finite geometry and co ding theory - peter cameron's blog · 1 and 2 is the set all ords w...
TRANSCRIPT
Finite geometry and oding theory
Peter J. Cameron
S hool of Mathemati al S ien es
Queen Mary and West�eld College
London E1 4NS
So rates Intensive Programme
Finite Geometies and Their Automorphisms
Potenza, Italy
June 1999
Abstra t
In these notes I will dis uss some re ent developments at the inter-
fa e between �nite geometry and oding theory. These developments,
are all based on the theory of quadrati forms over GF(2), and I have
in luded an introdu tion to this material. The parti ular topi s are
bent fun tions and di�eren e sets, multiply-resolved designs, odes
over Z
4
, and quantum error- orre ting odes.
Some of the material here was dis ussed in the Combinatori s
Study Group at Queen Mary and West�eld College, London, over
the past year. This a ount is quite brief; a more detailed version will
be published elsewhere. Many of the parti ipants of the study group
ontributed to this presentation; to them I express my gratitude, but
espe ially to Harriet Pollatsek and Keldon Drudge.
1 Codes
There are many good a ounts of oding theory, so this se tion will be brief.
See Ma Williams and Sloane [18℄ for more details.
Let A be an alphabet of q symbols. A word of length n over A is simply
an n-tuple of elements of A (an element of A
n
). A ode of length n over A
1
is a set of words (a subset of A
n
). A ode of length n ontaining M words is
referred to as an (n;M) ode.
The Hamming distan e d(v; w) between two words v and w is the number
of oordinates in whi h v and w di�er:
d(v; w) = jfi : 1 � i � n; v
i
6= w
i
gj:
It satis�es the standard axioms for a metri on A
n
. The minimum distan e
of a ode is the smallest distan e between two distin t words in C. A ode
of length n having M odewords and minimum distan e d is referred to as
an (n;M; d) ode.
The basi idea of oding theory is that, in a ommuni ation system,
messages are transmitted in the form of words over a �xed alphabet (in
pra ti e, usually the binary alphabet f0; 1g). During transmission, some
errors will o ur, that is, some entries in the word will be hanged by random
noise. The number of errors o urring is the Hamming distan e between the
transmitted and re eived words.
Suppose that we an be reasonably on�dent that no more than e errors
o ur during transmission. Then we use a ode whose minimum distan e d
satis�es d � 2e+ 1. Now we transmit only words from the ode C. Suppose
that u is transmitted and v re eived. By assumption, d(u; v) � e. If u
0
is
another odeword, then d(u; u
0
) � d � 2e + 1. By the triangle inequality,
d(u
0
; v) � e+1. Thus, we an re ognise the transmitted word u, as the ode-
word nearest to the re eived word. For this reason, a ode whose minimum
distan e d satis�es d � 2e+ 1 is alled an e-error- orre ting ode.
Thus, good error orre tion means large minimum distan e. On the other
hand, fast transmission rate means many odewords. In reasing one of these
parameters tends to de rease the other. This tension is at the basis of oding
theory.
Usually, it is the ase that the alphabet has the stru ture of a �nite
�eld GF(q). In this ase, the set of words is the n-dimensional ve tor spa e
GF(q)
n
, and we often require that the ode C is a ve tor subspa e of GF(q)
n
.
Su h a ode is alled a linear ode. A linear ode of length n and dimension
k over GF(q) is referred to as a [n; k℄ ode; it has q
k
odewords. If its
minimum distan e is d, it is referred to as an [n; k; d℄ ode. Almost always,
we will onsider only linear odes.
The weight wt(v) of a word v is the number of non-zero oordinates of
v. The minimum weight of a linear ode is the smallest weight of a nonzero
2
odeword. It is easy to see that
d(v; w) = wt(v � w);
and hen e that the minimum distan e and minimum weight of a linear ode
are equal.
Two linear odes C and C
0
are said to be equivalent if C
0
is obtained from
C by a ombination of the two operations:
(a) multiply the oordinates by non-zero s alars (not ne essarily all equal);
and
(b) permute the oordinates.
Equivalent odes have the same length, dimension, minimum weight, and
so on. Note that, over GF(2), operation (a) is trivial, and we only need
operation (b).
A linear [n; k℄ ode C an be spe i�ed in either of two ways:
� A generator matrix G is a k � n matrix whose row spa e is C. Thus,
C = fxG : x 2 GF(q)
k
g;
and every odeword has a unique representation in the form xG. This
is useful for en oding: if the messages to be transmitted are all k-tuples
over the �eld GF(q), then we an en ode the message x as the odeword
xG.
� A parity he k matrix H is a (n� k)�n matrix whose null spa e is C:
more pre isely,
C = fv 2 GF(q)
n
: vH
>
= 0g:
This is useful for de oding, spe i� ally for syndrome de oding. The
syndrome of w 2 GF(q)
n
is the (n� k)-tuple wH
>
. Now, if C orre ts
e errors, and w has Hamming distan e at most e from a odeword v, it
an be shown that the syndrome of w uniquely determines w � v, and
hen e v.
If h
1
; : : : ; h
n
are the olumns of the parity he k matrix H of a ode C,
then a word x = (x
1
; : : : ; x
n
) belongs to C if and only if x
1
h
1
+� � �+x
n
h
n
= 0,
that is, the entries in x are the oeÆ ients in a linear dependen e relation
between the olumns of H. Thus, we have:
3
Proposition 1.1 A ode C has minimum weight d or greater if and only if
any d� 1 olumns of its parity he k matrix are linearly independent.
There is a natural inner produ t de�ned on GF(q)
n
, namely the dot prod-
u t
v � w =
n
X
i=1
v
i
w
i
:
If C is an [n; k℄ ode, we de�ne the dual ode
C
?
= fv 2 GF(q)
n
: (8w 2 C) v � w = 0g;
it is an [n; n � k℄ ode. Then a generator matrix for C
?
is a parity he k
matrix for C, and vi e versa.
Sometimes, in the ase when q is a square, so that the �eld GF(q) admits
an automorphism � of order 2 given by x
�
= x
p
q
, we will use instead the
Hermitian inner produ t
v Æ w =
n
X
i=1
v
i
w
�
i
:
We now give a family of examples.
A 1-error- orre ting ode should have minimum weight at least 3. By
Proposition 1.1, this is equivalent to requiring that no two olumns of its
parity he k matrix are linearly dependent. Thus, the olumns should all be
non-zero, and should span distin t 1-dimensional subspa es of V = GF(q)
k
,
where k is the odimension of the ode. Multiplying olumns by non-zero
s alars, or permuting them, gives rise to an equivalent ode. So linear 1-
error- orre ting odes orrespond in a natural way to sets of points in the
proje tive spa e PG(k � 1; q).
Many interesting odes an be obtained by hoosing suitable subsets
(ovoids, unitals, et .). But the simplest, and optimal, hoi e is to take all
the points of the proje tive spa e. The ode thus obtained is the Hamming
ode H(k; q) of length n = (q
k
� 1)=(q� 1) and dimension n� k over GF(q).
To reiterate: the parity he k matrix of the Hamming ode is the k � n ma-
trix whose olumns span the n one-dimensional subspa es of GF(q)
k
. It is a
[n; n� k; 3℄ ode.
One further ode we will need is the famous extended binary Golay ode.
This is a [24; 12; 8℄ ode over GF(2), and is the unique ode (up to equiv-
alen e) with this property. The o tads, or sets of eight oordinates whi h
4
support words of weight 8 in the ode) are the blo ks of the Steiner system
S(5; 8; 24) (or, in other terminology, the 5-(24; 8; 1) design).
We dis uss brie y some operations on odes. Let C be a linear ode.
� Pun turing C in a oordinate i is the pro ess of deleting the ith oor-
dinate from ea h odeword.
� Shortening C in a oordinate i is the pro ess of sele ting those ode-
words in C whi h have entry 0 in the ith oordinate, and then deleting
this oordinate from all odewords.
� Extending C, by an overall parity he k, is the pro ess onsisting of
adding a new oordinate to ea h odeword, the entry in this oordinate
being minus the sum of the existing entries (so that the sum of all
oordinates in the extended ode is zero). We denote the extension of
C by C.
� The dire t sum of odes C
1
and C
2
is the set of all words obtained by
on atenating a word of C
1
with a word of C
2
.
The weight enumerator of a linear ode is an algebrai gadget to keep
tra k of the weights of odewords. If C has length n, its weight enumerator
is
W
C
(x; y) =
n
X
i=0
a
i
x
n�i
y
i
;
where A
i
is the number of words of weight i in C. Note that W
C
(1; 0) = 1,
and W
C
(1; 1) = jCj.
The weight enumerator has many important properties. For example,
the weight enumerator of the dire t sum of C
1
and C
2
is the produ t of the
weight enumerators of C
1
and C
2
. For our purposes, the most important
result is Ma Williams' Theorem:
Theorem 1.2 Let C be a linear ode over GF(q), and C
?
its dual. Then
W
C
?(x; y) =
1
jCj
W
C
(x + (q � 1)y; x� y):
We illustrate this theorem by al ulating the weight enumerators of Ham-
ming odes. It is easier to �nd the weight enumerators of their duals:
5
Proposition 1.3 Let C be the q-ary Hamming ode H(k; q) of length n =
(q
k
� 1)=(q � 1) and dimension n� k. Then every non-zero word of C
?
has
weight q
k�1
.
We say that C
?
is a onstant-weight ode.
Proof Let h
1
; : : : ; h
n
be the olumns of the parity he k matrix H of C.
We laim that ea h word of C
?
has the form (f(h
1
); : : : ; f(h
n
)), where f
belongs to the dual spa e of the k-dimensional spa e V of olumn ve tors
of length k; and every element of V
�
gives rise to a unique word of C
?
.
This holds be ause H is a generator matrix of C
?
, so the words of C
?
are
linear ombinations of the rows of H. Now the ith row of H has the form
(e
i
(h
1
); : : : ; e
i
(h
n
)), where e
i
is the ith dual basis ve tor. So the laim is
proved.
Now for any non-zero f 2 V
�
, the kernel of f has dimension k�1, and so
ontains (q
k�1
� 1)=(q � 1) one-dimensional subspa es, and so it vanishes at
this many of the olumns of H. So the orresponding word of C
?
has weight
(q
k
� 1)=(q � 1)� (q
k�1
� 1)=(q � 1) = q
k�1
:
It follows that the weight enumerator of C
?
is
x
(q
k
�1)=(q�1)
+ (q
k
� 1)x
(q
k�1
�1)=(q�1)
y
q
k�1
;
and so the weight enumerator of C is
1
q
k
�
(x + (q � 1)y)
(q
k
�1)=(q�1)
+ (q
k
� 1)(x+ (q � 1)y)
(q
k�1
�1)=(q�1)
(x� y)
q
k�1
�
:
Finally on this topi , we mention that the weight enumerator of the ex-
tended binary Golay ode is
x
24
+ 759x
16
y
8
+ 2576x
12
y
12
+ 759x
8
y
16
+ y
24
:
A ode C is self-orthogonal if C � C
?
, and is self-dual if C = C
?
. The
extended binary Golay ode just mentioned is self-dual; other examples are
the extended binary Hamming ode of length 8 (a [8; 4; 4℄ ode with weight
enumerator x
8
+ 14x
4
y
4
+ y
8
), and the binary repetition ode of length 2 (a
[2; 1; 2℄ ode with weight enumerator x
2
+ y
2
).
6
Using Ma Williams' Theorem, we see that the weight enumerator of a
self-dual ode C of length n over GF(q) satis�es
W
C
(x; y) =
1
q
n=2
W
C
(x + (q � 1)y; x� y): (1)
This gives a system of equations for the oeÆ ients of W
C
, but of ourse not
enough equations to determine it uniquely.
Gleason [13℄ found a simple des ription of all solutions of these equations,
using lassi al invariant theory. We des ribe his te hnique for self-dual binary
odes.
Let G be a �nite group of 2 � 2 matri es over C . Let f(x; y) be a poly-
nomial of degree n. We say that f is an invariant of G if
f(ax+ by; x+ dy) = f(x; y) for all
�
a b
d
�
2 G:
Sin e the sum and produ t of invariants is invariant, the set of G-invariants
is a subalgebra of the algebra C [x; y℄ of all polynomials in x and y over C .
We denote this subalgebra by C [x; y℄
G
.
If f(x; y) is a G-invariant, then its homogeneous omponent of degree k
(the sum of all terms a
ij
x
i
y
j
with i + j = k) is also G-invariant. So the
algebra C [x; y℄
G
is graded, a ording to the following de�nition:
Let A =
L
k�0
A
k
be an algebra over C . We say that A is graded if
A
i
� A
j
� A
i+j
for all i; j � 0. If dim(A
k
) is �nite for all k � 0, then the
Hilbert series of A is the formal power series
X
k�0
dim(A
k
)t
k
:
Molien's Theorem gives an expli it formula for the Hilbert series of C [x; y℄
G
for any �nite group G:
Theorem 1.4 Let G be a �nite group of 2 � 2 matri es over C . Then the
Hilbert series of C [x; y℄
G
is given by
1
jGj
X
A2G
(det(I � tA))
�1
:
7
Now let C be a self-dual binary ode. Sin e all words in C have even
weight, the weight enumerator of C satis�es
W
C
(x;�y) = W
C
(x; y):
Also, sin e W
C
(x; y) is homogeneous of degree n, we an rewrite Equation 1
as
W
C
�
x + y
p
2
;
x� y
p
2
�
= W
C
(x; y):
These two equations assert that the polynomial W
C
is an invariant of the
group G = hA
1
; A
2
i, where
A
1
=
�
1 0
0 �1
�
; A
2
=
�
1=
p
2 1=
p
2
1=
p
2 �1=
p
2
�
:
Now it is easily he ked that
A
2
1
= A
2
2
= (A
1
A
2
)
8
= I;
so G is a dihedral group of order 16. Now Molien's Theorem, and some
al ulation, shows that the Hilbert series of C [x; y℄
G
is
1
(1� t
2
)(1� t
8
)
:
>From this we see that the dimension of the nth homogeneous omponent is
equal to the number of ways of writing n as a sum of 2s and 8s.
We know some examples of self-dual odes: among them, the repetition
ode of length 2 and the extended Hamming ode of length 8, with weight
enumerators respe tively
r(x; y) = x
2
+ y
2
;
h(x; y) = x
8
+ 14x
4
y
4
+ y
8
:
Moreover, any polynomial of the form r
i
h
j
is a weight enumerator (of the
dire t sum of i opies of the repetition ode and j opies of the extended
Hamming ode). It an be shown that, for �xed n, these polynomials (with
2i + 8j = n) are linearly independent; thus they span the nth homogeneous
omponent of the algebra of invariants of G. This proves Gleason's Theorem:
8
Theorem 1.5 A self-dual binary ode has even length n = 2m, and its
weight enumerator has the form
bn=8
X
j=0
a
j
(x
2
+ y
2
)
(n�8j)=2
(x
8
+ 14x
4
y
4
+ y
8
)
j
for some a
j
2 Q , j 2 f0; : : : ; bn=8 g.
The te hnique has other appli ations too. We give one of these. A self-
orthogonal binary ode has the property that all its weights are even. Su h
a ode is alled doubly even if all its weights are divisible by 4.
If C is a doubly even self-dual ode, then the weight enumerator of C is
invariant under the group G
�
= hA
�
1
; A
2
i, where A
2
is as before and
A
�
1
=
�
1 0
0 i
�
:
It an be shown that G
�
is a group of order 192, and the Hilbert series of its
algebra of invariants is
1
(1� t
8
)(1� t
24
)
:
Now there exist doubly even self-dual odes whi h have lengths 8 and 24,
namely the extended Hamming ode and the extended Golay ode. The
weight enumerator of the extended Hamming ode is given above. The weight
enumerator of the extended Golay ode is
g(x; y) = x
24
+ 759x
16
y
8
+ 2576x
12
y
12
+ 759x
8
y
16
+ y
24
:
Again, these two polynomials are independent, and we have Gleason's se ond
theorem:
Theorem 1.6 A doubly even self-dual ode has length n divisible by 8, say
n = 8m, and its weight enumerator has the form
bn=24
X
j=0
a
j
(x
8
+ 14x
4
y
4
+ y
8
)
(n�24j)=8
�
� (x
24
+ 759x
16
y
8
+ 2576x
12
y
12
+ 759x
8
y
16
+ y
24
)
j
for some a
j
2 Q , j 2 f0; : : : ; bn=24 g.
Several further results of the same sort are given in Sloane's survey [26℄.
9
The �nal topi in this se tion on erns the overing radius of a ode. This
is a parameter whi h is in a sense dual to the pa king radius, the maximum
number of errors whi h an be orre ted.
Let C be a ode of length n over an alphabet A. The overing radius of
C is
max
v2A
n
min
2C
d(v; ):
That is, it is the largest value of the distan e from an arbitrary word to the
nearest odeword. Said otherwise, it is the smallest integer r su h that the
spheres of radius r with entres at the odewords over the whole of A
n
.
We saw that, if the number of errors is at most the pa king radius, then
nearest-neighbour de oding orre tly identi�es the transmitted odeword.
The overing radius has a similar interpretation: if the number of errors
is greater than the overing radius, then nearest-neighbour de oding will
ertainly give the wrong odeword.
We give one result on the overing radius of binary odes whi h will be
used in Se tion 5. We say that a ode C has strength s if, given any s
oordinate positions, all possible s-tuples over the alphabet o ur the same
number of times in these positions. The maximum strength is the largest
integer s for whi h the ode has strength s.
Theorem 1.7 Let C be a ode of length n over an alphabet A of size q and
v an arbitrary word in A
n
.
(a) If C has strength 1, then the average distan e of v from the words of C
is n(q � 1)=q.
(b) If C has strength 2, then the varian e of the distan es of v from the
words of C is n(q � 1)=q
2
.
Proof (a) For 1 � i � n, let d
i
( ) = 0 if v and agree in the ith oordinate,
1 otherwise. Then
d(v; ) =
n
X
i=1
d
i
( ):
So the average distan e from v to C is
1
jCj
n
X
i=1
X
2C
d
i
( ):
10
Now sin e C has strength 1, for any i we have d
i
(C) = 0 for jCj=q words
2 C, and d
i
( ) = 1 for the remaining (q � 1)jCj=q. So the inner sum is
(q � 1)jCj=q, and the result follows.
(b) Similarly, we have
d(v; )(d(v; )� 1) =
X
i 6=j
d
i
( )d
j
( );
and if C has strength 2, then
X
2C
d
i
( )d
j
( ) = (q � 1)
2
jCj=q
2
:
Thus, the average value of d(v; )(d(v; )� 1) is equal to (q� 1)
2
n(n� 1)=q
2
.
Now simple manipulation gives the result.
Theorem 1.8 Let C be a linear binary ode of length n ontaining the all-1
word.
(a) The overing radius of C is at most n=2.
(b) If C has maximum strength at least 2, then its overing radius is at most
(n�
p
n)=2.
Proof (a) The hypothesis guarantees that C has strength at least 1. (For
this, the all-1 word is not ne essary; it is enough to assume that the support
of C is f1; : : : ; ng.) Sin e the average distan e from v to C is n=2, there is a
word of C with distan e at most n=2 from v.
(b) Suppose that the overing radius is n=2 � s. Sin e d(v; + 1) =
n�d(v; ), all distan es from v to C lie in the interval from n=2�s to n=2+s.
Sin e the varian e of these distan es is n=4, we must have s �
p
n=2.
Note that equality in (a) implies that d(v; ) = n=2 for all 2 C, while
equality in (b) implies that d(v; ) = (n�
p
n)=2 for all 2 C.
Exer ise 1.1 (a) Show that, if C is a linear binary ode of odd minimum
weight d, then the minimum weight of C is d+ 1.
(b) Investigate how the dimension and minimum weight of odes hange
under the operations of pun turing, shortening and extending.
11
Exer ise 1.2 If C
1
and C
2
are linear [n
1
; k
1
; d
1
℄ and [n
2
; k
2
; d
2
℄ odes over
GF(q), prove that the dire t sum C
1
�C
2
is a linear [n
1
+n
2
; k
1
+k
2
;minfd
1
; d
2
g℄
ode.
Exer ise 1.3 (a) Let C be a binary or ternary Hamming ode (that is, over
GF(2) or GF(3)). Prove that C � C
?
; that is, C
?
is self-orthogonal.
(b) Let C be a Hamming ode over GF(4). Prove that C � C
?
holds, if
C
?
is al ulated with respe t to the Hermitian inner produ t.
Exer ise 1.4 (a) Prove that, if all weights in a linear binary ode C are
divisible by 4, then C is self-orthogonal.
(b) Prove that, if a linear binary ode C is self-orthogonal and is generated
by a set of words whose weights are divisible by 4, then C is doubly
even.
Exer ise 1.5 Express the weight enumerator of the Golay ode as a ombi-
nation of r and h.
Exer ise 1.6 Show that all doubly even self-dual odes of length 16 have
weight enumerator h
2
. Find two di�erent examples of su h odes.
Exer ise 1.7 Can you �nd a more dire t proof that a doubly-even self-dual
binary linear ode has length divisible by 8?
Exer ise 1.8 Fill in the details of the proof of Theorem 1.7.
Exer ise 1.9 What is the overing radius of the binary dual Hamming ode
of length 7?
Exer ise 1.10 Let C be an (n;M) ode over an alphabet of size q, with
pa king radius e and overing radius r. Prove that
q
n
P
e
i=0
�
n
i
�
(q � 1)
i
�M �
q
n
P
r
i=0
�
n
i
�
(q � 1)
i
:
12
2 Symple ti and quadrati forms
In this se tion, we des ribe some of the properties of symple ti and quadrati
forms over the �eld GF(2), and the geometries they de�ne.
Let V be a ve tor spa e over a �eld F . A quadrati form on F is a
fun tion Q : V ! F whi h satis�es the onditions
(a) Q(�v) = �
2
Q(v) for all � 2 F , v 2 V .
(b) The fun tion B : V � V ! F de�ned by
Q(v + w) = Q(v) +Q(w) +B(v; w)
is bilinear (that is, linear in ea h variable).
We express (b) by saying that the form B is obtained from Q by polari-
sation.
The form B de�ned in (b) is symmetri , that is, B(v; w) = B(w; v).
Now, if the hara teristi of F is not 2, then it follows from (a) and (b) that
Q(v) =
1
2
B(v; v) for all v 2 V , so that Q an be re overed from B: that is,
quadrati forms and symmetri bilinear forms arry the same information.
Things are very di�erent in hara teristi 2, however. We are interested in
this ase, spe i� ally F = GF(2).
From now on, we assume that F = GF(2).
Now we �nd that the form B is alternating, that is, B(v; v) = 0 for all
v 2 V . In general, an alternating bilinear form is skew-symmetri , that is,
B(v; w) = �B(w; v) for all x; y 2 V . Of ourse, in hara teristi 2, this just
says that B is symmetri .
Clearly, Q annot be re overed from B. Instead, we see that, if Q
1
and
Q
2
both polarise to B, then Q = Q
1
�Q
2
polarises to the zero form, that is,
Q(v + w) = Q(v) +Q(w):
Also, be ause �
2
= � for all � 2 F , we have
Q(�v) = �Q(v):
Thus, Q is linear. Conversely, two quadrati forms di�ering by a linear
form polarise to the same bilinear form. So ea h alternating bilinear form
orresponds to a oset of the dual spa e of V in the spa e of all quadrati
forms.
A bilinear form B is said to be non-degenerate if it has the properties
13
(a) if B(v; w) = 0 for all w 2 V then v = 0;
(b) if B(v; w) = 0 for all v 2 V then w = 0.
If B is skew-symmetri (or symmetri ), then ea h of these onditions implies
the other, and we need only assume one. A non-degenerate alternating bi-
linear form on V exists if and only if V has even dimension. For any su h
form, there is a basis fv
1
; : : : ; v
n
; w
1
; : : : ; w
n
g for V su h that
B(v
i
; v
j
) = 0 = B(w
i
; w
j
) for all i; j;
B(v
i
; w
i
) = 1 = �B(w
i
; v
i
) for all i;
B(v
i
; w
j
) = 0 = B(w
j
; v
i
) for i 6= j:
This is alled a symple ti basis. A linear transformation of V whi h preserves
the form B is alled symple ti ; the symple ti group is the group of all su h
transformations.
A quadrati form on an m-dimensional ve tor spa e is non-singular if it
annot be written as a form in fewer than m variables by any linear hange
of variables.
Equivalently, the only subspa e W with the property that Q vanishes on
W and B(v; w) = 0 for all v 2 V and w 2 W is the zero subspa e. (Here B
is the bilinear form obtained by polarising Q.) If the �eld has hara teristi
di�erent from 2, then Q is non-singular if and only if B is non-degenerate;
but this is not true over Z
2
, as we will see. In the ase of an even-dimensional
ve tor spa e over Z
2
, we will see that a quadrati form Q is non-singular if
and only if the bilinear form obtained by polarisation is non-singular.
Given a subspa e U of V , we set
U
?
= fx 2 V : B(x; u) = 0 for all u 2 Ug:
The non-singularity of B guarantees that
dim(U) + dim(U
?
) = dimV;
but unlike the Eu lidean ase it is not true in general that V = U � U
?
,
sin e we may have U \ U
?
6= f0g. A subspa e U of V is said to be totally
isotropi if B vanishes identi ally on U , in other words, if U � U
?
.
A ve tor x is said to be singular for the quadrati form Q if Q(x) = 0. A
subspa e U is totally singular if Q vanishes identi ally on U . By polarising
14
the restri tion of Q to U , we see that a totally singular subspa e is totally
isotropi ; but the onverse is not true. (Any 1-dimensional subspa e is totally
isotropi , but the span of a non-singular ve tor is not totally singular.)
Here is a small example. Take a 2-dimensional ve tor spa e over Z
2
, with
typi al ve tor (x
1
; x
2
). The four quadrati forms 0, x
2
1
, x
2
2
and x
2
1
+ x
2
2
=
(x
1
+ x
2
)
2
are all singular, and are in fa t equal to the four linear forms 0,
x
1
, x
2
and x
1
+ x
2
. The other four forms x
1
x
2
, x
1
x
2
+ x
2
1
= x
1
(x
1
+ x
2
),
x
1
x
2
+ x
2
2
= x
2
(x
1
+ x
2
), and x
1
x
2
+ x
2
1
+ x
2
2
, are non-singular, and polarise
to the bilinear form x
1
y
2
+ x
2
y
1
. The �rst three are equivalent under linear
hange of variable; ea h has value 0 at three of the four ve tors and 1 at the
fourth. The last form takes the value 1 at all three non-zero variables.
Let Q be a quadrati form on V = Z
n
2
.
A subspa e W of V is anisotropi if, for all w 2 W , we have Q(w) = 0 if
and only if w = 0.
A hyperboli plane is a subspa e U = he; fi with Q(e) = Q(f) = 0 and
B(e; f) = 1 (So we have Q(xe + yf) = xy.)
Two quadrati forms Q
1
on V
1
and Q
2
on V
2
are equivalent if there is an
invertible linear map T : V
1
! V
2
su h that Q
2
(vT ) = Q
1
(v) for all v 2 V
1
.
The next result gives the lassi� ation of non-singular quadrati forms.
Theorem 2.1 (a) An anisotropi spa e has dimension at most 2.
(b) Let Q be a quadrati form on V . Then
V =W � U
1
� � � � � U
r
;
where W is anisotropi , U
1
; : : : ; U
r
are hyperboli planes, and the sum-
mands are pairwise orthogonal.
( ) If quadrati forms Q
1
; Q
2
on V
1
; V
2
give rise to de ompositions
V
1
= W
1
� U
11
� � � � � U
1r
;
V
2
= W
2
� U
21
� � � � � U
2s
;
as in (b), then Q
1
and Q
2
are equivalent if and only if r = s and
dim(W
1
) = dim(W
2
).
As a result we see that quadrati forms over Z
2
are determined up to
equivalen e by two invariants, the number r of hyperboli planes (whi h is
15
alled the Witt index ), and the dimension of the anisotropi part. We say
that the form has type +1, 0 or �1 a ording as dim(W ) = 0, 1 or 2. Note
that the bilinear form obtained by polarising Q is non-degenerate if and only
if Q has non-zero type (that is, if and only if dim(V ) is even).
Proof (a) If W is anisotropi , then the polarisation formula shows that
B(u; v) = 1 for all distin t non-zero u; v 2 W . If u; v; w were linearly inde-
pendent, then
1 = B(u; v + w) = B(u; v) +B(u; w) = 0;
a ontradi tion. So dim(W ) � 2.
(b) The proof is by indu tion on dim(V ), the ase where V = f0g being
trivial. If V is anisotropi , there is nothing to prove. So we may suppose that
there is a ve tor u 2 V with u 6= 0 and Q(u) = 0. Sin e Q is non-singular,
there is a ve tor v with B(u; v) = 1. Then Q(v)+Q(u+v) = 1, and so either
Q(v) = 0 or Q(u+v) = 0. Thus, U
1
= hu; vi is a hyperboli plane. Moreover,
dim(U
?
1
) = dim(V )� 2, and it is easily he ked that the restri tion of Q to
U
?
1
is non-singular. By the indu tion hypothesis, U
?
1
has a de omposition of
the type spe i�ed, and we are done.
( ) It is lear that the ondition given is suÆ ient for equivalen e; we must
show that it is ne essary. It is also lear that equivalent quadrati forms are
de�ned on spa es of the same dimension; so we must prove that they have
the same Witt index. This follows immediately from the next lemma.
Lemma 2.2 The Witt index of a quadrati form is equal to the maximum
dimension of any totally singular subspa e.
Proof Let
V = W � U
1
� � � � � U
r
;
where W is anisotropi , U
1
; : : : ; U
r
are hyperboli planes, and the summands
are pairwise orthogonal. Let U
i
= hu
i
; v
i
i, where Q(u
i
) = Q(v
i
) = 0 and
B(u
i
; v
i
) = 1. Then X = hu
1
; : : : ; u
r
i is totally singular and has dimension r.
We have to show that no larger totally singular subspa e exists. This is
proved by indu tion on r; it is true when r = 0 (sin e then V is anisotropi ).
So let X be a totally isotropi subspa e, with dim(S) = s > 0.
Choose a non-zero ve tor x 2 X. As in the proof of the theorem, we
an take x to lie in one of the hyperboli planes, say U
1
. Now Q indu es
16
a non-singular quadrati form Q on V = hxi
?
=hxi, and learly this spa e
has Witt index r � 1; moreover, X=hxi is a totally singular subspa e, with
dimension s� 1. By the indu tive hypothesis, s� 1 � r � 1, so s � r.
Finally, if X is maximal totally singular in V , then X is maximal totally
singular in V ; in this ase, the indu tive hypothesis shows that s�1 = r�1,
so that s = r, as required.
>From now on, we onsider only non-singular quadrati forms on spa es
of even dimension. A form of type +1 in 2n variables is equivalent to
x
1
x
2
+ x
3
x
4
+ � � �+ x
2n�1
x
2n
;
while a form of type �1 is equivalent to
x
1
x
2
+ x
3
x
4
+ � � �+ x
2
2n�1
+ x
2n�1
x
2n
+ x
2
2n
:
Theorem 2.3 For � = �1, let Q be a quadrati form of type � on a ve tor
spa e V of even dimension 2n over Z
2
. Then there are 2
n�1
(2
n
+ �) ve tors
v 2 V su h that Q(v) = 0.
Proof The proof is by indu tion on n. We begin with n = 1. On a 2-
dimensional spa e Z
2
2
, the quadrati form x
1
x
2
has Witt index 1 (so type
+1) and has three zeros (0; 0), (1; 0) and (0; 1). The form x
2
1
+ x
1
x
2
+ x
2
2
has
Witt index 0 (the spa e is anisotropi ), so type �1, and vanishes only at the
origin.
Now assume the result for n � 1. Write V = U � V
0
, where U is a
hyperboli plane and dim(V
0
) = 2(n� 1); the restri tion of Q to V
0
has the
same type as Q, say �. So Q has (2
n�2
(2
n�1
+ �) zeros in V
0
. Sin e U and V
0
are orthogonal, we have Q(u+ w) = Q(u) +Q(w) for u 2 U , w 2 V
0
. Thus,
Q(u + w) = 0 if and only if either Q(u) = Q(w) = 0 or Q(u) = Q(w) = 1.
So there are
3 � 2
n�2
(2
n�1
+ �) + 2
n�2
(2
n�1
� �) = 2
n�1
(2
n
+ �)
zeros, as required.
This gives an alternative proof of Theorem 2.1( ), sin e the two types of
quadrati form on an even-dimensional ve tor spa e have di�erent numbers
of zeros, and annot be equivalent.
Finally, we ount the number of maximal totally isotropi or totally sin-
gular subspa es.
17
Theorem 2.4 (a) Let B be a symple ti form on a ve tor spa e V of di-
mension 2n over Z
2
. Then the number of subspa es of V of dimension n
whi h are totally isotropi with respe t to B is
n
Y
i=1
(2
i
+ 1):
(b) Let Q be a quadrati form of type +1 (that is, of Witt index n) on a
ve tor spa e V of dimension 2n over Z
2
. Then the number of subspa es
of V of dimension n whi h are totally singular with respe t to Q is
n�1
Y
i=0
(2
i
+ 1):
Proof (a) The proof is by indu tion on n, the result being trivially true
when n = 0. Suppose that it holds for spa es of dimension 2(n � 1), and
let V have dimension 2n. For any non-zero ve tor v 2 V , the spa e v
?
=hvi
has dimension 2(n � 1) and arries a symple ti form. By the indu tion
hypothesis, v lies in N =
Q
n�1
i=1
(2
i
+1) totally isotropi n-spa es in V . Sin e
there are (2
n
+1)(2
n
�1) non-zero ve tors, and ea h totally isotropi n-spa e
ontains (2
n
� 1) of them, double ounting shows that the number of su h
spa es is (2
n
+ 1)N , as required.
(b) The argument is similar. Assume the result for spa es of dimen-
sion 2(n � 1), and let V have dimension 2n. By Theorem 2.3, the number
of non-zero singular ve tors is (2
n�1
+ 1)(2
n
� 1), and ea h totally singular
n-spa e ontains 2
n
� 1 of them, so the indu tion works as in ase (a).
Exer ise 2.1 Let Q be a quadrati form in 2n variables with Witt index n�
1. How many totally singular (n� 1)-subspa es are there for Q?
3 Reed{Muller odes
This se tion gives a very brief a ount of Reed{Muller odes, whi h are very
losely onne ted with aÆne geometry over Z
2
.
Let V be a ve tor spa e of dimension n over Z
2
. We identify V with Z
n
2
,
and write a typi al ve tor as v = (x
1
; : : : ; x
n
). We regard the 2
n
ve tors in
18
V as being ordered in some way, say v
1
; v
2
; : : : ; v
2
n
. Now nay binary word of
length N = 2
n
, say (
1
; : : : ;
n
), an be thought of as a fun tion f from V to
Z
2
(where f(v
i
) =
i
for i = 1; : : : ; N).
Lemma 3.1 Any fun tion from V to Z
2
an be represented as a polynomial
in the oordinates (x
1
; : : : ; x
n
), in whi h no term ontains a power of x
i
higher
than the �rst, for any i.
Proof It is enough to show this for the fun tion f = Æ
a
given by
Æ
a
(v) =
�
1 if v = a,
0 otherwise,
for a 2 V , sin e any fun tion is a sum of fun tions of this form (spe i� ally,
f =
X
a2V
f(a)Æ
a
:
But, if a = (a
1
; : : : ; a
n
), then we have
Æ
a
(v) =
n
Y
i=1
(x
i
� a
i
� 1);
where v = (x
1
; : : : ; x
n
).
Corollary 3.2 The monomial fun tions f
I
on V are linearly independent
for I � f1; : : : ; ng, where
f
I
(v) =
Y
i2I
x
i
for v = (x
1
; : : : ; x
n
).
Proof These 2
n
fun tions span the 2
n
-dimensional spa e of all fun tions
from V to Z
2
.
For 0 � r � n, the rth order Reed{Muller ode of length N = 2
n
is
spanned by the set of polynomial fun tions of degree at most r on V = Z
n
2
.
It is denoted by R(n; r).
The next result summarises the properties of Reed{Muller odes.
19
Theorem 3.3 (a) R(n; r) is a
"
N = 2
n
; k =
r
X
i=0
�
n
i
�
; d = 2
n�r
#
ode.
(b) R(n; r)
?
= R(n; n� r � 1).
Proof (i) The ode has length N = 2
n
by de�nition, and dimension k =
P
r
i=0
�
n
i
�
sin e this is the number of monomials of degree at most r.
(ii) Next we prove part (b). Sin e
dim(R(n; r)) + dim(R(n; n� r � 1)) = 2
n
;
it is enough to prove that these odes are orthogonal, and hen e enough to
prove it for their spanning sets. Now, if f and f
0
are monomials of degrees
at most r, n� r � 1 respe tively, then there is a variable (say x
n
) o urring
in neither of them, and so the values of f and f
0
are una�e ted by hanging
x
n
from 0 to 1. Thus, the interse tion of the supports of f and f
0
has even
ardinality, and so f � f
0
= 0.
(iii) Finally, we establish that R(n; r) has minimum weight 2
n�r
by in-
du tion on r. This is true for r = 0 sin e R(n; 0) onsists of the all-0 and
all-1 words only. So assume the result for r � 1.
Take f 2 R(n; r): we must show that the support of f has size at least
2
n�r
. By the indu tion hypothesis, we may assume that f =2 R(n; r� 1). By
(b), there is a monomial of degree n�r not orthogonal to f ; we may suppose
that it is x
1
� � �x
n�r
. Thus, if S is the support of f , and
A = f(x
1
; : : : ; x
n
) 2 V : x
1
= � � � = x
n�r
= 1g;
then jS\Aj is odd. Now A is an aÆne at in V of dimension r. So the union
of any two translates of A is an aÆne at of dimension r + 1, and supports
a word in R(n; n � r � 1) = R(n; r)
?
; so jS \ (A [ (A + v))j is even for all
v =2 A. Thus, jS \ (A + v)j is odd for all v 2 V . In parti ular, S meets all
2
n�r
distin t translates of A, so jSj � 2
n�r
, and we are done.
Corollary 3.4 The ode R(n; n� 2) is equivalent to the extended Hamming
ode H(n; 2) of length 2
n
.
20
Proof If we pun ture this ode in one position, we obtain a [2
n
� 1; 2
n
�
n � 1; 3℄ linear ode. This ode is equivalent to a Hamming ode: for its
minimum weight is 3, so the olumns of its parity he k matrix are pairwise
linearly independent; and the number of olumns is 2
n
�1, so every non-zero
n-tuple o urs on e.
The weight enumerator of R(n; 1) is
x
2
n
+ (2
n+1
� 2)x
2
n�1
y
2
n�1
+ y
2
n
:
For this ode ontains the all-0 and all-1 words, and also the linear fun -
tions and their omplements (ea h of whi h have weight 2
n�1
). This ode is
equivalent to the dual extended Hamming ode.
Note that, if we shorten this ode, we obtain the dual Hamming ode,
whi h (as we have seen) is a onstant-weight ode.
We will be parti ularly interested in the se ond-order Reed{Muller ode
R(n; 2). Sin e x
2
= x for all x 2 Z
2
, every linear fun tion on V is quadrati ,
and we have the following des ription:
R(n; 2) = fQ+ : Q a quadrati form on V; 2 Z
2
g:
Re all that two quadrati forms polarise to the same bilinear form if and
only if they di�er by a linear form. This means that the osets of R(n; 1) in
R(n; 2) are in one-to-one orresponden e with the alternating bilinear forms
on V .
The weight enumerators of these odes are known. They are al ulated
by the following series of steps:
� Choose m � (n=2). Count the number of subspa es W of V of odi-
mension 2m.
� Count the number of symple ti forms (non-degenerate alternating bi-
linear forms) on the 2m-dimensional spa e V=W . Ea h su h form ex-
tends uniquely to an alternating form on V with radi al W . Let B be
su h a form.
� There are 2
2m
quadrati forms on V whi h polarise to V and are zero
on W . Su h a form has weight 2
n�1
+ �2
n�m�1
. Adding the all-1 word,
we obtain a word of weight 2
n�1
� �2
n�m�1
. So we obtain 2
2m
words of
ea h su h weight.
21
� Any other quadrati form whi h polarises to B indu es a non-zero linear
form onW . Su h a form has weight 2
n�1
. We obtain 2
n+1
�2
2m+1
forms
of weight 2
n�1
.
� Add the ontributions from the last two steps, multiply by the fa tors
oming from the �rst two steps, and sum over m, to �nd the weight
enumerator of R(n; 2)
Exer ise 3.1 Show that the ode obtained by shortening the extended Go-
lay ode on the eight positions of an o tad is equivalent to R(4; 1), while the
ode obtained by pun turing on these positions is equivalent to R(4; 2).
Exer ise 3.2 Cal ulate the weight enumerator of R(5; 2)
(a) using the method outlined above;
(b) using Theorem 3.3 and Gleason's Theorem (Theorem 1.6).
Exer ise 3.3 Show that a oset of R(n; 1) in R(n; 2) ontains words of at
most three di�erent weights, and that only two weights o ur if and only if
the bilinear form indexing the oset is non-degenerate.
(Su h a oset is alled a two-weight oset.)
Exer ise 3.4 Prove that the blo ks of the design D(C) formed by the words
of minimum weight in the se ond-order Reed{Muller ode C = R(2; n) are
the (n�2)-dimensional aÆne ats in AG(n; 2). Dedu e that D is a 3-design.
4 Self-dual odes
We now apply these results to the problem of ounting self-dual and doubly
even self-dual binary odes.
A binary self-dual ode C of length n has the property that all its words
have even weight. This means that the all-1 word 1 is orthogonal to every
word in C, that is, C � h1i
?
. Sin e C is self-dual, 1 2 C.
Now let W = h1i
?
, the even-weight sub ode of GF(2)
n
. Then x � x = 0
for all x 2 W , so the dot produ t is an alternating bilinear form on W . It is
not non-degenerate, sin e 1 lies in its radi al; but it indu es a non-degenerate
bilinear form B on the (n � 2)-dimensional spa e V = W=h1i. Now a ode
C ontaining 1 is self-orthogonal if and only if C = C=h1i is totally isotropi
for B; so C is self-dual if and only if C is maximal totally isotropi . Thus,
from Theorem 2.4, we have:
22
Theorem 4.1 The number of binary self-dual odes of length n = 2m is
m�1
Y
i=1
(2
i
+ 1):
>From this theorem, the numbers of binary self-dual odes of length 2, 4,
6, 8 is 1, 3, 15, 135 respe tively.
For n < 8, the only self-dual odes are dire t sums of opies of the rep-
etition ode of length 2. The number of odes of this form is equal to the
number of partitions of the set of oordinates into subsets of size 2, whi h
is 1, 3, 15, 105 for n = 2, 4, 6, 8. So for n = 8, there are 30 further odes,
whi h as we shall see are all equivalent to the extended Hamming ode of
length 8.
For any two binary words x and y, we have
wt(x + y) = wt(x) + wt(y)� 2wt(x \ y):
Now wt(x\ y) � (x � y)mod 2. So, if x has even weight, and n is divisible by
4, then we an set Q(x) =
1
2
wt(x) mod 2; we have Q(x) = Q(1+ x), so Q is
well-de�ned on V , and we have
Q(x + y) = Q(x) +Q(y) +B(x; y):
In other words, Q is a quadrati form on V whi h polarises to B. Further-
more, a ode C is doubly even if and only if C is totally singular (with
respe t to Q), and C is doubly even self-dual if and only if C is maximal
totally singular of dimension n� 1.
Thus, from Theorem 2.4(b), we have:
Theorem 4.2 The number of doubly-even self-dual odes of length n = 2m
divisible by 8 is
m�2
Y
i=0
(2
i
+ 1):
This shows that there are indeed 30 doubly-even self-dual odes of length 8
(all equivalent to the extended Hamming ode).
23
Exer ise 4.1 Verify that tthere are 30 odes of length 8 equivalent to the
extended Hamming ode by showing that the automorphism group of the
ode has index 30 in the symmetri group S
8
.
Exer ise 4.2 Count the number of binary words of length n with weight
divisible by 4. [Hint: Let a and b be the numbers of words whi h have weight
ongruent to 0 or 2 mod 4 respe tively. Then a + b = 2
n�1
. Cal ulate a� b
by evaluating the real part of (1 + i)
n
.℄
Hen e show that the quadrati form q de�ned earlier has Witt index n�1
if n � 0 mod 8, and n� 2 if n � 4 mod 8.
This gives an alternative proof that doubly even self-dual odes must have
length divisible by 8.
Exer ise 4.3 Classify doubly-even self-dual odes of length 16. Use Theo-
rem 4.2 to show that your lassi� ation is omplete.
5 Bent fun tions
Let n be even, say n = 2m. The ode R(n; 1) has strength 3 (sin e, by
Theorem 3.3, its dual has minimum weight 4). By Theorem 1.8, its overing
radius is at most 2
2m�1
� 2
m�1
. This bound is attained. For, if Q is a non-
singular quadrati form, then the distan es from Q to words of R(n; 1) are
equal to the weights of words in the oset R(n; 1)+Q, and we have seen that
these weights are 2
2m�1
� 2
m�1
.
Let n = 2m, and let V = Z
n
2
. A fun tion f : V ! Z
2
is alled a bent
fun tion if its minimum distan e from R(n; 1) is 2
2m�1
� 2
m�1
.
As the name ( oined by Rothaus [23℄) suggests, a bent fun tion is a
fun tion whi h is at the greatest possible distan e from the linear fun tions.
As we observed, a non-singular quadrati form is a bent fun tion. In fa t,
a quadrati form is a bent fun tion if and only if it is non-singular; and there
are just two su h fun tions up to equivalen e.
Bent fun tions of higher degree exist: see the Exer ises. The problem
of lassifying bent fun tions appears to be hopeless. Various authors have
atta ked this problem for reasonably small numbers of variables; see [19, 2℄.
Bent fun tions have a range of appli ations, both theoreti al and pra -
ti al. Here is one example. Let f be a bent fun tion. Then R(n; 1) + f is
a two-weight oset of R(n; 1). (This follows from the remark following the
24
proof of Theorem 1.8(b): the weights are 2
2m�1
� 2
m�1
.) Conversely, any
two-weight oset onsists of bent fun tions.
Theorem 5.1 (a) Let B be the set of supports of all words whi h have
weight 2
2m�1
�2
m�1
in a two-weight oset ofR(n; 1). Then the stru ture
(V;B) is a 2-(2
2m
; 2
2m�1
� 2
m�1
; 2
2m�2
� 2
m�1
) design.
(b) A design with the parameters given in (a) arises from a two-weight oset
of R(n; 1) if and only if it has the following property: the symmetri
di�eren e of any three blo ks of the design is either a blo k or the om-
plement of a blo k.
Part (a) of this theorem appears in a number of pla es. Part (b) is due
to Kantor [16℄, who alls his ondition the symmetri di�eren e property.
See also [3℄ for another appli ation of bent fun tions.
Exer ise 5.1 Show that the fun tion
x
1
x
2
+ x
3
x
4
+ � � �+ x
2m�1
x
2m
+ x
1
x
3
� � �x
2m�1
is a bent fun tion.
6 Kerdo k odes
We have seen that, if Q is a quadrati form whi h polarises to a bilinear form
of rank 2m, then the weight of Q is 2
n�1
� 2
n�m�1
or 2
n�1
; in parti ular, it
is at least 2
n�1
� 2
n�m�1
.
Let B be a set of alternating bilinear forms on V . Let K(B) denote the
set
fQ+ : Q
�
2 B; 2 Z
2
g
of fun tions on V , where Q
�
is the bilinear form obtained by polarising Q.
Then K(B) is a
(N = 2
n
;M = 2
n+1
jBj; d = 2
n�1
� 2
n�m�1
)
ode, where 2m is the minimum rank of the di�eren e of two forms in B. In
parti ular, to make d as large as possible, we should require that n is even
and the di�eren e of any two forms in B is non-degenerate. (We all su h
a set B a non-degenerate set.) Furthermore, the ode K(B) is linear if and
only if B is losed under addition.
25
Lemma 6.1 A non-degenerate set of alternating bilinear forms on a 2m-
dimensional ve tor spa e has ardinality at most 2
2m�1
.
Proof Ea h form an be represented by a skew-symmetri matrix with
zero diagonal: if fe
1
; : : : ; e
2m
g is a basis for V , the (i; j) entry of the matrix
representing B is B(e
i
; e
j
). Now, if B � B
0
is non-degenerate, then the �rst
rows of the matri es representing B and B
0
are unequal. Sin e there are at
most 2
2m�1
possible �rst rows (remember that the diagonal entry is zero),
there are at most 2
2m�1
forms in a non-degenerate set.
AKerdo k set is a non-degenerate set of bilinear forms on a 2m-dimensional
ve tor spa e V over Z
2
, having ardinality 2
2m�1
, that is, attaining the upper
bound. A Kerdo k ode is a ode of the form K(B), where B is a Kerdo k
set. Thus, it is a (2
2m
; 2
4m
; 2
2m�1
� 2
m�1
) ode.
It an be shown that, for m > 1, a Kerdo k ode must be non-linear.
(The largest additively losed non-singular set has ardinality 2
m
; we will
onstru t it in the next se tion. In the ase m = 2, the unique example of a
Kerdo k ode is the Nordstrom{Robinson ode, a (16; 256; 6) ode. The �rst
onstru tion for all m was given by Kerdo k [17℄. A simpli�ed onstru tion
by Dillon, Dye and Kantor is presented in [8℄, Chapter 12.
Although Kerdo k odes are non-linear, they have re ently been \lin-
earised" in a remarkable way by Hammons et al. [15℄. This is the subje t of
the last se tion.
Sin e non-quadrati bent fun tions exist, it is natural to ask whether
`Kerdo k sets' of higher degree an exist too. So far, no examples have been
found.
Exer ise 6.1 Let O = f1; 2; : : : ; 8g be an o tad in the extended Golay ode
G
24
. Consider the set of words of G
24
whose supports interse t O in one of
the following eight sets:
;; f1; 2g; f1; 3g; : : : ; f1; 8g:
Now restri t these words to the omplement of O. Show that the result is a
(16; 256; 6) ode, and identify it with a Kerdo k ode.
Show that, if we use instead the set
;; f1; 2g; f1; 3g; f2; 3g;
we obtain a linear [16; 7; 6℄ ode.
26
7 Some resolved designs
Some in�nite families of systems of linked symmetri BIBDs (or SLSDs,
for short) were onstru ted by Cameron and Seidel [9℄. The smallest of
these systems was used by Pree e and Cameron [21℄ to onstru t ertain
resolvable designs (whi h they alled fully-balan ed hyper-grae o-latin Youden
`squares' ). For example, they gave a 6 � 16 re tangle, in whi h ea h ell
ontains one letter from ea h of three alphabets of size 16, satisfying a number
of onditions, in luding:
� No letter o urs more than on e in ea h row or olumn of the re tangle.
� The sets of letters from ea h of the three alphabets in the olumns of
the re tangle form a 2-(16; 6; 2) design.
� Ea h pair of alphabets arry a 2-(16; 6; 2) design, where two letters are
in ident if they o ur together in a ell of the re tangle.
� The number of olumns ontaining a given pair of letters from distin t
alphabets is 1 if the two letters are in ident, 3 otherwise.
In this se tion we onstru t an in�nite sequen e of su h designs.
A symmetri balan ed in omplete-blo k design (SBIBD) an, like any
in iden e stru ture, be represented by a graph (its in iden e graph or Levi
graph). The vertex set of the graph � is the disjoint union of two sets X
1
and X
2
, and ea h edge has one end in X
1
and the other in X
2
. If the design
is a 2-(v; k; �) design, the graph has the properties
� jX
1
j = jX
2
j = v;
� for fi; jg = f1; 2g, any point in X
i
has exa tly k neighbours in X
j
;
� for fi; jg = f1; 2g, any two points in X
i
have exa tly � neighbours in
X
j
.
>From su h a design, we obtain a resolved design with r = 2 lasses of
blo ks as follows: the treatments are the t = vk edges of �; for i = 1; 2, the
blo ks in the ith lass onsist of the sets of edges on ea h of the verti es of
X
i
(so that there are v blo ks of k in ea h lass).
Any regular bipartite graph has a 1-fa torisation, a partition of the edge
set into k lasses of v edges ea h, where the edges of ea h lass partition the
27
verti es. (This follows from Hall's Marriage Theorem.) This partition of the
edge set (treatment set) is orthogonal to the two blo k partitions. Using it,
we an represent the design by a Latin re tangle as follows. Number the
elements of X
i
from 1 to v for i = 1; 2, and number the 1-fa tors from 1 to
k; then the (i; j) entry in the k � v re tangle is the number of the vertex in
X
2
joined to the vertex j of X
1
by an edge of the 1-fa tor numbered i.
In the ase of a SBIBD arising from a di�eren e set in a group A, we
have an a tion of A on the graph � so that the orbits are X
1
and X
2
and
the a tion on ea h orbit is regular. In this ase, A permutes the edges in k
orbits ea h of size v, forming the desired 1-fa torisation.
A system of linked SBIBDs, or SLSD for short, an be represented by a
multipartite graph � with r lasses X
1
; : : : ; X
r
, satisfying the onditions
� for any distin t i; j, the indu ed subgraph on X
i
[X
j
is the in iden e
graph of a SBIBD (with partsX
i
andX
j
), having parameters 2-(v; k; �)
independent of i and j;
� there exist integers x and y su h that, for any distin t i; j; k, and any
verti es p
i
2 X
i
and p
j
2 X
j
, the number of ommon neighbours of p
i
and p
j
in X
k
is equal to x if p
i
and p
j
are adja ent, and to y otherwise.
We annot onstru t a resolved design from a SLSD unless an extra on-
dition holds. A full lique in a SLSD is a set of verti es, ontaining one from
ea h of the sets X
i
, whose verti es are pairwise adja ent. (So a full lique
ontains r verti es.) A full lique over is a set of full liques with the prop-
erty that every edge is ontained in exa tly one full lique in the set. (So
the number of full liques in a full lique over is vk.) Now if we have a full
lique over of a SLSD, we onstru t a design as follows: the treatments are
the t = vk full liques; for i = 1; : : : ; r, the blo ks in the ith lass are the sets
of full liques in the over ontaining ea h of the verti es in X
i
. Ea h of the
r blo k lasses ontains v blo ks of size k.
A 1-fa tor is a set of v full liques overing all verti es just on e; a 1-
fa torisation is a partition of the full liques into 1-fa tors. (Thus, it is a
partition of the treatments into k sets of v, whi h is orthogonal to ea h blo k
partition.) I do not know whether 1-fa torisations always exist. However,
if there is a group A of automorphisms whose orbits are X
1
; : : : ; X
r
and
whi h a ts regularly on ea h orbit, then the orbits of A on full liques form
a 1-fa torisation.
28
If we have a 1-fa torisation, then we an represent the design by a k � n
re tangle whose entries are (r � 1)-tuples, similarly to before. We number
the elements of ea h set X
i
from 1 to n, and the 1-fa tor from 1 to k; then
the (i; j) entry of the re tangle is the (r� 1)-tuple (l
2
; : : : ; l
r
), where l
i
is the
point of X
i
lying in a full lique of the ith 1-fa tor with the jth point of X
1
.
This is the representation used in [21℄.
The onstru tion of the designs is based on properties of bilinear and
quadrati forms over F = GF(2). Let B be any alternating bilinear form
on a 2n-dimensional ve tor spa e over F . The set Q(B) of quadrati forms
whi h polarise to B has 2
2n
members. If Q is one member of this set, then
all others an be obtained by adding linear forms to Q. Suppose that B is
non-degenerate. Then any linear form an be written as L(x) = B(v; x) for
some ve tor v 2 V . So
Q(B) = fQ(x) +B(v; x) : v 2 V g = fQ(x+ v) +Q(v) : v 2 V g:
Let X = fx 2 V : Q(x) = 0g be the set of zeros of Q. Then the set of zeros
of Q(x)+B(v; x) is obtained by translating X by v, and omplementing this
set in V if Q(v) = 1. So any quadrati form in Q(B) has either N or 2
2n
�N
zeros, for some N . We an take N = 2
2n�1
+ �2
n�1
, where � = �1; the form
Q has type � if it has 2
2n�1
+ �2
n�1
zeros (Theorem 2.3).
Now the set X of zeros of Q is a di�eren e set in the additive group of
the ve tor spa e V , and so gives rise to a symmetri BIBD, whose points are
the ve tors in V and whose blo ks are the translates of X; as we have seen,
these are the zero sets of the quadrati forms in Q(B), omplemented in the
ase of forms of type opposite to that of B.
This design has a more symmetri al des ription, as follows. (The proof
that this is the same is an exer ise, or is given in [9℄.) Let B
1
and B
2
be two
alternating bilinear forms on V , whose di�eren e B
1
�B
2
is non-degenerate.
Then the points and blo ks of the SBIBD are the sets Q(B
1
) and Q(B
2
)
respe tively; a point Q
1
and blo k Q
2
are in ident in the design D
�
if and
only if the form Q
1
�Q
2
(whi h is non-singular) has type �.
The design D
�
has v = 2
2n
, k = 2
2n�1
+ �2
n�1
and � = 2
2n�2
+ �2
n�1
.
Let V be a ve tor spa e of dimension 2n over the �eld F = GF(2). Given
a non-degenerate set B of alternating bilinear forms and a value � = �1, we
de�ne a SLSD S
�
(B) as follows: the elements are the quadrati forms in the
sets Q(B) for B 2 B; forms Q
i
2 Q(B
i
) and Q
j
2 Q(B
j
) are in ident if
Q
i
� Q
j
has type �. It follows from the des ription of the designs that the
29
�rst ondition in the de�nition of a SLSD is satis�ed; see [9℄ for a proof that
the se ond ondition holds too.
The largest non-degenerate sets are the Kerdo k sets; but these do not
have full lique overs in general. However, there is a onstru tion whi h
produ es sets of ardinality 2
n
; it is these whi h we use.
Let K = GF(2
n
). There is a F -linear map from K onto F , the tra e map,
given by
Tr(x) = x + x
2
+ x
2
2
+ � � �+ x
2
n�1
:
(Note that x
2
n
= x for all x 2 K.)
Let V be a 2-dimensional ve tor spa e over K. By restri ting s alars
from K to F , V be omes a 2n-dimensional ve tor spa e over F . If b is an
alternating bilinear form on V as K-spa e, then B = Tr(b) is an alternating
bilinear form on V as F -spa e; and B is non-degenerate if and only if b is.
Similarly, the tra es of the quadrati forms (on the K-spa e V ) polarising to
b are pre isely the quadrati forms (on the F -spa e V ) polarising to B.
Now take b to be any non-degenerate alternating bilinear form on the
K-spa e V (for example, take b((x
1
; x
2
); (y
1
; y
2
)) = x
1
y
2
� x
2
y
1
). Then �b is
also a non-degenerate alternating bilinear form, for any non-zero � 2 K. We
have
Tr(�
1
b)� Tr(�
2
b) = Tr((�
1
� �
2
)b)
for �
1
6= �
2
. So the 2
n
forms
fTr(�b) : � 2 Kg
omprise a non-degenerate set of ardinality 2
n
, and so give rise to a SLSD
with r = 2
n
.
We must now produ e the full lique over and its 1-fa torisation. The
argument uses a little group theory.
The expli it form of b given in the last se tion is the determinant of the
matrix
�
x
1
x
2
y
1
y
2
�
. It follows from this that the spe ial linear group SL(2; 2
n
)
of 2� 2 matri es of determinant 1 over K preserves b, and hen e ea h of the
forms Tr(�b). Thus the produ t A � SL(2; 2
n
), where A is the additive group
of V , a ts on the SLSD, �xing ea h of the sets X
1
; : : : ; X
r
. (In fa t it a ts
doubly transitively on ea h X
i
.)
The subgroup �xing a point p
i
of X
i
is a omplement to A in this produ t,
and so is isomorphi to SL(2; 2
n
); it is transitive on the remaining points of
30
X
i
and has two orbits on X
j
for all j 6= i, namely, the points in ident and
non-in ident to p
i
. If p
j
2 X
j
is a point in ident with p
i
, then the stabiliser of
p
i
and p
j
is a dihedral group of order 2(2
n
� �). Now all su h dihedral groups
in our group A � SL(2; 2
n
) are onjugate (they are the normalisers of Sylow
p-subgroups, where p is a prime divisor of 2
n
� �); so this subgroup �xes one
point p
l
in ea h set X
l
. Moreover, these points p
l
are pairwise in ident. For,
if p
l
and p
m
were not in ident, their stabiliser would be a dihedral group of
order 2(2
n
+ �); but this number does not divide 2(2
n
� �).
Now the set of all these points p
l
is a full lique. It is the unique full
lique ontaining p
i
and p
j
whi h is stabilised by a dihedral group of order
2(2
n
� �). So we have onstru ted a full lique over.
Now the orbits of the group A on these full liques form the required
1-fa torisation, as we des ribed earlier.
Exer ise 7.1 Complete the proof that a non-degenerate set of alternating
bilinear forms gives rise to a SLSD.
8 Extraspe ial 2-groups
An extraspe ial 2-group is a 2-group whose entre, derived group, and Frattini
subgroup all oin ide and have order 2. Su h a group E has order 2
2n+1
for
some n. If �(E) is the entre, then we an identify �(E) with the additive
group of F = Z
2
. Sin e squaring (the map e 7! e
2
) is a fun tion from E
to �(E), the fa tor group E is elementary abelian of order 2
2n
, and an be
identi�ed with the additive group of a 2n-dimensional ve tor spa e over F .
Now the stru ture of the group an be de�ned in terms of the ve tor
spa e. Commutation (the map (e; f) 7! [e; f ℄ = e
�1
f
�1
ef) is a fun tion
from E � E to �(E). Observing that [ez; f ℄ = [e; fz℄ = [e; f ℄ for z 2 �(E),
we see that it indu es a map from E�E to F . It is readily he ked that this
map is a non-singular alternating bilinear form B. (This explains why jEj is
an even power of 2.) We also have that (ez)
2
= e
2
for z 2 �(E), so squaring
indu es a quadrati form Q : E ! F , whi h polarises to B.
The ve tor spa e E, with the bilinear form B and quadrati form Q,
determine the stru ture of the extraspe ial group E. From the lassi� ation
of quadrati forms, we on lude that there are just two extraspe ial groups
of order 2
2n+1
for any n (up to isomorphism).
A subgroup S of E is normal in E if and only if it ontains �(E). For
su h a subgroup, S = S=�(E) is a subspa e of E. If we start with S < E we
31
ould have the orresponding S < E ontaining �(E) or not, but normality
of S does not matter in what follows. The following are immediate:
(a) S is abelian if and only if S is totally isotropi ;
(b) S is elementary abelian if and only if S is totally singular.
Consider the ase n = 1. The quadrati form x
1
x
2
orresponds to a
group generated by two elements of order 2 with produ t of order 4; this is
the dihedral group D
8
. The form x
1
x
2
+ x
2
1
+ x
2
2
orresponds to a group in
whi h all six non- entral elements have order 4; this is the quaternion group
Q
8
. The singular forms orrespond to groups whi h, while having a entral
subgroup of order 2 with elementary abelian quotient, are not extraspe ial;
x
2
1
orresponds to C
2
� C
4
, and 0 to C
2
� C
2
� C
2
.
Two extraspe ial 2-groups are isomorphi if and only if the orrespond-
ing quadrati forms are equivalent. So our lassi� ation of quadrati forms
(Theorem 2.1) gives the following result:
Theorem 8.1 For ea h m � 1, there are (up to isomorphism) just two
extraspe ial 2-groups of order 2
2m+1
.
The groups are determined by the quadrati forms. They an also be
des ribed in a more group-theoreti manner as follows.
Let G
1
, G
2
be groups, Z
1
; Z
2
subgroups of �(G
1
) and �(G
2
) respe tively,
and � : Z
1
! Z
2
an isomorphism. The entral produ t G
1
ÆG
2
of G
1
and G
2
with respe t to � is obtained from the dire t produ t G
1
�G
2
by identifying
ea h element z 2 Z
1
with its image z� 2 Z
2
; in other words, it is the group
G
1
ÆG
2
= (G
1
�G
2
)=N;
where N = f(z
�1
; z�) : z 2 Z
1
g.
Now if the quadrati forms Q
1
and Q
2
on V
1
and V
2
give rise to groups
E
1
and E
2
as above, and we take � to be the unique isomorphism from �(E
1
)
to �(E
2
), then the group asso iated with the form Q
1
+Q
2
on V
1
� V
2
is the
entral produ t E
1
Æ E
2
.
Hen e the two extraspe ial groups of order 2
2m+1
an be written as
D
8
ÆD
8
Æ � � � ÆD
8
ÆD
8
(m fa tors) and
D
8
ÆD
8
Æ � � � ÆD
8
ÆQ
8
(m fa tors).
32
Exer ise 8.1 Let Q be a non-singular quadrati form on a spa e of odd
dimension V over Z
2
. Show that Q vanishes on half of the ve tors in V .
Exer ise 8.2 Let Q be a (possibly singular) quadrati form on a ve tor
spa e V of dimension 2n over Z
2
, whi h polarises to B. The radi al of B is
de�ned to be the set
fv 2 V : B(v; w) = 0 for all w 2 V g:
(a) Show that the radi al has even dimension 2d.
(b) Show that the number of zeros of Q is
2
2n�1
+ �2
n+d�1
;
for some � 2 f+1; 0;�1g.
Exer ise 8.3 Prove that the quadrati forms
x
1
x
2
+ x
3
x
4
and
x
2
1
+ x
1
x
2
+ x
2
2
+ x
2
3
+ x
3
x
4
+ x
2
4
are equivalent.
Dedu e that D
8
ÆD
8
�
=
Q
8
ÆQ
8
.
9 Quantum omputing
We give a brief review of the on ept of publi -key ryptography, the RSA
system (its most popular realisation), and the relevan e a fast quantum algo-
rithm for fa torising large integers would have for this system. No attempts
at rigorous de�nitions of omplexity lasses or proofs of the assertions will
be given.
In any ryptosystem, the plaintext to be transmitted is en rypted by
some algorithm depending on additional data alled the key, to produ e
iphertext. The re ipient uses another algorithm to re over the plaintext
from the iphertext and key. The simplest example is the one-time pad, the
only provably se ure ipher system. The plaintext is �rst en oded as a string
33
of bits of length n, say a
1
a
2
: : : a
n
. The key onsists of a string b
1
b
2
: : : b
n
of n random bits, produ ed by some physi al randomising pro ess su h as
tossing oins. The en ryption algorithm is bitwise addition; so the iphertext
is
1
2
: : :
n
, where
i
= a
i
+ b
i
(addition mod 2). The de ryption algorithm
in this ase is identi al to the en ryption algorithm: add the key bitwise
(sin e
i
+ b
i
= a
i
). The iphertext is itself a random string of bits, so an
inter eptor without knowledge of the key is unable to gain any information.
(The se urity of this system was proved by Shannon.)
Note that both the sender and the re ipient must have the key, whi h
must be kept se ret from the inter eptor. The key must either be shared on
a previous o asion, or onveyed by a hannel whi h is known to be se ure.
Publi -key ryptography was invented by DiÆe and Hellman in 1975. (In
fa t, the same idea had been invented six years earlier by James Ellis, an em-
ployee of GCHQ, who was unable to publish it be ause of his employment.)
The idea is that the en ryption algorithm and the key are made publi , but
the de ryption is so demanding of omputational resour es that this knowl-
edge is of no use to the inter eptor. However, the re ipient (who publishes
the key) has some additional information, the se ret key, whi h makes the
de ryption mu h easier.
More formally, letM be the set of plaintext messages, C the set of ipher-
text messages, and K the set of keys. An en ryption system onsists of a pair
of fun tions, en ryption e : M � K ! C, and de ryption d : C � K ! M ,
su h that d(e(m; k); k) = m for all m 2 M and k 2 K. A publi -key system
also has a set S of se ret keys, and an inverse pair of fun tions p : S ! K
and q : K ! S su h that
� omputation of e(m; k) and p(s) are easy;
� omputation of d( ; k) and q(k) are diÆ ult;
� if q(k) is known, then omputation of d( ; k) is easy (in other words,
omputation of d( ; p(s)) is easy).
Ea h user i of the system sele ts an element s
i
2 S, omputes k
i
= p(s
i
),
and publishes the result. If user j wants to send a message m to user i, she
looks up k
i
in the publi dire tory, omputes = e(m; k
i
), and transmits
this iphertext. Now i omputes d(m; q(s
i
)) = d(m; k
i
) = m. An inter eptor
knows and k
i
but is fa ed with the diÆ ult tasks of either omputing
d(m; k
i
) dire tly or omputing s
i
= q(k
i
).
34
The RSA system works as follows. Ea h se ret key onsists of a pair p; q
of large prime numbers (of hundreds of bits), and an integer a oprime to
(p � 1)(q � 1). From this, by Eu lid's algorithm, one omputes b su h that
ab � 1 (mod (p � 1)(q � 1)). Now the publi key is the pair (N; a), where
N = pq. The en ryption algorithm takes the message m, whi h is en oded
as an integer less than N , and omputes the iphertext = m
a
mod N . The
possessor of the se ret key an de rypt this by raising it to the power b mod
N , sin e
b
= m
ab
� m
1
= m mod N:
(We use the fa t that �(N) = (p � 1)(q � 1), and Fermat's Little Theorem
asserting that m
�(N)
� 1 (mod N).
Of the inter eptor's two strategies, the se ond ( al ulating the se ret key)
involves fa torising N , so that b an also be al ulated. It is thought that,
for most hoi es of se ret key, the �rst strategy (de rypting using the publi
key) is also equivalent to fa torising N . An intermediate strategy would be
to �nd b su h that m
ab
� m (mod N) for all m. This amounts to �nding
u su h that m
u
� 1 (mod N), for then b an be found by the Eu lidean
algorithm. But the smallest su h u is the least ommon multiple of (p � 1)
and (q � 1); knowledge of this determines (p� 1)(q � 1) and hen e p and q.
So the se urity of the method depends on the assumption that fa torising
large numbers is a hard problem.
In a dramati re ent development, Peter Shor gave a randomised algo-
rithm for fa torising an integer in polynomial time on a quantum omputer.
We give only a brief a ount of quantum omputing: see [22℄ for more details.
Classi ally, a single bit of information an take either the value 0 or
1, whi h we regard as lying in the set Z
2
. By ontrast, a quantum state
an be a superposition, or linear ombination, of these two opposite states,
with omplex oeÆ ients. A ordingly, a qubit, or quantum bit, lives in a
2-dimensional Hilbert spa e (a ve tor spa e over the omplex numbers with
Hermitian inner produ t). A state is a 1-dimensional subspa e, whi h we
normally represent by a unit ve tor spanning it. So we take an orthonormal
basis of the spa e to onsist of the two ve tors e
0
and e
1
, orresponding to
the values zero and one of the qubit. An arbitrary state of the qubit is
represented by �e
0
+ �e
1
, where j�j
2
+ j�j
2
= 1.
A ording to the usual interpretation of quantum me hani s, we annot
observe the state dire tly. We an make a measurement, orresponding to a
Hermitian (self-adjoint) operator on the spa e. The result of the measure-
35
ment will be an eigenvalue of the operator. This result is not deterministi ;
di�erent results will o ur with appropriate probabilities. For example, we
ould measure the qubit in our example. The measurement ould orrespond
to the operator of orthonormal proje tion onto the spa e spanned by e
1
(in
matrix form,
�
0 0
0 1
�
). The eigenvalues of this operator are 0 and 1, orre-
sponding to the eigenve tors e
0
and e
1
. If the system is in the state �e
0
+�e
1
,
then we obtain the result 0 with probability j�j
2
, and the result 1 with prob-
ability j�j
2
. However, the measurement hanges the state of the system;
after the measurement, the system is in a state spanned by an eigenve tor
orresponding to the eigenvalue obtained in the measurement. (If we �nd
the value 0 for the qubit, the system will be in the state e
0
, and information
about � and � is lost.)
Again, in the lassi al ase, we an represent n bits by an n-tuple of whi h
ea h entry is zero or one, that is, an element of V = Z
n
2
. Correspondingly,
an n-tuple of qubits lives in a omplex Hilbert spa e having an orthonormal
basis orresponding to V . We write a typi al ve tor in V as v, and denote by
e
v
the orresponding basis ve tor of the 2
n
-dimensional Hilbert spa e C
2
n
.
Note that the Hilbert spa e is isomorphi to the tensor produ t of n
opies of the 2-dimensional Hilbert spa e in whi h a single qubit lives. If
v = (v
1
; v
2
; : : : ; v
n
), where v
i
2 Z
2
= f0; 1g for i = 1; 2; : : : ; n, then
e
v
= e
v
1
e
v
2
� � � e
v
n
:
Why the tensor produ t? Peter Shor [25℄ says:
One of the fundamental prin iples of quantum me hani s is that
the joint quantum state spa e of two systems is the tensor produ t
of their individual state spa es.
The tensor produ t of two spa es is the `universal bilinear produ t' of the
spa es. If fe
1
; : : : ; e
m
g and ff
1
; : : : ; f
n
g are bases for the two spa es V andW ,
then a basis for the tensor produ t V W onsists of all symbols e
i
f
j
, for
i = 1; : : : ; m and j = 1; : : : ; n. (Note that dim(V W ) = dim(V ) � dim(W ).)
For v =
P
m
i=1
�
i
e
i
2 V and w =
P
n
j=1
�
j
f
j
2 W , we set
v w =
m
X
i=1
n
X
j=1
�
i
�
j
(e
i
f
j
):
36
Note that, in ontrast to the ase of a dire t sum, not every ve tor in the
tensor produ t an be written as a pure tensor v w.
A remark on notation. We do not use Dira 's bra and ket notation beloved
of physi ists. However, we do have to keep straight several di�erent ve tor
spa es arrying various forms: we already have an n-dimensional spa e V
over Z
2
, and a 2
n
-dimensional omplex Hilbert spa e. Shortly we will meet
a 2n-dimensional Z
2
-spa e E with a symple ti form! We will use v; a; b for
typi al ve tors of V ; its standard basis will be fu
1
; : : : ; u
n
g (where u
i
is a
ve tor with 1 in the ith position and 0 elsewhere), and the usual dot produ t
on V will be denoted by
a � b =
n
X
j=1
a
j
b
j
:
We do not give a spe ial name to the Hilbert spa e. Its ve tors have the
form
P
v2V
�
v
e
v
where �
v
2 C ; the inner produ t of
P
�
v
e
v
and
P
�
v
e
v
is
P
�
v
�
v
.
The theoreti al quantum omputers whi h we will dis uss will be built
from `quantum ir uits'. A quantum ir uit is built out of \logi al quantum
wires," ea h orresponding to one of the n qubits, and quantum gates, ea h
a ting on one or two wires [25℄. A quantum gate is a unitary transformation,
sin e all possible physi al transformations of a quantum system are unitary.
Shor assumes that ea h gate a ts on either one or two wires; that is, ea h
maps 1 qubit to 1 qubit or 2 qubits to 2 and a ts as the identity on the
remaining qubits. The reason that we are able to restri t ourselves to one- or
two-bit gates is the fa t that, as in lassi al �rst-order logi , a small number of
operations forms a `universal set' up from whi h all possible operations an be
built. In the ase of quantum omputing, in the words of Shor [25℄, \CNOT
together with all quantum one-bit gates forms a universal set." CNOT here
refers to the two-bit ontrolled not gate whi h takes the basis ve tor e
(x;y)
of
C
4
= C
2
C
2
to e
(x;x+y)
. It is learly a unitary transformation, and is given
the name ` ontrolled not' be ause the target bit y is negated or not a ording
as the ontroller bit x equals 1 or 0.
It is the two-qubit gates, and therefore CNOT in parti ular, whi h pro-
vides a quantum omputer with its inherent parallelism. These gates are
intrinsi ally global: there is no way to des ribe them by restri ting attention
to a single qubit. Be ause they a ept as input the tensor produ t of super-
positions (linear ombinations) of e
0
and e
1
, they are the gates that makes
the omputation quantum rather than lassi al.
37
As we mentioned, Shor [25℄ found a probabilisti algorithm whi h runs
in polynomial time on a quantum omputer. It depends on the following
observation. Suppose that we have omputed the order of x mod N , the
smallest number t su h that x
t
� 1 (mod N). Suppose that t is even, say
t = 2r. Then N divides x
t
� 1 = (x
r
� 1)(x
r
+ 1). If x
r
is not ongruent to
�1 mod N , then both x
r
� 1 and x
r
+ 1 have fa tors in ommon with N .
We an �nd the g. .d.s of the pairs (N; x
r
� 1) and (N; x
r
+ 1) by Eu lid's
algorithm; then we know two di�erent fa tors of N , and hen e the omplete
fa torisation in the RSA ase.
The basi idea of quantum omputation is to exploit the inherent paral-
lelism of quantum systems. Suppose, for example, that we want to ompute
2
n
values f(0); f(1); : : : ; f(2
n
� 1) of a fun tion simultaneously. We repre-
sent the integer i by the binary ve tor v 2 V = Z
n
2
whi h is its expression
in base 2. Now, if n qubit registers are available, we an load them with a
superposition of the states e
v
, for v 2 V , as follows: �rst load ea h register
with 0 (so that we have state e
0
); then apply the Hadamard transforma-
tion with matrix (1=
p
2)
�
1 1
1 �1
�
( orresponding to a 45
Æ
rotation of the
2-dimensional Hilbert spa e) to ea h qubit. The resulting state is
1
p
2
n
X
v2V
e
v
:
Now suppose that some quantum omputation repla es e
v
by a state rep-
resenting f(i), where v represents the integer i. Then, by the linearity of
the S hr�odinger equation, the same omputation repla es the above super-
position by a superposition of the values f(i) for i = 0; : : : ; 2
n
� 1. In the
fa torisation algorithm, we take f(i) = x
i
(mod N), where 2
n
� N and x is
some hosen integer oprime to N .
The last stage involves �nding the period of f from the above superpo-
sition, whi h is done by use of the dis rete Fourier transform. The Fourier
transform of f is on entrated on multiples of the period, so an observation
of the result will with high probability give a small multiple of the period.
Let us take as an example the urrent obje tive of quantum omputing,
the fa torisation of 15. We take x = 2. Suppose that we have 8 qubit registers
arranged in two banks of four, so that states of the system have the form
X
v;w2V
a
vw
(v w)
38
in the spa e C
2
4
C
2
4
. For onvenien e we write e
i
in pla e of e
v
, where
i is the integer in the range [0; 15℄ whose base 2 representation is v. We
begin with the state e
0
e
0
(that is, all registers ontain zero). Then by
applying a Hadamard transform to ea h of the �rst four qubits, we obtain
(up to normalisation)
�
P
i2[0;15℄
e
i
�
e
0
. The ru ial part of the omputation
repla es e
i
e
0
with e
i
e
2
i
mod 15
. Apart from normalisation, the state is
now
(e
0
+ e
4
+ e
8
+ e
12
) e
1
+ (e
1
+ e
5
+ e
9
+ e
13
) e
2
+ � � � :
We extra t the period 4 from the �rst four registers by a dis rete Fourier
transform. Now we know that 15 divides (2
4
� 1) = (2
2
� 1)(2
2
+ 1) = 3 � 5,
so the two fa tors of 15 are (15; 3) = 3 and (15; 5) = 5.
See Shor [24, 25℄ for further details.
10 Quantum odes
We see that quantum omputing is a te hnology with very great potential
uses. What stands in the way of its implementation is the large error rate,
aused by the fa t that a single bit or qubit is stored by a single ele tron,
instead of by billions of ele trons as in a onventional omputer. It is widely
believed that a quantum omputer large enough for real appli ations will
have to be `fault-tolerant', that is, error- orre tion must be built in so that
the errors introdu ed by the gates and wires an be orre ted faster than
they o ur. The theory of quantum error- orre tion will be outlined below;
it has not been implemented yet.
The evolution of a quantum system is des ribed by a unitary transforma-
tion of the state spa e. We onsider `errors' to a single qubit represented by
the following unitary matri es:
X =
�
0 1
1 0
�
(bit error)
Z =
�
1 0
0 �1
�
(phase error)
The e�e t of X is to inter hange the basis ve tors e
0
and e
1
(the zero and
one states of the qubit). The e�e t of Z is to hange the relative phase of
the oeÆ ients � and � of an arbitrary state (the argument of �=�) by 180
Æ
.
39
(The arguments of � and � have no absolute signi� an e, so we ould as well
use �Z, but the given hoi e is more onvenient.)
Along with X and Z, we also allow the identity I (no error) and the
produ t Y = XZ = �ZX. (It is more usual in quantum me hani s to set
Y = iXZ; then X; Y; Z are the standard Pauli spin matri es. Note that X,
Z and iXZ are Hermitian (or self-adjoint). However, Y = XZ is unitary,
and then everything an be written with real oeÆ ients. A reason to use
Y = iXZ is that then Y is onjugate to both X and Z, whi h means a
hange of basis transforms any one to any other, and we an regard all three
non-trivial errors are equally likely. However, we shall see that the dis rete
mathemati s is the same whether we make this hoi e or the simpler real
hoi e, so in what follows, we use Y = XZ.)
There is a simple expression for the e�e t ofX and Z on the basis fe
0
; e
1
g.
We use the onvention that (�1)
0
= 1 and (�1)
1
= �1, where the exponent
is taken from the �nite �eld Z
2
. Then we have, for v 2 Z
2
,
Xe
v
= e
v+1
; Ze
v
= (�1)
1�v
e
v
:
Now we an apply these errors ` oordinatewise' to n qubits. If u
j
denotes
the jth basis ve tor for V = Z
n
2
, then the errors to the jth qubit a t on the
2
n
-dimensional Hilbert spa e with basis fe
v
: v 2 V g as
X(u
j
) : e
v
7! e
v+u
j
;
Z(u
j
) : e
v
7! (�1)
v�u
j
e
v
:
Then we an de�ne X(a), Z(b) for any ve tors a; b 2 V by
X(a) : e
v
7! e
v+a
;
Z(b) : e
v
7! (�1)
v�b
e
v
:
Then fX(a) : a 2 V g and fZ(b) : b 2 V g are groups of unitary transforma-
tions of C
2
n
whi h are both isomorphi to the additive group of V . Together
they generate the group
E = hX(a); Z(b) : a; b 2 V i = f�X(a)Z(b) : a; b 2 V g;
a group of order 2 � 2
n
� 2
n
= 2
2n+1
.
We all E the group of allowable errors, or, for short, the error group. It
an also be written in the form
E = f�A
1
� � � A
n
: A
j
2 fI;X; Y; Zg for j = 1; : : : ; ng:
40
Why do we only onsider these parti ular errors? A quantum ode an
orre t any one-qubit error if and only if it an orre t the errorsX(u
j
), Y (u
j
)
and Z(u
j
) for all j. This follows from the fa t that the matri es I;X; Y; Z
span the 4-dimensional spa e of all 2� 2 matri es: see [4, 9℄.
In our set-up, the error group
E = f�X(a)Z(b) : a; b 2 V g
is an extraspe ial 2-group of order 2
2n+1
. Its entre is �(E) = f�Ig, and
E = E=�(E) is a ve tor spa e over F . This is the third, and most important,
ve tor spa e with whi h we have to deal. (See Se tion 8.)
We use the notation (ajb) for the element of E whi h is the oset of �(E)
ontaining X(a)Z(b). (This oset is fX(a)Z(b);�X(a)Z(b)g.) We use � for
the bilinear form on E derived from ommutation on E. In other words,
[X(a)Z(b); X(a
0
)Z(b
0
)℄ = (�1)
(ajb)�(a
0
jb
0
)
I:
A short al ulation shows that
(ajb) � (a
0
jb
0
) = a � b
0
� a
0
� b;
where � is the dot produ t on V . (Of ourse, we an repla e the � sign by a
+ sign sin e the hara teristi is 2.) Thus, two elements e; f 2 E ommute
if and only if e � f = 0.
The quadrati form will be denoted by Q: that is,
(X(a)Z(b))
2
= (�1)
Q(ajb)
I:
Note that in fa t Q(ajb) = a
1
b
1
+ � � �+ a
n
b
n
. (If we had made the hoi e
Y = iXZ instead of Y = XZ, we would need to enlarge our group E to
in lude iI. As a onsequen e, E would have a larger enter, �(E) = f(i
`
)I :
` = 0; 1; 2; 3g. Nonetheless, the fa tor group E=�(E) would be \the same"
elementary abelian 2-group of order 2
2n
, and ommutation on E would give
the same bilinear form on this version of E. However, we would lose the
quadrati form on E in this ase sin e e
2
would not be well-de�ned on E.)
More on notation. The basis f(u
j
j0); (0ju
j
) : j = 1; : : : ; ng is a symple ti
basis for E. We will reserve the symbol? for orthogonality in this spa e (with
respe t to the form �). We also make another use of ?, derived from this
one. If S is a subgroup of E, then we let S
?
be the entraliser of S in E. (If
S
0
= C
E
(S), then S
0
= S
?
, so the notation is onsistent.)
41
To avoid onfusion with orthogonality in E, we use a non-standard symbol
for orthogonality of ve tors in V . For U � V we'll write U
z
= fv 2 V : v �u =
0 for all u 2 Ug.
We will use h: : :i
V
, h: : :i
E
, h: : :i
C
for the subspa e of V , E or C
2
n
respe -
tively, spanned by a set : : :; and h: : :i (without adornment) will denote the
subgroup generated by : : :.
We are interested in abelian subgroups of E. Note that any set of mu-
tually ommuting transformations on the Hilbert spa e C
2
n
whi h ontains
the adjoints of all its elements is simultaneously diagonalisable, and has an
orthonormal basis onsisting of eigenve tors. Said otherwise, the ommon
eigenspa es of the transformations in the set are mutually orthogonal. Any
abelian subgroup of E satis�es this.
Choose an abelian subgroup S of E. (Equivalently, hoose a subspa e S
of E for whi h S � S
?
.) Let dim(S) = n� k. As in the previous se tion, let
Q be an eigenspa e of S. Then the following hold.
(a) For s
0
2 S
?
, q 2 Q, we have s
0
(q) 2 Q.
(b)Any e 2 E permutes the eigenspa es Q
u
; it �xes Q if and only if it lies
in S
?
; so E=S
?
permutes the eigenspa es regularly.
( ) The eigenspa es of S are in one-to-one orresponden e with the har-
a ters of S: an eigenspa e Q
0
determines a hara ter � of S satisfying
s(q) = �(s)q for s 2 S and q 2 Q
0
with �(�I) = �1 if �I 2 S; � thus
de�nes a hara ter of S.
Now ( ) implies that S has 2
n�k
eigenspa es, one for ea h hara ter of S;
sin e E=S
?
permutes these regularly ea h must have the same dimension,
and sin e they form an orthogonal de omposition of C
2
n
, this dimension must
be 2
k
.
Choose Q to be the eigenspa e orresponding to the trivial hara ter.
Then we have, as in the example above:
(d) For s 2 S, q 2 Q, we have s(q) = q.
Now Q has dimension 2
k
, and is isomorphi to the spa e of k qubits, but
the embedding of Q in the larger spa e `smears out' the k qubits over the
spa e of n qubits. (This is exa tly analogous to the situation in lassi al
error- orre ting odes: there, V = Z
n
2
is the spa e of n bits, and if G is a
42
generator matrix for C then C = fxG : x 2 Z
k
2
g is a k-dimensional linear
ode, whi h `smears out' the k information bits of x over the spa e V .) So
Q will be our quantum error- orre ting ode.
In the lassi al ase, a message onsists of n bits, that is, it is a ve tor in
V . Errors are also ve tors in V : we have `re eived word equals transmitted
word plus error'. The zero error has no e�e t. If we use a ode C, then errors
in C are undete table. There will be a set E of so- alled orre table errors.
They have the property that, if e; f 2 E with e 6= f , then e � f =2 C n f0g,
that is, e � f is not an undete table error. This means that we an dete t
the addition of an error to a odeword, and we do not onfuse the e�e ts
of di�erent errors (as long as they lie in E). The ommonest situation is
that when C has minimum weight at least d, when E onsists of all words of
weight at most b(d� 1)=2 .
Table 1 ompares the situation in the lassi al and quantum ases.
Classi al Quantum
Message n bits, in Z
n
2
= V n qubits, in C
2
n
Error group V E
e(z) = z + v e(z) as before
Code C � V , dim(C) = k Q � C
2
n
, dim(Q) = 2
k
Undete table C � V S
?
� E
errors
Errors with f0g � C S � S
?
no e�e t
Corre table E � V E � E
errors e; f 2 E ) e; f 2 E )
e� f =2 C n f0g f
�1
e =2 S
?
n S
Table 1: Classi al and quantum error orre tion
We now give the basi result of Calderbank, Rains, Shor and Sloane,
whi h is the quantum analogue of the observation on page 2.
Theorem 10.1 With the notation as above, assume that the minimal q-
weight of S
?
n S is d � 2e + 1. Then Q orre ts errors in e qubits.
Here, the quantum weight, or q-weight, of (ajb) 2 E (or, equivalently, of
�X(a)Z(b) 2 E) is the number of oordinates j in whi h either a
j
6= 0 or
43
b
j
6= 0 (in other words, the number of qubits whi h have su�ered a bit error,
a phase error, or both). The theorem asserts that, if E is the set of elements
with q-weight at most b(d� 1)=2 , then we have e; f 2 E ) f
�1
e =2 S
?
n S.
We will use [[n; k; d℄℄ to denote su h a ode; the double bra kets to distinguish
it from a lassi al [n; k; d℄ binary ode.
Suppose Q is an additive ode, that is, Q is the +1 eigenspa e for S � E,
and E is the set of orre table errors for Q. Here is how de oding works.
Suppose the odeword q 2 Q is sent, but the re eived message is z = e(q) for
some e 2 E . If s
1
; : : : ; s
n�k
are a set of generators for S, then by al ulating
s
j
(z) = �(s
j
)z for 1 � j � n � k (the syndrome of e) , we an identify
the hara ter � and therefore the eigenspa e Q
0
ontaining z. We know Q
0
=
f(Q) for some f 2 E , and we de ode z to f
�1
(z) = f
�1
e(q). (Noti e that this
de oding step does not require knowing e or q.) In order for this pro edure
to lead us to the orre t odeword q it's ne essary that e(Q) = f(Q) for
e; f 2 E should imply f
�1
e(q) = q. But that is exa tly our ondition on E :
f
�1
e annot be in S
?
n S.
Now, the extra ondition that distin t e and f in E should produ e inde-
pendent ve tors e(q) and f(q) means that f(Q) = e(Q) implies f = e. We
will say that the ode is non-degenerate (or pure) if it satis�es the stronger
ondition that e; f 2 E implies f
�1
e =2 S
?
n f0g. So, in the spe ial ase of a
non-degenerate ode, identifying the oset ontaining z a tually identi�es e
(rather than just enabling e to be orre ted).
Following the theorem in the previous se tion, to obtain an additive ode
mapping k qubits to n and orre ting errors in b(d�1)=2 qubits, we need to
�nd a totally isotropi (n�k)-dimensional subspa e S of the 2n-dimensional
binary spa e E with S
?
n S having minimum q-weight d. In this se tion we
onstru t a spe i� example of an [[8; 3; 4℄℄ ode adapted from [7℄ and [14℄.
To begin, we need a 5-dimensional subspa e S � S
?
of the 16-dimensional
binary spa e E, and we would like the minimal non-zero q-weight of ve tors
in S
?
to be 4.
Ve tors in E have the form (ajb) for a; b 2 V , where V is a binary spa e
of dimension 8. We base our onstru tion of S on the [8; 4; 4℄ extended
Hamming ode
d
mH
3
= H(3; 2), the self-dual ode obtained by extending the
[7; 4; 3℄ Hamming ode H(3; 2) by adding a parity- he k bit to ea h ve tor.
(We now use the hat notation for the usual dual ode, to avoid onfusion
with our overloaded overbar.)
44
We onstru tH
3
by spe ifying a 3�7 parity- he k matrixH. The olumns
of H will onsist of all possible non-zero ve tors in Z
3
2
' GF(8). We do this
by hoosing a generator � = �
3
+1 of the multipli ative group of GF(8), and
letting the olumns of H be �
6
; : : : ; �; 1, (where x�
2
+ y� + z is written as
the olumn [x; y; z℄
>
) giving
H =
2
4
1 1 1 0 1 0 0
0 1 1 1 0 1 0
1 1 0 1 0 0 1
3
5
This onstru tion of H makes it easy to see that H
3
is a y li ode: if
v = (v
1
; : : : ; v
7
) is in H
3
, so is its y li shift v
0
= (v
n
; v
1
; : : : ; v
n�1
). From H
we easily obtain a generator matrix G for H
3
|re all a ode is the row spa e
of its generator matrix.
G
0
=
2
6
6
4
1 0 0 0 1 0 1
0 1 0 0 1 1 1
0 0 1 0 1 1 0
0 0 0 1 0 1 1
3
7
7
5
Sin e the ve tor 1 = (1; 1; 1; 1; 1; 1; 1) is in H
3
, we get another generator
matrix G
1
by adding 1 to ea h row of G
0
.
G
1
=
2
6
6
4
0 1 1 1 0 1 0
1 0 1 1 0 0 0
1 1 0 1 0 0 1
1 1 1 0 1 0 0
3
7
7
5
We obtain the [8; 4; 4℄ extended Hamming ode
b
H
3
by adding a parity he k
bit to the front of ea h ve tor in H
3
so that the resulting ve tor has even
H-weight. The minimum H-weight of nonzero ve tors in H
3
is 3, and the
minimum H-weight is 4 for
b
H
3
. Moreover,
b
H
3
=
b
H
z
3
.
Finally, we're ready to des ribe a 5� 16 generator matrix for S. Let a be
the last row of G
1
and b be its �rst. Let a
1
be the extension of a and b
1
be
the extension of b, two ve tors in
b
H
3
. Next a
2
is the extension of the y li
shift a
0
, and b
2
is the extension of b
0
. Similarly a
3
and b
3
are extensions of a
00
and b
00
. We take a
4
= b
5
to be the 8-tuple 1 and a
5
= b
4
to be the 8-tuple 0.
45
The 5� 16 matrix G
(0)
has for its rows the ve tors (a
1
jb
1
); : : : ; (a
5
jb
5
).
G
(0)
=
2
6
6
6
6
4
0 1 1 1 0 1 0 0 j 0 0 1 1 1 0 1 0
0 0 1 1 1 0 1 0 j 0 0 0 1 1 1 0 1
0 0 0 1 1 1 0 1 j 0 1 0 0 1 1 1 0
1 1 1 1 1 1 1 1 j 0 0 0 0 0 0 0 0
0 0 0 0 0 0 0 0 j 1 1 1 1 1 1 1 1
3
7
7
7
7
5
The rows of G
(0)
are linearly independent, so its row spa e S is of dimension
5. Be ause
b
H
3
=
b
H
z
3
, we see that (a
i
jb
i
)� (a
j
jb
j
) = a
i
�b
j
+a
j
�b
i
= 0 for i; j =
1; : : : ; 5, so S � S
?
. The dimension of S
?
is 16� 5 = 11, and so S
?
= S�T
for T of dimension 6. We an hoose a basis f(a
j
j0); (0jb
j
) : j = 1; 2; 3g for
T , and from this we an see that the minimum q-weight of S
?
is 4.
Our ode Q is the +1 eigenspa e of the subgroup S < E a ting on the
2
8
-dimensional omplex ve tor spa e C
2
: : : C
2
. The subspa e Q is of
omplex dimension 2
3
; Q thus maps 3 qubits to 8 qubits and orre ts errors
in E that a�e t 1 qubit.
We now return brie y to the general theory, to des ribe a theorem of
Calderbank et al. [6℄ whi h shows how to onstru t additive quantum odes
from ertain self-orthogonal odes over GF(4). Re all that we have asso iated
a [[n; k; d℄℄ additive quantum odes to a n�k-dimensional subspa e S of E (a
2n-dimensional ve tor spa e over Z
2
= GF(2)) whi h is totally isotropi with
respe t to a symple ti inner produ t and for whi h the q-weight of S
?
n S
is d.
In order to make the asso iation with odes over GF(4), we onstru t
yet another ve tor spa e, an n-dimensional ve tor spa e F
n
over the �eld
F = GF(4) We will write F as f0; 1; !; !g where ! = !
2
= 1 + !. Note
that the ube of every non-zero element is equal to 1, sin e the multipli ative
group has order 3. Sin e ! and ! form a basis for F as ve tor spa e over
GF(2), we an write any ve tor of F
n
as !a+ !b, where a and b are ve tors
of length n over GF(2). In other words, a; b 2 V . Now the map � : E ! F
n
de�ned by
�((ajb)) = !a+ !b
is a bije tion, and is an isomorphism of GF(2)-ve tor spa es (if we regard
F
n
as a GF(2)-spa e by restri ting s alars). Sin e !a
j
+ !b
j
6= 0 if and only
if either a
j
6= 0 or b
j
6= 0, we have a very important property of �: the
q-weight of a ve tor (ajb) 2 E is equal to the Hamming weight of its image
�((ajb)) = !a+ !b 2 F
n
.
46
Let Æ be the Hermitian inner produ t on F
n
,
v Æ w =
n
X
j=1
v
j
w
j
:
There is a tra e map Tr from F to GF(2) de�ned by
Tr(�) = � + �;
so that Tr(0) = Tr(1) = 0 and Tr(!) = Tr(!) = 1. The tra e map is linear
over GF(2). Now the map (x; y) 7! Tr(x Æ y) takes pairs of ve tors in F
n
to
GF(2). We have:
Tr((!a+ !b) Æ (!a
0
+ !b
0
)) = a � b
0
+ a
0
� b = (ajb) � (a
0
jb
0
):
The proof of this fa t is just al ulation. Using the fa t that the Hermitian
inner produ t is linear in the �rst variable and semilinear in the se ond, and
the fa t that a Æ b = a � b for a; b 2 GF(2)
n
, we have
(!a+ !b) Æ (!a
0
+ !b
0
) = a � a
0
+ !a � b
0
+ !b � a
0
+ b � b
0
:
Taking the tra e now gives the result (using the linearity of tra e and the
fa t that Tr(1) = 0 and Tr(!) = Tr(!) = 1).
Next we show that a subspa e of F
n
is totally isotropi (with respe t to
Æ) if and only if the orresponding subspa e of E is totally isotropi (with
respe t to �). The forward impli ation is lear. So suppose that W � F
n
is the image under � of a totally isotropi subspa e of E. This means that
Tr(x Æ y) = 0 for all x; y 2 W . Take x; y 2 W , and let x Æ y = �. Then
Tr(�) = 0, and
Tr(!�) = Tr((!x) Æ y) = 0
(sin e !x 2 W ); it follows that � = 0.
To summarise: the spa e F
n
, on restri tion of s alars, be omes isomorphi
to E, by a map � taking q-weight to Hamming weight; and subspa e of F
n
is the image of a totally isotropi subspa e of E (with respe t to �) if and
only if it is totally isotropi (with respe t to Æ). Of ourse, not every totally
isotropi subspa e of E orresponds to a subspa e ofW . (The image under �
of a subspa e of E is a GF(2)-subspa e but not ne essarily a GF(4)-subspa e.)
These observations, together with Theorem 10.1, imply the following re-
sult of Calderbank et al. [6℄:
47
Theorem 10.2 If W is a totally isotropi (with respe t to the hermitian
inner produ t) `-dimensional subspa e of F
n
su h that W
?
n W has mini-
mum Hamming weight d, then the above asso iates an additive [[n; n� 2`; d℄℄
quantum ode to W .
So, in order to onstru t good quantum error- orre ting odes, we need
subspa es C of W su h that C
?
nC has large minimum weight (where C
?
is
de�ned by the Hermitian inner produ t Æ. Examples an be obtained from
dual Hamming and BCH odes. We do not give details here.
11 Z
4
- odes
We already noted the existen e ofKerdo k odes, whi h are non-linear (2
2n
; 2
4n
)
odes with weight enumerator
x
2
2n
+ (2
4n
� 2
2n+1
)x
2
2n�1
+2
n�1
y
2
2n�1
�2
n�1
+ (2
2n+1
� 2)x
2
2n�1
y
2
2n�1
+(2
4n
� 2
2n+1
)x
2
2n�1
+2
n�1
y
2
2n�1
�2
n�1
+ y
2
2n
:
Moreover, these odes are distan e-invariant ; that is, the weight distribution
of u+ C is the same as that of C for all u 2 C.
At about the same time, another family of non-linear binary odes, the
Preparata odes, were dis overed. They are also distan e-invariant, and their
weight enumerators are obtained from those of the Kerdo k odes by applying
the Ma Williams transformation. Thus, the Kerdo k and Preparata odes
behave formally like duals of ea h other. This strange formal duality was not
understood for a long time, until the paper of Hammons et al. [15℄ showed
that they arise from dual odes over Z
4
by applying the so- alled Gray map.
The Gray map takes elements of Z
4
to pairs of elements of Z
2
, as follows:
0 7! 00; 1 7! 01; 2 7! 11; 3 7! 10:
Note that it is an isometry between the set Z
4
with the Lee metri
d(x; y) = minfjx� yj; 4� jx� yjg
(so that d(x; y) is the number of pla es round the y le separating x from
y) and Z
2
2
with the Hamming metri . (More generally, a Gray ode is a
Hamiltonian y le in the n-dimensional ube; it is used for analog-to-digital
48
onversion, sin e adja ent points in the y le are represented by words dif-
fering in only one oordinate. We are interested in the ase n = 2.)
The Gray map an be extended to a map from Z
n
4
to Z
2n
2
, for any n.
It is non-linear, so that it will in general take a linear ode in Z
n
4
(a subset
losed under addition) to a non-linear ode in Z
2n
2
. Hammons et al. showed
that the Kerdo k and Preparata odes do indeed arise from linear odes over
Z
4
in this way; these linear odes are the Z
4
analogues of the dual Hamming
and Hamming odes.
In the remainder of this se tion we outline the onstru tion of the binary
and quaternary odes and their onne tion with symple ti and orthogonal
geometry.
11.1 Orthogonal and symple ti geometry
Re all the de�nition of the error group E of isometries of a real ve tor spa e
R
N
, N = 2
m+1
, m odd. Let V = GF (2)
m+1
, and let fe
v
: v 2 V g be
an orthonormal basis of R
N
. The isometry X(a) takes e
v
to e
v+a
and Z(b)
takes e
v
to (�1)
b�v
e
v
for a; b 2 V ; X(a) des ribes \bit errors" in ea h qubit
for whi h the orresponding oordinate of a is nonzero, and Z(b) des ribes
\phase errors." The error group for a system of m + 1 qubits is
E = f(�1)
`
X(a)Z(b) : a; b 2 V; ` 2 Z
2
g:
Then E is an extraspe ial 2-group of order 2 � 2
2(m+1)
.
From the group stru ture of E it follows that the quotient E = E=�(E) '
GF(2)
2(m+1)
has an orthogonal geometry. The quadrati formQ on E is given
by
e
2
= (�1)
Q(e)
I;
and the orresponding symple ti form is given by
[e; f ℄ = (�1)
e�f
I;
where e and f are in E and e and f are their images in E. The abelian
subgroups
X(V ) = fX(a) : a 2 V g and Z(V ) = fZ(b) : b 2 Bg
give totally singular (m+1)-dimensional subspa es X(V ) and Z(V ) of E (that
is, subspa es on whi h Q vanishes identi ally). These totally singular spa es
49
are also totally isotropi : the symple ti form vanishes identi ally on them.
In fa t, every maximal totally singular subspa e of E has dimension m + 1
and arises as the image of an elementary abelian subgroup of E. Similarly,
every maximal totally isotropi subspa e of E also has dimension m+1 and
arises as the image of an abelian subgroup of E. Thus, the quadrati form
has type +1 (or Witt index m+1), and the extraspe ial group E is a entral
produ t of m+ 1 opies of the dihedral group D
8
(see Se tion 8.)
We don't need the physi s, but by way of motivation, re all from Se -
tion 10 that we might alternatively have onsidered an error group onsisting
of (Hermitian) symmetries of the omplex spa e ontaining the qubits. In
our urrent setting we need to onstru t this omplex geometry, but now we
do it entirely within the group E of symmetries of the real ve tor spa e.
First, we need a bit more notation. As before, let fu
1
; : : : ; u
m+1
g be the
standard basis for V , and let V
0
= hu
1
; : : : ; u
m
i ' GF(2)
m
. Let
! = X(u
m+1
)Z(u
m+1
) 2 E;
so !
2
= �I. This element of order 4 will play the role of i in our onstru tion
of a omplex ve tors spa e and a group of unitary transformations of it.
Let F be the entraliser in E of !,
F = C
E
(!) = f(�1)
`
X(a)Z(b) : a � u
m+1
= b � u
m+1
; ` 2 Z
2
g:
Exer ise 11.1 Show that if X(a)Z(b) is in F , then there are a
0
; b
0
2 V
0
so
that either X(a)Z(b) = X(a
0
)Z(b
0
) or X(a)Z(b) = !X(a
0
)Z(b
0
).
By the previous exer ise, an alternative des ription of F is
F = f!
`
X(a
0
)Z(b
0
) : a
0
; b
0
2 V
0
; ` 2 Z
4
g;
whi h orresponds to the omplex error group of the pre eding hapter. It
is easily seen that F has order 4 � 2
2m
and that F = F=�(F ) ' GF(2)
2m
.
Be ause ! is of order 4, we may think of R+R! as C . As a onsequen e,
we may regard the 2-dimensional real spa e he
v
; e
v
!i as a 1-dimensional om-
plex spa e. Under this identi� ation, we an onsider fe
v
0
: v
0
2 V
0
g as an
orthonormal basis of the omplex unitary spa e C
N
0
, for N
0
= 2
m
= (1=2)N ,
and regard F as a subgroup of the unitary group U(C
N
0
).
Sin e the square of an element !
`
X(a
0
)Z(b
0
) of F depends on ` as well as
on a
0
and b
0
, we annot de�ne a quadrati form on F . However, ommutators
50
depend only on osets modulo �(F ), so F does have a symple ti geometry
given by the bilinear form e � f where e and f are preimages in E and
[e; f ℄ = (�1)
e�f
I:
Caution: Our overbar notation is now ambiguous, sin e E and F are binary
spa es of dimensions 2(m+1) and 2m respe tively; however, ontext should
make lear whi h we intend.
Finally, following [5℄, we will need to onstru t two �nite groups L �
O(R
N
) and L
\
� U(C
N
0
) normalizing E and F respe tively for whi h L=E '
O(2m+ 2; 2) on E and L
\
=F ' Sp(2m; 2) on F .
Exer ise 11.2 Let x
j
= X(u
j
) and z
j
= Z(u
j
), j = 1; : : : ; m+ 1.
(a) Show that the images of these elements of E in E form a symple ti
basis of singular ve tors, with fx
j
: j = 1; : : : ; m + 1g a basis for the
maximal totally singular subspa e X(V ) and fz
j
: j = 1; : : : ; m+ 1g a
basis for the maximal totally singular subspa e Z(V ).
(b) Show that fx
j
; z
j
: j = 1; : : : ; mg are in F , and their images in F are
a symple ti basis with fx
j
: j = 1; : : : ; mg a basis for the maximal
totally isotropi subspa e X(V
0
) and fz
j
: j = 1; : : : ; mg a basis for the
maximal totally isotropi subspa e Z(V
0
).
In our onstru tions of L and L
\
, we will be guided by the following
theorem.
Theorem 11.1 Let V be a ve tor spa e of dimension 2n with an alternating
bilinear form and a quadrati form of Witt index n polarising to it. If V
is a sum of maximal totally isotropi subspa es U and V , then Sp(V ) =
hSp(V )
U
; Sp(V )
W
i. Further, if U and W are totally singular, then O(V ) =
hO(V )
U
; O(V )
W
; T i, where T is the orthogonal transformation inter hanging
u
1
and v
1
and �xing the other ve tors of a symple ti basis of singular ve tors
fu
1
; : : : ; u
n
; w
1
; : : : ; w
n
g formed of bases of U and W .
The referen e for this theorem in [5℄ is to 43.7 in [1℄. Other useful ref-
eren es in lude the introdu tory material on the lassi al groups in [12℄, the
\di tionary" translating between matrix and Lie theoreti des riptions of
lassi al groups in [10℄, and the explanatory material in [20℄.
51
First we onstru t L. For an invertible binary (m+ 1)� (m+ 1) matrix
A, we want an element of O(R
N
) normalizing E and produ ing X(A;A
�>
)
on E. Choose
~
A taking the basis ve tor e
v
of R
N
to e
vA
.
Exer ise 11.3 Verify that
~
A
�1
X(a)Z(b)
~
A = �X(aA)Z(bA
�>
).
The des ription of the element of O(R
N
) produ ing Y (C) is more om-
pli ated. Choose an (m + 1) � (m + 1) binary alternate matrix C. De�ne
an alternate bilinear form B
C
on V by B
C
(u; v) = uCv
>
. Let Q
C
be any
quadrati form polarising to B
C
. De�ne an element D(C) 2 O(R
N
) by
D(C)(e
v
) = (�1)
Q
C
(v)
e
v
for v 2 V:
Exer ise 11.4 Verify that D(C)
�1
X(a)Z(b)D(C) = �X(a+ aC)Z(b), and
that the map on E produ ed by D(C) is independent of the hoi e of the
quadrati form Q
C
.
Now O(V )
W
is generated by the X(A;A
�>
) and the Y (C) for A invertible
and C alternating.
As in Se tion 10.7, let H
m+1
be the tensor produ t H : : :H, so
H
m+1
(e
b
) =
1
p
2
m+1
X
v2V
(�1)
b�v
e
v
:
Then H
m+1
X(V )H
m+1
= Z(V ). And
~
H
2
= I : : : I H
2
normalizes E
and has the e�e t on E of inter hanging x
m+1
and z
m+1
and �xing the other
basis ve tors. Now let
L = h
~
A; D(C); H
m+1
;
~
H
2
: A invertible, and C alternate (m+1)� (m+1)i
Then we have L=E ' O(E) as desired.
Exer ise 11.5 Verify that L=E ' O(E).
The des ription of L
\
is almost the same as that of L, ex ept that the
basis ve tors on whi h the transformations of L
\
a t are the e
v
0
for v
0
2 V
0
.
The di�eren e is in the element of U(C
N
0
) produ ing what we'll all Y
0
(C
0
)
on F for C
0
a binary m � m symmetri matrix. Rather than using C
0
to
de�ne a quadrati form on V
0
, we instead de�ne a map T
C
0
: Z
m
4
! Z
4
as
52
follows. Given
b
v
0
2 Z
m
4
, hoose v
0
= (v
1
; : : : ; v
m
) 2 Z
m
2
with v
0
�
b
v
0
(mod 2),
and let
T
C
0
(
b
v
0
) =
X
j
C
0
jj
v
2
j
+ 2
X
j<k
C
0
jk
v
j
v
k
;
where the C
0
ij
are the entries of C
0
, and the arithmeti is done mod 4. Now
we de�ne D
0
(C
0
) in U(C
N
0
) by
D
0
(C
0
)(e
v
0
) = i
T
C
0
(v
0
)
e
v
0
for v
0
2 V
0
:
Exer ise 11.6 Verify that
D
0
(C
0
)
�1
X(a
0
)Z(b
0
)D
0
(C
0
) = �X(a
0
+ a
0
C
0
)Z(b
0
):
Finally, let
L
\
= h
~
A; D
0
(C
0
); H
n
: A invertible and C
0
symmetri m�mi:
Exer ise 11.7 Verify that L
\
=F ' Sp(F ).
11.2 Orthogonal spreads and binary Kerdo k odes
In this se tion we on entrate on the orthogonal geometry of the 2(m + 1)-
dimensional GF(2) spa e E and use it to give a de�nition of a binary Kerdo k
ode of length N = 2
m+1
. Re all that we assume m is odd.
By Theorem 2.3, the spa e E ontains
2
m
(2
m+1
+ 1)� 1 = (2
m+1
� 1)(2
m
+ 1)
totally singular 1-spa es. Clearly, ea h maximal totally singular subspa e of
E ontains 2
m+1
� 1 singular 1-spa es.
If a set � of 2
m
+ 1 maximal totally singular subspa es of E partitions
the set of all singular 1-spa es, we all � an orthogonal spread for E.
Let A be an abelian subgroup of E so that A is a maximal totally singular
subspa e of E. Let F(A) be the set of eigenspa es for A in R
N
. Re all from
the pre eding hapter that F(A) is an orthogonal frame for R
N
|a family of
N mutually orthogonal 1-spa es. For an orthogonal spread � of E, let
F(�) = [
A2�
F(A);
a set of (2
m
+ 1) � 2
m+1
1-spa es of R
N
.
53
We de�ned a binary Kerdo k ode K(B) of length N = 2
m+1
in terms
of a non-degenerate set B of alternate bilinear forms on a ve tor spa e V of
even dimension m + 1. We will give an alternative des ription of the ode
as a set K(�) of ve tors in Z
N
2
asso iated with an orthogonal spread � of E
and with the hoi e of a distinguished element W of �.
First note that by repla ing � by a suitable image under L (whi h is
transitive on ordered pairs of su h spa es sin e it indu es O(V ) on E), we
may assume that the two maximal totally singular spa es U = X(V ) and
W = Z(V ) are in �. By Proposition 9.5(a), ea h spa e A 2 � n fWg has
the form A = UY (C) for a unique alternate (m+ 1)� (m+ 1) matrix C; in
other words, A = D(C)
�1
X(V )D(C). >From Example 10.3, we know that
F(X(V )) =
(
h
X
v2V
(�1)
b�v
e
v
i : b 2 V
)
;
from whi h it follows that
F(A) =
(
h
X
v2V
(�1)
b�v
D(C)(e
v
)i : b 2 V
)
:
Sin e D(C) takes e
v
to (�1)
Q
C
(v)
e
v
, where Q
C
is a quadrati form on V
polarising to the alternate form B
C
(v; w) = vCw
>
, we may write
F(A) =
(
h
X
v2V
(�1)
v
e
v
i :
v
= Q
C
(v) + b � v; b 2 V
)
:
Somewhat abuse notation and regard fe
v
: v 2 V g as a basis for Z
N
2
as
well as for R
N
.
Let � be an orthogonal spread of E. We say the following set K(�) of
ve tors in Z
N
2
is a binary Kerdo k ode of length N = 2
m+1
:
K(�) =
(
X
v2V
v
e
v
:
X
v2V
(�1)
v
e
v
2 F(�)
)
:
(This notation suppresses the dependen e on the distinguished elementW =
Z(V ) in �.)
Allowing for multipli ation by (�1), we see that for ea h ve tor
P
v2V
v
e
v
in K(�), we have
v
= Q
C
(v) + b � v + � for �xed b 2 V and � 2 Z
2
. Thus
jK(�)j = (j�j � 1) � jV j � jZ
2
j = 2
m
� 2
m+1
� 2 = 2
2m+2
:
54
Now we onne t the two des riptions of the binary Kerdo k ode. Distin t
elements A
1
and A
2
of �nZ(V ) orrespond to alternating matri es C
1
and C
2
whose di�eren e is invertible. In other words, the set of matri es C o urring
in the de�nition of K(�) orresponds to a non-degenerate set of alternating
bilinear forms on V of ardinality 2
m
. In fa t, a Kerdo k set of matri es
is a set of 2
m
binary alternating (m + 1) � (m + 1) matri es su h that the
di�eren e of any two is invertible.
The set of quadrati forms polarising to the alternating form B
C
on V
is given by fQ
C
+ ' : ' 2 V
�
g, for a �xed hoi e of Q
C
, where V
�
is the
dual spa e of V . But we may take V
�
= f'
b
: b 2 V g, where '
b
(v) = b � v.
Finally, we identify the ve tor
P
v2V
v
e
v
with the fun tion on V taking v to
v
to omplete the equivalen e of the two de�nitions.
11.3 Symple ti spreads and quaternary Kerdo k odes
Now we turn to the symple ti geometry of F ' Z
2m
2
and use it to de�ne a
Z
4
Kerdo k ode whi h, we will show in the next se tion, maps via the Gray
map onto the binary Kerdo k ode of the previous se tion.
The spa e F has 2
2m
� 1 = (2
m
+ 1)(2
m
� 1) 1-spa es, ea h of whi h is
totally isotropi (sin e v � v = 0 for every v 2 F ). Ea h maximal totally
isotropi subspa e of F has 2
m
� 1 isotropi 1-spa es.
A set �
0
of 2
m
+1 maximal totally isotropi subspa es of F is a symple ti
spread if it partitions the set of all totally isotropi 1-spa es of F .
Choose an abelian subgroup A
0
< F so that A
0
is maximal totally isotropi ,
and let F
C
(A
0
) be the set of eigenspa es of A
0
; this set of N
0
= 2
m
omplex
1-spa es forms a unitary frame for C
N
0
| that is, it is a set of perpendi ular
1-spa es with respe t to the Hermitian form on C
N
0
.
For a symple ti spread �
0
, let
F(�
0
) =
[
A
0
2�
0
F(A
0
);
a set of 2
m
(2
m
+ 1) 1-spa es of C
N
0
.
As in the previous se tion, without loss of generality, we may assume our
symple ti spread �
0
ontains U
0
= X(V
0
) and W
0
= Z(V
0
). By Proposition
9.6, ea h A
0
in �
0
n fW
0
g has the form U
0
Y
0
(C
0
) for a unique symmetri
55
matrix C
0
, and A
0
= D
0
(C
0
)
�1
X(V
0
)D
0
(C
0
) gives
F(A
0
) =
(
h
X
v
0
2V
0
(�1)
b
0
�v
0
D
0
(C
0
)(e
v
0
)i : b
0
2 V
0
)
:
Now D
0
(C
0
) takes e
v
0
to i
T
C
0
(v
0
)
e
v
0
, where
T
C
0
(v
0
) =
X
j
C
0
jj
v
2
j
+ 2
X
j<k
C
0
jk
v
j
v
k
2 Z
4
:
Using (�1)
b
0
�v
0
= (i
2
)
b
0
�v
0
, we may write
F(A
0
) =
(
h
X
v
0
2V
0
i
d
v
0
e
v
0
i : d
v
0
= T
C
0
(v
0
) + 2b
0
� v
0
; b
0
2 V
)
:
Somewhat abuse notation and regard fe
v
0
: v
0
2 V
0
g as a basis for Z
N
0
4
as
well as for C
N
0
.
Let �
0
be an symple ti spread of F . Let
K
4
(�
0
) =
(
X
v
0
2V
0
d
v
0
e
v
0
:
X
v
0
2V
0
i
d
v
0
e
v
0
2 F(�
0
)
)
:
We all this set of ve tors in Z
N
0
4
a Z
4
-Kerdo k ode; it has length 2
N
0
=
(1=2)2
N
, N
0
= 2
m
, m odd. (This notation suppresses the dependen e on the
distinguished element W
0
= Z(V
0
) in �
0
.) We don't all this a quaternary
ode be ause K
4
(�
0
) is not always Z
4
-linear.
Allowing for multipli ation by i, we see that for ea h ve tor
P
v
0
2V
0
d
v
0
e
v
0
in K
4
(�
0
), we have d
v
0
= T
C
0
(v
0
) + 2b
0
� v
0
+ �
0
for �xed b
0
2 V
0
and �
0
2 Z
4
.
Thus
jK
4
(�
0
)j = (j�
0
j � 1) � jV
0
j � jZ
4
j = 2
m
� 2
m
� 4 = 2
2m+2
:
We would like to relate the Z
4
ode K
4
(�
0
) to the Z
2
ode K(�) of
the previous se tion. To do this, we will work in E to de�ne a map from
symple ti spreads �
0
of F to orthogonal spreads � of E.
Re all that ! is in E, and write ! for the orresponding ve tor in E and
h!i
?
for the subspa e of ve tors orthogonal to ! with respe t the symple ti
form on E. Let � be the natural map from E to E=h!i. Sin e F is the
entraliser of ! in E and h!i is the enter of F , we an identify the 2m-
dimensional binary spa e F with �(h!i
?
).
56
We have symple ti bases
fx
1
; : : : ; x
m+1
; z
1
; : : : ; z
m+1
g of E
and
fx
1
; : : : ; x
m
; z
1
; : : : ; z
m
g of F
orresponding to the dire t sums E = X(V )�Z(V ) and F = X(V
0
)�Z(V
0
).
Given a maximal totally isotropi subspa e A
0
of F , there is a unique maximal
totally singular subspa e A of E su h that A \ Z(V ) = f0g and
�(A \ h!i
?
) = A
0
:
Moreover, if A
0
= X(V
0
)Y
0
(C
0
), then A = X(V )Y (C), where
C =
�
C
0
+ d(C
0
)
>
d(C
0
) d(C
0
)
>
d(C
0
) 0
�
;
and the (n � 1)-tuple d(C
0
) = (
0
11
; : : : ;
0
n�1;n�1
) onsists of the diagonal
entries of C
0
.
Now, de�ne � by
� =
n
Z(V )
o
[
n
A : A \ Z(V ) = f0g; �(A \ h!i
?
) = A
0
2 �
0
o
:
We all � the lift of �
0
; note that � is an orthogonal spread of E.
Exer ise 11.8 Show that the 2
m
totally singularm+1-spa es in � interse t
pairwise in f0g, and therefore � is an orthogonal spread of E.
Let us summarize where we are so far. Starting with the symple ti spread
�
0
in the 2m-dimensional binary symple ti spa e F ' �(h!i
?
) we obtain
the Z
4
-Kerdo k ode K
4
(�
0
) of length 2
m
. The lift of �
0
is an orthogonal
spread � in the 2(m + 1)-dimensional binary orthogonal spa e E, and from
it we obtain the binary Kerdo k ode K(�) of length 2 � 2
m
. In the next
se tion, we show that the Gray map takes K
4
(�
0
) to K(�).
Now we quote without proof the following theorem from [5℄.
Theorem 11.2 The Gray map sends K
4
(�
0
) to K(�).
57
Referen es
[1℄ M. As hba her, Finite Group Theory, Cambridge Studies in Advan ed
Mathemati s 10, Cambridge University Press, Cambridge, 1994.
[2℄ T. D. Bending, Ph.D. thesis, University of London, 1993.
[3℄ T. D. Bending and D. G. Fon-Der-Flaass, Crooked fun tions, bent fun -
tions, and distan e-regular graphs, Ele troni Journal of Combinatori s
5 (1998), #R34, 14pp. Available from
http://www. ombinatori s.org/Volume 5/v5i1to .html.
[4℄ C. H. Bennett and P. W. Shor, Quantum information theory, IEEE
Transa tions on Information Theory (1998).
[5℄ A. R. Calderbank, P. J. Cameron, W. M. Kantor and J. J. Seidel, Z
4
-
Kerdo k odes, orthogonal spreads, and extremal Eu lidean line sys-
tems, Pro eedings of the London Mathemati al So iety (3) 75 (1997),
436{480.
[6℄ A. R. Calderbank, E. M. Rains, P. W. Shor and N. J. A. Sloane, Quan-
tum error orre tion via odes over GF(4), IEEE Transa tions on In-
formation Theory 44 (1998), 1369{1387.
[7℄ A. R. Calderbank, E. M. Rains, P. W. Shor and N. J. A. Sloane, Quan-
tum error orre tion and orthogonal geometry, Physi al Review Letters,
78 (1997), 405{409.
[8℄ P. J. Cameron and J. H. van Lint, Designs, Graphs, Codes and their
Links, London Mathemati al So iety Student Texts 22, Cambridge Uni-
versity Press, Cambridge, 1991.
[9℄ P. J. Cameron and J. J. Seidel, Quadrati forms over GF(2), Pro . Kon.
Nederl. Akad. Wetens h. (A) 76 (1973), 1{8.
[10℄ R. W. Carter, Simple Groups of Lie Type, Wiley Inters ien e, New York,
1972.
[11℄ R. Cleve and D. Gottesman, EÆ ient omputations of en odings for
quantum error orre tion, Physi al Review A, 56 (1997) 76{82.
58
[12℄ J. H. Conway, R. T. Curtis, S. P. Norton, R. A. Parker, and R. A. Wilson,
A TLA S of Finite Groups, Oxford University Press, Oxford, 1985.
[13℄ A. M. Gleason, Weight polynomials of self-dual odes and
the Ma Williams identities, A tes du Congr�es International de
Math�ematique (vol. 3), 211{215.
[14℄ D. Gottesman, Class of quantum error- orre ting odes saturating the
quantum Hamming bound, Physi al Review A, 54 (1996), 1862{1868.
[15℄ A. R. Hammons Jr., P. V. Kumar, A. R. Calderbank, N. J. A. Sloane and
P. Sol�e, The Z
4
-linearity of Kerdo k, Preparata, Goethals and related
odes, IEEE Transa tions on Information Theory 40 (1994), 301{319.
[16℄ W. M. Kantor, Symmetri designs, symple ti groups, and line ovals,
Journal of Algebra 33 (1975), 43{58.
[17℄ A. M. Kerdo k, A lass of low-rate nonlinear binary odes, Information
and Control 20 (1972), 182{187.
[18℄ F. J. Ma Williams and N. J. A. Sloane, The Theory of Error-Corre ting
Codes, North-Holland Publishing Co., Amsterdam, 1977.
[19℄ C. Parker, E. Spen e and V. D. Ton hev, Designs with the symmetri
di�eren e property on 64 points and their groups, Journal of Combina-
torial Theory (A) 67 (1994), 23{43.
[20℄ H. S. Pollatsek, First ohomology groups of some linear groups over �elds
of hara teristi two, Illinois Journal of Mathemati s (3) 15 (1971),
393{417.
[21℄ D. A. Pree e and P. J. Cameron, Some new fully-balan ed Grae o-Latin
Youden `squares', Utilitas Math. 8 (1975), 193{204.
[22℄ J. Preskill, Le ture notes for Physi s 229 at Calte h,
http://theory. alte h.edu/
~
preskill/ph229.
[23℄ O. S. Rothaus, On \bent" fun tions, Journal of Combinatorial Theory
(A) 20 (1976), 300{305.
59
[24℄ P. W. Shor, Polynomial-time algorithms for prime fa torization and dis-
rete logarithms on a quantum omputer, SIAM Journal on Computing
26 (1997), 1484{1509.
[25℄ P. W. Shor, Quantum Computing, Do umenta Mathemati a, spe ial
ICM 1998 volume, I, 476{486. Available at
http://www.mathematik.uni-bielefeld.de/DMV-J/xvol-i m/
00/Shor.MAN.dvi.
[26℄ N. J. A. Sloane, Weight enumerators of odes, pp. 115{142 in Combi-
natori s (ed. M. Hall Jr. and J. H. van Lint), NATO ASI Series C16,
Reidel, Dordre ht, 1975.
60