(P) > N$ and satisfy the inequality $N(D) > N$. Hence,

$$\left| \prod_{N(P) \le N} \left(1 - (N(P))^{-s}\right)^{-1} - \sum_{N(D) \le N} (N(D))^{-s} \right| \le \sideset{}{'}\sum_{N(D) > N} (N(D))^{-\operatorname{Re} s}$$

and letting $N \to \infty$ we obtain the desired equality, since

$$\sideset{}{'}\sum_{N(D) > N} (N(D))^{-\operatorname{Re} s},$$

being remainder term of the convergent series for $\zeta(X,s)$, tends to zero as $N \to \infty$.

The absolute convergence of the product is deduced from the inequality

This completes the proof.

As a consequence of this theorem, we obtain that $\zeta(X,s)$ has no zeros for
$\operatorname{Re} s > 1$.
Curves over a Finite Field 115

Proposition 5.13. There exists a $k$-rational divisor class of degree 1.

Proof: Let $e$ be the smallest value of the degrees of all positive $k$-rational divisors
on $X$. It is sufficient to prove that $e = 1$.
Let us consider an extension $k'' = F_{q^e}$ of degree $e$ of the field $k = F_q$. If $P$ is
a prime $k$-rational divisor of degree $v$ then it has the form

$$P = \sum_{i=1}^{v} \sigma^{i-1}(x),$$

where $x$ is an $F_{q^v}$-rational point of $X$. Since $e$ divides $v$ the equivalence class over
$k$

$$\{\sigma^{i-1}(x) \mid 1 \le i \le v\}$$

splits into $e = (e, v)$ equivalence classes over $k''$

$$\{\sigma^{e(i-1)+j-1}(x) \mid 1 \le i \le v/e\}, \quad 1 \le j \le e.$$

Hence the prime $k$-rational divisor $P$ splits into $e$ corresponding prime $k''$-rational
divisors $P_1'', \ldots, P_e''$.
Let

pI!
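be the zeta-function of $X$ defined over $k''$. We have

$$\zeta''(X,s) = \prod_{P''} \bigl(1 - q^{-se\deg P''}\bigr)^{-1} = \prod_{P} \Bigl(\prod_{i=1}^{e} \bigl(1 - q^{-se\deg P_i''}\bigr)^{-1}\Bigr),$$

and since $e \deg P_i'' = \deg P$, then

$$\zeta''(X,s) = \prod_{P} \Bigl(\prod_{i=1}^{e} \bigl(1 - q^{-s\deg P}\bigr)^{-1}\Bigr) = (\zeta(X,s))^{e}.$$

Since both $\zeta(X,s)$ and $\zeta''(X,s)$ have a pole of the same order 1 at $s = 1$,
we deduce that $e = 1$. •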
Now we can make the result of Theorem 5.11 more precise.
Theorem 5.14. The zeta-function $\zeta(X,s)$ has the form

$$\zeta(X,s) = \frac{P(q^{-s})}{(1-q^{-s})(1-q^{1-s})},$$

where

$$P(q^{-s}) = \sum_{j=0}^{2g} \sigma_j q^{-js}.$$

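Proof: For $g = 0$ we have

$$\zeta(X,s) = \frac{q}{(q-1)(1-q^{1-s})} - \frac{1}{(q-1)(1-q^{-s})} = \frac{1}{(1-q^{-s})(1-q^{1-s})}.$$

Now let $g = 1$. In this case

$$\begin{aligned}
\zeta(X,s) &= \frac{1}{q-1}\sum_{\deg C = 0} q^{l(C)-s\deg C} + \frac{hq^{1-s}}{(q-1)(1-q^{1-s})} - \frac{h}{(q-1)(1-q^{-s})} \\
&= \frac{h-1}{q-1} + \frac{q}{q-1} + \frac{hq^{1-s}}{(q-1)(1-q^{1-s})} - \frac{h}{(q-1)(1-q^{-s})} \\
&= \frac{1 + (h-q-1)q^{-s} + q\cdot q^{-2s}}{(1-q^{1-s})(1-q^{-s})}.
\end{aligned}$$

Finally if $g \ge 2$, then

$$\begin{aligned}
\zeta(X,s) &= \frac{1}{q-1}\sum_{\deg C = 0} q^{l(C)-s\deg C} + \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{l(C)-s\deg C} \\
&\quad + \frac{1}{q-1}\sum_{\deg C = 2g-2} q^{l(C)-s\deg C} + \frac{hq^{1-g}q^{(1-s)(2g-1)}}{(q-1)(1-q^{1-s})} - \frac{h}{(q-1)(1-q^{-s})} \\
&= \frac{h+q-1}{q-1} + \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{l(C)-s\deg C} + \frac{(h-1)q^{g-1-s(2g-2)} + q^{g-s(2g-2)}}{q-1} \\
&\quad + \frac{hq^{1-g}q^{(1-s)(2g-1)}}{(q-1)(1-q^{1-s})} - \frac{h}{(q-1)(1-q^{-s})} \\
&= \frac{1}{q-1}\sum_{j=1}^{2g-3} \alpha_j q^{-js} + \frac{(h+q-1)\bigl(q^{g-1}q^{-2(g-1)s}+1\bigr)}{q-1} \\
&\quad + \frac{hq^{g}q^{-(2g-1)s}}{(q-1)(1-q^{1-s})} - \frac{h}{(q-1)(1-q^{-s})} \\
&= \frac{1 + \sigma_1 q^{-s} + \cdots + \sigma_{2g-1}q^{-(2g-1)s} + q^{g}q^{-2gs}}{(1-q^{-s})(1-q^{1-s})}.
\end{aligned}$$

This proves the theorem.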



The Functional Equation
The following result gives a simple relationship connecting $\zeta(X,s)$ and $\zeta(X,1-s)$.

Theorem 5.15. The zeta-function $\zeta(X,s)$ satisfies the equation

$$q^{(g-1)(2s-1)}\zeta(X,s) = \zeta(X,1-s).$$

Proof: For $g = 0$ we have

$$\zeta(X,1-s) = \frac{1}{(1-q^{s})(1-q^{s-1})} = q^{1-2s}\zeta(X,s).$$

Now if $g = 1$, then

$$\zeta(X,1-s) = \frac{1 + (h-q-1)q^{s-1} + q\cdot q^{2s-2}}{(1-q^{s})(1-q^{s-1})} = \zeta(X,s).$$

Finally, let $g \ge 2$. To prove the theorem in this case we write down $\zeta(X,s)$ as

$$\zeta(X,s) = \zeta_1(X,s) + \zeta_2(X,s),$$

where

$$\zeta_1(X,s) = \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{l(C)-s\deg C}$$

and

$$\zeta_2(X,s) = 1 + q^{-(g-1)(2s-1)} + \frac{h}{q-1}\Bigl(1 + q^{-(g-1)(2s-1)} + \frac{q^{g}q^{-(2g-1)s}}{1-q^{1-s}} - \frac{1}{1-q^{-s}}\Bigr).$$

We have

$$\zeta_2(X,1-s) = 1 + q^{(g-1)(2s-1)} + \frac{h}{q-1}\Bigl(1 + q^{(g-1)(2s-1)} + \frac{q^{g}q^{(2g-1)(s-1)}}{1-q^{s}} - \frac{1}{1-q^{s-1}}\Bigr) = q^{(g-1)(2s-1)}\zeta_2(X,s).$$

Hence it is sufficient to check that

$$\zeta_1(X,1-s) = q^{(g-1)(2s-1)}\zeta_1(X,s).$$

Set $\rho(C) = l(C) - \tfrac{1}{2}\deg C$. Then we have

$$\zeta_1(X,s) = \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{l(C)-s\deg C} = \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{\rho(C)-(s-1/2)\deg C}$$

and by the Riemann-Roch theorem

$$\rho(C) = \rho(W - C).$$

Now we observe that if $C$ runs through the set of divisor classes with the condition

$$1 \le \deg C < 2g-2$$

then $W - C$ runs through the same set. In that case

$$\zeta_1(X,s) = \frac{1}{q-1}\sum_{1\le\deg(W-C)<2g-2} q^{\rho(W-C)-(s-1/2)(2g-2-\deg C)} = \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{\rho(C)-(s-1/2)(2g-2-\deg C)}$$

and hence

$$\begin{aligned}
\zeta_1(X,1-s) &= \frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{\rho(C)-(1/2-s)\deg C} \\
&= q^{(g-1)(2s-1)}\Bigl(\frac{1}{q-1}\sum_{1\le\deg C<2g-2} q^{\rho(C)-(s-1/2)(2g-2-\deg C)}\Bigr) \\
&= q^{(g-1)(2s-1)}\zeta_1(X,s).
\end{aligned}$$

This completes the proof.



Connection with Rational Points
Let $N_{q^v}$ be the number of $F_{q^v}$-rational points of a smooth projective curve $X$
defined over a finite field $k = F_q$. Set $q^{-s} = t$ and write $\zeta(X,s) = Z(X,t)$.

Theorem 5.16. In the disc $|t| < q^{-1}$ one has

$$Z(X,t) = \exp\Bigl(\sum_{v=1}^{\infty} \frac{N_{q^v}}{v}\,t^{v}\Bigr).$$

Proof: First of all we notice that the condition $|t| < q^{-1}$ is equivalent to $\mathrm{Re}\,s > 1$.
For $\mathrm{Re}\,s > 1$ we have

$$\zeta(X,s) = \prod_{P}\bigl(1-(N(P))^{-s}\bigr)^{-1} = \prod_{P}\bigl(1-q^{-s\deg P}\bigr)^{-1} = \prod_{P}\bigl(1-t^{\deg P}\bigr)^{-1} = Z(X,t)$$

and hence

$$\log Z(X,t) = -\sum_{P}\log\bigl(1-t^{\deg P}\bigr) = \sum_{P}\sum_{m=1}^{\infty}\frac{t^{m\deg P}}{m} = \sum_{v=1}^{\infty}\Bigl(\sum_{m\deg P = v}\frac{1}{m}\Bigr)t^{v} = \sum_{v=1}^{\infty}\Bigl(\sum_{\deg P\mid v}\deg P\Bigr)\frac{t^{v}}{v}.$$

Setting

$$N_v^{*} = \sum_{\deg P\mid v}\deg P$$

we obtain

$$Z(X,t) = \exp\Bigl(\sum_{v=1}^{\infty}\frac{N_v^{*}}{v}\,t^{v}\Bigr),$$

and hence it is sufficient to show that

$$N_v^{*} = \sum_{\deg P\mid v}\deg P = N_{q^v}.$$

Let us consider the set $X(F_{q^v})$ of all $F_{q^v}$-rational points of the curve $X$ defined
over $k = F_q$. The set $X(F_{q^v})$ is divided into equivalence classes which form the
$k$-rational divisors $P$. Thus

$$N_{q^v} = {\sum_{P}}' \deg P,$$

where the sum is taken over all the mentioned equivalence classes of the set $X(F_{q^v})$.
Now we show that a prime $k$-rational divisor $P$ corresponds to one of the
considered equivalence classes if and only if $\deg P \mid v$. Indeed, let $P$ correspond to
such an equivalence class and let $x$ be a component of $P$. We have $\deg P = [k(x) : k]$
and since $x$ is an $F_{q^v}$-rational point then $k(x) \subseteq F_{q^v}$. In that case

$$k \subseteq k(x) \subseteq F_{q^v}$$

and hence $\deg P \mid v$. Conversely, if $\deg P \mid v$ and if $x$ is a component of $P$, then
the condition $\deg P \mid v$ means that $[k(x) : k]$ divides $[F_{q^v} : k]$. Therefore we have

$$k \subseteq k(x) \subseteq F_{q^v}$$

and hence the point $x$ is $F_{q^v}$-rational. Thus the divisor $P$ corresponds exactly
to one of the equivalence classes of the set $X(F_{q^v})$. It follows from the above
arguments that $N_v^{*} = N_{q^v}$. •
According to Theorem 5.14 the zeta-function $Z(X,t)$ has the form

$$Z(X,t) = \frac{P(t)}{(1-t)(1-qt)},$$

where

$$P(t) = 1 + \sum_{i=1}^{2g-1}\sigma_i t^{i} + q^{g}t^{2g}, \quad \sigma_i \in \mathbb{Q}.$$

Let

$$P(t) = \prod_{i=1}^{2g}(1-\omega_i t)$$

be a decomposition of $P(t)$ into linear factors in some finite extension of the field
of rational numbers $\mathbb{Q}$.

Theorem 5.17. Let $N_{q^v}$ be the number of $F_{q^v}$-rational points of a smooth projective
curve $X$ of genus $g$ defined over $F_q$. Then

$$N_{q^v} = q^{v} + 1 - \sum_{i=1}^{2g}\omega_i^{v}.$$

Proof: We have

$$Z(X,t) = \exp\Bigl(\sum_{v=1}^{\infty}\frac{N_{q^v}}{v}\,t^{v}\Bigr) = \frac{\prod_{i=1}^{2g}(1-\omega_i t)}{(1-t)(1-qt)}$$

and hence

$$\sum_{v=1}^{\infty}\frac{N_{q^v}}{v}\,t^{v} = \sum_{i=1}^{2g}\log(1-\omega_i t) - \log(1-t) - \log(1-qt) = \sum_{v=1}^{\infty}\frac{1}{v}\Bigl(q^{v} + 1 - \sum_{i=1}^{2g}\omega_i^{v}\Bigr)t^{v}.$$

Comparing the coefficients of equal powers of $t$ we obtain the required
result. •
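
The following Python check is an added example, not part of the book. It verifies Theorems 5.14, 5.15 and 5.17 for genus $g = 1$ on a constructed curve $y^2 = x^3 + x + 1$ over $F_7$: the count $N_q$ fixes $P(t) = 1 + (N_q - q - 1)t + qt^2$, which predicts $N_{q^2}$, and the prediction is compared with a direct count over $F_{49}$. The curve, the model $F_{49} = F_7[i]/(i^2+1)$ and all function names are assumptions of the example.

```python
from collections import Counter
from fractions import Fraction

PRIME = 7        # constructed example: q = p = 7; since 7 % 4 == 3, x^2 + 1 is irreducible over F_7
A, B = 1, 1      # constructed curve y^2 = x^3 + A*x + B; 4*A^3 + 27*B^2 = 31 is nonzero mod 7

# Elements of F_49 = F_7[i]/(i^2 + 1) are pairs (a, b) standing for a + b*i.
def add(u, v):
    return ((u[0] + v[0]) % PRIME, (u[1] + v[1]) % PRIME)

def mul(u, v):
    return ((u[0] * v[0] - u[1] * v[1]) % PRIME,
            (u[0] * v[1] + u[1] * v[0]) % PRIME)

F_Q = [(a, 0) for a in range(PRIME)]                         # F_7 embedded in F_49
F_Q2 = [(a, b) for a in range(PRIME) for b in range(PRIME)]  # all of F_49

def count_points(field):
    """Number of points of the projective curve with coordinates in `field`."""
    squares = Counter(mul(y, y) for y in field)   # how many y produce each value y^2
    affine = 0
    for x in field:
        rhs = add(add(mul(mul(x, x), x), mul((A, 0), x)), (B, 0))
        affine += squares[rhs]
    return affine + 1                             # plus the single point at infinity

def numerator_coefficients(q, n1):
    """Coefficients of P(t) = 1 + (N_q - q - 1) t + q t^2 for genus 1."""
    return [1, n1 - q - 1, q]

def power_sums(q, n1, vmax):
    """omega_1^v + omega_2^v for v = 0..vmax, where P(t) = (1 - omega_1 t)(1 - omega_2 t)."""
    e1 = q + 1 - n1                 # omega_1 + omega_2; the product omega_1 * omega_2 is q
    sums = [2, e1]
    for _ in range(2, vmax + 1):
        sums.append(e1 * sums[-1] - q * sums[-2])   # Newton recurrence, exact in integers
    return sums

def predicted_counts(q, n1, vmax):
    """N_{q^v} = q^v + 1 - (omega_1^v + omega_2^v) for v = 1..vmax (Theorem 5.17)."""
    sums = power_sums(q, n1, vmax)
    return [q**v + 1 - sums[v] for v in range(1, vmax + 1)]

def zeta(q, n1, t):
    """Z(X, t) = P(t) / ((1 - t)(1 - q t)) evaluated exactly at a Fraction t."""
    c0, c1, c2 = numerator_coefficients(q, n1)
    return (c0 + c1 * t + c2 * t * t) / ((1 - t) * (1 - q * t))

if __name__ == "__main__":
    n1 = count_points(F_Q)
    print("N_q counted:", n1)
    print("N_{q^2} counted:", count_points(F_Q2))
    print("N_{q^v} predicted for v = 1, 2, 3:", predicted_counts(PRIME, n1, 3))
    t = Fraction(1, 3)
    # s -> 1 - s corresponds to t -> 1/(q t); for g = 1 the factor q^{(g-1)(2s-1)} is 1
    print("Z(t), Z(1/(qt)):", zeta(PRIME, n1, t), zeta(PRIME, n1, 1 / (PRIME * t)))
```
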

5.3. L-FUNCTIONS OF ARTIN

Characters of Finite Abelian Groups


Given an abelian group $G$ (with respect to multiplication), a character on $G$ is
a homomorphism $\chi : G \to U$, where $U$ is the group of complex numbers $z$ with
$|z| = 1$. We have $\chi(xy) = \chi(x)\chi(y)$ and since $\chi(1) = \chi(1)\chi(1)$ then $\chi(1) = 1$.
If $\chi_1, \chi_2$ are characters on $G$, then so is the homomorphism $(\chi_1\chi_2)(x) =
\chi_1(x)\chi_2(x)$. If $\chi$ is a character, then so is the homomorphism $\chi^{-1}$ defined by
$\chi^{-1}(x) = \bar\chi(x)$, where $\bar\chi(x)$ is the complex conjugate of $\chi(x)$. It is clear now that
the characters on $G$ form a group $\hat G$ under multiplication, whose identity element
is the character $\chi_0$ having $\chi_0(x) = 1$ for any $x \in G$. The group $\hat G$ is called the dual
to $G$.

Proposition 5.18. Let $G$ be the cyclic group of order $n$, and let $\eta$ be a generator
of $G$. Then every character $\chi$ on $G$ has the form

$0 \le k \le n-1,$

for some $\alpha = 0, 1, \ldots, n-1$.

Proof: Let $\chi$ be an arbitrary character on $G$. We have $\chi^{n}(\eta) = \chi(\eta^{n}) = \chi(1) = 1$
and hence $\chi$ is an $n$th root of unity. Therefore, $\chi(\eta) = \exp(2\pi i\,\alpha/n)$ for some
$\alpha = 0, 1, \ldots, n-1$. Thus

and we obtain the desired result.



Corollary 5.19. The group of characters $\hat G$ of a cyclic group $G$ is isomorphic to
$G$.
Now let $G$ be an arbitrary finite abelian group of the order $n = p_1^{m_1}\cdots p_r^{m_r}$,
where $p_1, \ldots, p_r$ are prime numbers (not necessarily distinct). The group $G$ can
be written as a direct product

$$G = G_1 \times \cdots \times G_r$$

of cyclic groups $G_1, \ldots, G_r$ of orders $n_1 = p_1^{m_1}, \ldots, n_r = p_r^{m_r}$, respectively. Let
$\eta_1, \ldots, \eta_r$ be generators of the groups $G_1, \ldots, G_r$ and $\chi$ be a character on $G$. We
have $\chi(\eta_j) = \exp(2\pi i\,\alpha_j/n_j)$ for some $\alpha_j = 0, 1, \ldots, n_j - 1$, and since every element
$x \in G$ is written uniquely in the form

then

Thus we have obtained the following result:



Proposition 5.20. Let $G$ be a finite abelian group of the order $n = p_1^{m_1}\cdots p_r^{m_r}$ and
$G = G_1 \times \cdots \times G_r$ be its decomposition into a direct product of the cyclic groups
$G_1, \ldots, G_r$ of orders $n_1 = p_1^{m_1}, \ldots, n_r = p_r^{m_r}$, respectively. Then every character $\chi$
on $G$ has the form

for some $\alpha_j = 0, 1, \ldots, n_j - 1$, $1 \le j \le r$.

Corollary 5.21. Given a finite abelian group $G$, its group $\hat G$ of characters is
isomorphic to $G$.

Proposition 5.22. Let $G$ be a finite abelian group of order $n$. Then

$$\sum_{x\in G}\chi(x) = \begin{cases} n & \text{if } \chi = \chi_0, \\ 0 & \text{if } \chi \ne \chi_0 \end{cases}$$

and

$$\sum_{\chi\in\hat G}\chi(x) = \begin{cases} n & \text{if } x = 1, \\ 0 & \text{if } x \ne 1. \end{cases}$$

Proof: For $\chi = \chi_0$ the assertion is obvious. Let $\chi \ne \chi_0$. In this case there exists
an element $x_0 \in G$ such that $\chi(x_0) \ne 1$. We have

$$S = \sum_{x\in G}\chi(x) = \sum_{x\in G}\chi(x_0\cdot x) = \chi(x_0)S$$

and hence $S = 0$.
The second statement follows because the group $G$ is isomorphic to a group
which is dual to $\hat G$. •

Characters of a Finite Field Fq


The set of non-zero elements of the finite field $F_q$ forms a cyclic group $F_q^*$ with
$q - 1$ elements. Hence, the characters $\chi$ of $F_q^*$ also form a cyclic group with $q - 1$
elements, and every character $\chi$ satisfies $\chi^{q-1} = \chi_0$, where $\chi_0$ is the character with
$\chi_0(x) = 1$ for all $x$. We call $\chi_0$ the trivial or principal character. The least positive
integer $d$ such that $\chi^{d} = \chi_0$ is called the order of the character $\chi$. It is easy to see
that $d \mid (q - 1)$. We say that $\chi$ is a character of exponent $s$ if $\chi^{s} = \chi_0$; clearly this
is equivalent to $d \mid s$, where $d$ is the order of $\chi$. Let us denote the order $d$ of $\chi$ by
$\mathrm{ord}\,\chi$ and its exponent $s$ by $\mathrm{ind}\,\chi$.
Suppose $s \mid (q - 1)$. For any character $\chi$ of exponent $s$ and any $x \in F_q^*$, we
have $\chi(x^{s}) = \chi(x)^{s} = \chi^{s}(x) = 1$. Thus $\chi(y) = 1$ only if $y \in (F_q^*)^{s}$, the group of
non-zero $s$th powers. Conversely, if $\chi(y) = 1$ for every $y \in (F_q^*)^{s}$, then $\chi^{s} = \chi_0$.
Therefore, if $\chi$ is a character of exponent $s$, then $\chi(x)$ depends only on the coset of
$x$ modulo the subgroup $(F_q^*)^{s}$. Thus, a character of exponent $s$ may be interpreted
as a character of the group $F_q^*/(F_q^*)^{s}$. There are exactly $s$ characters of exponent
$s$.
It will be convenient for us to extend the definition of characters $\chi$ on $F_q^*$ by
putting

$$\chi(0) = \begin{cases} 1 & \text{if } \chi = \chi_0, \\ 0 & \text{if } \chi \ne \chi_0. \end{cases}$$

Such a character $\chi$ we call the multiplicative character of the field $F_q$.

Proposition 5.23. Suppose $s \mid (q - 1)$. Then

if $x \in (F_q^*)^{s}$,
if $x \notin (F_q^*)^{s}$ and $x \ne 0$,
if $x = 0$.

If $\eta$ is a generator of $F_q^*$ and $\chi \ne \chi_0$ is a multiplicative character of $F_q$ of exponent
$s$, then

$$\sum_{j=0}^{s-1}\chi(\eta^{j}) = 0.$$

Proof: The characters of exponent $s$ are characters of $F_q^*/(F_q^*)^{s}$. Hence the first
two cases of the proposition follow from Proposition 5.22. If $x = 0$, then

$$\sum_{\mathrm{ind}\,\chi = s}\chi(x) = \chi_0(0) + \sum_{\substack{\mathrm{ind}\,\chi = s \\ \chi\ne\chi_0}}\chi(0) = 1.$$

To prove the second part of the statement we note that $\chi$ is a non-trivial character
of $F_q^*/(F_q^*)^{s}$ and $\{1, \eta, \ldots, \eta^{s-1}\}$ is the set of all representatives of the residue
classes modulo $(F_q^*)^{s}$. The statement follows again from Proposition 5.22. •
We now turn to additive characters of $F_q$. An additive character of $F_q$ is simply
a character of the additive group of $F_q$. If $q = p^{m}$, where $p$ is the characteristic of
$F_q$, then the additive group is the direct sum of $m$ copies of the additive group of
$F_p$. Denote by $\mathrm{tr}(x) = x + x^{p} + \cdots + x^{p^{m-1}}$ the trace of the element $x \in F_q$ over
$F_p$.
Proposition 5.24. Every additive character $\psi$ of $F_q$ is of the form

for some $\beta \in F_q$.


Proof: We have

$$\psi_\beta(x + y) = \psi_\beta(x)\,\psi_\beta(y).$$

Thus $\psi_\beta(x)$ is an additive character of $F_q$. All these characters are distinct and
their number equals $q$. Hence $\psi_\beta$ exhausts all additive characters of $F_q$. •

The Generating Function of Artin


Let $F_{q^v}$ be an extension of the field $F_q$ of degree $v$ and $F_p$ be the prime subfield
of $F_q$. The Galois group $\mathrm{Gal}(F_{q^v}/F_q)$ is a cyclic group of order $v$. Let $\sigma_v$ be
a generator of $\mathrm{Gal}(F_{q^v}/F_q)$. Its action on elements $x \in F_{q^v}$ is given by the rule
$\sigma_v(x) = x^{q}$. The map

of $F_{q^v}$ onto $F_q$ is called the relative trace of $x \in F_{q^v}$, and the map

$$\mathrm{norm}_v(x) = x\cdot\sigma_v(x)\cdots\sigma_v^{v-1}(x) = x\cdot x^{q}\cdots x^{q^{v-1}}$$

of $F_{q^v}$ onto $F_q$ is called the relative norm of $x$. Next, if $\mathrm{tr}(y)$ and $\mathrm{norm}(y)$ are
the trace and the norm from $F_q$ to $F_p$, then the maps $\mathrm{Tr}_v(x) = \mathrm{tr}(\mathrm{tr}_v(x))$ and
$\mathrm{Norm}_v(x) = \mathrm{norm}(\mathrm{norm}_v(x))$ are called the absolute trace and the absolute norm
of $x \in F_{q^v}$, respectively.
If $\chi$ is a multiplicative character of $F_q$, then

$$\chi_v(x) = \chi(\mathrm{norm}_v(x))$$

is a character of $F_{q^v}$. We call $\chi_v(x)$ the multiplicative character induced by $\chi$.
Similarly, if $\psi$ is an additive character of $F_q$ then

is a character of $F_{q^v}$, which is called the additive character induced by $\psi$.

Let $f(x) = x^{l} + a_1x^{l-1} + \cdots + a_l$, $g(x) = b_0x^{n} + b_1x^{n-1} + \cdots + b_n$ be non-constant
polynomials in $F_q[x]$ and $f = f_1^{s_1}\cdots f_r^{s_r}$ be the decomposition of the
polynomial $f$ into distinct irreducible factors $f_1, \ldots, f_r$ in $F_q[x]$. We consider sums

$$T_v = T_v(f,g) = \sum_{x\in F_{q^v}}\chi_v(f(x))\,\psi_v(g(x)), \quad v = 1, 2, \ldots, \tag{5.1}$$

and show that they depend in a regular way on the integral parameter $v$. To find
the dependence of $T_v$ on $v$ let us introduce for consideration the L-function of Artin
$L(z)$ of complex variable $z$ which we define by the series

$$L(z) = L(f,g,z) = \exp\Bigl(\sum_{v=1}^{\infty}\frac{T_v}{v}\,z^{v}\Bigr), \tag{5.2}$$

which converges absolutely for $|z| < q^{-1}$.


For each $v \ge 1$ we set

(5.3)

where the sum is over all non-negative integers $i_1, \ldots, i_v$ with the condition $i_1 +
2i_2 + \cdots + vi_v = v$, and note that all $\beta_v$ lie in the field $\mathbb{Q}(e^{2\pi i/p})$.
Proposition 5.25. Let $s$ be a positive divisor of $q - 1$ and $\deg(f_1\cdots f_r) = m$. Suppose
that at least one of the following conditions holds:
(i) $\chi$ is a non-trivial multiplicative character of $F_q$ of exponent $s$ and
$(s, s_1, \ldots, s_r) = 1$;
(ii) $\psi$ is a non-trivial additive character of $F_q$ and $b_0 \ne 0$, $(n, q) = 1$.
Then $\beta_v = 0$ for all $v \ge m + n - 1$.

Proof: Let $i_1, \ldots, i_v$ be non-negative integers satisfying the condition $i_1 + 2i_2 +
\cdots + vi_v = v$. If for each $\tau = 1, 2, \ldots, v$ the polynomial

$$\alpha(x) = x^{v} + u_1x^{v-1} + \cdots + u_v \in F_q[x]$$

has exactly $i_\tau$ irreducible divisors of degree $\tau$ in $F_q[x]$ then the $v$-tuple $(i_1, \ldots, i_v)$
is called the decomposition type of $\alpha(x)$. Let

$$\alpha(x) = \prod_{\tau=1}^{v}\prod_{j=1}^{i_\tau}\prod_{k=0}^{\tau-1}\bigl(x + \sigma_\tau^{k}(x_j^{(\tau)})\bigr),$$

where

$$x_1^{(1)}, \ldots, x_{i_1}^{(1)} \in F_q, \ \ldots, \ x_1^{(v)}, \ldots, x_{i_v}^{(v)} \in F_{q^v}.$$

It is easy to see that if the non-negative integers $i_1, \ldots, i_v$ run through all solutions of
the equation $i_1 + 2i_2 + \cdots + vi_v = v$ and $x_1^{(\tau)}, \ldots, x_{i_\tau}^{(\tau)}$ independently run through all
elements of the fields $F_{q^\tau}$, $1 \le \tau \le v$, then the elementary symmetric polynomials
$u_1, \ldots, u_v$ of these elements independently run through all elements of the field
$F_q$. In addition, the polynomials $u_1, \ldots, u_v$ are invariant under all permutations
of elements $x_1^{(\tau)}, \ldots, x_{i_\tau}^{(\tau)} \in F_{q^\tau}$, $1 \le \tau \le v$, and also under all replacements of
these elements by their conjugates over $F_q$. Thus, if we set (according to the
fundamental theorem on symmetric polynomials)

and to each polynomial $\alpha(x) = x^{v} + u_1x^{v-1} + \cdots + u_v$ with decomposition type
$(i_1, \ldots, i_v)$ associate $i_1!\cdots i_v!\,1^{i_1}\cdots v^{i_v}$ possibly repeating tuples

$$(x_1^{(1)}, \ldots, x_{i_1}^{(1)}, \ldots, x_1^{(v)}, \ldots, x_{i_v}^{(v)}),$$

we obtain the relation

$$\beta_v = \sum_{u_1,\ldots,u_v\in F_q}\chi(f^{*}(u_1, \ldots, u_v))\,\psi(g^{*}(u_1, \ldots, u_v)). \tag{5.4}$$

In what follows, we assume that $v > m + n - 1$. Let $v_i = \deg f_i$, $1 \le i \le r$, and

$$f_i(x) = \prod_{\mu=1}^{v_i}(x + \alpha_{i\mu})$$

be a decomposition of $f_i(x)$ into linear factors in the ring $F_{q^{v_i}}[x]$. Since

we have

$$f^{*}(u_1, \ldots, u_v) = \prod_{i=1}^{r}\prod_{\mu=1}^{v_i}\bigl(\alpha_{i\mu}^{v} + u_1\alpha_{i\mu}^{v-1} + \cdots + u_v\bigr)^{s_i}.$$

We set

(5.5)

$$\alpha_{r1}^{v} + u_1\alpha_{r1}^{v-1} + \cdots + u_v = \xi_r.$$

If $u_1, \ldots, u_{v-m}$ are fixed and $u_{v-m+1}, \ldots, u_v$ independently run through all elements
of $F_q$, then $\xi_1, \ldots, \xi_r$ independently run through all elements of the fields
$F_{q^{v_1}}, \ldots, F_{q^{v_r}}$, respectively. In addition,

$$f^{*}(u_1, \ldots, u_v) = \prod_{i=1}^{r}\bigl(\mathrm{norm}_{v_i}(\xi_i)\bigr)^{s_i} = \prod_{i=1}^{r}\zeta_i^{s_i} \tag{5.6}$$

and each of the non-zero elements $\zeta_i = \mathrm{norm}_{v_i}(\xi_i)$ runs exactly $(q^{v_i} - 1)/(q - 1)$ times
through all elements of the multiplicative group $F_q^*$ of $F_q$.
By the well-known Waring formula we have

where

and hence

$$g^{*}(u_1, \ldots, u_v) = \sum_{\mu=1}^{n} b_{n-\mu}\sum_{\lambda_1+2\lambda_2+\cdots+v\lambda_v=\mu} a_{\lambda_1,\ldots,\lambda_v}u_1^{\lambda_1}\cdots u_v^{\lambda_v} + vb_n = (-1)^{n-1}b_0nu_n + g_1^{*}(u_1, \ldots, u_{n-1}). \tag{5.7}$$

Taking into account (5.4), (5.6) and (5.7) we obtain

f3v =N
Ul "",U v- m EFq

x L x(,:I ... ,;r),


i:1,···,i:rEFq

where

$$N = \prod_{i=1}^{r}(q^{v_i} - 1)/(q - 1).$$

Let $\chi$ be a non-trivial multiplicative character of exponent $s$ and let $\eta$ be a
generator of $F_q^*$. Then

$$\sum_{\zeta_1,\ldots,\zeta_r\in F_q}\chi(\zeta_1^{s_1}\cdots\zeta_r^{s_r}) = \sum_{k_1,\ldots,k_r=1}^{q-1}\chi(\eta^{k_1s_1+\cdots+k_rs_r}),$$

where $\eta^{k_i} = \zeta_i$ for $i = 1, 2, \ldots, r$. We have $(s, s_1, \ldots, s_r) = 1$ and, hence, if $k_1, \ldots, k_r$
independently run through all elements of the set $\{1, 2, \ldots, q - 1\}$ then $k_1s_1 + \cdots +
k_rs_r$ runs, with the same multiplicity, through all the elements $0, 1, \ldots, s - 1$ of the
complete residue system modulo $s$. In that case the product $\zeta_1^{s_1}\cdots\zeta_r^{s_r}$ runs several
times through all elements of the factor group $F_q^*/(F_q^*)^{s}$. Since $\chi$ is a non-trivial
character of this factor group then according to Proposition 5.22 we have

$$\sum_{\zeta_1,\ldots,\zeta_r\in F_q}\chi(\zeta_1^{s_1}\cdots\zeta_r^{s_r}) = 0.$$

Thus, if $\chi \ne \chi_0$, then $\beta_v = 0$ for all $v > m + n - 1$.
Now let $\psi$ be a nontrivial additive character of $F_q$. It follows from (5.5) that
$u_{v-m+1}, \ldots, u_v$ are uniquely determined by $\xi_1, \ldots, \xi_r, u_1, \ldots, u_{v-m}$, and then

$$\beta_v = N\sum_{\zeta_1,\ldots,\zeta_r\in F_q}\chi(\zeta_1^{s_1}\cdots\zeta_r^{s_r})\sum_{u_1,\ldots,u_{v-m}\in F_q}\psi\bigl((-1)^{n-1}b_0nu_n\bigr) \times \psi\bigl(g_1^{*}(u_1, \ldots, u_{n-1})\bigr).$$

We have

Ul,···,uv-mEFq

Ul,···,uv-mEFq

and since $b_0 \ne 0$, $(n, q) = 1$, it follows that $u = (-1)^{n-1}b_0nu_n$, together with $u_n$,
runs through all elements of $F_q$. In that case, by Proposition 5.22,

$$\sum_{u_n\in F_q}\psi\bigl((-1)^{n-1}b_0nu_n\bigr) = \sum_{u\in F_q}\psi(u) = 0$$

and hence we find again that $\beta_v = 0$. •


Let the algebraic numbers $\beta_v$ be defined by relation (5.3). Consider the
polynomial

$$P(z) = 1 + \beta_1z + \cdots + \beta_{m+n-1}z^{m+n-1}$$

and denote by $K$ the minimal extension of the field $\mathbb{Q}(e^{2\pi i/p})$ in which

$$P(z) = \prod_{i=1}^{m+n-1}(1 - \omega_iz). \tag{5.8}$$

Theorem 5.26. Let $f(x) = f_1^{s_1}(x)\cdots f_r^{s_r}(x)$, $g(x) = b_0x^{n} + b_1x^{n-1} + \cdots + b_n$ be
non-constant polynomials in $F_q[x]$ of degrees $l$ and $n$, respectively, let $s$ be a
positive divisor of $q - 1$, and let $\deg(f_1\cdots f_r) = m$. If at least one of the following
two conditions holds:

(i) $\chi$ is a non-trivial multiplicative character of $F_q$ of exponent $s$ and
$(s, s_1, \ldots, s_r) = 1$;

(ii) $\psi$ is a non-trivial additive character of $F_q$ and $(n, q) = 1$,

then the L-function of Artin (5.2) has the form

$$L(z) = P(z).$$

Furthermore, if the algebraic numbers $\omega_1, \ldots, \omega_{m+n-1}$ are defined by (5.8) then
the sum (5.1) can be written in the form

$$T_v = -\sum_{j=1}^{m+n-1}\omega_j^{v}, \quad v = 1, 2, \ldots.$$

Proof: By the well-known combinatorial identity we have

and hence, according to Proposition 5.25,

Consequently, in virtue of (5.8),

$$L(z) = \prod_{j=1}^{m+n-1}(1 - \omega_jz).$$

Next,

$$\sum_{v=1}^{\infty}\frac{T_v}{v}\,z^{v} = \sum_{j=1}^{m+n-1}\log(1 - \omega_jz) = -\sum_{v=1}^{\infty}\Bigl(\sum_{j=1}^{m+n-1}\omega_j^{v}\Bigr)\frac{z^{v}}{v}$$

and hence

$$T_v = -\sum_{j=1}^{m+n-1}\omega_j^{v}$$

for all $v \ge 1$.
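
A numerical check of Theorem 5.26 and Proposition 5.25 in the smallest case, as an added example that is not part of the book. It assumes $q = p \equiv 3 \pmod 4$, $f(x) = x$, $g(x) = x$, the quadratic character $\chi$ (exponent $s = 2$) and $\psi(x) = e^{2\pi i x/p}$, so that $m + n - 1 = 1$, $L(z) = 1 + \beta_1 z$ and the theorem predicts $T_2 = -T_1^2$; the model $F_{p^2} = F_p[i]/(i^2+1)$ and the function names are assumptions of the example.

```python
import cmath

def chi(x, p):
    """Quadratic character of F_p (exponent s = 2), extended by chi(0) = 0."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1   # Euler's criterion

def psi(x, p):
    """Additive character psi(x) = exp(2*pi*i*x/p) of F_p."""
    return cmath.exp(2j * cmath.pi * (x % p) / p)

def T1(p):
    """T_1 = sum over x in F_p of chi(f(x)) * psi(g(x)) with f(x) = g(x) = x."""
    return sum(chi(x, p) * psi(x, p) for x in range(p))

def T2(p):
    """T_2 = sum over x in F_{p^2} of chi(norm_2(x)) * psi(tr_2(x)).

    For p = 3 (mod 4) write x = a + b*i with i^2 = -1; then x^p = a - b*i,
    so norm_2(x) = x * x^p = a^2 + b^2 and tr_2(x) = x + x^p = 2a.
    """
    if p % 4 != 3:
        raise ValueError("this model of F_{p^2} needs p = 3 (mod 4)")
    total = 0
    for a in range(p):
        for b in range(p):
            total += chi(a * a + b * b, p) * psi(2 * a, p)
    return total

def beta(p):
    """First two coefficients of L(z) = exp(T_1 z + T_2 z^2 / 2 + ...)."""
    t1, t2 = T1(p), T2(p)
    return t1, (t1 * t1 + t2) / 2      # beta_1 and beta_2

if __name__ == "__main__":
    for p in (3, 7, 11):               # constructed sample primes, all 3 mod 4
        b1, b2 = beta(p)
        omega = -b1                    # L(z) = 1 - omega * z
        print(p, "T_1 =", T1(p), "T_2 =", T2(p),
              "-omega^2 =", -omega ** 2, "|beta_2| =", abs(b2))
```
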



Corollary 5.27. The L-function of Artin (5.2) is regular at every point of the
complex plane C.

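Proposition 5.28. Let $\omega_1, \ldots, \omega_r$ be complex numbers and $c$, $R$ be positive numbers.
If

$$|\omega_1^{v} + \cdots + \omega_r^{v}| \le cR^{v} \tag{5.9}$$

for all $v = 1, 2, \ldots$, then $|\omega_j| \le R$ for $j = 1, 2, \ldots, r$.

Proof: For all sufficiently small values of $|z|$ we have

$$\log(1 - \omega z) = -\sum_{v=1}^{\infty}\frac{\omega^{v}}{v}\,z^{v},$$

and then

$$\log\prod_{j=1}^{r}(1 - \omega_jz) = -\sum_{v=1}^{\infty}(\omega_1^{v} + \cdots + \omega_r^{v})\frac{z^{v}}{v}.$$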

In view of (5.9) the series on the right converges for $|z| < R^{-1}$, and hence the
function

$$\log\prod_{j=1}^{r}(1 - \omega_jz)$$

is regular in the disk $|z| < R^{-1}$. In that case $1 - \omega_jz \ne 0$ for $|z| < R^{-1}$; hence,
$|\omega_j| \le R$ for all $j = 1, 2, \ldots, r$. •

5.4. ALGEBRAIC FUNCTION FIELDS

To provide an easy way to construct smooth projective curves over a finite field
$F_q$ with a lot of $F_q$-rational points, we shall need some facts from the ramification
theory of Artin-Schreier extensions (for details, see Artin [4], Deuring [24], Serre
[167] and Stichtenoth [197]).

Field Extensions
At first we recall some well-known facts about finite field extensions. Let $L = k(X)$
be the function field on a smooth projective curve $X$ over a field $k$. Let $P$ be a
prime $k$-rational divisor (a closed point) on $X$ and let $v_P$ be the normalized discrete
valuation of $L$ associated with $P$ ($v_P(L^*) = \mathbb{Z}$). The field $L$ can be regarded as a
finite field extension of the rational function field $k(x)$.
Let $L/k$ denote an algebraic function field of one variable with the full constant
field $k$. The field $k$ is assumed to be perfect (i.e., all its algebraic extensions $k'/k$
are separable). For convenience, we fix some algebraically closed field $\bar L \supseteq L$ and
consider only extensions $L'$ of $L$ which lie in $\bar L$. An algebraic function field $L'/k'$
is called an algebraic extension of $L/k$ if $L' \supseteq L$ is an algebraic extension of $L$
and $k' \supseteq k$. The algebraic extension $L'/k'$ is called a constant field extension if
$L' = Lk'$, the composite field of $L$ and $k'$. The algebraic extension $L'/k'$ of $L/k$ is
called a finite extension if the degree $[L' : L]$ of $L'$ over $L$ is finite. It is easy to check
that $L'/k'$ is a finite extension of $L/k$ if and only if $[k' : k] < \infty$.
Let $L/k = k(X)$ be the function field on a smooth projective curve $X$ over $k$
and let $P$ be a prime $k$-rational divisor on $X$. Let $\mathcal{O}_P$ be the local ring of the divisor
$P$ and $\mathfrak{m}_P$ the unique maximal ideal of $\mathcal{O}_P$. There is a one-to-one correspondence
between the prime $k$-rational divisors $P \in \mathrm{Div}(X)$ and the maximal ideals $\mathfrak{m}_P$.
This correspondence allows us to identify $P$ with the corresponding equivalence
class of valuations of $L/k$, which is called a prime divisor of the field $L/k$. The
genus $g = g(X)$ of $X$ is also called the genus of $L/k$, and $\mathrm{Div}(X)$, $\mathrm{Pic}(X)$ are
denoted by $\mathrm{Div}(L)$, $\mathrm{Pic}(L)$.
Let $L'/k'$ be a finite extension of $L/k$. Every prime divisor $P'$ of $L'/k'$ induces
the prime divisor $P = P' \cap L \in \mathrm{Div}(L)$ of the field $L/k$. In this case we say that
$P'$ lies over $P$ and write $P' \mid P$. If $v_P$ is the normalized valuation of $L/k$ associated
with $P$ and $v_{P'}$ is the valuation of $L'/k'$ associated with $P'$ over $P$, the value group
$v_{P'}(L'^{*}) = \Gamma_{P'}$ of $v_{P'}$ is a subgroup of the value group $v_P(L^{*}) = \mathbb{Z}$ of $v_P$, and the
index $e(P'|P) = (\mathbb{Z} : \Gamma_{P'})$ is called a ramification index of $P'$ over $P$ (in other
words, $v_{P'}(f) = e(P'|P)\,v_P(f)$ for any $f \in L^{*}$). We say that $P'|P$ is ramified if
$e(P'|P) > 1$, and $P'|P$ is unramified if $e(P'|P) = 1$. Let $\mathcal{O}_P$, $\mathfrak{m}_P$ and $\mathcal{O}'_{P'}$, $\mathfrak{m}'_{P'}$
be local rings and maximal ideals of valuations $v_P$ and $v_{P'}$, respectively. The
fields $L_P = \mathcal{O}_P/\mathfrak{m}_P$ and $L'_{P'} = \mathcal{O}'_{P'}/\mathfrak{m}'_{P'}$ are called residue fields of $P$ and $P'$. The
field $L_P$ is canonically embedded into $L'_{P'}$, and $f(P'|P) = [L'_{P'} : L_P]$ is called the
relative degree of $P'$ over $P$. In particular, $\deg P = [L_P : k]$ and $\deg P' = [L'_{P'} : k']$
are degrees of prime divisors $P$ and $P'$. It is easy to see that

$$\deg P' = \frac{f(P'|P)\deg P}{[k' : k]}.$$

For every prime divisor $P$ of $L/k$, there is at least one prime divisor $P'$ of $L'/k'$
lying over $P$, and the number of such prime divisors $P'$ is finite. Moreover, we
have

$$\sum_{P'|P} e(P'|P)\,f(P'|P) = [L' : L].$$
Let $L'$ be a finite extension of $L$, and $L'_s$ be the subfield of $L'$ consisting of
all separable elements of $L'$ over $L$ (whose minimal polynomials over $L$ have no
multiple roots). The degree $[L'_s : L]$ is known as a separable degree of $L'$ over
$L$, and is denoted by $[L' : L]_s$. The field $L'$ is a purely inseparable extension of
$L'_s$, and the degree $[L' : L'_s]$ is called an inseparable degree of $L'$ over $L$ (notation:
$[L' : L]_i$). Suppose now that $L'/k'$ is a finite extension of an algebraic function
field $L/k$, and that $P' \in \mathrm{Div}(L')$ is a prime divisor lying over a prime divisor
$P \in \mathrm{Div}(L)$. Then $f_s(P'|P) = [L'_{P'} : L_P]_s$ is called a separable degree of $P'$ over
$P$, and $f_i(P'|P) = [L'_{P'} : L_P]_i$ is called an inseparable degree of $P'$ over $P$. The
prime divisor $P'$ is separable, inseparable, or purely inseparable according to the
cases when $f_i(P'|P) = 1$, $f_i(P'|P) > 1$, or $f_i(P'|P) = f(P'|P)$.
Suppose that $L'/k'$ and $L''/k''$ are two finite extensions of an algebraic function
field $L/k$, and $\sigma : L' \to L''$ is an isomorphism of fields $L'$ and $L''$ which maps $k'$
onto $k''$ and leaves $L$ fixed. For every prime divisor $P'$ of $L'/k'$ we define the prime
divisor $\sigma P'$ of $L''/k''$ by setting

for all $f \in L''/k''$ (we assume $v_{P'}(0) = \infty$). The map $P' \to \sigma P'$ gives a one-to-one
correspondence between the prime divisors $P'$ of $L'/k'$ and the prime divisors $P''$
of $L''/k''$. If $L/k$, $L'/k'$ and $L''/k''$ form a tower

$$L/k \subseteq L'/k' \subseteq L''/k''$$

of finite extensions, we have

$$e(P''|P) = e(P''|P')\cdot e(P'|P), \quad f(P''|P) = f(P''|P')\,f(P'|P)$$

and

$$e(\sigma P'|P) = e(P'|P), \quad f(\sigma P'|P) = f(P'|P).$$

Galois Extensions
Let $L'/L$ be a normal extension of an algebraic function field $L/k$ with the Galois
group $G = \mathrm{Gal}(L'/L)$. Let $P$ be a prime divisor of $L/k$ and let $P'$ be a prime
divisor of $L'/k'$ lying over $P$. Then every prime divisor of $L'/k'$, lying over $P$,
has the form $\sigma P'$ for some $\sigma \in G$. The subgroup $D(P'|P)$ of $G$, consisting of
elements $\sigma \in G$ such that $\sigma P' = P'$, is called the decomposition group of $P'$ over
$P$. The field $L'_{P'}$ is a normal extension of $L_P$, and every element $\bar\sigma$ of the Galois
group of this extension is induced by some element $\sigma \in D(P'|P)$. The subgroup
$I(P'|P)$ of elements $\sigma \in D(P'|P)$, such that $\bar\sigma \in G(P'|P)$ is trivial on $L'_{P'}$, is
called the inertia group of $P'$ over $P$. Let $r$ denote the number of prime divisors
$P'$ of $L'/k'$ lying over $P$. Thus the following relations hold:

$$r = (G : D(P'|P)), \quad [L' : L] = r\cdot e(P'|P)\,f(P'|P),$$

$$D(\sigma P'|P) = \sigma D(P'|P)\sigma^{-1}, \quad G(P'|P) \cong D(P'|P)/I(P'|P),$$

$$(G : 1) = [L' : L]_s = r\cdot(D(P'|P) : 1),$$

$$(D(P'|P) : I(P'|P)) = [L'_{P'} : L_P] = f(P'|P),$$

and

$$(D(P'|P) : 1) = \frac{e(P'|P)\,f(P'|P)}{[L' : L]_i}, \quad (I(P'|P) : 1) = \frac{e(P'|P)\,f_i(P'|P)}{[L' : L]_i}.$$

Let $L'/L$ be a finite extension of an algebraic function field $L/k$. Let

$$D = \sum_{P\in\mathrm{Div}(L)} a_P\cdot P$$

be a divisor of the field $L/k$, let $P'$ be a prime divisor of $L'/k'$ lying over $P$ and let
$e(P'|P)$ be the ramification index of $P'$ over $P$. The divisor

$$\mathrm{con}_{L'/L}(D) = \sum_{P'\in\mathrm{Div}(L')} a_P\,e(P'|P)\cdot P'$$

of the field $L'/k'$ is called a conorm of the divisor $D$. The map

$$\mathrm{con} : \mathrm{Div}(L) \to \mathrm{Div}(L'),$$

is an embedding of the group $\mathrm{Div}(L)$ into the group $\mathrm{Div}(L')$, which induces a
homomorphism $\mathrm{con} : \mathrm{Pic}(L) \to \mathrm{Pic}(L')$. For any $D \in \mathrm{Div}(L)$ we have

$$\deg(\mathrm{con}_{L'/L}(D)) = \frac{[L' : L]}{[k' : k]}\deg D.$$

Suppose that $L''/k''$ is the smallest normal extension of $L/k$ containing $L'$, and $k''$
is the algebraic closure of $k'$ in $L''$. Then $L''/k''$ is an algebraic function field with
the full constant field $k''$. Let $G = \mathrm{Gal}(L''/L)$ and $H$ be the subgroup of $G$ which
leaves $L'$ fixed. Let $G/H$ be the set of left cosets of $G$ with respect to $H$. If

$$D' = \sum_{P'\in\mathrm{Div}(L')} a_{P'}\cdot P'$$

is a divisor of the field $L'/k'$, the divisor

$$\mathrm{norm}_{L'/L}(D') = [L' : L]_i\sum_{\sigma\in G/H}\sigma D'$$

of the field $L/k$ is called a norm of $D'$. The map $D' \mapsto \mathrm{norm}_{L'/L}(D')$ defines a
homomorphism

$$\mathrm{norm} : \mathrm{Div}(L') \to \mathrm{Div}(L).$$

If $P'$ is a prime divisor of $L'/k'$ lying over $P \in \mathrm{Div}(L)$, then

$$\mathrm{norm}_{L'/L}(P') = f(P'|P)\cdot P,$$

and if $f$ is an element of $L'/k'$, then

Constant Field Extensions


Let $L/k$ and $L'/k'$ be algebraic function fields. We recall that $L'/k'$ is a constant
field extension of $L/k$ if $L' = Lk'$ is the compositum of fields $L$ and $k'$.

Proposition 5.29. In an algebraic constant field extension $L' = Lk'$ of $L/k$, the
following holds:
(i) $L'/L$ is unramified (i.e., $e(P'|P) = 1$ for all prime divisors $P \in \mathrm{Div}(L)$ and
all prime divisors $P' \in \mathrm{Div}(L')$ with $P'|P$);

(ii) $L'/k'$ has the same genus as $L/k$;

(iii) for any $D \in \mathrm{Div}(L)$, we have

degL' D = degD;

(iv) for any $D \in \mathrm{Div}(L)$,

$$l(\mathrm{con}_{L'/L}(D)) = l(D);$$

(v) if $K$ is a canonical divisor of $L/k$ then $\mathrm{con}_{L'/L}(K)$ is a canonical divisor of
$L'/k'$;
(vi) the map
$$\mathrm{con} : \mathrm{Pic}(L) \to \mathrm{Pic}(L')$$
is injective;

(vii) for any prime divisor $P' \in \mathrm{Div}(L')$ lying over $P = P' \cap L$,

Proof: See Deuring [24, §36] and Stichtenoth [197, III.6].



The Different
Let $L'/k'$ be a finite separable extension of an algebraic function field $L/k$ and let
$[L' : L] = n$. Choose an algebraically closed field $\bar L$ containing $L$. An embedding
of $L'/L$ into $\bar L$ is a field homomorphism $\sigma : L' \to \bar L$ such that $\sigma(a) = a$ for all
$a \in L$. Since $L'/L$ is separable there are exactly $n$ distinct embeddings $\sigma_1, \ldots, \sigma_n$
of $L'/L$ into $\bar L$, and we set, for $f \in L'$,

$$\mathrm{tr}_{L'/L}(f) = \sum_{i=1}^{n}\sigma_i(f).$$

Similarly, we define $\mathrm{norm}_{L'/L}(f)$ as follows

$$\mathrm{norm}_{L'/L}(f) = \prod_{i=1}^{n}\sigma_i(f).$$

Let $v_0$ be a real valuation of the field $L$. Then $v_0$ induces a topology on $L$. Two
elements $f, g \in L$ are "close" in this topology if $v_0(f - g)$ is "large." A sequence
$\{f_i\}$ of elements $f_i \in L$ ($i \in \mathbb{Z}$, $i \ge 1$), is a Cauchy sequence if for every positive
$l \in \mathbb{Z}$ there exists an integer $m \ge 1$ such that $i, j \ge m$ implies $v_0(f_i - f_j) \ge l$. A
field is complete if every Cauchy sequence converges. It is standard to embed $L$
in a (unique) complete field $L_v$ with a valuation $v$ extending the valuation $v_0$ of $L$
such that $L$ is dense in $L_v$.
Let $P$ be a prime divisor of an algebraic function field $L/k$ and let $t$ be a local
parameter at $P$ (i.e., an element of $L/k$ such that $v_P(t) = 1$). Suppose that the
residue field $L_P$ is separable over $k$. Then the completion $\hat L_P$ is isomorphic to the
field $L_P((t))$ of formal power series in $t$ over $L_P$. Every element of this field has
the form

$$\alpha = \sum_{i=m}^{\infty} a_it^{i},$$

where $m$ is an integer, $a_i \in L_P$ and $a_m \ne 0$.
Suppose now that $L'/k'$ is a finite extension of $L/k$. Let $P$ be a prime divisor
of $L/k$ and $P'$ a prime divisor of $L'/k'$ lying over $P$. Then $\hat L_P$ can be embedded in
$\hat L'_{P'}$. Since the composite field $L'\hat L_P$ is complete, contains $L'$ and is contained in
$\hat L'_{P'}$, we conclude that $L'\hat L_P = \hat L'_{P'}$. Denote the valuation rings of $\hat L'_{P'}$ and $\hat L_P$ by
$\hat{\mathcal{O}}'_{P'}$ and $\hat{\mathcal{O}}_P$, and let

(9'pl)* = {r E (9' pI Itrllpl/Lp (f(9'pl) ~ Op}.


Then $(\hat{\mathcal{O}}'_{P'})^{*}$ is a fractional ideal of $\hat{\mathcal{O}}'_{P'}$ of the form

(9'pl)* = rd{PI/P)(9'PI ,

where $d(P'|P)$ is a non-negative integer, which is called the different exponent
of $P'$ over $P$. There are only finitely many $P'$ for which $d(P'|P) \ne 0$. They are
exactly the prime divisors of $L'/k'$ which are ramified over $L/k$. The divisor

$$\mathrm{Diff}(L'/L) = \sum_{P\in\mathrm{Div}(L)}\sum_{P'|P} d(P'|P)\cdot P'$$

is called the different of $L'/L$. Observe that $\mathrm{Diff}(L'/L)$ is an effective divisor of
the field $L'/k'$.
Let $L'/k'$ be a finite extension of $L/k$ and let $P$ be a prime divisor of $L/k$.

(i) A prime divisor $P' \in \mathrm{Div}(L')$ lying over $P$ is said to be tamely (resp. wildly)
ramified if $e(P'|P) > 1$ and $p = \mathrm{char}\,k$ does not divide $e(P'|P)$ (resp. $p$
does divide $e(P'|P)$).
(ii) We say that $P \in \mathrm{Div}(L)$ is ramified (resp. unramified) in $L'/L$ if there is at
least one $P' \in \mathrm{Div}(L')$ over $P$ such that $P'$ is ramified (resp. if all $P'$ lying
over $P$ are unramified). The prime divisor $P$ is tamely ramified in $L'/L$ if
it is ramified in $L'/L$ and no prime divisor $P'$ over $P$ is wildly ramified. If
there is at least one wildly ramified prime divisor $P'$ over $P$ we say that $P$ is
wildly ramified in $L'/L$.
(iii) $P$ is totally ramified in $L'/L$ if there is only one $P'$ over $P$, and the ramification
index is $e(P'|P) = [L' : L]$.
(iv) $L'/L$ is said to be ramified (resp. unramified) if at least one prime divisor
$P \in \mathrm{Div}(L)$ is ramified in $L'/L$ (resp. all $P$ are unramified in $L'/L$).

(v) $L'/L$ is said to be tame if no prime divisor $P \in \mathrm{Div}(L)$ is wildly ramified in
$L'/L$.

There is a close connection between $e(P'|P)$ and $d(P'|P)$ (see, for example,
Serre [167, Ch. III] and Stichtenoth [197, III.5]):
Proposition 5.30. Let $L'/k'$ be a finite separable extension of an algebraic function
field $L/k$. Then we have:

(i) if $P$ is a prime divisor of $L/k$ and $P'$ is a prime divisor of $L'/k'$ lying over
$P$, then $P'$ is ramified if and only if $P' \in \mathrm{Supp}(\mathrm{Diff}(L'/L))$. If $P'$ is ramified,
then

$$d(P'|P) = e(P'|P) - 1 \iff P' \text{ is tamely ramified},$$

$$d(P'|P) \ge e(P'|P) \iff P' \text{ is wildly ramified};$$

(ii) almost all prime divisors $P \in \mathrm{Div}(L)$ are unramified in $L'/L$;

(iii) (the Hurwitz genus formula) if $k' = k$ and $g$ (resp. $g'$) denotes the genus of
$L/k$ (resp. $L'/k$), then

$$2g' - 2 = [L' : L](2g - 2) + \deg\mathrm{Diff}(L'/L) \ge [L' : L](2g - 2) + \sum_{P\in\mathrm{Div}(L)}\sum_{P'|P}(e(P'|P) - 1)\deg P'$$

(equality holds if and only if $L'/L$ is tame).


Next, there is an easy way to calculate the different of $L'/L$. Let $\bar{\mathcal{O}}_P$ be the
integral closure of $\mathcal{O}_P$ in $L'/k'$. Then

$$\bar{\mathcal{O}}_P = \bigcap_{P'|P}\mathcal{O}'_{P'},$$

and there exists a basis $\{f_1, \ldots, f_n\}$ of $L'/L$ such that

$$\bar{\mathcal{O}}_P = \sum_{i=1}^{n}\mathcal{O}_P\cdot f_i, \quad n = [L' : L].$$

Any such basis $\{f_1, \ldots, f_n\}$ is called an integral basis of $\bar{\mathcal{O}}_P$ over $\mathcal{O}_P$.
Proposition 5.31. Suppose $L' = L(z)$ is a finite separable extension of a function
field $L/k$ of degree $[L' : L] = n$. Let $P \in \mathrm{Div}(L)$ be a prime divisor such that the
minimal polynomial $F(T)$ of $z$ over $L/k$ has coefficients in $\mathcal{O}_P$ (i.e., $z$ is integral
over $\mathcal{O}_P$), and let $P'_1, \ldots, P'_r \in \mathrm{Div}(L')$ be all prime divisors lying over $P$. Let $\bar{\mathcal{O}}_P$
be the integral closure of $\mathcal{O}_P$ in $L'$. Then the following holds:

(i) $d(P'_i|P) \le v_{P'_i}(F'(z))$ for $1 \le i \le r$ (here, $F'(T)$ denotes the derivative of
$F(T)$ in the ring $L[T]$);
(ii) $\{1, z, \ldots, z^{n-1}\}$ is an integral basis of $\bar{\mathcal{O}}_P$ over $\mathcal{O}_P$ if and only if $d(P'_i|P) =
v_{P'_i}(F'(z))$ for $1 \le i \le r$;
(iii) if $F(T) \in \mathcal{O}_P[T]$ and $v_{P'_i}(F'(z)) = 0$ for $1 \le i \le r$, then $P$ is unramified, and
$\{1, z, \ldots, z^{n-1}\}$ is an integral basis of $\bar{\mathcal{O}}_P$ over $\mathcal{O}_P$;
(iv) if $P'$ is totally ramified over $P$, and $F(T)$ is the minimal polynomial of a
local parameter $t$ of $\mathcal{O}'_{P'}$, then $d(P'|P) = v_{P'}(F'(t))$, and $\{1, t, \ldots, t^{n-1}\}$ is
an integral basis of $\bar{\mathcal{O}}_P$ over $\mathcal{O}_P$.
Proof: See Serre [167, Ch. III] and Stichtenoth [197, III.5].

Artin-Schreier Extensions
Let $L/k$ be an algebraic function field of characteristic $p > 0$. Suppose that $f \in L$
is an element such that $f \ne g^p - g$ for all $g \in L$. Let $L' = L(z)$ with $z^p - z = f$.
Such an extension $L'/L$ is called an Artin-Schreier extension of $L$. For a prime
divisor $P \in \mathrm{Div}(L)$ we define the integer $m_P$ by

$$m_P = \begin{cases} m & \text{if there is an element } h \in L \text{ satisfying } v_P(f - (h^p - h)) = -m < 0 \text{ and } m \not\equiv 0 \pmod{p}, \\ -1 & \text{if } v_P(f - (h^p - h)) \ge 0 \text{ for some } h \in L. \end{cases}$$
From Propositions 5.29 to 5.31 we deduce the following result:
Proposition 5.32. Let $L'/L$ be an Artin-Schreier extension of $L/k$. Then we have:
(i) $L'/L$ is a cyclic Galois extension of degree $p$, and the automorphisms of
$L'/L$ are given by $\sigma(z) = z + l$, with $l = 0, 1, \dots, p-1$;
(ii) a prime divisor $P \in \mathrm{Div}(L)$ is unramified in $L'/L$ if and only if $m_P = -1$;
(iii) $P$ is totally ramified in $L'/L$ if and only if $m_P > 0$; and if $P'$ is the unique
prime divisor of $L'$ lying over $P$, then
$$d(P'/P) = (p-1)(m_P + 1);$$

(iv) if at least one prime divisor $P \in \mathrm{Div}(L)$ satisfies $m_P > 0$, then $k$ is
algebraically closed in $L'$, and

$$g' = pg + \frac{p-1}{2}\left(-2 + \sum_{P \in \mathrm{Div}(L)} (m_P + 1)\deg P\right),$$

where $g'$ (resp. $g$) is the genus of $L'/k$ (resp. $L/k$).



Let $L/k$ be an algebraic function field over $k$ and let $f, g, h \in L$. We write

$$f = g + E(h) \text{ at } P,$$

if $f = g + uh$ with $v_P(u) \ge 0$. In particular, $f = g + E(1)$ means that $v_P(f - g) \ge 0$.


An immediate consequence of Proposition 5.32 is:

Proposition 5.33. Suppose that $L/k$ is an algebraic function field of characteristic
$p > 0$ over $k$ (where $k = F_{q'}$ is algebraically closed in $L$ and $q' = q^2 = p^{2\nu}$). Let
$f \in L$ and assume there exists a prime divisor $P \in \mathrm{Div}(L)$ such that

$$v_P(f) = -m, \quad m > 0 \quad \text{and} \quad (m, q) = 1.$$

Then the polynomial $T^q + T - f \in L[T]$ is absolutely irreducible. Let $L' = L(z)$
with
$$z^q + z = f.$$

Then the following holds:

(i) $L'/L$ is a Galois extension of degree $[L' : L] = q$. The Galois group
$\mathrm{Gal}(L'/L)$ is an elementary abelian of exponent $p$, and $k$ is algebraically
closed in $L'$.

(ii) The prime divisor $P$ is totally ramified in $L'$, and the ramification index of $P'$
over $P$ is $e(P'/P) = q$. Moreover, $\deg P' = \deg P$, and the different exponent
of $P'/P$ in the extension $L'/L$ is given by

$$d(P'/P) = (q-1)(m+1).$$

(iii) Let $Q \in \mathrm{Div}(L)$ be a prime divisor and assume that

for some element $h \in L$. Then the divisor $Q$ is ramified in $L'/L$. In particular,
this is the case if $v_Q(f)$ is non-negative.

(iv) Suppose that the prime divisor $Q \in \mathrm{Div}(L)$ is a zero of $f - \gamma$ with $\gamma \in F_q$.
The equation $\alpha^q + \alpha = \gamma$ has $q$ distinct roots $\alpha \in k$, and for any such $\alpha$
there exists a unique prime divisor $Q_\alpha \in \mathrm{Div}(L')$ such that $Q_\alpha$ lies over $Q$,
and $Q_\alpha$ is a zero of $z - \alpha$; in particular, the divisor $Q$ splits completely in
$L'$ (i.e., $e(Q_\alpha/Q) = f(Q_\alpha/Q) = 1$ for all $Q_\alpha$ lying over $Q$).

EXERCISES

5.1. Let $F_q$ be a finite field of characteristic $p \ne 2$, $f(x)$ a polynomial in $F_q[x]$ and $\left(\frac{a}{q}\right)$
the generalized Legendre symbol (the multiplicative character of order 2) defined by

if $a = 0$,
if $a \ne 0$ and $a$ is a square in $F_q$,
if $a \ne 0$ and $a$ is a non-square in $F_q$.

Show that:

(a) the number $N_q$ of solutions of the equation $y^2 = f(x)$ in elements $x, y \in F_q$
can be expressed as
$$N_q = \sum_{x \in F_q}\left(1 + \left(\frac{f(x)}{q}\right)\right);$$

(b) if $f(x) = ax^2 + bx + c$ is a polynomial of degree 2 and $d = b^2 - 4ac$, then

if $d = 0$,
if $d \ne 0$;

(c) the number $N_q$ of solutions of the equation $ax^2 + by^2 = c$ in elements $x, y \in F_q$,
where $d = ab \ne 0$, is expressed by formulas

$$N_q = \begin{cases} q + \left(\frac{-d}{q}\right)(q-1) & \text{if } c = 0, \\ q - \left(\frac{-d}{q}\right) & \text{if } c \ne 0. \end{cases}$$
5.2. Let $F_q$ be a finite field of characteristic $p \ne 2$ and let

be a quadratic form over $F_q$ with non-zero discriminant $d = a_1 \cdots a_n$. Show that:

(a) if $n = 2m$ then the number $N_q$ of solutions of the equation $f(x_1, \dots, x_n) = c$ in
elements $x_1, \dots, x_n \in F_q$ is expressed by

$$N_q = \begin{cases} q^{2m-1} + \left(\frac{(-1)^m d}{q}\right)(q-1)q^{m-1} & \text{if } c = 0, \\ q^{2m-1} - \left(\frac{(-1)^m d}{q}\right)q^{m-1} & \text{if } c \ne 0; \end{cases}$$

(b) if $n = 2m + 1$ then

if $c = 0$
if $c \ne 0$.
(Hint: Use induction on $m$.)

5.3. Let $F_q$ be a finite field and $\chi$ (resp. $\psi$) be a multiplicative (resp. an additive) character
of $F_q$. Prove that for the Gaussian sum

$$T(\chi, \psi) = \sum_{x \in F_q} \chi(x)\psi(x)$$
the following relations hold:
(a) $T(\chi_0, \psi_0) = q$;
(b) if $\chi \ne \chi_0$, then $T(\chi, \psi_0) = 0$;
(c) if $\psi \ne \psi_0$, then $T(\chi_0, \psi) = 0$;
(d) if $\chi \ne \chi_0$, $\psi \ne \psi_0$, then $|T(\chi, \psi)| = q^{1/2}$.
5.4. Let $\psi$ be a non-trivial additive character of a finite field $F_q$, let $s$ be a positive divisor
of $q - 1$ and let $a$ be a non-zero element of $F_q$. In the notations of the previous
exercise prove that:

(a) $\sum_{x \in F_q} \psi(ax^s) = \sum_{\mathrm{ind}\,\chi = s} \chi(a)T(\chi, \psi)$;

(b) $\left|\sum_{x \in F_q} \psi(ax^s)\right| \le (s-1)q^{1/2}$;
(c) if $p = \mathrm{char}\,F_q \ne 2$ and $f(x) = ax^2 + bx + c$ is a polynomial in $F_q[x]$ of degree
2 then

$$\left|\sum_{x \in F_q} \psi(f(x))\right| = q^{1/2}.$$
5.5. Let $f(x_1, \dots, x_n)$ be a polynomial in $F_q[x_1, \dots, x_n]$ and $\psi$ a non-trivial additive
character of $F_q$. Prove that the number $N_q$ of solutions of the equation $f(x_1, \dots, x_n) = 0$
in elements $x_1, \dots, x_n \in F_q$ is expressed by

5.6. Let $s_1, \dots, s_n$ be positive integers, $s_0$ be their least common multiple and $d_i =
(s_i, q-1)$, $0 \le i \le n$. Show that:
(a) if $N_q$ is the number of solutions in elements $x_1, \dots, x_n \in F_q$ of the equation

$$a_1 x_1^{s_1} + \dots + a_n x_n^{s_n} = 0, \qquad a_1 \cdots a_n \ne 0,$$

then
$$|N_q - q^{n-1}| \le (d_1 - 1) \cdots (d_n - 1)(q-1)q^{n/2 - 1};$$
(b) if $s$ is a positive divisor of $q - 1$ and $N_q$ is the number of solutions in $x_1, \dots, x_n \in
F_q$ of the equation

then

(c) if $N_q$ is the number of solutions in $x_1, \dots, x_n \in F_q$ of the equation

then

5.7. Let $\chi$ (resp. $\psi$) be a non-trivial multiplicative (resp. a non-trivial additive) character
of $F_q$ and let
$$T_\nu = T_\nu(\chi, \psi) = \sum_{x \in F_{q^\nu}} \chi_\nu(x)\psi_\nu(x).$$

Prove the validity of the Davenport-Hasse relations

$$T_\nu = (-1)^{\nu+1} T^\nu.$$

5.8. Let $\psi$ be a non-trivial additive character of $F_q$, and let $g(x) = b_0 x^n + b_1 x^{n-1} + \dots + b_n$
be a polynomial in $F_q[x]$ of degree $n$ with $(n, q) = 1$. Then let

$$T_\nu = T_\nu(g) = \sum_{x \in F_{q^\nu}} \psi_\nu(g(x))$$

and

$$L(g, z) = \exp\left(\sum_{\nu=1}^{\infty} \frac{T_\nu}{\nu} z^\nu\right).$$

Show that:
(a) the L-function of Artin $L(g, z)$ has the form

$$L(g, z) = 1 + \beta_1 z + \dots + \beta_{n-1} z^{n-1};$$

(b) if $L(g, z) = \prod_{j=1}^{n-1} (1 - \omega_j z)$, then

$$T_\nu(g) = -\sum_{j=1}^{n-1} \omega_j^\nu;$$

(c) $|\beta_{n-1}| = q^{\frac{n-1}{2}}$.
5.9. Let $a, b$ be non-zero elements of a finite field $F_q$ and let $\psi$ be a non-trivial additive
character of $F_q$. Then let

$$T_\nu(a, b) = \sum_{x \in F_{q^\nu}^*} \psi_\nu(ax + bx^{-1}), \qquad a, b \ne 0$$

be the Kloosterman sum and

$$L(a, b, z) = \exp\left(\sum_{\nu=1}^{\infty} \frac{T_\nu(a, b)}{\nu} z^\nu\right).$$

Show that:

(a) the L-function of Artin $L(a, b, z)$ has the form

$$L(a, b, z) = 1 + \beta_1 z + \beta_2 z^2;$$

(b) if $L(a, b, z) = (1 - \omega_1 z)(1 - \omega_2 z)$, then

$$T_\nu(a, b) = -(\omega_1^\nu + \omega_2^\nu);$$

(c) $|\beta_2| = q$.
5.10. Let $f(x) = f_1^{s_1}(x) \cdots f_r^{s_r}(x)$ be the decomposition of the polynomial $f \in F_q[x]$ into
irreducible factors in $F_q[x]$, let $s$ be a positive divisor of $q - 1$ and $\deg(f_1 \cdots f_r) =
m$. Then let $\chi$ be a non-trivial multiplicative character of $F_q$ of exponent $s$, let
$(s, s_1, \dots, s_r) = 1$ and let

$$S_\nu = S_\nu(f) = \sum_{x \in F_{q^\nu}} \chi_\nu(f(x)).$$

Show that:
(a) the L-function of Artin

$$L(f, z) = \exp\left(\sum_{\nu=1}^{\infty} \frac{S_\nu}{\nu} z^\nu\right)$$

has the form

$$L(f, z) = 1 + \beta_1 z + \dots + \beta_{m-1} z^{m-1};$$
(b) if $L(f, z) = \prod_{j=1}^{m-1} (1 - \omega_j z)$, then
$$S_\nu(f) = -\sum_{j=1}^{m-1} \omega_j^\nu;$$

(c) $|\beta_{m-1}| = q^{\frac{m-1}{2}}$.
Chapter 6

Counting Points on Curves over Finite Fields

In this chapter we apply the technique we have worked out earlier to prove the
Riemann hypothesis for the zeta-function $\zeta(X, s)$ of a curve $X$ defined over a finite
field $F_q$. This result was proved for the first time by Hasse (in the case of elliptic
curves) and Weil (in the general case) using the correspondence theory on $X$. Here
we give an elementary proof based essentially on using only the Riemann-Roch
theorem (see Stepanov [184, 185, 187], Bombieri [17], Schmidt [159] and Stohr
and Voloch [200]).

6.1. THE NUMBER OF RATIONAL POINTS ON A CURVE

Let $X$ be a smooth projective curve of genus $g$ defined over a finite field $k = F_q$.

Theorem 6.1 (the Hasse-Weil bound). Let $N_{q^\nu} = N_{q^\nu}(X)$ be the number of
$F_{q^\nu}$-rational points of the curve $X$. Then

(6.1)

We divide the proof into two stages. At first we get the inequality

(6.2)

with some positive constant $c = c(X)$, and then we deduce (6.1) using the properties
of the zeta-function $Z(X, s)$, established earlier in Section 5.2.


Preliminary Bound
Let $k' = \bar{F}_q$ be an algebraic closure of the field $k = F_q$. The method which we
shall use consists in the construction of a non-zero rational function $f \in k'(X)$ that
has zeros of a sufficiently high order at every $F_{q^\nu}$-rational point $x \in X$ (with the
possible exception of only one such point) and that does not have too many poles.
The inequality (6.2) is then obtained by comparing the number of zeros (taken
with their multiplicities) with the number of poles of the function $f$. To determine
the function $f$ we use the Riemann-Roch theorem.
Since every extension $F_{q^\nu}$ of the field $k = F_q$ is again a field of definition
of $X$, we can assume without loss of generality that $q^\nu = p^{2r}$, where $p$ is the
characteristic of $F_q$.

Lemma 6.2. If $q^\nu = p^{2r}$ and $q^\nu > (g+1)^4$ then

$$N_{q^\nu} \le q^\nu + 1 + (2g+1)q^{\nu/2}.$$

Proof: We may assume that $X$ has a point $y$ with coordinates in $F_{q^\nu}$, since
otherwise $N_{q^\nu} = 0$. Let $R_m$ denote the $k'$-linear space of functions $f \in k'(X)$,
which are regular outside $y$ and which have at $y$ a pole of the order at most $m$, that
is $v_y(f) \ge -m$. The following facts can be easily proved:

(i) $\dim R_{m+1} \le \dim R_m + 1$;

(ii) if $m > 2g - 2$, then $\dim R_m = m - g + 1$ (see Corollary 4.29);

(iii) if $f(x) \in R_m$, then $f(x^{q^\nu}) \in R_{mq^\nu}$;

(iv) there is a basis $\{f_1, \dots, f_s\}$ of $R_m$ such that $v_y(f_i) < v_y(f_{i+1})$ for $i =
1, 2, \dots, s-1$.

Indeed, we have

so that
$$R_m = \bigoplus_{i=0}^{m} R_i/R_{i-1}.$$
By property (i), we have $\dim R_i/R_{i-1} \le 1$, and the result follows, since a basis can
be obtained by picking up for each $i$, when possible, one element of $R_i$ not in $R_{i-1}$.
Let $n$, $\tau$ be non-negative integers and $u_1, \dots, u_s$ be elements of $R_n$. Consider
the auxiliary function

$$f(x) = u_1^{p^\tau}(x) f_1(x^{q^\nu}) + \dots + u_s^{p^\tau}(x) f_s(x^{q^\nu}).$$

We have:

(v) If $np^\tau < q^\nu$, then $f(x)$ is identically zero in $k'(X)$ if and only if all the $u_i(x)$
are identically zero.
In fact, suppose that $f(x)$ is identically zero and that $u_j(x)$ is the first $u_i(x)$ which
is not identically zero. Taking the order at $y$ of both sides of the identity

$$u_j^{p^\tau}(x) f_j(x^{q^\nu}) = -u_{j+1}^{p^\tau}(x) f_{j+1}(x^{q^\nu}) - \dots - u_s^{p^\tau}(x) f_s(x^{q^\nu})$$

we obtain, using property (iv),

$$p^\tau v_y(u_j) + q^\nu v_y(f_j) \ge \min_{i > j}\left(p^\tau v_y(u_i) + q^\nu v_y(f_i)\right) \ge -np^\tau + q^\nu v_y(f_{j+1}).$$

Therefore
$$p^\tau v_y(u_j) \ge -np^\tau + q^\nu\left(v_y(f_{j+1}) - v_y(f_j)\right) \ge -np^\tau + q^\nu > 0.$$
This means that $u_j(x)$ vanishes at $y$, and thus is a function with no poles and at
least one zero; hence $u_j(x)$ is identically zero, contradicting our initial assumption.

(vi) If $m, n > 2g - 2$ and if $(n - g + 1)(m - g + 1) > np^\tau + m - g + 1$ then we
can choose the $u_i(x)$ not all identically zero, such that

$$u_1^{p^\tau}(x) f_1(x) + \dots + u_s^{p^\tau}(x) f_s(x)$$

is identically zero.
In fact, this function is regular outside $y$ and has at the point $y$ a pole of order
$l \le np^\tau + m$, whence by (ii) the set of such functions forms a linear space over
$k'$ of dimension at most $np^\tau + m + 1$. Since each $u_i$ can vary in a vector space of
dimension $n - g + 1$, and since $s = m - g + 1$ (again by (ii)), we get statement (vi).
We recall that if $x$ is an $F_{q^\nu}$-rational point of $X$ then $x^{q^\nu} = x$ and hence, under
the conditions $m, n > 2g - 2$, $np^\tau < q^\nu$, $(m - g + 1)(n - g + 1) > np^\tau + m - g + 1$,
we can construct the auxiliary function $f(x)$ so that it is not identically zero,
which vanishes at every $F_{q^\nu}$-rational point of $X$, except at $y$. Also, since $f(x)$ by
construction is a $p^\tau$-power, we see that it must vanish there with multiplicity at
least $p^\tau$. Hence $f$ has at least $(N_{q^\nu} - 1)p^\tau$ zeros.
On the other hand, $f$ is regular outside $y$ and the order of pole there can not
exceed $np^\tau + mq^\nu$. Thus we have proved that if $m, n, \tau$ satisfy $m, n > 2g - 2$,
$np^\tau < q^\nu$, $(m - g + 1)(n - g + 1) > np^\tau + m - g + 1$ then we have the inequality
$$(N_{q^\nu} - 1)p^\tau \le np^\tau + mq^\nu.$$

We choose $p^\tau = q^{\nu/2}$, $n = q^{\nu/2} - 1$, $m = q^{\nu/2} + 2g$. The conditions are satisfied
if $q^\nu > (g+1)^4$, which we have supposed, and we obtain at once the conclusion
of the lemma. •
Now we turn to the proof of the inequality (6.2).

Theorem 6.3. If $q^\nu = p^{2r}$ then

Proof: The function field $k'(X)$ contains a purely transcendental subfield $k'(u)$
such that $k'(X)$ is a separable extension of $k'(u)$. Hence there is a normal extension
of $k'(u)$ which is also normal over $k'(X)$; geometrically, we have a situation

$$X' \to X \to \mathbb{P}^1,$$

where $X' \to \mathbb{P}^1$ and $X' \to X$ are Galois coverings, with Galois groups $G$ and
$H$ respectively, $H$ being a subgroup of $G$. Although this situation need not be
realized over the field $F_{q^\nu}$, it will always be realized over a finite extension of it
and therefore for our purpose we may as well assume it is in fact realized over $F_{q^\nu}$.
If $x$ is a point of $\mathbb{P}^1$ over $F_{q^\nu}$ and unramified in $X \to \mathbb{P}^1$, and if $x'$ is a point of
$X'$ lying over $x$, we have
$$\sigma(x') = x'^{q^\nu}$$
for some $\sigma \in G$, called the Frobenius substitution of $G$ at the point $x'$. Let
$N_{q^\nu}(X', \sigma)$ be the number of such points of $X'$ with Frobenius substitution $\sigma$. The
same argument used in the proof of Lemma 6.2 gives

where $g'$ is the genus of $X'$; alternatively, one may note that $N_{q^\nu}(X', \sigma) = N_{q^\nu}(X'_\sigma)$,
where $X'_\sigma$ is a curve over $F_{q^\nu}$ isomorphic to $X'$ over an extension $F_{q^{m\nu}}$, where $m$
is the order of the element $\sigma \in G$ ($X'_\sigma$ is thus a certain twisting of $X'$ by means of $\sigma$),
and the lemma can be applied directly. We have

$$\sum_{\sigma \in G} N_{q^\nu}(X', \sigma) = |G| \cdot N_{q^\nu}(\mathbb{P}^1) + O(1)$$

(the $O(1)$ takes care of the branch points of the covering) and, since $N_{q^\nu}(\mathbb{P}^1) =
q^\nu + 1$, the upper bound for $N_{q^\nu}(X', \sigma)$ implies

We have also
$$\sum_{\sigma \in H} N_{q^\nu}(X', \sigma) = |H| \cdot N_{q^\nu}(X) + O(1),$$

whence
$$N_{q^\nu} = N_{q^\nu}(X) = q^\nu + O(q^{\nu/2}),$$
and this completes the proof of the theorem.


The Hasse-Weil Bound


Turn now to the proof of Theorem 6.1. We have seen (Section 5.2) that the
zeta-function $Z(X, t)$ of the curve $X$ of genus $g$ defined over $k = F_q$ has the form
$$Z(X, t) = \frac{P(t)}{(1 - t)(1 - qt)},$$
where
$$P(t) = 1 + \sum_{i=1}^{2g-1} u_i t^i + q^g t^{2g}$$
is a polynomial with integer coefficients. Moreover, we have seen that if
$$P(t) = \prod_{i=1}^{2g} (1 - \omega_i t),$$

then
$$N_{q^\nu} = q^\nu + 1 - \sum_{i=1}^{2g} \omega_i^\nu. \qquad (6.3)$$

Now we show that all zeros $\omega_i^{-1}$ of the function $Z(X, t)$ lie on the circle
$|t| = q^{-1/2}$ in the complex plane $\mathbb{C}$. This is equivalent to the condition that all
zeros of $\zeta(X, s) = Z(X, t)$ lie on the line $\mathrm{Re}\, s = 1/2$. Indeed, it follows from
Theorem 6.3 that the series

$$\frac{Z'(X, t)}{Z(X, t)} - \frac{q}{1 - qt} - \frac{1}{1 - t} = \sum_{\nu \ge 1} (N_{q^\nu} - q^\nu - 1)t^{\nu - 1}$$

converges absolutely in the disk $|t| < q^{-1/2}$. Hence the function $Z(X, t)$ has no
zero for $|t| < q^{-1/2}$. Moreover, by virtue of the functional equation it also has no zero
for $|t| > q^{-1/2}$. In that case all the zeros of $Z(X, t)$ lie on the circle $|t| = q^{-1/2}$, so
that $|\omega_i| = q^{1/2}$ for $i = 1, 2, \dots, 2g$.
From (6.3) we obtain the following inequality
$$|N_{q^\nu} - q^\nu - 1| \le \sum_{i=1}^{2g} |\omega_i|^\nu = 2gq^{\nu/2},$$

which gives the required result.

6.2. CHARACTER SUMS

The question concerning upper bounds for absolute values of character sums

$$\sum_{x \in F_{q^\nu}} \chi(\mathrm{norm}_\nu(f(x))) \quad \text{and} \quad \sum_{x \in F_{q^\nu}} \psi(\mathrm{tr}_\nu(g(x))),$$

with multiplicative and additive characters $\chi$ and $\psi$ of the field $F_q$ is closely
connected with the question of the number of $F_{q^\nu}$-rational points of superelliptic
and Artin-Schreier curves defined over $F_q$ by equations

respectively.

Superelliptic Curves
Let $s' = (s, q-1)$ and $s = s'r$. Since $(r, q-1) = 1$ then $z = y^r$ runs through all
elements of $F_q$ as $y$ does. Hence the number of solutions $x, y \in F_q$

(6.4)

is the same as the number of solutions $x, y \in F_q$ of the equation $y^{s'} = f(x)$.
Therefore, we can assume without loss of generality that $s$ is a divisor of $q - 1$.

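Proposition 6.4. The number $N_{q^\nu}$ of solutions of equation (6.4) in elements $x, y \in
F_{q^\nu}$ is given by

$$N_{q^\nu} = \sum_{\mathrm{ind}\,\chi = s}\ \sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = \sum_{\mathrm{ind}\,\chi = s}\ \sum_{x \in F_{q^\nu}} \chi(\mathrm{norm}_\nu(f(x))),$$

where the external sum is over all multiplicative characters $\chi$ of the field $F_q$ of
exponent $s$.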

Proof: See Schmidt [159, p. 78] and Stepanov [187, p. 51].


Let $f(x, y)$ be a polynomial in $F_q[x, y]$. The polynomial $f(x, y)$ is called
absolutely irreducible if it is irreducible over each finite extension of the field $F_q$.
In this case we say that the equation $f(x, y) = 0$ defines an absolutely irreducible
(or absolute) affine curve $X$ over $F_q$.

Proposition 6.5. Let $f(x)$ be a polynomial in $F_q[x]$. The following conditions are
equivalent:
(i) $y^s - f(x)$ is absolutely irreducible;

(ii) if $f = f_1^{s_1} \cdots f_r^{s_r}$ is the decomposition of $f$ into distinct irreducible factors in
$F_q[x]$ then $(s, s_1, \dots, s_r) = 1$.

Proof: See Schmidt [159, p. 54] and Stepanov [187, p. 54].

Corollary 6.6. Let $l = \deg f(x)$. If $(l, s) = 1$ then the polynomial $y^s - f(x)$ is
absolutely irreducible.

Theorem 6.7. Let $f(x)$ be a polynomial in $F_q[x]$, let $f = f_1^{s_1} \cdots f_r^{s_r}$ be its
decomposition into distinct irreducible factors $f_i \in F_q[x]$, let $m = \deg(f_1 \cdots f_r)$ and let
$\chi$ be a non-trivial multiplicative character of $F_q$ of exponent $s$. Suppose that
$(s, s_1, \dots, s_r) = 1$. Then

$$\left|\sum_{x \in F_{q^\nu}} \chi_\nu(f(x))\right| \le (m - 1)q^{\nu/2}$$

for all $\nu \ge 1$.

Proof: By Proposition 6.5 the polynomial $y^s - f(x)$ is absolutely irreducible
and hence it defines an absolute affine curve $X$ (which is birationally isomorphic
to a smooth projective curve of the same genus). Thus, if $N_{q^\nu}$ is the number of
$F_{q^\nu}$-rational points of $X$, Theorem 6.3 gives

$$|N_{q^\nu} - q^\nu| \le cq^{\nu/2},$$

where $c$ is a positive constant depending only on the polynomial $y^s - f(x)$. Now
Proposition 6.4 implies

and hence

Finally, by Theorem 5.26

$$\sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = -\sum_{j=1}^{m-1} \omega_j^\nu(\chi),$$

and therefore
$$\left|\sum_{\substack{\mathrm{ind}\,\chi = s \\ \chi \ne \chi_0}}\ \sum_{j=1}^{m-1} \omega_j^\nu(\chi)\right| \le cq^{\nu/2}$$
for all $\nu \ge 1$. Applying Proposition 5.28 we obtain the required result. •

Corollary 6.8. Let $N_{q^\nu}$ be the number of $F_{q^\nu}$-rational points on the absolute curve
$X$ defined over $F_q$ by equation (6.4), and $m$ the number of distinct roots of the
polynomial $f \in F_q[x]$ in the algebraic closure $\bar{F}_q$ of the field $F_q$. Then

$$|N_{q^\nu} - q^\nu| \le (s - 1)(m - 1)q^{\nu/2}.$$
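A numerical check of Proposition 6.4, Theorem 6.7 and Corollary 6.8 in the simplest case $\nu = 1$ over a prime field $F_p$, for the curve $y^s = f(x)$ with $f$ square-free. This is an added example, not taken from the book; the function names, the restriction to prime fields and to square-free $f$ (so that $m = \deg f$), and the sample polynomials are assumptions made here.

```python
import cmath
import math

def discrete_logs(p):
    """Map every a in F_p^* to its index with respect to some generator of F_p^*."""
    for g in range(2, p):
        logs, x = {}, 1
        for e in range(p - 1):
            logs[x] = e
            x = x * g % p
        if len(logs) == p - 1:          # g generates the whole group
            return logs
    raise ValueError("p must be an odd prime")

def characters_of_exponent(p, s):
    """Value tables of the s multiplicative characters chi of F_p with chi^s = chi_0.
    Convention: chi_0(0) = 1 and chi(0) = 0 for chi != chi_0."""
    if (p - 1) % s:
        raise ValueError("s must divide p - 1")
    logs = discrete_logs(p)
    tables = []
    for k in range(s):
        table = [1 if k == 0 else 0] + [0] * (p - 1)
        for a, e in logs.items():
            table[a] = cmath.exp(2j * cmath.pi * k * e / s)
        tables.append(table)
    return tables

def poly_eval(f, x, p):
    """Horner evaluation; f lists coefficients from the highest degree down."""
    acc = 0
    for c in f:
        acc = (acc * x + c) % p
    return acc

def poly_rem(a, b, p):
    """Remainder of a modulo b in F_p[x] (leading coefficient of b non-zero)."""
    a, inv = a[:], pow(b[0], -1, p)
    while len(a) >= len(b):
        factor = a[0] * inv % p
        for i, c in enumerate(b):
            a[i] = (a[i] - factor * c) % p
        a.pop(0)                        # the leading coefficient is now zero
    while a and a[0] == 0:
        a.pop(0)
    return a

def is_squarefree(f, p):
    """True when gcd(f, f') is a non-zero constant in F_p[x]."""
    n = len(f) - 1
    deriv = [c * (n - i) % p for i, c in enumerate(f[:-1])]
    while deriv and deriv[0] == 0:
        deriv.pop(0)
    a, b = f, deriv
    while b:
        a, b = b, poly_rem(a, b, p)
    return len(a) == 1

def count_by_enumeration(f, s, p):
    """Number of pairs (x, y) in F_p x F_p with y^s = f(x)."""
    powers = [pow(y, s, p) for y in range(p)]
    return sum(powers.count(poly_eval(f, x, p)) for x in range(p))

def character_sums(f, s, p):
    """The inner sums of Proposition 6.4, one per character of exponent s."""
    values = [poly_eval(f, x, p) for x in range(p)]
    return [sum(table[v] for v in values) for table in characters_of_exponent(p, s)]

def weil_report(f, s, p):
    if not is_squarefree(f, p):
        raise ValueError("this sketch assumes f square-free, so that m = deg f")
    m = len(f) - 1
    sums = character_sums(f, s, p)
    return {
        "N": count_by_enumeration(f, s, p),
        "N_from_characters": round(sum(sums).real),
        "max_nontrivial_sum": max(abs(z) for z in sums[1:]),
        "theorem_6_7_bound": (m - 1) * math.sqrt(p),
        "corollary_6_8_bound": (s - 1) * (m - 1) * math.sqrt(p),
    }

if __name__ == "__main__":
    # constructed sample: y^3 = x^3 + 2x + 1 over F_31
    print(weil_report([1, 0, 2, 1], 3, 31))
```

The trivial character contributes exactly $p$ to the double sum, so the deviation $N_p - p$ is the sum of the $s - 1$ non-trivial character sums, which is how Corollary 6.8 follows from Theorem 6.7.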



The Artin-Schreier Curve


Turn now to the question of the number of solutions $x, y \in F_{q^\nu}$ of the equation

(6.5)

Proposition 6.9. Let $F_q$ be a finite field and $\nu > 1$ an integer. Then the number
$N_{q^\nu}$ of solutions $x, y \in F_{q^\nu}$ of equation (6.5) is given by

$$N_{q^\nu} = \sum_{\psi}\ \sum_{x \in F_{q^\nu}} \psi_\nu(g(x)) = \sum_{\psi}\ \sum_{x \in F_{q^\nu}} \psi(\mathrm{tr}_\nu(g(x))),$$

where the external sum is over all additive characters $\psi$ of the field $F_q$.

Proof: See Schmidt [159, p. 93] and Stepanov [187, p. 52].



Proposition 6.10. Let $f(x, y) = y^s + f_1(x)y^{s-1} + \dots + f_s(x)$ be a polynomial with
coefficients in a field $k$. Set

$$\delta(f) = \max_{1 \le i \le s} \frac{\deg f_i}{i}$$

and suppose that $\delta(f) = l/s$ with $(l, s) = 1$. Then $f(x, y)$ is absolutely irreducible.

Proof: See Stepanov [185] and Schmidt [159, p. 93].



Corollary 6.11. Let $g(x)$ be a polynomial in $F_q[x]$ of degree $n$. If $(n, q) = 1$ then
the polynomial $y^q - y - g(x)$ is absolutely irreducible.
Theorem 6.12. Let $g(x) = b_0 x^n + b_1 x^{n-1} + \dots + b_n$ be a polynomial in $F_q[x]$ of
degree $n \ge 1$, where $(n, q) = 1$, and $\psi$ a non-trivial additive character of $F_q$. Then

$$\left|\sum_{x \in F_{q^\nu}} \psi_\nu(g(x))\right| \le (n - 1)q^{\nu/2}$$

for all $\nu > 1$.

Proof: The proof of the theorem is completely similar to the proof of Theorem
6.7. •

Corollary 6.13. Let $g(x)$ be a polynomial in $F_q[x]$ of degree $n \ge 1$ and $N_{q^\nu}$ the
number of $F_{q^\nu}$-rational points of the affine curve $X$ defined over $F_q$ by the equation
(6.5). If $(n, q) = 1$ and $\nu > 1$ then

$$|N_{q^\nu} - q^\nu| \le (n - 1)(q - 1)q^{\nu/2}.$$

Lower Bounds
The results of Theorems 6.7 and 6.12 can not be improved in general (Stepanov
[186, 189]):

Theorem 6.14. Let $F_q$ be a finite field of characteristic $p > 2$, let $F_{q^\nu}$ be an
extension of $F_q$ of degree $\nu > 1$ and let $\chi_\nu$ be the multiplicative character of
$F_{q^\nu}$ induced by a non-trivial quadratic character of the field $F_q$. There exists a
square-free polynomial $f \in F_q[x]$ of the form

if $\nu = 2n$
if $\nu = 2n + 1$
such that
$$\sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = \begin{cases} (q^{\nu/2} - 1)q^{\nu/2} & \text{if } \nu = 2n \\ q^\nu - 1 & \text{if } \nu = 2n + 1 \end{cases}$$

Proof: Let $\nu > 1$ be an even number. Since $x^{q^\nu} = x$ for any $x \in F_{q^\nu}$, we have

$$\mathrm{norm}_\nu f(x) = \prod_{i=1}^{\nu} \left(x + x^{q^{\nu/2}}\right)^{q^{i-1}} = \prod_{i=1}^{\nu} \left(x^{q^{i-1}} + x^{q^{\nu/2+i-1}}\right)$$
$$= \prod_{i=1}^{\nu/2} \left(x^{q^{i-1}} + x^{q^{\nu/2+i-1}}\right) \prod_{j=1}^{\nu/2} \left(x^{q^{\nu/2+j-1}} + x^{q^{j-1}}\right) = \prod_{i=1}^{\nu/2} \left(x^{q^{i-1}} + x^{q^{\nu/2+i-1}}\right)^2,$$

and therefore

$$\sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = \sum_{x \in F_{q^\nu}} \chi(\mathrm{norm}_\nu(f(x))) = q^\nu - N,$$

where $N$ is the number of roots of the polynomial $f(x) = x + x^{q^{\nu/2}}$ in the field
$F_{q^\nu}$. Since $(q^{\nu/2} - 1, q^\nu - 1) = q^{\nu/2} - 1$ it follows from the Euler criterion that the
number of roots of the polynomial $1 + x^{q^{\nu/2} - 1}$ is equal to $q^{\nu/2} - 1$. Thus $N = q^{\nu/2}$
and hence
$$\sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = (q^{\nu/2} - 1)q^{\nu/2}.$$

Similarly, if $\nu > 1$ is an odd number then for each $x \in F_{q^\nu}$ we have

$$\mathrm{norm}_\nu f(x) = \prod_{i=1}^{(\nu-1)/2} \left(x^{q^{i-1}} + x^{q^{(\nu+1)/2+i-1}}\right)^2 \prod_{j=1}^{(\nu+1)/2} \left(x^{q^{j-1}} + x^{q^{(\nu-1)/2+j-1}}\right)^2$$

and therefore

$$\sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = \sum_{x \in F_{q^\nu}} \chi(\mathrm{norm}_\nu(f(x))) = q^\nu - N',$$

where $N'$ is the number of roots of the polynomial $f(x) = (x + x^{q^{(\nu-1)/2}})(x +
x^{q^{(\nu+1)/2}})$ in $F_{q^\nu}$. It is easy to see that $N' = 1$ and hence

$$\sum_{x \in F_{q^\nu}} \chi_\nu(f(x)) = q^\nu - 1,$$

as required. •
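Since $a \in F_{q^\nu}$ is a square if and only if $\mathrm{norm}_\nu(a)$ is a square in $F_q$ we obtain
the following result.

Corollary 6.15. Let $N_{q^\nu}$ be the number of solutions in $x, y \in F_{q^\nu}$ of the equation
$y^2 = f(x)$, where $f(x)$ is the polynomial from Theorem 6.14 with

$$\deg f = \begin{cases} q^{\nu/2} & \text{if } \nu = 2n \\ q^{(\nu-1)/2}(q + 1) & \text{if } \nu = 2n + 1 \end{cases}$$
Then
$$N_{q^\nu} = \begin{cases} q^\nu + (q^{\nu/2} - 1)q^{\nu/2} & \text{if } \nu = 2n \\ 2q^\nu - 1 & \text{if } \nu = 2n + 1 \end{cases}$$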
It is possible to extend the result of Theorem 6.14 to the case of an arbitrary
non-trivial multiplicative character $\chi$ of exponent $s \ge 2$, where $s$ is a divisor of
$q - 1$, and construct the corresponding affine curve

$$X : y^s = f(x)$$
with a lot of $F_{q^\nu}$-rational points (see Gluhov [62]).

Theorem 6.16. Let $F_q$ be a finite field of characteristic $p \ge 2$, let $F_{q^\nu}$ be an
extension of $F_q$ of degree $\nu > 1$ and let $\chi_\nu$ be the character of $F_{q^\nu}$ induced by a
non-trivial multiplicative character $\chi$ of the field $F_q$ of exponent $s \ge 2$. For any
positive integers $k$ and $l$ with the condition $k + l = s$ there exists a polynomial
$f \in F_q[x]$, $f \notin (F_{q^\nu}[x])^s$, of the form

$$f(x) = \begin{cases} \left(x + x^{q^{(\nu-2)/2}}\right)^k \left(x + x^{q^{(\nu+2)/2}}\right)^l & \text{if } \nu = 2n \text{ and } s \ne 2t, \\ \left(x + x^{q^{\nu/2}}\right)^{s/2} & \text{if } \nu = 2n \text{ and } s = 2t, \\ \left(x + x^{q^{(\nu-1)/2}}\right)^k \left(x + x^{q^{(\nu+1)/2}}\right)^l & \text{if } \nu = 2n + 1 \end{cases}$$
such that:

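(i) if $p = 2$, $q > 2$ and $s = 2t + 1$ then

if $\nu = 2n$ and $4 \mid \nu$
if $\nu = 2n$ and $4 \nmid \nu$
if $\nu = 2n + 1$

(ii) if $p > 2$ then

$q^\nu - q$ if $\nu = 2n$ and $4 \mid \nu$
$q^\nu - 1$ if $\nu = 2n$ and $4 \nmid \nu$
$(q^{\nu/2} - 1)q^{\nu/2}$ if $\nu = 2n$ and $s = 2t$
$q^\nu - 1$ if $\nu = 2n + 1$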

A similar result can be proved in the case of an additive character as shown by
the following theorem (Stepanov [186, 189]):

Theorem 6.17. Let $F_q$ be a finite field of characteristic $p > 2$, let $F_{q^\nu}$ be an extension
of $F_q$ of degree $\nu > 1$ and let $\psi_\nu$ be the character of $F_{q^\nu}$ induced by a non-trivial
additive character $\psi$ of the field $F_q$. There exists a polynomial $g \in F_q[u]$ of the
form

$$g(u) = \begin{cases} u^2 + 2\sum_{l=1}^{(\nu-2)/2} u^{q^l+1} + u^{q^{\nu/2}+1} & \text{if } \nu = 2n \\ u^2 + 2\sum_{l=1}^{(\nu-1)/2} u^{q^l+1} & \text{if } \nu = 2n + 1 \end{cases}$$
such that

$$\left|\sum_{u \in F_{q^\nu}} \psi_\nu(g(u))\right| = q^{\nu - 1/2}.$$
UEFqv

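Proof: Let $\{\omega_1, \dots, \omega_\nu\}$ be a basis of the field $F_{q^\nu}$ over $F_q$. Every element
$x \in F_{q^\nu}$ can be uniquely written as a linear combination

$$x = x_1\omega_1 + \dots + x_\nu\omega_\nu$$

of the basis elements $\omega_1, \dots, \omega_\nu$ with coefficients $x_j \in F_q$. Next, if $\sigma(x) = x^q$ is
the Frobenius automorphism of $F_{q^\nu}$, we have

$$x = x_1\omega_1 + \dots + x_\nu\omega_\nu$$
$$\sigma(x) = x_1\sigma(\omega_1) + \dots + x_\nu\sigma(\omega_\nu)$$
$$\vdots$$
$$\sigma^{\nu-1}(x) = x_1\sigma^{\nu-1}(\omega_1) + \dots + x_\nu\sigma^{\nu-1}(\omega_\nu).$$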

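Let us consider the above linear combinations as a system of linear equations with
respect to unknowns $x_j$. The determinant

of the system differs from zero and hence (by Cramer's rule)

where
$$\Delta_{ij} = (-1)^{i+j} \det\left(\sigma^{l-1}(\omega_k)\right)_{1 \le l, k \le \nu,\ l \ne i,\ k \ne j}.$$
Clearly

$$\sigma(\Delta) = (-1)^{\nu-1}\Delta, \qquad \sigma(\Delta_{i-1,j}) = (-1)^{\nu-2}\Delta_{ij}$$

and therefore

$$x_j = (\alpha_j x) + \sigma(\alpha_j x) + \dots + \sigma^{\nu-1}(\alpha_j x) = (\alpha_j x) + (\alpha_j x)^q + \dots + (\alpha_j x)^{q^{\nu-1}} = \mathrm{tr}_\nu(\alpha_j x),$$
where

$1 \le j \le \nu$.
If we set now $\alpha_j x = u$ for some $j = 1, 2, \dots, \nu$, then we obtain
$$x_j^2 = \left(u + u^q + \dots + u^{q^{\nu-1}}\right)^2 = u^2 + u^{2q} + \dots + u^{2q^{\nu-1}} + 2\sum_{1 \le i < k \le \nu} u^{q^{i-1}} u^{q^{k-1}}$$
and hence
$$x_j^2 = \mathrm{tr}_\nu(u^2) + 2\sum_{1 \le i < k \le \nu} u^{q^{i-1}} u^{q^{k-1}}.$$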
Let v 2: 3 be an odd number. Write the sum

L uqi-Iul-I
19<k<O,v

in the form
v-I v-i
L uqi-l Uqk - I = L L (u ql +1)qi-l
19<k<O,v i=I/=1
Counting Points on Curves over Finite Fields 155

(1'-1)/2(1'-1)/2 .
= L L (U q1 +1 )ql-l
i=1 1=1
v-I v-i .
+ L L(Uq1+I)ql-l
i=(v+I)/2/=1
(v-I) v-i .
+ L L (U q1 +1)ql-l .
i=1 1=(v+1)/2

Since uqV = u for any u E Fqv, we have


(1'-1)/2 v-i . (1'-1)/2 v-i
L L (u q1 +1 )ql-l = L L Uq1 - 1Uq, +1- 1
i=1 1=(1'+1)/2 i=1 1=(1'+1)/2
v k-I
L L uqv-l+k-l ul - 1
k=(v+3)/21=( 1'+ 1)/2
v (1'-1)/2 .
= L L (uqf+1 )l-l
(v+3)/2}=v-k+1
v (1'-1)/2 .
L L (u q1 +1 )ql-l
i=(v+3)/21=v-i+ I

and therefore
. (1'-1)/2(1'-1)/2 .
L Uq1 - 1Uqk - 1 = L L (u q1 +1 )ql-l
I::;i<k::;v i=1 1=1
v-I v-i .
+ L L(uq1+I)ql-l
i=(v+I)/21=1
v (1'-1)/2 .
+ L L (u q1 +1 )ql-l
i=( v+3)/21=v-i+ I

= trv ((V~/2 Uq1 + 1) .


1=1

Now define

1=1
For every $u \in F_{q^\nu}$ we have
$$x_j^2 = \mathrm{tr}_\nu(g(u))$$

and hence

$$\sum_{u \in F_{q^\nu}} \psi_\nu(g(u)) = \sum_{x_1, \dots, x_\nu \in F_q} \psi(x_j^2) = q^{\nu-1} \sum_{x_j \in F_q} \psi(x_j^2).$$

Finally, using the well-known result for Gaussian sums

we obtain

$$\left|\sum_{u \in F_{q^\nu}} \psi_\nu(g(u))\right| = q^{\nu - 1/2},$$

and this completes the proof for $\nu = 2n + 1$.

In a similar way, if $\nu = 2n$, we find

and setting

we obtain again

$$\left|\sum_{u \in F_{q^\nu}} \psi_\nu(g(u))\right| = q^{\nu - 1/2}.$$

This proves the theorem.


We are also able to prove the following result:

Proposition 6.18. Let $F_q$ be a finite field of characteristic $p = 2$, let $F_{q^\nu}$ be an
extension of $F_q$ of odd degree $\nu > 1$ and let $\psi_\nu$ be the character of $F_{q^\nu}$ induced
by a non-trivial additive character $\psi$ of the field $F_q$. There exists a polynomial
$g \in F_{q^\nu}[u]$ of the form
$$g(u) = au^2 + \sum_{l=1}^{(\nu-1)/2} \left(a + a^{q^l}\right)u^{q^l+1}$$
such that
$$\sum_{u \in F_{q^\nu}} \psi_\nu(g(u)) = q^{\nu-1}.$$

To prove the proposition it is sufficient to check that $\mathrm{tr}_\nu\, g(u) = x_r x_s$ for $r \ne s$.
The verification of this fact is left to the reader as an exercise.

6.3. ASYMPTOTICS

There are two important cases when we are able to determine the number of
$F_q$-rational points on a smooth projective curve $X$ of genus $g(X)$ defined over $F_q$.
In the first case, the genus $g(X)$ is fixed and $q \to \infty$. This situation is typical for
various number-theoretic problems. In the second case, which is closely related
to coding theory, the field $F_q$ is fixed and $g(X) \to \infty$. At first we consider the
number-theoretic aspect of the problem.

The Serre Bound


Let $N_q(g)$ be the maximum number of $F_q$-rational points on a curve $X$ of genus $g$
defined over $F_q$. By the Hasse-Weil bound one has

$$|N_q(g) - q - 1| \le \lfloor 2g\sqrt{q} \rfloor.$$

This can be improved as was shown by Serre [170]:

Theorem 6.19 (the Serre bound). Let $N_q = N_q(X)$ be the number of $F_q$-rational
points on a smooth projective curve $X$ over $F_q$. Then

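Proof: Let $X$ be a smooth projective curve of genus $g \ge 1$ defined over $F_q$ and

$$Z(X, t) = \frac{\prod_{i=1}^{2g} (1 - \omega_i t)}{(1 - t)(1 - qt)}$$

be the zeta-function of $X$. The complex numbers $\omega_1, \dots, \omega_{2g}$ are algebraic integers
with $|\omega_i| = q^{1/2}$. They can be ordered in such a way that $\omega_i\omega_{g+i} = q$, hence

$$\bar{\omega}_i = \omega_{g+i} = q/\omega_i \quad \text{for } 1 \le i \le g.$$

Set

$$\alpha_i = \omega_i + \bar{\omega}_i + \lfloor 2q^{1/2} \rfloor + 1,$$

$$\beta_i = -\omega_i - \bar{\omega}_i + \lfloor 2q^{1/2} \rfloor + 1$$

and note that $\alpha_i$, $\beta_i$ are positive real algebraic integers.
The Galois group $\mathrm{Gal}(K/\mathbb{Q})$ of the field $K = \mathbb{Q}(\omega_1, \dots, \omega_{2g})$ over $\mathbb{Q}$ permutes $\omega_1,
\dots, \omega_{2g}$. Moreover, if $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$ is such that $\sigma(\omega_i) = \omega_j$ then

$$\sigma(\bar{\omega}_i) = \sigma(q/\omega_i) = q/\sigma(\omega_i) = q/\omega_j = \overline{\sigma(\omega_i)} = \bar{\omega}_j.$$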

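Therefore $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$ acts as a permutation on the sets $\{\alpha_1, \dots, \alpha_g\}$ and
$\{\beta_1, \dots, \beta_g\}$. Hence the algebraic integers
$$\alpha = \prod_{i=1}^{g} \alpha_i \quad \text{and} \quad \beta = \prod_{i=1}^{g} \beta_i$$

are invariant under the action of the group $\mathrm{Gal}(K/\mathbb{Q})$. This implies that $\alpha, \beta \in \mathbb{Q}$
(see [107, p. 301]), and since $\alpha, \beta$ are algebraic integers then $\alpha, \beta \in \mathbb{Z}$ (see [107,
p. 359]). The numbers $\alpha$, $\beta$ are positive, so we have
$$\prod_{i=1}^{g} \alpha_i \ge 1 \quad \text{and} \quad \prod_{i=1}^{g} \beta_i \ge 1.$$

Now the well-known inequality between the arithmetic and geometric mean yields

$$\frac{1}{g} \sum_{i=1}^{g} \alpha_i \ge \left(\prod_{i=1}^{g} \alpha_i\right)^{1/g},$$

and hence

$$g \le \left(\sum_{i=1}^{g} (\omega_i + \bar{\omega}_i)\right) + g\lfloor 2q^{1/2} \rfloor + g = \sum_{i=1}^{2g} \omega_i + g\lfloor 2q^{1/2} \rfloor + g.$$

According to Theorem 5.17 we have

$$\sum_{i=1}^{2g} \omega_i = q + 1 - N_q,$$

and hence
$$N_q \le q + 1 + g\lfloor 2q^{1/2} \rfloor.$$
In the same way, the inequality

implies that
$$N_q \ge q + 1 - g\lfloor 2q^{1/2} \rfloor.$$
This proves the theorem. •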
By a variety of methods $N_q(g)$ can be determined for low genera and for
various $q$ (see Serre [168]):

Theorem 6.20. Let $q = p^m$ and $r = \lfloor 2\sqrt{q} \rfloor$. We have

(i) if $g = 1$ then

$$N_q(1) = \begin{cases} q + r & \text{if } m \text{ is odd, } m \ge 3 \text{ and } p \mid r, \\ q + r + 1 & \text{otherwise}; \end{cases}$$

(ii) if $g = 2$, $m$ is even and $q \ne 4$ or $9$ then

$$N_q(2) = q + 1 + 2r;$$

(iii) if $g = 2$ and $q = 4$ or $9$ then

(iv) if $g = 2$ and $m$ is odd then

$$N_q(2) = q + 1 + 2r,$$

with the exception of the following special $q$: either $p \mid r$ or $q = x^2 + x + 1$
or $q = x^2 + x + 2$ for some integer $x$;

(v) if $q$ is special then either

$$N_q(2) = q + 2r \quad \text{or} \quad N_q = q + 2r - 1,$$

depending upon whether $\{2\sqrt{q} - r\} > (\sqrt{q} - 1)/2$ or not, where $\{\alpha\}$ denotes
the fractional part of $\alpha$.
A table for small $q$ (see also [59, 60, 61]) is given below:

q         2   3   4   5   7   8   9  11  13  16  17  19  23  25  27
N_q(1)    5   7   9  10  13  14  16  18  21  25  26  28  33  36  38
N_q(2)    6   8  10  12  16  18  20  24  26  33  32  36  42  46  48
N_q(3)    7  10  14  16  20  24  28  28  32  38  40  44   ?  56   ?
N_q(4)    8  12  15  18   ?   ?   ?   ?   ?   ?   ?   ?   ?  66   ?

Of course one can also keep $q$ fixed and vary $g$. For $q = 2$ a table of results is:

g         0   1   2   3   4   5   6   7   8   9  15  19  21  39  50
N_2(g)    3   5   6   7   8   9  10  10  11  12  17  20  21  33  40

We see in particular that the Klein quartic (see Chapter 5) over $F_8$ has the
maximum number of rational points (= 24).

The Hermite Curve


Let $X$ be the projective curve over $F_{q^2}$, defined by

$$x^{q+1} + y^{q+1} + z^{q+1} = 0.$$

On this curve we have an involution given by $(x : y : z) \mapsto (x^q : y^q : z^q)$. Set
$x' = x^q$, $y' = y^q$ and $z' = z^q$. Then the curve $X$ can be written as

$$xx' + yy' + zz' = 0,$$

the so called Hermite form. The genus of $X$ is $g = q(q-1)/2$. The number
of $F_{q^2}$-rational points is $q^3 + 1$ (see Exercise 6.10), so the Hasse-Weil bound is
attained. The Hermitian curves have been studied extensively by various authors
(see Hirschfeld [77], Serre [168], Stichtenoth [194]).
The Hermite curves over $F_{q^2}$ and hyperelliptic affine curves from Corollary
6.15 (for $\nu = 2n$) belong to a class of curves for which the Hasse-Weil bound is
attained:
$$N_q(X) = q + 1 + 2gq^{1/2}.$$
Curves from this class are called maximal (see [54, 59, 60, 61, 97, 100, 186,
189, 197, 228, 230] for other examples of maximal curves).
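The point count $q^3 + 1$ and the equality with the Hasse-Weil bound can be checked by direct enumeration for small prime $q$. The following is an added example, not code from the book; the class and function names are hypothetical, $q$ is assumed prime, and $F_{q^2}$ is built as $F_q[t]/(t^2 - at - b)$ for an irreducible quadratic found by search.

```python
import math
from itertools import product

def irreducible_quadratic(q):
    """Return (a, b) such that t^2 - a*t - b has no root in F_q (q prime)."""
    for a, b in product(range(q), repeat=2):
        if all((t * t - a * t - b) % q for t in range(q)):
            return a, b
    raise ValueError("no irreducible quadratic found; q must be prime")

class QuadraticExtension:
    """F_{q^2} = F_q[t]/(t^2 - a t - b); the element u0 + u1*t is the pair (u0, u1)."""

    def __init__(self, q):
        self.q = q
        self.a, self.b = irreducible_quadratic(q)
        self.zero, self.one = (0, 0), (1, 0)
        self.elements = list(product(range(q), repeat=2))

    def add(self, u, v):
        return ((u[0] + v[0]) % self.q, (u[1] + v[1]) % self.q)

    def mul(self, u, v):
        hi = u[1] * v[1]                      # coefficient of t^2 = a*t + b
        return ((u[0] * v[0] + self.b * hi) % self.q,
                (u[0] * v[1] + u[1] * v[0] + self.a * hi) % self.q)

    def power(self, u, e):
        result = self.one
        while e:
            if e & 1:
                result = self.mul(result, u)
            u = self.mul(u, u)
            e >>= 1
        return result

def projective_points(field):
    """Normalized representatives of P^2(F_{q^2}): (x:y:1), (x:1:0), (1:0:0)."""
    E = field.elements
    yield from ((x, y, field.one) for x in E for y in E)
    yield from ((x, field.one, field.zero) for x in E)
    yield (field.one, field.zero, field.zero)

def hermite_points(q):
    """F_{q^2}-rational points of x^(q+1) + y^(q+1) + z^(q+1) = 0."""
    field = QuadraticExtension(q)
    norm = {u: field.power(u, q + 1) for u in field.elements}
    return [P for P in projective_points(field)
            if field.add(field.add(norm[P[0]], norm[P[1]]), norm[P[2]]) == field.zero]

def hasse_weil_upper(Q, g):
    """Q + 1 + 2 g sqrt(Q) for a square prime power Q."""
    root = math.isqrt(Q)
    if root * root != Q:
        raise ValueError("Q must be a square")
    return Q + 1 + 2 * g * root

def summary(q):
    """(number of points, genus q(q-1)/2, Hasse-Weil upper bound over F_{q^2})."""
    g = q * (q - 1) // 2
    return len(hermite_points(q)), g, hasse_weil_upper(q * q, g)

def closed_under_involution(q):
    """Check that (x:y:z) -> (x^q:y^q:z^q) maps the point set to itself."""
    field = QuadraticExtension(q)
    points = set(hermite_points(q))
    return all(tuple(field.power(c, q) for c in P) in points for P in points)

if __name__ == "__main__":
    for q in (2, 3, 5):
        print(q, summary(q), closed_under_involution(q))
```

For every listed $q$ the first and third entries of `summary(q)` coincide and equal $q^3 + 1$, which is the maximality statement with base field $F_{q^2}$.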

Maximal Curves
It is clear that a curve $X$ over $F_q$ of genus $g = g(X)$ is maximal only when $q$ is a
square, say $q = q'^2$. Next, if
$$Z(X, t) = \frac{P(t)}{(1 - t)(1 - qt)}$$

is the zeta-function of $X$, it follows immediately from the results of Section 5.2
that the curve $X$ is maximal if and only if
$$P(t) = (1 + q^{1/2}t)^{2g}.$$

Moreover, we have the following result:

Proposition 6.21. Suppose that $X$ is maximal. Then
$$g \le \frac{q - q^{1/2}}{2}.$$

Proof: Let $\omega_1, \dots, \omega_{2g}$ be the reciprocals of the roots of $P(t)$. Since
$$N_q = q + 1 - \sum_{i=1}^{2g} \omega_i$$ and

the assumption $N_q = q + 1 + 2gq^{1/2}$ implies

$$\omega_i = -q^{1/2}, \qquad 1 \le i \le 2g.$$
Now we consider the number $N_{q^2}$ of $F_{q^2}$-rational points on $X$. We have $N_{q^2} \ge N_q$
and
$$N_{q^2} = q^2 + 1 - \sum_{i=1}^{2g} \omega_i^2 = q^2 + 1 - 2gq.$$
Thus,

and hence
$$g \le \frac{q - q^{1/2}}{2}.$$
This completes the proof.
There are further restrictions on the genus of maximal curves. For example,
any smooth projective curve $X$ over $F_q$ ($q = q'^2$) of genus $g$, where $g$ satisfies

(ql/2 -If ql/2(ql/2 -1)


2 <g< 2 '
is not maximal (see Xing and Stichtenoth [235]).

Asymptotic Bounds
One strategy for producing good codes with the help of algebraic curves is by
taking a curve of genus $g$ over a fixed finite field $F_q$ with a lot of $F_q$-rational
points, say $x_1, \dots, x_n$. This allows us to construct codes (see Chapter 10) with

$$k \ge n - d - g + 1,$$
i.e., with
$$R \ge 1 - \delta - \frac{g - 1}{n}.$$
Let $N_q = N_q(X)$ be the number of $F_q$-rational points of a curve $X$ of genus
$g = g(X)$ defined over $F_q$. In order to maximize the last inequality asymptotically,
one looks for a family of curves $X$ with $N_q(X)$ as large as possible. We define

$$A(q) = \limsup_{g(X) \to \infty} \frac{N_q(X)}{g(X)},$$

where $X$ runs over all smooth projective curves over $F_q$ (up to isomorphism over
$F_q$). From the Serre bound we deduce immediately

In the case when g(X) is large with respect to q, Ihara [85] improved this bound
as follows:
Theorem 6.22 (the Ihara theorem). We have

$$A(q) \le \frac{\sqrt{8q+1} - 1}{2}.$$

The idea of the proof of this theorem is very simple. If the $\omega_i$ (in the notation
of Theorem 5.17) have arguments near $\pi$ then $N_q$ is big; but then the squares of
$\omega_i$ have arguments near $2\pi$ and hence $N_{q^2}$ is small. However, we have $N_q \le N_{q^2}$.
This bound was improved by Vladut and Drinfeld [215] (refining Ihara's proof):
Theorem 6.23 (the Drinfeld-Vladut theorem). One has

$$A(q) \le \sqrt{q} - 1.$$

Proof: Let X be a curve of genus g over $F_q$ and let

$$Z(X,t) = \frac{\prod_{i=1}^{2g} (1 - \omega_i t)}{(1-t)(1-qt)}$$

be the zeta-function of X. Set $\alpha_i = \omega_i/\sqrt{q}$, $1 \le i \le 2g$, and note that $|\alpha_i| = 1$.


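Since $N_q \le N_{q^v}$ for any $v \ge 1$ we obtain
$$N_q \cdot q^{-v/2} \le N_{q^v} \cdot q^{-v/2} = q^{v/2} + q^{-v/2} - \sum_{i=1}^{2g} \alpha_i^v,$$

hence
$$\sum_{i=1}^{2g} \alpha_i^v \le q^{v/2} + q^{-v/2} - N_q \cdot q^{-v/2}. \qquad (6.6)$$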
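On the other hand for every $\alpha_i \in \mathbb{C}$ and for any positive integer n we have

$$0 \le \Big| \sum_{v=0}^{n} \alpha_i^v \Big|^2 = \sum_{v,\tau=0}^{n} \alpha_i^{v-\tau} = n + 1 + \sum_{v=1}^{n} (n + 1 - v)(\alpha_i^v + \alpha_i^{-v}). \qquad (6.7)$$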

Summing (6.7) over i = 1, 2, ..., 2g and applying (6.6) we obtain

$$0 \le 2g(n+1) + 2 \sum_{v=1}^{n} (n + 1 - v) \sum_{i=1}^{2g} \alpha_i^v \le 2g(n+1) + 2 \sum_{v=1}^{n} (n + 1 - v)\left(q^{v/2} + q^{-v/2} - N_q \cdot q^{-v/2}\right).$$

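Hence

$$\frac{N_q}{g} \sum_{v=1}^{n} \frac{n + 1 - v}{n + 1}\, q^{-v/2} \le 1 + \frac{1}{g} \sum_{v=1}^{n} \frac{n + 1 - v}{n + 1} \left(q^{v/2} + q^{-v/2}\right).$$
If g and n tend to infinity in such a way that $n/\log_q g \to 0$ then it follows that for
any $\varepsilon > 0$
$$\frac{N_q}{g} \cdot \frac{1}{\sqrt{q} - 1} \le 1 + \varepsilon.$$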
This proves the theorem.
Later we shall demonstrate in several ways that the above upper bound is exact
for $q = p^{2v}$.
For an arbitrary q, it was proved by Serre that A(q) > 0. In fact, he proved that
there exists a constant c > 0 such that

$$A(q) > c \log q \qquad (6.8)$$


(see Serre [169]). The proof is based on class field theory (for an easy presentation
of Serre's method see Schoof [163]), and the idea can be described as follows.
Starting with a function field $L = L_1$ on a smooth projective curve X over $F_q$ of
genus $g = g_1$ and a non-empty subset $S = S_1$ of $F_q$-rational points on X (i.e., prime
divisors of the field L of degree 1), let $L_2$ be the S-Hilbert class field of L. By
definition, $L_2$ is the maximal abelian unramified extension of L such that all prime
divisors of S decompose completely in $L_2$. The extension $L_2/L_1$ is of finite degree.
We repeat this process, replacing the field $L_1$ by $L_2$ and the set $S_1$ by $S_2$, where $S_2$
is the set of prime divisors of $L_2$ lying over all prime divisors of $L_1$. This gives a
sequence of function fields over $F_q$, which form the S-class field tower of L:

$$L = L_1 \subseteq L_2 \subseteq L_3 \subseteq \cdots.$$
Since all the above extensions are unramified, the genus $g(L_i)$ can be calculated
by the Hurwitz genus formula:

$$g(L_i) = 1 + [L_i : L] \cdot (g - 1). \qquad (6.9)$$

The number Nq(Li) of prime divisors of Li satisfies the inequality


(6.10)

Under appropriate conditions on L and S (theorem of Golod-Shafarevich), the
S-class field tower is infinite, so that $L_i \ne L_{i+1}$ for all i = 1, 2, 3, ....
Now, if $X_i$ is a smooth projective curve, corresponding to the function field $L_i$,
then $N_q(L_i) = N_q(X_i)$, $g(L_i) = g(X_i)$ for all i = 1, 2, 3, ..., and we deduce from
(6.9), (6.10) that
$$\frac{N_q(X_i)}{g(X_i)} \ge \frac{|S|}{g - 1}.$$

This gives a lower bound for A(q) of the form

$$A(q) \ge \frac{|S|}{g - 1}.$$

By an optimal choice of L and S we obtain the Serre lower bound (6.8). This
gives also a possibility to find lower bounds for A(q) in many concrete cases, for
example, $A(2) \ge 2/9$ (see [163]), $A(3) \ge 1/3$, and $A(5) \ge 1/2$ (see [233]).
The Serre lower bound can be essentially improved for many q of a special
form (see Perret [144], Schoof [163], Xing [233], Zink [237]). For example,
using deep results from the theory of Shimura varieties, Zink [237] obtained the
following lower bound

Tame Extensions
Let $\{X_i\}$ be a sequence of smooth projective curves over $F_q$, and $\{L_i\}$ the
corresponding sequence of algebraic function fields. Denote by $g(L_i)$ the genus of
$L_i$ and by $N_q(L_i)$ the number of prime divisors of $L_i$ of degree 1. A tower of
function fields over $F_q$ is a sequence $\mathcal{L} = \{L_i\}$ of function fields $L_i/F_q$ satisfying
the following conditions:

(i) $L_1 \subseteq L_2 \subseteq L_3 \subseteq \cdots$;

(ii) for every $i \ge 1$, the extension $L_{i+1}/L_i$ is separable of degree $[L_{i+1} : L_i] > 1$;

(iii) $g(L_i) > 1$ for some $i \ge 1$.


By the Hurwitz genus formula, the conditions (ii) and (iii) imply that $g(L_i) \to \infty$
as $i \to \infty$. Moreover, one can show that for any tower $\mathcal{L} = \{L_i\}$ the sequence
$\{N_q(L_i)/g(L_i)\}$ is convergent (see [56]). Now we set

$$A(\mathcal{L}) = \lim_{i \to \infty} \frac{N_q(L_i)}{g(L_i)}. \qquad (6.11)$$

Since $0 \le A(\mathcal{L}) \le A(q)$, any tower of function fields over $F_q$ provides a lower
bound for A(q). We call $\mathcal{L}$ asymptotically good (resp. asymptotically optimal) if
$A(\mathcal{L}) > 0$ (resp. $A(\mathcal{L}) = A(q)$). The notion of asymptotically good sequences of
function fields is closely related to the notion of asymptotically good sequences
of codes. For example, let $\{L_i\}$ be a tower of function fields, and $\{C_i\}$ the
corresponding sequence of geometric Goppa codes, coming from the curves $X_i$
(see Chapter 10). If
$$\lim_{i \to \infty} \frac{N_q(X_i)}{g(X_i)} > 1,$$

the sequence $\{C_i\}$ of linear codes $C_i$ is asymptotically good. This reduces the
problem of constructing asymptotically good codes to the problem of constructing
asymptotically good sequences of function fields over a given finite field $F_q$.
Now we consider several examples of asymptotically good towers of function
fields over $F_q$ for an arbitrary q, proposed recently by Garcia and Stichtenoth
[55]. Let P(L) be the set of all prime divisors of a function field $L/F_q$. Given a
finite extension L'/L and a prime divisor $P \in P(L)$, there are finitely many prime
divisors $P' \in P(L')$ lying over P. We recall that the extension L'/L is tame if the
ramification index e(P'/P) is relatively prime to the characteristic of $F_q$, for all
$P \in P(L)$ and all P'/P.

Theorem 6.24. Let $\mathcal{L} = \{L_i\}$ be a tower of function fields over $F_q$ satisfying the
following conditions:
(i) all extensions $L_{i+1}/L_i$ are tame;
(ii) the set

$$S = \{P \in P(L_1) \mid P \text{ is ramified in } L_i/L_1 \text{ for some } i \ge 2\}$$

is finite;
(iii) the set

$$T = \{P \in P(L_1) \mid \deg(P) = 1, \text{ and } P \text{ splits completely in all extensions } L_i/L_1\}$$

is non-empty.
Then the tower $\mathcal{L}$ is asymptotically good, and

$$A(\mathcal{L}) \ge \frac{2|T|}{2g(L_1) - 2 + s},$$
where
$$s = \sum_{P \in S} \deg P.$$

Proof: Since $L_i/L_1$ is tame, the degree of the different $\mathrm{Diff}(L_i/L_1)$ is given by

$$\deg \mathrm{Diff}(L_i/L_1) = \sum_{P \in S} \sum_{P'/P} (e(P'/P) - 1) \cdot \deg P'.$$

Using the equality

$$\sum_{P'/P} e(P'/P) \cdot \deg P' = [L_i : L_1] \cdot \deg P,$$

we obtain
$$\deg \mathrm{Diff}(L_i/L_1) \le [L_i : L_1] \sum_{P \in S} \deg P = [L_i : L_1] \cdot s.$$
Now the Hurwitz genus formula implies

$$2g(L_i) \le [L_i : L_1] \cdot (2g(L_1) - 2 + s) + 2.$$

Observe that this inequality implies that $2g(L_1) - 2 + s > 0$, since $g(L_i) \to \infty$ as
$i \to \infty$.
On the other hand, we have $N_q(L_i) \ge |T| \cdot [L_i : L_1]$ by condition (iii), and
therefore
$$\frac{N_q(L_i)}{g(L_i)} \ge \frac{2|T|}{2g(L_1) - 2 + s + 2/[L_i : L_1]}$$
for all $i \ge 2$. This shows that

which proves the theorem. •


Our aim is to give some explicit examples of towers that satisfy the hypotheses
of the theorem.

Proposition 6.25. Let m > 1 be an integer with $q \equiv 1 \pmod m$, and let $S_0 \subseteq F_q$
be a subset of $F_q$ with $0 \in S_0$. Suppose that $f(u) \in F_q[u]$ is a polynomial whose
leading coefficient is an mth power in $F_q$ satisfying the following conditions:

(a) $f(u) = u^l \cdot f_1(u)$ with $f_1(0) \ne 0$ and $(l, m) = 1$;

(b) $\deg f(u) = m$;

(c) for each $a \in S_0$, all roots of the equation $f(u) = a^m$ lie in $S_0$.

We define function fields $L_i/F_q$ recursively by $L_1 = F_q(x_1)$ and $L_{i+1} = L_i(x_{i+1})$
with
$$x_{i+1}^m = f(x_i). \qquad (6.12)$$
Then $\mathcal{L} = \{L_i\}$ is a tower of function fields over $F_q$ having the following properties:
(i) $L_{i+1}/L_i$ is a tame extension of degree m, for every $i \ge 1$;

(ii) if $P \in P(L_1)$ is ramified in $L_i/L_1$ for some $i \ge 2$ then P is a zero of $x_1 - a$
for some $a \in S_0$;

(iii) the pole $P_\infty$ of $x_1$ in $L_1$ splits completely in $L_i/L_1$, for every $i \ge 2$;

(iv) $A(\mathcal{L}) \ge 2/(|S_0| - 2) > 0$.


Proof: First we consider the extension $L_2/L_1$, where $L_2 = L_1(x_2)$ and

$$x_2^m = f(x_1) = x_1^l \cdot f_1(x_1). \qquad (6.13)$$

Let $P_1 \in P(L_1)$ be the zero of $x_1$ in $L_1$ and let $P_2$ be a prime divisor lying over $P_1$.
If $v_2$ denotes the corresponding discrete valuation of $L_2$, we have from (6.13)

$$m \cdot v_2(x_2) = l \cdot v_2(x_1) = l \cdot e(P_2/P_1).$$

As (l, m) = 1, this implies $[L_2 : L_1] = m = e(P_2/P_1)$ and $v_2(x_2) = l$. We see
by induction that $[L_i : L_1] = m^{i-1}$, that $P_1$ is totally ramified in $L_i/L_1$ and that
$v_i(x_i) = l^{i-1}$; here $v_i$ is the valuation of $L_i$ corresponding to the unique prime
divisor $P_i \in P(L_i)$ lying over $P_1$. In particular, it follows that $F_q$ is algebraically
closed in $L_i$. Since $L_{i+1}/L_i$ is a cyclic extension of degree m (this follows from
(6.12) and from $q \equiv 1 \pmod m$), the extension $L_{i+1}/L_i$ is tame.
Next we show by induction on i that the pole of $x_1$ splits completely in $L_i/L_1$.
Let $Q \in P(L_i)$ be a pole of $x_1$. Then Q is a pole of $x_1, x_2, \ldots, x_i$, by (6.12), and

$$x_{i+1}^m = x_i^l \cdot f_1(x_i).$$
Dividing by $x_i^m$ and setting $y = x_{i+1}/x_i$, we obtain
(6.14)

where $\beta$ is the leading coefficient of f(u) and the function z has a zero at the
prime divisor Q. The reduction of the equation (6.14) modulo Q gives $y^m \equiv \beta$
mod(Q), and since the equation $u^m = \beta$ has m distinct roots in $F_q$, it follows from
the well-known Kummer theorem (see Stichtenoth [197, III.3.7]) that the prime
divisor Q splits completely in $L_{i+1}/L_i$. As a consequence, we have $N_q(L_i) \ge m^{i-1}$
and therefore $g(L_i) \to \infty$ as $i \to \infty$.
We have proved that $\mathcal{L} = \{L_i\}$ is a tower of function fields over $F_q$ with the
properties (i) and (iii). Now we prove the property (ii). Suppose that $P \in P(L_1)$ is
ramified in $L_i/L_1$. Choose $Q \in P(L_i)$ with e(Q/P) > 1 and let $P_j = Q \cap L_j$ be the
restriction of Q to $L_j$. Since Q/P is ramified, then $P_{j+1}/P_j$ is ramified for some
$j \ge 1$. From the equation
(6.15)
and from the ramification theory of Kummer extensions (see [197, III.7.3]), it
follows that $P_{j+1}$ is a zero of $x_{j+1}$. Denoting by x(Q) the residue class of an
element $x \in L_i$ modulo Q, we obtain from (6.15) that

The condition (c) of the theorem implies that $x_j(Q) \in S_0$. Repeating this process,
we find that $x_{j-1}(Q), \ldots, x_2(Q), x_1(Q) \in S_0$. Hence the property (ii) holds.

Now we can apply Theorem 6.24. We set

$$S = \{P \in P(L_1) \mid P \text{ is a zero of } x_1 - a \text{ for some } a \in S_0\}$$

and
$$T = \{\text{the pole of } x_1 \text{ in } L_1\}.$$
Then Theorem 6.24 yields that
$$A(\mathcal{L}) \ge \frac{2}{|S_0| - 2}.$$
This completes the proof. •
Example 6.1. Let p be a prime number, $q = p^v$ with v > 1, and $m = (q-1)/(p-1)$.
Let $L_i = F_q(x_1, \ldots, x_i)$ with
$1 \le k \le i - 1$.
Then $\mathcal{L} = \{L_i\}$ is an asymptotically good tower over $F_q$ with

$$A(\mathcal{L}) \ge \frac{2}{q - 2}.$$
Proof: Let $S_0 = F_q$ and $f(u) = 1 - (u+1)^m$. Conditions (a) and (b) of Proposition
6.25 hold obviously. In order to verify the condition (c), let $a \in F_q$ and
$$1 - (\gamma + 1)^m = a^m.$$
If $a^m = 1$ then $\gamma = -1 \in F_q$. If $a^m \ne 1$ then $1 - a^m \in F_p^*$ (observe that $a \mapsto a^m$
is the norm map from $F_q$ onto $F_p$). Hence

$$(\gamma + 1)^{q-1} = ((\gamma + 1)^m)^{p-1} = (1 - a^m)^{p-1} = 1,$$

and therefore $\gamma + 1 \in F_q$. The result follows now from Proposition 6.25. •


For q = 4, the tower $\mathcal{L} = \{L_i\}$ of the above example is asymptotically optimal
over $F_4$, since $A(\mathcal{L}) \ge 1$ and $A(\mathcal{L}) \le A(4) \le 1$, by the Drinfeld-Vladut theorem.
One can show that in this case the tower $\mathcal{L} = \{L_i\}$ corresponds to the sequence
$\{X_0(3^i)\}$ of classical modular curves $X_0(3^i)$, reduced modulo 2 (see Chapters 8
and 9). Moreover, this example provides an elementary proof of the fact that
A(q) > 0 for all non-prime finite fields.
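Two statements of this chapter can be checked by brute force over small fields: that the Hermite curve of Exercise 6.10 attains the Hasse-Weil bound over $F_{q^2}$, and that $f(u) = 1 - (u+1)^m$ satisfies condition (c) of Proposition 6.25 with $S_0 = F_q$. The Python code below is an added illustration, not code from the book; the class `GF` and all function names are made up for this example, and the root count assumes that p does not divide m.

```python
from fractions import Fraction
from itertools import product
from math import isqrt


class GF:
    """F_{p^n}; elements are coefficient tuples (low degree first) modulo a monic irreducible."""

    def __init__(self, p, n):
        self.p, self.n, self.q = p, n, p ** n
        self.elems = [tuple(c) for c in product(range(p), repeat=n)]
        self.zero, self.one = (0,) * n, (1,) + (0,) * (n - 1)
        # Search the monic moduli x^n + m_{n-1} x^{n-1} + ... + m_0 for one whose
        # quotient ring is a field: every nonzero a must satisfy a^(q-1) = 1.
        for low in self.elems:
            self.mod = low
            if all(self.pow(a, self.q - 1) == self.one
                   for a in self.elems if a != self.zero):
                return
        raise ValueError("no irreducible modulus found")

    def add(self, a, b):
        return tuple((x + y) % self.p for x, y in zip(a, b))

    def sub(self, a, b):
        return tuple((x - y) % self.p for x, y in zip(a, b))

    def mul(self, a, b):
        p, n = self.p, self.n
        prod = [0] * (2 * n - 1)
        for i, ai in enumerate(a):
            for j, bj in enumerate(b):
                prod[i + j] = (prod[i + j] + ai * bj) % p
        # Reduce from the top degree down, using x^n = -(m_0 + ... + m_{n-1} x^{n-1}).
        for d in range(2 * n - 2, n - 1, -1):
            c, prod[d] = prod[d], 0
            for k in range(n):
                prod[d - n + k] = (prod[d - n + k] - c * self.mod[k]) % p
        return tuple(prod[:n])

    def pow(self, a, e):
        r = self.one
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r


def hermitian_point_count(p, n):
    """Projective F_{q^2}-points of x^(q+1) + y^(q+1) + z^(q+1) = 0, where q = p^n."""
    q, F = p ** n, GF(p, 2 * n)
    norm = {a: F.pow(a, q + 1) for a in F.elems}
    # One representative per projective point: (x:y:1), (x:1:0), (1:0:0).
    reps = [(x, y, F.one) for x in F.elems for y in F.elems]
    reps += [(x, F.one, F.zero) for x in F.elems] + [(F.one, F.zero, F.zero)]
    return sum(F.add(F.add(norm[x], norm[y]), norm[z]) == F.zero for x, y, z in reps)


def hasse_weil_upper(field_size, g):
    """field_size + 1 + 2 g sqrt(field_size), for a field of square order."""
    r = isqrt(field_size)
    if r * r != field_size:
        raise ValueError("field size must be a square")
    return field_size + 1 + 2 * g * r


def condition_c_holds(p, v, m=None):
    """Condition (c) of Proposition 6.25 for S_0 = F_q, f(u) = 1 - (u+1)^m, q = p^v.

    Assumes p does not divide m, so f(u) - a^m has a repeated root only when a^m = 1.
    """
    F = GF(p, v)
    m = m or (F.q - 1) // (p - 1)
    minus_one = F.sub(F.zero, F.one)
    for a in F.elems:
        target = F.pow(a, m)
        roots = [u for u in F.elems
                 if F.sub(F.one, F.pow(F.add(u, F.one), m)) == target]
        m_fold_root = target == F.one and roots == [minus_one]
        if len(roots) != m and not m_fold_root:
            return False  # some root of f(u) = a^m lies outside F_q
    return True


def tower_bound(q):
    """Lower bound 2/(q-2) of Example 6.1 next to the Drinfeld-Vladut bound sqrt(q) - 1."""
    return Fraction(2, q - 2), q ** 0.5 - 1
```

For q = 4 the two values returned by `tower_bound` coincide, which is the asymptotic optimality over $F_4$ noted above.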
Example 6.2. Let q > 2 and $L_i = F_{q^2}(x_1, \ldots, x_i)$ be the tower of function fields
over $F_{q^2}$, with
$$x_{s+1}^{q-1} + (x_s + 1)^{q-1} = 1, \qquad 1 \le s \le i - 1.$$
Then $\mathcal{L} = \{L_i\}$ is an asymptotically good tower over $F_{q^2}$ with

$$A(\mathcal{L}) \ge \frac{2}{q - 2}.$$

Proof: Choose $S_0 = F_q$ and $f(u) = 1 - (u+1)^{q-1}$. Using the same arguments
as in previous example, we arrive at the desired result. •
The tower $\mathcal{L} = \{L_i\}$ of Example 6.2 is asymptotically optimal for q = 9 (with
$A(\mathcal{L}) = 2$), and corresponds to the sequence of classical modular curves $X_0(2^i)$,
reduced modulo 3.

Asymptotics for Jacobians


If one knows the zeta-function

$$Z(X,t) = \frac{\prod_{i=1}^{2g} (1 - \omega_i t)}{(1-t)(1-qt)}$$
of a curve X over $F_q$, then one can also determine the number of $F_q$-rational points
of the Jacobian of X.

Proposition 6.26. Let $h = h_q(X) = |\mathrm{Pic}^0(X)|$ be the number of $F_q$-rational points
of the Jacobian $J_X$ of X. Then
$$h_q(X) = \prod_{i=1}^{2g} (\omega_i - 1).$$

In particular,
$$(q^{1/2} - 1)^{2g} \le h_q(X) \le (q^{1/2} + 1)^{2g}.$$

Proof: See Weil [226].


This proposition implies that

One can improve upon this fact in the following situation. Let X be a curve from
a family of curves of growing genus g such that

$$\lim_{g \to \infty} \frac{N_q(X)}{g(X)} = c > 0.$$
Then we have the following result:
Proposition 6.27.

$$\liminf_{g(X) \to \infty} \frac{\log_q h_q(X)}{g(X)} \ge 1 + c \log_q\left(\frac{q}{q-1}\right).$$

Proof: See Tsfasman and Vladut [208, p. 185].




EXERCISES

6.1. Let $F_{q^v}$ be a finite extension of $F_q$. Given a positive integer $s \mid (q - 1)$, $s > 1$ and
$z \in F_{q^v}$ show that the number of elements $y \in F_{q^v}$ with $y^s = z$ is equal to

$$\sum_{\mathrm{ind}\,\chi = s} \chi_v(z) = \sum_{\mathrm{ind}\,\chi = s} \chi(\mathrm{norm}_v(z)),$$

where the sum is over all multiplicative characters of $F_q$ of exponent s.
6.2. Given $z \in F_{q^v}$, v > 1 show that the number of elements $y \in F_{q^v}$ with $y^q - y = z$ is
equal to
$$\sum_{\psi} \psi_v(z) = \sum_{\psi} \psi(\mathrm{tr}_v(z)),$$
where $\psi$ runs over all additive characters of $F_q$.
6.3. Let $\psi$ be a non-trivial additive character of $F_q$ and
$$T(a,b) = \sum_{x \in F_q^*} \psi(ax + bx^{-1}),$$

the Kloosterman sum. Prove that:

(a) the polynomial $ax^2 - (y^q - y)x + b$ is absolutely irreducible;
(b) $|T(a,b)| \le 2\sqrt{q}$.
6.4. Let $F_q$ be a finite field of characteristic p > 2 and $\chi$ be a non-trivial multiplicative
quadratic character of $F_q$. In the notations of the previous exercise prove that

$$T(a,b) = \sum_{x \in F_q} \chi(x^2 - 4ab)\,\psi(x).$$

(Hint: Use the change of variables: $y = ax + bx^{-1}$.)


6.5. Let $F_q$ be a finite field and $\chi$ (resp. $\psi$) a multiplicative (resp. an additive) non-trivial
character of $F_q$. Under the conditions of Theorem 5.26 show that:
(a) Equations $y^s = f(x)$ and $z^q - z = g(x)$ define an absolute affine curve;
(b) if
$$T_v(f,g) = \sum_{x \in F_{q^v}} \chi_v(f(x))\,\psi_v(g(x)),$$

then
$$|T_v(f,g)| \le (m + n - 1)\, q^{v/2}.$$
6.6. Let $F_q$ be a finite field of characteristic p > 2, and f(x) a non-zero polynomial in
$F_q[x]$. Prove that all solutions $x \in F_q$ of the equation
$$1 \pm f^{\frac{q-1}{2}}(x) = 0$$
are at least double roots of the polynomial

$$R(x) = 2f(x)\left(1 \pm f^{\frac{q-1}{2}}(x)\right) + f'(x)(x^q - x).$$



Deduce that the number $N_q$ of $F_q$-rational points on the curve $X: y^2 = x^3 + ax + b$,
where $a, b \in F_q$, satisfies
$$|N_q - q| \le \frac{q + 3}{2}.$$
(Hint: Check that the derivative R'(x) of R(x) has the form

$$R'(x) = f'(x)\left(1 \pm f^{\frac{q-1}{2}}(x)\right) + f''(x)(x^q - x);$$

then compare the number of roots of the polynomial R(x) with its degree.)
6.7. Let $F_q$ be a finite field of characteristic p > 2, and $f(x) = ax^2 + bx + c \in F_q[x]$ a
polynomial of degree 2 with the non-zero discriminant $D(f) = b^2 - 4ac$. Prove that
the number $N_q$ of $F_q$-rational points on the curve $y^2 = f(x)$ is

N q =q- (~).
6.8. Let X be the Klein quartic defined over $F_2$ by

$$x^3 y + y^3 z + z^3 x = 0.$$

Show that the zeta-function Z(X, t) of X has the form

$$Z(X,t) = \frac{1 + 5t^3 + 8t^6}{(1-t)(1-2t)}$$

and then deduce that the number $N_{2^v}$ of $F_q$-rational points of X is given by

if $v \not\equiv 0 \pmod 3$
if $v \equiv 0 \pmod 3$,

where integers $s_{3n}$ are defined by the recurrence relation

$$s_{3(n+2)} + 5 s_{3(n+1)} + 8 s_{3n} = 0$$

with initial values $s_0 = 6$ and $s_3 = -15$.


6.9. Let $J_X$ be the Jacobian of the Klein quartic X over $F_2$, and $h_{2^v}$ the number of
$F_{2^v}$-rational points of $J_X$. Show that

h2v = 23v + 1- ~S3V if v ;j: 0 mod(3)

and
$$h_{2^v} = \left(h_{2^{v/3}}\right)^3 \quad \text{if } v \equiv 0 \pmod 3,$$
where $s_{3v}$ are integers defined by the recurrence relation:

$$s_{3(v+2)} + 5 s_{3(v+1)} + 8 s_{3v} = 0$$

with initial values $s_0 = 6$ and $s_3 = -15$.

6.10. Let X be the Hermite curve defined over $F_{q^2}$ by

$$x^{q+1} + y^{q+1} + z^{q+1} = 0.$$

Show that:
(a) the curve X has genus q(q-1)/2;
(b) the number of $F_q$-rational points of X is $q^3 + 1$.
(Hint: Use the Plucker genus formula.)
6.11. Let X be the hyperelliptic curve defined over $F_2$ by

$$y^2 + y = x^5 + 1.$$

Show that:
(a) X has genus 2;
(b) the zeta-function Z(X,t) of X has the form

$$Z(X,t) = \frac{(1 + 2t - 2t^2)(1 + 2t + 2t^2)}{(1-t)(1-2t)};$$

(c) the number $N_{2^v}$ of $F_{q^v}$-rational points of X is given by

if $v \ne 4n$
if $v = 4n$

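6.12. Let p > 2 be a prime and $l \not\equiv 0 \pmod p$ be an integer. For p = 4k + 3, prove that the
Jakobsthal sum
$$S(l) = \sum_{x=1}^{p-1} \left(\frac{x^3 + lx}{p}\right)$$
is zero. For p = 4k + 1, prove that:
(a) S(l) is an even number;

(b) $S(lz^2) = \left(\frac{z}{p}\right) S(l)$;

(c) if $\left(\frac{l}{p}\right) = 1$ and $\left(\frac{m}{p}\right) = -1$, then

$$\left(\tfrac{1}{2} S(l)\right)^2 + \left(\tfrac{1}{2} S(m)\right)^2 = p;$$

(d) $|S(l)| \le 2\sqrt{p}$;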


(e) the equation

is solvable in integers x andy.


Part III

Elliptic and Modular Curves

The aim of this part is to give an introduction to the theory of modular curves
insofar as they apply to the construction of geometric Goppa codes on modular
curves. For reasons of space our treatment will be rather brief. In fact we shall
try to emphasize those aspects of the theory which are of a classical nature and
are easy to comprehend with a minimum knowledge of algebraic geometry. As
our program is to make available a formula for counting the number of rational
points on a modular curve over a finite field, we shall first develop some notions
leading up to Igusa's description of a model of modular curve Xo(N) defined over
the integers Z with a good reduction modulo every prime p which does not divide
the level N. Then we recall the basic results of Eichler and Shimura relating the
trace of the Hecke operators to the trace of Frobenius acting on the l-primary part
of the torsion points of the Jacobian variety of Xo(N). Finally we will give the
formula of Eichler and Selberg for the trace of the Hecke operators.

Chapter 7

Elliptic Curves

The theory of elliptic curves (curves of genus 1 having a specified basepoint $x_0$)
is varied and rich, and provides a good example of the profound connections
between abstract algebraic geometry, complex analysis, and number theory. The
most important property is that any elliptic curve is an abelian variety.
A moduli space is, roughly speaking, a variety whose points classify the
isomorphism classes of some kind of object, e.g., algebraic curves of a certain
type. The modular curves we shall be concerned with are moduli spaces of elliptic
curves.

7.1. THE GROUP LAW

In Section 4.4 we have stated that there is a bijection between an elliptic curve E
over an algebraically closed field k and $\mathrm{Pic}^0(E)$ given by $x \mapsto (x - x_0)$ for some
$x_0 \in E$. Since $\mathrm{Pic}^0(E)$ is a group, E is also a group whose zero element is $x_0$ (see
also Proposition 9.1 below).
Let us describe the group law by geometric means. To do this we consider the
map $\Phi : E \to \mathbb{P}^2$ which is defined by the complete linear system $|3 \cdot x_0|$ (note that
$l(3 \cdot x_0) = 3$ by the Riemann-Roch theorem). Then we obtain the following result:

Proposition 7.1. The map $\Phi$ is an embedding of E into $\mathbb{P}^2$.

Therefore any elliptic curve is isomorphic to a plane cubic. Conversely, from


the Plucker genus formula we deduce that every smooth irreducible plane cubic is
an elliptic curve. Later on we shall assume E to be a plane cubic.


Let $x_1$, $x_2$ and $x_3'$ be points of E. The condition $x_1 + x_2 + x_3' = 0$ (where + is
the composition law on E) can be written as $x_1 + x_2 + x_3' \sim 3 \cdot x_0$. Since $3 \cdot x_0$ is a
line section divisor (i.e., it is of the form (L), L being a linear form) it means that $x_1$, $x_2$
and $x_3'$ belong to a line l (with the equation L = 0). If $x_1 = x_2$ it means that l is a
tangent of E at $x_1$, and if $x_1 = x_2 = x_3'$ it means that $x_1$ is a flex point of E.

The Coordinate Expression


Now we express the composition law $x_1 + x_2 = x_3$ on E in a coordinate form. In
fact, we show that coordinates of the point $x_3$ are rational functions in coordinates
of the points $x_1$ and $x_2$. To derive this result we find at first a suitable polynomial
equation which defines the curve E. Let

$$u \in L(2 \cdot x_0) \setminus k, \qquad v \in L(3 \cdot x_0) \setminus L(2 \cdot x_0).$$

Then the functions $1, u, v, u^2, uv, v^2$ and $u^3$ lie in $L(6 \cdot x_0)$. It follows from the
Riemann-Roch theorem that $l(n \cdot x_0) = n$ for any $n \ge 1$, hence these functions are
linearly dependent over k, so

Since only $v^2$ and $u^3$ have a pole of order 6 at $x_0$, their coefficients in this linear
relation do not vanish. Multiplying u and v by appropriate non-zero elements of
k we can assume that the relation has the form

(7.1)

with $a_i \in k$. Thus we obtain the Weierstrass equation for an elliptic curve E.
Assume for simplicity that $\operatorname{char} k \ne 2$ (similar results are also true for char k = 2).
Making the substitution $v \mapsto v + (a_1 u + a_2)/2$ we obtain $v^2 = (u - a)(u - b)(u - c)$
for some $a, b, c \in k$. Now we substitute $u \mapsto (u - a)/(b - a)$. As a result we arrive
at the equation
$$v^2 = u(u - 1)(u - \lambda), \qquad \lambda \in k. \qquad (7.2)$$
This is the Weierstrass equation in Legendre form. The element $\lambda$ is called the
Legendre modulus of E.
In homogeneous coordinates, the equation (7.2) can be written as

$$w v^2 = u(u - w)(u - \lambda w).$$

Now we take $x_0$ as the point $x_0 = (0 : 1 : 0)$ and let $v_0^2 = a(a - 1)(a - \lambda)$. The
line $u = aw$ intersects E at points $x_0$, $x = (a : v_0 : 1)$, $x' = (a : -v_0 : 1)$, where
the points x and x' are opposite to each other (i.e., x = -x'). Now we are able to
describe the composition law in geometric terms and write out explicit formulas

Figure 7.1.

for coordinates of the point $x_3$. If $x_1 = (u_1 : v_1 : 1)$ and $x_2 = (u_2 : v_2 : 1)$, then
$x_3 = x_1 + x_2$ can be obtained as follows: let $x_3' = (u_3' : v_3' : 1)$ be the third point of
intersection of the line through $x_1$ and $x_2$ with E, then $x_3 = x_1 + x_2$ is the reflection
of $x_3'$ (see Fig. 7.1). It is easy to see that

(7.3)

It follows from (7.3) that the composition map $\mu : E \times E \to E$, $\mu(x_1, x_2) =
x_1 + x_2$ is a morphism (the relations (7.3) are valid only for $u_1 \ne u_2$, but it is not
difficult to write out similar relations for $u_1 = u_2$; in the case $u_1 = u_2$ and $x_1 \ne x_2$
we have $v_1 + v_2 = 0$, $x_1 = -x_2$). Clearly the map $x \mapsto -x$ is also a morphism.
Hence E is an abelian variety which can be identified with its Jacobian. Usually
the abelian variety E is denoted by E(k) to stress its dependence on k.

Theorem 7.2. The group E(k) is divisible, i.e., for any positive integer N and any
$x \in E(k)$ there exists $x' \in E(k)$ such that $N \cdot x' = x$ in the group E(k).

Proof: Since $x = x_0$ and $x' = x_0$ for w = 0, the case x = (u : v : 0) is trivial, and
we can assume that x = (u : v : 1). Let x' = (u' : v' : 1), (u', v') being unknown
coordinates of x'. The group law means that it is possible to express u and v in u'

and v'. We obtain two equations $F_N(u', v') = 0$ and $G_N(u', v') = 0$, where $F_N$ and
$G_N$ are polynomials whose coefficients depend on u, v and $\lambda$. One can show that
since k is algebraically closed this system has a solution. •

Automorphisms
An isomorphism $\varphi : X \to X$ of a curve X onto itself is called an automorphism.
The group of automorphisms of X is denoted Aut(X) or $\mathrm{Aut}_k(X)$. If $X = \mathbb{P}^1$ then
$\mathrm{Aut}(X) = PGL_2(k) = GL_2(k)/k^*$, $k^*$ being the center of $GL_2(k)$ consisting of
matrices of the form
$$\begin{pmatrix} a & 0 \\ 0 & a \end{pmatrix}, \qquad a \in k^*.$$
Since E is an abelian variety we have:
Theorem 7.3. For each fixed $x' \in E$ the map $x \mapsto x + x'$ is an automorphism of E
(as of an algebraic variety).
Corollary 7.4. The group Aut(E) operates on E transitively.
We see that Aut(E) contains E as subgroup. This subgroup is normal in
Aut(E) and for $p = \operatorname{char} k \ne 2, 3$ the factor group G = Aut(E)/E is a finite group
of order 2, 4 or 6. For p = 3 the order of G is a divisor of 12 and for p = 2 it is a
divisor of 24. Therefore for g(X) = 1, the group of automorphisms Aut(X) of a
curve X defined over an algebraically closed field k is infinite. On the other hand
for $g = g(X) \ge 2$ we have:
Theorem 7.5. If $g \ge 2$ then Aut(X) is finite. Moreover, if char k = 0 then
$$|\mathrm{Aut}(X)| \le 84(g - 1).$$

Proof: See Hartshorne [73, p. 305].



7.2. THE j-INVARIANT

Our first topic is to define the j-invariant of an elliptic curve, and to show that it
classifies curves up to isomorphism. Since j can be any element of the ground field
k, this will show that the affine line $\mathbb{A}^1$ is a variety of moduli for elliptic curves
over k.
Let us assume that $\operatorname{char} k \ne 2$. Note that the value $\lambda$ from (7.2) can be different
for isomorphic elliptic curves. In particular, the equations of the form (7.2) with
$\lambda$ and $\lambda' = 1/\lambda$ define isomorphic curves. Let us set

$$j = j(E) = 2^8 \frac{(\lambda^2 - \lambda + 1)^3}{\lambda^2 (\lambda - 1)^2}. \qquad (7.4)$$

This value is called the j-invariant (or the absolute invariant) of E. Note that the
coefficient $2^8$ is introduced to make sure that the j-invariant has integer coefficients
being expanded into a power series in some natural variable t (see Section 8.2
below). Our main result then is the following:

Theorem 7.6. Let k be an algebraically closed field of characteristic $\ne 2$. Then:

(i) the value $j = j(\lambda) = j(E)$ depends only on the isomorphism class of E;
(ii) two elliptic curves E and E' are isomorphic if and only if j(E) = j(E');

(iii) every element of k occurs as the j-invariant of some elliptic curve E over k.

Thus we have a one-to-one correspondence between the set of isomorphism classes
of elliptic curves over k and the elements of $k = \mathbb{A}^1$, given by $E \mapsto j(E)$.

Proof:

(i) Note that $j(\lambda) = j(\lambda')$ for every $\lambda' \in \Lambda = \{\lambda, 1/\lambda, 1 - \lambda, 1 - 1/(1 - \lambda), \lambda/(\lambda - 1), (\lambda - 1)/\lambda\}$,
which can be checked directly. If we write
an equation of E in the form (7.2) then the projection f(u, v) = u defines a
morphism $f : E \to \mathbb{P}^1$ of degree 2 with four ramification points 0, 1, $\lambda$ and
$\infty$. Let

$$v^2 = u(u - 1)(u - \lambda')$$

be another equation of E. The corresponding morphism $f' : E \to \mathbb{P}^1$ of
degree 2 has ramification points 0, 1, $\lambda'$ and $\infty$. Let $x, x' \in E$ be such that
$f(x) = \lambda$ and $f'(x') = \lambda'$. By Corollary 7.4 there exists $\sigma \in \mathrm{Aut}(E)$ with
$\sigma(x) = x'$. Since f and f' are defined by the linear systems $|2 \cdot x|$ and $|2 \cdot x'|$,
respectively, the morphisms f and $f' \cdot \sigma$ are defined by the same linear system
and thus differ by an automorphism of $\mathbb{P}^1$. Such an automorphism (being
an element of $PGL_2(k)$) sends the tuple $(0, 1, \lambda, \infty)$ to the tuple $(0, 1, \lambda', \infty)$
if and only if $\lambda' \in \Lambda$ which proves (i).

(ii) Let E, E' be elliptic curves, and $\lambda$, $\lambda'$ their Legendre moduli. Let $j(\lambda) =
j(\lambda')$. Considering $\lambda'$ as a variable and $\lambda$ as a parameter, we obtain an
equation of degree 6 in $\lambda'$, vanishing on $\Lambda$. Therefore it has no other roots
and hence E and E' are isomorphic.

(iii) Let $j \in k$ and let $\lambda$ be a root of the equation

Then (7.2) defines an elliptic curve E with j(E) = j.




For $\operatorname{char} k \ne 2, 3$ another form of the equation of an elliptic curve E is quite
useful. Making the substitution $u \mapsto u - (\lambda + 1)/3$ in (7.2) we get an equation of
the form
(7.5)
Usually one makes the substitution $v \mapsto 4v$, $u \mapsto 4u$ in (7.5) and writes the equation
in the form
$$v^2 = 4u^3 - g_2 u - g_3, \qquad (7.6)$$
which is called Weierstrass normal form of E. It is easy to check that
$$j(E) = 1728\, \frac{g_2^3}{g_2^3 - 27 g_3^2}.$$

Theorem 7.6 also remains valid for char k = 2. We give no proof in this case
and only define the absolute invariant j(E). Making the substitution $u \mapsto u + a$ in
(7.1) we get
$$v^2 + c_1 uv + c_3 v = u^3 + c_4 u + c_6. \qquad (7.7)$$
Then $j(E) = c_1^{12}/\Delta$, where

7.3. ISOGENIES

As we have seen above, over an algebraically closed field k the isomorphism
classes of elliptic curves are in one-to-one correspondence with the points of the
affine line $\mathbb{A}^1$ with coordinate j. We say that $\mathbb{A}^1$ is the moduli space of elliptic
curves over k (for a precise definition of the notion of moduli space see Katz and
Mazur [94]). Note that j does not suffice to specify an elliptic curve E if k is not
algebraically closed due to the fact that an elliptic curve (as an algebraic group)
can have a non-trivial automorphism group. Denote this group by $\mathrm{Aut}_0(E)$. To
get more moduli spaces we consider pairs $(E, G_N)$, where E is an elliptic curve
and $G_N$ is a cyclic subgroup of order N in E. Let us first look at the possibilities
for these cyclic subgroups.
Let E be an elliptic curve. Let $E_N$ be the kernel of multiplication by N. The
set $E_N$ consists of points of order N (or N-torsion points) with respect to the group
law on E. If N is the product $N = N' N''$ of two relatively prime integers then
$E_N = E_{N'} \times E_{N''}$. Now let p be a prime. Then the morphism $[p] : E \to E$ which
is multiplication by p has degree $p^2$. If $p \ne \operatorname{char} k$ then $E_p$ consists of $p^2$ points
and is isomorphic (as a group) to $\mathbb{Z}/p\mathbb{Z} \times \mathbb{Z}/p\mathbb{Z}$. If p = char k then multiplication
by p is an inseparable morphism. There are two possibilities: either the degree of
inseparability is p and $E_p$ consists of p points and is isomorphic to $\mathbb{Z}/p\mathbb{Z}$, or the

degree of inseparability is $p^2$ and $E_p$ consists of one point. In the former case we
say that E is ordinary, in the latter case that E is a supersingular elliptic curve.
Let $f : E \to E'$ be a non-constant map of elliptic curves, let $x_0$ be the zero
element of the group law on E and let $x_0' = f(x_0)$ be the zero element of the group
law in E'. Then f defines a morphism of abelian varieties. We call such an f an
isogeny. Since E and E' are curves we can speak about its degree, and since $E \cong J_E$,
any isogeny $f : E \to E'$ gives rise to the dual isogeny $f^* : E' = J_{E'} \to J_E = E$. If
$f : E \to E'$ is an isogeny of degree N and $N_E : E \to E$ is the morphism of multiplication
by N, then $\mathrm{Ker} f \subseteq \mathrm{Ker} N_E$, and $N_E : E \xrightarrow{f} E' \xrightarrow{f^*} E$.
Proposition 7.7. Let $f : E \to E'$ be an isogeny of degree N. Then $\deg f^* = N$,
$f f^* = N_{E'}$, and $f^* f = N_E$.

In the case of complex elliptic curves this result will be proved in Section 7.5
(for the general case, see Silverman [177, III, §6]).

Corollary 7.8. The degree of $N_E$ is equal to $N^2$.

Now we describe $E_{p^v}$ for p = char k and $v \ge 1$. To begin with, we assume that
v = 1. Let $E^{(p)}$ be the elliptic curve obtained from E by raising the coefficients
to the pth power, let $f = f_p : E \to E^{(p)}$ be the Frobenius morphism given by
$(u, v) \mapsto (u^p, v^p)$, and $f^* : E^{(p)} \to E$ be its dual morphism. Then by Proposition
7.7 we have $f f^* = f^* f = p_E$ and since f is a purely inseparable morphism, $p_E$
is not separable. If $f^*$ is a separable morphism then E is ordinary, and if $f^*$ is not
separable then E is a supersingular elliptic curve. Note that for supersingular E
we have $f^* = f$, since f is the only purely inseparable morphism of degree p.

Proposition 7.9. The kernel of the multiplication by $p^v$ on E(k) is trivial for a
supersingular E and is isomorphic to $\mathbb{Z}/p^v\mathbb{Z}$ for an ordinary elliptic curve E.

Proof: From the above argument it follows that the proposition holds for v = 1.
For any v > 1 it can be easily deduced by induction on v. •

Supersingular Elliptic Curves


Given p there exists only a finite number of non-isomorphic supersingular curves
in characteristic p > 0. Their moduli can be found out.

Theorem 7.10. Let p = char k > 2 and let E be the curve defined by $v^2 = u(u - 1)(u - \lambda)$.
Then E is supersingular if and only if

$$\sum_{i=0}^{s} \binom{s}{i}^2 \lambda^i = 0, \qquad (7.8)$$

where s = (p - 1)/2. In fact, there are exactly $\lfloor p/12 \rfloor + \varepsilon_p$ supersingular elliptic
curves E (up to isomorphism) over k, where $\varepsilon_3 = 1$, and for $p \ge 5$,

$$\varepsilon_p = 0, 1, 1, 2 \quad \text{if } p \equiv 1, 5, 7, 11 \pmod{12}.$$

Proof: See Hartshorne [73, p. 333], Husemoller [81, Ch. 13, §4], or Silverman
[177, V, §4]. •
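For Legendre moduli $\lambda$ in the prime field $F_p$, criterion (7.8) can be compared with a direct point count, using the standard facts that E is supersingular exactly when p divides the trace $p + 1 - \#E(F_p)$ and that this trace is congruent to $(-1)^s$ times the left-hand side of (7.8). The Python code below is an added illustration, not code from the book; all function names are made up for this example, and it only sees moduli lying in $F_p$, not those in larger fields.

```python
from math import comb


def deuring(p, lam):
    """Left-hand side of (7.8): sum_{i=0}^{s} C(s,i)^2 lam^i mod p, with s = (p-1)/2."""
    s = (p - 1) // 2
    return sum(comb(s, i) ** 2 * pow(lam, i, p) for i in range(s + 1)) % p


def count_points(p, lam):
    """#E(F_p) for E: v^2 = u(u-1)(u-lam), including the point x_0 = (0:1:0)."""
    roots = {}
    for v in range(p):
        roots[v * v % p] = roots.get(v * v % p, 0) + 1
    return 1 + sum(roots.get(u * (u - 1) * (u - lam) % p, 0) for u in range(p))


def j_invariant(p, lam):
    """Formula (7.4) reduced mod p; lam must differ from 0 and 1 mod p."""
    num = 256 * pow(lam * lam - lam + 1, 3, p)
    den = pow(lam, 2, p) * pow(lam - 1, 2, p) % p
    return num * pow(den, -1, p) % p


def supersingular_moduli(p):
    """All lam in F_p other than 0 and 1 that satisfy (7.8)."""
    return [lam for lam in range(2, p) if deuring(p, lam) == 0]


def trace_matches_deuring(p):
    """Check p + 1 - #E(F_p) = (-1)^s * (left side of 7.8) mod p for every lam != 0, 1."""
    s = (p - 1) // 2
    return all((p + 1 - count_points(p, lam) - (-1) ** s * deuring(p, lam)) % p == 0
               for lam in range(2, p))


def orbit(p, lam):
    """Closure of {lam} under lam -> 1/lam and lam -> 1 - lam in F_p (lam != 0, 1)."""
    seen, todo = set(), [lam % p]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo += [pow(x, -1, p), (1 - x) % p]
    return seen
```

For p = 7 the supersingular moduli in $F_7$ form a single orbit with j = 1728 mod 7, in agreement with the count $\lfloor 7/12 \rfloor + 1 = 1$.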
Therefore all supersingular values of the modulus $\lambda$ and of the j-invariant lie
in a finite field. Moreover, one has the following fact:

Proposition 7.11. Let p = char k > 2, and let j = j(E) be a supersingular value
of j-invariants. Then $j \in F_{p^2}$.

Proof: We see from Theorem 7.10 that $j \in \overline{F}_p$, hence it is sufficient to show that
$j^{p^2} = j$. For supersingular curve E we have $f = f^*$ and since $p_E : E \xrightarrow{f} E^{(p)} \xrightarrow{f^*} E$
is purely inseparable isogeny of degree $p^2$, we conclude that $p_E = f_{p^2}$,
where $f_{p^2} : E \to E^{(p^2)}$ is the Frobenius morphism. Hence $E \cong E^{(p^2)}$, and $j(E) = j^{p^2}(E)$. •
Note that for p = 2 there exists only one supersingular curve E (with j(E) = 0)
which can be given by $v^2 + v = u^3$.

Homomorphisms
Let E and E' be elliptic curves. The set of algebraic group morphisms $f : E \to E'$ (i.e., of morphisms which are group homomorphisms) is denoted by Hom(E, E'). If E = E' it is denoted by End(E). Note that Hom(E, E') is an abelian group since we can add its elements: $(f + g)(x) = f(x) + g(x)$. Moreover, End(E) is a ring: multiplication is the composition of morphisms. It is clear that Hom(E, E') has no torsion since the condition $Nf = 0$ implies that $f(E)$ is contained in the finite set $E_N$ and hence is trivial.
Studying the behavior of morphisms at torsion points of E one can prove the following proposition:

Proposition 7.12. The rank of Hom(E, E') equals 0, 1, 2, 3 or 4. If it is equal to 4 then E and E' are supersingular.

Proof: See Lang [108, Ch. 13, §1 and §2].

If $\mathrm{Hom}(E,E') \ne 0$ then we call the curves E and E' isogenous. Note that if E and E' are isogenous then $\mathrm{Hom}(E,E') \otimes \mathbb{Q} = \mathrm{End}(E) \otimes \mathbb{Q}$, which follows from Proposition 7.7. Note that End(E) is embedded in $\mathrm{End}_0(E) = \mathrm{End}(E) \otimes \mathbb{Q}$ since End(E) and $\mathrm{End}_0(E)$ have no torsion. Moreover from Proposition 7.7 it follows that $\mathrm{End}_0(E)$ is a division algebra.

Theorem 7.13. There are the following possibilities for the division algebra $\mathrm{End}_0(E)$:

(i) $\mathrm{End}_0(E) = \mathbb{Q}$;

(ii) $\mathrm{End}_0(E)$ is an imaginary quadratic field;

(iii) $\mathrm{End}_0(E)$ is a quaternion algebra over $\mathbb{Q}$ which is ramified at p and at $\infty$; this is the case if $p = \operatorname{char} k > 0$ and E is a supersingular curve over k.

Proof: See Lang [108, Ch. 13, §1 and §2], or Husemöller [81, Ch. 12, §4] and [81, Ch. 13, §6]. •
Therefore End(E) is a free $\mathbb{Z}$-module generating $\mathrm{End}_0(E)$ over $\mathbb{Q}$. In other words End(E) is an order in the division algebra $\mathrm{End}_0(E)$.

Theorem 7.14. There are the following possibilities for the order End(E):

(i) $\mathrm{End}(E) = \mathbb{Z}$;

(ii) $\mathrm{End}(E) = \mathbb{Z} + m\mathcal{O}_k$, where $m \in \mathbb{Z}$, $m \not\equiv 0 \bmod (p)$, $\mathcal{O}_k$ being the maximal order in the imaginary quadratic field $k = \mathrm{End}_0(E)$ (in this case m is called the conductor of End(E));

(iii) End(E) is a maximal order in the quaternion algebra $\mathrm{End}_0(E)$.

Proof: See Lang [108, Ch. 13, §1 and §2], or Silverman [177, III, §9]. •

Automorphisms
Theorem 7.14 makes it possible to determine the group $\mathrm{Aut}_0(E)$ of automorphisms of an elliptic curve E as an algebraic group (i.e., of those preserving the initial point $x_0$) which is isomorphic to the group $\mathrm{End}^*(E)$ of units of End(E).

Theorem 7.15. Let E be an elliptic curve over k. Then

(i) if $j(E) \ne 0$ or 1728 then $\mathrm{Aut}_0(E) = \{\pm 1\}$;

(ii) for $p = \operatorname{char} k \ne 2, 3$ one has: if j(E) = 0 then $\mathrm{Aut}_0(E) = U_6$, and if j(E) = 1728 then $\mathrm{Aut}_0(E) = U_4$, where $U_n = \{\zeta \in \mathbb{C}^* \mid \zeta^n = 1\}$ is the cyclotomic group of order n;

(iii) if p = 2 and j(E) = 0 = 1728 then $\mathrm{Aut}_0(E) = SL_2(\mathbb{F}_3)$ is of order 24;

(iv) if p = 3 and j(E) = 0 = 1728 then $\mathrm{Aut}_0(E)$ is the semi-direct product of $\mathbb{Z}/3\mathbb{Z}$ by $\mathbb{Z}/4\mathbb{Z}$ of order 12.

Proof: See Hartshorne [73, p. 321], Lang [108, Appendix 1] or Exercise 7.1. •
Note that Theorem 7.15 also gives a description of Aut(E) since the group Aut(E) of automorphisms of the curve E is a semi-direct product of E(k) by $\mathrm{Aut}_0(E)$. One has the following "mass-formula" of Eichler and Deuring (see Husemöller [81, Ch. 13, §4]):
$$\sum |\mathrm{Aut}(E)|^{-1} = \frac{p-1}{24},$$
where the sum is taken over the set of isomorphism classes of supersingular curves in characteristic p > 0.
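Theorem 7.10 and the mass formula can be checked numerically for small odd p. The Python code below is an added example, not taken from the book: it finds the roots of (7.8) in $\mathbb{F}_{p^2}$, collects their j-invariants, compares the count with $\lfloor p/12 \rfloor + \delta_p$, and sums $1/|\mathrm{Aut}_0(E)|$ with the orders from Theorem 7.15. Assumptions made here: all function names, the model of $\mathbb{F}_{p^2}$ as $\mathbb{F}_p[t]/(t^2 - n)$, the standard Legendre-form expression $j = 256(\lambda^2-\lambda+1)^3/(\lambda^2(\lambda-1)^2)$, and the standard facts that every root of (7.8) lies in $\mathbb{F}_{p^2}$ and that a curve over $\mathbb{F}_p$ is supersingular exactly when $|E(\mathbb{F}_p)| \equiv 1 \bmod p$.

```python
from fractions import Fraction
from math import comb

def hasse_coeffs(p):
    """Coefficients C(s,i)^2 of the polynomial in (7.8), reduced mod p."""
    s = (p - 1) // 2
    return [comb(s, i) ** 2 % p for i in range(s + 1)]

def nonresidue(p):
    """Smallest quadratic non-residue n mod p; F_{p^2} = F_p[t]/(t^2 - n)."""
    return next(n for n in range(2, p) if pow(n, (p - 1) // 2, p) == p - 1)

def mul(x, y, p, n):
    """Product of x = x0 + x1*t and y = y0 + y1*t in F_{p^2}."""
    return ((x[0] * y[0] + n * x[1] * y[1]) % p,
            (x[0] * y[1] + x[1] * y[0]) % p)

def inv(x, p, n):
    """Inverse in F_{p^2} via the norm x0^2 - n*x1^2 (non-zero for x != 0)."""
    d = pow((x[0] * x[0] - n * x[1] * x[1]) % p, -1, p)
    return (x[0] * d % p, -x[1] * d % p)

def hasse_value(lam, p, n):
    """Left-hand side of (7.8) at lam in F_{p^2}, by Horner's rule."""
    acc = (0, 0)
    for c in reversed(hasse_coeffs(p)):
        acc = mul(acc, lam, p, n)
        acc = ((acc[0] + c) % p, acc[1])
    return acc

def j_invariant(lam, p, n):
    """j of v^2 = u(u-1)(u-lam) (standard formula, assumed here)."""
    lam2 = mul(lam, lam, p, n)
    a = ((lam2[0] - lam[0] + 1) % p, (lam2[1] - lam[1]) % p)  # lam^2 - lam + 1
    lm1 = ((lam[0] - 1) % p, lam[1])                          # lam - 1
    num = mul(a, mul(a, a, p, n), p, n)
    den = mul(lam2, mul(lm1, lm1, p, n), p, n)
    q = mul(num, inv(den, p, n), p, n)
    return (256 * q[0] % p, 256 * q[1] % p)

def supersingular_j_invariants(p):
    """Set of j-invariants of supersingular Legendre curves, p an odd prime."""
    n = nonresidue(p)
    found = set()
    for a in range(p):
        for b in range(p):
            lam = (a, b)
            if lam in ((0, 0), (1, 0)):      # lam = 0, 1 give singular cubics
                continue
            if hasse_value(lam, p, n) == (0, 0):
                found.add(j_invariant(lam, p, n))
    return found

def predicted_class_count(p):
    """floor(p/12) + delta_p from Theorem 7.10."""
    if p == 3:
        return 1
    return p // 12 + {1: 0, 5: 1, 7: 1, 11: 2}[p % 12]

def aut_order(j, p):
    """|Aut_0(E)| from Theorem 7.15, for odd p."""
    if p == 3:
        return 12                            # only j = 0 = 1728 is supersingular
    if j == (0, 0):
        return 6
    if j == (1728 % p, 0):
        return 4
    return 2

def mass(p):
    """Left-hand side of the mass formula, summed over supersingular j."""
    return sum(Fraction(1, aut_order(j, p)) for j in supersingular_j_invariants(p))

def points_on_legendre_curve(lam, p):
    """|E(F_p)| for v^2 = u(u-1)(u-lam), lam in F_p, point at infinity included."""
    s = (p - 1) // 2
    total = 1
    for u in range(p):
        f = u * (u - 1) * (u - lam) % p
        total += 1 if f == 0 else (2 if pow(f, s, p) == 1 else 0)
    return total

if __name__ == "__main__":
    for p in (3, 5, 7, 11, 13, 17, 19, 23):
        js = sorted(supersingular_j_invariants(p))
        print(p, js, predicted_class_count(p), mass(p), Fraction(p - 1, 24))
```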

7.4. ELLIPTIC CURVES OVER FINITE FIELDS

The theory of elliptic curves outlined above concerns the case of an algebraically closed ground field, while we are mainly interested in elliptic curves over a finite field $k = \mathbb{F}_q$ with $q = p^\nu$ elements. To study this case one should make some changes in the theory. The definition of an elliptic curve over a finite field is the same as in the case of an algebraically closed field, except that we need to check that an elliptic curve has at least one $\mathbb{F}_q$-rational point. This follows from Theorem 6.1, since
$$|E(\mathbb{F}_q)| \ge q + 1 - 2\sqrt{q} = (\sqrt{q} - 1)^2 > 0$$
and hence $|E(\mathbb{F}_q)| \ge 1$. Let $x_0 \in E(\mathbb{F}_q)$. If we consider $x_0$ as the zero element, we obtain a group structure on the finite set $E(\mathbb{F}_q)$. Moreover, using the Riemann-Roch theorem which is valid over an arbitrary ground field, we can write down an equation of E in the form

$$v^2 + a_1 uv + a_3 v = u^3 + a_2 u^2 + a_6.$$

We have seen above that for an algebraically closed ground field, the j-invariant classifies isomorphism classes of elliptic curves. This is not the case over a finite field (nor for the most part over non-closed fields). From Theorem 7.15 one can deduce:
Proposition 7.16. Let j(E) = j(E'). Then E and E' are isomorphic over a finite extension K of the ground field k such that [K : k] divides 24. More precisely, we have:
(i) If $p = \operatorname{char} k \ne 2, 3$ then [K : k] divides 4 or 6.
(ii) If $j(E) \ne 0$ or 1728 then [K : k] = 1 or 2.
Note also that there exist elliptic curves E and E' over $\mathbb{F}_q$ such that $j(E) = j(E') \in \mathbb{F}_q$ and $\mathrm{Hom}_{\mathbb{F}_q}(E, E') = 0$, i.e., E and E' are not isogenous over $\mathbb{F}_q$.

Theorem 7.17. Let E and E' be elliptic curves over a finite field $\mathbb{F}_q$. Then E is isogenous to E' if and only if $|E(\mathbb{F}_q)| = |E'(\mathbb{F}_q)|$.

Endomorphisms
Elliptic curves over finite fields have an abundant set of endomorphisms. To be more precise, let $\mathrm{End}_{\mathbb{F}_q}(E)$ be the subring of End(E) which is formed by morphisms defined over $\mathbb{F}_q$.

Proposition 7.18. $\mathrm{End}_{\mathbb{F}_q}(E) \ne \mathbb{Z}$.

Proof: We prove this proposition for ordinary curves and supersingular curves E with $j(E) \in \mathbb{F}_p$. Indeed, let $q = p^\nu$ and let $f^\nu : E \to E^q$ be the $\nu$-th power of the Frobenius morphism $f = f_p$. Since E is defined over $\mathbb{F}_q$, $E^q = E$ and hence $f^\nu \in \mathrm{End}_{\mathbb{F}_q}(E)$. If E is an ordinary curve then $f^\nu \notin \mathbb{Z}$, since no $N \in \mathbb{Z}$ is purely inseparable. If E is defined over $\mathbb{F}_p$ then $\nu = 1$ and $f \notin \mathbb{Z}$ since its degree equals p (the degree of $N \in \mathbb{Z}$ equals $N^2$). For supersingular curves E with $j(E) \notin \mathbb{F}_p$ one needs a slightly more elaborate argument. •
Therefore $\mathrm{End}_{\mathbb{F}_q}(E)$ contains an order in an imaginary quadratic field.

The Structure of E(Fq)


It is possible to describe all the possible types of the groups $E(\mathbb{F}_q)$ of $\mathbb{F}_q$-rational points of the elliptic curves E defined over $\mathbb{F}_q$. We begin with a description of their order (note that $E(\mathbb{F}_q) \subseteq E_N \simeq \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$, where $N = |E(\mathbb{F}_q)|$).
By Theorem 5.14, the zeta-function Z(E, t) of an elliptic curve E over $\mathbb{F}_q$ is of the form
$$Z(E,t) = \frac{1 + ut + qt^2}{(1-t)(1-qt)},$$

where $u \in \mathbb{Z}$ and $|E(\mathbb{F}_q)| = q + 1 + u$.


Theorem 7.19. The set of isogeny classes of elliptic curves over $\mathbb{F}_q$ is in a natural bijection with the set of integers u satisfying $|u| \le 2\sqrt{q}$ and one of the following conditions ($p = \operatorname{char} \mathbb{F}_q$):

(i) $(q, u) = 1$;
(ii) q is a square and $u = \pm 2\sqrt{q}$;
(iii) q is a square, $p \not\equiv 1 \bmod (3)$, and $u = \pm\sqrt{q}$;
(iv) q is not a square, p = 2 or 3, and $u = \pm\sqrt{pq}$;
(v) q is not a square and u = 0;
(vi) q is a square, $p \not\equiv 1 \bmod (4)$, and u = 0.

Moreover, $|E(\mathbb{F}_q)| = q + 1 + u$ for any curve E from the isogeny class which corresponds to u.

Proof: See Waterhouse [222].


Now we can give a description of all possible types of groups $E(\mathbb{F}_q)$.

Theorem 7.20. A group $G_N$ of order $N = q + 1 + u$ is isomorphic to $E(\mathbb{F}_q)$ for some elliptic curve E over $\mathbb{F}_q$ if and only if one of the following conditions holds ($p = \operatorname{char} \mathbb{F}_q$):

(i) $(q, u) = 1$, $|u| \le 2\sqrt{q}$ and $G_N \simeq \mathbb{Z}/l\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$, where $m \mid l$ and $m \mid (u - 2)$;
(ii) q is a square, $u = \pm 2\sqrt{q}$, and $G_N \simeq \mathbb{Z}/l\mathbb{Z} \times \mathbb{Z}/l\mathbb{Z}$, where $l = \sqrt{q} \pm 1$;

(iii) q is a square, $p \not\equiv 1 \bmod (3)$, $u = \pm\sqrt{q}$, and $G_N$ is cyclic;

(iv) q is not a square, p = 2 or 3, $u = \pm\sqrt{pq}$, and $G_N$ is cyclic;
(v) q is not a square and $p \not\equiv 3 \bmod (4)$, or q is a square and $p \not\equiv 1 \bmod (4)$, u = 0, and $G_N$ is cyclic;

(vi) q is not a square, $p \equiv 3 \bmod (4)$, u = 0, and $G_N$ is either cyclic or $G_N \simeq \mathbb{Z}/m\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$, where $m = (q+1)/2$.

Proof: See Schoof [161], Tsfasman [205] or Voloch [218].
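The list of Theorem 7.19 is easy to turn into a filter on candidate group orders $q + 1 + u$. The Python code below is an added example, not from the book: `admissible_u` implements conditions (i)-(vi) for any prime power q, and `u_values_over_prime_field` cross-checks the result for primes $p \ge 5$ by counting points on every non-singular curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$. The function names and the short Weierstrass model used for the enumeration are assumptions made here.

```python
from math import gcd, isqrt

def prime_power(q):
    """Return (p, n) with q = p**n, or raise ValueError."""
    p = next(d for d in range(2, q + 1) if q % d == 0)
    n, r = 0, q
    while r % p == 0:
        r //= p
        n += 1
    if r != 1:
        raise ValueError("q must be a prime power")
    return p, n

def admissible_u(q):
    """Integers u with |u| <= 2*sqrt(q) allowed by (i)-(vi) of Theorem 7.19."""
    p, n = prime_power(q)
    square = n % 2 == 0
    root_q = isqrt(q)                # exact square root when q is a square
    bound = isqrt(4 * q)             # |u| <= 2*sqrt(q)  <=>  u*u <= 4*q
    allowed = {u for u in range(-bound, bound + 1)
               if gcd(q, abs(u)) == 1}                 # (i)
    if square:
        allowed |= {2 * root_q, -2 * root_q}           # (ii)
        if p % 3 != 1:
            allowed |= {root_q, -root_q}               # (iii)
        if p % 4 != 1:
            allowed.add(0)                             # (vi)
    else:
        if p in (2, 3):
            r = p ** ((n + 1) // 2)                    # sqrt(p*q)
            allowed |= {r, -r}                         # (iv)
        allowed.add(0)                                 # (v)
    return allowed

def u_values_over_prime_field(p):
    """Map u = |E(F_p)| - (p + 1) to the number of curves
    y^2 = x^3 + a*x + b over F_p with that u (p >= 5 prime)."""
    chi = [-1] * p                   # quadratic character of F_p
    chi[0] = 0
    for x in range(1, p):
        chi[x * x % p] = 1
    seen = {}
    for a in range(p):
        for b in range(p):
            if (4 * a ** 3 + 27 * b * b) % p == 0:
                continue             # singular cubic, not an elliptic curve
            # affine points: sum over x of (1 + chi(f(x))); add the point at infinity
            u = sum(chi[(x ** 3 + a * x + b) % p] for x in range(p))
            seen[u] = seen.get(u, 0) + 1
    return seen

if __name__ == "__main__":
    for q in (5, 7, 8, 16, 25, 49):
        print(q, sorted(admissible_u(q)))
    print(sorted(u_values_over_prime_field(7).items()))
```

By Theorem 7.17 the keys returned by `u_values_over_prime_field(p)` are exactly the isogeny classes over $\mathbb{F}_p$, so their number equals `len(admissible_u(p))`.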



7.5. ELLIPTIC FUNCTIONS

It is difficult to discuss elliptic curves without bringing in the theory of elliptic functions of a complex variable. This classical topic from complex analysis gives an insight into the theory of elliptic curves over $\mathbb{C}$ which cannot be matched by purely algebraic techniques.
Let $\Lambda$ be a lattice in $\mathbb{C}$, i.e., a free subgroup in $\mathbb{C}$ of rank 2 which generates $\mathbb{C}$ over $\mathbb{R}$. Therefore if $\Lambda = \mathbb{Z}\omega_1 + \mathbb{Z}\omega_2$ then $\tau = \omega_1/\omega_2 \notin \mathbb{R}$. Without loss of generality we can assume that $\operatorname{Im} \tau > 0$ and that $\Lambda = \mathbb{Z}\tau + \mathbb{Z}$.
An elliptic function with the period lattice $\Lambda$ is a meromorphic function f(z) of the complex variable z such that $f(z + \omega) = f(z)$ for all $\omega \in \Lambda$.
Because of the periodicity, an elliptic function is determined if one knows its values on a single period parallelogram such as

$$\{\alpha\tau + \beta \mid \alpha, \beta \in \mathbb{R},\ 0 \le \alpha, \beta < 1\}.$$

An example of an elliptic function is the Weierstrass $\wp$-function defined by

$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda \setminus \{0\}} \left( \frac{1}{(z-\omega)^2} - \frac{1}{\omega^2} \right).$$

One shows that this series converges at all $z \notin \Lambda$, thus giving a meromorphic function having a double pole at the points of $\Lambda$, and which is elliptic. Its derivative

$$\wp'(z) = -2 \sum_{\omega \in \Lambda} \frac{1}{(z-\omega)^3}$$

is another elliptic function. If one adds, subtracts, multiplies, or divides two elliptic functions with period lattice $\Lambda$, one gets another such function. Hence the elliptic functions for a given $\Lambda$ form a field.

Theorem 7.21. The field of elliptic functions for given lattice $\Lambda$ is generated over $\mathbb{C}$ by the Weierstrass $\wp$-function and its derivative $\wp'$. They satisfy the algebraic relation

where

Proof: See Lang [108, pp. 8-11], Husemöller [81, Ch. 9, §4], or Exercise 7.11. •
Thus if we define a map $\varphi : \mathbb{C} \to \mathbb{P}^2(\mathbb{C})$ by sending $z \mapsto (\wp(z), \wp'(z))$ in affine coordinates, we obtain a holomorphic map whose image lies inside the curve E with the equation
$$v^2 = 4u^3 - g_2 u - g_3.$$
In fact, $\varphi$ induces a bijection between $\mathbb{C}/\Lambda$ and E, and E is non-singular, and hence is an elliptic curve. Under this map the field of elliptic functions is identified with the function field on the curve E. Thus for any elliptic function, we can speak of its divisor $\sum a_j \cdot z_j$ with $z_j \in \mathbb{C}/\Lambda$.

Theorem 7.22. Given distinct points $z_1, \ldots, z_m \in \mathbb{C}/\Lambda$, and given integers $a_1, \ldots, a_m$, a necessary and sufficient condition that there exists an elliptic function f with divisor $(f) = \sum a_j \cdot z_j$ is that $\sum a_j = 0$ and $\sum a_j \cdot z_j = 0$ in the group $\mathbb{C}/\Lambda$.

Proof: See Lang [108, pp. ~7].

In particular, this says that $z_1 + z_2 \equiv z_3 \bmod (\Lambda)$ if and only if there is an elliptic function with zeroes at $z_1$ and $z_2$, and poles at $z_3$ and 0. Since this function is a rational function on the curve E, this says that $\varphi(z_1) + \varphi(z_2) \sim \varphi(z_3) + \varphi(0)$ as divisors on E. If we let $x_0 = \varphi(0)$, which is the point at infinity on the v-axis, and give E the group structure with origin $x_0$, this says that $\varphi(z_1) + \varphi(z_2) = \varphi(z_3)$ in the group structure on E. In other words, $\varphi$ gives a group isomorphism between $\mathbb{C}/\Lambda$ under addition, and E with the above-mentioned group law.

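Theorem 7.23. Given $g_2, g_3 \in \mathbb{C}$, with $\Delta = g_2^3 - 27g_3^2 \ne 0$, there exists a $\tau \in \mathbb{C}$, $\tau \notin \mathbb{R}$, such that the lattice $\Lambda(\tau, 1)$ gives $g_2, g_3$ by the formulas

$$g_2 = 60 \sum_{\omega \in \Lambda \setminus \{0\}} \frac{1}{\omega^4} \quad \text{and} \quad g_3 = 140 \sum_{\omega \in \Lambda \setminus \{0\}} \frac{1}{\omega^6}.$$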

Proof: See Lang [108, p. 39].


This shows that every elliptic curve over $\mathbb{C}$ arises in this way. Indeed, if E is any elliptic curve, we can embed E in $\mathbb{P}^2$ to have an equation of the form $v^2 = u(u-1)(u-\lambda)$, with $\lambda \ne 0, 1$. By a linear change of variable in u, one can bring this into the form $v^2 = 4u^3 - g_2 u - g_3$, with $g_2 = (\sqrt[3]{4}/3)(\lambda^2 - \lambda + 1)$ and $g_3 = (1/27)(\lambda + 1)(2\lambda^2 - 5\lambda + 2)$. Then $\Delta = \lambda^2(\lambda - 1)^2 \ne 0$. Another way to see this is to observe that an elliptic curve over $\mathbb{C}$ is a compact complex Lie group of dimension 1, and is therefore a torus of the form $\mathbb{C}/\Lambda$ for some lattice $\Lambda$.
Next we define $J(\tau) = g_2^3/\Delta$. Then the j-invariant of E which we defined earlier is just $j = 1728 J(\tau)$. Thus $J(\tau)$ classifies the curves E up to isomorphism.

Theorem 7.24. Let $\tau, \tau'$ be two complex numbers. Then $J(\tau) = J(\tau')$ if and only if there are integers $a, b, c, d \in \mathbb{Z}$ with $ad - bc = \pm 1$ and
$$\tau' = \frac{a\tau + b}{c\tau + d}.$$
Furthermore, for any given $\tau'$, there is a unique $\tau$ with $J(\tau) = J(\tau')$ such that $\tau$ lies in the region F (fundamental domain) defined by

$$-1/2 \le \operatorname{Re} \tau < 1/2$$

and

if $\operatorname{Re} \tau \le 0$
if $\operatorname{Re} \tau > 0$

Proof: See Lang [108, p. 39].


Now we deduce some consequences from this theory.

Theorem 7.25. Let E be an elliptic curve over $\mathbb{C}$. Then as an abstract group, E is isomorphic to $\mathbb{R}/\mathbb{Z} \times \mathbb{R}/\mathbb{Z}$. In particular, for any $N \ge 1$, the subgroup of points of order N is isomorphic to $\mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$.

Proof: We have seen that E is isomorphic as a group to $\mathbb{C}/\Lambda$, which in turn is isomorphic to $\mathbb{R}/\mathbb{Z} \times \mathbb{R}/\mathbb{Z}$. The points of order N are represented by $\frac{a}{N}\tau + \frac{b}{N}$ with $a, b = 0, 1, \ldots, N - 1$. The points, whose coordinates are not rational combinations of 1 and $\tau$, are of infinite order. •
This theorem implies Proposition 7.7 for complex elliptic curves.
Corollary 7.26. The morphism of multiplication by N, $N_E : E \to E$, is a finite morphism of degree $N^2$.

Proof: Since it is separable and a group homomorphism, its degree is the order of the kernel, which is $N^2$. •
Now we investigate the ring of endomorphisms End(E) of the elliptic curve E determined by the elliptic functions with periods 1 and $\tau$.
Proposition 7.27. There is a one-to-one correspondence between endomorphisms $f \in \mathrm{End}(E)$ and complex numbers $\alpha \in \mathbb{C}$ such that $\alpha\Lambda \subseteq \Lambda$. This correspondence gives an injective ring homomorphism of End(E) to $\mathbb{C}$.

Proof: Since $f \in \mathrm{End}(E)$ is a group homomorphism, under the identification of E with $\mathbb{C}/\Lambda$ it gives a group homomorphism $f' : \mathbb{C} \to \mathbb{C}$, such that $f'(\Lambda) \subseteq \Lambda$. On the other hand, since f is a morphism, the induced map $f' : \mathbb{C} \to \mathbb{C}$ is holomorphic. Now expanding $f'$ as a power series in a neighborhood of the origin, and expressing the fact that $f'(z + u) = f'(z) + f'(u)$ for any u and z there, we see that $f'$ must be multiplication by some complex number $\alpha$.
Conversely, given $\alpha \in \mathbb{C}$, such that $\alpha\Lambda \subseteq \Lambda$, the multiplication by $\alpha$ induces a group homomorphism $f : \mathbb{C}/\Lambda \to \mathbb{C}/\Lambda$. The map f is holomorphic, hence it is in fact a morphism of E to itself. It is clear under this correspondence that the ring operations of End(E) correspond to addition and multiplication of the corresponding complex numbers $\alpha$. •
Let E be an elliptic curve over $\mathbb{C}$. We say that it has complex multiplication if the ring End(E) is strictly larger than $\mathbb{Z}$.
Theorem 7.28. If E has complex multiplication, then $\tau \in \mathbb{Q}(\sqrt{-d})$ for some square-free integer $d \ge 1$, and in that case, End(E) is a subring ($\ne \mathbb{Z}$) of the ring of integers $\mathbb{Z}_k$ of the field $k = \mathbb{Q}(\sqrt{-d})$. Conversely, if $\tau = r + s\sqrt{-d}$, with $r, s \in \mathbb{Q}$, then E has complex multiplication, and in fact

$$\mathrm{End}(E) = \{a + b\tau \mid a, b \in \mathbb{Z} \text{ and } 2rb \in \mathbb{Z},\ b(r^2 + ds^2) \in \mathbb{Z}\}.$$

Proof: For given $\tau$ we can determine End(E) as the set of all $\alpha \in \mathbb{C}$ such that $\alpha\Lambda \subseteq \Lambda$. A necessary and sufficient condition for $\alpha\Lambda \subseteq \Lambda$ is that there exist integers a, b, l, m such that

$$\alpha = a + b\tau \quad \text{and} \quad \alpha\tau = l + m\tau.$$

If $\alpha \in \mathbb{R}$, then $\alpha \in \mathbb{Z}$, and we see that $\mathrm{End}(E) \cap \mathbb{R} = \mathbb{Z}$. On the other hand, if E has complex multiplication, then there is an $\alpha \notin \mathbb{Z}$, and in this case, $b \ne 0$. Eliminating $\alpha$ from these equations, we find that
$$b\tau^2 + (a - m)\tau - l = 0,$$
which shows that $\tau$ lies in a quadratic extension of $\mathbb{Q}$. Since $\tau \notin \mathbb{R}$, it must be an imaginary extension, so $\tau \in \mathbb{Q}(\sqrt{-d})$ for some square-free $d \in \mathbb{Z}$, $d \ge 1$. Eliminating $\tau$ from the same equations, we find that

$$\alpha^2 - (a - m)\alpha + (am - bl) = 0,$$

which shows that $\alpha$ is integral over $\mathbb{Z}$. Therefore End(E) must be a subring of the ring of integers of the field $k = \mathbb{Q}(\sqrt{-d})$.
Conversely, suppose $\tau = r + s\sqrt{-d}$ with $r, s \in \mathbb{Q}$. Then we can determine End(E) as the set of all $\alpha = a + b\tau$, with $a, b \in \mathbb{Z}$, such that $\alpha\tau \in \Lambda$. Since $\alpha\tau = a\tau + b\tau^2$, we must have $b\tau^2 \in \Lambda$. Now
$$\tau^2 = r^2 - ds^2 + 2rs\sqrt{-d},$$
which can be written
$$\tau^2 = -(r^2 + ds^2) + 2r\tau.$$
So in order to have $b\tau^2 \in \Lambda$ we must have $2br \in \mathbb{Z}$ and $b(r^2 + ds^2) \in \mathbb{Z}$. These conditions are necessary and sufficient so we get the required expression for End(E). In particular, End(E) is strictly larger than $\mathbb{Z}$, so E has complex multiplication. •

Corollary 7.29. There are only countably many values of $j \in \mathbb{C}$ for which the corresponding elliptic curve E has complex multiplication.

Proof: Indeed, there are only countably many elements of all quadratic extensions of $\mathbb{Q}$. •
For a more detailed treatment of the deep theory of elliptic curves we refer the reader to Silverman and Tate [178], Husemöller [81], Koblitz [96], Lang [108] and Silverman [177].

EXERCISES

7.1. Let the elliptic curve E be embedded in $\mathbb{P}^2$ so as to have the equation $v^2 = u(u-1)(u-\lambda)$. Show that any automorphism of E leaving $x_0 = (0, 1, 0)$ fixed is induced by an automorphism of $\mathbb{P}^2$ coming from the automorphism of the affine (u, v)-plane given by
$$u' = au + b, \quad v' = cv.$$
Describe these automorphisms of $\mathbb{P}^2$ explicitly and prove Theorem 7.15 for $p = \operatorname{char} k \ne 2$.

7.2. Let E be an elliptic curve in $\mathbb{P}^2$ given by an equation of the form

Show that the j-invariant is a rational function of the $a_i$ with coefficients in $\mathbb{Q}$. In particular, if the $a_i$ are all in some field $k_0 \subset k$, then $j \in k_0$ also. Furthermore, for every $\alpha \in k_0$ there exists an elliptic curve defined over $k_0$, with the j-invariant equal to $\alpha$.
7.3. Let $f : E \to E'$ be an isogeny of elliptic curves E and E' defined over an algebraically closed field k. Show that:

(a) f is a group homomorphism of E(k) into E'(k);
(b) if f is a non-zero isogeny then Ker f is a finite subgroup of E(k);
(c) if G is a finite subgroup of E(k), there is a unique elliptic curve E' and a separable isogeny $f : E \to E'$ such that Ker f = G;
(d) the isogeny is an equivalence relation;
(e) for any elliptic curve E the set of elliptic curves E' isogenous to E, up to isomorphism, is countable. (Hint: E' is uniquely determined by E and Ker f.)

7.4. Let E be an elliptic curve over a field k of characteristic p > 0 and let $p \nmid N$. Show that $E_N \simeq \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$. (Hint: Study the case of a prime N and then use induction on the number of divisors of N.)
7.5. Let f be an isogeny of elliptic curves E and E' of degree $N = N'N''$, where $N'$ and $N''$ are coprime. Show that there exist isogenies $f'$ and $f''$ such that $f = f' \cdot f''$, $\deg f' = N'$ and $\deg f'' = N''$.
7.6. Let $E : v^2 + v = u^3 + u$ and $E' : v^2 + v = u^3$ be elliptic curves over $\mathbb{F}_2$. Show that:
(a) j(E) = j(E') = 0;
(b) E and E' are not isomorphic over $\mathbb{F}_2$ and $\mathbb{F}_{2^2}$;
(c) E and E' are not isomorphic over $\mathbb{F}_{2^4}$, but they are isomorphic over $\mathbb{F}_{2^8}$.

7.7. Let $E : v^2 + v = u^3 + u$ and $E'' : v^2 + v = u^3 + u + 1$ be elliptic curves over $\mathbb{F}_2$. Show that j(E) = j(E''). Compute $|E(\mathbb{F}_{2^\nu})|$ and $|E''(\mathbb{F}_{2^\nu})|$ for all $\nu \ge 1$. Find the least field over which E and E'' are isomorphic.
7.8. Find all elliptic curves over $\mathbb{F}_3$ up to isomorphism over $\mathbb{F}_3$. Show that there are four with j = 1 or -1 and four with j = 0. Determine their groups of points over $\mathbb{F}_{3^2}$ and which ones are isomorphic over $\mathbb{F}_{3^2}$.
7.9. Show that the series

$$\wp(z) = \frac{1}{z^2} + \sum_{\omega \in \Lambda \setminus \{0\}} \left( \frac{1}{(z-\omega)^2} - \frac{1}{\omega^2} \right)$$
converges absolutely and uniformly on any compact C such that $C \cap \Lambda = \emptyset$.

7.10. Show that the Weierstrass $\wp$-function is an elliptic function with the period lattice $\Lambda$ which has a double pole at any $\omega \in \Lambda$ and no other poles. Show also that its derivative
$$\wp'(z) = -2 \sum_{\omega \in \Lambda} \frac{1}{(z-\omega)^3}$$
is an odd elliptic function with the period lattice $\Lambda$ which has a pole of order 3 at any $\omega \in \Lambda$ and no other poles.
7.11. Prove Theorem 7.21. (Hint: Consider expansions of $\wp(z)$ and $\wp'(z)$ into Laurent series at the origin.)
7.12. Let E be an elliptic curve over $\mathbb{C}$, defined by the elliptic functions with periods 1 and $\tau$. Let End(E) be the ring of endomorphisms of E. Show that:

(a) if $f \in \mathrm{End}(E)$ is a non-zero endomorphism corresponding to complex multiplication by $\alpha$, then $\deg f = |\alpha|^2$;
(b) if $f \in \mathrm{End}(E)$ corresponds to $\alpha \in \mathbb{C}$ again then the dual endomorphism $f^*$ corresponds to the complex conjugate $\bar{\alpha}$ of $\alpha$;
(c) if $\tau \in \mathbb{Q}(\sqrt{-d})$ happens to be integral over $\mathbb{Z}$ then $\mathrm{End}(E) = \mathbb{Z}[\tau]$.
Chapter 8

Classical Modular Curves

This chapter contains an analytical description of classical modular curves and introduces the Hecke theory of modular forms which later on will be used for the study of arithmetical properties of modular curves of a special form.

8.1. CONGRUENCE SUBGROUPS

Denote by H the Poincaré upper half-plane of the complex plane $\mathbb{C}$:

$$H = \{z \in \mathbb{C} \mid \operatorname{Im} z > 0\}.$$


The modular group

operates naturally on H (on the left) via linear fractional transformations

$$\gamma(z) = \frac{az + b}{cz + d}.$$

The element $-I = \begin{pmatrix} -1 & 0 \\ 0 & -1 \end{pmatrix}$ operates trivially, so under the action of $\Gamma(1)$ on H we can identify $\Gamma(1)$ with the factor group

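Every elliptic curve E over $\mathbb{C}$ corresponds to a complex torus $\mathbb{C}/\Lambda_z$, with $\Lambda_z = \mathbb{Z}z + \mathbb{Z}$, $z \in H$, and $\mathbb{C}/\Lambda_z$, $\mathbb{C}/\Lambda_{z'}$ are isomorphic if and only if there exists $\gamma \in \Gamma(1)$ with $z' = \gamma(z)$. Under this action of $\Gamma(1)$ on H, we can identify $\Gamma(1)\backslash H$ with isomorphism classes of elliptic curves over $\mathbb{C}$. Such a space is called a moduli space for elliptic curves. From now on we are interested in moduli spaces of more general form, called modular curves, which are closely related to the existence of $\mathbb{Q}$-rational points of finite order on elliptic curves.
First we consider the following subgroups of $\Gamma(1)$. Given a positive integer N we put

$$\Gamma(N) = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1) \;\middle|\; \begin{pmatrix} a & b \\ c & d \end{pmatrix} \equiv \begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} \pmod N \right\},$$

$$\Gamma_0(N) = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1) \;\middle|\; \begin{pmatrix} a & b \\ c & d \end{pmatrix} \equiv \begin{pmatrix} * & * \\ 0 & * \end{pmatrix} \pmod N \right\},$$

$$\Gamma_1(N) = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1) \;\middle|\; \begin{pmatrix} a & b \\ c & d \end{pmatrix} \equiv \begin{pmatrix} 1 & * \\ 0 & 1 \end{pmatrix} \pmod N \right\}.$$

The group $\Gamma(N)$ is called the principal congruence subgroup of level N. Clearly $\Gamma(N) \subset \Gamma_1(N) \subset \Gamma_0(N) \subset \Gamma(1)$ for N > 1.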

Proposition 8.1. There are natural group isomorphisms

$$\Gamma(1)/\Gamma(N) \simeq SL_2(\mathbb{Z}/N\mathbb{Z})$$

and
fo(N)/f(N)":; { (~ a~') E f(I)}.
In particular, $\Gamma(N)$ is normal in $\Gamma(1)$ and $\Gamma_1(N)$ is a normal subgroup of $\Gamma_0(N)$.

Corollary 8.2. For any integer N > 1, we have:

(i) $[\Gamma(1) : \Gamma(N)] = N^3 \prod_{p \mid N} (1 - p^{-2})$;

(ii) $[\Gamma(1) : \Gamma_0(N)] = N \prod_{p \mid N} (1 + p^{-1})$;

(iii) $[\Gamma(1) : \Gamma_1(N)] = N^2 \prod_{p \mid N} (1 - p^{-2})$.

A subgroup $\Gamma$ of $\Gamma(1)$ is called a congruence subgroup (of level N) if it contains $\Gamma(N)$ for some $N \ge 1$.

Riemann Surface
Suppose that $\Gamma$ is equipped with a discrete topology while H has the usual complex topology. The space $\Gamma\backslash H$ is canonically equipped with a (non-compact) Riemann surface structure. Indeed, let $N \ge 3$ and let $\Gamma_N = \Gamma \cap \Gamma(N)$. The group $\Gamma_N$ contains no elements of finite order and the action of $\Gamma_N$ on H is free, i.e., has no fixed points. Moreover, for every $z \in H$ there exists an open neighborhood $U_z$ homeomorphic to its image $U_z' \subset \Gamma_N\backslash H$. Thus on $\Gamma_N\backslash H$ there exists a unique Riemann surface structure such that homeomorphisms between $U_z$ and $U_z'$ are complex-analytical isomorphisms. Since $\Gamma_N' = \Gamma/\Gamma_N$ is a finite group, we define the Riemann surface $\Gamma\backslash H$ as a factor of $\Gamma_N\backslash H$ over $\Gamma_N'$. Clearly, the Riemann surface structure on $\Gamma\backslash H$ does not depend on the choice of N.

Compactification
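An essential deficiency of the Riemann surface $\Gamma\backslash H$ is that it is not compact. A canonical compactification $\Gamma\backslash H^*$ of the surface $\Gamma\backslash H$ is provided as follows. Consider the set $\mathbb{P}^1(\mathbb{Q}) = \mathbb{Q} \cup \{\infty\}$ consisting of rational numbers and the symbol $\infty$ (or $i \cdot \infty$ in other notations). Each element $r \in \mathbb{P}^1(\mathbb{Q})$ can be written in the form $r = l/n$, with $l, n \in \mathbb{Z}$, and for n = 0 we put $r = \infty$.
The group $\Gamma(1)$ acts naturally on $\mathbb{P}^1(\mathbb{Q})$: if $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$, then $\gamma(r) = \frac{ar + b}{cr + d}$, where $\gamma(\infty) = a/c$ and $\gamma(r) = \infty$ if $cr + d = 0$.
Let $\Gamma\backslash H^* = (\Gamma\backslash H) \cup (\Gamma\backslash \mathbb{P}^1(\mathbb{Q}))$. From Proposition 8.1 it follows that the factor set $\Gamma\backslash \mathbb{P}^1(\mathbb{Q})$ is finite. This set is called the set of cusps of the Riemann surface $\Gamma\backslash H^*$ (or of the group $\Gamma$).
Let us define a complex structure on $\Gamma\backslash H^*$ such that its restriction to the open subset $\Gamma\backslash H$ coincides with the one defined above, complex-analytic neighborhoods of $r \in \mathbb{Q}$ being open discs tangent to the line $\operatorname{Im} z = 0$ at r and neighborhoods of $\infty$ being open half-planes of the form $\operatorname{Im} z > M$.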

Theorem 8.3. The set $\Gamma\backslash H^*$ with the above complex structure is a connected compact Riemann surface.

8.2. THE CURVES $X(N)$, $X_0(N)$ AND $X_1(N)$

If $\Gamma$ is an arbitrary congruence subgroup of $\Gamma(1)$, then there exists a unique (up to isomorphism) smooth projective curve $X_\Gamma$ over $\mathbb{C}$ (see Springer [183]) such that $X_\Gamma$ considered as a Riemann surface is isomorphic to $\Gamma\backslash H^*$, and the Riemann surface $\Gamma\backslash H$ is naturally isomorphic to the smooth affine curve $Y_\Gamma$ over $\mathbb{C}$. We call $X_\Gamma$ and $Y_\Gamma$ modular curves. If $\Gamma$ is a congruence subgroup of level N, then the curves $X_\Gamma$ and $Y_\Gamma$ are called modular curves of level N. We are mostly interested in curves corresponding to the groups $\Gamma = \Gamma(N)$, $\Gamma = \Gamma_0(N)$ and $\Gamma = \Gamma_1(N)$, which are denoted by $X(N)$, $Y(N)$, $X_0(N)$, $Y_0(N)$ and $X_1(N)$, $Y_1(N)$, respectively.

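The group $\Gamma(1)/\Gamma(N) \simeq SL_2(\mathbb{Z}/N\mathbb{Z})$ acts on the curve X(N) (and on Y(N)) according to the usual formula: if $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1)$ and $\bar{z}$ is the image of $z \in H \cup \mathbb{P}^1(\mathbb{Q})$ in X(N), then

$$\gamma : \bar{z} \to \overline{\left( \frac{az + b}{cz + d} \right)}.$$

Since $\Gamma(N)$ is normal in $\Gamma(1)$, the action is well-defined.

The subgroup $\Gamma_0(N)$ is not normal in $\Gamma(1)$. Nevertheless one has: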
Proposition 8.4. If N = mn then the element

$$T_m = \frac{1}{\sqrt{m}} \begin{pmatrix} 0 & 1 \\ -m & 0 \end{pmatrix} \in SL_2(\mathbb{R})$$

lies in the normalizer of $\Gamma_0(N)$ in $SL_2(\mathbb{R})$ and defines an automorphism of $X_0(N)$. Moreover
$$\mathrm{Aut}(X_0(N)) \supseteq (\mathbb{Z}/2\mathbb{Z})^{\sigma_0(N)},$$
where $\sigma_0(N)$ is the number of divisors of N.
Let $i = \sqrt{-1}$ and $\rho = (\sqrt{-3} - 1)/2$. A well-known calculation based on the Hurwitz genus formula for the covering

$$\Gamma_0(N)\backslash H^* \to \Gamma(1)\backslash H^*$$

gives (see Shimura [176, p. 23 and 25] or Miyake [127, §4.2]):


Proposition 8.5. One has
(i) if $N \ge 3$, the genus of X(N) equals

$$g(N) = 1 + \frac{(N - 6)N^2}{24} \prod_{p \mid N} \left( 1 - \frac{1}{p^2} \right);$$

(ii) the genus of $X_0(N)$ equals

$$g_0(N) = 1 + \frac{\mu}{12} - \frac{\nu_2}{4} - \frac{\nu_3}{3} - \frac{\nu_\infty}{2},$$
where $\mu = [\Gamma(1) : \Gamma_0(N)]$, $\nu_\infty = \sum_{d \mid N} \varphi((d, N/d))$ is the number of cusps of $X_0(N)$, $\varphi$ being the Euler phi-function, and $\nu_2$ being the number of non-$\Gamma_0(N)$-equivalent points of H which are $\Gamma(1)$-equivalent to z = i:

if $4 \mid N$
otherwise.

Also, $\nu_3$ is the number of non-$\Gamma_0(N)$-equivalent points of H which are $\Gamma(1)$-equivalent to $\rho$:

if $9 \mid N$
otherwise

(here (-;1) = (-;3) = 0 and (~) for p 2: 3 denotes the quadratic residue
symbol);

(iii) if $N \ge 5$, the genus of $X_1(N)$ equals

The Taniyama-Weil Conjecture


Some modular curves are actually elliptic curves themselves. For example, the curve $X_0(11)$ has genus 1, and it has two cusps defined over $\mathbb{Q}$, one of which can be used to make $X_0(11)$ into an elliptic curve. This curve has a lot of additional structure, due to the fact that it is a modular curve, and it is possible to use that extra information to study the arithmetic of $X_0(11)$. It follows from Proposition 8.5 that the genus of $X_0(N)$ grows with N, so there are only finitely many curves $X_0(N)$ of any given genus. Moreover, we have the following result.

Proposition 8.6. For $N \ge 72$, the curve $X_0(N)$ is not hyperelliptic.
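The genus formula of Proposition 8.5 (ii) and the index formula of Corollary 8.2 (ii) can be evaluated directly. The Python code below is an added example, not from the book; the function names are chosen here. The number of cusps is computed from the formula on this page, while $\nu_2$ and $\nu_3$ are obtained by counting the roots of $x^2 + 1$ and $x^2 + x + 1$ modulo N, a standard characterisation that is assumed here rather than taken from this page; the index is also cross-checked against the number of points of the projective line over $\mathbb{Z}/N\mathbb{Z}$, another standard fact assumed here.

```python
from math import gcd

def prime_divisors(n):
    """Distinct prime divisors of n, in increasing order."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out

def phi(n):
    """Euler phi-function."""
    result = n
    for p in prime_divisors(n):
        result = result // p * (p - 1)
    return result

def index_gamma0(N):
    """mu = [Gamma(1) : Gamma_0(N)] = N * prod_{p | N} (1 + 1/p)."""
    mu = N
    for p in prime_divisors(N):
        mu = mu // p * (p + 1)
    return mu

def index_gamma0_by_counting(N):
    """Same index, counted as |P^1(Z/NZ)|: pairs (c, d) mod N with
    gcd(c, d, N) = 1, taken up to multiplication by units of Z/NZ."""
    pairs = sum(1 for c in range(N) for d in range(N)
                if gcd(gcd(c, d), N) == 1)
    return pairs // phi(N)

def cusps(N):
    """nu_infinity = sum over d | N of phi(gcd(d, N/d))."""
    return sum(phi(gcd(d, N // d)) for d in range(1, N + 1) if N % d == 0)

def nu2(N):
    """Number of x mod N with x^2 + 1 = 0 (points equivalent to i)."""
    return sum(1 for x in range(N) if (x * x + 1) % N == 0)

def nu3(N):
    """Number of x mod N with x^2 + x + 1 = 0 (points equivalent to rho)."""
    return sum(1 for x in range(N) if (x * x + x + 1) % N == 0)

def genus_X0(N):
    """g_0(N) = 1 + mu/12 - nu_2/4 - nu_3/3 - nu_infinity/2, in exact integers."""
    twelve_g = 12 + index_gamma0(N) - 3 * nu2(N) - 4 * nu3(N) - 6 * cusps(N)
    if twelve_g % 12:
        raise ArithmeticError("genus is not an integer")
    return twelve_g // 12

def levels_of_genus(g, limit):
    """All N <= limit for which X_0(N) has genus g."""
    return [N for N in range(1, limit + 1) if genus_X0(N) == g]

if __name__ == "__main__":
    print("genus of X_0(11):", genus_X0(11))
    print("genus 0:", levels_of_genus(0, 100))
    print("genus 1:", levels_of_genus(1, 100))
```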


Let $E/\mathbb{Q}$ be an elliptic curve defined over the rational numbers. In many cases (in particular, if $E/\mathbb{Q}$ is an elliptic curve with complex multiplication), there is a surjective morphism $X_0(N) \to E$ defined over $\mathbb{Q}$. If this happens, we say that E is parameterized at N by modular functions, or that E is a modular elliptic curve. Such elliptic curves have a very rich structure, which can be used to study their arithmetic properties.
Conjecture 8.7 (Taniyama-Weil). Every elliptic curve defined over $\mathbb{Q}$ is a modular elliptic curve.
For a stronger version of the Taniyama-Weil conjecture and its close connection with other conjectures for elliptic curves over $\mathbb{Q}$, see Husemöller [81, Ch. 16, 17] and Silverman [177, Appendix C].

Automorphic Functions
The elements of the function field on $X_\Gamma$, or, in other terms, meromorphic functions on the Riemann surface $\Gamma\backslash H^*$, can be considered as functions on H invariant under $\Gamma$ such that their only singularities are poles. These functions are called automorphic under $\Gamma$.
If $\Gamma = \Gamma(1)$, so that $\Gamma\backslash H^* \simeq \mathbb{P}^1(\mathbb{C})$, then the field of automorphic functions coincides with $\mathbb{C}(j)$, where $j = j(z)$ is the j-invariant of an elliptic curve $E_z(\mathbb{C}) = \mathbb{C}/\Lambda_z$ associated with the lattice $\Lambda_z = \mathbb{Z} \cdot z + \mathbb{Z}$ (see Lang [108, p. 63]). Every such function has a canonical Laurent series expansion in the neighborhood of infinity which is called a t-expansion. Since $T = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix} \in \Gamma(1)$, for any $f \in \mathbb{C}(j)$ and $z \in H$ we have $f(T(z)) = f(z + 1) = f(z)$. If now $t(z) = e^{2\pi i z}$, then $t(T(z)) = t(z)$, and we can take $t = t(z)$ as a local parameter in a neighborhood of infinity.
A local expansion with respect to t of the function f on $\Gamma\backslash H^*$ is called the t-expansion of f:

n=-m
The theory of elliptic functions yields the following result (see Lang [108, p. 45]):
Proposition 8.8. For the t-expansion of $j = j(z)$ we have

$$j(z) = t^{-1} \left( 1 + \sum_{n \ge 0} c(n) t^{n+1} \right),$$

c(n) being integers.

Note that j is normalized (multiplied by 1728) in order to satisfy the proposition.
Now let $\Gamma$ be a congruence subgroup such that $\Gamma \supset \Gamma(N)$. Then

$$T^N = \begin{pmatrix} 1 & N \\ 0 & 1 \end{pmatrix} \in \Gamma(N),$$
so that for any automorphic function f with respect to the subgroup $\Gamma$ we have $f(T^N(z)) = f(z + N) = f(z)$. Therefore each such function in a neighborhood of infinity has a t-expansion of the form

$$f(z) = \sum_{n = -m}^{\infty} a(n) t^{n/N}.$$

Note that $T \in \Gamma_0(N)$, and therefore the functions automorphic under $\Gamma = \Gamma_0(N)$ have expansions in integral powers of t. The field of automorphic functions under $\Gamma_0(N)$ has the following explicit description:
Theorem 8.9. The field of functions automorphic under $\Gamma_0(N)$ coincides with the field $\mathbb{C}(j(z), j(Nz))$.
In particular the function $j_N(z) = j(Nz)$ is invariant under $\Gamma_0(N)$. There exists the canonical involution of the field $\mathbb{C}(j, j_N)$ which corresponds to the element $T_m \in SL_2(\mathbb{R})$. This involution permutes j and $j_N$.

The Modular Equation


Since j(z) and j(Nz) are $\Gamma_0(N)$-invariants they satisfy a relation of the form $F(j(z), j(Nz)) = 0$, F being a polynomial in two variables. Moreover, since all the coefficients of the t-expansions of j(z) and j(Nz) are integers, one can choose F having coefficients in $\mathbb{Z}$. The minimum relation of the form $F(j, u) = 0$ satisfied by $j = j(z)$ and $u = j(Nz)$ is called the modular equation.
Let $A_N$ be the set of all matrices $\alpha = \begin{pmatrix} a & b \\ 0 & d \end{pmatrix}$ with $a, b, d \in \mathbb{Z}$, a > 0, d > 0, ad = N, $0 \le b < d$, (a, b, d) = 1 and let $\alpha(z) = \frac{az + b}{d}$, $\mu(N) = [\Gamma(1) : \Gamma_0(N)]$.
The basic properties of the modular equation can be summed up as follows:

Theorem 8.10. Let

$$\Phi_N(j, u) = \prod_{\alpha \in A_N} (u - j(\alpha(z))).$$

Then

(i) $\Phi_N(j, u) \in \mathbb{Z}[j, u]$ and

$$\Phi_N(j, u) = j^{\mu(N)} + u^{\mu(N)} + \sum_{a, b < \mu(N)} A_{ab}\, j^a u^b;$$

(iii) the polynomial $\Phi_N(j, u)$ is absolutely irreducible and $\Phi_N(j, j_N) = 0$;

(iv) if N is non-square, then $\Phi_N(j, j)$ is a polynomial in j of degree m > 1 and with leading coefficient 1.

Thus, the modular equation $\Phi_N(j, u) = 0$ provides an affine model for the curve $X_0(N)$. Moreover, since $\Phi_N$ has integer coefficients, the curve $X_0(N)$ is defined over $\mathbb{Q}$. Unfortunately, this model is highly singular.

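8.3. HECKE OPERATORS

Let $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1)$, let f(z) be a function on $H^* = H \cup \mathbb{Q} \cup \infty$ with values in $\mathbb{C} \cup \{\infty\}$, and let k be an integer. We define the operator $[\gamma]_k$ by

$$f(z) \circ [\gamma]_k = f(\gamma(z))(cz + d)^{-k}.$$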

Modular Functions
Let f(z) be a meromorphic function on H and let $\Gamma \subset \Gamma(1)$ be a congruence subgroup of level N, i.e., $\Gamma \supset \Gamma(N)$. We call f(z) a modular function of weight k for $\Gamma$ if
$$f \circ [\gamma]_k = f$$
for all $\gamma \in \Gamma$ and if, for any $\alpha \in \Gamma(1)$, the function $f(z) \circ [\alpha]_k$ has a Fourier series expansion at infinity of the form
00

f(z) 0 [a1k = L a(n)t~, (8.1)


n=-m

Such anf(z) is called a modular form (resp. a cusp-form) of weight k if it is


holomorphic on Hand a(n) = 0 for all n < 0 (resp. for all n ::; 0) in (8.1).
Iff is a meromorphic function on H which is invariant under [y1k for y E f,
and if r E QU {oo} with r = a(oo), a E f(l), then we say thatf is meromorphic
(resp. is holomorphic, vanishes) at the cusp riff 0 [a1k has a Fourier expansion
(8,1) with a(n) = 0 for almost all n < 0 (resp. with a(n) = 0 for all n < 0, with
a(n) = 0 for all n ::; 0). Thus, the condition (8.1) is really a set condition, one
corresponding to each cusp r off.
We let Mk(f) and Sk(f) denote the set of modular fOnDS of weight k for f and
the set of cusp-fonDS of weight k for f, respectively. It is easy to see that these
are C-vector spaces, thatf E Mk(f) and g E MI(f) impliesfg E Mk+/(f), and
that the space of weight zero modular functions for f is a field. Also note that if
-1 E f, then there are no non-zero modular functions for f of odd weight k, since
fo[~11k = -f·
It follows immediately from the definition that if f' c f, then a modular
function (modular fOnD, cusp-fOnD) for f is also a modular function (modular
fOnD, cusp-fOnD) for fl.
There are more interesting ways to get modular fOnDS for a congruence sub-
group f from forms for another subgroup P. For example, iff(z) = La(n)t n E
Mk(f(l)), thenf(Nz) = 'La(n)t NZ andfx(z) = 'La(n)x(n)t n (the ''twist'' off
by a Dirichlet character X) turn out to be modular fOnDS, although for a smaller
congruence subgroup than f( 1) itself. We recall that a Dirichlet character mod-
ulo N is a group homomorphism X : (Z/NZ)* --+ C* from the multiplicative
group of Z/NZ to the multiplicative group of non-zero complex numbers. The
next proposition gives two important classes of constructions of this type. We
use the notation Mk(N,X) with a Dirichlet character X modulo N to denote the
subspace of Mk(fl (N)) consisting of f(z) for which f 0 [y1k = X(d)f when-
ever y = (~ ~) E fo(N). In particular, for X = XO the trivial character
Mk(N,xo) = Mk(fo(N)). We also put Sk(N,X) = Mk(N,X) nSk(f1(N)) and
note thatSk(N,xo) = Sk(fo(N)).

Proposition 8.11.

(i) Let $\Gamma$ be a congruence subgroup of $\Gamma(1)$, let $\alpha \in GL_2(\mathbb{Q})$, $\det\alpha > 0$, and $\Gamma' = (\alpha^{-1}\Gamma\alpha) \cap \Gamma$. Then $\Gamma'$ is a congruence subgroup of $\Gamma(1)$, and the map $f \mapsto f \circ [\alpha]_k = f(\alpha(z))(cz + d)^{-k}(\det\alpha)^{k/2}$ takes $M_k(\Gamma)$ to $M_k(\Gamma')$, and takes $S_k(\Gamma)$ to $S_k(\Gamma')$. In particular, if $f \in M_k(\Gamma(1))$ and $g(z) = f(Nz)$, then $g \in M_k(\Gamma_0(N))$ and one has $g(\infty) = f(\infty)$, $g(0) = N^{-k}f(0)$.

(ii) Let $\chi$ be a Dirichlet character modulo $N$, and $\chi'$ a primitive Dirichlet character modulo $N'$. If $f(z) = \sum_{n=0}^{\infty} a(n)t^n \in M_k(N,\chi)$ and $f_{\chi'}(z) = \sum_{n=0}^{\infty} a(n)\chi'(n)t^n$, then $f_{\chi'} \in M_k(NN'^2, \chi\chi'^2)$. If $f$ is a cusp-form, then so is $f_{\chi'}$. In particular, if $f \in M_k(\Gamma_0(N))$ and $\chi'$ is quadratic (i.e., takes values $\pm 1$), then $f_{\chi'} \in M_k(\Gamma_0(NN'^2))$.

Proof: See Koblitz [96, p. 127].

We also have the following useful fact (see Koblitz [96, p. 137]):

Proposition 8.12. $M_k(\Gamma_1(N)) = \bigoplus M_k(N,\chi)$, where the sum is over all Dirichlet characters $\chi$ modulo $N$.

The Modular Interpretation


A basic feature of modular forms is their interpretation as functions on lattices. We consider the most important cases of a congruence subgroup $\Gamma$: $\Gamma = \Gamma(1)$, $\Gamma_0(N)$, $\Gamma_1(N)$ or $\Gamma(N)$. By a modular point for $\Gamma$ we mean (see also Section 9.1 below):
(i) for $\Gamma = \Gamma(1)$: a lattice $\Lambda \subset \mathbb{C}$;

(ii) for $\Gamma = \Gamma_1(N)$: a pair $(\Lambda, \tau)$, where $\Lambda$ is a lattice in $\mathbb{C}$, and $\tau \in \mathbb{C}/\Lambda$ is a point of exact order $N$;

(iii) for $\Gamma = \Gamma_0(N)$: a pair $(\Lambda, G)$, where $\Lambda$ is a lattice in $\mathbb{C}$, and $G \subset \mathbb{C}/\Lambda$ is a cyclic subgroup of order $N$; i.e., $G = \mathbb{Z}\tau$ for some point $\tau \in \mathbb{C}/\Lambda$ of exact order $N$;

(iv) for $\Gamma = \Gamma(N)$: a pair $(\Lambda, \{\tau_1, \tau_2\})$, where $\tau_1, \tau_2 \in \mathbb{C}/\Lambda$ have the property that every $\tau \in \frac{1}{N}\Lambda/\Lambda$ is of the form $\tau = m\tau_1 + n\tau_2$, i.e., $\tau_1, \tau_2$ form a basis for the points of order $N$.

Given a lattice $\Lambda$, in general there will be several modular points of the form $(\Lambda, \tau)$, $(\Lambda, G)$ or $(\Lambda, \{\tau_1, \tau_2\})$. However, when $N = 1$, there is only one modular point corresponding to each $\Lambda$, and we identify it with the modular point $\Lambda$ for $\Gamma(1)$.
In each case (i) to (iv), we consider complex-valued functions $F$ on the set of modular points which are of weight $k$ in the following sense. If we scale a modular

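point by a non-zero complex number $\lambda$, then the value of $F$ changes by a factor of $\lambda^{-k}$, $k \in \mathbb{Z}$. That is, for $\lambda \in \mathbb{C}^*$ we consider $\lambda\Lambda = \{\lambda u \mid u \in \Lambda\}$, $\lambda\tau \in \mathbb{C}/\lambda\Lambda$, $\lambda G = \{\lambda\tau \mid \tau \in G\} \subset \mathbb{C}/\lambda\Lambda$. Then $F$ is defined to be of weight $k$ if for all $\lambda \in \mathbb{C}^*$:

(i) $F(\lambda\Lambda) = \lambda^{-k}F(\Lambda)$ for all modular points $\Lambda$;

(ii) $F(\lambda\Lambda, \lambda\tau) = \lambda^{-k}F(\Lambda, \tau)$ for all modular points $(\Lambda, \tau)$;

(iii) $F(\lambda\Lambda, \lambda G) = \lambda^{-k}F(\Lambda, G)$ for all modular points $(\Lambda, G)$;

(iv) $F(\lambda\Lambda, \{\lambda\tau_1, \lambda\tau_2\}) = \lambda^{-k}F(\Lambda, \{\tau_1, \tau_2\})$ for all modular points $(\Lambda, \{\tau_1, \tau_2\})$.

Given a function $F$ of weight $k$, we define the corresponding function $f(z)$ on the upper half-plane $H$ as follows. Let $\Lambda_z = \mathbb{Z} \cdot z + \mathbb{Z}$ be the lattice with basis $\omega = \begin{pmatrix} z \\ 1 \end{pmatrix}$. Given $F$ as above, we put:
(i) $f(z) = F(\Lambda_z)$;

(ii) $f(z) = F(\Lambda_z, 1/N)$;

(iii) $f(z) = F(\Lambda_z, \mathbb{Z}/N)$;

(iv) $f(z) = F(\Lambda_z, \{z/N, 1/N\})$.

For $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1)$ we define the action of $\gamma$ on functions $f(z)$ by the rule $\gamma \circ f(z) = f(\gamma(z)) = f\left(\frac{az+b}{cz+d}\right)$.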


Proposition 8.13. Let $k \in \mathbb{Z}$ and let $\Gamma = \Gamma(1)$, $\Gamma_0(N)$, $\Gamma_1(N)$ or $\Gamma(N)$. The above association of $F$ with $f$ gives a one-to-one correspondence between the set of complex-valued functions $F$ on the modular points which have weight $k$ and the set of complex-valued functions $f$ on $H$ which are invariant under $[\gamma]_k$ for $\gamma \in \Gamma$.

Proof: We shall treat case (ii) and leave the other cases as exercises. Suppose $\gamma \in \Gamma_1(N)$ and $F$ is a weight $k$ function on modular points $(\Lambda, \tau)$. Let $\omega = \begin{pmatrix} z \\ 1 \end{pmatrix}$ and $\gamma\omega = \begin{pmatrix} az+b \\ cz+d \end{pmatrix}$. We have

$$f(\gamma(z)) = F(\Lambda_{\gamma(z)}, 1/N) = (cz+d)^k F\left(\Lambda_{\gamma\omega}, \frac{cz+d}{N}\right),$$

because $F$ has weight $k$. But $\Lambda_{\gamma\omega} = \Lambda_z$, $(cz+d)/N \equiv 1/N \pmod{\Lambda_z}$ and hence
$$f(\gamma(z)) = (cz+d)^k F(\Lambda_z, 1/N) = (cz+d)^k f(z).$$

To show correspondence in the other direction, given $f(z)$ we define $F(\Lambda, \tau)$ to be $F(\Lambda, \omega_2/N)$, where $\omega = \begin{pmatrix} \omega_1 \\ \omega_2 \end{pmatrix}$ is chosen to be any basis of $\Lambda$ such that $\omega_2/N \equiv \tau \pmod{\Lambda}$. One must first check that the definition of $F$ makes sense (i.e., that such a basis $\omega$ exists) and that the definition of $F$ is independent of the choice of such a basis $\omega$. The first point is routine, using the fact that $\tau$ has exact order $N$ in $\mathbb{C}/\Lambda$, and the second point follows immediately because any other such basis must be of the form $\gamma\omega$ with $\gamma \in \Gamma_1(N)$. It is also easy to check that, once $f$ is invariant under $[\gamma]_k$ for $\gamma \in \Gamma_1(N)$, it follows that $F$ has weight $k$.
The construction going from $F$ to $f$ and the construction going from $f$ to $F$ are clearly inverse to one another. This concludes the proof. •
We say that $F$ is a modular function (modular form, cusp-form) if the corresponding $f$ is a modular function (resp. modular form, cusp-form) as defined above.

Hecke Operators
We now discuss the Hecke operators acting on modular forms of weight $k$ for $\Gamma_1(N)$. We could define them directly on $f(z)$ in $M_k(\Gamma_1(N))$. However, the definition appears more natural when given in terms of the corresponding functions $F$ on modular points.
Let $L(\mathbb{Q})$ denote the $\mathbb{Q}$-vector space of formal finite linear combinations of modular points, i.e., $L(\mathbb{Q}) = \bigoplus \mathbb{Q} L_{\Lambda,\tau}$ is the direct sum of infinitely many one-dimensional spaces, one for each pair $(\Lambda, \tau)$, where $\Lambda$ is any lattice in $\mathbb{C}$ and $\tau \in \mathbb{C}/\Lambda$ is any point of exact order $N$. A linear map $T : L(\mathbb{Q}) \to L(\mathbb{Q})$ can be given by describing the image

for each basis element $L_{\Lambda,\tau}$; here $S_n$ is a finite set of modular points.

For each positive integer $n$ we define a linear map $T_n : L(\mathbb{Q}) \to L(\mathbb{Q})$ by the following formula giving the image of the basis vector $L_{\Lambda,\tau}$:

(8.2)

where the summation is over all lattices $\Lambda'$ containing $\Lambda$ with index $n$ such that $(\Lambda', \tau)$ is a modular point (here for $\tau \in \mathbb{C}/\Lambda$ we still use the letter $\tau$ to denote the image of $\tau$ modulo the larger lattice $\Lambda'$). In other words, $\Lambda'/\Lambda \subset \mathbb{C}/\Lambda$ is a subgroup of order $n$, and $\tau$ must have exact order $N$ modulo the larger lattice $\Lambda'$ as well as modulo $\Lambda$. The latter condition means that the only elements of $\mathbb{Z}\tau$ which are in $\Lambda'/\Lambda$ are the multiples $m\tau$ which are in $\Lambda$. In the case $N = 1$ this condition disappears, and we sum over all lattices $\Lambda'$ with $[\Lambda' : \Lambda] = n$. The condition on $\tau$

is also empty if $(n,N) = 1$. To see this, suppose that $N'\tau \in \Lambda'$. Then the order of $N'\tau$ in $\Lambda'/\Lambda$ divides $N$ (because $N'N\tau \in \Lambda$) and divides $n$ (because $n$ is the cardinality of $\Lambda'/\Lambda$), and so divides $(n,N) = 1$. Thus $N'\tau \in \Lambda$. Note that the sum in (8.2) is finite and $T_1$ is the identity map.
Next, for any positive integer $n$ prime to $N$ we define another linear map $T_{n,n} : L(\mathbb{Q}) \to L(\mathbb{Q})$ by

(8.3)

Since $(n,N) = 1$ then $\tau$ has exact order $N$ modulo $\frac{1}{n}\Lambda$. Again we are using the same letter $\tau$ to denote an element in $\mathbb{C}/\Lambda$ and the corresponding element in $\mathbb{C}/\frac{1}{n}\Lambda$. It is easy to check the commutativity of the operators:

(8.4)

Proposition 8.14.
(i) If $(m,n) = 1$, then $T_{mn} = T_mT_n$; in particular $T_mT_n = T_nT_m$.

(ii) If $p$ is a prime dividing $N$, then $T_{p^a} = T_p^a$.

(iii) If $p$ is a prime not dividing $N$, then for $a \ge 2$

(8.5)

Proof:
(i) In the sum (8.2) for $T_{mn}$, the $\Lambda'$ correspond to certain subgroups $G'$ of order $mn$ in $\frac{1}{mn}\Lambda/\Lambda$, namely, those which have trivial intersection with the subgroup $\mathbb{Z}\tau \subset \mathbb{C}/\Lambda$. Since $(m,n) = 1$, it follows that any such $G'$ has a unique subgroup $G''$ of order $n$; if $\Lambda'' \supset \Lambda$ is the lattice corresponding to $G''$, then $G'/G''$ gives a subgroup of order $m$ in $\frac{1}{m}\Lambda''/\Lambda''$. Both $G''$ and $G'/G''$ have non-trivial intersection with $\mathbb{Z}\tau$. Conversely, given $G'' = \Lambda''/\Lambda \subset \frac{1}{n}\Lambda/\Lambda$ of order $n$ and a subgroup $G' = \Lambda'/\Lambda'' \subset \frac{1}{m}\Lambda''/\Lambda''$ of order $m$, where both subgroups have trivial intersection with $\mathbb{Z}\tau$, we have a unique subgroup $\Lambda'/\Lambda \subset \frac{1}{mn}\Lambda/\Lambda$ of order $mn$ with non-trivial intersection with $\mathbb{Z}\tau$. This shows that the modular points that occur in

and in

are the same.



(ii) By induction, it suffices to show that $T_{p^{a-1}}T_p = T_{p^a}$ for $a \ge 2$. Let $\tau' = \frac{N}{p}\tau$. Then
$$T_{p^a}(L_{\Lambda,\tau}) = p^{-a}\sum L_{\Lambda',\tau}$$
where the summation is over all $\Lambda' \supset \Lambda$ such that $\Lambda'/\Lambda \subset p^{-a}\Lambda/\Lambda$ has order $p^a$ and does not contain $\tau'$. Notice that $\Lambda'/\Lambda$ must be cyclic, since otherwise it would contain a $(p,p)$-subgroup of $p^{-a}\Lambda/\Lambda$. There is only one such $(p,p)$-subgroup, namely $\frac{1}{p}\Lambda/\Lambda$, and $\tau' \in \frac{1}{p}\Lambda/\Lambda$, since $p\tau' = N\tau \in \Lambda$. Once we know that $\Lambda'/\Lambda$ must be cyclic, we can use the same argument as in part (i). Namely, for each $\Lambda'$ that occurs in the sum for $T_{p^a}(L_{\Lambda,\tau})$ there is a unique cyclic subgroup of order $p$ in $\Lambda'/\Lambda$; the corresponding lattice $\Lambda''$ occurs in the sum for $T_p(L_{\Lambda,\tau})$ and $\Lambda'$ is one of the lattices that occur in $T_{p^{a-1}}(L_{\Lambda'',\tau})$. This shows the equality in part (ii).
(iii) Since $(p,N) = 1$, the condition about the order of $\tau$ in $\mathbb{C}/\Lambda$ is always fulfilled. We have

where the first summation is over all lattices $\Lambda''$ such that $G'' = \Lambda''/\Lambda$ has order $p$, and the second summation is over all $\Lambda'$ such that $G' = \Lambda'/\Lambda''$ has order $p^{a-1}$. On the other hand,
$$T_{p^a}(L_{\Lambda,\tau}) = p^{-a}\sum_{\Lambda'} L_{\Lambda',\tau}$$

where the summation is over all $\Lambda'$ such that $\Lambda'/\Lambda$ has order $p^a$. Clearly, every $\Lambda'$ in the inner sum for $T_{p^{a-1}}T_p$ is a $\Lambda'$ of the form in the sum for $T_{p^a}$, and every $\Lambda'$ in the latter sum is a $\Lambda'$ of the form in the former sum. But we must count how many different pairs $\Lambda''$, $\Lambda'$ in the double sum lead to the same $\Lambda'$. First, if $\Lambda'/\Lambda$ is cyclic, then there is only one possible $\Lambda''$. But if $\Lambda'/\Lambda$ is not cyclic, i.e., if $\Lambda'/\Lambda \supset \frac{1}{p}\Lambda/\Lambda$, then $\Lambda''$ can be an arbitrary lattice such that $\Lambda''/\Lambda$ has order $p$. Since there are $p + 1$ such lattices, it follows that there are $p$ extra times that $L_{\Lambda',\tau}$ occurs in the double sum for $T_{p^{a-1}}T_p$. Thus,

$\Lambda' \supset (1/p)\Lambda$
$[\Lambda' : (1/p)\Lambda] = p^{a-2}$
But

$$T_{p^{a-2}}T_{p,p}(L_{\Lambda,\tau}) = \frac{1}{p^2}\,T_{p^{a-2}}(L_{(1/p)\Lambda,\tau}) = p^{-a}\sum_{[\Lambda' : (1/p)\Lambda] = p^{a-2}} L_{\Lambda',\tau}.$$

This concludes the proof of part (iii).


If $n = p_1^{a_1} \cdots p_s^{a_s}$ is the prime factorization of the positive integer $n$, then we have

Parts (ii) to (iii) of the proposition show that each $T_{p^a}$ is a polynomial in $T_p$ and $T_{p,p}$. From this and (8.4) we see that all of the $T_n$'s commute with each other. Thus, the operators $T_{m,m}$ ($m$ prime to $N$) and $T_n$ generate a commutative algebra $A$ of linear maps from $L(\mathbb{Q})$ to $L(\mathbb{Q})$; actually, $A$ is generated by the $T_{p,p}$ ($p \nmid N$ a prime) and $T_p$ ($p$ any prime).
There is an elegant way to summarize the relations in Proposition 8.14 as formal power series identities, where the coefficients of the power series are elements in $A$. First, for $p \mid N$, we have from (ii)

$p \mid N$. (8.6)

Similarly, for $p \nmid N$, part (iii) is equivalent to the identity

$p \nmid N$. (8.7)

Now we consider functions $F$ on modular points and the corresponding functions $f(z)$ on $H$. If $T : L(\mathbb{Q}) \to L(\mathbb{Q})$ is a linear map given on basis elements $L_{\Lambda,\tau}$ by equations of the form

then we have a corresponding linear map (which we also denote $T$) on the vector space of complex-valued functions on modular points: $T \circ F(\Lambda, \tau) = \sum a(n)F(x_n)$. For example:

$$[d]F(\Lambda,\tau) = F(\Lambda, d\tau), \quad (d,N) = 1,$$

$$T_{m,m}F(\Lambda,\tau) = m^{-2}F\left(\tfrac{1}{m}\Lambda, \tau\right), \quad (m,N) = 1,$$

$$T_nF(\Lambda,\tau) = n^{-1}\sum F(\Lambda',\tau), \qquad (8.8)$$

where the last summation is over all modular points $(\Lambda', \tau)$ such that $[\Lambda' : \Lambda] = n$, as in (8.2).
This correspondence provides the following properties of operators $[d]$, $T_{m,m}$, and $T_n$ (see Koblitz [96, p. 159]):

Proposition 8.15. Suppose that $F(\Lambda, \tau)$ corresponds to a function $f(z)$ on $H$ which is in $M_k(\Gamma_1(N))$. Then $[d]F$, $T_{m,m}F$, and $T_nF$ also correspond to functions

(denoted $[d]f$, $T_{m,m}f$, and $T_nf$) in $M_k(\Gamma_1(N))$. If $f$ is a cusp-form, then so are $[d]f$, $T_{m,m}f$ and $T_nf$. Thus $[d]$, $T_{m,m}$ and $T_n$ may be regarded as linear maps on $M_k(\Gamma_1(N))$ or on $S_k(\Gamma_1(N))$. In this situation, let $\chi$ be a Dirichlet character modulo $N$. Then $f \in M_k(N,\chi)$ if and only if $[d]F = \chi(d)F$, i.e., if and only if

$$F(\Lambda, d\tau) = \chi(d)F(\Lambda, \tau) \quad \text{for } d \in (\mathbb{Z}/N\mathbb{Z})^*. \qquad (8.9)$$

We saw before (Proposition 8.12) that a function $f \in M_k(\Gamma_1(N))$ can be written as a sum of functions in $M_k(N,\chi)$ for different Dirichlet characters $\chi$. Thus, using the one-to-one correspondence in Proposition 8.13 we can write a modular form $F(\Lambda, \tau)$ as a direct sum of $F$'s which satisfy (8.9) for various $\chi$.
Proposition 8.16. The operators $T_{m,m}$ and $T_n$ commute with $[d]$, and preserve the space of $F(\Lambda,\tau)$ of weight $k$ which satisfies (8.9). If $F(\Lambda,\tau)$ has weight $k$ and satisfies (8.9) then $T_{m,m}F = m^{k-2}\chi(m)F$.

Proof: That the operators commute follows directly from the definitions. Next, if $[d]F = \chi(d)F$, it follows that $[d]T_nF = T_n[d]F = \chi(d)T_nF$ and $[d]T_{m,m}F = T_{m,m}[d]F = \chi(d)T_{m,m}F$. It is a fact of linear algebra that the eigenspace for an operator $[d]$ with a given eigenvalue is preserved under any operator which commutes with $[d]$. Finally, if $F(\Lambda,\tau)$ satisfies (8.9), then

$$T_{m,m}F(\Lambda,\tau) = m^{-2}F\left(\tfrac{1}{m}\Lambda, \tau\right) = m^{k-2}F(\Lambda, m\tau) = m^{k-2}[m]F(\Lambda,\tau) = m^{k-2}\chi(m)F(\Lambda,\tau).$$

This proves the proposition. •
If we translate the action of $T_{m,m}$, $T_n$, and $[d]$ from the functions $F(\Lambda,\tau)$ to functions $f(z)$ on $H$, then Proposition 8.16 becomes:
Proposition 8.17. $T_{m,m}$ and $T_n$ preserve $M_k(N,\chi)$, and also $S_k(N,\chi)$. For $f \in M_k(N,\chi)$ the action of $T_{m,m}$ is given by $T_{m,m}f = m^{k-2}\chi(m)f$.
As a special case of this proposition, suppose we take $\chi$ to be the trivial character $\chi_0$ on $(\mathbb{Z}/N\mathbb{Z})^*$. Then $M_k(N,\chi_0) = M_k(\Gamma_0(N))$, and the modular forms $f \in M_k(N,\chi_0)$ correspond to $F(\Lambda,\tau)$ on which $[d]$ acts trivially, i.e., $F(\Lambda,\tau) = F(\Lambda, d\tau)$ for all $d \in (\mathbb{Z}/N\mathbb{Z})^*$. Such $F(\Lambda,\tau)$ are in one-to-one correspondence with functions $F(\Lambda, G)$, where $G$ is a cyclic subgroup of order $N$ in $\mathbb{C}/\Lambda$. Namely, choose $\tau$ to be any generator of $G$, and set $F(\Lambda, G) = F(\Lambda,\tau)$. The fact that $F(\Lambda,\tau) = F(\Lambda, d\tau)$ means that it makes no difference which generator of $G$ is chosen. Conversely, given $F(\Lambda, G)$, define $F(\Lambda,\tau) = F(\Lambda, G_\tau)$, where $G_\tau = \mathbb{Z}\tau$ is the subgroup of $\mathbb{C}/\Lambda$ generated by $\tau$. So we just verified that functions of modular points in the sense of case (iii) at the beginning of this section correspond to modular forms for $\Gamma_0(N)$.

Corollary 8.18. $T_{m,m}$ and $T_n$ preserve $M_k(\Gamma_0(N))$, and also $S_k(\Gamma_0(N))$. For $f \in M_k(\Gamma_0(N))$ the action of $T_{m,m}$ is given by $T_{m,m}f = m^{k-2}f$.
Now we examine the effect of the Hecke operators $T_m$ on the $t$-expansion at $\infty$ of a modular form $f(z) \in M_k(N,\chi)$, that is, if we write $f(z) = \sum a(n)t^n$ and $T_mf(z) = \sum b(n)t^n$, $t = e^{2\pi i z}$, we want to express $b(n)$ in terms of the $a(n)$.
If $f \in \mathbb{C}[[t]]$, $f = \sum a(n)t^n$, we define

$$V_mf = \sum a(n)t^{mn}, \qquad U_mf = \sum a(n)t^{n/m},$$

where the latter summation is only over $n$ divisible by $m$. Note that $U_m \circ V_m$ is the identity, while $V_m \circ U_m$ is the map on power series which deletes all terms with $n$ not divisible by $m$. Suppose that $f(z) = \sum a(n)t^n$, $t = e^{2\pi i z}$, converges for $z \in H$. Then we clearly have

$$V_mf(z) = f(mz), \qquad U_mf(z) = \frac{1}{m}\sum_{j=0}^{m-1} f\left(\frac{z+j}{m}\right).$$

Proposition 8.19. Let $f \in M_k(N,\chi)$, $f = \sum_{n=0}^{\infty} a(n)t^n$, $t = e^{2\pi i z}$, and let $T_pf(z) = \sum_{n=0}^{\infty} b(n)t^n$. Then

$$b(n) = a(pn) + \chi(p)p^{k-1}a(n/p),$$

where we take $\chi(p) = 0$ if $p \mid N$ and $a(n/p) = 0$ if $n$ is not divisible by $p$. Or, equivalently,

Proof: We have
$$T_pf(z) = \frac{1}{p}\sum_{\Lambda'} F\left(\Lambda', \frac{1}{N}\right),$$
where $F$ is the function on modular points which corresponds to $f$ and the sum is over all lattices $\Lambda'$ containing $\Lambda_z$ with index $p$ such that $1/N$ has order $N$ modulo $\Lambda'$. Such $\Lambda'$ are contained in the lattice $\frac{1}{p}\Lambda_z$ generated by $\frac{z}{p}$ and $\frac{1}{p}$, and the lattices of index $p$ are in one-to-one correspondence with the projective line $\mathbb{P}^1$ over the finite field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$ with $p$ elements. Namely, the point in $\mathbb{P}^1$ with homogeneous coordinates $(a, b)$ corresponds to the lattice generated by $\Lambda_z$ and $(az + b)/p$. Thus, there are $p + 1$ possible $\Lambda'$ corresponding to $(1, j)$ for $j = 0, 1, \ldots, p - 1$ and $(0, 1)$. If $p \nmid N$, then all $p + 1$ of these lattices $\Lambda'$ are included; if $p \mid N$, then the last lattice must be omitted, since $\frac{1}{N}$ has order $\frac{N}{p}$ in that case. Note that the lattice generated by $\Lambda_z$ and $(z+j)/p$ is $\Lambda_{(z+j)/p}$. Thus, if $p \mid N$ we have

$$T_pf(z) = \frac{1}{p}\sum_{j=0}^{p-1} F\left(\Lambda_{(z+j)/p}, \frac{1}{N}\right) = \frac{1}{p}\sum_{j=0}^{p-1} f\left(\frac{z+j}{p}\right) = U_pf(z).$$

If $p \nmid N$, then we have the same sum plus one additional term corresponding to the lattice generated by $\Lambda_z$ and $\frac{1}{p}$; this lattice is $\frac{1}{p}\Lambda_{pz}$. Thus, in that case

$$T_pf(z) = U_pf(z) + \frac{1}{p}F\left(\frac{1}{p}\Lambda_{pz}, \frac{1}{N}\right) = U_pf(z) + p^{k-1}F\left(\Lambda_{pz}, \frac{p}{N}\right)$$

$$= U_pf(z) + p^{k-1}\chi(p)F\left(\Lambda_{pz}, \frac{1}{N}\right) = U_pf(z) + p^{k-1}\chi(p)f(pz).$$

Now from the definition of $U_p$ we obtain

$$b(n) = a(pn) + \chi(p)p^{k-1}a(n/p).$$

This completes the proof.
As a consequence of the proposition we get the factorization

$$1 - T_pu + \chi(p)p^{k-1}u^2 = (1 - U_pu)(1 - \chi(p)p^{k-1}V_pu).$$
Corollary 8.20. If $f(z) \in M_k(\Gamma_0(N))$, then in the notations of the previous proposition we have
$$T_p = U_p + p^{k-1}V_p \quad \text{on } M_k(\Gamma_0(N)),$$
$$b(n) = a(pn) + p^{k-1}a(n/p)$$
and
$$1 - T_pu + p^{k-1}u^2 = (1 - U_pu)(1 - p^{k-1}V_pu).$$
If we introduce a new variable $s$ by putting $u = p^{-s}$ for each $p$ in (8.6) or (8.7) and then take the product of (8.6) over $p$ with $p \mid N$ and (8.7) over all $p$ with $p \nmid N$ we obtain

$$\sum_{n=1}^{\infty} T_nn^{-s} = \prod_{p \mid N}(1 - T_pp^{-s})^{-1}\prod_{p \nmid N}(1 - T_pp^{-s} + T_{p,p}\,p^{1-2s})^{-1}$$

(the proof is exactly like the proof of the Euler product formula for the Riemann zeta-function). From Proposition 8.17 we see that

$$\sum_{n=1}^{\infty} T_nn^{-s} = \prod_{p}(1 - T_pp^{-s} + \chi(p)p^{k-1-2s})^{-1}, \qquad (8.10)$$

therefore the operators $T_n$ on $M_k(N,\chi)$ satisfy the following formal power series identity

$$\sum_{n=1}^{\infty} T_nn^{-s} = \prod_{p}\left((1 - \chi(p)p^{k-1}V_pp^{-s})^{-1}(1 - U_pp^{-s})^{-1}\right)$$

or, equivalently
$$T_n = \sum_{d \mid n}\chi(d)d^{k-1}\,V_d \circ U_{n/d}. \qquad (8.11)$$

Theorem 8.21. Under the conditions of Proposition 8.19, if
$$T_mf(z) = \sum_{n=0}^{\infty} b(n)t^n,$$
then
$$b(n) = \sum_{d \mid (m,n)}\chi(d)d^{k-1}a(mn/d^2). \qquad (8.12)$$

Proof: According to (8.11), we have

$$T_m\sum_{n=0}^{\infty} a(n)t^n = \sum_{d \mid m}\chi(d)d^{k-1}\,V_d \circ U_{m/d}\sum_{n=0}^{\infty} a(n)t^n = \sum_{d \mid m}\chi(d)d^{k-1}\sum_{(m/d) \mid n} a(n)t^{d^2n/m}.$$

If we set $r = d^2n/m$, the inner sum becomes $\sum a(rm/d^2)t^r$ with the sum taken over all $r$ divisible by $d$. Replacing $r$ by $n$ and gathering together coefficients of $t^n$, we obtain the expression (8.12) for the $n$th coefficient. •
Most of the important examples of modular forms turn out to be eigenforms for the action of all of the $T_m$ on the given space of modular forms. If $f \in M_k(N,\chi)$ is such an eigenform, then we can conclude a lot of information about its $t$-expansion coefficients.
Theorem 8.22. Let $f(z) \in M_k(N,\chi)$. Assume that $f$ is a non-zero eigenform for all of the operators $T_m$, $m = 1, 2, \ldots$ Let
$$T_mf = \lambda_mf,$$
and
$$f(z) = \sum_{m=0}^{\infty} a(m)t^m.$$
Then
(i) $a(m) = \lambda_ma(1)$;
(ii) if $k \ne 0$ and $f$ is not a constant function, then $a(1) \ne 0$;
(iii) if $a(0) \ne 0$, then
$$\lambda_m = \sum_{d \mid m}\chi(d)d^{k-1}.$$

Proof: Using (8.12) with $n = 1$, we find that the coefficient of the first power of $t$ in $T_mf$ is $a(m)$. If $T_mf = \lambda_mf$, then this coefficient is also equal to $\lambda_ma(1)$. This proves the first assertion. If we had $a(1) = 0$, then it would follow that all $a(m) = 0$ and $f$ would be a constant. Finally, suppose that $a(0) \ne 0$. If we compare the constant terms in $T_mf = \lambda_mf$ and use (8.12) with $n = 0$ we obtain
$$\lambda_ma(0) = b(0) = \sum_{d \mid m}\chi(d)d^{k-1}a(0).$$

Dividing by $a(0) \ne 0$ gives the formula for $\lambda_m$. •

If $f$ is an eigenform with $k \ne 0$, then we can multiply it by a constant to get the coefficient of $t$ equal to 1. Such an eigenform is called normalized. In that case, Theorem 8.22 tells us that $a(m) = \lambda_m$ is simply the eigenvalue of $T_m$. If we then apply the operator identity (8.10) to the eigenform $f$, we obtain identities for the $t$-expansion coefficients of $f$. Namely, applying both sides of (8.10) to a normalized eigenform $f \in M_k(N,\chi)$, $f(z) = \sum_{n=0}^{\infty} a_nt^n$, we have

$$\sum_{n=1}^{\infty} a_nn^{-s} = \prod_{p}(1 - a_pp^{-s} + \chi(p)p^{k-1-2s})^{-1}.$$
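
A numerical check of formula (8.12) and of Theorem 8.22, added here as an illustration and not taken from the book. It assumes three standard $t$-expansions that this section does not introduce: $\Delta = t\prod(1-t^n)^{24}$ (weight 12) and the Eisenstein series $E_4$ (weight 4) for $\Gamma(1)$, and $t\prod(1-t^n)^2(1-t^{11n})^2$ (weight 2) for $\Gamma_0(11)$; all function and constant names are hypothetical.

```python
from math import gcd


def eta_product(n_terms, factors):
    """a(0..n_terms-1) of t * prod over (s, e) in factors of prod_{n>=1} (1 - t^(s*n))^e."""
    poly = [1] + [0] * (n_terms - 1)
    for step, exponent in factors:
        for n in range(step, n_terms, step):
            for _ in range(exponent):
                # Multiply the truncated series by (1 - t^n), in place.
                for i in range(n_terms - 1, n - 1, -1):
                    poly[i] -= poly[i - n]
    return [0] + poly[:-1]          # the leading factor t shifts every exponent by one


def sigma(power, n):
    """Sum of d^power over the positive divisors d of n."""
    return sum(d ** power for d in range(1, n + 1) if n % d == 0)


def trivial_character(level):
    """chi_0 modulo `level`, set to 0 on integers not prime to the level."""
    return lambda d: 1 if gcd(d, level) == 1 else 0


def hecke(m, a, k, chi):
    """Coefficients b(n) of T_m f computed from the a(n) by formula (8.12)."""
    bound = (len(a) - 1) // m + 1   # largest range of n with m*n inside the known a(n)
    b = []
    for n in range(bound):
        g = gcd(m, n)               # gcd(m, 0) = m, so b(0) sums over all d | m
        b.append(sum(chi(d) * d ** (k - 1) * a[m * n // (d * d)]
                     for d in range(1, g + 1) if g % d == 0))
    return b


def eigenvalue(m, a, k, chi):
    """Return lambda_m if T_m f = lambda_m f on all computed coefficients, else None."""
    b = hecke(m, a, k, chi)
    lead = next(i for i, c in enumerate(a) if c != 0)
    if lead >= len(b) or b[lead] % a[lead] != 0:
        return None
    lam = b[lead] // a[lead]
    return lam if all(b[n] == lam * a[n] for n in range(len(b))) else None


TERMS = 150                                               # truncation order (assumption)
DELTA = eta_product(TERMS, [(1, 24)])                     # weight 12, level 1, a(1) = 1
E4 = [1] + [240 * sigma(3, n) for n in range(1, TERMS)]   # weight 4, level 1, a(0) = 1
F11 = eta_product(TERMS, [(1, 2), (11, 2)])               # weight 2, level 11, a(1) = 1

if __name__ == "__main__":
    chi1, chi11 = trivial_character(1), trivial_character(11)
    for m in (2, 3, 4, 6):
        # Theorem 8.22 (i): normalized eigenform, so lambda_m = a(m).
        print("Delta", m, eigenvalue(m, DELTA, 12, chi1), DELTA[m])
        # Theorem 8.22 (iii): a(0) != 0, so lambda_m = sum of d^(k-1) over d | m.
        print("E4   ", m, eigenvalue(m, E4, 4, chi1), sigma(3, m))
    for m in (2, 3, 11):
        print("F11  ", m, eigenvalue(m, F11, 2, chi11), F11[m])
    # Dropping the convention chi(p) = 0 for p | N breaks the eigen-relation at p = 11.
    print("F11 with chi(11) = 1:", eigenvalue(11, F11, 2, chi1))
```

For the level 11 form the case $p \mid N$ of Proposition 8.19 is visible directly: `hecke(11, F11, 2, chi11)` returns the coefficients $a(11n)$, that is, $T_{11}$ acts as $U_{11}$.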

Differential Forms
Let $X$ be a compact Riemann surface. We let $\Omega[X]$ be the complex space of regular differential forms on $X$. It has dimension $g$, where $g$ is the genus of $X$. Suppose that $X = X_\Gamma$ for some congruence subgroup $\Gamma \subseteq \Gamma(1)$, and let $\omega \in \Omega[X]$. Under the map
$$\pi : H \to \Gamma\backslash H \subset X$$
we can take the pullback $\omega^* = \pi^*(\omega)$. Then $\omega^*$ is a holomorphic differential form on $H$, which can be written in the form
$$\omega^* = f(z)\,dz$$
with some holomorphic function $f$ on $H$. For $\gamma \in \Gamma$ we have (by abuse of notation, we write $\omega$ instead of $\omega^*$)

$$\omega \circ \gamma = f(\gamma(z))(cz+d)^{-2}\,dz,$$

and hence
$$f \circ [\gamma]_2 = f.$$
Furthermore, let $T^N = \begin{pmatrix} 1 & N \\ 0 & 1 \end{pmatrix}$ where $N$ is the ramification index of $\Gamma$ at infinity (see Exercise 8.7). Since $\omega$ is invariant under $T^N$ we can write
$$f(z) = \sum a(n)t^{n/N} = \sum a(n)e^{2\pi i n z/N}.$$

Since $d(t^{1/N}) = t^{1/N}\frac{2\pi i}{N}\,dz$ we see that

$$f(z)\,dz = f(z)\,\frac{N}{2\pi i}\,\frac{d(t^{1/N})}{t^{1/N}}.$$

We know that $t^{1/N}$ is a local parameter at $\infty$. Hence $\omega$ is holomorphic at infinity if and only if $f(z)$ has a zero at infinity, i.e., the power series is of the form
$$f(z) = \sum_{n=1}^{\infty} a(n)t^{n/N}.$$

Let $r$ be a cusp for $\Gamma$, and let $\alpha \in \Gamma(1)$ be such that $\alpha(r) = \infty$. Then

$$\omega \circ \alpha^{-1}(z) = g(z)\,dz$$

for some holomorphic function $g(z)$ on $H$. The same analysis as above shows that
$$g(z) = \sum_{n=1}^{\infty} b(n)t^{n/N}.$$

Therefore we have:

Theorem 8.23. The map to which each regular differential form $\omega = f(z)\,dz$ on $X_\Gamma$ associates the function $f$, is an isomorphism between $\Omega[X_\Gamma]$ and the space $S_2(\Gamma)$ of cusp-forms of weight 2 with respect to $\Gamma$.

8.4. THE PETERSSON INNER PRODUCT

Let $f(z)$ and $g(z)$ be two functions in $M_k(\Gamma)$ and let $GL_2^+(\mathbb{Q})$ be the subgroup of $GL_2(\mathbb{Q})$ consisting of matrices with positive determinants. If $\Gamma$ is a congruence subgroup of $\Gamma(1)$ we denote by $\bar\Gamma$ its projectivization, i.e., $\bar\Gamma = \Gamma \cdot \{\pm 1\}/\{\pm 1\}$.
We consider the function $f(z)\overline{g(z)}y^k$, where the bar denotes complex conjugation and $y = \operatorname{Im} z$. If we replace the variable $z$ by $\alpha(z)$ for $\alpha \in GL_2^+(\mathbb{Q})$, we obtain

But this is just

Thus, the effect of the change of variables is to replace $f$ by $f \circ [\alpha]_k$ and $g$ by $g \circ [\alpha]_k$ (recall that $f(z) \circ [\alpha]_k = f(\alpha(z))(cz + d)^{-k}(\det\alpha)^{k/2}$).

Let $\Gamma \subseteq \Gamma(1)$ be a congruence subgroup, let $F$ be a fundamental domain for $\Gamma$ (see Exercise 8.4), and let $f, g \in M_k(\Gamma)$, with at least one of the two functions $f$, $g$ a cusp-form. Then we define the Petersson inner product as
$$\langle f, g\rangle = \frac{1}{[\Gamma(1) : \Gamma]}\int_F f(z)\overline{g(z)}\,y^k\,\frac{dx\,dy}{y^2}. \qquad (8.13)$$

It follows immediately from this definition that $\langle f, g\rangle$ is linear in $f$ and anti-linear in $g$ (i.e., $\langle f, cg\rangle = \bar c\langle f, g\rangle$), it is antisymmetric (i.e., $\langle g, f\rangle = \overline{\langle f, g\rangle}$), and $\langle f, f\rangle > 0$ for $f \ne 0$.
If $z = x + iy$, we can write
$$\frac{dx \wedge dy}{y^2} = \frac{i}{2}(\operatorname{Im} z)^{-2}\,dz \wedge d\bar z,$$

and then
$$f(z)\overline{g(z)}\,y^k\,\frac{dx\,dy}{y^2} = f(z)\overline{g(z)}\,(\operatorname{Im} z)^k\,\frac{1}{(\operatorname{Im} z)^2}\,\frac{i}{2}\,dz \wedge d\bar z.$$
In particular, for $k = 2$, when we can identify a cusp-form of weight 2 and a regular differential on $X_\Gamma$, if we put
$$\omega = f(z)\,dz \quad \text{and} \quad \eta = g(z)\,dz,$$
then the inner product can be written in the form
$$\langle f, g\rangle = \langle\omega, \eta\rangle = \frac{1}{[\Gamma(1) : \Gamma]}\int_{X_\Gamma}\frac{i}{2}\,\omega \wedge \bar\eta.$$
Of course, we must verify that the Petersson inner product makes sense. In other words, we shall verify that
(i) the integral is independent of the choice of fundamental domain;
(ii) it converges absolutely;
(iii) it is independent of the choice of $\Gamma$.
Proposition 8.24. The integral in (8.13) is absolutely convergent, and does not depend on the choice of $F$. If $\Gamma'$ is another congruence subgroup such that $f, g \in M_k(\Gamma')$, then the definition of $\langle f, g\rangle$ is independent of whether $f$, $g$ are considered in $M_k(\Gamma)$ or in $M_k(\Gamma')$.
Proof: See Koblitz [96, p. 170] or Lang [110, p. 38]. •
Now we note that if $\alpha \in GL_2^+(\mathbb{Q})$ then $\alpha$ can be multiplied by a positive scalar without affecting $[\alpha]_k$. So without loss of generality we shall assume in what follows that $\alpha = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$ has integer entries. Let $D = ad - bc = \det\alpha$, and set

$$\alpha' = D\alpha^{-1} = \begin{pmatrix} d & -b \\ -c & a \end{pmatrix}.$$

Then $[\alpha^{-1}]_k = [\alpha']_k$.

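Proposition 8.25. Let $f, g \in M_k(\Gamma)$ with $f$ or $g$ a cusp-form, and let $\alpha \in GL_2^+(\mathbb{Q})$. Then

(i) $\langle f \circ [\alpha]_k, g \circ [\alpha]_k\rangle = \langle f, g\rangle$;

(ii) $\langle f \circ [\alpha]_k, g\rangle = \langle f, g \circ [\alpha']_k\rangle$;

(iii) the inner product $\langle f \circ [\alpha]_k, g\rangle$ depends only on the double coset $\Gamma\alpha\Gamma$ of $\alpha$ modulo $\Gamma$.

Proof: Let $\Gamma' = \Gamma \cap (\alpha\Gamma\alpha^{-1})$. Then $f, g \in M_k(\Gamma')$, and $f \circ [\alpha]_k$, $g \circ [\alpha]_k \in M_k(\alpha^{-1}\Gamma'\alpha)$ by Proposition 8.11 (here $\alpha^{-1}\Gamma'\alpha = (\alpha^{-1}\Gamma\alpha) \cap \Gamma$). Let $F'$ be a fundamental domain for $\alpha^{-1}\Gamma\alpha$. Then

$$\langle f \circ [\alpha]_k, g \circ [\alpha]_k\rangle = \frac{1}{[\Gamma(1) : (\alpha^{-1}\Gamma'\alpha)]}\int_{\alpha^{-1}F'} f(z) \circ [\alpha]_k\;\overline{g(z) \circ [\alpha]_k}\;y^k\,\frac{dx\,dy}{y^2}$$
$$= \frac{1}{[\Gamma(1) : (\alpha^{-1}\Gamma'\alpha)]}\int_{F'} f(z)\overline{g(z)}\,y^k\,\frac{dx\,dy}{y^2}.$$
The first part of the proposition now follows from the fact that $[\Gamma(1) : (\alpha^{-1}\Gamma'\alpha)] = [\Gamma(1) : \Gamma']$.
The second part follows from the first, and the fact that $g \circ [\alpha']_k = g \circ [\alpha^{-1}]_k$. The third part is obvious from (ii), since

for $\gamma \in \Gamma$. •

Corollary 8.26. Let $\Gamma = \Gamma_1(N)$, and let $f, g \in S_k(N,\chi)$. Then $\langle T_nf, g\rangle = \chi(n)\langle f, T_ng\rangle$.

A Basis of Eigenforms
From the Riemann-Roch theorem it follows that for any congruence subgroup $\Gamma$ and any integer $k$, the $\mathbb{C}$-vector space $M_k(\Gamma)$ is finite dimensional (see Shimura [176, §2.6]). The Petersson inner product gives a Hermitian inner product on the finite dimensional $\mathbb{C}$-vector space $S_k(\Gamma)$. Thus $\langle f, g\rangle$ is linear in $f$ (i.e., $\langle cf, g\rangle = c\langle f, g\rangle$) and anti-linear in $g$ (i.e., $\langle f, cg\rangle = \bar c\langle f, g\rangle$). It is anti-symmetric (i.e., $\langle g, f\rangle = \overline{\langle f, g\rangle}$), and $\langle f, f\rangle > 0$ for $f \ne 0$.

Proposition 8.27. Let $n$ be a positive integer prime to $N$, and let $\chi$ be a Dirichlet character modulo $N$. Let $c_n$ be either square root of $\bar\chi(n)$. Then the operator $c_nT_n$ on $S_k(N,\chi)$ is Hermitian, i.e., $\langle c_nT_nf, g\rangle = \langle f, c_nT_ng\rangle$.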

Proof:

$$\langle c_nT_nf, g\rangle = c_n\langle T_nf, g\rangle = c_n\chi(n)\langle f, T_ng\rangle = c_n\bar c_n^{\,2}\langle f, T_ng\rangle = \bar c_n\langle f, T_ng\rangle = \langle f, c_nT_ng\rangle,$$
as claimed. •
We saw before that the eigenforms for the $T_n$ have nice properties: the coefficients can be expressed in terms of the eigenvalues for the $T_n$, and the corresponding Dirichlet series have Euler products. Because of Proposition 8.27, it is possible to find a basis of such forms.

Theorem 8.28. There exists a basis of the $\mathbb{C}$-vector space $S_k(N,\chi)$ whose elements are eigenforms for all of the $T_n$ for which $(n,N) = 1$.

Proof: For any fixed $T_n$ with $(n,N) = 1$ and any subspace $S \subset S_k(N,\chi)$ which is preserved by $T_n$, there exists a basis of $S$ consisting of eigenforms of $T_n$. To see this we consider the Hermitian operator $c_nT_n$ and apply to it the following general fact: given any Hermitian operator $T$ on a finite dimensional vector space, there exists a basis of the space consisting of eigenvectors for $T$. We further note that any eigenspace for $T_n$ is preserved by all $T_{n'}$, which follows from the fact that $T_n$ and $T_{n'}$ commute: if $T_nf = \lambda_nf$, then $T_n(T_{n'}f) = T_{n'}(T_nf) = \lambda_nT_{n'}f$. Thus, to prove the theorem we list the $T_n$ for $n$ prime to $N$. We write $S_k(N,\chi)$ as a direct sum of eigenspaces $S$ for the first $T_n$ in the list. Then we write each $S$ as a direct sum of eigenspaces for the next $T_n$; then we write each one of those spaces as a sum of eigenspaces for the third $T_n$; and so on. Because $S_k(N,\chi)$ is finite dimensional, after finitely many steps this process must stop giving us any new smaller spaces. At that point $S_k(N,\chi)$ is expressed as a direct sum of subspaces on each of which the $T_n$ for $n$ prime to $N$ acts as a scalar. Any basis consisting of forms in these subspaces will satisfy the requirements of the theorem. •

EXERCISES

8.1. Prove that for any integer $N \ge 1$ the map $SL_2(\mathbb{Z}) \to SL_2(\mathbb{Z}/N\mathbb{Z})$ obtained by reducing the matrix entries modulo $N$ is a surjective group homomorphism.
8.2. Let $N = p_1^{a_1} \cdots p_s^{a_s}$ be the prime factorization of the positive integer $N$. Show that the reductions modulo $p_i^{a_i}$, $1 \le i \le s$, give isomorphisms

$$GL_2(\mathbb{Z}/N\mathbb{Z}) \cong \prod_i GL_2(\mathbb{Z}/p_i^{a_i}\mathbb{Z})$$

and
$$SL_2(\mathbb{Z}/N\mathbb{Z}) \cong \prod_i SL_2(\mathbb{Z}/p_i^{a_i}\mathbb{Z}).$$

8.3. Find the indices $[\Gamma_1(N) : \Gamma(N)]$, $[\Gamma_0(N) : \Gamma_1(N)]$ and $[\Gamma_0(N) : \Gamma(N)]$.
8.4. Let $\Gamma(1) = \bigcup_{i=1}^{n} \alpha_i\Gamma$ be a disjoint union of $n$ cosets $\alpha_i\Gamma$, where $\Gamma$ is a subgroup of index $n$ in $\Gamma(1)$, and let $F(1)$ be a fundamental domain for $\Gamma(1)$. Show that $F = \bigcup_{i=1}^{n} \alpha_i^{-1}F(1)$ is a fundamental domain for $\Gamma$.
8.5. Let $\{\alpha_i\}$ be a complete set of coset representatives for $\Gamma$ in $\Gamma(1)$, where $\Gamma$ is a subgroup of finite index in $\Gamma(1)$. Show that the cusps of $\Gamma$ are among the set $\{\alpha_i^{-1}(\infty)\}$, but that $\alpha_i^{-1}(\infty)$ and $\alpha_j^{-1}(\infty)$ are $\Gamma$-equivalent if and only if there exists $n \in \mathbb{Z}$ such that
$$\alpha_j^{-1}T^n\alpha_i \in \pm\Gamma.$$

8.6. Let $p$ be a prime number. Prove that $\Gamma_0(p)$ has two cusps $\infty$ and $0$; and that $\Gamma_0(p^2)$ has $p + 1$ cusps: $\infty$, $0$, and $-1/mp$ for $m = 1, 2, \ldots, p - 1$.
8.7. Let $\Gamma$ be a congruence subgroup of $\Gamma(1)$ of level $N$, and denote $\Gamma_s = \{\gamma \in \Gamma \mid \gamma(s) = s\}$ for $s \in \mathbb{Q} \cup \{\infty\}$. Let $s = \alpha^{-1}(\infty)$, $\alpha \in \Gamma(1)$. Prove that:
(a) $\alpha\Gamma_s\alpha^{-1} = (\alpha\Gamma\alpha^{-1})_\infty$;
(b) there exists a unique positive integer $l$ (called the ramification index of $\Gamma$ at $s$) such that
(i) in the case $-1 \in \Gamma$
$$\Gamma_s = \pm\alpha^{-1}\{T^{lm}\}_{m \in \mathbb{Z}}\,\alpha,$$
(ii) in the case $-1 \notin \Gamma$ either

$$\Gamma_s = \alpha^{-1}\{T^{lm}\}_{m \in \mathbb{Z}}\,\alpha, \quad \text{or} \quad \Gamma_s = \alpha^{-1}\{(-T^{l})^m\}_{m \in \mathbb{Z}}\,\alpha;$$

(c) the integer $l$ is a divisor of $N$;
(d) the integer $l$ does not depend on the choice of $\alpha \in \Gamma$ with $s = \alpha^{-1}(\infty)$, and it only depends on the $\Gamma$-equivalence class of $s$.
8.8. Find the ramification indices of $\Gamma$ at all its cusps when:
(a) $\Gamma = \Gamma_0(p)$ ($p$ a prime);
(b) $\Gamma = \Gamma_0(p^2)$;
(c) $\Gamma = \Gamma(2)$.
8.9. Prove that if $\Gamma \subset \Gamma(1)$ is a normal subgroup, then all cusps have the same ramification index, namely $[\Gamma(1)_\infty : \pm\Gamma_\infty]$.
8.10. Show that if $\Gamma \subset \Gamma(1)$ is a normal subgroup, and if $f(z)$ is $\Gamma$-invariant, then so is $f(\alpha(z))$ for any $\alpha \in \Gamma(1)$. Then show that the field of weight zero modular functions for $\Gamma$ is a Galois field extension of $\mathbb{C}(j)$ whose Galois group is a quotient of $\Gamma(1)/\Gamma$.
8.11. Prove that if $k$ is even and $f(z)$ has period 1 and satisfies $f(-1/4z) = (-4z)^{k/2}f(z)$, then $f \circ [\gamma]_k = f$ for all $\gamma \in \Gamma_0(N)$.

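8.12. Let $\Gamma \subset \Gamma(1)$ be a congruence subgroup and $F$ be a fundamental domain for $\Gamma$. Show that
(a) the integral
$$\mu(\Gamma) = \int_F \frac{dx\,dy}{y^2}$$
converges and is independent of the choice of $F$;
(b) $[\Gamma(1) : \Gamma] = \mu(\Gamma)/\mu(\Gamma(1))$;
(c) if $\alpha \in GL_2^+(\mathbb{Q})$ and $(\alpha^{-1}\Gamma\alpha) \subset \Gamma$, then $[\Gamma(1) : \Gamma] = [\Gamma(1) : (\alpha^{-1}\Gamma\alpha)]$.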
Chapter 9

Reductions of Modular Curves

The existence of good codes coming from classical modular curves is substantiated
by the following three phenomena:

(i) the existence of modular curves, i.e., curves whose points have an interpre-
tation as modular points;

(ii) the zeta-function of such curves over $\mathbb{F}_p$ is expressible in terms of Fourier coefficients of normalized eigenforms for the algebra of Hecke operators;

(iii) the Eichler-Selberg trace formula, which computes the trace of a Hecke
operator on the space of modular forms.

We give a sketch of these ideas but must refer to the literature for more
detailed treatment of deep arithmetical theory of modular curves (see Gunning
[69], Koblitz [96], Lang [108, 110], Miyake [127], and especially Eichler [38] and
Shimura [176]).

9.1. REDUCTIONS AND MODULI SPACES

The most important property of the curve $X_0(N)$ is the fact, first proved by Igusa, that $X_0(N)$ has a non-singular projective model which is defined by an equation over $\mathbb{Q}$ whose reductions modulo primes $p$, $(p,N) = 1$, are also non-singular.


Reduction of a Curve
Let An (k) be n-dimensional affine space over a field k, and C) a valuation ring in
k with the unique maximal ideal m. Let us assume that the quotient field of C)
coincides with k. Consider the residue field k = C) 1m and denote by x the image
of x E C) under the canonical map C) -+ k. Now we define the reduction map
C)n -+ An (k) by (X\, ... ,xn) H (X\, ... ,xn), and extend it to the whole space An (k)
as follows:

Let X C An be a smooth affine curve over a field k. Denote by a(X) the ideal
of X in the ring k[T) = k[T\, ... , Tn) and assume that F\, ... ,Fr form a basis of
a(X) in k[T), so that a(X) = (F\, ... ,Fr). Since the quotient field of C) is k, we
can assume that all coefficients of the polynomials Fi lie in C) and each Fi has at
least one coefficient which does not lie in m. Thus for every i = 1,2 ... , r, the
polynomial Fi E k[T) obtained fromFi by reduction modulo m of its coefficients,
does not vanish in the ring k[T\, ... , Tn). Let us consider a closed subset X in
An (k) which is defined by the system of equations F\ (T) = ... = Fr(T) = O.
One can show that there exists a basis F\, ... ,Fr of a(X) such that dimX = l.
The set X is called a reduction of X modulo m. It should be pointed out that X
depends on the choice of basis in a(X); in general, another choice of basis can give
another reduction X', which is not isomorphic to X; moreover X' can be reducible
while X is irreducible. If X is an irreducible smooth curve, we say that X has a
good reduction modulo m. An affine curve X may possess non-isomorphic good
reductions X and X'.
Now if $X$ is a smooth projective curve we can define its reduction choosing
a basis $(F_1, \ldots, F_s)$ in the ideal $\mathfrak{a}(X)$ of homogeneous polynomials vanishing on
$X$. For a smooth projective curve one can prove that its good reduction is unique
(up to an isomorphism). Thus good reduction of a smooth projective curve is
well-defined.
Let $X$ and $Y$ be smooth projective curves having good reductions modulo $\mathfrak{m}$,
and let $\varphi : X \to Y$ be a morphism. We can define its reduction $\bar{\varphi} : \bar{X} \to \bar{Y}$ as
follows. Let $\Gamma$ be the graph of $\varphi$, i.e., the set

$$\Gamma = \{(x, \varphi(x)) \in X \times Y \mid x \in X\},$$

which is a smooth projective curve isomorphic to $X$. Hence it has good reduction
$\bar{\Gamma} \subset \bar{X} \times \bar{Y}$, and one can show that there exists a unique morphism $\bar{\varphi} : \bar{X} \to \bar{Y}$
whose graph is $\bar{\Gamma}$. Similarly one can define reductions of other objects connected
with $X$ such as differential forms, divisors, etc.
Unfortunately, the definition of reduction modulo $\mathfrak{m}$ sketched above has some
deficiencies. First of all it gives no idea of how to find an appropriate basis
$\{F_1, \ldots, F_r\}$ in $\mathfrak{a}(X)$ ensuring the existence of good reduction. Next, if $X$ has no
good reduction it is not clear how to define "correct" reduction modulo $\mathfrak{m}$. Note
that the above definition of reduction of a morphism is also not satisfactory for its
use in practice.
The theory of schemes gives an adequate technique to study the above ques-
tions, but this assumes a fairly thorough acquaintance with algebraic varieties over
arbitrary commutative rings. We describe some aspects of the reduction process
in connection with the special case of modular curves without any reference to the
theory of schemes. The fundamental fact which will be used in the future is that
modular curves possess an interpretation as moduli varieties of elliptic curves with
additional structures.

Moduli Spaces
To get more moduli spaces of elliptic curves over a field $k$ which is not algebraically
closed, we consider pairs $(E, G_N)$, where $E$ is an elliptic curve and $G_N$ a cyclic
subgroup of order $N$ in $E$.
Under the action

$$\gamma(z) = \frac{az+b}{cz+d}, \qquad \gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1),$$

the orbits of the group $\Gamma(1)$ can be identified with the points in the fundamental
domain $F = \Gamma(1)\backslash H$ (see Theorem 7.24). This domain can be made into a
compact Riemann surface $F^*$ of genus $g = 0$ by adding the point $\infty$ and prescribing
that any subset $F_M$ of $F$ of the form $F_M = \{z \in F \mid \operatorname{Im} z > M\}$ shall be an open
neighborhood of $\infty$. This space is an algebraic curve over $\mathbb{C}$ whose field of
meromorphic functions is isomorphic to that of the projective line $\mathbb{P}^1(\mathbb{C})$. This
correspondence gives the equality

and also permits us to think of $\mathbb{P}^1(\mathbb{C})$ as the parameter space for the family of
isomorphism classes of elliptic curves over $\mathbb{C}$, with the understanding that the
point $\infty$ corresponds to the singular cubic curve $v^2 = 4u^3$. Let us try to clarify
the situation. For our purpose it is convenient to think of an elliptic curve over
$\mathbb{C}$ as a one-dimensional torus, i.e., quotient space of $\mathbb{C}$ by a lattice $\Lambda_z = \mathbb{Z}z + \mathbb{Z}$:
$E_z = \mathbb{C}/\Lambda_z$, where $z \in H$. The Weierstrass function $\wp(z')$ provides an analytic
isomorphism $\mathbb{C}/\Lambda_z \xrightarrow{\sim} E_z$ between $E_z$ and the Weierstrass model
$$E_z :\ v^2 = 4u^3 - g_2 u - g_3.$$

An important property of the $j$-invariant

$$j(E_z) = 1728\, g_2^3/(g_2^3 - 27 g_3^2)$$

is the fact that two elliptic curves $E$ and $E'$ with $j(E) = j(E')$ are isomorphic. The
isomorphism need not be defined over the field which contains the coefficients
$g_2, g_3$. Each point $z \in F$ then defines an elliptic curve $E_z$ with finite $j$-invariant
$j(z)$. To make the correspondence complete we observe that if a value of $j = j(z)$ is
given it is possible to write an equation for a representative curve in the isomorphism
class of elliptic curves with the given $j$-invariant, namely:

(i) if $j \ne 0$ or $1728$, then $E : v^2 = 4u^3 - \frac{27j}{j-1728}(u + 1)$;

(ii) if $j = 0$, then $E : v^2 = 4u^3 - 1$;

(iii) if $j = 1728$, then $E : v^2 = 4u^3 - 3u$.

As the point $z \in H$ approaches the point $\infty$, the value of $j(z)$ becomes unbounded,
thus reflecting the fact that $E_z$ degenerates into a plane cubic curve with singularity
for which a model can be chosen to be $v^2 = 4u^3$.
To recapitulate what we have just said, we observe that two points $z$ and $z'$ in
$H$ related by a transformation $z' = \gamma(z)$, $\gamma \in \Gamma(1)$, give rise to two elliptic curves
$E_z$ and $E_{z'}$ which are birationally isomorphic, i.e., they have isomorphic function
fields. On the other hand, the function $j(z)$ on $H$ is invariant under $\Gamma(1)$ and its
value characterizes the isomorphism class of the elliptic curve $E_z$. The projective line
$\mathbb{P}^1(\mathbb{C})$ with the field of rational functions $\mathbb{C}(j)$ as its function field, can now be
considered as a parameter space for the isomorphism classes of elliptic curves over
$\mathbb{C}$; in this sense we shall refer to $\mathbb{P}^1(\mathbb{C}) = X_0(1)$ simply as the $j$-line.
Let us now describe the moduli spaces corresponding to the congruence subgroups
of $\Gamma(1)$; this will correspond to a finite algebraic extension of the function
field $\mathbb{C}(j)$ on the $j$-line which possesses many pleasant properties. Let $N$ be a positive
integer and $E = \mathbb{C}/\Lambda_z$ be an elliptic curve with period lattice $\Lambda_z = \mathbb{Z}z + \mathbb{Z}$,
$z \in H$. Let $G_N$ be a cyclic subgroup of $E$ of order $N$, which without loss of
generality we may identify with integral multiples of $1/N$ modulo $\Lambda_z$. Under
the action of $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma_0(N)$ the lattice $\Lambda_z$ is mapped to the lattice
$\Lambda_{z'} = (az + b)\mathbb{Z} + (cz + d)\mathbb{Z}$; the generator of $G_N$ is mapped to

$$\frac{cz+d}{N} \equiv \frac{d}{N} \mod (\Lambda_z).$$

Therefore the group $G_N$ remains invariant under $\Gamma_0(N)$.
The Riemann surface $\Gamma_0(N)\backslash H = Y_0(N)$, i.e., the space of orbits in $H$ under the
action of $\Gamma_0(N)$, can be thought of as a covering of $\Gamma(1)\backslash H$ which parameterizes
isomorphism classes of pairs $(E, G_N)$ consisting of an elliptic curve $E$ together with
a fixed cyclic subgroup $G_N$ of $E$ of order $N$. The space $Y_0(N)$ is the complement of
a finite number of points of the compact Riemann surface $X_0(N) = \Gamma_0(N)\backslash H^* =
(\Gamma_0(N)\backslash H) \cup (\Gamma_0(N)\backslash \mathbb{P}^1(\mathbb{Q}))$.
A useful set of representatives for the orbits $\Gamma_0(N)\backslash \mathbb{P}^1(\mathbb{Q})$ is described as
follows. Consider the set of all pairs $\{c, d\}$ of positive integers satisfying
$$(c, d) = 1, \qquad d \mid N, \qquad 0 < c < N/d.$$
If $\Gamma_s$ is the stabilizer of a cusp $s$ in $\Gamma_0(N)\backslash \mathbb{P}^1(\mathbb{Q})$, then the cardinality of
$\Gamma_0(N)\backslash \mathbb{P}^1(\mathbb{Q})$ is the same as the cardinality of the double cosets $\Gamma_s\backslash \Gamma(1)/\Gamma_0(N)$.
If we take for $s$ the cusp $0$, this cardinality is simply the number of the pairs $\{c, d\}$
modulo the equivalence: $\{c, d\} \sim \{c', d'\}$ when there are matrices $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$
and $\gamma' = \begin{pmatrix} a' & b' \\ c' & d' \end{pmatrix}$ in $\Gamma(1)$ satisfying $\gamma' = \gamma$ (~ ~) for some $m \in \mathbb{Z}$. Thus
for a fixed $d$ the number of inequivalent cusps is $\varphi((d, N/d))$, and hence the number
of cusps for $\Gamma_0(N)$ is
$$\nu_\infty = \sum_{d \mid N} \varphi((d, N/d)).$$

In particular, if $N$ is a prime then $\nu_\infty = 2$.
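
The cusp count can be checked by machine. The following Python sketch is an added example, not code from the book: it evaluates $\nu_\infty = \sum_{d \mid N}\varphi((d, N/d))$ and compares it with a direct count of double cosets. As assumptions of the example, it uses the stabilizer of the cusp $\infty$ instead of the cusp $0$ (the number of double cosets is the same for every cusp of $\Gamma(1)$), identifies $\Gamma_0(N)\backslash\Gamma(1)$ with $\mathbb{P}^1(\mathbb{Z}/N\mathbb{Z})$ through the bottom row $(c : d)$, and uses the standard index formula $N\prod_{l \mid N}(1 + 1/l)$; all function names are hypothetical.

```python
from math import gcd


def euler_phi(n):
    """Euler's phi-function by trial division (fine for small n)."""
    result, m, q = n, n, 2
    while q * q <= m:
        if m % q == 0:
            while m % q == 0:
                m //= q
            result -= result // q
        q += 1
    if m > 1:
        result -= result // m
    return result


def cusp_count_formula(N):
    """nu_infinity = sum over d | N of phi(gcd(d, N/d))."""
    return sum(euler_phi(gcd(d, N // d))
               for d in range(1, N + 1) if N % d == 0)


def index_gamma0(N):
    """[Gamma(1) : Gamma_0(N)] = N * prod over primes l | N of (1 + 1/l)."""
    mu, m, l = N, N, 2
    while m > 1:
        if m % l == 0:
            mu += mu // l
            while m % l == 0:
                m //= l
        l += 1
    return mu


def projective_line(N):
    """P^1(Z/NZ): pairs (c : d) with gcd(c, d, N) = 1 up to unit scaling.

    Returns the set of canonical representatives and the canonicalising map.
    """
    units = [u for u in range(1, N + 1) if gcd(u, N) == 1]

    def canon(c, d):
        return min(((u * c) % N, (u * d) % N) for u in units)

    points = {canon(c, d) for c in range(N) for d in range(N)
              if gcd(gcd(c, d), N) == 1}
    return points, canon


def cusp_count_orbits(N):
    """Orbits of T = [[1, 1], [0, 1]] acting on the right of P^1(Z/NZ).

    These orbits are the double cosets Gamma_0(N) \\ Gamma(1) / <+-T>,
    i.e. the cusps of Gamma_0(N).
    """
    points, canon = projective_line(N)
    seen, orbits = set(), 0
    for start in sorted(points):
        if start in seen:
            continue
        orbits += 1
        pt = start
        while pt not in seen:      # walk the cycle (c : d) -> (c : c + d)
            seen.add(pt)
            pt = canon(pt[0], (pt[0] + pt[1]) % N)
    return orbits


if __name__ == "__main__":
    for N in (1, 4, 11, 12, 16, 36):
        print(N, index_gamma0(N), cusp_count_formula(N), cusp_count_orbits(N))
```
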


The interpretation of $X_0(N)$ as a moduli space now requires that the cusps
(i.e., the points at infinity) be associated with "generalized elliptic curves," i.e.,
curves which are no longer of genus 1 and where a group law can be defined and
distinguished, and a cyclic group $G_N$ of order $N$ can be isolated.
Now let $x$ be a point on $E = \mathbb{C}/\Lambda_z$ of order $N \ge 1$. Without loss of generality
we may take $x = 1/N$. Under the action of an element $\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma(1)$,
the point $x$ is mapped to the point
$$\frac{cz+d}{N} \mod (\Lambda_z).$$

Now the point $x$ is left fixed by $\gamma$ if and only if $c \equiv 0 \bmod (N)$ and $d \equiv 1 \bmod (N)$.
This is precisely the condition that $\gamma$ be an element of the congruence subgroup
$\Gamma_1(N)$. The orbits of points in $H$ under $\Gamma_1(N)$ correspond to isomorphism classes
of pairs $(E, x)$ consisting of an elliptic curve $E$ together with a point $x \in E$ of order
$N$. The quotient $Y_1(N) = \Gamma_1(N)\backslash H$ can also be compactified to obtain a compact
Riemann surface

representing the complex points of an algebraic curve which possesses a non-singular
model defined over $\mathbb{Q}$, with good reduction modulo primes $p$, $(p, N) = 1$.
Its genus is also given by a formula similar to that for $g_0(N)$. The moduli
interpretation of the projective curve $X_1(N)$ requires the consideration of generalized
elliptic curves to account for the points at infinity. In a certain sense $X_1(N)$ is a
more pleasant object to study; for example it is a Galois covering of the projective
line $\mathbb{P}^1$ and hence also of $X_0(N)$.

9.2. THE IGUSA THEOREM

As we have seen, the curve $Y_0(N)$ is in a natural bijection with the set of isomorphism
classes of pairs $(E, G_N)$ consisting of a complex elliptic curve $E = \mathbb{C}/\Lambda_z$
together with a fixed subgroup $G_N$ of $E$ of order $N$ (clearly $G_N \subset E_N$, where
$E_N = \frac{1}{N}\Lambda_z/\Lambda_z \cong \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$ is the group of points of order $N$ on $E$).
To state a similar result for $Y(N) = \Gamma(N)\backslash H$ we need some technical constructions
with the group $E_N$, one of which is the Weil pairing $e_N(x, y)$. Let $U_N$ be the
cyclic group of complex $N$th roots of 1, and $x, y$ be points of $E_N$, corresponding
to pairs $(s, t), (u, v) \in \mathbb{Z}/N\mathbb{Z} \times \mathbb{Z}/N\mathbb{Z}$. The skew-symmetric Weil pairing

is defined by
$$e_N(x, y) = \exp(2\pi i (sv - tu)/N).$$
A level $N$-structure on $E$ is simply an isomorphism

with $\det \alpha_N = 1$. If such a level $N$-structure $\alpha_N$ is given, let $\zeta(\alpha_N)$ denote the
primitive $N$th root of 1:

The curve $Y(N)$ is in a natural bijection with isomorphism classes of elliptic curves
over $\mathbb{C}$ endowed with a level $N$-structure $\alpha_N$ satisfying $\zeta(\alpha_N) = e^{2\pi i/N}$. In other
words, the modular curve $Y(N)$ can be interpreted as a moduli variety over $\mathbb{C}$.
The Igusa theorem (Igusa [82]) provides a sort of universal model for the
parameter space of the families of elliptic curves with a level $N$-structure. As
a preliminary to Igusa's main result on the modular curves $X_0(N)$ and $X(N)$ we
need a thorough study of the Galois theory of the corresponding fields of elliptic
functions over a field of characteristic $p \ge 0$ (see Lang [108] for more detailed
treatment). This requires some extension of the Weil pairing $e_N(x, y)$ considered
above.

Weil Pairing
Let $E$ be an elliptic curve defined over a field of characteristic $p \ge 0$. Let $x_0$ be the
origin for the group law on $E$ and $N$ be a positive integer relatively prime to $\operatorname{char} k$.
To construct the Weil pairing in this general situation one needs the following
version of Theorem 7.22.

Proposition 9.1. Let $x_1, \ldots, x_s$ be points of $E$ and $a_1, \ldots, a_s$ be integers satisfying

(i) $\sum_{i=1}^{s} a_i = 0$;
(ii) $\sum_{i=1}^{s} a_i x_i = x_0$, with addition in the group law on $E$.
Then
$$D = \sum_{i=1}^{s} a_i \cdot (x_i)$$
is a principal divisor on $E$.

Proof: Since the assertion involves only a finite number of points we may assume
without loss of generality that the ground field $k$ is algebraically closed. We have
seen, as a consequence of the Riemann-Roch theorem, that the map $x \mapsto L(x - x_0)$
induces a bijection between the set of points of $E$ and the group $\operatorname{Pic}^0(E)$. Thus the
set of points on $E$ forms a group, with $x_0$ as the zero element. Moreover, $x + y = z$
if and only if the corresponding divisors on $E$ are equivalent: $(x + y) \sim (z + x_0)$.
Since $D = \sum a_i \cdot (x_i)$ is a divisor of degree zero, the proposition follows now
from this group structure on $E$. •
Let $E_N$ be the group of points of order $N$ on $E$ and $U_N$ be the cyclic group
of roots of 1 in the algebraic closure of $k$. If we use the above proposition, the
skew-symmetric Weil pairing $e_N(x, y)$:

$$(x, y) \to e_N(x, y),$$

is constructed as follows. Fix a point $y \in E_N$. Since the divisor $N \cdot (y) - N \cdot (x_0)$
of degree zero satisfies the hypothesis of the proposition, it is principal, say

$$N \cdot (y) - N \cdot (x_0) = (f)$$

for some $f \in k(E)$. Take a point $z \in E$ with $N \cdot z = y$ and again apply the proposition
to obtain a function $g$ satisfying

$$\sum_{x \in E_N} (x + z) - \sum_{x \in E_N} (x) = (g).$$

Clearly we have
$$(g^N) = \sum_{x \in E_N} N \cdot (x + z) - \sum_{x \in E_N} N \cdot (x).$$
Since $x + z$ is a zero of $f(Nt)$ and $x$ is a pole of $f(Nt)$ we see that

$$\sum_{x \in E_N} N \cdot (x + z) - \sum_{x \in E_N} N \cdot (x) = (f(Nt))$$

and thus, up to a constant factor, we have $g^N(t) = f(Nt)$ for any $t \in E$. Since
$x \in E_N$ then $g^N(x + t) = g^N(t)$ and hence
$$g(x + t) = e_N(x, y)\, g(t)$$
for some root of unity $e_N$ in $U_N$.


The pairing $e_N(x, y)$ has the following properties:

(i) $e_N(x' + x'', y) = e_N(x', y)\, e_N(x'', y)$;

(ii) $e_N(x, y' + y'') = e_N(x, y')\, e_N(x, y'')$;

(iii) $e_N(x, y) = e_N(y, x)^{-1}$;

(iv) if $y$ is of order $N$, $e_N(x, y)$ generates $U_N$ for some $x$;

(v) $e_N(x, y)$ is non-degenerate, i.e., if $e_N(x, y) = 1$ for all $y$, then $x = x_0$;

(vi) for every automorphism $\sigma \in \operatorname{Gal}(k_s/k)$, $k_s$ being the separable closure of $k$,

The Field of Modular Functions over Q


Consider now the elliptic curve with Weierstrass model $E : v^2 = 4u^3 - g_2 u - g_3$,
where $\Delta = g_2^3 - 27 g_3^2 \ne 0$. We define three Weber functions $h_E^i$, $1 \le i \le 3$, on the
curve $E$, which we denote generically by $h$:

$$h_E^1((u, v)) = g_2 g_3 u/\Delta \quad \text{if } g_2 g_3 \ne 0,$$
$$h_E^2((u, v)) = g_2^2 u^2/\Delta \quad \text{if } g_3 = 0,$$
$$h_E^3((u, v)) = g_3 u^3/\Delta \quad \text{if } g_2 = 0.$$

These functions are defined over $k$ and have the property that if $\alpha : E \to E'$ is an
isomorphism then $h_E^i = h_{E'}^i \circ \alpha$ for $i = 1, 2, 3$. In particular two points $x$ and $y$ on
$E$ satisfy
$$h_E(x) = h_E(y)$$
if and only if $x = \alpha(y)$ for some automorphism $\alpha \in \operatorname{Aut}(E)$ (see Lang [108, p. 20]).
In describing the Galois theory of elliptic function fields, we consider a ground
field $k$ and a variable element $j$ over $k$. Representative elements of the isomorphism
classes of elliptic curves defined over $k(j)$ with $j$ as their $j$-invariant are given as
follows: in $\operatorname{char} k \ne 2, 3$ we take the projective model

$$E : v^2 w = 4u^3 - 27j(j - 1728)^{-1}(u + w)w^2,$$

in $\operatorname{char} k = 2$ or $3$ we take respectively for $E$ the projective models

These curves are non-singular and the group law can be defined with reference
to the point $x_0 = (0 : 1 : 0)$ as origin. If $j$ is allowed to take special values then
the resulting specializations $E_j$ remain elliptic curves and have $j$ as $j$-invariant
provided $j$ is different from $0, 1728, \infty$.
We now take $N$ to be a positive integer which is not divisible by the characteristic
of $k$ and let $E_N$ be the group of points of order $N$ on the elliptic curve $E$ chosen
above. Let $k(j, E_N)$ be the finite algebraic extension of $k(j)$ obtained by adjoining
to $k(j)$ the coordinates of the points in $E_N$. Similarly we define $k(j, h(E_N))$ to
be the field obtained by adjoining to $k(j)$ the values $h(x)$ of the Weber function
$h$ at the points $x \in E_N$. The fields $k(j, E_N)$ and $k(j, h(E_N))$ are Galois extensions
of $k(j)$ which are intrinsically defined by $N$, i.e., do not depend on the choice of
model for $E$. If $k$ is extended to its algebraic closure $k'$, then $k'(j, h(E_N))$ is called
the field of modular functions of level $N$.

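Proposition 9.2. Let $j$ be transcendental over $k$. Let $N$ be a positive integer not
divisible by $\operatorname{char} k$, and let $E_N$ be the group of points of order $N$ on $E$. Then the
field $k_N = k(\zeta_N)$, where $\zeta_N$ is a primitive $N$th root of 1, is algebraically closed in
$k_N(j, E_N)$. Moreover

$$\operatorname{Gal}(k(j, E_N)/k_N(j)) \cong SL_2(\mathbb{Z}/N\mathbb{Z}),$$
$$\operatorname{Gal}(k(j, E_N)/k(j)) \cong GL_2(\mathbb{Z}/N\mathbb{Z})$$

and

$$\operatorname{Gal}(k(j, h(E_N))/k_N(j)) \cong SL_2(\mathbb{Z}/N\mathbb{Z})/\{\pm 1\},$$
$$\operatorname{Gal}(k(j, h(E_N))/k(j)) \cong GL_2(\mathbb{Z}/N\mathbb{Z})/\{\pm 1\}.$$

Proof: See Lang [108, pp. 66-68], Shimura [176, p. 135].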


We proceed to describe the construction of a non-singular model of the field
of modular functions of level $N$ in characteristic zero, i.e., $k = \mathbb{Q}$, with the
property that its reduction with respect to every prime $p$ not dividing $N$ is a
non-singular model for the field of modular functions of level $N$ over $\mathbb{F}_p$. Let
$\bar{\mathbb{Q}}$ be the algebraic closure of $\mathbb{Q}$ and $\mathbb{Q}_N = \mathbb{Q}(\zeta_N)$, $\zeta_N = e^{2\pi i/N}$, the cyclotomic
field. Let $j$ be transcendental over $\mathbb{Q}$ and, as before, pick an elliptic curve $E = E_j$
defined over $\mathbb{Q}(j)$ with $j$ as its $j$-invariant. Let $E_N$ be the group of points of order
$N$ on $E$ and denote by $h : E \to \mathbb{P}^1$ the map defined by the Weber function $h$.
The field $\mathbb{Q}(j, h(E_N))$ is the field of modular functions with level $N$-structure in
characteristic 0. If the field of algebraic numbers $\bar{\mathbb{Q}}$ is extended to $\mathbb{C}$ we recover the
classical field of modular functions of level $N$. We know that the field $\mathbb{Q}(j, h(E_N))$
does not depend on the choice of model $E_j$ and that $\mathbb{Q}_N$ is the algebraic closure
of $\mathbb{Q}$ in $\mathbb{Q}(j, h(E_N))$. We now fix two generators $x$, $y$ of $E_N$ and let $j_N$ be the
$j$-invariant of the elliptic curve $E/(y)$, where $(y)$ is the cyclic group generated by
$y$. The number $j_N$ is algebraic over $\mathbb{Q}(j)$ and the field

$$L = \mathbb{Q}(j, j_N, h(x))$$

is an intrinsically defined algebraic extension of $\mathbb{Q}(j)$ which depends only on $N$
and not on the choice of model $E_j$ or on the choice of generators $x$ and $y$ for $E_N$. From
Proposition 9.2 we see that $\mathbb{Q}(j, h(E_N))$ and $\mathbb{Q}(j)$ are respectively the compositum
and the intersection of $L$ and $\mathbb{Q}_N(j)$:

[Diagram of fields: $\mathbb{Q}(j, h(E_N))$ above, $\mathbb{Q}(j)$ below.]

The Field of Modular Functions over Fp


Let $p$ be a prime number and let us extend the $p$-adic valuation $v_p$ of $\mathbb{Q}$ to the field
of rational functions $\mathbb{Q}(j)$ as usual: write any rational function $f \in \mathbb{Q}(j)$ as a rational
number $a$ times the quotient of two polynomials in $\mathbb{Z}[j]$, each with coefficients
free of common divisors, and assign to it the value $v_p(a)$. Denote by $\mathcal{O}_p$ the
corresponding valuation ring of $\mathbb{Q}(j)$:

$$\mathcal{O}_p = \{ f(j) \in \mathbb{Q}(j) \mid v_p(f(j)) \ge 0 \}.$$
Let $j$ be transcendental over the finite field $\mathbb{F}_p$. Then $\mathcal{O}_p$ is the localization of
the ring $\mathbb{Z}[j]$ with respect to the prime ideal which defines the reduction map
$\mathbb{Z}[j] \to \mathbb{F}_p[j]$.
The following two propositions, which we state without proof, are essential
ingredients in the Igusa construction of the smooth model for the field $L$. First
recall that the integral closure of a ring $A$ contained in a field $k$ is the ring of all
elements in $k$ which are roots of monic polynomials in $A[t]$.
Proposition 9.3. If $p$ does not divide the level $N$, the integral closure $\mathcal{O}$ of $\mathcal{O}_p$ in
$L$ is an unramified valuation ring.

To state the second result we need some notation. Let $R$ be the integral closure
of $\mathbb{Z}[j]$ in $L$. By picking a basis $w_1, \ldots, w_s$ of $L$ over $\mathbb{Q}(j)$, with discriminant $d$ and
observing that as $\mathbb{Z}[j]$-module $R$ is contained in $\mathbb{Z}[j][w_1/d, \ldots, w_s/d]$, we obtain
from the Noetherian property of $\mathbb{Z}[j]$ that $R$ is finitely generated over $\mathbb{Z}[j]$. Also
let $R^*$ be the integral closure of $\mathbb{Z}[1/j]$; for reasons similar to those above, $R^*$ is
a finitely generated module over $\mathbb{Z}[1/j]$. As $\mathbb{Z}[j]$ and $\mathbb{Z}[1/j]$ are contained in the
valuation ring $\mathcal{O}_p$, both $R$ and $R^*$ are contained in the integral closure $\mathcal{O}$ of $\mathcal{O}_p$ in
$L$. If $p \nmid N$, Proposition 9.3 guarantees that $\mathcal{O}$ is a local ring with maximal ideal
$\mathfrak{m} = p\mathcal{O}$. In fact, it is easily verified using a theorem of Krull that $\mathfrak{m} \cap R = pR$.
Similarly we get $\mathfrak{m} \cap R^* = pR^*$; thus $pR$ and $pR^*$ are prime ideals respectively
of $R$ and $R^*$. Let $k$ be the residue class field of $\mathcal{O}$, i.e., $k = \mathcal{O}/\mathfrak{m}$. Let $\bar{R}$ and
$\bar{R}^*$ be the images of $R$ and $R^*$ under the residue homomorphism $\mathcal{O} \to k = \mathcal{O}/\mathfrak{m}$,
i.e., $\bar{R} = R/pR$ and $\bar{R}^* = R^*/pR^*$. The residue class field $k$ is exactly the field of
quotients of $\bar{R}$ and $\bar{R}^*$; the integral domains $\bar{R}$ and $\bar{R}^*$ are integrally closed in $k$.

Proposition 9.4. The residue class field $k = \mathcal{O}/\mathfrak{m}$ is a regular extension of $\mathbb{F}_p$,
that is $\mathbb{F}_p$ is algebraically closed in $k$ and $k$ is a separable extension. Furthermore
the compositum of $k$ and the algebraic closure $\bar{\mathbb{F}}_p$ of $\mathbb{F}_p$ is the field of modular
functions of level $N$ in characteristic $p$.
The so-called Kronecker model of the field of modular functions of level $N$ is
the union $V$ of all discrete valuation rings of $R$ and $R^*$. The union $U$ of all discrete
valuation rings of $\mathbb{Z}[j]$ and $\mathbb{Z}[1/j]$ is the universal projective line and $V$ is in some
sense "the derived normal model" of $U$ in $L$. If the discrete valuation rings of
$V$ are classified according to the characteristic of the corresponding residue class
fields, the model $V$ is the disjoint union of local models, each parameterized by
primes of $\mathbb{Z}$:
$$V = V_0 + \sum_{p} V_p,$$
where $V_0$ is the model corresponding to characteristic zero. The main idea of
Igusa is to construct a projective model of $V_0$ such that $V_p$ is the union of the local
rings of points on the reduction of $V_0$ modulo $p$. We recall that a curve $X$ is called
normal, if every local ring $\mathcal{O}_x$, $x \in X$, is integrally closed (see Exercise 9.11).
Let $m$ be a positive integer and let $R_m$ be the set of elements $f$ in $R$ such
that $f/j^m$ is integral over $\mathbb{Q}[1/j]$. Put $R^*_m = R^* \cap (1/j)^m R$. Clearly $R_m$ contains
$1, j, \ldots, j^m$ and $R^*_m$ contains $1, 1/j, \ldots, (1/j)^m$. If we take $m$ sufficiently large we
obtain $\mathbb{Z}[R_m] = R$ and $\mathbb{Z}[R^*_m] = R^*$. Applying the reduction map $\mathcal{O} \to k = \mathcal{O}/\mathfrak{m}$, we
get $\mathbb{F}_p[\bar{R}_m] = \bar{R}$ and $\mathbb{F}_p[\bar{R}^*_m] = \bar{R}^*$. Let $f_0, f_1, \ldots, f_m$ be a basis for the free $\mathbb{Z}$-module
$R_m$. Let $X$ be the abstract curve corresponding to the field $L$, i.e., the collection of
closed points corresponding to the discrete valuation rings of $L$, and let

$$\pi : X \to \mathbb{P}^m, \qquad x \mapsto (f_0(x), \ldots, f_m(x)).$$

Once $m$ is fixed, the image of $\pi$ is a curve, also denoted by $X$, which is uniquely
determined up to a projective transformation induced by a matrix in $SL_{m+1}(\mathbb{Z})$.
A simple argument shows that it is possible to normalize $X$ by taking as a basis
$f_0 = 1, f_1 = j, \ldots, f_m = j^m$.

The ring theoretic properties of $R$ and $R^*$ can now be translated into the
geometric properties of $X$. First of all $X$ is non-singular. In fact the projection
of $X$ on the hyperplane at infinity in $\mathbb{P}^m$ corresponding to the first coordinate is
an affine curve with coordinate ring $R \otimes_{\mathbb{Z}} \mathbb{Q}$ which is the integral closure of $\mathbb{Q}[j]$
in $L$. This affine curve is normal over $\mathbb{Q}$ and hence non-singular. Similarly the
projection of $X$ on the hyperplane at infinity in $\mathbb{P}^m$ corresponding to the $(m + 1)$-st
coordinate is an affine curve with coordinate ring $R^* \otimes_{\mathbb{Z}} \mathbb{Q}$ which is the integral
closure of $\mathbb{Q}[1/j]$ in $L$. The resulting affine curve is also normal over $\mathbb{Q}$ and hence
non-singular. These two affine curves, which provide a complete open cover for
$X$, are fixed in the discussion which follows. The crucial property of $X$ is the claim
that for a prime $p$ which does not divide $N$, the reduction $X_p$ of $X$ with respect to
$p$ remains non-singular. As indicated in Proposition 9.4, $pR$ is a prime ideal of $R$
and the field of quotients $k$ of $\bar{R} = R/pR$ is regular over $\mathbb{F}_p$. This implies that the
reduction of one open set of $X$ with respect to $p$ is an irreducible affine curve over
$\mathbb{F}_p$. Now, since $\mathbb{F}_p[\bar{R}_m] = \bar{R}$ and $\bar{R}$ is integrally closed in $k$, this curve is normal
over $\mathbb{F}_p$ and hence non-singular. Similarly the reduction of the other open set of
$X$ with respect to $p$ is non-singular. These two affine curves determine a complete
open cover of $X_p$, and hence the curve $X_p$ is non-singular. The following is the
fundamental theorem in the theory of elliptic modular functions.

Theorem 9.5 (the Igusa theorem). There exists a non-singular projective model
$X$ of the field $L$ over $\mathbb{Q}$ such that the local model $V_p$ is the union of the discrete
valuation rings corresponding to the closed points of its reduction $X_p$ with respect
to $p$. If $p \nmid N$ then $X_p$ is a non-singular projective model of the field $k = \mathcal{O}/p\mathcal{O}$
over $\mathbb{F}_p$.

The same reasoning outlined above provides non-singular projective models
for any function field intermediate between $L$ and $\mathbb{Q}(j)$ with similar properties
under reduction modulo $p$. In particular this applies to the field $L_0 = \mathbb{Q}(j, j_N)$.

Corollary 9.6. The field $\mathbb{Q}(j, j_N)$ has a non-singular projective model $X$ defined
over $\mathbb{Q}$ with good reductions modulo primes $p$ which do not divide $N$.

The smooth projective model $X$ defined over $\mathbb{Q}$, whose existence is ascertained
by the corollary above, is the curve associated to the Riemann surface

$$X_0(N) = (\Gamma_0(N)\backslash H) \cup (\Gamma_0(N)\backslash \mathbb{P}^1(\mathbb{Q})).$$

The Kronecker Congruence Relation

Using some simple properties of the binomial coefficients, one can prove the
following property of the polynomial $\Phi_N(j, u)$ defined earlier in Section 8.2.

[Figure 9.1: labels "supersingular point" and the two projective lines.]

Theorem 9.7 (the Kronecker congruence relation). For $p$ a prime number we
have
$$\Phi_p(j, u) \equiv (u - j^p)(u^p - j) \mod (p).$$
The Kronecker congruence relation gives a hint of the rich structure of the
curve $X_0(p)$ in characteristic $p$. In fact, over the algebraic closure $\bar{\mathbb{F}}_p$,

i.e., the union of two projective lines (see Fig. 9.1). The singularities are ordinary
double points, all defined over $\mathbb{F}_{p^2}$. A more refined analysis using the moduli
interpretation of $X_0(p)$ reveals that the singularities actually occur at the points
corresponding to supersingular elliptic curves.
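
The congruence can be checked by hand for $p = 2$. The Python sketch below is an added example, not from the book: it takes the classical modular polynomial $\Phi_2$ with its standard integer coefficients (assumed here to be the $\Phi_N$ of Section 8.2 for $N = 2$; the coefficients are not given on this page), confirms them through the three integer roots of $\Phi_2(x, x)$, and compares the reduction modulo 2 with $(u - j^2)(u^2 - j)$. Function names are hypothetical.

```python
# Classical modular polynomial Phi_2(j, u) over Z, stored as
# {(degree in j, degree in u): coefficient}.
PHI_2 = {
    (3, 0): 1, (0, 3): 1, (2, 2): -1,
    (2, 1): 1488, (1, 2): 1488,
    (2, 0): -162000, (0, 2): -162000,
    (1, 1): 40773375,
    (1, 0): 8748000000, (0, 1): 8748000000,
    (0, 0): -157464000000000,
}


def poly_mul(f, g):
    """Product of two bivariate polynomials in dictionary form."""
    out = {}
    for (a, b), c in f.items():
        for (s, t), e in g.items():
            key = (a + s, b + t)
            out[key] = out.get(key, 0) + c * e
    return {k: v for k, v in out.items() if v}


def reduce_mod(f, p):
    """Reduce the coefficients modulo p and drop the terms that vanish."""
    return {k: v % p for k, v in f.items() if v % p}


def kronecker_rhs(p):
    """(u - j^p)(u^p - j) as a polynomial in (j, u)."""
    return poly_mul({(0, 1): 1, (p, 0): -1}, {(0, p): 1, (1, 0): -1})


def evaluate(f, j, u):
    """Exact integer value of f at (j, u)."""
    return sum(c * j**a * u**b for (a, b), c in f.items())


def is_symmetric(f):
    """Phi_N(j, u) = Phi_N(u, j): a cheap check on typed-in coefficients."""
    return all(f.get((b, a)) == c for (a, b), c in f.items())


def kronecker_congruence_holds(phi, p):
    """True when phi = (u - j^p)(u^p - j) coefficientwise modulo p."""
    return reduce_mod(phi, p) == reduce_mod(kronecker_rhs(p), p)


if __name__ == "__main__":
    # Phi_2(x, x) vanishes at these three integer j-invariants.
    print([evaluate(PHI_2, x, x) for x in (1728, 8000, -3375)])
    print(sorted(reduce_mod(PHI_2, 2)))      # only four monomials survive
    print(kronecker_congruence_holds(PHI_2, 2))
```

Modulo 2 every coefficient of $\Phi_2$ except those of $j^3$, $u^3$, $j^2u^2$ and $ju$ vanishes, which is exactly the expansion of $(u - j^2)(u^2 - j)$.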

9.3. THE EICHLER-SHIMURA CONGRUENCE RELATION

On the curve $X_0(N)$ over $\mathbb{Q}$ the space $\Omega_0(N)$ of regular differential forms is
isomorphic to the $\mathbb{C}$-vector space $S_2(\Gamma_0(N))$ of holomorphic cusp-forms on $H$
of weight 2 for the group $\Gamma_0(N)$. Hence $S_2(\Gamma_0(N))$ is a $g$-dimensional space over
$\mathbb{C}$, where $g = g_0(N)$ is the genus of $X_0(N)$. Such forms are defined by functions
$f : H \to \mathbb{C}$ which are holomorphic, vanish at all cusps, and under the action of
$\gamma = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in \Gamma_0(N)$ satisfy
$$f\left(\frac{az+b}{cz+d}\right) = (cz+d)^2 f(z).$$

The isomorphism is given by $f(z) \mapsto \omega = f(z)\,dz$. Let $t = e^{2\pi i z}$ be a local parameter
about the cusp at infinity and let

$$f(z) = \sum_{n=1}^{\infty} a(n) t^n$$

be the expansion of the cusp-form in powers of $t$. If $p$ is a prime not dividing $N$, and
$T_p$ is the Hecke operator, we have

$$T_p f(z) = \sum_{n=1}^{\infty} a(pn) t^n + \sum_{n=1}^{\infty} p\, a(n) t^{pn}.$$

The operator $T_p$ leaves invariant the space $S_2(\Gamma_0(N))$ and hence $\Omega_0(N)$.
The Igusa theorem for $X_0(N)$ shows that for a prime $p$, $p \nmid N$, the space of
regular differential forms on the reduction $\bar{X}_0(N)$ of $X_0(N)$ modulo $p$ is obtained
by reducing modulo $p$ the corresponding space for $X_0(N)$. This theorem in fact
provides the existence of a basis for $\Omega_0(N)$ whose $t$-expansions have rational
coefficients in $\mathbb{Z}[1/N]$; the reduction of these forms provides a basis for the regular
differential forms on $\bar{X}_0(N)$. Using this procedure it makes sense to reduce the
Hecke operator $T_p$ modulo $p$. The resulting operator $\bar{T}_p$ turns out to be the
Frobenius operator on $\bar{X}_0(N)$ acting on the space of regular differential forms.
This is basically the content of the congruence relation; a proof of this result,
which is originally due to Eichler, can be based on the congruence relation

$$\Phi_p(j, u) \equiv (u - j^p)(u^p - j) \mod (p).$$

As the trace of the Frobenius operator is related to the number of points of
$X_0(N)(\mathbb{F}_p)$, we state the following result.
Theorem 9.8 (the Eichler-Shimura congruence relation). Let $p$ be a prime
number not dividing $N$. Then we have

where $\operatorname{tr} T_p$ is the trace of the Hecke operator $T_p$ acting on the space of cusp-forms
of weight 2 for $\Gamma_0(N)$.

We would like to add a few words about the proof of this important theorem.
Our brief discussion is intended to suggest only how the main line of the argument
runs and we invite the interested reader to consult the Eichler paper [37] and
Shimura's book [176, Ch. 7].
To begin with we start with a prime $p$ which does not divide the level $N$. As
implied by the Igusa theorem, the physical appearance of the curve $X_0(N)$ is the same
over the complex numbers as over the algebraic closure $\bar{\mathbb{F}}_p$ of $\mathbb{F}_p$.
We can interpret the Hecke operator $T_p$ in the following way. Consider the
product $X_0(N) \times X_0(N)$. Its points correspond to pairs $(E, G_N)$, where $E$ is an
elliptic curve and $G_N$ is a cyclic subgroup of order $N$. We consider in this product
the correspondence (algebraic curve) $\Delta_p$ consisting of all pairs $((E, G_N), (E', G'_N))$
with $E' = E/G$, $G'_N$ being the image of $G_N$ in $E/G$, and $G$ being a subgroup of $E$
of order $p$. Over $\mathbb{C}$ we can describe this correspondence as follows. We consider
in $H \times H$ all equations

$$a z_1 z_2 + b z_1 + c z_2 + d = 0, \qquad a, b, c, d \in \mathbb{Z},$$

where $(z_1, z_2) \in H \times H$ and $ad - bc = p$. They define a curve in $(\Gamma_0(N)\backslash H) \times
(\Gamma_0(N)\backslash H)$. It extends to a correspondence on $X_0(N) \times X_0(N)$, where $X_0(N) =
(\Gamma_0(N)\backslash H) \cup (\Gamma_0(N)\backslash \mathbb{P}^1(\mathbb{Q}))$, again denoted by $\Delta_p$. It is called the $p$th Hecke
correspondence. If $\omega$ is a regular differential form on $X_0(N)$ we can pull it back
to $\Delta_p$ and push it forward to $X_0(N)$. Then we find a differential form on $X_0(N)$
and denote it by $T_p^*\omega$. If $\omega$ comes from $f(z)\,dz$ on $H$ and $T_p^*\omega$ comes from $g(z)\,dz$
then we have $T_p f = g$, where $T_p$ is the Hecke operator on $S_2(\Gamma_0(N))$.
The congruence relation is the equality between the Hecke correspondence
acting on $X_0(N)(\mathbb{C})$ and the Frobenius correspondence acting on $X_0(N)(\mathbb{F}_p)$.
Now we briefly describe the Frobenius correspondence. It is defined on points
as follows. A point $x$ of $X_0(N)(\mathbb{F}_p)$ corresponds to an isomorphism class of pairs
$(E, G_N)$. Now the isomorphism class of $E$ is determined by the $j$-invariant; hence

$$x \leftrightarrow E \leftrightarrow j = j(E).$$

The Frobenius correspondence $f$ takes $x$ into the point $y$ associated to the elliptic
curve $E^{(p)}$ obtained from $E$ by raising the coefficients to the $p$th power; that is to
say, $E^{(p)}$ is an elliptic curve in the isomorphism class determined by the $j$-invariant
$j^p$; thus
$$f(x) = y \leftrightarrow E^{(p)} \leftrightarrow j^p.$$
We also need $f^*$, which is the dual correspondence. This is defined as

$$f^*(x) = x_1 + x_2 + \cdots + x_p,$$

where
$$x_i \leftrightarrow E_i \leftrightarrow j_i = j(E_i)$$
and the isomorphism class of $E_i$ is that characterized by the invariant $j_i$ satisfying
$j_i^p = j$ or equivalently $E_i$ satisfies $E_i^{(p)} = E$ (see Section 7.3). The sum $f + f^*$
defines a correspondence on the points $x$ of the curve $X_0(N)(\mathbb{F}_p)$ by setting

$$(f + f^*)(x) = y + x_1 + \cdots + x_p.$$

We can extend this correspondence by additivity to the group of divisor classes.
We can extend this correspondence by additivity to the group of divisor classes.
We now pass to the situation in characteristic zero and suppose that the point
$x \in X_0(N)(\mathbb{F}_p)$ comes from reduction modulo $p$ of a point $x$ (which by abuse of
notation we also denote by the same symbol) in $X_0(N)(\mathbb{C})$. Recall that such a point
$x$ is associated to an isomorphism class of elliptic curves, of which a representative
can be expressed as $E(z) = \mathbb{C}/(\mathbb{Z}z + \mathbb{Z})$, with $z$ a complex number in $H$. Such an
isomorphism class is characterized by the value of the $j$-invariant
$$j(z) = t^{-1} + \sum_{n=0}^{\infty} c(n) t^n,$$

Thus we have
$$x \leftrightarrow E(z) = \mathbb{C}/(\mathbb{Z}z + \mathbb{Z}) \leftrightarrow j = j(z).$$
Since $c(n)$ are integers, a simple extension of the Fermat little theorem to the ring
of formal power series in $t$ over $\mathbb{Z}$ gives the congruence

$$j(z)^p \equiv j(pz) \mod (p)$$

with the invariant $j(pz)$ associated to the isomorphism class of the elliptic curve
$E(pz) = \mathbb{C}/(\mathbb{Z}pz + \mathbb{Z})$. This then suggests the congruence

$$E^{(p)} \equiv \overline{E(pz)} \mod (p),$$

where the bar means that the equation for $E(pz)$ has been reduced modulo $p$.
This is not always possible and requires that the $j$-invariant of $E$ does not lie in $\mathbb{F}_{p^2}$
(in the case of supersingular values $j \in \mathbb{F}_{p^2}$ the reduction is carried out modulo a
prime ideal dividing $p$ in the unique quadratic subfield $K_N$ of $\mathbb{Q}(e^{2\pi i/N})$). Again
a straightforward application of the Fermat little theorem gives the congruence

$$j\left(\frac{z+i}{p}\right)^p \equiv j(z) \mod (p), \qquad 0 \le i \le p - 1.$$

Therefore $j_i = j\left(\frac{z+i}{p}\right)$ can be considered as the $j$-invariant of the isomorphism class
of the elliptic curve $E\left(\frac{z+i}{p}\right) = \mathbb{C}/(\mathbb{Z}(z + i)/p + \mathbb{Z})$. This suggests the congruence
$$E_i \equiv \overline{E\left(\frac{z+i}{p}\right)} \mod (p).$$

The map

Tp(z) =! ((pZ)+~i: (Z+i))


p /=0 P
acting on the points of $X_0(N)(\mathbb{C})$ is just the Hecke correspondence, and hence $T_p$
is simply the ordinary Hecke operator on the space of cusp-forms of weight 2 for
$\Gamma_0(N)$. The foregoing discussion makes the relation

quite plausible. To obtain the actual equality claimed in the theorem it is necessary
first to represent the correspondences $f$, $f^*$ and $T_p$ on the vector space of characteristic
zero and then to take traces, using the fact that the fixed points of the Frobenius
morphism acting on $X_0(N)(\mathbb{F}_p)$ correspond to those which have coordinates in
$\mathbb{F}_p$. If $f_1, \ldots, f_g$ is a basis of common normalized eigenforms in $S_2(\Gamma_0(N))$ for all
Hecke operators $T_n$ with $(n, N) = 1$, and if

$$f_i(z) = \sum_{n=1}^{\infty} a_i(n) t^n, \qquad a_i(1) = 1, \quad 1 \le i \le g,$$

we have $T_p f_i = a_i(p) f_i$, and a representation of the Frobenius and Hecke
correspondences on the same vector space over a field of characteristic zero leads, via the
congruence relation, to the following identity for the zeta-function $Z(X_0(N), u)$ of
the curve $X_0(N)$ defined over $\mathbb{F}_p$

From this identity we obtain

$$N_p(X_0(N)) = |X_0(N)(\mathbb{F}_p)| = p + 1 - \sum_{i=1}^{g} a_i(p) = p + 1 - \operatorname{tr} T_p.$$
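
A numerical check of $N_p(X_0(N)) = p + 1 - \operatorname{tr} T_p$ in the genus-one case $N = 11$, as an added example that is not from the book. It assumes two standard facts not stated on this page: $X_0(11)$ has the model $y^2 + y = x^3 - x^2 - 10x - 20$, and $S_2(\Gamma_0(11))$ is spanned by $t\prod_{n \ge 1}(1 - t^n)^2(1 - t^{11n})^2$, so that $\operatorname{tr} T_n = a(n)$ for $(n, 11) = 1$. It also goes one step beyond the displayed formula and checks the count over $\mathbb{F}_{p^2}$ against $p^2 + 1 - (\operatorname{tr} T_{p^2} - p \operatorname{tr} T_1)$; function names are hypothetical.

```python
def cusp_form_coeffs(nmax, level=11):
    """a(0..nmax) of t * prod_{n>=1} (1 - t^n)^2 (1 - t^(level*n))^2."""
    a = [0] * (nmax + 1)
    a[1] = 1                                        # leading factor t
    for step in (1, level):
        for n in range(step, nmax + 1, step):
            for _ in range(2):                      # each factor is squared
                for k in range(nmax, n - 1, -1):    # times (1 - t^n), in place
                    a[k] -= a[k - n]
    return a


def count_points_fp(p):
    """Points of y^2 + y = x^3 - x^2 - 10x - 20 over F_p, plus infinity."""
    total = 1
    for x in range(p):
        rhs = (x * x * x - x * x - 10 * x - 20) % p
        total += sum(1 for y in range(p) if (y * y + y - rhs) % p == 0)
    return total


def count_points_fp2(p):
    """Same count over F_{p^2} = F_p[w]/(w^2 - r), p odd, r a non-residue."""
    squares = {(c * c) % p for c in range(p)}
    r = next(c for c in range(2, p) if c not in squares)

    def mul(u, v):
        return ((u[0] * v[0] + r * u[1] * v[1]) % p,
                (u[0] * v[1] + u[1] * v[0]) % p)

    field = [(c, d) for c in range(p) for d in range(p)]
    lhs = {}
    for y in field:                                 # tabulate y^2 + y
        y2 = mul(y, y)
        val = ((y2[0] + y[0]) % p, (y2[1] + y[1]) % p)
        lhs[val] = lhs.get(val, 0) + 1
    total = 1                                       # point at infinity
    for x in field:
        x2 = mul(x, x)
        x3 = mul(x2, x)
        rhs = ((x3[0] - x2[0] - 10 * x[0] - 20) % p,
               (x3[1] - x2[1] - 10 * x[1]) % p)
        total += lhs.get(rhs, 0)
    return total


def compare_fp(p, a):
    """(N_p, p + 1 - tr T_p) with tr T_p = a(p); p must not be 11."""
    return count_points_fp(p), p + 1 - a[p]


def compare_fp2(p, a):
    """(N_{p^2}, p^2 + 1 - (tr T_{p^2} - p * tr T_1)); p odd, p != 11."""
    return count_points_fp2(p), p * p + 1 - (a[p * p] - p * a[1])


if __name__ == "__main__":
    coeffs = cusp_form_coeffs(50)
    for p in (2, 3, 5, 7, 13):
        print(p, compare_fp(p, coeffs))
    for p in (3, 5, 7):
        print(p * p, compare_fp2(p, coeffs))
```

The two numbers in each printed pair agree, for example 10 points over $\mathbb{F}_7$ and 60 over $\mathbb{F}_{49}$.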

We know that $Z(X_0(N), u)$ can be written in the form

where

Therefore, if

then

Setting now

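$$T'_1 = 2\,\mathrm{id}, \qquad T'_{p^\nu} = T_{p^\nu} - p\,T_{p^{\nu-2}},$$

and observing that

$$\operatorname{tr} T'_{p^\nu} = \operatorname{tr} T_{p^\nu} - p\,(\operatorname{tr} T_{p^{\nu-2}}) = \sum_{j=1}^{g} (\omega_j^\nu + \bar{\omega}_j^\nu)$$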

we obtain

The following is then a restatement of the congruence relation.

Corollary 9.9. With notation as above, and p a prime which does not divide N
we have

9.4. THE EICHLER-SELBERG TRACE FORMULA

Now we give an explicit formula for $\operatorname{tr} T'_{p^\nu}$. This will be based on the following
special case of the Hijikata version [76] (see also Miyake [127, §6.8]) of the
Eichler-Selberg trace formula for the Hecke operators acting on $S_2(\Gamma_0(N))$. Let

Theorem 9.10 (the Eichler-Selberg trace formula). Let n be a positive integer
relatively prime to N. Then

$$\operatorname{tr} T_n = \sigma(n) + \delta(\sqrt{n})\,\mu - \sum_{s} a(s) \sum_{f} b(s,f)\,c(s,f),$$

where $\delta(\sqrt{n}) = 1$ if n is a square and 0 otherwise, $\mu = [\Gamma(1) : \Gamma_0(N)] = N \prod_{l \mid N} (1 + l^{-1})$,
$l$ being a prime, and the meaning of the other symbols is given as follows. Let
s run through all integers such that $d = s^2 - 4n$ is negative or square; hence for
some positive integer t it has one of the following forms, designated respectively
by (a), (b), (c), (c'):

$$d = \begin{cases} 0 & \text{(a)} \\ t^2 & \text{(b)} \\ t^2 m < 0 \text{ and } m \equiv 1 \bmod (4) & \text{(c)} \\ 4t^2 m < 0 \text{ and } m \equiv 2, 3 \bmod (4). & \text{(c')} \end{cases}$$
For each ofthese we have

(a)
(b)
(c,c')

For each fixed s corresponding to its type let f run as follows:

(a)
f = { !ll positive divisors oft (b,c,c')

and let
(a)
b(s,J) ={ !c,o(t If) (b)
h(d)/w(d), (c, c')
where $\varphi$ is the Euler phi-function, $h(d)$ denotes the class number of primitive
ideals of the order $O_d$ of $Q(\sqrt{d})$ with discriminant d, and $w(d)$ is the order of the
group of units $O_d^*$. For fixed s and f and a prime $l \mid N$, let $A_l(s,f)$ (resp. $B_l(s,f)$)
be a complete system of representatives modulo $l^{\nu_l(N)+\nu_l(f)}$ for the set of integers
$x \in Z$ satisfying

$$x^2 - sx + n \equiv 0 \bmod (l^{\nu_l(N)+2\nu_l(f)}), \qquad 2x \equiv s \bmod (l^{\nu_l(f)})$$

(resp. the subset of elements of the system satisfying

$$x^2 - sx + n \equiv 0 \bmod (l^{\nu_l(N)+2\nu_l(f)+1})).$$

Put

$$c_l(s,f) = \begin{cases} |A_l(s,f)| & \text{if } (s^2 - 4n)/f^2 \not\equiv 0 \bmod (l) \\ |A_l(s,f)| + |B_l(s,f)| & \text{if } (s^2 - 4n)/f^2 \equiv 0 \bmod (l) \end{cases}$$

and let

$$c(s,f) = \prod_{l \mid N} c_l(s,f).$$

The Number of Fq-Rational Points on Xo(N)


As indicated in the previous section, the congruence relation provides a count
for the number $N_{p^2}(X_0(N))$ of $F_{p^2}$-rational points on the curve $X_0(N)$ of genus
$g = g_0(N)$:

Now in the Eichler-Selberg trace formula we take N as a prime number different
from p and $n = p^2$. Then we get

trTp2 =p2+ l+go(N) - ~~~~ (1+ (~)),


where the sum is over all pairs $(s, f)$ of integers s with $-2p < s < 2p$ such that
$D = (s^2 - 4p^2)/f^2$ is an integer and also $D \equiv 0$ or $1 \pmod 4$, and (~) is the
Legendre symbol. Substituting this into the above formula we obtain

Np2(Xo(N» =go (N)(p -1) + ~~~~~ (1 + (~) ).


As $N \to \infty$, the sum $\sum_{s,f}$ remains bounded and the dominant term is $g_0(N)(p - 1)$.
Thus we have the following theorem (see [210]):
Theorem 9.11 (the Tsfasman-Vladut-Zink theorem). For $q = p^2$ one has

$$\limsup_{N \to \infty} \frac{N_q(X_0(N))}{g_0(N)} = \sqrt{q} - 1.$$

Note that we know (see Section 6.3) that

$$\limsup_{N \to \infty} \frac{N_q(X_0(N))}{g_0(N)} \le \sqrt{q} - 1.$$
Therefore the above result is exact. The original proof is based on the lower
bound for the number of points on $X_0(N)$, rational over $F_{p^2}$, which correspond to
the supersingular values of the j-invariant. The $F_{p^2}$-rational points that we find also
correspond to supersingular elliptic curves. These curves are defined over $F_{p^2}$ (see
Section 7.3). The approach using the Eichler-Selberg trace formula was proposed
by C. J. Moreno [128, 129].
The works of Ihara [84, 85], Manin and Vladut [120] and Tsfasman and
Vladut [208, 209], which use more powerful techniques from algebraic geometry,
especially the theory of Shimura varieties and Drinfeld modular curves, lead to a
stronger result. Let $q = p^{2\nu}$ be fixed, $N_q(X)$ be the number of $F_q$-rational points
on a curve X defined over $F_q$ and $g(X)$ be its genus.
Theorem 9.12 (the Ihara-Tsfasman-Vladut-Zink theorem). One has

$$\limsup \frac{N_q(X)}{g(X)} = \sqrt{q} - 1,$$

where the limsup is taken over all absolutely irreducible non-singular projective
curves X defined over $F_q$.
A fairly elementary proof of this result based on construction of an explicit
tower of Artin-Schreier coverings was recently proposed by Garcia and Stichtenoth
[53, 54, 56] (see Sections 11.5 and 11.6).

EXERCISES

9.1. Let p be a prime number, and $X \subset \mathbb{P}^2$ the conic defined by $uw - p^3 v^2 = 0$. Show
that X is non-singular over Q, and its reduction X modulo p has a singular point at
$(u_0 : v_0 : w_0) = (0 : 1 : 0)$.
9.2. Let E be the elliptic curve defined over Q by $v^2 = f(u)$, where $f \in Z[u]$ is a cubic
polynomial. Prove that E has bad reduction modulo p = 2 and modulo every prime
p which divides the discriminant $D(f)$ of the polynomial $f(u)$.
9.3. Prove that the elliptic curve $E : v^2 + v = u^3 - u^2$ has bad reduction both modulo
p = 2 and modulo p = 11.
9.4. Show that the curve $E : v^2 = u^3 - 2u^2 - u$ has good reduction both modulo p = 3
and modulo p = 5. Find all torsion points on E. (Hint: Use the following fact:
if $(u, v) \in Q^2$ is a torsion point of an elliptic curve defined over Q by $v^2 = f(u)$,
where $f \in Z[u]$, then $(u, v) \in Z^2$ and v divides the discriminant $D(f)$ of the cubic
polynomial $f(u)$, or v = 0.)
9.5. Show that in characteristic p = 2 there exists only one supersingular curve E, which
can be given by $v^2 + v = u^3$ with $j(E) = 0$.
9.6. Prove that for every prime $p \ge 3$, the number of $F_p$-rational points of the elliptic
curve $E : v^2 = u^3 + u$ satisfies $N_p \equiv 0 \bmod (4)$.
9.7. Prove that for non-zero $a \in Q$ the equation $v^2 = u^3 - a$ determines an elliptic curve
E over any field k whose characteristic p does not divide 6 or the numerator or
denominator of a. Show that:
(a) for $q \equiv 2 \bmod (3)$ the number $N_q$ of $F_q$-rational points of E is $N_q = q + 1$;
(b) if $q \equiv 2 \bmod (3)$, then E has exactly three $F_q$-rational points of order 3;
(c) if $q \equiv 2 \bmod (3)$ and $6 \nmid N$, then there are at most N $F_q$-rational points of
order N on E.
9.8. Let E be an elliptic curve defined over $F_q$, and let $l$ be a prime not equal to $p = \operatorname{char} F_q$.
Suppose that $F_q$ contains all $l$-th roots of 1, i.e., $q = p^\mu \equiv 1 \bmod (l)$, and that there
are $l^2$ $F_q$-rational points of order $l$ on E. Show that:
(a) the splitting field of $u^l - a$, where $a \in F_q$, has degree either 1 or $l$ over $F_q$;
(b) if $y \in E(F_q)$ and if $F_{q^\nu}$ is the extension of $F_q$ generated by the coordinates of
a solution x to the equation $lx = y$ (i.e., $F_{q^\nu}$ is the smallest extension of $F_q$
containing such an x), then there are $l^2$ $F_{q^\nu}$-rational points $x_i$ such that $lx_i = y$;
(c) given a point $x \in E(F_{q^\nu})$ such that $lx = y$, the map $\sigma \mapsto \sigma(x) - x$ gives an
embedding of $\operatorname{Gal}(F_{q^\nu}/F_q)$ into the group of points of order $l$ on E;
(d) $\nu = 1$ or $l$.

9.9. Let $\alpha_N$ = (~ ~l ), let $F(z) = \sum_{n=2t+1>0} \sigma_1(n) t^n$, where $\sigma_1(n) = \sum_{d \mid n} d$, let
$\Theta(z) = \sum_{m \in Z} t^{m^2}$, $t = e^{2\pi i z}$, and let $\Theta^4(z) = \sum_{n=0}^{\infty} a(n) t^n$. Prove that:

(a) $[\alpha_N]_k$ preserves $M_k(\Gamma_0(N))$;
(b) the Hecke operator $T_n$ commutes with $[\alpha_N]_k$ for n prime to N;
(c) $T_2$ does not commute with $[\alpha_4]_k$;
(d) $F(z)$ and $\Theta^4(z)$ form a basis of $M_2(\Gamma_0(4))$;
(e) if n is odd, then the operator $T_n$ on the 2-dimensional space $M_2(\Gamma_0(4))$ is simply
multiplication by $\sigma_1(n)$;
(f) $a(n) = 8\sigma_1(n)$ for $n = 2t + 1$, and $a(n) = 24\sigma_1(n')$ for $n = 2^a n'$, $a \ge 1$, $2 \nmid n'$;
(g) write the matrix $T_2$ in the basis $\{\Theta^4, F\}$ and find a basis of normalized
eigenforms for $T_2$; find the trace $\operatorname{tr} T_2$ of $T_2$.

9.10. Let! E Mk(fo(P» (p a prime) and let tr(f) = r!!=o!o ['Y;], where 'Yo = 1 and

'Y;= (~ ~I ).O<i:<:;P. Show that:

(a) $\gamma_0$ and $\gamma_i$, $0 < i \le p$, are right coset representatives for $\Gamma(1)$ modulo $\Gamma_0(p)$;
(b) $\operatorname{tr}(f) \in M_k(\Gamma(1))$;

(c) if! E Mdf(1», then tr(f) = (p + 1)[ and tr ~o [( ~ ~1)]J =


pl-k/2Tp!.
9.11. Prove that a projective curve X is normal if and only if it is smooth.
Part IV

Geometric Goppa Codes

Geometric Goppa codes were introduced by V. D. Goppa [64] in 1981. This class
of codes is a very natural generalization of Reed-Solomon codes, which have been
well-known in coding theory for a long time, and rational Goppa codes, described
in Chapter 3. At present there is a variety of examples of algebraic curves over
a finite field $F_q$ (with a lot of $F_q$-rational points), which can be used for explicit
constructions of good geometric Goppa codes (see Chapter 11). Furthermore,
there are several ways to construct asymptotically good geometric Goppa codes
on algebraic curves defined over a finite field. One is based on the use of classical
modular curves and makes it possible to produce a family of linear $[n,k,d]_q$-codes
over a finite field $F_q$, $q \ge 49$ being a square of a prime p, for which $R + \delta$ comes
above the Gilbert-Varshamov bound. A second (and much easier) is based on
construction of a special sequence of Artin-Schreier coverings of the projective
line $\mathbb{P}^1(F_q)$ and provides the existence of a similar family of $[n,k,d]_q$-codes in
more general situations, when $q \ge 49$ is an even power of a prime number p. This
result can also be obtained through the use of Drinfeld modular curves. However,
the third approach allows us to construct only extremely long codes, which are
not suitable for practical applications. On the other hand, the first and second
ways are completely constructive and allow one to rather easily produce linear
$[n,k,d]_q$-codes of acceptable length n. For this reason we restrict ourselves to
consider only asymptotically good geometric Goppa codes arising from classical
modular curves and Artin-Schreier coverings. The reader can find an extensive
presentation of the third approach in the book by Tsfasman and Vladut [208].
One can note also that the use of some Shimura modular curves (which generalize
classical modular curves) gives one more way to construct asymptotically good
$[n,k,d]_q$-codes for any $q = p^{2\nu}$.

Chapter 10

Constructions and Properties

This chapter describes Goppa's construction of linear error-correcting codes
coming from algebraic curves over finite fields. There exist several essentially
equivalent ways to construct such codes. The first to be considered is the so-called
L-construction.

10.1. L-CONSTRUCTION

Let X be a smooth projective curve defined over a finite field $F_q$. Goppa introduced
the remarkable idea of associating to a set of distinct $F_q$-rational points $x_1, \ldots, x_n \in X$
a linear code by evaluating a set of rational functions on X at the points $x_1, \ldots, x_n$.
To be precise, let $x_1, \ldots, x_n$ be $F_q$-rational points of X and

Let D be an $F_q$-rational divisor on the curve X with the condition $\deg D \ge 0$. We
assume that D has support disjoint from the divisor $D_0$, i.e., $\operatorname{Supp} D_0 \cap \operatorname{Supp} D = \emptyset$.
The linear q-ary code $C = C(D_0, D)$ of length n associated to the pair $(D_0, D)$
is the image of the $F_q$-linear evaluation map

Note that this definition makes sense: for $f \in L(D)$, we have $v_{x_i}(f) \ge 0$, $1 \le i \le n$,
because $\operatorname{Supp} D_0 \cap \operatorname{Supp} D = \emptyset$. Such a code C is called a geometric Goppa code.
The analogy with the definition of Reed-Solomon codes is obvious. In fact,
choosing a curve X over $F_q$ and the divisors $D_0$ and D in an appropriate manner,
RS-codes are easily seen to be a special case of geometric Goppa codes.
Let us compute the parameters n, k, d of the code $C = C(D_0, D)$.
Theorem 10.1. Let X be a smooth projective curve of genus g and $x_1, \ldots, x_n$ be
$F_q$-rational points of X. Then $C(D_0, D)$ is a linear $[n,k,d]_q$-code with

$$k = l(D) - l(D - D_0) = \deg D - g + 1 + l(K - D) - l(D - D_0)$$

and

$$d \ge n - \deg D.$$

Proof: The kernel of the map Ev is

$$L(D - D_0) = \{ f \in L(D) \mid v_{x_i}(f) > 0 \text{ for } 1 \le i \le n \}$$

and hence

$$C(D_0, D) \cong L(D)/L(D - D_0).$$

Therefore

$$k = \dim C(D_0, D) = \dim L(D) - \dim L(D - D_0) = l(D) - l(D - D_0)$$

and by the Riemann-Roch theorem

$$k = \deg D - g + 1 + l(K - D) - l(D - D_0).$$

Now, if the weight of $\mathrm{Ev}(f)$ is d, then f vanishes at $n - d$ points of $\operatorname{Supp} D_0$,
say $x_{i_1}, \ldots, x_{i_{n-d}}$, so

T-I
is an effective divisor. By taking degrees we find

$$\deg D - n + d \ge 0.$$

This proves the theorem.



Corollary 10.2. Suppose that $\deg D < n$. Then the evaluation map

$$\mathrm{Ev} : L(D) \to F_q^n$$

is an embedding, and we have:
(i) $C(D_0, D)$ is an $[n,k,d]_q$-code with

$$k \ge \deg D - g + 1 \quad \text{and} \quad d \ge n - \deg D;$$

(ii) if, in addition, $2g - 2 < \deg D < n$, then

$$k = \deg D - g + 1;$$

(iii) if $\{f_1, \ldots, f_k\}$ is a basis of $L(D)$, then the matrix

$$\begin{pmatrix} f_1(x_1) & f_1(x_2) & \cdots & f_1(x_n) \\ \vdots & \vdots & & \vdots \\ f_k(x_1) & f_k(x_2) & \cdots & f_k(x_n) \end{pmatrix}$$

is a generator matrix for $C(D_0, D)$.

Proof: By assumption, $\deg(D - D_0) = \deg D - n < 0$, so $L(D - D_0) = 0$. Now,
since $L(D - D_0)$ is the kernel of Ev, the map Ev is injective. The remaining
statements are trivial consequences of Theorem 10.1. •
The parameters $k_c = \deg D - g + 1$ and $d_c = n - \deg D$ are called, respectively,
the designed dimension and designed distance of the code $C = C(D_0, D)$. Theorem
10.1 states that the minimum distance d of a geometric Goppa code C cannot be
less than $d_c$. By Corollary 10.2, if $n > \deg D > 2g - 2$ then $k = k_c$.
Example 10.1. Let $X = \mathbb{P}^1(F_q)$ and $D = m \cdot x_\infty$. Then $L(D)$ is the space of
polynomials $f \in F_q[T]$ of degree at most m. If $\operatorname{Supp} D_0$ consists of all $F_q$-rational
points of $\mathbb{P}^1(F_q) \setminus \{x_\infty\}$, i.e., $\operatorname{Supp} D_0 = F_q$, then we arrive at a $[q, m + 1, q - m]_q$-code
which is a Reed-Solomon code.

10.2. Ω-CONSTRUCTION

There is another geometric Goppa code that we can associate to the pair $(D_0, D)$,
where $\deg D \le n + 2g - 2$. Consider the linear space of rational differential forms

$$\Omega(D_0 - D) = \{ \omega \in \Omega(X)^* \mid (\omega) + D_0 - D \ge 0 \} \cup \{0\},$$

i.e., the space of differential forms having appropriate zero multiplicities in $\operatorname{Supp} D$
and at most simple poles at every point $x_i \in \operatorname{Supp} D_0$. The map

$$\mathrm{Res} : \Omega(D_0 - D) \to F_q^n, \qquad \omega \mapsto (\mathrm{Res}_{x_1}(\omega), \ldots, \mathrm{Res}_{x_n}(\omega))$$

defines a q-ary linear code $C^* = C^*(D_0, D)$ of length n.
Alternatively, since we can identify $\Omega(D_0 - D)$ with $L(K + D_0 - D)$ via
$\omega \mapsto \omega/\omega_0 = f$, where $\omega_0$ is a fixed rational differential form on X, we can identify the
image of the map Res with the image of

$$\mathrm{Res}_0 : L(K + D_0 - D) \to F_q^n, \qquad f \mapsto (\mathrm{Res}_{x_1}(f\omega_0), \ldots, \mathrm{Res}_{x_n}(f\omega_0)).$$

Again let us compute the parameters $n, k^*, d^*$ of the code $C^*$.

Theorem 10.3. Let X be a smooth projective curve of genus g defined over $F_q$,
and $x_1, \ldots, x_n$ be $F_q$-rational points of X. Then $C^* = C^*(D_0, D)$ is a linear
$[n, k^*, d^*]_q$-code with

$$k^* = l(K + D_0 - D) - l(K - D) = n - \deg D + g - 1 + l(D - D_0) - l(K - D)$$

and

$$d^* \ge \deg D - 2g + 2.$$

Proof: Let K be the canonical divisor on X corresponding to a rational differential
form ~, $\deg K = 2g - 2$. We have again

$$k^* = l(K + D_0 - D) - l(K - D)$$

and hence, by the Riemann-Roch theorem,

$$k^* = n - \deg D + g - 1 + l(D - D_0) - l(K - D).$$

Now, if (Res$_{x_1}$(f ~), ..., Res$_{x_n}$(f ~)) has Hamming weight $d^*$, i.e., f ~ is
regular at $n - d^*$ points of $\operatorname{Supp} D_0$, say $x_{i_1}, \ldots, x_{i_{n-d^*}}$, then
$f \in L(K + D_0 - x_{i_1} - \cdots - x_{i_{n-d^*}} - D)$. By taking degrees we arrive at the inequality
$2g - 2 + n - (n - d^*) - \deg D \ge 0$, which completes the proof. •

Corollary 10.4. If $\deg D > 2g - 2$ then the map Res is an embedding, and we
have

$$k^* \ge n - \deg D + g - 1.$$

Moreover, if $2g - 2 < \deg D < n$ then

$$k^* = n - \deg D + g - 1.$$

The following result gives an exact connection between codes $C^*(D_0, D)$ and
$C(D_0, K + D_0 - D)$ (which shows that the Ω-construction leads us to the same
class of codes as the L-construction; in particular, all results that we derive for the
codes $C^*(D_0, D)$ can be carried over to the codes $C(D_0, D)$).
Proposition 10.5. There exists a rational differential form ~ on X having simple
poles with residue 1 at all points $x_i \in \operatorname{Supp} D_0$ such that $C^*(D_0, D) = C(D_0, K + D_0 - D)$
with K the divisor of ~.

Proof: The existence of the form ~ is provided by the Riemann-Roch theorem
(see Proof of Theorem 10.13 below). The theorem follows now from the
commutativity of the diagram:

$$\begin{array}{ccc} \Omega(D_0 - D) & \xrightarrow{\ \alpha\ } & L(K + D_0 - D) \\ {\scriptstyle \mathrm{Res}} \downarrow & & \downarrow {\scriptstyle \mathrm{Res}_0} \\ F_q^n & & F_q^n \end{array}$$

where $\alpha$ is an isomorphism sending $\omega$ to $\omega/\omega_0$, and from the fact that
$\mathrm{Res}_{x_i}(f\omega_0) = f(x_i)$ for $1 \le i \le n$. •
The parameters $k_c^* = n - \deg D + g - 1$ and $d_c^* = \deg D - 2g + 2$ are called
designed parameters of the code $C^* = C^*(D_0, D)$. The designed parameters of
both L- and Ω-constructions satisfy

$$k_c + d_c = n - g + 1.$$

Remark
If $\deg D < n$, the lower bound $k \ge k_c$ is non-trivial only for $\deg D > g - 1$,
and if $\deg D > 2g - 2$ then the lower bound $k^* \ge k_c^*$ is non-trivial only for
$\deg D \le n + g - 1$. In addition, $k \ge n - g$ for $\deg D \ge n$, since
$l(D - D_0) \le \deg(D - D_0) + 1 = \deg D - n + 1$, and $k^* \ge n - g$ for $\deg D \le 2g - 2$, since
$l(K - D) \le \deg(K - D) + 1 = 2g - 1 - \deg D$. Similarly, the lower bound $d \ge d_c$ is
non-trivial only for $\deg D < n$, and the lower bound $d^* \ge d_c^*$ is non-trivial only
for $\deg D > 2g - 2$.

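Removal of the Condition $\operatorname{Supp} D_0 \cap \operatorname{Supp} D = \emptyset$

Both considered constructions have an essential deficiency, namely, we have to
choose points $x_i \notin \operatorname{Supp} D$. For codes $C = C(D_0, D)$, there exists an elementary
construction of lengthening which makes it possible to remove the condition
$\operatorname{Supp} D_0 \cap \operatorname{Supp} D = \emptyset$.
Let X be a curve and let $D = D' + D''$, where $\operatorname{Supp} D_0 \cap \operatorname{Supp} D' = \emptyset$ and
$\operatorname{Supp} D'' \subseteq \operatorname{Supp} D_0$. For any point $y_i \in \operatorname{Supp} D''$ choose a local parameter $t_i$. If
$D'' = \sum_{i=1}^{s} m_i \cdot y_i$ then for any $f \in L(D)$ the function $t_i^{m_i} f$ is regular at $y_i$. Set
$r = n - s$ and consider the evaluation map

$$\mathrm{Ev}' : L(D) \to F_q^n, \qquad f \mapsto (f(x_1), \ldots, f(x_r), t_1^{m_1} f(y_1), \ldots, t_s^{m_s} f(y_s)),$$

where $\{x_1, \ldots, x_r\} = \operatorname{Supp} D_0 \setminus \operatorname{Supp} D''$. Consider the code $C' = C'(D_0, D)$, which
is the image of the map $\mathrm{Ev}'$. The code $C'$ is a lengthening of $C(\tilde{D}_0, D)$, where
$\operatorname{Supp} \tilde{D}_0 = \operatorname{Supp} D_0 \setminus \operatorname{Supp} D''$, by s positions corresponding to the points
$y_i \in \operatorname{Supp} D''$. The parameters $n, k', d'$ of the code $C'$ also satisfy the inequalities of
Theorem 10.1. In particular, if $0 \le \deg D < n$ then

$$k' \ge \deg D - g + 1 \quad \text{and} \quad d' \ge n - \deg D.$$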

P-Construction
Recall (see Exercise 1.7) that the equivalence class of a non-degenerate linear
$[n,k,d]_q$-code C is uniquely determined by a projective $[n,k,d]_q$-system $\mathcal{P}$.

Let $X \subset \mathbb{P}^m$ be a smooth projective curve over $F_q$ and $\mathcal{P} = \{x_1, \ldots, x_n\} \subseteq X(F_q)$
be a subset such that $|\mathcal{P}| > m$ and $\mathcal{P}$ does not lie in a hyperplane. Any choice of
$\mathcal{P}$ yields a projective $[n,k,d]_q$-system with $n = |\mathcal{P}|$, $k = m + 1$ and
$d = n - \max_H \{|H \cap \mathcal{P}|\}$, the maximum being taken over all $F_q$-hyperplanes $H \subset \mathbb{P}^m$.
For a curve $X \subset \mathbb{P}^m$ over $F_q$ its degree $\deg X$ is defined as the number of points
$x \in X$ over $F_q$ (counted with proper multiplicities) in its intersection with a general
hyperplane (which does not contain X). In any case we have $\max_H \{|H \cap \mathcal{P}|\} \le \deg X$,
so we have proved the following result:
Proposition 10.6. Let $X \subset \mathbb{P}^m$ be a curve and $N_q = |X(F_q)|$. For any n such that
$N_q \ge n > \max\{m, \deg X\}$ there exists a non-degenerate linear $[n,k,d]_q$-code C
with $k = m + 1$ and $d \ge n - \deg X$.

10.3. PARAMETERS

It is helpful to remember that parameters of a geometric Goppa code are not
determined exactly but only estimated. Some of these codes can possess better
parameters.
For example, Theorem 10.1 states that the minimum distance of a code
$C = C(D_0, D)$ cannot be less than its designed distance $d_c = n - \deg D$. Suppose that
$l(D) > 0$ and $d_c > 0$. Then $d = d_c$ if and only if there exists a divisor $D'$ with
$0 \le D' \le D_0$, $\deg D' = \deg D$ and $l(D - D') > 0$. Indeed, if $d = d_c$ then there is
an element $0 \ne f \in L(D)$ such that the code-vector $(f(x_1), \ldots, f(x_n))$ has precisely
$n - d = n - d_c = \deg D$ zero coordinates, say $f(x_{i_r}) = 0$ for $r = 1, 2, \ldots, \deg D$.
Put

$$D' = \sum_{r=1}^{\deg D} x_{i_r}.$$

Then $0 \le D' \le D_0$, $\deg D' = \deg D$ and $l(D - D') > 0$. Conversely, if $D'$ has the
above properties, we choose an element $0 \ne f' \in L(D - D')$. The weight of the
corresponding code-vector $(f'(x_1), \ldots, f'(x_n))$ is $n - \deg D = d_c$, hence $d = d_c$.
On the other hand, if $\deg D < n$ the L-construction gives
$k = \deg D - g + 1 + l(K - D)$, where $l(K - D) = 0$ for $\deg D > 2g - 2$, and
$0 \le l(K - D) \le 2g - \deg D - 1$ for $\deg D \le 2g - 2$.
It can therefore happen that $k > k_c$ or $d > d_c$ and there are cases when it is
possible to prove one of these inequalities (or both). As we have already seen, such
an improvement of the lower bound $k \ge k_c$ is possible only for $\deg D \le 2g - 2$,
when $l(K - D) > 0$ (i.e., D is a special divisor). Unfortunately, the information
on $F_q$-rational special divisors we dispose of is rather poor.
One of the few classes of special divisors which we know a bit better are
multiples of Weierstrass points (see Section 4.6). Let X be a smooth projective
curve over $F_q$ of genus $g \ge 2$, supposing that $2g - 1 < n$. Let $x \in X(F_q)$ be a
Weierstrass point on a curve X and $\{a_1, \ldots, a_{g-1}\}$ be the sequence of its non-gaps,
$2 \le a_1 < \cdots < a_{g-1} \le 2g - 1$, i.e., $l(a_i \cdot x) > l((a_i - 1) \cdot x)$ for each
$i = 1, 2, \ldots, g - 1$. Then $l(a_i \cdot x) = i + 1$ and choosing $D = a_i \cdot x$ we get a code
$C = C(D_0, D)$ with $k = l(D) = i + 1$, $d_c = n - a_i$. The obtained value of k is
better than $k_c = \deg D - g + 1$ for every i satisfying $i + 1 > a_i - g + 1$. Since x is
a Weierstrass point this inequality holds at least for one i.
Therefore we have proved the following result:
Proposition 10.7. Let X be a smooth projective curve over $F_q$ of genus $g \ge 2$
and $x_1, \ldots, x_n$ be $F_q$-rational points of X. If $n > 2g - 1$ then there exists an
$[n,k,d]_q$-code $C = C(D_0, D)$ with $k > k_c$ and $d = d_c$.
Weierstrass points and some more subtle techniques using Cartier operators
(see Lang [108, p. 311] and Tsfasman and Vladut [208, p. 166]) sometimes lead
also to better lower bounds for the parameters of geometric Goppa codes obtained
by the Ω-construction. Let $C^* = C^*(D_0, D)$ and $D = \sum_{i=1}^{s} m_i \cdot P_i$, where $P_i$ is a
prime $F_q$-rational divisor. Let $m_i = n_i \cdot q + r_i$, $0 \le r_i \le q - 1$, and $a_{i1} < \cdots < a_{ig}$
be the Weierstrass gap-sequence at the closed point $P_i$. Let

$$w_i = \begin{cases} \sup\{ j \mid a_{ij} \le n_i \} & \text{if } n_i > 0 \\ 0 & \text{if } n_i = 0 \end{cases}$$

and

$$\epsilon_i = \begin{cases} 1 & \text{if } m_i \equiv -1 \bmod (q) \text{ and } (m_i + 1)/q \text{ is not a gap at } P_i \\ 0 & \text{otherwise.} \end{cases}$$

Proposition 10.8. Let $C^*(D_0, D)$ be the linear $[n,k,d]_q$-code associated to the
pair $(D_0, D)$. If $n \le \deg D \le n + 2g - 2$ then

$$k \ge n - \sum_{i=1}^{s} (m_i - n_i + w_i) \deg P_i + g - 1$$

and

$$d \ge \deg D + \sum_{i=1}^{s} \epsilon_i \deg P_i - 2g + 2.$$

Proof: See Tsfasman and Vladut [208, p. 281].



Subfield Restriction
Let $X(F_{q^\nu})$ be the set of all $F_{q^\nu}$-rational points of a curve X of genus g defined
over $F_{q^\nu}$, let $\{x_1, \ldots, x_n\} \subseteq X(F_{q^\nu})$ be a subset of $X(F_{q^\nu})$ of cardinality n, and let
$D_0 = x_1 + \cdots + x_n$. Let D be an effective $F_q$-rational divisor on X. Suppose that
$2g - 2 < \deg D < n$, and consider an $[n, n - \deg D + g - 1, \ge \deg D - 2g + 2]_{q^\nu}$-code
$C^* = C^*(D_0, D)$.

Theorem 10.9. If $D = qD'$ and $D' = \sum a_i \cdot y_i$, $0 \le a_i \le q - 1$, then the field
restriction gives a code $C' = C^* \cap F_q^n$ with parameters
$[n, \ge n - \nu \deg D\,(q - 1)/q - 1, \ge \deg D - 2g + 2]_q$.

Proof: Later on we shall see that $C^*$ is dual to $C(D_0, D)$: $C^* = C^\perp$. Let
$m = \deg D / q = \deg D'$, and suppose that $m > g$. By the Riemann-Roch theorem
we have $l(D') \ge m - g + 1$. Let $1, f_1, \ldots, f_{m-g}$ be linearly independent elements
in $L(D')$. We claim that the elements $1, f_1, \ldots, f_{m-g}, f_1^q, \ldots, f_{m-g}^q$ are also linearly
independent over $F_{q^\nu}$. Indeed, suppose that

In view of the condition $a_i \le q - 1$, the left-hand side has a pole of the order at most
$q - 1$. The order of any pole of the right-hand side is divisible by q. Hence if we
assume that the function $\sum \beta_i f_i^q$ has at least one pole, we arrive at a contradiction. If
it has no pole then $\sum \beta_i f_i^q = \beta_0$ and hence $(\sum \gamma_i f_i)^q = \gamma_0^q$ with $\gamma_i^q = \beta_i$. Therefore
$\sum \gamma_i f_i = \gamma_0$, contradicting the linear independence of $1, f_1, \ldots, f_{m-g}$.
Extend the set $F = \{1, f_1, \ldots, f_{m-g}, f_1^q, \ldots, f_{m-g}^q\}$ to a basis of the space $L(D)$.
Since $C' = C^\perp \cap F_q^n$, an element $v = (v_1, \ldots, v_n) \in F_q^n$ lies in $C'$ if and only if

$$v \cdot f = \sum_{i=1}^{n} v_i f(x_i) = 0$$

for any f in this basis. If $f \ne 1$, in general we have $v \cdot f \in F_{q^\nu}$, and hence each
equation $v \cdot f = 0$ generates $\nu$ linear equations over $F_q$ (if $f = 1$ we obtain just
one linear equation). Observe also that the equation $v \cdot f_i = 0$ is equivalent to the
equation $v \cdot f_i^q = 0$. Thus we see that the number of the linear equations over $F_q$
is at least by

$$\nu(m - g) + \nu - 1$$

less than the a priori bound $\nu\, l(D) = \nu(\deg D - g + 1)$. This yields

$$\dim C' \ge n - \nu(q - 1)m - 1.$$

In the case $m \le g$ we set $F = \{1\}$ and proceed as before. The a priori bound
$\nu(\deg D - g + 1)$ is sharpened by $(\nu - 1)$, and we arrive at the inequality

$$\dim C' \ge n - \nu(\deg D - g) - 1,$$

which is slightly better than the inequality of the theorem.

Corollary 10.10. Let $gq \le \deg D < n$. If $D = qD'$ and $D' = \sum a_i \cdot y_i$, $0 \le a_i \le q - 1$,
then $C' = C'(D_0, D)$ has the parameters
$[n, \ge n - \deg D\,(q - 1)/q - 1, \ge \deg D - 2g + 2]_q$.

Automorphisms
Let $G \subseteq \operatorname{Aut}_{F_q}(X)$ be a subgroup of the group of all $F_q$-automorphisms of X.
Suppose that $\operatorname{Supp} D_0$ and the divisor D are G-invariant. Then G operates on
$C = C(D_0, D)$. Indeed, in this case for any $g \in G$ and any $f \in L(D)$ the function $g^*(f)$,
where $g^*(f)(x) = f(g(x))$, lies in $L(D)$. Therefore a code-vector $(f(x_1), \ldots, f(x_n))$
is mapped to $(g^*(f)(x_1), \ldots, g^*(f)(x_n)) = (f(g(x_1)), \ldots, f(g(x_n)))$, which is also
a code-vector. Thus G is naturally mapped to $\operatorname{Aut}(C) \cap S_n$ and, according to the
properties of group codes, we have

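where $H_i$ is the stabilizer of $y_i \in \operatorname{Supp} D_0$.

Proposition 10.11. Let $G \subseteq \operatorname{Aut}_{F_q}(X)$, let $\operatorname{Supp} D_0$ be a G-invariant subset of
$X(F_q)$ and let D be a G-invariant $F_q$-rational divisor on X. Suppose that
$\operatorname{Supp} D_0 \cap \operatorname{Supp} D = \emptyset$. Then $C = C(D_0, D)$ is a group code: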

where $H_i$ is the stabilizer of $y_i \in \operatorname{Supp} D_0$, $\{y_1, \ldots, y_m\}$ being the set of orbit
representatives of the action of G on $\operatorname{Supp} D_0$.

10.4. DUALITY AND SPECTRA

First of all we establish the (L - Ω)-duality of geometric Goppa codes.

Theorem 10.12. The codes $C = C(D_0, D)$ and $C^* = C^*(D_0, D)$ are dual to each
other.

Proof: Consider first the case $2g - 2 < \deg D < n$ when both maps Ev and Res
are embeddings. For $f \in L(D)$ and $\omega \in \Omega(D_0 - D)$ the residue formula yields

$$(\mathrm{Ev}(f), \mathrm{Res}(\omega)) = \sum_{i=1}^{n} \mathrm{Res}_{x_i}(f\omega) = \sum_{x \in X} \mathrm{Res}_x(f\omega) = 0.$$

Thus any code-vector of C is orthogonal to any code-vector of $C^*$, i.e., $C^* \subseteq C^\perp$.
On the other hand,

$$\dim C^\perp = n - \dim C \le n - (\deg D - g + 1) \le \dim C^*,$$

hence $C^* = C^\perp$ and $\dim C^\perp = \dim C^*$.
For arbitrary $\deg D$ we have $\operatorname{Ker}(\mathrm{Ev}) = L(D - D_0)$, $\operatorname{Ker}(\mathrm{Res}) = \Omega(-D)$,
and the Riemann-Roch theorem tells us that the dimensions of C and $C^*$ are
complementary. •
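Example 10.1 and Theorem 10.12 can be checked numerically on the projective line; the following Python sketch is an added illustration, not code from the book. It assumes q = 7 (a prime, so $F_q$ is the integers mod 7), $\operatorname{Supp} D_0 = F_q$, $D = m \cdot x_\infty$ with basis $1, T, \ldots, T^m$ of $L(D)$, and uses the differential $-dT/(T^q - T)$, which has residue 1 at every point of $F_q$ and divisor $(q-2) \cdot x_\infty - D_0$, so that $K + D_0 - D = (q - 2 - m) \cdot x_\infty$ in Proposition 10.5.

```python
from itertools import product

Q = 7  # assumed example field: q prime, so F_q is the integers mod q


def generator_matrix(points, m, q=Q):
    """Corollary 10.2(iii): rows f_j(x_1..x_n) for the basis f_j = T^j of L(m*x_inf)."""
    return [[pow(x, j, q) for x in points] for j in range(m + 1)]


def rank_mod_q(rows, q=Q):
    """Rank of a matrix over F_q (Gauss-Jordan elimination)."""
    rows = [[v % q for v in r] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], q - 2, q)  # inverse by Fermat's little theorem
        rows[rank] = [(v * inv) % q for v in rows[rank]]
        for r in range(len(rows)):
            if r != rank and rows[r][col]:
                factor = rows[r][col]
                rows[r] = [(a - factor * b) % q for a, b in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def minimum_distance(G, q=Q):
    """Smallest Hamming weight of a non-zero codeword, by exhaustive search."""
    k, n = len(G), len(G[0])
    best = None
    for coeffs in product(range(q), repeat=k):
        word = [sum(c * G[i][j] for i, c in enumerate(coeffs)) % q for j in range(n)]
        weight = sum(1 for v in word if v)
        if weight and (best is None or weight < best):
            best = weight
    return best


def parameters(points, m, q=Q):
    """Actual [n, k, d] of C(D0, m*x_inf) with Supp D0 = points."""
    G = generator_matrix(points, m, q)
    return len(points), rank_mod_q(G, q), minimum_distance(G, q)


def designed_parameters(n, deg_d, genus=0):
    """(k_c, d_c) = (deg D - g + 1, n - deg D) from Theorem 10.1."""
    return deg_d - genus + 1, n - deg_d


def are_dual(G, H, q=Q):
    """True if every row of G is orthogonal to every row of H and dims add to n."""
    orthogonal = all(sum(a * b for a, b in zip(g, h)) % q == 0 for g in G for h in H)
    return orthogonal and rank_mod_q(G, q) + rank_mod_q(H, q) == len(G[0])


if __name__ == "__main__":
    affine = list(range(Q))            # Supp D0 = F_q, as in Example 10.1
    m = 3                              # D = 3 * x_inf
    print(parameters(affine, m), designed_parameters(Q, m))
    dual_m = Q - 2 - m                 # K + D0 - D = (q - 2 - m) * x_inf
    print(are_dual(generator_matrix(affine, m), generator_matrix(affine, dual_m)))
    print(parameters(affine, dual_m))  # d* >= deg D - 2g + 2 = m + 2
```

With g = 0 the designed parameters are attained, so both the code and its dual meet $k + d = n + 1$; the orthogonality check reduces to $\sum_{x \in F_q} x^e = 0$ for $0 \le e \le q - 2$.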

Self-Dual Geometric Goppa Codes


Let $a = (a_1, \ldots, a_n) \in F_q^n$, and $a_i \ne 0$ for each $i = 1, 2, \ldots, n$. Recall that a code
$C \subseteq F_q^n$ is called quasi-self-dual with respect to $a \in (F_q^*)^n$, if $n = 2m$ and for any
$u = (u_1, \ldots, u_n) \in C$, $v = (v_1, \ldots, v_n) \in C$

$$\sum_{i=1}^{n} a_i u_i v_i = 0.$$

A code C is quasi-self-dual if there exists such a and is self-dual if $a = (1, \ldots, 1)$.
Theorem 10.13. Let $n > 2g - 2$ be even, and $\deg D = n/2 + g - 1$. If $K + D_0 \sim 2D$
then an $[n, n/2, \ge n/2 - g + 1]_q$-code $C = C(D_0, D)$ is quasi-self-dual. Moreover,
there exists a unique (up to a multiplicative constant) differential form
$\omega_0 \in \Omega(D_0 - 2D)$ such that the code C is quasi-self-dual with respect to $a = (a_1, \ldots, a_n)$, where
$a_i = \mathrm{Res}_{x_i}(\omega_0) \ne 0$. In particular, if $\mathrm{Res}_{x_1}(\omega_0) = \cdots = \mathrm{Res}_{x_n}(\omega_0)$ then C is
self-dual.

Proof: We have $n > \deg D > 2g - 2$, $2D \sim K + D_0$ and hence
$k = \deg D - g + 1 = n/2$, $d \ge n - \deg D = n/2 - g + 1$,
$\dim \Omega(D_0 - 2D) = \dim \Omega(-K) = \dim L(0) = 1$. Let $\omega_0 \in \Omega(D_0 - 2D)$ be a non-zero differential form. If we suppose
that $\mathrm{Res}_{x_i}(\omega_0) = 0$ for some $i = 1, 2, \ldots, n$ then $\omega_0 \in \Omega(D_0 - 2D - x_i)$ which is
impossible because in that case $2 \le \deg(D_0 - 2D - x_i) < 2 - 2g$. Therefore
$a_i = \mathrm{Res}_{x_i}(\omega_0) \ne 0$ for all $i = 1, 2, \ldots, n$, and whenever $\omega = fg\omega_0 \in \Omega(D_0)$ for
any $f, g \in L(D)$, then

$$\sum_{i=1}^{n} a_i f(x_i) g(x_i) = \sum_{i=1}^{n} \mathrm{Res}_{x_i}(\omega) = 0.$$

This completes the proof.

In some cases the condition of the theorem is not only sufficient but also
necessary.
Theorem 10.14. Let n be even, $g \ge 1$, $D = \sum a_j \cdot y_j$ be an effective divisor of
degree $\deg D = n/2 + g - 1 > 4g - 1$ such that $a_j \le \deg D - 2g + 1$ for each j,
and $\operatorname{Supp} D_0 \subseteq X(F_q) \setminus \operatorname{Supp} D$. The code $C = C(D_0, D)$ is self-dual if and only if
there exists a non-zero differential form $\omega_0 \in \Omega(D_0 - 2D)$ with $\mathrm{Res}_{x_i}(\omega_0) = 1$ for
any $i = 1, 2, \ldots, n$.

Proof: Let $C = C^\perp = C^*(D_0, D)$. Since $1 \in L(D)$, there exists a differential
form $\omega_0 \in \Omega(D_0 - D)$ with $\mathrm{Res}_{x_i}(\omega_0) = 1$. Let us show that $\omega_0 \in \Omega(D_0 - 2D)$.
It is enough to prove that $(\omega_0) \ge 2a_j \cdot y_j$ for each j. Let y be one of the points $y_j$
and let $D = a \cdot y + D'$, where $\deg D' \ge 2g - 2$ and $y \notin \operatorname{Supp} D'$. We can suppose
without loss of generality that y is an $F_q$-rational point (otherwise we can consider
an extension of the ground field). By the supposition of the theorem there exists a
divisor $\tilde{D} = a \cdot y + \tilde{D}'$, $0 \le \tilde{D} \le D$ such that $\deg(D - \tilde{D}) = 2g - 1$ and $\deg \tilde{D} \ge 2g$.
The Riemann-Roch theorem yields $L(\tilde{D}) \ne L(\tilde{D} - y)$. Let $f \in L(\tilde{D}) \setminus L(\tilde{D} - y)$. It
follows from self-duality that there exists a differential form $\omega \in \Omega(D_0 - D)$ with
$\mathrm{Res}_{x_i}(\omega) = f(x_i)$. We have $f\omega_0 \in \Omega(D_0 - (D - \tilde{D}))$ and $\mathrm{Res}_{x_i}(f\omega_0) = \mathrm{Res}_{x_i}(\omega)$,
i.e., $\omega - f\omega_0 \in \Omega(\tilde{D} - D)$. On the other hand $\deg(D - \tilde{D}) = 2g - 1$, and since
a non-zero regular differential form cannot have $(2g - 1)$ zeros then $\omega = f\omega_0$.
Hence the order of zero of $\omega_0$ at y satisfies

$$v_y(\omega_0) = v_y(\omega) - v_y(f) = v_y(\omega) + a \ge 2a.$$

This is valid for each $y \in \operatorname{Supp} D$; therefore $(\omega_0) \ge 2D$, that is $\omega_0 \in \Omega(D_0 - 2D)$. •
Self-dual geometric Goppa codes have been studied by Driencourt and
Stichtenoth [29], Scharlau [158] and Stichtenoth [193].

Spectra
Determination of the weight distribution of a geometric Goppa code leads to very
subtle questions on the geometry of the corresponding projective curve X. We are
restricted to description of some general facts.

Theorem 10.15. The minimum distance $d^*$ of $C^*(D_0, D)$ is the smallest number
of distinct points $x_{i_1}, \ldots, x_{i_{d^*}} \in \operatorname{Supp} D_0$ such that

$$D - K \sim \sum_{r=1}^{d^*} x_{i_r} - D'',$$

where $D''$ is an effective divisor on X with the support $\operatorname{Supp} D''$ disjoint from
$\{x_{i_1}, \ldots, x_{i_{d^*}}\}$.

Proof: Let $f \in L(K + D_0 - D)$ and suppose that there are exactly s points, say
$x_1, \ldots, x_s$, where $f\omega_0$ has a pole. Then we have

$$(f\omega_0) = -\sum_{j=1}^{s} x_j + D + D''$$

with $D'' \ge 0$, i.e.,

$$D - K \sim x_1 + \cdots + x_s - D''.$$

This proves the theorem.
Another way of phrasing this is as follows. Let $D' \le D_0$ be a positive divisor
contained in $D_0$. We have $L(K + D' - D) \subseteq L(K + D_0 - D)$. If $L(K + D' - D) \ne \{0\}$
then $C^*(D_0, D)$ possesses a code-vector of weight at most $\deg D'$. To find
the minimum distance we have to look for the divisor of smallest positive degree
such that $L(K + D' - D) \ne \{0\}$. Also the weight distribution can be read off
these spaces. For example, the number of code-vectors with minimum distance
d is $(q - 1)$ times the number of positive divisors $D' \le D_0$ of degree d which are
linearly equivalent to a divisor of the form $D - K + D''$ with $D'' \ge 0$.
Dually, the code $C(D_0, D)$ has minimum distance $n - d'$, where $d'$ is the
maximum degree of a divisor $D'$ with $0 \le D' \le D_0$ and $L(D - D') \ne \{0\}$.

EXERCISES

10.1. Let $X = \mathbb{P}^1(F_q)$, and $x_1, \ldots, x_n$ be distinct $F_q$-rational points on X. Let

$$D_0 = \sum_{i=1}^{n} x_i$$

and D be an $F_q$-rational divisor on X with the condition $\operatorname{Supp} D_0 \cap \operatorname{Supp} D = \emptyset$. Prove
that the geometric Goppa $[n,k,d]_q$-code $C = C(D_0, D)$ associated to the pair $(D_0, D)$
has the following properties:
(a) $n \le q + 1$;
(b) $k = n$ if and only if $\deg D > n - 2$;
(c) for $0 \le \deg D \le n - 2$,
$k = 1 + \deg D$ and $d = n - \deg D$;
(d) every generalized Reed-Solomon code can be represented as a geometric
Goppa code $C(D_0, D)$;
(e) if $x_1, \ldots, x_n \in F_{q^m}$, then the rational Goppa code defined in Section 3.2 can be
represented as the restriction of the code $C^\perp = C^\perp(D_0, D' - x_\infty)$ over $F_{q^m}$ to
$F_q$, where $D'$ is the zero divisor of the Goppa polynomial $g(z)$.
10.2. Let $D_0 = x_1 + \cdots + x_n$ be an $F_q$-rational divisor and suppose that D, $D'$ are linearly
equivalent divisors with supports disjoint from $\operatorname{Supp} D_0$. Show that geometric Goppa
codes $C(D_0, D)$ and $C(D_0, D')$ (resp. $C^*(D_0, D)$ and $C^*(D_0, D')$) are equivalent.
(Hint: For $(g) = D - D'$ consider the isomorphism
$L(D) \to L(D')$, $f \mapsto fg$,
and check that if $a = (g(x_1), \ldots, g(x_n))$ then $C(D_0, D') = a \times C(D_0, D)$.)
10.3. Show that if $2D \sim K + D_0$ then the code $C(D_0, D)$ is equivalent to $C^*(D_0, D)$.
10.4. Let $D > 0$, $\deg D < n$ and $n = 2m$. Suppose that there exists a differential form
$\omega_0 \in \Omega(D_0 - 2D)$ with $\mathrm{Res}_{x_i}(\omega_0) = 1$ for all $x_i \in \operatorname{Supp} D_0$, $1 \le i \le n$. Show that
in this case the code $C^*(D_0, D)$ is self-dual. (Hint: Check that if $f \in L(D)$ then
$f\omega_0 \in \Omega(D_0 - D)$. Using this show that $C(D_0, D) \subseteq C^*(D_0, D) = C(D_0, D)^\perp$, then
apply dimension reasons.)
10.5. The Fermat elliptic curve $u^3 + v^3 + w^3 = 0$ is birationally isomorphic to the curve
X defined over $F_2$ by the equation $v^2 w + v w^2 = u^3 + w^3$. Verify that the rational
points of X over $F_4 = \{0, 1, \alpha, \bar{\alpha}\}$ are the point at infinity $x_\infty = (0, 1, 0)$ and eight
points
$x_1 = (0, \alpha, 1)$, $x_2 = (1, 1, 1)$, $x_3 = (\alpha, 1, 1)$, $x_4 = (\bar{\alpha}, 1, 1)$,
$x_5 = (0, \bar{\alpha}, 1)$, $x_6 = (1, 0, 1)$, $x_7 = (\alpha, 0, 1)$, $x_8 = (\bar{\alpha}, 0, 1)$,
where $\alpha, \bar{\alpha}$ are roots of the polynomial $F(t) = t^2 + t + 1$. Let $D_0 = x_1 + \cdots + x_8 + x_\infty$
and let $D = x + \sigma(x) + \sigma^2(x)$ be a prime $F_2$-rational divisor, where x is an $F_8$-rational
point of X such that $x \notin \operatorname{Supp} D_0$. Using the map
$\mathrm{Res} : \Omega(D_0 - D) \to F_4^9$
construct a $[9, 6, \ge 3]_4$-code $C^*(D_0, D)$.
10.6. Let X be the non-singular projective curve of genus 1 given over F4 = {O, 1, a, a}
by the equation
u 2 v + av 2 w + aw2 u = 0.
This curve has nine F 4-rational points:
xl=(I,O,O}, x2=(0,1,0), x3=(0,0,1), x4=(I,a,a),
xs=(I,a,a), x6=(I,I,I), x7=(a,I,I), xg=(1,a,I), x9=(I,I,a).
Let Do =Xl + .. ,+x6 andD = 2x7 +xg. Using the map
Ev:L(D)~F2
construct an [6, 3,4]4-code C(Do,D).
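10.7. Let $C \subseteq (F_{q^\nu})^n$ be a linear code over $F_{q^\nu}$ and

$$\operatorname{tr}_\nu : F_{q^\nu} \to F_q$$

be the trace map. For $x = (x_1, \ldots, x_n) \in (F_{q^\nu})^n$, define

$$\operatorname{tr}_\nu(x) = (\operatorname{tr}_\nu(x_1), \ldots, \operatorname{tr}_\nu(x_n)) \in F_q^n.$$

The code

$$\operatorname{tr}_\nu(C) = \{ \operatorname{tr}_\nu(x) \mid x \in C \} \subseteq F_q^n$$

is called a trace code of C. Let $C' = C \cap F_q^n$ be the subfield subcode (the restriction
of C to $F_q$). Prove that:
(a) the map

is $F_q$-linear;
(b) $(C')^\perp = \operatorname{tr}_\nu(C^\perp)$;
(c) if C, $C'$ and $C'' = \operatorname{tr}_\nu(C)$ have parameters $[n,k,d]_{q^\nu}$, $[n',k',d']_q$ and
$[n'',k'',d'']_q$, respectively, then
$k \le k'' \le \nu \cdot k$
and
$k - (\nu - 1)(n - k) \le k' \le k$.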
Chapter 11

Examples

In this chapter we describe several examples of geometric Goppa $[n,k,d]_q$-codes
coming from various algebraic curves defined over a finite field $F_q$.

11.1. CODES OF SMALL GENERA

First we consider the simplest case, that of linear codes coming from curves of
genus zero.

Codes of Genus Zero


Any smooth curve of genus zero over $F_q$ is $F_q$-isomorphic to the projective line $\mathbb{P}^1$.
Let $X = \mathbb{P}^1$. We choose for $D_0$ the $q - 1$ points of $\mathbb{P}^1$ minus the origin $x_0$ and the
point at infinity $x_\infty$ and for $D$ we choose a multiple $m \cdot x_\infty$ of the point at infinity. If
we choose as a basis for $L(D)$ the functions $1, t, \ldots, t^m$ then the geometric Goppa
code $C = C(D_0,D)$ is given by a matrix $(\eta^{ij})$ with $\eta$ a primitive element of $F_q$.
The code $C$ that we find is a Reed-Solomon code. This code is an MDS-code. In
fact all geometric Goppa codes obtained from curves of genus zero are optimal or
MDS-codes. Now if we take for $D$ a divisor of the form $D = \mu \cdot x_0 + \nu \cdot x_\infty$ we find
examples of BCH-codes (Michon [125]).
If $\deg D < n$ we have for the code $C = C(D_0,D)$
$$k + d \ge n + (1 - g)$$
or
$$R + \delta \ge 1 + \frac{1-g}{n}.$$
In particular, for the codes coming from curves of genus zero, one has
$$k + d = n + 1,$$
i.e., the Singleton bound is attained. So we have the following result:


Proposition 11.1. If $g = 0$ then $C = C(D_0,D)$ is optimal.
More generally, if we suppose that $\deg D \ge 2g - 2$ we find for the geometric
Goppa code $C^* = C^*(D_0,D)$ that
$$\deg D - 2g + 2 \le d^* \le \deg D - g + 2,$$
where the right hand side is the Singleton bound.

Codes of Genera 1, 2, and 3


Consider an elliptic curve $E$ defined over $F_{16}$ with the maximum possible number
of $F_{2^4}$-rational points. We have already pointed out that on $E$ there are 25 points.
Let us consider geometric Goppa codes starting with this curve $E$, and having
a divisor $D$ of degree 8 and a divisor $D_0$ of degree 21 consisting of some 21
points of these 25. Then we obtain a geometric Goppa code $C = C(D_0,D)$ with
parameters $[21, \ge 8, \ge 13]_{16}$. Concatenation of the outer code $C$ with the inner
parity-check $[5,4,2]_2$-code gives a $[105,32,26]_2$-code, which is rather good (the
best $[104,k,26]_2$-code known before geometric Goppa codes was non-linear and
had $k = 31.585$).
Let $N_q(g)$ be the maximum possible number of $F_q$-rational points on curves
of genus $g$ defined over $F_q$. Consider codes on curves of genus $g = 2$. They exist
for all $n$, $k$ such that
$$3 \le n \le N_q(2) \quad\text{and}\quad 1 \le k \le n - 2,$$
and we have
$$k + d \ge n - 1.$$
Codes on curves of genus $g = 3$ satisfy
$$k + d \ge n - 2$$
for all $n$, $k$ such that
$$4 \le n \le N_q(3) \quad\text{and}\quad 1 \le k \le n - 3.$$
The information concerning all possible values for $N_q(2)$ is given by Theorem
6.22 (see also the corresponding table of values of $N_q(3)$ for small $q$ placed in the
same section).
Codes on the Klein Quartic


Let $X$ be the Klein quartic (of genus $g = 3$): $u^3v + v^3w + w^3u = 0$. We take for $D_0$
the divisor consisting of all 24 points of $X$ over $F_8$. Over $F_4$ there are two points
of degree one. They define a closed point (a prime divisor) of degree 2 over $F_2$,
denote it by $P$. They are intersection points with the bitangent line $u + v + w = 0$
(a bitangent is a line which is a tangent for two distinct points of $X$). Let $D = m \cdot P$
with $3 \le m \le 11$. We have for the code $C^* = C^*(D_0,D)$:
$$n = 24, \quad k^* = 26 - 2m, \quad 2m - 4 \le d^* \le 2m - 1.$$
Now we apply arguments presented in the previous chapter. If we take $m = 3$,
then we obtain $d^* \ge 2$. We have $d^* = 2$ if and only if $L(D' - P) \ne \{0\}$ with
$0 \le D' \le D_0$ a divisor of degree 2 (note that $K \sim 2 \cdot P$). Suppose $L(D' - P) \ne \{0\}$.
Then the two points over $F_8$ are flex points, so the tangent there is not a bitangent
(a flex point is a point where the tangent has at least a 3-fold intersection with $X$).
So this is not possible and $d^* \ge 3$. Again, $d^* = 3$ if and only if there exists a
divisor $0 \le D' \le D_0$ of degree 3 with $L(D' - P) \ne \{0\}$, i.e., there exists a point
$x \in X$ of degree one over $F_8$ such that $x + P \sim D'$. But then they belong to a linear
system $\mathbb{P}(L(D''))$, with $l(D'') = 2$, $\deg D'' = 3$, and we can find a point $y$ over $F_8$
such that
$$x + P + y \sim D' + y \sim K.$$
In fact, by the Riemann-Roch theorem one has $l(D') - l(K - D') = 1$, and we know
$l(D') \ge 2$, therefore $l(K - D') \ge 1$. This means that $x + y \sim P$, i.e., $2 \cdot x + 2 \cdot y \sim
2 \cdot P \sim K$, i.e., $x$, $y$ are two intersection points of a bitangent. But we do not have
bitangents which are tangent in $F_8$-rational points. Therefore $d^* \ge 4$. By the
Hamming bound $d^*$ cannot be 5. We have proved the following result:

Proposition 11.2. Let $X$ be the Klein quartic: $u^3v + v^3w + w^3u = 0$ in $\mathbb{P}^2$ defined
over $F_2$. If $P$ is an $F_2$-rational prime divisor of degree 2 corresponding to the
bitangent $u + v + w = 0$ and $D_0$ is the divisor consisting of all 24 flex $F_8$-rational
points of $X$ then the code $C^* = C^*(D_0,D)$ over $F_8$, with $D = 3 \cdot P$, has parameters
$[24,20,4]_8$.

The fact that $d^* \ne 5$ implies that there exists a divisor $0 \le D' \le D_0$ of degree
4 such that $L(D' - P) \ne \{0\}$, i.e., there exists an effective divisor $P'$ of degree 2
over $F_8$ such that $D' \sim P + P'$. One can take $P' = P$.
We can try to get good codes from this curve with $D = m \cdot P$ and $m \ge 5$.
However, here one cannot improve above the minimum value for $d^*$: $d^* \ge 2m - 4$.
In fact, let us show this for $m = 5$ and for $m = 11$. If $m = 5$ then $6 \le d^* \le 9$. We have
$d^* = 6$ if and only if there exists a divisor $0 \le D' \le D_0$ with $L(K + D' - 5 \cdot P) \ne \{0\}$,
i.e., $D' \sim 3 \cdot P$. This happens if and only if $D' + P \sim 2K$, i.e., there exists a conic
which passes through $P$ and the six points of $D'$. For suitable $D'$ such a conic
exists: $uv + uw + vw = 0$. So $d^* = 6$ for $m = 5$. For $m = 11$ we have $d^* = 18$ if
and only if there exists a divisor $0 \le D' \le D_0$ of degree 18 with $D - K \sim 9 \cdot P \sim D'$.
Now $D_0 \sim 6 \cdot K \sim 12 \cdot P$, therefore $9 \cdot P \sim D'$ if and only if $3 \cdot P \sim D_0 - D'$. As
we saw above we can find such a divisor $D'$.
By suitable concatenation one gets reasonably good codes over $F_2$. Indeed,
applying a $[4,3,2]_2$-code, i.e., viewing each element of $F_8$ as a vector of length
3 over $F_2$ and replacing it by its image in $F_2^4$ under the encoding map for the
$[4,3,2]_2$-code, we obtain a $[96,60,8]_2$-code over $F_2$ from the $[24,20,4]_8$-code over
$F_8$.

Hyperelliptic Codes
Let $X$ be the hyperelliptic curve of genus $g = 2$ defined over $F_2$ by the equation
$$v^2 + v = u^5 + 1.$$
It is a 2-fold covering of $\mathbb{P}^1$ ramified over the point at infinity and the genus of
$X$ can be computed by the Hurwitz formula (see Section 4.5). We denote by $\tau$ the
hyperelliptic involution. Let $x_\infty$ be the point of $X$ lying over the point at infinity.
The number $N_{2^\nu}$ of $F_{2^\nu}$-rational points of $X$ is given by

if $\nu \ne 4l$
if $\nu = 4l$

So over $F_{2^4}$ we find 33 points: $x_\infty$ plus two over each of the 16 points of the affine
line $\mathbb{A}^1$, namely points $x$ and $\tau(x)$. Now let $D_0$ be the sum of all 32 $F_{2^4}$-rational
points different from $x_\infty$ and $D = m \cdot x_\infty$ with $m \ge 3$. For the code $C^* = C^*(D_0,D)$
we find $n = 32$, $k = 33 - m$ and $m - 2 \le d^* \le m$.
Suppose $d^* = m - 2$. In that case there exists a divisor $0 \le D' \le D_0$ of degree
$m - 2$ such that $D' \sim (m - 2) \cdot x_\infty$. This is possible for $m$ even by taking $(m - 2)/2$
pairs of conjugate points $x$ and $\tau(x)$. We now assume that $m$ is odd. Then
$D' \sim (m - 2) \cdot x_\infty$ is impossible if $m = 3$, since $X$ is not rational. If $m = 5$, suppose there
exists a divisor $0 \le D' \le D_0$ with $D' \sim 3 \cdot x_\infty$. Then $2 \cdot D' \sim 2 \cdot K$. The hyperelliptic
involution $\tau$ acts as the identity on $|2 \cdot K|$ since $L(2 \cdot K)$ is generated by products
of elements of $L(K)$, hence $2 \cdot D'$ is a 2-canonical divisor invariant under the
involution. But then also $D'$ is invariant. This contradicts the fact that $\deg D' = 3$.
Next, let $m \ge 7$. Then we can find a divisor $D'$ with $D' \sim (m - 2) \cdot x_\infty$. Indeed, the
points lying over the 5th roots of 1 on the affine line $\mathbb{A}^1$ with $v = 0$ form a divisor
linearly equivalent with $5 \cdot x_\infty$. By adding suitable pairs of conjugate points $x$ and
$\tau(x)$ one gets a $D'$ of required form. We have proved the following result:
Proposition 11.3. Let $X$ be the hyperelliptic curve defined over $F_2$ by $v^2 + v =
u^5 + 1$ and let $D = m \cdot x_\infty$ with $3 \le m \le 31$. Let $D_0$ be the sum of all $F_{2^4}$-rational
points of $X$ minus $x_\infty$. Then the code $C^* = C^*(D_0,D)$ is a linear $[32, 33 - m, d^*]_{2^4}$-code
with $d^* = m - 1$ for $m = 3, 5$ and $d^* = m - 2$ otherwise.

Let $m = 3$. We determine the number of code-vectors of the $[32,30,2]_{2^4}$-code
$C^* = C^*(D_0,D)$ with Hamming weight 2. The number of code-vectors of weight
2 equals 15 times the number of effective divisors $D' < D_0$ of degree 2 such that
$D' \sim D - K + P \sim x_\infty + P$ for $P$ a prime $F_2$-rational divisor distinct from $D'$. Then
$|D'|$ is a linear system with $l(D') = 2$ and $\deg D' = 2$, but on a curve of genus
$g = 2$ there is only one such system, namely $|2 \cdot x_\infty|$. We see that there are 16
such divisors $D'$, all of the form $x + \tau(x)$ with $x \ne x_\infty$. Thus we find $15 \cdot 16 = 240$
code-vectors of Hamming weight 2.

11.2. ELLIPTIC AND HERMITIAN CODES

From the beginning we consider the following example:

Codes on the Fermat Cubic


Let $E$ be the Fermat elliptic curve in $\mathbb{P}^2$ given by $u^3 + v^3 + w^3 = 0$. This curve
has 3 points over $F_2$, 9 points over $F_4$, and 9 points over $F_8$. In fact, the number
$N_{2^\nu}$ of $F_{2^\nu}$-rational points on $E$ is

if $\nu = 2l + 1$
if $\nu = 2l$

The nine points over $F_4$ are flex points and they give the points of order 3 in the
group law. Choose $D$ as a prime $F_2$-rational divisor which corresponds to a closed
point of degree 3 over $F_2$ (consisting of 3 new points $x_i$, $1 \le i \le 3$, of degree
one over $F_8$), and choose $D_0$ as the sum of nine $F_4$-rational points. The space
$L(K + D_0 - D)$ has dimension 6. We get a linear $[9,6,\ge 3]_4$-code $C^* = C^*(D_0,D)$.
The curve $E$ is an elliptic curve with origin $(1 : 1 : 0)$. We have $d^* = 3$ if and only
if $x_1 + x_2 + x_3$ is a point of order 3 in the group. This is the case because this sum is
an $F_2$-rational point and all points over $F_2$ are points of order 3. The configuration
of the nine points of order 3 has a large automorphism group which is the group
of affine transformations of p} over F3.

Codes on Elliptic Curves


A detailed analysis of a very interesting class of geometric Goppa codes coming
from elliptic curves over $F_2$ has been made by Driencourt and Michon [26, 27]. We
consider here a certain aspect of the construction from an elementary point of view
and note that the codes obtained in this way admit an easy decoding procedure.
Let $E$ be an elliptic curve defined by
$$v^2 + v = g(u),$$
where $g(u)$ is a polynomial in $F_2[u]$ of degree 3. The number $N_2$ of $F_2$-rational
points $x = (u,v,w)$ of $E$ is 1, 3 or 5. In general the number $N_{2^\nu}$ of $F_{2^\nu}$-rational
points is expressed in terms of $N_2$. Here we need to use the fact that this number
is odd and that all points except the point at infinity $x_\infty = (0,1,0)$ form the pairs
$(x, \tau(x))$ with $x = (\alpha, \beta, 1)$ and $\tau(x) = (\alpha, \beta + 1, 1)$.
Let $A$ be the subset of $F_{2^\nu}$ consisting of the distinct non-zero $w$-coordinates of
$F_{2^\nu}$-rational points of $E$. Then the complete set of $F_{2^\nu}$-rational points of $E$ is
$$x_\infty, \quad x_\alpha = (\alpha, \beta, 1), \quad \tau(x_\alpha) = (\alpha, \beta + 1, 1) \quad \text{with } \alpha \in A.$$
Set $a = |A|$ and for a positive integer $m$ define the divisors $D_0$, $D$ as
$$D_0 = \sum_{\alpha \in A} (x_\alpha + \tau(x_\alpha)), \quad D = m \cdot x_\infty.$$
We suppose that $2a - m \ge 1$. It is clear that the supports of both divisors are
disjoint and that $\deg D_0 = 2a$. Set $l = \lfloor m/2 \rfloor$, $l^* = \lfloor (m - 3)/2 \rfloor$, then define a
function on $E$ by
$$f(u,w) = \prod_{\alpha \in A} (u + \alpha w),$$
and choose the basis $\{\omega_i, \omega_j^*\}$, $0 \le i \le a - l - 2$, $0 \le j \le a - l^* - 2$, in the space
$\Omega(D_0 - D)$ consisting of differential forms

where $u$, $v$ and $w$ are projective coordinates on $E$. Using the fact that $t = u + \alpha$
can serve as a local parameter at $x_\alpha = (\alpha, v(\alpha), 1)$, one calculates readily that the
residues of the corresponding differential forms are given by

where
$$f'(\alpha) = \prod_{\alpha' \in A,\ \alpha' \ne \alpha} (\alpha + \alpha').$$
With $n = 2a$ and $q = 2^\nu$, we define the residue map
$$\mathrm{Res}: \Omega(D_0 - D) \to F_q^n,$$
where
$$\omega \mapsto \mathrm{Res}(\omega) = (\mathrm{Res}_{x_1}(\omega), \ldots, \mathrm{Res}_{x_a}(\omega), \mathrm{Res}_{\tau(x_1)}(\omega), \ldots, \mathrm{Res}_{\tau(x_a)}(\omega)).$$
The resulting geometric Goppa code is a linear $[n, n - m, \ge m]_{2^\nu}$-code, generated
by the vectors $\mathrm{Res}(\omega)$, as $\omega$ varies over $\Omega(D_0 - D)$.
We remark that the elliptic codes over binary and ternary fields are related
to very interesting number theoretic sums, such as that of Kloosterman. The
interested reader would do well to consult the original papers of Driencourt and
Michon [26, 27] and Lachaud and Wolfmann [105].
We have also the following result (Janwa [86]):

Proposition 11.4. If $q + 1 < n < N_q(1)$, the elliptic $[n,k,d]_q$-codes are optimal.

Codes on Hermitian Curves


The Hermitian curve $X \subset \mathbb{P}^2$ is a smooth projective curve given over $F_q$ by
$$u^{q+1} + v^{q+1} + w^{q+1} = 0.$$
The genus $g = g(X)$ of $X$ can be easily calculated by the Plücker genus formula:
$$g = \frac{q(q-1)}{2}.$$
The curve $X$ has $(q + 1)$ $F_{q^2}$-rational points at infinity (of the form $x_\infty = (1, \xi, 0)$,
where $\xi$ is a $(q + 1)$th root of $-1$). Next, there are $(q + 1)$ $F_{q^2}$-rational points
of the form $x = (u, v, 1)$, where $u$ satisfies $1 + u^{q+1} = 0$, and $(q^2 - q - 1)(q + 1)$
$F_{q^2}$-rational points of the form $x = (u, v, 1)$ for each $u$ such that $1 + u^{q+1} \ne 0$ and
for each $v$ satisfying $v^{q+1} = -1 - u^{q+1}$. Thus the curve $X$ has exactly
$$N_{q^2} = 2(q + 1) + (q + 1)(q^2 - q - 1) = q^3 + 1$$
$F_{q^2}$-rational points. Because $N_{q^2} = q^2 + 1 + 2gq$, the Hermitian curve $X$ is maximal.
Choosing $\alpha, \beta \in F_{q^2}$ such that $\alpha^q + \alpha = \beta^{q+1} = -1$, and setting
$$y = \frac{\beta}{v - \beta u}, \qquad z = uy - \alpha = \frac{\beta(1 + \alpha)u - \alpha v}{v - \beta u},$$
we can transform

to the equation

which is more suitable for applications to coding theory.


From now on we shall assume that the Hermitian curve $X$ is given over $F_q$ by
$$z^q + z = y^{q+1}.$$
The curve $X$ given by the above equation has one $F_{q^2}$-rational point $x_\infty = (0,1,0)$
at infinity and $q^3$ $F_{q^2}$-rational points of the form $x = (y,z)$, where $z^q + z = y^{q+1}$.
Indeed, the non-zero elements $u \in F_{q^2}$ with $u^{q+1} \in F_q$ form a subgroup of $F_{q^2}^*$
of the order $(q - 1)(q + 1) = q^2 - 1$, and the equation $z^q + z = t$ has exactly $q$
solutions in $z \in F_{q^2}$ for each $t \in F_q$.
For $n = q^3$ let $x_1, \ldots, x_n$ be all $F_{q^2}$-rational points of $X$ different from $x_\infty$. Set
$$D_0 = x_1 + \cdots + x_n \quad \text{and} \quad D = m \cdot x_\infty.$$
The Goppa construction gives us a Hermitian $[n,k,d]_{q^2}$-code $C = C(D_0,D)$ with
$$k = l(m \cdot x_\infty) - l(m \cdot x_\infty - D_0)$$
and
$$d \ge n - m.$$
Note that if $m > n + 2g - 2$, the Riemann-Roch theorem yields
$$k = m - g + 1 - (m - n - g + 1) = n.$$
In that case the code $C = F_{q^2}^n$ is trivial, and it remains to study Hermitian codes
with $0 \le m \le n + 2g - 2$.
From Proposition 10.5 and Theorem 10.12 it follows that the code $C = C(D_0, m \cdot x_\infty)$
is dual to $C(D_0, \mu \cdot x_\infty)$ with $\mu = n + 2g - 2 - m$, and it is self-dual if and only
if $q = 2^\nu$ and $m = (n + 2g - 2)/2$.
Set $k' = F_{q^2}$ and consider the set $\mathcal{N}$ of non-gaps at $x_\infty$:
$$\mathcal{N} = \{n \ge 0 \mid \text{there exists } f \in k'(X) \text{ with } (f)_\infty = n \cdot x_\infty\}.$$
For $s \ge 0$ let
$$\mathcal{N}_s = \{n \in \mathcal{N} \mid n \le s\}.$$
Then $|\mathcal{N}_s| = l(s \cdot x_\infty)$, and for $s > 2g - 2 = q^2 - q - 2$ the Riemann-Roch theorem
gives
$$|\mathcal{N}_s| = s + 1 - \frac{q^2 - q}{2}.$$
It is easy to see that elements $y^i z^j$ with $i \ge 0$, $0 \le j \le q - 1$ and $iq + j(q + 1) \le s$
form a basis of the space $L(s \cdot x_\infty)$. Therefore,
$$\mathcal{N}_s = \{n \le s \mid n = iq + j(q + 1) \text{ with } i \ge 0 \text{ and } 0 \le j \le q - 1\}.$$

Proposition 11.5. Suppose that $0 \le m \le q^3 + 2g - 2$, and set $\mu = q^3 + 2g - 2 - m$.
Then:
(i) the dimension $k$ of $C = C(D_0, m \cdot x_\infty)$ is given by

if $0 \le m < q^3$
if $q^3 \le m \le q^3 + 2g - 2$
if $2g - 2 < m < q^3$
and the minimum distance $d$ satisfies
$$d \ge q^3 - m;$$
(ii) if $0 < m < q^3$ and both numbers $m$ and $q^3 - m$ are non-gaps at $x_\infty$ then
$d = q^3 - m$.

Proof:
(i) For $0 \le m < q^3$ we have $k = l(m \cdot x_\infty)$. For $q^3 \le m \le q^3 + 2g - 2$ and
$\mu = q^3 + 2g - 2 - m$ we find $0 \le \mu \le q^3$, and then
$$k = q^3 - \dim C(D_0, \mu \cdot x_\infty) = q^3 - l(\mu \cdot x_\infty).$$
Remaining assertions follow from Theorem 10.1.
(ii) First let us consider the case $m = q^3 - q^2$. Choose $r = q^2 - q$ distinct
elements $\alpha_1, \ldots, \alpha_r \in F_{q^2}$. Then the rational function
$$f = \prod_{l=1}^{r} (y - \alpha_l) \in L(m \cdot x_\infty)$$
has exactly $qr = m$ distinct zeros $x = (\alpha, \beta)$ over $F_{q^2}$, and the weight of
the corresponding code vector $\mathrm{Ev}(f) \in C$ is $q^3 - m$. Hence in this case
$d = q^3 - m$.
Let us consider now the case $m < q^3 - q^2$. We write $m = iq + j(q + 1)$ with
$i \ge 0$ and $0 \le j \le q - 1$, so $i \le q^2 - q - 1$. Fix an element $0 \ne \gamma \in F_{q^2}$, and
consider the set
$$A = \{\alpha \in F_{q^2} \mid \alpha^{q+1} \ne \gamma\}.$$
Then $|A| = q^2 - (q + 1) \ge i$, and we can choose distinct elements $\alpha_1, \ldots, \alpha_i \in A$.
The rational function

has $iq$ distinct zeros $x = (\alpha, \beta) \in \mathrm{Supp}\,D_0$. Next, we choose $j$ distinct elements
$\beta_1, \ldots, \beta_j \in F_{q^2}$ with $\beta_\tau^q + \beta_\tau = \gamma$ and set
$$h = \prod_{\tau=1}^{j} (z - \beta_\tau).$$
The rational function $h$ has $j(q + 1)$ zeros $x = (\alpha, \beta) \in \mathrm{Supp}\,D_0$, and all of them
are distinct from the zeros of $g$ because $\beta_\tau^q + \beta_\tau = \gamma \ne \alpha_\rho^{q+1}$ for $1 \le \rho \le i$ and
$1 \le \tau \le j$. Hence the function
$$f = gh \in L((iq + j(q + 1)) \cdot x_\infty) = L(m \cdot x_\infty)$$
has $m$ distinct zeros $x = (\alpha, \beta) \in \mathrm{Supp}\,D_0$. The corresponding code-vector $\mathrm{Ev}(f) \in C$
has weight $d = q^3 - m$.
Finally, let $q^3 - q^2 < m < q^3$. By assumption, $s = q^3 - m$ is a non-gap at $x_\infty$
and $0 < s < q^3 - q^2$. As above there exists a rational function $f \in k'(X)$ with $(f) =
D' - s \cdot x_\infty$, where $0 \le D' \le D_0$ and $\deg D' = s$. The function $g = y^{q^2} - y \in k'(X)$
has the divisor $(g) = D_0 - q^3 \cdot x_\infty$, hence

The code-vector $\mathrm{Ev}(f^{-1}g) \in C$ has weight $d = q^3 - m$, and this completes the
proof. •
As all integers $s \ge 2g$ are non-gaps, the proposition yields $d = q^3 - m$ whenever
$q^2 - q \le m \le q^3 - q^2 + q$. One can also easily specify a generator matrix for the
Hermitian code $C = C(D_0, m \cdot x_\infty)$. Let $\mathcal{P} = \{x = (\alpha, \beta) \mid \beta^q + \beta = \alpha^{q+1}\}$ be an
ordered set of $F_{q^2}$-rational points on $X$. For $s = iq + j(q + 1)$, where $i \ge 0$ and
$0 \le j \le q - 1$, we define the $n$-dimensional vector over $F_{q^2}$ as
$$v_s = (\alpha^i \beta^j)_{(\alpha,\beta) \in \mathcal{P}}.$$
Corollary 11.6. Suppose that $0 \le m < n = q^3$. Let $0 = s_1 < s_2 < \cdots < s_k \le m$
be all non-gaps at $x_\infty$ not exceeding $m$. Then the $k \times n$ matrix $G$ whose rows are
$v_{s_1}, \ldots, v_{s_k}$ is a generator matrix of the code $C$.
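
Proposition 11.5 and Corollary 11.6 can be checked by machine in the smallest case $q = 2$. The following Python sketch is an added illustration, not code from the book: it lists the affine points of $z^q + z = y^{q+1}$ over $F_4$, builds the generator matrix from the non-gaps, finds the minimum distance by exhaustive search, and tests the self-duality condition $m = (n + 2g - 2)/2$. The encoding of $F_4$ as the integers 0..3 and all function names are assumptions of this example.

```python
from itertools import product

Q = 2  # the curve z^q + z = y^(q+1), considered over F_{q^2} = F_4

# F_4 = {0, 1, a, a+1} stored as 0, 1, 2, 3 (bit 1 is the coefficient of a),
# with a^2 = a + 1. This encoding is an assumption of the example.
EXP = [1, 2, 3]            # a^0, a^1, a^2
LOG = {1: 0, 2: 1, 3: 2}

def add(x, y):
    return x ^ y           # characteristic 2: addition is XOR

def mul(x, y):
    if x == 0 or y == 0:
        return 0
    return EXP[(LOG[x] + LOG[y]) % 3]

def power(x, e):
    r = 1
    for _ in range(e):
        r = mul(r, x)
    return r

def affine_points():
    """All (y, z) in F_4 x F_4 with z^q + z = y^(q+1): the support of D_0."""
    return [(y, z) for y in range(4) for z in range(4)
            if add(power(z, Q), z) == power(y, Q + 1)]

def nongaps(m):
    """Map each non-gap s = i*q + j*(q+1) <= m, 0 <= j <= q-1, to its (i, j)."""
    found = {}
    for j in range(Q):
        i = 0
        while i * Q + j * (Q + 1) <= m:
            found[i * Q + j * (Q + 1)] = (i, j)
            i += 1
    return dict(sorted(found.items()))

def generator_matrix(m):
    """Rows v_s = (alpha^i * beta^j) over all points, one row per non-gap s <= m."""
    pts = affine_points()
    return [[mul(power(y, i), power(z, j)) for (y, z) in pts]
            for (i, j) in nongaps(m).values()]

def min_distance(G):
    """Minimum weight over all non-zero F_4-linear combinations of the rows."""
    n = len(G[0])
    best = n
    for coeffs in product(range(4), repeat=len(G)):
        if not any(coeffs):
            continue
        word = [0] * n
        for c, row in zip(coeffs, G):
            word = [add(w, mul(c, r)) for w, r in zip(word, row)]
        best = min(best, sum(1 for w in word if w))
    return best

def dot(u, v):
    acc = 0
    for x, y in zip(u, v):
        acc = add(acc, mul(x, y))
    return acc

def is_self_orthogonal(G):
    return all(dot(r1, r2) == 0 for r1 in G for r2 in G)

def parameters(m):
    """(n, k, d) of C(D_0, m * x_inf) for 0 <= m < q^3."""
    G = generator_matrix(m)
    return len(G[0]), len(G), min_distance(G)

if __name__ == "__main__":
    for m in range(7):
        print(m, parameters(m))
```

For $q = 2$ the genus is 1 and the non-gaps are $0, 2, 3, 4, \ldots$, so both $m$ and $8 - m$ are non-gaps exactly for $2 \le m \le 6$, which is the range $q^2 - q \le m \le q^3 - q^2 + q$ stated above.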

Finally, we study automorphisms of Hermitian codes $C = C(D_0,D)$. Let $\eta, \varepsilon \in
F_{q^2}$ be such that $\varepsilon^q + \varepsilon = \eta^{q+1}$, and let $\lambda \in F_{q^2}^*$. There exists an automorphism $\sigma$
of the field $k'(X)$ with
$$\sigma(y) = \lambda y + \eta, \quad \sigma(z) = \lambda^{q+1} z + \lambda \eta^q y + \varepsilon$$
(the existence of the automorphism $\sigma$ for above mentioned parameters $\lambda$, $\eta$ and
$\varepsilon$ follows from the fact that $\sigma(y)$ and $\sigma(z)$ satisfy the equation $\sigma(z)^q + \sigma(z) =
\sigma(y)^{q+1}$). Denote by $H \subset \mathrm{Aut}(k'(X))$ the group of all such automorphisms $\sigma$
and observe that $|H| = q^3(q^2 - 1)$. Clearly $\sigma(x_\infty) = x_\infty$ for all $\sigma \in H$, and $H$ acts
transitively on the points $x = (\alpha, \beta)$ of the curve $X$. Hence $H$ is a subgroup of the
group of automorphisms of the Hermitian code $C$.

Proposition 11.7. The group of automorphisms of the Hermitian code $C$ contains
a subgroup of order $q^3(q^2 - 1)$.

11.3. CODES ON FIBER PRODUCTS

Now we consider a class of rather long linear $[n,k,d]_q$-codes over a finite field $F_q$
coming from fiber products of hyperelliptic curves with a lot of $F_q$-rational points
(Stepanov [188, 189]). Our approach allows us to determine explicitly a basis of
the space $\Omega(D_0 - D)$, and this provides an easy way to write out the generator
matrices for codes in the class and to find a fast decoding algorithm.
Let $p$ be a prime number, $\nu \ge 1$ an integer and $F_q$ a finite field with $q = p^\nu$
elements. The field $F_q$ is a Galois extension of $F_p$ of degree $\nu$ with a cyclic Galois
group of order $\nu$. The action of a generator $\theta$ of this group on an element $v \in F_q$
is given by the rule $\theta(v) = v^p$, and the map
$$\mathrm{norm}_\nu(v) = v \cdot \theta(v) \cdots \theta^{\nu-1}(v) = v \cdot v^p \cdots v^{p^{\nu-1}}$$
of $F_q$ onto $F_p$ is known as the norm of $v$. Let $\chi$ be a non-trivial multiplicative
character of $F_q$ and $v$ an element of $F_q$. Set
$$\chi_\nu(v) = \chi(\mathrm{norm}_\nu(v))$$
and call $\chi_\nu$ a multiplicative character of $F_q$ induced by the character $\chi$.


Assume now that $p = \mathrm{char}\,F_q > 2$. Let $f \in F_q[u]$ be a square-free polynomial
of degree $m \ge 1$, and let $\chi_\nu$ be a character of $F_q$ induced by a non-trivial quadratic
character $\chi$ of the field $F_p$. Consider the curve $Y$ defined over $F_q$ by the equation
$$z^2 = f(u),$$
and observe that the genus of $Y$ is $g = \lfloor \frac{m-1}{2} \rfloor$ and the number $N_q$ of $F_q$-rational
points of $Y$ is
$$N_q = \sum_{u \in F_q} (1 + \chi_\nu(f(u))).$$
If $\nu$ is an even number and the polynomial $f$ has the form
$$f(u) = u + u^{q^{1/2}},$$
it follows from Theorem 6.14 that
$$\sum_{u \in F_q} \chi_\nu(f(u)) = q - q^{1/2},$$
and therefore
$$N_q = 2q - q^{1/2}.$$
Thus the curve $Y$ given by the equation
$$z^2 = u + u^{q^{1/2}}$$
is maximal over the field $F_q$.
Denote by $X$ a smooth projective model of $Y$. Let $l$, $n \le N_q$ be positive integers
and $x_1, \ldots, x_n$ be $F_q$-rational points of $X$ different from the point $x_\infty$ at infinity. Set
$$D_0 = x_1 + \cdots + x_n, \quad D = l \cdot x_\infty$$
and consider the geometric Goppa $[n,k,d]_q$-code $C = C(D_0,D)$ associated to the
pair $(D_0,D)$.
Theorem 11.8. Let $\nu > 1$ be even and $F_q$ a finite field of characteristic $p > 2$
with $q = p^\nu$ elements. For any integer $l$, $\frac{1}{2} q^{1/2} < l < n$, there exists a geometric
Goppa $[n,k,d]_q$-code $C = C(D_0,D)$ with
$$n \le 2q - q^{1/2},$$
$$k \ge l - \frac{1}{2} q^{1/2},$$
$$d \ge n - l.$$
Corollary 11.9. The relative parameters $R = k/n$ and $\delta = d/n$ of the code $C =
C(D_0,D)$ satisfy
$$R \ge 1 - \delta - \frac{q^{1/2}}{2n}.$$
In particular, for $n = 2q - q^{1/2}$ we have
$$R \ge 1 - \delta - \frac{1}{2(2q^{1/2} - 1)}.$$
Now we extend the above approach to the case of the curve $Y$ defined over
$F_q$ as a fiber product in the corresponding affine space. Let $f_1, \ldots, f_s$ be pairwise
coprime square-free polynomials in $F_q[u]$ of the same degree $m \ge 1$. Consider the
fiber product given over $F_q$ by equations
$$z_i^2 = f_i(u), \quad 1 \le i \le s. \qquad (11.1)$$
To calculate the genus $g = g(Y)$ and the number $N_q$ of $F_q$-rational points of the
curve $Y$ we first prove the following result:

Proposition 11.10. Let $\nu > 2$ be even, $F_q$ be a finite field of characteristic $p > 2$
with $q = p^\nu$ elements and $A$ be the set of roots in $F_q$ of the polynomial
$$f(u) = u + u^{p^{\nu/2}}.$$
Then
(i) the set $A$ forms a subgroup of the additive group $F_q^+$ of the field $F_q$;

(ii) if $\{A_1 = A, A_2, \ldots, A_r\}$ is the set of all cosets in $F_q^+/A$ and $\{\alpha_1, \alpha_2, \ldots, \alpha_r\}$
are distinct representatives of the cosets, then the polynomials

are pairwise coprime in $F_q[u]$;

(iii) $r = |F_q^+/A| = p^{\nu/2}$.


Proof: The main point is (i). First of all we note that $f(0) = 0$. Now, if $\alpha$ and $\beta$
are roots of $f(u)$, then
$$f(\alpha + \beta) = (\alpha + \beta) + (\alpha + \beta)^{p^{\nu/2}} = \alpha + \alpha^{p^{\nu/2}} + \beta + \beta^{p^{\nu/2}} = f(\alpha) + f(\beta) = 0,$$
so that $\alpha + \beta$ is also a root of the polynomial $f(u)$. Thus $A$ is a subgroup of $F_q^+$.
To prove (ii) let us suppose that $f_i(u)$ and $f_j(u)$ for $i \ne j$ have a common root
in $F_q$, say $u = \theta$. In that case

and therefore

This yields
$$\alpha_i - \alpha_j + (\alpha_i - \alpha_j)^{p^{\nu/2}} = 0,$$
and we find that $\alpha_i - \alpha_j$ is a root of $f(u)$, hence $\alpha_i - \alpha_j \in A$. But $\alpha_i - \alpha_j \notin A$
according to the choice of $\alpha_1, \ldots, \alpha_r$, and we arrive at a contradiction.
Finally, since $|A| = p^{\nu/2}$ we find that
$$r = |F_q^+/A| = p^\nu / p^{\nu/2} = p^{\nu/2}.$$
This completes the proof. •

Now we find the number $N_q$ of $F_q$-rational points of the curve $Y$.

Proposition 11.11. Let $F_p$ be a prime finite field of characteristic $p > 2$, $F_q$ an
extension of $F_p$ of even degree $\nu > 1$ and $s \le q^{1/2}$ a positive integer. Let $N_q$ be the
number of $F_q$-rational points of the curve $Y \subset \mathbb{A}^{s+1}$ given over $F_q$ by equations
$$z_i^2 = f_i(x), \quad 1 \le i \le s,$$
with polynomials
$$f_i(x) = (x + \alpha_i) + (x + \alpha_i)^{p^{\nu/2}}, \quad 1 \le i \le s,$$
defined by (11.1). Then

Proof: We have

$$N_q = \sum_{u \in F_q} (1 + \chi_\nu(f_1(u))) \cdots (1 + \chi_\nu(f_s(u)))$$

and hence
s
N q =pv+ L
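It follows from Proposition 11.10 and Theorem 6.14 that
$$\chi_\nu(f_i(u)) = \begin{cases} 0 & \text{if } u \in A_i \\ 1 & \text{if } u \in F_q \setminus A_i \end{cases},$$
and since any two distinct sets $A_i$ and $A_j$ have no common elements we obtain
$$N_q = p^\nu + \sum_{\sigma=1}^{s} \binom{s}{\sigma} (p^\nu - \sigma p^{\nu/2}) = p^\nu + (2^s - 1)p^\nu - s 2^{s-1} p^{\nu/2}$$
$$= (2p^{\nu/2} - s) p^{\nu/2} 2^{s-1} = (2q^{1/2} - s) q^{1/2} 2^{s-1}.$$
This proves the proposition.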
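
The count $N_q = (2q^{1/2} - s)q^{1/2}2^{s-1}$ obtained in the proof, together with parts (i) and (iii) of Proposition 11.10, can be confirmed by exhaustive search in the smallest admissible field, $q = 9$ ($p = 3$, $\nu = 2$). The Python sketch below is an added illustration, not code from the book; the model $F_9 = F_3[i]/(i^2 + 1)$, the particular coset representatives and all function names are assumptions of the example. It also evaluates the genus formula $g = (ms - 3)2^{s-2} + 1$ with $m = q^{1/2}$.

```python
P = 3  # characteristic; q = p^2 = 9, so q^(1/2) = p^(nu/2) = 3

# F_9 is modelled as F_3[i]/(i^2 + 1) (assumption of this example);
# the element a + b*i is stored as the pair (a, b).
FIELD = [(a, b) for a in range(P) for b in range(P)]
ZERO, ONE = (0, 0), (1, 0)

def add(x, y):
    return ((x[0] + y[0]) % P, (x[1] + y[1]) % P)

def mul(x, y):
    return ((x[0] * y[0] - x[1] * y[1]) % P, (x[0] * y[1] + x[1] * y[0]) % P)

def power(x, e):
    r = ONE
    for _ in range(e):
        r = mul(r, x)
    return r

def f(u, shift=ZERO):
    """f_i(u) = (u + a_i) + (u + a_i)^(p^(nu/2)), where a_i = shift."""
    t = add(u, shift)
    return add(t, power(t, P))

def root_subgroup():
    """A = roots of f(u) = u + u^3 in F_9, an additive subgroup of order 3."""
    return [u for u in FIELD if f(u) == ZERO]

def coset_representatives():
    """One representative a_i for each coset of A in the additive group of F_9."""
    A, seen, reps = root_subgroup(), set(), []
    for x in FIELD:
        if x not in seen:
            reps.append(x)
            seen.update(add(x, a) for a in A)
    return reps

# Number of z with z^2 = c is the length of SQUARE_ROOTS[c] (0 if c is a non-square).
SQUARE_ROOTS = {}
for z in FIELD:
    SQUARE_ROOTS.setdefault(mul(z, z), []).append(z)

def count_points(s):
    """Affine F_9-points (u, z_1, ..., z_s) of z_i^2 = f_i(u), 1 <= i <= s."""
    reps = coset_representatives()[:s]
    total = 0
    for u in FIELD:
        solutions = 1
        for a in reps:
            solutions *= len(SQUARE_ROOTS.get(f(u, a), []))
        total += solutions
    return total

def formula(s, sqrt_q=P):
    """(2 q^(1/2) - s) q^(1/2) 2^(s-1), the value derived in the proof."""
    return (2 * sqrt_q - s) * sqrt_q * 2 ** (s - 1)

def genus(s, m=P):
    """g = (m s - 3) 2^(s-2) + 1 for odd m, kept in integers."""
    return (m * s - 3) * 2 ** s // 4 + 1

if __name__ == "__main__":
    for s in (1, 2, 3):
        print(s, count_points(s), formula(s), genus(s))
```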
Finally, let us calculate the genus of the smooth projective model $X$ of curve
$Y$. Let $F_q$ be a finite field of characteristic $p > 2$, $k' = \bar{F}_q$ be an algebraic closure
of the field $F_q$ and $\mathbb{A}^{s+1}$ be the $(s + 1)$-dimensional affine space over $k'$.

Proposition 11.12. Let $f_1, \ldots, f_s$ be pairwise coprime square-free polynomials in
$F_q[u]$ of the same degree $m \ge 1$ and let $Y$ be the fiber product in $\mathbb{A}^{s+1}$ given over
$F_q$ by Equations (11.1). Then the genus $g = g(X)$ of the smooth projective model
of $Y$ is
$$g = (ms - 3)2^{s-2} + 1.$$
Proof: Without loss of generality we can assume that $f_1, \ldots, f_s$ are monic polynomials.
Let $X$ be a smooth projective model of the curve $Y$. Denote by $v_x$ the
canonical valuation of the function field $k'(X)$, and by $\Omega[X]$ the space of regular
differential forms on $X$. The affine curve $Y$ is easily seen to be smooth. If $\bar{Y}$ is its
projective closure, then $X$ is a normalization of $\bar{Y}$ and we have the map $\psi : X \to \bar{Y}$,
which is an isomorphism between $Y$ and $\psi^{-1}(Y)$.
The rational map $(u, z_1, \ldots, z_s) \to u$ of the curve $Y$ in $\mathbb{A}^1$ determines a morphism
$\varphi : X \to \mathbb{P}^1$ of degree $2^s$, so that for $u_0 \in \mathbb{A}^1$ either $\varphi^{-1}(u_0)$ consists of
$2^s$ points of the form $x' = (u_0, \pm z_1, \ldots, \pm z_s)$ in each of which $v_{x'}(t) = 1$ for
a local parameter $t$ at $u_0$, or else $\varphi^{-1}(u_0)$ consists of $2^{s-1}$ points of the form
$x_i'' = (u_0, \pm z_1, \ldots, \pm z_{i-1}, 0, \pm z_{i+1}, \ldots, \pm z_s)$, and $v_{x_i''}(t) = 2$.
Let us consider the point at infinity $u_\infty \in \mathbb{P}^1$. If the coordinate on $\mathbb{A}^1$ is
denoted by $u$, then $t = u^{-1}$ is a local parameter at $u_\infty$. If $\varphi^{-1}(u_\infty)$ were to
consist of $2^s$ points $x_\infty^{(\tau)}$, then at each $x_\infty = x_\infty^{(\tau)}$ the function $t$ would be a local
parameter. Hence it would follow that $v_{x_\infty}(t) = 1$ and $v_{x_\infty}(f_i(u)) = -m$. But
since $m$ is odd, this contradicts the condition that $v_{x_\infty}(f_i(u)) = 2v_{x_\infty}(z_i)$. Thus
$\varphi^{-1}(u_\infty)$ consists of $r = 2^{s-1}$ points $x_\infty^{(\tau)}$, $1 \le \tau \le r$, with projective coordinates
$x_\infty^{(\tau)} = (0, \pm 1, \ldots, \pm 1, 0)$. It follows that $X = Y \cup \{x_\infty^{(1)}\} \cup \cdots \cup \{x_\infty^{(r)}\}$. At any such
point $x_\infty = x_\infty^{(\tau)}$ we have $v_{x_\infty}(u) = -2$ and $v_{x_\infty}(z_i) = -m$.
Let us now find a basis of the space $\Omega[X]$ over the field $k'$. Any element
$\omega \in \Omega[Y]$ can be written as a $k'$-linear combination of the differential forms
$\omega_0 = P_0(u)\,du$ and
$$\omega_{i_1,\ldots,i_\sigma} = \frac{P_{i_1,\ldots,i_\sigma}(u)\,du}{z_{i_1} \cdots z_{i_\sigma}},$$
where $i_1, \ldots, i_\sigma$ are integers satisfying the condition $1 \le i_1 < \cdots < i_\sigma \le s$ and
$P_{i_1,\ldots,i_\sigma}$ are polynomials in $k'[u]$. Indeed, the differential form
$$\omega'_{i_1,\ldots,i_\sigma} = \frac{du}{z_{i_1} \cdots z_{i_\sigma}}$$
is regular at any point $u_0 \in \mathbb{A}^1$ with the condition $z_i(u_0) \ne 0$ for $i \in \{i_1, \ldots, i_\sigma\}$.
Now if $z_i(u_0) = 0$ for a unique $i \in \{i_1, \ldots, i_\sigma\}$, then $z_i$ is a local parameter at $x_i'' =
(u_0, \pm z_1, \ldots, \pm z_{i-1}, 0, \pm z_{i+1}, \ldots, \pm z_s)$, so that $v_{x_i''}(z_i) = 1$ and $v_{x_i''}(u - u_0) = 2$.
Therefore, $v_{x_i''}(du) = 1$ and again $\omega'_{i_1,\ldots,i_\sigma}$ is regular at $u_0$. The form $\omega'_0 = du$ is
also regular at any point $u_0 \in \mathbb{A}^1$. Thus, the differential forms $\omega'_0 = du$ and $\omega'_{i_1,\ldots,i_\sigma}$
form a basis of the $k'[u]$-module $\Omega[Y]$.
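It remains to clarify which of the forms $\omega_0$ and $\omega_{i_1,\ldots,i_\sigma}$ are regular at points
$x_\infty^{(1)}, \ldots, x_\infty^{(r)}$. Let $x_\infty$ be one of these points. If $t$ is a local parameter at $x_\infty$, then
$u = t^{-2}u'$, $z_i = t^{-m}z_i'$, where $u'$ and $z_i'$ are units in the local ring $O_{x_\infty}$. Therefore
$\omega'_{i_1,\ldots,i_\sigma} = t^{m\sigma-3}\,\eta_{i_1,\ldots,i_\sigma}\,dt$, with $\eta_{i_1,\ldots,i_\sigma}$ a unit in $O_{x_\infty}$, hence
$(\omega'_{i_1,\ldots,i_\sigma}) = (m\sigma - 3) \cdot x_\infty$. Thus, the differential form
$$\omega_{i_1,\ldots,i_\sigma} = \frac{P_{i_1,\ldots,i_\sigma}(u)\,du}{z_{i_1} \cdots z_{i_\sigma}}$$
is regular at $x_\infty$ if and only if
$$v_{x_\infty}(P_{i_1,\ldots,i_\sigma}(u)) \ge -(m\sigma - 3).$$
This means that
$$\deg P_{i_1,\ldots,i_\sigma}(u) \le \frac{m\sigma - 3}{2}$$
and hence
$$\deg P_{i_1,\ldots,i_\sigma}(u) \le \begin{cases} \frac{m\sigma - 4}{2} & \text{if } \sigma \equiv 0 \bmod 2 \\ \frac{m\sigma - 3}{2} & \text{if } \sigma \equiv 1 \bmod 2 \end{cases}$$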
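The differential form $\omega_0 = P_0\,du$ is not regular at $x_\infty$ for any non-zero polynomial
$P_0 \in k'[u]$, so the regular differential forms
$$\omega'_{i_1,\ldots,i_\sigma},\ u\,\omega'_{i_1,\ldots,i_\sigma},\ \ldots,\ u^n \omega'_{i_1,\ldots,i_\sigma},$$
where $1 \le i_1 < \cdots < i_\sigma \le s$ and
$$n = \begin{cases} \frac{m\sigma - 4}{2} & \text{if } \sigma \equiv 0 \bmod 2 \\ \frac{m\sigma - 3}{2} & \text{if } \sigma \equiv 1 \bmod 2 \end{cases},$$
form a basis of the space $\Omega[X]$ over $k'$. Therefore
$$\dim_{k'} \Omega[X] = \frac{1}{2} \sum_{\substack{\sigma=1 \\ \sigma \equiv 0 \bmod 2}}^{s}\ \sum_{1 \le i_1 < \cdots < i_\sigma \le s} (m\sigma - 2) + \frac{1}{2} \sum_{\substack{\sigma=1 \\ \sigma \equiv 1 \bmod 2}}^{s}\ \sum_{1 \le i_1 < \cdots < i_\sigma \le s} (m\sigma - 1)$$
$$= \frac{m}{2} \sum_{\sigma=1}^{s} \sigma \binom{s}{\sigma} - \sum_{\substack{\sigma=1 \\ \sigma \equiv 0 \bmod 2}}^{s} \binom{s}{\sigma} - \frac{1}{2} \sum_{\substack{\sigma=1 \\ \sigma \equiv 1 \bmod 2}}^{s} \binom{s}{\sigma}$$
$$= \frac{1}{2} \left( ms2^{s-1} - 2^s - 2^{s-1} + 2 \right)$$
and hence
$$g = g(X) = \dim_{k'} \Omega[X] = (ms - 3)2^{s-2} + 1.$$
This completes the proof.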
Now we use the curve $Y \subseteq \mathbb{A}^{s+1}$ defined over $F_q$ by Equations (11.1), where
$f_1, \ldots, f_s \in F_q[u]$ are pairwise coprime square-free polynomials of the same degree
$q^{1/2}$ given by (11.2), to construct rather good linear codes over $F_q$. Let $X$ be a
smooth projective model of $Y$ over $k' = \bar{F}_q$ and let $M_q$ be the number of $F_q$-rational
points of $X$. From Proposition 11.11 and Proposition 11.12 we have

and
$$g = g(X) = (sq^{1/2} - 3)2^{s-2} + 1.$$
Let $l$ and $n \le N_q$ be positive integers, $x_1, \ldots, x_n$ be $F_q$-rational points of $X$
different from the point $x_\infty$ at infinity, and
$$D_0 = x_1 + \cdots + x_n, \quad D = l \cdot x_\infty.$$
Applying to $X$ the $L$-construction for $(sq^{1/2} - 3)2^{s-2} < l < n$ we obtain the following
result:

Theorem 11.13. Let $p > 2$ be a prime, $\nu > 1$ be an even number, and $F_q$ be a
finite field with $q = p^\nu$ elements. For any positive integers $s \le q^{1/2}$ and $l$,
$(sq^{1/2} - 3)2^{s-2} < l < n$, there exists a geometric Goppa $[n,k,d]_q$-code $C = C(D_0,D)$ with
$$n \le (2q^{1/2} - s)q^{1/2}2^{s-1},$$
$$k \ge l - (sq^{1/2} - 3)2^{s-2},$$
$$d \ge n - l.$$

Corollary 11.14. The relative parameters $R = k/n$ and $\delta = d/n$ of the code
$C = C(D_0,D)$ satisfy
$$R \ge 1 - \delta - \frac{(sq^{1/2} - 3)2^{s-2}}{n}.$$
In particular, for $n = (2q^{1/2} - s)q^{1/2}2^{s-1}$ we have
$$R \ge 1 - \delta - \frac{sq^{1/2} - 3}{2(2q^{1/2} - s)q^{1/2}}.$$

By a suitable concatenation one gets reasonably good codes over $F_p$. Indeed,
let $k_0 > 1$ be an even number. Applying a linear $[n_0,k_0,d_0]_p$-code $C_0$ to an $[n,k,d]_q$-code
$C = C(D_0,D)$ over $F_q$, where $q = p^{k_0}$, we obtain an $[n',k',d']_p$-code $C'$ with
parameters
$$n' = n_0 n, \quad k' = k_0 k, \quad d' = d_0 d.$$
Let us denote by $R_0 = k_0/n_0$ and $\delta_0 = d_0/n_0$ the relative parameters of the code
$C_0$.
Corollary 11.15. For any positive integers $n_0 > 1$, $s \le q^{1/2}$ and $l$,
$(sq^{1/2} - 3)2^{s-2} < l < n$, there exists a linear $[n',k',d']_p$-code $C'$ with
$$n' = n_0 n \le n_0 (2q^{1/2} - s)q^{1/2}2^{s-1},$$
$$k' \ge k_0 (l - (sq^{1/2} - 3)2^{s-2}),$$
$$d' \ge d_0 (n - l).$$
Relative parameters $R' = k'/n'$ and $\delta' = d'/n'$ of the code $C'$ satisfy
$$R' + \delta' \ge R_0 \left( \frac{l}{n} - \frac{(sq^{1/2} - 3)2^{s-2}}{n} \right) + \delta_0 \left( 1 - \frac{l}{n} \right).$$
The above results can be easily extended to the case of fiber products of
hyperelliptic curves over $F_q$, where $q = p^\nu$ is an odd power of $p$ (Stepanov-Özbudak
[191, 192]), and to the case of fiber products of superelliptic curves
(Özbudak [136]) defined over a finite field $F_q$ by equations of the form
$$z_i^\mu = f_i(u), \quad 1 \le i \le s,$$
where $\mu \ge 2$ is a divisor of $q - 1$. The curves (11.1) provide sufficiently long
geometric Goppa codes (with $n \le q \cdot 2^{\sqrt{q} - 1}$). Moreover, some modification of
the polynomials $f_i(u)$ (Özbudak [138]) allows construction of very good linear
$[n,k,d]_q$-codes for any $n \le q(q - 1) \cdot 2q$. Another construction of rather long
geometric Goppa codes coming from fiber products of Artin-Schreier curves was
proposed by van der Geer and van der Vlugt [60].

11.4. CODES ON CLASSICAL MODULAR CURVES

Let us now consider some properties of geometric Goppa codes obtained by
reduction of classical modular curves.
Let $X_0(N)$ be an absolutely irreducible smooth projective curve over $F_p$ of
genus $g = g_0(N)$. Let $x_1, \ldots, x_n$ be $F_{p^2}$-rational points of $X_0(N)$ (lying over
supersingular values of $j$), and let $N \ge 3$ be a prime number, different from $p$.

Proposition 11.16. Let $D_0 = x_1 + \cdots + x_n$, let $D$ be an $F_{p^2}$-rational divisor on
$X_0(N)$, and let $\mathrm{Supp}\,D_0 \cap \mathrm{Supp}\,D = \emptyset$. If $N \ge 3$ is a prime number and $N \ne p$, the
linear $[n,k,d]_{p^2}$-code $C = C(D_0,D)$ has parameters
$$1 \le n \le n',$$
$$k \ge \deg D - g_0(N) + 1,$$
$$d \ge n - \deg D,$$
where $n' \ge (N + 1)(p - 1)/12$.

Proof: The proposition follows immediately from Corollary 8.2, Proposition 8.5,
Corollary 9.9 and Theorem 9.10. •
Note that the assertion of Theorem 9.10 remains correct for all positive integers
$N$ relatively prime to $p$ (see Tsfasman and Vladut [208, p. 426]), and we arrive at
the following result:

Proposition 11.17. Let $D_0 = x_1 + \cdots + x_n$, let $D$ be an $F_{p^2}$-rational divisor on
$X_0(N)$, and let $\mathrm{Supp}\,D_0 \cap \mathrm{Supp}\,D = \emptyset$. If $N$ is relatively prime to $p$, the linear
$[n,k,d]_{p^2}$-code $C = C(D_0,D)$ has parameters
$$1 \le n \le n',$$
$$k \ge \deg D - g_0(N) + 1,$$
$$d \ge n - \deg D,$$
where
$$n' \ge \frac{N(p - 1)}{12} \prod_{l \mid N} (1 + l^{-1})$$
and the product is taken over all prime numbers $l$ dividing $N$.

Since the length $n$ of the code $C$ can be at least

we can assume that
$$n = \left\lceil \frac{N(p - 1)}{12} \prod_{l \mid N} (1 + l^{-1}) \right\rceil.$$
The set of numbers of such form is rather dense.

Using Weierstrass points, we can improve the code parameters for small $k$. We
consider only the point $x_\infty$ on $X_0(N)$ and restrict ourselves to the values $N = 2^m$
(in this case the effect obtained by using Weierstrass points is maximal). Then we
have

where
if $m = 2\nu$
if $m = 2\nu + 1$
Proposition 11.18. Let $D = l \cdot x_\infty$ be a divisor of degree $l$ on $X_0(N)$ and $C = C(D_0,D)$
be a linear $[n,k,d]_{p^2}$-code. Then for the parameters of $C$ we have:

$$1 \leq n \leq n', \qquad k \geq k(l,m), \qquad d \geq n - l,$$

where $n' \geq 2^{m-3}(p-1)$ and $k(l,m)$ is defined as follows: $k(l,m) = r$ if and only
if

with 1 ::; r ::; l if J- 1.

11.5. CODES ON ARTIN-SCHREIER COVERINGS

Let $F_q$ be a finite field with $q = p^{\nu}$ elements and $F_{q^2}$ a quadratic extension of $F_q$.
Let $N_{q^2}(X)$ be the number of $F_{q^2}$-rational points of a smooth projective curve $X$
of genus $g(X)$ defined over $F_{q^2}$ and

$$A(q^2) = \limsup_{g(X) \to \infty} \frac{N_{q^2}(X)}{g(X)},$$

the supremum being taken over all smooth projective curves $X$ of genus $g = g(X)$
(up to isomorphism over $F_{q^2}$). As was shown before, there exists a family of
modular curves $X_i$ such that

$$A(q^2) = \lim_{i \to \infty} \frac{N_{q^2}(X_i)}{g(X_i)} = q - 1. \qquad (11.3)$$

For $q \geq 7$, the equality (11.3) asserts the existence of an asymptotically good
sequence of geometric Goppa codes over $F_{q^2}$, whose parameters lie above the
Gilbert-Varshamov bound.
The proof of the equality (11.3) exposed in Part III requires very deep facts
from algebraic geometry and the theory of modular curves. Now we present a
much easier proof of (11.3), proposed recently by Garcia and Stichtenoth [52] and
based on construction of a sequence of (modified) Artin-Schreier coverings

$$\cdots \to X_2 \to X_1 \to X_0$$

such that the ratio $N_{q^2}(X_i)/g(X_i)$ tends to the Drinfeld-Vladut bound $q - 1$ as
$g(X_i) \to \infty$.
Let $k = F_{q^2}$ and $L_0 = k(x)$ be the rational function field over $k$. We define the
sequence of smooth projective curves $X_i$ over $k$ recursively by

(11.4)

(11.5)

and

$$X_{i+1}: \quad \begin{cases} z_{i+1}^q + z_{i+1} = f_i^{q+1}, \\ f_i = z_i / f_{i-1} \end{cases} \qquad (11.6)$$

for $i \geq 1$. Consider the corresponding tower of function fields

$$L_0 \subseteq L_1 \subseteq L_2 \subseteq \cdots, \qquad (11.7)$$

where $L_i = k(X_i)$ for $i \geq 0$, and note that

$$L_i = L_{i-1}(z_i).$$

Our purpose is to calculate the genus of the curve $X_i$ for each $i \geq 0$ and determine
the number of $k$-rational points of $X_i$. To do this we use the ramification theory of
Artin-Schreier extensions described in Section 5.4.

The Genus of $L_i$
From now on, we consider the tower (11.7) of algebraic function fields $L_i = k(X_i)$,
where the smooth projective curves $X_0, X_1, X_2, \ldots$ are defined by Equations (11.4)
to (11.6).
Lemma 11.19. Suppose that a prime divisor $P \in \mathrm{Div}(L_i)$ is a simple pole of
$f_i = z_i/f_{i-1} \in L_i$. Then the extension $L_{i+1}/L_i$ has degree $[L_{i+1} : L_i] = q$, and $P$ is
totally ramified in $L_{i+1}/L_i$. The prime divisor $P' \in \mathrm{Div}(L_{i+1})$ lying over $P$ is a
simple pole of $f_{i+1}$.

Proof: By assumption, $v_P(f_i^{q+1}) = -(q+1)$. From Equations (11.4) to (11.6)
and Proposition 5.32 it follows that $[L_{i+1} : L_i] = q$ and that $P$ is totally ramified in
$L_{i+1}/L_i$. Let $P' \in \mathrm{Div}(L_{i+1})$ denote the prime divisor lying over $P$. Then

$$v_{P'}(z_{i+1}^q + z_{i+1}) = v_{P'}(f_i^{q+1}) = -q(q+1),$$

hence $v_{P'}(z_{i+1}) = -(q+1)$ and, by relations (11.5), (11.6),

$$v_{P'}(f_{i+1}) = v_{P'}(z_{i+1}) - v_{P'}(f_i) = -(q+1) - (-q) = -1.$$

This completes the proof.
As $x$ has a simple pole in $L_0 = k(x)$, we obtain by induction the following
result:
Lemma 11.20. For all $i \geq 1$, the field $k = F_{q^2}$ is algebraically closed in $L_i$, and
the degree of the extension $L_i/L_0$ is $[L_i : L_0] = q^i$.
The following lemma is an immediate consequence of Proposition 5.33.
Lemma 11.21. For all $i \geq 0$, there is a unique prime divisor $Q_i \in \mathrm{Div}(L_i)$ which is
a common zero of the functions $x, z_1, \ldots, z_i$. Its degree is $\deg Q_i = 1$. For $0 \leq \mu \leq i$,
the divisor $Q_i$ is also a zero of $f_\mu$, and we have $v_{Q_i}(f_\mu) = q^\mu$. In the extension
$L_{i+1}/L_i$, the divisor $Q_i$ splits into $q$ prime divisors of $L_{i+1}$ of degree one (one of
them being $Q_{i+1}$).
Our purpose is to calculate the genus of $X_i$ for $i \geq 0$ using the Hurwitz genus
formula. Hence we must determine precisely all prime divisors $P \in \mathrm{Div}(L_i)$ that
ramify in $L_{i+1}/L_i$. For a prime divisor $P \in \mathrm{Div}(L_i)$ and $0 \leq \mu \leq i$, the restriction
of $P$ to $L_\mu$ will be denoted by $P \cap L_\mu$. We introduce the following sets of prime
divisors:
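(i) For $i \geq 1$, let

$$S_0^{(i)} = \{P \in \mathrm{Div}(L_i) \mid P \cap L_{i-1} = Q_{i-1} \text{ and } P \neq Q_i\}.$$

(ii) For $1 \leq \tau \leq \lfloor (i-2)/2 \rfloor$, let

$$S_\tau^{(i)} = \{P \in \mathrm{Div}(L_i) \mid P \cap L_{i-1} \in S_{\tau-1}^{(i-1)}\}.$$

(iii) If $P_\infty \in \mathrm{Div}(L_0)$ denotes the pole of $x$ in $L_0$, let

$$S^{(0)} = \{P_\infty\} \quad \text{and} \quad S^{(1)} = \{P \in \mathrm{Div}(L_1) \mid P \in S_0^{(1)} \text{ or } P \cap L_0 \in S^{(0)}\};$$

i.e., $S^{(1)}$ contains all prime divisors of $L_1$ which are either a pole of $x$ or a
common zero of $x$ and $z_1 - \alpha$, for some $\alpha \in k^*$ satisfying $\alpha^q + \alpha = 0$.

(iv) For $i \geq 2$ and $i \equiv 0 \bmod (2)$ we define

$$S^{(i)} = \{P \in \mathrm{Div}(L_i) \mid P \cap L_{i-1} \in S^{(i-1)}\},$$

and for $i \geq 3$ and $i \equiv 1 \bmod (2)$,

$$S^{(i)} = \{P \in \mathrm{Div}(L_i) \mid P \cap L_{i-1} \in (S^{(i-1)} \cup S_{(i-3)/2}^{(i-1)})\}.$$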

Now we define the (modified) Artin-Schreier operator $\wp : L \to L$ by

$$\wp(h) = h^q + h.$$

To proceed to the critical step of the calculation of the genus $g_i = g(L_i)$ we need
two lemmas.

Lemma 11.22. Let $1 \leq \mu \leq i$, and let $P \in \mathrm{Div}(L_i)$ be a prime divisor of $L_i$ lying
over $Q_\mu$ (i.e., $P$ is a common zero of $x, z_1, \ldots, z_\mu$). Then (in the notation of Section
5.4), we have at $P$:

$$f_\mu = f_{\mu-1}^q \left(1 - f_{\mu-1}^{(q-1)(q+1)} + E\big(f_{\mu-1}^{(q^2-1)(q+1)}\big)\right)$$

and

Proof: The equation

yields

$$z_\mu = f_{\mu-1}^{q+1} - z_\mu^q = f_{\mu-1}^{q+1} - \big(f_{\mu-1}^{q+1} - z_\mu^q\big)^q = f_{\mu-1}^{q+1} \left(1 - f_{\mu-1}^{(q-1)(q+1)} + E\big(f_{\mu-1}^{(q^2-1)(q+1)}\big)\right).$$

As $f_\mu = z_\mu/f_{\mu-1}$, this gives the first assertion. Now we set $g = f_{\mu-1}^{q+1}$ and obtain

$$f_\mu^{-1} = f_{\mu-1} z_\mu^{-1} = f_{\mu-1}^{-q} \left(1 - g^{q-1} + E(g^q)\right)^{-1} = f_{\mu-1}^{-q} \left(1 + g^{q-1} + E(g^q)\right),$$

hence

$$f_\mu^{-(q+1)} = g^{-q} \left(1 + g^{q-1} + E(g^q)\right)^{q+1} = g^{-q} \left(1 + g^{q-1} + E(g^q)\right) = \wp(g^{-1}) + E(1).$$

This finishes the proof.



Lemma 11.23. Let $0 \leq \tau \leq \lfloor (i-2)/2 \rfloor$ and $P \in S_\tau^{(i)}$. Then, we have at $P$

$$f_i^{q+1} = \gamma f_{i-2\tau-1}^{-(q+1)} + E(1),$$

for some element $\gamma \in F_q^*$.

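Proof: (By induction on $\tau$.) Suppose first that $\tau = 0$. A prime divisor $P \in S_0^{(i)}$
is the common zero of $x, z_1, \ldots, z_{i-1}$ and $z_i - \alpha$, with an element $\alpha \in k^*$ satisfying
$\alpha^q + \alpha = 0$. We have $(z_i - \alpha)^q + (z_i - \alpha) = f_{i-1}^{q+1}$, hence

$$z_i - \alpha = f_{i-1}^{q+1} + E\big(f_{i-1}^{q(q+1)}\big).$$

It follows from (11.6) that

$$f_i^{q+1} f_{i-1}^{q+1} = ((z_i - \alpha) + \alpha)^{q+1}$$
$$= \alpha^{q+1} + \alpha^q \left(f_{i-1}^{q+1} + E\big(f_{i-1}^{q(q+1)}\big)\right) + E\big(f_{i-1}^{q(q+1)}\big)$$
$$= \alpha^{q+1} + \alpha^q f_{i-1}^{q+1} + E\big(f_{i-1}^{q(q+1)}\big).$$

We divide by $f_{i-1}^{q+1}$, set $\gamma = \alpha^{q+1}$ and obtain

Observe that $\gamma \in F_q$, since $\alpha \in k$.

Suppose now that $\tau \geq 1$. Then $P$ lies over $Q_{i-\tau-1}$ and $P \cap L_{i-1} \in S_{\tau-1}^{(i-1)}$. By
induction hypothesis,

$$f_{i-1}^{q+1} = \gamma f_{i-2\tau}^{-(q+1)} + E(1), \qquad (11.8)$$

with $0 \neq \gamma \in F_q$. Lemma 11.22 yields

$$f_{i-2\tau}^{-(q+1)} = \wp\big(f_{i-2\tau-1}^{-(q+1)}\big) + E(1),$$

and as $\gamma \in F_q$, this implies

We have $z_i^q + z_i = f_{i-1}^{q+1}$, hence

so that

$$z_i = \gamma f_{i-2\tau-1}^{-(q+1)} + E(1). \qquad (11.9)$$

Since $f_i = z_i/f_{i-1}$, then

$$f_i^{q+1} = \frac{(z_i f_{i-2\tau})^{q+1}}{(f_{i-1} f_{i-2\tau})^{q+1}} = A^{q+1} B^{-1}, \qquad (11.10)$$

with $A = z_i f_{i-2\tau}$ and $B = f_{i-1}^{q+1} f_{i-2\tau}^{q+1}$.

Note that $v_P(f_{i-2\tau}) > 0$ (since $i - 2\tau \leq i - \tau - 1$), and $f_{i-2\tau} = E(f_{i-2\tau-1})$ by
Lemma 11.22. From (11.8), $B = \gamma + E\big(f_{i-2\tau}^{q+1}\big)$, hence

$$B^{-1} = \gamma^{-1} + E\big(f_{i-2\tau}^{q+1}\big) = \gamma^{-1} + E\big(f_{i-2\tau-1}^{q+1}\big). \qquad (11.11)$$

Using (11.9) and Lemma 11.22 with $\mu = i - 2\tau$, we find

$$A = z_i f_{i-2\tau} = \left(\gamma f_{i-2\tau-1}^{-(q+1)} + E(1)\right) f_{i-2\tau-1}^{q} \left(1 + E\big(f_{i-2\tau-1}^{q^2-1}\big)\right) = \gamma f_{i-2\tau-1}^{-1} + E\big(f_{i-2\tau-1}^{q}\big).$$

It follows that

$$A^{q+1} = \gamma^{q+1} f_{i-2\tau-1}^{-(q+1)} + E(1) = \gamma^2 f_{i-2\tau-1}^{-(q+1)} + E(1). \qquad (11.12)$$

Substituting (11.11) and (11.12) into (11.10) we obtain

$$f_i^{q+1} = \gamma f_{i-2\tau-1}^{-(q+1)} + E(1),$$

as desired.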

Proposition 11.24. Let $0 \leq \tau \leq \lfloor (i-2)/2 \rfloor$ and $P \in S_\tau^{(i)}$. Then, the prime divisor $P$ is
unramified in $L_{i+1}/L_i$.

Proof: We consider a prime divisor $P \in S_\tau^{(i)}$, where $0 \leq \tau \leq \lfloor (i-2)/2 \rfloor$. From Lemma
11.23, we have at $P$

$$f_i^{q+1} = \gamma f_{i-2\tau-1}^{-(q+1)} + E(1),$$

with $0 \neq \gamma \in F_q$ and $i - 2\tau - 1 \geq 1$. By Lemma 11.22,

$$f_{i-2\tau-1}^{-(q+1)} = \wp\big(f_{i-2\tau-2}^{-(q+1)}\big) + E(1),$$

hence

$$f_i^{q+1} = \wp\big(\gamma f_{i-2\tau-2}^{-(q+1)}\big) + E(1). \qquad (11.13)$$

Since $L_{i+1} = L_i(z_{i+1})$ and $z_{i+1}^q + z_{i+1} = f_i^{q+1}$, it follows from Proposition 5.33(iii)
that the divisor $P$ is unramified in the field $L_{i+1}$. •

Lemma 11.25. In notations as before:

(i) if $P \in S_\tau^{(i)}$ with $0 \leq \tau \leq \lfloor (i-2)/2 \rfloor$, then $v_P(f_i) = -q^{i-2\tau-1}$;

(ii) for $P \in S^{(i)}$, we have $v_P(f_i) = -1$.

Proof:

(i) The assertion follows from Lemma 11.23, since $v_P(f_{i-2\tau-1}) = q^{i-2\tau-1}$ (see
also Lemma 11.21) and Proposition 11.24.

(ii) (By induction on $i$.) The assertion is obvious for $i \leq 1$. Suppose now that
$i \geq 2$. If $i \equiv 0 \bmod (2)$, then $P \cap L_{i-1} \in S^{(i-1)}$ and, from the induction
assumption, the prime divisor $P \cap L_{i-1}$ is a simple pole of $f_{i-1}$. By Lemma
11.19, the divisor $P$ is then a simple pole of $f_i$.

The same argument applies when $i \equiv 1 \bmod (2)$ and $P \cap L_{i-1} \in S^{(i-1)}$. It
remains to consider the case $i \geq 3$, $i \equiv 1 \bmod (2)$ and

$$P_0 = (P \cap L_{i-1}) \in S_{(i-3)/2}^{(i-1)}.$$

From (i) we know that $v_{P_0}(f_{i-1}) = -q$. Since $z_i^q + z_i = f_{i-1}^{q+1}$ and $P/P_0$ is
unramified, by Proposition 11.24, we conclude that

$$q\,v_P(z_i) = (q+1)\,v_P(f_{i-1}) = -q(q+1),$$

hence $v_P(z_i) = -(q+1)$. It follows that

$$v_P(f_i) = v_P(z_i) - v_P(f_{i-1}) = -(q+1) - (-q) = -1.$$

This proves the lemma.
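In the next lemma, we denote by

$$(f_i)^{(i)} = \sum_{P \in \mathrm{Div}(L_i)} v_P(f_i) \cdot P$$

the principal divisor of $f_i$ in the field $L_i$.

Lemma 11.26.

$$(f_i)^{(i)} = q^i Q_i - \sum_{\tau=0}^{\lfloor (i-2)/2 \rfloor} q^{i-2\tau-1} D_\tau^{(i)} - D^{(i)},$$

where

$$D_\tau^{(i)} = \sum_{P \in S_\tau^{(i)}} P \quad \text{and} \quad D^{(i)} = \sum_{P \in S^{(i)}} P.$$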

The degree ofD~i) (resp. D(i)) is degD~i) = qi+l (q - 1) (resp. degD(i) = ql ¥ J).

Proof: This is straightforward induction based on the use of Lemma 11.25 and
the equations $z_{i+1}^q + z_{i+1} = f_i^{q+1}$ and $f_{i+1} = z_{i+1}/f_i$. •
By Lemma 11.26, Proposition 5.33 and Proposition 11.24, the prime divisors
of $L_i$ ramified in $L_{i+1}/L_i$ are exactly the divisors $P \in S^{(i)}$, and they are totally
ramified. The different exponent of a prime divisor $P' \in \mathrm{Div}(L_{i+1})$ lying over
$P \in S^{(i)}$ is $d(P'/P) = (q-1)(q+2)$ (see Proposition 5.33(ii)), and the degree
of the divisor $D^{(i)}$ is equal to $q^{\lfloor (i+1)/2 \rfloor}$. Hence, the Hurwitz genus formula (see
Proposition 5.30) gives the following recursion for the genus $g_i = g(L_i)$:

$$2g_{i+1} - 2 = q(2g_i - 2) + q^{\lfloor (i+1)/2 \rfloor}(q-1)(q+2).$$

By induction it then follows:

Theorem 11.27. The genus $g_i = g(L_i)$ is given by

$$g_i = \begin{cases} q^{i+1} + q^i - q^{(i+2)/2} - 2q^{i/2} + 1 & \text{if } i \equiv 0 \bmod (2), \\ q^{i+1} + q^i - \tfrac{1}{2} q^{(i+3)/2} - \tfrac{3}{2} q^{(i+1)/2} - q^{(i-1)/2} + 1 & \text{if } i \equiv 1 \bmod (2). \end{cases}$$

The Prime Divisors of Degree 1

Now we determine the number of the prime divisors of $L_i/F_{q^2}$ of degree one (i.e.,
the number of $F_{q^2}$-rational points of the corresponding curve $X_i$). The following
statements are easily verified:

(i) Let $P \in \mathrm{Div}(L_0)$ be the zero of $x - \alpha$ with $\alpha \in k^*$. Then, the prime divisor
$P$ splits completely in $L_i/L_0$, i.e., there are exactly $q^i$ prime divisors $P'$ over
$P$ in $\mathrm{Div}(L_i)$, all of them having degree one (this follows from Proposition
5.33(iv)).

(ii) The prime divisors $P \in S^{(1)}$ have degree one, and they are totally ramified
in $L_i/L_1$. Hence, over each of these prime divisors there is a unique prime
divisor $P'$ of $L_i$, and this divisor has degree one.

(iii) The prime divisors $P \in S_0^{(i)} \cup \{Q_i\}$ are of degree one.

There are $(q^2 - 1)q^i$ prime divisors of type (i), $q$ prime divisors of type (ii),
and $q$ divisors of type (iii). So, we have:

Theorem 11.28. Let $N_{q^2}(L_i)$ be the number of prime divisors of $L_i/F_{q^2}$ of degree
one. Then, for all $i \geq 2$, we have

Since $N_{q^2}(L_i) = N_{q^2}(X_i)$ and $g_i = g(L_i) = g(X_i)$, from Theorems 11.27 and
11.28 we deduce the following result.
Theorem 11.29. We have

$$\lim_{i \to \infty} \frac{N_{q^2}(X_i)}{g(X_i)} = q - 1,$$

hence

11.6. CODES ON TRACE-NORM CURVES

Explicit examples of asymptotically good towers of function fields are of high
interest for coding theory, since they can be used for the explicit construction of
asymptotically good families of codes. At the same time such examples provide
explicit constructions of sequences $\{X_i\}$ of smooth projective curves over $F_{q^2}$, for
which

$$\lim_{i \to \infty} \frac{N_{q^2}(X_i)}{g(X_i)} > 0.$$

Here we briefly discuss the tower $\mathcal{L} = \{L_i\}$ of function fields on smooth
projective curves $X_i$, given over $k = F_{q^2}$ by equations

$$x_{s+1}^q + x_{s+1} = \frac{x_s^q}{x_s^{q-1} + 1}. \qquad (11.14)$$

This tower was first introduced by Garcia and Stichtenoth [54, 56]. In fact
$\mathcal{L} = \{L_i\}$ is isomorphic to a sub-tower of the tower considered in Section 11.5,
since we can rewrite the equation (11.6) in the form

$$z_{i+1}^q + z_{i+1} = f_i^{q+1} = \frac{z_i^{q+1}}{f_{i-1}^{q+1}} = \frac{z_i^{q+1}}{z_i^q + z_i} = \frac{z_i^q}{z_i^{q-1} + 1}.$$

Equations (11.14) can also be written as

$$\mathrm{tr}(x_{s+1}) = \frac{\mathrm{norm}(x_s)}{\mathrm{tr}(x_s)},$$

and we call $X_i$ the trace-norm curve.

Let

and

$$A^* = A \setminus \{0\} = \{\alpha \in k \mid \alpha^{q-1} = -1\}.$$

First we observe that the field $L = k(X)$, with

has the following nice properties:

(i) $[L : k(y)] = q$;

(ii) the function $y$ has a unique pole $P_\infty$ in $L$, and the prime divisor $P_\infty$ is totally
ramified in $L/k(y)$;

(iii) for any $\alpha \in A$, the function $y - \alpha$ has a unique zero $P_\alpha$ in $L$, and the prime
divisor $P_\alpha$ is totally ramified in $L/k(y)$;

(iv) for any $\gamma \in A$, there is a unique common zero $Q_\gamma$ of $y$ and $z - \gamma$ in $L$;

(v) the principal divisors in $L$ of the functions $y - \alpha$ and $z - \gamma$ are as follows:

$$(y) = \sum_{\gamma \in A} Q_\gamma - qP_\infty,$$
$$(y - \alpha) = qP_\alpha - qP_\infty, \quad \text{for } \alpha \in A^*,$$
$$(z - \gamma) = qQ_\gamma - P_\infty - \sum_{\alpha \in A^*} P_\alpha, \quad \text{for } \gamma \in A;$$

(vi) the prime divisors of $L$ that are ramified over $k(y)$ are exactly the prime
divisors $P_\infty$ and $P_\alpha$, with $\alpha \in A^*$; their different exponents with respect to
the extension $L/k(y)$ are

$$d(P_\infty) = d(P_\alpha) = 2(q-1);$$

(vii) the prime divisors of $L$ that are ramified over $k(z)$ are exactly the prime
divisors $Q_\gamma$, with $\gamma \in A$.

These properties follow immediately from Proposition 5.33.

Now we investigate the tower $\mathcal{L} = \{L_i\}$ over $k$, which is defined by the equation
(11.14). Let $\mathcal{P}(L_i)$ be the set of all prime divisors of $L_i/k$. The tower $\mathcal{L}$ has the
following properties (see [56]):

(i) $[L_i : k(x_s)] = q^{i-1}$, for $s = 1, 2, \ldots, i$;

(ii) if $P \in \mathcal{P}(L_i)$ is a pole of $x_1$ or a zero of $x_1 - \alpha$ for some $\alpha \in A^*$, then $P$ is
a pole of $x_2, x_3, \ldots, x_i$; the prime divisor $P$ is totally ramified in $L_i/L_1$ and it
is unramified in $L_i/k(x_n)$; the different exponent $d(P)$ of $P$ with respect to
$L_i/L_{i-1}$ is given by $d(P) = 2(q-1)$;

(iii) if $P \in \mathcal{P}(L_i)$ is a prime divisor which is neither the pole of $x_1$ nor a zero of
$x_1 - \alpha$, for all $\alpha \in A$, then $P$ is unramified in $L_i/L_1$.

Our aim is to calculate the degree of the different $\mathrm{Diff}(L_i/L_{i-1})$, for all $i \geq 2$.
By the previous properties, it remains to investigate the behavior of the zeros $Q$ of
$x_1$ in $L_i/L_{i-1}$. From the properties of the function field $L = k(X)$, where

one has the following possibilities for such prime divisors $Q \in \mathcal{P}$:
(a) the prime divisor $Q$ is a common zero of the functions $x_1, x_2, \ldots, x_i$;

(b) there is some $r$, $1 \leq r < i$, such that

(b') $Q$ is a common zero of $x_1, x_2, \ldots, x_r$,
(b'') $Q$ is a zero of $x_{r+1} - \alpha$, with $\alpha \in A^*$,
(b''') $Q$ is a common pole of $x_{r+2}, \ldots, x_i$.

In case (a), the prime divisors below $Q$ are unramified in $k(x_s, x_{s+1})/k(x_s)$, for
$s = 1, 2, \ldots, i-1$. This implies that $Q$ is unramified in $L_i/L_{i-1}$.
In case (b), the ramification indices of the prime divisors $Q$ are determined as
follows:

(i) if $i \leq 2r + 1$, then the prime divisor $Q$ is unramified in $L_i/L_{i-1}$;

(ii) for $2r + 1 < i$, the prime divisor $Q$ is totally ramified in $L_i/L_{2r+1}$, and for
$2r \leq s \leq i$, the restriction of $Q$ to $L_s$ is unramified in $L_s/k(x_s)$;
(iii) if $2r + 1 < i$, the different exponent $d(Q)$ of $Q$ in $L_i/L_{i-1}$ is given by
$d(Q) = 2(q-1)$.

For $1 \leq r < (n-1)/2$ and $\alpha \in A^*$, set

$$\mathcal{P}_{r,\alpha} = \{Q \in \mathcal{P} \mid Q \text{ is a zero of } x_{r+1} - \alpha\}$$

and

$$D_{r,\alpha} = \sum_{Q \in \mathcal{P}_{r,\alpha}} Q.$$

Then we have

and

$$\deg \mathrm{Diff}(L_i/L_{i-1}) = 2(q-1)\,q^{\lfloor n/2 \rfloor}.$$

Moreover, any prime divisor $P_\alpha \in \mathcal{P}(L_1)$, which is the zero of $x_1 - \alpha$, for $\alpha \notin A$,
splits completely in all extensions $L_i/L_1$.
Summing up the above properties of the tower $\mathcal{L} = \{L_i\}$ and applying the
Hurwitz genus formula we find that

$$g(L_i) = \begin{cases} (q^{n/2} - 1)^2 & \text{if } i \equiv 0 \bmod (2), \\ (q^{(n-1)/2} - 1)(q^{(n+1)/2} - 1) & \text{if } i \equiv 1 \bmod (2). \end{cases}$$
Since
Nq2(Li) ~ (q _l)qi+l
we obtain the following result:

Theorem 11.30. The tower $\mathcal{L} = \{L_i\}$ attains the Drinfeld-Vladut bound over
$k = F_{q^2}$, so that

EXERCISES

11.1. Let $X$ be a smooth projective curve defined over $F_q$. Write out the relation between
$n = |X(F_q)|$, $\deg D$ and $l(D)$ corresponding to upper bounds for codes given in
Chapter 2 and applied to geometric Goppa codes on $X$.
11.2. Let $n = 2m$. Show that a geometric Goppa $[n, n/2, n/2 + 1]_q$-code $C$ of genus zero is
always quasi-self-dual, and that for an even $q$ there exist self-dual geometric Goppa
codes with these parameters. (Hint: If $g = 0$ then any divisor of even degree is
divisible by 2 and all the divisors of a given degree are equivalent.)
11.3. Check that any elliptic code with $n = 2m$ is formally self-dual.
11.4. Let $N = N_q$ be the number of $F_q$-rational points of an elliptic curve $E$. Prove that:
(a) if $N$ is odd, there exists a quasi-self-dual $[N-1, (N-1)/2, (N-1)/2]_q$-code
on $E$;
(b) if $N$ is even, there exists either a quasi-self-dual $[N, N/2, N/2]_q$-code or a
quasi-self-dual $[N-2, (N-2)/2, (N-2)/2]_q$-code;
(c) if $q$ is even, there exist corresponding self-dual codes.
11.5. Let $E$ be the plane curve over $F_2$ given by the affine equation $v^2 + v = u^3 + u + 1$.
Show that:
(a) the curve $E \subset \mathbb{P}^2$ is absolutely irreducible and non-singular, i.e., $E$ is an elliptic
curve;
(b) $|E(F_2)| = 1$, $|E(F_4)| = 5$, and $|E(F_{16})| = 25$;
(c) $E$ is maximal curve over $F_{2^4}$;
(d) the space $L(m \cdot x_\infty)$, where $x_\infty = (0 : 1 : 0)$, has a basis $\{u^i v^j \mid 2i + 3j \leq m\}$.
Write out the generator matrices of codes $C(D_0, m \cdot x_\infty)$ and $C(D_0, m \cdot x_\infty)$ over $F_4$
and $F_{16}$, respectively, where $\mathrm{Supp}\,D_0 = E(F_4) \setminus \{x_\infty\}$, and $\mathrm{Supp}\,D_0 = E(F_{16}) \setminus \{x_\infty\}$
for $m = 2, 8, 12, 16$. Calculate their spectra.
11.6. Let $E$ be the curve over $F_{5^2}$ given by $v^2 + v = u^3$. Show that $E \subset \mathbb{P}^2$ is a maximal
elliptic curve over $F_{5^2}$. Write out generator matrices of codes $C(D_0, m \cdot x_\infty)$ for
$m = 2, 8, 16$, where $\mathrm{Supp}\,D_0 = E(F_{5^2}) \setminus \{x_\infty\}$.
11.7. Let $E : v^2 + v = u^3 + bu + c$ be an elliptic curve defined over $F_2$. Prove that

for $v^2 + v = u^3 + u + 1$
for $v^2 + v = u^3$ or $u^3 + 1$
for $v^2 + v = u^3 + u$.

Check that the curve $E : v^2 + v = u^3 + u$ is maximal over $F_2$.

11.8. Let $E$ be the curve defined over $F_2$ by $v^2 + v = u^3 + u$. Prove that:
(a) the zeta-function of $E$ is

$$Z(E,t) = \frac{1 + 2t + 2t^2}{(1-t)(1-2t)};$$

(b) the number $N_{2^\nu}$ of $F_{2^\nu}$-rational points on $E$ is given by

$$N_{2^\nu} = \begin{cases} 2^\nu + 1 & \text{if } \nu \equiv 2, 6 \bmod (8), \\ 2^\nu + 1 + 2^{\nu/2+1} & \text{if } \nu \equiv 4 \bmod (8), \\ 2^\nu + 1 - 2^{\nu/2+1} & \text{if } \nu \equiv 0 \bmod (8), \\ 2^\nu + 1 + 2^{(\nu+1)/2} & \text{if } \nu \equiv 1, 7 \bmod (8), \\ 2^\nu + 1 - 2^{(\nu+1)/2} & \text{if } \nu \equiv 3, 5 \bmod (8). \end{cases}$$
Chapter 12

Decoding Geometric Goppa Codes

This chapter concerns the decoding problem for geometric Goppa codes. We
consider various aspects of the problem beginning with results on the existence
of decoding algorithms and ending with ones on the construction of efficient
algorithms which can easily be used in practice. For a detailed treatment of the
complexity of algorithms we refer the reader to Aho, Hopcroft and Ullman [2].

12.1. THE DECODING PROBLEM

Let $C \subseteq F_q^n$ be a linear $[n,k,d]_q$-code. Define $C'$ as $C' = C \cup \{?\}$. A map

$$\mathcal{D} : F_q^n \to C'$$

such that $\mathcal{D}(u) = u$, for all $u \in C$, is called a decoder or a decoding map for the
code $C$. We allow the decoder to give as outcome "?" when it fails to find a
code-vector.
We recall that a minimum distance decoding for a code $C$ is a decoder $\mathcal{D}$ such
that $\mathcal{D}(v) \in C'$ is a nearest code-vector to $v$, for all $v \in F_q^n$. A decoding error of a
decoder occurs when the decoded vector is different from the transmitted vector.
A maximum likelihood decoding minimizes the probability of a decoding error.
Minimum distance decoding is equivalent to maximum likelihood decoding for
a $q$-ary symmetric channel (in which the probability that a symbol is changed to
another one is the same for all symbols in the alphabet and does not depend on the
position in the transmitting vector).

Now we discuss two essentially different decoding methods for a linear
$[n,k,d]_q$-code $C$. Let

$$H = (a_{ij})_{1 \leq i \leq n-k,\ 1 \leq j \leq n}$$

be a parity-check matrix for the code $C$, so

$$C = \{u \in F_q^n \mid H \cdot u^T = 0\}.$$

For a received vector $v = (v_1, \ldots, v_n) \in F_q^n$ and the parity-check matrix $H$ for $C$,
the syndromes are defined as

$$s_i(v) = \sum_{j=1}^{n} a_{ij} v_j, \qquad 1 \leq i \leq n.$$

We can extend the matrix $H$ to an $n \times n$ matrix $H'$ such that the rows

$1 \leq i \leq n$,

of $H'$ form a basis of the space $F_q^n$ and the first $n - k$ rows are from $H$. Let
$e = v - \mathcal{D}(v) = (e_1, \ldots, e_n) \in F_q^n$ be the error-vector. The $n$ syndromes

$$s_i(e) = \sum_{j=1}^{n} a_{ij} e_j, \qquad 1 \leq i \leq n,$$

determine the error-vector uniquely, but only the first $n - k$ syndromes are known,
since $s_i(e) = s_i(v)$, for $i = 1, 2, \ldots, n-k$. The remaining syndromes are called
unknown syndromes. Later we will show that the unknown syndromes can be
obtained recursively from known syndromes $s_i(e) = s_i(v)$, $1 \leq i \leq n-k$, by a
majority vote.
The set of all vectors with the same syndrome as $v = (v_1, \ldots, v_n)$ is the coset
$v + C$. If $v'$ is a coset leader of $v + C$ (an element of $v + C$ of minimal weight),
a simple minimum distance decoding consists of an exhaustive search for a coset
leader. Alternatively, we can produce a list of all coset leaders. It is clear that
both these decoding procedures have exponential complexity as a function of $n$,
since either one has to search among $q^{Rn}$ elements of the coset $v + C$ to find one
of minimal weight, or one has to store $q^{(1-R)n}$ coset leaders.
Now we briefly describe the decoding problem for linear codes. Let $A$ be an
algorithm which has as input a pair $(C,v)$, where $C$ is a linear $[n,k,d]_q$-code and
$v$ is a vector of the same length $n$. Then $A_C$ is the restriction of the algorithm $A$
to $C$, if $A_C$ has as input a vector $v = (v_1, \ldots, v_n)$ and as output $A(C,v)$ computed
by $A$. Consider the following problem: Find an algorithm $A$ which has as input
$(C,v)$, where $C$ is a linear $[n,k,d]_q$-code and $v = (v_1, \ldots, v_n)$ a received vector,
and as output a vector $A(C,v)$ in $C'$ such that $A_C$ is a minimum distance decoder
for $C$. This problem is NP-hard, and it can be divided into two parts. First, for
an appropriate code $C$ the preprocessing part provides a decoder $A_C$. Second,
the algorithm $A_C$ should work very fast. Thus, the decoding problem can be
formulated as the problem of minimum distance decoding with preprocessing.
All the known decoding algorithms which have polynomial complexity decode
only up to some bound depending on the code (for example, up to half the designed
minimum distance). We say that a decoder $\mathcal{D}$
corrects $t$ errors if $\mathcal{D}(v) \in C$ is a nearest code-vector for all $v \in F_q^n$ such that
$d(v,C) \leq t$. A decoder $\mathcal{D}$ for a linear $[n,k,d]_q$-code $C$ decodes up to half the
minimum distance if $\mathcal{D}(v)$ is the nearest code-vector for all $v \in F_q^n$ such that
$d(v,C) \leq (d-1)/2$. All decoding algorithms for geometric Goppa codes, which
will be considered later, decode up to half the designed minimum distance and
have complexity at most $O(n^3)$ for $n \to \infty$. Whether this is the case for all linear
codes can be posed as the following mass problem (see Barg [10]).
Problem 1. Is there an algorithm $A$ which has as input $(C,v)$, where $C$ is a linear
$[n,k,d]_q$-code and $v = (v_1, \ldots, v_n) \in F_q^n$ is a vector of the same length $n$, and has
as output a vector $A(C,v)$ in $C'$ such that the restriction $A_C$ of $A$ to $C$ is a decoder
for $C$ which decodes up to half the minimum distance, and the complexity of the
algorithm $A_C$ is polynomial as a function of $n$ and is independent of $C$?
We complete the discussion of the decoding problem by demonstrating a well-
known fact that errors can be corrected if we have enough information about the
error-positions.

Proposition 12.1. Let $C$ be a linear $[n,k,d]_q$-code with parity-check matrix $H$,
let $v = (v_1, \ldots, v_n)$ be a received vector with error-vector $e = (e_1, \ldots, e_n)$, and
suppose that we know a set $J$ of cardinality at most $d - 1$, which contains the set
of error-positions. Then the error-vector $e = (e_1, \ldots, e_n)$ is the unique solution of
the following system of linear equations:

$$H \cdot z^T = H \cdot v^T \quad \text{and} \quad z_j = 0, \ \text{for all } j \notin J.$$

Proof: Clearly, the error-vector is a solution. Now, if $z = e'$ is another solution,
then $H \cdot (e' - e) = 0$ and hence $e' - e \in C$. On the other hand, we have $\|e' - e\| \leq
d - 1$. This implies $e' - e = 0$, so $e' = e$. •
Thus we have shown that we can reduce error-correcting to the problem of
finding the error-positions. To decode all received vectors with $t$ errors, we have to
consider $\binom{n}{t}$ possible $t$-sets for error positions. This number grows exponentially
with $n$ when $t/n$ tends to a positive real number. Proposition 12.1 shows us that
it is enough to find an $(n, d-1, t)$-covering system (a collection $\mathcal{J}$ of subsets
$J \subset \{1, 2, \ldots, n\}$ such that $|J| = d - 1$ and every subset of $\{1, 2, \ldots, n\}$ of size $t$ is
contained in at least one $J \in \mathcal{J}$). The size of such a covering set is considerably
smaller than the number of $t$-sets, but is at least

This number still grows exponentially with $n$.

12.2. THE BASIC AND MODIFIED ALGORITHMS

For a code to have practical use, it is essential that it possess an effective
decoding algorithm. We present a generalization of the decoding algorithm for
Reed-Solomon codes in the case of an arbitrary geometric Goppa code (see
Justesen, Larsen, Jensen, Havemose, Høholdt [87], Skorobogatov, Vladut [180] and
Tsfasman, Vladut [208, 209]).

The Basic Algorithm


Consider an $[n,k^*,d^*]_q$-code $C^* = C^*(D_0,D)$ with $D_0 = x_1 + \cdots + x_n$, $\mathrm{Supp}\,D_0 \cap
\mathrm{Supp}\,D = \emptyset$, and $2g - 2 < \deg D \leq n + g - 1$. Then the designed parameters of $C^*$
are

$$k_{C^*} = n - \deg D + g - 1$$

and

$$d_{C^*} = \deg D - 2g + 2.$$

For a vector $v = (v_1, \ldots, v_n) \in F_q^n$ and a function $f \in L(D)$ we define the
syndrome

$$s(v,f) = \sum_{i=1}^{n} v_i f(x_i),$$

and observe that the function $s(v,f)$ is bilinear. Moreover, if $v = u + e$, where
$u = (u_1, \ldots, u_n) \in C^*$ and $e = (e_1, \ldots, e_n)$ is the error-vector, then

$$s(v,f) = \sum_{i \in I} e_i f(x_i),$$

$I = \{i \mid e_i \neq 0\}$ being the set of error-locators.

Let $|I| \leq t$ and let $D'$ be an auxiliary $F_q$-rational divisor such that $\mathrm{Supp}\,D_0 \cap
\mathrm{Supp}\,D' = \emptyset$. Specify bases $\{f_1, \ldots, f_l\}$ of $L(D)$, $\{g_1, \ldots, g_m\}$ of $L(D')$, and
$\{h_1, \ldots, h_r\}$ of $L(D - D')$. Clearly, $g_\mu h_\rho \in L(D)$ for $1 \leq \mu \leq m$, $1 \leq \rho \leq r$, and
the parity-check matrix of the code $C^*$ is given by $(f_\lambda(x_i))$. Define elements $s_{\mu\rho}$
as

$$s_{\mu\rho} = s_{\mu\rho}(v) = s(v, g_\mu h_\rho), \qquad 1 \leq \mu \leq m, \quad 1 \leq \rho \leq r,$$

and note that the following system of linear equations plays the crucial role for
decoding of the code $C^*$:

$$\sum_{\mu=1}^{m} s_{\mu\rho} z_\mu = 0, \qquad 1 \leq \rho \leq r. \qquad (12.1)$$

Proposition 12.2. If $l(D') > t$ then the system (12.1) has a non-trivial solution in
elements $z_i \in F_q$. Moreover, if

$$\deg D > \deg D' + 2g - 2 + t$$

then for any solution $z = (z_1, \ldots, z_m) \in F_q^m$ of the system, the function

$$g_z = \sum_{\mu=1}^{m} z_\mu g_\mu$$

vanishes at all points $x_i$ with $i \in I$.

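Proof: As $l(D') > t$, we have

$$l\Big(D' - \sum_{i \in I} x_i\Big) \geq l(D') - t > 0.$$

Choose $0 \neq g' \in L(D' - \sum_{i \in I} x_i)$ and write

$$g' = \sum_{\mu=1}^{m} z'_\mu g_\mu.$$

Then $g' h_\rho \in L(D)$ for $1 \leq \rho \leq r$, and we obtain

$$s(v, g' h_\rho) = \sum_{\mu=1}^{m} s(v, g_\mu h_\rho) z'_\mu = \sum_{\mu=1}^{m} s_{\mu\rho} z'_\mu.$$

On the other hand, since $u \in C^*$ and $g' h_\rho \in L(D)$ then $s(u, g' h_\rho) = 0$, and since
$e_i = 0$ for $i \notin I$ and $g'(x_i) = 0$ for $i \in I$ (because $g' \in L(D' - \sum_{i \in I} x_i)$) then

$$s(v, g' h_\rho) = s(u + e, g' h_\rho) = s(e, g' h_\rho) = \sum_{i \in I} e_i g'(x_i) h_\rho(x_i) = 0.$$

This shows that $z' = (z'_1, \ldots, z'_m)$ is a solution of (12.1).

Now we take an arbitrary solution $z = (z_1, \ldots, z_m)$ of the system (12.1) and set

$$g_z = \sum_{\mu=1}^{m} z_\mu g_\mu.$$

Suppose there is an error-locator $i_0 \in I$ such that $g_z(x_{i_0}) \neq 0$. We have

$$\deg\Big(D - D' - \sum_{i \in I} x_i\Big) \geq \deg D - \deg D' - t > 2g - 2$$

and hence

$$L\Big(D - D' - \sum_{i \in I} x_i\Big) \subset L\Big(D - D' - \sum_{i \in I \setminus \{i_0\}} x_i\Big).$$

So we find an element $h \in L(D - D')$ with $h(x_{i_0}) \neq 0$ and $h(x_i) = 0$ for all
$i \in I \setminus \{i_0\}$. As a result we obtain

$$s(v, g_z h) = s(e, g_z h) = \sum_{i \in I} e_i g_z(x_i) h(x_i) = e_{i_0} g_z(x_{i_0}) h(x_{i_0}) \neq 0. \qquad (12.2)$$

However, $h$ is a linear combination of $h_1, \ldots, h_r$, say

$$h = \sum_{\rho=1}^{r} y_\rho h_\rho,$$

and hence

$$s(v, g_z h) = \sum_{\mu=1}^{m} z_\mu \sum_{\rho=1}^{r} y_\rho\, s(v, g_\mu h_\rho) = \sum_{\rho=1}^{r} y_\rho \sum_{\mu=1}^{m} s_{\mu\rho} z_\mu = 0,$$

since $z = (z_1, \ldots, z_m)$ is a solution of (12.1). This contradicts (12.2). •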


The above properties of the divisor $D'$ are sufficient to find a function $g_z$
vanishing at all points $x_i \in \mathrm{Supp}\,D_0$ with $i \in I$. Denote the set of points $x_i \in \mathrm{Supp}\,D_0$
such that $g_z(x_i) = 0$ by $I(g_z)$; we have just proved that $I(g_z) \supseteq I$.
In order to determine coordinates $e_i$ of the error-vector $e$, we consider another
system of linear equations:

$$\sum_{i \in I(g_z)} f_\lambda(x_i) w_i = s(v, f_\lambda), \qquad 1 \leq \lambda \leq l. \qquad (12.3)$$

The error-vector $e = (e_1, \ldots, e_n)$ is a solution of this system, since $s(v, f_\lambda) =
s(e, f_\lambda)$.

Proposition 12.3. If

$$\deg D > \deg D' + 2g - 2$$

then the system (12.3) has at most one solution.

Proof: Suppose that $w$ and $w'$ are two different solutions of (12.3). Then $w - w'$
is a solution of

$$\sum_{i \in I(g_z)} f_\lambda(x_i) u_i = 0, \qquad 1 \leq \lambda \leq l,$$

i.e., the vector $u = (u_1, \ldots, u_n)$ with $u_i = w_i - w'_i$ for $i \in I(g_z)$ and $u_i = 0$ for
$i \notin I(g_z)$ is a non-zero code-vector. Since $g_z \in L(D')$ the weight of $u$ can be
estimated as follows:

$$\|u\| \leq |I(g_z)| \leq \deg D' < \deg D - 2g + 2 = d_{C^*} \leq d^*.$$

But the weight of a non-zero code-vector cannot be less than the minimum distance
$d^*$, and we arrive at a contradiction. •

Decoding Algorithm A(D')

Given an element $v \in F_q^n$:

(1) Find a basis $\{f_1, \ldots, f_l\}$ of $L(D)$, a basis $\{g_1, \ldots, g_m\}$ of $L(D')$ and a basis
$\{h_1, \ldots, h_r\}$ of $L(D - D')$.

(2) Calculate syndromes $s(v, g_\mu h_\rho)$ and $s(v, f_\lambda)$.

(3) Find a solution $z = (z_1, \ldots, z_m)$ of the linear system (12.1).

(4) Set

$$g_z = \sum_{\mu=1}^{m} z_\mu g_\mu$$

and determine $I(g_z) = \{i \mid 1 \leq i \leq n \text{ and } g_z(x_i) = 0\}$.

(5) If the system (12.3) has a unique solution $(e_i)_{i \in I(g_z)}$, we set $e = (e_1, \ldots, e_n)$
with $e_i = 0$ for $i \notin I(g_z)$ (if the system is not uniquely solvable, we cannot
decode $v$).

(6) Calculate the syndromes $s(v - e, f_\lambda)$ and check whether $u = v - e$ is an
element of $C^* = C^*(D_0,D)$ and whether $\|e\| \leq t$ (if the answer is yes, we
decode $v$ to the code-word $u$; if the answer is no, we cannot decode $v$).
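
The algorithm A(D') above, together with the known-positions solve of Proposition 12.1 that its step (5) relies on, worked in the simplest case of genus g = 0 (an added example, not code from the book). Assumptions chosen for illustration: the prime field F_13, the points x_i = 1, ..., 10 of the projective line, D = 5·P∞ and D' = 3·P∞, so that L(D), L(D') and L(D - D') have monomial bases and t = 3 errors are corrected.

```python
# Added example (not from the book): basic algorithm A(D') on the projective line, g = 0.
P = 13                    # assumed prime field F_13
XS = list(range(1, 11))   # assumed points x_1..x_10 (affine, so P_inf is not in Supp D_0)
A_DEG = 5                 # D  = 5*P_inf, L(D)  = <1, X, ..., X^5>, designed distance 7
T = 3                     # D' = 3*P_inf, L(D') = <1, X, X^2, X^3>, l(D') = 4 > t


def rref(rows, p):
    """Row-reduce a matrix over F_p; return (reduced rows, pivot columns)."""
    m = [[x % p for x in row] for row in rows]
    pivots, r = [], 0
    for c in range(len(m[0])):
        pr = next((i for i in range(r, len(m)) if m[i][c]), None)
        if pr is None:
            continue
        m[r], m[pr] = m[pr], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [x * inv % p for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m, pivots


def syndrome(v, k, xs=XS, p=P):
    """s(v, f) = sum_i v_i f(x_i) for the basis function f = X^k."""
    return sum(vi * pow(x, k, p) for vi, x in zip(v, xs)) % p


def codeword(msg, xs=XS, a=A_DEG, p=P):
    """Element of C*: put msg on the free coordinates and solve H u^T = 0 for the rest."""
    m, piv = rref([[pow(x, lam, p) for x in xs] for lam in range(a + 1)], p)
    free = [c for c in range(len(xs)) if c not in piv]
    u = [0] * len(xs)
    for c, s in zip(free, msg):
        u[c] = s % p
    for r, c in enumerate(piv):
        u[c] = -sum(m[r][f] * u[f] for f in free) % p
    return u


def locator(v, xs=XS, a=A_DEG, t=T, p=P):
    """Non-trivial z with sum_mu s(v, g_mu h_rho) z_mu = 0 for every rho (system 12.1)."""
    rows = [[syndrome(v, mu + rho, xs, p) for mu in range(t + 1)]
            for rho in range(a - t + 1)]
    m, piv = rref(rows, p)
    free = next((c for c in range(t + 1) if c not in piv), None)
    if free is None:          # only the trivial solution: more than t errors occurred
        return None
    z = [0] * (t + 1)
    z[free] = 1
    for r, c in enumerate(piv):
        z[c] = -m[r][free] % p
    return z


def decode(v, xs=XS, a=A_DEG, t=T, p=P):
    """Steps (2)-(6) of A(D'); returns (codeword, error) or None when v is not decodable."""
    z = locator(v, xs, a, t, p)
    if z is None:
        return None
    # I(g_z): zeros of g_z = sum_mu z_mu X^mu among the x_i; contains every error position
    cand = [i for i, x in enumerate(xs)
            if sum(zm * pow(x, mu, p) for mu, zm in enumerate(z)) % p == 0]
    # System (12.3), i.e. Proposition 12.1 with J = I(g_z): unknowns only on cand
    aug = [[pow(xs[i], lam, p) for i in cand] + [syndrome(v, lam, xs, p)]
           for lam in range(a + 1)]
    m, piv = rref(aug, p)
    if len(cand) in piv or len(piv) != len(cand):   # inconsistent, or not unique
        return None
    e = [0] * len(xs)
    for r, c in enumerate(piv):
        e[cand[c]] = m[r][-1]
    u = [(vi - ei) % p for vi, ei in zip(v, e)]
    if sum(1 for x in e if x) > t or any(syndrome(u, lam, xs, p) for lam in range(a + 1)):
        return None
    return u, e
```

With g = 0 the bound ⌊(d_{C*} - g - 1)/2⌋ coincides with ⌊(d_{C*} - 1)/2⌋ = 3, so in this case the basic algorithm already decodes up to half the designed distance.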

Theorem 12.4. Let $C^* = C^*(D_0,D)$ and $2g - 2 < \deg D \leq n + g - 1$. If for a
positive $t$ there exists a divisor $D'$ such that $\mathrm{Supp}\,D_0 \cap \mathrm{Supp}\,D' = \emptyset$ and

$$l(D') > t,$$
$$\deg D > \deg D' + 2g - 2 + t,$$

then

(i) the algorithm corrects all errors of weight $\leq t$;

(ii) one can choose the divisor $D'$ in such a way that the algorithm corrects all
errors of weight

$$\|e\| \leq (d_{C^*} - g - 1)/2.$$

Proof: The assertion (i) is obvious from Proposition 12.2 and Proposition 12.3.
To prove (ii) we assume that $t \leq (d_{C^*} - g - 1)/2$, and choose a divisor $D'$ such
that $\deg D' = g + t$ and $\mathrm{Supp}\,D_0 \cap \mathrm{Supp}\,D' = \emptyset$. By the Riemann-Roch theorem,

$$l(D') \geq \deg D' - g + 1 = t + 1 > t.$$

The assumption $t \leq (d_{C^*} - g - 1)/2$ implies

$$\deg D - (2g - 2) - t - \deg D' = d_{C^*} - 2t - g > 0,$$

and hence

$$\deg D > \deg D' + 2g - 2 + t.$$

This completes the proof.
To use the basic algorithm we must know $D'$ explicitly. The degree of $D'$ has
to satisfy the following two inequalities:

$$\deg D' \geq g + t \quad \text{and} \quad \deg D' < \deg D - 2g - t + 2,$$

which contradict each other when $t$ is large enough. The largest possible value for
$t$ which satisfies both the inequalities is

Let $t = \lfloor (d_{C^*} - g - 1)/2 \rfloor$, and take a divisor $D'$ of degree $g + t$ with support disjoint
from $D_0$. One can easily show that such a divisor always exists. If we insert the
construction of such a divisor $D'$ and bases for $L(D)$, $L(D')$ and $L(D - D')$ in the
preprocessing part, the complexity of the basic algorithm is at most $O(n^3)$.

The assumptions of Theorem 12.4 can be weakened as follows. Let $v =
(v_1, \ldots, v_n)$ be a received vector, and

$$L(v,D') = \Big\{g \in L(D') \ \Big|\ \sum_i v_i\,(gh)(x_i) = 0 \ \text{for all } h \in L(D - D')\Big\}.$$

Next, let $E$ be the divisor of error-positions defined by

and let $L(D' - E)$ be the space of error-locator functions in $L(D')$, that is, the
space of rational functions $g' \in L(D')$ which vanish at all points $x_i \in \mathrm{Supp}\,E$.
Since $L(v,D')$ contains all the error-locator functions of $L(D')$, we have

$$L(D' - E) \subseteq L(v,D').$$

The linear space $L(v,D')$ can be determined as soon as we know the received vector
$v$. Moreover, if $L(D' - E) = L(v,D')$, we can find a non-zero rational function
$g'$ which vanishes at all error-positions. In that case, Proposition 12.1 allows one
now to find the corresponding error-vector $e$. In this way one can easily remove
the condition $\mathrm{Supp}\,D_0 \cap \mathrm{Supp}\,D' = \emptyset$, and we obtain the following version of the
basic algorithm (see Duursma [31, 33] and Ehrhard [35]):

Proposition 12.5. Let $H$ be a parity-check matrix of the code $C^* = C^*(D_0, D)$.
Let $v$ be a received vector, $e$ the corresponding error-vector, $E$ the divisor of
error-positions and $D'$ an arbitrary divisor.

(i) If $\Omega(D' - D + E) = 0$, then $L(v, D') = L(D' - E)$, so all elements of the
space $L(v, D')$ are error-locator functions. Moreover, if $L(D' - E) \neq 0$,
there exists a non-zero element of $L(v, D')$.

(ii) If $\Omega(D' - D + E) = 0$, $L(D' - E) \neq 0$ and $g'$ is a non-zero element of
$L(v, D')$ with the set of zero-positions $J = \{\, j \mid g'(x_j) = 0 \,\}$, then the system
of equations

$$H \cdot z^T = H \cdot v^T \quad \text{and} \quad z_j = 0 \ \text{for all } j \notin J$$

has the unique solution $z = e$.
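
The two steps of Proposition 12.5 can be run by hand in the simplest case, the projective line ($g = 0$) with $D = m \cdot x_\infty$ and $D' = t \cdot x_\infty$, where $L(D)$ is the space of polynomials of degree at most $m$. The Python code below is an example added here and is not taken from the book; the field $F_{13}$, the points, the message and all function names are assumptions of the example.

```python
P = 13                      # assumed prime field F_13: all arithmetic is mod P
XS = list(range(1, P))      # constructed points x_1..x_n of Supp D_0 (n = 12)
M = 5                       # D = M * x_inf, L(D) = polynomials of degree <= M
T = 3                       # D' = T * x_inf; T = floor((d* - g - 1)/2), d* = M + 2, g = 0

def rref(rows, ncols):
    """Row-reduce over F_P on the first ncols columns; return (rows, pivot columns)."""
    rows = [r[:] for r in rows]
    pivots = []
    for c in range(ncols):
        r = len(pivots)
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        s = pow(rows[r][c], P - 2, P)               # inverse of the pivot
        rows[r] = [x * s % P for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    return rows, pivots

def nullspace(rows, ncols):
    """Basis of the solutions x of rows * x = 0 over F_P."""
    red, piv = rref(rows, ncols)
    basis = []
    for f in range(ncols):
        if f in piv:
            continue
        vec = [0] * ncols
        vec[f] = 1
        for k, c in enumerate(piv):
            vec[c] = -red[k][f] % P
        basis.append(vec)
    return basis

def evaluate(coeffs, x):
    return sum(c * pow(x, a, P) for a, c in enumerate(coeffs)) % P

# Parity-check matrix of C*(D_0, D): row a holds the values of x^a at the points.
H = [[pow(x, a, P) for x in XS] for a in range(M + 1)]

def syndromes(v):
    return [sum(h * vi for h, vi in zip(row, v)) % P for row in H]

def basic_algorithm(v):
    """Return the decoded codeword, or None on decoding failure."""
    syn = syndromes(v)
    # L(v, D'): g = sum_a c_a x^a in L(D') with sum_i v_i g(x_i) h(x_i) = 0 for
    # every h = x^b in L(D - D'), b = 0..M-T.  Entry (b, a) is the syndrome s_{a+b}.
    S = [[syn[a + b] for a in range(T + 1)] for b in range(M - T + 1)]
    kernel = nullspace(S, T + 1)
    if not kernel:
        return None
    g = kernel[0]                                   # non-zero element g' of L(v, D')
    J = [j for j, x in enumerate(XS) if evaluate(g, x) == 0]   # zero-positions of g'
    # Proposition 12.5 (ii): solve H z^T = H v^T with z_j = 0 for j not in J.
    aug = [[H[a][j] for j in J] + [syn[a]] for a in range(M + 1)]
    red, piv = rref(aug, len(J))
    if len(piv) < len(J) or any(row[-1] for row in red[len(piv):]):
        return None                                 # no unique solution: failure
    z = [0] * len(XS)
    for k, c in enumerate(piv):
        z[J[c]] = red[k][-1]
    return [(vi - zi) % P for vi, zi in zip(v, z)]

def codeword(message):
    """A word of C* built from a constructed message of length n - (M + 1) = 6."""
    basis = nullspace(H, len(XS))
    return [sum(m * b[i] for m, b in zip(message, basis)) % P
            for i in range(len(XS))]

def add_errors(word, errors):
    """errors maps a position to a non-zero error value."""
    return [(w + errors.get(i, 0)) % P for i, w in enumerate(word)]

if __name__ == "__main__":
    c = codeword([1, 2, 3, 4, 5, 6])
    v = add_errors(c, {0: 7, 4: 1, 9: 12})          # constructed error of weight 3
    print(basic_algorithm(v) == c)
```

With four errors the space $L(v, D')$ is still non-zero, but its elements need not be error-locator functions, so the result is a failure or a different codeword.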

One deficiency of the basic algorithm is that it corrects only errors of weight
$\leq (d_{C^*} - g - 1)/2$, but not all errors of weight $\leq (d_{C^*} - 1)/2$. The following
heuristic argument shows that the basic algorithm corrects $\lfloor (d_{C^*} - 1)/2 \rfloor$ errors
most of the time. Indeed, let $E$ be the divisor of error-positions, and let $L(D' - E)$
be the space of error-locator functions. If $t = \lfloor (d_{C^*} - 1)/2 \rfloor$, and $\deg D' \geq g + t$,
then $L(D' - E) \neq 0$ for all divisors of $t$ error-positions. The set of divisors $E$
of degree $t$ such that $\Omega(D' - D + E) \neq 0$ defines a hypersurface in the variety
of all effective divisors of degree $t$. If this hypersurface is irreducible, then the
percentage of error patterns of weight $t$, where the basic algorithm fails, is roughly
$1/q$.
It may be the case that $\Omega(D' - D + E) \neq 0$, but we still have $L(v, D') =
L(D' - E)$. The following result is more precise than the previous proposition (see
Duursma [33]).

Proposition 12.6. Let $D'$ be a divisor with support which is disjoint from the
support of $D_0$, and let $v$ be a received vector with the error-vector $e$. Then

$$L(D' - E) = L(v, D')$$

if and only if

$$e * C(E, D') \cap C^*(E, D - D') = 0.$$

The basic algorithm can be improved in several ways. The first way is based
on the use of a divisor $D$ such that $\deg D > \deg D_0 = n$. We define the gonality of
a smooth projective curve $X$ as the smallest degree of a non-constant morphism
$\phi : X \to P^1$, or equivalently, as the smallest degree of a divisor $D \in \operatorname{Div}(X)$
such that $l(D) > 1$. The minimum distance of codes $C = C(D_0, D)$ such that $D$
is abundant, that is, equivalent to a divisor of the form $D_0 + A$, where $A$ is an
effective divisor of degree $a$, is at least $m - a$, where $m$ is the gonality of the
curve. If the curve has at least $n + 2$ points over $F_q$, then abundant divisors can be
used to show that there exists a divisor $D'$ such that the basic algorithm corrects
$\lfloor (d_{C^*} - g - 1 + m)/2 \rfloor$ errors (see Pellikaan [140]).
Another way to improve the basic algorithm is to use special divisors. We
recall that the basic algorithm depends on the choice of the divisor $D'$. So one may
try to find a divisor $D'$ which has a larger dimension $l(D')$ than is expected from its
degree. We took the lower bound $l(D') \geq \deg D' - g + 1$, but the Riemann-Roch
theorem provides the more precise result:

$$l(D') = \deg D' - g + 1 + l(K - D').$$

A divisor $D'$ is special if both $l(D')$ and $l(K - D')$ are not zero. The degree of
a special divisor is between $0$ and $2g - 2$. The Clifford theorem gives an upper
bound for $l(D')$: if $0 \leq \deg D' \leq 2g - 2$, then

$$l(D') \leq \tfrac{1}{2} \deg D' + 1.$$

If we take for the basic algorithm a special divisor $D'$ and assume $l(D') > t$ instead
of $\deg D' \geq g + t$, and moreover $\deg D' < \deg D - 2g + 2 - t$, then we find that

$$t \leq \frac{d_{C^*} - 1}{3}$$

(see Pellikaan [139]).

The Modified Algorithm


One more way to improve the basic algorithm is to apply it with a sequence of
divisors $D'_0 \leq D'_1 \leq \cdots \leq D'_s$. The modified algorithm can be briefly described in
the following way. For the smallest $i \in \{0, 1, \ldots, s\}$ such that the corresponding
space $L(v, D'_i)$ is not zero, we take a non-zero function $g' \in L(v, D'_i)$ and apply the
basic algorithm for $D'_i$. In the case when $D$ is of the form $D = sA$, we use the
sequence $D'_i = iA$, for $i = 0, 1, \ldots, s$. If $\deg A = a$, we define $s(A)$ as

Then we have the following result (see Skorobogatov, Vladut [180] and Tsfasman,
Vladut [208, 209]).

Theorem 12.7. The modified algorithm corrects

$$\left\lfloor \frac{d_{C^*} - 1}{2} - s(A) \right\rfloor$$

errors. The complexity of the algorithm is at most $O(n^3)$.

The modified algorithm was extended by Duursma [31, 33] as follows. The
Clifford defect $\sigma(A)$ of a divisor $A$ such that $0 \leq \deg A \leq 2g - 2$ is defined by

$$\sigma(A) = \tfrac{1}{2} \deg A + 1 - l(A).$$

It follows from the Clifford theorem that $\sigma(A) \geq 0$. Suppose that the designed
minimum distance of $C^* = C^*(D_0, D)$ is odd. If $\mathfrak{A} = \{A_0, A_1, \ldots, A_{g-1}\}$ is a set
of divisors such that $\deg A_i = 2g - 2 - 2i$, then define $\sigma_0(\mathfrak{A})$ to be the maximum
over all $\sigma(A_i)$, for $i = 0, 1, \ldots, g - 1$. Let $D'_0, D'_1, \ldots, D'_g$ be a sequence of divisors,
with supports disjoint from the support of $D_0$, defined recursively by letting $D'_0$
be a divisor of degree $(g - 1)/2$ and $D'_i$ be a divisor which is equivalent to $D -
D'_{i-1} - A_{i-1}$. Let

$$t = \frac{d_{C^*} - 1}{2} - \sigma_0(\mathfrak{A}).$$
Then $\Omega(D'_0 - D + E) = 0$, $L(D'_g - E) \neq 0$, and for any divisor $E$ of $t$ error-positions
we find that $L(D'_i - E) = 0$ implies $\Omega(D'_{i+1} - D + E) = 0$. Thus we can take a non-zero
function in $L(v, D'_i)$ for the smallest $i$ such that $L(v, D'_i) \neq 0$ and proceed with
the basic algorithm for this $D'_i$. Similarly, if the designed minimum distance is even,
we define a sequence of divisors $D'_1, \ldots, D'_g$ for a given set $\mathfrak{A} = \{A_1, \ldots, A_{g-1}\}$ of
divisors such that $\deg A_i = 2g - 1 - 2i$, then define $\sigma_1(\mathfrak{A})$ to be the maximum over
all $\sigma(A_i)$ for $i = 1, 2, \ldots, g - 1$.
In this way we obtain the following result (see Duursma [31, 33]):

Theorem 12.8. The extended modified algorithm corrects

$$\frac{d_{C^*} - 1}{2} - \sigma_i(\mathfrak{A})$$

errors, where $i = 0$ when the designed minimum distance is odd and $i = 1$ otherwise.
The complexity of the algorithm is at most $O(n^3)$.

The Clifford defect is computed for several curves (see [31]) and is about $g/4$
for plane curves.
It is possible to give an upper bound for the number $s$ of divisors $D'_1, \ldots, D'_s$
which are needed in order that for each received vector $v = (v_1, \ldots, v_n)$, with at
most $\lfloor (d_{C^*} - 1)/2 \rfloor$ errors, at least one of the basic algorithms $\mathcal{A}(D'_i)$ will correct
$v$ (see Pellikaan [139] and Vladut [214]).

Again we consider the decoding of codes $C^* = C^*(D_0, D)$. Assume that
$\deg D > 2g - 2$. Let $t = \lfloor (d_{C^*} - 1)/2 \rfloor$, and suppose for simplicity that $d_{C^*} > 1$ is
an odd number. Let $D'_1, \ldots, D'_s$ be a collection of effective divisors of degree $g + t$.
Then $l(D'_i) > t$, so $L(D'_i - E)$ is not zero for all $i = 1, 2, \ldots, s$ and all divisors $E$
of $t$ error-positions. Let $v$ be a received vector with divisor of error-positions $E$.
If there exists an index $i$ such that $\Omega(D'_i - D + E) = 0$, then $\mathcal{A}(D'_i)$ will decode $v$
by Proposition 12.5. So suppose on the contrary that $\Omega(D'_i - D + E) \neq 0$ for all
$i = 1, 2, \ldots, s$. Then there exists a differential form $\omega_i$ such that $(\omega_i) \geq D - D'_i - E$;
that is, there exists an effective divisor $A_i$ such that

$$(\omega_i) = D - D'_i - E + A_i.$$
Taking degrees we obtain $\deg A_i = g - 1$ for all $i$. Denote the class of a divisor
$B \in \operatorname{Div}(X)$ by $[B]$. We have $[A_i - D'_i] = W - [D - E]$, hence $[A_i - D'_i]$ does not
depend on $i$. In that case $[A_i - A_j] = [D'_i - D'_j]$ for all $i, j = 1, 2, \ldots, s$, so $A_i - A_j$ and
$D'_i - D'_j$ represent the same divisor class in $\operatorname{Pic}_0(X)$ for all $i, j$. Let $\mathcal{D}_m$ denote the
set of all effective divisors in $\operatorname{Div}(X)$ of degree $m$, so $A_i \in \mathcal{D}_{g-1}$ and $D'_i \in \mathcal{D}_{g+t}$.
Now we consider the map

defined by

$$\psi^s_m(B_1, \ldots, B_s) = ([B_1 - B_2], \ldots, [B_{s-1} - B_s]).$$
It is an obvious consequence of the Riemann-Roch theorem that the map $\psi^s_m$ is
surjective for all $m \geq g$ and $s$. Suppose now that $\psi^s_{g-1}$ is not surjective. Then
we could have started with an $s$-tuple $(D'_1, \ldots, D'_s)$ such that $\psi^s_{g+t}(D'_1, \ldots, D'_s) \notin
\operatorname{Im}(\psi^s_{g-1})$. In this way we would arrive at a contradiction with the assumption that
$\Omega(D'_i - D + E) \neq 0$ for all $i$. Thus there exists an $i$ such that $\Omega(D'_i - D + E) = 0$,
and therefore the basic algorithm $\mathcal{A}(D'_i)$ corrects the errors of the received vector
$v$. We have sketched the proof of the following result (see [139]):

Proposition 12.9. Let $(D'_1, \ldots, D'_s)$ be an $s$-tuple of effective divisors in $\operatorname{Div}(X)$
of degree $g + t$ such that $\psi^s_{g+t}(D'_1, \ldots, D'_s)$ is not in the image of $\psi^s_{g-1}$. Then for
every received vector $v$ with at most $\lfloor (d_{C^*} - 1)/2 \rfloor$ errors there is at least one
$i = 1, 2, \ldots, s$ such that the basic algorithm $\mathcal{A}(D'_i)$ corrects $v$.

Now let

$$Z(X, u) = \frac{P(u)}{(1 - u)(1 - qu)}$$

be the zeta-function of the curve $X$. The numerator $P(u)$ is a polynomial in $u$ of
degree $2g$ and if

$$P(u) = \prod_{i=1}^{2g} (1 - \alpha_i u)$$

is a decomposition of $P(u)$ into linear factors in some finite extension of $Q$, then
$|\alpha_i| = q^{1/2}$, for all $i = 1, 2, \ldots, 2g$. The number $h = h_q(X)$ of elements of $\operatorname{Pic}_0(X)$
is equal to $P(1)$, so

This allows one to prove that the map $\psi^s_{g-1}$ is not surjective for all maximal curves
(see [139]), for all curves when $q \geq 37$, and for all curves of genus $g \geq g_0(q)$ when
$q \geq 16$ (see [214]). As a result we obtain the following theorem:

Theorem 12.10. There exist $s$ divisors $D'_1, \ldots, D'_s$ such that for every received
vector $v = (v_1, \ldots, v_n)$ with at most $\lfloor (d_{C^*} - 1)/2 \rfloor$ errors, at least one of the
basic algorithms $\mathcal{A}(D'_1), \ldots, \mathcal{A}(D'_s)$ corrects the errors with respect to the code
$C^* = C^*(D_0, D)$ over $F_q$, for all $q \geq 37$ and all divisors $D$ such that $\deg D > 2g - 2$.
Furthermore, $s = O(n)$ and the complexity of the algorithm is $O(n^4)$ for $n \to \infty$.

Unfortunately, this result is not effective, since it does not provide any
construction of the divisors $D'_1, \ldots, D'_s$. On the other hand, if the curve $X$ has
gonality $m$ and at least two $F_q$-rational points, then the map $\psi^{2m}_{g-1}$ is not surjective
and there exist $2m$ divisors $D'_1, \ldots, D'_{2m}$, which can be constructed explicitly, such
that the corresponding basic algorithms, run in parallel, correct $\lfloor (d_{C^*} - g - 1 +
m)/2 \rfloor$ errors.

12.3. AN IMPROVEMENT OF THE MODIFIED ALGORITHM

Another decoding algorithm, which can be considered as a generalization of
solving the key equation for rational Goppa codes by Euclid's algorithm in the ring
of polynomials in one variable, was proposed by Porter [146]. The correctness of
this algorithm was proved in [34, 35, 147].

One can regard the ring of polynomials in one variable as the ring of rational
functions on the projective line $P^1$ with poles only at the point $x_\infty$ at infinity.
The ring of polynomials in one variable is replaced by the ring $R_\infty(x)$ of rational
functions on the curve $X$ with poles only at a fixed $F_q$-rational point $x \in X$, where
$x$ differs from the points $x_1, \ldots, x_n$ used to construct the geometric Goppa code
$C^* = C^*(D_0, D)$. The weight of a rational function $f \in R_\infty(x)$ is defined as the
order of the pole of $f$ at $x$ and is denoted by $w(f)$. The ring $R_\infty(x)$ with the weight
function $w(f)$ is not a Euclidean domain unless the genus of $X$ is zero, but it still
has very similar properties. For all $f, h \in R_\infty(x)$ we have:

(i) $w(fh) = w(f) + w(h)$,

(ii) $w(f + h) \leq \max(w(f), w(h))$,

(iii) if $w(f) = w(h)$, then there exists an element $\lambda \in F_q^*$ such that $w(f - \lambda h) <
w(f)$.
If the number of rational points on the curve $X$ is greater than $n$, the divisor $D$
in the definition of the code $C^* = C^*(D_0, D)$ can be taken in the form $\mu \cdot x - A$,
where $A$ is an effective divisor and $\mu$ is a positive integer. Next, we can always
find $n$ linearly independent differential forms $\omega_1, \ldots, \omega_n \in \Omega(D_0 + \mu \cdot x)$ such that

if i = j
otherwise

Now, for every differential form $\omega \in \Omega(D_0 - A + \mu \cdot x)$ we have

$$\omega = \sum_{i=1}^{n} \operatorname{Res}_{x_i}(\omega)\, \omega_i.$$

If

$$\omega(v) = \sum_{i=1}^{n} v_i \omega_i,$$

then $(\operatorname{Res}_{x_1}(\omega(v)), \ldots, \operatorname{Res}_{x_n}(\omega(v))) = v$. Therefore, the map

$$\omega : F_q^n \to \Omega(D_0 - A + \mu \cdot x)$$

is the right inverse of the map

$$\operatorname{Res} : \Omega(D_0 - A + \mu \cdot x) \to F_q^n$$

and

if and only if

$$v \in C^*(D_0, \mu \cdot x - A).$$
Suppose that $A$ is the divisor of a function $h \in R_\infty(x)$ which does not vanish
at all points $x_1, \ldots, x_n$. We want to define the syndrome $s(v)$ of a received vector
$v$. In order to present the syndrome as a rational function, one first proves the
existence of a particular differential form $\omega'$. The syndrome $s(v)$ is now defined
as follows:

$$s(v)\, \omega' = \sum_{i=1}^{n} v_i\, \frac{h(x_i) - h}{h(x_i)}\, \omega_i.$$

The syndrome is an element of the ring $R_\infty(x)$. If $A$ is the divisor of zeros of
$h \in R_\infty(x)$, then

$$v \in C^*(D_0, \mu \cdot x - A)$$

if and only if

$$s(v) \equiv 0 \bmod (h). \qquad (12.4)$$

Let us assume for simplicity that $\omega'$ is a differential form such that $(\omega') =
(2g - 2) \cdot x$ (this assumption is satisfied, for example, for Hermitian curves). Now
one searches for solutions of the key equation (12.4), that is for pairs $(f, \varphi)$ with
$f, \varphi \in R_\infty(x)$ such that there exists an $r \in R_\infty(x)$ with the property

$$f s(v) = \varphi + r h.$$

A solution is called valid if, moreover,

$$w(\varphi) - w(f) \leq 2g - 2 + \mu.$$

A valid solution $(f, \varphi)$ is called minimal if $w(f)$ is minimal among all the weights
of $f'$, such that $(f', \varphi')$ is a valid solution. In this way we get the following result
(see Ehrhard [34, 35] and Porter, Shen, Pellikaan [147]):

Theorem 12.11. Let $v \in F_q^n$ with $v = u + e$, where $u$ is a code-vector of the code
$C^* = C^*(D_0, \mu \cdot x - A)$ and $e$ is an error-vector:

(i) There exists a valid solution $(f, \varphi)$ of the key equation (12.4) such that
$\varphi \omega' / f \in \Omega(D_0 + \mu \cdot x)$ and $(\operatorname{Res}_{x_1}(\varphi \omega' / f), \ldots, \operatorname{Res}_{x_n}(\varphi \omega' / f)) = e$.

(ii) Let $t = (d_{C^*} - 1)/2 - \sigma$, where $\sigma$ is the Clifford defect of $x$. Suppose $\|e\| \leq t$.
If $(f, \varphi)$ is a minimal solution of the key equation (12.4), then
$\varphi \omega' / f \in \Omega(D_0 + \mu \cdot x)$ and $(\operatorname{Res}_{x_1}(\varphi \omega' / f), \ldots, \operatorname{Res}_{x_n}(\varphi \omega' / f)) = e$.

The explicit computation of the differential forms $\omega_1, \ldots, \omega_n$ and finding
formulas for the syndromes is, in general, quite elaborate, but we consider this as
part of the preprocessing of the algorithm. The above algorithm is worked out in
detail for Hermitian codes (see Porter, Shen, Pellikaan [147]).

Now we compare Porter's and the modified algorithm, and describe Ehrhard's
algorithm [36] which gives an effective solution of the decoding of geometric
Goppa codes.
The value $f(x)$ of a rational function $f$ at a point $x$ is defined only if $f$ does not
have a pole at $x$. As we have seen, one can take the space $L(v, D')$ in such a way
that $\operatorname{Supp} D' \cap \operatorname{Supp} D_0 \neq \emptyset$. The code $C^* = C^*(D_0, D)$ is the image of the residue
map

$$\operatorname{Res} : \Omega(D_0 - D) \to F_q^n$$

and this map is injective if we assume that $\deg D > 2g - 2$. There exists a divisor
$D'' \leq D$ such that the map

$$\operatorname{Res} : \Omega(D_0 - D'') \to F_q^n$$

is surjective. Moreover, there exists a linear map

$$F_q^n \to \Omega(D_0 - D''), \qquad v \mapsto \omega_v,$$

such that $\operatorname{Res}(\omega_v) = v$ for all $v \in F_q^n$.
The map $\omega$ defined above provides a more
explicit description of such a map. Let $D'$ be a divisor such that $\deg D' < d_{C^*}$ or
equivalently $\deg(D - D') > 2g - 2$. Then

$$\Omega(D_0 - D + D') \cap \Omega(D' - D'') = \Omega(D - D') = 0.$$

Thus $\Omega(D_0 - D + D') \oplus \Omega(D - D')$ is a direct sum. Let

$$\pi : \Omega(D_0 - D + D') \oplus \Omega(D - D') \to \Omega(D - D')$$

be the projection along $\Omega(D_0 - D + D')$. Define $L'(v, D')$ as

$$L'(v, D') = \{\, f \in L(D') \mid f \omega_v \in \Omega(D_0 - D + D') \oplus \Omega(D - D') \,\}.$$

One can show that $L'(v, D') = L(v, D')$ when $D'$ has support disjoint from the
support of $D_0$ and

$$\deg D' > \max(\deg D'', \deg(D - D_0)).$$

The following result is similar to Theorem 12.11 (ii) (see Ehrhard [34, 35]):

Proposition 12.12. Suppose $L(D' - E) \neq 0$ and $\Omega(D' - D + E) = 0$. If $f$ is a
non-zero element of $L(v, D')$, then

is the error-vector of v.

We can easily compare the modified algorithm and Porter's algorithm in the
special case when $D = m \cdot x$ and there exists a differential form $\omega'$ with divisor
$(\omega') = (2g - 2) x$. If $f$ is a non-zero element of $L(v, i \cdot x)$ for the smallest $i \in
\{1, 2, \ldots, n\}$ such that $L(v, i \cdot x) \neq 0$, then there exists a $\varphi \in R_\infty(x)$ such that
$(f, \varphi)$ is a valid solution of the key equation (12.4). Conversely, if $(f, \varphi)$ is a valid
solution of (12.4) and $i = w(f)$, then $f$ is a non-zero element of $L(v, i \cdot x)$, and $i$ is
the smallest integer such that $L(v, i \cdot x) \neq 0$.

Now we describe Ehrhard's algorithm which produces a sequence of divisors
$\{D'_1, \ldots, D'_i\}$. It depends on the received vector $v$ and has the property that the
basic algorithm $\mathcal{A}(D'_i)$ decodes $v$ when there are at most $t = \lfloor (d_{C^*} - 1)/2 \rfloor$ errors.
In this way, the elaborate problem of constructing the sequence of divisors is
circumvented, although this algorithm still has the complexity of solving a system
of linear equations.

Decoding Algorithm $\mathcal{B}(D')$

Let an element $v \in F_q^n$ be given:

(1) Input $v$.

(2) Set $i := 1$ and $D'_1 := D'$.

(3) Look for an index $j \in \{1, 2, \ldots, n\}$ such that $\dim L'(v, D'_i - x_j) \leq
\dim L'(v, D'_i) - 2$. If there is such a $j$, then: set $D'_{i+1} = D'_i - x_j$, increment $i$
and continue at step (3), else

(4) If $\dim L(v, D'_i) = 0$, then continue at step (5), else continue at step (6).

(5) Output ?

(6) Compute $e = (\operatorname{Res}_{x_1}(\pi(f \omega_v)/f), \ldots, \operatorname{Res}_{x_n}(\pi(f \omega_v)/f))$ for some non-zero
$f \in L'(D'_i)$.

(7) Output $v - e$.

An alternative of the above algorithm is to apply the basic algorithm $\mathcal{A}(D'_i)$ at
step (6). As a result we have the following theorem (see Ehrhard [36] and Duursma
[33]):

Theorem 12.13. Let $X$ be a smooth projective curve over $F_q$ of genus $g$, and $C^* =
C^*(D_0, D)$ a geometric Goppa code with designed minimum distance $d_{C^*} \geq 4g$.
Let $t = \lfloor (d_{C^*} - 1)/2 \rfloor$ and $D'$ be any divisor of degree $2g + t$. Then $\mathcal{B}(D')$ is a
decoder for $C^*$ which corrects $t$ errors. The complexity of $\mathcal{B}(D')$ is at most $O(n^3)$.

If we apply both algorithms $\mathcal{B}(D')$ and $\mathcal{B}(D - D')$ for a divisor $D'$ such that
$\deg D' = g + t$, then it is enough to assume that $d_{C^*} \geq 4g - 2m$, where $m$ is the
gonality of the curve $X$ (see [33]). Moreover, it is shown in an example that this
cannot be improved.

12.4. MAJORITY VOTING FOR UNKNOWN SYNDROMES

Now we restrict our attention to one-point codes, that is geometric Goppa codes
of the form $C = C(D_0, m \cdot x)$ or $C^* = C^*(D_0, m \cdot x)$, where $m$ is an integer and
$x \in X$ is an $F_q$-rational point which is distinct from the points $x_1, \ldots, x_n$. We
shall show how for one-point codes one can extend the parity-check matrix $H$
with rows $a_i = (a_{i1}, \ldots, a_{in})$, $1 \leq i \leq n - k$, to an $n \times n$ matrix $H'$ with rows
$a_i = (a_{i1}, \ldots, a_{in})$, $1 \leq i \leq n$. This will be done in such a way that the unknown
syndromes $s_i(e) = a_i \cdot e^T$, $i > n - k$, can be obtained recursively from known
syndromes $s_i = s_i(v)$, $1 \leq i \leq n - k$, by a majority vote (see Feng and Rao [39],
Duursma [32, 33], Kirfel and Pellikaan [95] and Pellikaan [141]).

Let $N_x = \{0 = m_1 < m_2 < m_3 < \cdots\}$ be the non-gap sequence of $x$. The
non-gaps form a semi-group in the set of non-negative integers which is generated
by $m_2, m_3, \ldots, m_{g+2}$. Let $g_i$ be a rational function on $X$ which has a pole of
order $m_i$ at $x$ and no other poles. Then $\{g_1, \ldots, g_r\}$ is a basis for $L(m_r \cdot x)$. Let
$a_i = (g_i(x_1), \ldots, g_i(x_n))$, and $H_r$ be the $r \times n$ matrix with $a_i$, $1 \leq i \leq r$, as rows.
Then $H_r$ is a parity-check matrix of the code $C^* = C^*(D_0, m_r \cdot x)$. We note that
the rows of $H_r$ need not be linearly independent. Define a matrix of syndromes

with respect to an error-vector $e = (e_1, \ldots, e_n)$ by

$$s_{ij}(e) = \sum_{l=1}^{n} e_l\, g_i(x_l)\, g_j(x_l).$$

If $v$ is a received vector with error-vector $e$ with respect to $C^*(D_0, m_r \cdot x)$, and
$m_i + m_j \leq m_r$, then $g_i g_j \in L(m_r \cdot x)$, so $s_{ij}(e) = s_{ij}(v)$. Thus $s_{ij}(e)$ is a known
entry of the matrix of syndromes for all $i, j$ such that $m_i + m_j \leq m_r$.
Now we define the set of pairs $\mathcal{N}_r$ by

Let $n_r = |\mathcal{N}_r|$, and define the Feng-Rao minimum distance $d_{FR}(r)$ of the code
$C^* = C^*(D_0, m_r \cdot x)$ by

$$d_{FR}(r) = \min \{\, n_s \mid s \geq r \,\}.$$



Note that the definition of $d_{FR}(r)$ depends only on the semi-group of non-gaps
of $x$. One can check that $d_{FR}(r) \geq d_{C^*}$ and equality holds if $r > 3g - 2$. In many
examples $d_{FR}(r)$ is strictly greater than $d_{C^*}$ for small $r$ (see Kirfel and Pellikaan
[95]).
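
Since $d_{FR}(r)$ depends only on the semi-group of non-gaps, it can be tabulated directly from the generators. The Python code below is an example added here, not part of the book; it assumes the usual Feng-Rao convention that the set of pairs consists of all $(i, j)$ with $m_i + m_j = m_{r+1}$, and it takes the generators 3, 5, 7 (Klein quartic at $z_2$) and 8, 10, 12, 13 (Suzuki curve at $x_\infty$) from Exercises 12.2 and 12.6; the function names are assumptions of the example.

```python
KLEIN = [3, 5, 7]           # generators of the non-gaps at z_2 (Exercise 12.2)
SUZUKI = [8, 10, 12, 13]    # generators of the non-gaps at x_inf (Exercise 12.6)

def nongaps(generators, bound):
    """Non-gaps m <= bound of the semi-group generated by `generators`."""
    member = [True] + [False] * bound
    for m in range(1, bound + 1):
        member[m] = any(m >= a and member[m - a] for a in generators)
    return [m for m in range(bound + 1) if member[m]]

def genus(generators):
    """Number of gaps; every gap lies below min(generators) * max(generators)."""
    bound = min(generators) * max(generators)
    return bound + 1 - len(nongaps(generators, bound))

def n_r(ms, r):
    """n_r = number of pairs (i, j) with m_i + m_j = m_{r+1}; ms[0] is m_1 = 0."""
    target, members = ms[r], set(ms)
    return sum(1 for a in ms if a <= target and target - a in members)

def feng_rao(generators, r):
    """Return (m_r, designed distance m_r - 2g + 2, d_FR(r)) for C*(D_0, m_r x)."""
    g = genus(generators)
    # Once m_{s+1} >= 4g - 1 no two gaps add up to m_{s+1}, so n_s equals
    # m_{s+1} + 1 - 2g and increases with s.  The minimum over s >= r is
    # therefore attained among the non-gaps up to 4g + r + 1.
    ms = nongaps(generators, 4 * g + r + 1)
    d_fr = min(n_r(ms, s) for s in range(r, len(ms)))
    m_r = ms[r - 1]
    return m_r, m_r - 2 * g + 2, d_fr

def table(generators, r_values):
    """Rows (r, m_r, d_C*, d_FR(r)) for the requested values of r."""
    return [(r,) + feng_rao(generators, r) for r in r_values]

if __name__ == "__main__":
    print("genus:", genus(KLEIN), genus(SUZUKI))
    for row in table(SUZUKI, range(4, 22)):
        print("r=%2d  m_r=%2d  d_C*=%3d  d_FR=%2d" % row)
```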
The entries of the matrix of syndromes with $(i, j) \in \mathcal{N}_r$ are the first unknown
syndromes we encounter with respect to $C^*(D_0, m_r \cdot x)$. As soon as we know one
$s_{ij}(e)$ with $(i, j) \in \mathcal{N}_r$, we know all the others $s_{\sigma\tau}$ with $(\sigma, \tau) \in \mathcal{N}_r$, since each one
of the functions $g_i g_j$, $g_\sigma g_\tau$, or $g_{r+1}$ is a generator of the one-dimensional vector
space $L(m_{r+1} \cdot x)$ modulo $L(m_r \cdot x)$. In other words, there exist $a_{ij}, a_{ijl} \in F_q$ such
that $a_{ij} \neq 0$ and

$$g_i g_j = a_{ij}\, g_{r+1} + \sum_{l \leq r} a_{ijl}\, g_l$$

for all $i, j$ with $m_i + m_j = m_{r+1}$. Therefore

$$s_{ij}(e) = a_{ij}\, s_{r+1}(e) + \sum_{l \leq r} a_{ijl}\, s_l(e) \qquad (12.5)$$

and this relation is the same for all error-vectors. Consider the matrix

If $m_i + m_j = m_{r+1}$, then all entries of this matrix, except $s_{ij}(e)$, are known. Next,
if $m_i + m_j = m_r$, then $S(i, j)$ is a matrix of the linear map from $L(m_j \cdot x)$ to
$L(m_i \cdot x)$ which is used to compute the space $L(v, m_j \cdot x)$ in the basic algorithm
$\mathcal{A}(m_j \cdot x)$ for the code $C^* = C^*(D_0, m_r \cdot x)$. The rectangular sub-matrices $S(i, j)$
with $m_i + m_j = m_r$ form the collection of matrices which one encounters in the
modified algorithm for $C^*(D_0, m_r \cdot x)$. If $g' \in L(m_j \cdot x)$ is a non-zero error-locator
function and

$$g' = \sum_{\tau=1}^{j} b_\tau g_\tau,$$

then the columns of the matrix $S(i, j)$ are linearly dependent:

$$\sum_{\tau=1}^{j} b_\tau\, s_{\sigma,\tau}(e) = 0, \quad \text{for all } 1 \leq \sigma \leq i.$$

If $(i, j) \in \mathcal{N}_r$ and the three matrices $S(i - 1, j - 1)$, $S(i - 1, j)$, and $S(i, j - 1)$
have equal rank, then $(i, j)$ is called a candidate with respect to $C^*(D_0, m_r \cdot x)$. If
$(i, j)$ is a candidate, then there is a unique value $\tilde{s}_{ij}(e)$ to assign to the unknown
entry $s_{ij}(e)$ such that the matrices $S(i, j)$ and $S(i - 1, j - 1)$ have equal rank. The
element $\tilde{s}_{ij}(e)$ is called the candidate value of the unknown syndrome $s_{ij}(e)$. A
candidate is called correct when $\tilde{s}_{ij} = s_{ij}$ and incorrect otherwise. Denote the
number of correct candidates by $M$ and the number of incorrect candidates by $N$.

An entry $(i, j)$ is called a discrepancy if the three matrices $S(i, j)$, $S(i - 1, j)$, and
$S(i, j - 1)$ have equal rank and the matrices $S(i, j)$ and $S(i - 1, j - 1)$ do not have
equal rank. The total number $P$ of discrepancies is equal to the rank of the matrix
of syndromes, so $P \leq \|e\|$.

Let $v$ be a received vector with error-vector $e$ which has at most $(n_r - 1)/2$
errors with respect to $C^*(D_0, m_r \cdot x)$. Then all syndromes $s_{ij}(e)$ such that $m_i + m_j \leq
m_r$ are known, and the remaining syndromes are unknown. Denote the number of
known discrepancies by $Q$. A candidate is correct if and only if it is a discrepancy,
so

$$N + Q \leq P \leq \|e\|.$$

If $(i, j)$ is a known discrepancy, then all entries $(i, \tau)$ in the $i$th row with $\tau > i$, and
all entries $(\sigma, j)$ in the $j$th column with $\sigma > i$ are not candidates. If $(i, j) \in \mathcal{N}_r$
is not a candidate, then there is at least one known discrepancy in the same row
or column. Thus the number of pairs $(i, j) \in \mathcal{N}_r$ which are not candidates is at
most $2Q$. The number of pairs $(i, j) \in \mathcal{N}_r$ which are candidates is equal to $M + N$.
Therefore,

$$n_r \leq M + N + 2Q.$$

Furthermore, we assume that

$$\|e\| \leq (n_r - 1)/2.$$

Combining the above inequalities gives

$$N \leq M - 1.$$

There is no direct way to see whether a candidate is correct or incorrect. But
we assigned a candidate value $\tilde{s}_{ij}$ of the syndrome $s_{ij}$ to every candidate, and this
gives a candidate value or vote $s_{r+1}(i, j)$ for $s_{r+1}$, in view of (12.5). Thus we have
proved the following result:

Proposition 12.14. If the number of errors of a received vector with respect to the
code $C^*(D_0, m_r \cdot x)$ is at most $(n_r - 1)/2$, then the majority of the candidates vote
for the correct value of $s_{r+1}$.

In this way, all unknown syndromes can be found by induction and this allows
determination of the error-vector. Thus the proof of the following result has been
sketched:

Theorem 12.15. Majority voting for unknown syndromes corrects $\lfloor (d_{FR} - 1)/2 \rfloor$
errors with complexity $O(n^3)$.

The decoding by majority-voting provides a new bound for geometric Goppa
codes and this is the basis for an elementary treatment of these codes (see Feng, Rao
[40, 41]). Note also that the majority voting is incorporated in Porter's algorithm.

Problem II. What is the relation between Ehrhard's decoding algorithm and majority voting?
Problem III. Does majority voting correct more than $\lfloor (d_{FR} - 1)/2 \rfloor$ errors?

12.5. FASTER DECODING

The basic and the modified algorithms as well as the majority scheme have the
complexity of solving systems of linear equations, for finding both the error-
locations and the error-values. If one uses the special structure of the syndrome
matrix, the complexity of the majority-voting scheme can be reduced from $O(n^3)$
to $O(n^{7/3})$. This is done by Feng, Wei, Rao and Tzeng, using the block-Hankel
structure of codes on plane curves. The Berlekamp-Massey-Sakata algorithm,
which is a generalization of the well-known Berlekamp-Massey algorithm on linear
recurring relations in one variable to the case of several variables, allows one to
get fast implementations of the modified algorithm, of Porter's algorithm and of
the majority-voting scheme (see [87, 156, 157]). In this section we show how the
Berlekamp-Massey-Sakata algorithm is used for decoding one-point codes up to
half of the Feng-Rao distance.
Consider codes of the form

$$C^* = C^*(D_0, m \cdot x) = C^{\perp}(D_0, m \cdot x),$$

where $D_0 = x_1 + \cdots + x_n$ and $x \notin \operatorname{Supp} D_0$. Let $\{m_1, m_2, \ldots, m_s\}$ be a minimal set
of generators for the semi-group of non-gaps at $x$ in increasing order, and let $g_j$
be a rational function on $X$ with pole of order $m_j$ at $x$ and with no other poles.
Then to any vector $\alpha = (\alpha_1, \ldots, \alpha_s)$ with integer coordinates there corresponds the
function

having a pole only at $x$ of order

$$w(g^\alpha) = w(\alpha) = \sum_{j=1}^{s} \alpha_j m_j.$$

For the fixed rational function $g^\alpha$ we associate with each vector $v =
(v_1, \ldots, v_n) \in F_q^n$ a syndrome $s_\alpha(v)$ by

$$s_\alpha(v) = \sum_{i=1}^{n} v_i\, g^\alpha(x_i).$$

Then we find that $u = (u_1, \ldots, u_n) \in C^*$ if and only if $s_\alpha(u) = 0$ for all $\alpha$ with
$w(\alpha) \leq m$. In the decoding situation, $v = u + e$ is received and $s_\alpha(u + e) = s_\alpha(e)$
if $w(\alpha) \leq m$. These can be easily calculated when all syndromes are known. The
following version of the discrete Fourier transformation method gives an explicit
formula.

Proposition 12.16. Assume that all coordinates of the points $x_i$ are non-zero. If
all syndromes $s_\alpha(e)$, $0 \leq \alpha_j \leq q - 2$, $1 \leq j \leq s$, are known, then

$$e_i = (-1)^s \sum_{\alpha_1, \ldots, \alpha_s = 0}^{q-2} s_\alpha\, g^{-\alpha}(x_i).$$

Now, applying the Berlekamp-Massey-Sakata algorithm, we obtain a fast
algorithm $\mathcal{C}(m)$ which can decode the one-point geometric Goppa codes up to half
of the Feng-Rao bound (see Sakata, Justesen, Madelung, Jensen, Hoholdt [157]).

Theorem 12.17. The algorithm $\mathcal{C}(m)$ corrects $t \leq \lfloor (d_{FR} - 1)/2 \rfloor$ errors. The
complexity of the algorithm is $O(n^{7/3})$.

The general problem of solving linear equations can be done faster than Gaussian
elimination. Its complexity can be reduced from $O(n^3)$ to $O(n^{2.38})$, where $n$
is the number of variables.

Problem IV. Is there a decoding algorithm which decodes all geometric Goppa
codes up to half the designed minimum distance with complexity $O(n^2)$ for $n \to \infty$?

EXERCISES

12.1. Let $X$ be the Hermitian curve given over $F_{q^2}$ by the equation

$$u^{q+1} + v^{q+1} + w^{q+1} = 0.$$

The curve $X$ is isomorphic to the curve $Y$ with affine equation

which has exactly one point $x_\infty$ at infinity and $n = q^3$ points $x_1, \ldots, x_n$ in the affine
plane. Show that:
(a) the semi-group of non-gaps at $x_\infty$ is generated by $q$ and $q + 1$;
(b) the ring $R_\infty(x_\infty)$ of rational functions on the curve $Y$ with only poles at $x_\infty$ is
generated over $F_{q^2}$ by rational functions $g_1, g_2$ such that $v_{x_\infty}(g_1) = -q$ and
$v_{x_\infty}(g_2) = -(q + 1)$, that is

$$R_\infty(x_\infty) = F_{q^2}[g_1, g_2];$$

(c) $R_\infty(x_\infty) \cong F_{q^2}[U, V]/(V^q + V - U^{q+1})$.

12.2. The Klein quartic $X$ over $F_8$ has the affine equation

$$u^3 v + v^3 + u = 0.$$

It has genus $g = 3$ and three rational points $z_1 = (1 : 0 : 0)$, $z_2 = (0 : 1 : 0)$, and
$z_3 = (0 : 0 : 1)$ over $F_2$, and 21 points $x_1, \ldots, x_{21}$ which are rational over $F_8$, but
not over $F_2$. Let us consider the code $C^* = C^*(D_0, D)$, coming from $X$, where
$D_0 = x_1 + \cdots + x_{21} + z_1 + z_3$ and $D = m \cdot z_2$. It has parameters $[23, 25 - m, \geq m - 4]_8$,
for $4 < m < 23$. The homogeneous equation of the Klein quartic is

and from this we readily see that the intersection divisor of the curve with the line
$u = 0$ is $3z_3 + z_2$, with the line $v = 0$ is $3z_1 + z_3$, and with the line $w = 0$ is $2z_2 + z_1$.
Let $f = u/w$ and $h = v/w$. Prove that:

(a) $(f^i h^k) = (2k - i) z_1 - (2i + 3k) z_2 + (3i + k) z_3$;

(b) the non-gaps at $z_2$ less than or equal to $2g + 1$ are $0, 3, 5, 6, 7$ and the corresponding
functions in $R_\infty(z_2)$ (which have only poles at $z_2$ of orders $0, 3, 5, 6, 7$
respectively) are $g_1 = 0$, $g_2 = h$, $g_3 = fh$, $g_4 = h^2$, and $g_5 = f^2 h$; furthermore,
$g_{3k-2} = h^k$, $g_{3k-1} = f^2 h^{k-1}$, and $g_{3k} = f h^k$ for $k \geq 2$;
(c) there are the following relations between $g_i$:

and

(d)

where
$a = (uw + v^2,\ u^4 + v + vw,\ u^3 v + w + w^3)$;
(e) the effective divisors $3z_1 + z_3$, $3z_2 + z_1$ and $3z_3 + z_2$ are canonical divisors on
$X$;
(f) $(df) = 2z_3 + 4z_2 - 2z_1$ and therefore

(Jdf ) =ZI +3Z2·

(Hint: Let $t$ be a local parameter at a point $x \in X$. Write

$$f = \sum_{i \geq m} a_i t^i, \qquad \frac{df}{dt} = \sum_{i \geq m} i\, a_i t^{i-1},$$

where $m = v_x(f)$, and deduce that



where $A$ is an effective divisor. Now for $t = f/h$, which is a local parameter
at $z_2$, show that

and
h = t3 +alt2 +aotl +al + ....
Next, show that t = h 2(1 + ht 3 ) and deduce from this that

$$df = (t^4 + \text{higher order terms})\, dt,$$

so $(dx) = 2z_3 + 4z_2 - 2z_1 + B$ with an effective divisor $B$. Finally, using the
equality $\deg(df) = 2g - 2 = 4$, find that $B = 0$.);
(g) when the basic algorithm $\mathcal{A}(3 \cdot z_2)$ is applied to the code $C^*(D_0, 11 \cdot z_2)$ it
corrects single errors (as well as three errors when the error-positions lie on
the line $v + cw = 0$). (Hint: Take $D' = 4 \cdot z_2$, so $D - D' = 7 \cdot z_2$, and show
that rational functions $1, h$ form a basis for $L(4 \cdot z_2) = L(3 \cdot z_2)$ and the rational
functions $1, h, fh, h^2, f^2 h$ form a basis for $L(7 \cdot z_2)$.)
(h) the number of decoding failures of the basic algorithm $\mathcal{A}(5 \cdot z_2)$ to decode
two errors is equal to 7 out of $\binom{23}{2} \cdot 7^2$, the number of all possible error-
vectors with two errors. (Hint: Let $(y_1, y_2)$ be a couple of distinct points of
the points $x_1, \ldots, x_{21}, z_1, z_3$ and $y = y_1 + y_2$. Then $L(5 \cdot z_2 - y) \neq 0$, and if
$\Omega(y - 6 \cdot z_2) \neq 0$, then $6 \cdot z_2 \sim 3 \cdot z_2 + z_1$ and hence $y + z_1 \sim 3 \cdot z_2$. Thus there
exists a non-zero rational function $g' \in L(3 \cdot z_2)$ which is zero at $z_1$. So $g' = ch$,
$c \in F_8$, and furthermore $y_1 = z_3$ and $y_2 = z_1$. Now the code

$$C(y, 5 \cdot z_2) = C(y, 6 \cdot z_2) = C^*(y, 6 \cdot z_2)$$

is generated by $(1, 1)$, and therefore

$$L(v, 5 \cdot z_2) = L(5 \cdot z_2 - y)$$

for a received vector $v$ with $y$ as error-positions and error-vector $e$ if and only
if

$$e * C(y, 5 \cdot z_2) \cap C^*(y, 6 \cdot z_2) = 0.$$

By Proposition 12.6 this is equivalent to $e_1 \neq e_2$.)
12.3. The code $C^*(D_0, m \cdot z_2)$ coming from the Klein quartic $X$ over $F_8$ has designed
distance $d_{C^*} = m - 4$, and is therefore $t = \lfloor (m - 5)/2 \rfloor$-error-correcting, but since
$(d_{C^*} - g - 1)/2 = (m - 8)/2$, the basic algorithm $\mathcal{A}(D')$ corrects $t - 2$ errors when
$m \equiv 1 \bmod 2$ and $t - 1$ errors when $m \equiv 0 \bmod 2$. The modified algorithm
corrects $t - 1$ errors by Theorem 12.7, since $s(z_2) = 1$. Show that the extended
modified algorithm corrects $t - 1$ errors when $m \equiv 1 \bmod 2$, and $t$ errors when
$m \equiv 0 \bmod 2$. (Hint: If $m \equiv 1 \bmod 2$, take $A_0 = 4 \cdot z_2$, $A_1 = 2 \cdot z_2$, $A_2 = 0$, and
let $\mathfrak{A} = \{A_0, A_1, A_3\}$, so $\sigma_0(\mathfrak{A}) = 1$. The corresponding divisors $D'_i$ are $D'_0 = t \cdot z_2$,
$D'_1 = (t + 1) \cdot z_2$, $D'_2 = (t + 2) \cdot z_2$, and $D'_3 = (t + 3) \cdot z_2$. If $m \equiv 0 \bmod 2$, take
$A_1 = z_2$, $A_2 = 3 \cdot z_2$, and $\mathfrak{A} = \{A_1, A_2\}$, so $\sigma_1 = 1/2$. The corresponding divisors $D'_i$
are $D'_1 = (t + 1) \cdot z_2$, $D'_2 = (t + 2) \cdot z_2$, and $D'_3 = (t + 3) \cdot z_2$. Then use the result of
Theorem 12.8.)

12.4. Consider the code $C^*(D_0, 23 \cdot z_2)$ coming from the Klein quartic $X$ over $F_8$. It has
dimension $k^* = 2$ and designed minimum distance $d^* = 19$, and therefore is 9-error-
correcting. Show that it is possible to choose an error-pattern of weight 9 where the
modified algorithm fails. (Hint: Let $y_1$, $y_2$, and $y_3$ be the affine points on the quartic
$X$ and the line $u + 1 = 0$, that is $y_1 = (1, \gamma)$, $y_2 = (1, \gamma^2)$, and $y_3 = (1, \gamma^4)$, where $\gamma$ is
a primitive element of $F_q$ such that $\gamma^4 + \gamma + 1 = 0$. Let $y_4 = (\gamma^6, \gamma^3)$, $y_5 = (\gamma^6, \gamma^4)$,
$y_6 = (\gamma^4, \gamma^3)$, $y_7 = (\gamma, \gamma^6)$, $y_8 = (\gamma^3, \gamma^3)$, and $y_9 = (\gamma^2, 1)$. The latter six points
together with the points $z_1$ and $z_3$ lie on the intersection of $X$ and the quadric

u2 + ,5 uv + ,3vw + ,yv = O.
Put

$$y = \sum_{i=1}^{9} y_i.$$

The rational function

has as divisor $y + 2 \cdot z_3 - 11 \cdot z_2$, so $g'$ is a non-zero element of $L(11 \cdot z_2 - y)$.
Now $L(10 \cdot z_2 - y) = 0$, since otherwise there exists a rational point $z$ such that
$10 \cdot z_2 \sim y + z$. Therefore, $11 \cdot z_2 \sim z_2 + y + z$, which gives $y + 2 \cdot z_3 \sim z_2 + y + z$. So
$2 \cdot z_3 \sim y + z$, in contradiction to the fact that 2 is a gap at $z_3$. Next, $\Omega(y - 12 \cdot y) \neq 0$,
since $12 \cdot z_2 - y \sim z_2 + 2 \cdot z_3 \leq z_2 + z_3$ is a canonical divisor. Show that $C^*(y, 12 \cdot z_2)$
is generated by $e = (\gamma^3, \gamma, \gamma^3, \gamma, \gamma, \gamma^2, \gamma^3, \gamma^2, 1)$ and deduce from this that

$$e * C(y, 11 \cdot z_2) \cap C^*(y, 12 \cdot z_2) \neq 0,$$

which means that $L(e, 11 \cdot z_2)$ contains rational functions which are not error-locators
by Proposition 12.6.)
12.5. Consider again the code $C^*(D_0, 23 \cdot z_2)$ coming from the Klein quartic $X$ over
$F_8$. Show that Ehrhard's algorithm manages to correct the error-pattern which was
discussed in Exercise 12.4. (Hint: Write out the matrix $S = (s_{ij})$ of known syndromes
with respect to the functions $1, h, fh, h^2, f^2 h, f h^2, h^3, f^2 h^2, f h^3, h^4, f^2 h^3, f h^4, h^5,
f^2 h^4, f h^5, h^6, f^2 h^5, f h^6, h^7, f^2 h^6, f h^7$, and $h^8$. Check that $s_{ij} = 0$ for all $i, j$ such
that $m_i + m_j \leq 12$. Show that the ninth column linearly depends on the previous
ones, since
,3
g' = h(f + 1)(h 2 + ,5fh + h + if)
is an error-locator function. So

L(v, l1'Z2) = (l,g').


Show that the tenth column linearly depends on the previous columns and one relation
corresponds with the function

g" = h+,6fh + ''Y2h +,3fh 2 +,3h 3 +if2h 2 +h 4 ,

which is not an error-locator function. Deduce from the above that

L(12·z2-y)=(g') and L(v, 12 'Z2) = (I,g',g").



Now there are nine known discrepancies and they are located at the entries (1, 11),
(2,8), (3,6), (4,5), (5,4), (6,3), (7,7), (8,2), and (11, 1). Thus there is exactly one
candidate at the entry (10,10), which gives as outcome that SI = 0.)
12.6. The Suzuki curve $X$ is defined over $\mathbb{F}_8$ by the equation

$$v^8 + v = u^2(u^8 + u).$$

It has 64 rational points $x_1, \ldots, x_{64}$ in the affine plane, one rational point $x_\infty$ at infinity,
and genus $g = 14$. The homogeneous equation of the curve $X$ is

$$w^2(v^8 + vw^7) = u^2(u^8 + uw^7).$$

Show that:
(a) the semi-group of non-gaps at $x_\infty$ is generated by 8, 10, 12, 13 and the corresponding
rational functions are $f$, $h$, $f^5 + h^4$ and $fh^4 + f^{20} + h^{16}$;
(b) the code $C^*(D_0, m \cdot x_\infty)$, where $D_0 = x_1 + \cdots + x_{64}$, has parameters
$[64, \ge 77 - m, \ge m - 26]_8$ for $26 < m < 64$.
12.7. Compare the designed minimum distances dc> and dFR of the codes C* (Do, mr .xoo)
coming from the Suzuki curve X in the range 4 ~ r ~ 21. Prove thatdc> = dFR, for
r:2:: 41.
12.8. Check that if the bases of $L(D)$, $L(D')$, and $L(D - D')$ are already given then the
basic decoding algorithm for a geometric Goppa $[n,k,d]_q$-code $C^*$ uses at most $cn^3$
arithmetical operations in the field $\mathbb{F}_q$, where the positive constant $c$ does not depend
on $n$ and $q$.
Chapter 13

Bounds

The significance of geometric Goppa codes is clarified when we consider asymptotic problems.

13.1. ASYMPTOTIC BOUNDS

We have seen in Chapter 10 that the Goppa construction gives the following
inequality for the parameters of an $[n,k,d]_q$-code $C$:

$$k \ge n - d - (g - 1).$$

If we now apply this construction to the modular curve $X_0(N)$ over $\mathbb{F}_{p^2}$, from Theorem
9.11 we obtain:
Theorem 13.1 (the Tsfasman-Vladut-Zink theorem). There exists a family of
geometric Goppa codes over $\mathbb{F}_q$, $q = p^2$, such that

It follows from Theorem 6.23 that the above result cannot be improved in this
way.
Corollary 13.2. If $q = p^2$ then
$$\alpha_q^{\mathrm{lin}}(\delta) \ge R_{AG}(\delta) = 1 - \delta - (\sqrt{q} - 1)^{-1}.$$
Theorems 9.12, 11.29, and 11.30 show that this result is also true for any $q$
that is an even power of a prime $p$.


Theorem 13.3. The AG-bound $R_{AG}$ lies completely below the Gilbert-Varshamov
bound for $q = p^{2v} < 49$. For $q = p^{2v} \ge 49$ these bounds intersect, and $R_{AG}$ lies
above $R_{GV}$ on the interval $(\delta_1, \delta_2)$, where $\delta_1$ and $\delta_2$ are zeros of the equation

Proof: Consider the tangent to $R_{GV}$ parallel to the AG-bound

If it is above the AG-bound then the bounds do not intersect; otherwise they do
intersect, and in this case the first coordinates of the intersection points are defined as
zeros of the equation
$$H_q(\delta) - \delta = (\sqrt{q} - 1)^{-1}.$$
The tangent line is given by

$$R = 1 - \delta - (\log_q(2q - 1) - 1),$$

and the equation $H_q(\delta) - \delta = (\sqrt{q} - 1)^{-1}$ has two zeros if and only if
$(\sqrt{q} - 1)^{-1} < \log_q(2q - 1) - 1$. It is easy to see that for $q = p^{2v}$ the last inequality
holds if and only if $q \ge 49$. •
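Theorem 13.3 can be checked numerically. The Python sketch below is an added example, not code from the book: it evaluates the criterion from the proof, $(\sqrt{q} - 1)^{-1} < \log_q(2q - 1) - 1$, and locates $\delta_1$ and $\delta_2$ by bisection on $H_q(\delta) - \delta = (\sqrt{q} - 1)^{-1}$. All function names are my own; the tangent point $\delta = (q-1)/(2q-1)$ is obtained from $H_q'(\delta) = 1$.

```python
import math


def entropy_q(delta, q):
    """q-ary entropy H_q(delta) for 0 <= delta < 1, with H_q(0) = 0."""
    if delta <= 0.0:
        return 0.0
    return (delta * math.log(q - 1, q)
            - delta * math.log(delta, q)
            - (1.0 - delta) * math.log(1.0 - delta, q))


def r_gv(delta, q):
    """Gilbert-Varshamov bound R_GV(delta) = 1 - H_q(delta)."""
    return 1.0 - entropy_q(delta, q)


def ag_gap(q):
    """Offset (sqrt(q) - 1)^(-1) of the AG-bound."""
    return 1.0 / (math.sqrt(q) - 1.0)


def r_ag(delta, q):
    """AG-bound R_AG(delta) = 1 - delta - (sqrt(q) - 1)^(-1)."""
    return 1.0 - delta - ag_gap(q)


def tangent_point(q):
    """delta at which R_GV has slope -1, i.e. where H_q(delta) - delta is maximal."""
    return (q - 1.0) / (2.0 * q - 1.0)


def tangent_gap(q):
    """Offset log_q(2q - 1) - 1 of the tangent line R = 1 - delta - offset."""
    return math.log(2 * q - 1, q) - 1.0


def bounds_intersect(q):
    """Criterion from the proof: the AG line lies above the tangent line."""
    return ag_gap(q) < tangent_gap(q)


def bisect_root(f, lo, hi, iterations=200):
    """Root of f on [lo, hi]; f(lo) and f(hi) must have opposite signs."""
    f_lo = f(lo)
    for _ in range(iterations):
        mid = 0.5 * (lo + hi)
        f_mid = f(mid)
        if (f_mid > 0.0) == (f_lo > 0.0):
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def intersection_points(q):
    """Return (delta_1, delta_2), or None when the bounds do not intersect."""
    if not bounds_intersect(q):
        return None

    def excess(delta):
        # R_AG(delta) - R_GV(delta); positive exactly on (delta_1, delta_2)
        return entropy_q(delta, q) - delta - ag_gap(q)

    d0 = tangent_point(q)
    # excess < 0 at delta = 0 and at delta = (q-1)/q, and > 0 at the tangent point
    return bisect_root(excess, 0.0, d0), bisect_root(excess, d0, (q - 1.0) / q)


if __name__ == "__main__":
    # even powers of primes around the threshold q = 49
    for q in (4, 9, 16, 25, 49, 64, 81, 121):
        print(q, bounds_intersect(q), intersection_points(q))
```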
Recall that the AG-bound does not depend on the construction of the geometric
Goppa codes we use. Using the L-construction (or the Ω-construction) we can put
$D = m \cdot x_0$, where $x_0 \in X(\mathbb{F}_q)$, and construct codes of length $n = |X(\mathbb{F}_q)| - 1$
evaluating at the other $\mathbb{F}_q$-rational points of $X$.
Note also (see Tsfasman and Vladut [208, Ch. 3.4]) that the inequality

$$\alpha_q^{\mathrm{lin}}(\delta) \ge R_{AG}(\delta) = 1 - \delta - (\sqrt{q} - 1)^{-1}$$

may be sharpened for $q = p^{2v}$ on intervals $(\delta_1', \delta_1'')$ and $(\delta_2', \delta_2'')$ containing $\delta_1$ and
$\delta_2$, respectively, where $\delta_1'$, $\delta_2'$ are zeros of the equation
Hq(8) +.-!Ll (1- 8) = 1 + ("fij _1)-1,
q-
and $\delta_1''$, $\delta_2''$ are zeros of the equation
$$H_q(\delta) + (1 - \delta)\log_q(q - 1) = 1 + (\sqrt{q} - 1)^{-1}.$$

13.2. CONSTRUCTIVE BOUNDS

Effectiveness problems play an essential role for concrete applications of the
results of coding theory. From that point of view there are three problem areas
associated with a code (or a class of codes): construction, encoding and decoding.
Therefore we arrive at three corresponding questions concerning the complexity of
construction, encoding, and decoding of some classes of codes (see Aho, Hopcroft
and Ullman [2] for a more detailed treatment of the complexity theory). Let us
note at once that for linear codes their encoding procedure is trivial.
Let $\{C_i\}$ be a family of linear $[n_i, k_i, d_i]_q$-codes over a finite field $\mathbb{F}_q$ of steadily
growing length $n_i$, and let $G_i$ be a generator matrix of $C_i$. The family $\{C_i\}$ is
called polynomial (or having a polynomial structure complexity) if and only if
there exists an algorithm to construct the matrices $G_i$ whose complexity is bounded by
a polynomial in $n_i$. In general, a family $\{C_i\}$ of $[n_i, k_i, d_i]_q$-codes (not necessarily
linear) is said to be polynomial if and only if both the construction and encoding
algorithms for each $C_i$ are polynomial in $n_i$.
We define families of $[n_i, k_i, d_i]_q$-codes having a polynomial decoding procedure
in a similar way. Let $\{C_i\}$ be a family of codes equipped with algorithms
$\{A_i\}$ of decoding up to $\lfloor (d_i - 1)/2 \rfloor$. Then we say $\{C_i, A_i\}$ is a family having a
polynomial decoding complexity if and only if there exists a universal algorithm $A$
generating all the $A_i$, where $A_i$ is polynomial in $n_i$, and the number of operations
needed to apply each $A_i$ to a received vector is also polynomial as a function of $n_i$.
Define $U_q^{\mathrm{pol,lin}}$ as the set of those limit points $(\delta, R) \in U_q^{\mathrm{lin}}$ for which there
exist polynomial (in $n_i$) families of linear $[n_i, k_i, d_i]_q$-codes with $d_i/n_i \to \delta$ and
$k_i/n_i \to R$.
Theorem 13.4. There exists a continuous function $\alpha_q^{\mathrm{pol,lin}}(\delta)$ on the interval $[0, 1]$
such that
$$U_q^{\mathrm{pol,lin}} = \{(\delta, R) \mid 0 \le R \le \alpha_q^{\mathrm{pol,lin}}(\delta)\}.$$
It is fairly obvious that $\alpha_q^{\mathrm{pol,lin}}(\delta) \le \alpha_q^{\mathrm{lin}}(\delta) \le \alpha_q(\delta)$. Unfortunately, we do
not know a specific polynomial upper bound. All the known upper bounds are
those for $\alpha_q(\delta)$. Codes on the Gilbert-Varshamov bound are constructed by an
essentially non-polynomial method. On the other hand, concatenation gives the
following result.
Theorem 13.5 (the Zyablov bound).
$$\alpha_q^{\mathrm{pol,lin}}(\delta) \ge R_Z(\delta) = \max_{\delta \le \delta' \le (q-1)/q} \{(1 - \delta/\delta')(1 - H_q(\delta'))\}.$$

Using generalized concatenation one can improve this result as follows:

Theorem 13.6 (the Blokh-Zyablov bound).
$$\alpha_q^{\mathrm{pol,lin}}(\delta) \ge R_{BZ}(\delta) = R_{GV}(\delta) - \delta \int_0^{R_{GV}(\delta)} \frac{dR}{\delta_{GV}(R)},$$
where $\delta_{GV}(R)$ is the inverse of the function
$R_{GV}(\delta) = 1 - H_q(\delta)$.

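If now we use concatenation with outer codes over a fixed finite extension $\mathbb{F}_{q^k}$
we get (see [216]):

Proposition 13.7. If there exists a linear $[n,k,d]_q$-code $C_0$ then

$$\alpha_q^{\mathrm{pol,lin}}(\delta) \ge \frac{k}{n} \cdot \alpha_{q^k}^{\mathrm{pol,lin}}\left(\frac{n}{d}\,\delta\right).$$

In particular,
$$\alpha_q^{\mathrm{pol,lin}}(\delta) \ge \max_C \left\{\frac{k}{n} \cdot \alpha_{q^k}^{\mathrm{pol,lin}}\left(\frac{n}{d} \cdot \delta\right)\right\},$$
where the maximum is taken over all linear $[n,k,d]_q$-codes $C$.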

Geometric Goppa codes make it possible to sharpen the above lower bound
for $\alpha_q^{\mathrm{pol,lin}}(\delta)$ (see Manin and Vladut [120]).

Theorem 13.8 (the Vladut theorem). If $q$ is an even power of a prime $p$ then

To prove this theorem it is sufficient to find a polynomial algorithm of construction
for geometric Goppa codes on some family of curves $X_i$ over $\mathbb{F}_q$ of growing
genus $g_i = g(X_i)$ such that

$$\limsup_{g_i \to \infty} \frac{|X_i(\mathbb{F}_q)|}{g_i} = \sqrt{q} - 1.$$

The Concatenation Bound


Applying Proposition 13.7 to geometric Goppa codes and using the result of
Theorem 13.8 we obtain the following statement valid for any $q$ (see [216]):

Theorem 13.9. Let

the maximum being taken over all linear $[n,k,d]_q$-codes $C$ such that $q^k$ is a square.
Then
Then
ago1,lin (8) :::: R8 n (8).
Unfortunately, we do not know the precise value of this bound. The reason is, of
course, that we do not know the parameters of linear $q$-ary codes. However, each
code from the set described in the theorem gives a lower bound for $\alpha_q^{\mathrm{pol,lin}}(\delta)$ (see
[216]).

Theorem 13.10. For any $q = p^v$ and for any $\delta \in (0, (q - 1)/q)$ we have

R8n(8) > RBZ(8).


For $\delta \to 0$ the concatenation bound behaves twice as badly as $R_{GV}(\delta)$. Now we shall
give another bound which is good for small values of $\delta$.

The Restriction Bound


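Let us apply the field restriction.

Theorem 13.11. Let

$$R^{\mathrm{lin}}(\delta) = \max_v \left\{1 - \frac{v(q-1)}{q} \cdot \delta - \frac{2v(q-1)}{q(q^{v/2} - 1)}\right\},$$

the maximum being taken over all integers $v \ge 1$ such that $q^v$ is a square. Then

$$\alpha_q^{\mathrm{pol,lin}}(\delta) \ge R^{\mathrm{lin}}(\delta).$$

Proof: See Katsman and Tsfasman [91].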
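To see why the restriction bound is described as good for small values of $\delta$, the Python example below (added here, not from the book) evaluates it against the Zyablov bound of Theorem 13.5 and finds where the two cross. It assumes the reading $R^{\mathrm{lin}}(\delta) = \max_v \{1 - v(q-1)\delta/q - 2v(q-1)/(q(q^{v/2} - 1))\}$ of Theorem 13.11; the function names, the grid sizes and the cap on $v$ are my own choices.

```python
import math


def entropy_q(x, q):
    """q-ary entropy H_q(x) for 0 <= x < 1, with H_q(0) = 0."""
    if x <= 0.0:
        return 0.0
    return (x * math.log(q - 1, q) - x * math.log(x, q)
            - (1.0 - x) * math.log(1.0 - x, q))


def zyablov(delta, q, steps=2000):
    """Zyablov bound: max over delta <= d' <= (q-1)/q of
    (1 - delta/d') * (1 - H_q(d')), evaluated on a uniform grid in d'."""
    top = (q - 1.0) / q
    if delta <= 0.0:
        return 1.0
    if delta >= top:
        return 0.0
    best = 0.0
    for i in range(1, steps + 1):
        d = delta + (top - delta) * i / steps
        best = max(best, (1.0 - delta / d) * (1.0 - entropy_q(d, q)))
    return best


def restriction(delta, q, v_max=64):
    """Restriction bound (assumed reading of Theorem 13.11): max over
    integers 1 <= v <= v_max with q^v a square of
    1 - v(q-1)/q * delta - 2v(q-1) / (q (q^(v/2) - 1)).
    Negative values carry no information, so the result is clamped at 0."""
    q_is_square = math.isqrt(q) ** 2 == q
    best = 0.0
    for v in range(1, v_max + 1):
        if v % 2 == 1 and not q_is_square:
            continue  # q^v is a square only for even v unless q is a square
        loss = v * (q - 1.0) / q
        # q^(v/2), capped in the exponent so that large q and v cannot overflow
        q_half_power = math.exp(min(0.5 * v * math.log(q), 700.0))
        best = max(best, 1.0 - loss * delta - 2.0 * loss / (q_half_power - 1.0))
    return best


def crossover(q, grid=200):
    """Smallest grid value of delta in (0, (q-1)/q) at which the Zyablov
    bound is at least as good as the restriction bound, or None."""
    top = (q - 1.0) / q
    for i in range(1, grid):
        delta = top * i / grid
        if zyablov(delta, q) >= restriction(delta, q):
            return delta
    return None


if __name__ == "__main__":
    for delta in (0.001, 0.01, 0.05, 0.1, 0.15):
        print(delta, round(restriction(delta, 2), 4), round(zyablov(delta, 2), 4))
    print("binary crossover near delta =", crossover(2))
```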



13.3. OTHER BOUNDS

Now we consider the question concerning asymptotic bounds for non-linear codes
having a polynomial decoding complexity. For the set of all polynomial families
of $[n,k,d]_q$-codes (linear, or non-linear), let us introduce into consideration the
function $\alpha_q^{\mathrm{pol}}(\delta)$ (its definition is quite similar to the definition of the function
$\alpha_q^{\mathrm{pol,lin}}(\delta)$).

Bounds for Non-Linear Codes


Since concatenation can be applied to non-linear codes as well, Theorem 13.8 has
the following obvious analogue.
Theorem 13.12. Let

$$R_0(\delta) = \max_C \left\{\frac{k}{n} \cdot \left(1 - (q^{k/2} - 1)^{-1}\right) - \frac{k}{d} \cdot \delta\right\},$$

the maximum being taken over all $[n,k,d]_q$-codes such that $k \ge 1$ is an integer
and $q^k$ is an even power of a prime. Then

If now we apply alphabet extension to the bound $R_0(\delta)$, we obtain the following
result for $\alpha_q^{\mathrm{pol}}(\delta)$:

Theorem 13.13. Let

2v) ((pv -2)2v 2v )}


(pv -l)n - d' 8
I {(
Ro(8) = mgx 10gMP ,

where the maximum is taken over all $[n,k,d]_{p^{2v}}$-codes $C$, and where the prime $p$
and an integer $v \ge 1$ are such that $M = q^k \ge p^{2v}$. Then

Bounds for Polynomially Decodable Codes


In the preceding subsection we have considered asymptotic bounds for polynomial
families of codes, but we have not considered decoding problems.
Let us consider now a polynomial family of $[n,k,d]_q$-codes $C_i$ with the property
that for each $C_i$ there is a polynomial (in $n_i$) decoding algorithm correcting
$t_i \le \lfloor d_i/2 \rfloor$ errors. Let
$$T = \liminf_{n_i \to \infty} \frac{t_i}{n_i}.$$

The family $C_i$ corresponds to the point $(2T, R)$ in the unit square $[0, 1]^2$ of the
$(\delta, R)$-plane. Then we can define

$$\alpha_q^{\mathrm{pol.dec}}(\delta) \quad \text{and} \quad \alpha_q^{\mathrm{pol.dec,lin}}(\delta)$$

similarly to the definition of $\alpha_q^{\mathrm{pol,lin}}(\delta)$.


Just as for $\alpha_q^{\mathrm{pol,lin}}(\delta)$ we have:

Theorem 13.14. Let $q = p^{2v}$. Then

$$\alpha_q^{\mathrm{pol.dec,lin}}(\delta) \ge 1 - \delta - 2(\sqrt{q} - 1)^{-1}.$$

Moreover, we have the following results (see Skorobogatov and Vladut [180]):

Theorem 13.15. Let

$$R_0^{\mathrm{lin}}(\delta) = \max_C \left\{\frac{k}{n} \cdot \left(1 - 2(q^{k/2} - 1)^{-1}\right) - \frac{k}{d} \cdot \delta\right\}$$

and

the maximum being taken over all linear $[n,k,d]_q$-codes $C$ and over all (not only
linear) codes $C'$, respectively, such that $q^k$ is a square. Then
$$\alpha_q^{\mathrm{pol.dec,lin}}(\delta) \ge R_0^{\mathrm{lin}}(\delta)$$
and

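Theorem 13.16. Let

$$R^{*\,\mathrm{lin}}(\delta) = \max_v \left\{1 - \frac{v(q-1)}{q}\,\delta - \frac{3v(q-1)}{q(q^{v/2} - 1)}\right\},$$

the maximum being taken over all integers $v \ge 1$ such that $q^v$ is a square. Then
$$\alpha_q^{\mathrm{pol.dec,lin}}(\delta) \ge R^{*\,\mathrm{lin}}(\delta).$$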

EXERCISES

13.1. Prove Theorem 13.4.


13.2. Prove Theorem 13.5. (Hint: Consider a family of Reed-Solomon $[n_i, k_i, d_i]_{q^{k_i'}}$-codes,
where $q_i = q^{k_i'}$, such that $k_i \to \infty$, $d_i/n_i \to \delta_0$, $k_i/n_i \to R_0$, $\delta_0 + R_0 = 1$,
$n_i = q_i$, and a family of $[n_i', k_i', d_i']_q$-codes with $n_i' \to \infty$, $d_i'/n_i' \to \delta'$, $k_i'/n_i' \to R'$,
$R' = 1 - H_q(\delta')$; then show that concatenation gives $[n_i n_i', k_i k_i', d_i d_i']_q$-codes with
$R = R_0 R' = (1 - \delta_0)(1 - H_q(\delta'))$, $\delta = \delta_0 \delta'$, and that the construction is polynomial
in $n_i n_i'$.)
13.3. Let

Show that:
(a) I-RBz(8)~~L8.lo~8 for 8~00;

(b) RBZ(W) ~ 6(q-f;ZIOgq . w 2 for W = (q -I)/q - 8 ~ o.


13.4. Prove Proposition 13.7 and Theorem 13.9.
13.5. Show that:
(a) for 8 ~ 0 the bound Rgn(8) behaves at worst as

$$R \sim 1 + 2\delta \log_q \delta;$$

(b) for w = (q -1)/2 - 8 ~ 0 the bound Rgn(8) behaves at worst as

if $q = p^{2v}$
if $q = p^{2v+1}$

13.6. Show that

$$R^{\mathrm{lin}}(\delta) \sim 1 + 2\,\frac{q-1}{q} \cdot \delta \log_q \delta \quad \text{for } \delta \to 0.$$

13.7. Prove Theorem 13.13. (Hint: Show that $\alpha_q^{\mathrm{pol}}(\delta) \ge \max_{q' \le q} (\alpha_{q'}^{\mathrm{pol}}(\delta) \log_q q')$ under
the alphabet extension, and then apply the obtained result to the bound $R_0(\delta)$.)
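13.8. Prove that:
(a)
$$\alpha_q^{\mathrm{pol.dec,lin}}(\delta) \ge R_Z(\delta) = \max_{\delta \le \delta' \le (q-1)/q} \{(1 - \delta/\delta')(1 - H_q(\delta'))\};$$

(b)
$$\alpha_q^{\mathrm{pol.dec,lin}}(\delta) \ge R_{BZ}(\delta) = R_{GV}(\delta) - \delta \int_0^{R_{GV}(\delta)} \frac{dR}{\delta_{GV}(R)}.$$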
13.9. Prove Theorems 13.14 to 13.16.
Bibliography

[1] Aaltonen M. J., Notes on the asymptotic behavior of the information rate of block codes, IEEE Trans. Info. Theory, 1984, IT-30, p. 84-85.

[2] Aho A., Hopcroft J., Ullman J., The Design and Analysis of Computing Algorithms, Addison-Wesley, Reading, MA, 1974.

[3] Artin E., Quadratische Körper im Gebiete der höheren Kongruenzen 1, 2, Math. Zeitschr., 1924, 19, p. 153-246.

[4] Artin E., Algebraic Numbers and Algebraic Functions, Gordon and Breach, New York, 1967.

[5] Atiyah M. F., Macdonald I. G., Introduction to Commutative Algebra, Addison-Wesley, Reading, MA, 1969.

[6] Atkin A. O. L., Weierstrass points of cusps of $\Gamma_0(N)$, Ann. Math., 1967, 85, no. 1, p. 42-45.

[7] Aubry Y., Perret M., A Weil theorem for singular curves, Proc. of Arithmetic, Geometry and Coding Theory IV, De Gruyter, 1995.

[8] Aubry Y., Perret M., Coverings of singular curves over finite fields, Manuscripta Math., 1995, 88, p. 467-478.

[9] Barg A. M., Exponential sums and constrained error-correcting codes, Lect. Notes in Comp. Science, 573, Springer-Verlag, Berlin, 1991, p. 16-22.

[10] Barg A. M., Some new NP-complete coding problems, Probl. Info. Trans., 1994, 30, no. 2, p. 23-28.

[11] Barg A. M., Katsman G. L., Tsfasman M. A., Algebraic-geometric codes on curves of small genus, Probl. Info. Trans., 1987, 23, p. 34-38.

[12] Bassalygo L. A., Zinoviev V. A., Litsyn S. N., A lower estimate of complete trigonometrical sums in terms of multiple sums, Soviet Math. Dokl., 1988, 37, p. 756-759.


[13] Berlekamp E. R., Algebraic Coding Theory, McGraw-Hill, New York, 1968.

[14] Berlekamp E. R., (Editor) Key Papers in the Development of Coding Theory, IEEE Press, New York, 1974.

[15] Beth T., Some aspects of coding theory between probability, algebra, combinatorics and complexity theory, Combinatorial Theory, Lecture Notes in Math., 969, Springer-Verlag, New York, 1982, p. 12-29.

[16] Blahut R. E., Theory and Practice of Error Control Codes, Addison-Wesley, Reading, MA, 1983.

[17] Bombieri E., Counting points on curves over finite fields [d'apres S. A. Stepanov], Sem. Bourbaki, 25 eme annee, 1972/73, 430, p. 1-8; Lecture Notes in Math., 383, Springer-Verlag, New York, 1974, p. 234-241.

[18] Carlitz L., Uchiyama S., Bounds for exponential sums, Duke Math. J., 1957, 24, p. 179-193.

[19] Chebotarev N. G., The Theory of Algebraic Functions, M.-L., 1948 (in Russian).

[20] Chevalley C., Introduction to the Theory of Algebraic Functions of One Variable, Math. Surv., 6, AMS, New York, 1951.

[21] Conway J. H., Sloane N. J. A., Sphere Packings, Lattices and Groups, Springer-Verlag, New York, 1988.

[22] Deligne P., Cohomologie Etale, Lecture Notes in Math., 569, Springer-Verlag, New York, 1977.

[23] Deligne P., Husemoller D., Drinfeld modular curves, Contemp. Math., 1987, 67, p. 25-91.

[24] Deuring M., Lectures on the Theory of Algebraic Functions of One Variable, Lecture Notes in Math., 314, Springer-Verlag, New York, 1973.

[25] Driencourt Y., Some Properties of Elliptic Codes over a Field of Characteristic 2, Lect. Notes in Comp. Science, 229, 1985.

[26] Driencourt Y., Michon J. F., Remarques sur les codes geometriques, C. R. Acad. Sci. Paris, Ser. I, 1985, 301, p. 15-17.

[27] Driencourt Y., Michon J. F., Rapport sur les codes geometriques, Preprint, 1986.

[28] Driencourt Y., Michon J. F., Elliptic curves over field of characteristic 2, 3, Pure Appl. Algebra, 1987, 45, p. 15-39.

[29] Driencourt Y., Stichtenoth H., A criterion for self-duality of codes, Commun. Algebra, 1989, 17, no. 4, p. 885-898.

[30] Drinfeld V. G., Elliptic modules 1, 2, Math. USSR Sbornik, 1974, 23, no. 4, p. 561-592; 1977, 31, no. 2, p. 159-170.

[31] Duursma I. M., Algebraic decoding using special divisors, IEEE Trans. Info. Theory, 1993, IT-39, p. 694-698.

[32] Duursma I. M., Majority coset decoding, IEEE Trans. Info. Theory, 1993, IT-39, p. 1067-1070.

[33] Duursma I. M., Decoding codes from curves and cyclic codes, Ph. D. Dissertation, Eindhoven
Univ. Techn., The Netherlands, 1993.

[34] Ehrhard D., Über das Dekodieren algebraisch-geometrischer codes, Ph. D. Dissertation, Universität Düsseldorf, Germany, 1991.

[35] Ehrhard D., Decoding algebraic-geometric codes by solving a key equation, Proc. AGCT-3, Luminy 1991, Lect. Notes in Math., 1518, Springer-Verlag, New York, 1992, p. 18-25.

[36] Ehrhard D., Achieving the designed error capacity in decoding algebraic-geometric codes, IEEE Trans. Info. Theory, 1993, IT-39, p. 743-751.

[37] Eichler M., Quaternäre quadratische Formen und die Riemannsche Vermutung für die Kongruenzzetafunktion, Arch. Math., 1954, 5, p. 355-366.

[38] Eichler M., Introduction to the Theory of Algebraic Numbers and Functions, Academic Press, New York, 1966.

[39] Feng G. L., Rao T. R. N., Decoding algebraic-geometric codes up to the designed minimum distance, IEEE Trans. Info. Theory, 1993, IT-39, p. 37-45.

[40] Feng G. L., Rao T. R. N., A simple approach for construction of algebraic-geometric codes from affine plane curves, IEEE Trans. Info. Theory, 1994, IT-40, p. 1003-1012.

[41] Feng G. L., Rao T. R. N., Improved geometric Goppa code-Part I: Basic Theory, IEEE Trans. Info. Theory, 1995, 41, no. 6, p. 1678-1693.

[42] Frey G., Perret M., Stichtenoth H., On the different of abelian extensions of global fields,
Coding Theory and Algebraic Geometry, Lect. Notes in Math., 1518, Springer-Verlag, Berlin,
1992, p. 2~32.

[43] Fried M. D., Jarden M., Field Arithmetic, Springer-Verlag, New York, 1986.

[44] Forney G. D. Jr., Concatenated Codes, MIT Press, Cambridge, MA, 1966.

[45] Fuhrmann R., Torres F., The genus of curves over finite fields with many rational points,
Manuscripta Math., 1996,89, p. 103-106.

[46] Fuhrmann R., Torres F., On curves over finite fields with many rational points, Preprint, 1996.

[47] Fulton W., Plane Algebraic Curves, W. A. Benjamin, New York, 1969.

[48] Garcia A., The curve $y^n = f(x)$ over finite fields, Arch. Math., 1990, 54, p. 3~.

[49] Garcia A., On Goppa codes and Artin-Schreier extensions, Preprint, 1991.

[50] Garcia A., Kim S. J., Lax R. F., Consecutive Weierstrass gaps and minimum distance of Goppa codes, J. Pure and Appl. Algebra, to appear.

[51] Garcia A., Lax R. F., Goppa codes and Weierstrass points, Coding Theory and Algebraic
Geometry, Lect. Notes in Math., 1518, Springer-Verlag, Berlin, 1992, p. 33-42.

[52] Garcia A., Stichtenoth H., Elementary abelian p-extensions of algebraic function fields,
Manuscripta Math., 1991,72, p. 67-79.

[53] Garcia A., Stichtenoth H., A tower of Artin-Schreier extensions of function fields attained the Drinfeld-Vladut bound, Invent. Math., 1995, 121, p. 211-222.

[54] Garcia A., Stichtenoth H., Algebraic function fields over finite fields with many rational places,
IEEE Trans. Info. Theory, 1995, IT-41, no. 6, p. 1548-1562.

[55] Garcia A., Stichtenoth H., On towers and composita of towers of function fields over finite
fields, Finite Fields and their Appl., to appear.

[56] Garcia A., Stichtenoth H., On the asymptotic behavior of some towers of function fields over
finite fields, J. Number Theory, to appear.

[57] Garcia A., Voloch J. F., Fermat curves over finite fields, J. Number Theory, 1988, 30, p. 345-356.

[58] van der Geer G., van der Vlugt M., Artin-Schreier curves and codes, J. Algebra, 1991, 139, p. 256-272.

[59] van der Geer G., van der Vlugt M., Curves over finite fields of characteristic 2 with many rational points, C. R. Acad. Sci. Paris, Ser. I, 1993, 317, p. 593-597.

[60] van der Geer G., van der Vlugt M., Fibre products of Artin-Schreier curves and generalized Hamming weights of codes, J. Comb. Theory A, 1995, 70, no. 2, p. 337-348.

[61] van der Geer G., van der Vlugt M., How to construct curves over finite fields with many points, Preprint, 1996.

[62] Gluhov M. M., On lower bounds for character sums over finite fields, Diskret. Mat., 1994, 6, no. 3, p. 136-142.

[63] Gluhov M. M., Ozbudak F., Codes on superelliptic curves, Turkish Journ. of Math., to appear.

[64] Goppa V. G., Codes on algebraic curves, Soviet Math. Dokl., 1981, 24, p. 170-172.

[65] Goppa V. G., Codes and information, Russ. Math. Surveys, 1984, 39, no. 1, p. 87-141.

[66] Goppa V. G., Geometry and Codes, Kluwer Acad. Publ., Dordrecht, 1988.

[67] Griffiths P. A., Harris J., Principles of Algebraic Geometry, Wiley, New York, 1978.

[68] Grothendieck A. (with Dieudonne J.), Elements de Geometrie Algebrique, Publ. Math. IHES, 4 (1960), 8, 11 (1961), 17 (1963), 20 (1964), 24 (1965), 28 (1966), 32 (1967).

[69] Gunning R. C., Lectures on Modular Forms, Ann. Math. Studies, 48, Princeton Univ. Press, Princeton, NJ, 1962.

[70] Hansen J. P., Codes on the Klein quartic, ideals and decoding, IEEE Trans. Info. Theory, 1987, IT-33, p. 923-925.

[71] Hansen J. P., Group Codes on Algebraic Curves, Mathematica Gottingensis, Heft 9, 1987.

[72] Hansen J. P., Deligne-Lusztig varieties and group codes, Coding Theory and Algebraic Geometry, Lect. Notes in Math., 1518, Springer-Verlag, Berlin, 1992, p. 63-81.

[73] Hartshorne R., Algebraic Geometry, Springer-Verlag, New York, 1977.

[74] Hasse H., Zur Theorie der abstrakten elliptischen Funktionenkörper 1-3, J. reine angew. Math. 1936, 177, p. 55-62; 69-88; 193-208.

[75] Helleseth T., On the covering radius of cyclic linear codes and arithmetic codes, Discr. Appl. Math., 1985, 11, p. 157-173.

[76] Hijikata H., Explicit formula for the traces of the Hecke operators for $\Gamma_0(N)$, J. Math. Soc. Japan, 1974, 26, p. 56-80.

[77] Hirschfeld J. W. P., Projective Geometries over Finite Fields, Oxford Univ. Press, Oxford, U. K., 1979.

[78] Hirschfeld J. W. P., Linear codes and algebraic curves, Geometric Combinatorics, Pitman, Boston, 1984, p. 35-53.

[79] Hirschfeld J. W. P., Tsfasman M. A., Vladut S. G., The weight hierarchy of higher-dimensional Hermitian codes, IEEE Trans. Info. Theory, 1994, IT-40, p. 275-278.

[80] Hoholdt T., Pellikaan R., On the Decoding of Algebraic-Geometric Codes, IEEE Trans. Info. Theory, 1995, 41, no. 6, p. 1589-1614.

[81] Husemöller D., Elliptic Curves, Springer-Verlag, New York, 1997.

[82] Igusa J., Kroneckerian model of fields of elliptic modular functions, Amer. J. Math., 1959, 81, p. 561-577.

[83] Igusa J., Theta Functions, Springer-Verlag, Berlin, 1972.

[84] Ihara Y., Hecke polynomials as congruence ζ functions in elliptic modular case, Ann. Math., 1967, 85, p. 267-295.

[85] Ihara Y., Some remarks on the number of rational points of algebraic curves over finite fields, J. Fac. Sci. Tokyo, Ser. IA, 1981, 28, p. 721-724.

[86] Janwa H., Some optimal codes from algebraic geometry and their covering radii, Europe. J. Combinatorics, 1990, 11, p. 249-266.

[87] Justesen J., Larsen K. J., Jensen H. E., Havemose A., Hoholdt T., Construction and decoding of a class of algebraic geometry codes, IEEE Trans. Info. Theory, 1989, IT-35, p. 811-821.

[88] Kabatyanski G. A., Levenshtein V. I., Bounds for packing on a sphere and in a space, Probl. Info. Trans., 1978, 14, no. 1, p. 1-17.

[89] Kamiya N., Miura S., On a fast decoding algorithm for geometric Goppa codes defined on certain algebraic curves with at most one higher cusp, IEEE Intern. Symp. on Info. Theory, San Antonio, TX, 1993.

[90] Katsman G. L., Tsfasman M. A., Spectra of algebraic-geometric codes, Probl. Info. Trans., 1987, 23, p. 262-275.

[91] Katsman G. L., Tsfasman M. A., A remark on algebraic-geometric codes, Contemp. Math., 1989, 93, p. 197-199.

[92] Katz N., Sommes Exponentielles, Asterisque 79, Soc. Math. de France, Paris, 1980.

[93] Katz N., Gauss Sums, Kloosterman Sums, and Monodromy Groups, Princeton Univ. Press, NJ,
1988.

[94] Katz N., Mazur B., Arithmetic moduli of elliptic curves, Ann. Math. Studies, Princeton, 1985.

[95] Kirfel C., Pellikaan R., The minimum distance of codes in array coming from telescopic semi-groups, The fourth Workshop on Arithmetic Geometry and Coding Theory, Luminy, France, 1993; IEEE Trans. Info. Theory, 1995, 41, no. 6, p. 1720-1732.

[96] Koblitz N., Introduction to Elliptic Curves and Modular Forms, Springer-Verlag, New York,
1984.

[97] Kodama T., Washio T., A family of hyperelliptic function fields with Hasse-Witt invariant
zero, J. Number Theory, 1990, 36, no. 2, p. 187-200.

[98] Kumar P. V., Yang K., On the true minimum distance of Hermitian codes, Coding Theory and Algebraic Geometry, Lect. Notes in Math., 1518, Springer-Verlag, Berlin, 1992, p. 99-107.

[99] Lachaud G., Les codes geometriques de Goppa, Sem. Bourbaki, 1985, no. 641, p. 1-19; Asterisque, 1986, 133-134, p. 189-207.

[100] Lachaud G., Sommes d'Eisenstein et nombre de points de certaines courbes algebriques sur les corps fini, C. R. Acad. Sci. Paris, Ser. I, 1987, 305, p. 729-732.

[101] Lachaud G., Exponential sums and the Carlitz-Uchiyama bound, Lecture Notes in Comp. Science, 1989, 338, p. 63-75.

[102] Lachaud G., The parameters of projective Reed-Muller codes, Discr. Math., 1990, 81, p.
217-220.

[103] Lachaud G., Artin-Schreier curves, exponential sums, and the Carlitz-Uchiyama bound for
geometric codes, J. Number Theory, 1991, 39, p. 18-40.

[104] Lachaud G., Number of points of plane sections and linear codes defined on algebraic varieties,
Preprint, 1994.

[105] Lachaud G., Wolfmann J., Sommes de Kloosterman, courbes elliptiques et codes cycliques en caracteristique 2, C. R. Acad. Sci. Paris, Ser. I, 1987, 305, p. 881-883.

[106] Lachaud G., Wolfmann J., The weights of the orthogonals of the extended quadratic binary
Goppa codes, IEEE Trans. Info. Theory, 1990, IT-36, no. 3, p. 686-692.

[107] Lang S., Introduction to Modular Forms, Springer-Verlag, New York, 1976.

[108] Lang S., Introduction to Algebraic and Abelian Functions, Graduate Text in Math., 89,
Springer-Verlag, New York, 1982.

[109] Lang S., Elliptic Functions, Addison-Wesley, Reading, MA, 1987.

[110] Lang S., Algebra, 3-rd edition, Addison-Wesley, Reading, MA, 1993.

[111] Lang S., Weil A., Number of points of varieties in finite fields, Amer. J. Math., 1954, 4, p. 819-827.

[112] Levenshtein V. I., Bounds for packing in metric spaces and certain applications, Probl. Kibernetiki, 1983, 40, p. 40-110.

[113] Levenshtein V. I., Krawtchouk polynomials and universal bounds for codes and designs in Hamming spaces, IEEE Trans. Info. Theory, 1995, 41, no. 5, p. 1303-1321.

[114] Lidl R., Niederreiter H., Finite Fields, Addison-Wesley, Reading, MA, 1993.

[115] van Lint J. H., Introduction to Coding Theory, Grad. Text in Math., 86, Springer-Verlag, New York, 1982.

[116] van Lint J. H., van der Geer G., Introduction to Coding Theory and Algebraic Geometry, Birkhäuser, Basel, 1988.

[117] van Lint J. H., Springer T. A., Generalized Reed-Solomon codes from algebraic geometry, IEEE Trans. Info. Theory, 1987, IT-33, p. 30>-309.

[118] MacWilliams F. J., Sloane N. J. A., The Theory of Error-Correcting Codes, North-Holland,
Amsterdam, 1977.

[119] Manin Yu. I., What is the maximum number of points on a curve over $\mathbb{F}_2$?, J. Fac. Sci. Tokyo, Ser. IA, 1982, 28, no. 3, p. 71>-720.

[120] Manin Y. I., Vladut S. G., Linear codes and modular curves, J. Soviet. Math., 1985, 30, p.
2611-2643.

[121] Matsumura H., Commutative Algebra, W. A. Benjamin, New York, 1970.

[122] McEliece R. J., The Theory of Information and Coding, Encyclopedia of Math. and its Appl., v. 3, Addison-Wesley, Reading, MA, 1977.

[123] McEliece R. J., Finite Fields for Computer Scientists and Engineers, Kluwer, Boston, 1987.

[124] Michon J. F., Codes de Goppa, Sem. Theorie Nombres, Bordeaux, 1983/84, 7, p. 1-17.

[125] Michon J. F., Les Codes BCH comme codes geometriques, Preprint, 1985.

[126] Michon J. F., Amelioration des parameters des codes de Goppa, Preprint, 1986.

[127] Miyake T., Modular Forms, Springer-Verlag, Berlin, 1989.

[128] Moreno C. J., Goppa codes and modular curves, Preprint, 1985.

[129] Moreno C. J., Algebraic Curves over Finite Field, Cambridge Univ. Press, 1991.

[130] Moreno C. J., Moreno O., Exponential sums and Goppa codes 1, 2, 3, 4, Preprints, 1988-89.

[131] Moreno C. J., Moreno O., Exponential sums and Goppa codes I, Proc. Amer. Math. Soc., 1991, 111, p. 523-531; 2, IEEE Trans. Info. Theory, 1992, IT-38, p. 1222-1229.

[132] Moreno C. J., Moreno O., An improved Bombieri-Weil bound in characteristic two and applications to coding theory, J. Number Theory, 1992, 42, p. 32-46.

[133] Moreno O., Counting traces of powers over $GF(2^m)$, Congr. Numer., 1980, 29, p. 673-680.

[134] Moreno O., Kumar P. V., Minimum distance bounds for cyclic codes and Deligne's theorem, IEEE Trans. Info. Theory, to appear.

[135] Ogg A., Hyperelliptic modular curves, Bull. Soc. Math. France, 1974, 102, p. 449-462.

[136] Ozbudak F., On lower bounds for incomplete character sums over finite fields, Finite Fields
and their Appl., 1996,2, p. 173-191.

[137] Ozbudak F., Codes on fibre products of some Kummer coverings, Preprint, 1996.

[138] Ozbudak F., On configurations of lines in $\mathbb{F}_q \times \mathbb{F}_q$ and fibre products of some Kummer coverings, Preprint, 1997.

[139] Pellikaan R., On a decoding algorithm for codes on maximal curves, IEEE Trans. Info. Theory, 1989, IT-35, p. 1228-1232.

[140] Pellikaan R., On the gonality of curves, abundant codes and decoding, Coding Theory and Algebraic Geometry, Lect. Notes in Math., 1518, Springer-Verlag, Berlin, 1992, p. 132-144.

[141] Pellikaan R., On the efficient decoding of algebraic-geometric codes, Proc. Eurocode 92, CISM Courses and Lectures, 339, Springer-Verlag, New York, 1993, p. 231-253.

[142] Perret M., Sur le nombre de points d'une courbe sur un corps fini; application aux codes correcteur d'erreurs, C. R. Acad. Sci. Paris, Ser. I, 1989, 309, p. 177-182.

[143] Perret M., Multiplicative character sums and nonlinear geometric codes, Lect. Notes in Comp. Science, 514, Springer-Verlag, Berlin, 1991, p. 158-165.

[144] Perret M., Tours ramifiees de corps de classes, J. Number Theory, 1991, 38, p. 300-322.

[145] Peterson W. W., Weldon E. J., Error-Correcting Codes, MIT Press, Cambridge, MA, 1972.

[146] Porter S. C., Ph. D. Dissertation, Yale University, New Haven, CT, 1988.

[147] Porter S. C., Shen B.-Z., Pellikaan R., Decoding geometric Goppa codes using extra place, IEEE Trans. Info. Theory, 1992, IT-38, p. 1663-1676.

[148] Quebbemann H. G., Cyclotomic Goppa codes, IEEE Trans. Info. Theory, 1988, IT-34, no. 5, p. 1317-1320.

[149] Quebbemann H. G., On even codes, Discr. Math., 1991, 98, p. 29-34.

[150] Rodier F., Minoration de certaines sommes exponentielles binaires, Lect. Notes in Math., 1518, Springer-Verlag, Berlin, 1992, p. 199-210.

[151] Rodier F., Minoration de certaines sommes exponentielles II, Preprint, 1993.

[152] Roland R., On hypersurfaces over a finite field and the parameters of the projective Reed-Muller codes, Preprint, 1990.

[153] Roquette P., Abschätzung der Automorphismezahl von Funktionenkörpern bei primzahl Characteristic, Math. Zeitschr., 1970, 117, p. 157-163.

[154] Rück H. G., On Goppa codes defined by Kummer and Artin-Schreier extensions, J. Pure and Appl. Algebra, 1990, 64, p. 163-169.

[155] Rück H. G., Stichtenoth H., A characterization of Hermitian function fields over finite fields, J. reine angew. Math., to appear.

[156] Sakata S., Jensen H. E., Hoholdt T., Generalized Berlekamp-Massey decoding of algebraic-geometric codes up to half the Feng-Rao bound, Trans. Info. Theory, 1995, 41, no. 6, p. 1762-1768.

[157] Sakata S., Justesen J., Madelung Y., Jensen H. E., and Hoholdt T., A fast decoding method of AG codes from Miura-Kamiya curves $C_{ab}$ up to half the Feng-Rao bound, Finite Fields and Their Appl., 1995, 1, p. 83-101.

[158] Scharlau W., Selbstduale Goppa Codes, Math. Nachr., 1989, 143, p. 119-122.

[159] Schmidt W. M., Equations over Finite Fields, Lecture Notes in Math., 536, Springer-Verlag, New York, 1976.

[160] Schoeneberg B., Über die Weierstrasspunkte in der Körpern der elliptischen Modulfunktionen, Abh. Math. Sem. Univ. Hamburg, 1951, 17, p. 104-111.

[161] Schoof R., Nonsingular curves over finite fields, J. Combin. Theory, Ser. A, 1987, 46, no. 2, p. 183-211.

[162] Schoof R., Algebraic curves and coding theory, UTM, 336, Univ. of Trento, 1990.

[163] Schoof R., Algebraic curves over $\mathbb{F}_2$ with many rational points, J. Number Theory, 1992, 41, p. 6-14.

[164] Schoof R., van der Vlugt M., Hecke operators and the weight distribution of certain codes, J. Combin. Theory, Ser. A, 1991, 57, p. 163-186.

[165] Serre J. P., Groups Algebriques et Corps de Classes, Hermann, Paris, 1959.

[166] Serre J. P., Majoration de sommes exponentielles, Asterisque 41-42, Soc. Math. France, Paris, 1977.

[167] Serre J. P., Local Fields, Springer-Verlag, New York, 1979.

[168] Serre J. P., Nombre de points de courbes algebriques sur $\mathbb{F}_q$, Sem. Theorie Nombres Bordeaux, 1982-83, 22, p. 1-8.

[169] Serre J. P., Sur le nombre des points rationnels d'une courbe algebrique sur un corps fini, C. R. Acad. Sci. Paris, Ser. I, 1983, 296, p. 397-402.

[170] Serre J. P., Resume des cours de 1983-1984, Annuaire du College de France, 1984, p. 79-83.

[171] Serre J. P., Rational points on curves over finite fields, Lectures given at Harvard University, Sept.-Dec. 1985.

[172] Shafarevich I. R., Basic Algebraic Geometry, Springer-Verlag, Berlin, 1977.

[173] Shen B.-Z., Tzeng K. K., Decoding geometric Goppa codes up to designed minimum distance by solving a key equation in a ring, IEEE Trans. Info. Theory, 1995, 41, no. 6, p. 1709-1719.

[174] Shen B.-Z., Tzeng K. K., Generation of matrices for determining minimum distance and decoding of algebraic-geometric codes, IEEE Trans. Info. Theory, 1995, 41, no. 6, p. 1703-1708.

[175] Shimura G., Correspondances modulaires et les fonctions ζ de courbes algebriques, J. Math. Soc. Japan, 1958, 10, p. 1-28.

[176] Shimura G., Introduction to the Arithmetic Theory of Automorphic Functions, Publ. Math. Soc. Japan, Princeton Univ. Press, 1971.

[177] Silverman J. H., The Arithmetic of Elliptic Curves, Graduate Texts in Math., 106, Springer-
Verlag, 1986.

[178] Silverman J. H., Tate J., Rational Points on Elliptic Curves, Springer-Verlag, New York, 1992.
332 Bibliography

[179] Skorobogatov A. N., The parameters of subfield subcodes of algebraic-geometric codes, Discr.
Appl. Math., 1991,33, p. 205-214.

[180] Skorobogatov A. N., Vladut S. G., On the decoding of algebraic-geometric codes, IEEE Trans.
Info. Theory, 1990, IT-36, no. 5, p. 1051-1060.

[l81] Sloane N. J. A., Sphere packing constructed from BCH and Justesen codes, Mathematika,
1972,19, p. 183-190.

[182] Sorensen A. B., Projective Ree~Muller codes, IEEE Trans. Info. Theory, 1991, IT-37, p.
1567-1576.

[183] Springer G., Introduction to the Theory ofRiemann Surfaces, Addison-Wesley, Reading, MA,
1957.

[184] Stepanov S. A., The number of points ofa hyperelliptic curve over a finite prime field, Math.
USSR Izv., 1969,3, p. 1103-1119.

[185] Stepanov S. A., Congruences in two unknowns, Math. USSR Izv., 1972,6, no. 1, p. 677-709.

[186] Stepanov S. A., On lower bounds of character sums over finite fields, Discr. Math., 1991,3,
no. 2,p. 77---S6 (in Russian); Discr. Math. Appl., 1992,2, no. 5, p. 523-532.

[187] Stepanov S. A., Arithmetic of Algebraic Curves, Plenum, New York, 1994.

[188] Stepanov S. A., Character sums and coding theory, Finite Fields and Applications. London
Math. Soc. Lect. Note Series, 233, Cambro Vniv. Press, Cambridge, 1996, p. 355-376.

[189] Stepanov S. A., Codes on fibre products of hyperelliptic curves, Diskret. Mat., 1997,9, no. 1,
p. 83-94; Discr. Math. Appl., 1997,7, no. 1, p. 77---S8.

[190] Stepanov S. A., Character sums, algebraic curves and Goppa codes, Algebraic Geometry, Lect.
Notes in Pure and Appl. Math., Ser. 193, Marcel Dekker, New York, 1997, p. 313- 345.

[191] Stepanov S. A., Ozbudak F., Fibre products of hyperelliptic curves and geometric Goppa codes,
Discr. Math., 1997,7, no. 3, p. 223-229.

[192] Stepanov S. A., Ozbudak F., Fibre products of superelliptic curves and codes therefrom, Proc.
1997 IEEE Intern. Symp. on Info. Theory, Vim, Germany, 1997, p. 413.

[193] Stichtenoth H., Self-dual Goppa codes, J. Pure Appl. Algebra, 1988,55, p. 199-211.

[194] Stichtenoth H., A note on Hermitian codes over GF(q2), IEEE Trans. Info. Theory, 1988,
IT-34, no. 5, p. 1345-1348.

[195] Stichtenoth H., On automorphism of geometric Goppa codes, J. Algebra, 1990,130, no. 1, p.
113-l2l.

[196] Stichtenoth H., Algebraic-geometric codes associated to Artin- Schreier extensions of Fq[z],
Proc. of the second Intern. Workshop on Algebraic Geometry and Combinatorial Coding
Theory, Leningrad, 1990, p. 203-206.

[197] Stichtenoth H., Algebraic Function Fields and Codes, Springer-Verlag, Berlin, 1993.

[198] Stichtenoth H., Algebraic geometric codes, Proceedings ofSymposia in Applied Mathematics,
50, AMS, New York, 1995, p.139-152.
Bibliography 333

[199] Stichtenoth H., Xing C. P., On the structure of the divisor class group of a class of curves over
finite fields, Arch. Math., 1995, 65, p. 141-150.

[200] Stohr K. 0., Voloch J. F., Weierstrass points and curves over finite fields, Proc. London Math.
Soc. (3), 1986, 52, p. 1-19.

[201] Tate J., The arithmetic of elliptic curves, Invent. Math., 1974,23, p. 179--206.

[202] Tate J., Endomorphisms of abelian varieties over finite fields, Invent. Math., 1996, 2, p.
134-144.

[203] Tiersma H. J., Remarks on codes from Hermitian curves, IEEE Trans. Info. Theory, 1987,
IT-33,p.605-609.

[204] Tsfasman M. A., On Goppa codes which are better than the Varshamov-Gi.!bert bound, Probl.
Info. Trans., 1982, 18, p. 163--166.

[205] Tsfasman M. A., Group of points of an elliptic curve over a finite field, Preprint, 1985.

[206] Tsfasman M. A., Algebraic-geometric codes and asymptotic problems, Discr. Appl. Math.,
1991,33, p. 241-256.

[207] Tsfasman M. A., Global fields, codes and sphere packings, Asterisques, 1991, 198-200, p.
373--396.

[208] Tsfasman M. A., Vladut S. G., Algebraic-Geometric Codes, Kluwer Acad. Pub!., Dordrecht,
1991.

[209] Tsfasman M. A., Vladut S. G., Geometric approach to higher weights, IEEE Trans. Info.
Theory, 1995,4I,no.6,p. 1565-1588.

[210] Tsfasman M. A., Vladut S. G., Zink T., Modular curves, Shimura curves and Goppa codes,
better than the Varshamov-Gilbert bound, Math. Nachr., 1982, 109, p. 21-28.

[211] Vladut S. G., On the polynomiality of codes on classical modular curves, Preprint, 1983.

[212] Vladut S. G., An exhaustion bound for algebraic-geometric "modular" curves, Probl. Info.
Trans., 1987,23, p. 23--43.

[213] Vladut S. G., Algebraic-geometric "modular" codes as group codes, Preprint, 1989.

[214] Vladut S. G., On the decoding of algebraic-geometric codes over Fq for q ~ 16, 1990, IEEE
Trans. Info. Theory, IT-36, no. 6, p. 1461-1463.

[215] Vladut S. G., Drinfeld V. G., Number of points of algebraic curves, Func. Anal., 1983,17, no.
1, p. 68-69.

[216] Vladut S. G., Katsman G. 1., Tsfasman M. A., Modular curves and codes with polynomial
construction complexity, Probl. Info. Trans., 1984,20, p. 35-42.

[217] Voloch J. F., Codes and curves, Eureka, 1983,43, p. 53--61.

[218] Voloch J. F., A note on elliptic curves over finite fields, Bull. Soc. Math. France, 1988, 116, p.
455-458.

[219] Voss C., On the weights of trace codes, Coding Theory and Algebraic Geometry, Lect. Notes
in Math., 1518, Springer-Verlag, Berlin, 1992, p. 193--198.
334 Bibliography

[220] Voss C., Hoholdt T., A family ofKummer extensions ofthe Hennitian function fields, Commun.
Algebru, 1995,23,no.4,p. 1551-1566.

[221] Voss C., Stichtenoth H., Asymptotically good families of subfield subcodes of geometric
Goppa codes, Geometriae Dedicata, 1990,33, p. 111-116.

[222] Waterhouse W. C., Abelian varieties over finite fields, Ann. Sci. E. N. S. (4), 1969, 2, p.
521-560.

[223] Weil A., On some exponential sums, Proc. Nat. Acad. Sci. USA, 1948,34, p. 204-207.

[224] Weil A., Sur les Courbes Algebriques et les Varietes qui s •en Dtiduisent, Hennann, Paris, 1948.

[225] Weil A., Varietes Abeliennes et Courbes Aigebriques, Hermann, Paris, 1948.

[226] Weil A., Number of solutions of equations in finite fields, Bull. Amer. Math. Soc., 1949,55, p.
497-508.

[227] Wirtz M., On the parameters of Goppa codes, IEEE Trans. Info. Theory, 1988, IT-34, no. 5, p.
1341-1343.

[228] Wolfinann J., Nombre de points rationnels de courbes algebriques sur des corps finis associees
Ii des codes cycliques, C. R. Acad. Sci. Paris, Ser. 1,1987,305, p. 345-348.

[229] Wolfinann J., The weights of the dual code to the Melas code over GF(3), Discr. Math., 1989,
74, p. 327-329.

[230] Wolfinann J., New bounds on cyclic codes from algebraic curves, Lecture Notes in Compo
Science, 388, Springer-Verlag, Berlin, 1989, p. 47-62.

[231] Wolfinann J., The number of points of certain algebraic curves over finite fields, Commun.
Algebra, 1989,17, p. 2055-2066.

[232] Wolfinann J., The number of solutions of certain diagonal equations over finite fields, J.
Number Theory, 1992,42, p. 247-257.

[233] Xing C. P., Multiple Kummer extensions and the number of prime divisors of degree one in
function fields, J. Pure and Appl. Algebra, 1993, 84, p. 85-93.

[234] Xing C. P., On automorphisms groups of the Hermitian codes, IEEE Trans. Info. Theory, 1995,
IT-41,no.6,p.1629-1635.

[235] Xing C. P., Stichtenoth H., The genus of maximal function fields over finite fields, Manuscripta
Math., 1995, 86, p. 217-224.

[236] Yang K., Kumar P. V., Stichtenoth H., On the weight hierarchy of geometric Goppa codes,
IEEE Trans. Info. Theory, 1994, IT-40, p. 913--920.

[237] Zink T., Degeneration of ShimuTa surfaces and a problem in coding theory, Lecture Notes in
Compo Science, 199, Springer-Verlag, Berlin, 1996, p. 503-511

[238] Zinoviev V. A., Ericson T., On concatenated constant weight codes ameliorating the
Varshamov--Gilbert bound, Prahl. Info. Truns, 1987,23, no. I, p. 110-111.

[239] Zinoviev V. A., Litsyn S. N., Codes that exceed the Gilbert bound, Prabl. Info. Trans., 1985,
21,no. l,p. 105-108.
List of Notations

General Notations
$A \subset B$  proper subset ($A \neq B$)
$A \hookrightarrow B$  injective map
$\emptyset$  empty set
$|M|$  cardinality of a set
$f \cdot g$  composition of maps
$\operatorname{Im} \varphi$  image of a map
$\operatorname{Ker} \varphi$  kernel of a map
$\mathbb{Z}$  ring of integers
$\mathbb{N}$  set of positive integers
$\mathbb{Q}$  field of rational numbers
$\mathbb{R}$  field of real numbers
$\mathbb{C}$  field of complex numbers
$m \mid n$  $m$ divides $n$ in the ring $\mathbb{Z}$
$m \nmid n$  $m$ does not divide $n$ in the ring $\mathbb{Z}$
$F_q$  finite field with $q$ elements
$F_q[u]$  ring of polynomials in $u$ over $F_q$
$I(v)$  number of monic irreducible polynomials in $F_q[u]$ of degree $v$
$\zeta(s)$  zeta-function of $F_q[u]$
$\mu(n)$  Möbius function
$\varphi(n)$  Euler phi-function
R(x,e i )  Lagrange-Hilbert resolvent
$\mathbb{Z}/n\mathbb{Z}$  residue ring modulo $n$
$\lfloor a \rfloor$  integer part, $\lfloor a \rfloor \le a < \lfloor a \rfloor + 1$
$\lceil a \rceil$  upper integer part, $a \le \lceil a \rceil < a + 1$
$\log a$  $= \log_e a$
$(a,b)$  g.c.d. of integers $a$ and $b$
(~)  generalized Legendre symbol
$\operatorname{Re} z$  real part of $z \in \mathbb{C}$
$\operatorname{Im} z$  imaginary part of $z \in \mathbb{C}$
(~)  binomial coefficient
$L/K$  field extension
$[L:K]$  degree of a field extension
$\bar{k}$  algebraic closure of a field
$\operatorname{char} k$  characteristic of a field
$\operatorname{norm}(a)$  norm of $a$
$\operatorname{tr}(a)$  trace of $a$
$k[T_1, \ldots, T_n]$  ring of polynomials in $n$ variables over $k$
$k[[T_1, \ldots, T_n]]$  ring of formal series in $n$ variables over $k$
$\deg F$  degree of a polynomial
$k^*$  multiplicative group of a field
$GL_n(R)$  general linear group of order $n$ over a ring
$\operatorname{Res}_x(f)$  residue of a function $f$ at a point $x$
$x \cdot y$  inner product of vectors
$V^*$  dual linear space
$\dim_k V$  dimension of a linear space over a field $k$
$V \oplus W$  direct sum of linear spaces
$V \otimes W$  tensor product of linear spaces
$V^n$  nth power of a linear space
$V^{\otimes m}$  nth tensor power of a linear space
$A \otimes B$  Kronecker (tensor) product of matrices
G  dual group
$G/H$  factor-group
$[G : H]$, or $(G : H)$  index of a subgroup
$(g)$  cyclic group generated by $g$
$G_x$  stabilizer
$k[G]$  group ring
'Unn  primitive nth root of unity
group of nth roots of unity
$\chi$  multiplicative character
$\psi$  additive character

Coding Theory
$C$  code
$M = |C|$  cardinality of a code
$k = \log_q |C|$  log-cardinality of a code
$[n,k,d]_q$  parameters of a code
$d(x,y)$  Hamming distance
$d$  minimum distance of a code
$d^\perp$  minimum distance of a dual code
$R = k/n$  information rate
$\delta = d/n$  relative minimum distance
$\|x\|$  Hamming weight of a vector
$B_t(x)$  ball of radius $t$ centered at $x$
$G$  generator matrix
$H$  parity-check matrix
$C^\perp$  dual code
$W_C(u : v)$  weight enumerator
$W_C(u)$, $W_C(v)$  non-homogeneous weight enumerators
j(z)  Hadamard transform
$P_i(u)$  Krawtchouk polynomial
MDS  maximum distance separable code
$A_q(n,d) = \max\{q^k \mid \text{there exists an } [n,k,d]_q\text{-code over } F_q\}$
$A_q^{\mathrm{lin}}(n,d) = \max\{q^k \mid \text{there exists a linear } [n,k,d]_q\text{-code over } F_q\}$
$H_q(\delta)$  q-ary entropy function
$R_H(\delta)$  asymptotic Hamming bound
$R_P(\delta)$  asymptotic Plotkin bound
$R_{BE}(\delta)$  asymptotic Bassalygo-Elias bound
$R_{lp}(\delta)$  asymptotic linear programming bound
$R_G(\delta)$  asymptotic Gilbert bound
$R_{GV}(\delta)$  asymptotic Gilbert-Varshamov bound
$R_{AG}(\delta)$  asymptotic algebraic-geometric bound
$R_{BZ}(\delta)$  asymptotic Blokh-Zyablov bound
$R_Z(\delta)$  asymptotic Zyablov bound
RS  Reed-Solomon code
$C_H$  Hamming code
$C_R$, $C_N$  quadratic-residue codes
q,c~  extended quadratic-residue codes
BCH  Bose-Chaudhuri-Hocquenghem code
$C_{11}$, $C_{23}$  Golay codes
$C_{12}$, $C_{24}$  extended Golay codes
$C(D_0,D)$, $C^*(D_0,D)$  geometric Goppa codes
$d_C$, $d_{C^*}$  designed minimum distance of codes $C(D_0,D)$ and $C^*(D_0,D)$
$A(D')$  basic decoding algorithm
~(D')  Ehrhard's decoding algorithm
$d_{FR}(r)$  Feng-Rao minimum distance
Ev  evaluation map
Res  residue map
$x \times y$  Kronecker product of vectors
$C_1 \oplus C_2$  direct sum of linear codes
$C^m$  power of a linear code
$C_1 \otimes C_2$  tensor (or Kronecker) product of linear codes
$C^{\otimes m}$  tensor power of a linear code
$V_q = \{(\delta,R) \mid \text{there exists an } [n,k,d]_q\text{-code with } d/n = \delta \text{ and } k/n = R\}$
$U_q$  set of limit points of $V_q$
$\alpha_q(\delta) = \sup\{R \mid (\delta,R) \in U_q\}$
$V_q^{\mathrm{lin}} = \{(\delta,R) \mid \text{there exists a linear } [n,k,d]_q\text{-code with } d/n = \delta \text{ and } k/n = R\}$
set of limit points of $V_q^{\mathrm{lin}}$
$= \sup\{R \mid (\delta,R) \in U_q^{\mathrm{lin}}\}$
function $\alpha_q$ for a polynomial family of codes
function $\alpha_q$ for a polynomial family of linear codes
function age! for a family of codes having a polynomial decoding complexity
age1.dec,lin(8)  function ago! for a family of linear codes having a polynomial decoding complexity

Algebraic Geometry
$\mathbb{A}^n$  affine n-dimensional space
$\mathbb{P}^n$  projective n-dimensional space
YeS)  zero set
$a(X) = \{F \in k[T] \mid F(x) = 0 \text{ for all } x \in X\}$
$m$  maximal ideal
$p$  prime ideal
$r(a)$  radical of an ideal
$X$  algebraic variety, smooth projective curve
$\dim X$  dimension of an algebraic variety
$k[X]$  coordinate ring of an affine variety
$k(X)$  field of rational functions on a variety
$U$  open subset of a variety
$\mathcal{O}(U)$  ring of regular functions on $U$
$\mathcal{O}_x$  local ring of a point
$\mathcal{O}_v$  valuation ring
$\deg \varphi$  degree of a finite morphism
$e_x$  ramification index
$L = k(X)$  field of rational functions on a curve over $k$
$D$  divisor on a curve
$\deg D$  degree of a divisor
$(D,D')$  g.c.d. of divisors
$\{D,D'\}$  l.c.m. of divisors
$(f)$  divisor of a function (principal divisor)
$(f)_0$  divisor of zeros
$(f)_\infty$  divisor of poles
$\operatorname{Div}(X)$  divisor group of a smooth projective curve
Divo(X)  divisor group of degree zero
$P(X)$  group of principal divisors
$\operatorname{Pic}(X)$  divisor class group
Pico(X)  divisor class group of degree zero
$L(D) = \{f \in L^* \mid (f) + D \ge 0\} \cup \{0\}$, $k$-linear vector space of rational functions
$|D|$  linear system
$l(D) = \dim_k L(D)$, dimension of $L(D)$ over $k$
$R(X)$  algebra of repartitions of $L = k(X)$
$R(D)$  subalgebra of $R(X)$
$\Omega[X]$  space of regular differential forms
$\Omega(X)$  space of rational differential forms
$\Omega(D) = \{\omega \in \Omega(X)^* \mid (\omega) + D \ge 0\} \cup \{0\}$, $k$-linear vector space of rational differential forms
$K = K_X$  canonical divisor
w  canonical divisor class
$g = g(X)$  genus of a curve
u(A)  Clifford defect of a divisor
$\varphi_p$  Frobenius morphism
$J_X$  Jacobian of a curve
$( , )$  pairing
$k_v$  residue field
$\operatorname{Gal}(k'/k)$  Galois group of an extension $k'$ of $k$
$P = P_x$  prime $F_q$-rational divisor
$h = h(X)$  cardinality of Pico(X) (the class number)
$N(D)$  norm of an effective $F_q$-rational divisor
$\zeta(X,s) = Z(X,t)$  zeta-function of a curve over $F_q$
$L(z) = L(f,g,z)$  Artin L-function
$N_q = N_q(X)$  number of $F_q$-rational points on a curve
$N_q(g)$  maximum number of $F_q$-rational points on curves of genus $g$
N~ =N~(X)  number of $F_q$-rational points on the Jacobian of a curve $X$
$X(F_q)$  set of $F_q$-rational points of a curve
$A(q) = \limsup_X N_q(X)/g(X)$ as $g(X) \to \infty$
$T_v(f,g)$  hybrid character sum
$T(\chi,\psi)$  Gaussian sum
$T_v(g)$  rational Weyl's sum
$T_v(a,b)$  Kloosterman sum
$P$  prime divisor
fJp  local field of a prime divisor $P$
$v_P$  normalized valuation
$L/k$  algebraic extension with full constant field $k$
$g(L)$  genus of an algebraic function field $L$
$\operatorname{Div}(L)$  divisor group of $L$
$\operatorname{Pic}(L)$  divisor class group of $L$
$L_P$  residue field of a prime divisor $P$
$L'/L$  extension of a field $L$
$P'/P$  prime divisor $P'$ lying over $P$
$e(P'/P)$  ramification index
$f(P'/P)$  relative degree of $P'$ over $P$
$[L' : L]$  degree of an extension $L'/L$
$[L' : L]_s$  separable degree of $L'/L$
$[L' : L]_n$  non-separable degree of $L'/L$
$f_s(P'/P)$  separable degree of $P'/P$
$f_n(P'/P)$  non-separable degree of $P'/P$
$D(P'/P)$  decomposition group
$J(P'/P)$  inertia group
$\operatorname{con}_{L'/L}(D)$  conorm of a divisor $D$
$\operatorname{norm}_{L'/L}(D)$  norm of a divisor $D$
$Lk'$  composition field (compositum) of $L$ and $k'$
$d(P'/P)$  different exponent
$\operatorname{Diff}(L'/L)$  different of $L'/L$
p(h)  Frobenius operator

Elliptic and Modular Curves


$j = j(E)$  absolute invariant
$\lambda$  Legendre modulus
$\operatorname{Hom}(E,E')$  set of group homomorphisms $f : E \to E'$
$\operatorname{End}(E)$  endomorphism ring of an elliptic curve
Endo(E)  $= \operatorname{End}(E) \otimes \mathbb{Q}$
$\operatorname{Aut}(E)$  automorphism group of an elliptic curve $E$ (as an algebraic variety)
Auto(E)  automorphism group of an elliptic curve $E$ (as an algebraic group)
$E_n$  kernel of multiplication by $n$
$f^*$  dual isogeny
/p  Frobenius morphism
$\Lambda$, $\Lambda_z$  period lattices
$\wp(z)$  Weierstrass function
$\Gamma(1) = SL_2(\mathbb{Z})$  modular group
$\Gamma \subset \Gamma(1)$  congruence subgroup
$\Gamma(N)$  principal congruence subgroup of level $N$
$\Gamma_0(N)$, $\Gamma_1(N)$  congruence subgroups of level $N$
$X_\Gamma$  modular curve
$X(N)$, $X_0(N)$, $X_1(N)$  projective modular curves, corresponding to $\Gamma(N)$, $\Gamma_0(N)$ and $\Gamma_1(N)$, respectively
$Y(N)$, $Y_0(N)$, $Y_1(N)$  affine modular curves, corresponding to $\Gamma(N)$, $\Gamma_0(N)$ and $\Gamma_1(N)$
$M_k(\Gamma)$  linear space of modular forms of weight $k$ for the group $\Gamma$
$S_k(\Gamma)$  linear space of cusp-forms of weight $k$ for $\Gamma$
$\chi(n)$  Dirichlet character
$M_k(N,\chi)$  subspace of $M_k(\Gamma_1(N))$
$S_k(N,\chi)$  subspace of $S_k(\Gamma_1(N))$
LQ  space of formal finite linear combinations of modular points
$T_n$, $T_{m,m}$  Hecke operators
Idl  operator of multiplication by $d$
$(f,g)$  Petersson inner product
$E_z = \mathbb{C}/\Lambda_z$  complex elliptic curve
$e_N(x,y)$  Weil pairing
h~  Weber function
$GL_2^+(\mathbb{Q})$  subgroup of $GL_2(\mathbb{Q})$ consisting of matrices with positive determinant
$E_N$  set of points of order $N$ on an elliptic curve
$k'(j, h(E_N))$  field of modular functions of level $N$
$\Omega_0(N)$  space of regular differential forms on $X_0(N)$
$A_p$  Hecke correspondence
$\operatorname{tr} T_n$  trace of Hecke operator