
NATO Science for Peace and Security Series

This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally Advanced Study Institutes and Advanced Research Workshops. The NATO SPS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO's Partner or Mediterranean Dialogue countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy.

Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action.

Following a transformation of the programme in 2006 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Emerging Security Challenges Division.

Sub-Series
A. Chemistry and Biology (Springer Science and Business Media)
B. Physics and Biophysics (Springer Science and Business Media)
C. Environmental Security (Springer Science and Business Media)
D. Information and Communication Security (IOS Press)
E. Human and Societal Dynamics (IOS Press)

Sub-Series D: Information and Communication Security Vol. 29 ISSN 1874-6268 (print) ISSN 1879-8292 (online)

Information Coding and Combinatorics

Edited by

Dean Crnković

University of Rijeka, Rijeka, Croatia and

Vladimir Tonchev

Michigan Technological University, Houghton, Michigan, USA

Proceedings of the NATO Advanced Study Institute on Information Security and Related Combinatorics, Opatija, Croatia, 31 May - 11 June 2010

© 2011 The authors and IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN 978-1-60750-662-1 (print), ISBN 978-1-60750-663-8 (online). Library of Congress Control Number: 2010941318

Publisher IOS Press BV Nieuwe Hemweg 6B 1013 BG Amsterdam Netherlands fax: +31 20 687 0019 e-mail: order@iospress.nl

Distributor in the USA and Canada IOS Press, Inc. 4502 Rachael Manor Drive Fairfax, VA 22032 USA fax: +1 703 323 3668 e-mail: iosbooks@iospress.com

LEGAL NOTICE The publisher is not responsible for the use which might be made of the following information. PRINTED IN THE NETHERLANDS

Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved.

Preface

This book contains papers based on lectures presented at the NATO Advanced Study Institute "Information Security and Related Combinatorics", held in the beautiful town of Opatija at the Adriatic Coast of Croatia from May 31 to June 11, 2010. On behalf of all participants, we would like to thank the NATO Science for Peace and Security Programme for providing funds for the conference, as well as the local sponsors, which included the Ministry of Science and Education of the Republic of Croatia, the Croatian Academy of Sciences and Arts, the Primorsko-goranska County, the University of Rijeka and its Mathematics Department, the Foundation of the University of Rijeka, the Society of Mathematicians and Physicists, the Login Co., the Opatija Tourist Board, the City of Opatija, the City of Rijeka, and Brodokomerc.nova. The Advanced Study Institute had fourteen lecturers: K.T. Arasu (USA), C. Colbourn (USA), F. Fuji-Hara (Japan), W. Haemers (The Netherlands), M. Jimbo (Japan), J.D. Key (USA), H. Kharaghani (Canada), C. Lam (Canada), S. Magliveras (USA), J. Moori (South Africa), T. Shaska (USA), L. Storme (Belgium), V.D. Tonchev (USA), R. Wilson (USA), and was attended by over 60 graduate students and junior scientists from Albania, Armenia, Belgium, Bosnia and Herzegovina, Bulgaria, Croatia, Germany, Italy, Macedonia, The Netherlands, Russia, Turkey, and USA. The unifying theme of the conference was combinatorial mathematics used in applications related to information security, cryptography, and coding theory. The book will be of interest to mathematicians, computer scientists and engineers working in the area of digital communications, as well as to researchers and graduate students who are willing to learn more about the applications of combinatorial mathematics to problems arising in communications and information security.

The majority of papers are surveys on topics that are subject to current research and are written in a tutorial textbook style that makes this volume a good source as an additional text for a course in discrete mathematics or applied combinatorics. The book can be used in graduate courses of applied combinatorics with a focus on coding theory and cryptography.

Contents

Preface, Dean Crnković and Vladimir Tonchev, p. v
Crypto Applications of Combinatorial Group Theory, Ivana Ilić and Spyros S. Magliveras, p. 1
Generating Rooted Trees of m Nodes Uniformly at Random, Kenneth Matheis and Spyros S. Magliveras, p. 17
On Jacobsthal Binary Sequences, Spyros S. Magliveras, Tran van Trung and Wandi Wei, p. 27
Applications of Finite Geometry in Coding Theory and Cryptography, A. Klein and L. Storme, p. 38
The Arithmetic of Genus Two Curves, T. Shaska and L. Beshaj, p. 59
Covering Arrays and Hash Families, Charles J. Colbourn, p. 99
Sequences and Arrays with Desirable Correlation Properties, K.T. Arasu, p. 136
Permutation Decoding for Codes from Designs, Finite Geometries and Graphs, J.D. Key, p. 172
Finite Groups, Designs and Codes, J. Moori, p. 202
Designs, Strongly Regular Graphs and Codes Constructed from Some Primitive Groups, Dean Crnković, Vedrana Mikulić Crnković and B.G. Rodrigues, p. 231
Matrices for Graphs, Designs and Codes, Willem H. Haemers, p. 253
Finding Error-correcting Codes Using Computers, Clement Lam, p. 278
Quantum Jump Codes and Related Combinatorial Designs, Masakazu Jimbo and Keisuke Shiromoto, p. 285
Unbiased Hadamard Matrices and Bases, Hadi Kharaghani, p. 312
Multi-structured Designs and Their Applications, Ryoh Fuji-Hara and Ying Miao, p. 326
Recent Results on Families of Symmetric Designs and Non-embeddable Quasi-residual Designs, Mohan S. Shrikhande and Tariq A. Alraqad, p. 363
Codes and Modules Associated with Designs and t-uniform Hypergraphs, Richard M. Wilson, p. 404
Finite Geometry Designs, Codes, and Hamada's Conjecture, Vladimir D. Tonchev, p. 437

Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-1

Crypto Applications of Combinatorial Group Theory

Ivana Ilić and Spyros S. Magliveras
CCIS, Department of Math. Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA
e-mail: iilic@fau.edu, spyros@fau.edu

Abstract. The design of a large number of cryptographic primitives is based on the intractability of the traditional discrete logarithm problem (tDLP). However, the well known quantum algorithm of P. Shor [9] solves the tDLP in polynomial time, thus rendering all cryptographic schemes based on tDLP ineffective, should quantum computers become a practical reality. In [5] M. Sramka et al. generalize the DLP to arbitrary finite groups. The DLP for a non-abelian group is based on a particular representation of a chosen family of groups, and a choice of a class of generators for these groups. In this paper we show that for $PSL(2, p) = \langle \alpha, \beta \rangle$, $p$ an odd prime, certain choices of generators $(\alpha, \beta)$ must be avoided to ensure that the resulting generalized DLP is indeed intractable. For other types of generating pairs we suggest possible cryptanalytic attacks, reducing the new problem to the earlier case. We note however that the probability of success is asymptotic to $1/p$ as $p \to \infty$. The second part of the paper summarizes our successful attack on the $SL(2, 2^n)$ based Tillich-Zémor cryptographic hash function [2], and shows how to construct collisions between palindromic strings of length $2n + 2$.

2000 Mathematics Subject Classification: 68P25, 94A60.

Keywords. Discrete logarithm, finite groups, intractability, representations and presentations of groups, $PSL(2, p)$, public key cryptosystems, Tillich-Zémor hash function.

Introduction

In a recent quote, P. Nguyen states: "Due to Shor's algorithms for computing prime factorizations and discrete logarithms on quantum computers, most of present day public key cryptosystems must be considered insecure, if sufficiently large quantum computers became available. ... One interesting line of research in this direction is the use of computational problems in non-abelian groups ..." [6]. In this article we discuss recent results on the generalized discrete logarithm problem (GDLP) in the family of non-abelian simple groups $PSL(2, p)$, $p$ an odd prime. In particular we examine these groups in their representations as matrices over $GF(p)$, and investigate weak generator choices for the generalized DLP problem. In the second part of the paper we summarize the interesting approach in [2] which culminated with the demise of the well known Tillich-Zémor cryptographic hash function [13].

1. Preliminaries

The authors of [5] generalize the discrete logarithm problem from finite cyclic groups to arbitrary finite groups. We restate the definition. Let $G$ be a finite group generated by $\alpha_1, \ldots, \alpha_t$, i.e., $G = \langle \alpha_1, \ldots, \alpha_t \rangle$. Denote by $\alpha = (\alpha_1, \ldots, \alpha_t)$ the ordered tuple of generators of the group $G$. As defined in [5], for a given $\beta \in G$, the generalized discrete logarithm problem (GDLP) of $\beta$ with respect to $\alpha$ is to determine a positive integer $k$ and a $(kt)$-tuple of non-negative integers $x = (x_{11}, \ldots, x_{1t}, \ldots, x_{k1}, \ldots, x_{kt})$ such that

$$\beta = \prod_{i=1}^{k} \left( \alpha_1^{x_{i1}} \cdots \alpha_t^{x_{it}} \right).$$

We can write this formally as $\beta = \alpha^x$. The $(kt)$-tuples $(x_{11}, \ldots, x_{1t}, \ldots, x_{k1}, \ldots, x_{kt})$ are called the generalized discrete logarithms of $\beta$ with respect to $\alpha = (\alpha_1, \ldots, \alpha_t)$. Denote by

$$S_k = \prod_{i=1}^{k}$$

where $n_j$ denotes the order of element $\alpha_j$. Then, the smallest positive integer $k_0$ such that $G = S_k$ for all $k \geq k_0$ is called the depth of group $G$ with respect to $(\alpha_1, \ldots, \alpha_t)$.

There could be more than one generalized discrete logarithm of $\beta$ with respect to $\alpha$. Actually, there will be infinitely many generalized discrete logarithms: if $x$ is a generalized discrete logarithm of $\beta$ with respect to $\alpha$ and if $\alpha^{x'} = 1$, then the catenations $x \| x'$ and $x' \| x$ are also generalized discrete logarithms of $\beta$ with respect to $\alpha$.

The generalization of the discrete logarithm problem to finite groups has potential applications in cryptography. To be able to construct secure cryptographic primitives based on the generalized discrete logarithm problem in finite groups, care must be taken to ensure that the groups along with their representations and choice of generators have an intractable generalized discrete logarithm problem. The traditional discrete logarithm problem is generally considered computationally intractable. However, there exist groups and their representations in which the problem can be solved efficiently. For example, in $\mathbb{Z}_n$, the additive group of integers modulo $n$, the discrete logarithm can be easily computed. For a given element $\beta$ in $\mathbb{Z}_n$ and generator $\alpha$ of $\mathbb{Z}_n$, it is easy to find a non-negative integer $x$ such that $x\alpha = \beta$. Since $\alpha$ is a generator, $\gcd(n, \alpha) = 1$, and the multiplicative inverse of $\alpha$ in the ring $(\mathbb{Z}_n, +, \cdot)$ can be computed by the extended Euclidean algorithm. In general, one may speak of a tractable/intractable GDLP problem for a given infinite family of pairs $\{(G_\lambda, A_\lambda)\}_{\lambda \in L}$ indexed by $L$, where the $G_\lambda$ are groups in a common representation $\rho$, and $A_\lambda$ a particular set of generators for $G_\lambda$.

The generalized discrete logarithm problem may be tractable for some groups and generators in representation $\rho$. We examined the groups $PSL(2, p)$ as potential candidates for cryptographic applications, but our results show that when $PSL(2, p)$ is represented by matrices, the generalized discrete logarithm problem with respect to several types of generating sets does not provide the required strength. As is customary, we denote by $\mathbb{Z}$ the ring of integers. We also denote by $\mathbb{Z}^+$ the positive integers, and by $\mathbb{Z}^{\geq 0}$ the non-negative integers.

2. Generalized discrete logarithm problem in $PSL(2, p)$

Suppose that for an odd prime $p$ the group $G = PSL(2, p)$ is represented by matrices of $SL(2, p)$, up to a factor $\pm I$, where $I$ is the $2 \times 2$ identity matrix. Suppose further that $G$ is generated by two elements, i.e., $G = \langle A, B \rangle$. We have examined the tractability of the generalized discrete logarithm problem in this setup with respect to different generating pairs of elements $(A, B)$. The results of our research show that the hardness of computation of the generalized discrete logarithm problem will depend not only on the group representation, but also on the choice of generators. To perform a detailed analysis on whether the generalized discrete logarithm can be computed efficiently, we considered the following cases: 1) group $G$ is generated by the special elements $A = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $B = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$; 2) group $G$ is generated by two elements both of order $p$; 3) group $G$ is generated by two elements, one of which is of order $p$; 4) group $G$ is generated by two elements none of which is of order $p$. We have analyzed the first two cases in [4].

Suppose that $M = \begin{pmatrix} a & b \\ c & d \end{pmatrix} \in G$, with $a, b, c, d \in \mathbb{F}_p$, the field of order $p$. The matrices

$$A = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}, \qquad B = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$$

are both of order $p$, non-commuting and generate $G$, i.e., $G = \langle A, B \rangle$. Moreover, the authors of [5] show that the depth of group $G$ with respect to $(A, B)$ is two, so that the element $M \in G$ can be written as $M = A^i B^j A^k B^\ell$. We have

$$A^i B^j A^k B^\ell = \begin{pmatrix} 1 & i \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ j & 1 \end{pmatrix} \begin{pmatrix} 1 & k \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ \ell & 1 \end{pmatrix}.$$

Hence,

$$\begin{pmatrix} a & b \\ c & d \end{pmatrix} = \begin{pmatrix} 1 + ij + ((1 + ij)k + i)\ell & (1 + ij)k + i \\ j + (jk + 1)\ell & jk + 1 \end{pmatrix}.$$

By equating corresponding entries in the previous equality we obtain the system of equations

$$1 + ij + ((1 + ij)k + i)\ell = a, \qquad (1 + ij)k + i = b, \qquad j + (jk + 1)\ell = c, \qquad jk + 1 = d,$$

which can be solved for $i, j, k, \ell$ by computing a Gröbner basis of the ideal

$$I = \langle\, 1 + k\ell + ij + ijk\ell + i\ell - a,\; k + ijk + i - b,\; j + jk\ell + \ell - c,\; jk + 1 - d \,\rangle.$$

A Gröbner basis for the above ideal is computed over the set of rational numbers:

$$[\, \ell - jic + ja - c,\; k + id - b,\; jibc + ji - jab - a + bc + 1,\; jid - jb + d - 1,\; ad - bc - 1 \,],$$

which yields the following system of equations in $i, j, k, \ell \in \mathbb{Z}_p$:

$$\ell - jic + ja - c = 0, \qquad k + id - b = 0, \qquad jid - jb + d - 1 = 0,$$

whose solutions in $i, j, k, \ell$ represent the generalized discrete logarithms of $M$ with respect to $(A, B)$. The solutions are given by the following proposition:

Proposition 2.1 Let $A$, $B$ and $M$ be as above. Then, there exists a non-negative integer $n < p$ such that $nd - b \neq 0$ over $\mathbb{Z}_p$, and such that the 4-tuple $(i, j, k, \ell)$ with

$$i = n, \qquad j = (1 - d)(nd - b)^{-1}, \qquad k = b - nd, \qquad \ell = (1 - d)(nc - a)(nd - b)^{-1} + c$$

provides a solution to $M = A^i B^j A^k B^\ell$.

Proof. It can be directly verified that the given values for $i, j, k, \ell$ satisfy the above system of equations. The existence of $n$ is ensured since $M \in PSL(2, p)$ and hence $b$ and $d$ cannot simultaneously be equal to zero. $\square$

We have shown that the generalized discrete logarithm problem can be solved efficiently in $PSL(2, p)$ with respect to the special given generators $(A, B)$ as defined above. Further, as in [4], we construct an algorithm for computing the generalized discrete logarithm problem in $PSL(2, p)$ with respect to any two generators of order $p$. Assume that $C, D$ are two non-commuting elements of order $p$ in $PSL(2, p)$. Then, since any two non-commuting elements of order $p$ from $PSL(2, p)$ generate the whole group, it follows that $PSL(2, p) = \langle C, D \rangle$. To determine non-negative integers $i, j, k, \ell$ such that $M = C^i D^j C^k D^\ell$, we look for an element $g \in G$ which satisfies $C = g^{-1} A^s g$ and $D = g^{-1} B^t g$, for some non-negative integers $s, t < p$ and where $A$ and $B$ are the matrices defined above. Then,

$$M = C^i D^j C^k D^\ell = (g^{-1} A^s g)^i (g^{-1} B^t g)^j (g^{-1} A^s g)^k (g^{-1} B^t g)^\ell = (g^{-1} A^{si} g)(g^{-1} B^{tj} g)(g^{-1} A^{sk} g)(g^{-1} B^{t\ell} g) = g^{-1} A^{si} B^{tj} A^{sk} B^{t\ell} g.$$

Denote by $x = si$, $y = tj$, $v = sk$ and $w = t\ell$. Then, $gMg^{-1} = A^x B^y A^v B^w$. Let $M_1 = gMg^{-1}$. Obviously, $M_1 \in G$ and $M_1 = A^x B^y A^v B^w$. We have transformed the generalized discrete logarithm problem of $PSL(2, p)$ with respect to $(C, D)$ to the generalized discrete logarithm problem of $PSL(2, p)$ with respect to $(A, B)$, which we are able to solve as described earlier. To determine an element $g$ for which the conditions $C = g^{-1} A^s g$ and $D = g^{-1} B^t g$ hold simultaneously, we write the system of equations $gC = A^s g$ and $gD = B^t g$, for some non-negative integers $s, t < p$. Since $g = \begin{pmatrix} g_1 & g_2 \\ g_3 & g_4 \end{pmatrix}$, we obtain a system of equations in $g_1, \ldots, g_4$ and $s$ and $t$ from which an element $g$ is determined. The existence of such an element $g$ is ensured since $PSL(2, p)$ acts doubly transitively by conjugation on its $(p + 1)$ Sylow-$p$ subgroups. Then, for any two pairs of Sylow-$p$ subgroups, and hence for the particular pairs $(\langle A \rangle, \langle B \rangle)$ and $(\langle C \rangle, \langle D \rangle)$, there exists an element $g \in G$ such that $(\langle C \rangle, \langle D \rangle) = (\langle A \rangle^g, \langle B \rangle^g)$.

The third case in our analysis of hardness of the generalized discrete logarithm problem in $PSL(2, p)$, with respect to a pair of generators, is when one of the generators is of order $p$. Suppose now that $PSL(2, p) = \langle A, B \rangle$ where $|A| = p$. Note that the order of element $B$ can only be a divisor of the order of the group, $p(p^2 - 1)/2$. Given an element $M \in PSL(2, p)$ our goal is to write $M$ in terms of the generators $(A, B)$. In the construction of a word in $A$ and $B$ that represents element $M$, we will use the result of the following proposition.

Proposition 2.2 If $G = PSL(2, p) = \langle A, B \rangle$ where $|A| = p$, then $G = \langle A, A^B \rangle$, where $A^B = B^{-1} A B$.

Proof. Every two non-commuting elements of order $p$ from $PSL(2, p)$ generate the whole group. So we prove that elements $A$ and $A^B$ are non-commuting of order $p$. Conjugate elements have the same order, so $|A^B| = |A| = p$. Now, suppose that elements $A$ and $A^B$ commute. Then, $A^B$ is in the centralizer of element $A$, i.e., $A^B \in C_G(A) = \langle A \rangle$. So, $A^B = A^i$ for some $i \in \{0, \ldots, p - 1\}$. But then, $B$ normalizes $\langle A \rangle$, hence $\langle A \rangle$ is a proper normal subgroup of $\langle A, B \rangle$. But $PSL(2, p)$ is simple, thus $\langle A, B \rangle$ cannot be all of $PSL(2, p)$, a contradiction to the fact that $A$ and $B$ generate $G$. $\square$

The proposition that follows provides an upper bound for the depth of $PSL(2, p)$ with respect to two generators one of which is of order $p$, and its proof provides an algorithm for constructing a word in generators $A$ and $B$ that represents a given element $M$.

Proposition 2.3 Suppose that $G = PSL(2, p) = \langle A, B \rangle$, where $|A| = p$, with no further assumptions on $|B| = m$. Then, the depth of $G$ with respect to the generating tuple $(A, B)$ is less than or equal to four.

Proof. Let $C = A^B = B^{-1} A B$. By Proposition 2.2 the group $PSL(2, p)$ is generated by elements $A$ and $C$, both of order $p$. The generalized discrete logarithm problem can be solved efficiently in $PSL(2, p)$ represented by matrices, with respect to two generators of order $p$. By the method described earlier, the generalized discrete logarithm $(i, j, k, \ell)$ can be found such that $M = A^i C^j A^k C^\ell$. To represent the element $M$ in terms of the generators $A$ and $B$ we write the following sequence of equalities.

$$M = A^i C^j A^k C^\ell = A^i (B^{-1} A B)^j A^k (B^{-1} A B)^\ell = A^i B^{-1} A^j B A^k B^{-1} A^\ell B = A^i B^{m-1} A^j B A^k B^{m-1} A^\ell B.$$

Therefore, the generalized discrete logarithm of $M \in PSL(2, p)$ with respect to the generating tuple $(A, B)$, where $|A| = p$ and $|B| = m$, is $(i, m - 1, j, 1, k, m - 1, \ell, 1)$. It follows that every element $M$ from $PSL(2, p) = \langle A, B \rangle$, where $|A| = p$ and $|B| = m$, can be represented as $M = A^{x_1} B^{y_1} A^{x_2} B^{y_2} A^{x_3} B^{y_3} A^{x_4} B^{y_4}$ for some integers $x_1, x_2, x_3, x_4 \in \{0, \ldots, p - 1\}$ and $y_1, y_2, y_3, y_4 \in \{0, \ldots, m - 1\}$. The proposition follows. $\square$

The described method for writing element $M$ as a word in generators $A$ and $B$ does not assure obtaining the shortest possible word that represents $M$ in these generators.

Next, we take a look into a possible strategy for writing an element $M$ of group $PSL(2, p)$ in terms of two generators none of which is of order $p$. Suppose that we have an efficient method for constructing an element of order $p$ in terms of the generators $A$ and $B$. In the following proposition we will use the notation $w_p(A, B)$ to represent a word in $A$ and $B$ which is of order $p$ as an element of $G$.

Proposition 2.4 If $G = PSL(2, p) = \langle A, B \rangle$ where the orders of $A$ and $B$ are relatively prime to $p$, and if $P = w_p(A, B)$ is a word in $A$ and $B$, of order $p$ as an element of $G$, then $G = \langle A, P \rangle$ or $G = \langle B, P \rangle$.

Proof. Let $N$ be the normalizer in $G$ of $\langle P \rangle$, i.e. $N = N_G(\langle P \rangle)$. Then, at least one of the elements $A, B$ is not in $N$. Otherwise, if $A, B$ were both in $N$, then $\langle A, B \rangle$ would be a subgroup of $N$, that is $G = \langle A, B \rangle \leq N$, and therefore we would have that $N = G$. This would imply that $\langle P \rangle$ is a non-trivial, proper, normal subgroup of $G$, contradicting the fact that $G$ is simple. Without loss of generality, suppose that $A \notin N$. Then $\langle A, P \rangle = PSL(2, p)$, because the only proper subgroups of $PSL(2, p)$ containing $\langle P \rangle$ are subgroups of the normalizer of $\langle P \rangle$. Similarly, if $B \notin N$, it follows that $PSL(2, p) = \langle B, P \rangle$. $\square$

If $A$, $B$ and $P$ are as in Proposition 2.4 we can solve efficiently the generalized discrete logarithm problem with respect to $(A, P)$ since $PSL(2, p) = \langle A, P \rangle$ and $|P| = p$. Therefore, we can solve the generalized discrete logarithm problem with respect to $(A, B)$. Given $M \in PSL(2, p) = \langle A, B \rangle$ and $P = w_p(A, B)$ as in Proposition 2.4 we can write element $M$ as a word in $A, B$ as follows. Without loss of generality, assume that $A \notin N_G(\langle P \rangle)$. Conjugate element $P$ by element $A$, i.e., compute $P^A = A^{-1} P A$. Based

on Proposition 2.2, $PSL(2, p) = \langle P, P^A \rangle$. Based on the proof of Proposition 2.3, if $|A| = s$, we have:

$$M = P^i (P^A)^j P^k (P^A)^\ell = P^i A^{s-1} P^j A P^k A^{s-1} P^\ell A = w_p(A, B)^i A^{s-1} w_p(A, B)^j A\, w_p(A, B)^k A^{s-1} w_p(A, B)^\ell A.$$

The direct consequence is that the depth of $PSL(2, p)$ with respect to two generators both of order relatively prime to $p$ will depend on the word $P = w_p(A, B)$.

We examine a bit further possible attacks on the GDLP for $G = PSL(2, p)$ based on Proposition 2.4. A word of shortest possible length in $A$ and $B$ to produce an element of order $p$ is $AB$ or $BA$. We will consider the case where $|A| = |B| = d = (p - 1)/2$ and $|AB| = p$. This condition occurs systematically in $PSL(2, p)$; however, unfortunately for the cryptanalyst, the probability of this occurrence goes to zero as $p \to \infty$. We will need some well known facts about the group $PSL(2, q)$, $q = p^m$, $p$ an odd prime, which we state below, without proof, as a proposition. In what follows $\varphi$ stands for Euler's function.

Proposition 2.5 Suppose that $G = PSL(2, q)$, $q = p^m$, $p$ an odd prime. Then,
(a) The Sylow-$p$ subgroup of $G$ is elementary abelian of order $q$.
(b) If $x \in G$ is of order $d$, then $d$ divides $(q - 1)/2$, or $d = p$, or $d$ divides $(q + 1)/2$.
(c) There is a single conjugacy class of subgroups of order $(q - 1)/2$, and these are cyclic. Similarly, there is a single conjugacy class of subgroups of order $(q + 1)/2$, and they are cyclic.
(d) If $x \in G$ is of order $d \neq 2$ dividing $(q - 1)/2$ then $x$ belongs to one and only one cyclic subgroup of $G$ of order $(q - 1)/2$.
(e) If $d \neq 2$ divides $(q - 1)/2$ there are $\varphi(d)/2$ conjugacy classes of elements of order $d$ in $G$.
(f) If $x \in G$ is of order $d \mid (q - 1)/2$, $d \neq 2$, then the centralizer $C_G(x)$ is $\langle x \rangle$, while the normalizer $N_G(\langle x \rangle)$ is dihedral of order $q - 1$.

We will now examine the very special case where $G = PSL(2, p)$ is generated by two elements of order $(p - 1)/2$. Similar results can be derived for the other possible cases.

In what follows, let $X$ be the set of all elements of order $d = (p - 1)/2$ in $G$. We will consider the action of $G$ by conjugation on $X \times X$. Note that all pairs $(A, B)$ in a $G$-orbit on $X \times X$ share almost all critical properties of interest to our problem, as conjugation by an element $g \in G$ induces an automorphism of $G$. For example, if $(A, B)$ generate $G$ so does $(A, B)^g = (A^g, B^g)$, for $g \in G$. Similarly, the order of $AB$ is the same as the order of $A^g B^g = (AB)^g$, etc. Thus it suffices to examine one representative from each orbit of $G$ on $X \times X$. Since $G$ acts transitively by conjugation on the cyclic subgroups of order $(p - 1)/2$, without loss of generality, we will select one such subgroup, say $C$, and one fixed generator $x \in C$, so that $C = \langle x \rangle$. Now, $C_G(x) = \{y \in G \mid xy = yx\} = \langle x \rangle = C$. We have the following consequences of Proposition 2.5:

Proposition 2.6 If $G$ and $X$ are as above, and $d = (p - 1)/2$, then:
(a) $|X| = \varphi(d)p(p + 1)/2$,
(b) Let $x$ be any fixed element of $X$. In the action of $C = C_G(x)$ on $X$ by conjugation there are exactly $\varphi(d)$ orbits of length 1, and $v = \varphi(d)(p(p + 1) - 2)/2d$ orbits of length $d$.
(c) Of the $v$ orbits $O_i$ of length $d$ exactly $2\varphi(d) - 2$ are such that if $y \in O_i$ then $|xy| = p$.

Proof. (a) Since each of the $\varphi(d)/2$ conjugacy classes of elements of order $d$ has $|G|/d = p(p + 1)$ elements, it follows that $|X| = [\varphi(d)p(p + 1)]/2$. (b) $C = C_G(x) = \langle x \rangle$ has exactly $\varphi(d)$ elements $y$ of order $d$ in it, and since these elements commute with $x$, the orbit $y^C = \{y\}$ has length 1. If $y \in X \setminus C$ then $K = C_G(y) = \langle y \rangle$, and $K \cap C = \{1\}$, hence the orbit $y^C$ has exactly $|C|$ elements. Thus, the number of orbits of length $d$ is $[(\varphi(d)p(p + 1))/2 - \varphi(d)]/d = [\varphi(d)(p(p + 1) - 2)]/2d$. (c) We will only give an idea about the proof here. The result follows from calculations in the center of the group ring $\mathbb{Z}G$. In particular, if $\{K_i\}_{i=1}^{c}$ are the conjugacy classes of $G$, they form a basis for the center of $\mathbb{Z}G$ and $K_i K_j = \sum_{k=1}^{c} a_{ijk} K_k$, with the $a_{ijk}$ computable from the character table of $G$. We have that $X$ is the sum of the $\varphi(d)/2$ classes $\{K_i\}$ with elements of order $d$. Thus, in the group ring, the number of elements in $xX$ of order $p$ is the sum of the coefficients of the two classes $K_p^-$ and $K_p^+$ in

$$\frac{1}{|K_x|} K_x \sum_{i=1}^{\varphi(d)/2} K_i = \frac{1}{p(p + 1)} \sum_{i=1}^{\varphi(d)/2} K_x K_i.$$

Since each $C$-orbit on $X \setminus C$ is of length $d$, we further divide by $d$ for the number of $C$-orbits. $\square$

We are now able to state a proposition which is not of much help to the cryptanalyst, but which lends evidence to the notion that strong generators may be possible for a GDLP based system.

Proposition 2.7 Let $G = PSL(2, p)$ and let $d$, $X$ and $x \in X$ be as above. If we select a second element $y \in X$ randomly, then the probability that the order of $xy$ is $p$ is

$$\frac{2(\varphi(d) - 1)(p - 1)}{\varphi(d)\, p(p + 1)},$$

which is of course asymptotic to $2/p$ as $p \to \infty$.

Proof: Having fixed $x \in X$, by Proposition 2.6 the number of elements $y \in X$ such that $|xy| = p$ is $2(\varphi(d) - 1)d$. Since $|X| = \frac{\varphi(d)}{2} \cdot \frac{|G|}{d}$ we have:

$$\Pr\{|xy| = p\} = \frac{2(\varphi(d) - 1)d}{\frac{\varphi(d)}{2}\, p(p + 1)},$$

hence the result. $\square$

It is clear of course that if $(A, B) \in X \times X$ with $|AB| = p$, then $\langle A, B \rangle = G$.

3. Relations

By solving the generalized discrete logarithm problem for a finite group with respect to a given set of generators we are factorizing group elements in terms of the generators. By equating two different factorizations of the same group element, we obtain a relation. This observation holds in any finite group, as we discuss in the next section. Let $G$ be a finite group generated by $\alpha_1, \ldots, \alpha_t$, i.e., $G = \langle \alpha_1, \ldots, \alpha_t \rangle$. Denote by $\alpha = (\alpha_1, \ldots, \alpha_t)$ the ordered tuple of generators of the group $G$. For a given $\beta \in G$, assume that

$$\beta = \prod_{i=1}^{k} \left( \alpha_1^{x_{i1}} \cdots \alpha_t^{x_{it}} \right),$$

i.e., $\beta = \alpha^x$, where $x = (x_{11}, \ldots, x_{1t}, \ldots, x_{k1}, \ldots, x_{kt})$. Recall that $x = (x_{11}, \ldots, x_{1t}, \ldots, x_{k1}, \ldots, x_{kt})$, the generalized discrete logarithm with respect to the generators $\alpha = (\alpha_1, \ldots, \alpha_t)$, is not unique; in fact there will exist infinitely many distinct $y = (y_{11}, \ldots, y_{1t}, \ldots, y_{s1}, \ldots, y_{st})$ such that $\beta = \alpha^y = \prod_{i=1}^{s} \alpha_1^{y_{i1}} \cdots \alpha_t^{y_{it}}$. For any such $y$ we have:

$$\prod_{i=1}^{k} \alpha_1^{x_{i1}} \cdots \alpha_t^{x_{it}} = \prod_{i=1}^{s} \alpha_1^{y_{i1}} \cdots \alpha_t^{y_{it}}.$$

In this way we obtain non-trivial relations among the generators. Further, by collecting different relations we may obtain a presentation of the group: $G = \langle X \mid R \rangle$, where $X$ is the set of generators, and $R$ a set of relations of the above type, sufficiently many to completely determine the group. Relations of particular interest in cryptography are those which represent the identity element of the group, that is of the form $1_G = $ a word in the generators. Moreover, in a finite group $G$ we can always convert a presentation of the form $G = \langle X \mid R \rangle$ into one of the form $G = \langle X \mid R' \rangle$, where $R'$ is a set of relations of the type $\prod_{i=1}^{k} \alpha_1^{x_{i1}} \cdots \alpha_t^{x_{it}} = 1_G$.

The length of a word $w = \prod_{i=1}^{k} \alpha_1^{x_{i1}} \cdots \alpha_t^{x_{it}}$ in the symbols $\alpha_1, \ldots, \alpha_t$, where the $x_{ij}$ are non-negative integers, is defined to be the integer $|w| = \sum_{i=1}^{k} \sum_{j=1}^{t} x_{ij}$. Moreover, if $w_1$ and $w_2$ are words in the symbols $\alpha_1, \ldots, \alpha_t$ and $\rho : w_1 = w_2$ is a relation, the length of the relation is defined to be the integer $|\rho| := |w_1| + |w_2|$.

If $G$ is a finite group generated by $\alpha_1, \ldots, \alpha_t$, a relation $\rho$ in the $\alpha_1, \ldots, \alpha_t$ is said to be short if $|\rho| = O(\log(|G|))$, otherwise $\rho$ is said to be long. Relations of importance to cryptographic hash functions of the Tillich-Zémor type are those which are short. We turn to our group of interest, $PSL(2, p)$, and examine the length of some relations there.

Let $G = PSL(2, p)$, and consider the elements $A = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$, $B = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ in $G$. The matrices $A$ and $B$ are both of order $p$, non-commuting and thus generate $PSL(2, p)$. As we have seen earlier, the depth of $PSL(2, p)$ with respect to the generating tuple $(A, B)$ is two. Therefore, the identity matrix $I \in PSL(2, p)$ can be written as $I = A^i B^j A^k B^\ell$ for some non-negative integers $i, j, k$ and $\ell$. In the next proposition we establish that for any prime $p$, any relation of the form $I = A^i B^j A^k B^\ell$ in $PSL(2, p)$ is long.

Proposition 3.1 Let $A$, $B$ and $I$ be matrices in $PSL(2, p)$ as above. Then, a solution $(i, j, k, \ell)$ to the generalized discrete logarithm problem $I = A^i B^j A^k B^\ell$ is such that either $i + j + k + \ell \geq p$ or $i = j = k = \ell = 0$.

Proof.

$$A^i B^j A^k B^\ell = \begin{pmatrix} 1 & i \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ j & 1 \end{pmatrix} \begin{pmatrix} 1 & k \\ 0 & 1 \end{pmatrix} \begin{pmatrix} 1 & 0 \\ \ell & 1 \end{pmatrix}.$$

Therefore,

$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 + ij + ((1 + ij)k + i)\ell & (1 + ij)k + i \\ j + (jk + 1)\ell & jk + 1 \end{pmatrix}.$$

Then, $jk + 1 \equiv 1 \pmod p$ and hence $jk \equiv 0 \pmod p$. By using $jk \equiv 0 \pmod p$, we obtain

$$\begin{pmatrix} 1 & 0 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 1 + ij + k\ell + i\ell & k + i \\ j + \ell & 1 \end{pmatrix}.$$

So, $j + \ell \equiv 0 \pmod p$ and $k + i \equiv 0 \pmod p$, i.e., $j + \ell = s_1 p$, $s_1 \in \mathbb{Z}^{\geq 0}$ and $k + i = s_2 p$, $s_2 \in \mathbb{Z}^{\geq 0}$. If $s_1 \geq 1$, then $j + \ell \geq p$. Hence, $i + j + k + \ell \geq p$. If $s_1 = 0$, i.e., $j + \ell = 0$, then $j = \ell = 0$. Similarly, $s_2 \geq 1$ leads to $i + j + k + \ell \geq p$, and $s_2 = 0$ leads to $k = i = 0$. The length of the word $1_G = A^i B^j A^k B^\ell$ is $i + j + k + \ell \geq p$ or $i = j = k = \ell = 0$. Thus, $i + j + k + \ell \geq p$. $\square$

We remark that since for $p > 7$, $p > 3 \log p > \log(|PSL(2, p)|)$, any relation of the form $I = A^i B^j A^k B^\ell$ is long, for all $p > 7$.
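The following Python script is an added example, not code from the paper: it implements the closed-form solution of Proposition 2.1 for the generators $A$, $B$ of Section 2, checks exhaustively for a small prime that every matrix of $SL(2, p)$ is reached with depth two, and brute-forces the shortest non-trivial relation $I = A^i B^j A^k B^\ell$ with exponents below $p$, which Proposition 3.1 predicts has length at least $p$. The sample matrix and the primes used are constructed for illustration.

```python
# Added example (not from the paper): solving the GDLP in SL(2, p) for the
# special generators A = [[1,1],[0,1]], B = [[1,0],[1,1]] via Proposition 2.1,
# an exhaustive depth-2 check for a small prime, and a brute-force search for
# the shortest non-trivial relation I = A^i B^j A^k B^l (Proposition 3.1).
from itertools import product

A = ((1, 1), (0, 1))
B = ((1, 0), (1, 1))
IDENT = ((1, 0), (0, 1))


def mat_mul(X, Y, p):
    """Product of two 2x2 matrices with entries reduced modulo p."""
    return (
        ((X[0][0] * Y[0][0] + X[0][1] * Y[1][0]) % p,
         (X[0][0] * Y[0][1] + X[0][1] * Y[1][1]) % p),
        ((X[1][0] * Y[0][0] + X[1][1] * Y[1][0]) % p,
         (X[1][0] * Y[0][1] + X[1][1] * Y[1][1]) % p),
    )


def mat_pow(X, e, p):
    """X^e mod p by square-and-multiply (e >= 0)."""
    result, base = IDENT, X
    while e:
        if e & 1:
            result = mat_mul(result, base, p)
        base = mat_mul(base, base, p)
        e >>= 1
    return result


def word(i, j, k, l, p):
    """Evaluate A^i B^j A^k B^l in SL(2, p)."""
    W = mat_mul(mat_pow(A, i, p), mat_pow(B, j, p), p)
    W = mat_mul(W, mat_pow(A, k, p), p)
    return mat_mul(W, mat_pow(B, l, p), p)


def gdlp_special(M, p):
    """Proposition 2.1: return (i, j, k, l) with A^i B^j A^k B^l == M.

    M = ((a, b), (c, d)) must have determinant 1 mod p.  We pick the
    smallest n in [0, p) with n*d - b != 0 mod p; such n exists because
    b and d cannot both vanish when ad - bc = 1.
    """
    (a, b), (c, d) = M
    if (a * d - b * c) % p != 1:
        raise ValueError("M is not in SL(2, p)")
    n = next(n for n in range(p) if (n * d - b) % p != 0)
    inv = pow((n * d - b) % p, -1, p)          # (nd - b)^{-1} mod p
    i = n
    j = ((1 - d) * inv) % p
    k = (b - n * d) % p
    l = ((1 - d) * (n * c - a) * inv + c) % p
    return i, j, k, l


def depth_two_covers_sl2(p):
    """Check that every matrix of SL(2, p) is reached as A^i B^j A^k B^l
    by the formula above, i.e. depth <= 2 holds for this representation."""
    count = 0
    for a, b, c, d in product(range(p), repeat=4):
        if (a * d - b * c) % p != 1:
            continue
        M = ((a, b), (c, d))
        if word(*gdlp_special(M, p), p) != M:
            return False
        count += 1
    return count == p * (p * p - 1)            # |SL(2, p)|


def shortest_identity_relation(p):
    """Brute force over 0 <= i, j, k, l < p: the minimum of i + j + k + l
    over non-trivial solutions of I = A^i B^j A^k B^l.  Proposition 3.1
    says this is at least p; A^p = I shows it is exactly p."""
    A_pows = [mat_pow(A, e, p) for e in range(p)]
    B_pows = [mat_pow(B, e, p) for e in range(p)]
    best = None
    for i, j, k, l in product(range(p), repeat=4):
        if i == j == k == l == 0:
            continue
        if best is not None and i + j + k + l >= best:
            continue
        W = mat_mul(mat_mul(A_pows[i], B_pows[j], p),
                    mat_mul(A_pows[k], B_pows[l], p), p)
        if W == IDENT:
            best = i + j + k + l
    return best


if __name__ == "__main__":
    p = 101
    M = ((2, 3), (5, 8))                        # constructed sample, det = 1
    print(gdlp_special(M, p), word(*gdlp_special(M, p), p) == M)
    print(depth_two_covers_sl2(7), shortest_identity_relation(7))
```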

4. The demise of the Tillich-Zémor hash function

Let $V = \{0,1\}^*$ be the Kleene closure of $\{0,1\}$, i.e. the set of all binary sequences of arbitrary but finite length. Moreover, for $n \in \mathbb{Z}^+$, denote by $V_n = \{0,1\}^n$ the set of all binary sequences of length $n$. For a given parameter $n \in \mathbb{Z}^+$, by a hash function we mean any function $h : V \to V_n$. If $v \in V$, we denote by $v^r$ the reversal of $v$, i.e. the reflection of $v$ with respect to a central axis. For example, if $v = 00111$ then $v^r = 11100$.

Definition 4.1 For a fixed parameter $n \in \mathbb{Z}^+$, a hash function $h : V \to V_n$ is said to be a cryptographic hash function if $h$ has the following additional properties:
1. preimage resistance: for essentially all $y \in V_n$ it is computationally infeasible to find $x \in V$ such that $h(x) = y$;
2. 2nd-preimage resistance: for any given $x \in V$ it is computationally infeasible to find any $x' \in V$ such that $x' \ne x$ and $h(x') = h(x)$; and
3. collision resistance: it is computationally infeasible to find any $x, x' \in V$ such that $x \ne x'$ and $h(x) = h(x')$.

It is clear that the three properties are not independent, but if for a given $h$ a cryptanalyst succeeds in breaching any one of the three, then $h$ is considered compromised. However, a satisfactory attack on the collision resistance property must also satisfy a rather severe length requirement: the lengths of $x$ and $x'$ must be polynomial in the parameter $n$.

In their paper "Hashing with SL2" [13], Tillich and Zémor propose a cryptographic hash function based on computing matrix products in the non-abelian group $SL(2, q)$. A brief history of the evolution of the Tillich-Zémor hash function (TZ) is given in the introduction of [2]. We give here a brief description of the scheme in its final form and a summary of the main steps that led to its cryptanalysis.

4.1. The final version of the Tillich-Zémor hash function

Input parameters are a positive integer $n$ and an irreducible polynomial $q(x)$ of degree $n$ over the field of two elements $\mathbb{F}_2 = GF(2)$. Let $\mathbb{F}$ be the finite field of order $2^n$ represented as $\mathbb{F} = \mathbb{F}_2[x]/(q(x))$. Let $\alpha$ be a root of $q(x)$ and define
$$s_0 := \begin{pmatrix} \alpha & 1 \\ 1 & 0 \end{pmatrix}, \qquad s_1 := \begin{pmatrix} \alpha & \alpha + 1 \\ 1 & 1 \end{pmatrix}.$$
Then the matrices $s_0$ and $s_1$ generate the group $G = SL(2, \mathbb{F})$ of all unimodular matrices over $\mathbb{F}$. The Tillich-Zémor hash function $\tilde h$ is defined as follows: for a bit string $v = b_0 b_1 \cdots b_m \in V$ define $\tilde h(v) := s_{b_0} s_{b_1} \cdots s_{b_m} \in G$. Note that $\tilde h$ maps a binary string $v$ of arbitrary length to a matrix in $G$, which requires 4 entries from $\mathbb{F}$; thus $\tilde h$ maps $V$ to $V_{4n}$.

Any satisfactory attack must work for any $n$ and any irreducible polynomial $q(x)$ of degree $n$ over $\mathbb{F}_2$. Thus, we note that the problem is specific to the representation of $\mathbb{F}$ as well as to the generators. The orders $k, \ell$ of $s_0$ and $s_1$ could be very large, for example any divisors of $2^n + 1$ or $2^n - 1$, and can be efficiently calculated. If $k$ or $\ell$ is small, then the system can be effectively attacked because one can write a short relation, such as $s_0^k = I$ or $s_1^\ell = I$, $I$ the identity of $G$. Thus a successful attack must assume nothing about the orders $k$ and $\ell$. In the proposition that follows we prove the existence of short relations in any finite group $G$ generated by two elements.

Proposition 4.1 Let $G$ be a finite group generated by two elements $A$ and $B$. Then there exists a relation $w_1 = w_2$, where $w_1$ and $w_2$ are two different words in $A$ and $B$, such that $|w_1| + |w_2| = O(\log_2 |G|)$.


Proof. We construct the blocks of all words of successive lengths in $A$ and $B$. Let $B_0 = \{I\}$, where $I$ is the identity of the group $G$, and let $B_k$ be the collection of all words in $A$ and $B$ of length $k$. Then $|B_k| = 2^k$. Let $n$ be the positive integer such that
$$\sum_{k=0}^{n} |B_k| \le |G| \quad\text{and}\quad \sum_{k=0}^{n+1} |B_k| > |G|.$$
Since $\sum_{k=0}^{n} |B_k| = 2^{n+1} - 1$ we can write $2^{n+1} - 1 \le |G|$, i.e., $2^{n+1} \le |G| + 1$. By taking logarithms of both sides of the inequality, we obtain $n + 1 \le \log_2(|G| + 1)$. By the pigeon-hole principle, two distinct words, say $w_1$ and $w_2$, belonging to $B_0 \cup B_1 \cup \cdots \cup B_{n+1}$ must correspond to the same element of $G$. Then
$$|w_1| + |w_2| \le 2(n+1) \le 2 \log_2(|G| + 1) = O(\log_2 |G|). \qquad \square$$

Of course the proof can be generalized to any finite group $G$ generated by $k$ generators. A direct consequence of Proposition 4.1 is that short relations in two generators do exist in $SL(2, q)$. In particular, for $G = SL_2(2^n)$, $|G| = 2^n(2^{2n} - 1)$, and there are short relations of length at most $6n$. The question, of course, is how does one find them?

4.2. Experimentation

Early cryptanalytic experiments [2] were restricted to cases in which the defining irreducible polynomial $q(x)$ was of degree small enough to allow brute force searching for collisions. Data analysis of the experimental results showed that for every input $q(x)$ of degree $n$, collisions of words of length $2n + 2$ were obtained, and that among those collisions there were colliding palindromes. Computations were performed on a standard PC, using the computer algebra system Magma [1]. For example:

Example 4.1 With the irreducible polynomial $q(x) = x^5 + x^4 + x^3 + x + 1$ used to define the field $\mathbb{F}_{2^5} = \mathbb{F}_2[x]/(q(x))$ and with the Tillich-Zémor generators $s_0, s_1$, the following collision of palindromes of length $2n + 2 = 12$ occurs, with $v = 11101$ and $v^r = 10111$:
$$\tilde h(0\,v\,v^r\,0) = \tilde h(1\,v\,v^r\,1), \quad\text{i.e.}\quad \tilde h(011101101110) = \tilde h(111101101111).$$

Experimental results showed that for each tested choice of $\mathbb{F}_{2^n} = \mathbb{F}_2[x]/(q(x))$ two bit strings $v_1, v_2 \in \{0,1\}^n$, $|v_1| = |v_2| = n$, with
$$\tilde h(0\,v_i\,v_i^r\,0) = \tilde h(1\,v_i\,v_i^r\,1) \quad (i = 1, 2)$$
are obtained.


4.3. The successful attack

It was shown in [2] how to construct collisions between palindromes of length $2n + 2$ for any defining irreducible polynomial of degree $n$, that is, pairs $(u, v) \in V \times V$ such that $u \ne v$ and $\tilde h(u) = \tilde h(v)$. It was demonstrated that the attack is practical by constructing collisions for the challenge parameters. The method finds collisions of length a few hundred bits on a standard PC within a second. For the challenge polynomial of largest degree, $x^{2039} + x^{10} + x^9 + x^8 + x^7 + x^5 + x^4 + x^2 + 1$, the computation still took only a few seconds. With very few exceptions we will only state lemmas, propositions or theorems here and refer to [2] for their proofs.

4.3.1. Change of generators

Recall that for a root $\alpha$ of the irreducible $q(x)$ of degree $n$ in $\mathbb{F}_2[x]$,
$$s_0 := \begin{pmatrix} \alpha & 1 \\ 1 & 0 \end{pmatrix}, \qquad s_1 := \begin{pmatrix} \alpha & \alpha + 1 \\ 1 & 1 \end{pmatrix},$$
and $\tilde h(b_1 \ldots b_m) := s_{b_1} \cdots s_{b_m} \in G$. By conjugating the pair of generators $(s_0, s_1)$ by any element of $G$ we clearly get another pair of generators of $G$. In particular, conjugating $(s_0, s_1)$ by $s_0$ yields $(s_0^{s_0}, s_1^{s_0}) = (s_0, s_0^{-1} s_1 s_0) = (c_0, c_1)$. Computation results in
$$c_0 := \begin{pmatrix} \alpha & 1 \\ 1 & 0 \end{pmatrix}, \qquad c_1 = \begin{pmatrix} \alpha + 1 & 1 \\ 1 & 0 \end{pmatrix},$$
and the two new generators $c_0$ and $c_1$ define a new hash function by $h(b_1 \ldots b_m) := c_{b_1} \cdots c_{b_m} \in G$. We have the following:

Lemma 4.1 Let $v, v' \in V$. Then $\tilde h(v) = \tilde h(v')$ if and only if $h(v) = h(v')$.

Lemma 4.1 transforms the original problem with respect to $s_0, s_1$ into the equivalent problem of finding short collisions with respect to the new, symmetric generators $c_0, c_1$. This is critical in our solution. More generally, conjugating by any element $t \in G$ transforms the generators and hash values but preserves collisions.


4.3.2. The structure of palindrome collisions

Since a solution must be independent of the choice of the irreducible polynomial $q(x)$, we proceed to work in $SL_2(\mathbb{F}_2[x])$. Accordingly, matrices $C_0, C_1 \in SL_2(\mathbb{F}_2[x])$ are defined with polynomial entries as follows:
$$C_0 := \begin{pmatrix} x & 1 \\ 1 & 0 \end{pmatrix}, \qquad C_1 := \begin{pmatrix} x + 1 & 1 \\ 1 & 0 \end{pmatrix},$$
and a new hash function $H : V \to SL_2(\mathbb{F}_2[x])$ is defined by $H(b_1 \ldots b_m) := C_{b_1} \cdots C_{b_m}$. Reducing the entries of $H(v)$ modulo $q(x)$ gives $h(v)$. We further have:

Lemma 4.2 Let $v \in V$ be a palindrome, and write $H(v) = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$. Then $b = c$, i.e., $H(v)$ is symmetric. Moreover, $\deg(a) = |v|$ and $\max\{\deg(b), \deg(d)\} < |v|$.

Define $\Delta$ on $V$ by
$$\Delta(v) := H(0v0) + H(1v1).$$
For a given irreducible polynomial $q(x)$, $\Delta(v) \equiv \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix} \pmod{q(x)}$ if and only if $h(0v0) = h(1v1)$ is a collision in $SL_2(\mathbb{F}_2[x]/(q(x)))$.

Lemma 4.3 If $v \in V$ is a palindrome of length $|v|$, then $\Delta(v) = \begin{pmatrix} a & a \\ a & 0 \end{pmatrix}$, where $a \in \mathbb{F}_2[x]$ has degree $|v|$. Moreover, $a$ is the upper left entry of $H(v)$.

Lemma 4.4 If $v \in V$ is a palindrome of even length, then $H(v) = \begin{pmatrix} a^2 & b \\ b & d^2 \end{pmatrix}$ for some $a, b, d \in \mathbb{F}_2[x]$.

Proof. If $u \in V$, denote by $u^r$ the reversal of $u$, and let $v = u u^r$ for some $u \in V$. The proof is by induction on $|u|$. When $|u| = 0$ the hash $H(u u^r)$ is the identity matrix and the statement holds trivially. Suppose now we extend a string $u$ of given length by one bit $\beta \in \{0,1\}$, yielding the palindrome $v' = (\beta u)(u^r \beta)$. By the induction hypothesis we have $H(v) = H(u u^r) = \begin{pmatrix} a^2 & b \\ b & d^2 \end{pmatrix}$, so that
$$H(v') = C_\beta \begin{pmatrix} a^2 & b \\ b & d^2 \end{pmatrix} C_\beta = \begin{pmatrix} (x + \beta)^2 a^2 + d^2 & (x + \beta) a^2 + b \\ (x + \beta) a^2 + b & a^2 \end{pmatrix}.$$
Consequently, both diagonal entries of $H(v')$ are squares (in characteristic 2, $(x + \beta)^2 a^2 + d^2 = ((x + \beta) a + d)^2$), and the result follows. $\square$

Combining Lemmas 4.3 and 4.4 yields:

Corollary 4.1 Let $v \in V$ be a palindrome of even length. Then $\Delta(v) = \begin{pmatrix} a^2 & a^2 \\ a^2 & 0 \end{pmatrix}$ for some $a \in \mathbb{F}_2[x]$ with $\deg(a) = |v|/2$. In particular, the entry $a^2$ is the upper left entry of $H(v)$.

Further, from the proof of Lemma 4.4 we are able to deduce the following recurrence relation:

Corollary 4.2 Let $b_n \ldots b_1 b_1 \ldots b_n \in V$ be a palindrome of length $2n$. Then, for $0 \le i \le n$, the square root $p_i$ of the upper left entry of $H(b_i \ldots b_1 b_1 \ldots b_i)$ is given by
$$p_i = \begin{cases} 1, & \text{if } i = 0; \\ x + b_1 + 1, & \text{if } i = 1; \\ (x + b_i)\, p_{i-1} + p_{i-2}, & \text{if } 1 < i \le n. \end{cases}$$

Now, for the given irreducible polynomial $q = q(x) \in \mathbb{F}_2[x]$ of degree $n$, we seek a palindrome $v \in V$ of length $2n$ such that $\Delta(v) = H(0v0) + H(1v1) \equiv \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix} \pmod{q(x)}$ in $\mathbb{F}_2[x]$. By Corollary 4.1 this happens exactly when $q(x)$ divides $p_n^2$, i.e., since $q(x)$ is irreducible and $p_n$ is monic of degree $n$, when $p_n = q$.

4.3.3. Mesirov and Sweet

In view of Corollaries 4.1 and 4.2, finding such a $v \in V$ can be accomplished by determining a second polynomial $p(x) \in \mathbb{F}_2[x]$ of degree $n - 1$ such that:
1. $\gcd(q(x), p(x)) = 1$,
2. during the execution of the Euclidean algorithm with input $(q(x), p(x))$, the successive quotients are all of degree 1,
3. the degree of each remainder is only one less than the degree of the respective divisor.
This will ensure a Euclidean algorithm chain of maximal length and adherence to the recurrence relation in Corollary 4.2. The existence of such a polynomial $p(x)$ follows from a 1987 result by J.P. Mesirov and M.M. Sweet [8].

Proposition 4.2 [Mesirov and Sweet [8]] Given any irreducible polynomial $q$ of degree $n$ over $\mathbb{F}_2$, there is a sequence of polynomials $p_n, p_{n-1}, \ldots, p_0$ with $p_n = q$ and $p_0 = 1$, such that $\deg(p_i) = i$ and $p_i \equiv p_{i-2} \pmod{p_{i-1}}$.

Once we know a polynomial $p = p_{n-1}$ as in Proposition 4.2 which matches our given polynomial $p_n = q$, the Euclidean algorithm will uniquely complete the sequence $p_n, p_{n-1}, \ldots, p_1, p_0 = 1$. The linear quotients (of the form $x + c$ with $c \in \{0, 1\}$, for $i = 1, \ldots, n$) occurring in Euclid's algorithm allow us to derive the bits $b_i$ of the palindrome in Corollary 4.2. This has been a brief summary of the cryptanalysis of the last variant of the Tillich-Zémor cryptographic hash function published in [2]. A much more comprehensive development occurs in [2], including an efficient algorithm for determining from the irreducible $q(x) = p_n(x)$ the two solutions for $p(x) = p_{n-1}(x)$ satisfying the Mesirov-Sweet conditions. The paper [2] also contains the solution to all suggested challenge parameters for the Tillich-Zémor hash function.
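The following Python script is an added example for Example 4.1 and Section 4.3.3, written for this page; it is not the Magma code of [2]. It implements $\tilde h$ with the original generators $s_0, s_1$ over $\mathbb{F}_2[x]/(q(x))$, then finds the colliding palindromes for a given irreducible $q(x)$ by testing every monic $p(x)$ of degree $n - 1$ against the three Euclidean-chain conditions of Section 4.3.3 and reading the bits $b_i$ off the linear quotients via Corollary 4.2. The exhaustive search over $p(x)$ stands in for the efficient algorithm of [2], which is not reproduced here; polynomials are integers whose bits are the coefficients, and the function names are chosen here.

```python
"""Tillich-Zemor hash over F_2[x]/(q(x)) and the palindrome collision search of Section 4.
Polynomials over F_2 are Python ints (bit i = coefficient of x^i); 2x2 matrices are
row-major tuples (a, b, c, d). Added example, not code from the paper or from [2]."""

def deg(a):
    """Degree of a polynomial over F_2; deg(0) = -1."""
    return a.bit_length() - 1

def pmul(a, b):
    """Carry-less product of two F_2[x] polynomials."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def pdivmod(a, b):
    """Quotient and remainder of a by b in F_2[x] (b != 0)."""
    quo, db = 0, deg(b)
    while a and deg(a) >= db:
        shift = deg(a) - db
        quo ^= 1 << shift
        a ^= b << shift
    return quo, a

def mat_mul(m, n, q):
    """Product of 2x2 matrices with entries reduced modulo q(x)."""
    (a, b, c, d), (e, f, g, h) = m, n
    red = lambda z: pdivmod(z, q)[1]
    return (red(pmul(a, e) ^ pmul(b, g)), red(pmul(a, f) ^ pmul(b, h)),
            red(pmul(c, e) ^ pmul(d, g)), red(pmul(c, f) ^ pmul(d, h)))

ALPHA = 0b10  # the class of x in F_2[x]/(q(x)), i.e. a root alpha of q

def tz_hash(bits, q):
    """h~(v) = s_{b0} ... s_{bm} with the original generators of Section 4.1:
    s0 = [[alpha, 1], [1, 0]] and s1 = [[alpha, alpha + 1], [1, 1]]."""
    s = ((ALPHA, 1, 1, 0), (ALPHA, ALPHA ^ 1, 1, 1))
    m = (1, 0, 0, 1)
    for bit in bits:
        m = mat_mul(m, s[int(bit)], q)
    return m

def mesirov_sweet_palindromes(q):
    """All palindromes w of length 2n with h~(0w0) = h~(1w1), found by trying every monic
    p of degree n-1 against the Euclidean-chain conditions of Section 4.3.3 (exhaustive
    search over p; [2] gives an efficient method instead). A quotient x + g_i at step i
    gives b_i = g_i for i >= 2 and b_1 = g_1 + 1, since p_1 = x + b_1 + 1 (Corollary 4.2)."""
    n = deg(q)
    palindromes = []
    for low in range(1 << (n - 1)):
        hi, lo = q, (1 << (n - 1)) | low            # (p_n, candidate p_{n-1})
        gammas, ok = [], True
        for i in range(n, 0, -1):                   # p_i = (x + g_i) p_{i-1} + p_{i-2}
            quo, rem = pdivmod(hi, lo)
            if deg(quo) != 1 or deg(rem) != i - 2:  # deg(0) = -1 ends the chain at p_0 = 1
                ok = False
                break
            gammas.append(quo & 1)                  # g_i, constant term of the linear quotient
            hi, lo = lo, rem
        if ok:
            half = gammas[:-1] + [gammas[-1] ^ 1]   # b_n ... b_2 b_1
            bits = "".join(map(str, half))
            palindromes.append(bits + bits[::-1])   # b_n ... b_1 b_1 ... b_n
    return palindromes

def collides(w, q):
    """True if 0w0 and 1w1 collide under h~ over F_2[x]/(q(x))."""
    return tz_hash("0" + w + "0", q) == tz_hash("1" + w + "1", q)
```

For $q(x) = x^5 + x^4 + x^3 + x + 1$ (the integer 0b111011) the search returns the two palindromes 1110110111, which is the collision of Example 4.1 with $v = 11101$, and 0011001100, and `collides` confirms $\tilde h(0w0) = \tilde h(1w1)$ for both even though $\tilde h$ is evaluated with $s_0, s_1$ rather than $c_0, c_1$, as Lemma 4.1 says it must. The off-by-one between $b_1$ and the constant term of the last quotient is the detail most easily got wrong.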

5. Conclusions

With the advent of P. Shor's quantum algorithms [9] for solving the traditional DLP in polynomial time on a quantum computer, attention has been drawn to the generalized discrete logarithm problem in non-abelian groups. In this paper we consider the family of groups $PSL(2,p)$, $p$ an odd prime, and expose certain bad choices of generators for which the GDLP can be easily solved. We delineate some strategies for solving the GDLP in these groups, but point out that, for these strategies, the probability of success goes to zero as $p$ gets large. We still believe that if generators are chosen wisely, the GDLP in $PSL(2,p)$ will be intractable. In a related problem, we summarize the general successful attack presented in [2], which breaches the Tillich-Zémor hash function. In this segment, we give no proofs for the structure lemmas, and no details of the final solution based on a theorem of Mesirov and Sweet [8].

References

[1] Wieb Bosma, John Cannon, and Catherine Playoust. The Magma algebra system. I. The user language. J. Symbolic Comput., 24(3-4):235-265, 1997.
[2] Markus Grassl, Ivana Ilić, Spyros Magliveras, Rainer Steinwandt. Cryptanalysis of the Tillich-Zémor hash function. To appear in the Journal of Cryptology, 2010. Cryptology ePrint Archive: Report 2009/376, 2009. Available at: http://eprint.iacr.org/2009/376
[3] Derek Holt, Bettina Eick, Eamonn A. O'Brien. Handbook of computational group theory. Chapman & Hall/CRC Press, Boca Raton, 2005.
[4] Ivana Ilić and Spyros S. Magliveras. Weak discrete logarithms in non-abelian groups. To appear in the Journal of Combinatorial Math. and Comb. Computing (JCMCC), 2009.
[5] Lee C. Klingler, Spyros S. Magliveras, Fred Richman, Michal Sramka. Discrete logarithms for finite groups. Computing 85 (2009), pp. 3-19.
[6] P. Nguyen. New Trends in Cryptology. European project STORK - "Strategic Roadmap for Crypto" (IST-2002-38273).
[7] Alfred Menezes, Paul C. van Oorschot, Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
[8] Jill P. Mesirov and Melvin M. Sweet. Continued Fraction Expansions of Rational Expressions with Irreducible Denominators in Characteristic 2. Journal of Number Theory 27, pp. 144-148, 1987.
[9] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. on Computing, 26(5), pp. 1484-1509, 1997.
[10] Michal Sramka. New Results in Group Theoretic Cryptology. Ph.D. Thesis, Florida Atlantic University, Boca Raton, FL, 2006.
[11] Douglas R. Stinson. Cryptography: Theory and Practice, 2nd ed. CRC Press, New York, NY, 2002.
[12] Michio Suzuki. Group Theory I. Springer-Verlag, New York, 1982.
[13] Jean-Pierre Tillich and Gilles Zémor. Hashing with SL2. LNCS 839, Advances in Cryptology - CRYPTO '94, pp. 40-49, 1994.

Information Security, Coding Theory and Related Combinatorics
D. Crnković and V. Tonchev (Eds.)
IOS Press, 2011
© 2011 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-663-8-17

Generating Rooted Trees of m Nodes Uniformly at Random

Kenneth Matheis and Spyros S. Magliveras
CCIS, Department of Mathematical Sciences, Florida Atlantic University, 777 Glades Road, Boca Raton, FL 33431
kmatheis@fau.edu, spyros@fau.edu

Abstract. A rooted tree is an ordinary tree with an equivalence condition: two trees are the same if and only if one can be transformed into the other by reordering subtrees. In this paper, we construct a bijection and use it to generate rooted trees (or forests) of any specified node count $m$ uniformly at random. As an application, in [6] Raddum and Semaev propose a technique to solve systems of polynomial equations over $\mathbb{F}_2$ as occurring in algebraic attacks on block ciphers. This approach is known as MRHS. In [3] Geiselmann, Matheis, and Steinwandt propose an ASIC hardware design to implement MRHS, and they show that the use of ASICs seems to enable significant performance gains over a software implementation of MRHS. What hasn't been asserted is the total time complexity of their platform, though the runtimes of individual components are provided. If one supposes that deletions in MRHS occur as rooted trees generated uniformly at random, then one application of the proposed algorithm would be to contribute to such a time complexity; experiments are performed to provide statistical averages of key quantities.

Keywords. rooted tree, rooted forest, uniform random generation, genetic programming, MRHS, PET SNAKE

Introduction

We view a rooted tree as an equivalence class of ordinary trees, where two trees are equivalent if one can be transformed into the other by re-ordering subtrees [7]. Similarly, we view a rooted forest as an equivalence class of forests, where two rooted forests are equivalent if one can be transformed into the other by re-ordering the rooted trees. Alternately, we may consider a rooted forest as nothing more than the subtrees of a rooted tree (of one node more) whose root is hidden. The idea of a rooted tree has been around since 1875 [2], when the counts for small node counts were computed. Since then there have been a few proposals constructing bijections between all rooted trees and $\mathbb{N}$. For each $m \in \mathbb{N}$, we define $T_m$ to be the set of rooted trees of $m$ nodes, and $F_m$ to be the set of rooted forests of $m$ nodes. Our contribution is an implicit construction of a bijection between $F_m$ and $\mathbb{Z}_{|F_m|}$. Such a bijection can then be used to generate a rooted forest of $m$ nodes uniformly at random. As an immediate application to cryptography, we note that some statistics generated from these trees can be used to help calculate a time estimate for PET SNAKE.

K. Matheis and S.S. Magliveras / Generating Rooted Trees of m Nodes Uniformly at Random

In [6] Raddum and Semaev proposed a technique known as MRHS (Multiple Right Hand Sides) to handle polynomial systems of equations over $\mathbb{F}_2$. This algorithm is particularly well-suited for describing systems of equations for an algebraic key recovery attack against common block ciphers such as AES or DES, but a complete time estimate of it was not forthcoming. Later, the hardware platform PET SNAKE [3] was designed to implement MRHS attacks in hardware, but PET SNAKE's time estimate is also hard to calculate. The statistics mentioned can help contribute to such a time estimate.

Related Work

It has been established that we can map rooted trees to natural numbers [5] and that there is a rooted tree for every natural number [4]. If one relaxes the equivalence condition and merely examines arbitrary trees, then a uniform random generation algorithm is known [1], modeling the trees with a context-free grammar for use in a genetic algorithm. However, it is not clear that it is possible to create rooted trees using a context-free grammar, so we do not use this algorithm. We instead develop a different algorithm which, as it happens, shares some features with the one in [1]. Further, much information about rooted trees is available in [8, sequence A000081], and some of those facts will be used in this paper.

Structure of the Paper

We first discuss the construction of the bijection between $F_m$ and $\mathbb{Z}_{|F_m|}$. Once this is established, we review the relevant details about MRHS and show how $F_m$ is related to the processing of PET SNAKE (notably the deletion count therein). Finally, we generate some statistics based on $F_m$ for $m \le 1000$ and relate those to time estimate processing for PET SNAKE.

1. Generating Rooted Forests Uniformly at Random

We begin with some notation: we define the natural numbers $\mathbb{N}$ to be $\{1, 2, 3, \ldots\}$, the whole numbers $\mathbb{W}$ to be $\mathbb{N} \cup \{0\}$, and for each $n \in \mathbb{N}$, we define $seg_n$ to be $\{1, 2, \ldots, n\}$. In order to generate a rooted forest of $m$ nodes uniformly at random, we first construct some data tables dynamically (so that no unneeded space is allocated), and then we perform many lookups on those tables. We view a rooted forest of $m$ nodes as being constructed by a collection of $r$ rooted trees $a_1, a_2, \ldots, a_r$, for some $r \in seg_m$, with respective nonincreasing node counts $c_1, c_2, \ldots, c_r$ such that $\sum c_i = m$. We then construct sequences of counts $b_i$ such that $b_{11}, b_{12}, \ldots, b_{1 s_1}$ are the $s_1$ counts starting with $c_1$ that are equal to $c_1$, and $b_{21}, b_{22}, \ldots, b_{2 s_2}$ are the $s_2$ counts starting with $c_{1+s_1}$ that are equal to $c_{1+s_1}$, and so on, and we suppose there are $d$ such sequences. This breaks up the counts into subsequences of equal-valued terms. For example, if the counts $c$ were $9, 8, 8, 8, 7, 7, 6, 4, 3, 3, 3, 3, 2, 1, 1, 1$, then $b_1$ has one term (namely 9), $b_2$ has three terms (all of which are 8), $b_3$ has two terms (both of which are 7), $b_4$ has one term (namely 6), and so on, ending with $b_8$ having three terms (all of which are 1) and $d = 8$.


Since we envision the trees $T_k$ (for any $k \in \mathbb{N}$) as being ordered, for each $i \in seg_d$ we must count the number of ordered arrangements of $s_i$ trees in $T_{b_{i1}}$. Call this number $B_i$. We then calculate the number of rooted forests with this count sequence as $\prod B_i$. In order to correlate a number in $\mathbb{Z}_{|F_m|}$ to a forest in $F_m$, we must have a way to obtain the number of forests of subtrees with any nonincreasing count sequence. As one might imagine, this is done recursively using the building blocks described below.

1.1. Setup

The setup phase of the algorithm consists of building three tables. First, for each $i \in seg_m$, $|T_i|$ is calculated using the recurrence formula
$$|T_i| = \frac{1}{i-1} \sum_{k=1}^{i-1} \Big( \sum_{d \mid k} d\,|T_d| \Big) |T_{i-k}|,$$
with $|T_1| = 1$ [8]. This takes $O(i^2)$ time for each $i$, totalling a time of $O(m^3)$.

Then an $m \times m$ table $R$ called the runtable is created. Its purpose is to store forest counts in the following way: for any two $i, j \in seg_m$, $R_{ij}$ is the number of sequences $u : seg_j \to T_i$ such that $u_1 \le u_2 \le \cdots \le u_j$; in other words, it is the number of nondecreasing $j$-length sequences of $i$-node rooted trees. (Note that we have not mentioned how to order the trees $T_i$, but certainly an order exists. Indeed, a side effect of this process is to construct the bijections $f_m : \mathbb{Z}_{|F_m|} \to F_m$, which in turn construct the bijections $t_m : \mathbb{Z}_{|T_m|} \to T_m$, so for two trees $p$ and $q$, $p \le q$ if and only if the index that constructs $p$ is less than or equal to the index that constructs $q$. Since $R$ simply concerns itself with the number of sequences $u$, and not the individual sequences themselves, we run into no difficulty constructing $R$.) To calculate these values, we take advantage of the following theorem:

Theorem 1
$$(\forall n \in \mathbb{N})(\forall k \in \mathbb{W}) \quad \sum_{i=1}^{n} \binom{i + k}{k + 1} = \binom{n + k + 1}{k + 2}.$$

To prove this, simply use induction on $n$. Five lines are all that are necessary. We now make an observation about sequences of finite length. (To be clear, we make no claim about the originality of Theorems 1 and 2, but absent appropriate references, proofs are provided to justify their correctness.)

Theorem 2 For each $i, j \in \mathbb{N}$, let $S_{ij}$ be the number of nondecreasing sequences $u : seg_j \to seg_i$. Then
$$(\forall j \in \mathbb{N})(\forall i \in \mathbb{N}) \quad S_{ij} = \binom{i + j - 1}{j}.$$


To prove this, we proceed by induction on $j$.

$(1)$: Let $i \in \mathbb{N}$. Then $S_{i1}$ is the number of nondecreasing sequences $u : seg_1 \to seg_i$. But there are only $i$ such things, one for each choice of $u_1$. Hence $S_{i1} = i = \binom{i}{1} = \binom{i + 1 - 1}{1}$. Thus $(1)$ holds.

Let $k \in \mathbb{N}$ and assume $(k)$: $(\forall i \in \mathbb{N})\ S_{ik} = \binom{i + k - 1}{k}$.

$(k+1)$: Let $i \in \mathbb{N}$. Consider $S_{i(k+1)}$. These are all the nondecreasing sequences $u : seg_{k+1} \to seg_i$. Now let us consider the possibilities for $u_1$. If $u_1 = 1$, then the remaining terms comprise a $k$-length nondecreasing sequence to $seg_i$. But the number of such sequences is just $S_{ik}$. Now, if $u_1 = 2$, the remaining terms comprise a $k$-length sequence to $seg_i \setminus \{1\}$. But the number of such sequences is the same as the number of $k$-length sequences to $seg_{i-1}$ (just subtract 1 from each term), which is $S_{(i-1)k}$. Similarly, for each $v \in seg_i$, if $u_1 = v$, then the remaining terms comprise a $k$-length sequence to $seg_i \setminus seg_{v-1}$, whose count is the same as the count of $k$-length sequences to $seg_{i-(v-1)}$ (by subtracting $v - 1$ from each term), which is $S_{(i-v+1)k}$. Hence,
$$S_{i(k+1)} = \sum_{v=1}^{i} S_{(i-v+1)k} = \sum_{v=1}^{i} S_{vk} = \sum_{v=1}^{i} \binom{v + k - 1}{k} = \binom{i + k}{k + 1} = \binom{i + (k+1) - 1}{k + 1},$$
where the fourth equality is Theorem 1 with $k - 1$ in place of $k$. Thus $(k+1)$ holds. The rest follows by the Principle of Mathematical Induction and routine steps. $\square$

Since, for each $j \in seg_m$, $R_{ij}$ is the number of nondecreasing sequences from $seg_j$ to $T_i$, this is the same as the number of nondecreasing sequences from $seg_j$ to $seg_{|T_i|}$, which is $\binom{|T_i| + j - 1}{j}$ by Theorem 2. Hence, we build the $R$ table by populating it with this binomial coefficient for each $i \in seg_m$ and $j \in seg_m$ such that $j \le \lfloor m/i \rfloor$; $j$ is restricted in this way since, for any choice of tree size $i$ in an $m$-node forest, you can only have at most $\lfloor m/i \rfloor$ such trees. As a side effect, we see that $|T_i|$ is stored in $R_{i1}$ by this process.

As a point of interest, note that we had to use this binomial simplification when populating the $R$ table. Otherwise, since $|T_i|$ is asymptotically $0.4399 \cdot 2.9558^i \cdot i^{-3/2}$ [8, sequence A000081], asking the computer to perform the sum listed in the proof of Theorem 2 would become infeasible very quickly.

We construct two more tables, the two-dimensional partable denoted $P$, and the three-dimensional lentable denoted $L$. For each $i, j \in seg_m$, $P_{ij}$ is the number of rooted forests of $i$ nodes whose first tree has $j$ nodes. It could be that the first few trees have $j$ nodes, so we keep track of this using the lentable: $L_{ijk}$ is the number of rooted forests of $i$ nodes whose first $k$ trees (and no more) have $j$ nodes. To calculate $L_{ijk}$, we use
$$L_{ijk} = \begin{cases} R_{jk}, & \text{if } i - jk = 0; \\[2pt] R_{jk} \displaystyle\sum_{q=1}^{j-1} P_{(i-jk)q}, & \text{otherwise.} \end{cases}$$
Then,
$$P_{ij} = \sum_{k=1}^{\lfloor i/j \rfloor} L_{ijk}.$$
Finally, we recognize that $|F_m| = |T_{m+1}|$ gives us no intuitive breakdown of all the counts, but
$$|F_m| = \sum_{j=1}^{m} P_{mj}$$
does. Note that, though we concern ourselves with how a given number of nodes $m$ breaks down into each partition of $m$, this setup prevents us from having to loop through each partition of $m$, which also would become infeasible very quickly. We remark that the storage for $R$ is $O(m^2)$ but is significantly less than $m^2$ since, for each $i \in seg_m$, we only populate $R_{ij}$ when $j \le \lfloor m/i \rfloor$. Further, for similar reasons the storage for $L$ is $O(m^3)$, but is significantly less than $m^3$.

1.2. Teardown

In order to generate a forest in $F_m$ uniformly at random, we first generate a number $r \in \mathbb{Z}_{|F_m|}$ (called an index) uniformly at random. Then, we go through the process of whittling down $r$ by successively discovering which count sequence to use for that forest, and which indices to use for each tree of that forest. (Such data collectively is called a decomposition of the index $r$.) After the decomposition is constructed, we recur on each tree size of the decomposition, noting that if the $i$th tree has $c_i$ nodes, it can be viewed as a forest (of its subtrees) of $c_i - 1$ nodes, the root itself being one node. The recursion terminates when we are faced with generating a forest of one node with index zero, at which point we return a leaf.

1.2.1. Composing Decompositions

For any forest of $n$ nodes whose first tree can have as many as $h$ nodes (called the head size), composing a decomposition is itself a recursive process which relies on three algorithms which we call PTCOORDS, LENREM, and RUNCOORDS. The process produces two vectors, sizes and idxs. PTCOORDS identifies which column of $P_n$ that $r$ is in (say it's the $j$th), reduces the index, and provides a new head. LENREM identifies which tower of $L_{nj}$ the reduced index is in (say it's the $k$th) and produces a re-reduced index, a remainder index, and a remaining node count for subsequent trees. RUNCOORDS converts the re-reduced


index into a sequence of indices for each of the $k$ trees. We then recur on the remaining node count, the new head minus 1, and the remainder index, and we append a sequence of $k$ entries of $j$ to the front of the result's sizes, and also the sequence of indices to the front of the result's idxs. This process is started with a call to DECOMP($m$, $m$, $r$).

Algorithm 1 DECOMP
Require: a node count $n$, a head $h$, an index $r \in \mathbb{Z}_{|F_n|}$.
    set sizes and idxs to be empty lists
    if n ≤ 0 or h < 1 then
        return (sizes, idxs)
    else if h > n then
        h ← n
    end if
    (r', h') ← PTCOORDS(n, h, r)
    (k, n', r'', x) ← LENREM(n, h', r')
    frontidxs ← RUNCOORDS(h', r'', k)
    set frontsizes to be a list of k copies of h'
    (backsizes, backidxs) ← DECOMP(n', h' − 1, x)
    return (append(frontsizes, backsizes), append(frontidxs, backidxs))

Algorithm 3 LENREM
Require: a node count $n$, a new head $h'$, a reduced index $r'$.
    k ← ⌊n / h'⌋
    while L_{n h' k} ≤ r' do
        r' ← r' − L_{n h' k}
        k ← k − 1
    end while
    n' ← n − k·h'
    c ← L_{n h' k} / R_{h' k}
    r'' ← ⌊r' / c⌋
    x ← r' mod c
    return (k, n', r'', x)

LENREM sends two of its outputs to RUNCOORDS, which uses a binary search to determine what the indices should be for each of the $k$ trees of node size $h'$, based on the re-reduced index $r''$. This approach is needed since $r''$ is an index into one of the $\binom{|T_{h'}| + k - 1}{k}$ nondecreasing sequences from $seg_k$ to $seg_{|T_{h'}|}$, but this quantity is a sum (as per Theorem 1), so we have to figure out where $r''$ is in that sum without examining $|T_{h'}|$ individual binomial coefficients, as $|T_{h'}|$ can get very large. (Indeed, this is the part that is significantly different from the uniform random generation algorithm in [1].)

Algorithm 4 RUNCOORDS
Require: a tree size $h'$, a re-reduced index $r''$ and a count $k$, as in the call RUNCOORDS($h'$, $r''$, $k$) of Algorithm 1.
    set idxs to be an empty list
    top ← R_{h' 1}, prev ← 0
    for t ∈ {k, k − 1, ..., 2} do
        i ← top + 1, j ← 1, mid ← ⌊(i + j) / 2⌋
        total ← C(top + t − 1, t), pen ← total − 1 − r''
        found ← false
        while not found do
            c1 ← C(mid + t − 1, t) > pen, c2 ← C(mid + t − 2, t) ≤ pen
            found ← (c1 and c2)
            if not found then
                if c1 then i ← mid else j ← mid end if
                mid ← ⌊(i + j) / 2⌋
            end if
        end while
        prev ← top − mid + prev
        insert prev onto the back of the list idxs
        top ← mid, r'' ← r'' − (total − C(mid + t − 1, t))
    end for
    insert r'' + prev onto the back of the list idxs
    return idxs

We remark in passing that, after the Setup phase, building a rooted forest of $m$ nodes corresponding to an index $r$ takes slightly more than $O(m)$ time but definitely within $O(m^2)$ time.

2. Application to MRHS and PET SNAKE

Now that we have a reliable method to generate rooted forests uniformly at random, one application would be to compute relevant statistics from them to help predict PET SNAKE's run time. We recall the relevant facts about MRHS and PET SNAKE. MRHS operates on a collection of pairs of matrices called symbols, and one phase of its processing is called the Agreement Phase, where each symbol must be agreed with each other symbol. Sometimes the act of agreeing a pair of symbols induces a deletion in one (or both) symbols; other times, nothing changes. If a deletion occurs, then the process starts over: each symbol must be re-agreed with each other symbol. This continues until no (more) deletions are detected, at which point the symbols are said to be pairwise agreed. Hence, for a body of $n$ symbols, at least $\binom{n}{2}$ agreements must be performed. In software, each agreement must be performed one at a time. PET SNAKE is a hardware design employing many processors, and it uses them to perform half of the $\binom{n}{2}$ agreements simultaneously. If no deletion is detected, it then performs half of the remaining agreements simultaneously. And so on.

Since some deletions cannot occur until other deletions occur first, we choose to model the deletions as a collection of rooted trees. In each tree, each node symbolizes a deletion after two symbols are agreed, and each child of a node symbolizes a deletion that can now occur as a result of the parent node's deletion taking place. In the beginning of an agreement phase, it is certainly possible that many deletions do not depend on each other, so these deletions are the roots of the trees in this collection. We observe that the order of subtrees of a given node is irrelevant; it does not matter which subtree is the first subtree, which is the second, and so on; hence the choice of a rooted forest is appropriate.

We notice that at any stage, PET SNAKE will perform half of the agreements necessary simultaneously, so at any point, about half of the deletions that can be performed will be performed on average. Now, if a deletion gets performed, then that deletion's children will then be available to be deleted. Examining the consequences for the model, we see that only the roots of the trees in the forest are available for deletion, so when such a deletion is performed, the corresponding root must be eliminated. This, however, means that that root's children are now roots in the forest. This operation of deleting a root and promoting its children we call a lift. Hence, about half of the roots are lifted in a given stage. (Such an action we will refer to as a parallel lift.) The agreement phase is not complete until all the nodes in the forest are eliminated.

To get a handle on time estimates, it is pertinent to ask how many roots exist at a given time, and how many times we expect to perform parallel lifts until the forest is eliminated. Since we do not have theoretical answers to these questions, we assume that the $m$ deletions in an agreement phase occur as a forest of $m$ nodes chosen uniformly at random. With this assumption, we design an experiment as follows: for various $m \le 1000$, we perform the Experimental Procedure (see Figure 1) several times (say, $s$ times). Throughout each procedure run, we count the number of roots that the forest has (once before each parallel lift) so as to calculate the average when the forest is eliminated, and we also count the number of times we have to parallel lift. Once the number of parallel lifts and the average number of roots are calculated, we do it again for the same forest. This is repeated $s$ times. Once these $s$ procedures are complete, we choose another rooted forest of $m$ nodes uniformly at random and perform the procedure again. We construct $t$ such forests (each giving rise to $s$ procedures), and a global average of the number of parallel lifts required and of the number of roots appearing at any point are calculated. This procedure was performed for $s = t = 1000$ and $m \in \{50, 100, 150, \ldots, 1000\}$, and the results are summarized in Table 1.

K. Matheis and S.S. Magliveras / Generating Rooted Trees of m Nodes Uniformly at Random


Construct a rooted forest of m nodes uniformly at random. While it is nonempty, take note of the number of roots of the forest, uniformly at random choose half of the roots, and lift them from the forest. Calculate the average number of roots the forest had.

Figure 1. Experimental Procedure

Table 1. Experimental Procedure Results (s = t = 1000)

   m   Avg parallel lifts   Avg roots       m   Avg parallel lifts   Avg roots
  50        25.4741          3.9869       550       100.283         11.4762
 100        38.7107          5.3268       600       105.187         11.9226
 150        49.2455          6.330        650       109.466         12.4351
 200        56.9224          7.3193       700       112.619         13.01
 250        65.1864          7.9930       750       119.717         13.1435
 300        71.7676          8.7246       800       123.128         13.6412
 350        78.5635          9.3096       850       125.295         14.2402
 400        83.6236         10.0201       900       129.423         14.5746
 450        89.7707         10.4778       950       133.577         14.9439
 500        94.8623         11.0328      1000       135.625         15.4812

If we multiply the average roots by the average parallel lifts and plot this result for all twenty pairs, we discover that the plot forms a near-straight line of slope approximately 40/19. This isn't too surprising, since in each parallel lift we eliminate about half the roots, and the roots multiplied by the parallel lifts (if we eliminated every root per lift) should give us the total number of nodes in the forest. Further, if we multiply the number of roots by itself and plot this, we get a near-straight line of slope approximately 9/38. From these two observations, we propose the following:

Proposition 1 A rooted forest of m nodes chosen uniformly at random will have, on average, $\sqrt{9m/38} \approx 0.4866\sqrt{m}$ roots as its corresponding set of deletions gets deleted through an agreement phase. Further, the number of parallel lifts required to eliminate such a forest is on average approximately $(40/19)\,m / (0.4866\sqrt{m}) \approx 4.3264\sqrt{m}$.

These estimates can be used in conjunction with estimates of how many deletions to expect per agreement phase to help predict the runtime of PET SNAKE. As a point of interest, if we choose not to lift half of the roots, but instead all of them, we can use a similar procedure to determine the average depth and the average number of nodes per depth for these trees.
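As an added illustration (not code from the paper), the following Python script runs the Experimental Procedure of Figure 1 on a rooted forest and reports the number of parallel lifts and the average number of roots next to the estimates of Proposition 1. The paper's uniform generator of rooted forests is not reproduced here: the function random_forest is a constructed stand-in (each node attaches to a uniformly chosen earlier node or becomes a root), so its averages will not reproduce Table 1; only the procedure itself, and the deterministic forests it can be fed, are exact.

```python
"""Simulate the Experimental Procedure of Figure 1 (parallel lifts of a rooted forest).

A rooted forest is stored as a dict mapping each node to its parent (None for
a root).  random_forest below is NOT the uniform distribution on rooted
forests used in the paper; it is a simple stand-in so that the procedure can
be run offline.
"""
import random
from math import sqrt


def roots_of(parent):
    """Nodes without a parent are the roots of the forest."""
    return [v for v, p in parent.items() if p is None]


def parallel_lift(parent, chosen):
    """Delete the chosen roots; each of their children becomes a new root."""
    chosen = set(chosen)
    for v, p in parent.items():
        if p in chosen:
            parent[v] = None
    for r in chosen:
        del parent[r]


def run_procedure(parent, seed=0):
    """One run of Figure 1: lift ceil(#roots/2) roots chosen uniformly at random,
    until the forest is empty.  Returns (number of parallel lifts, average
    number of roots observed before each lift)."""
    rng = random.Random(seed)
    parent = dict(parent)            # work on a copy so the forest can be reused
    root_counts = []
    while parent:
        roots = roots_of(parent)
        root_counts.append(len(roots))
        parallel_lift(parent, rng.sample(roots, (len(roots) + 1) // 2))
    return len(root_counts), sum(root_counts) / len(root_counts)


def random_forest(m, rng):
    """Stand-in random forest on nodes 0..m-1 (constructed, not uniform over
    rooted forests): node i becomes a root with probability 1/(i+1), otherwise
    it attaches to an earlier node chosen uniformly."""
    parent = {}
    for i in range(m):
        parent[i] = None if rng.random() < 1.0 / (i + 1) else rng.randrange(i)
    return parent


def experiment(m, s, t, seed=0):
    """t forests with s runs each; global averages of lifts and roots, as for Table 1."""
    rng = random.Random(seed)
    lifts, roots = [], []
    for forest_no in range(t):
        forest = random_forest(m, rng)
        for run_no in range(s):
            l, r = run_procedure(forest, seed=rng.randrange(1 << 30))
            lifts.append(l)
            roots.append(r)
    return sum(lifts) / len(lifts), sum(roots) / len(roots)


def proposition_estimates(m):
    """Proposition 1: about 4.3264*sqrt(m) lifts and 0.4866*sqrt(m) roots."""
    return 4.3264 * sqrt(m), 0.4866 * sqrt(m)


if __name__ == "__main__":
    for m in (50, 100, 200):
        print(m, experiment(m, 20, 20), proposition_estimates(m))
```

A chain of m nodes has exactly one root at every stage, so it needs m lifts, while m isolated roots need about log2(m) lifts; the uniform random forests of the paper sit between these extremes, which is what the √m behaviour of Proposition 1 expresses.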



3. Conclusion

We have provided a way to implicitly construct bijections between $T_m$ and $\mathbb{Z}_{|T_m|}$, and between $F_m$ and $\mathbb{Z}_{|F_m|}$, with reasonable time and space consumption, for any $m \in \mathbb{N}$, and we hope that this proves useful in many environments. One such environment is in the realm of cryptography, where we aid in the construction of a time estimate for a hardware platform implementing an algebraic attack on block ciphers. Another might be in genetic programming to create initial trees corresponding to non-context-free grammars.


Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-27


Spyros S. Magliveras (a), Tran van Trung (b) and Wandi Wei (a)
(a) CCIS, Department of Math. Sciences, Florida Atlantic University, Boca Raton, FL 33431, USA; e-mail: spyros@fau.edu, wei@brain.math.fau.edu
(b) Institute for Experimental Mathematics, University of Duisburg-Essen, Essen, Germany; e-mail: trung@iem.uni-due.de

Abstract. Let $\Sigma = \{0, 1\}$ be the binary alphabet, and $A = \{0, 01, 11\}$ be the set of three strings 0, 01, 11 over $\Sigma$. Let $A^*$ denote the Kleene closure of $A$, $\mathbb{Z}_{\ge 0}$ the set of nonnegative integers, and $\mathbb{Z}^+$ the set of positive integers. A sequence in $A^*$ is called a Jacobsthal binary sequence. Let $J(n)$ denote the set of Jacobsthal binary sequences of length $n$. For $k \in \mathbb{Z}^+$, $\{s_1, s_2, \dots, s_k\} \subseteq \mathbb{Z}_{\ge 0}$, and $n - 1 \ge s_1 > s_2 > \dots > s_k \ge 0$, let $J_1(n; s_1, s_2, \dots, s_k)$ denote the subset
$$J_1(n; s_1, s_2, \dots, s_k) = \{a_{n-1}a_{n-2}\dots a_1a_0 \in J(n) : a_{s_i} = 1\ (1 \le i \le k)\}$$
of $J(n)$, and let $N_1(n; s_1, s_2, \dots, s_k) = |J_1(n; s_1, s_2, \dots, s_k)|$. When $k = 1$, a formula for $N_1(n; s)$ has been derived recently. In this paper we consider the general case of $N_1(n; s_1, s_2, \dots, s_k)$, and study some other special types of Jacobsthal binary sequences. Some identities involving these numbers are also given.
Keywords. Jacobsthal numbers, combinatorial identities, combinatorial enumeration

Introduction

Let $\Sigma = \{0, 1\}$ be the binary alphabet, and $A = \{0, 01, 11\}$ the set of three strings 0, 01, 11 over $\Sigma$. Let $A^*$ denote the Kleene closure of $A$, $\mathbb{Z}_{\ge 0}$ the set of nonnegative integers, and $\mathbb{Z}^+$ the set of positive integers. A sequence in $A^*$ is called a Jacobsthal binary sequence. Let $J(n)$ denote the set of Jacobsthal binary sequences of length $n$ and let $|J(n)|$ denote the cardinality of $J(n)$. The Jacobsthal numbers are defined by the recursion
$$J_n = J_{n-1} + 2J_{n-2}, \qquad n \ge 2, \tag{1}$$
together with the initial values
$$J_0 = J_1 = 1. \tag{2}$$

Note that some other authors use the initial values J0 = 0, J1 = 1 instead. Using the initial values in (2), a known result can be stated more conveniently as


$$|J(n)| = J_n. \tag{3}$$
$J_n$ is also called the $n$th Jacobsthal number. For convenience, we also define
$$J_m = 0, \qquad m \in \mathbb{Z},\ m < 0. \tag{4}$$

Based on (4), we state an obvious fact and a known result as a lemma for easy reference.

Lemma 1 The recursion (1) can be extended as
$$J_t = J_{t-1} + 2J_{t-2}, \qquad t \in \mathbb{Z},\ t \ne 0.$$
The value of $J_n$ ($n \in \mathbb{Z}_{\ge 0}$) can be computed by
$$J_n = \tfrac{1}{3}\left(2^{n+1} + (-1)^n\right), \qquad n \in \mathbb{Z}_{\ge 0}. \tag{5}$$

The Jacobsthal numbers have applications in such areas as tiling, graph matching, alternating sign matrices, etc. ([1,2,4,5]). Let $k \in \mathbb{Z}^+$, $\{s_1, s_2, \dots, s_{k-1}, s_k\} \subseteq \mathbb{Z}_{\ge 0}$;
$$n - 1 \ge s_1 > s_2 > \dots > s_k \ge 0. \tag{6}$$
Let $J_1(n; s_1, s_2, \dots, s_k)$ denote the following subset of $J(n)$:
$$J_1(n; s_1, s_2, \dots, s_k) = \{a_{n-1}a_{n-2}\dots a_1a_0 \in J(n) : a_{s_i} = 1\ (1 \le i \le k)\},$$
i.e., the subset of Jacobsthal binary sequences that have the digit 1 at each of the $s_i$th ($1 \le i \le k$) positions from the right. Let $N_1(n; s_1, s_2, \dots, s_k) = |J_1(n; s_1, s_2, \dots, s_k)|$. R. Grimaldi [4] considers the case where $k = 1$, establishing a recursion for $N_1(n; s_1)$ and then deriving the following formula:
$$N_1(n; s) = \tfrac{1}{3}\left(2^n + (-1)^n + (-1)^{n-s}\,2^s\right) \tag{7}$$
$$\phantom{N_1(n; s)} = J_n - \tfrac{2^s}{3}\left(2^{n-s} + (-1)^{n-s-1}\right). \tag{8}$$

For the general case, finding a formula for $N_1(n; s_1, s_2, \dots, s_k)$ by using a recursion seems extremely difficult. In this article we employ a different approach to dealing with this problem, namely, considering the following dual problem of $N_1(n; s_1, s_2, \dots, s_k)$. Let $r \in \mathbb{Z}^+$, $\{t_1, t_2, \dots, t_{r-1}, t_r\} \subseteq \mathbb{Z}_{\ge 0}$,
$$n - 1 \ge t_1 > t_2 > \dots > t_r \ge 0. \tag{9}$$
Let $J_0(n; t_1, t_2, \dots, t_r)$ denote the following subset of $J(n)$:
$$J_0(n; t_1, t_2, \dots, t_r) = \{a_{n-1}a_{n-2}\dots a_1a_0 \in J(n) : a_{t_i} = 0\ (1 \le i \le r)\},$$
i.e., the subset of Jacobsthal binary sequences that have the digit 0 at each of the $t_i$th ($1 \le i \le r$) positions from the right. Let $N_0(n; t_1, t_2, \dots, t_r) = |J_0(n; t_1, t_2, \dots, t_r)|$. In the next section we present characterizations of the sets $J(n)$ and $J_0(n; t_1, t_2, \dots, t_r)$. Based on them, some combinatorial identities involving $J_n$, $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$ are derived in Section 3. From these identities, formulas for $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$ are obtained in the last section.

For easy reference we state a trivial fact, that is

Lemma 2 For any $i, j \in \mathbb{Z}^+$, $J(i)\,\|\,J(j) \subseteq J(i + j)$, where $J(i)\,\|\,J(j) = \{a\|b : a \in J(i),\ b \in J(j)\}$ and $\|$ stands for the concatenation operation on strings.

We now characterize the set $J(n)$. We need

Lemma 3 Let $l \in \mathbb{Z}^+$. The string consisting of the 0-digit followed by $l - 1$ 1-digits is a Jacobsthal binary string of length $l$.

Proof. If $l = 2m + 1$ for some $m \in \mathbb{Z}_{\ge 0}$, the $l - 1 = 2m$ 1-digits in the string can be regarded as $m$ copies of the string 11. Since both strings $11, 0 \in A$, we know the string is in $A^*$. If $l = 2m$ for some $m \in \mathbb{Z}_{\ge 0}$, the last $l - 2 = 2m - 2$ 1-digits in the string can be regarded as $m - 1$ copies of the string 11. Since both strings $11, 01 \in A$, we know the string is in $A^*$. □

Theorem 1 For any $n \in \mathbb{Z}^+$, a binary sequence of length $n$ is in $J(n)$ if and only if it is an all-1 sequence of even length or its first 0-digit from the left is preceded by an all-1 subsequence of even length.

Proof. Since the string $1 \notin A$ but the string $11 \in A$, the all-1 sequence of length $n$ is in $J(n)$ if and only if $n$ is even. Therefore, in what follows we only need to consider the case in which the sequence $a_{n-1}a_{n-2}\dots a_1a_0$ has at least one 0-digit. Let $a_{n-i}$ be the first 0-digit from the left. Then $a_{n-1} = a_{n-2} = \dots = a_{n-(i-1)} = 1$. Since the two strings $1, 10 \notin A$, in order for $a_{n-1}a_{n-2}\dots a_1a_0$ to be in $J(n)$, the subsequence $a_{n-1}a_{n-2}\dots a_{n-(i-1)}$ has to be formed by copies of the element $11 \in A$. This is impossible when $i - 1$ is odd. We now prove that when $i - 1$ is even, the sequence $a_{n-1}a_{n-2}\dots a_1a_0$ is in $J(n)$, by induction on the number, say $u$, of 0-digits in the sequence. For the case where $u = 1$, let $a_i = 0$. By Lemma 3, the subsequence $a_ia_{i-1}\dots a_1a_0 \in J(i + 1)$. Recalling that $a_{n-1}a_{n-2}\dots a_{i+1} \in J(n - i - 1)$, we know $a_{n-1}a_{n-2}\dots a_1a_0 \in J(n)$ by Lemma 2. This establishes the induction basis. For the inductive step, suppose that $u > 1$ and the conclusion is true for any sequence having exactly $u - 1$ 0-digits. Let $a_l$ be the first 0-digit from the right in a sequence having $u$ 0-digits. By Lemma 3, we know $a_la_{l-1}\dots a_0 = 011\dots 1 \in J(l + 1)$. By the induction hypothesis, $a_{n-1}a_{n-2}\dots a_{l+1} \in J(n - l - 1)$. Therefore, $a_{n-1}a_{n-2}\dots a_1a_0 \in J(n)$ by Lemma 2. This completes the induction. □

From this theorem, one can obtain the known formula (5) for $|J(n)|$.

Corollary 1
$$|J(n)| = \frac{2^{n+1} + (-1)^n}{3}.$$

Proof. Let $J(n, i)$ denote the set of those Jacobsthal binary sequences that have their first 0-digit at the $(2i + 1)$st position from the left, and let $\Lambda_n$ be the set consisting of the all-1 sequence of length $n$ when $2 \mid n$, and $\Lambda_n = \emptyset$ when $2 \nmid n$. Then
$$J(n) = \Big(\bigcup_{0 \le i \le (n-1)/2} J(n, i)\Big) \cup \Lambda_n .$$
By Theorem 1, a sequence in $J(n, i)$ consists of $2i$ 1-digits, a 0-digit, and then $n - (2i + 1)$ arbitrary digits, so $|J(n, i)| = 2^{n - (2i+1)}$. When $n = 2m$,
$$|J(n)| = \sum_{i=0}^{m-1} 2^{2m-(2i+1)} + 1 = \sum_{i=0}^{m-1} \tfrac{1}{2}\,4^{m-i} + 1 = \tfrac{1}{2}\sum_{i=1}^{m} 4^i + 1 = \tfrac{1}{2}\cdot\frac{4(4^m - 1)}{3} + 1 = \frac{2^{2m+1} + 1}{3} = \frac{2^{n+1} + (-1)^n}{3}.$$
When $n = 2m + 1$,
$$|J(n)| = \sum_{i=0}^{m} 2^{2m+1-(2i+1)} = \sum_{i=0}^{m} 2^{2(m-i)} = \sum_{i=0}^{m} 2^{2i} = \sum_{i=0}^{m} 4^i = \frac{4^{m+1} - 1}{3} = \frac{2^{n+1} + (-1)^n}{3}. \qquad □$$

By Theorem 1 we can give a characterization of the set $J_0(n; t_1, t_2, \dots, t_r)$. Recall that the parameters satisfy (9): $r \in \mathbb{Z}^+$, $\{t_1, t_2, \dots, t_{r-1}, t_r\} \subseteq \mathbb{Z}_{\ge 0}$, $n - 1 \ge t_1 > t_2 > \dots > t_r \ge 0$.

Theorem 2 For any $n \in \mathbb{Z}^+$, the binary sequence $a_{n-1}a_{n-2}\dots a_1a_0$ of length $n$ is in $J_0(n; t_1, t_2, \dots, t_r)$ if and only if the subsequence $a_{n-1}a_{n-2}\dots a_{t_1+1}$ is in $J(n - 1 - t_1)$ and $a_{t_i} = 0$ ($1 \le i \le r$).


Proof. Let $a_j$ be the first 0-digit from the left. Then $j \ge t_1$. By Theorem 1, $a_{n-1}a_{n-2}\dots a_1a_0 \in J(n)$ if and only if the all-1 entries before $a_j$ are even in number, i.e., $2 \mid n - 1 - j$, which is the necessary and sufficient condition for $a_{n-1}a_{n-2}\dots a_{t_1+1}$ to be in $J(n - 1 - t_1)$. □

It is somewhat surprising that whether $a_{n-1}a_{n-2}\dots a_1a_0 \in J_0(n; t_1, t_2, \dots, t_r)$ or not is determined only by the subsequence $a_{n-1}a_{n-2}\dots a_{t_1+1}$ and $a_{t_i} = 0$ ($1 \le i \le r$), but is independent of the digits $a_j$ ($0 \le j \le t_1 - 1$, $j \ne t_i$). Based on these theorems, some combinatorial identities involving $J_n$, $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$ can be established, which will be presented in the next section.

2. Some Combinatorial Identities Involving $J_n$, $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$

In this section some combinatorial identities involving $J_n$, $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$ are proved. Applying them to obtain formulas for $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$ will be the task of the next section. We need a simple lemma:

Lemma 4 For any $n \in \mathbb{Z}_{\ge 0}$, $2^n = 3J_{n-1} + (-1)^n$.

Proof. Recalling that $J_{-1} = 0$ (cf. (4)), we know that the statement is true when $n = 0$. When $n \in \mathbb{Z}^+$, the statement is equivalent to (5). □

We can now state the following

Theorem 3
$$N_0(n; t_1, t_2, \dots, t_r) = \left[3J_{t_1-r} + (-1)^{t_1-r+1}\right] J_{n-t_1-1} \tag{10}$$
$$N_0(n; t_1, t_2, \dots, t_r) = J_{n-r} + (-1)^{n-t_1-1} J_{t_1-r} \tag{11}$$

Proof. By Theorem 2, for a sequence $a_{n-1}a_{n-2}\dots a_1a_0$ in $J_0(n; t_1, t_2, \dots, t_r)$, there are $|J(n - t_1 - 1)| = J_{n-t_1-1}$ many choices for the subsequence $a_{n-1}a_{n-2}\dots a_{t_1+1}$. For each of these choices, there are two choices for each of the digits $a_j$ ($0 \le j \le t_1 - 1$, $j \ne t_2, t_3, \dots, t_r$). Noting that $a_{t_j} = 0$ ($1 \le j \le r$), we have
$$N_0(n; t_1, t_2, \dots, t_r) = |J(n - t_1 - 1)| \cdot 2^{t_1+1-r} = J_{n-t_1-1}\, 2^{t_1-r+1}.$$
By Lemma 4, $2^{t_1-r+1} = 3J_{t_1-r} + (-1)^{t_1-r+1}$.


Therefore,
$$N_0(n; t_1, t_2, \dots, t_r) = J_{n-t_1-1}\left[3J_{t_1-r} + (-1)^{t_1-r+1}\right],$$
which is (10). Similarly, we can also write
$$\begin{aligned}
N_0(n; t_1, t_2, \dots, t_r) &= J_{n-t_1-1}\, 2^{t_1-r+1} \\
&= \tfrac{1}{3}\left[2^{n-t_1} + (-1)^{n-t_1-1}\right] 2^{t_1-r+1} \\
&= \tfrac{1}{3}\left[2^{n-r+1} + (-1)^{n-t_1-1}\, 2^{t_1-r+1}\right] \\
&= \tfrac{1}{3}\left\{3J_{n-r} + (-1)^{n-r+1} + (-1)^{n-t_1-1}\left[3J_{t_1-r} + (-1)^{t_1-r+1}\right]\right\} \\
&= J_{n-r} + (-1)^{n-t_1-1} J_{t_1-r},
\end{aligned}$$
which proves (11). □

From this theorem, an identity can be immediately derived.

Corollary 2 We have the identity
$$\left[3J_{t_1-r} + (-1)^{t_1-r+1}\right] J_{n-t_1-1} = J_{n-r} + (-1)^{n-t_1-1} J_{t_1-r}.$$
This identity can also be checked by using (5). Let us look at the cases $r = 1$ and $r = 2$.

Corollary 3 If $n - 1 \ge u \ge 0$, then
$$N_0(n; u) = \left[3J_{u-1} + (-1)^u\right] J_{n-u-1} \tag{12}$$
$$N_0(n; u) = J_{n-1} + (-1)^{n-u-1} J_{u-1} \tag{13}$$

Example 1 From (13) and $J_0 = J_1 = 1$, $J_2 = 3$, we have
$N_0(1; 0) = J_0 + (-1)^0 J_{-1} = 1$, $N_0(2; 0) = J_1 + (-1)^1 J_{-1} = 1$, $N_0(2; 1) = J_1 + (-1)^0 J_0 = 2$, $N_0(3; 0) = J_2 + (-1)^2 J_{-1} = 3$, $N_0(3; 1) = J_2 + (-1)^1 J_0 = 2$, $N_0(3; 2) = J_2 + (-1)^0 J_1 = 4$.
The corresponding subsets of $J(n)$ are
$J_0(1; 0) = \{0\}$, $J_0(2; 0) = \{00\}$, $J_0(2; 1) = \{00, 01\}$, $J_0(3; 0) = \{000, 010, 110\}$, $J_0(3; 1) = \{000, 001\}$, $J_0(3; 2) = \{000, 001, 010, 011\}$.


Corollary 4 If $n - 1 \ge u \ge 0$, then
$$\left[3J_{u-1} + (-1)^u\right] J_{n-u-1} = J_{n-1} + (-1)^{n-u-1} J_{u-1}.$$
For $N_1(n; s_1, s_2, \dots, s_k)$, we have

Theorem 4 Suppose that $s_1, s_2, \dots, s_k$ satisfy (6). Then
$$N_1(n; s_1, s_2, \dots, s_k) = J_n + \sum_{1 \le r \le k} (-1)^r \sum_{1 \le i \le k-r+1} \binom{k-i}{r-1}\left[J_{n-r} + (-1)^{n-s_i-1} J_{s_i-r}\right].$$

Proof. Counting, by inclusion and exclusion, the sequences of $J(n)$ that have the digit 0 at some of the positions $s_1, \dots, s_k$, and using (11) for each term, gives
$$N_1(n; s_1, s_2, \dots, s_k) = J_n + \sum_{1 \le r \le k} (-1)^r \sum_{1 \le i_1 < i_2 < \dots < i_r \le k} N_0(n; s_{i_1}, s_{i_2}, \dots, s_{i_r}),$$
where $N_0(n; s_{i_1}, \dots, s_{i_r}) = J_{n-r} + (-1)^{n-s_{i_1}-1} J_{s_{i_1}-r}$. Since $1 \le i_1 < i_2 < \dots < i_r \le k$, the index $i_1$ must satisfy $1 \le i_1 \le k - r + 1$. After $i_1$ has been chosen from this range, there are $\binom{k-i_1}{r-1}$ ways of choosing $i_2, \dots, i_r$. Since the summands $J_{n-r} + (-1)^{n-s_{i_1}-1} J_{s_{i_1}-r}$ do not depend on the values of $i_2, \dots, i_r$, we have:
$$\sum_{1 \le i_1 < i_2 < \dots < i_r \le k}\left[J_{n-r} + (-1)^{n-s_{i_1}-1} J_{s_{i_1}-r}\right] = \sum_{1 \le i_1 \le k-r+1}\binom{k-i_1}{r-1}\left[J_{n-r} + (-1)^{n-s_{i_1}-1} J_{s_{i_1}-r}\right].$$
Further, using $i$ to substitute for $i_1$ in the summation on the right hand side yields:
$$\sum_{1 \le r \le k}(-1)^r \sum_{1 \le i_1 < i_2 < \dots < i_r \le k}\left[J_{n-r} + (-1)^{n-s_{i_1}-1} J_{s_{i_1}-r}\right] = \sum_{1 \le r \le k}(-1)^r \sum_{1 \le i \le k-r+1}\binom{k-i}{r-1}\left[J_{n-r} + (-1)^{n-s_i-1} J_{s_i-r}\right],$$
which proves Theorem 4. □

Similarly, using (10) instead of (11) yields the following:

Theorem 5 Suppose that $s_1, s_2, \dots, s_k$ satisfy (6). Then
$$N_1(n; s_1, s_2, \dots, s_k) = J_n + \sum_{1 \le r \le k} (-1)^r \sum_{1 \le i \le k-r+1} \binom{k-i}{r-1}\left[3J_{s_i-r} + (-1)^{s_i-r+1}\right] J_{n-s_i-1}.$$


Let us look at the cases for $k = 1, 2$.

Corollary 5 For any $n \in \mathbb{Z}^+$ and $n - 1 \ge u \ge 0$,
$$N_1(n; u) = 2J_{n-2} + (-1)^{n-u} J_{u-1},$$
$$N_1(n; u) = J_n - \left[3J_{u-1} + (-1)^u\right] J_{n-u-1}.$$

Proof. By Theorem 4 and Lemma 1,
$$N_1(n; u) = J_n + (-1)^1\binom{1-1}{1-1}\left[J_{n-1} + (-1)^{n-u-1} J_{u-1}\right] = J_n - J_{n-1} + (-1)^{n-u} J_{u-1} = 2J_{n-2} + (-1)^{n-u} J_{u-1}.$$
And by Theorem 5 we obtain:
$$N_1(n; u) = J_n + (-1)^1\binom{1-1}{1-1}\left[3J_{u-1} + (-1)^u\right] J_{n-u-1} = J_n - \left[3J_{u-1} + (-1)^u\right] J_{n-u-1}. \qquad □$$

Example 2 By Corollary 5, we have:
$N_1(1; 0) = 2J_{-1} + J_{-1} = 0$, $N_1(2; 0) = 2J_0 + J_{-1} = 2$, $N_1(2; 1) = 2J_0 - J_0 = 1$, $N_1(3; 0) = 2J_1 - J_{-1} = 2$, $N_1(3; 1) = 2J_1 + J_0 = 3$, $N_1(3; 2) = 2J_1 - J_1 = 1$.
The corresponding subsets of $J(n)$ are
$J_1(1; 0) = \emptyset$, $J_1(2; 0) = \{01, 11\}$, $J_1(2; 1) = \{11\}$, $J_1(3; 0) = \{001, 011\}$, $J_1(3; 1) = \{010, 011, 110\}$, $J_1(3; 2) = \{110\}$.

Example 3 Applying Corollary 5, we have
$N_1(1; 0) = J_1 - [3J_{-1} + 1] J_0 = 1 - 1 = 0$, $N_1(2; 0) = J_2 - [3J_{-1} + 1] J_1 = 3 - 1 = 2$, $N_1(2; 1) = J_2 - [3J_0 - 1] J_0 = 3 - 2 = 1$, $N_1(3; 0) = J_3 - [3J_{-1} + 1] J_2 = 5 - 3 = 2$, $N_1(3; 1) = J_3 - [3J_0 - 1] J_1 = 5 - 2 = 3$, $N_1(3; 2) = J_3 - [3J_1 + 1] J_0 = 5 - 4 = 1$.
The corresponding subsets of $J(n)$ have been shown in Example 2.


Now let us turn to the case of $k = 2$. In this case, $n > 1$.

Corollary 6 For any $n \in \mathbb{Z}^+$, $n \ge 2$, and $n - 1 \ge u > v \ge 0$, we have:
$$N_1(n; u, v) = 2\left[J_{n-2} - J_{n-3}\right] + (-1)^{n-u}\left[J_{u-1} - J_{u-2}\right] + (-1)^{n-v} J_{v-1}. \tag{14}$$
For any $n \in \mathbb{Z}^+$, $n \ge 3$, $n - 1 \ge u > v \ge 0$, $u \ge 2$, we have:
$$N_1(n; u, v) = 4J_{n-4} + (-1)^{n-u}\, 2J_{u-3} + (-1)^{n-v} J_{v-1}. \tag{15}$$

Proof. By Theorem 4,
$$\begin{aligned}
N_1(n; s_1, s_2) &= J_n + (-1)^1 \sum_{1 \le i \le 2}\binom{2-i}{1-1}\left[J_{n-1} + (-1)^{n-s_i-1} J_{s_i-1}\right] + (-1)^2\binom{2-1}{2-1}\left[J_{n-2} + (-1)^{n-s_1-1} J_{s_1-2}\right] \\
&= J_n - \left[J_{n-1} + (-1)^{n-s_1-1} J_{s_1-1} + J_{n-1} + (-1)^{n-s_2-1} J_{s_2-1}\right] + \left[J_{n-2} + (-1)^{n-s_1-1} J_{s_1-2}\right] \\
&= J_n - 2J_{n-1} + J_{n-2} + (-1)^{n-s_1} J_{s_1-1} + (-1)^{n-s_2} J_{s_2-1} + (-1)^{n-s_1-1} J_{s_1-2} \\
&= 2\left[J_{n-2} - J_{n-3}\right] + (-1)^{n-s_1}\left[J_{s_1-1} - J_{s_1-2}\right] + (-1)^{n-s_2} J_{s_2-1}.
\end{aligned}$$
Substituting $u, v$ for $s_1, s_2$, respectively, gives (14). When $n \ge 3$ and $s_1 \ge 2$, by Lemma 1 we have:
$$J_{n-2} - J_{n-3} = 2J_{n-4}, \qquad J_{s_1-1} - J_{s_1-2} = 2J_{s_1-3}.$$
So,
$$N_1(n; s_1, s_2) = 2\left[J_{n-2} - J_{n-3}\right] + (-1)^{n-s_1}\left[J_{s_1-1} - J_{s_1-2}\right] + (-1)^{n-s_2} J_{s_2-1} = 4J_{n-4} + (-1)^{n-s_1}\, 2J_{s_1-3} + (-1)^{n-s_2} J_{s_2-1}.$$
Substituting $u, v$ for $s_1, s_2$, respectively, gives (15). □

The identities in this section can be used to give formulas for $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$, which will be presented in the next section.

3. Formulas for $N_0(n; t_1, t_2, \dots, t_r)$ and $N_1(n; s_1, s_2, \dots, s_k)$

For $N_0(n; t_1, t_2, \dots, t_r)$, we have:


Theorem 6 The following holds:
$$N_0(n; t_1, t_2, \dots, t_r) = \tfrac{1}{3}\, 2^{t_1+1-r}\left[2^{n-t_1} + (-1)^{n-t_1-1}\right]. \tag{16}$$
Proof. From the proof of Theorem 3 and equality (5), we have
$$N_0(n; t_1, t_2, \dots, t_r) = J_{n-1-t_1}\, 2^{t_1+1-r} = \tfrac{1}{3}\, 2^{t_1+1-r}\left[2^{n-t_1} + (-1)^{n-t_1-1}\right]. \qquad □$$

Note that $N_0(n; t_1, t_2, \dots, t_r)$ only depends on the parameters $n$, $t_1$ and $r$, and is independent of the values of the parameters $t_2, \dots, t_r$. Theorems 3 and 4 provide explicit formulas for $N_1(n; s_1, s_2, \dots, s_k)$, as shown in the following theorem. Its proof is obvious and will be omitted.

Theorem 7 Suppose that $s_1, s_2, \dots, s_k$ satisfy (6). Then
$$N_1(n; s_1, s_2, \dots, s_k) = \tfrac{1}{3}\left(2^{n+1} + (-1)^n\right) + \tfrac{1}{3}\sum_{1 \le r \le k}(-1)^r \sum_{1 \le i \le k-r+1}\binom{k-i}{r-1}\, 2^{s_i+1-r}\left[2^{n-s_i} + (-1)^{n-s_i-1}\right]. \tag{17}$$

Example 4 By (17), the first several values of $N_1(n; s)$ can be computed as follows.
$N_1(1; 0) = \tfrac{1}{3}\{2^2 - 2^0[2^2 + (-1)^1] + (-1)^1\} = 0$,
$N_1(2; 0) = \tfrac{1}{3}\{2^3 - 2^0[2^2 + (-1)^1] + (-1)^2\} = 2$,
$N_1(2; 1) = \tfrac{1}{3}\{2^3 - 2^1[2^1 + (-1)^0] + (-1)^2\} = 1$,
$N_1(3; 0) = \tfrac{1}{3}\{2^4 - 2^0[2^3 + (-1)^2] + (-1)^3\} = 2$,
$N_1(3; 1) = \tfrac{1}{3}\{2^4 - 2^1[2^2 + (-1)^1] + (-1)^3\} = 3$,
$N_1(3; 2) = \tfrac{1}{3}\{2^4 - 2^2[2^1 + (-1)^0] + (-1)^3\} = 1$.
The corresponding subsets of $J(n)$ have been shown in Example 2. When $k = 2$, we have:
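The following Python script is added here and is not part of the paper. It checks the statements above by brute force: it enumerates $J(n)$ directly from $A = \{0, 01, 11\}$ and again through the Theorem 1 characterization, and compares $N_0$ and $N_1$ obtained by direct counting with formula (11), Theorem 4, formula (16), formula (17) and, for $k = 2$, Corollary 8 below. The function names (J, N0_formula, N0_closed, N1_formula, N1_corollary8, check_all) are this script's own.

```python
"""Brute-force verification of the Jacobsthal counting identities.

Sequences are written a_{n-1} ... a_0, i.e. the leftmost character of a
Python string is a_{n-1} and the rightmost is a_0, as in the paper.
"""
from itertools import combinations, product
from math import comb

A = ("0", "01", "11")          # the three strings generating A*


def J(n):
    """Jacobsthal numbers J_0 = J_1 = 1 with J_m = 0 for m < 0, via (5)."""
    return 0 if n < 0 else (2 ** (n + 1) + (-1) ** n) // 3


def in_kleene_closure(s):
    """Dynamic programme: ok[i] is True iff s[:i] factors into words of A."""
    ok = [True] + [False] * len(s)
    for i in range(1, len(s) + 1):
        ok[i] = any(i >= len(w) and ok[i - len(w)] and s[i - len(w):i] == w for w in A)
    return ok[len(s)]


def by_theorem1(s):
    """Theorem 1: all-1 of even length, or an even number of 1s precedes the first 0."""
    i = s.find("0")
    return len(s) % 2 == 0 if i < 0 else i % 2 == 0


def jacobsthal_sequences(n):
    """The set J(n) as a list of strings."""
    return [s for s in ("".join(b) for b in product("01", repeat=n)) if in_kleene_closure(s)]


def digit(s, pos):
    """a_pos of the sequence s (positions counted from the right, a_0 rightmost)."""
    return s[len(s) - 1 - pos]


def N0_brute(n, T):
    return sum(all(digit(s, t) == "0" for t in T) for s in jacobsthal_sequences(n))


def N1_brute(n, S):
    return sum(all(digit(s, t) == "1" for t in S) for s in jacobsthal_sequences(n))


def N0_formula(n, t1, r):
    """(11): N_0 depends only on n, the largest position t1 and r = |T|."""
    return J(n - r) + (-1) ** (n - t1 - 1) * J(t1 - r)


def N0_closed(n, t1, r):
    """(16): the same number written with powers of two."""
    return 2 ** (t1 + 1 - r) * (2 ** (n - t1) + (-1) ** (n - t1 - 1)) // 3


def N1_formula(n, S, n0=N0_formula):
    """Theorem 4: inclusion-exclusion over the marked positions.  Each N_0 term
    depends only on r and the largest chosen position s_i, which is what the
    binomial weights count.  With n0=N0_closed this is Theorem 7 / (17)."""
    S = sorted(S, reverse=True)            # s_1 > s_2 > ... > s_k as in (6)
    k = len(S)
    total = J(n)
    for r in range(1, k + 1):
        for i in range(1, k - r + 2):      # 1 <= i <= k - r + 1
            total += (-1) ** r * comb(k - i, r - 1) * n0(n, S[i - 1], r)
    return total


def N1_corollary8(n, u, v):
    """Corollary 8 (k = 2, u > v)."""
    return (2 ** (n - 1) + (-1) ** (n - u) * 2 ** (u - 1)
            + (-1) ** (n - v) * 2 ** v + (-1) ** n) // 3


def check_all(nmax):
    """True iff, for 1 <= n <= nmax, both membership tests agree, |J(n)| = J_n, and
    every formula above agrees with direct counting for every choice of positions."""
    for n in range(1, nmax + 1):
        words = ["".join(b) for b in product("01", repeat=n)]
        if any(in_kleene_closure(s) != by_theorem1(s) for s in words):
            return False
        if len(jacobsthal_sequences(n)) != J(n):
            return False
        for r in range(1, n + 1):
            for T in combinations(range(n), r):
                t1 = max(T)
                if not (N0_brute(n, T) == N0_formula(n, t1, r) == N0_closed(n, t1, r)):
                    return False
                if not (N1_brute(n, T) == N1_formula(n, T) == N1_formula(n, T, N0_closed)):
                    return False
                if r == 2 and N1_formula(n, T) != N1_corollary8(n, T[1], T[0]):
                    return False
    return True


if __name__ == "__main__":
    print(jacobsthal_sequences(3), N1_formula(3, (1,)), check_all(7))
```

Running check_all(7) exercises every subset of positions for n up to 7, which covers Examples 1 to 4 and also the cases with three or more marked positions that the examples do not list.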


Corollary 8 For any $n \ge 2$ and $n - 1 \ge u > v \ge 0$, we have:
$$N_1(n; u, v) = \tfrac{1}{3}\left[2^{n-1} + (-1)^{n-u}\, 2^{u-1} + (-1)^{n-v}\, 2^v + (-1)^n\right].$$

References

[1] R. Brigham, P. Chinn and R. Grimaldi, Tiling and Patterns of Enumeration, Congressus Numerantium, 137 (1999), 207-219.
[2] D. Frey and J. Sellers, Jacobsthal Numbers and Alternating Sign Matrices, J. of Integer Sequences, 3 (2000), Article 00.2.3, 1-15.
[3] R. Grimaldi, Binary Strings and the Jacobsthal Numbers, Congressus Numerantium, 174 (2005), 3-22.
[4] R. Grimaldi, The Distribution of 1s in Jacobsthal Binary Sequences, Congressus Numerantium, 190 (2008), 47-64.
[5] H. Silvia, Tiling an m-by-n Area with Squares of Size up to k-by-k (m ≤ 5), Congressus Numerantium, 140 (1999), 43-64.


Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-38

A. KLEIN and L. STORME Department of Mathematics, Ghent University, Krijgslaan 281 - Building S22, 9000 Ghent, Belgium (Email: {klein,ls}@cage.ugent.be) (WWW: http://cage.ugent.be/ {klein,ls})

Abstract. We present in this article the basic properties of projective geometry, coding theory, and cryptography, and show how finite geometry can contribute to coding theory and cryptography. In this way, we show links between three research areas, and in particular, show that finite geometry is not only interesting from a pure mathematical point of view, but also of interest for applications. We concentrate on introducing the basic concepts of these three research areas and give standard references for all three of them. We also mention particular results involving ideas from finite geometry, and particular results in cryptography involving ideas from coding theory. Keywords. Finite geometry, MDS codes, Griesmer bound, Secret sharing, AES

1. Introduction to projective geometry

The classical Euclidean geometry contains two very interesting weaker geometries. The absolute geometry which explores what can be proved without the famous parallel postulate. The affine geometry which explores what can be proved without the axiom of measure (length and angles). The axioms of the affine plane are:
(A1) Each two points are joined by exactly one line.
(A2) For each line l and each point P not on l, there is exactly one line through P which does not intersect l.
(A3) There are three points which do not lie on a common line.
When working in the affine plane, one almost always distinguishes between parallel and intersecting lines. This distinction can be removed by going to the projective closure. For each parallel class of lines we add a point at infinity which lies on all lines of the parallel class. There is also a line at infinity which goes through all the points at infinity. This leads to the projective plane with the axioms:
(P1) Each two points are joined by exactly one line.

A. Klein and L. Storme / Applications of Finite Geometry in Coding Theory and Cryptography


(P2) Each two lines meet in exactly one point.
(P3) There are at least two lines and each line contains at least three points.
To extend the projective geometry to higher dimensions, we must replace (P2) by an axiom that states that two lines in a plane have a common point. The Veblen-Young axiom does exactly this but avoids the use of the word plane.
(P2') Let A, B, C and D be four points such that the lines AB and CD intersect. Then AC and BD have a common point.

Figure 1. The Veblen-Young axiom (figure not reproduced: it shows the points A, B, C, D, the intersection point P of AB and CD, and the intersection point Q of AC and BD).

We now present the classical construction of a projective space.

Theorem 1 Let $V$ be a vector space of dimension $d + 1 \ge 3$ over a (skew) field $F$. The geometry $PG(V)$ is defined by
- The points of $PG(V)$ are the 1-dimensional subspaces of $V$.
- The lines of $PG(V)$ are the 2-dimensional subspaces of $V$.
- A point of $PG(V)$ is incident with a line of $PG(V)$ if the corresponding 1-dimensional subspace is contained in the corresponding 2-dimensional subspace.
Then $PG(V)$ is a projective space.

Proof. Let $\langle v \rangle$, $\langle w \rangle$ be two points of $PG(V)$; then $\langle v, w \rangle$ is the unique 2-dimensional subspace containing $v$ and $w$, which proves axiom (P1). Let $A = \langle u \rangle$, $B = \langle v \rangle$, $C = \langle w \rangle$, $D = \langle x \rangle$ be four points of $PG(V)$. If the lines $AB = \langle u, v \rangle$ and $CD = \langle w, x \rangle$ intersect in a common point, the dimension formula gives
$$\dim\langle u, v, w, x \rangle = \dim\langle u, v \rangle + \dim\langle w, x \rangle - \dim(\langle u, v \rangle \cap \langle w, x \rangle) = 2 + 2 - 1 = 3.$$
Again by the dimension formula, we get
$$\dim(\langle u, w \rangle \cap \langle v, x \rangle) = \dim\langle u, w \rangle + \dim\langle v, x \rangle - \dim\langle u, v, w, x \rangle = 2 + 2 - 3 = 1,$$
and hence $AC = \langle u, w \rangle$ and $BD = \langle v, x \rangle$ meet in a common point of $PG(V)$. This proves axiom (P2).


Each line $\langle v, w \rangle$ of $PG(V)$ contains at least three points $\langle v \rangle$, $\langle w \rangle$ and $\langle v + w \rangle$. Since $\dim V \ge 3$, there are at least two subspaces of dimension 2. This proves axiom (P3). □

Two extremely important theorems of projective geometry are:

Theorem 2 (Desargues' Theorem) Let $A_1A_2A_3$ and $B_1B_2B_3$ be two triangles for which the lines $A_1B_1$, $A_2B_2$ and $A_3B_3$ are different and go through a common point $C$. Then the points $P_{12} = A_1A_2 \cap B_1B_2$, $P_{13} = A_1A_3 \cap B_1B_3$ and $P_{23} = A_2A_3 \cap B_2B_3$ lie on a common line.

Theorem 3 (Pappus' Theorem) Let $l$ and $h$ be two intersecting lines. Let $A_1, A_2, A_3$ be distinct points on $l$ different from $l \cap h$ and let $B_1, B_2, B_3$ be distinct points on $h$ different from $l \cap h$. Then the points $G_{12} = A_1B_2 \cap A_2B_1$, $G_{13} = A_1B_3 \cap A_3B_1$ and $G_{23} = A_2B_3 \cap A_3B_2$ lie on a common line.

Without proof we note:

Theorem 4 A projective space satisfies the Theorem of Desargues if and only if it is of the form $PG(V)$ for some vector space $V$. A projective space satisfies the Theorem of Pappus if and only if it is of the form $PG(V)$ for some vector space $V$ over a commutative field $F$.

In the following, all projective spaces will be of the form $PG(V)$ where $V$ is a finite dimensional vector space over a finite field $\mathbb{F}_q$ of order $q$. Let $d + 1$ be the dimension of $V$; then we also write $PG(d, q)$ for $PG(V)$. Fix a basis $v_0, \dots, v_d$ of $V$. Let $u = v_0 + \dots + v_d$. Then any vector $v = a_0v_0 + \dots + a_dv_d \in V$ is uniquely determined by its coordinates $(a_0, \dots, a_d)$.

Figure 3. Pappus' Theorem (figure not reproduced: it shows $A_1, A_2, A_3$ on one line, $B_1, B_2, B_3$ on the other, and the collinear points $G_{12}, G_{13}, G_{23}$).

We call $(a_0, \dots, a_d)$ the homogeneous coordinates of the point $\langle v \rangle$ of $PG(V)$ with respect to the projective reference system $\{\langle v_0 \rangle, \dots, \langle v_d \rangle, \langle u \rangle\}$, where $u = v_0 + \dots + v_d$. Since $\langle \lambda v \rangle = \langle v \rangle$ for any $\lambda \ne 0$, the homogeneous coordinates of a projective point are unique up to a nonzero scalar factor.

Example 1 The line through the points with homogeneous coordinates $(a_0, \dots, a_d)$ and $(b_0, \dots, b_d)$ consists of the points with the following coordinates: $(a_0, \dots, a_d)$ and $(b_0, \dots, b_d) + x(a_0, \dots, a_d)$, with $x \in F$.

If $V$ is a vector space over a finite field, then $PG(V)$ has a finite number of points and lines. Theorem 5 counts them.

Theorem 5 The projective space $PG(d, q)$ has
$$\frac{q^{d+1} - 1}{q - 1} = q^d + q^{d-1} + \dots + q + 1 \ \text{ points and } \ \frac{(q^d + q^{d-1} + \dots + q + 1)(q^{d-1} + q^{d-2} + \dots + q + 1)}{q + 1} \ \text{ lines.}$$

Proof. The vector space $\mathbb{F}_q^{d+1}$ contains $q^{d+1} - 1$ nonzero vectors and a 1-dimensional subspace of $\mathbb{F}_q^{d+1}$ contains $q - 1$ nonzero vectors. Thus $\mathbb{F}_q^{d+1}$ has $\frac{q^{d+1} - 1}{q - 1}$ subspaces of dimension 1. As special cases we have that a two dimensional vector space over $\mathbb{F}_q$ has $q + 1$ subspaces of dimension 1, i.e. a line of $PG(d, q)$ has $q + 1$ points. There are $(q^{d+1} - 1)(q^{d+1} - q)$ possibilities to choose linearly independent vectors $u, v \in \mathbb{F}_q^{d+1}$. Every two dimensional space $\langle u, v \rangle$ has $(q^2 - 1)(q^2 - q)$ different bases. Thus $\mathbb{F}_q^{d+1}$ contains
$$\frac{(q^{d+1} - 1)(q^{d+1} - q)}{(q^2 - 1)(q^2 - q)}$$
subspaces of dimension 2, which is the number of lines stated in the theorem. □


As indicated in the abstract, projective geometry is first of all investigated because of its pure mathematical importance. But projective geometry is also important because of its links to other research areas. We now present coding theory, one of the most important research areas linked to projective geometry. For a detailed discussion of finite projective spaces we refer to [12, 13, 15].

2. Coding theory

2.1. Introduction to coding theory

When sending a message there is always a small probability for transmission errors. The goal of coding theory is to develop good codes to detect and correct transmission errors.

[Diagram: data source → encoder → channel (subject to noise) → decoder → receiver]

Suppose for example that we transmit a binary message. With a probability $p$ of 2% a transmission error occurs, and a 1 is received as 0 and vice versa.

Example 2 (Triple repetition code) We repeat every symbol three times, i.e. we send 000 instead of 0 and 111 instead of 1. If an error occurs we guess that the majority of the received symbols is correct, i.e. we will decode 110 as 1. The probability that more than 1 error occurs in a triplet is $3p^2(1 - p) + p^3$. If $p = 0.02$ we lowered the probability for incorrect decoding to 0.0012. The price is that we have to send 3 times more symbols.

Example 3 (The Hamming code) Now we use the following encoding $(x_0, x_1, x_2, x_3) \mapsto (x_0, \dots, x_6)$ with
$$x_4 \equiv x_1 + x_2 + x_3 \pmod 2, \qquad x_5 \equiv x_0 + x_2 + x_3 \pmod 2, \qquad x_6 \equiv x_0 + x_1 + x_3 \pmod 2.$$


For example (1101) is encoded as (1101001). Every 7-bit word is either a codeword or differs in at most one place from a codeword. The decoding will send the received word to the most similar codeword. If you compute the error probability for this example you will find that the average probability for a wrong bit is 0.0034 when $p = 0.02$. Thus the Hamming code gives almost the same error probability as the simple triple repetition code, but we must send only $7/4$ times more symbols. Thus the Hamming code allows a faster data transmission.

The last example shows some important aspects:
- Linear mappings are often good codes.
- The mapping itself is not so important; the image under the map is the most important aspect of a code.
- Codewords should differ in as many positions as possible to obtain a good error correction rate.
This motivates the following definition.

Definition 1 The Hamming distance $d(x, y)$ of $x, y \in \mathbb{F}_q^n$, with $x = (x_1, \dots, x_n)$ and $y = (y_1, \dots, y_n)$, is
$$d(x, y) = |\{i \mid x_i \ne y_i\}| .$$
The Hamming distance of $x$ to $0$ is called the weight of $x$; $w(x) = d(x, 0)$. A linear $[n, k]_q$ block code $C$ is a $k$-dimensional subspace of $\mathbb{F}_q^n$. The minimum distance $d$ of a linear $[n, k]_q$ block code $C$ is defined as
$$d = \min_{x \ne y \in C} d(x, y) = \min_{0 \ne x \in C} w(x) .$$
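To make Examples 2 and 3 and Definition 1 concrete, here is an added Python script (not from the paper) that builds the generator and parity check matrices of the [7,4] Hamming code from the three check equations of Example 3, verifies that its minimum distance is 3, decodes a received word by its syndrome, and recomputes the two error probabilities quoted in the examples by summing over all error patterns. The matrices G and H and the function names are this script's own.

```python
"""The [7,4] Hamming code of Example 3, worked through."""
from itertools import product

# Generator matrix: row i is the codeword of the unit message e_i under the map
# (x0,x1,x2,x3) -> (x0,...,x6) with x4=x1+x2+x3, x5=x0+x2+x3, x6=x0+x1+x3 (mod 2).
G = [
    (1, 0, 0, 0, 0, 1, 1),
    (0, 1, 0, 0, 1, 0, 1),
    (0, 0, 1, 0, 1, 1, 0),
    (0, 0, 0, 1, 1, 1, 1),
]
# Parity check matrix: one row per check equation; c is a codeword iff c H^t = 0.
H = [
    (0, 1, 1, 1, 1, 0, 0),
    (1, 0, 1, 1, 0, 1, 0),
    (1, 1, 0, 1, 0, 0, 1),
]


def encode(msg):
    """Codeword of a 4-bit message: msg * G over F_2."""
    return tuple(sum(m * g[j] for m, g in zip(msg, G)) % 2 for j in range(7))


def syndrome(word):
    """H * word^t over F_2; the zero vector exactly for codewords."""
    return tuple(sum(h[j] * word[j] for j in range(7)) % 2 for h in H)


def hamming_distance(x, y):
    return sum(a != b for a, b in zip(x, y))


def weight(x):
    return hamming_distance(x, (0,) * len(x))


def codewords():
    return [encode(m) for m in product((0, 1), repeat=4)]


def minimum_distance():
    """For a linear code the minimum distance is the minimum nonzero weight (Definition 1)."""
    return min(weight(c) for c in codewords() if any(c))


def decode(received):
    """Syndrome decoding: the columns of H are the 7 distinct nonzero vectors of
    F_2^3, so a nonzero syndrome names the single position to flip."""
    s = syndrome(received)
    if not any(s):
        return tuple(received)
    pos = next(j for j in range(7) if tuple(h[j] for h in H) == s)
    return tuple(b ^ (j == pos) for j, b in enumerate(received))


def repetition_error_probability(p):
    """Triple repetition (Example 2): the majority is wrong iff 2 or 3 of 3 bits flip."""
    return 3 * p ** 2 * (1 - p) + p ** 3


def hamming_bit_error_probability(p):
    """Average probability that an information bit is wrong after decoding, summed
    over all 2^7 error patterns.  The code is linear and the decoder depends only
    on the error pattern, so sending the zero codeword loses no generality."""
    total = 0.0
    for e in product((0, 1), repeat=7):
        w = weight(e)
        wrong = sum(decode(e)[:4])        # decoded information bits that are 1
        total += (wrong / 4) * p ** w * (1 - p) ** (7 - w)
    return total


if __name__ == "__main__":
    c = encode((1, 1, 0, 1))
    corrupted = tuple(b ^ (j == 2) for j, b in enumerate(c))
    print(c, decode(corrupted), minimum_distance())
    print(repetition_error_probability(0.02), hamming_bit_error_probability(0.02))
```

With p = 0.02 the repetition code gives 0.001184 and the Hamming code about 0.0034, the two figures quoted above; the Hamming figure is dominated by the 21 two-bit error patterns, each of which is "corrected" to the wrong codeword at distance 3.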

An $[n, k, d]_q$-code is an $[n, k]_q$-code with minimum distance $d$. A generator matrix $G$ for an $[n, k, d]_q$-code $C$ is a $k \times n$ matrix whose rows form a basis for the code $C$. A parity check matrix $H$ for an $[n, k, d]_q$-code $C$ is an $(n - k) \times n$ matrix of rank $n - k$ whose rows are orthogonal to all the codewords of $C$, i.e., $c \in C \Leftrightarrow cH^t = 0$. A main goal of coding theory is to determine for given $n$, $k$ and $q$ the largest $d$ for which an $[n, k, d]_q$-code exists. A good introduction into coding theory is [20]. For further reference, see also [21, 25].

2.2. MDS codes

We start with a very simple upper bound on the minimum distance of an $[n, k]_q$-code. Consider the systematic generator matrix of an $[n, k]_q$-code:


$$G = \begin{pmatrix} 1 & & 0 & g_{1,k+1} & \dots & g_{1,n} \\ & \ddots & & \vdots & & \vdots \\ 0 & & 1 & g_{k,k+1} & \dots & g_{k,n} \end{pmatrix} = \left(\, I_k \mid G_{k \times (n-k)} \right).$$
Each row of $G$ has at most $n - k + 1$ nonzero entries and hence $n - k + 1 \ge d$.

Theorem 6 (Singleton bound [29]) An $[n, k, d]_q$-code satisfies $n - k + 1 \ge d$.

Codes that meet the Singleton bound are called maximum distance separable codes (MDS codes). Let $C$ be an $[n, k, d]_q$ MDS code. Its parity check matrix $H$ is an $(n - k) \times n$ matrix with the property that any $n - k$ columns of $H$ are linearly independent.

Example 4 (Generalized Doubly-Extended Reed-Solomon (GDRS) codes [26]) Let $\mathbb{F}_q = \{0, a_1, \dots, a_{q-1}\}$. Let
$$H = \begin{pmatrix} 1 & 1 & \dots & 1 & 0 \\ 0 & a_1 & \dots & a_{q-1} & 0 \\ 0 & a_1^2 & \dots & a_{q-1}^2 & 0 \\ \vdots & \vdots & & \vdots & \vdots \\ 0 & a_1^{n-k-2} & \dots & a_{q-1}^{n-k-2} & 0 \\ 0 & a_1^{n-k-1} & \dots & a_{q-1}^{n-k-1} & 1 \end{pmatrix}.$$
For instance, the determinant of the $(n - k) \times (n - k)$ submatrix
$$\begin{pmatrix} 1 & \dots & 1 \\ a_1 & \dots & a_{n-k} \\ \vdots & & \vdots \\ a_1^{n-k-1} & \dots & a_{n-k}^{n-k-1} \end{pmatrix}$$
is $\prod_{1 \le i < j \le n-k}(a_j - a_i) \ne 0$. Any $n - k$ columns of $H$ are linearly independent, i.e. $H$ is a parity check matrix of an MDS code.

Interpreting the columns of $H$ as points in a projective space, we get a structure called an arc.

Definition 2 An $r$-arc of $PG(n, q)$ is a set of $r$ points that span $PG(n, q)$ and such that any hyperplane contains at most $n$ points of this $r$-arc.

The $(q + 1)$-arc corresponding to a GDRS-code is called a normal rational curve. Here, $\{(1, t, \dots, t^{k-1}) \mid t \in \mathbb{F}_q\} \cup \{(0, \dots, 0, 1)\}$ is the standard form for a normal rational curve in $PG(k - 1, q)$. The study of linear MDS codes was performed mostly by geometrical methods. We now mention a number of the most important results.


Theorem 7 (Segre, Thas [27, 32]) For q an odd prime power, 2 k < q/4, every [n = q + 1, k, d = q + 2 k ]-MDS code is a GDRS code. This preceding result was obtained using methods from algebraic geometry and projection arguments. The motivation for the next result is as follows. The GDRS codes are MDS codes of length q + 1. Maybe they can be extended to MDS codes of length q + 2. The following result proves that this is practically never the case. Theorem 8 (Storme [31]) Consider the [q + 1, k, q k + 2]q -GDRS code. For q odd and 2 k q + 3 6 q log q , and for q even and 4 k q + 3 6 q log q , this [q + 1, k, q + 2 k ]q -GDRS code cannot be not extended to a [q + 2, k, q + 3 k ]q -MDS code. 2.3. Minihypers and the Griesmer bound Let Nq (d, k ) denote the minimal n for which an [n, k, d]q -code exists and let x denote the smallest integer larger than or equal to x. Theorem 9 (Griesmer bound [9, 30])

$$N_q(k,d)\ \ge\ d+N_q\!\left(k-1,\left\lceil\frac{d}{q}\right\rceil\right)\tag{1}$$
and
$$N_q(k,d)\ \ge\ G_q(k,d)=\sum_{i=0}^{k-1}\left\lceil\frac{d}{q^i}\right\rceil.\tag{2}$$

Proof. Let $C$ be an $[n,k,d]_q$-code. Without loss of generality we can assume that $C$ contains the codeword $(0,\dots,0,1,\dots,1)$ of weight $d$. Thus we have a generator matrix of the form
$$G=\begin{pmatrix} 0\cdots0 & 1\cdots1\\ G_1 & G_2\end{pmatrix}.$$

This matrix $G_1$ has rank $k-1$, since otherwise we could make a row of $G_1$ zero and $C$ would contain a codeword of weight less than $d$. Thus $G_1$ is the generator matrix of an $[n-d,k-1,d_1]_q$-code. Let $(u,v)\in C$ with $w(u)=d_1$. Since also all codewords of the form $(u,v+a\mathbf{1})$, $a\in\mathbb{F}_q$, are in $C$, we can select $v$ with weight at most $\frac{q-1}{q}\,d$. Since $(u,v)\in C$, we have $w(u)+w(v)\ge d$, or $d_1\ge d-\frac{q-1}{q}\,d=\frac{d}{q}$. This proves Equation (1).


Iterating Equation (1) yields
$$N_q(k,d)\ \ge\ d+N_q\!\left(k-1,\left\lceil\frac{d}{q}\right\rceil\right)\ \ge\ d+\left\lceil\frac{d}{q}\right\rceil+N_q\!\left(k-2,\left\lceil\frac{d}{q^2}\right\rceil\right)\ \ge\ \cdots\ \ge\ \sum_{i=0}^{k-2}\left\lceil\frac{d}{q^i}\right\rceil+N_q\!\left(1,\left\lceil\frac{d}{q^{k-1}}\right\rceil\right)=\sum_{i=0}^{k-1}\left\lceil\frac{d}{q^i}\right\rceil,$$
which is Equation (2).

Now we want to construct linear codes that meet the Griesmer bound, i.e. we are interested in $[G_q(k,d),k,d]_q$-codes. By $\theta_k=\frac{q^k-1}{q-1}$ we denote the number of 1-dimensional subspaces of $\mathbb{F}_q^k$, i.e. the number of points in $PG(k-1,q)$. The simplex code $S_k$ is a $[\theta_k,k,q^{k-1}]_q$-code whose generator matrix is formed by $\theta_k$ pairwise linearly independent vectors in $\mathbb{F}_q^k$. For each $t$, the juxtaposition of $t$ copies of the simplex code is a $[t\theta_k,k,tq^{k-1}]_q$-code that satisfies the Griesmer bound. An excellent way to construct more linear codes satisfying the Griesmer bound is to start with $t$ copies of the simplex code and delete columns of the generator matrix. The columns to be deleted form the generator matrix of what is called an anticode. This is a code with an upper bound on the distance between its codewords. Even the distance 0 between codewords is allowed, i.e. an anticode may contain repeated codewords.

Definition 3 If $G$ is a $k\times m$ matrix over $\mathbb{F}_q$, then the $q^k$ linear combinations of its rows form the codewords of an anticode of length $m$. The maximum distance of the anticode is the maximum weight of any of its codewords. If $\operatorname{rank}G=r$, each codeword occurs $q^{k-r}$ times.

If we start with $t$ copies of the simplex code and delete $m$ columns that form an anticode with maximum distance $\delta$, we obtain a $[t\theta_k-m,k,tq^{k-1}-\delta]_q$-code.

Codes meeting the Griesmer bound and their anticodes have a nice geometrical interpretation. Let $C$ be an $[n,k]_q$-code with generator matrix $G$. Each column of the generator matrix describes a point of $PG(k-1,q)$. We represent $C$ by the multiset $M$ of these $n$ points. For instance, the simplex code $S_k$ is represented by the point set of $PG(k-1,q)$. An $i$-point is a point of multiplicity $i$. For each subset $S$ of $PG(k-1,q)$, we denote the number of points of $M$ in $S$ by $c(S)$. Let
$$\gamma_i=\max\{c(S)\mid S\text{ is a subspace of dimension }i\}.$$


Then $\gamma_0$ is the maximal $i$ for which an $i$-point in $M$ exists. The minimum distance of $C$ is the minimal number of points of $M$ lying in the complement of a hyperplane, i.e. $d=n-\gamma_{k-2}$. If an $[n,k,d]_q$-code meets the Griesmer bound, we can compute the values $\gamma_i$ from its parameters. At this moment we only need the following lemma.

Lemma 1 (Maruta [22]) Let $(s-1)q^{k-1}<d\le sq^{k-1}$ and let $C$ be an $[n,k,d]_q$-code meeting the Griesmer bound. Then $\gamma_0=\max\{c(P)\mid P\in PG(k-1,q)\}=s$.

Proof. By the pigeonhole principle, we get $\gamma_0\ge n/\theta_k>s-1$. Assume $\gamma_0>s$; then there exists a point $P=(p_0,\dots,p_{k-1})$ described by at least $s+1$ columns of the generator matrix. Consider the subcode $C'$ of $C$ defined by
$$C'=\Bigl\{x=(x_0,\dots,x_{k-1})\in\mathbb{F}_q^k\ \Big|\ \sum_{i=0}^{k-1}x_ip_i=0\Bigr\}\,G.$$

The codewords of $C'$ have entry 0 at the columns corresponding to $P$. Puncturing $C'$ at these columns yields an $[n',k',d']_q$-code with $n'\le n-s-1$, $k'=k-1$ and $d'\ge d$. But the Griesmer bound says that
$$n-s-1\ \ge\ n'\ \ge\ \sum_{i=0}^{k'-1}\left\lceil\frac{d'}{q^i}\right\rceil\ \ge\ \sum_{i=0}^{k-2}\left\lceil\frac{d}{q^i}\right\rceil=\sum_{i=0}^{k-1}\left\lceil\frac{d}{q^i}\right\rceil-\left\lceil\frac{d}{q^{k-1}}\right\rceil=n-s,$$
a contradiction.

We represent the linear code $C$ by the multiset $\overline{M}$ in which each point $P$ of $PG(k-1,q)$ has weight $w(P)$ equal to $s$ minus the number of columns in the generator matrix defining $P$. In fact, $\overline{M}$ is the multiset of columns of the anticode corresponding to $C$ in the copy of $s$ simplex codes. We have shown above that for linear codes meeting the Griesmer bound $w(P)\ge0$ for each point $P$. Let $d=sq^{k-1}-\sum_{i=0}^{k-2}t_iq^i$, $0\le t_i\le q-1$ for $i=0,\dots,k-2$. Then the total weight of all points in $\overline{M}$ is $\sum_{i=0}^{k-2}t_i\theta_{i+1}$ and each hyperplane has a weight of at least $s\theta_{k-1}-(n-d)=\sum_{i=0}^{k-2}t_i\theta_i$. This geometrical structure is important enough to deserve a name.

Definition 4 An $(n,w;d,q)$-minihyper is a multiset of $n$ points in $PG(d,q)$ with the property that every hyperplane meets it in at least $w$ points.

Many characterisation theorems of minihypers are known. The simplest is:

Theorem 10 (Bose and Burton [2]) Let $k\le d$. A $(\theta_{k+1},\theta_k;d,q)$-minihyper is always a $k$-dimensional subspace of $PG(d,q)$.

Proof. Let $H$ be a $(\theta_{k+1},\theta_k;d,q)$-minihyper. We claim that for $s\le k$ every codimension $s$ space of $PG(d,q)$ meets $H$ in at least $\theta_{k-s+1}$ points. For $s=1$ this is the definition of a minihyper. Now let $s>1$ and assume that a codimension $s$ space $\pi$ meets $H$ in less than $\theta_{k-s+1}$ points. Then the average number of points of $H$ in a codimension $s-1$ space through $\pi$ is less than


$$\frac{\theta_{k+1}-\theta_{k-s+1}}{\theta_s}+\theta_{k-s+1}=q^{k-s+1}+\theta_{k-s+1}=\theta_{k-s+2},$$
in contradiction to the already proved result that a codimension $s-1$ space contains at least $\theta_{k-s+2}$ points of $H$.

Now assume that $H$ is not a $k$-space of $PG(d,q)$, i.e. there is a line $l$ that contains at least two points of $H$ but does not lie completely in $H$. Let $P\in l\setminus H$. There exists a subspace $\sigma$ of dimension $d-k-1$ through $P$ that has no point in common with $H$. (There are simply not enough points in $H$ to block all the $(d-k-1)$-spaces through $P$.) The average number of points of $H$ in a $(d-k)$-space through $\sigma$ is $\theta_{k+1}/\theta_{k+1}=1$. But the $(d-k)$-space through $\sigma$ containing $l$ contains at least 2 points of $H$, thus there must be a $(d-k)$-space through $\sigma$ that contains no point of $H$. A contradiction, i.e. $H$ is a subspace.

There are many other characterization results on minihypers. We refer to the literature for the known results. As a concrete example of a deep characterization result, we mention the following result of Hamada, Helleseth, and Maekawa.

Theorem 11 (Hamada, Helleseth, and Maekawa [10, 11]) Let $F$ be a $\bigl(\sum_{i=0}^{k-2}\epsilon_i\theta_{i+1},\ \sum_{i=0}^{k-2}\epsilon_i\theta_i;\ k-1,q\bigr)$-minihyper with $\sum_{i=0}^{k-2}\epsilon_i<\sqrt{q}+1$. Then $F$ is the union of $\epsilon_0$ points, $\epsilon_1$ lines, ..., $\epsilon_{k-2}$ $(k-2)$-dimensional subspaces, which are all pairwise disjoint.

2.4. Covering radius

For an $e$-error correcting code, we search for a large set of pairwise disjoint spheres of radius $e$ in the Hamming space $\mathbb{F}_q^n$. The problem of covering codes is the opposite problem. Here, we wish to cover all the points of the Hamming space $\mathbb{F}_q^n$ with as few spheres as possible. Covering codes find applications in data compression. Formally we define:

Definition 5 Let $C$ be a linear $[n,k,d]_q$-code. The covering radius of the code $C$ is the smallest integer $R$ such that every $n$-tuple in $\mathbb{F}_q^n$ lies at Hamming distance at most $R$ from a codeword in $C$.

The following theorem will be the basis for making the link with the geometrically equivalent objects, the saturating sets in finite geometry.

Theorem 12 Let $C$ be a linear $[n,k,d]_q$-code with parity check matrix $H=(h_1\cdots h_n)$. Then the covering radius of $C$ is equal to $R$ if and only if every $(n-k)$-tuple over $\mathbb{F}_q$ can be written as a linear combination of at most $R$ columns of $H$.

Definition 6 Let $S$ be a subset of $PG(N,q)$. The set $S$ is called $\rho$-saturating when every point $P$ of $PG(N,q)$ can be written as a linear combination of at most $\rho+1$ points of $S$.


Taking into account Theorem 12, the preceding definition means that $\rho$-saturating sets $S$ in $PG(n-k-1,q)$ determine the parity check matrices of linear $[n,k,d]_q$-codes with covering radius $R=\rho+1$. Covering codes are linked to many geometrical objects. Obviously the goal of covering the whole space becomes easier when one can use more codewords. So we are interested in small covering codes or, equivalently, in small saturating sets.

Example 5 (Brualdi et al. [3], Davydov [5]) We construct a 1-saturating set in $PG(3,q)$ of size $2q+1$. We give the description via coordinates. Take a conic $c=\{(1,t,t^2,0)\mid t\in\mathbb{F}_q\}\cup\{(0,0,1,0)\}$ in the plane $\pi:X_3=0$ of $PG(3,q)$ and let $P=(0,0,1,0)$ be a point of this conic $c$. For $q$ even, let $\overline{P}=(0,1,0,0)$ be the nucleus of the conic. For $q$ odd, let $\overline{P}=(0,1,0,0)$ be a point of the tangent line to $c$ through $P$. Let $l$ be a line through $P$ not in $\pi$. We claim that $S=(c\cup l\cup\{\overline{P}\})\setminus\{P\}$ is a 1-saturating set in $PG(3,q)$.

First note that every point in the plane $\pi$ lies on a secant of $c$. Now take a point $Q$ not in $\pi$. Together with $l$, it spans a plane that either intersects the conic $c$ in a point different from $P$ or contains $\overline{P}$. Thus $Q$ lies on a line which meets $S$ in two points.

Example 6 (Östergård and Davydov [6]) Example 5 can be extended to a 2-saturating set in $PG(5,q)$ of size $3q+1$. We again give the description via coordinates.


Take two skew planes $\pi$ and $\pi'$. Let $c$ be a conic in $\pi$ and let $c'$ be a conic in $\pi'$. Let $P$ be a point of $c$ and let $P'$ be a point of $c'$. For $q$ even, let $\overline{P}$ be the nucleus of $c$ and for $q$ odd, choose $\overline{P}$ on the tangent line to $c$ through $P$. Similarly choose $\overline{P'}$. Let $l$ be the line $PP'$. Then $S=(c\cup c'\cup l\cup\{\overline{P},\overline{P'}\})\setminus\{P,P'\}$ is a 2-saturating set in $PG(5,q)$.

As in Example 5, a point of $\pi$ or $\pi'$ lies on a line meeting $S$ in two points. A point $Q$ not in $\pi$ or $\pi'$ lies on a unique line $l'$ that meets both planes. As in Example 5, we get that $\langle l,l'\rangle$ meets $(c\cup\{\overline{P}\})\setminus\{P\}$ and $(c'\cup\{\overline{P'}\})\setminus\{P'\}$ in points $Q_1$ and $Q_2$. The span $\langle Q,Q_1,Q_2\rangle$ meets $l$ in a point $Q_3$ and hence $Q$ lies in the plane $\langle Q_1,Q_2,Q_3\rangle$.

An interesting geometrical research problem, that in fact solves problems in coding theory, is therefore the problem of constructing small $\rho$-saturating sets in finite projective spaces.

3. Cryptography

3.1. Secret sharing

Secret sharing schemes are the cryptographic equivalents of a vault that needs several keys to be opened. In the simplest cases there are $n$ participants and each group of $k$ participants can reconstruct the secret, but fewer than $k$ participants have no way to learn anything about the secret.


Example 7 (Shamir's $k$-out-of-$n$ secret sharing scheme [28]) Let $\mathbb{F}$ be a finite field. The dealer chooses a polynomial $f\in\mathbb{F}[x]$ of degree at most $k-1$ and gives participant number $i$ a point $(x_i,f(x_i))$ on the graph of $f$ ($x_i\neq0$). The value $f(0)$ is the secret. A set of $k$ participants can reconstruct $f$ by interpolation. Then they can compute the secret $f(0)$. If $k'<k$ persons try to reconstruct the secret, they see that for every value $y\in\mathbb{F}$ there are exactly $|\mathbb{F}|^{k-k'-1}$ polynomials of degree at most $k-1$ which pass through their shares and the point $(0,y)$. Thus they gain no information about $f(0)$.

[Figure: the graph of $f$ with the secret point $(0,f(0))$ and the shares $S_1,\dots,S_5$.]

Many secret sharing schemes are constructed by finite geometry. For example one can use arcs to construct a $k$-out-of-$n$ secret sharing scheme.

Example 8 Let $\pi$ be a hyperplane of $PG(k,q)$ and let $P_0,\dots,P_n$ be an $(n+1)$-arc in $\pi$. Let $l$ be a line of $PG(k,q)$ with $l\cap\pi=\{P_0\}$. The participant number $i$ ($1\le i\le n$) gets the point $P_i$ as his share. All participants are told that the secret point $P_0$ lies on $l$, but the hyperplane $\pi$ is kept secret by the dealer.

Fewer than $k$ participants see the following: their shares $P_1,\dots,P_i$ ($i<k$) span an $(i-1)$-dimensional space skew to $l$. For every point $P\in l$ there exists a hyperplane with an arc containing $P,P_1,\dots,P_i$. Thus there is no way to decide which point of $l$ is the secret $P_0$. At least $k$ participants can compute the span $\langle P_1,\dots,P_k\rangle=\pi$ with their shares. The secret point $P_0$ is computed as $\pi\cap l$. Thus we have constructed a $k$-out-of-$n$ secret sharing scheme.

One can consider more complex access structures. For example, we want that three staff members together can open the vault, but also two senior staff members alone can open the vault. Definition 7 formalises the idea of an access structure.

Definition 7 Let $P$ be a set of persons. An access structure is a subset $\Gamma$ of $\mathcal{P}(P)$ with the property $A\in\Gamma\Rightarrow B\in\Gamma$ for every $B\supseteq A$.

Example 8 shows how to realise a $k$-out-of-$n$ access structure with finite geometry. We want to generalise this example. The secret and the shares should be subspaces of a finite projective space $PG(n,q)$. As in Example 8, the reconstruction of the secret should be done by computing the span of the shares. This leads to the following definition.

Definition 8 Let $\Gamma$ be an access structure for the person set $P$. A subspace configuration for $\Gamma$ is a set of subspaces $S_p$, with $p\in P$, and a secret space $S$ with the properties
$$S\cap\langle S_p\mid p\in A\rangle=\emptyset\ \text{ for all } A\notin\Gamma,\qquad S\subseteq\langle S_p\mid p\in A\rangle\ \text{ for all } A\in\Gamma.$$

Theorem 13 (Ito, Saito and Nishizeki [16]) Let $\Gamma$ be an access structure. Then there exists a subspace configuration realising $\Gamma$ in $PG(d,q)$, for $d$ large enough.

Proof. Let $\mathcal{U}=\{U_0,\dots,U_d\}$ be the set of maximal unauthorised sets of $\Gamma$. (A set $A\notin\Gamma$ is maximal unauthorised if every proper superset $B\supsetneq A$ is in $\Gamma$.) We will construct a subspace configuration for $\Gamma$ in $PG(d,q)$. Let $e_i$, the $i$-th unit vector, correspond to the set $U_i$. For $p\in P$, define $S_p=\langle e_i\mid p\notin U_i\rangle$ and let $S=\langle(1,\dots,1)\rangle$.

An unauthorised set of persons $U$ is contained in at least one maximal unauthorised set $U_i$. By construction, $e_i\notin\langle S_p\mid p\in U\rangle$, and hence $\langle S_p\mid p\in U\rangle$, being spanned by unit vectors other than $e_i$, cannot contain $S=\langle(1,\dots,1)\rangle$, i.e. the secret is not reconstructed. If $Q$ is a qualified set of persons then for every maximal unauthorised set $U_i$, $Q$ contains a person $p_i$ not in $U_i$. Hence, $e_i\in S_{p_i}\subseteq\langle S_p\mid p\in Q\rangle$ for every $i$. This proves that $S=\langle(1,\dots,1)\rangle\subseteq\langle S_p\mid p\in Q\rangle$, i.e. the persons from $Q$ can reconstruct the secret.

For further applications of finite geometry in secret sharing, see [17].

Secret sharing schemes can also be constructed by error-correcting codes.

Example 9 (McEliece and Sarwate [24]) Let $C$ be an $[n+1,k,n-k+2]_q$ MDS code. For a secret $c_0\in\mathbb{F}_q$, the dealer creates a codeword $c=(c_0,c_1,\dots,c_n)\in C$. The share of participant number $i$ is the symbol $c_i$.

Since $C$ is an MDS code with minimum distance $n-k+2$, the codeword $c$ can be uniquely reconstructed if only $k$ symbols are known. So any set of $k$ persons can compute the secret $c_0$. On the other hand, fewer than $k$ persons do not learn anything about the secret, since for every possible secret $c_0'$ the same number of codewords exist that fit both $c_0'$ and their shares. This is an alternative description of the $k$-out-of-$n$ secret sharing scheme from Example 8. The use of error-correcting codes for describing secret sharing schemes motivates the following definition.
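As an added worked example (not from the paper), Shamir's scheme of Example 7 and its MDS-codeword reading of Example 9 side by side: the dealer's polynomial is evaluated at $0,1,\dots,n$, giving a codeword of an $[n+1,k]$ Reed-Solomon code whose first symbol is the secret; any $k$ symbols recover the whole codeword, and an exhaustive count shows that $k-1$ shares are consistent with every secret equally often. The field $\mathbb{F}_{11}$, $k=3$ and $n=5$ are constructed parameters.

```python
# Added example: Shamir's scheme (Example 7) as an MDS codeword (Example 9).
# F_P, K and N are constructed sample parameters, not values from the paper.
from itertools import product
import random

P = 11   # prime field F_11
K = 3    # threshold: f has degree at most K - 1
N = 5    # participants; participant i holds f(i), and i = 1..N are all nonzero


def eval_poly(coeffs, x):
    """Horner evaluation of sum_j coeffs[j] * x^j in F_P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def make_shares(secret, seed=0):
    """Dealer: f(0) = secret, the remaining K-1 coefficients are random.
    Returns the codeword (c_0, ..., c_N) = (f(0), f(1), ..., f(N)) of the
    [N+1, K] Reed-Solomon code; c_0 is the secret, c_i the share of participant i."""
    rng = random.Random(seed)
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(K - 1)]
    return [eval_poly(coeffs, x) for x in range(N + 1)]


def lagrange_at(points, x0):
    """Value at x0 of the unique polynomial of degree < len(points) through the
    (x, y) pairs in `points`: the interpolation step of Example 7."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P   # pow(den, -1, P) = den^-1
    return total


def reconstruct_secret(shares):
    """shares: {participant i: c_i}.  Any K shares determine f and hence f(0)."""
    if len(shares) < K:
        raise ValueError("fewer than K shares: the secret is not determined")
    return lagrange_at(list(shares.items())[:K], 0)


def erasure_decode(known):
    """MDS erasure decoding of Example 9: any K known symbols of the codeword
    (positions 0..N) determine all N+1 symbols."""
    points = list(known.items())[:K]
    return [lagrange_at(points, x) for x in range(N + 1)]


def consistent_secret_counts(partial):
    """For k' < K shares, count for every candidate secret y the polynomials of
    degree < K through the shares and (0, y).  Example 7 predicts P^(K-k'-1)
    for each y, i.e. a flat distribution: the shares reveal nothing about f(0)."""
    counts = {y: 0 for y in range(P)}
    for coeffs in product(range(P), repeat=K):          # all P^K polynomials
        if all(eval_poly(coeffs, x) == y for x, y in partial.items()):
            counts[coeffs[0]] += 1                       # coeffs[0] = f(0)
    return counts


if __name__ == "__main__":
    cw = make_shares(7, seed=2024)
    print("codeword (secret, shares):", cw)
    print("secret from participants 2, 4, 5:",
          reconstruct_secret({2: cw[2], 4: cw[4], 5: cw[5]}))
    print("consistent secrets given shares 1 and 3:",
          consistent_secret_counts({1: cw[1], 3: cw[3]}))
```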


Definition 9 (Massey [23]) The support of a word $c\in\mathbb{F}_q^n$ is defined by $\operatorname{sup}(c)=\{i\mid c_i\neq0\}$. Let $C$ be a linear code. A nonzero codeword $c\in C$ is called minimal if
$$\forall c'\in C:\ \operatorname{sup}(c')\subseteq\operatorname{sup}(c)\ \Rightarrow\ c'=\lambda c\ \text{ for some }\lambda\in\mathbb{F}_q.$$

Lemma 2 (Massey [23]) Let $C$ be an $[n+1,k]_q$-code. A secret sharing scheme is constructed from $C$ by choosing a codeword $c=(c_0,\dots,c_n)$. The secret is $c_0$ and the shares of the participants are the coordinates $c_i$ ($1\le i\le n$). The minimal qualified sets of the secret sharing scheme correspond to the minimal codewords of the dual code $C^\perp$ with 0 in their supports.

Proof. Suppose the set $\{1,\dots,k\}$ is a qualified set. This means that $c_0$ can be determined from $c_1,\dots,c_k$, i.e. there exist constants $a_1,\dots,a_k$ with
$$c_0=a_1c_1+\cdots+a_kc_k,\tag{3}$$

which means that $(1,-a_1,\dots,-a_k,0,\dots,0)$ is a codeword of $C^\perp$ with 0 in its support. On the other hand, a codeword of $C^\perp$ with 0 in its support gives an equation of type (3) and hence its support, minus the zero position, defines a qualified set of participants.

3.2. Authentication codes

Consider the following cryptographic problem: Alice wants to send Bob a message $m$. Perhaps an attacker intercepts the message and sends an altered message to Bob. How can Bob be sure that the message he gets is the correct one? One solution is that Alice and Bob agree on a secret key $K$. Alice computes an authentication tag $e_K(m)$ and sends $m\,\|\,e_K(m)$ to Bob. Then Bob can check that the authentication tag fits the message and, since the key $K$ is private, he knows that Alice has computed $e_K(m)$. This leads to:

Definition 10 A message authentication code (MAC) is a 4-tuple $(\mathcal{S},\mathcal{A},\mathcal{K},\mathcal{E})$ with
1. $\mathcal{S}$ a finite set of source states (messages),
2. $\mathcal{A}$ a finite set of authentication tags,
3. $\mathcal{K}$ a finite set of keys,
4. for each $K\in\mathcal{K}$, an authentication rule $e_K\in\mathcal{E}$ with $e_K:\mathcal{S}\to\mathcal{A}$.
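The following added Python example (not part of the paper) makes Lemma 2 above computable for small codes: it enumerates the dual code by brute force, filters the minimal codewords of Definition 9 whose support contains position 0, and compares the resulting minimal qualified sets with a direct check of which coordinate sets determine $c_0$. The two generator matrices (a binary $[4,2]$ code and the $[4,2]$ Reed-Solomon code over $\mathbb{F}_7$ behind a 2-out-of-3 Shamir scheme) are constructed inputs.

```python
# Added example: Lemma 2 (Massey) by brute force for small codes over a prime field F_p.
# G_BIN and G_RS are constructed sample generator matrices, not codes from the paper.
from itertools import product


def dual_code(G, p):
    """All words of length n orthogonal to every row of G (brute force over p^n words)."""
    n = len(G[0])
    return [v for v in product(range(p), repeat=n)
            if all(sum(a * b for a, b in zip(v, row)) % p == 0 for row in G)]


def codewords(G, p):
    """All p^k linear combinations of the rows of G, i.e. the code C itself."""
    k, n = len(G), len(G[0])
    return [tuple(sum(l * G[i][j] for i, l in enumerate(lam)) % p for j in range(n))
            for lam in product(range(p), repeat=k)]


def support(c):
    return frozenset(i for i, x in enumerate(c) if x)


def is_minimal(c, code, p):
    """Definition 9: c is minimal if every codeword whose support lies inside
    sup(c) is a scalar multiple of c."""
    sc = support(c)
    multiples = {tuple(l * x % p for x in c) for l in range(p)}
    return any(c) and all(d in multiples for d in code if support(d) <= sc)


def minimal_qualified_sets(G, p):
    """Lemma 2: the minimal qualified sets are the supports, without position 0,
    of the minimal codewords of the dual code that have 0 in their support."""
    dual = dual_code(G, p)
    return {support(c) - {0} for c in dual if c[0] and is_minimal(c, dual, p)}


def determines_secret(G, p, positions):
    """Direct check, independent of Lemma 2: the coordinates in `positions`
    determine c_0 for every codeword iff no codeword has c_0 != 0 while
    vanishing on all of `positions`."""
    return not any(c[0] and all(c[j] == 0 for j in positions) for c in codewords(G, p))


# Constructed sample 1: a binary [4,2] code; participants 1..3, secret in position 0.
G_BIN = [[1, 1, 0, 1],
         [0, 0, 1, 1]]
# Constructed sample 2: the [4,2] Reed-Solomon code over F_7 evaluated at 0,1,2,3
# (Shamir's 2-out-of-3 scheme); rows are the polynomials 1 and x.
G_RS = [[1, 1, 1, 1],
        [0, 1, 2, 3]]

if __name__ == "__main__":
    for name, G, p in (("binary", G_BIN, 2), ("RS over F_7", G_RS, 7)):
        sets = minimal_qualified_sets(G, p)
        print(name, "minimal qualified sets:", sorted(sorted(s) for s in sets))
        for s in sets:   # cross-check with the direct definition of "qualified"
            assert determines_secret(G, p, s)
            assert all(not determines_secret(G, p, s - {j}) for j in s)
```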

The security of a MAC is measured by the following probabilities.

Definition 11 Let $p_i$ denote the probability that an attacker constructs a valid pair $(s,e_K(s))$ without knowledge of the key $K$, if he only knows $i$ different pairs $(s_j,e_K(s_j))$. The smallest value $r$ for which $p_{r+1}=1$ is called the order of the scheme.


For $r=1$, the probability $p_0$ is also known as the probability of an impersonation attack and the probability $p_1$ is called the probability of a substitution attack.

Example 10 Let $\pi$ be a projective plane of order $q$ and let $l$ be a line of $\pi$. The possible messages are the points of $l$. As keys we take the points in the affine plane $\pi\setminus l$, and as authentication tag $e_K(s)$ we take the line through the message $s$ and the key $K$. If an attacker wants to create a message $(s,e_K(s))$ without knowing the key $K$, he must guess an affine line through $s$. There are $q$ possibilities, i.e. the chance for an impersonation attack is $\frac1q$. If the attacker already knows an authenticated message $(s',e_K(s'))$, he knows that the key $K$ must lie on the line $e_K(s')$. But for every one of the $q$ affine points on that line there exists a line through $s$. So he cannot do better than guess the key on $e_K(s')$, which gives a probability of $\frac1q$ for a successful substitution attack.

In the following we will generalise Example 10 and show that it is optimal. One can bound the number of keys by the attack probabilities. For $r=1$ and $p_0=p_1$, it is stated in [8], and for arbitrary $r$ with $p_0=p_1=\cdots=p_r$, it was proven in [7].

Theorem 14 If a MAC has attack probabilities $p_i=1/n_i$ ($0\le i\le r$), then $|\mathcal{K}|\ge n_0\cdots n_r$.

Proof. Suppose that we send the messages $(s_1,e_K(s_1)),\dots,(s_r,e_K(s_r))$. Let $\mathcal{K}_i$ be the set of all keys which give the same authentication tags for the first $i$ messages, i.e.
$$\mathcal{K}_i=\{K'\in\mathcal{K}\mid e_{K'}(s_j)=e_K(s_j)\text{ for }j\le i\}.$$
By definition, we have $\mathcal{K}_0=\mathcal{K}$. Formally, we define $\mathcal{K}_{r+1}=\{K\}$. An attacker who knows the first $i$ messages can create a false signature by guessing a key $K'\in\mathcal{K}_i$ and computing $e_{K'}(s_{i+1})$. The attack is successful if $K'\in\mathcal{K}_{i+1}$. Therefore
$$p_i\ \ge\ \frac{|\mathcal{K}_{i+1}|}{|\mathcal{K}_i|}.$$

Multiplying these inequalities proves the theorem.

A MAC that satisfies this theorem with equality is called perfect. A geometrical construction of perfect MACs uses generalised dual arcs [18, 19].

Definition 12 A generalised dual arc $\mathcal{D}$ of order $l$ with dimensions $d_1>d_2>\cdots>d_{l+1}$ of $PG(n,q)$ is a set of subspaces of dimension $d_1$ such that:
1. each $j$ of these subspaces intersect in a subspace of dimension $d_j$, $1\le j\le l+1$,
2. each $l+2$ of these subspaces have no common intersection.
We call $(n,d_1,\dots,d_{l+1})$ the parameters of the dual arc.
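As an added example (not from the paper), the MAC of Example 10 above in $PG(2,5)$: messages are the points of the line $X_2=0$, keys the affine points, and the tag is the joining line. The impersonation and substitution probabilities of Definition 11 are computed by exhausting every attacker strategy, and the key count is compared with the bound of Theorem 14. The choice $q=5$ is a constructed parameter.

```python
# Added example: the projective-plane MAC of Example 10 for q = 5 (constructed parameter),
# with p_0, p_1 and the Theorem 14 bound checked by exhaustive search.
from fractions import Fraction
from itertools import product

Q = 5   # a prime, so coordinates are integers mod Q


def normalize(v):
    """Homogeneous coordinates: scale so that the first nonzero entry is 1."""
    for x in v:
        if x % Q:
            inv = pow(x, -1, Q)
            return tuple(c * inv % Q for c in v)
    raise ValueError("zero vector")


def incident(point, line):
    """Point (x0:x1:x2) lies on line [a0:a1:a2] iff a0 x0 + a1 x1 + a2 x2 = 0."""
    return sum(a * b for a, b in zip(point, line)) % Q == 0


def join(u, v):
    """Line through two distinct points (cross product of their coordinate vectors)."""
    return normalize((u[1] * v[2] - u[2] * v[1],
                      u[2] * v[0] - u[0] * v[2],
                      u[0] * v[1] - u[1] * v[0]))


L = (0, 0, 1)                                           # the line X_2 = 0
MESSAGES = sorted({normalize((x, y, 0))                 # its q + 1 points
                   for x, y in product(range(Q), repeat=2) if (x, y) != (0, 0)})
KEYS = [(x, y, 1) for x, y in product(range(Q), repeat=2)]   # the q^2 affine points


def tag(s, K):
    """e_K(s): the line through message s and key K."""
    return join(s, K)


def impersonation_probability():
    """p_0: with no observed pair, the attacker picks a message s and one of the
    affine lines through s; the forgery succeeds iff the true key lies on it."""
    best = Fraction(0)
    for s in MESSAGES:
        for t in {tag(s, K) for K in KEYS}:
            hits = sum(1 for K in KEYS if incident(K, t))
            best = max(best, Fraction(hits, len(KEYS)))
    return best


def substitution_probability():
    """p_1: after seeing (s1, t1) the key is known to lie on t1; the attacker forges
    a tag t2 for another message s2 and wins iff the key is also on t2."""
    best = Fraction(0)
    for s1 in MESSAGES:
        for t1 in {tag(s1, K) for K in KEYS}:
            consistent = [K for K in KEYS if incident(K, t1)]
            for s2 in MESSAGES:
                if s2 == s1:
                    continue
                for t2 in {tag(s2, K) for K in KEYS}:
                    hits = sum(1 for K in consistent if incident(K, t2))
                    best = max(best, Fraction(hits, len(consistent)))
    return best


def is_perfect():
    """Theorem 14: |K| >= n_0 n_1 with p_i = 1/n_i; equality means the MAC is perfect."""
    n0, n1 = 1 / impersonation_probability(), 1 / substitution_probability()
    return Fraction(len(KEYS)) == n0 * n1


if __name__ == "__main__":
    print("messages:", len(MESSAGES), "keys:", len(KEYS))
    print("p_0 =", impersonation_probability(), " p_1 =", substitution_probability())
    print("perfect:", is_perfect())
```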


Let $PG(W)$ be a $\bigl(\binom{n+d+1}{d+1}-1\bigr)$-dimensional space with basis $e_{i_0,\dots,i_d}$ ($0\le i_0\le i_1\le\cdots\le i_d\le n$). To simplify notation, we will write $e_{i_0,\dots,i_d}$ with $0\le i_0,\dots,i_d\le n$ when we mean the vector $e_{i_{\sigma(0)},\dots,i_{\sigma(d)}}$, where $\sigma$ is a permutation with $0\le i_{\sigma(0)}\le i_{\sigma(1)}\le\cdots\le i_{\sigma(d)}\le n$. Let $\varphi:V^{d+1}\to W$ be the multilinear mapping
$$\varphi:\Bigl(\sum_{i_0=0}^{n}x^{(0)}_{i_0}e_{i_0},\ \dots,\ \sum_{i_d=0}^{n}x^{(d)}_{i_d}e_{i_d}\Bigr)\ \mapsto\ \sum_{0\le i_0,\dots,i_d\le n}x^{(0)}_{i_0}\cdots x^{(d)}_{i_d}\,e_{i_0,\dots,i_d}.\tag{4}$$

For each point $P=[x]$ of $PG(V)$, we define a subspace $D(P)$ of $PG(W)$ by
$$D(P)=\langle\varphi(x,v_1,\dots,v_d)\mid v_1,\dots,v_d\in V\rangle.\tag{5}$$

Theorem 15 The set $\mathcal{D}=\{D(P)\mid P\in PG(V)\}$ is a generalised dual arc with dimensions $d_i=\binom{n+d+1-i}{d+1-i}-1$, $i=0,\dots,d+1$.

Proof. Since $\varphi$ is multilinear, we get
$$D(P_0)\cap\cdots\cap D(P_{k-1})=\langle\varphi(x_0,\dots,x_{k-1},v_k,\dots,v_d)\mid v_k,\dots,v_d\in V\rangle$$
and hence $\dim\bigl(D(P_0)\cap\cdots\cap D(P_{k-1})\bigr)=\binom{n+d+1-k}{d+1-k}-1$. (The $-1$ is because the projective dimension is one less than the vector space dimension.)

The link between dual arcs and MACs is:

Theorem 16 Let $\pi$ be a hyperplane of $PG(n+1,q)$ and let $\mathcal{D}$ be a generalised dual arc of order $l$ in $\pi$ with parameters $(n,d_1,\dots,d_{l+1})$. The elements of $\mathcal{D}$ are the messages and the points of $PG(n+1,q)$ not in $\pi$ are the keys. The authentication tag that belongs to a message and a key is the generated $(d_1+1)$-dimensional subspace. This defines a perfect MAC of order $r=l+1$ with attack probabilities $p_i=q^{d_{i+1}-d_i}$.

Proof. After $i$ message-tag pairs $(m_1,t_1),\dots,(m_i,t_i)$ are sent, the attacker knows that the key must lie in the $(d_i+1)$-dimensional space $\sigma=t_1\cap\cdots\cap t_i$. This space contains $q^{d_i+1}$ different keys. A message $m_{i+1}$ intersects $m_1\cap\cdots\cap m_i$ in a $d_{i+1}$-dimensional space $\sigma'$. Two keys $K$ and $K'$ generate the same authentication tag if and only if $K$ and $K'$ generate together with $\sigma'$ the same $(d_{i+1}+1)$-dimensional space. Thus the keys form groups of size $q^{d_{i+1}+1}$, and keys from the same group give the same authentication tag. The attacker has to guess a group. The probability to guess the correct group is $p_i=q^{d_{i+1}+1}/q^{d_i+1}$.


3.3. AES

In 1997 the American National Institute of Standards and Technology started a competition to design a successor for the old Data Encryption Standard DES. In 2000 the proposal of J. Daemen and V. Rijmen was selected as the new Advanced Encryption Standard AES [4]. AES works on 128-bit words which are interpreted as $4\times4$ matrices over the field $\mathbb{F}_{256}$. The non-linear part of the AES substitution replaces every matrix element by its inverse in $\mathbb{F}_{256}$. Another part of the AES is the mix column step, which has a link to coding theory. The purpose of this step is to spread a change in the input (diffusion). The input of the mix column step is a vector of four bytes $(a_1,\dots,a_4)$ and its output are four bytes $(b_1,\dots,b_4)$. It should have the following properties:
1. Implementation of the mix column step should be simple and fast.
2. It should have optimal diffusion (a difference in $k$ input bytes, $1\le k\le4$, should result in a difference in at least $5-k$ output bytes).

To satisfy the first condition the designers chose the mix column step to be a linear mapping, i.e. mix column is done by
$$\begin{pmatrix}b_1\\b_2\\b_3\\b_4\end{pmatrix}=\begin{pmatrix}m_{1,1}&m_{1,2}&m_{1,3}&m_{1,4}\\ m_{2,1}&m_{2,2}&m_{2,3}&m_{2,4}\\ m_{3,1}&m_{3,2}&m_{3,3}&m_{3,4}\\ m_{4,1}&m_{4,2}&m_{4,3}&m_{4,4}\end{pmatrix}\begin{pmatrix}a_1\\a_2\\a_3\\a_4\end{pmatrix}.$$
To satisfy the second property, every square submatrix of $M=(m_{i,j})$ must be non-singular. This is equivalent to
$$\begin{pmatrix}1&0&0&0&m_{1,1}&m_{1,2}&m_{1,3}&m_{1,4}\\ 0&1&0&0&m_{2,1}&m_{2,2}&m_{2,3}&m_{2,4}\\ 0&0&1&0&m_{3,1}&m_{3,2}&m_{3,3}&m_{3,4}\\ 0&0&0&1&m_{4,1}&m_{4,2}&m_{4,3}&m_{4,4}\end{pmatrix}$$
being the parity check matrix of an $[8,4,5]$ MDS code over $\mathbb{F}_{256}$. Any MDS code would do the job. The designers of AES chose the following matrix:
$$\begin{pmatrix}b_1\\b_2\\b_3\\b_4\end{pmatrix}=\begin{pmatrix}\alpha&\alpha+1&1&1\\ 1&\alpha&\alpha+1&1\\ 1&1&\alpha&\alpha+1\\ \alpha+1&1&1&\alpha\end{pmatrix}\begin{pmatrix}a_1\\a_2\\a_3\\a_4\end{pmatrix},$$
where $\alpha$ is a root of $x^8+x^4+x^3+x+1$. The simple structure of AES mix columns has some additional advantages for the implementation. We have $b_1=f(a_1,a_2,a_3,a_4)$, $b_2=f(a_2,a_3,a_4,a_1)$, $b_3=f(a_3,a_4,a_1,a_2)$ and $b_4=f(a_4,a_1,a_2,a_3)$. Thus we must implement only one linear function $f:\mathbb{F}_{256}^4\to\mathbb{F}_{256}$,
$$f(a_1,a_2,a_3,a_4)=\alpha(a_1+a_2)+(a_2+a_3+a_4).$$
Addition in $\mathbb{F}_{256}$ is just a bitwise XOR. This is a cheap operation. The only difficult operation is the multiplication with $\alpha$. Most AES implementations do this operation by a table look-up.

Remark 1 This concludes this article describing applications of finite geometry in coding theory and cryptography, and also ideas from coding theory applied to cryptography. For all three research areas, we have given standard references. For a survey article containing a large number of tables with results on substructures in finite geometry, we refer to [14], and for a collected work describing current research topics in finite geometry and their applications in coding theory and cryptography, we refer to [1]. This latter collected work can guide interested readers to research in finite geometry and its applications, enabling them to contribute to finite geometry and its applications.
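The following Python example is added here and is neither the paper's nor the AES designers' code: it implements $\mathbb{F}_{256}$ with $\alpha$ a root of $x^8+x^4+x^3+x+1$, the mix column map of Section 3.3 both as the single function $f$ and as the matrix $M$, and verifies the MDS property the text derives (every square submatrix of $M$ non-singular) together with the branch number 5 it implies. The input columns used for checking are sample values.

```python
# Added example: F_256 arithmetic and the mix column step of Section 3.3, with the
# MDS check described in the text.  Not the paper's or the AES designers' code.
from itertools import combinations
import random

POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of F_256 used by AES

def gf_mul(a, b):
    """Multiplication in F_256 = F_2[x] / (POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """a^254 = a^-1 for a != 0: the non-linear part of the AES substitution."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def xtime(a):
    """Multiplication by alpha = x: a shift plus a conditional reduction."""
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def f(a1, a2, a3, a4):
    """f(a1, a2, a3, a4) = alpha (a1 + a2) + (a2 + a3 + a4); addition is XOR."""
    return xtime(a1 ^ a2) ^ a2 ^ a3 ^ a4

def mix_column(col):
    """b_1 .. b_4 are f applied to the cyclic shifts of (a_1, .., a_4)."""
    a1, a2, a3, a4 = col
    return [f(a1, a2, a3, a4), f(a2, a3, a4, a1), f(a3, a4, a1, a2), f(a4, a1, a2, a3)]

ALPHA = 0x02   # the root alpha of POLY as a byte
M = [[ALPHA, ALPHA ^ 1, 1, 1],
     [1, ALPHA, ALPHA ^ 1, 1],
     [1, 1, ALPHA, ALPHA ^ 1],
     [ALPHA ^ 1, 1, 1, ALPHA]]

def mix_column_matrix(col):
    """The same map written as b = M a over F_256."""
    out = []
    for row in M:
        acc = 0
        for m, a in zip(row, col):
            acc ^= gf_mul(m, a)
        out.append(acc)
    return out

def gf_det(mat):
    """Determinant over F_256 by Gaussian elimination (no sign in characteristic 2)."""
    m = [row[:] for row in mat]
    n, det = len(m), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c]), None)
        if piv is None:
            return 0
        m[c], m[piv] = m[piv], m[c]
        det = gf_mul(det, m[c][c])
        inv = gf_inv(m[c][c])
        for r in range(c + 1, n):
            if m[r][c]:
                fac = gf_mul(m[r][c], inv)
                m[r] = [x ^ gf_mul(fac, y) for x, y in zip(m[r], m[c])]
    return det

def is_mds(mat):
    """Every square submatrix non-singular, i.e. (I | mat) is the parity check
    matrix of an [8, 4, 5] MDS code over F_256 (optimal diffusion)."""
    n = len(mat)
    return all(gf_det([[mat[i][j] for j in cols] for i in rows]) != 0
               for r in range(1, n + 1)
               for rows in combinations(range(n), r)
               for cols in combinations(range(n), r))

def min_branch_weight(samples=2000, seed=1):
    """Smallest (active input bytes + active output bytes) over every single-byte
    difference and `samples` random multi-byte ones.  The map is linear, so the
    output difference is mix_column of the input difference; MDS predicts 5."""
    rng = random.Random(seed)
    diffs = [[v if i == pos else 0 for i in range(4)] for pos in range(4) for v in range(1, 256)]
    diffs += [[rng.randrange(256) for _ in range(4)] for _ in range(samples)]
    active = lambda vec: sum(1 for x in vec if x)
    return min(active(d) + active(mix_column(d)) for d in diffs if any(d))
```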

References

[1] J. De Beule and L. Storme, editors. Current Research Topics in Galois Geometry. Nova Academic Publishers, to appear.
[2] R.C. Bose and R.C. Burton. A characterization of flat spaces in a finite projective geometry and the uniqueness of the Hamming and the Macdonald codes. J. Comb. Theory, 1:96–104, 1966.
[3] R.A. Brualdi, V.S. Pless, and R.M. Wilson. Short codes with a given covering radius. IEEE Trans. Inform. Theory, 35:99–109, 1989.
[4] J. Daemen and V. Rijmen. The Design of Rijndael, AES - The Advanced Encryption Standard. Information Security and Cryptography. Springer Verlag, 2002.
[5] A.A. Davydov. Constructions and families of covering codes and saturated sets of points in projective geometry. IEEE Trans. Inform. Theory, 41(6, part 2):2071–2080, 1995.
[6] A.A. Davydov and P. Östergård. On saturating sets in small projective geometries. European J. Combin., 21:563–570, 2000.
[7] V. Fåk. Repeated use of codes which detect deception. IEEE Trans. Inform. Theory, IT-25(2):233–234, 1979.
[8] E.N. Gilbert. Codes which detect deception. The Bell System Technical Journal, 53(3):405–421, 1974.
[9] J.H. Griesmer. A bound for error correcting codes. IBM J. Res. Develop., 4:532–542, 1960.
[10] N. Hamada and T. Helleseth. A characterization of some $q$-ary codes ($q>(h-1)^2$, $h\ge3$) meeting the Griesmer bound. Math. Japon., 38:925–939, 1993.
[11] N. Hamada and T. Maekawa. A characterization of some $q$-ary linear codes ($q>(h-1)^2$, $h\ge3$) meeting the Griesmer bound. II. Math. Japon., 46:241–252, 1997.
[12] J.W.P. Hirschfeld. Finite Projective Spaces of Three Dimensions. The Clarendon Press, Oxford University Press, 1985.
[13] J.W.P. Hirschfeld. Projective geometries over finite fields. Oxford Mathematical Monographs. The Clarendon Press, Oxford University Press, New York, second edition, 1998.
[14] J.W.P. Hirschfeld and L. Storme. The packing problem in statistics, coding theory and finite projective spaces: update 2001. In Finite Geometries, Proceedings of the Fourth Isle of Thorns Conference (Chelwood Gate, July 16-21, 2000) (Eds. A. Blokhuis, J.W.P. Hirschfeld, D. Jungnickel and J.A. Thas), Developments in Mathematics, volume 3, pages 201–246. Kluwer Academic Publishers, 2001.
[15] J.W.P. Hirschfeld and J.A. Thas. General Galois geometries. Oxford Mathematical Monographs. The Clarendon Press, Oxford University Press, New York, 1991.
[16] M. Ito, A. Saito, and T. Nishizeki. Secret sharing schemes realizing general access structure. J. Cryptology, 6:15–20, 1993.
[17] W.-A. Jackson, K.M. Martin, and C.M. O'Keefe. Geometrical contributions to secret sharing theory. J. Geom., 79:102–133, 2004.
[18] A. Klein, J. Schillewaert, and L. Storme. Generalised dual arcs and Veronesean surfaces, with applications to cryptography. J. Combin. Theory, Ser. A, 116:684–698, 2009.
[19] A. Klein, J. Schillewaert, and L. Storme. Generalised Veroneseans. Adv. Geom., submitted.
[20] J.H. van Lint. Introduction to Coding Theory. Springer-Verlag, 3rd edition, 1998.
[21] F.J. MacWilliams and N.J.A. Sloane. The theory of error correcting codes, volume 16 of North-Holland Mathematical Library. North-Holland, Amsterdam, London, New York, Tokyo, 1977.
[22] T. Maruta. On the Achievement of the Griesmer Bound. Des. Codes Cryptogr., 12:83–87, 1997.
[23] J.L. Massey. Minimal codewords and secret sharing. In Proceedings of the 6th Joint Swedish-Russian International Workshop on Information Theory, pages 276–279, 1993.
[24] R.J. McEliece. On sharing secrets and Reed-Solomon codes. Comm. ACM, 24:583–584, 1981.
[25] V.S. Pless, W.C. Huffman, and R.A. Brualdi, editors. Handbook of coding theory. Vol. I, II. North-Holland, Amsterdam, 1998.
[26] I.S. Reed and G. Solomon. Polynomial codes over certain finite fields. J. SIAM, 8:300–304, 1960.
[27] B. Segre. Curve razionali normali e $k$-archi negli spazi finiti. Ann. Mat. Pura Appl. (4), 39:357–379, 1955.
[28] A. Shamir. How to share a secret. Comm. ACM, 22:612–613, 1979.
[29] R.C. Singleton. Maximum distance $q$-ary codes. IEEE Trans. Inform. Theory, 10:116–118, 1964.
[30] G. Solomon and J.J. Stiffler. Algebraically punctured cyclic codes. Inform. and Control, 8:170–179, 1965.
[31] L. Storme. Completeness of normal rational curves. J. Algebraic Combin., 1:197–202, 1992.
[32] J.A. Thas. Normal rational curves and $k$-arcs in Galois spaces. Rend. Mat. (6), 1:331–334, 1968.

Information Security, Coding Theory and Related Combinatorics. D. Crnković and V. Tonchev (Eds.). IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-59


T. SHASKA², Department of Mathematics, Oakland University
L. BESHAJ³, Department of Mathematics, University of Vlora

Abstract. Genus 2 curves have been an object of much mathematical interest since the eighteenth century and continue to attract interest to date. They have become an important tool in many algorithms in cryptographic applications, such as factoring large numbers, hyperelliptic curve cryptography, etc. Choosing genus 2 curves suitable for such applications is an important step of such algorithms. In existing algorithms such curves are often chosen using equations of moduli spaces of curves with decomposable Jacobians or Humbert surfaces. In these lectures we will cover basic properties of genus 2 curves, moduli spaces of $(n,n)$-decomposable Jacobians and Humbert surfaces, modular polynomials of genus 2, Kummer surfaces, theta-functions and the arithmetic on the Jacobians of genus 2, and their applications to cryptography. The lectures are intended for graduate students in algebra, cryptography, and related areas.

Keywords. genus two curves, moduli spaces, hyperelliptic curve cryptography, modular polynomials

1. Introduction

Genus 2 curves are an important tool in many algorithms in cryptographic applications, such as factoring large numbers, hyperelliptic curve cryptography, etc. Choosing such genus 2 curves is an important step of such algorithms. One of the techniques in counting such points explores genus 2 curves with decomposable Jacobians. All curves of genus 2 with decomposable Jacobians of a fixed level lie on a Humbert surface. Humbert surfaces of level $n=3,5,7$ are the only explicitly computed surfaces and are computed by the first author in [61], [63], [49]. In these lectures we will cover basic properties of genus 2 curves, moduli spaces of $(n,n)$-decomposable Jacobians, Humbert surfaces of discriminant $n^2$,

¹ Notes on three lectures given at the NATO Advanced Study Institute, Information Security and Related Combinatorics, Opatija, Croatia, May 31 - June 10, 2010.
² Corresponding Author: Tanush Shaska, Department of Mathematics and Statistics, Oakland University, Rochester Hills, MI, 48306, USA; E-mail: shaska@oakland.edu
³ The author wants to thank the Department of Mathematics and Statistics at Oakland University for their hospitality during the time in which this paper was written.


modular polynomials of level $N$ for genus 2, Kummer surfaces, theta-functions, and the arithmetic on the Jacobians of genus 2. Our goal is not to discuss genus 2 cryptosystems. Instead, this paper develops and describes mathematical methods which are used in such systems.

In the second section, we discuss briefly invariants of binary sextics, which determine a coordinate on the moduli space $\mathcal{M}_2$. Furthermore, we list the groups that occur as automorphism groups of genus 2 curves.

In section three, we study the description of the locus of genus two curves with fixed automorphism group $G$. Such loci are given in terms of invariants of binary sextics. The stratification of the moduli space $\mathcal{M}_2$ is given in detail. A genus two curve $C$ with automorphism group of order $>4$ usually has an elliptic involution. The only exception from this rule is the curve with automorphism group the cyclic group $C_{10}$. All genus two curves with elliptic involutions have a pair $(E,E')$ of degree 2 elliptic subcovers. We determine the $j$-invariants of such elliptic curves in terms of $C$. The space of genus 2 curves with elliptic involutions is an irreducible 2-dimensional sublocus $\mathcal{L}_2$ of $\mathcal{M}_2$ which is computed explicitly in terms of absolute invariants $i_1,i_2,i_3$ of genus 2 curves. A birational parametrization of $\mathcal{L}_2$ was discovered by the first author in [66] in terms of dihedral invariants $u$ and $v$. Such invariants have later been used by many authors in genus 2 cryptosystems.

In section four, we discuss the theta functions. In the first part of this section we define 16 theta functions and the 4 fundamental theta functions. A description of all the loci of genus two curves with fixed automorphism group $G$ is given in terms of the theta functions. In detail this is first described in [67] and [58].

In section five, we study the genus two curves with decomposable Jacobians. These are the curves with degree $n$ elliptic subcovers. Their Jacobian is isogenous to a pair of degree $n$ elliptic subcovers $(E,E')$. For $n$ odd the space of genus two curves with $(n,n)$-split Jacobians corresponds to the Humbert space of discriminant $n^2$. We state the main result for the case $n=3$ and give a graphical representation of the space. In each case the $j$-invariants of $E$ and $E'$ are determined.

In the last section we describe a Maple package which does computations with genus 2 curves. This package computes several invariants of genus two curves including the automorphism group, the Igusa invariants, the splitting of the Jacobian, the Kummer surface, etc. These lectures will be suitable for graduate students in algebra, cryptography, and related areas who need genus two curves in their research.

Notation: Throughout this paper a genus two curve means a genus two irreducible algebraic curve defined over an algebraically closed field k. Such a curve will be denoted by C and its function field by K = k(C). The fields of complex, rational, and real numbers will be denoted by C, Q, and R respectively. The Jacobian of C will be denoted by Jac(C) and the Kummer surface by K(C), or simply J_C and K_C.

Acknowledgements: The second author wants to thank the Department of Mathematics and Statistics at Oakland University for their hospitality during the time that this paper was written.


2. Preliminaries on genus two curves

Throughout this paper, let k be an algebraically closed field of characteristic zero and C a genus 2 curve defined over k. Then C can be described as a double cover of P^1(k) ramified in 6 places w1, ..., w6. This sets up a bijection between isomorphism classes of genus 2 curves and unordered 6-tuples of distinct points w1, ..., w6 ∈ P^1(k) modulo automorphisms of P^1(k). An unordered 6-tuple {w_i}_{i=1}^6 can be described by a binary sextic (i.e. a homogeneous equation f(X, Z) of degree 6).

2.1. Invariants of binary forms

In this section we define the action of GL2(k) on binary forms and discuss the basic notions of their invariants. Let k[X, Z] be the polynomial ring in two variables and let V_d denote the (d + 1)-dimensional subspace of k[X, Z] consisting of homogeneous polynomials

  f(X, Z) = a0 X^d + a1 X^{d-1} Z + ... + a_d Z^d   (1)

of degree d. Elements of V_d are called binary forms of degree d. We let GL2(k) act as a group of automorphisms on k[X, Z] as follows: if

  M = ( a b ; c d ) ∈ GL2(k), then M · ( X ; Z ) = ( aX + bZ ; cX + dZ ).   (2)

This action of GL2(k) leaves V_d invariant and acts irreducibly on V_d. Let A0, A1, ..., A_d be coordinate functions on V_d. Then the coordinate ring of V_d can be identified with k[A0, ..., A_d]. For I ∈ k[A0, ..., A_d] and M ∈ GL2(k), define I^M ∈ k[A0, ..., A_d] as follows

  I^M(f) := I(M(f))   (3)

for all f ∈ V_d. Then I^{MN} = (I^M)^N and Eq. (3) defines an action of GL2(k) on k[A0, ..., A_d]. A homogeneous polynomial I ∈ k[A0, ..., A_d, X, Z] is called a covariant of index s if I^M(f) = δ^s I(f), where δ = det(M). The homogeneous degree in A0, ..., A_d is called the degree of I, and the homogeneous degree in X, Z is called the order of I. A covariant of order zero is called an invariant. An invariant is an SL2(k)-invariant on V_d. We will use the symbolic method of classical invariant theory to construct covariants of binary forms. Let

  f(X, Z) := Σ_{i=0}^{n} C(n, i) a_i X^{n-i} Z^i,   g(X, Z) := Σ_{i=0}^{m} C(m, i) b_i X^{m-i} Z^i   (4)

be two binary forms of orders n and m. The r-th transvection of f and g is

  (f, g)_r := c_k Σ_{k=0}^{r} (-1)^k C(r, k) · ∂^r f / (∂X^{r-k} ∂Z^k) · ∂^r g / (∂X^k ∂Z^{r-k}),   (5)

where c_k = (m - r)! (n - r)! / (m! n!) (this constant does not depend on k). It is a homogeneous polynomial in k[X, Z] and therefore a covariant of order m + n - 2r and degree 2. In general, the r-transvection of two covariants of order m, n (resp., degree p, q) is a covariant of order m + n - 2r (resp., degree p + q). For the rest of this paper F(X, Z) denotes a binary form of order d := 2g + 2 as below

  F(X, Z) = Σ_{i=0}^{d} a_i X^i Z^{d-i} = Σ_{i=0}^{d} C(d, i) b_i X^i Z^{d-i},   (6)

where b_i = ((d - i)! i! / d!) a_i, for i = 0, ..., d. We denote invariants (resp., covariants) of binary forms by I_s (resp., J_s), where the subscript s denotes the degree (resp., the order).
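As an added illustration of the transvection (5) (this code is not part of the lecture notes or of the Maple package they describe), the following Python routine stores a binary form as a dictionary of monomials with exact rational coefficients and evaluates (5) literally: differentiate, multiply, alternate signs, scale by the constant. Two checks are included, both computed by us from the formula: for a binary quadratic f = aX² + bXZ + cZ² the second transvectant (f, f)_2 has order 0 and equals -(b² - 4ac)/2, a multiple of the discriminant; for the sextic X⁶ - Z⁶ the sixth transvectant (F, F)_6 is the degree 2 invariant -2. All function names are ours.

```python
from fractions import Fraction
from math import comb, factorial

# A binary form in X, Z is stored as {(i, j): coefficient} meaning sum coeff * X^i * Z^j.
# Coefficients are exact Fractions so that the constant c_k of (5) introduces no rounding.

def form_from_coeffs(coeffs):
    """Form a0 X^d + a1 X^(d-1) Z + ... + ad Z^d of eq. (1) from the list [a0, ..., ad]."""
    d = len(coeffs) - 1
    return {(d - k, k): Fraction(a) for k, a in enumerate(coeffs) if a != 0}

def order(f):
    """Degree in X, Z of a homogeneous form (the 'order' of the text); 0 for a constant."""
    return max((i + j for i, j in f), default=0)

def diff(f, dx, dz):
    """Partial derivative d^(dx+dz) f / dX^dx dZ^dz, monomial by monomial."""
    g = {}
    for (i, j), c in f.items():
        if i < dx or j < dz:
            continue  # this monomial is killed by the derivative
        falling = (factorial(i) // factorial(i - dx)) * (factorial(j) // factorial(j - dz))
        key = (i - dx, j - dz)
        g[key] = g.get(key, 0) + c * falling
    return {k: v for k, v in g.items() if v != 0}

def mul(f, g):
    """Product of two forms."""
    h = {}
    for (i1, j1), c1 in f.items():
        for (i2, j2), c2 in g.items():
            key = (i1 + i2, j1 + j2)
            h[key] = h.get(key, 0) + c1 * c2
    return {k: v for k, v in h.items() if v != 0}

def add_scaled(f, g, scale):
    """f + scale * g."""
    h = dict(f)
    for k, v in g.items():
        h[k] = h.get(k, 0) + scale * v
    return {k: v for k, v in h.items() if v != 0}

def transvectant(f, g, r):
    """r-th transvection (f, g)_r of eq. (5):
    c * sum_{k=0}^r (-1)^k C(r, k) d^r f/(dX^(r-k) dZ^k) * d^r g/(dX^k dZ^(r-k)),
    with c = (m-r)! (n-r)! / (m! n!), m = order(f), n = order(g)."""
    m, n = order(f), order(g)
    if r > min(m, n):
        raise ValueError("r must not exceed the orders of f and g")
    c = Fraction(factorial(m - r) * factorial(n - r), factorial(m) * factorial(n))
    total = {}
    for k in range(r + 1):
        term = mul(diff(f, r - k, k), diff(g, k, r - k))
        total = add_scaled(total, term, (-1) ** k * comb(r, k))
    return {key: c * v for key, v in total.items()}

def constant_value(f):
    """Value of a form of order 0 (an invariant); raises if X or Z still occur."""
    if order(f) != 0:
        raise ValueError("form is not an invariant")
    return f.get((0, 0), Fraction(0))

def quadratic_check(a, b, c):
    """(f, f)_2 for f = aX^2 + bXZ + cZ^2 next to the discriminant b^2 - 4ac.
    The transvectant is the invariant -(b^2 - 4ac)/2, so first == -second/2."""
    f = form_from_coeffs([a, b, c])
    return constant_value(transvectant(f, f, 2)), Fraction(b * b - 4 * a * c)

def sextic_self_transvectant(coeffs):
    """(F, F)_6 for a sextic F, an invariant of degree 2 (for X^6 - Z^6 it equals -2)."""
    F = form_from_coeffs(coeffs)
    return constant_value(transvectant(F, F, 6))
```

The order bookkeeping is the useful part in practice: `order(transvectant(f, g, r))` must always come out as m + n - 2r, which is a cheap sanity check on any hand-derived covariant before it is fed into an invariant computation.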

Remark 1. It is an open problem to determine the field of invariants of binary forms of degree d ≥ 7.

2.2. Moduli space of curves

Let M2 denote the moduli space of genus 2 curves. To describe M2 we need to find polynomial functions of the coefficients of a binary sextic f(X, Z) invariant under linear substitutions in X, Z of determinant one. These invariants were worked out by Clebsch and Bolza in the case of zero characteristic and generalized by Igusa for any characteristic different from 2; see [12], [37], or [66] for a more modern treatment. Consider a binary sextic, i.e. a homogeneous polynomial f(X, Z) in k[X, Z] of degree 6:

  f(X, Z) = a6 X^6 + a5 X^5 Z + ... + a0 Z^6.

The Igusa J-invariants {J_{2i}} of f(X, Z) are homogeneous polynomials of degree 2i in k[a0, ..., a6], for i = 1, 2, 3, 5; see [37], [66] for their definitions. Here J10 is simply the discriminant of f(X, Z). It vanishes if and only if the binary sextic has a multiple linear factor. These J_{2i} are invariant under the natural action of SL2(k) on sextics. Dividing such an invariant by another one of the same degree gives an invariant under the GL2(k) action. Two genus 2 curves in the standard form Y² = f(X, 1) are isomorphic if and only if the corresponding sextics are GL2(k)-conjugate. Thus if I is a GL2(k)-invariant (resp., a homogeneous SL2(k)-invariant), then the expression I(C) (resp., the condition I(C) = 0) is well defined. Thus the GL2(k)-invariants are functions on the moduli space M2 of genus 2 curves. This M2 is an affine variety with coordinate ring

  k[M2] = k[a0, ..., a6, J10^{-1}]^{GL2(k)},

which is the subring of degree 0 elements in k[J2, ..., J10, J10^{-1}]. The absolute invariants

i1 := 144

are even GL2(k)-invariants. Two genus 2 curves with J2 ≠ 0 are isomorphic if and only if they have the same absolute invariants. If J2 = 0 then we can define new invariants as in [64]. For the rest of this paper, if we say there is a genus 2 curve C defined over k we will mean the k-isomorphism class of C. The reason that the above invariants were defined with J2 in the denominator was so that their degrees (as rational functions in terms of a0, ..., a6) are as low as possible. Hence, the computations in this case are simpler. While most of the computational results in [61], [63], [49] are expressed in terms of i1, i2, i3, we have started to convert all the results in terms of the new invariants

  t1 = J2^5 / J10,   t2 = J4^5 / J10^2,   t3 = J6^5 / J10^3.

2.3. Automorphisms of curves of genus two

Let C be a genus 2 curve defined over an algebraically closed field k. We denote its automorphism group by Aut(C) = Aut(K/k). In any characteristic different from 2, the automorphism group Aut(C) is isomorphic to one of the groups given by the following lemma.

Lemma 1. The automorphism group G of a genus 2 curve C in characteristic ≠ 2 is isomorphic to C2, C10, V4, D8, D12, C3 ⋊ D8, GL2(3), or 2⁺S5. The case G ≅ 2⁺S5 occurs only in characteristic 5. If G ≅ C3 ⋊ D8 (resp., GL2(3)), then C has equation Y² = X⁶ - 1 (resp., Y² = X(X⁴ - 1)). If G ≅ C10, then C has equation Y² = X⁶ - X.

For the rest of this paper, we assume that char(k) = 0.

3. Automorphism groups and the description of the corresponding loci

In this section we will study genus two curves which have an extra involution in the automorphism group. It turns out that there is only one automorphism group from the above lemma which does not have this property, namely the cyclic group C10. However, there is only one genus two curve (up to isomorphism) which has automorphism group C10. Hence, this case is not very interesting to us. Thus, we will study genus two curves which have an extra involution, which is equivalent to having a degree 2 elliptic subcover; see the section on decomposable Jacobians for degree n > 2 elliptic subcovers.


3.1. Genus 2 curves with degree 2 elliptic subcovers

An elliptic involution of K is an involution in G which is different from z0 (the hyperelliptic involution). Thus the elliptic involutions of G are in 1-1 correspondence with the elliptic subfields of K of degree 2 (by the Riemann-Hurwitz formula). If z1 is an elliptic involution and z0 the hyperelliptic one, then z2 := z0 z1 is another elliptic involution. So the elliptic involutions come naturally in pairs. This pairs also the elliptic subfields of K of degree 2. Two such subfields E1 and E2 are paired if and only if E1 ∩ k(X) = E2 ∩ k(X). E1 and E2 are G-conjugate unless G ≅ D6 or G ≅ V4.

Theorem 1. Let K be a genus 2 field and e2(K) the number of Aut(K)-classes of elliptic subfields of K of degree 2. Suppose e2(K) ≥ 1. Then the classical invariants of K satisfy the equation,

7 4 4 2 2 2 2 3 4 2 J2 J4 + 8748J10 J2 J6 507384000J10 J4 J2 19245600J10 J4 J2 592272J10 J4 J2 3 4 3 3 2 3 81J2 J6 3499200J10 J2 J6 + 4743360J10 J4 J2 J6 870912J10 J4 J2 J6 5 6 3 4 4 3 6 + 159J4 J2 +1332J2 J4 J6 125971200000J10 + 384J4 J6 + 41472J10 J4 4 2 2 5 2 4 2 4 3 47952J2 J4 J6 + 104976000J10 J2 J6 1728J4 J2 J6 + 6048J4 J2 J 6 + 108J2 J 4 J6 6 3 +12J2 J4 J 6

(7)

2 2 3 29376J2 J4 J6

3 3 2 8910J2 J4 J6

2 2099520000J10 J4 J6

2 5 236196J10 J2

5 3 3 6 2 3 4 5 5 +31104J6 6912J4 J6 4 + 972J10 J2 J4 + 77436J10 J4 J2 78J2 J4 2 2 5 7 5 2 2 2 2 +3090960J10 J4 J2 J6 5832J10 J2 J4 J6 80J4 J2 54J2 J4 J6 9331200J10 J4 J6 = 0

Further, e2(K) = 2 unless K = k(X, Y) with Y² = X⁵ - X, in which case e2(K) = 1.

Lemma 2. Suppose z1 is an elliptic involution of K. Let z2 = z1 z0, where z0 is the hyperelliptic involution. Let E_i be the fixed field of z_i for i = 1, 2. Then K = k(X, Y) where

  Y² = X⁶ - s1 X⁴ + s2 X² - 1   (8)

and 27 - 18 s1 s2 - s1² s2² + 4 s1³ + 4 s2³ ≠ 0. Further, E1 and E2 are the subfields k(X², Y) and k(X², YX).

We need to determine to what extent the normalization above determines the coordinate X. The condition z1(X) = -X determines the coordinate X up to a coordinate change by some γ ∈ Γ centralizing z1. Such γ satisfies γ(X) = mX or γ(X) = m/X, m ∈ k \ {0}. The additional condition abc = 1 forces 1 = γ(a1) ... γ(a6), hence m⁶ = 1. So X is determined up to a coordinate change by the subgroup H ≅ D6 of Γ generated by τ1: X → ζ6 X and τ2: X → 1/X, where ζ6 is a primitive 6-th root of unity. Let ζ3 := ζ6². The coordinate change by τ1 replaces s1 by ζ3² s1 and s2 by ζ3 s2. The coordinate change by τ2 switches s1 and s2. Invariants of this H-action are:


  u := s1 s2,   v := s1³ + s2³.   (9)

Remark 2. Such invariants were quite important in simplifying the computations for the locus L2. Later they were used by Duursma and Kiyavash to show that genus 2 curves with extra involutions are suitable for the vector decomposition problem; see [20] for details. In this volume they are used again; see the paper by Cardona and Quer. They were later generalized to higher genus hyperelliptic curves and called dihedral invariants; see [32].

The following proposition determines the group G in terms of u and v.

Proposition 1. Let C be a genus 2 curve such that G := Aut(C) has an elliptic involution and J2 ≠ 0. Then:
a) G ≅ Z3 ⋊ D4 if and only if (u, v) = (0, 0) or (u, v) = (225, 6750).
b) G ≅ W1 if and only if u = 25 and v = -250.
c) G ≅ D6 if and only if 4v - u² + 110u - 1125 = 0, for u ≠ 9, 70 ± 30√5, 25. Moreover, the classical invariants satisfy the equations,

4 3 2 2 3 2 J 4 J 2 + 12J2 J6 52J4 J2 + 80J4 + 960J2 J4 J6 3600J6 =0 5 2 3 2 2 6 + 3456000J10 J4 J2 43200J10 J4 J2 2332800000J10 J4 J2 864J10 J2 4 2 3 4 5 768J4 J2 + 48J4 J2 + 4096J4 =0

(10)

d) G ≅ D4 if and only if v² - 4u³ = 0, for u ≠ 1, 9, 0, 25, 225. The cases u = 0, 225 and u = 25 are reduced to cases a) and b) respectively. Moreover, the classical invariants satisfy (7) and the following equation,


2 2 1706J4 J2

3 4 3 2 + 2560J4 + 27J4 J2 81J2 J6 14880J2 J4 J6 + 28800J6 =0

(11)

Remark 1. The following graphs were generated by Maple 13. Notice the singular point in both spaces of curves with automorphism group D4 and D6. Such points correspond to larger automorphism groups, namely the groups of order 24 and 48 respectively. This can easily be seen from the group theory, since D4 ⊂ Z3 ⋊ D4 and D6 ⊂ W1.

Figure 2. The space of genus 2 curves with automorphism group D4 and D6 respectively.

Proposition 2. The mapping A: (u, v) → (i1, i2, i3) gives a birational parametrization of L2. The fibers of A of cardinality > 1 correspond to those curves C with |Aut(C)| > 4.

Proof. See [66] for the details.

3.1.1. Elliptic subcovers

Let j1 and j2 denote the j-invariants of the elliptic curves E1 and E2 from Lemma 2. The invariants j1 and j2 are the roots of the quadratic

  j² + 256 · (2u³ - 54u² + 9uv - v² + 27v) / (u² + 18u - 4v - 27) · j + 65536 · (u² + 9u - 3v)³ / (u² + 18u - 4v - 27)² = 0.   (12)

3.1.2. Isomorphic elliptic subcovers

The elliptic curves E1 and E2 are isomorphic when equation (12) has a double root. The discriminant of the quadratic is zero for

  (v² - 4u³)(v - 9u + 27) = 0.


Remark 3. From Proposition 1, v² = 4u³ if and only if Aut(C) ≅ D4. So for C such that Aut(C) ≅ D4, E1 is isomorphic to E2. It is easily checked that z1 and z2 = z0 z1 are conjugate when G ≅ D4, so they fix isomorphic subfields. If v = 9(u - 3) then the locus of these curves is given by,

4 2 2 4i5 1 9i1 + 73728i1 i3 150994944i3 = 0 2 2 289i3 1 729i1 + 54i1 i2 i2 = 0

(13)

For (u, v) = (9/4, -27/4) the curve has Aut(C) ≅ D4 and for (u, v) = (137, 1206) it has Aut(C) ≅ D6. All other curves with v = 9(u - 3) belong to the general case, so Aut(C) ≅ V4. The j-invariants of the elliptic curves are j1 = j2 = 256(9 - u). Thus, these genus 2 curves are parametrized by the j-invariant of the elliptic subcover.

Remark 4. This embeds the moduli space M1 into M2 in a functorial way.

3.2. Isogenous degree 2 elliptic subfields

In this section we study pairs of degree 2 elliptic subfields of K which are 2- or 3-isogenous. We denote by Φ_n(x, y) the n-th modular polynomial (see Blake et al. [9] for the formal definitions). Two elliptic curves with j-invariants j1 and j2 are n-isogenous if and only if Φ_n(j1, j2) = 0. In the next section we will see how such modular polynomials can be generalized to higher genus.

3.2.1. 3-Isogeny

Suppose E1 and E2 are 3-isogenous. Then, from equation (12) and Φ3(j1, j2) = 0 we eliminate j1 and j2. Then,

  (4v - u² + 110u - 1125) g1(u, v) g2(u, v) = 0   (14)

where g1 and g2 are given in [66]. Thus, there is an isogeny of degree 3 between E1 and E2 if and only if u and v satisfy equation (14). The vanishing of the first factor is equivalent to G ≅ D6. So, if Aut(C) ≅ D6 then E1 and E2 are isogenous of degree 3.

3.2.2. 2-Isogeny

Below we give the modular 2-polynomial.

  Φ2(x, y) = x³ - x²y² + y³ + 1488 xy (x + y) + 40773375 xy - 162000 (x² + y²) + 8748000000 (x + y) - 157464000000000   (15)

Suppose E1 and E2 are isogenous of degree 2. Substituting j1 and j2 in Φ2 we get

  f1(u, v) f2(u, v) = 0   (16)

where f1 and f2 are displayed in [65].


3.2.3. Other isogenies between elliptic subcovers

If Aut(C) ≅ D4, then z1 and z2 are in the same conjugacy class. There are again two conjugacy classes of elliptic involutions in Aut(C). Thus, there are two degree 2 elliptic subfields (up to isomorphism) of K. One of them is determined by the double root j of the equation (12), for v² - 4u³ = 0. Next, we determine the j-invariant j' of the other degree 2 elliptic subfield and see how it is related to j.

(Diagram: C covers E1, E2 and E1', E2' by degree 2 maps; E1 ≅ E2 and E1' ≅ E2', and E1 is joined to E1' by a 2-isogeny.)

If v² - 4u³ = 0 then Aut(C) ≅ D4 and the roots of the sextic are P = {±1, ±a, ±1/a}. Then s1 = a² + 1/a² + 1 = s2; write s for this common value. The involutions of P¹ preserving P are σ1: X → -X, σ2: X → 1/X, σ3: X → -1/X. Since σ1 and σ3 fix no points of P, they lift to involutions in Aut(C). They each determine a pair of isomorphic elliptic subfields. The j-invariant of the elliptic subfield fixed by σ1 is the double root of equation (12), namely

  j = 256 s³ / (s + 1).

To find the j-invariant of the elliptic subfields fixed by σ3 we look at the degree 2 covering ψ: P¹ → P¹ such that ψ(±1) = 0, ψ(a) = ψ(-1/a) = 1, ψ(-a) = ψ(1/a) = -1, and ψ(0) = ψ(∞) = ∞. This covering is

  ψ(X) = a (X² - 1) / ((a² - 1) X).

The branch points of ψ are q_± = ±2ia / (a² - 1). From Lemma 2 the elliptic subfields E1' and E2' have 2-torsion points {0, 1, -1, q_±}. The j-invariants of E1' and E2' are

  j' = -16 (s - 15)³ / (s + 1)².

Then Φ2(j, j') = 0, so E1 and E1' are isogenous of degree 2. Thus, σ1 and σ3 determine degree 2 elliptic subfields which are 2-isogenous.
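As an added example (not part of the original notes nor of the authors' Maple package), the following Python code packages the computations of sections 3.1 and 3.2 with exact rational arithmetic: the dihedral invariants (9) from s1, s2, the non-degeneracy condition of Lemma 2, the reading of Aut(C) from (u, v) by Proposition 1, the quadratic (12) for j(E1), j(E2), the modular polynomial Φ2 of (15), and the pair (j, j') of section 3.2.3. Function names and the test points are ours: (u, v) = (25, -250) must give the double root j = 8000 for Y² = X⁵ - X, (225, 6750) gives j = 54000 (2-isogenous to j = 0, the subcover of Y² = X⁶ - 1), (137, 1206) gives j = 256(9 - u) = -32768 on the line v = 9(u - 3), and s = 7 gives (j, j') = (10976, 128) with Φ2(j, j') = 0.

```python
from fractions import Fraction
from math import isqrt

def dihedral_invariants(s1, s2):
    """u = s1*s2, v = s1^3 + s2^3 for Y^2 = X^6 - s1 X^4 + s2 X^2 - 1 (Lemma 2, eq. (9))."""
    s1, s2 = Fraction(s1), Fraction(s2)
    return s1 * s2, s1 ** 3 + s2 ** 3

def lemma2_nondegenerate(s1, s2):
    """27 - 18 s1 s2 - s1^2 s2^2 + 4 s1^3 + 4 s2^3 != 0 (the cubic in X^2 has distinct roots)."""
    s1, s2 = Fraction(s1), Fraction(s2)
    return 27 - 18 * s1 * s2 - s1 ** 2 * s2 ** 2 + 4 * s1 ** 3 + 4 * s2 ** 3 != 0

def automorphism_group(u, v):
    """Aut(C) read off from (u, v) as in Proposition 1; 'V4' is the generic point of L2."""
    u, v = Fraction(u), Fraction(v)
    if (u, v) in {(0, 0), (225, 6750)}:
        return "C3 x| D4"          # order 24, the curve Y^2 = X^6 - 1
    if (u, v) == (25, -250):
        return "W1 = GL2(3)"       # order 48, the curve Y^2 = X^5 - X
    if 4 * v - u ** 2 + 110 * u - 1125 == 0:
        return "D6"
    if v ** 2 - 4 * u ** 3 == 0:
        return "D4"
    return "V4"

def j_invariant_quadratic(u, v):
    """Coefficients (B, C) of j^2 + B j + C = 0, eq. (12); its roots are j(E1), j(E2)."""
    u, v = Fraction(u), Fraction(v)
    D = u ** 2 + 18 * u - 4 * v - 27
    if D == 0:
        raise ZeroDivisionError("eq. (12) degenerates: u^2 + 18u - 4v - 27 = 0")
    B = 256 * (2 * u ** 3 - 54 * u ** 2 + 9 * u * v - v ** 2 + 27 * v) / D
    C = 65536 * (u ** 2 + 9 * u - 3 * v) ** 3 / D ** 2
    return B, C

def j_invariants(u, v):
    """Solve eq. (12) exactly when its discriminant is a rational square (always so
    on the loci v^2 = 4u^3 and v = 9(u - 3), where it is 0). Returns (j1, j2)."""
    B, C = j_invariant_quadratic(u, v)
    disc = B * B - 4 * C
    num, den = disc.numerator, disc.denominator
    if num < 0 or isqrt(num) ** 2 != num or isqrt(den) ** 2 != den:
        raise ValueError("discriminant is not a rational square; j1, j2 are conjugate")
    root = Fraction(isqrt(num), isqrt(den))
    return (-B + root) / 2, (-B - root) / 2

def phi2(x, y):
    """Classical modular polynomial Phi_2(x, y) of eq. (15)."""
    return (x ** 3 - x ** 2 * y ** 2 + y ** 3 + 1488 * x * y * (x + y) + 40773375 * x * y
            - 162000 * (x ** 2 + y ** 2) + 8748000000 * (x + y) - 157464000000000)

def d4_subcovers(s):
    """Section 3.2.3: for s1 = s2 = s (so v^2 = 4u^3) the two non-isomorphic degree 2
    elliptic subcovers have j = 256 s^3/(s+1) and j' = -16 (s-15)^3/(s+1)^2."""
    s = Fraction(s)
    return 256 * s ** 3 / (s + 1), -16 * (s - 15) ** 3 / (s + 1) ** 2
```

Note that `j_invariants` deliberately refuses to return floating-point roots: off the two special loci the pair (j1, j2) generally lives in a quadratic extension, and a cryptographic use of these curves should carry that field explicitly rather than round.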

4. Theta functions

In this section we give a brief description of the basic setup. All of this material can be found in any standard book on theta functions. Let C be an algebraic curve of genus g ≥ 2. We choose a symplectic homology basis for C, say {A1, ..., Ag, B1, ..., Bg}, such that the intersection products A_i · A_j = B_i · B_j = 0 and A_i · B_j = δ_ij, where δ_ij is the Kronecker delta. We choose a basis {w_i} for the space of holomorphic 1-forms such that ∫_{A_i} w_j = δ_ij. The matrix Ω = [∫_{B_i} w_j] is the period matrix of C. The columns of the matrix [I | Ω] form a lattice L in C^g and the Jacobian of C is Jac(C) = C^g / L. Let H_g be the Siegel upper half space. Then Ω ∈ H_g and there is an injection


  M_g ↪ H_g / Sp_{2g}(Z) =: A_g,

where Sp_{2g}(Z) is the symplectic group. For any z ∈ C^g and τ ∈ H_g, Riemann's theta function is defined as

  θ(z, τ) = Σ_{u ∈ Z^g} e^{πi (u^t τ u + 2 u^t z)},

where u and z are g-dimensional column vectors and the products involved in the formula are matrix products. The fact that the imaginary part of τ is positive definite makes the series absolutely convergent over any compact set. Therefore, the function is analytic. The theta function is holomorphic on C^g × H_g and satisfies

  θ(z + u, τ) = θ(z, τ),   θ(z + τu, τ) = e^{-πi (u^t τ u + 2 z^t u)} θ(z, τ),

where u ∈ Z^g; see [54] for details. Any point e ∈ Jac(C) can be written uniquely as e = (b, a) · [I | Ω]^t = b + Ω a, where a, b ∈ R^g. We shall use the notation [e] = [a ; b] for the characteristic of e. For any a, b ∈ Q^g, the theta function with rational characteristics is defined as

  θ[a ; b](z, τ) = Σ_{u ∈ Z^g} e^{πi ((u + a)^t τ (u + a) + 2 (u + a)^t (z + b))}.

When the entries of the column vectors a and b are from the set {0, 1/2}, the characteristics [a ; b] are called half-integer characteristics. The corresponding theta functions with rational characteristics are called theta characteristics. A scalar obtained by evaluating a theta characteristic at z = 0 is called a theta constant. Points of order n on Jac(C) are called the 1/n-periods. Any half-integer characteristic is given by

  m = (1/2) [ m1 m2 ... mg ; m1' m2' ... mg' ],

where m_i, m_i' ∈ Z. For γ = [γ' ; γ''] ∈ (1/2) Z^{2g} / Z^{2g} we define e_*(γ) = (-1)^{4 (γ')^t γ''}. Then

  θ[γ](-z, τ) = e_*(γ) θ[γ](z, τ).

We say that γ is an even (resp. odd) characteristic if e_*(γ) = 1 (resp. e_*(γ) = -1). For any curve of genus g, there are 2^{g-1}(2^g + 1) even theta functions (respectively 2^{g-1}(2^g - 1) odd theta functions). Let a be another half-integer characteristic. We define m ⊕ a as follows:

  m ⊕ a = (1/2) [ t1 t2 ... tg ; t1' t2' ... tg' ],


where t_i ≡ (m_i + a_i) mod 2 and t_i' ≡ (m_i' + a_i') mod 2. For the rest of this section we consider only characteristics (1/2) q in which each of the elements q_i, q_i' is either 0 or 1. We use the following abbreviations:

  |m| = Σ_{i=1}^{g} m_i m_i',   |m, a| = Σ_{i=1}^{g} (m_i a_i' - m_i' a_i),   (m | a) = e^{πi Σ_{j=1}^{g} m_j a_j'}.

The set of all half-integer characteristics forms a group which has 2^{2g} elements. We say that two half-integer characteristics m and a are syzygetic (resp., azygetic) if |m, a| ≡ 0 mod 2 (resp., |m, a| ≡ 1 mod 2), and three half-integer characteristics m, a, and b are syzygetic if |m, a, b| ≡ 0 mod 2. A Göpel group G is a group of 2^r half-integer characteristics, where r ≤ g, such that every two characteristics are syzygetic. The elements of the group G are formed by the sums of r fundamental characteristics; see [2, pg. 489] for details. Obviously, a Göpel group of order 2^r is isomorphic to C_2^r. The proof of the following lemma can be found in [2, pg. 490].

Lemma 3. The number of different Göpel groups which have 2^r characteristics is

  (2^{2g} - 1)(2^{2g-2} - 1) ... (2^{2g-2r+2} - 1) / ((2^r - 1)(2^{r-1} - 1) ... (2 - 1)).

If G is a Göpel group with 2^r elements, then it has 2^{2g-r} cosets. The cosets are called Göpel systems and are denoted by aG, a ∈ (1/2) Z^{2g} / Z^{2g}. Any three characteristics of a Göpel system are syzygetic. We can find a set of characteristics called a basis of the Göpel system which derives all its 2^r characteristics by taking only the combinations of any odd number of characteristics of the basis.

Lemma 4. Let g ≥ 1 be a fixed integer, r be as defined above and σ = g - r. Then there are 2^{σ-1}(2^σ + 1) Göpel systems which consist of even characteristics only and there are 2^{σ-1}(2^σ - 1) Göpel systems which consist of odd characteristics only. The other 2^{2σ}(2^r - 1) Göpel systems consist of as many odd characteristics as even characteristics.

Proof. The proof can be found in [2, pg. 492].

Corollary 1. When r = g we have only one (resp., 0) Göpel system which consists of even (resp., odd) characteristics.

Proposition 3. The following statements are true.

  θ²[a] θ²[ah] = (1 / 2^{g-1}) Σ_e e^{πi |ae|} (h | ae) θ²[e] θ²[eh],   (17)


1 2g1

e

(18)

where θ[e] is the theta constant corresponding to the characteristic e, a and h are any half-integer characteristics, and e is an even characteristic such that |e| ≡ |eh| mod 2. There are 2^{2g-2}(2^{g-1} + 1) such candidates for e.

Proof. For the proof, see [2, pg. 524].

The statements given in the proposition above can be used to get identities among theta constants; see section 4.2.

4.1. Cyclic curves with extra automorphisms

A normal cyclic curve is an algebraic curve C such that there exists a normal cyclic subgroup C_m ◁ Aut(C) with g(C / C_m) = 0. Then Ḡ = G / C_m embeds as a finite subgroup of PGL(2, C). An affine equation of a birational model of a cyclic curve can be given by the following

  y^m = f(x) = Π_{i=1}^{s} (x - α_i)^{d_i}.   (19)

Hyperelliptic curves are cyclic curves with m = 2. Note that when d_i > 1 for some i the curve is singular. A hyperelliptic curve C is a cover of order two of the projective line P¹. Let z be the generator (the hyperelliptic involution) of the Galois group Gal(C / P¹). It is known that ⟨z⟩ is a normal subgroup of the automorphism group Aut(C). Let C → P¹ be the degree 2 hyperelliptic projection. We can assume that infinity is a branch point. Let B := {α1, α2, ..., α_{2g+1}} be the set of other branch points. Let S = {1, 2, ..., 2g + 1} be the index set of B and η: S → (1/2) Z^{2g} / Z^{2g} be the map defined as follows:

  η(2i - 1) = (1/2) [ 0 ... 0 1 0 ... 0 ; 1 ... 1 0 0 ... 0 ],
  η(2i)     = (1/2) [ 0 ... 0 1 0 ... 0 ; 1 ... 1 1 0 ... 0 ],

where the nonzero element of the first row appears in the i-th column and the second row has 1's in its first i - 1 (resp. first i) columns; for 2i - 1 = 2g + 1 the first row is zero. We define η(∞) to be (1/2) [ 0 ... 0 ; 0 ... 0 ]. For any T ⊂ B, we define the half-integer characteristic

  η_T = Σ_{α_k ∈ T} η(k).

Let T^c denote the complement of T in B. Note that η_B ∈ Z^{2g}. If we view η_T as an element of (1/2) Z^{2g} / Z^{2g} then η_T = η_{T^c}. Let △ denote the symmetric difference of sets, that is T △ R = (T ∪ R) \ (T ∩ R). It can be shown that the set of subsets of B is a group under △. We have the following group isomorphism

  {T ⊂ B ∪ {∞} | #T ≡ g + 1 mod 2} / (T ∼ T^c) ≅ (1/2) Z^{2g} / Z^{2g}.

For hyperelliptic curves, it is known that 2^{g-1}(2^g + 1) - C(2g + 1, g) of the even theta constants are zero. The following theorem provides a condition on the characteristics for which theta characteristics become zero. The proof of the theorem can be found in [55, pg. 102].

Theorem 2. Let C be a hyperelliptic curve, with a set B of branch points. Let S be the index set as above and U be the set of all odd values of S. Then for all T ⊂ S with even cardinality, we have θ[η_T] = 0 if and only if #(T △ U) ≠ g + 1, where θ[η_T] is the theta constant corresponding to the characteristic η_T. Notice also that by parity, all odd theta constants are zero.

There is a formula (the so-called Frobenius theta formula) which half-integer theta characteristics for hyperelliptic curves satisfy.

Lemma 5 (Frobenius). For all z_i ∈ C^g, 1 ≤ i ≤ 4, such that z1 + z2 + z3 + z4 = 0 and for all b_i ∈ Q^{2g}, 1 ≤ i ≤ 4, such that b1 + b2 + b3 + b4 = 0, we have

  Σ_{j ∈ S ∪ {∞}} ε_U(j) Π_{i=1}^{4} θ[b_i + η(j)](z_i) = 0,

where for any A ⊂ B,

  ε_A(k) = 1 if k ∈ A, and -1 otherwise.

Proof. See [54, pg. 107].

A relationship between theta constants and the branch points of the hyperelliptic curve is given by Thomae's formula.

Lemma 6 (Thomae). For a non-singular even half-integer characteristic e corresponding to the partition of the branch points {1, 2, ..., 2(g + 1)} = {i1 < i2 < ... < i_{g+1}} ∪ {j1 < j2 < ... < j_{g+1}}, we have

  θ[e](0; τ)^8 = A Π_{k<l} (α_{i_k} - α_{i_l})² (α_{j_k} - α_{j_l})².

See [54, pg. 128] for the description of A and [54, pg. 120] for the proof. Using Thomae's formula and the Frobenius theta identities we express the branch points of hyperelliptic curves in terms of even theta constants.
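The following Python script, added here as an illustration and not taken from the lecture notes or from [2], makes the combinatorics of this section executable. A half-integer characteristic is stored as a 0/1 vector of length 2g (twice its entries), e_* is the parity, |m, a| the syzygetic pairing, and Göpel groups and their cosets (Göpel systems) are found by brute force, so Lemma 3, Lemma 4 and Corollary 1 can be checked for small g. The second half builds the map η of section 4.1 and runs the census of Theorem 2 over all even T ⊂ S: for g = 2 none of the ten even theta constants vanishes, for g = 3 exactly one does, in agreement with 2^{g-1}(2^g + 1) - C(2g + 1, g). All function names are ours.

```python
from itertools import product, combinations
from math import comb

# A characteristic (1/2)[m'_1..m'_g ; m''_1..m''_g] is stored as the 0/1 tuple
# (m'_1, ..., m'_g, m''_1, ..., m''_g), i.e. twice the entries, read mod 2.

def characteristics(g):
    return list(product((0, 1), repeat=2 * g))

def add_char(m, a):
    """m (+) a of the text: componentwise sum mod 2."""
    return tuple((x + y) % 2 for x, y in zip(m, a))

def parity(m):
    """e_*(m) = (-1)^{4 m'.m''} = (-1)^{sum m'_i m''_i}: +1 even, -1 odd."""
    g = len(m) // 2
    return -1 if sum(m[i] * m[g + i] for i in range(g)) % 2 else 1

def pairing(m, a):
    """|m, a| = sum_i (m'_i a''_i - m''_i a'_i) mod 2; 0 means syzygetic, 1 azygetic."""
    g = len(m) // 2
    return sum(m[i] * a[g + i] - m[g + i] * a[i] for i in range(g)) % 2

def span(gens):
    grp = {tuple([0] * len(gens[0]))}
    for x in gens:
        grp |= {add_char(y, x) for y in grp}
    return frozenset(grp)

def gopel_groups(g, r):
    """All Göpel groups with 2^r elements: subgroups in which every pair is syzygetic."""
    nonzero = [c for c in characteristics(g) if any(c)]
    found = set()
    for gens in combinations(nonzero, r):
        G = span(list(gens))
        if len(G) == 2 ** r and all(pairing(x, y) == 0 for x in G for y in G):
            found.add(G)
    return found

def lemma3_count(g, r):
    """Number of Göpel groups with 2^r characteristics (Lemma 3)."""
    num, den = 1, 1
    for k in range(r):
        num *= 2 ** (2 * g - 2 * k) - 1
        den *= 2 ** (k + 1) - 1
    return num // den

def lemma4_counts(g, r):
    """(all even, all odd, mixed) Göpel systems for a Göpel group of order 2^r (Lemma 4)."""
    s = g - r
    return ((2 ** s * (2 ** s + 1)) // 2, (2 ** s * (2 ** s - 1)) // 2, 2 ** (2 * s) * (2 ** r - 1))

def gopel_system_parities(g, G):
    """Classify the 2^(2g-r) cosets aG of G as (all even, all odd, mixed)."""
    seen, counts = set(), [0, 0, 0]
    for a in characteristics(g):
        coset = frozenset(add_char(a, x) for x in G)
        if coset in seen:
            continue
        seen.add(coset)
        signs = {parity(x) for x in coset}
        counts[0 if signs == {1} else 1 if signs == {-1} else 2] += 1
    return tuple(counts)

# --- the map eta of section 4.1 and the vanishing census of Theorem 2 -----------------

def eta(g, k):
    """eta(k), 1 <= k <= 2g+1: eta(2i-1) has 1/2 in column i of the top row and in columns
    1..i-1 of the bottom row; eta(2i) additionally has 1/2 in column i of the bottom row.
    For k = 2g+1 the top row is zero (column g+1 does not exist)."""
    i, odd = (k + 1) // 2, k % 2 == 1
    top = [1 if (c == i and i <= g) else 0 for c in range(1, g + 1)]
    bottom = [1 if (c < i or (c == i and not odd)) else 0 for c in range(1, g + 1)]
    return tuple(top + bottom)

def eta_T(g, T):
    m = tuple([0] * (2 * g))
    for k in T:
        m = add_char(m, eta(g, k))
    return m

def hyperelliptic_theta_census(g):
    """Over all even-size T in S = {1..2g+1}: count distinct eta_T, even and odd ones, and the
    even ones with theta[eta_T] = 0 by Theorem 2, i.e. #(T sym.diff. U) != g+1, U = odd indices."""
    S = range(1, 2 * g + 2)
    U = {k for k in S if k % 2 == 1}
    chars, even, odd, vanishing_even = set(), 0, 0, 0
    for size in range(0, 2 * g + 2, 2):
        for T in combinations(S, size):
            m = eta_T(g, T)
            chars.add(m)
            if parity(m) == 1:
                even += 1
                vanishing_even += len(set(T) ^ U) != g + 1
            else:
                odd += 1
    return len(chars), even, odd, vanishing_even
```

For g = 2 the single all-even Göpel system of Corollary 1 is the group {[00;00], [00;½½], [00;½0], [00;0½]} used in section 4.2; the census function also gives a quick way to verify a hand-written η table before trusting any Thomae-based formula built on it.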


4.2. Genus 2 curves

The automorphism group G of a genus 2 curve C in characteristic ≠ 2 is isomorphic to Z2, Z10, V4, D8, D12, SL2(3), GL2(3), or 2⁺S5. The case G ≅ 2⁺S5 occurs only in characteristic 5. If G ≅ SL2(3) (resp., GL2(3)) then C has equation Y² = X⁶ - 1 (resp., Y² = X(X⁴ - 1)). If G ≅ Z10 then C has equation Y² = X⁶ - X. For a fixed G from the list above, the locus of genus 2 curves with automorphism group G is an irreducible algebraic subvariety of M2. Such loci can be described in terms of the Igusa invariants.

For any genus 2 curve we have six odd theta characteristics and ten even theta characteristics. The following are the sixteen theta characteristics, where the first ten are even and the last six are odd. For simplicity, we denote them by θ_i = [a ; b] instead of θ_i = θ[a ; b](z, τ), where i = 1, ..., 10 for the even theta functions:

  θ1 = [0 0 ; 0 0],   θ2 = [0 0 ; ½ ½],   θ3 = [0 0 ; ½ 0],   θ4 = [0 0 ; 0 ½],   θ5 = [½ 0 ; 0 0],
  θ6 = [½ 0 ; 0 ½],   θ7 = [0 ½ ; 0 0],   θ8 = [½ ½ ; 0 0],   θ9 = [0 ½ ; ½ 0],   θ10 = [½ ½ ; ½ ½],

and the six odd ones are

  θ11 = [0 ½ ; 0 ½],   θ12 = [0 ½ ; ½ ½],   θ13 = [½ 0 ; ½ 0],   θ14 = [½ ½ ; ½ 0],   θ15 = [½ ½ ; 0 ½],   θ16 = [½ 0 ; ½ ½].

The characteristics of θ1, θ2, θ3, θ4 form a Göpel group

  G = {[0 0 ; 0 0], [0 0 ; ½ ½], [0 0 ; ½ 0], [0 0 ; 0 ½]}

(any two of them are syzygetic since their first rows vanish), and its three other cosets (Göpel systems) are

  [½ 0 ; 0 0] ⊕ G = {θ5, θ6, θ13, θ16},   [0 ½ ; 0 0] ⊕ G = {θ7, θ9, θ11, θ12},   [½ ½ ; 0 0] ⊕ G = {θ8, θ10, θ14, θ15}.

Notice that from all four cosets, only G has all even characteristics, as noticed in Corollary 1. Using Prop. 3 we have the following six identities for the above Göpel group.


  θ5² θ6² = θ1² θ4² - θ2² θ3²,   θ5⁴ + θ6⁴ = θ1⁴ - θ2⁴ - θ3⁴ + θ4⁴,
  θ7² θ9² = θ1² θ3² - θ2² θ4²,   θ7⁴ + θ9⁴ = θ1⁴ - θ2⁴ + θ3⁴ - θ4⁴,
  θ8² θ10² = θ1² θ2² - θ3² θ4²,   θ8⁴ + θ10⁴ = θ1⁴ + θ2⁴ - θ3⁴ - θ4⁴.

These identities express even theta constants in terms of four theta constants. We call them the fundamental theta constants θ1, θ2, θ3, θ4. Next we find the relation between theta characteristics and branch points of a genus two curve.

Lemma 7 (Picard). Let a genus 2 curve be given by Y² = X(X - 1)(X - λ)(X - μ)(X - ν). Then λ, μ, ν can be written as follows:

  λ = θ1² θ3² / (θ2² θ4²),   (20)

  μ = θ3² θ8² / (θ4² θ10²),   ν = θ1² θ8² / (θ2² θ10²).   (21)

Proof. There are several ways to relate λ, μ, ν to theta constants, depending on the ordering of the branch points of the curve. Let B = {ν, μ, λ, 1, 0} be the branch points of the curve in this order and U = {ν, λ, 0} be the set of odd branch points. Using Lemma 6 we have the following set of equations between theta constants and branch points.

4 1 4 3 4 5 4 7 4 9 4 = A ( 1)( ) 2 = A ( 1)( ) 4 = A ( )( ) 4 = A ( )( ) 4 = A ( 1)( ) 6 = A ( )( )( ) 4 = A ( 1)( 1)( ) 8 = A ( )( 1) 4 = A ( 1)( 1)( ) 10 = A ( 1)( ),

(22)

where A is a constant. Choosing the appropriate equations from the set Eq. (22) we have the following:

  λ² = (θ1² θ3² / (θ2² θ4²))²,   μ² = (θ3² θ8² / (θ4² θ10²))²,   ν² = (θ1² θ8² / (θ2² θ10²))².

Each value for (λ, μ, ν) gives isomorphic genus 2 curves. Hence, we can choose

  λ = θ1² θ3² / (θ2² θ4²),   μ = θ3² θ8² / (θ4² θ10²),   ν = θ1² θ8² / (θ2² θ10²).

This completes the proof.

One of the main goals of this paper is to describe each locus of genus 2 curves with fixed automorphism group in terms of the fundamental theta constants. We have the following


Corollary 2. Every genus two curve can be written in the form:

  y² = x (x - 1) (x - λ) ( x² - α (θ2² θ3² + θ1² θ4²) / (θ2² θ4²) · x + α² λ ),

where λ = θ1² θ3² / (θ2² θ4²), α = θ8² / θ10², and α satisfies

  α² - (θ1⁴ + θ2⁴ - θ3⁴ - θ4⁴) / (θ1² θ2² - θ3² θ4²) · α + 1 = 0.

Remark 2. i) From the above we have that θ8⁴ = θ10⁴ implies that V4 ↪ Aut(C). ii) The last part of the corollary above shows that if θ8⁴ ≠ θ10⁴ then all coefficients of the genus 2 curve are given as rational functions of the 4 fundamental theta functions. Such fundamental theta functions determine the field of moduli of the given curve. Hence, the curve is defined over its field of moduli.

Corollary 3. Let C be a genus 2 curve which has an elliptic involution. Then C is defined over its field of moduli. This was the main result of [13].

4.3. Describing the locus of genus two curves with fixed automorphism group by theta constants

The locus L2 of genus 2 curves C which have an elliptic involution is a closed subvariety of M2. Let W = {α1, α2, β1, β2, γ1, γ2} be the set of roots of the binary sextic and A and B be subsets of W such that W = A ∪ B and |A ∩ B| = 2. We define the cross ratio of the two pairs z1, z2; z3, z4 by

  (z1, z2; z3, z4) = (z1; z3, z4) / (z2; z3, z4) = (z1 - z3)/(z1 - z4) : (z2 - z3)/(z2 - z4).

Take A = {α1, α2, β1, β2} and B = {γ1, γ2, β1, β2}. Jacobi [45] gives a description of L2 in terms of the cross ratios of the elements of W:

  (α1 - β1)/(α1 - β2) : (α2 - β1)/(α2 - β2) = (γ1 - β1)/(γ1 - β2) : (γ2 - β1)/(γ2 - β2).

We recall that the following identities hold for cross ratios:

  (α1, α2; β1, β2) = (α2, α1; β2, β1) = (β1, β2; α1, α2) = (β2, β1; α2, α1)

and

  (α1, α2; ∞, β2) = (∞, β2; α1, α2) = (β2; α2, α1).

Next we want to use this result to determine relations among theta functions for a genus 2 curve in the locus L2. Let C be any genus 2 curve given by equation

76

  Y² = X (X - 1)(X - a1)(X - a2)(X - a3).

We take ∞ ∈ A ∩ B. Then there are five cases for A ∩ B = {∞, ·}, where · is an element of the set {0, 1, a1, a2, a3}. For each of these cases there are three possible relationships for cross ratios, as described below:

i) A ∩ B = {0, ∞}: the possible cross ratios are
  (a1, 1; ∞, 0) = (a3, a2; ∞, 0),   (a2, 1; ∞, 0) = (a1, a3; ∞, 0),   (a1, 1; ∞, 0) = (a2, a3; ∞, 0).

ii) A ∩ B = {1, ∞}: the possible cross ratios are
  (a1, 0; ∞, 1) = (a2, a3; ∞, 1),   (a1, 0; ∞, 1) = (a3, a2; ∞, 1),   (a2, 0; ∞, 1) = (a1, a3; ∞, 1).

iii) A ∩ B = {a1, ∞}: the possible cross ratios are
  (1, 0; ∞, a1) = (a3, a2; ∞, a1),   (a2, 0; ∞, a1) = (1, a3; ∞, a1),   (1, 0; ∞, a1) = (a2, a3; ∞, a1).

iv) A ∩ B = {a2, ∞}: the possible cross ratios are
  (1, 0; ∞, a2) = (a1, a3; ∞, a2),   (1, 0; ∞, a2) = (a3, a1; ∞, a2),   (a1, 0; ∞, a2) = (1, a3; ∞, a2).

v) A ∩ B = {a3, ∞}: the possible cross ratios are
  (a1, 0; ∞, a3) = (1, a2; ∞, a3),   (1, 0; ∞, a3) = (a2, a1; ∞, a3),   (1, 0; ∞, a3) = (a1, a2; ∞, a3).

Cross ratio 1 (1, 0; , a1 ) = (a3 , a2 ; , a1 ) (a2 , 0; , a1 ) = (1, a3 ; , a1 ) (1, 0; , a1 ) = (a2 , a3 ; , a1 ) (1, 0; , a2 ) = (a1 , a3 ; , a2 ) (1, 0; , a2 ) = (a3 , a1 ; , a2 ) (a1 , 0; , a2 ) = (1, a3 ; , a2 ) (a1 , 0; , a3 ) = (1, a2 ; , a3 ) (1, 0; , a3 ) = (a2 , a1 ; , a3 ) (1, 0; , a3 ) = (a1 , a2 ; , a3 ) (a1 , 0; , 1) = (a2 , a3 ; , 1) (a1 , 0; , 1) = (a3 , a2 ; , 1) (a2 , 0; , 1) = (a1 , a3 ; , 1) (a1 , 1; , 0) = (a3 , a2 ; , 0) (a2 , 1; , 0) = (a1 , a3 ; , 0) (a1 , 1; , 0) = (a2 , a3 ; , 0)

f (a 1 , a 2 , a 3 ) = 0 a1 a2 + a1 a3 a1 a2 a1 a2 a1 + a3 a1 a3 a2 a1 a2 a1 a3 a1 + a3 a1 a2 a2 a3 a2 + a3 a1 a2 a1 + a2 a3 a2 a1 a2 a3 a1 a2 + a3 a2 a1 a2 a3 a1 a3 a2 + a3 a3 a1 a1 a3 a2 + a3 a3 a1 + a2 a3 a3 a2 a1 + a3 a1 + a2 a3 a1 a2 a1 a2 + a3 a1 a2 + a3 a2 a3 a1 a2 a3 a1 a3 a2 a3 a1 a2

theta constants

2 2 2 2 2 2 2 2 + 1 3 8 2 1 2 4 10 4 2 2 + 2 4 2 1 3 10 3 2 10

2 2 2 2 2 4 2 + 3 8 2 4 2 4 10 2 2 2 2 4 2 2 1 3 4 10 3 2 10

4 2 2 + 2 2 2 2 + 8 3 2 8 2 10 4 2 2 2 2 2 2 4 1 3 8 10 3 2 10 2 4 2 2 4 2 + 1 8 4 1 10 4 2 2 2 2 + 2 2 2 2 8 2 10 4 1 3 8 10 2 2 2 2 + 2 2 4 + 1 8 3 4 1 10 4 2 4 2 2 2 2 2 1 3 10 3 2 10 4 2 2 2 2 + 4 2 2 1 8 2 4 1 10 4 2 2 2 2 + 4 2 2 1 3 2 10 2 4 10 4 2 2 + 2 2 2 2 8 2 4 1 8 10 4 2 4 2 + 2 2 2 2 2 10 4 3 8 2 10 4 4 8 10 4 2 2 2 2 2 2 1 8 4 1 2 4 10 2 2 2 2 + 2 4 2 1 3 8 2 8 2 4

8 9

10

4 2 2 2 2 2 2 1 3 8 1 8 2 4 2 2 2 2 + 2 2 4 1 3 2 10 3 8 2

11

2 4 2 2 2 2 2 + 1 8 3 1 8 10 4 2 2 4 2 2 2 2 1 3 10 3 8 2 10 2 2 4 2 2 2 2 + 1 8 4 1 3 4 10 2 4 2 2 2 2 2 1 3 8 3 8 2 4 4 4 8 10 4 4 3 4 4 4 1 2

12

13 14 15


Lemma 8. Let C be a genus 2 curve. Then Aut(C) ≅ V4 if and only if the theta functions of C satisfy

4 4 4 4 4 4 2 2 2 2 2 2 2 2 4 2 2 2 4 2 (1 2 )(3 4 )(8 10 )(1 3 8 2 1 2 4 10 + 1 3 10 + 3 2 10 ) 2 2 2 2 2 4 2 2 2 2 2 4 2 2 4 2 2 2 2 2 2 2 2 2 2 2 2 4 (3 8 2 4 2 4 10 + 1 3 4 10 3 2 10 )(8 3 2 + 8 2 10 4 + 1 3 8 10 3 2 10 ) 2 4 2 2 4 2 2 2 2 2 2 2 2 2 2 2 2 2 2 2 4 2 4 2 2 2 2 2 8 4 1 (1 10 4 + 8 2 10 4 + 1 3 8 10 )(1 8 3 4 + 1 10 4 + 1 3 10 3 2 10 4 ) 2 2 2 2 4 2 2 2 2 2 2 4 2 2 4 2 2 2 2 2 2 2 4 2 2 2 2 2 (1 8 2 4 + 1 10 4 1 3 2 10 + 2 4 10 )(8 2 4 + 1 8 10 4 2 10 4 + 3 8 2 10 ) 4 2 2 2 2 2 2 2 2 2 2 2 4 2 4 2 2 2 2 2 2 2 2 2 2 2 2 4 8 4 1 2 4 10 1 (1 3 8 2 + 8 2 4 )(1 3 8 1 8 2 4 1 3 2 10 + 3 8 2 ) 2 4 2 2 2 2 2 2 2 4 2 2 2 2 2 2 4 2 2 2 2 2 4 2 2 2 2 2 (1 8 3 1 8 10 4 + 1 3 10 3 8 2 10 )(1 8 4 1 3 4 10 + 1 3 8 3 8 2 4 ) = 0

(23)

However, we are unable to get a similar result for the cases D_8 or D_12 by this argument. Instead, we will use the invariants of genus 2 curves and a more computational approach. In the process, we will offer a different proof of the lemma above. Our goal is to express each locus in terms of the theta characteristics. We obtain the following result.

Theorem 3. Let C be a genus 2 curve. Then the following hold:
i) Aut(C) ≅ V_4 if and only if the relation of theta functions given in Eq. (23) holds.
ii) Aut(C) ≅ D_8 if and only if Eq. (1) in [65] is satisfied.
iii) Aut(C) ≅ D_12 if and only if Eq. (2) in [65] is satisfied.

Proof. Part i) of the theorem is Lemma 8. Here we give a somewhat different proof. Assume that C is a genus 2 curve with equation Y² = X(X − 1)(X − a_1)(X − a_2)(X − a_3) whose classical invariants satisfy Eq. (7). Expressing the classical invariants of C in terms of a_1, a_2, a_3, substituting them into (7), and factoring the resulting equation yields

(a1 a2 a2 a3 a2 + a3)² (a1 a2 a1 + a3 a1 a3 a2)² (a1 a2 a3 a1 a3 a2 + a3)² (a3 a1 a1 a3 a2 + a3)² (a1 a2 + a1 a3 a1 a2)² (a1 a2 a1 a3 a1 + a3)² (a3 a1 + a2 a3 a3 a2)² (a1 + a3 a1 + a2 a3)² (a1 a2 a1 a2 + a3)² (a1 a2 a1 + a2 a3 a2)² (a1 a2 + a3 a2 a3)² (a1 a2 a3 a1 a2 + a3 a2)²    (24)

It is no surprise that we get the 15 factors of Table 1. The relations of theta constants follow from the table.
ii) Let C be a genus 2 curve which has an elliptic involution. Then C is isomorphic to a curve with equation Y² = X(X − 1)(X − a_1)(X − a_2)(X − a_1 a_2). If Aut(C) ≅ D_8 then the SL_2(k)-invariants of such a curve must satisfy the equation of the D_8 locus. Then we get the equation in terms of a_1, a_2. By writing the relation a_3 = a_1 a_2 in terms of theta constants, we get θ_4⁴ = θ_3⁴. All the results above lead to part ii) of the theorem.
iii) The proof of this part is similar to part ii).

We would like to express the conditions of the previous lemma in terms of the fundamental theta constants only.

Lemma 9. Let C be a genus 2 curve. Then we have the following:
i) V_4 ↪ Aut(C) if and only if the fundamental theta constants of C satisfy Eq. (25), a polynomial relation in θ_1, θ_2, θ_3, θ_4 whose explicit form is not legible in this copy.    (25)
ii) D_8 ↪ Aut(C) if and only if the fundamental theta constants of C satisfy Eq. (3) in [65].
iii) D_6 ↪ Aut(C) if and only if the fundamental theta constants of C satisfy Eq. (4) in [65].

Proof. Notice that Eq. (23) contains only θ_1, θ_2, θ_3, θ_4, θ_8 and θ_10. Using Eq. (5), we can eliminate θ_8 and θ_10 from Eq. (23). The J_10 invariant of any genus two curve is given in terms of theta constants by an expression (not legible in this copy) that contains the factors (θ_1²θ_2² − θ_3²θ_4²)¹², (θ_1²θ_4² − θ_2²θ_3²)¹² and (θ_1²θ_3² − θ_2²θ_4²)¹². Since J_10 ≠ 0 we can cancel the factors (θ_1²θ_2² − θ_3²θ_4²), (θ_1²θ_4² − θ_2²θ_3²) and (θ_1²θ_3² − θ_2²θ_4²) from the equation of the V_4 locus. The result follows from Theorem 3. The proofs of parts ii) and iii) are similar and we omit the details.

Remark 3. i) For the other two loci, we can also obtain equations in terms of the fundamental theta constants. However, such equations are big and we don't display them here.
ii) By using Frobenius's relations we get J_10 as a monomial in (θ_1 θ_3), (θ_2 θ_4) and (θ_5 θ_6 θ_7 θ_8 θ_9) divided by a power of 2 (the exponents are not legible in this copy). Hence, θ_i ≠ 0 for i = 1, 3, 5, …, 9.


4.4. Kummer surface
The Kummer surface is an algebraic variety which is quite useful in studying genus two curves. Using the Kummer surface we can take the Jacobian as a double cover of the Kummer surface. Both the Kummer surface and the Jacobian, as noted above, can be given in terms of the theta functions and theta-nulls. The Kummer surface is the variety obtained by identifying two opposite points of the Jacobian of a genus 2 curve. More precisely, there is a map κ : Jac(C) → K(C) such that each point of K has two preimages which are opposite elements of Jac(C). There are 16 exceptions that correspond to the 16 two-torsion points. The Kummer surface does not naturally come with a group structure. However the group law on the Jacobian endows a pseudo-group structure on the Kummer surface that is sufficient to define scalar multiplication.
Let τ be a matrix in H_2. The Kummer surface associated to τ is the locus of the images of the map from C² to P³(C) given in terms of the theta functions. It is a projective variety of dimension 2 that we will denote by K(τ) or simply K. The group law on the Jacobian does not carry over to a group law on K. We shall consider a Kummer surface K = K_{a,b,c,d} parameterized by the theta constants θ_1, θ_2, θ_3, θ_4. We write (x, y, z, t) for the projective coordinates of points on K, that is
x = λθ_1(z), y = λθ_2(z), z = λθ_3(z), t = λθ_4(z)
for some z ∈ C² and some λ ∈ C*. Then the Kummer surface is given by the equation
(x⁴ + y⁴ + z⁴ + t⁴) + A xyzt − B(x²t² + y²z²) − C(x²z² + y²t²) − D(x²y² + z²t²) = 0    (26)
where A, B, C, D are rational functions of θ_1, θ_2, θ_3, θ_4 (A carries the factor θ_1θ_2θ_3θ_4/128; the full expressions are not legible in this copy). Such an equation can be easily obtained by simple computations using the main definitions of the Kummer surface in the book of Cassels and Flynn [25] or the work of Gaudry [27].
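The quartic (26) can be instantiated and checked directly. The following Python is an added example, not code from the paper or its Maple package. It uses the coefficient normalisation of Gaudry [27] for the model with 2E·xyzt (an assumption; the paper's A, B, C, D are scaled differently), treats four rational numbers as constructed stand-ins for the theta constants θ_1(0), …, θ_4(0), and verifies that the base point and the 16 points obtained from it by the coordinate permutations and even sign changes that preserve the quartic (in this model, the images of the identity and of the other 15 two-torsion points) lie on the surface, while an odd sign change does not.

```python
from fractions import Fraction

# Added example (not from the paper or its Maple package): the Kummer quartic of
# Eq. (26) from four "theta constants" (a, b, c, d), in the normalisation
#   x^4+y^4+z^4+t^4 + 2E xyzt - F(x^2t^2+y^2z^2) - G(x^2z^2+y^2t^2) - H(x^2y^2+z^2t^2) = 0
# used by Gaudry [27] (an assumption; the paper's A, B, C, D are scaled differently).
# The numbers passed in are constructed stand-ins for theta_1(0), ..., theta_4(0).

def kummer_coefficients(a, b, c, d):
    a, b, c, d = (Fraction(v) for v in (a, b, c, d))
    a2, b2, c2, d2 = a * a, b * b, c * c, d * d
    # the three denominators vanish only for degenerate (non-generic) constants
    p, q, r = a2 * d2 - b2 * c2, a2 * c2 - b2 * d2, a2 * b2 - c2 * d2
    if 0 in (p, q, r):
        raise ValueError("degenerate constants: a Kummer denominator vanishes")
    # squares of the dual theta constants
    A2 = a2 + b2 + c2 + d2
    B2 = a2 + b2 - c2 - d2
    C2 = a2 - b2 + c2 - d2
    D2 = a2 - b2 - c2 + d2
    E = a * b * c * d * A2 * B2 * C2 * D2 / (p * q * r)
    F = (a2 * a2 - b2 * b2 - c2 * c2 + d2 * d2) / p
    G = (a2 * a2 - b2 * b2 + c2 * c2 - d2 * d2) / q
    H = (a2 * a2 + b2 * b2 - c2 * c2 - d2 * d2) / r
    return E, F, G, H

def kummer_residual(coeffs, point):
    """Left-hand side of the quartic at a projective point; 0 exactly when it lies on K."""
    E, F, G, H = coeffs
    x, y, z, t = (Fraction(v) for v in point)
    return (x**4 + y**4 + z**4 + t**4 + 2 * E * x * y * z * t
            - F * (x * x * t * t + y * y * z * z)
            - G * (x * x * z * z + y * y * t * t)
            - H * (x * x * y * y + z * z * t * t))

def two_torsion_images(a, b, c, d):
    """The 16 points obtained from (a:b:c:d) by the coordinate permutations and even
    sign changes that preserve the quartic; in this model they are the images of the
    identity and of the other 15 two-torsion points (assumption)."""
    perms = [(a, b, c, d), (b, a, d, c), (c, d, a, b), (d, c, b, a)]
    signs = [(1, 1, 1, 1), (1, -1, 1, -1), (1, 1, -1, -1), (1, -1, -1, 1)]
    return [tuple(s * v for s, v in zip(sg, pm)) for pm in perms for sg in signs]

if __name__ == "__main__":
    k = kummer_coefficients(2, 1, 3, 7)
    print("base point on K:", kummer_residual(k, (2, 1, 3, 7)) == 0)
    print("two-torsion images on K:",
          all(kummer_residual(k, P) == 0 for P in two_torsion_images(2, 1, 3, 7)))
```

Exact rational arithmetic is used on purpose: the identity that the base point satisfies the quartic is a polynomial identity in a, b, c, d, so a zero residual is exact, and an odd sign change such as (a : −b : c : d) flips only the xyzt term and lands off the surface whenever E ≠ 0.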


5. Decomposable Jacobians
Let C be a genus 2 curve defined over an algebraically closed field k of characteristic zero. Let ψ : C → E be a degree n maximal covering (i.e. ψ does not factor through an isogeny) to an elliptic curve E defined over k. We say that C has a degree n elliptic subcover. Degree n elliptic subcovers occur in pairs. Let (E, E′) be such a pair. It is well known that there is an isogeny of degree n² between the Jacobian J_C of C and the product E × E′. We say that C has (n, n)-split Jacobian.
Curves of genus 2 with elliptic subcovers go back to Legendre and Jacobi. Legendre, in his Théorie des fonctions elliptiques, gave the first example of a genus 2 curve with degree 2 elliptic subcovers. In a review of Legendre's work, Jacobi (1832) gives a complete description for n = 2. The case n = 3 was studied during the 19th century by Hermite, Goursat, Burkhardt, Brioschi, and Bolza. For a history and background of the 19th century work see Krazer [43, pg. 479]. Cases when n > 3 are more difficult to handle. Recently, Shaska dealt with the cases n = 5, 7 in [49]. The locus of such C, denoted by L_n, is an algebraic subvariety of the moduli space M_2. The space L_2 was studied in Shaska/Völklein [66]. The space L_n for n = 3, 5 was studied by Shaska in [63,49], where an algebraic description was given as a sublocus of M_2.

5.1. Curves of genus 2 with split Jacobians
Let C and E be curves of genus 2 and 1, respectively. Both are smooth, projective curves defined over k, char(k) = 0. Let ψ : C → E be a covering of degree n. From the Riemann-Hurwitz formula, Σ_{P∈C} (e_ψ(P) − 1) = 2, where e_ψ(P) is the ramification index of the point P ∈ C under ψ. Thus, we have two points of ramification index 2 or one point of ramification index 3. The two points of ramification index 2 can be in the same fiber or in different fibers. Therefore, we have the following cases of the covering ψ:
Case I: There are P_1, P_2 ∈ C such that e_ψ(P_1) = e_ψ(P_2) = 2, ψ(P_1) ≠ ψ(P_2), and ∀P ∈ C \ {P_1, P_2}, e_ψ(P) = 1.
Case II: There are P_1, P_2 ∈ C such that e_ψ(P_1) = e_ψ(P_2) = 2, ψ(P_1) = ψ(P_2), and ∀P ∈ C \ {P_1, P_2}, e_ψ(P) = 1.
Case III: There is P_1 ∈ C such that e_ψ(P_1) = 3, and ∀P ∈ C \ {P_1}, e_ψ(P) = 1.
In case I (resp. II, III) the cover ψ has 2 (resp. 1) branch points in E.
Denote the hyperelliptic involution of C by w. We choose O in E such that w restricted to E is the hyperelliptic involution on E. We denote the restriction of w on E by v, v(P) = −P. Thus, ψ ∘ w = v ∘ ψ. E[2] denotes the group of 2-torsion points of the elliptic curve E, which are the points fixed by v. The proof of the following two lemmas is straightforward and will be omitted.
Lemma 10. a) If Q ∈ E, then ∀P ∈ ψ^{-1}(Q), w(P) ∈ ψ^{-1}(−Q). b) For all P ∈ C, e_ψ(P) = e_ψ(w(P)).


Let W be the set of points in C fixed by w. Every curve of genus 2 is given, up to isomorphism, by a binary sextic, so there are 6 points fixed by the hyperelliptic involution w, namely the Weierstrass points of C. The following lemma determines the distribution of the Weierstrass points in the fibers of the 2-torsion points.
Lemma 11. The following hold:
1. ψ(W) ⊂ E[2].
2. If n is odd then i) ψ(W) = E[2]; ii) if Q ∈ E[2] then #(ψ^{-1}(Q) ∩ W) ≡ 1 (mod 2).
3. If n is even then for all Q ∈ E[2], #(ψ^{-1}(Q) ∩ W) ≡ 0 (mod 2).
Let π_C : C → P¹ and π_E : E → P¹ be the natural degree 2 projections. The hyperelliptic involution permutes the points in the fibers of π_C and π_E. The ramified points of π_C, π_E are respectively the points in W and E[2], and their ramification index is 2. There is φ : P¹ → P¹ such that the following diagram commutes:

        ψ
   C ------> E
   |         |
  π_C       π_E                     (27)
   |         |
   v    φ    v
   P¹ -----> P¹

Next, we will determine the ramification of the induced coverings φ : P¹ → P¹. First we fix some notation. For a given branch point we will denote the ramification of the points in its fiber as follows. Any point P of ramification index m is denoted by (m). If there are k such points then we write (m)^k. We omit writing symbols for unramified points, in other words (1)^k will not be written. Ramification data between two branch points will be separated by commas. We denote π_E(E[2]) = {q_1, …, q_4} and π_C(W) = {w_1, …, w_6}.

5.2. Maximal coverings ψ : C → E
Let ψ_1 : C → E_1 be a covering of degree n from a curve of genus 2 to an elliptic curve. The covering ψ_1 : C → E_1 is called a maximal covering if it does not factor through a nontrivial isogeny. A map of algebraic curves f : X → Y induces maps between their Jacobians f^* : J_Y → J_X and f_* : J_X → J_Y. When f is maximal then f^* is injective and ker(f_*) is connected, see [61] for details. Let ψ_1 : C → E_1 be a covering as above which is maximal. Then ψ_1^* : E_1 → J_C is injective and the kernel of ψ_{1,*} : J_C → E_1 is an elliptic curve which we denote by E_2. For a fixed Weierstrass point P ∈ C, we can embed C into its Jacobian via
i_P : C → J_C,  x ↦ [(x) − (P)]    (28)

Let g : E_2 → J_C be the natural embedding of E_2 in J_C; then there exists g^* : J_C → E_2. Define ψ_2 = g^* ∘ i_P : C → E_2. So we have the following exact sequences:
0 → E_2 --g--> J_C --ψ_{1,*}--> E_1 → 0
0 → E_1 --ψ_1^*--> J_C --g^*--> E_2 → 0
If deg(ψ_1) is an odd number then the maximal covering ψ_2 : C → E_2 is unique. If the cover ψ_1 : C → E_1 is given, and therefore φ_1, we want to determine ψ_2 : C → E_2 and φ_2. The study of the relation between the ramification structures of φ_1 and φ_2 provides information in this direction. The following lemma answers this question for the set of Weierstrass points W = {P_1, …, P_6} of C when the degree of the cover is odd.
Lemma 12. Let ψ_1 : C → E_1 be maximal of degree n. Then the map ψ_2 : C → E_2 is a maximal covering of degree n. Moreover,
i) if n is odd and O_i ∈ E_i[2], i = 1, 2, are the places such that #(ψ_i^{-1}(O_i) ∩ W) = 3, then ψ_1^{-1}(O_1) ∩ W and ψ_2^{-1}(O_2) ∩ W form a disjoint union of W;
ii) if n is even and Q ∈ E[2], then #(ψ^{-1}(Q) ∩ W) = 0 or 2.
The above lemma says that if ψ is maximal of even degree then the corresponding induced covering φ can have only type I ramification.

5.3. The locus of genus two curves with (n, n)-split Jacobians
Two covers f : X → P¹ and f′ : X′ → P¹ are called weakly equivalent if there is a homeomorphism h : X → X′ and an analytic automorphism g of P¹ (i.e., a Möbius transformation) such that g ∘ f = f′ ∘ h. The covers f and f′ are called equivalent if the above holds with g = 1. Consider a cover f : X → P¹ of degree n, with branch points p_1, …, p_r ∈ P¹. Pick p ∈ P¹ \ {p_1, …, p_r}, and choose loops γ_i around p_i such that γ_1, …, γ_r is a standard generating system of the fundamental group Γ := π_1(P¹ \ {p_1, …, p_r}, p); in particular, we have γ_1 ⋯ γ_r = 1. Such a system γ_1, …, γ_r is called a homotopy basis of P¹ \ {p_1, …, p_r}. The group Γ acts on the fiber f^{-1}(p) by path lifting, inducing a transitive subgroup G of the symmetric group S_n (determined by f up to conjugacy in S_n). It is called the monodromy group of f. The images of γ_1, …, γ_r in S_n form a tuple of permutations σ = (σ_1, …, σ_r) called a tuple of branch cycles of f. We say a cover f : X → P¹ of degree n is of type σ if it has σ as tuple of branch cycles relative to some homotopy basis of P¹ minus the branch points of f. Let H_σ be the set of weak equivalence classes of covers of type σ. The Hurwitz space H_σ carries a natural structure of a quasiprojective variety. We have H_σ = H_τ if and only if the tuples σ, τ are in the same braid orbit O_τ = O_σ. In the case of the covers φ : P¹ → P¹ from above, the corresponding braid orbit consists of all tuples in S_n whose cycle type matches the ramification structure of φ.


5.3.1. Humbert surfaces
Let A_2 denote the moduli space of principally polarized Abelian surfaces. It is well known that A_2 is the quotient of the Siegel upper half space H_2 of symmetric complex 2 × 2 matrices with positive definite imaginary part by the action of the symplectic group Sp_4(Z). Let Δ be a fixed positive integer and N_Δ be the set of matrices
τ = ( z_1  z_2 ; z_2  z_3 ) ∈ H_2
such that there exist nonzero integers a, b, c, d, e with the following properties:
a z_1 + b z_2 + c z_3 + d(z_2² − z_1 z_3) + e = 0,    Δ = b² − 4ac − 4de    (29)
The Humbert surface H_Δ of discriminant Δ is the image of N_Δ under the canonical map H_2 → A_2 := Sp_4(Z) \ H_2, see [36,10,53] for details. It is known that H_Δ ≠ ∅ if and only if Δ > 0 and Δ ≡ 0 or 1 mod 4. Humbert (1900) studied the zero loci in Eq. (29) and discovered certain relations between points in these spaces and certain plane configurations of six lines; see [36] for more details.
For a genus 2 curve C defined over C, [C] belongs to L_n if and only if the isomorphism class [J_C] ∈ A_2 of its (principally polarized) Jacobian J_C belongs to the Humbert surface H_{n²}, viewed as a subset of the moduli space A_2 of principally polarized Abelian surfaces; see [53, Theorem 1, p. 125] for the proof of this statement. In [53] it is shown that there is a one to one correspondence between the points in L_n and the points in H_{n²}. Thus, we have the map
H_σ → L_n → H_{n²},    ([f], (p_1, …, p_r)) ↦ [C] ↦ [J_C]    (30)
where the points of H_{n²} are represented by period matrices τ = ( z_1  1/n ; 1/n  z_2 ) with z_1, z_2 ∈ H.
There have been many attempts to explicitly describe these Humbert surfaces. For some small discriminants this has been done in [66], [63], [49]. Geometric characterizations of such spaces for Δ = 4, 8, 9, and 12 were given by Humbert (1900) in [36] and for Δ = 13, 16, 17, 20, 21 by Birkenhake/Wilhelm.


5.4. Genus 2 curves with degree 3 elliptic subcovers
This case was studied in detail in [63]. The main theorem was:
Theorem 4. Let K be a genus 2 field and e_3(K) the number of Aut(K/k)-classes of elliptic subfields of K of degree 3. Then:
i) e_3(K) = 0, 1, 2, or 4;
ii) e_3(K) ≥ 1 if and only if the classical invariants of K satisfy the irreducible equation F(J_2, J_4, J_6, J_10) = 0 displayed in [63, Appendix A].
There are exactly two genus 2 curves (up to isomorphism) with e_3(K) = 4. The case e_3(K) = 1 (resp., 2) occurs for a 1-dimensional (resp., 2-dimensional) family of genus 2 curves, see [63].

A geometrical interpretation of the Shaska surface (the space L_3) and its singular locus can be found in [4].
Lemma 13. Let K be a genus 2 field and E an elliptic subfield of degree 3.
i) Then K = k(X, Y) such that
Y² = (4X³ + b²X² + 2bX + 1)(X³ + aX² + bX + 1)    (31)
for a, b ∈ k such that
(4a³ + 27 − 18ab − a²b² + 4b³)(b³ − 27) ≠ 0.    (32)


The roots of the first (resp. second) cubic correspond to W^{(1)}(K, E) (resp. W^{(2)}(K, E)) in the coordinates X, Y (see Theorem 3).
ii) E = k(U, V) where
U = X²/(X³ + aX² + bX + 1)
and
V² = U³ + (2(ab² − 6a² + 9b)/R) U² + ((12a − b²)/R) U − 4/R    (33)
iii) Let K′ be a genus 2 field and E′ ⊂ K′ a degree 3 elliptic subfield. Let a′, b′ be the associated parameters as above and u := ab, v := b³. Then there is a k-isomorphism K → K′ mapping E → E′ if and only if there exists a third root of unity ε ∈ k with a′ = εa and b′ = ε²b. If b ≠ 0 then such an ε exists if and only if v = v′ and u = u′.
iv) The classical invariants of K satisfy the equation in [63, Appendix A].
Let
F(X) := X³ + aX² + bX + 1,    G(X) := 4X³ + b²X² + 2bX + 1    (34)
Denote by R = 4a³ + 27 − 18ab − a²b² + 4b³ the resultant of F and G. Then we have the following lemma.
Lemma 14. Let a, b ∈ k satisfy equation (32). Then equation (31) defines a genus 2 field K = k(X, Y). It has elliptic subfields of degree 3, E_i = k(U_i, V_i), i = 1, 2, where U_i and V_i are as follows:
U_1 = X²/F(X),    V_1 = Y (X³ − bX − 2)/F(X)²    (35)
and
U_2 = (X − s)²(X − t)/G(X)        if b(b³ − 4ab + 9) ≠ 0,
U_2 = (3X − a)/(3(4X³ + 1))        if b = 0,
U_2 = (bX + 3)²/(b² G(X))          if b³ − 4ab + 9 = 0,
where s = −3/b and t is a rational function of a, b with denominator b³ − 4ab + 9 (its numerator is not legible in this copy), and
V_2 = (27 b³ Y / G(X)²) ((4ab − 8 − b³)X³ − (b² − 4ab)X² + bX + 1)    if b(b³ − 4ab + 9) ≠ 0,
V_2 = Y (8X³ − 4aX² − 1)/(4X³ + 1)²                                   if b = 0,
V_2 = (8Y/(b√b G(X))) (bX³ + 9X² + b²X + b)                           if b³ − 4ab + 9 = 0.    (36)

5.5. Elliptic subcovers
We express the j-invariants j_i of the elliptic subfields E_i of K, from Lemma 14, in terms of u and v as follows:
j_1 = 16 v (v u² + 216 u² − 126 v u − 972 u + 12 v² + 405 v)³ / ((v − 27)³ (4v² + 27v + 4u³ − 18vu − vu²)²)
j_2 = 256 (u² − 3v)³ / (v (4v² + 27v + 4u³ − 18vu − vu²))    (37)
where v ≠ 0, 27.
Remark 5. The automorphism σ ∈ Gal_{k(u,v)/k(r_1,r_2)} permutes the elliptic subfields. One can easily check that σ(j_1) = j_2, σ(j_2) = j_1.
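Lemma 14 and Eq. (37) can be checked in exact arithmetic for concrete a, b. The following Python is an added example, not code from the paper or its Maple package. It expands both sides of the polynomial identity G(X)·(X³ − bX − 2)² = −R·(X⁶ + a_2 X⁴F + a_4 X²F² + a_6 F³), where a_2, a_4, a_6 are the coefficients of (33); on Y² = F(X)G(X) this identity says exactly that V_1² = −R·(U_1³ + a_2U_1² + a_4U_1 + a_6), so (U_1, V_1/√−R) is a point of the curve (33) (k is algebraically closed here, so the constant √−R is harmless). It then compares the j-invariant of the Weierstrass model (33), computed with the standard b_2, b_4, b_6, b_8, c_4, Δ formulas, with the closed form j_1 of (37). Polynomials are lists of Fractions with the constant term first; the test values of (a, b) are constructed, not curves from the paper.

```python
from fractions import Fraction as Fr

# Added example (not from the paper or its Maple package): exact checks of Lemma 14,
# Eq. (33) and Eq. (37) for concrete a, b.  Polynomials in X are lists of Fractions,
# constant term first.

def padd(p, q):
    n = max(len(p), len(q))
    return [(p[i] if i < len(p) else Fr(0)) + (q[i] if i < len(q) else Fr(0)) for i in range(n)]

def pmul(p, q):
    out = [Fr(0)] * (len(p) + len(q) - 1)
    for i, x in enumerate(p):
        for j, y in enumerate(q):
            out[i + j] += x * y
    return out

def pscale(c, p):
    return [c * x for x in p]

def resultant_R(a, b):
    """R = 4a^3 + 27 - 18ab - a^2 b^2 + 4b^3, the resultant of F and G of Eq. (34)."""
    return 4 * a**3 + 27 - 18 * a * b - a * a * b * b + 4 * b**3

def weierstrass_E1(a, b):
    """(a2, a4, a6) of Eq. (33): V^2 = U^3 + a2 U^2 + a4 U + a6."""
    R = resultant_R(Fr(a), Fr(b))
    return (2 * (a * b * b - 6 * a * a + 9 * b) / R, (12 * a - b * b) / R, Fr(-4) / R)

def subcover_identity_residual(a, b):
    """Coefficients of G(X) (X^3 - bX - 2)^2 + R (X^6 + a2 X^4 F + a4 X^2 F^2 + a6 F^3).
    The zero polynomial means that on Y^2 = F(X) G(X) the functions U_1 = X^2/F and
    V_1 = Y (X^3 - bX - 2)/F^2 of Lemma 14 satisfy V_1^2 = -R (U_1^3 + a2 U_1^2 + a4 U_1 + a6),
    i.e. (U_1, V_1 / sqrt(-R)) is a point of the curve (33)."""
    a, b = Fr(a), Fr(b)
    R = resultant_R(a, b)
    if R == 0 or b**3 == 27:
        raise ValueError("condition (32) fails: R (b^3 - 27) must be nonzero")
    F = [Fr(1), b, a, Fr(1)]          # X^3 + aX^2 + bX + 1
    G = [Fr(1), 2 * b, b * b, Fr(4)]  # 4X^3 + b^2 X^2 + 2bX + 1
    M = [Fr(-2), -b, Fr(0), Fr(1)]    # X^3 - bX - 2
    a2, a4, a6 = weierstrass_E1(a, b)
    F2 = pmul(F, F)
    P = [Fr(0)] * 6 + [Fr(1)]                                   # X^6
    P = padd(P, pscale(a2, pmul([Fr(0)] * 4 + [Fr(1)], F)))     # + a2 X^4 F
    P = padd(P, pscale(a4, pmul([Fr(0)] * 2 + [Fr(1)], F2)))    # + a4 X^2 F^2
    P = padd(P, pscale(a6, pmul(F2, F)))                        # + a6 F^3
    return padd(pmul(G, pmul(M, M)), pscale(R, P))

def j_invariant(a2, a4, a6):
    """j of y^2 = x^3 + a2 x^2 + a4 x + a6 (standard b2, b4, b6, b8, c4, Delta)."""
    b2, b4, b6, b8 = 4 * a2, 2 * a4, 4 * a6, 4 * a2 * a6 - a4 * a4
    c4 = b2 * b2 - 24 * b4
    delta = -b2 * b2 * b8 - 8 * b4**3 - 27 * b6 * b6 + 9 * b2 * b4 * b6
    return c4**3 / delta

def j1_closed_form(a, b):
    """j_1 of Eq. (37) with u = ab, v = b^3 (needs v != 0, 27)."""
    u, v = Fr(a) * Fr(b), Fr(b) ** 3
    num = 16 * v * (v * u * u + 216 * u * u - 126 * v * u - 972 * u + 12 * v * v + 405 * v) ** 3
    den = (v - 27) ** 3 * (4 * v * v + 27 * v + 4 * u**3 - 18 * v * u - v * u * u) ** 2
    return num / den
```

The agreement of j_invariant(*weierstrass_E1(a, b)) with j1_closed_form(a, b) also settles which subfield the first formula of (37) belongs to: it is the one generated by U_1 = X²/F(X). Note that the second factor of the denominator of (37) is b³R, so the formula degenerates exactly where condition (32) fails.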

Lemma 15. The j-invariants of the elliptic subfields satisfy the following quadratic equation over k(r_1, r_2):
j² − T j + N = 0,    (38)
where T, N are given in [63].

5.5.1. Isomorphic elliptic subfields
Suppose that E_1 ≅ E_2. Then j_1 = j_2 implies that
8v³ + 27v² − 54uv² − u²v² + 108u²v + 4u³v − 108u³ = 0    (39)
or
324v⁴u² − 5832v⁴u + 37908v⁴ − 314928v³u − 81v³u⁴ + 255879v³ + 30618v³u² − 864v³u³ − 6377292uv² + 8503056v² − 324u⁵v² + 2125764u²v² − 215784u³v² + 14580u⁴v² + 16u⁶v² + 78732u³v + 8748u⁵v − 864u⁶v − 157464u⁴v + 11664u⁶ = 0    (40)


The former equation is the condition that the Jacobian determinant det(Jac) = 0. From the expressions of i_1, i_2, i_3 we can express u as a rational function in i_1, i_2, and v. This is displayed in [63, Appendix B]. Also, [k(v) : k(i_1)] = 8 and [k(v) : k(i_2)] = 12. Eliminating v we get a curve in i_1 and i_2 which has degree 8 and 12 respectively. Thus, k(u, v) = k(i_1, i_2). Hence, e_3(K) = 1 for any K such that the associated u and v satisfy the equation; see [63] for details.

5.5.2. The degenerate case
We assume now that one of the extensions K/E_i from Lemma 14 is degenerate, i.e. has only one branch point. The following lemma determines a relation between j_1 and j_2.
Lemma 16. Suppose that K/E_2 has only one branch point. Then
729 j_1 j_2 − (j_2 − 432)³ = 0.
For details of the proof see Shaska [63]. Making the substitution T = 27 j_1 we get j_1 = F_2(T) = (T + 16)³/T, where F_2(T) is the Fricke polynomial of level 2. If both K/E_1 and K/E_2 are degenerate then
729 j_1 j_2 − (j_1 − 432)³ = 0,    729 j_1 j_2 − (j_2 − 432)³ = 0    (41)
There are 7 solutions to the above system. Three of them give isomorphic elliptic curves:
j_1 = j_2 = 1728,    j_1 = j_2 = (297 ± 81√−15)/2    (42)
The other 4 solutions are given by
729 j_1 j_2 − (j_1 − 432)³ = 0,    j_1² + j_2² − 1296(j_1 + j_2) + j_1 j_2 + 559872 = 0.

5.6. Further remarks
If e_3(C) ≥ 1 then the automorphism group of C is one of the following: Z_2, V_4, D_4, or D_6. Moreover, there are exactly 6 curves C ∈ L_3 with automorphism group D_4 and six curves C ∈ L_3 with automorphism group D_6. They are listed in [62], where rational points of such curves are found. Genus 2 curves with degree 5 elliptic subcovers are studied in [49], where a description of the space L_5 is given together with all its degenerate loci. The case of degree 7 is the first case when all possible degenerate loci occur.


We have organized the results of this paper in a Maple package which determines if a genus 2 curve has degree n = 2, 3 elliptic subcovers. Further, all its elliptic subcovers are determined explicitly. We intend to implement the results for n = 5 and the degenerate cases for n = 7.

6. Modular polynomials for genus 2
The term modular polynomial refers to polynomials which parametrize isogenies of elliptic curves, as for example those in equations (15), (14). Recently there have been efforts to define modular polynomials for higher genus, mostly by Lauter and her collaborators as in [5]. This section is merely a quick recap of that paper with some suggestions on how to compute some of these polynomials.
Let H_g = {τ ∈ Mat_g(C) | τ^T = τ, Im(τ) > 0} be the Siegel upper half plane. We denote by J the matrix
J = ( 0  I_g ; −I_g  0 ).
The symplectic group Sp(2g, Z) = {M ∈ GL(2g, Z) | M J M^T = J} acts on H_g,
Sp(2g, Z) × H_g → H_g,    ( a  b ; c  d ) · τ = (aτ + b)(cτ + d)^{-1},
where a, b, c, d are g × g matrices. From now on we take g = 2.
Let A/C be a 2-dimensional principally polarized Abelian variety, and let N ≥ 1 be a positive integer. The N-torsion A[N] of A is, non-canonically, isomorphic to (Z/NZ)⁴. The polarization on A induces a symplectic form v on the rank 4 (Z/NZ)-module A[N]. We choose a basis for A[N] such that v is given by the matrix ( 0  I_2 ; −I_2  0 ), and we let Sp(4, Z/NZ) be the subgroup of the matrix group GL(4, Z/NZ) that respects v. A subspace G ⊂ A[N] is called isotropic if v restricts to the zero form on G × G, and we say that A and A′ are (N, N)-isogenous if there is an isogeny A → A′ whose kernel is isotropic of order N².
The full congruence subgroup Γ(N) of level N is defined as the kernel of the reduction map Sp(4, Z) → Sp(4, Z/NZ). Explicitly, a matrix ( a  b ; c  d ) is contained in Γ(N) if and only if a, d ≡ I_2 mod N and b, c ≡ 0_2 mod N. The congruence subgroup Γ(N) fits in an exact sequence
1 → Γ(N) → Sp(4, Z) → Sp(4, Z/NZ) → 1.
The surjectivity is not completely trivial. The 2-dimensional analogue of the subgroup Γ_0(N) ⊂ SL_2(Z) occurring in the equality Y_0(N) = Γ_0(N)\H_1 of Riemann surfaces is the group
Γ_0^{(2)}(N) = { ( a  b ; c  d ) ∈ Sp(4, Z) | c ≡ 0_2 mod N }.
From now on, we restrict to the case N = p prime. The following lemma gives the link between the group Γ_0^{(2)}(p) and isotropic subspaces of the p-torsion, see [5].
Lemma 17. The index [Sp(4, Z) : Γ_0^{(2)}(p)] equals the number of 2-dimensional isotropic subspaces of the F_p-vector space F_p⁴.
Let S(p) be the set of equivalence classes of pairs (A, G), with A a 2-dimensional principally polarized Abelian variety and G ⊂ A[p] a 2-dimensional isotropic subspace. Here, two pairs (A, G) and (A′, G′) are said to be isomorphic if there exists an isomorphism of Abelian varieties φ : A → A′ with φ(G) = G′.
Theorem 5. The quotient space Γ_0^{(2)}(p)\H_2 is in canonical bijection with the set S(p) via
Γ_0^{(2)}(p) τ ↦ (A_τ, ⟨(1/p, 0, 0, 0), (0, 1/p, 0, 0)⟩),
where A_τ = C²/(Z² + τZ²) is the variety associated to τ.
As a quotient space, the 2-dimensional analogue of the curve Y_0(p) is Y_0^{(2)}(p) := Γ_0^{(2)}(p)\H_2.
Problem 1. Let g = 2. Determine Y_0^{(2)}(N).
It is shown in [5] that Y_0^{(2)}(p) has the structure of a quasi-projective variety. Siegel defined a metric on H_2 that respects the action of the symplectic group. With this metric, Y_0^{(2)}(p) becomes a topological space. Just as in the 1-dimensional case Y_0(p), it is not compact. We have the following lemma from [5].
Lemma 18. i) Y_0^{(2)}(N) is a non-compact quasi-projective variety of dimension 3 (the dimension of H_2).
ii) The Satake compactification Y_0^{(2)}(N)^* = Y_0^{(2)}(N) ∪ Y_0(N) ∪ P¹(Q) is a projective variety.
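The definitions above can be exercised on small cases. The following Python is an added example, not code from [5] or from the paper: it implements the symplectic form v of this section on Z⁴ and on F_p⁴, the membership tests for Sp(4, Z), Γ(N) and Γ_0^{(2)}(N) exactly as defined, and counts by brute force the 2-dimensional isotropic subspaces of F_p⁴ that Lemma 17 equates with the index [Sp(4, Z) : Γ_0^{(2)}(p)]. For p = 2, 3 the count is 15 and 40, i.e. (p⁴ − 1)/(p − 1), which is the degree appearing in Lemma 19 ii) below. The matrices in the test are constructed examples.

```python
from itertools import product

# Added example (not from the paper or [5]): the symplectic form of Section 6,
# membership in Sp(4, Z), Gamma(N) and Gamma_0^{(2)}(N), and a brute-force count
# of the 2-dimensional isotropic subspaces of F_p^4 (Lemma 17).

# J = (0 I_2 ; -I_2 0), the matrix of the form v on Z^4 and on (Z/NZ)^4
J = [[0, 0, 1, 0], [0, 0, 0, 1], [-1, 0, 0, 0], [0, -1, 0, 0]]

def matmul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(4)) for j in range(4)] for i in range(4)]

def transpose(X):
    return [list(col) for col in zip(*X)]

def is_symplectic(M):
    """M is in Sp(4, Z): M J M^T = J."""
    return matmul(matmul(M, J), transpose(M)) == J

def in_gamma(M, N):
    """Full congruence subgroup Gamma(N): symplectic and M = I mod N."""
    return is_symplectic(M) and all((M[i][j] - (i == j)) % N == 0 for i in range(4) for j in range(4))

def in_gamma0(M, N):
    """Gamma_0^{(2)}(N): symplectic with lower-left 2x2 block c = 0 mod N."""
    c = [row[:2] for row in M[2:]]
    return is_symplectic(M) and all(x % N == 0 for row in c for x in row)

def pairing(v, w, p):
    """v(v, w) = v^T J w reduced mod p."""
    return (v[0] * w[2] + v[1] * w[3] - v[2] * w[0] - v[3] * w[1]) % p

def rref_mod_p(rows, p):
    """Reduced row echelon form over F_p; a canonical, hashable name for the span."""
    rows = [[x % p for x in r] for r in rows]
    lead = 0
    for col in range(4):
        piv = next((i for i in range(lead, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[lead], rows[piv] = rows[piv], rows[lead]
        inv = pow(rows[lead][col], -1, p)
        rows[lead] = [(x * inv) % p for x in rows[lead]]
        for i in range(len(rows)):
            if i != lead and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[lead])]
        lead += 1
    return tuple(tuple(r) for r in rows if any(r))

def count_isotropic_planes(p):
    """Number of 2-dimensional subspaces G of F_p^4 with v zero on G x G.
    Lemma 17: this is the index [Sp(4,Z) : Gamma_0^{(2)}(p)]; it equals (p^4-1)/(p-1)."""
    vectors = [v for v in product(range(p), repeat=4) if any(v)]
    planes = set()
    for v in vectors:
        for w in vectors:
            if pairing(v, w, p) == 0:          # v(v, v) = 0 automatically (alternating form)
                basis = rref_mod_p([v, w], p)
                if len(basis) == 2:            # skip linearly dependent pairs
                    planes.add(basis)
    return len(planes)

if __name__ == "__main__":
    for p in (2, 3):
        print(p, count_isotropic_planes(p), (p**4 - 1) // (p - 1))
```

The matrices (I B; 0 I) with B symmetric lie in every Γ_0^{(2)}(N), while (I 0; C I) with C symmetric lies in Γ_0^{(2)}(N) exactly when C ≡ 0 mod N and in Γ(N) under the same condition; both families are symplectic only when the off-diagonal block is symmetric, which the test below checks.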


For a fixed prime p we define three functions I_i : H_2 → P¹(C), I_i(τ) := i_i(pτ). In [5] it is claimed that
Lemma 19. If N = p is a prime then we have the following:
i) C(Y_0^{(2)}(N)) = C(I_1, I_2, I_3);
ii) [k(I_1) : k] = (p⁴ − 1)/(p − 1).
The N-th modular polynomial Φ_N for i_1 is defined as the minimal polynomial of I_1 over k. Let the corresponding polynomials of the field extensions k(I_1)/k, k(I_2)/k, k(I_3)/k be Φ_{N,1}, Φ_{N,2}, Φ_{N,3}, respectively. They are called modular polynomials of genus 2 and level N.
Problem 2. Consider the following problems:
i) Compute explicitly k(I_1, I_2, I_3)/k or C(I_1, I_2, I_3).
ii) Compute Φ_{N,1}, Φ_{N,2}, Φ_{N,3}, which are the polynomials F_j(i_1, i_2, i_3, I_j) = 0 for j = 1, 2, 3.
Let each of the polynomials above be given by some equation
A_d I^d + … + A_1 I + A_0 = 0,    A_s ∈ C(i_1, i_2, i_3), s = 1, …, d.    (43)
Lemma 20 (Bröker, Lauter 2009). The coefficients A_s of Eq. (43) are rational functions in i_1, i_2, i_3, so A_s = N_s/D_s for s = 1, …, d with N_s, D_s ∈ C[i_1, i_2, i_3]. Let L_N(i_1, i_2, i_3) be the polynomial representing the Humbert surface H_{N²} or the space L_N. For N = p prime, L_N | D_s for all s = 1, …, d.

6.1. Computation of modular polynomials
To compute the polynomials Φ_{N,1}, Φ_{N,2}, Φ_{N,3} the following algorithm is suggested in Dupont's thesis, see [20]. Compute deg D_s, deg N_s over C(i_1, i_2, i_3). Fix β, γ ∈ Q. Take some values α_1, …, α_r. For the triples (α_j, β, γ) find the genus 2 curve C_j using the Rational_Model function of the genus 2 package described in Section 7. For the curve C_j find the corresponding τ_j. Then find the coefficients of I_1, I_2, I_3 for the given τ_j.


In this process explicit equations of L_N are needed. The method is not efficient, since the computation of L_N is quite difficult and much information is lost from the ideal.

Algorithm 1. Algorithm for computing the modular polynomials.
Require: A prime p.
Ensure: Modular polynomials Φ_{p,1}, Φ_{p,2}, Φ_{p,3}.
1: Pick a matrix τ ∈ H_2 which depends on three parameters λ_1, λ_2, λ_3.
2: Find the genus 2 curve C corresponding to τ.
3: Compute i_1, i_2, i_3 as functions of λ_1, λ_2, λ_3.
4: Compute pτ ∈ H_2.
5: Compute the genus 2 curve C′ corresponding to pτ.
6: Find I_1, I_2, I_3 for the curve C′ as functions of λ_1, λ_2, λ_3.
7: Create a system with six equations
i_1 − f_1(λ_1, λ_2, λ_3) = 0,    i_2 − f_2(λ_1, λ_2, λ_3) = 0,    i_3 − f_3(λ_1, λ_2, λ_3) = 0,
I_1 − g_1(pλ_1, pλ_2, pλ_3) = 0,    I_2 − g_2(pλ_1, pλ_2, pλ_3) = 0,    I_3 − g_3(pλ_1, pλ_2, pλ_3) = 0,
where f_j, g_j are rational functions for j = 1, 2, 3. Since M_2 has dimension 3 there are at most 3 parameters λ_1, λ_2, λ_3.
8: Eliminate λ_1, λ_2, λ_3 using the first three equations. The result are the modular polynomials Φ_{p,1}, Φ_{p,2}, Φ_{p,3}.

Such an algorithm requires some elimination theory or a Gröbner basis argument to eliminate λ_1, λ_2, λ_3. For details see [18].

7. A computational package for genus two curves
Genus 2 curves are the most used of all hyperelliptic curves, due to their application in cryptography, and also the best understood. The moduli space M_2 of genus 2 curves is a 3-dimensional variety. To understand how to describe the moduli points of this space we need to define the invariants of binary sextics. For details on such invariants and on genus 2 curves in general the reader can check [37], [65], [44]. We use the absolute invariants
i_1 := 144 J_4/J_2²,    i_2 := −1728 (J_2 J_4 − 3 J_6)/J_2³,    i_3 := 486 J_10/J_2⁵    (44)
to determine genus two fields with J_2 ≠ 0, J_4 ≠ 0, and J_6 ≠ 0 up to isomorphism. For a given genus 2 curve C the corresponding moduli point p = [C] is defined as
p = (i_1, i_2, i_3)     if J_2 ≠ 0,
p = (a_1, a_2)          if J_2 = 0, J_4 ≠ 0, J_6 ≠ 0,
p = J_6⁵/J_10³          if J_2 = 0, J_4 = 0, J_6 ≠ 0,
p = J_4⁵/J_10²          if J_2 = 0, J_6 = 0, J_4 ≠ 0.
Notice that the definition of a_1, a_2 can be totally avoided if one uses absolute invariants with J_10 in the denominator. However, the degree of such invariants is higher and therefore they are not effective computationally.
We have written a Maple package which finds most of the common properties and invariants of genus two curves. While this is still work in progress, we will describe briefly some of the functions of this package. The functions in this package are: J_2, J_4, J_6, J_10, J_48, L_3_d, a_1, a_2, i_1, i_2, i_3, theta_1, theta_2, theta_3, theta_4, AutGroup, CurvDeg3EllSub_J2, CurveDeg3EllSub, Ell_Sub, LocusCurves, Aut_D4, LocusCurvesAut_D4_J2, LocusCurvesAut_D6, LocusCurvesAut_V4, Rational_Model, Kummer. Next, we will give some examples on how some of these functions work.

7.1. Automorphism groups
A list of groups that can occur as automorphism groups of hyperelliptic curves is given in [65] among many other references. The function in the package that computes the automorphism group is AutGroup(). The output is the automorphism group. Since there is always confusion on the terminology when describing certain groups we also display the GAP identity of the group from the SmallGroup library. For a fixed group G one can compute the locus of genus g hyperelliptic curves with automorphism group G. For genus 2 these loci are well described as subvarieties of M_2.
Example 1. Let y² = f(x) be a genus 2 curve where f := x⁵ + 2x³ − x. Then the function AutGroup(f,x) displays:
> AutGroup(f,x);


[D_4, (8, 3)]
Example 2. Let y² = f(x) be a genus 2 curve where f := x⁶ + 2x³ − x. Then the function AutGroup(f,x) displays:
> AutGroup(f,x);
[V_4, (4, 2)]
We have also implemented the functions LocusCurvesAut_V_4(), LocusCurvesAut_D_4(), LocusCurvesAut_D4_J2(), LocusCurvesAut_D_6(), which give equations for the locus of curves with automorphism group V_4, D_4 or D_6.

7.2. Genus 2 curves with split Jacobians
A genus 2 curve which has a degree n maximal map to an elliptic curve is said to have (n, n)-split Jacobian; see [62] for details. Genus 2 curves with split Jacobian are interesting in number theory, cryptography, and coding theory. We implement an algorithm which checks if a curve has (3, 3)- or (5, 5)-split Jacobian. The case of (2, 2)-split Jacobian corresponds to genus 2 curves with extra involutions and therefore can be determined by the function LocusCurvesAut_V_4(). The function which determines if a genus 2 curve has (3, 3)-split Jacobian is CurvDeg3EllSub() if the curve has J_2 ≠ 0 and CurvDeg3EllSub_J_2() otherwise; see [8]. The input of CurvDeg3EllSub() is the triple (i_1, i_2, i_3), and the pair (a_1, a_2) for CurvDeg3EllSub_J_2(). If the output is 0, in both cases, this means that the curve corresponding to this moduli point has (3, 3)-split Jacobian. Below we illustrate with examples in each case.
Example 3. Let y² = f(x) be a genus 2 curve where f := 4x⁶ + 9x⁵ + 8x⁴ + 10x³ + 5x² + 3x + 1. Then
> i_1:=i_1(f,x); i_2:=i_2(f,x); i_3:=i_3(f,x);
i_1 := 78741/100,    i_2 := 53510733/2000,    i_3 := 38435553/51200000
> CurvDeg3EllSub(i_1, i_2, i_3);
0
This means that the above curve has a (3, 3)-split Jacobian.
Example 4. Let y² = f(x) be a genus 2 curve where f := 4x⁶ + (52√6 − 119)x⁵ + (39√6 − 24)x⁴ + (26√6 − 54)x³ + (13√6 − 27)x² + 3x + 1. Then
> a_1:=a_1(f,x); a_2:=a_2(f,x);
a_1 := (1316599234443/270840023)√6 + 6310855638567/541680046,
a_2 := (96672521239976/1183208072032328121)√6 + 1467373119039023/7099248432193968726


> CurvDeg3EllSub_J_2(a_1, a_2);
0
This means that the curve has J_2 = 0 and (3, 3)-split Jacobian.

7.3. Rational model of a genus 2 curve
For details on the rational model over its field of moduli see [61]. The rational model of C (if such a model exists) is determined by the function Rational_Model().
Example 5. Let y² = f(x) be a genus 2 curve where f := x⁵ + 2x³ + x. Then
> Rational_Model(f,x);
(1/2)x⁵ + x³ + x
Example 6. Let y² = f(x) be a genus 2 curve where f := 5x⁶ + x⁴ + … + 2x + 1 (one coefficient of f and the returned model are not legible in this copy). Then
> Rational_Model(f,x);
Notice that our algorithm doesn't always find the minimal rational model of the curve. An efficient way to do this has yet to be determined.

7.4. A different set of invariants
As explained in Section 2, the invariants i_1, i_2, i_3 were defined that way for computational benefits. However, they make the results involve many subcases and are inconvenient at times. In the second version of the genus2 package we intend to convert all the results to the invariants
t_1 = J_2⁵/J_10,    t_2 = J_4⁵/J_10²,    t_3 = J_6⁵/J_10³.
The other improvement of version two is that when the moduli point p is given, the equation of the curve is given as the minimal equation over the minimal field of definition.
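The moduli point of Section 7 can be computed exactly from a sextic given by its roots. The following Python is an added example, not the paper's Maple package: it evaluates Clebsch's root-difference invariants A, B, C, D of a binary sextic, converts them to J_2, J_4, J_6, J_10 with Igusa's relations J_2 = A/8, J_4 = (4J_2² − B)/96, J_6 = (8J_2³ − 160 J_2 J_4 − C)/576, J_10 = D/4096 (standard relations, assumed here since the page only names the J's), forms the absolute invariants i_1, i_2, i_3 of (44), the J_2 = 0 fallbacks of the moduli point, and the t_1, t_2, t_3 of Section 7.4, and confirms that none of them change under a Möbius substitution x ↦ (ax + b)/(cx + d) applied to the sextic. The page's (a_1, a_2) for the case J_2 = 0, J_4 J_6 ≠ 0 are not defined on the page, so that branch returns the J_10-denominator invariants the text mentions as an alternative. The roots 0, 1, −1, 2, 3, 5 used in the test are constructed, not a curve from the paper.

```python
from fractions import Fraction
from itertools import combinations, permutations

# Added example (not the paper's Maple package): exact moduli point of a genus 2
# curve y^2 = a0 * prod (x - r_i) from Clebsch's invariants A, B, C, D.
# J_2 .. J_10 via Igusa's relations (standard, assumed here):
#   J_2 = A/8, J_4 = (4 J_2^2 - B)/96, J_6 = (8 J_2^3 - 160 J_2 J_4 - C)/576, J_10 = D/4096.

def _d2(r, i, j):
    return (r[i] - r[j]) ** 2

def clebsch_invariants(a0, roots):
    """A, B, C, D of a0 * prod (x - r_i) as symmetric functions of the root differences."""
    r = [Fraction(v) for v in roots]
    a0 = Fraction(a0)
    if len(r) != 6 or len(set(r)) != 6:
        raise ValueError("need six distinct roots (a squarefree sextic)")
    A = Fraction(0)   # 15 splittings of the six roots into three pairs
    for j in range(1, 6):
        rest = [k for k in range(6) if k not in (0, j)]
        for m in rest[1:]:
            p, q = [k for k in rest if k not in (rest[0], m)]
            A += _d2(r, 0, j) * _d2(r, rest[0], m) * _d2(r, p, q)
    tri = lambda s: _d2(r, s[0], s[1]) * _d2(r, s[1], s[2]) * _d2(r, s[2], s[0])
    B = Fraction(0)   # 10 splittings into two triples
    C = Fraction(0)   # the same, times the 6 bijections between the triples (60 terms)
    for T in combinations(range(1, 6), 2):
        t1 = (0,) + T
        t2 = tuple(k for k in range(6) if k not in t1)
        base = tri(t1) * tri(t2)
        B += base
        for pi in permutations(t2):
            C += base * _d2(r, t1[0], pi[0]) * _d2(r, t1[1], pi[1]) * _d2(r, t1[2], pi[2])
    D = Fraction(1)   # the discriminant
    for i, j in combinations(range(6), 2):
        D *= _d2(r, i, j)
    return a0**2 * A, a0**4 * B, a0**6 * C, a0**10 * D

def igusa_invariants(a0, roots):
    A, B, C, D = clebsch_invariants(a0, roots)
    J2 = A / 8
    J4 = (4 * J2**2 - B) / 96
    J6 = (8 * J2**3 - 160 * J2 * J4 - C) / 576
    return J2, J4, J6, D / 4096

def t_invariants(a0, roots):
    """t_1, t_2, t_3 of Section 7.4 (J_10 in the denominator, always defined)."""
    J2, J4, J6, J10 = igusa_invariants(a0, roots)
    return J2**5 / J10, J4**5 / J10**2, J6**5 / J10**3

def moduli_point(a0, roots):
    """Moduli point p = [C] as in Section 7.  For J_2 = 0, J_4 J_6 != 0 the page uses its
    own (a_1, a_2); here the J_10-denominator invariants it mentions are returned instead."""
    J2, J4, J6, J10 = igusa_invariants(a0, roots)
    if J2 != 0:
        return (144 * J4 / J2**2, -1728 * (J2 * J4 - 3 * J6) / J2**3, 486 * J10 / J2**5)
    if J4 != 0 and J6 != 0:
        return (J4**5 / J10**2, J6**5 / J10**3)
    if J4 == 0 and J6 != 0:
        return (J6**5 / J10**3,)
    return (J4**5 / J10**2,)

def mobius_substitution(a0, roots, a, b, c, d):
    """Leading coefficient and roots of (cx+d)^6 f((ax+b)/(cx+d)); each factor
    (x - r) of f becomes (a - rc) x + (b - rd)."""
    if a * d - b * c == 0:
        raise ValueError("not a Moebius transformation")
    new_a0, new_roots = Fraction(a0), []
    for r in roots:
        lead = a - Fraction(r) * c
        if lead == 0:
            raise ValueError("a root is sent to infinity; choose another transformation")
        new_a0 *= lead
        new_roots.append((Fraction(r) * d - b) / lead)
    return new_a0, new_roots
```

Each of A, B, C, D picks up the factor (ad − bc)^{2k} under the substitution, with k = 1, 2, 3, 5, so the J's scale by (ad − bc)^{6}, ^{12}, ^{18}, ^{30} and every quotient in (44) and in t_1, t_2, t_3 is left unchanged; with Fractions the equality is exact rather than up to floating-point error.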


8. Further directions
Genus 2 curves have been suggested for the factorization of large numbers, as in [16]. In the algorithm suggested in [16] certain genus 2 curves with (2, 2)-split Jacobians have been used. We believe that we have better candidates for selecting such curves. This is work planned to be presented in [35]. The computation of modular polynomials is also a very challenging computational problem. We have made some progress on levels p = 3, 5. Equations of the moduli spaces of genus 2 curves with (3, 3)- and (5, 5)-split Jacobians computed in [63] and [49] have been fundamental in such computations. The newer version of our genus 2 package will come out soon. It has functions for the equations of the Kummer surface K_C, the map from K_C to Jac C, and conversion of most of the equations to the invariants t_1, t_2, t_3.

References

[1] M. Ayad, F. Luca, Fields generated by roots of x^n + ax + b. Albanian J. Math. 3 (2009), no. 3, 95-105.
[2] H. F. Baker, Abelian Functions, Abel's theorem and the allied theory of theta functions, (1897).
[3] W. D. Banks, C. W. Nevans, C. Pomerance, A remark on Giuga's conjecture and Lehmer's totient problem. Albanian J. Math. 3 (2009), no. 2, 81-85.
[4] L. Beshaj, Singular locus of the Shaska's surface, (submitted).
[5] R. Bröker, K. Lauter, Modular polynomials for genus 2. LMS J. Comput. Math. 12 (2009), 326-339.
[6] N. Bernard, F. Leprévost, M. Pohst, Jacobians of genus-2 curves with a rational point of order 11. Experiment. Math. 18 (2009), no. 1, 65-70.
[7] L. Beshaj, The arithmetic of genus two curves, (work in progress).
[8] L. Beshaj, A. Duka, V. Hoxha, T. Shaska, Computational tools for genus two curves, (work in progress).
[9] I. Blake, G. Seroussi, N. Smart, Elliptic Curves in Cryptography, LMS Lecture Note Series 265, (1999).
[10] C. Birkenhake, H. Wilhelm, Humbert surfaces and the Kummer plane. Trans. Amer. Math. Soc. 355 (2003), no. 5, 1819-1841.
[11] D. J. Bernstein, P. Birkner, T. Lange, C. Peters, ECM using Edwards curves, Cryptology ePrint Archive, 2008, http://eprint.iacr.org/2008/016.
[12] O. Bolza, On binary sextics with linear transformations into themselves. Amer. J. Math. 10, 47-70.
[13] G. Cardona, J. Quer, Field of moduli and field of definition for curves of genus 2. Computational aspects of algebraic curves, 71-83, Lecture Notes Ser. Comput., 13, World Sci. Publ., Hackensack, NJ, 2005.
[14] C.-L. Chai, P. Norman, Bad reduction of the Siegel moduli scheme of genus two with Γ_0(p)-level structure, Amer. J. Math. 122 (1990), 1003-1071.
[15] A. Clebsch, Theorie der binären algebraischen Formen, Verlag von B. G. Teubner, Leipzig, 1872.
[16] R. Cosset, Factorization with genus 2 curves. (preprint)
[17] R. Dupont, Moyenne arithmético-géométrique, suites de Borchardt et applications, PhD thesis, École Polytechnique, Paris (2006).
[18] A. Duka, T. Shaska, Modular polynomials of genus two, preprint.
[19] S. Duquesne, Improving the arithmetic of elliptic curves in the Jacobi model, Inform. Process. Lett. 104 (2007), 101-105.
[20] I. Duursma, N. Kiyavash, The Vector Decomposition Problem for Elliptic and Hyperelliptic Curves, (preprint).
[21] A. Elezi, Toric fibrations and mirror symmetry. Albanian J. Math. 1 (2007), no. 4, 223-233.
[22] K. Eisenträger, K. Lauter, A CRT algorithm for constructing genus 2 curves over finite fields, to appear in Arithmetic, Geometry and Coding Theory (AGCT-10), 2005.
[23] A. Enge, Computing modular polynomials in quasi-linear time. Math. Comp. 78 (2009), no. 267, 1809-1824.
[24] A. Elkin, R. Pries, Hyperelliptic curves with a-number 1 in small characteristic. Albanian J. Math. 1 (2007), no. 4, 245-252.
[25] J. W. Cassels, V. E. Flynn, Prolegomena to a middlebrow arithmetic of curves of genus 2. London Mathematical Society Lecture Note Series, 230. Cambridge University Press, Cambridge, 1996. xiv+219 pp. ISBN: 0-521-48370-0.
[26] Q. R. Gashi, A vanishing result for toric varieties associated with root systems. Albanian J. Math. 1 (2007), no. 4, 235-244.
[27] P. Gaudry, Fast genus 2 arithmetic based on theta functions, J. Math. Cryptol. 1 (2007), 243-265.
[28] P. Gaudry, É. Schost, On the invariants of the quotients of the Jacobian of a curve of genus 2, Applied Algebra, Algebraic Algorithms and Error-Correcting Codes (S. Boztaş and I. Shparlinski, eds.), Lecture Notes in Comput. Sci., vol. 2227, Springer-Verlag, 2001, pp. 373-386.
[29] P. Gaudry, R. Harley, Counting points on hyperelliptic curves over finite fields, Algorithmic Number Theory Symposium IV, Springer Lecture Notes in Computer Science, vol. 1838, 2000, pp. 313-332.
[30] P. Gaudry, T. Houtmann, D. Kohel, C. Rit­zenthaler, A. Weng, The 2-adic CM method for genus 2 curves with applications to cryptography, Asiacrypt, Springer Lecture Notes in Computer Science, vol. 4284, 2006, pp. 114-129.
[31] P. Gaudry, É. Schost, Modular equations for hyperelliptic curves, Math. Comp. 74 (2005), 429-454.
[32] J. Gutierrez, T. Shaska, Hyperelliptic curves with extra involutions, LMS J. Comput. Math. 8 (2005), 102-115.
[33] D. Haran, M. Jarden, Regular lifting of covers over ample fields. Albanian J. Math. 1 (2007), no. 4, 179-185.
[34] R. Hidalgo, Classical Schottky uniformizations of genus 2. A package for MATHEMATICA. Sci. Ser. A Math. Sci. (N.S.) 15 (2007), 67-94.
[35] V. Hoxha, T. Shaska, Factoring large numbers by using genus two curves, (work in progress).
[36] G. Humbert, Sur les fonctions abéliennes singulières. I, II, III. J. Math. Pures Appl. série 5, t. V, 233-350 (1899); t. VI, 279-386 (1900); t. VII, 97-123 (1901).
[37] J. Igusa, Arithmetic variety of moduli for genus 2. Ann. of Math. (2) 72 (1960), 612-649.
[38] J.-I. Igusa, On Siegel modular forms of genus two, Amer. J. Math. 84 (1962), 175-200.
[39] C. Jacobi, Review of Legendre, Théorie des fonctions elliptiques. Troisième supplément. 1832. J. reine angew. Math. 8, 413-417.
[40] B. Justus, On integers with two prime factors. Albanian J. Math. 3 (2009), no. 4, 189-197.
[41] M. Joswig, B. Sturmfels, J. Yu, Affine buildings and tropical convexity. Albanian J. Math. 1 (2007), no. 4, 187-211.
[42] D. Joyner, A. Ksir, R. Vogeler, Group representations on Riemann-Roch spaces of some Hurwitz curves. Albanian J. Math. 1 (2007), no. 2, 67-85 (electronic).
[43] A. Krazer, Lehrbuch der Thetafunctionen, Chelsea, New York, 1970.
[44] V. Krishnamoorthy, T. Shaska, H. Völklein, Invariants of binary forms, Developments in Mathematics, Vol. 12, Springer 2005, pp. 101-122.
[45] A. Krazer, Lehrbuch der Thetafunctionen, Chelsea, New York, (1970).
[46] Y. Kopeliovich, Modular equations of order p and theta functions. Albanian J. Math. 1 (2007), no. 4, 271-282.
[47] H. W. Lenstra, Jr., Factoring integers with elliptic curves, Ann. of Math. (2) 126 (1987), 649-673.
[48] F. Luca, I. E. Shparlinski, Pseudoprimes in certain linear recurrences. Albanian J. Math. 1 (2007), no. 3, 125-131 (electronic).
[49] K. Magaard, T. Shaska, H. Völklein, Genus 2 curves with degree 5 elliptic subcovers, Forum Math., vol. 16, 2, pp. 263-280, 2004.
[50] K. Magaard, H. Völklein, G. Wiesend, The combinatorics of degenerate covers and an application for general curves of genus 3. Albanian J. Math. 2 (2008), no. 3, 145-158.
[51] K. Magaard, T. Shaska, S. Shpectorov, H. Völklein, The locus of curves with prescribed automorphism group. Communications in arithmetic fundamental groups (Kyoto, 1999/2001). Sūrikaisekikenkyūsho Kōkyūroku No. 1267 (2002), 112-141.
[52] J.-F. Mestre, Construction des courbes de genre 2 à partir de leurs modules, Effective Methods in Algebraic Geometry, Birkhäuser, Progress in Mathematics, vol. 94, 1991, pp. 313-334.
[53] D. Mumford, The Red Book of Varieties and Schemes, Springer, 1999.
[54] D. Mumford, Tata lectures on theta. II. Jacobian theta functions and differential equations. With the collaboration of C. Musili, M. Nori, E. Previato, M. Stillman and H. Umemura. Progress in Mathematics, 43. Birkhäuser Boston, Inc., Boston, MA, 1984.
[55] D. Mumford, Tata lectures on theta. I. With the assistance of C. Musili, M. Nori, E. Previato and M. Stillman. Progress in Mathematics, 28. Birkhäuser Boston, Inc., Boston, MA, 1983. xiii+235 pp.
[56] N. Murabayashi, The moduli space of curves of genus two covering elliptic curves, Manuscripta Math. 84 (1994), 125-133.
[57] A. Nakayashiki, On the Thomae formula for Z_N curves, Publ. Res. Inst. Math. Sci., vol. 33 (1997), no. 6, pp. 987-1015.
[58] E. Previato, T. Shaska, S. Wijesiri, Thetanulls of cyclic curves of small genus, Albanian J. Math., vol. 1, no. 4, 2007, 265-282.
[59] H. E. Rauch, H. M. Farkas, Theta functions with applications to Riemann surfaces, Williams and Wilkins, Baltimore, 1974.
[60] R. Sanjeewa, Automorphism groups of cyclic curves defined over finite fields of any characteristics. Albanian J. Math. 3 (2009), no. 4, 131-160.
[61] T. Shaska, Curves of genus 2 with (n, n)-decomposable Jacobians, J. Symbolic Comput. 31 (2001), no. 5, 603-617.
[62] T. Shaska, Genus 2 curves with (3,3)-split Jacobian and large automorphism group, Algorithmic Number Theory (Sydney, 2002), 6, 205-218, Lect. Notes in Comp. Sci., 2369, Springer, Berlin, 2002.
[63] T. Shaska, Genus 2 curves with degree 3 elliptic subcovers, Forum Math., vol. 16, 2, pp. 263-280, 2004.
[64] T. Shaska, Some special families of hyperelliptic curves, J. Algebra Appl., vol. 3, no. 1 (2004), 75-89.
[65] T. Shaska, Genus 2 curves covering elliptic curves, a computational approach, Lect. Notes in Comp. 13 (2005).
[66] T. Shaska, H. Völklein, Elliptic subfields and automorphisms of genus two fields, Algebra, Arithmetic and Geometry with Applications, pp. 687-707, Springer (2004).
[67] T. Shaska, S. Wijesiri, Theta functions and algebraic curves with automorphisms, Algebraic Aspects of Digital Communications, pp. 193-237, NATO Advanced Study Institute, vol. 24, IOS Press, 2009.
[68] H. Shiga, On the representation of the Picard modular function by θ constants. I, II., Publ. Res. Inst. Math. Sci., vol. 24 (1988), no. 3, pp. 311-360.
[69] P. van Wamelen, Equations for the Jacobian of a hyperelliptic curve, Trans. Amer. Math. Soc. 350 (1998), no. 8, 3083-3106.

Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-99


Charles J. COLBOURN CIDSE, Arizona State University, P.O. Box 878809, Tempe, AZ 85287-8809, U.S.A. charles.colbourn@asu.edu

Abstract. The explicit construction of covering arrays arises in many disparate applications in which factors or components interact. Despite this, current computational tools are effective only when the number of factors is small, while probabilistic methods are typically effective only when the number of factors is very large. Consequently combinatorial constructions have played, and continue to play, a significant role. Although some direct constructions from codes, Steiner systems, Hadamard matrices, and arrays over the finite field provide very useful examples, the workhorses of the combinatorial methods are the recursive constructions. There are two main classes of recursive techniques, the cut-and-paste or Roux-type constructions, and the column replacement techniques. After describing both for strength two, the focus is on column replacement techniques. In particular, constructions that use hash families to select columns from smaller covering arrays are examined, in order to understand the interplay among properties of the hash families and covering arrays needed to produce effective constructions. This leads to specializations both of hash families and covering arrays that merit further investigation.

Keywords. covering array, perfect hash family, separating hash family, distributing hash family, heterogeneous hash family, interaction testing.

1. Covering Arrays

Let N, k, t, and v be positive integers. Let C be an N × k array with entries from an alphabet Σ of size v; we typically take Σ = {0, ..., v − 1}. When (σ_1, ..., σ_t) is a t-tuple with σ_i ∈ Σ for 1 ≤ i ≤ t, (c_1, ..., c_t) is a tuple of t column indices (c_i ∈ {1, ..., k}), and σ_i = σ_j whenever c_i = c_j, the t-tuple {(c_i, σ_i) : 1 ≤ i ≤ t} is a t-way interaction. (In this definition, fewer than t distinct columns may be involved, and so strictly speaking the interaction may not be considered to be t-way in certain contexts, but we find this extension convenient.) The array covers the t-way interaction {(c_i, σ_i) : 1 ≤ i ≤ t} if, in at least one row ρ of C, the entry in row ρ and column c_i is σ_i for 1 ≤ i ≤ t. Array C is a covering array CA(N; t, k, v) of strength t when every t-way interaction is covered.

Applications to interaction testing, in particular to testing component-based software, have driven much recent research; see [34,35,41,43,134]. In testing applications, columns of the array correspond to experimental factors, and the symbols in a column form the values or levels of that factor. Each row specifies the values to which to set the factors for an experimental run. The array is covering in the sense that every t-way interaction appears in at least one run. Figure 1 gives an example of a covering array with N = 13 rows, ten factors having two levels each, and strength three. Consider, for example, the 3-way interaction {(2, 0), (5, 1), (6, 1)}; it is covered in the sixth and ninth


Figure 1. CA(13;3,10,2); only the first four of the ten columns are reproduced here, one row per line:
0 0 0 0
1 1 1 1
0 0 0 1
0 1 0 0
1 0 0 0
0 0 1 0
1 1 1 0
1 0 1 0
0 0 1 1
1 0 0 1
0 1 0 0
0 1 1 1
1 1 0 1

We denote by CAN(t, k, v) the minimum N for which a CA(N; t, k, v) exists, because fewer rows means fewer tests to be run. Because CAN(1, k, v) = v, CAN(t, k, v) = v^t when k < t, and CAN(t, k, 1) = 1, we generally assume that k ≥ t ≥ 2 and v ≥ 2. Nevertheless, the definition employed herein allows t, k, and v to be arbitrary positive integers. Our primary concern in this paper is with recursive constructions that make larger covering arrays from smaller ones by a technique of column replacement. Before narrowing to these specific topics, however, we provide some background in order to place them in context.

1.1. Applications and Equivalent Formulations

Covering arrays are employed in numerous testing applications in which experimental factors interact: to detect the presence of faults (see [44,75] and references therein), to detect the location of faults [58,96], to detect interactions in biological networks [115], to generate representative multiple sequence alignments of genomic data [80,111], to quantify uncertainty in measurement [85], and to learn an unknown function by nonadaptive tests [62]. In these applications, factors often have differing numbers of levels. Permitting different numbers of levels in each column leads to mixed covering arrays [56,104,116]; here we concentrate on the uniform case.

For further applications, other formulations have been explored. Let C be an N × k covering array. Suppose that rows are indexed by a set R of size N. Then each column can be viewed as a partition of R into exactly v classes (M_1, ..., M_v); the class M_i of r ∈ R is determined by the value i appearing in row r in the chosen column. In this manner, an array gives a collection P = {R_1, R_2, ..., R_k} of partitions of R. A family of partitions is t-qualitatively independent when for every t of the partitions R_{i_1}, ..., R_{i_t}, and for every choice of classes M_{i_j} ∈ R_{i_j} for 1 ≤ j ≤ t, we find that $\bigcap_{j=1}^{t} M_{i_j} \neq \emptyset$; this concept was pioneered by Marczewski [95] in 1948. It follows that covering arrays of strength t having N rows are the same as t-qualitatively independent partitions of a set of size N. Many early results were established using this vernacular, but generally we translate to the language of covering arrays. Poljak, Pultr, and Rödl [108] and Körner and Lucertini [87] discuss combinatorial problems related to qualitative independence.

A (k, t)-universal set is a subset of {0, 1}^k such that the projection on every t coordinates contains all 2^t combinations. Hence it is a CA(t, k, 2). Naor and Naor [105] establish that (k, t)-universal sets arise as probability spaces with limited independence; indeed these have been extensively studied as ε-biased arrays [3,89,92,105]. Bierbrauer and Schellwat [15] extend this framework to more than two levels per column; see also [8]. Certain binary covering arrays are equivalent to face transversals of the n-cube; see [14,81,82,72]. Binary covering arrays arise in rendezvous search on the line [68]. Certain other binary covering arrays yield existentially closed graphs [6,20,64,73]; the relation to covering arrays is given in [52]. The nomenclature t-surjective array for a covering array of strength t is also used, to indicate that on each t columns, every possible outcome arises. See [1,30,37,38,79,114], for example. Our goal is not to treat these many different formulations and their applications here, but they provide ample reasons for constructing covering arrays!

A special case of covering arrays is of particular interest (see [77], for example). Let k, t, and v be positive integers. A v^t × k array, each column of which contains v distinct symbols, is an orthogonal array OA(t, k, v) of strength t when, for every way to select t columns, each of the v^t possible tuples of symbols arises in exactly one row.
A key property of orthogonal arrays, not shared by covering arrays in general, is that every two distinct rows have the same symbols in at most t − 1 of the columns (for otherwise, one of the v^t possible tuples of symbols would arise in at least two rows). A transversal design of order n, blocksize k, and strength s, denoted by TD(s, k, n), is a triple (V, G, B). V is a set of kn points partitioned into groups G = {G_1, ..., G_k}, with each group of size n. The set B contains n^s blocks, each of which is a subset of V of size k; each block meets each group in a single element (i.e. it is transverse to the groups), and two distinct blocks intersect in fewer than s elements. The transversal design TD(s, k, n) is equivalent to an orthogonal array OA(s, k, n) of strength s and index unity. The equivalence is straightforward. Form the TD(s, k, n) on {0, ..., n − 1} × {1, ..., k} and let group G_i = {0, ..., n − 1} × {i} for 1 ≤ i ≤ k. Then each block B of the TD forms a row of the OA, by placing j in column i when (j, i) ∈ B. See [50,51] for background on transversal designs, and [77] for orthogonal arrays.

We mention one standard construction of orthogonal arrays that is used repeatedly. Let q be a prime power and q ≥ s ≥ 2. Over the finite field F_q, let F = {F_1, ..., F_{q^s}} be the set of all polynomials of degree less than s. Let A be a subset of F_q ∪ {∞}. Define a q^s × |A| array in which the entry in cell (a, j) is F_j(a) when a ∈ F_q, and is the coefficient of the term of degree s − 1 in F_j when a = ∞. The result is an OA(q^s; s, |A|, q). A TD or OA is linear if it is constructed in this way.

1.2. Explicit Determination of Covering Arrays

The determination of CAN(t, k, v) has been the subject of much research; see [32,44,75,76] for survey material. For fixed t and v, only CAN(2, k, 2) has been determined exactly [83,86,110]. In fact, an explicit construction of covering arrays with the fewest rows when t = v = 2 is given there. Beyond this, when t and v are fixed, exact numbers are known only for a few small values of k (see [53], for example). Therefore most effort has focussed on constructions of covering arrays that have few rows, that is, on upper bounds for CAN(t, k, v). Asymptotic results can be used to determine the growth rate of CAN(t, k, v) for fixed t and v as a function of k (see [69,70] for t = 2 and [71] in general, for example). Nevertheless the explicit construction of covering arrays is required for many of the applications mentioned. Asymptotic results typically rely on selecting arrays at random, and showing that when the number of rows is large enough, the randomly selected array is a covering array with high probability. A simple experiment illustrates this. For 9 ≤ N ≤ 100, we generated one hundred random N × 100 arrays on three symbols, and checked, for each, whether it is a CA(N; 2, 100, 3).

Figure 2. Random N × 100 arrays on three symbols, 9 ≤ N ≤ 100: percent of the hundred trials that are covering arrays (lower band) and percent of 2-way interactions covered (upper band), plotted against the number of rows.

The lower band of points in Figure 2 shows the observed probability of success. The first success occurs at N = 74, when one out of one hundred arrays meets the requirements. Thereafter the probability climbs rapidly. It has been frequently argued (and sometimes vehemently argued [9]) that in practice requiring every t-way interaction to be covered is too restrictive, and that if all but a few are, that ought to suffice. So the upper band of points in Figure 2 shows the observed percentage of the 44550 2-way interactions that are covered (on average). This gives a much more optimistic portrait of the randomly selected arrays. Once N ≥ 40, the percentage of interactions covered exceeds 99%, and for some practical purposes this may suffice. (See [74] for a general discussion.) Nevertheless, using the combinatorial methods to be described in this paper, one can produce a CA(24; 2, 100, 3) [56]. For N = 24 in this example, a randomly selected array covers only about 93.3% of the interactions. Hence we argue that for construction of small arrays, naive random methods are not the appropriate solution.

Let us turn to explicit constructions. Orthogonal arrays provide a number of specific examples [77], as do Hadamard matrices [52], cyclotomic classes in the finite fields [48], error-correcting codes [118], and Steiner systems [53]. In [45,120], the structure of the finite field leads to a projection technique that reduces the number of symbols while increasing the number of columns.
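To make the definitions of Section 1 and the linear orthogonal-array construction of Section 1.1 concrete, here is an added Python example (my own code, not from the paper or from any covering-array library). It enumerates every t-way interaction on t distinct columns to test the covering and orthogonal-array properties, builds the OA(q^s; s, |A|, q) from the polynomials of degree less than s over F_q (assumed prime here, so arithmetic is modulo q; `INF` stands for the point ∞), and measures what fraction of the 44550 2-way interactions a uniformly random N × 100 array on three symbols covers, the naive method discussed in Section 1.2. Function names and the sample parameters are my choices.

```python
"""Covering-array checks plus the linear orthogonal-array construction of Section 1.1.
Added example, not code from the paper. Assumes q is prime (F_q is then Z/qZ)."""
from collections import Counter
from itertools import combinations, product
import random

INF = "inf"  # the evaluation point "infinity" of the linear OA construction


def interaction_counts(rows, t):
    """Count, for each t-way interaction on t distinct columns, the rows covering it.
    A key is a tuple of (column, symbol) pairs; rows are lists of equal length."""
    k = len(rows[0])
    counts = Counter()
    for row in rows:
        for cols in combinations(range(k), t):
            counts[tuple((c, row[c]) for c in cols)] += 1
    return counts


def all_interactions(k, t, v):
    """Every t-way interaction on t distinct columns over the symbols 0..v-1."""
    for cols in combinations(range(k), t):
        for syms in product(range(v), repeat=t):
            yield tuple(zip(cols, syms))


def coverage_fraction(rows, t, v):
    """Fraction of the C(k,t) * v^t interactions covered at least once."""
    counts = interaction_counts(rows, t)
    needed = list(all_interactions(len(rows[0]), t, v))
    return sum(1 for ia in needed if counts[ia] > 0) / len(needed)


def is_covering_array(rows, t, v):
    """CA(N; t, k, v): every interaction covered in at least one row."""
    return coverage_fraction(rows, t, v) == 1.0


def is_orthogonal_array(rows, t, v):
    """OA of strength t and index one: v^t rows and every interaction exactly once."""
    counts = interaction_counts(rows, t)
    return len(rows) == v ** t and all(
        counts[ia] == 1 for ia in all_interactions(len(rows[0]), t, v))


def max_agreement(rows):
    """Largest number of columns in which two distinct rows agree (at most t-1 for an OA)."""
    return max(sum(1 for a, b in zip(r1, r2) if a == b)
               for r1, r2 in combinations(rows, 2))


def linear_oa(q, s, points):
    """OA(q^s; s, len(points), q) from all polynomials of degree < s over F_q (q prime):
    cell (F, a) holds F(a) for a in F_q and the coefficient of x^(s-1) when a is INF."""
    rows = []
    for coeffs in product(range(q), repeat=s):  # coeffs[i] multiplies x^i
        row = []
        for a in points:
            if a == INF:
                row.append(coeffs[s - 1])
            else:
                row.append(sum(c * pow(a, i, q) for i, c in enumerate(coeffs)) % q)
        rows.append(row)
    return rows


def random_array(n_rows, k, v, seed=0):
    """Uniformly random N x k array on v symbols (the naive method of Section 1.2)."""
    rng = random.Random(seed)
    return [[rng.randrange(v) for _ in range(k)] for _ in range(n_rows)]


if __name__ == "__main__":
    oa = linear_oa(3, 2, [0, 1, 2, INF])  # OA(9; 2, 4, 3)
    print(is_orthogonal_array(oa, 2, 3), is_covering_array(oa, 3, 3))
    for n in (24, 40, 74):
        print(n, round(coverage_fraction(random_array(n, 100, 3), 2, 3), 4))
```

With q = 3 and s = 2 the construction yields an OA(9; 2, 4, 3); it is a covering array of strength two but not of strength three, and no two of its rows agree in more than t − 1 = 1 column. The random arrays reproduce the shape of Figure 2 in miniature: one row covers exactly 1/9 of the pairs, and 24 rows typically leave a few percent uncovered, whereas the CA(24; 2, 100, 3) cited above covers all of them.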


Computational methods produce many more arrays. For example, simulated annealing [42,53], tabu search [107], backtracking [133], integer programming [118], and constraint satisfaction [78] have proved successful for strengths up to four, but have limited application to larger strengths at present. Local optimization can often reduce the number of rows required [106]. Compact representations of covering arrays as permutation vectors can be used to extend heuristic search methods to these larger strengths [117,132], but they restrict to a subset of the admissible parameter sets. Assuming the presence of certain automorphisms also can reduce the difficulty of computational search [31,45,102]. Nevertheless, for strength at least five, greedy methods [25,26,29,66,91,93] and random methods [90] are often the only ones for which competitive computational results can be obtained in a reasonable amount of time.

Consequently, an extensive amount of research has concentrated on recursive methods. Roux [112] developed a simple but effective doubling construction for binary covering arrays of strength three. Roux-type constructions operate by juxtaposing copies of smaller covering arrays, sometimes with smaller strength. Such constructions have been explored for strength three [32,42,57], strength four [57,75], strength five [98], and arbitrary strength [75,97,98]. For strengths three and four, these constructions often yield the smallest known covering arrays for v ≤ 25 and k ≤ 10000 [47]. For strengths five and larger, they appear to be less effective at present. A further class of recursive constructions instead selects columns from a smaller covering array, using the easy observation that any t columns from a covering array of strength t cover all t-way interactions. These form the main focus of the paper, and the remaining sections develop these constructions in detail.

1.3. Some Further Definitions and Notation

Two rows of a CA(N; t, k, v) are disjoint if they do not agree in any column. In general, some t-way interactions may be covered more than once. Now consider each row r of a CA(N; t, k, v); for every subset C of t columns, let T be the t-way interaction that is covered in row r and the columns of C. If T is not covered in any other row of the array, each of the cells {(r, c) : c ∈ C} is necessary. All cells that are not necessary in this way are flexible. If we ignore a flexible cell (r, c) in the computation of coverage, all t-way interactions remain covered; this is the meaning of flexibility here. By convention, when flexible cell (r, c) is to be ignored, we place the entry ⋆ (don't care) in cell (r, c). For example, in Figure 1, one can verify that each of the $\binom{9}{2} 2^2$ 3-way interactions containing the 0 in the (1,1) cell appears more than once, and hence this position is flexible and can be changed to ⋆. Formally this modifies the definition of CA as follows: An N × k array, each cell of which contains one of v distinct symbols or a different symbol ⋆, is a covering array CA(N; t, k, v) of strength t when, for every way to select t columns, each of the v^t possible tuples arises in at least one row. In general, one cannot simply convert all flexible cells to ⋆, because two flexible cells can each rely on the value in the other for its flexibility. Nevertheless, one can repeatedly choose any one flexible cell to convert to ⋆, and then recalculate the flexible cells for this modified CA, until none remain. The profile (d_1, ..., d_k) of an N × k array is a k-tuple in which the entry d_i is the number of ⋆ entries in the ith column. A single covering array can often admit many different profiles, by filling the ⋆ cells and changing a (possibly different) set of flexible cells to ⋆. A profile (d_1, ..., d_k) dominates profile (e_1, ..., e_k) when d_i ≥ e_i for 1 ≤ i ≤ k, and we write (d_1, ..., d_k) ⪰ (e_1, ..., e_k) in this case.


A row r = (r_1, ..., r_k) of a CA(N; t, k, v) is duplicated if there is another row s = (s_1, ..., s_k) for which, for each 1 ≤ i ≤ k, we have r_i = s_i, r_i = ⋆, or s_i = ⋆. It is irrelevant if it covers no t-way interaction not covered in another row, or equivalently if every cell in the row is flexible. Duplicated rows are irrelevant, but not all irrelevant rows need be duplicated. One irrelevant row can be removed without reducing coverage; indeed this can be iterated until no row is irrelevant. For example, in Figure 1, one can verify that every cell in the first row is flexible, and hence that this row can be removed without reducing coverage. A row is constant if, for some symbol σ, every entry in the row is either σ or ⋆. A row is pure constant if it is constant and contains no ⋆. For example, in Figure 1, the first two rows are pure constant rows. Because symbols within each column can be permuted independently, one has:

Observation 1.1 If a CA(N; t, k, v) exists having ρ rows that are pairwise disjoint, there is a CA(N; t, k, v) having ρ constant rows. These can without loss of generality be assumed to be on any ρ of the v symbols.

In a standardized CA(N; t, k, v) the first row is constant. Any CA(N; t, k, v) can be rewritten by choosing a column, and applying an arbitrary permutation to the symbols in the column.

Observation 1.2 If a CA(N; t, k, v) exists, then a standardized CA(N; t, k, v) exists.
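The notions of necessary and flexible cells, don't-care entries, profiles and irrelevant rows in Section 1.3 translate directly into code; the following Python example is added here (my own code, not from the paper). It uses a constructed CA(5; 2, 3, 2): an OA(4; 2, 3, 2) with its first row repeated, so that the two copies of that row are flexible in every cell. The `*` symbol stands for ⋆, and the marking order (first flexible cell in row-major order) is my choice; the paper only requires that flexibility be recomputed after each conversion.

```python
"""Flexible cells, don't-care entries, profiles and irrelevant rows (Section 1.3).
Added example, not code from the paper; the constructed CA(5;2,3,2) below is my own."""
from itertools import combinations, product

STAR = "*"  # stands for the don't-care symbol; a cell holding it covers nothing


def covering_rows(rows, t):
    """Map each t-way interaction (tuple of (column, symbol)) to the set of rows covering it."""
    k = len(rows[0])
    cov = {}
    for r, row in enumerate(rows):
        for cols in combinations(range(k), t):
            if any(row[c] == STAR for c in cols):
                continue
            cov.setdefault(tuple((c, row[c]) for c in cols), set()).add(r)
    return cov


def is_covering_array(rows, t, v):
    """Every t-tuple of symbols 0..v-1 appears on every t columns (STAR never counts)."""
    cov = covering_rows(rows, t)
    return all(tuple(zip(cols, syms)) in cov
               for cols in combinations(range(len(rows[0])), t)
               for syms in product(range(v), repeat=t))


def flexible_cells(rows, t):
    """Cells that belong to no interaction covered in exactly one row."""
    necessary = set()
    for interaction, rs in covering_rows(rows, t).items():
        if len(rs) == 1:
            (r,) = rs
            necessary.update((r, c) for c, _ in interaction)
    return [(r, c) for r in range(len(rows)) for c in range(len(rows[0]))
            if (r, c) not in necessary]


def mark_dont_cares(rows, t):
    """Repeatedly turn the first flexible non-STAR cell into STAR, recomputing flexibility
    each time (converting all flexible cells at once is not sound, as the paper notes)."""
    rows = [list(row) for row in rows]
    while True:
        flex = [(r, c) for r, c in flexible_cells(rows, t) if rows[r][c] != STAR]
        if not flex:
            return rows
        r, c = flex[0]
        rows[r][c] = STAR


def profile(rows):
    """Number of STAR entries in each column."""
    return tuple(sum(row[c] == STAR for row in rows) for c in range(len(rows[0])))


def irrelevant_rows(rows, t):
    """Rows every cell of which is flexible; each can be deleted without losing coverage."""
    flex = set(flexible_cells(rows, t))
    k = len(rows[0])
    return [r for r in range(len(rows)) if all((r, c) in flex for c in range(k))]


def remove_irrelevant_rows(rows, t):
    """Delete one irrelevant row at a time until none remains."""
    rows = [list(row) for row in rows]
    while True:
        irr = irrelevant_rows(rows, t)
        if not irr:
            return rows
        del rows[irr[0]]


# Constructed sample: an OA(4;2,3,2) with its first row duplicated, so the two copies
# share every interaction and all six of their cells are flexible.
SAMPLE = [[0, 0, 0], [0, 1, 1], [1, 0, 1], [1, 1, 0], [0, 0, 0]]

if __name__ == "__main__":
    print(flexible_cells(SAMPLE, 2))
    marked = mark_dont_cares(SAMPLE, 2)
    print(marked, profile(marked), is_covering_array(marked, 2, 2))
    print(remove_irrelevant_rows(SAMPLE, 2))
```

On the sample, both copies of the repeated row are irrelevant, but deleting one makes the other necessary, which is exactly why the paper removes irrelevant rows one at a time. Marking proceeds the same way: after the first cell of row 0 becomes ⋆, the cells of the duplicate row 4 turn necessary, so only row 0 ends up as ⋆ ⋆ ⋆ and the profile is (1, 1, 1).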

2. Products of Strength Two Covering Arrays

We begin with the easiest case, that of strength t = 2. We consider a simple product construction, and explore methods to refine it.

2.1. Direct Products

We start with the simplest direct product, which appears in different vernacular in [109] and [36]; it is also the essence of the block recursive construction from [121].

Theorem 2.1 [109] When a CA(N; 2, k, v) and a CA(M; 2, ℓ, v) both exist, a CA(N + M; 2, kℓ, v) also exists.

Proof. Let A = (a_{ij}) be a CA(N; 2, k, v) and let B = (b_{ij}) be a CA(M; 2, ℓ, v). Form an (N + M) × kℓ array C = (c_{i,j}) = A ⊗ B by setting c_{i,(f−1)k+g} = a_{i,g} for 1 ≤ i ≤ N, 1 ≤ f ≤ ℓ, and 1 ≤ g ≤ k. Then set c_{N+i,(f−1)k+g} = b_{i,f} for 1 ≤ i ≤ M, 1 ≤ f ≤ ℓ, and 1 ≤ g ≤ k. In essence, k copies of B = (b_{ij}) are being appended to ℓ copies of A = (a_{ij}) as shown in Figure 3. Because two different columns of C arise either from different columns of A or from two different columns of B, the result is a CA(N + M; 2, kℓ, v).

Figure 3. The array A ⊗ B: in the first N rows, ℓ side-by-side copies of A (entries a_{11}, ..., a_{1k} through a_{N1}, ..., a_{Nk}); in the last M rows, under the fth copy of A, the single column f of B (entries b_1, ..., b_M) repeated across all k of its columns.

An extension of this simple concatenation to exploit don't care cells and constant rows is considered in [56]; we extend it further here. We suppose that a factor with v values always takes on values from {0, ..., v − 1}, and hence the corresponding column of the array contains only these symbols, and possibly ⋆. A CA(M; 2, ℓ, v) B and a CA(M; 2, ℓ', v) B' are (L, r)-compatible if for every 0 ≤ σ < r, 1 ≤ j ≤ ℓ, and 1 ≤ j' ≤ ℓ', there exists a λ with 1 ≤ λ ≤ L so that the entry in cell (λ, j) of B is σ and the entry in cell (λ, j') of B' is σ.

Theorem 2.2 Suppose that there exists a CA(N; 2, k, v), A, with profile (d_1, ..., d_k), having r pure constant rows on symbols 0, ..., r − 1. Further suppose that for each 1 ≤ i ≤ k and some 0 ≤ δ_i ≤ v − μ, there exists a CA(M + d_i + δ_i; 2, ℓ_i, v), B_i, having (μ − r) + δ_i constant rows on symbols v − (μ − r) − δ_i, ..., v − 1 and possibly ⋆, which form the last (μ − r) + δ_i rows of B_i. Further suppose that for every 1 ≤ i_1 < i_2 ≤ k, B_{i_1} and B_{i_2} are (M − (μ − r), r)-compatible. Then there exists a CA(N + M − μ; 2, $\sum_{i=1}^{k} \ell_i$, v).

Proof. Assume without loss of generality that the r pure constant rows of A form the last r rows, and remove them to form A' with N − r rows. Form an array C with N + M − μ rows and $\sum_{i=1}^{k} \ell_i$ columns, indexing columns as (i, j) for 1 ≤ i ≤ k and 1 ≤ j ≤ ℓ_i. On the first N − r rows, column (i, j) is column i of A'. For i = 1, ..., k, define R_i = (r_{i,1}, ..., r_{i,d_i}) to be the indices of the d_i rows in which A' contains a ⋆ in column i. For 1 ≤ i ≤ k, 1 ≤ j ≤ ℓ_i, and 1 ≤ λ ≤ M − (μ − r), place in row N − r + λ and column (i, j) of C the entry in cell (λ, j) of B_i. For 1 ≤ i ≤ k, 1 ≤ j ≤ ℓ_i, and 1 ≤ x ≤ d_i, in row r_{i,x} and column (i, j) place the entry in cell (M − (μ − r) + x, j) of B_i. Consider columns (i_1, j_1) and (i_2, j_2) of the result. When i_1 = i_2, all pairs of the form (σ, σ) are covered in the first N − r rows excluding those in R_{i_1}. Then in rows R_{i_1} and the last M − (μ − r) rows, all remaining pairs are covered because two different columns of B_{i_1} are selected (and δ_i ≤ v − μ). So suppose that i_1 ≠ i_2. The first N − r rows cover all pairs except possibly for (σ, σ) when 0 ≤ σ < r, which are covered by the remaining rows as a consequence of compatibility.

In applying Theorem 2.2 the main difficulty arises in ensuring compatibility among the {B_i}. The easiest application arises when the profile of A is (0, ..., 0) and all of the {B_i} are identical:

Corollary 2.3 If a CA(N; 2, k, v) with r disjoint rows and a CA(M; 2, ℓ, v) with s disjoint rows both exist, then a CA(N + M − min(v, r + s); 2, kℓ, v) exists having min(1, r + s − v) constant rows.

Proof. By renaming symbols within each column and reordering rows, any CA(N; 2, k, v) with r disjoint rows can be rewritten as a CA(N; 2, k, v), A, in which the last r rows are constant on the symbols 0, ..., r − 1. Then, whether or not A has any don't care cells, it admits profile (0, ..., 0) and r pure constant rows. By the same token, any CA(M; 2, ℓ, v) with s disjoint rows can be rewritten as a CA(M; 2, ℓ, v), B, in which the last s rows are constant on the symbols v − s, ..., v − 1. Take d_i = δ_i = 0 and B_i = B for 1 ≤ i ≤ k, and μ = min(v, r + s). Every choice of two columns from the {B_i} either selects the same column of B twice, or selects two different columns of B. In both cases, only the first M − min(s, v − r) rows are considered, but pairs (σ, σ) for 1 ≤ σ ≤ r are covered within these rows. Apply Theorem 2.2. If r + s > v, the constant rows on symbols v − s, ..., r − 1 in B yield constant rows in the result; when r + s ≤ v, choose any row and rename symbols to make it constant.

Compatibility among the {B_i} is vacuous when r = 0, and we obtain:

Corollary 2.4 Suppose that A is a CA(N; 2, k, v) having r pure constant rows and profile (d_1, ..., d_k). Let 0 ≤ s ≤ v be an integer. Further suppose that for each 1 ≤ i ≤ k and some 0 ≤ δ_i ≤ v − s, there exists a CA(M + d_i + δ_i; 2, ℓ_i, v), B_i, having s + δ_i constant rows on symbols v − s − δ_i, ..., v − 1 and possibly ⋆, which form the last s + δ_i rows of B_i. Then there exists a CA(N + M − s; 2, $\sum_{i=1}^{k} \ell_i$, v) having r constant rows.

Proof. Apply Theorem 2.2 but take r = 0. Because A actually has r constant rows, each produces a constant row in the resulting array.

A more interesting way to ensure compatibility is to require each of the {B_i} to contain constant rows other than the (v − r) + δ_i used in the construction. Indeed if B_i and B_j contain constant rows on 0, ..., r − 1 among the first M − (μ − r) rows, they are (M − (μ − r), r)-compatible. Hence we obtain:

Corollary 2.5 Suppose that there exists a CA(N; 2, k, v), A, with profile (d_1, ..., d_k), having r pure constant rows, and let 0 ≤ r' ≤ r be an integer. Let μ ≥ r' be an integer. Further suppose that for each 1 ≤ i ≤ k and some 0 ≤ δ_i ≤ v − μ, there exists a CA(M + d_i + δ_i; 2, ℓ_i, v), B_i, having μ + δ_i constant rows. Then there exists a CA(N + M − μ; 2, $\sum_{i=1}^{k} \ell_i$, v) having r constant rows.

Proof. Rename symbols in A so that the last r' rows are constant on 0, ..., r' − 1 and the first r − r' are constant on r', ..., r − 1. Rename symbols and reorder rows in each of the {B_i} so that the first r' rows are constant on symbols 0, ..., r' − 1 and possibly ⋆, and the last (μ − r') + δ_i are constant on symbols v − (μ − r') − δ_i, ..., v − 1 and possibly ⋆. Apply Theorem 2.2. The r' constant rows on symbols 0, ..., r' − 1 in each of the {B_i}, and the r − r' constant rows on symbols r', ..., r − 1 in A, produce constant rows in the resulting array.

Now we consider some applications. When q is a prime power there is a CA(q^2; 2, q + 1, q), which necessarily has only one constant row, and no ⋆ entries. Using this to construct A and each of the {B_i}, Corollary 2.3 produces a CA(2q^2 − 2; 2, (q + 1)^2, q). In order to illustrate Corollary 2.4, we produce some profiles for a CA(42; 2, 8, 6) having r pure constant rows. (The array itself is from [107]; we simply analyze its properties here.) When p_1 is a profile for r pure constant rows, p_2 ⪯ p_1, and r' ≤ r, p_2 is a profile for r' pure constant rows. We also show the number of constant rows s in various small CA(M; 2, ℓ, 6)s from [39,45,107,129].

Profiles of the CA(42; 2, 8, 6) for r pure constant rows (exponential notation: 0^4 1^4 denotes a profile with four entries 0 and four entries 1):

  r    profile(s)
  6    0^4 1^4
  5    0^6 1^1 2^1
  4    0^5 1^1 2^2, 0^7 3^1
  3    0^3 1^5
  2    0^4 1^3 2^1
  0    0^2 1^6, 0^3 1^4 2^1, 0^4 1^2 2^2, 0^5 2^3, 0^5 1^1 2^1 3^1, 0^6 3^2

Number of constant rows s in small CA(M; 2, k, 6)s with k columns:

   M    k    s
  36    3    6
  37    4    5
  39    5    4
  41    6    5
  42    8    6
  46    9    1
  49   10    3
  52   11    3
  54   12    3
  56   13    2
  58   14    3
  59   15    3
  60   16    2
  62   17    3
  63   18    2
  64   19    2
  65   20    2
  66   21    6
  67   23    6
  68   27    6
  69   30    6
  70   32    6
  71   35    2
  72   36    1

Applying Corollary 2.4 with s = 6, M ∈ {66, 67, 68, 69}, and various values of r, we obtain the following arrays with M + 42 − 6 rows, each having at least r constant rows:

       CA(102; 2, K, 6)      CA(103; 2, K, 6)      CA(104; 2, K, 6)      CA(105; 2, K, 6)
  r    K    profile          K    profile          K    profile          K    profile
  6    176  0^4 1^4          200  0^4 1^4          228  0^4 1^4          248  0^4 1^4
  4    182  0^5 1^1 2^2      202  0^5 1^1 2^2      229  0^5 1^1 2^2      248  0^4 1^4
  3    182  0^5 1^1 2^2      204  0^3 1^5          231  0^3 1^5          250  0^3 1^5
  0    186  0^5 2^3          208  0^2 1^6          234  0^2 1^6          252  0^2 1^6

Naturally in the cases when r = 0 there is nonetheless at least one disjoint row. Effective applications of Corollary 2.4 seem to necessitate a fairly detailed analysis of the array A to determine numbers of disjoint rows and corresponding profiles. Now we turn to the most surprising application, that of Corollary 2.5.

Lemma 2.6 Suppose that there exists a CA(N ; 2, k, v ) with v 2 N < v (v + 1).
1. If a CA(M ; 2, , v 1) having s constant rows also exists, there exists a CA((M s) + (N v ); 2, (k 1) , v 1) having v 1 constant rows.
2. If a CA(M ; 2, , v 1) having s constant rows also exists and M v (v 1), there exists a CA((M s) + (N v ); 2, (k 1) + 2, v 1) having v 1 constant rows.
3. If a CA(M ; 2, 1 , v 1) and a CA(M (v 1); 2, 2 , v ) both having s constant rows also exist, there exists a CA((M s) + (N v ); 2, (k 1) 1 + 2 , v 1) having v 1 constant rows.

Proof. Taking 2 = 0 and 1 = in the third statement implies the first. Taking 2 = 2 and 1 = in the third statement implies the second, because a CA(M (v 1); 2, 2, v ) exists with v 1 disjoint rows when M (v 1) (v 1)2 . So we establish the third statement. Form a CA(N ; 2, k, v ). In each column there is a symbol that occurs only v times, as N < v (v + 1). Rename symbols so that there is a constant row of symbol v 1, and symbol v 1 occurs exactly v times in the last column. Delete this constant row and change all occurrences of symbol v 1 to to form a CA(N 1; 2, k, v 1) having profile (v 1)k . (It may have more entries in columns other than the last, but its profile dominates (v 1)k .) Replace the v 1 entries in the final column by entries 0, . . . , v 2, using each symbol exactly once. Then the v 1 corresponding rows are pairwise disjoint, and the result is a CA(N 1; 2, k, v 1) having v 1 pure constant rows, and profile (v 1)k1 01 . Apply Corollary 2.5 with = r = s, r = v 1, N = N 1, and M = M (v 1).


2.2. Roux-type Products

The most effective applications of direct products for strength two employ the presence of constant rows. Unfortunately, in some cases we must sacrifice columns to obtain many constant rows. Let us consider a motivating example. When q is a prime power, the standard CA(q 2 ; 2, q, q ) from the finite field on q elements has q disjoint constant rows, but its extension to a CA(q 2 ; 2, q + 1, q ) can have at most one, no matter how the symbols are relabeled. Applying Theorem 2.2 to two CA(25; 2, 6, 5)s produces a CA(48; 2, 36, 5). Instead using a CA(25; 2, 6, 5) and a CA(25; 2, 5, 5) with five disjoint constant rows yields a CA(45; 2, 30, 5); three fewer rows suffice, but six columns have been lost in the result. In [56] a generalization is treated that enables us to obtain a CA(45; 2, 35, 5), sacrificing one column in the product rather than one column in an ingredient.

[Figure 4: a CA(N; 2, k1 + k2, v) partitioned into the blocks A1, A2, D and X, as described below.]

We consider covering arrays exhibiting a specific structure. Consider a CA(N ; 2, k1 + k2 , v ), shown in Figure 4. Here A1 , A2 , and X are (N v ) k1 , (N v ) k2 , and v k2 arrays, respectively. However D is a v k1 array with a specific structure, namely that every column is a permutation of {1, . . . , v }. When a CA(N ; 2, k1 + k2 , v ) admits such a partition, it is a partitioned covering array PCA(N ; 2, (k1 , k2 ), v ). The structure is not altered by applying (possibly different) permutations to the v symbols in each column, and hence without loss of generality D can be assumed to be the matrix P in which each column is the identity permutation. When q is a prime power, an OA(2, q + 1, q ) yields a PCA(q 2 ; 2, (q, 1), q ). Now we turn to the main product construction for covering arrays:

Theorem 2.7 If a PCA(N ; 2, (k1 , k2 ), v ) and a PCA(M ; 2, ( 1 , 2 ), v ) both exist, then a PCA(N + M v ; 2, (k1 1 , k1 2 + k2 1 ), v ) also exists.

Proof. Take a PCA(N ; 2, (k1 , k2 ), v ) with a partition as in Figure 4 into A1 , A2 , D and X; and a PCA(M ; 2, ( 1 , 2 ), v ) with partition B1 , B2 , E, and Y. We suppose without loss of generality that D and E consist of column identity permutations, and we write each as P. We further suppose that each of the columns of X and Y has the property that the i + 1st entry does not exceed i. Form an array as in Figure 5. In the products of the form Ai Bj , the first N v rows arise from Ai while the next M v arise from Bj , as shown in Figure 3. Here 1 X is obtained by repeating the array X 1 times and k1 (Y) is obtained by repeating each column of Y k1 times. P is a matrix of identity permutations of appropriate dimension. We claim that the result R is a PCA(N +M v ; 2, (k1 1 , k1 2 +k2 1 ), v ). Consider two columns c1 , c2 of the result. Suppose that column ci corresponds to column i of A and column i of B. We tabulate cases (indicating cases that cannot arise by ), taking symmetry between A and B and between c1 and c2 into account:


[Figure 5: the array R of Theorem 2.7, assembled from the products A1 B1, A2 B1 and A1 B2, the permutation block P, the repeated copies of X and the repeated columns of Y. The table of the eight cases for the pair of columns c1, c2 did not survive extraction; the cases are referred to by number in the proof below.]

We treat each case. In Cases 1, 3, 4, 6, and 7 when 1 = 2 and 1 , 2 k1 , the first N v rows cover all pairs except possibly {(i, i) : 0 i < v }. In each of these cases, because c1 and c2 select different columns of D, all remaining pairs are covered. It remains to treat cases 2, 5, and 8. For cases 2 and 5, 1 = 2 and 1 = 2 1 . Then in the first N v and last v rows, 1 and 2 select different columns of A, and hence all pairs are covered. Finally in case 8, 2 k1 < 1 and 1 1 < 2 . Let column 1 of X be (x0 , . . . , xv1 )T and column 2 of Y be (y0 , . . . , yv1 )T . Then in the first N v rows all pairs are covered except {(xi , i) : 0 i < v }, and in the next M v all are covered except {(i, yi ) : 0 i < v }. It follows that prior to the last v rows, a pair can be uncovered only if (xi , i) = (j, yj ) for some 0 i, j < v . Then because xi i and yi i for 0 i < v , we have xi i = yj j = xi , so all are equal, and the pair is (i, i) = (xi , yi ); this pair is covered in the last v rows. Then R is a PCA(N + M v ; 2, (k1 1 , k1 2 + k2 1 ), v ) because R has a v k1 1 subarray consisting of (column) identity permutations in the last v rows.

A substantial improvement is still possible. One can, on occasion, find a larger submatrix in the result R that contains column identity permutations, and hence provide a better ingredient for the next iteration of the recursion. If the second PCA were to contain within B1 an v subarray in which every column is a permutation of {0, . . . , v 1}, then let us examine the impact on the covering array R constructed in Theorem 2.7. Each column of B1 is replicated k1 + k2 times in total, and hence R contains a v (k1 + k2 ) subarray in which every column is a permutation. If (k1 + k2 ) > k1 1 , we can permute symbols within each column, and permute rows:

Theorem 2.8 When B1 in Theorem 2.7 contains a v subarray whose columns are permutations, the result is a PCA(N +M v ; 2, ( (k1 +k2 ), ( 1 )(k1 +k2 )+k1 2 ), v ).


For example, the OA(q 2 ; 2, q + 1, q ) for q a prime power contains a second q q subarray of column permutations. As stated here, Theorem 2.7 is a small generalization of the result in [56]; unlike Theorem 2.2, however, it does not exploit don't-care positions. In order to do so, we generalize here to use more than two ingredient arrays. Let A be a PCA(N ; 2, (k1 , k2 ), v ) with k = k1 + k2 and partition A1 , A2 , D, and X. Then A has restricted profile (d1 , . . . , dk ) if, for 1 i k , there are at least di entries in column i of (A1 A2 ). We also require a definition from [56]. An SCA(N ; 2, (k1 , k2 ), v ) is a PCA(N ; 2, (k1 , k2 ), v ) with partition A1 , A2 , P, and Z in which Z is the all-zero matrix and P is a matrix of column identity permutations of appropriate dimension. Now we adjust the notion of compatibility to suit our purposes. Let B be an N k matrix on v symbols, and B be an N k matrix on v symbols. Then B is (M, c)-equal-compatible with B if M min(N, N ), and for every 1 < v , each of columns c + 1, . . . , k of B, and every column of B , there exists a with 0 < M so that the entry in row N in the column of B is and the entry in row N in the column of B is . Further, B is (M, c)-down-compatible with B if M min(N, N ), and for every 1 < v , each of columns c + 1, . . . , k of B and every column of B , there exists a with 0 < M so that the entry in row N in the column of B is and the entry in row N in the column of B is 0.

Theorem 2.9 Suppose that there exist 1. an SCA(N + v ; 2, (k1 , k2 ), v ), A, with k = k1 + k2 and restricted profile (d1 , . . . , dk ) and partition A1 , A2 , P, and Z; 2. for 1 i k1 , a PCA(M + v + di ; 2, ( i,1 , i,2 ); v ), Bi , with i = i,1 + i,2 and partition Bi,1 , Bi,2 , P, and Yi in which every column (y1 , . . . , yv )T of Yi has yi+1 i for 0 i < v ; and 3. for k1 < i k , an SCA(M + v + di ; 2, ( i , 0), v ), Bi with partition Bi,1 , O, P, and O (equivalently, a CA(M + di ; 2, i , v ) having v constant rows).
Suppose that for 1 i = i k1 , (Bi,1 Bi,2 ) is (M, i,1 )-equal-compatible with (Bi ,1 Bi ,2 ), and that for 1 i k1 and k1 < i k , Bi is (M, i,1 )-down-compatible k1 k1 k with Bi . Then an SCA(N + M + v ; 2, ( i=1 i,1 , i=1 i,2 + i=k1 +1 i ), v ) also exists.

Proof. Index the columns of the result R by {(i, j ) : 1 i k, 1 j i }. We describe how to form column (i, j ) of R. Let C1 be the ith column of (A1 A2 ) and let C2 be the j th column of (Bi,1 Bi,2 ) when i k1 , or the j th column of Bi,1 when i > k1 . Let C3 be a column of P when i k1 and j i,1 , the j th column of Yi when i k1 and j > i,1 , and a column of Z otherwise. Replace the entries in C1 by the first di entries of C2 to form C1 , and let C2 be the last M entries of C2 . Form the column with N + M + v entries by vertically juxtaposing C1 , C2 , and C3 . Then R has the required number of rows, columns, and symbols, and admits the partition specified. It remains to verify that it is a covering array. Consider columns indexed by (i, j ) and (i , j ). First consider the cases when i = i . When i, i > k1 ; i, i k1 , j i,1 , and j i ,1 ; or i k1 < i and j i,1 , all pairs are covered in the first N rows and last v rows, because the restriction to these rows gives two different columns of A. For cases with i, i k1 , all pairs with two unequal symbols are covered in the first N rows; the


pair (0,0) is covered in the last v rows, and the other pairs with equal symbols are covered in the remaining rows because Bi is (M, i,1 )-equal-compatible with Bi . It remains to treat cases with i k1 < i and j > i,1 . In the first N rows, all pairs but possibly {(, 0) : 0 i < v } are covered, and (0, 0) is covered in the last v rows. The remainder are covered in the rows arising from Bi and Bi because Bi is (M, i,1 )-down-compatible with Bi . It remains to treat columns indexed by (i, j ) and (i, j ). When i k1 , the two columns contain two different columns of Bi and hence all pairs are covered. When i > k1 , within the rows arising from Bi all pairs of unequal symbols are covered; because the column from A is chosen twice, all pairs with equal symbols are covered in the first N v rows.

Not surprisingly, the technical requirements of Theorem 2.9 make it hard to apply. Theorem 2.7 applied to a PCA and an SCA is a consequence of Theorem 2.9 using restricted profile (0, 0, . . . , 0) and forming each of the {Bi } from a single PCA. Instead taking k1 = 0 and k = k2 , no equal- or down-compatibility needs to be checked, and Theorem 2.9 yields Corollary 2.4 with s = v , a direct product construction. Lemma 2.6 essentially shows that a CA(N + v + 1; 2, k, v + 1) with v (v + 1) N < (v + 1)2 yields an SCA(N + v ; 2, k, v ) having a restricted profile that dominates v k1 01 . To exploit this, we first need a PCA(M + v ; 2, ( i,1 , i,2 ), v ) Bi with partition Bi,1 , Bi,2 , P, and Y. To apply Theorem 2.9 effectively, we further require that Bi,1 and Bi,2 be (M v, i,1 )-equal-compatible. We see no easy way to ensure this in general, so we adopt a simple trick when i,2 = 1. Adjoin a constant row containing symbol v 1 to (Bi,1 Bi,2 ) to form (Bi,1 Bi,2 ) having M + v + 1 rows, and ensure that the first v rows are the rows containing v 1 in the column of Bi,2 , other than the constant row of symbol v 1. Then Bi,1 is (M + 1 v, i,1 )-equal-compatible with Bi,2 .
Lemma 2.10 Suppose that a CA(N + v + 1; 2, k, v + 1) exists with v (v + 1) N < (v + 1)2 ; that a PCA(M + v ; 2, ( , 1), v ) exists; and that = 1 or a PCA(v 2 ; 2, + 1, v ) exists. Then there exists a PCA(N + M + 1; 2, ((k 1) , k 1 + ), v ).

Proof. This is a variant of Theorem 2.9 using the SCA(N + v ; 2, k, v ) with restricted profile v k1 01 as A. To form Bi with 1 i < k, order the rows of the PCA(M + v ; 2, ( , 1), v ) so that the first v rows contain v 1 in the last column, and insert a constant row containing v 1 immediately thereafter to form a PCA(M + 1 + v ; 2, ( , 1), v ). To form Bk , for each 0 < v let R consist of all positive values v for which Bi contains in row in the last column. When = 1, for each 0 < v , ensure that appears as a row of Bk among the rows indexed by R . When > 1, partition the rows of the CA(v 2 ; 2, + 1, v ) for Bk into v classes C0 , . . . , Cv1 placing a row in class C if it has the symbol in column + 1. Then delete column + 1, and rename symbols so that C0 consists of v constant rows. Then order the rows of Bk , possibly together with rows consisting entirely of , so that for 0 v 2, the rows of C appear in the rows indexed by R . Place a constant row of symbol v 1 as the first row of Bk (thereby aligning it to form a constant row of v 1 throughout). Apply Theorem 2.9.

This can improve upon Lemma 2.6. For example, using a CA(110+10+1; 2, 12, 11) and a PCA(92+10;2,(5,1),10) (the latter from an incomplete transversal design, see [23,50]), Lemma 2.10 gives a PCA(203;2,(55,12),10), while Lemma 2.6 gives a


CA(205;2,66,10). In this case, M < v 2 so = 1. Similarly, using a CA(110 + 10 + 1; 2, 12, 11), a PCA(106+10;2,(10,1),11) from [53], and a CA(100;2,4,10), Lemma 2.10 gives a PCA(217;2,(110,14),10). We expect that with patience one can find a number of such applications. Nevertheless, the accumulation of conditions that must be met seems to have led to the land of diminishing returns; one needs a construction with the power of Theorem 2.9 for which ingredients are more easily found.

3. Perfect Hash Families

Theorem 2.1 constructs a CA(N +M ; 2, k , v ) from a CA(N ; 2, k, v ) and a CA(M ; 2, , v ). In Section 2.1, generalizations to use constant rows and don't care positions have been treated; then in Section 2.2 these were generalized further as cut-and-paste or Roux-type constructions. The further generalization of Roux-type constructions to higher strengths has been alluded to, and we discuss it no further here. Instead we return to the basic direct product, in order to take a different view. When A is a CA(N ; 2, k, v ) and B is a CA(M ; 2, , v ), a column of the result C is obtained by selecting a column of A and a column of B and vertically juxtaposing them. In essence, then, the construction specifies which columns of A and B to juxtapose in order to form the column of C. Suppose that we form a 2 k array D = (dij ) so that, for 1 i k and 1 j , d1,(i1) +j = i and d2,(i1) +j = j . Then the array C from Theorem 2.1 is formed by replacing each symbol in the first row of D by the column indexed by in A, and replacing each symbol in the second row of D by the column indexed by in B. That the result C is a CA(M ; 2, , v ) follows immediately from the fact that for any two columns in D there is a row in which they contain different symbols. Our objective is to generalize to higher strengths by considering the properties of the pattern array D used to select columns from the ingredient covering array(s). The key property is that, in this pattern array, every t columns select t different columns of the ingredient arrays and we encounter a well-studied combinatorial object. A perfect hash family PHF(N ; k, w, t) is an N k array on w symbols, in which in every N t subarray, at least one row consists of distinct symbols. The smallest N for which a PHF(N ; k, v, t) exists is the perfect hash family number, denoted PHFN(k, v, t). Figure 6 shows a PHF(6; 12, 3, 3).
For instance, in columns 1, 8, and 9, the fourth row contains 2 0 1, and it is the only row in which we find three distinct symbols in these columns.

0 1 2 2 1 2 2 0 1 1 0 0
0 2 1 0 2 2 2 1 0 1 2 1
1 0 0 2 2 2 1 1 2 1 0 2
2 0 1 1 2 0 2 0 1 1 2 1
2 0 2 1 2 1 0 2 2 1 1 0
2 0 1 2 1 1 2 2 0 1 2 1

Figure 6. A PHF(6; 12, 3, 3)


Mehlhorn [103] introduced perfect hash families as an efficient tool for compact storage and fast retrieval of frequently used information. In this setting, each row defines a hash function from a domain of size k to a range of size v ; we employ the array formulation instead. Stinson, Trung, and Wei [124] establish that perfect hash families can be used to construct separating systems, key distribution patterns, group testing algorithms, cover-free families, and secure frameproof codes; see also [21,125]. Perfect hash families have also been applied in broadcast encryption [33,65] and threshold cryptography [18]. Finally, perfect hash families arise as ingredients in some recursive constructions for covering arrays; we examine this in detail here. An older survey on PHFs is given in [61]; for recent results on the existence of perfect hash families see [55,99,131] and references therein. Our reason for interest in them here follows:

Theorem 3.1 [15,98] If a PHF(s; k, m, t) and a CA(N ; t, m, v ) both exist then a CA(sN ; t, k, v ) exists.

Proof. Let B = (bij ) be an s k array on m symbols forming a PHF(s; k, m, t). Let A = (aij ) be an N m array on v symbols forming a CA(N ; t, m, v ). We produce an sN k array C = (cij ) as follows. For each 1 i s, 1 j N , and 1 k , set c(i1)N +j, = aj,bi, . The verification that C is a CA(sN ; t, k, v ) is straightforward; one needs only check that every t-way interaction is covered. Consider the t-way interaction {(1 , 1 ), . . . , (t , t )}. Because B is a perfect hash family of strength t, it is also a perfect hash family of strength t for all t t. Therefore there is a row of B in which b,i = b,j whenever i = j (and hence i = j ). Set di = b,i for 1 i t. In columns (d1 , . . . , dt ) of A, there is a row in which a,di = i , because A is a covering array of strength t and di = dj when i = j . But then c(1)N +,i = i for 1 i t, and the t-way interaction is covered in C.
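As an added, runnable illustration of the column replacement of Theorem 3.1 and the standardization saving of Corollary 3.2 (the code is written for this edit; it is not from the page or from [15,98]), the following Python transcribes the PHF(6; 12, 3, 3) of Figure 6, checks the perfect hash property by brute force, and replaces each symbol by the corresponding column of a constructed ingredient, the full factorial CA(8; 3, 3, 2), to obtain a CA(48; 3, 12, 2). Standardizing the ingredient first and dropping the s − 1 repeated constant rows gives the CA(1 + 6·7; 3, 12, 2) = CA(43; 3, 12, 2) of Corollary 3.2. The ingredient choice, the function names and the use of v = 2 are assumptions of the example; the checkers are generic in t and v.

```python
from itertools import combinations, product

# Figure 6 of the page, transcribed row by row: a PHF(6; 12, 3, 3).
PHF_FIG6 = [
    [0, 1, 2, 2, 1, 2, 2, 0, 1, 1, 0, 0],
    [0, 2, 1, 0, 2, 2, 2, 1, 0, 1, 2, 1],
    [1, 0, 0, 2, 2, 2, 1, 1, 2, 1, 0, 2],
    [2, 0, 1, 1, 2, 0, 2, 0, 1, 1, 2, 1],
    [2, 0, 2, 1, 2, 1, 0, 2, 2, 1, 1, 0],
    [2, 0, 1, 2, 1, 1, 2, 2, 0, 1, 2, 1],
]

# Constructed ingredient (an assumption of this example): the full factorial on three
# binary columns is a CA(8; 3, 3, 2), and its first row 000 is already a constant row.
CA_8_3_3_2 = [list(bits) for bits in product(range(2), repeat=3)]


def separating_rows(hf, cols):
    """Rows of the hash family in which the given columns carry pairwise distinct symbols."""
    return [i for i, row in enumerate(hf) if len({row[c] for c in cols}) == len(cols)]


def is_phf(hf, t):
    """PHF(N; k, w, t): every choice of t columns is separated by at least one row."""
    return all(separating_rows(hf, cols) for cols in combinations(range(len(hf[0])), t))


def is_covering_array(rows, t, v):
    """CA(N; t, k, v): every choice of t columns shows all v**t symbol tuples."""
    k = len(rows[0])
    return all(
        len({tuple(row[c] for c in cols) for row in rows}) == v ** t
        for cols in combinations(range(k), t)
    )


def column_replacement(pattern, ingredient):
    """Theorem 3.1: replace each symbol sigma of the pattern array by column sigma of the
    ingredient. Result row i*N + j, column c, holds ingredient[j][pattern[i][c]].
    With a PHF as the ingredient this is also the composition of Theorem 3.10."""
    return [[ing_row[sym] for sym in pat_row] for pat_row in pattern for ing_row in ingredient]


def standardize(ca, v):
    """Rename symbols within each column so that the first row becomes the constant row 0."""
    first = ca[0]
    return [[(x - f) % v for x, f in zip(row, first)] for row in ca]


def standardized_product(phf, ca, v):
    """Corollary 3.2: each of the s blocks of the product contains the constant row 0 of
    the standardized ingredient; keep it once, giving 1 + s(N - 1) rows."""
    zero = [0] * len(phf[0])
    result, seen_zero = [], False
    for row in column_replacement(phf, standardize(ca, v)):
        if row == zero:
            if seen_zero:
                continue
            seen_zero = True
        result.append(row)
    return result


if __name__ == "__main__":
    print("Figure 6 is a PHF(6; 12, 3, 3):", is_phf(PHF_FIG6, 3))
    print("rows separating columns 1, 8, 9:", [i + 1 for i in separating_rows(PHF_FIG6, (0, 7, 8))])
    ca = standardized_product(PHF_FIG6, CA_8_3_3_2, 2)
    print("CA(%d; 3, 12, 2) covers all 3-way interactions:" % len(ca), is_covering_array(ca, 3, 2))
```

Removing every duplicate row of the product, not only the extra copies of the constant row, can save further rows (the second constant row 111 of the full factorial is likewise repeated six times); is_covering_array confirms that the result still covers either way.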
Less formally, the perfect hash family B is used as a pattern to select columns from the covering array A, so that every symbol of B is replaced by the entire column of A that is indexed by . An immediate improvement arises by standardizing the covering arrays:

Corollary 3.2 If a PHF(s; k, m, t) and a CA(N ; t, m, v ) both exist then a CA(1+ s(N 1); t, k, v ) exists.

Proof. When the covering array is standardized, the constant row is repeated s times, and s 1 copies of it can be removed.

We examine generalizations of this column replacement technique, by varying the properties of the hash family and covering array involved, and by permitting the use of many covering arrays rather than a single one. First we are concerned with the construction of perfect hash families.

3.1. Perfect Hash Families, Packings, and Codes

A packing array A(N ; t, k, v ) is an N k array with symbols from a v -set so that in every t k subarray, no two columns are equal. Equivalently, no two columns of the N k array agree in t or more cells; hence the term packing array. These were explicitly studied in the case when t = 2 as transversal packings [122,123], although they have


been long explored as v -ary error-correcting codes. We first provide a few definitions. Let x = (x1 , x2 , . . . , xN ) and y = (y1 , y2 , . . . , yN ) be v -ary vectors of length N . The Hamming distance between x and y is d(x, y ) := |{i | xi ≠ yi }|. An (N, K, D, v )-code is a set C of K vectors (codewords) in {1, . . . , v }N such that the Hamming distance between any two distinct vectors in C is at least D. Codes over an alphabet of size v are v -ary codes. (See [94], for example.) Forming an N K array from an (N, K, D, v )-code by taking codewords as columns yields an A(N ; N − D, K, v ). Indeed the converse holds as well. While codes are much better studied than packing arrays, we adopt the array vernacular here. We mention two well known constructions used in [46]:

Lemma 3.3 A set of N − 2 mutually orthogonal latin squares of order v is equivalent to an A(N ; 2, v 2 , v ).

The OA(q t ; t, q + 1, q ) from polynomials over the finite field establishes a result essentially due to Bush [27]:

Lemma 3.4 When q is a prime power and 1 ≤ t ≤ q , there is an A(q + 1; t, q t , q ).

Lemma 3.5 [1] An OA(ns ; s, k, n) transposed yields a PHF(k ; ns , n, t) whenever k > (s − 1)·(t choose 2).

More generally, we have:

Lemma 3.6 When N > (s − 1)·(t choose 2), an A(N ; s, k, w) is a PHF(N ; k, w, t).

Proof. Let A be an A(N ; s, k, w). Choose t columns of A, and consider the N t subarray induced on them. There are (t choose 2) pairs of columns, and for each pair there are at most s − 1 entries in which they agree. Hence when N > (s − 1)·(t choose 2) there is at least one row in which no two of the selected columns contain the same entry.

In addition to Lemmas 3.5 and 3.6, better results are often available.

Theorem 3.7 [19] Let s ≥ 2 and t ≥ 2. When q is a sufficiently large prime power, there is a PHF(s(t − 1); q s , q, t).

Blackburn and Wild [19] also prove that s(t − 1) is a lower bound on the number of rows in a PHF arising from a linear OA, and hence the PHF produced in these cases is an optimal linear PHF. Some explicit computations have been undertaken to determine those prime powers for which such an optimal linear PHF can be constructed:

Theorem 3.8 [11,12,13,17] 1. An optimal linear PHF(6; q 2 , q, 4) exists if and only if q ≥ 11 is a prime power and q ≠ 13. 2. An optimal linear PHF(6; q 3 , q, 3) exists if and only if q ≥ 11 is a prime power.

Many results are known for numbers of rows intermediate between that prescribed by Lemma 3.6 and Theorem 3.7; each uses linear orthogonal arrays [54]. We repeat some of them that are useful in making covering arrays.


Theorem 3.9 [54] Let p be a prime.
1. A PHF(9; p4 , p, 3) exists when p ≥ 17.
2. A PHF(8; p4 , p, 3) exists when p ≥ 19.
3. A PHF(12; p3 , p, 4) exists when p ≥ 17.
4. A PHF(11; p3 , p, 4) exists when p ≥ 29.
5. A PHF(10; p3 , p, 4) exists when p ≥ 251 and p ∉ {257, 263}.
6. A PHF(10; p2 , p, 5) exists when p ≥ 19.
7. A PHF(9; p2 , p, 5) or a DHF(9; p2 , p, 5, 4) exists when p ≥ 41.
8. A PHF(8; p2 , p, 5) exists when p ≥ 241 and p ∉ {251, 257}.
9. A PHF(15; p2 , p, 6) exists when p ≥ 29.
10. A PHF(14; p2 , p, 6) or a DHF(14; p2 , p, 6, 5) exists when p ≥ 41.
11. A PHF(13; p2 , p, 6) exists when p ≥ 73.

Some extensions to orders that are not powers of primes appear in [63]. Here we mention two recursive constructions for perfect hash families, and explore the topic further in Section 5. Blackburn [16] gives a simple product construction, composition, which is itself a column replacement technique: Theorem 3.10 Suppose there exist a PHF(N0 ; k, x, t) and a PHF(N1 ; x, v, t). Then there exists a PHF(N0 N1 ; k, v, t). Atici et al. [7] give a product type construction: Theorem 3.11 Suppose that a PHF(N1 ; k0 k1 , v, t), a PHF(N2 ; k2 , k1 , t 1), and a PHF(N3 ; k2 , v, t) all exist. Then there exists a PHF(N1 N2 + N3 ; k0 k2 , v, t). Stinson, Wei, and Zhu [127] develop further constructions.

4. Related Hash Families

By weakening the requirements on the sets of columns to be separated, a number of variants of PHFs have been explored.

4.1. Distributing hash families

In [46], a generalization of perfect hash families is examined in order to construct covering arrays. An N t array A on w symbols (with columns C = {1, . . . , t}) is (t, v )-distributing if, for every partition {C1 , . . . , Cv } of C into v parts, there is at least one row of A, (a1 , . . . , at ), in which ai = aj only if i and j belong to the same class of the partition. An N k array is (t, v )-distributing if every N t subarray is (t, v )-distributing; such an array is a distributing hash family, and is denoted by DHF(N ; k, w, t, v ). An (N ; k, v, {w1 , w2 , . . . , wt })-separating hash family is an (N ; k, v )-hash family H that satisfies the property: For any C1 , C2 , . . . , Ct {1, 2, . . . , k} such that |C1 | = w1 , |C2 | = w2 , . . . , |Ct | = wt , and Ci ∩ Cj = ∅ for every i ≠ j , there exists at least one function h ∈ H such that {h(y ) : y ∈ Ci } ∩ {h(y ) : y ∈ Cj } = ∅. The notation SHF(N ; k, v, {w1 , w2 , . . . , wt }) is used. See, for example, [2,113,119]; and see [10] for the closely related notion of partially hashing.


Observation 4.1 Let A be an N k array. The following are equivalent: 1. A is a DHF(N ; k, w, t, v ). 2. A is an SHF(N ; k, w, {w1 , w2 , . . . , wv }) for every set {w1 , w2 , . . . , wv } with w1 + · · · + wv = t and wi ≥ 0 for 1 i v .

Observation 4.2 Let A be an N k array. The following are equivalent: 1. A is a PHF(N ; k, v, t). 2. A is an SHF(N ; k, v, {w1 , w2 , . . . , wt }) with w1 = = wt = 1. 3. A is a DHF(N ; k, w, t, v ) with v ≥ t.

By Observation 4.1, an SHF(N ; k, w, 1^(t−1) 2^1 ) is the same as a DHF(N ; k, w, t+1, t) because the only partition of t + 1 elements into t nonempty parts has one part with two elements and the remainder with one. However, this equivalence does not extend further. While an SHF requires separation of a particular type of partition, a DHF can require the separation of many types of partitions. Stinson, Wei, and Chen [126] give an SHF(3;4,3,{2, 2}) that fails to separate partitions of type {1, 3} (and hence is not a DHF(3;4,3,4,2)); they also give an SHF(2;4,3,{1, 3}) that fails to separate partitions of type {2, 2} (and hence is not a DHF(2;4,3,4,2)). Distributing hash families weaken the conditions on perfect hash families, while strengthening the conditions on certain separating hash families, by requiring (in general) that more than one but fewer than all partitions of t columns be separated. Distributing hash families often require fewer rows than perfect hash families of the same strength. We collect some further easy observations.

Observation 4.3 1. When s > 1, a DHF(N ; k, v, t, s) is also a DHF(N ; k, v, t, s − 1). 2. A DHF(N ; k, v, t, s) yields a DHF(N ; k + 1, v + 1, t, s). 3. When t > 0, a DHF(N ; k, v, t, s) is a DHF(N ; k, v, t − 1, min(s, t − 1)).

Lemma 3.6 points to a useful generalization. We need a preliminary definition. The Turán number T (t, v ) is the largest number of edges in a graph on t vertices that contains no complete subgraph of size v + 1. Turán [130] determined T (t, v ) exactly, as follows.
Write a = ⌊t/v⌋, and form a complete multipartite graph M with v classes, of which t − av have size a + 1 and (a + 1)v − t have size a. Then T (t, v ) is the number of edges in M .

Lemma 4.4 When N > (s − 1)T (t, v ), an A(N ; s, k, w) is a DHF(N ; k, w, t, v ).

Proof. Let A be an A(N ; s, k, w). Choose t columns of A, and consider the N t subarray induced on them. Consider a partition of the indices of the t columns into v classes; this defines a graph G on t vertices containing no complete subgraph of size v + 1 and hence G has T (t, v ) or fewer edges. Each edge of G indicates a pair of columns that are to contain distinct entries; as before, for each pair there are at most s − 1 entries in which they agree. Hence when N > (s − 1)T (t, v ) there is at least one row in which no two of the selected columns joined by an edge of G contain the same entry.

For certain parameters, substantial improvements on Lemmas 3.5 and 4.4 are available.
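As an added example for Lemmas 3.5, 3.6 and 4.4 (written for this edit; not code from the page, [1] or [46]), the Python below builds the linear OA(p^2; 2, p + 1, p) over F_p for a prime p, transposes it into a packing array A(p + 1; 2, p^2, p) with s = 2, computes the Turán numbers T(t, v) from the multipartite description above, and compares the sufficient condition N > (s − 1)T(t, v) with a brute-force check of the (t, v)-distributing property. It goes slightly beyond the text in that the brute-force checker accepts any (t, v), the perfect hash case being v = t; the choice p = 5 and all function names are assumptions of the example.

```python
from itertools import combinations


def linear_oa(p):
    """OA(p^2; 2, p + 1, p) for a prime p: the row for (a, b) lists a*x + b mod p for
    x = 0..p-1 and then a itself. Two distinct rows agree in at most one position, so
    the transpose is a packing array A(p + 1; 2, p^2, p), i.e. s = 2 in Lemma 3.6."""
    return [[(a * x + b) % p for x in range(p)] + [a] for a in range(p) for b in range(p)]


def transpose(rows):
    return [list(col) for col in zip(*rows)]


def max_agreement(hf):
    """Largest number of rows in which two distinct columns agree; this is s - 1 for a
    packing array A(N; s, k, w)."""
    k = len(hf[0])
    return max(sum(row[i] == row[j] for row in hf) for i, j in combinations(range(k), 2))


def turan(t, v):
    """Turán number T(t, v): edges of the complete v-partite graph on t vertices whose
    class sizes differ by at most one (the largest K_{v+1}-free graph on t vertices)."""
    a, rem = divmod(t, v)                       # t - a*v classes of size a+1, the rest of size a
    sizes = [a + 1] * rem + [a] * (v - rem)
    return (t * t - sum(x * x for x in sizes)) // 2


def bound_says_dhf(hf, t, v):
    """Lemma 4.4 (Lemma 3.6 is the case v >= t): N > (s - 1) T(t, v) suffices for a DHF."""
    return len(hf) > max_agreement(hf) * turan(t, v)


def set_partitions(t, max_classes):
    """Every partition of {0, ..., t-1} into at most max_classes classes, encoded as a
    restricted-growth string giving the class label of each element."""
    def rec(prefix, used):
        if len(prefix) == t:
            yield tuple(prefix)
            return
        for c in range(min(used + 1, max_classes)):
            yield from rec(prefix + [c], max(used, c + 1))
    yield from rec([], 0)


def is_dhf(hf, t, v):
    """Brute-force (t, v)-distributing check: for every t columns and every partition of
    them into at most v classes, some row gives different symbols to any two columns
    lying in different classes (equal symbols only within a class)."""
    k = len(hf[0])
    cross_pairs = [
        [(i, j) for i, j in combinations(range(t), 2) if labels[i] != labels[j]]
        for labels in set_partitions(t, v)
    ]
    for cols in combinations(range(k), t):
        for cross in cross_pairs:
            if not any(all(row[cols[i]] != row[cols[j]] for i, j in cross) for row in hf):
                return False
    return True


if __name__ == "__main__":
    hf = transpose(linear_oa(5))                # 6 rows, 25 columns, symbols 0..4
    print("s - 1 =", max_agreement(hf))
    for t, v in [(3, 3), (4, 2), (4, 3), (5, 2)]:
        print("t=%d v=%d: N > (s-1)T(t,v)?" % (t, v), bound_says_dhf(hf, t, v))
    print("brute force, DHF(6; 25, 5, 4, 2):", is_dhf(hf, 4, 2))
```

The bound is only sufficient: for (t, v) = (5, 2) it fails here because T(5, 2) = 6 = N, which says nothing about whether the array is a DHF(6; 25, 5, 5, 2); the brute-force check is what settles such cases, at a cost that grows with C(k, t) times the number of partitions.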


Theorem 4.5 [54] Let p be a prime. 1. A DHF(10; p3 , p, 4, 3) exists when p ≥ 31 and p ∉ {37, 41}. 2. A DHF(8; p2 , p, 5, 3) exists when p ≥ 61 and p ∉ {67, 71, 79, 83, 89, 103, 113, 137, 139}. 3. A DHF(13; p2 , p, 6, 4) exists when p ≥ 67.

4.2. Partitioning hash families

An N t array A on v symbols (with columns C = {1, . . . , t}) is (t, s)-partitioning if, for every partition {C1 , . . . , Cs } of C into at least two and at most s nonempty parts, there is at least one row of A, (a1 , . . . , at ), in which ai = aj if and only if i and j belong to the same class of the partition. An N k array is (t, s)-partitioning if every N t subarray is (t, s)-partitioning; such an array is a partitioning hash family, denoted by PaHF(N ; k, v, t, s). Sloane [118] explores the use of intersecting codes. An intersecting code is a linear code over Fq in which, for every two nonzero codewords, there is at least one coordinate in which the two codewords are both nonzero. In [118, Theorem 3] it is shown that for binary intersecting codes, choosing any three codewords a, b, c, there is a coordinate position in which a and b agree and c differs (and hence another in which a and c agree but b differs, and a third in which b and c agree but a differs). When the binary code has dimension d (2d codewords) and length M , this gives a DHF(M ; 2d , 2, 3, 2). The stronger requirement holds more generally.

Lemma 4.6 [46] Every DHF(M ; k, 2, t, 2) has the property that for every t columns C = {c1 , . . . , ct } and every partition of C into two nonempty classes C1 and C2 , there is a row in which the entries in columns in C1 are the same, the entries in columns in C2 are the same, but the entries in columns in C1 differ from those in columns of C2 . Equivalently, it is a PaHF(M ; k, 2, t, 2).

Proof. By the definition of a DHF, there is a row in which the entries in columns in C1 all differ from entries in columns in C2 .
Because the array is binary, all entries in columns in C1 must agree in this row; similarly, all entries in columns in C2 must agree in this row.

A PaHF(N ; k, t, t+1, t) is an SHF(N ; k, t, {w1 , . . . , wt }) with w1 = = wt1 = 1 and wt = 2. This is an example of a strong separating hash family [113]. However, even in this restricted case the SHF need not be a PaHF, because a partition of t + 1 into fewer than t classes need not contain a row with the same symbol in the columns of each class but different symbols in the columns of different classes. Indeed, partitioning hash families appear to be challenging to construct!

4.3. Heterogeneous hash families

Colbourn and Torres-Jiménez [59] relax the requirement that each hash function (row) have a range of the same size (the same number of symbols, respectively). A heterogeneous hash family, denoted HHF(N ; k, (v1 , . . . , vN )), is an N k array in which the ith row contains (at most) vi symbols for 1 i N . Often we write (v1 , . . . , vN ) in exponential notation: v1^u1 · · · vc^uc means that the N = u1 + · · · + uc rows can be partitioned into classes, so that in the ith class there are ui rows each employing (at most) vi symbols. The definitions for PHF, DHF, and SHF extend naturally to perfect, distributing, and separating heterogeneous hash families; we extend the notation as follows:

PHF(N ; k, w, t)                          PHHF(N ; k, v1^u1 · · · vc^uc , t)
DHF(N ; k, w, t, v )                      DHHF(N ; k, v1^u1 · · · vc^uc , t, v )
SHF(N ; k, w, {w1 , w2 , . . . , wt })    SHHF(N ; k, v1^u1 · · · vc^uc , {w1 , w2 , . . . , wt })

Lemma 4.7 If there exists a DHHF(N ; k, k1^u1 · · · kc^uc , t, v ), then for every 1 ≤ i ≤ c there exists a DHHF(N ; k − ⌊k/ki⌋, k1^u1 · · · k(i−1)^u(i−1) (ki − 1)^1 ki^(ui − 1) k(i+1)^u(i+1) · · · kc^uc , t, v ) provided that ki ≥ v + 1.

Proof. Consider a DHHF(N ; k, k1^u1 · · · kc^uc , t, v ) and let r be a row that has ki symbols. The average number of times one of these ki symbols occurs in row r is k/ki , and hence some symbol occurs no more than ⌊k/ki⌋ times. In order to form a DHHF(N ; k − ⌊k/ki⌋, k1^u1 · · · k(i−1)^u(i−1) (ki − 1)^1 ki^(ui − 1) k(i+1)^u(i+1) · · · kc^uc , t, v ), delete all columns that contain this symbol in row r.

At first it appears that Lemma 4.7 is of little value, because a DHHF is needed to begin. However, a PHF(N; k, w, t) is a DHF(N; k, w, t, t), and a DHF(N; k, w, t, v) is a DHHF(N; k, $w^N$, t, v); hence all constructions of perfect and distributing hash families provide input ingredients for Lemma 4.7. By eliminating one symbol from each of a number of rows, eliminating symbols from a single row, or a combination of the two, many DHHFs arise from a single DHF. The deletion of enough symbols in one row allows us to apply the following:

Lemma 4.8 Whenever a $\mathrm{DHHF}(N; k, k_1^{u_1} \cdots k_c^{u_c}, t, v)$ with $k_i < v$ exists, there is a $\mathrm{DHHF}(N - u_i; k, k_1^{u_1} \cdots k_{i-1}^{u_{i-1}} k_{i+1}^{u_{i+1}} \cdots k_c^{u_c}, t, v)$.

Proof. No row with fewer than v symbols can separate v classes, so we can remove all such rows without affecting the required separation. Martirosyan and Tran Van Trung [98] essentially use a version of Lemma 4.8 in removing a row from a perfect hash family. They do not explore the extension to distributing hash families, and do not exploit the intermediate heterogeneous hash families that arise. Combining Lemma 4.8 with Lemma 4.7, we can manipulate both the number of rows and the number of symbols in each. Nevertheless we still require PHFs and DHFs to begin the process. Applying Lemma 4.7 to the DHF arising from an OA amounts to deleting points from the corresponding transversal design. Puncturing transversal designs has been extensively studied in another setting, the construction of mutually orthogonal latin squares via Wilson's theorem; see [49,50] for a catalogue of structures in transversal designs that have been used in that context. Colbourn and Torres-Jiménez [59] consider only some of the more straightforward methods to puncture, as follows:
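As an added example (not code from the chapter or from [59]), the following Python builds the DHF obtained by transposing a linear orthogonal array, checks the distributing property by brute force, and then applies the symbol deletion of Lemma 4.7 and the row deletion of Lemma 4.8 to it; the function names and the choice q = 5, s = 2 are ours.

```python
"""Heterogeneous distributing hash families: Lemmas 4.7 and 4.8 in code.

Added example, not from the chapter.  The starting DHF is the transpose of
the linear OA(q^s; s, q+1, q) over a prime q: columns are the q^s
polynomials of degree < s, rows are the q evaluation points plus the
leading coefficient, so two distinct columns agree in at most s-1 rows.
For q = 5, s = 2, t = 3 this gives a DHF(6; 25, 5, 3, 3).  Names are ours.
"""
from itertools import combinations, product


def oa_hash_family(q, s):
    """Rows: value of each polynomial at x = 0..q-1, then its leading
    coefficient ("point at infinity"); columns: all q^s coefficient vectors."""
    polys = list(product(range(q), repeat=s))              # (c_0, ..., c_{s-1})
    rows = [[sum(c * pow(x, i, q) for i, c in enumerate(p)) % q for p in polys]
            for x in range(q)]
    rows.append([p[-1] for p in polys])
    return rows


def set_partitions(items, blocks):
    """All partitions of `items` into exactly `blocks` nonempty classes."""
    if not items:
        if blocks == 0:
            yield []
        return
    first, rest = items[0], items[1:]
    for part in set_partitions(rest, blocks):               # first joins a class
        for i in range(len(part)):
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
    for part in set_partitions(rest, blocks - 1):           # first starts a class
        yield [[first]] + part


def is_dhhf(hhf, t, v):
    """Distributing property: for every t columns and every partition of them
    into v classes, some row gives distinct symbols to every pair of columns
    in different classes.  A row separating a partition also separates every
    coarsening of it, so checking exactly v classes suffices when t >= v."""
    k = len(hhf[0])
    for cols in combinations(range(k), t):
        for part in set_partitions(list(cols), v):
            cross = [(a, b) for x, y in combinations(part, 2) for a in x for b in y]
            if not any(all(row[a] != row[b] for a, b in cross) for row in hhf):
                return False
    return True


def exponential_type(hhf):
    """The exponential notation as (v_i, u_i) pairs: u_i rows use v_i symbols."""
    counts = {}
    for row in hhf:
        counts[len(set(row))] = counts.get(len(set(row)), 0) + 1
    return tuple(sorted(counts.items()))


def delete_symbol(hhf, r):
    """Lemma 4.7 step: in row r pick a least frequent symbol (it occurs at
    most floor(k / k_r) times) and delete every column carrying it in row r.
    Deleting columns never breaks separation, so the result is again a DHHF,
    now with one symbol fewer in row r."""
    row = hhf[r]
    sigma = min(set(row), key=lambda s: (row.count(s), s))
    keep = [j for j, x in enumerate(row) if x != sigma]
    return [[line[j] for j in keep] for line in hhf]


def drop_small_rows(hhf, v):
    """Lemma 4.8: a row with fewer than v symbols cannot separate v classes,
    so removing all such rows preserves the distributing property."""
    return [row for row in hhf if len(set(row)) >= v]


if __name__ == "__main__":
    h = oa_hash_family(5, 2)                  # DHF(6; 25, 5, 3, 3)
    h = delete_symbol(delete_symbol(h, 0), 0)
    print(len(h), len(h[0]), exponential_type(h))   # 6 15 ((3, 1), (5, 5))
```

Applying delete_symbol a third time to row 0 leaves that row with 2 < v symbols, at which point drop_small_rows removes it and a five-row DHF on 10 columns remains.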


Lemma 4.9 When q > s is a prime power, and the linear OA(q s ; s, q + 1, q ) yields a DHF(M ; q s , q, t, v ), there exist 1. a DHHF(M ; q s1 , q M 1 1 , t, v ) for v q , and a DHF(M 1; q s1 (v 1), q, s, v ) (one level); 2. a DHHF(M ; q s2 , q M 2 1 1 , t, v ) for v , q (two levels); 3. a DHHF(M ; S , q M (q 1) , t, v ) for 0 M (a spike) here S0 = q s and S = S1 Sq1 for 1 M ; 4. a DHHF(M ; S, , q M 1 (q 1) 1 , t, v ) for for v q and 0 S 1, M 1 (a level and a spike) here S0, = q s and S, = S1, q for 1 M 1. Proof. In each case we apply Lemma 4.7. For (1) delete q symbols in one row. For (2) further delete q symbols in another row. For (3) delete one symbol from each of rows, and for (4) further delete q symbols in another row. This is certainly not an exhaustive list, but it treats the majority of the applications in which we are interested. In determining S in Lemma 4.9(3) and S, in Lemma 4.9(4), the structure of the OA(q s ; s, q + 1, q ) is used in a naive manner. By explicitly constructing the OA and at each stage choosing a symbol to remove that minimizes the number of columns removed, we retain a number of columns T or T, that is at least as large as S or S, , respectively. Determining the largest number of columns that can be retained appears to be a challenging problem, but the greedy strategy employed here is an easy means to improve upon the simple argument of Lemma 4.9. See [59].

5. Recursive Constructions of Hash Families

Now we return to the construction of PHFs, and outline some recent results from [55,99]. A further definition is needed. A PHF(N; k, w, t) has matroshka type ($N_2, N_3, \ldots, N_t$) when, for each $2 \le m \le t$, the first $\sum_{i=2}^{m} N_i$ rows form a PHF(N; k, w, m). We require a variation on a DHF. Let (, ) be an abelian group of order n. Let A = (ai ) be an $N \times k$ array with symbols from . Let C be a set of m columns. Let (1 , . . . , t ) be a t-tuple of elements of , so that {1 , . . . , t } contains at most t − 1 distinct values. Let C be a partition of {1, …, t} into m (possibly empty) classes {$C_1, \ldots, C_m$} in such a way that (1) i = j only if i and j are in different classes; and (2) one class contains at least t + 1 − m elements. If there is a row such that for every i, j with $1 \le i < j \le t$, i ∈ $C_x$, and j ∈ $C_y$, we find that ax i = ay j, then A difference separates (C, C). When A difference separates all such choices for (C, C), it is a difference distributing hash family DDHF(N; k, n, t, m). A DDHF(N; k, n, t, m) has laminar type ($M_2, \ldots, M_m$) when, for 2 m, the first i=2 Mi rows form a DDHF(N; k, n, t, ). Colbourn and Ling [55] establish a generalization of the many constructions of [99,46], so we consider the general result here.

Theorem 5.1 Let $w \ge q$. Suppose that there exist
1. a PHF($L_1$; k, w, t), a PHF($L_2$; , w, t), a PHF(N; k, q, t − 1) with matroshka type ($N_2, \ldots, N_{t-1}$), and


2. a DDHF(M; , q, t, t − 1) with laminar type ($M_2, \ldots, M_{t-1}$).
Then there exists a PHF($L_1 + L_2 + \sum_{g,h \ge 2,\; g+h \le t+1} N_g M_h$; k + w − q, w, t).

Proof. Start with four arrays as follows.
1. A = ($a_{ij}$) is an $L_1 \times k$ array that is a PHF($L_1$; k, w, t).
2. B = ($b_{ij}$) is an $N \times k$ array that is a PHF(N; k, w, t − 1) with matroshka type ($N_2, \ldots, N_{t-1}$). Let $B_g$ be the submatrix containing the rows indexed from $1 + \sum_{i=2}^{g-1} N_i$ to $\sum_{i=2}^{g} N_i$.
3. C = ($c_{ij}$) is an M ×  array that is a DDHF(M; , q, t, t − 1) with laminar type ($M_2, \ldots, M_{t-1}$). Let $C_h$ be the submatrix containing the first $\sum_{j=2}^{h} M_j$ rows.
4. D = ($d_{ij}$) is an $L_2 \times k$ array that is a PHF($L_2$; , w, t).
We form an $(L_1 + L_2 + \sum_{g=2}^{t-1} \sum_{h=2}^{t+1-g} N_g M_h) \times (k + w - q)$ array R. For convenience we refer to columns of R using ordered pairs from ({1, …, k} × {1, …, }) ∪ {1 , . . . , wq }. To form R, we form certain arrays, each having k + w − q columns.
1. E = ($e_{ij}$) is an array with $L_1$ rows: Set ei,(j, ) = aij for $1 \le i \le L_1$, $1 \le j \le k$, and 1 ; set elements in columns indexed by {1 , . . . , wq } arbitrarily.
2. F = ($f_{ij}$) is an array with $L_2$ rows: Set fi,(j, ) = di, for $1 \le i \le L_2$, $1 \le j \le k$, and 1 ; set elements in columns indexed by {1 , . . . , wq } arbitrarily.
3. For $2 \le g \le t - 1$, $T_g$ = (ti,(j, ) ) is an array with $\sum_{h=2}^{t+1-g} N_g M_h$ rows: For every row of $B_g$ and every row r of $C_{t+1-g}$, form a row u of T with tu,(j, ) = bj cr , where is the addition defined for the DDHF. For each of the w − q unused symbols, adjoin a constant column consisting of one of that symbol.
Then vertically juxtapose E, F, and $T_g$ for g = 2, …, t − 1 to form R. Choose any $m \le t$ distinct columns {(j1 , 1 ), . . . , (jt , m )} from the k columns, and choose t − m from the columns indexed by {1 , . . . , wq }. If m = t and 1 = = t , then {$j_1, \ldots, j_t$} are all distinct and the t columns are separated in E. If m = t and $j_1 = \cdots = j_t$, then { 1 , . . . , t } are all distinct and the t columns are separated in F. Otherwise in each of the matrices $T_g$, each column among the last q − w is separated from every other column by every row. Let L be the set of distinct entries in { 1 , . . . , m } and J the set of distinct entries in {$j_1, \ldots, j_m$}. Suppose that J has g distinct entries. Then $2 \le g \le t - 1$ and L has at most t + 1 − g distinct entries (when $j_a = j_b$, a = b ). Therefore the columns of J are separated by a row of $B_{g'}$ for some $g' \le g$. We claim that a row of $T_{g'}$ separates the m columns. Set i = b,ji for $1 \le i \le m$ and choose (m+1 , . . . , t ) arbitrarily. Because $C_{t+1-g'}$ is a DDHF(M; , q, t, t + 1 − g′), there is a row which difference separates the (at most t + 1 − g′) columns of L for (1 , . . . , t ). Thus $T_{g'}$ separates {(j1 , 1 ), . . . , (jm , m )}. In order to apply Theorem 5.1, DDHFs are required. Basic constructions are given next.

Theorem 5.2 A DDHF(N; $q^{s-1}$, q, t, t − 1) exists whenever $q \ge (s-1)\binom{t}{2} - 1$. Indeed it has laminar type ($M_2, \ldots, M_{t-1}$) for $M_i = (s-1)(t+1-i)$ for $2 \le i \le m$.


Proof. It suffices to show that for any set A of $(s-1)\left(\binom{t}{2} - \binom{t+1-m}{2}\right)$ elements of $\mathbb{F}_q$, the corresponding linear hash family A using only those polynomials of degree less than s with zero constant term forms a DDHF(N; $q^{s-1}$, q, t, m). Two columns of A agree in at most s − 2 rows (in the orthogonal array they can agree in at most s − 1, but they surely agree in the row indexed by 0). Now choose any set C of m polynomials $F_1, \ldots, F_m$, and choose elements {1 , . . . , t } partitioned into m classes C = {$C_1, \ldots, C_v$} of which one has at least t + 1 − m elements. Further, i = j only if i and j belong to different classes. Among the {i } there are at most t − 1 distinct values; suppose without loss of generality that i = j , i ∈ $C_1$, and j ∈ $C_2$. We show that at least one of the rows indexed by A difference separates (C, C). The column indexed by $F_1$ and that indexed by $F_2$ agree in at most s − 2 rows; any element a ∈ A indexing a row in which they agree fails to separate. There remain at most $\binom{t}{2} - \binom{t+1-m}{2} - 1$ ways to select i and j in different classes; for each, at most s − 1 elements fail to separate. Therefore at least one a ∈ A remains that difference separates.

Lemma 5.3 If there is a PHF($N_1$; k, v, t − 1) and a DDHF($N_2$; v, q, t, t − 1), then there exists a DDHF($N_1 N_2$; k, q, t, t − 1).

Proof. For $1 \le i \le v$, replace each occurrence of symbol i in the PHF($N_1$; k, v, t − 1) by the ith column of the DDHF($N_2$; k, q, t, t − 1).

These lead to two corollaries of Theorem 5.1.

Corollary 5.4 [99, Theorem 5.1] Let $w \ge q \ge \binom{t}{2} - 1$ with q a prime power. Suppose that there exist a PHF($L_1$; k, w, t) and a PHF(N; k, q, t − 1). Then there exists a PHF($L_1 + (\binom{t}{2} - 1)N + 1$; kq, w, t).

Proof. Set s = 2 and apply Theorem 5.2 to form a DDHF($\binom{t}{2} - 1$; q, q, t). Take its laminar type to be ($M_2 = \binom{t}{2} - 1$, 0, …, 0). Take the matroshka type of the PHF(N; k, q, t − 1) to be ($N_2$ = N, 0, …, 0). Then form a PHF($L_2$ = 1; q, w, t). Apply Theorem 5.1 and omit the last w − q columns.

Corollary 5.5 [99, Theorem 4.1] Let $q \ge \binom{t}{2} - 1$ be a prime power. Suppose that there exist a PHF($L_1$; k, q, t) and a PHF(N; k, q, t − 1). Then there exists a PHF($L_1 + (\binom{t}{2} - 1)N + 1$; kq, q, t).

Proof. Apply Corollary 5.4 with w = q.

Better ingredients for Theorem 5.1 can be found as well; we refer the interested reader to [55] for more details. With these definitions in hand, further DHHFs can be constructed as well [59].

Lemma 5.6 If a DHF(N; k, w, t, v) with matroshka type ($N_2, N_3, \ldots, N_t$) exists, then there also exists a DHHF(N; 2k, $(2w)^{N - N_t} w^{N_t}$, t, v).

Proof. Let A be a DHF(N; k, w, t, v) with matroshka type ($N_2, N_3, \ldots, N_t$); partition its rows so that, for $2 \le j \le t$, $A_j$ consists of the $N_j$ rows from row $1 + \sum_{i=2}^{j-1} N_i$ to row $\sum_{i=2}^{j} N_i$. Form a matrix $B_j$ from $A_j$ on a disjoint set of symbols for $2 \le j < t$. Form $F_j$ by placing $A_j$ and $B_j$ side-by-side when $2 \le j < t$, and placing $A_t$ and $A_t$ side-by-side when j = t. Then vertically juxtapose the arrays $F_2, \ldots, F_t$ to form an array E, which is an $N \times 2k$ array. Index columns of each array $A_j$ and each array $B_j$ by {1, …, k}, and index columns of E by {1, …, k} × {0, 1} in the natural way. Now choose t columns of E indexed by {(1 , i1 ), . . . , (t , it )}, and a partition of these columns into v classes $C_1, \ldots, C_v$. If |{1 , . . . , t }| = t, there is a row of A that separates the classes $C_1, \ldots, C_v$, and hence some row of E does as well. Otherwise |{1 , . . . , t }| < t; form a new set of classes $L_1, \ldots, L_v$ by starting with $C_1, \ldots, C_v$, and whenever i = j and i < j, remove (j , ij ) from its class of the partition. Some row of $A_2$, $A_3$, or $A_{t-1}$ separates the classes $L_1, \ldots, L_v$ restricted to the first coordinates, because fewer than t distinct columns remain. Suppose that it is in $A_j$. Then in $F_j$ there is a row that separates $C_1, \ldots, C_v$ because $A_j$ and $B_j$ share no symbols.

Our primary objective in treating these constructions here is to demonstrate that imposing structure on the ingredient arrays (for example, specifying matroshka and laminar types) enables us to avoid producing certain irrelevant rows. We observe the same phenomenon next, this time for covering arrays.

6. Constructing Covering Arrays using Hash Families

Three constructions for covering arrays via column replacement were developed independently. One uses perfect hash families [15]. A second uses intersecting codes in the special case of binary covering arrays of strength three [118]. A third squares the number of factors using an array constructed from a Turán family [75,128]. The first has already been given in Theorem 3.1; here we explore how variants of hash families underlie the other two, and indeed many more, column replacement techniques.

6.1. Using Distributing Hash Families

Colbourn [46] proves a general theorem:

Theorem 6.1 Let $k \ge \min(t, v)$. Suppose that there exist a DHF(M; , k, t, min(t, v)) and a CA(N; t, k, v) having  constant rows. Then a CA( + (N − )M; t, , v) exists.

Proof. Let A be a CA(N; t, k, v) and let A′ be the (N − ) × k array obtained by removing the  constant rows. Let D be a DHF(M; , k, t, min(t, v)) with symbols {1, …, k}. Let {$a_j$ : j = 1, …, k} be the columns of A′. Form an (N − )M ×  matrix by replacing the symbol j in D by the column $a_j$. Then add  constant rows (one for each symbol in the constant rows deleted to form A′ from A) to form the matrix E. It suffices to prove that E is a covering array of strength t. Fix a tuple C = ($c_1, \ldots, c_t$) of t columns in E (equivalently, in D), and fix a t-way interaction T by selecting value i for column $c_i$ for $1 \le i \le t$. We must show that T is covered in E. If T is constant and contains a symbol of one of the constant rows of A, it is covered in the constant rows of E. Otherwise, the values ( 1 , . . . , t ) partition C into nonempty classes $C_1, \ldots, C_w$ for $w \le \min(t, v)$, by placing $c_i$ and $c_j$ in the same class $C_m$ if and only if i = j. There is a row (d1 , . . . , d ) of D in which, for this partition, the entries $e_i = d_{c_i}$ and $e_j = d_{c_j}$ are equal only if $c_i$ and $c_j$ belong to the same class $C_m$. Thus, on columns $c_1, \ldots, c_t$ in E, there is an $N \times t$ subarray whose columns are $a_{e_1}, \ldots, a_{e_t}$, in that order. The number z of distinct columns of A that are represented is at most min(t, v); because A is a covering array of strength t, it is also a covering array of strength z. Therefore the t-way interaction T is covered.

Applying Theorem 6.1 with  = 0 to a standardized CA, the constant row gives rise to M equal, constant rows. But applying the same theorem with  = 1, we obtain:

Corollary 6.2 Let $k \ge \min(t, v)$. Suppose that there exist a CA(N; t, k, v) and a DHF(M; , k, t, min(t, v)). Then a CA(1 + (N − 1)M; t, , v) exists.

Numerous constructions following the framework of Theorem 6.1 have been given. For binary arrays of strength three, combining Lemmas 4.4 and 3.4 (noting that T(3, 2) = 2) with Theorem 6.1 gives Theorem 7(ii) of Sloane [118]; this is a strengthening of earlier work in [28,112]. Implicitly, Sloane uses the fact that a certain binary intersecting code yields a DHF(N; k, 2, 3, 2). Employing Corollary 6.2 in conjunction with Lemmas 4.4 and 3.4 establishes a somewhat improved result, reducing the number of rows in [118, Theorem 7(ii)] by 2x − 2:

Theorem 6.3 Let $q \ge t \ge 3$ be a prime power and $1 \le x \le q$. Suppose that a CA(N; t, q, v) exists. If q + 1 > (x − 1)T(t, v) then a CA(1 + (N − 1)((x − 1)T(t, v) + 1); t, $q^x$, v) also exists.

Corollary 6.4 Let $q \ge 3$ be a prime power and $1 \le x \le \frac{q+2}{2}$. When a CA(N; 3, q, 2) exists, a CA(1 + (N − 1)(2x − 1); 3, $q^x$, 2) also exists.

Proof. Take t = 3 and v = 2, so that T(t, v) = 2, to apply Theorem 6.3. We require that q + 1 > 2(x − 1), which is met when $x \le \frac{q+2}{2}$.

By Lemma 3.4, when q is a prime power there is a PA(q + 1; 2, $q^2$, q). Applying Lemma 4.4 and Theorem 6.1, we recover a construction of Tang and Chen [128] and Boroday [22] for squaring the number of factors. Hartman [75] generalizes to non-prime-power numbers of symbols by using Lemma 3.3 in place of Lemma 3.4 with t = 2; hence Hartman also squares the number of factors. In both cases, an improvement is obtained by applying Corollary 6.2 in place of Theorem 6.1, resulting in a savings of T(t, v) rows. We summarize this as follows.

Theorem 6.5 If there are T(t, v) + 1 mutually orthogonal latin squares of order k, and a CA(N; t, k, v) exists, a CA(1 + (N − 1)(T(t, v) + 1); t, $k^2$, v) also exists.

In [46], consequences for covering arrays are developed using the packing arrays described earlier. Further applications could employ packing arrays other than those produced by Lemmas 3.3 and 3.4.

6.2. Using Heterogeneous Hash Families

Colbourn and Torres-Jiménez [59] improve upon Theorem 6.1 in two ways: judiciously choosing symbols on which to place the constant rows, and using heterogeneous hash families:

Theorem 6.6 Suppose that there exist


1. a CA(Ni ; t, ki , v ) having i constant rows and ki t for 1 i c, and u1 uc 2. a DHHF(M ; , k1 kc , t, min(t, v )). Let = max(0, v

c i=1

c i=1

ui (Ni i ); t, , v ) exists.

Proof. Let D be a DHHF(M; , $k_1^{u_1} \cdots k_c^{u_c}$, t, min(t, v)). Partition the M rows of D into classes $U_1, \ldots, U_c$ so that, for $1 \le i \le c$, class $U_i$ contains exactly $u_i$ rows that each use (only) the symbols in {1, …, $k_i$}. For $1 \le r \le M$, choose $Y_r \subseteq \{1, \ldots, v\}$ with |$Y_r$| = v − i when r ∈ $U_i$, and choose $Y_{M+1}$ with |$Y_{M+1}$| = , so that $\bigcup_{r=1}^{M+1} Y_r = \{1, \ldots, v\}$. For $1 \le r \le M$, choose i so that r ∈ $U_i$, and let $B_r$ be a CA($N_i$; t, $k_i$, v) whose i constant rows are on symbols {1, …, v} \ $Y_r$. (Symbols can be renamed if necessary to place the constant rows on the desired symbols.) Then let $A_r$ be the ($N_i$ − i) × $k_i$ array obtained by removing the i constant rows. Let {$a_{rj}$ : j = 1, …, $k_i$} be the columns of $A_r$ for $1 \le r \le M$. For each $1 \le r \le M$, suppose that r ∈ $U_i$ and form a ($N_i$ − i) ×  array $Q_r$ by replacing each occurrence of j in the rth row of D by the column $a_{rj}$. Form a  ×  array S that contains a constant row for each symbol in $Y_{M+1}$. Then vertically juxtapose the arrays {$Q_r$ : $1 \le r \le M$} and S to form a ( + $\sum_{i=1}^{c} u_i(N_i - {}_i)$) ×  matrix E. It suffices to prove that E is a covering array of strength t. Fix a tuple C = ($c_1, \ldots, c_t$) of t columns in E (equivalently, in D), and fix a t-way interaction T by selecting value j for column $c_j$ for $1 \le j \le t$. We must show that T is covered in E. First consider the cases when T is constant, i.e. 1 = = t = . If ∈ $Y_{M+1}$, T is covered in S. Otherwise choose r so that ∈ $Y_r$, and consider the array $Q_r$. Because $A_r$ covers the constant s-tuple with all entries equal to for every $1 \le s \le t$, T is covered in $Q_r$. Now consider cases when T is not a constant t-tuple. The values (1 , . . . , t ) partition C into nonempty classes $C_1, \ldots, C_w$ for $w \le \min(t, v)$, by placing $c_a$ and $c_b$ in the same class if and only if a = b. Choose row r = (d1 , . . . , d ) of D so that the entries $e_a = d_{c_a}$ and $e_b = d_{c_b}$ are equal only if $c_a$ and $c_b$ belong to the same class; such a row exists because D is a DHHF. Choose i so that r ∈ $U_i$. On columns $c_1, \ldots, c_t$ in $Q_r$, there is an ($N_i$ − i) × t subarray whose columns are $a_{r,e_1}, \ldots, a_{r,e_t}$, in that order. The number z of distinct columns of $A_r$ that are represented is at most min(t, v); because $A_r$ is a covering array of strength t, it is also a covering array of strength z. Therefore the t-way interaction T is covered.
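The column replacement of Theorem 6.1 (and, with a single stripped constant row, Corollary 6.2) carried out on a small instance, as an added example that is not the chapter's code; the hash family literal, the trivial covering array ingredient and the function names are ours, and coverage of the result is verified by brute force.

```python
"""Column replacement of Theorem 6.1 and Corollary 6.2 in code.

Added example, not the chapter's own code.  DHF_4_9_3 is the DHF(4; 9, 3, 3, 2)
obtained by transposing the linear OA(9; 2, 4, 3): column 3a+b is the
polynomial a + bx over F_3, the rows are x = 0, 1, 2 and the leading
coefficient b, so two distinct columns agree in at most one row.  The
covering array ingredient is the trivial CA(8; 3, 3, 2), which has two
constant rows.  Function names are ours.
"""
from itertools import combinations, product

DHF_4_9_3 = [                      # constructed as described above
    [0, 0, 0, 1, 1, 1, 2, 2, 2],   # x = 0: the constant term a
    [0, 1, 2, 1, 2, 0, 2, 0, 1],   # x = 1: a + b   (mod 3)
    [0, 2, 1, 1, 0, 2, 2, 1, 0],   # x = 2: a + 2b  (mod 3)
    [0, 1, 2, 0, 1, 2, 0, 1, 2],   # leading coefficient b
]


def full_factorial(t, v):
    """The trivial CA(v^t; t, t, v): every v-ary t-tuple once, hence v constant rows."""
    return [list(p) for p in product(range(v), repeat=t)]


def is_covering_array(arr, t, v):
    """Strength-t coverage: all v^t interactions appear on every choice of t columns."""
    k = len(arr[0])
    for cols in combinations(range(k), t):
        seen = {tuple(row[c] for c in cols) for row in arr}
        if len(seen) < v ** t:
            return False
    return True


def column_replacement(ca, dhf, strip=None):
    """Theorem 6.1: delete the constant rows on the symbols in `strip` (lambda
    of them; every constant row when strip is None), replace symbol j of the
    hash family by the j-th column of what remains, stack one block per hash
    family row, and put back one constant row per stripped symbol.
    Corollary 6.2 is the call with a single symbol in `strip`."""
    const = {row[0] for row in ca if len(set(row)) == 1}
    strip = const if strip is None else set(strip) & const
    core = [row for row in ca if not (len(set(row)) == 1 and row[0] in strip)]
    ell = len(dhf[0])
    result = []
    for hash_row in dhf:                               # (N - lambda) rows per block
        for core_row in core:
            result.append([core_row[hash_row[c]] for c in range(ell)])
    result.extend([s] * ell for s in sorted(strip))    # the lambda constant rows
    return result


if __name__ == "__main__":
    e = column_replacement(full_factorial(3, 2), DHF_4_9_3)
    print(len(e), len(e[0]), is_covering_array(e, 3, 2))   # 26 9 True
```

With both constant rows stripped this yields a CA(26; 3, 9, 2); stripping only the all-zero row, as in Corollary 6.2, yields a CA(29; 3, 9, 2).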

Comparing with Theorem 6.1, even for DHFs an improvement is obtained when  < v:

Corollary 6.7 Let $k \ge \min(t, v)$. Suppose that a DHF(M; , k, t, min(t, v)) and a CA(N; t, k, v) having  constant rows both exist. Let  = max(0, (M − 1)(v − )). Then a CA( + (N − )M; t, , v) exists.

Theorem 6.6 can exploit a library of small covering arrays rather than a single one. Moreover, as in Theorem 2.2, Theorem 6.6 does not require that every ingredient array have many constant rows. In [59], most applications are given for DHHFs obtained from truncating the orthogonal array from the finite field. But they also give one example of the use of Lemma 5.6. There is a PHF(16; $17^2$, 17, 6) that has matroshka type (2, 2, 3, 4, 5) [55]. Lemma 5.6 gives a PHHF(16; $2 \cdot 17^2$, $34^{11} 17^5$, 6). For v ∈ {14, 15, 16} applying Theorem 6.6 with best values for CAN(6, 34, v) and a CAN(6, 17, v) yields improvements on the best known construction for CAN(6, $2 \cdot 17^2$, v).

6.3. Using Partitioning Hash Families

Consider a DHF(M; $2^d$, 2, 3, 2) on symbols {0, 1}. This cannot be used directly in Theorem 6.1, because the covering array required would have t > k. Nevertheless, replacing each occurrence of 0 by the column $\binom{0}{1}$ and each occurrence of 1 by the column $\binom{1}{0}$, one obtains a $2M \times 2^d$ array on symbols {0, 1}. Adjoin the constant row with all elements 0, and the row with all elements 1, to form a $(2M + 2) \times 2^d$ array. The result is a CA(2M + 2; 3, $2^d$, 2). This is [118, Theorem 7(i)], which implicitly uses the same technique as Theorem 6.1 to remove constant rows prior to replication, and then replace them once at the conclusion. Viewed as a column replacement construction, the hash family employed is partitioning and not just distributing. The use of partitioning hash families is appealing, because covering arrays of smaller strength can be used to make covering arrays of larger strength:

Theorem 6.8 [46] Suppose that a PaHF(M; , k, t, v) and a CA(N + ; v, k, v) with  constant rows both exist. Then a CA( + NM; t, , v) exists.

Using a CA(2 + 2; 2, 2, 2) with 2 constant rows and a PaHF(M; $2^d$, 2, 3, 2) from a binary intersecting code of length M and dimension d yields the theorem of Sloane. Other constructions of partitioning hash families appear to be needed to obtain further results. In [59], a variation on Theorem 6.6 is presented that requires additional properties of the DHHF but can save further rows. This can be seen as a generalization of the use of partitioning hash families. However, currently it does not appear to be fruitful in the construction of covering arrays.

Theorem 6.9 Suppose that there exist
1. a CA($N_i$; t, $k_i$, v) having i constant rows for $1 \le i \le c$, and
2. a DHHF(M; , $k_1^{u_1} \cdots k_c^{u_c}$, t, min(t, v)) for which, for every way to choose t columns, there is a row in which these t columns do not have all entries distinct.
Then a CA(

c i=1

ui (Ni i ); t, , v ) exists.

Proof. As in the proof of Theorem 6.6 form the arrays $Q_1, \ldots, Q_M$. Then vertically juxtapose the arrays {$Q_r$ : $1 \le r \le M$} to form a ($\sum_{i=1}^{c} u_i(N_i - {}_i)$) ×  matrix E. It suffices to prove that E is a covering array of strength t. Fix a tuple C = ($c_1, \ldots, c_t$) of t columns in E (equivalently, in D), and fix a t-way interaction T by selecting value i for column $c_i$ for $1 \le i \le t$. We must show that T is covered in E. When T is not constant, the argument is the same as in the proof of Theorem 6.6. Now consider the cases when T is constant, i.e. 1 = = t = . Choose any row r whose entries in columns $c_1, \ldots, c_t$ are not all different and let $k_{c_1}, \ldots, k_{c_t}$ be the entries. Then z < t of them are distinct, so let {1 , . . . , z } be the set of distinct entries. These index columns in $A_r$. Because $A_r$ covers the constant z-tuple with all entries equal to , T is covered in $Q_r$.


7. Quilting Arrays

Colbourn and Zhou [60] further improve on Theorem 6.6 using a variant of covering arrays, quilting arrays. The standard definition of covering array asks for all t-way interactions to be covered. The idea of covering only some of the t-way interactions has been examined in a number of contexts. Throughout this paper, for example, improvements often result by covering only the nonconstant t-way interactions. In [42] arrays of strength three are employed that cover all 3-way interactions except those in which all three symbols differ. Körner and Monti [88] relax the requirements in a different way; they study binary arrays of strength three in which at least 6 of the eight possible 3-way interactions arise in every set of three columns, but do not require that a specific set of 6 be covered. In a different direction, by restricting the sets of columns on which all interactions are to be covered, one encounters covering arrays on graphs [100,101] and variable strength covering arrays [40]. Here we consider restrictions in which all sets of t columns are treated similarly, but not all t-way interactions need to be covered. The species of a t-way interaction S = {($c_i$, i) : $1 \le i \le t$} is the multiset {i : $1 \le i \le t$}; hence a species in general encompasses a number of specific t-way interactions. (A species can be represented as a weak composition of t with v parts, and there are $\binom{t+v-1}{v-1}$ species.) Often we are not concerned with the specific symbols used in defining the species. Then the family of a species is its orbit under the action of the symmetric group on v letters, and hence a family consists of a set of species, and by inheritance, a set of t-way interactions. (A family can be represented as a partition of t into at most v parts.) Let S be a set of species for t and v. An $N \times k$ array with v symbols is an S-quilting array if every interaction whose species is in S is covered. The notation S-QA(N; t, k, v) is used for such an array when S contains interactions of strength at most t, and S-QAN(t, k, v) is the smallest N for which an S-QA(N; t, k, v) exists. An S-QA(N; t, k, v) is equivalent to a CA(N; t, k, v) when S contains all possible species of t-way interactions. We also employ a novel variant of hash families. Let S be the set of all multisets {1 , . . . , t } with i ∈ {1, …, v} for $1 \le i \le t$. Let A be an $M \times k$ array with v symbols. Define a function  with : S → $2^{\{1, \ldots, M\}}$. Then A is a -separating hash family if for every S = {1 , . . . , t } ∈ S and for every choice of t distinct columns ($c_1, \ldots, c_t$), there is at least one row in (S) in which, for $1 \le i < j \le t$, the row has different symbols in columns $c_i$ and $c_j$ whenever the ith and jth elements of S differ. Such an array is denoted by -SHF(M; k, v, t). Again we generalize to the heterogeneous case: A separating heterogeneous hash family SHHF(M; k, $v_1 \cdots v_M$, t) contains at most $v_i$ symbols in the ith row for $1 \le i \le M$, and satisfies the same separation condition. When : S → $2^{\{1, \ldots, M\}}$ is specified, we define a vector (1 , . . . , M ) so that i = {S : i ∈ (S)}. In words,  associates each t-way interaction with a set of rows of the array, while i contains the t-way interactions thereby associated with the ith row.

Theorem 7.1 Let t be a positive integer. Suppose that a -SHHF(M; k, $k_1 \cdots k_M$, t) exists, and that a i-QA($R_i$; t, $k_i$, v) exists for each $1 \le i \le M$. Then a CA($\sum_{i=1}^{M} R_i$; t, k, v) exists.

Proof. Let D be a -SHHF(M; k, $k_1 \cdots k_M$, t). Form E by replacing each entry j in row i of D by the jth column of the i-QA($R_i$; t, $k_i$, v). It suffices to prove that E is a


covering array of strength t. Fix a tuple C = ($c_1, \ldots, c_t$) of t columns in E (equivalently, in D), and fix a t-way interaction T by selecting value j for column $c_j$ for $1 \le j \le t$. We must show that T is covered in E. Let W = (T), the set of rows that (together) separate T in D; then for some w ∈ W, T is separated in row w. Because T ∈ w, it is covered in the w-QA($R_w$; t, $k_w$, v) and therefore also covered in E.

To recover Theorem 6.6, we equip the DHHF(M; k, $k_1 \cdots k_M$, t, min(t, v)) with a suitable function . To do this, map every nonconstant multiset to the set of all rows; constant multisets are treated differently. For 1 i M , let i = min(v, j =1 j ) (using the notation of Theorem 6.6). Let 0 = 0. We consider covering arrays on symbol set {0, …, v − 1}. For 1 i M , relabel symbols in a CA(Ni ; t, ki , v ) so that it has i constant rows on symbols of {i i , . . . , i 1}, and delete these constant rows. However, when i=1 i > M (v 1), retain = i=1 i M (v 1) constant rows in the CA(NM ; t, kM , v ) on symbols v , . . . , v 1. Then for 1 i M 1, maps {1 , . . . , t } with = 1 = = t to row i if and only if < i i or i . The result is a i -QA(Ni i ; t, ki , v ). For the last row, maps {1 , . . . , t } with = 1 = = t to row M if and only if < M M , M , or v < v . The result is a M -QA(NM M + ; t, kM , v ). Then Theorem 7.1 establishes the result of Theorem 6.6. Theorem 7.1 is more powerful, in that it employs much more than heterogeneity and constant rows. Nevertheless, its application is more technical as a result of the need for both -separating hash families and suitable quilting arrays. We use DHHFs obtained by removing rows and/or columns from the transpose of an orthogonal array of strength s, but other constructions for DHHFs may prove useful here as well. For a species {1 , . . . , t }, let ({1 , . . . , t }) = |{(i, j) : i ≠ j, $1 \le i < j \le t$}|, the number of pairs of positions holding unequal elements.

Lemma 7.2 Suppose that a DHHF(M; k, $k_1 \cdots k_M$, t, v) exists for which every two different columns agree in at most s − 1 rows. Let S contain all multisets of size t from {1, …, v}. Suppose that : S → $2^{\{1, \ldots, M\}}$ satisfies |{i : {1 , . . . , t } ∈ i, $1 \le i \le M$}| > (s − 1)·({1 , . . . , t }). Then the DHHF is a -SHF(M; k, $k_1 \cdots k_M$, t).

Proof. Suppose to the contrary that some multiset S = {1 , . . . , t } is not separated by the (at least) 1 + (s − 1)·({1 , . . . , t }) rows of (S) in columns ($c_1, \ldots, c_t$), where $c_i \ne c_j$ whenever $i \ne j$. Two distinct columns agree in at most s − 1 rows, and hence each of the ({1 , . . . , t }) pairs of unequal elements is separated by all but at most s − 1 rows. At most (s − 1)·({1 , . . . , t }) rows can fail to separate one or more of the pairs of columns ($c_i$, $c_j$) holding unequal elements. Hence at least one row of the DHHF separates all unequal pairs in {1 , . . . , t }, which contradicts our hypothesis.

A number of DHHFs from Lemma 4.9 can be used in Lemma 7.2 [60]. We examine a few constructions for quilting arrays for use in Theorem 7.1. First we make an easy observation:

Lemma 7.3 S-QAN(t, k, v) + S′-QAN(t′, k, v) ≥ (S ∪ S′)-QAN(max(t, t′), k, v) ≥ S-QAN(t, k, v).

Proof. Vertically juxtaposing an S-QA($N_1$; t, k, v) and an S′-QA($N_2$; t′, k, v) yields an (S ∪ S′)-QA($N_1 + N_2$; max(t, t′), k, v), and every (S ∪ S′)-QA(N; max(t, t′), k, v) is an S-QA(N; t, k, v).


Let S be a set of species on v symbols {0, …, v − 1}. For S ∈ S and $0 \le i < v$, let (S, i) be the empty set if S does not contain i, or the set of species obtained by removing exactly one i from S. Let (S, i) = $\bigcup_{S \in \mathcal{S}}$ (S, i). Then we have an analogue of the usual derivation of covering arrays:

Lemma 7.4 S-QAN(t, k, v) ≤ $\sum_{i=0}^{v-1}$ (S, i)-QAN(t − 1, k − 1, v).

For strength t there are t + 1 species when v = 2. For $1 \le i < t$, let species $S_i^t$ correspond to the composition (i, t − i); that is, it corresponds to the set of t-way interactions of weight i. (For convenience, define $S_i^t = \emptyset$ when $i \notin \{0, \ldots, t\}$.) Then define $\mathcal{S}_i^t = \{S_i^t\}$, and when i < j define $\mathcal{S}_{i,j}^t = \{S_i^t, \ldots, S_j^t\}$. One method of construction is essentially the construction of Tang and Chen [128]:

Lemma 7.5 St (kt), -QAN(t, k, 2)

1 i=0 k i(kt+1) k

Proof. For 0 i < , form an array whose rows are all characteristic vectors of ( i(k t + 1))-subsets of {1, …, k}. Then every t-way interaction of weight at least i(k t + 1) (k t) and at most i(k t + 1) specifies all but k − t of the column values; the remainder can be chosen to ensure that the row weight is i(k t + 1). Apply Lemma 7.3 to these arrays to produce the desired array.

Another uses a Roux-type recursive construction in one specific case:

Lemma 7.6 $\mathcal{S}_2^4$-QAN(4, 2k, 2) ≤ $\mathcal{S}_2^4$-QAN(4, k, 2) + CAN(3, k, 2).

Proof. Let A be an $N \times k$ array that is an $\mathcal{S}_2^4$-QA(N; 4, k, 2). Let B be an $M \times k$ array that is a CA(M; 3, k, 2). Horizontally juxtapose two copies of A to form C, with columns indexed by {1, …, k} × {1, 2}. Horizontally juxtapose B and its complement to form D, with columns indexed similarly. Vertically juxtapose C and D to form an $\mathcal{S}_2^4$-QA(N + M; 4, 2k, 2). The verification is routine. Choose four columns {($a_i$, $c_i$) : $1 \le i \le 4$}. If $a_1, a_2, a_3, a_4$ are all distinct, they correspond in C to four distinct columns of A and hence the species in $\mathcal{S}_2^4$ are covered. If two of $a_1, a_2, a_3, a_4$ are distinct, suppose without loss of generality that $a_1 = a_3$, $a_2 = a_4$, $c_1 = c_2 = 1$, and $c_3 = c_4 = 2$. All 4-way interactions of weight 2 are covered in C except for 0011, 0110, 1001, and 1100; these are all covered in D because every 2-way interaction is covered in B. If three of $a_1, a_2, a_3, a_4$ are distinct, suppose without loss of generality that $a_1 = a_4$, $c_1 = 1$, and $c_4 = 2$. In C, all 4-way interactions of weight 2 are covered except for 0011, 0101, 1010, and 1100. These are covered in D because in columns $a_1, a_2, a_3$ of B are covered 001, 010, 101, and 110 to treat the case when $c_2 = c_3 = 1$; 000, 011, 100, and 111 to treat the case when $c_2 = 1$ and $c_3 = 2$; 011, 000, 111, and 100 to treat the case when $c_2 = 2$ and $c_3 = 1$; and 010, 001, 110, and 101 to treat the case when $c_2 = c_3 = 2$.

We expect that many other constructions for covering arrays can be extended and improved to produce bounds on binary quilting arrays. Colbourn and Zhou [60] use computational methods to make many examples, primarily using a heuristic post-optimization method [106].
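The doubling of Lemma 7.6 on the smallest interesting instance, as an added example (not code from the chapter or from [60]); the two ingredient arrays and the function names are ours, and the weight-2 coverage of the result is checked exhaustively.

```python
"""Lemma 7.6, a Roux-type doubling for binary quilting arrays, in code.

Added example, not from the chapter or from [60].  The species S^4_2 is the
set of weight-2 4-way interactions.  Both ingredients are constructed here:
A = the six weight-2 vectors of length 4, an S^4_2-QA(6; 4, 4, 2), and
B = the even-weight code of length 4, a CA(8; 3, 4, 2) because any three
coordinates of an even-weight vector determine the fourth.  Names are ours.
"""
from itertools import combinations, product


def weight_species(t, w):
    """S^t_w as a set of tuples: the binary t-way interactions of weight w."""
    return {p for p in product((0, 1), repeat=t) if sum(p) == w}


def is_quilting_array(arr, t, species):
    """S-QA condition: on every choice of t columns, every interaction whose
    tuple lies in `species` occurs in some row."""
    k = len(arr[0])
    for cols in combinations(range(k), t):
        seen = {tuple(row[c] for c in cols) for row in arr}
        if not species <= seen:
            return False
    return True


def weight_vectors(k, w):
    """All weight-w binary vectors of length k, as rows."""
    return [list(p) for p in product((0, 1), repeat=k) if sum(p) == w]


def even_weight_code(k):
    """The even-weight code of length k; for k = 4 it is a CA(8; 3, 4, 2)."""
    return [list(p) for p in product((0, 1), repeat=k) if sum(p) % 2 == 0]


def roux_double(a, b):
    """Lemma 7.6: stack C = [A | A] on D = [B | complement(B)].  Column i of
    the ingredients becomes the pair of columns (i, 1), (i, 2), i.e. positions
    i and i + k of the result."""
    c_part = [row + row for row in a]
    d_part = [row + [1 - x for x in row] for row in b]
    return c_part + d_part


if __name__ == "__main__":
    r = roux_double(weight_vectors(4, 2), even_weight_code(4))
    print(len(r), len(r[0]), is_quilting_array(r, 4, weight_species(4, 2)))  # 14 8 True
```

The stacked half C alone is not enough: on the column pair (i, 1), (i, 2) it can never show differing entries, which is exactly what the complemented copy of B supplies.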


For quilting arrays in general, we aggregate species into families. As noted earlier, families for specific t and v correspond to partitions of t into at most v parts. Define $v$-$T^t_x$ to contain every family corresponding to a partition $\sum_{i=1}^{v} \lambda_i = t$ with $\lambda_i \ge 0$ for which $\sum_{1 \le i < j \le v} \lambda_i \lambda_j \ge x$. For example, $3$-$T^5_8$ contains only the family corresponding to 2 + 2 + 1 = 5, which in turn contains the species {0, 0, 1, 1, 2}, {0, 0, 1, 2, 2}, and {0, 1, 1, 2, 2}, whereas $3$-$T^5_7$ contains in addition the family corresponding to 3 + 1 + 1 = 5, which in turn contains the species {0, 0, 0, 1, 2}, {0, 1, 2, 2, 2}, and {0, 1, 1, 1, 2}. Then a column replacement method can be used [60]:

Lemma 7.7 If there exist a $v$-$T^t_x$-QA(N; t, k, v) and a DHF(M; K, k, t, v), then there exists a $v$-$T^t_x$-QA(NM; t, K, v).

Proof. Form the NM × K array R using column replacement: for each row of the DHF(M; K, k, t, v) and each row of the QA, form a row of R whose entry in column j is the entry of the QA row in the column named by the DHF entry in column j. The verification is as follows. Choose any t columns of R, and a t-way interaction T from a family in $v$-$T^t_x$. There is some row of the DHF(M; K, k, t, v) in which every two of the chosen columns that have unequal entries in T also have unequal entries in this row. In the N rows of R formed from this row of the DHF, the chosen columns are therefore columns of the QA that are distinct wherever T has unequal entries, so a row of the QA covering the corresponding species (on any t columns of the QA that include these) yields a row of R covering T.

Further examples are provided in [60], but we do not pursue it further here. We do expect this to prove a fruitful topic for further research.
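The families $v$-$T^t_x$ and their species can be enumerated directly. The following Python is an added example, not code from the paper: it lists the partitions of t into at most v parts, keeps those whose sum of pairwise products is at least x, and expands each family into its species as sorted multisets over {0, . . . , v − 1}. The paper's example of $3$-$T^5_8$ and $3$-$T^5_7$ is reproduced; the function names are the example's own.

```python
from itertools import combinations, permutations


def partitions_into_at_most(t, v, max_part=None):
    """Yield the partitions of t into at most v positive parts, parts non-increasing."""
    if max_part is None:
        max_part = t
    if t == 0:
        yield ()
        return
    if v == 0:
        return
    for first in range(min(t, max_part), 0, -1):
        for rest in partitions_into_at_most(t - first, v - 1, first):
            yield (first,) + rest


def pairwise_product_sum(parts):
    """sum_{i<j} lambda_i * lambda_j for the parts of a partition."""
    return sum(a * b for a, b in combinations(parts, 2))


def families_T(v, t, x):
    """The families in v-T^t_x: partitions of t into at most v parts with pairwise product sum >= x."""
    return [p for p in partitions_into_at_most(t, v) if pairwise_product_sum(p) >= x]


def species_of_family(parts, v):
    """Species of a family over symbols 0..v-1: every multiset whose multiplicity
    vector is a rearrangement of `parts` (padded with zeros to length v)."""
    padded = tuple(parts) + (0,) * (v - len(parts))
    species = set()
    for mult in set(permutations(padded)):
        species.add(tuple(sym for sym in range(v) for _ in range(mult[sym])))
    return sorted(species)


if __name__ == "__main__":
    for x in (8, 7):
        print(f"3-T^5_{x}:")
        for fam in families_T(3, 5, x):
            print("  family", "+".join(map(str, fam)), "->", species_of_family(fam, 3))
```

Raising x discards the families with many equal entries first (a partition with a large part has a small pairwise product sum), which is the sense in which $v$-$T^t_x$ for larger x is the easier coverage requirement.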

8. Restriction Problems

By now the reader has surely noticed that the covering arrays and hash families employed here are all variations on a theme. Providing a common generalization appears to be worthwhile. This is pursued in [5], where a class of so-called restriction problems is defined. Here we discuss an extension.

For the situations that we have encountered in this paper, an N × k array is defined. For 1 ≤ i ≤ N, there is a finite row alphabet for row i, not containing the special (blank) symbol, such that the ith row contains only symbols of that alphabet or the special symbol. (For heterogeneous hash families, the row alphabets may differ, but for the remaining arrays considered, all N row alphabets are the same.) For 1 ≤ j ≤ k, there is a finite column alphabet for column j, again not containing the special symbol, such that the jth column contains only symbols of that alphabet or the special symbol. (For mixed covering arrays, for example, the column alphabets may differ.) Without loss of generality, each row alphabet is contained in the union of the k column alphabets, and each column alphabet is contained in the union of the N row alphabets. If for some i, j with 1 ≤ i ≤ N and 1 ≤ j ≤ k the row alphabet of row i and the column alphabet of column j are disjoint, the (i, j) cell is permitted only to contain the special symbol. Then a strength t is chosen. Let the total alphabet be the union of the k column alphabets.

A t-restriction is a list (P_1, P_2, . . .) of subsets of the set of t-tuples over the total alphabet, together with a tuple T of the same length, each entry of which is one of the two requirement types ∃ and ∀. Intuitively, for each subset P in the list, if the corresponding entry of T is ∃, we require that at least one t-tuple in P occur; and if it is ∀, we require that all possible t-tuples in P occur. In [5], each selection of a set P is a demand, and they always take the requirement ∃.

For every selection S = (i_1, . . . , i_t) of t distinct column indices, the set of possible t-tuples that could arise is the product of the column alphabets of columns i_1, . . . , i_t. In order to enforce conditions on fewer than t columns, for a set S of t-tuples and 0 ≤ i ≤ t, consider the $\binom{t}{i}$ sets of (t − i)-tuples, each obtained by choosing i of the t coordinate positions and deleting them from every t-tuple of S. More precisely, then, the N × k array A = (a_{ij}) satisfies the t-restriction ((P_1, P_2, . . .), T) if and only if for all 0 ≤ i ≤ t, all 1 ≤ x_1 < x_2 < · · · < x_{t−i} ≤ k, and every subset P in the list, one of the following holds:

1. the entry of T for P is ∃ and, for each set of (t − i)-tuples obtained from P by deleting i coordinate positions, there exists a row of A whose entries in columns x_1, . . . , x_{t−i} form a (t − i)-tuple of that set; or


2. the entry of T for P is ∀ and, for each set of (t − i)-tuples obtained from P by deleting i coordinate positions, and for every (t − i)-tuple in that set whose entries lie in the column alphabets of x_1, . . . , x_{t−i} respectively, there exists a row of A whose entries in columns x_1, . . . , x_{t−i} equal that tuple.

The use of the special symbol permits us to extend the usual definitions to cases when k < t. The allowance for differing row alphabets and differing column alphabets supports heterogeneous hash families and mixed covering arrays. However the generality of the definition arises from the flexibility in specifying t-restrictions. Covering arrays satisfy the t-restriction whose single set consists of all t-tuples over the total alphabet, with requirement ∀, while perfect hash families satisfy ((D), (∃)) with D containing all t-tuples in which all elements are distinct. To capture quilting arrays, one simply identifies the species to be covered, say P_1, . . . , P_p, and the t-restriction is then ((P_1, . . . , P_p), (∀, . . . , ∀)) with p requirements. By the same token, to capture separating or distributing hash families, for each of the required separations one forms the set of all t-tuples that separate; if the required separations are accomplished by the sets Q_1, . . . , Q_q, the corresponding t-restriction is ((Q_1, . . . , Q_q), (∃, . . . , ∃)) with q requirements. In employing t-restrictions, an implicit representation of the t-restriction could obviate the need to list all of the t-tuples in each subset. One might also observe that in the applications discussed here, permuting the t coordinate positions in the tuples of one subset yields another subset; when all such subsets obtained in this way have the same requirement, a more succinct representation is immediate.

Despite the generality of t-restrictions, one could easily extend further. One could ask for covering arrays that cover every t-tuple at least some specified number of times, or for hash families that separate every t-tuple at least some specified number of times (for example, to accommodate the notion of strong qualitative independence [67,84], which arises in the construction of t-error correcting and all unidirectional-error detecting (tEC/AUED) codes [135]).
To handle this, one could extend the choice from {∃, ∀} to specify for each subset P the minimum number of rows in which the demand must be satisfied. Equally well, one could specify a maximum number of rows that meet a demand; packing arrays can then be incorporated. Specifying both a minimum and a maximum would permit one to discuss two extensions that we have not addressed here, namely covering arrays in which the numbers of times that t-tuples are covered do not differ substantially (see [75]), and balanced perfect hash families [4]. Along a different line, generalizations arise in which t-subsets of columns are treated differently; we have mentioned two examples, covering arrays on graphs [101] and variable strength covering arrays [40], earlier. Others include covering arrays with specified avoids [24,76] and constraints [24,43], but then it can be NP-hard to determine whether there is an array of the required type, no matter how many rows are allowed. One could also generalize the notion of coverage as in [53] so that a t-way interaction is covered if in some row the chosen columns contain a t-tuple that is at most a specified Hamming distance from the desired interaction. Our definition of t-restriction does not accommodate these. While each of these extensions is certainly of substantial interest, one pays a price to generalize, so we content ourselves with the level of generality developed here.

Our reason for introducing t-restriction problems is to propose a line of investigation in closing. In the setting of t-restriction problems, each of the column replacement methods that we have discussed combines a number of arrays for various types of t-restrictions to form a single larger array for a specific t-restriction. We expect that the relationship between the t-restriction that results and the t-restrictions on the ingredients


can be determined generally, not by enumerating a longer list of constructions that, after all is said and done, are quite similar.
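A checker for the simplest form of the t-restriction definition of Section 8, as an added example that is not code from the paper: it assumes a single alphabet for all rows and columns, k ≥ t, and no special symbol, so the deletion of coordinate positions is not needed. A demand is a set of t-tuples paired with either the "at least one" requirement (∃: some row realizes a tuple of the set) or the "all" requirement (∀: every tuple of the set is realized), and the checker tests every t-subset of columns. The same function then recognizes covering arrays, perfect hash families and quilting arrays purely by changing the demand list, which is the point of the common generalization. The sample arrays (a CA(4; 2, 3, 2), a PHF(4; 4, 3, 3) and the six weight-2 vectors as an $S^4_2$ quilting array) are constructed here; the names are the example's own.

```python
from itertools import combinations, permutations, product

EXISTS, ALL = "exists", "all"   # the two requirement types attached to a demand


def satisfies_t_restriction(rows, t, demands):
    """rows: list of equal-length lists over one alphabet.
    demands: list of (set_of_t_tuples, EXISTS | ALL).

    Restricted form of the definition: k >= t, one alphabet, no special symbol.
    """
    k = len(rows[0])
    if k < t:
        raise ValueError("this example handles k >= t only")
    for cols in combinations(range(k), t):
        seen = {tuple(row[c] for c in cols) for row in rows}
        for tuples, req in demands:
            if req == EXISTS and not (seen & tuples):
                return False     # no row realizes any tuple of the demand on these columns
            if req == ALL and not tuples <= seen:
                return False     # some tuple of the demand is missing on these columns
    return True


def covering_array_demand(t, alphabet):
    """CA: every t-tuple over the alphabet must appear (one ALL demand)."""
    return [(set(product(alphabet, repeat=t)), ALL)]


def perfect_hash_demand(t, alphabet):
    """PHF: some row must separate the t columns (one EXISTS demand over all-distinct tuples)."""
    distinct = {tp for tp in product(alphabet, repeat=t) if len(set(tp)) == t}
    return [(distinct, EXISTS)]


def quilting_demand(species):
    """Quilting array: one ALL demand per species, a species being all arrangements of a multiset."""
    return [(set(permutations(sp)), ALL) for sp in species]


# Constructed sample arrays (built here for the example, not taken from the paper).
CA_ROWS = [[0, 0, 0], [0, 1, 1], [1, 0, 1], [1, 1, 0]]                # CA(4; 2, 3, 2)
PHF_ROWS = [[0, 1, 2, 0], [0, 1, 0, 2], [0, 0, 1, 2], [1, 0, 1, 2]]    # PHF(4; 4, 3, 3)
QA_ROWS = [list(tp) for tp in product((0, 1), repeat=4) if sum(tp) == 2]  # S^4_2-QA(6; 4, 4, 2)


if __name__ == "__main__":
    print("CA strength 2:", satisfies_t_restriction(CA_ROWS, 2, covering_array_demand(2, (0, 1))))
    print("PHF strength 3:", satisfies_t_restriction(PHF_ROWS, 3, perfect_hash_demand(3, (0, 1, 2))))
    print("quilting {0,0,1,1}:", satisfies_t_restriction(QA_ROWS, 4, quilting_demand([(0, 0, 1, 1)])))
```

The same four rows that form a CA of strength 2 fail the strength-3 covering demand, and the PHF rows fail the covering demand over three symbols, which is exactly the distinction between the ∃ and ∀ requirements.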

References

[1] N. Alon. Explicit construction of exponential sized families of k-independent sets. Discrete Math., 58:191–193, 1986.
[2] N. Alon, G. Cohen, M. Krivelevich, and S. Litsyn. Generalized hashing and parent-identifying codes. J. Combin. Theory Ser. A, 104:207–215, 2003.
[3] N. Alon, O. Goldreich, J. Håstad, and R. Peralta. Simple constructions of almost k-wise independent random variables. Random Structures and Algorithms, 3:289–304, 1992. Addendum in Random Structures and Algorithms 4 (1993), 119–120.
[4] N. Alon and S. Gutner. Balanced families of perfect hash functions and their applications. In Automata, Languages and Programming, volume 4596 of Lecture Notes in Comput. Sci., pages 435–446. Springer, Berlin, 2007.
[5] N. Alon, D. Moshkovitz, and S. Safra. Algorithmic construction of sets for k-restrictions. ACM Trans. Algorithms, 2:153–177, 2006.
[6] W. Ananchuen and L. Caccetta. On the adjacency properties of Paley graphs. Networks, 23:227–236, 1993.
[7] M. Atici, S. S. Magliveras, D. R. Stinson, and W.-D. Wei. Some recursive constructions for perfect hash families. J. Combin. Des., 4:353–363, 1996.
[8] J. Azar, R. Motwani, and J. Naor. Approximating probability distributions using small sample spaces. Combinatorica, 18:151–171, 1998.
[9] J. Bach and P. J. Schroeder. Pairwise testing: A best practice that isn't. In 22nd Annual Pacific Northwest Software Quality Conference, pages 180–196, 2004.
[10] A. Barg, G. Cohen, S. Encheva, G. Kabatiansky, and G. Zémor. A hypergraph approach to the identifying parent property: the case of multiple parents. SIAM J. Discrete Math., 14:423–431, 2001.
[11] S. G. Barwick and W.-A. Jackson. A sequence approach to linear perfect hash families. Des. Codes Cryptogr., 45:95–121, 2007.
[12] S. G. Barwick and W.-A. Jackson. Geometric constructions of optimal linear perfect hash families. Finite Fields Appl., 14:1–13, 2008.
[13] S. G. Barwick, W.-A. Jackson, and C. T. Quinn. Optimal linear perfect hash families with small parameters. J. Combin. Des., 12:311–324, 2004.
[14] B. Becker and H.-U. Simon. How robust is the n-cube? Inform. and Comput., 77:162–178, 1988.
[15] J. Bierbrauer and H. Schellwat. Almost independent and weakly biased arrays: efficient constructions and cryptologic applications. Lecture Notes in Computer Science, 1880:533–543, 2000.
[16] S. R. Blackburn. Combinatorics and threshold cryptography. In Combinatorial Designs and their Applications, pages 49–70. Chapman and Hall, 1999.
[17] S. R. Blackburn. Perfect hash families: probabilistic methods and explicit constructions. J. Combinat. Theory (A), 92:54–60, 2000.
[18] S. R. Blackburn, M. Burmester, Y. Desmedt, and P. R. Wild. Efficient multiplicative sharing schemes. Lecture Notes in Computer Science, 1070:107–118, 1996.
[19] S. R. Blackburn and P. R. Wild. Optimal linear perfect hash families. J. Combinat. Theory (A), 83:233–250, 1998.
[20] A. Blass, G. Exoo, and F. Harary. Paley graphs satisfy all first-order adjacency axioms. J. Graph Theory, 5:435–439, 1981.
[21] D. Boneh and J. Shaw. Collusion-secure fingerprinting for digital data. IEEE Trans. Inform. Theory, 44:1897–1905, 1998.
[22] S. Y. Boroday. Determining essential arguments of boolean functions. In Proc. of the Conference on Industrial Mathematics, Taganrog, pages 59–61, 1998. (Russian. English translation at http://citeseerx.ist.psu.edu).
[23] A. E. Brouwer. Four MOLS of order 10 with a hole of order 2. J. Statist. Plann. Inference, 10:203–205, 1984.
[24] R. C. Bryce and C. J. Colbourn. Prioritized interaction testing for pairwise coverage with seeding and avoids. Information and Software Technology Journal, 48:960–970, 2006.
[25] R. C. Bryce and C. J. Colbourn. The density algorithm for pairwise interaction testing. Software Testing, Verification, and Reliability, 17:159–182, 2007.
[26] R. C. Bryce and C. J. Colbourn. A density-based greedy algorithm for higher strength covering arrays. Software Testing, Verification, and Reliability, 19:37–53, 2009.
[27] K. A. Bush. Orthogonal arrays of index unity. Ann. Math. Statistics, 23:426–434, 1952.
[28] P. Busschbach. Constructive methods to solve the problems of s-surjectivity, conflict resolution, coding in defective memories. Technical Report 84D005, École Nationale Supér. Télécomm. Paris, 1984.
[29] A. Calvagna and A. Gargantini. IPO-s: incremental generation of combinatorial interaction test data based on symmetries of covering arrays. In Proc. Fifth Workshop on Advances in Model Based Testing, pages 10–18, 2009.
[30] A. K. Chandra, L. T. Kou, G. Markowsky, and S. Zaks. On sets of boolean n-vectors with all k-projections surjective. Acta Informatica, 20:103–111, 1983.
[31] M. A. Chateauneuf, C. J. Colbourn, and D. L. Kreher. Covering arrays of strength 3. Des. Codes Crypt., 16:235–242, 1999.
[32] M. A. Chateauneuf and D. L. Kreher. On the state of strength-three covering arrays. J. Combin. Des., 10:217–238, 2002.
[33] B. Chor, A. Fiat, M. Naor, and B. Pinkas. Tracing traitors. IEEE Trans. Inform. Theory, 46:893–910, 2000.
[34] D. M. Cohen, S. R. Dalal, M. L. Fredman, and G. C. Patton. The AETG system: An approach to testing based on combinatorial design. IEEE Trans. Software Engineering, 23:437–444, 1997.
[35] D. M. Cohen, S. R. Dalal, J. Parelius, and G. C. Patton. The combinatorial design approach to automatic test generation. IEEE Software, 13:82–88, 1996.
[36] D. M. Cohen and M. L. Fredman. New techniques for designing qualitatively independent systems. J. Combin. Des., 6:411–416, 1998.
[37] G. Cohen, S. Litsyn, and G. Zémor. On greedy algorithms in coding theory. IEEE Trans. Inform. Theory, 42:2053–2057, 1996.
[38] G. Cohen and G. Zémor. Intersecting codes and independent families. IEEE Trans. Information Theory, IT-40:1872–1881, 1994.
[39] M. B. Cohen. Designing test suites for software interaction testing. PhD thesis, The University of Auckland, Department of Computer Science, 2004.
[40] M. B. Cohen, C. J. Colbourn, J. S. Collofello, P. B. Gibbons, and W. B. Mugridge. Variable strength interaction testing of components. In Proc. Intl. Computer Software and Applications Conference (COMPSAC 2003), pages 413–418, Dallas TX, 2003.
[41] M. B. Cohen, C. J. Colbourn, P. B. Gibbons, and W. B. Mugridge. Constructing test suites for interaction testing. In Proc. Intl. Conf. on Software Engineering (ICSE 2003), pages 38–48, Los Alamitos, CA, 2003. IEEE.
[42] M. B. Cohen, C. J. Colbourn, and A. C. H. Ling. Constructing strength three covering arrays with augmented annealing. Discrete Math., 308:2709–2722, 2008.
[43] M. B. Cohen, M. B. Dwyer, and J. Shi. Constructing interaction test suites for highly-configurable systems in the presence of constraints: a greedy approach. IEEE Trans. Software Engineering, 34:633–650, 2008.
[44] C. J. Colbourn. Combinatorial aspects of covering arrays. Le Matematiche (Catania), 58:121–167, 2004.
[45] C. J. Colbourn. Strength two covering arrays: Existence tables and projection. Discrete Math., 308:772–786, 2008.
[46] C. J. Colbourn. Distributing hash families and covering arrays. J. Combin. Inf. Syst. Sci., 34:113–126, 2009.
[47] C. J. Colbourn. Covering array tables, 2010. http://www.public.asu.edu/ccolbou/src/tabby.
[48] C. J. Colbourn. Covering arrays from cyclotomy. Des. Codes Cryptogr., 55:201–219, 2010.
[49] C. J. Colbourn and J. H. Dinitz. Making the MOLS table. In W. D. Wallis, editor, Computational and Constructive Design Theory, pages 67–134. Kluwer, 1996.
[50] C. J. Colbourn and J. H. Dinitz. Mutually orthogonal latin squares: A brief survey of constructions. J. Statist. Plann. Infer., 95:9–48, 2001.
[51] C. J. Colbourn and J. H. Dinitz, editors. Handbook of Combinatorial Designs. Chapman and Hall/CRC, Boca Raton, FL, second edition, 2007.
[52] C. J. Colbourn and G. Kéri. Covering arrays and existentially closed graphs. Lecture Notes in Computer Science, 5557:22–33, 2009.
[53] C. J. Colbourn, G. Kéri, P. P. Rivas Soriano, and J.-C. Schlage-Puchta. Covering and radius-covering arrays: Constructions and classification. Discrete Applied Mathematics, 2010.
[54] C. J. Colbourn and A. C. H. Ling. Linear hash families and forbidden configurations. Des. Codes Cryptogr., 59:25–55, 2009.
[55] C. J. Colbourn and A. C. H. Ling. A recursive construction for perfect hash families. J. Math. Crypt., 3:291–306, 2009.
[56] C. J. Colbourn, S. S. Martirosyan, G. L. Mullen, D. E. Shasha, G. B. Sherwood, and J. L. Yucas. Products of mixed covering arrays of strength two. J. Combin. Des., 14:124–138, 2006.
[57] C. J. Colbourn, S. S. Martirosyan, Tran Van Trung, and R. A. Walker II. Roux-type constructions for covering arrays of strengths three and four. Des. Codes Cryptogr., 41:33–57, 2006.
[58] C. J. Colbourn and D. W. McClary. Locating and detecting arrays for interaction faults. J. Combinatorial Optimization, 15:17–48, 2008.
[59] C. J. Colbourn and J. Torres-Jiménez. Heterogeneous hash families and covering arrays. Contemporary Mathematics, 523:3–15, 2010.
[60] C. J. Colbourn and J. Zhou. Improving two recursive constructions for covering arrays. Preprint, 2010.
[61] Z. J. Czech, G. Havas, and B. S. Majewski. Perfect hashing. Theoret. Comput. Sci., 182:1–143, 1997.
[62] P. Damaschke. Adaptive versus nonadaptive attribute-efficient learning. Machine Learning, 41:197–215, 2000.
[63] J. H. Dinitz, A. C. H. Ling, and D. R. Stinson. Perfect hash families from transversal designs. Australas. J. Combin., 37:233–242, 2007.
[64] P. Erdős. On a problem in graph theory. Math. Gaz., 47:220–223, 1963.
[65] A. Fiat and M. Naor. Broadcast encryption. Lecture Notes in Computer Science, 773:480–491, 1994.
[66] M. Forbes, J. Lawrence, Y. Lei, R. N. Kacker, and D. R. Kuhn. Refining the in-parameter-order strategy for constructing covering arrays. J. Res. Nat. Inst. Stand. Tech., 113:287–297, 2008.
[67] P. Frankl. An extremal problem of coding type. Ars Combinatoria, 1:53–55, 1976.
[68] S. Gal. Rendezvous search on the line. Operations Research, 47:974–976, 1999.
[69] L. Gargano, J. Körner, and U. Vaccaro. Sperner theorems on directed graphs and qualitative independence. J. Combinat. Theory (A), 61:173–192, 1992.
[70] L. Gargano, J. Körner, and U. Vaccaro. Sperner capacities. Graphs and Combinatorics, 9:31–46, 1993.
[71] A. P. Godbole, D. E. Skipper, and R. A. Sunley. t-covering arrays: upper bounds and Poisson approximations. Combinatorics, Probability and Computing, 5:105–118, 1996.
[72] N. Graham, F. Harary, M. Livingston, and Q. F. Stout. Subcube fault-tolerance in hypercubes. Inform. and Comput., 102:280–314, 1993.
[73] R. L. Graham and J. H. Spencer. A constructive solution to a tournament problem. Canad. Math. Bull., 14:45–48, 1971.
[74] M. Grindal, J. Offutt, and S. F. Andler. Combination testing strategies: a survey. Software Testing, Verification, and Reliability, 5:167–199, 2005.
[75] A. Hartman. Software and hardware testing using combinatorial covering suites. In M. C. Golumbic and I. B.-A. Hartman, editors, Interdisciplinary Applications of Graph Theory, Combinatorics, and Algorithms, pages 237–266. Springer, Norwell, MA, 2005.
[76] A. Hartman and L. Raskin. Problems and algorithms for covering arrays. Discrete Math., 284:149–156, 2004.
[77] A. S. Hedayat, N. J. A. Sloane, and J. Stufken. Orthogonal Arrays. Springer-Verlag, New York, 1999.
[78] B. Hnich, S. Prestwich, E. Selensky, and B. M. Smith. Constraint models for the covering test problem. Constraints, 11:199–219, 2006.
[79] I. Honkala. A Graham-Sloane type construction for s-surjective matrices. J. Algebraic Combin., 1:347–351, 1992.
[80] M. Hou, P. Berman, L. Zhang, and W. Miller. Controlling size when aligning multiple genomic sequences with duplications. In P. Bücher and B. M. E. Moret, editors, Proceedings of the 6th Workshop on Algorithms in Bioinformatics (WABI 06), pages 138–149. Springer, 2006.
[81] K. A. Johnson and R. Entringer. Largest induced subgraphs of the n-cube that contain no 4-cycles. J. Combinat. Theory (B), 46:346–355, 1989.
[82] K. A. Johnson, R. Grassl, J. McCanna, and L. A. Székely. Pascalian rectangles modulo m. Quaestiones Math., 14:383–400, 1991.
[83] G. O. H. Katona. Two applications (for search theory and truth functions) of Sperner type theorems. Periodica Math., 3:19–26, 1973.
[84] G. O. H. Katona. Strong qualitative independence. Discrete Appl. Math., 137:87–95, 2004.
[85] R. Kessel and R. Kacker. A test of linearity using covering arrays for evaluating uncertainty in measurement. In Advanced Mathematical and Computational Tools in Metrology and Testing, pages 195–203. World Scientific, 2008.
[86] D. Kleitman and J. Spencer. Families of k-independent sets. Discrete Math., 6:255–262, 1973.
[87] J. Körner and M. Lucertini. Compressing inconsistent data. IEEE Trans. Inform. Theory, 40:706–715, 1994.
[88] J. Körner and A. Monti. Delta-systems and qualitative (in)dependence. J. Combin. Theory Ser. A, 99:75–84, 2002.
[89] J. Körner and G. Simonyi. A Sperner type theorem and qualitative independence. J. Combinat. Theory (A), 59:90–103, 1992.
[90] D. R. Kuhn, Y. Lei, R. Kacker, V. Okun, and J. Lawrence. Paintball: A fast algorithm for covering arrays of high strength. Internal Tech. Report, NISTIR 7308, 2007.
[91] V. V. Kuliamin. Private communication by e-mail, February 2007.
[92] K. Kurosawa, T. Johansson, and D. R. Stinson. Almost k-wise independent sample spaces and their cryptologic applications. Lecture Notes in Computer Science, 1233:409–421, 1997.
[93] Y. Lei, R. Kacker, D. R. Kuhn, V. Okun, and J. Lawrence. IPOG/IPOD: Efficient test generation for multi-way software testing. Software Testing, Verification, and Reliability, 18:125–148, 2008.
[94] F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. II. North-Holland Publishing Co., Amsterdam, 1977. North-Holland Mathematical Library, Vol. 16.
[95] E. Marczewski. Indépendance d'ensembles et prolongement de mesures. Colloq. Math., 1:122–132, 1948.
[96] C. Martínez, L. Moura, D. Panario, and B. Stevens. Locating errors using ELAs, covering arrays, and adaptive testing algorithms. SIAM J. Discrete Math., 23:1776–1799, 2009/10.
[97] S. S. Martirosyan and C. J. Colbourn. Recursive constructions for covering arrays. Bayreuther Math. Schriften, 74:266–275, 2005.
[98] S. S. Martirosyan and Tran Van Trung. On t-covering arrays. Des. Codes Cryptogr., 32:323–339, 2004.
[99] S. S. Martirosyan and Tran Van Trung. Explicit constructions for perfect hash families. Des. Codes Cryptogr., 46:97–112, 2008.
[100] K. Meagher, L. Moura, and L. Zekaoui. Mixed covering arrays on graphs. J. Combin. Des., 15:393–404, 2007.
[101] K. Meagher and B. Stevens. Covering arrays on graphs. J. Combinat. Theory (B), 95:134–151, 2005.
[102] K. Meagher and B. Stevens. Group construction of covering arrays. J. Combin. Des., 13:70–77, 2005.
[103] K. Mehlhorn. Data Structures and Algorithms 1: Sorting and Searching. Springer-Verlag, Berlin, 1984.
[104] L. Moura, J. Stardom, B. Stevens, and A. Williams. Covering arrays with mixed alphabet sizes. J. Combin. Des., 11:413–432, 2003.
[105] J. Naor and M. Naor. Small-bias probability spaces: efficient constructions and applications. SIAM J. Computing, 22:838–856, 1993.
[106] P. Nayeri, C. J. Colbourn, and G. Konjevod. Randomized postoptimization of covering arrays. Lecture Notes in Computer Science, 5874:408–419, 2009.
[107] K. Nurmela. Upper bounds for covering arrays by tabu search. Discrete Applied Mathematics, 138:143–152, 2004.
[108] S. Poljak, A. Pultr, and V. Rödl. On qualitatively independent partitions and related problems. Discrete Applied Math., 6:193–205, 1983.
[109] S. Poljak and Z. Tuza. On the maximum number of qualitatively independent partitions. J. Combinat. Theory (A), 51:111–116, 1989.
[110] A. Rényi. Foundations of Probability. Wiley, New York, 1971.
[111] A. H. Ronneseth and C. J. Colbourn. Merging covering arrays and compressing multiple sequence alignments. Discrete Appl. Math., 157:2177–2190, 2009.
[112] G. Roux. k-Propriétés dans les tableaux de n colonnes: cas particulier de la k-surjectivité et de la k-permutivité. PhD thesis, Université de Paris, 1987.
[113] P. Sarkar and D. R. Stinson. Frameproof and IPP codes. In Progress in Cryptology, INDOCRYPT 2001 (Chennai), volume 2247 of Lecture Notes in Computer Science, pages 117–126. Springer, Berlin, 2001.
[114] G. Seroussi and N. H. Bshouty. Vector sets for exhaustive testing of logic circuits. IEEE Trans. Inform. Theory, 34:513–522, 1988.
[115] D. Shasha, A. Kouranov, L. Lejay, M. Chou, and G. Coruzzi. Using combinatorial design to study regulation by multiple input signals. A tool for parsimony in the post-genomics era. Plant Physiology, 127:1590–1594, 2001.
[116] G. B. Sherwood. Optimal and near-optimal mixed covering arrays by column expansion. Discrete Math., 308:6022–6035, 2008.
[117] G. B. Sherwood, S. S. Martirosyan, and C. J. Colbourn. Covering arrays of higher strength from permutation vectors. J. Combin. Des., 14:202–213, 2006.
[118] N. J. A. Sloane. Covering arrays and intersecting codes. J. Combin. Des., 1:51–63, 1993.
[119] J. N. Staddon, D. R. Stinson, and R. Wei. Combinatorial properties of frameproof and traceability codes. IEEE Trans. Inform. Theory, 47:1042–1049, 2001.
[120] B. Stevens, A. C. H. Ling, and E. Mendelsohn. A direct construction of transversal covers using group divisible designs. Ars Combin., 63:145–159, 2002.
[121] B. Stevens and E. Mendelsohn. New recursive methods for transversal covers. J. Combin. Des., 7:185–203, 1999.
[122] B. Stevens and E. Mendelsohn. Packing arrays and packing designs. Des. Codes Cryptogr., 27:165–176, 2002.
[123] B. Stevens and E. Mendelsohn. Packing arrays. Theoret. Comput. Sci., 321:125–148, 2004.
[124] D. R. Stinson, Tran Van Trung, and R. Wei. Secure frameproof codes, key distribution patterns, group testing algorithms and related structures. J. Statist. Plann. Infer., 86:595–617, 2000.
[125] D. R. Stinson and R. Wei. Combinatorial properties and constructions of traceability schemes and frameproof codes. SIAM J. Discrete Math., 11:41–53, 1998.
[126] D. R. Stinson, R. Wei, and K. Chen. On generalized separating hash families. J. Combinat. Theory (A), 115:105–120, 2008.
[127] D. R. Stinson, R. Wei, and L. Zhu. New constructions for perfect hash families and related structures using combinatorial designs and codes. J. Combin. Des., 8:189–200, 2000.
[128] D. T. Tang and C. L. Chen. Iterative exhaustive pattern generation for logic testing. IBM Journal Research and Development, 28:212–219, 1984.
[129] J. Torres-Jimenez. Covering array tables, 2009. http://www.tamps.cinvestav.mx/jtj/.
[130] P. Turán. Eine Extremalaufgabe aus der Graphentheorie. Mat. Fiz. Lapok, 48:436–452, 1941.
[131] R. A. Walker II and C. J. Colbourn. Perfect hash families: Constructions and existence. J. Math. Crypt., 1:125–150, 2007.
[132] R. A. Walker II and C. J. Colbourn. Tabu search for covering arrays using permutation vectors. J. Stat. Plann. Infer., 139:69–80, 2009.
[133] J. Yan and J. Zhang. A backtracking search tool for constructing combinatorial test suites. J. Systems Software, 81:1681–1693, 2008.
[134] C. Yilmaz, M. B. Cohen, and A. Porter. Covering arrays for efficient fault characterization in complex configuration spaces. IEEE Trans. Software Engineering, 31:20–34, 2006.
[135] Z. Zhang and X. G. Xia. LYM-type inequalities for tEC/AUED codes. IEEE Trans. Inform. Theory, 39:232–238, 1993.


Information Security, Coding Theory and Related Combinatorics D. Crnkovi and V. Tonchev (Eds.) IOS Press, 2011 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-136


K.T. ARASU Department of Mathematics and Statistics, Wright State University, Dayton, OH 45435, U.S.A.

Abstract. Binary perfect sequences and their variations have applications in various areas such as signal processing, synchronizing and distance measuring radars. This survey discusses their p-ary analogs, other variations and related matters. Many new results are also presented.

Keywords. Sequences, correlation, difference sets, information security, synchronization, radar.

Introduction

In recent years there have been many publications on time-discrete one- and two-dimensional sequences and arrays with perfect autocorrelation functions. Such sequences find applications in signal processing and as aperture functions for electromagnetic and acoustic imaging. Applications of two-dimensional perfect binary arrays are found in 2-D synchronization (Hershey & Yarlagadda (1983)) and time-frequency coding (Golomb & Taylor (1982)). In his invited address at the 1991 British Combinatorial Conference, Golomb gave an excellent exposition on why small correlations of sequences and arrays are desirable in dealing with radar problems (Golomb (1991)). Some fundamental results on sequences with small correlations can be found in the excellent survey of Turyn (1968). As observed by Lüke, Bömer and Antweiler (1989), higher dimensional arrays are used in channel coding and in cryptographic coding. Because of their applications to wide-band digital communications and to optical signal processing, perfect binary arrays and their related mathematical objects deserve further study. Sequences with the ideal autocorrelation property have many applications in spread spectrum communication systems such as code division multiple access (CDMA) systems, which have been adopted as a standard multiple access method in mobile radio communication systems. Signal designs for CDMA systems have become interesting research topics in their application area. Other applications where sequence design is a more pressing issue include radar and audio coding (see Golomb and Gong (2005)).


This paper surveys several related areas that pertain to sequences and arrays with good correlation properties. We confine our discussion to the periodic case and to autocorrelation. The aperiodic discussion would take us too far afield, and we refer the reader to Jedwab (2008) and the references therein for further study of that very useful topic. For cross-correlation issues, any search engine would yield dozens of resources; we give only two references (Hertel (2006) and Gologlu and Pott (2008)). Another intriguing related topic pertains to the study of the so-called balanced generalized weighing matrices, for which we refer the reader to the excellent survey by Jungnickel and Kharaghani (2004). In this survey, we shall discuss perfect sequences and perfect arrays (binary, ternary, quaternary, p-ary for any prime p) and certain variations of them. Excellent surveys and fundamental discussions on related topics can be found in Jungnickel and Pott (1999a, 1999b), Cai and Ding (2009), Xiang (1992), Xiang (2005), Jedwab (1992, 2008), and Davis and Jedwab (1997), all of which also provide a wealth of references. In section 1, we discuss binary sequences with 2-level optimal autocorrelation values (all of whose out-of-phase values are the same). Section 2 will be devoted to the 3-level case for optimal binary sequences. Generalization to the multi-dimensional case will be the focus of study in section 3, where we also investigate the inclusion of zero in the binary alphabet {1, −1}, terming the resulting arrays ternary. These latter entities turn out to be equivalent to group weighing matrices. Section 4 will be devoted to the quaternary case; primarily the 1- and 2-dimensional cases will be discussed. These will be equivalent to complex Hadamard matrices with a group action, which in turn give rise to a class of relative difference sets.
Section 5 is a synopsis of the systematic study undertaken by Ma and Ng (2009) for the p-ary sequences (p any odd prime). Their terminology may slightly differ from what we shall use in section 6, wherein we study the 2-level p-ary case, primarily on the construction arena. Results of section 6 will serve as a preview of a rather long paper of Arasu, Dillon and Player (2010) which is nearing its completion. In the remainder of this section, we provide some basic definitions of some combinatorial objects that arise naturally from the sequences that we shall discuss in later sections. Let be a multiplicatively written abelian group of order . Let ][ denote the group ring of over the field of complex numbers . A subset of is identified with the group ring element which is a formal sum of the elements of (i.e. with coefficients 0 and 1) and for an element of and integer , () denotes the image of under the group homomorphism to , extended linearly to all of ;A* would denote () in which we also replace each coefficient of by its complex conjugate. Difference sets, perfect sequences and related objects are often studied using character theory. Let be the group of characters of ( A homomorphism from a group to the field of complex numbers is called a character of ) . The principal character of is defined as the homomorphism that maps each element of to 1.


We shall denote the principal character by F . The character homomorphism can be extended linearly to the group ring. We let the induced homomorphism from to also be denoted by . Definition: (Difference Set, abbr. DS) Let be an element of [ ]whose coefficients are from {0,1}. is a (, , O) difference set in if () = + or equivalently if () | (| ) = = (2) (1)

where is a multiplicative character of . A purely combinatorial definition of a difference set is given below:
Definition: Let be an (additively written) abelian group of order . A k-subset of is said to be a (, , ) difference set in if every non-identity element of has exactly representations as = for and in . A difference set is called cyclic or abelian if has the respective property. For any prime power q, we let F_q denote the finite field of order q and F_q* the multiplicative group of all the non-zero elements of F_q.
Example: (Singer difference set) Let = / for some prime and some positive integer d > 2. Then = () , (3)

is a difference set with Singer parameters. (Here is the Kronecker delta function and is the absolute trace function of .)
Definition: (Relative Difference Set, abbr. RDS) Let be an element of [] whose coefficients are from {0,1}. is a (, , , λ) relative difference set in if () = + ( ) or equivalently if (4)

() | () | =

| = | =

(5)

Here is a subgroup of of order and index in . For the interplay of characters and difference sets, we refer the reader to Mann (1965) and Turyn (1965). A good account of difference sets is found in Lander (1983) and Beth, Jungnickel, and Lenz (1999). For a recent survey, see Jungnickel and Pott (1999b). Pott (1995) serves as a nice reference for relative difference sets and the related objects discussed in the remainder of this survey.

1. Binary sequences with optimal autocorrelations (2-level case)
Let be a binary sequence ( ) of period for t ≥ 0, so {±1} and = for each . The autocorrelation of the binary sequence ( ) for shift is defined as the following sum:
() = (6)
where the subscripts are modulo . A sequence with a constant value of () for all possible shifts , i.e. 0 < ≤ 1, is said to have constant autocorrelation. We shall say that such sequences have 2-level autocorrelation values, one value for the trivial shift and a second constant value for the remaining non-trivial shifts. The following is well known (e.g. see Turyn (1968) or Jungnickel and Pott (1999a)):

Proposition 1.1: () ≡ n (mod 4).
It is important to find such sequences that are perfect (i.e. having optimal autocorrelation). A perfect sequence is defined to have the smallest possible max | | for 0 < < . Thus, we wish to have sequences with the following autocorrelations for every 0 (mod ):
() = 0 if n ≡ 0 (mod 4) (7)
() = 1 if n ≡ 1 (mod 4) (8)
() = 2 if n ≡ 2 (mod 4) (9)

(10)

Let = ( ) be a binary sequence of period . Define { = 0 1 = 1} and ( (| = )+ | ), which is called the difference function of . Then () = 4( ( )), where = ||. This serves as a bridge between binary sequences and combinatorial designs. The set D defined above works as the required cyclic difference set in the following result, which is easy to prove:
Proposition 1.2: A periodic binary sequence with period , entries +1 per period and 2-level autocorrelation function (with all nontrivial autocorrelation coefficients equal to ) is equivalent to a cyclic (, , λ)-difference set, where = 4( ).

Detailed analysis of the 5 optimal cases of Proposition 1.2, when = 0, 1, 2, −2, −1, is nicely given in Jungnickel and Pott (1999a). We give a very brief summary here.
Case 1: = 0
The case = 0 corresponds to circulant Hadamard matrices of order , where = 4 , which are equivalent to cyclic (4 , 2 , )-difference sets. The only known example is when = 4, and it is conjectured that there are no others. Mossinghoff (2009) has verified this for up to 4 10 , with fewer than 1600 exceptions. The penetrating work of Schmidt (1999, 2002), which is based on deep algebraic number theory, provides valuable tools to study these and other related objects. We give one sample result of Schmidt:
Theorem 1.3: (Schmidt (1999)) Let be any finite set of primes. Then there are only finitely many cyclic Hadamard difference sets of order all of whose prime divisors are in .
Case 2: = 1
The case = 1 gives rise to (2 + 2 + 1; ; ( 1)/2) cyclic difference sets. While these do exist for = 1 and = 2, it is believed that none exists for any higher value of . In fact Eliahou and Kervaire (1992) and Broughton (1995) have shown:
Result 1.4: No abelian difference sets with parameters (2 + 2 + 1; ; ( 1)/2) exist for between 3 and 100; consequently perfect sequences corresponding to the constant value 1 for all the non-trivial autocorrelations and period do not exist for between 14 and 20201.

Case 3: = 2
The only systematic investigation of the case = 2 is due to Jungnickel and Pott (1999a), who show:
Result 1.5: Perfect sequences of period for the case = 2 do not exist for between 7 and 12545; in fact, these do not exist for any period < 10 except possibly for the following four unresolved lengths in this range: 12 546, 174 726, 2 433 602 and 33 895 686.
We remark that the methods used to obtain the above result are standard ones from the theory of difference sets; with the advancement of technology, it should be possible to improve the bound in this result. New non-existence results in the area of difference sets would also help to strengthen it.
Case 4: = −2
It is easy to see that the only difference set corresponding to a perfect sequence with autocorrelation value −2 is the trivial (2; 1; 0)-difference set.
Case 5: = −1
Thus the only remaining case pertains to = −1, which takes us to a very fertile terrain where examples are bountiful. In view of Proposition 1.2, these perfect binary sequences with = −1 are equivalent to cyclic difference sets with parameters (, ( 1)/2, ( 3)/4), which are commonly referred to as Paley-Hadamard difference sets. We refer the reader to Beth, Jungnickel and Lenz (1999), Jungnickel and Pott (1999b), Xiang (1992), Xiang (2005) and Cai and Ding (2009) for further reading on these. We list below the known families of these interesting combinatorial objects:
(1) Cyclotomic cyclic difference sets and their sequences (Storer (1967), Beth, Jungnickel and Lenz (1999))
(2) Hall difference sets (Hall (1956))
(3) Paley difference sets (Paley (1933))
(4) The twin-prime construction (Stanton and Sprott (1958))
(5) Singer difference sets (Singer (1938))
(6) Hyperoval difference sets (Maschietti (1998))
(7) No-Chung-Yun difference sets (No et al (1998))

(8) Dillon-Dobbertin difference sets (Dillon and Dobbertin (2004))
(9) Gordon-Mills-Welch difference sets (Gordon et al (1962))

2. Binary sequences with optimal autocorrelations (3-level case)
We now turn our attention to the cases where we allow two possible values for () for all satisfying 0 < 1, referring to the underlying sequences as almost perfect. We warn the reader that the term almost perfect has been used with different meanings in Jungnickel and Pott (1999a) and Ma and Ng (2009). The Jungnickel and Pott (1999a) variation is also of interest, and has been investigated by Arasu, Ma and Voss (1997) and Leung et al (1998). The optimality criteria in the situations we discuss here correspond to having autocorrelations for every 0 (mod ):
() ∈ {0, −4} or {0, 4} if n ≡ 0 (mod 4) (11)
() ∈ {1, −3} if n ≡ 1 (mod 4) (12)
() ∈ {2, −2} if n ≡ 2 (mod 4) (13)
() ∈ {−1, 3} if n ≡ 3 (mod 4) (14)

Definition 2.1: Let be an (additively written) abelian group of order . A subset of is said to be a (, , , )-almost difference set (ADS) of if ( ) takes the value altogether times and the value + 1 altogether 1 times, as runs over all the non-identity elements of . Equivalently, a (, , , )-almost difference set is a subset of a group of order with | | = such that the difference list ( |, ) contains elements of exactly times and the remaining 1 elements of exactly + 1 times.
Detailed analysis of the 3-level optimal binary sequences and their ADS counterparts can be found in the nice survey by Cai and Ding (2009). Here we mainly extract the highlights given there and also provide some new results.
Theorem 2.2: (Arasu, Ding et al (2001)) Let ( ( )) be a binary sequence of period , and let { = 0 1: () = 1} be its support.
(1) Let n ≡ 3 (mod 4). Then () = −1 for all 0 (mod ) iff is an () () ( ) ( ) , , or , , in .

(2) Let n ≡ 1 (mod 4). Then () ∈ {1, −3} for all 0 (mod ) iff is an () , , , ( 1) ADS in .

(3) Let n ≡ 2 (mod 4). Then () ∈ {2, −2} for all 0 (mod ) iff is an (, , ( + 2)/4, ( 1)( 2)) ADS in .
(4) Let n ≡ 0 (mod 4). Then () ∈ {0, −4} for all 0 (mod ) iff D is an (, , ( + 4)/4, ( 1)) ADS in .
We now discuss each of the 4 cases mentioned in Theorem 2.2:
Case 1: n ≡ 3 (mod 4)
The resulting difference sets are Paley-Hadamard difference sets, which were already discussed in section 1. The extension of this case requiring 3-level autocorrelations (allowing both −1 and 3 as autocorrelation values for all non-trivial shifts) has not been explored yet. The only such theorem that is known to us is given in:
Theorem 2.3: (Cai and Ding (2009)) Let be any 2/ 1, 2()/ 1) difference set in 2/ . Define 1, 2

()

= ( 2 ): // ( = )1, = { : , }

(15)

Then is a (2 1, 2 2 , 2 2 , 2 2) almost difference set in (2). Furthermore, the characteristic sequence of the set D has only the out-of-phase autocorrelation values {−1, 3}, where D is any generator of (2 ).
Case 2: n ≡ 1 (mod 4)
We summarize below the known constructions of binary sequences of period n ≡ 1 (mod 4) with optimal out-of-phase autocorrelation values {1, −3}:
(1) The Legendre sequences (Legendre (1798)): Let p ≡ 1 (mod 4) be a prime. The quadratic residues modulo p form an almost difference set in . Its characteristic sequence is the Legendre sequence, with optimal out-of-phase autocorrelation values {1, −3}.
(2) Ding-Helleseth-Lam sequences (Ding et al (1999)): These are equivalent to almost difference sets in where is a prime of the form = + 4 and ≡ 1 (mod 4), and are constructed using suitable cyclotomic classes of order 4 (see Ding et al (1999) for details).
(3) Ding sequences using generalized cyclotomy (Ding (1998)): Using the notion of generalized cyclotomy due to Whiteman (1962), Ding constructed a class of almost difference sets in () where and + 4 are primes, the characteristic sequences of which serve as optimal sequences with out-of-phase autocorrelation values {1, −3}.

Remarks:
(1) The resulting sequences from the above three constructions can be shown to be inequivalent (Ding (2010)).
(2) There is a small history behind the 3rd family discussed above; we draw it from http://www.cse.ust.hk/faculty/cding/200year.html. Stanton and Sprott (1958) discovered the so-called two-prime difference sets and thus the twin-prime sequences with optimal autocorrelation value −1. Whiteman (1962) obtained a generalization of the theorem of Stanton and Sprott. In 1991, the two-prime sequences, which are a generalization of the twin-prime sequences, were described in Jensen, Jensen and Høholdt (1991). However, the autocorrelation values of the two-prime sequences were not known until 1998. Ding (1998) determined the autocorrelation values under the condition that ( 1, 1) = 2. Mertens and Bessenrodt (1998) independently obtained the autocorrelation values of the two-prime sequences. Thus exactly two centuries after the Legendre sequences had been reported, it was discovered that the two-prime sequences have optimal autocorrelation values −3 and 1 when = 4.
It seems to be the case that balanced optimal binary sequences of period n ≡ 1 (mod 4) always exist; we do not have a proof of this, of course. Computer experiments seem to suggest it.
We give the following computer-generated examples of such sequences:
Length 5 : ++---
Length 9 : +++-+----
Length 13 : +++-++-+-----
Length 17 : ++-+++-+-++------
Length 21 : ++++--++-++-+-+------
Length 25 : +++-+-++-++--+++-+-------
Length 29 : +++-+-+++-++-+--+++--+-------
Length 33 : +++-+--++-+++--+++-+-++-+--------
Length 37 : +++-+-+-++--++++--+-++-+++--+--------
Length 41 : +++-+-+-++--++--+-++++-+--++++--+--------
Length 45 : ++++-+--+++--++--+-++-+++--+-+++-+-+---------
Case 3: n ≡ 0 (mod 4)
We summarize below the known constructions of binary sequences of period n ≡ 0 (mod 4) with optimal out-of-phase autocorrelation values {0, −4}:
(1) Sidelnikov-Lempel-Cohn-Eastman sequences (see Sidelnikov (1969) and Lempel, Cohn and Eastman (1977)): Let be a prime power, ≡ 1 (mod 4). Let be a primitive element of the finite field )(. The set = in | + 1 is a non-square in })( is an almost difference set with parameters 1, 12 ( 1), 14 ( 5), 14 ( 1) in whose

characteristic sequence is optimal having autocorrelation values {0, −4}.
(2) Arasu-Ding-Helleseth-Kumar-Martinsen sequences (see Arasu, Ding et al (2001)): There are two such sequences, both of which use cyclic difference sets with Paley parameters , ( 1), (m 3) and a certain Kronecker-type composition with , thereby yielding an almost difference set in with parameters (4, 2 1, 2, 1); the characteristic sequence is optimal having autocorrelation values {0, −4}.
Remarks:
(1) The Arasu et al family (2) above is very fertile, in view of our results from the previous section on 2-level perfect sequences with = −1, all of which yield difference sets with Paley parameters that can be used in the aforementioned construction.
(2) Use of complementary Paley difference sets with parameters (, ( + 1), ( + 3)) in the constructions of Arasu et al (2001) yields almost difference sets in with parameters (4, 2 + 1, , 1); the characteristic sequence is optimal having autocorrelation values {0, −4}.
Case 4: n ≡ 2 (mod 4)
We now summarize the known constructions of binary sequences of period n ≡ 2 (mod 4) with optimal out-of-phase autocorrelation values {2, −2}:
(1) Sidelnikov-Lempel-Cohn-Eastman sequences (see Sidelnikov (1969) and Lempel, Cohn and Eastman (1977)): Let be a prime power, ≡ 3 (mod 4). Let be a primitive element of the finite field )(. The set = in | + 1 is a non-square in })( is an almost difference set with parameters 1, 12 ( 1), 14 ( 3), 14 (2 5) in whose characteristic sequence is optimal having autocorrelation values {2, −2}.
(2) Ding-Helleseth-Martinsen sequences (see Ding, Helleseth and Martinsen (2001)): Since we believe that some clever insight into the ingenious construction of Ding, Helleseth and Martinsen (2001) might allow the use of higher order cyclotomic classes to obtain further classes of such sequences, we now outline this construction in detail. Let be a finite field of prime order and let be a divisor of 1.
Let (,) be a primitive element of , and define to be the multiplicative group generated by . Then, (,) = (,) for integer , where 0 < 1. We now let p ≡ 5 (mod 8); it is known that = + 4 for some and with ≡ 1 (mod 4). Then,

= {0} , , {1} , , {(0)} is an (n, n/2, (n − 2)/4, (3n − 2)/4)-almost difference set in Z_2 × Z_p, if = 1 and (, , ) ∈ {(0,1,3), (0,2,3), (1,2,0), (1,3,0)} or = −1 and (, , ) ∈ {(0,1,2), (0,3,2), (1,0,3), (1,2,3)}.

(16)

(17)

(18)

The above constructions correspond to balanced perfect sequences of period n ≡ 2 (mod 4). The following constructions give almost balanced perfect sequences: Let p ≡ 5 (mod 8), and = + 4 for some and with ≡ 1 (mod 4). Then, = {0} , , {1} , , (19)

is an (, /2, ( 6)/4, (3 6)/4) almost difference set in , if = 1 and (, , ) = (0,1,3) or (0,2,1), or = −1 and (, , ) = (1,0,3) or (0,1,2). (20) (21)

The aforementioned almost difference sets readily give the optimal binary sequences having autocorrelation values {2, −2}. We close this section by giving the following two new examples due to Arasu and Little (2010) based on computer searches:
(1) D = {0,1,4,5,6,7,10,12,13,20,22,24,25,26,28,31,33,34,35} is a (38,19,9,28)-almost difference set in Z_38.
(2) D = {0,1,2,4,5,8,9,10,12,15,16,17,18,19,22,24,26,28,29,31,34,35,37,39,40} is a (50,25,12,37)-almost difference set in Z_50.
We give the corresponding balanced optimal binary sequences below:
Length 38: ++--++++--+-++------+-+-+++-+--+-+++--
Length 50: +++-++--+++-+--+++++--+-+-+-++-+--++-+-++---------

Helleseth (2002) provides the following two balanced binary optimal sequences of length 34:
+-------+-++--+-+++--+-+++--+++-++
+-------+-++-+-+-+++++---+++--++-+
The above three examples are balanced in the sense that the number of 1's and −1's in the sequence is the same; the term almost balanced means that the numbers of 1's and −1's are nearly equal (differing by 1 or 2 depending on whether the length of the sequence is odd or even). Although an almost balanced optimal binary sequence of length 14 exists, a balanced one cannot (for a proof see Arasu and Pott (2009)). We close this section by asking:
Questions: Are there other families of perfect binary sequences of period n ≡ 2 (mod 4) that can be constructed, balanced or otherwise? Do balanced perfect sequences of periods = 54, 62, 86, 90, 94, 98 exist?
Remark: The periods listed above are the only open cases for < 100, when n ≡ 2 (mod 4).
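The criteria of sections 1 and 2 can be checked mechanically on the sequences listed above. The following Python code is an added example, not code from the paper or its authors: it takes a +/- string, computes the periodic autocorrelation, the difference function of the support and the almost-difference-set parameters of Definition 2.1, and builds the Legendre sequence of Case 2. The period-7 sequence and the convention s_0 = −1 for the Legendre sequence are our own choices.

```python
"""Autocorrelation, difference function and almost-difference-set checks.

Added example, not part of the paper: it verifies on small inputs the bridge
C(tau) = n - 4(k - d(tau)) between a {+1,-1} sequence and the difference
function of its support (Proposition 1.2), the optimal value sets of
equations (11)-(14) / Theorem 2.2, and the Legendre construction of Case 2.
"""
from typing import Dict, List, Optional, Set, Tuple


def parse_pm(s: str) -> List[int]:
    """Turn a '+'/'-' string, the paper's notation, into a +1/-1 list."""
    return [1 if c == "+" else -1 for c in s]


def autocorrelation(seq: List[int]) -> List[int]:
    """Periodic autocorrelation C(tau) = sum_t s_t s_{t+tau}, subscripts mod n."""
    n = len(seq)
    return [sum(seq[t] * seq[(t + tau) % n] for t in range(n)) for tau in range(n)]


def out_of_phase_values(seq: List[int]) -> Set[int]:
    """Autocorrelation values at the non-trivial shifts 0 < tau < n."""
    return set(autocorrelation(seq)[1:])


def support(seq: List[int]) -> Set[int]:
    """D = {t : s_t = +1}, the set used as a cyclic (almost) difference set."""
    return {t for t, v in enumerate(seq) if v == 1}


def difference_function(D: Set[int], n: int) -> Dict[int, int]:
    """d(tau) = number of ordered pairs (x, y) in D x D with x - y = tau (mod n),
    equivalently |D ∩ (D + tau)|, for every non-zero tau."""
    counts = {tau: 0 for tau in range(1, n)}
    for x in D:
        for y in D:
            if x != y:
                counts[(x - y) % n] += 1
    return counts


def autocorrelation_from_support(D: Set[int], n: int) -> List[int]:
    """The bridge of Proposition 1.2: C(tau) = n - 4(k - d(tau)) with k = |D|."""
    k, d = len(D), difference_function(D, n)
    return [n] + [n - 4 * (k - d[tau]) for tau in range(1, n)]


def ads_parameters(D: Set[int], n: int) -> Optional[Tuple[int, int, int, int]]:
    """(n, k, lambda, t) of Definition 2.1 if D is an almost difference set of Z_n:
    t non-zero elements occur lambda times as a difference, the other n-1-t occur
    lambda+1 times. A genuine difference set is reported with t = n - 1."""
    d = difference_function(D, n)
    values = sorted(set(d.values()))
    if len(values) == 1:
        return (n, len(D), values[0], n - 1)
    if len(values) != 2 or values[1] - values[0] != 1:
        return None
    lam = values[0]
    return (n, len(D), lam, sum(1 for v in d.values() if v == lam))


def optimal_value_sets(n: int) -> Tuple[Set[int], ...]:
    """Allowed out-of-phase value sets of equations (11)-(14), by n mod 4."""
    return {0: ({0, -4}, {0, 4}), 1: ({1, -3},), 2: ({2, -2},), 3: ({-1, 3},)}[n % 4]


def is_optimal(seq: List[int]) -> bool:
    """True for 2- or 3-level sequences meeting the optimality criterion."""
    vals = out_of_phase_values(seq)
    return any(vals <= allowed for allowed in optimal_value_sets(len(seq)))


def legendre_sequence(p: int) -> List[int]:
    """Characteristic sequence of the quadratic residues mod p (s_0 = -1)."""
    residues = {(x * x) % p for x in range(1, p)}
    return [1 if t in residues else -1 for t in range(p)]


if __name__ == "__main__":
    # The paper's computer-generated sequences of period 1 (mod 4) (Case 2) and
    # a constructed period-7 sequence with 2-level autocorrelation -1 (Case 5).
    for s in ["++---", "+++-+----", "+++-++-+-----", "+++-+--"]:
        seq = parse_pm(s)
        D = support(seq)
        assert autocorrelation(seq) == autocorrelation_from_support(D, len(seq))
        print(f"{s}: values {sorted(out_of_phase_values(seq))}, "
              f"ADS parameters {ads_parameters(D, len(seq))}, optimal={is_optimal(seq)}")
    # Legendre sequence for p = 13: the quadratic residues {1,3,4,9,10,12} form a
    # (13, 6, 2, 6) almost difference set and the sequence has values {1, -3}.
    leg = legendre_sequence(13)
    print("Legendre p=13:", ads_parameters(support(leg), 13), sorted(out_of_phase_values(leg)))
```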

3. Perfect arrays
An r-dimensional matrix [ = , , ] with 0 < (1 ) is called an array. The array is called perfect if the periodic autocorrelation coefficients

( , , ) = [ , , ][( + )mod , , ( + (22) ) mod ]

are zero for all ( , , ) (0, ,0), 0 ≤ < . The array is binary if each matrix entry is ±1. The array is ternary if the entries lie in {0, 1, −1}. The invertible mapping from the binary array to (({ = ) , , )|[ , , ] = 1} gives rise to an equivalence between a perfect binary array and a Hadamard difference set (also called a Menon difference set) in (see Jedwab (1992) and Davis and Jedwab (1997)). There is a vast literature in the area of Hadamard difference sets; we refer the reader to Beth, Jungnickel and Lenz (1999) and the bibliography provided there for the study of this very important combinatorial structure. We summarize below, as a theorem, the current state of the art on the abelian groups that contain a Hadamard difference set.

Theorem 3.1: Let = where is an abelian group of order 2 and exponent at most 2 , , m m are non-negative integers such that = 3 for some non-negative integer and are odd primes. Then contains a Hadamard difference set.
The smallest open cases are: .
A study of perfect binary arrays (and Hadamard difference sets) would be incomplete without mentioning the names of some very important players and contributors in the field: W.K. Chan, Y.Q. Chen, J. Davis, J.F. Dillon, J. Iiams, W.M. Kantor, R.G. Kraemer, R. Liebler, S.L. Ma, R.L. McFarland, D.B. Meisner, P.K. Menon, C. Mitchell, F.C. Piper, D.K. Ray-Chaudhuri, B. Schmidt, S.K. Sehgal, M.K. Siu, K. Smith, V. Tonchev, R.J. Turyn, P.R. Wild, X. Wu, R.M. Wilson, M.Y. Xia, Q. Xiang, M. Yamada, and K. Yamamoto. A recent exposition of Hadamard difference sets containing some beautiful examples is Dillon (2010). Dillon (2010) gives several perfect multidimensional arrays and synchronization patterns with colorful pictures.
In the remainder of this section, we shall discuss perfect ternary arrays (see Arasu and Dillon (1999) for a survey on this topic). We begin by introducing group invariant matrices (which are also referred to as group developed matrices). Let be a group of order ( need not be abelian, but we write it additively). An × matrix = indexed by the elements of the group (so and belong to ) is said to be -invariant (or -developed) if it satisfies the condition = , for , , . (23)

is said to be circulant if the underlying group is cyclic. Thus the matrix is completely determined by its first row. Let denote the group ring of a given group over a ring . Then the set of -invariant matrices with entries from is isomorphic to the group ring . A weighing matrix (, ) is a square matrix of size all of whose entries lie in {0, 1, −1}, satisfying = (24) where is the × identity matrix. Note that must have exactly k entries which are nonzero. is called the weight of . If = (| |) is the incidence matrix of a symmetric (, , )-design, then the weighing matrix is said to be balanced. Examples of balanced weighing matrices include Hadamard matrices (, ) and conference matrices (, 1). We let CW(n,k) stand for a circulant weighing matrix of order n with weight k.

Each class of group invariant matrices can be described as a group ring equation. This group ring formulation of the problem is generally used to obtain existence and nonexistence results for these objects. Hence the study of these group invariant matrices uses character theory and algebraic number theory.
We now turn our attention to perfect ternary arrays, drawing freely from the survey of Arasu and Dillon (1999). Antweiler, Bömer and Lüke (1990) first introduced the term perfect ternary array, but 1-dimensional examples were known in the literature earlier under the name of perfect ternary sequences or circulant weighing matrices (see Chang (1997), Dillon (1979), Eades and Hain (1976), Games (1986), Geramita and Seberry (1979), Høholdt and Justesen (1983), Ipatov, Platonov and Samilov (1983), Mullin (1975), Mullin and Stanton (1975, 1976), Vincent (1989) and Whiteman (1975)). Moreover, Jedwab's (1992) results on generalized perfect arrays apply to the ternary case as well. Let be an PTA. The number of nonzero entries in is called the energy of and is denoted by (). The ratio ()/( ) is called its energy efficiency. The following is easy to prove; it gives the connection between perfect ternary arrays and group invariant/developed matrices.
Proposition 3.2: The existence of an PTA with energy is equivalent to the existence of two disjoint subsets and of = satisfying ( )( )() = , and hence equivalent to the existence of a G-developed matrix ( , ).
The next result is well known and easy to prove (see Mullin (1975), e.g.).
Proposition 3.3: Assume the existence of a G-developed weighing matrix (||, ). Then (1) = for some integer ; (2) {, ({ = } )/2, ( + )/2}.
The following is an easy composition and imbedding theorem.
Theorem 3.4: (1) If there exists a G-developed matrix (||, ), then there exists an H-developed matrix (, ) for all groups containing a subgroup isomorphic to G. (2) If there exists a (, ), then there exists a (, ) for all positive

integers .
(3) Suppose that ( , ) = 1. Then there exists a ( )-developed matrix (, ) if there exists a ( , ).
(4) If there exists a -developed matrix ( , ), = 1, 2, then there exists a ( )-developed matrix ( , ).
Our next theorem uses the well known idea of orthogonal pieces; an explicit proof is in Arasu and Dillon (1999).
Theorem 3.5: If there exists a (, ) with odd, then there exists a (2, 4) for all odd > 1.
An extension of Theorem 3.5 to the abelian case is given below:
Theorem 3.6: Let H be an abelian group and let for = 0, 1, 2, , ( 1). Assume that the following three conditions are satisfied:
(1) The coefficients of each of the s are 0, 1 and −1;
(2) () = ||;
(3) () = 0 for all .
Moreover, let be an abelian group containing as a subgroup of index > . Then there exists a -developed matrix (||, |)|.
Our next result contains essentially the only infinite family of CWs (the minimal ones).
Theorem 3.7: For each prime power and positive integer , there exists a (( 1)/( 1), ).
The result of Theorem 3.7 has an interesting history. Using the so-called affine difference sets of Bose (1942) and Elliot and Butson (1956), the CWs of Theorem 2.9 for odd can be easily obtained by taking a suitable homomorphic image of the underlying relative difference set. The reader may consult Arasu, Dillon, Jungnickel and Pott (1995), Elliot and Butson (1956) and Pott (1995) for more details. The odd case was independently obtained by Eades (1977, 1980). The case odd and = 3 is also contained in Wallis and Whiteman (1975). Using shift register sequences, Ipatov (1979, 1980) obtained CWs in the odd case using the PTS language.

The case even was first reported by Dillon (1979); Games (1986) and Høholdt and Justesen (1983) are the first published results for the even case (using PTS language). Details of Dillon's (1979) constructions appeared in Arasu, Dillon, Jungnickel and Pott (1995). The other known sporadic examples of CW(, ) have (, ) equal to (33,25), (71,25), (87,49) and (24,9). A CW(33,25) was first found by Antweiler, Bömer and Lüke (1990) using a computer; a theoretical explanation of this example is due to Arasu and Torban (1997). A CW(24,9) is contained in Strassler (1997) and Ang et al (2008); it was first discovered by Vincent (1989) via computer search. Strassler (1998) found examples of CW(71,25) and CW(87,49). These two can be easily obtained using the well known notion of multipliers.
Jedwab and Mitchell (1988) and Wild (1988) obtain larger PBAs from smaller ones by combining them with the so-called quasiperfect binary arrays. These ideas were extended to the ternary case by Vincent (1989) and Antweiler, Bömer and Lüke (1990). The most general -ary case is dealt with by Jedwab (1992). The importance of these composition theorems can be seen in the work of Vincent (1989), where she constructs a new CW(96,36) using a CW(24,9) and what she calls a quasiperfect ternary sequence of length 24 and weight 9. Modifying the "orthogonal pieces" ideas of Arasu & Dillon (1999), Arasu, Koukouvinos et al (2010) have found a new perfect ternary sequence of length 142 and weight 100, which gives new examples of circulant weighing matrices, settling previously open cases affirmatively.
There are several non-existence results for CWs (see Arasu and Ma (2001), Arasu and Seberry (1996)). We begin with a reduction theorem:
Theorem 3.8: (Arasu (1998)) Suppose that a ( , ) exists where is a prime, , , and are positive integers satisfying (, ) = (, = )1. Assume 1 (mod ) for an integer . Then = 2 and = 1 and there exists a (2 , ).
A G-developed weighing matrix W is called proper if there is no proper subgroup H of G such that W is H-developed. The next three theorems are due to Arasu and Ma (2001). Theorem 3.9: (Arasu and Ma (2001)) Let = , = )( , ( ( 1), ) = 1 and is a prime greater than 3. Then, a proper G-developed W(||, ) for all 1 does not exist. Theorem 3.10: (Arasu and Ma (2001)) Let = where (D) = , = )(, (, ) = 1 and is a prime greater than 7. If is odd or is strictly

divisible by 2 or ( + 1)/2, then a proper G-developed (||, ) does not exist.
Theorem 3.11: (Arasu and Ma (2001)) Let = where (D) = , is an odd prime, = )(, > 1, and (, ) = 1. Then, a proper G-developed (||, ) does not exist.
The next theorem is an extension to the abelian case of the cyclic version of a theorem due to Arasu and Seberry (1996):
Theorem 3.12: (Arasu and Hollon (2010)) Suppose that a G-developed (||, ) exists for an abelian group G of order n. Let p be a prime such that | for some . Further let H be a subgroup of G, of order | = |n/m. Write / = , where P is the cyclic Sylow p-subgroup of / and (, | = )|1. Assume also that there exists an such that 1 (mod ))(. Then,
(1) If p divides m, then 2/
(2) If p does not divide m, then /
Lengths of perfect ternary sequences (equivalently circulant weighing matrices) of small weights have been classified:
(1) Eades and Hain (1976): A perfect ternary sequence of length with weight 4 (n ≥ 4) exists if and only if is divisible by 2 or 7.
(2) Ang, Arasu, Ma & Strassler (2008), Strassler (1997): A perfect ternary sequence of length with weight 9 exists if and only if is divisible by 13 or 24.
(3) Arasu, Leung et al (2006): A perfect ternary sequence of length with weight 16 exists if and only if is divisible by 21 or 31 or 14 (here n ≥ 21).
Strassler (1997) has a table of parameters (, ) for 100 and discusses the existence status of the corresponding (, ). Arasu and Gutman (2010) fill over 50 missing entries of Strassler's table. Group weighing matrices have been systematically studied by Ang (2003). Arasu and Hollon (2010) investigate group weighing matrices in the abelian case and provide a table for weights and group sizes not exceeding 100. For some interesting results and conjectures on circulant weighing matrices with large weights, we refer the reader to section 5 of Arasu and Dillon (1999).
We next extract some very interesting recent results of Leung and Schmidt (2010) regarding finiteness.
We need some definitions first: Let denote the cyclic group of order . For a divisor of , we identify the subgroup of order of as .

Definition 3.13: Let be a positive integer, let be a divisor of , and let be a generator of . Every [ ] can be uniquely written in the form:

= with [ ].

(25)

If = 0 for all , then we say that is orthogonal over . We say that a subset S of [ ] is orthogonal over if every element of S is orthogonal over .
Definition 3.14: Let be a positive integer and let { = } be a finite set of elements of [ ] with 0 for all . We call an orthogonal family over if = 0 for all . We call reducible if there is a proper divisor of such that is orthogonal over , and irreducible otherwise. If () = , where is an integer, we say that has weight .
Definition 3.15: Let be a positive integer, let be a divisor of and let = { } be an orthogonal family over . We say that [ ] is a coset combination of if has the form: = (26) where , , are representatives of distinct cosets of in .
The following is the main result of Leung and Schmidt (2010). It shows that for fixed n, all circulant weighing matrices of weight n can be determined by a finite algorithm.
Theorem 3.16: Let be a positive integer. (1) Every circulant weighing matrix of weight n is a coset combination of an irreducible orthogonal family of weight n. (2) The number of irreducible orthogonal families of weight n is finite, and they can be enumerated by a finite algorithm.
In the case where the weight is an odd prime, they go much further. To formulate their result in this case we need some more terminology.
Definition 3.17: Let { = } be an orthogonal family over (recall that this requires 0 for all ). We call nontrivial if 2. We say that has coefficients −1, 0, 1 if all have coefficients −1, 0, 1 only.
Theorem 3.18: There is no nontrivial orthogonal family with coefficients −1, 0, 1 of odd prime weight.

Corollary 3.19: Let be an odd prime power; then there are at most finitely many proper circulant weighing matrices of order .
We close this section by providing an application of perfect ternary sequences to self-dual codes. It is easy to show that perfect ternary arrays are equivalent to weighing matrices that admit a regular group action. If is a suitable weighing matrix of order , then it can be shown that [ | ] generates a ternary self-dual code of length 2. Perfect ternary arrays yield an interesting class of self-dual codes, as in Arasu & Gulliver (2001), Arasu (2004) and Arasu, Chen, Gulliver and Song (2006), who discovered a new ternary self-dual code [96,48,24] whose minimum distance 24 beats all the previously known such codes. The best previously known ternary [96,48] code has minimum distance 19. Their new code has the generator matrix [ | ], where = 48 and is the negacyclic matrix whose first row is
122221211111112112212211012211122111212121111212
The aforementioned initial row is theoretically obtained using Theorem 3 of Arasu, Chen, Gulliver and Song (2006); the symbol 2 in the first row denotes −1. It turns out that the codes of Arasu, Chen, Gulliver and Song (2006) are equivalent to the Pless symmetry codes (Pless (1972)). A proof of this equivalence is in Arasu, Chen, Gulliver and Song (2006). Computing its minimum distance as 24 took 53 days of computing time.

4. Perfect quaternary arrays
Arasu & de Launey (2001) and Arasu, de Launey and Ma (2002) investigate complex Hadamard matrices and perfect quaternary arrays. A perfect quaternary array (PQA) is an array of fourth roots of unity with perfect periodic autocorrelation properties, i.e. ,... = 0 whenever the offset = ( , , , ) is non-zero. (27)
Examples: (1) (1, i) is a 1 × 2 perfect quaternary array. (2) (1, i, 1, i) is a 1 × 4 perfect quaternary array. (3) (1, 1, i, 1, 1, 1, i, 1) is a 1 × 8 perfect quaternary array.
The known 2-dimensional examples of perfect binary arrays have their dimensions restricted to 2 3 2 3, where = 0 or 2, 0, 0, and = 0 unless

2 + 2. But the answer to the existence question for perfect quaternary arrays appears to be very different. Arasu & de Launey (2001) show that perfect quaternary arrays are equivalent to relative difference sets in , relative to the subgroup which is contained in = . Using this nice connection and algebraic techniques, several new families of perfect quaternary arrays have been constructed. A few examples had already been discovered. Some of the new arrays obtained have dimensions: 3 × 6, 3 × 24, 6 × 12, 6 × 48, 12 × 24, 12 × 96, 24 × 48, 48 × 96, 51 × 102, 14 × 14, 7 × 28, 14 × 28, 28 × 28, 7 × 56, 14 × 56, 28 × 56, 21 × 84, 42 × 42, 42 × 84, 84 × 84, 18 × 9, 72 × 9 and 54 × 27.
Examples of two-dimensional perfect quaternary arrays
Example 4.1: (Arasu & de Launey [2001]): A PQA(2,2) is shown below: 1 1 (28)

(29)

Example 4.3: A PQA(14,14) is given in Arasu & de Launey [2001]. It should be possible to obtain several new classes of quaternary arrays, surely for dimensions higher than 2, using the techniques of Arasu and de Launey (2001), as their investigation focused only on the 2-dimensional case and routine generalization should yield results for higher dimensions. PQAs are very closely connected to complex Hadamard matrices. We now describe how any PQA(, ) leads to a complex Hadamard matrix with the bicyclic group acting regularly. The concept of a regular action of a group on a combinatorial object is important in combinatorial mathematics, but here it is of peripheral interest. A complex Hadamard matrix of order is an × matrix , say, whose entries are fourth roots of unity and which satisfies the equation = (30)

Here is the Hermitian adjoint of . It is obtained by forming the transpose of and replacing each entry by its complex conjugate.


For each pair of integers and , where 0 , < , define the integers , , and by the relations = + and = + , where 0 , < and 0 , < , and set (, ( = ) , ) where the arithmetic in the indices of is done modulo and respectively. Now suppose the × array = (, ) is a PQA(, ). Define the × matrix to be the matrix whose (, )-th entry is (, ). Then the (, )-th entry of is (, ( ), )

= ( , ) ( , )

(31)

( , )( + , + ) =

if = and = 0 otherwise

(32)

Hence, = , and is indeed a complex Hadamard matrix of order . The additional property that (, ) depends only on the values of (mod ) and (mod ) confers on the aforementioned regular action. Complex Hadamard matrices were first discussed in Turyn (1970). The matrix = , is said to be circulant if, for all , = 0,1, . . . , 1, , = , . Here the difference 1 is computed modulo n.

Example 4.4: The circulant matrices with first rows (1, i), (1, i, 1, i), (1,1, i, 1,1, 1, i, 1) and (1,1, i, i, i, 1,1, i, 1,1, i, i, i, 1, 1, i) are complex Hadamard matrices of the respective orders = 2, 4, 8 and 16. The following are well known:

Theorem 4.5: If there is a circulant complex Hadamard matrix of order , then is the sum of two squares.
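The equivalence used in Example 4.4 (a perfect quaternary sequence of length n gives a circulant complex Hadamard matrix of order n, since row a and row b of the circulant have inner product equal to the periodic autocorrelation at shift a - b) and the necessary condition of Theorem 4.5 can both be checked directly. The Python below is an added worked example, not code from the survey or from Arasu and de Launey. The printed sequences of Example 4.4 lost their signs in extraction, so the length-4 sample (1, i, -1, i) is a constructed, hand-verified input rather than a transcription; the block also searches all quaternary sequences of small length exhaustively, and tests the sum-of-two-squares condition on the eleven open orders listed in the Remark at the end of this section.

```python
"""Periodic autocorrelation, circulant complex Hadamard matrices and Theorem 4.5.

Added worked example (not code from the survey). Sample sequences are constructed
here; OPEN_ORDERS are the orders quoted in the Remark of Section 4.
"""
from itertools import product
from math import isqrt

FOURTH_ROOTS = (1, 1j, -1, -1j)


def periodic_autocorrelation(seq, t):
    """C(t) = sum_k a_k * conj(a_{k+t}), indices taken modulo the period n."""
    n = len(seq)
    return sum(complex(seq[k]) * complex(seq[(k + t) % n]).conjugate() for k in range(n))


def is_perfect(seq):
    """Perfect: every out-of-phase coefficient C(t), 0 < t < n, is zero.
    Entries are Gaussian integers, so the complex arithmetic is exact."""
    return all(periodic_autocorrelation(seq, t) == 0 for t in range(1, len(seq)))


def circulant(row):
    """Circulant matrix whose i-th row is the first row shifted i places to the right."""
    n = len(row)
    return [[row[(j - i) % n] for j in range(n)] for i in range(n)]


def is_complex_hadamard(H):
    """Check H H* = n I straight from the definition in equation (30)."""
    n = len(H)
    for a in range(n):
        for b in range(n):
            inner = sum(complex(H[a][k]) * complex(H[b][k]).conjugate() for k in range(n))
            if inner != (n if a == b else 0):
                return False
    return True


def perfect_quaternary_sequences(n):
    """Exhaustive search over all 4^n length-n sequences of fourth roots of unity."""
    return [seq for seq in product(FOURTH_ROOTS, repeat=n) if is_perfect(seq)]


def is_sum_of_two_squares(n):
    """Necessary condition of Theorem 4.5 for a circulant complex Hadamard matrix of order n."""
    return any(isqrt(n - a * a) ** 2 == n - a * a for a in range(isqrt(n) + 1))


# Orders up to 1000 that the Remark in Section 4 lists as not yet excluded.
OPEN_ORDERS = (260, 340, 442, 468, 520, 580, 680, 754, 820, 884, 890)


if __name__ == "__main__":
    for seq in [(1, 1j), (1, 1j, -1, 1j)]:  # constructed samples, verified by hand
        print(seq, "perfect:", is_perfect(seq),
              "circulant is complex Hadamard:", is_complex_hadamard(circulant(seq)))
    for n in (2, 3, 4):
        print(f"length {n}: {len(perfect_quaternary_sequences(n))} perfect quaternary sequences")
    print("open orders all sums of two squares:",
          all(is_sum_of_two_squares(n) for n in OPEN_ORDERS))
```

Length 3 is not a sum of two squares, and the exhaustive search confirms that no perfect quaternary sequence of length 3 exists, which is Theorem 4.5 in miniature.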


Theorem 4.6: (Turyn (1970)) There are no circulant complex Hadamard matrices of order 2 for > 4 or 2 where is an odd prime. Using Turyn-type arguments (Turyn (1965)) and techniques of Ma (1985), Arasu, de Launey and Ma (2002) prove several nonexistence theorems. We only state a few of them here.

Theorem 4.7: (Arasu, de Launey and Ma (2002)) Suppose 1 (mod 4) is a prime. Let 0, be an integer such that 1 (mod ). Let be an odd integer, (, ) = 1. If there exists a circulant complex Hadamard matrix of order 2, then .

Lemma 4.8: (Arasu, de Launey and Ma (2002)) Let = with (, ) = 1, an integer relatively prime to and an abelian group of order which contains an element of order . If [ ] satisfies (( ) ) , for all characters of with () = , where () is a polynomial in [ ] such that ( ) and are relatively prime, then

/ ( = ) +

(33)

where , , [ ] and , , . , are all prime divisors of .

Lemma 4.9: (Arasu, de Launey and Ma (2002)) Let = be a cyclic group of order = 4. Let be an odd prime such that 1 ( 4), || and = 2 . If [ ] satisfies ( )() 0 mod for a character of of order

, and if one of the following is true: (1) f 2 (2) t = 0 (3) (y) (y) 0 mod p for a character of G of order v/p, then

/ = + / +

(34)

where , , , [], , , , are all prime divisors of and , are integers relatively prime to such that + = with = [/2] if 2 = 1 if = 1. (Note that {, } are unique up to signs and permutations.)

Lemma 4.10: (Arasu, de Launey and Ma (2002)) Let = be an abelian group where = (2 , 2 ) and | | is odd. Suppose 2 is self-conjugate modulo exp ().


If [ ] satisfies ( )() 0 2 mod 2 for all characters which are nonprincipal on , then = 2 1 +

(35)

where , [ ] and = [/2]. (Here "2 is self-conjugate modulo exp ()" means 2 1 (mod exp ()) for some integer l.) For non-existence results we have only stated the above sample lemmas; further extensions of the lemmas are likely and would yield stronger results. (See Arasu, de Launey and Ma (2002) and Arasu and Ma (2001) for more such results.) Using Schmidt's results (Schmidt (1999, 2002)), we obtain the following:

Theorem 4.11: (Arasu, de Launey and Ma (2002)) Let be a finite set of primes, and let () be the set of integers whose prime divisors all lie in P. Then there are finitely many circulant complex Hadamard matrices with orders in ().

We conclude this section by making the following remark:

Remark: The following eleven orders of circulant complex Hadamard matrices up to 1000 have yet to be excluded: 260, 340, 442, 468, 520, 580, 680, 754, 820, 884, 890. In view of the conjecture that there is no circulant Hadamard matrix of order greater than 4, it is tempting to conjecture that there is no circulant complex Hadamard matrix of order greater than 16.

5. p-ary sequences

Ma and Ng (2009) follow the approach of Turyn (1968) and study complex p-ary sequences, where p is an odd prime.

Definition 5.1: Let = ( , , ) be a complex sequence. The sequence is called a complex m-ary sequence if = , where is a primitive m-th root of unity in and {0,1, , 1}. Also is said to be periodic with period if = () for all 0. Suppose is a periodic complex m-ary sequence of period . The autocorrelation function of is defined by C(t) = , for t = 0,1, , (n 1). (36)

All autocorrelation coefficients )(with 0 (mod ) are called out-of-phase autocorrelation coefficients. A periodic sequence is said to have a two-level autocorrelation function if all the out-of-phase autocorrelation coefficients are equal to a


constant . In particular, the sequence a is called a perfect sequence if = 0 and a nearly perfect sequence if || = 1. The binary perfect and nearly perfect sequences, i.e., = 2, were discussed in Sections 1 and 2. The case = 4 has been studied by Turyn (1970) and Arasu, de Launey and Ma (2002) (see Section 4 of this survey). In this section, we shall discuss the case = where is an odd prime, basically summarizing the results of Ma and Ng (2009).

Theorem 5.2: (Ma and Ng (2009)) Let be a prime and let = ( , , ) be a periodic sequence of period n where = and {0,1, , 1}. Let = be an abelian group where = , = , () = , and = (). Then a is a perfect sequence if and only if { = | = 0,1, , 1} is an (, , , /)-relative difference set in relative to , i.e., () = + / ( ) (37)

In view of Theorem 5.2, studying complex -ary perfect sequences is equivalent to studying (, , , /)-relative difference sets. We list below some examples found in the literature. We are only interested in the case where is an odd prime.

Example 5.3: (Ma and Schmidt, 1995, Theorem 2.2.9) Let = and D = {(x, x )|x = 0,1, , p 1} (38)

Then is a (, , , 1)-relative difference set in relative to =< (0,1) >. So we have a complex -ary perfect sequence of period : (1, , , ,

()

,)

(39)

Example 5.4: (Ma and Schmidt, 1995, Theorem 2.3) Let = and D = (x + py, xy)

(40)

Then is a ( , , , )-relative difference set in relative to =< (0,1) >. So, we have a complex -ary perfect sequence of period .

( , , ,

Definition 5.5: Let be a periodic complex -ary sequence. (1) If the out-of-phase autocorrelation coefficients of a are all equal to 1, we say that is a type I nearly perfect sequence.


(2) If the out-of-phase autocorrelation coefficients of a are all equal to 1, we say that a is a type II nearly perfect sequence.

Theorem 5.6: (Ma and Ng (2009)) Let p be a prime and let = ( , , ) be a periodic sequence of period n where = and {0,1, , 1}. Let = be an abelian group where <= >, =< >, () = , and = (). Define { = = 0,1, , 1}. Then (1) is a type I nearly perfect sequence if and only if is an (, , , 1,0,

DD() = (n + 1) H + and

(G P)

(42)

() = ( 1) + +

( )

(43)

Example 5.7: (see Helleseth and Kumar, (1998), Section 3.1) Let be a prime and be a power of . Let be the finite field of order and be the subfield of of order . Then = , )(|

(44)

is a ( 1, , 1, 1, 0, ) -direct product difference set relative to {0} and {0} where is the group of the units of . So we have a complex -ary type I nearly perfect sequence of period 1:

(() , () , ,

,)

(45)

6. -ary sequences via Gauss sums

In this section, we discuss a few important results on some new constructions of p-ary perfect sequences due to Arasu, Dillon and Player (2010). Detailed proofs of their results on new constructions of p-ary sequences using Gauss sums and Stickelberger


combinatorics are provided in Arasu, Dillon, and Player (2010). Here we provide only some of the main ideas of their construction methods. We begin by reformulating an earlier definition for "complex" valued sequences. For a sequence = ( ), = 0,1,2, , ( 1), of length , where each is a complex number, its periodic autocorrelation coefficients are defined by: ( = ) , = 0,1, , ( 1) (46)

where the subscripts are taken modulo . We shall investigate -ary sequences ( any prime), whose entries are -th roots of unity satisfying ( = ) 1 0 (mod ) otherwise (47)

We alert the reader that p-ary sequences that satisfy (47) are referred to as almost perfect p-ary sequences of type I, as we saw in Section 5; but we shall call these perfect sequences in this section. Let = for some prime . Throughout this section, we will assume that the group is either or / , which is a cyclic group. We now define the well-known notion of a perfect sequence using group rings. Note that this definition implies that all the out-of-phase autocorrelations are minus one.

Definition 6.1: (Perfect Sequence, abbr. PS) Define to be an arbitrary subring of generated by some set . is usually taken to be the set of n-th roots of unity for some positive integer . Let be an element of [ ] whose coefficients are from . Then is called a perfect sequence in if = (| | + 1) or equivalently if , |()| = | | + 1 1 = (49) (48)

Here denotes the field of complex numbers. Example: (-sequence) Let = for some prime and a positive integer. Then = () is perfect. Throughout this paper, denotes a finite field with m elements.
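The m-sequence example just given, and Example 5.7 in Section 5 (the trace sequence as a type I nearly perfect sequence), both rest on the same computation: a p-ary m-sequence of period p^m - 1, mapped to p-th roots of unity, has every out-of-phase autocorrelation equal to -1, which is condition (47). The Python below is an added worked example, not code from the survey or from Arasu, Dillon and Player. It generates the sequence from a linear recurrence rather than from a field trace (the two agree up to a cyclic shift when the characteristic polynomial is primitive); the primitive polynomials x^2 + x + 2 over F_3 and x^3 + x + 1 over F_2 are assumptions chosen for the example, and the histogram function shows why the value is -1: the differences s_k - s_{k+t} take each nonzero value p^(m-1) times and zero p^(m-1) - 1 times.

```python
"""p-ary m-sequences and their two-level (-1) periodic autocorrelation.

Added worked example (not code from the survey). The characteristic polynomials
used in the samples are assumptions chosen for this example: x^2 + x + 2 over F_3
and x^3 + x + 1 over F_2, both primitive, giving periods 8 and 7.
"""
import cmath


def lfsr_sequence(p, poly, init):
    """One period of the sequence s_k over F_p satisfying the recurrence whose
    characteristic polynomial is x^m + poly[m-1] x^(m-1) + ... + poly[0]:
        s_{k+m} = -(poly[m-1] s_{k+m-1} + ... + poly[0] s_k)  (mod p).
    For a primitive polynomial this is the m-sequence Tr(alpha^k) of Section 6
    (up to a cyclic shift) and has period p^m - 1; `init` supplies s_0 .. s_{m-1}."""
    m = len(poly)
    n = p ** m - 1
    s = list(init)
    while len(s) < n:
        s.append(-sum(c * s[-m + i] for i, c in enumerate(poly)) % p)
    return s


def to_complex(seq, p):
    """Map s_k in {0, ..., p-1} to the p-th root of unity omega^{s_k} (Definition 5.1)."""
    omega = cmath.exp(2j * cmath.pi / p)
    return [omega ** s for s in seq]


def autocorrelation(a, t):
    """C(t) = sum_k a_k conj(a_{k+t}), indices modulo the period (equation (46))."""
    n = len(a)
    return sum(a[k] * a[(k + t) % n].conjugate() for k in range(n))


def has_minus_one_autocorrelation(a, tol=1e-9):
    """True when every out-of-phase coefficient C(t), 0 < t < n, equals -1 (condition (47))."""
    return all(abs(autocorrelation(a, t) + 1) < tol for t in range(1, len(a)))


def difference_counts(seq, p, t):
    """Histogram of s_k - s_{k+t} (mod p) over one period. For an m-sequence the
    difference sequence is itself a shift of the m-sequence, so each nonzero value
    occurs p^(m-1) times and zero occurs p^(m-1) - 1 times; hence C(t) = -1."""
    n = len(seq)
    counts = [0] * p
    for k in range(n):
        counts[(seq[k] - seq[(k + t) % n]) % p] += 1
    return counts


if __name__ == "__main__":
    ternary = lfsr_sequence(3, [2, 1], [0, 1])       # x^2 + x + 2 over F_3, period 8
    binary = lfsr_sequence(2, [1, 1, 0], [0, 0, 1])  # x^3 + x + 1 over F_2, period 7
    for p, s in ((3, ternary), (2, binary)):
        a = to_complex(s, p)
        print(p, s, [round(autocorrelation(a, t).real, 6) for t in range(len(a))],
              has_minus_one_autocorrelation(a))
    print("difference histogram (ternary, t=1):", difference_counts(ternary, 3, 1))
```

A sequence that is merely balanced, such as 0,1,2,0,1,2,0,1 over F_3, fails the check at some shift, which is a useful sanity test that the property is about the difference structure and not about symbol frequencies.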


It can be easily seen that the above definition of perfect sequences is equivalent to the standard one.

Definition 6.2: (Generalized Weighing Matrix, abbr. GWM) Let be an arbitrary subring of generated by some set , where is taken to be the set of -th roots of unity for some positive integer together with {0}. Let be an element of [] whose coefficients are from . Let be some positive integer. is called a generalized weighing matrix of weight in if = or equivalently if ()|(|) = (51) (50)

It is well known that binary perfect sequences are equivalent to difference sets with Singer parameters. But the -ary case (for an odd prime ) behaves very differently; we are able to show that perfect -ary sequences are equivalent to a class of generalized weighing matrices, as defined above, which in turn give rise to a class of relative difference sets which are extensions of Singer parameters (i.e. the images of these relative difference sets under the canonical homomorphism modulo the forbidden subgroup are difference sets with Singer parameters, up to complementation). This is why we introduced the above definitions using the group ring notation. There has been much research activity in the binary case during the last decade. All of the known binary perfect sequences (equivalently cyclic difference sets with Singer parameters), except for the GMW sequences, the ones that arise from cyclotomy, and the Hall sets, are contained in the following two theorems:

Theorem 6.3: (Dillon, Dobbertin (2004)) Let be any integer in the range /2 which is coprime to . Let = 2 2 + 1 and let (= ) ( + 1) + + 1 for all . Then the punctured image = { ( |) }\ {0} of corresponds to a perfect binary sequence of length 2 1. Moreover, these perfect sequences are pairwise inequivalent.

Theorem 6.4: (Dillon, Dobbertin (2004)) Let be an integer which is not divisible by 3, and let be a natural number such that 3 1 or 1 ( ) . Let = 2 2 + 1 and let ( ( = )+ 1) + for all . Let = {( + 1) + : } if is even. \{( + 1) + : } if is odd. (52)


Researchers have become interested in the -ary case, where is an odd prime. -sequences and the sequences are two well understood families of perfect -ary sequences of length 1 which have been known for several decades. Aside from these, there are perfect sequences due to the work of Dillon (2002), Helleseth, Kumar and Martinsen (2001), Helleseth and Gong (2002), and Lin (1998), as stated below:

Theorem 6.5: (Dillon (2002)) Let be any odd prime and let ( = ), > 1. For every even integer k, 0 1, let : ( ) )(be the quadratic form given by + = and let be the related function given by ( = ) (), where is the odd part of 1. Then { } = { ( )} is perfect.

Theorem 6.6: (Helleseth, Gong (2002)) Let be a primitive element of . Let = (2 + 1) and let , 1 2 be an integer such that (, 2 + 1) = 1. Define

()/ ( = )

(53)

and let = 2 , = = for = 1,2, , . Suppose = 1 and = (1) for = 1,2, , , then the sequence over defined by = )( ( ) is perfect, where indices of are taken mod 2 + 1. Theorem 6.7: (Helleseth, Gong (2002)) Let be a primitive element of . Let = (2 + 1) and let 1 2 be an integer such that (, 2 + 1) = 1. Define

( = )

/()

(54)

(55)

and let = 2 , = = for = 1,2, , . Suppose = 1 and = (1) for = 1,2, , , then the sequence over defined by = )( ( ) is perfect, where indices of are taken mod 2 + 1. Theorem 6.8: (Helleseth, Kumar, Martinsen (2001)) Let = 3 3 + 1, and let be a primitive element of . Then the sequence { ( + )},,, is perfect. Finally, Lin has made the following conjecture: (see Lin 1998) (56)


Conjecture 6.9: (Lin (1998)) Let = 2 3 + 1, and let be a primitive element of . Then the sequence { ( + )},,, is perfect.

These recent results and Lin's conjecture, having as they do rather tantalizing similarities, have stimulated a lot of interest. The proofs of the known results are elegant but ad hoc. So far these direct methods have not yielded a proof of Lin's conjecture. Recently, Arasu, Dillon and Player (2010) have proved Lin's conjecture. The method of proof is very different from the standard methods. The new approach is described in what follows. For convenience, we define the Gauss and Jacobi sums now (here and are multiplicative characters of the finite field in question; by convention, (0) = (0) = 0).

Definition 6.10: (Gauss Sum) The Gauss sum on over , denoted )(, is defined to be )( )(() (57)

(Here is a primitive -th root of unity and is a multiplicative character of with (0) = 0.)

Definition 6.11: (Jacobi Sum) The Jacobi sum on and , denoted (, ), is defined to be: (, ): = (( )1 ) (58)

(Here and are multiplicative characters of , with (0) = (0) = 0.) Our basic tool is the following well-known result in algebraic number theory (see Berndt et al (1998) or Lidl et al (1997), for instance):

Theorem 6.12: (Stickelberger's congruence) Let ( = ). Then, for any integer not divisible by 1, ( (Z )) = )(, where denotes the Gauss sum, Z denotes the Teichmüller character and )( denotes the -adic weight of the integer after it is reduced modulo 1. Here denotes the valuation function at a prime ideal lying above in the number field that contains the underlying Gauss sum. For more details regarding the above theorem, please refer to Berndt et al (1998), Evans et al (1999) or Arasu and Player (2003). Our next task is to explain a perfect sequence existence condition.


In the study of group developed designs, one may start with an object and try to prove that the group developed design has the required auto-correlation properties. We take the opposite approach in this paper. Start with an object in Fourier space which has the correct auto-correlation properties and try to show that its Fourier inverse has coefficients in the required subset. Let be a prime, a positive integer and let = . Define = [,,] by [,,] =

( )( )

(59)

( )( () () () )

(61)

Set = [,,] . We can clearly remark that Remark 6.13: Our primary tool in the new constructions of p-ary perfect sequences is given in the next theorem: Theorem 6.14: The following are equivalent: (1) [,,] is a perfect sequence. (2) The coefficients of [,,] are p-th roots of unity. (3) For all primes above p in [ , ] and non-principal characters of G, () > 0. (4) For all non-principal characters , () > 0. (5) For all , 0 < < 1, )( )(+ > )(0.


Judicious choices of , and as given in the next three theorems now yield new classes of -ary perfect sequences. The first family works for = 2, the second for any odd prime , whereas the last one requires the said prime to be 3.

Theorem 6.15: Let = 2 and > 2 be an integer. Also let be any integer with (, ) = 1. Assume that and are of opposite parity. Then [1, 3, (2 + 1)] is a perfect sequence over (2 ) \{0}.

Remark 6.16: When = 2 and (, ) = 1, [,, ] can be shown to be the binary Dillon and Dobbertin (2004) sequences. Kashyap (2005) has proved Theorem 6.15 independently using similar methods via Stickelberger combinatorics.

Theorem 6.17: Let p be an odd prime. Let d be an integer, > 2. Let be an integer with ( + 1, 1) = 2, or equivalently /(, ) is odd. Then [1, 2, + 1] is a perfect sequence over (p )\{0}.

Remark 6.18: It can be shown that the odd prime -ary perfect sequences of Dillon (2002), Helleseth and Gong (2002), and Helleseth, Kumar and Martinsen (2001) arise as [,, ] of Theorem 6.17 for each with /(, ) odd.

Theorem 6.19: Let = 3 and > 2 be an integer. Also let be any integer with (, ) = 1. Then [1, 2, (3 + 1 )] is a perfect sequence over (3 )\{0} (62)

If, furthermore, is odd, [1 + (3 1)/2, 2, (3 + 1) + (3 1)/2] is a perfect sequence over (3 )\{0}.

Remarks 6.20: (1) The two ternary perfect sequences [,, ] and [, , ] of Theorem 6.19 project to the same difference set. (2) Arasu, Dillon and Player (2010) have shown that these families prove the conjectures of Ludkovski and Gong (2001). (3) By focusing attention on the trace expansion of the perfect sequence in the last family with ( = 1)2, Arasu, Dillon and Player (2010) show that it is equivalent to the Lin sequence (i.e.  ~ 3 + 1). Thus we obtain:

Corollary 6.21: The Lin Conjecture (1998) is true.

, where = 2


Remarks 6.22: (1) Arasu, Dillon and Player (2010) provide the first proof of this very important result. (2) Arasu, Dillon and Player (2010) do a lot more than what is stated in the above theorems. They also prove the inequivalence and compute the ranks in certain cases. We end this paper with the following:

Question: Is there a more direct proof of the Lin Conjecture?

Acknowledgement The author wishes to thank John F. Dillon, Cunsheng Ding, Tor Helleseth, Dieter Jungnickel, Siu Lun Ma, Alexander Pott, and Bernhard Schmidt for their valuable suggestions.

References

Ang, M.H., Group weighing matrices, Ph.D. Thesis, National University of Singapore, Singapore (2003).
Ang, M.H., Arasu, K. T., Ma, S.L., and Strassler, Y., Study of proper circulant weighing matrices with weight 9, Discrete Math. 308, no. 13 (2008) pp. 2802-2809.
Antweiler, M., Bömer, L., and Lüke, H. D., Perfect ternary arrays, IEEE Trans. Inf. Theory 36 (1990) pp. 696-705.
Arasu and Pott, Perfect binary sequences of even period, Journal of Statistics and Applications, Vol. 4, No. 2-3, pp. 169-178, (2009).
Arasu, K. T. and Gulliver, T.A., Self-dual codes over Fp and weighing matrices, IEEE Trans. Inform. Theory 47 (2001) pp. 2051-2055.
Arasu, K.T., Abstract of talk, XXVIIth Ohio State-Denison Mathematics Conference, June 11-13, 2004, The Ohio State University, Columbus, Ohio, (2004).
Arasu, K. T., Leung, Ka Hin, Ma, Siu Lun, Nabavi, Ali, Ray-Chaudhuri, D. K., Circulant weighing matrices of weight 2 . Des. Codes Cryptogr. 41, no. 1, (2006) pp. 111-123.
Arasu, K. T., and Ma, Siu Lun, Some new results on circulant weighing matrices, J. Algebraic Combin. 14, no. 2 (2001) pp. 91-101.
Arasu, K. T., and Seberry, Jennifer, Circulant weighing designs, J. Combin. Des. 4, no. 6 (1996) pp. 439-447.
Arasu, K. T., de Launey, Warwick, and Ma, S. L., On circulant complex Hadamard matrices. Des. Codes Cryptogr. 25, no. 2, (2002) pp. 123-142.
Arasu, K. T., Dillon, J. F., Perfect ternary arrays. Difference sets, sequences and their correlation properties (Bad Windsheim, 1998), pp. 1-15, NATO Adv. Sci. Inst. Ser. C Math. Phys. Sci., 542, Kluwer Acad. Publ., Dordrecht, (1999).
Arasu, K. T., Ma, S. L., and Voss, N. J., On a class of almost perfect sequences, J. Algebra 192, no. 2, (1997) pp. 641-650.
Arasu, K. T., Leung, Ka Hin, Ma, Siu Lun, Nabavi, Ali, Ray-Chaudhuri, D. K., Determination of all possible orders of weight 16 circulant weighing matrices. Finite Fields Appl. 12, no. 4, (2006) pp. 498-538.
Arasu, K.T. and Gutman, A.J., Circulant Weighing Matrices, Cryptogr. Commun., (in press), 2010.
Arasu, K.T. and Hollon, J.R., Group weighing matrices (2010), Preprint.
Arasu, K.T. and Little, D., Balanced perfect sequences of period 38 and 50, (2010), Preprint.




Arasu, K.T. and Pott, A., Perfect binary sequences of even period, Journal of Statistics and Applications, 4 (2009) pp. 169-178.
Arasu, K.T. and Pott, A., Theory of difference sets, In: Encyclopedia for Electrical and Electronics Engineering, Ed. J. Webster, Wiley, New York, Vol. 21, (1999), pp. 682-694.
Arasu, K.T. and Xiang, Q., On the existence of periodic complementary binary sequences, Designs, Codes & Cryptography, 2 (1992) pp. 257-266.
Arasu, K.T., Chen, Y.Q., Song, W., and Gulliver, T.A., Self-Dual Codes over F3 and Negacirculant Conference Matrices, Proc. IEEE Int. Symp. Inform. Theory, (July 2006) pp. 1301-1304.
Arasu, K.T., Chen, Yu Qing, Dillon, J.F., Liu, Xiaoyu, and Player, Kevin J., Abelian difference sets of order n dividing , Des. Codes Cryptography, 44 (2007), no. 1-3, pp. 307-319.
Arasu, K.T., Davis, J., Jedwab, J. & Sehgal, S.K., New constructions of Menon difference sets, J. Comb. Th. (A), vol. 64, (1993), pp. 329-336.
Arasu, K.T., de Launey, W., Two-dimensional perfect quaternary arrays, IEEE Trans. Info. Th., Vol. 47, (2001), pp. 1482-1493.
Arasu, K.T., Dillon, J.F., Jungnickel, D. & Pott, A., The solution of the Waterloo problem. J. Comb. Th. (A), 71 (1995), pp. 316-331.
Arasu, K.T., Dillon, J.F., Perfect ternary arrays, In: NATO volume on difference sets, sequences and their correlation properties, Ed. A. Pott et al., Kluwer, (1999) pp. 1-15.
Arasu, K.T., Dillon, J.F., Player, K.J., Character Sum Factorizations Yield Perfect Sequences (2010), Preprint.
Arasu, K.T., Hollman, D.L., Player, K., Xiang, Q., On the p-ranks of GMW difference sets, (Columbus, OH, 2000), 9-35, Ohio State Univ. Math. Res. Inst. Publ., 10, de Gruyter, Berlin, (2002).
Arasu, K.T., Player, K., New families of Singer difference sets in characteristic three using Jacobi sums, Designs, Codes and Cryptography, 28, (2003) no. 1, pp. 75-91.
Arasu, Koukouvinos, Kotsireas and Seberry, On Circulant and Two-Circulant Weighing Matrices, Australasian Journal of Combinatorics, (2010), Preprint.
Arasu, K.T., Ding, C., Helleseth, T., Kumar, P.V., Martinsen, H., Almost difference sets and their sequences with optimal autocorrelation, IEEE Trans. Inform. Theory 47 (2001) pp. 2834-2843.
Arasu, K.T., and Torban, D. (1999), New weighing matrices of weight 25, J. Comb. Designs 7, 11-15.
Arasu, K.T. (1998), A reduction theorem for circulant weighing matrices, Australasian J. Combinatorics 18, 111-114.
Baumert, L. D., Cyclic difference sets, Lecture Notes in Mathematics 182, Springer, New York (1972).
Berndt, B.C., Evans, R.J., and Williams, K.S., Gauss and Jacobi Sums, Wiley-Interscience, New York (1998).
Beth, T., Jungnickel, D., and Lenz, H., Design Theory, 2nd Edition, Cambridge University Press, Cambridge (1999).
Bose, R.C. (1942), An affine analogue of Singer's theorem, J. Indian Math. Soc. 6, 1-15.
Broughton, W.J., A note on Table 1 of "Barker sequences and difference sets", L'Enseignement Math. 50 (1995) pp. 105-107.
Cai, Y. and Ding, C., Binary sequences with optimal autocorrelation, Theoretical Computer Science, Volume 410, Issues 24-25, pp. 2316-2322.
Chang, J.A., Ternary sequence with zero correlation, Proceedings of the IEEE, vol. 55, no. 7 (1967) pp. 1211-1213.
Chang, S.W. Golomb, G. Gong and P.V. Kumar, On ideal autocorrelation sequences arising from hyperovals, Proceedings of the International Conference on Sequences and their Applications, Dec. 14-17, (1998), Singapore.
Chang, T. Helleseth, P.V. Kumar, Further results on a conjectured 2-level autocorrelation sequence, In: Conference on Communication, Control and Computing, Sep. 23-25, (1998), pp. 598-599.
Davis, J. A., Jedwab, J., A unifying construction for difference sets, J. Combin. Theory Ser. A 80 (1997) pp. 13-78.
Dillon, J.F., Some REALLY Beautiful Hadamard Matrices, Cryptogr. Commun., (in press) (2010).
Dillon, J.F., Elementary Hadamard difference sets, Ph.D. thesis, University of Maryland, (1974).
Dillon, J.F., The Waterloo Problem, In F. Hoffman (ed.), Proceedings of the Tenth Southeastern Conference on Combinatorics, Graph Theory and Computing, Congressus Numerantium XXIV, Utilitas Math. Publishing Co., Winnipeg, (1979) p. 924.
Dillon, J. F., Dobbertin, H., New cyclic difference sets with Singer parameters. Finite Fields Appl. 10, no. 3, (2004) pp. 342-389.
Dillon, J. F., Geometry, codes and difference sets: exceptional connections. Codes and designs (Columbus, OH, 2000), 73-85, Ohio State Univ. Math. Res. Inst. Publ., 10, de Gruyter, Berlin, (2002).






Dillon, J. F., Multiplicative difference sets via additive characters, Designs, Codes, Cryptography 17 (1999), pp. 225-235.
Dillon, J.F., New p-ary perfect sequences and difference sets with Singer parameters. Sequences and their applications (Bergen, 2001), pp. 23-33, Discrete Math. Theor. Comput. Sci. (Lond.), Springer, London, (2002).
Ding, C., Autocorrelation values of the generalized cyclotomic sequences of order 2, IEEE Trans. Inform. Theory 44 (1998), pp. 1698-1702.
Ding, C., Personal communication, (2010).
Ding, C., Helleseth, T., Lam, K.Y., Several classes of sequences with three-level autocorrelation, IEEE Trans. Inform. Theory 45 (1999) pp. 2606-2612.
Ding, C., Helleseth, T., Martinsen, H.M., New families of binary sequences with optimal three-level autocorrelation, IEEE Trans. Inform. Theory, 47, (2001) pp. 428-433.
Dobbertin, H., Kasami power functions, permutation polynomials and cyclic difference sets, Proceedings of the NATO A.S.I. Workshop Difference sets, sequences and their correlation properties, Bad Windsheim, August 3-14, 1998, Kluwer, Dordrecht, (1999) pp. 133-158.
Eades, P., On the existence of orthogonal designs, Ph.D. Thesis, Australian National University, Canberra (1977).
Eades, P., Circulant (v,k,)-designs, in R.W. Robinson et al. (eds), Combinatorial Mathematics VII, Lecture Notes in Mathematics 829, Springer, Berlin-Heidelberg, (1980) pp. 83-93.
Eades, P. and Hain, R.M., Circulant weighing matrices, Ars Combinatoria 2, (1976) pp. 265-284.
Eliahou, S., Kervaire, M., Barker sequences and difference sets, L'Enseignement Math. 38, (1992) pp. 345-382.
Elliot, J.E.H. and Butson, A.T., Relative difference sets, Ill. J. Math. 10, (1966) pp. 517-531.
Evans, R., Hollman, H., Krattenthaler, C., and Xiang, Q., Gauss sums, Jacobi sums and p-ranks of cyclic difference sets, J. Comb. Th. (A), 87, (1999) pp. 74-119.
Games, Richard A., The geometry of quadrics and correlations of sequences. IEEE Trans. Inform. Theory 32 (1986), no. 3, pp. 423-426.
Geramita, Anthony V., and Seberry, Jennifer, Orthogonal designs. Quadratic forms and Hadamard matrices. Lecture Notes in Pure and Applied Mathematics, 45. Marcel Dekker, Inc., New York, (1979).
Gologlu, Faruk and Pott, Alexander, Results on crosscorrelation and autocorrelation of sequences, In: Sequences and Their Applications - SETA 2008, Lecture Notes in Computer Science, Vol. 5203, pp. 95-105, Springer, Berlin/Heidelberg (Editors: Solomon W. Golomb, Matthew G. Parker, Alexander Pott and Arne Winterhof) (2008).
Golomb, S. & Taylor, H., Two dimensional synchronization patterns with minimum ambiguity, IEEE Trans. Inform. Th., Vol. IT-28, (1982) pp. 600-604.
Golomb, S., Construction of signals with favorable correlation properties, In: Surveys in combinatorics, ed. A.D. Keedwell, London Math. Society Lecture Note Series, 166, (1991) pp. 1-39.
Golomb, S. W., Construction of signals with favorable correlation properties. Difference sets, sequences and their correlation properties (Bad Windsheim, 1998), 159-194, NATO Adv. Sci. Inst. Ser. C Math. Phys. Sci., 542, Kluwer Acad. Publ., Dordrecht, (1999).
Golomb, Solomon W. and Gong, Guang, Signal design for good correlation. For wireless communication, cryptography, and radar. Cambridge University Press, Cambridge (2005).
Gong, G., Gaal, P., and Golomb, S.W., A suspected new infinite class of (2 1, 2 1, 2 1) cyclic difference sets, ITW 1997, Longyearbyen, Norway, July 6-12, (1997).
Gordon, B., Mills, W.H., Welch, L.R., Some new difference sets, Canad. J. Math. 14 (1962) pp. 614-625.
Hall Jr., Marshall, A survey of difference sets, Proc. Amer. Math. Soc. 7 (1956) pp. 975-986.
Helleseth, T., Gong, Guang, New nonbinary sequences with ideal two-level autocorrelation, IEEE Trans. Inform. Theory 48, no. 11, (2002), pp. 2868-2872.
Helleseth, T., Kumar, P.V., and Martinsen, H., A new family of ternary sequences with ideal autocorrelation function, Des. Codes Cryptogr. 23, no. 2, (2001) pp. 157-166.
Helleseth, T., personal communication, (2002).
Helleseth, Tor and Kumar, P. Vijay, Sequences with low correlation, Handbook of coding theory, Vol. I, II, North-Holland, Amsterdam (1998) pp. 1765-1853.
Hershey, J. & Yarlagadda, R., Two dimensional synchronization, Electron. Lett., Vol. 19, (1983) pp. 801-803.
Hertel, Doreen, Sequences with good correlation properties, Ph.D. Thesis, Otto-von-Guericke-University, Magdeburg (2006).
Høholdt, T., and Justesen, J., Ternary sequences with perfect periodic autocorrelation, IEEE Transactions on Information Theory 29(4), (1983) pp. 597-600.



Ipatov, V. P., Platonov, V. D., and Samolov, I. M., A new class of triple sequences with ideal periodic autocorrelation properties. (Russian) Izv. Vyssh. Uchebn. Zaved. Mat., no. 3 (1983) pp. 47-50.
Ipatov, V.P., Ternary sequences with ideal periodic autocorrelation properties, Radio Engineering and Electronic Physics 24, (1979) pp. 75-79.
Ipatov, V.P., Contribution to the theory of sequences with perfect autocorrelation properties, Radio Engineering and Electronic Physics 25, (1980) pp. 31-34.
Jedwab, J., Mitchell, C., Constructing new perfect binary arrays, Electronics Letters 24, (1988) pp. 650-652.
Jedwab, Jonathan, Generalized perfect arrays and Menon difference sets. Des. Codes Cryptogr. 2, no. 1, (1992) pp. 19-68.
Jedwab, Jonathan, What can be used instead of a Barker sequence? Finite fields and applications, Contemp. Math., 461, Amer. Math. Soc., Providence, RI, (2008) pp. 153-178.
Jensen, J.M., Jensen, H.E., Høholdt, T., The merit factor of binary sequences related to difference sets, IEEE Trans. IT 37(3) (1991) pp. 617-626.
Jungnickel, D. and Pott, A., Perfect and almost perfect sequences, Discrete Appl. Math. 95 (1999a) pp. 331-359.
Jungnickel, D., and Pott, A., Recent results on difference sets with classical parameters, Proceedings of the NATO ASI Difference Sets: An introduction, A. Pott et al. (eds.), (1999b), pp. 259-295.
Jungnickel, Dieter and Kharaghani, H., Balanced generalized weighing matrices and their applications, in: Matematiche 59, (2004) pp. 225-261.
Kashyap, N., Jacobi-like sums and cyclic difference sets, Master's Thesis, University of Maryland Baltimore County, 2005.
Lander, E.S., Symmetric Designs, An Algebraic Approach, Cambridge University Press, Cambridge, (1983).
Legendre, A.M., Essai sur la théorie des nombres, Paris (1798), p. 186.
Lempel, A., Cohn, M., Eastman, W.L., A class of binary sequences with optimal autocorrelation properties, IEEE Trans. Inform. Theory 23 (1977) pp. 38-42.
Leung, Ka Hin, Ling, San, Ma, Siu Lun, and Tay, Kian Boon, Almost perfect sequences with =2, Arch. Math. (Basel) 70, no. 2, (1998) pp. 128-131.
Leung, Ka Hin, Schmidt, B., Finiteness of Circulant Weighing Matrices of Fixed Weight (2010) Preprint.
Lidl, R. and Niederreiter, H., Finite Fields, 2nd Ed., Encyclopedia of Mathematics and Its Applications, vol. 20, Cambridge University Press, Cambridge, (1997).
Lin, H.A., From Hadamard difference sets to perfectly balanced sequences, Ph.D. Thesis, University of Southern California, Los Angeles, USA, (1998).
Ludkovski, M. and Gong, G., New families of ideal 2-level autocorrelation ternary sequences from second order DHT, International Workshop on Coding and Cryptography (Paris, 2001), 10 pp. (electronic), Electron. Notes Discrete Math., 6, Elsevier, Amsterdam, (2001).
Lüke, H.D., Bömer, C. & Antweiler, M., Perfect binary arrays, Signal Processing, 17 (1989), pp. 69-80.
Ma, S.L., Polynomial addition sets, Ph.D. thesis (1985), University of Hong Kong.
Ma, S.L. and Ng, W.S., On non-existence of perfect and nearly perfect sequences, Int. J. Information and Coding Theory, Vol. 1, No. 1, (2009) pp. 15-38.
MacWilliams, J., and Mann, H. B., On the p-rank of the design matrix of a difference set, Inform. Control 12 (1968) pp. 474-488.
Mann, H.B., Addition Theorems, Wiley, New York (1965).
Maschietti, A., Difference sets and hyperovals, Des. Codes Cryptogr. 14 (1998) pp. 89-98.
Mertens, S., and Bessenrodt, C., On the ground states of the Bernasconi model, J. Phys. A: Math. Gen. 31 (1998), pp. 3731-3749.
Mossinghoff, M.J., Wieferich prime pairs, Barker sequences, and circulant Hadamard matrices, http://www.cecm.sfu.ca/_mjm/ WieferichBarker, (2009).
Mossinghoff, Michael J., Wieferich pairs and Barker sequences, Des. Codes Cryptogr. 53, no. 3, (2009) pp. 149-163.
Mullin, R. C. and Stanton, R. G., Group matrices and balanced weighing designs. Utilitas Math. 8, (1975) pp. 277-301.
Mullin, R. C., A note on balanced weighing matrices. Combinatorial mathematics, III (Proc. Third Australian Conf., Univ. Queensland, St. Lucia, 1974), pp. 28-41. Lecture Notes in Math., Vol. 452, Springer, Berlin, (1975).
No, J. S., Golomb, S.W., Gong, G., Lee, H.K., and Gaal, P., Binary pseudorandom sequences of period 2 1 with ideal autocorrelation, IEEE Trans. Inf. Theory 44, (1998) pp. 814-817.

[97] [98] [99] [100] [101] [102] [103] [104] [105] [106] [107]

[108]

171

[109] No, J.S., Chung, H., Yun, M.S., Binary pseudorandom sequences of period 2 1 with ideal autocorrelation generated by the polynomial + ( + 1) , IEEE Trans. Inform. Theory 44 (1998) pp. 1278-1282. [110] No., J., p-ary unified sequences: p-ary extended d-form sequences with the ideal autocorrelation property. IEEE Trans. Inform. Theory 48, no. 9 (2002) pp. 2540-2546. [111] Paley, R.E.A.C., On orthogonal matrices , J. Math. Phys. MIT 12 (1933) pp. 311-320. [112] Pless, V., Symmetry codes over GF(3) and new five-designs, J.Combin. Theory Ser. A, 12 (1972) pp. 119-142. [113] Pott, A., Finite geometry and character theory, Springer Lecture Notes 1601, New York (1995). [114] Schmidt, B., Characters and cyclotomic fields in finite geometry . Lecture Notes in Mathematics, 1797 (2002). [115] Schmidt, B., Cyclotomic integers and finite geometry , J. Am. Math. Soc. 12 (1999) pp. 929-952. [116] Sidelnikov, V.M., Some k-valued pseudo-random sequences and nearly equidistant codes , Probl. Inf. Transm. 5 (1969) pp. 12-16. [117] Simon, M.K., Omura. J.K., Scholtz, R.A., and Levit, B.K., Spread Spectrum Communications, Volume I Computer Science Press, Rockville Maryland, (1985). [118] Singer, J.F., A theorem in finite projective geometry and some applications to number theory , Trans. AMS 43 (1938) pp. 377-385. [119] Stanton, R. G. and Sprott, D. A., A family of difference sets , in Canad. J. Math. 10 (1958), pp. 73-77. [120] Storer, T., Cyclotomy and Difference Sets, Markham, Chicago (1967). [121] Strassler, Y., The classification of circulant weighing matrices of weight 9, Ph.D. Thesis, Bar-Ilan University, Israel (1997). [122] Strassler, Y., New circulant weighing matrices of prime order in CW(31,16), CW(71,25), CW(127,64) , J.Stat. Planning and Inference 73, (1998) pp. 317-330. [123] Turyn, R. Sequences with small correlation. (1968) Error Correcting Codes (Proc. Sympos. Math. Res. Center, Madison, Wis.,) John Wiley, New York (1968) pp. 195-228. [124] Turyn. 
R.J., Character sums and difference sets , Pacific J. Math., Vol. 15 (1965) pp. 319-346. [125] Turyn. R.J., Complex Hadamard matrices, Combinatorial Structures and their Applications, Gordon and Breach, London (1970) pp. 435-437. [126] Vincent, A., Applications of Combinatorial Designs to the Theory of Communications, PhD thesis, RHBNC, University of London (1989). [127] Wallis, Jennifer Seberry, and Whiteman, Albert Leon, Some results on weighing matrices , Bull. Austral. Math. Soc. 12, no. 3 (1975) pp. 433-447. [128] Whiteman, A.L., A family of difference sets , Illinois J. Math. 6 (1962) pp. 107-121. [129] Wild, P., Infinite families of perfect binary arrays , Electronic letters 24, (1988) pp. 845-847. [130] Xiang, Q., Recent progress in algebraic design theory, Finite Fields and Their Applications 11 (2005) pp. 622-653. [131] Xiang, Q., Recent results on difference sets with classical parameters , In: J. Dinitz, D.R. Stinson (Eds.), Contemporary Design Theory, A Collection of surveys, Wiley-Interscience Series in Discrete Mathematics and Optimization, Wiley, New York (1992) pp. 419--437. [132] Yamamoto, K, On congruences arising from relative Gauss sums , In: Number Theory and Combinatorics, World Scientific Publ. Japan (1985).

172

Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-172

Permutation decoding for codes from designs, finite geometries and graphs

J.D. KEY Department of Mathematical Sciences, Clemson University, Clemson, SC 29634, U.S.A.

Abstract. Recent advances in technology have produced a requirement for new implementations of good error-correcting codes. Such applications of codes also require efficient encoding and decoding methods. The method of permutation decoding was first developed by MacWilliams in the early 60s and can be used when a code has a sufficiently large automorphism group to ensure the existence of a set of automorphisms, called a PD-set, that has some specific properties. We describe here the method, and why it works, and give a short survey of permutation decoding using codes that arise from combinatorial structures such as graphs, designs and finite geometries, including some recent results in the search for PD-sets. Keywords. codes, designs, finite geometries, graphs

Introduction

Permutation decoding was introduced by MacWilliams [42]. It involves finding a set of automorphisms of the code, called a PD-set, that acts in a certain way with respect to a known information set for the code. If such a set of automorphisms can be found, then a simple algorithm using this set can be followed to correct the maximum number of errors of which the code is capable. The method is described fully in MacWilliams and Sloane [43, Chapter 15] and also in Huffman [17, Section 8], where a survey of results up to the time of writing that chapter is given. We will describe the method and the algorithm in Section 2.

We will give here a brief, but complete, description of permutation decoding, and discuss some recent results. In particular we will look at codes defined by classes of designs, graphs, or finite geometries where the automorphism group is known and large enough to allow permutation decoding or partial permutation decoding to be used. The implementation of this decoding method involves not only knowledge of the main parameters of the code, but also, of course, the automorphism group of the code, as well as the ability to produce suitable information sets. This latter question leads to questions involving a set of basis vectors of the code, and in the case of codes from combinatorial structures that we concentrate on here, bases made up of incidence vectors of the blocks of the design, or a design associated

J.D. Key / Permutation Decoding for Codes from Designs, Finite Geometries and Graphs

173

with the structure. This particularly applies to codes from finite planes, for which there are only very partial answers. The question of the automorphism group of the code also arises, and the determination of when this is the same as the symmetry group of the combinatorial structure, or when it might be larger. The group of the code will be the same as the group of the design if the words in the code of weight the block size of the design are precisely the scalar multiples of the incidence vectors of the blocks of the design. This happens for a large class of graphs discussed here, and, of course, for finite projective planes. The results that are mentioned in the sections to follow do in many cases address these questions.

In the sections to follow we first give some background material on designs, codes and graphs in Section 1. Section 2 contains a full description of permutation decoding and the notions of PD-sets and s-PD-sets. The remaining sections outline some of the known results for PD-sets from combinatorial structures. In many cases PD-sets for full error-correction are obtained, but in others it is not possible to use this method for full error-correction, due to a combinatorial lower bound on the size of a PD-set being larger than the size of the automorphism group. However in these cases s-PD-sets can usually be found. In Section 6, as an illustration of the problems involved, we give sample proofs of three of the results quoted in the earlier sections, one for a class of graphs, one for desarguesian projective planes, and one for affine hyperplane designs.

1. Background and terminology

The notation for designs and codes follows [1]. An incidence structure D = (P, B, J), with point set P, block set B and incidence J is a t-(v, k, λ) design, if |P| = v, every block B ∈ B is incident with precisely k points, and every t distinct points are together incident with precisely λ blocks. An incidence matrix M = [m_{i,j}] of D = (P, B, J) with |B| = b is a b × v matrix with rows labelled by the blocks, columns by the points and m_{i,j} = 1 if the ith block is incident with the jth point, and m_{i,j} = 0 otherwise. A design is symmetric if v = b. The code C_F(D) of the design D over the finite field F is the space spanned by the incidence vectors of the blocks over F. Equivalently, it is the row span of an incidence matrix for the design over F. If Q ⊆ P, then we denote the incidence vector of Q by v^Q, writing v^P if Q = {P} where P ∈ P. Thus C_F(D) = ⟨v^B | B ∈ B⟩, and is a subspace of F^P. If F = F_p we write C_F(D) = C_p(D). The p-rank of D, written rank_p(D), is the dimension of C_p(D), i.e. the rank over F_p of an incidence matrix for D. The hull of a design with code C over F_p is C ∩ C^⊥, written Hull_p(D) or simply Hull(D).

All the codes here will be linear codes, i.e. subspaces of the ambient vector space. If a code C over a field of order q is of length n, dimension k, and minimum weight d, we say that C is a [n, k, d]_q code. A generator matrix for the code is a k × n matrix made up of a basis for C. The dual code C^⊥ is the orthogonal under the standard inner product, i.e. C^⊥ = {v ∈ F^n | (v, c) = 0 for all c ∈ C}. A check matrix for C is a generator matrix for C^⊥; the syndrome of a vector y ∈ F^n is Hy^T. A code C is self-orthogonal if C ⊆ C^⊥ and is self-dual if C = C^⊥. If c is a codeword then the support of c is the set of non-zero coordinate positions


of c. A constant word in the code is a codeword, all of whose coordinate entries are either 0 or 1. The all-one vector will be denoted by j, and is the constant vector of weight the length of the code. Two linear codes of the same length and over the same field are equivalent if each can be obtained from the other by permuting the coordinate positions and multiplying each coordinate position by a non-zero field element. They are isomorphic if they can be obtained from one another by permuting the coordinate positions. Any code is isomorphic to a code with generator matrix in so-called standard form, i.e. the form [I_k | A]; a check matrix then is given by [−A^T | I_{n−k}]. The first k coordinates are the information symbols and the last n − k coordinates are the check symbols. An automorphism of a code C is any permutation of the coordinate positions that maps codewords to codewords.

For any finite field F_q of order q, the set of points and r-dimensional subspaces of an m-dimensional projective geometry forms a 2-design which we will denote by PG_{m,r}(F_q). Similarly, the set of points and r-dimensional flats of an m-dimensional affine geometry forms a 2-design, AG_{m,r}(F_q). The automorphism groups of these designs (and codes) are the full projective or affine semilinear groups, PΓL_{m+1}(F_q) or AΓL_m(F_q), and are always 2-transitive on points. If q = p^e where p is a prime, the codes of these designs are over F_p and are subfield subcodes of the generalized Reed-Muller codes: see [1, Chapter 5] for a full treatment. The dimension and minimum weight is known in each case: see [1, Theorem 5.7.9].

For a vector space V over a field F, if the dimension of V is n we will use e_i, for i = 1, …, n, to denote the standard basis for V. A translation by u ∈ V will be denoted by T(u), i.e.

T(u) : x ↦ x + u (1)

for each x ∈ V. The group of translations of V will be denoted by T(V) or simply T if the context is clear.

The graphs, Γ = (V, E) with vertex set V and edge set E, discussed here are undirected with no loops, apart from the case where all loops are included, in which case the graph is called reflexive. If x, y ∈ V and x and y are adjacent, we write [x, y] for the edge in E that they define. If [x_i, x_{i+1}] for i = 1 to r − 1, and [x_r, x_1] are all edges of Γ, and the x_i are all distinct, then the sequence written (x_1, …, x_r) will be called a closed path of length r for Γ. A graph is regular if all the vertices have the same valency. An adjacency matrix A of a graph with N vertices is an N × N matrix with entries a_{ij} such that a_{ij} = 1 if vertices v_i and v_j are adjacent, and a_{ij} = 0 otherwise. An incidence matrix of Γ is an N × |E| matrix B with b_{i,j} = 1 if the vertex labelled by i is on the edge labelled by j, and b_{i,j} = 0 otherwise. If Γ is regular with valency k, then the 1-(|E|, k, 2) design with incidence matrix B is called the incidence design of Γ. The neighbourhood design of a regular graph is the 1-design formed by taking the points to be the vertices of the graph and the blocks to be the sets of neighbours of a vertex, for each vertex, i.e. an adjacency matrix as an incidence matrix for the design. The line graph of a graph Γ = (V, E) is the graph L(Γ) with E as vertex set and where adjacency is defined so that e and f in E, as vertices, are adjacent in L(Γ) if e and f as edges of Γ share a vertex in Γ.


The code of a graph Γ over a finite field F is the row span of an adjacency matrix A over the field F, denoted by C_F(Γ) or C_F(A). The dimension of the code is the rank of the matrix over F, also written rank_p(A) if F = F_p, in which case we will speak of the p-rank of A or Γ, and write C_p(Γ) or C_p(A) for the code. It is also the code over F_p of the neighbourhood design. Similarly, if B is an incidence matrix for Γ, C_p(B) denotes the row span of B over F_p and is the code of the design with blocks the rows of B, in the case that Γ is regular. If M is an adjacency matrix for L(Γ) where Γ is regular of valency k, N vertices, e edges, then

BB^T = A + kI_N and B^T B = M + 2I_e, (2)

where A is an adjacency matrix, and B an incidence matrix, for Γ.

When examining the codes from incidence matrices of graphs and adjacency matrices of their line graphs, the following result from [12] concerning weight-4 words in the dual code has been useful. We will refer to it in Section 6.

Result 1 ([12]) Let Γ be a graph, G an incidence matrix for Γ, and [P, Q, R, S] a closed path in Γ. For any prime p, if C = C_p(G), then

u = v^{[P,Q]} + v^{[R,S]} − v^{[P,S]} − v^{[Q,R]} ∈ C^⊥. (3)

For p odd, u ∈ C_p(L(Γ)).

2. Permutation decoding

The decoding method termed permutation decoding involves finding a set of automorphisms of a code, called a PD-set. The method is described fully in MacWilliams and Sloane [43, Chapter 15] and Huffman [17, Section 8]. In [21] we extended the definition of PD-sets to s-PD-sets for s-error-correction, a term that is also used in [37,38].

Definition 1 If C is a t-error-correcting code with information set I and check set C, then a PD-set for C is a set S of automorphisms of C which is such that every t-set of coordinate positions is moved by at least one member of S into the check positions C. For s ≤ t an s-PD-set is a set S of automorphisms of C which is such that every s-set of coordinate positions is moved by at least one member of S into C.

The algorithm for permutation decoding, once a PD-set has been found, is as follows: given a t-error-correcting [n, k, d]_q code C with check matrix H in standard form. Thus the generator matrix G for C that is used for encoding has I_k as the first k columns, and hence as the information symbols. Any k-tuple v is encoded as vG. Suppose x is sent and y is received and at most t errors occur. Let S = {g_1, …, g_m} be the PD-set.


Compute the syndromes H(yg_i)^T for i = 1, …, m until an i is found such that the weight of this vector is t or less. Examine the information symbols in yg_i, and obtain the codeword c that has these information symbols. Decode y as cg_i^{−1}.

Note that this is valid since permutations of the coordinate positions correspond to linear transformations of F^n, so that if y = x + e, where x ∈ C, then yg = xg + eg for any g ∈ S_n, and if g ∈ Aut(C), then xg ∈ C. That this method does correct t errors follows from the following result (proved in [17, Theorem 8.1]):

Result 2 Let C be an [n, k, d]_q t-error-correcting code. Suppose H is a check matrix for C in standard form, i.e. such that I_{n−k} is in the redundancy positions. Let y = c + e be a vector, where c ∈ C and e has weight ≤ t. Then the information symbols in y are correct if and only if the weight of the syndrome of y is ≤ t.

Proof: Suppose C has generator matrix G in standard form, i.e. G = [I_k | A] and that the encoding is done using G, i.e. the data set x = (x_1, …, x_k) is encoded as xG. The information symbols are then the first k symbols, and the check matrix H is H = [−A^T | I_{n−k}]. Suppose the information symbols of y are correct. Then Hy^T = He^T = e''^T, and thus wt(Hy^T) ≤ t. Conversely, suppose that not all the information symbols are correct. Then if e = e_1 … e_n, and e' = e_1 … e_k, e'' = e_{k+1} … e_n, we assume that e' is not the zero vector. Now use the fact that for any vectors wt(x + y) ≥ wt(x) − wt(y), and that e'G = (e', e'A) is a non-zero codeword, so wt(e'A) ≥ d − wt(e'). Then

$$\mathrm{wt}(Hy^T) = \mathrm{wt}(He^T) = \mathrm{wt}(-A^T e'^T + e''^T) \ge \mathrm{wt}(A^T e'^T) - \mathrm{wt}(e''^T) = \mathrm{wt}(e'A) - \mathrm{wt}(e'') \ge d - t \ge t + 1,$$

which proves the result. □

There is a lower bound on the size of a PD-set (and one for an s-PD-set), due to Gordon [15] using a formula of Schönheim [46], and also proved in [17]:

Result 3 ([15]) If S is a PD-set for a t-error-correcting [n, k, d]_q code C, and r = n − k, then

$$|S| \ge \left\lceil \frac{n}{r} \left\lceil \frac{n-1}{r-1} \left\lceil \cdots \left\lceil \frac{n-t+1}{r-t+1} \right\rceil \cdots \right\rceil \right\rceil \right\rceil.$$


This result can be adapted to s-PD-sets for s ≤ t by replacing t by s in the formula.

In Gordon [15] and Wolfman [51] small PD-sets for the binary Golay codes were found. In Chabanne [6] abelian codes, i.e. ideals in the group algebra of an abelian group, are looked at using Gröbner bases, and the ideas of permutation decoding are generalized. In general it is rather hard to find these PD-sets, and obviously they need not even exist. Also the existence may depend on the chosen information set, and thus existence of a PD-set is not invariant under equivalence of codes.

Note that PD-sets need not be sought, in general, for codes with minimum weight 3 or 4, since correcting a single error is, in fact, simply done by using syndrome decoding, because in that case multiples of the columns of the check matrix will give the possible syndromes. Thus the syndrome of the received vector need only be compared with the columns of the check matrix, by looking for a multiple.

A simple argument yields that the worst-case time complexity for the decoding algorithm using an s-PD-set of size m on a code of length n and dimension k is O(nkm). Thus we want small PD-sets. Since the algorithm uses an ordering of the PD-set, good choices of the ordering of the elements can reduce the complexity. For example, we can find an s-PD-set S_s for each 0 ≤ s ≤ t such that S_0 ⊂ S_1 ⊂ … ⊂ S_t and arrange the PD-set S in this order:

S_0 ∪ (S_1 \ S_0) ∪ (S_2 \ S_1) ∪ … ∪ (S_t \ S_{t−1}). (4)

(Usually take S_0 = {id}.) A study of the complexity of the algorithm for some algebraic geometry codes is given in [19]. An interesting method of using anti-blocking sets, that is sometimes more efficient than that of PD-sets, is described in [38].
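To make the decoding steps above concrete, here is an added worked example in Python (not code from the survey or from [26]). It uses the binary code of the triangular graph T_7, whose information set and PD-set are stated in Result 6 of Section 4.1: the code is built from an adjacency matrix of T_7 as in Section 4.1, the information set I = {{1,7}, …, {6,7}} is moved to the first positions so that G = [I_k | A] and H = [A^T | I_{n−k}] (over GF(2) the sign of A^T is immaterial), the algorithm is run with S = {1_G} ∪ {(i,7) | 1 ≤ i ≤ 6}, Definition 1 is checked directly for S, and the bound of Result 3 is evaluated. The vertex labels, the variable and function names and the pure-Python GF(2) row reduction are this example's own choices, not the survey's.

```python
"""Permutation decoding of C_2(T_7), the binary code of the triangular graph T_7.
Added worked example (not the survey's code): the code is built from an adjacency
matrix as in Section 4.1, the information set I of Result 6 is placed first, and
the Section 2 algorithm is run with the PD-set S = {1_G} u {(i,n)} of Result 6(1)."""
from itertools import combinations

N = 7                                                # n odd, n >= 5 (Result 6, part 1)
EDGES = list(combinations(range(1, N + 1), 2))       # vertices of T_n = edges of K_n
INFO = [(i, N) for i in range(1, N)]                 # I = {{1,n}, ..., {n-1,n}}
ORDER = INFO + [e for e in EDGES if e not in INFO]   # coordinates, information symbols first
POS = {e: p for p, e in enumerate(ORDER)}
T_MAX = (N - 2) // 2                                 # t = floor((d-1)/2) with d = n-1

def gf2_rref(rows):
    """Reduced row echelon form over GF(2); returns (non-zero rows, pivot columns)."""
    rows, pivots, r = [row[:] for row in rows], [], 0
    for c in range(len(rows[0])):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                rows[i] = [a ^ b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    return rows[:r], pivots

def build_code():
    """(G, H, k): G = [I_k | A] spans C_2(T_n) in ORDER coordinates, H = [A^T | I_{n-k}]."""
    adj = [[int(len(set(e) & set(f)) == 1) for f in ORDER] for e in ORDER]
    G, pivots = gf2_rref(adj)
    k, n = len(G), len(ORDER)
    assert pivots == list(range(k)), "I is not an information set for this code"
    H = [[G[i][k + j] for i in range(k)] + [int(c == j) for c in range(n - k)]
         for j in range(n - k)]
    return G, H, k

def encode(x, G):
    """xG over GF(2); the k-tuple x reappears as the first k (information) symbols."""
    return [sum(x[i] & G[i][c] for i in range(len(x))) & 1 for c in range(len(G[0]))]

def syndrome(H, y):
    """H y^T over GF(2)."""
    return [sum(h & v for h, v in zip(row, y)) & 1 for row in H]

def edge_perm(g):
    """Coordinate permutation induced by g in S_n (dict on vertices): edge e -> e^g."""
    return [POS[tuple(sorted((g.get(a, a), g.get(b, b))))] for a, b in ORDER]

def act(y, perm):
    """The vector yg: the entry at position p moves to position perm[p]."""
    out = [0] * len(y)
    for p, v in enumerate(y):
        out[perm[p]] = v
    return out

def pd_set():
    """S = {1_G} u {(i, n) | 1 <= i <= n-1} of Result 6(1), as coordinate permutations."""
    return [edge_perm({})] + [edge_perm({i: N, N: i}) for i in range(1, N)]

def is_pd_set(S, k, t):
    """Definition 1: some element of S moves every t-set of positions into the check positions."""
    n = len(ORDER)
    for err in combinations(range(n), t):
        y = [int(p in err) for p in range(n)]
        if not any(not any(act(y, perm)[:k]) for perm in S):
            return False
    return True

def permutation_decode(y, G, H, k, S, t):
    """Section 2 algorithm: find g with wt(H(yg)^T) <= t, re-encode, then apply g^-1."""
    for perm in S:
        yg = act(y, perm)
        if sum(syndrome(H, yg)) <= t:
            inv = sorted(range(len(perm)), key=perm.__getitem__)   # inverse permutation
            return act(encode(yg[:k], G), inv)
    return None                                      # more than t errors: no guarantee

def min_weight(G, k):
    """Minimum weight by enumerating all 2^k - 1 non-zero codewords (k is small here)."""
    return min(sum(encode([(m >> i) & 1 for i in range(k)], G)) for m in range(1, 2 ** k))

def gordon_bound(n, r, t):
    """Result 3: ceil(n/r * ceil((n-1)/(r-1) * ... * ceil((n-t+1)/(r-t+1)) ...))."""
    b = 1
    for i in reversed(range(t)):
        b = -((-(n - i) * b) // (r - i))             # exact ceiling in integer arithmetic
    return b

def check_all():
    """True iff every codeword with every error pattern of weight <= t decodes correctly."""
    G, H, k = build_code()
    S, n = pd_set(), len(ORDER)
    patterns = [e for w in range(T_MAX + 1) for e in combinations(range(n), w)]
    for m in range(2 ** k):
        c = encode([(m >> i) & 1 for i in range(k)], G)
        for err in patterns:
            y = [c[p] ^ int(p in err) for p in range(n)]
            if permutation_decode(y, G, H, k, S, T_MAX) != c:
                return False
    return True
```

Running build_code() gives k = 6 and min_weight() gives 6, i.e. the [21, 6, 6]_2 code of Result 6 with t = 2; check_all() walks all 64 codewords under every error pattern of weight at most 2 and confirms each decodes back to the codeword sent, while is_pd_set() verifies Definition 1 for the 7-element set and shows that dropping elements (for instance keeping only the identity and two transpositions) breaks it. For n = 21, r = 15, t = 2 the bound of Result 3 is 3, so the PD-set of Result 6 is within a small factor of the lower bound.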

3. Cyclic codes and generalizations

In her original paper, MacWilliams [42] developed a theory for finding PD-sets for cyclic codes. An [n, k, d]_q code C is cyclic if whenever c = c_1 c_2 … c_n ∈ C then every cyclic shift of c is in C. Thus the cyclic shift, the mapping in S_n defined by i ↦ i + 1 (mod n) for i ∈ {1, 2, …, n}, is in the automorphism group of C, and its nth power is the identity. If a message c is sent and t errors occur, then if e is the error vector and if there is a sequence of k zeros between two of the error positions, then some power of the shift will move the sequence of zeros into the information positions, and thus all the errors will occur in the check positions. Thus the cyclic group generated by the shift will be a PD-set for C if k < n/t.


As shown in [42], if q is a number prime to the length n, then the map i ↦ qi (mod n) is also an automorphism of the cyclic code and lies in the normalizer N of the cyclic group generated by the shift. MacWilliams examines cases where N contains a PD-set. In [22, Lemma 7] the following, which generalizes this, was proved:

Result 4 ([22]) Let C be a code with minimum distance d, I an information set, C the corresponding check set and P = I ∪ C. Let G be an automorphism group of C, and n the maximum of |O ∩ I|/|O|, where O is a G-orbit. If s = min(⌈1/n⌉ − 1, ⌊(d − 1)/2⌋), then G is an s-PD-set for C.

It is important to note that this result is true for any information set. If the group G is transitive then |O| is the degree of the group and |O ∩ I| is the dimension of the code. This result is used to establish PD-sets in some of the classes of graphs and designs in the next sections, in particular when information sets are hard to find for general classes.

Result 4 is applicable to codes from incidence matrices of connected regular graphs with automorphism groups transitive on edges:

Result 5 ([8]) Let Γ = (V, E) be a regular graph of valency v with automorphism group A transitive on edges. Let M be an incidence mat rix for Γ. If, for p a prime, C = C_p(M) = [|E|, |V| − ε, v]_p, where ε ∈ {0, 1, …, |V| − 1}, then any transitive subgroup K of A will serve as a PD-set for full error correction for C.

This is used in the following section discussing PD-sets for some classes of graphs.

4. Codes from graphs

In searching for PD-sets, suitable information sets need first to be found. Codes from some classes of graphs have large automorphism groups, so it was reasonable to consider some of these classes of graphs first. Notice that a code defined by a design or graph as outlined in Section 1 will have automorphism group at least that of the design or graph, and in some cases a larger automorphism group. We look here at codes from adjacency matrices and incidence matrices of classes of graphs, and find, where possible, information sets and PD-sets for these classes. In the following we frequently wish to include the identity element of the symmetric group S_n as a transposition in some set, and have used the notation (i, i), where 1 ≤ i ≤ n, to denote it, where convenient.

4.1. Triangular graphs

For any n, the triangular graph T_n is the line graph of the complete graph K_n, and is strongly regular with parameter set ($\binom{n}{2}$, 2(n − 2), n − 2, 4). Equivalently, it is the uniform subset graph with vertex set the $\binom{n}{2}$ 2-subsets of a set of size n and adjacency defined by two 2-subsets being adjacent if the cardinality of their intersection is 1. The automorphism group of the graph is the symmetric group S_n, that being the automorphism group for K_n and hence, by [50], it is the group for the line graph T_n as well. Binary codes for T_n were examined in [16,49].


In [26,45,13] the binary codes were examined for permutation decoding:

Result 6 ([26] Theorem 1.1) For n ≥ 5, T_n the triangular graph, and C = C_2(T_n) with the vertices I = {{1, n}, {2, n}, …, {n − 1, n}} in the first n − 1 positions:
1. C = [$\binom{n}{2}$, n − 1, n − 1]_2 code for n odd and, with I as the information set, S = {1_G} ∪ {(i, n) | 1 ≤ i ≤ n − 1} is a PD-set for C of n elements in S_n;
2. C = [$\binom{n}{2}$, n − 2, 2(n − 2)]_2 code for n even, and with I excluding {n − 1, n} as the information set, S = {1_G} ∪ {(i, n) | 1 ≤ i ≤ n − 1} ∪ {[(i, n − 1)(j, n)]^{−1} | 1 ≤ i, j ≤ n − 2} is a PD-set for C of n² − 2n + 2 elements in S_n.

From [26], the automorphism group of the binary code of T(n) is also S_n for n ≥ 5, n ≠ 6, since in the latter case the automorphism group of the code is larger. The computational complexity of the decoding by this method may be quite low, of the order n^{1.5} if the elements of the PD-set are appropriately ordered. The codes are low density parity check (LDPC) codes. Recall that, from Equation (2), if M_n is an incidence matrix for the complete graph K_n, and A_n is an adjacency matrix for T_n, then

$$M_n^T M_n = A_n + 2I_{\binom{n}{2}}.$$

Thus for binary codes, C_2(A_n) ⊆ C_2(M_n), and we are led to an examination of codes from M_n. (Note that in [30,12] it is shown that codes over other primes of the line graphs in this and similar cases will not yield interesting codes, since the minimum weight is at most 4. See Result 1.) From Result 6 we see that for n odd C_2(M_n) = C_2(T_n) and for n even, C_2(T_n) is the subcode spanned by the differences of two rows of M_n. In [30] the codes from the incidence matrix M_n of K_n over odd primes were examined:

Result 7 ([30] Theorem 1.1) Let C_n be the p-ary code of an incidence matrix M_n for the complete graph K_n where p is any odd prime and n ≥ 5. Then C_n is a [$\binom{n}{2}$, n, n − 1]_p code with information set I_n = {[1, n], …, [n − 1, n], [1, 2]}, where [i, j] denotes the edge of K_n between the vertices i, j.


For n ≥ 6 the minimum words of C_n are the scalar multiples of the rows of M_n, and Aut(C_n) = S_n. The set S = {(n, i)(1, j) | 1 ≤ i ≤ n, 1 ≤ j ≤ n − 1} of elements of S_n, where (i, j) ∈ S_n is a transposition and (k, k) is the identity of S_n, is a PD-set of size n(n − 1) for C_n for the information set I_n. For n ≥ 8, C_n has no words of weight d in the range n ≤ d ≤ 2n − 5.

Let E_n = ⟨r_i − r_j | r_i, r_j rows of M_n⟩. Then for n ≥ 8, E_n is an [$\binom{n}{2}$, n − 1, 2n − 4]_p code. For n ≥ 4, I'_n = I_n \ {[n − 1, n]} is an information set for E_n. For n ≥ 9, the minimum words of E_n are the scalar multiples of r_i − r_j, 1 ≤ i, j ≤ n, where r_i, r_j are rows of M_n. For n ≥ 7, S' = {(n − 1, i)(n, j)(1, k) | 1 ≤ i ≤ n − 1, 1 ≤ j ≤ n, 3 ≤ k ≤ n − 1}, is a PD-set of size n(n² − 5n + 7) for E_n for the information set I'_n.

Note: This result holds for p = 2 as well, except that the dimension is n − 1 and one element must be removed from I_n.

4.2. Lattice graphs

The (square) lattice graph L_2(n) is the line graph of the complete bipartite graph K_{n,n}, and is strongly regular with parameters (n², 2(n − 1), n − 2, 2). The row span over F_2 of an adjacency matrix (see also [49,16]) gives codes with parameters [n², 2(n − 1), 2(n − 1)]_2 for n ≥ 5 with S_n ≀ S_2 as automorphism group. Information sets and PD-sets of size n² in S_n × S_n were found in [35]. The vertex set of K_{n,n} is A ∪ B, where A = {a_1, …, a_n}, B = {b_1, …, b_n} and the edges (points of the line graph) are the pairs [a_i, b_j] where a_i ∈ A, b_j ∈ B. For α, β ∈ S_n, (α, β) ∈ S_n × S_n acts on the points of L_2(n) by [a_i, b_j](α, β) = [a_{iα}, b_{jβ}].

Result 8 ([35] Theorem 1) For n ≥ 5, C = C_2(L_2(n)) = [n², 2(n − 1), 2(n − 1)]_2. The 2(n − 1) points {[a_i, b_n] | 2 ≤ i ≤ n − 1} ∪ {[a_n, b_i] | 1 ≤ i ≤ n} are information symbols for which the set S = {((i, n), (j, n)) | 1 ≤ i ≤ n, 1 ≤ j ≤ n} of permutations in S_n × S_n forms a PD-set of size n² for C.

Using the ideas of Equation (4), the time complexity can be reduced if the PD-set (sequence) is ordered as follows, from [48]:

Result 9 ([48]) For n ≥ 5, C = C_2(L_2(n)) = [n², 2(n − 1), 2(n − 1)]_2, and information set {[a_i, b_n] | 2 ≤ i ≤ n − 1} ∪ {[a_n, b_i] | 1 ≤ i ≤ n}, for 0 ≤ k ≤ t = n − 2,

S_k = {((i, n), (j, n)) | n − k ≤ i, j ≤ n} (5)

is a k-PD-set for C.

The codes from incidence matrices for the lattice graph were also examined in [31]. Using the same notation for the graph as given above:

Result 10 ([31] Theorem 1) Let C_n be the p-ary code of an incidence matrix M_n for the complete bipartite graph K_{n,n} where p is a prime and n ≥ 3. Then C_n is a [n², 2n − 1, n]_p code with information set I_n = {[a_i, b_n] | 1 ≤ i ≤ n} ∪ {[a_n, b_i] | 1 ≤ i ≤ n − 1}. For n ≥ 3 the minimum words are the scalar multiples of the rows r_i of M_n, and Aut(C_n) = S_n ≀ S_2. The set S = {((n, i), (n, i)) | 1 ≤ i ≤ n}, of elements of S_n × S_n, where (i, j) ∈ S_n is a transposition if i ≠ j, is a PD-set of size n for C_n using I_n.

Let E_n = ⟨r_i − r_j | r_i, r_j rows of M_n⟩. Then for n ≥ 3 E_n is an [n², 2n − 2, 2n − 2]_p code and the minimum words are the scalar multiples of the r_i − r_j. Further, I'_n = I_n \ {[a_1, b_n]} is an information set, and S' = {((n, i), (n, j)) | 1 ≤ i, j ≤ n}, a PD-set of size n² for E_n using I'_n.

Note that for p = 2, E_n is the binary code of the lattice graph L_2(n), and was covered originally in Result 8.

4.3. Line graphs of complete multi-partite graphs

Similar results to those for the square lattice graph hold for the rectangular lattice graph L_2(m, n) [32], i.e. the line graph of the complete bipartite graph K_{m,n} with n ≠ m. The vertex set of K_{m,n} is A ∪ B, where A = {a_1, …, a_m}, B = {b_1, …, b_n} and the edges are the pairs [a_i, b_j] where a_i ∈ A, b_j ∈ B.

Result 11 ([32] Theorem 1) If C = C_2(L_2(m, n)) for 2 ≤ m < n, then C is [mn, m + n − 2, 2m]_2 for m + n even; [mn, m + n − 1, m]_2 for m + n odd


with Sm Sn as an automorphism group of C . The set I = {[ai , bn ] | 1 i m} {[am , bi ] | 1 i n 1} is an information set for m + n odd, and I = I \ {[a1 , bn ]} is an information set for m + n even. Let S e = {((i, m), (j, n)) | 1 i m, 1 j m} {id}, S o = {((i, m), (i, n)) | 1 i m} {id}, be sets of permutations in Sm Sn . Then for 3 m < n, S e is a PD-set of m2 +1 elements for C for m + n even, and S o is a PD-set of m + 1 elements for C for m + n odd, using I as information symbols for m + n odd, and I for m + n even, and where id denotes the identity map. More generally, the binary codes of the line graphs L(Kn1 ,...,nm ) of the complete multi-partite graphs Kn1 ,...,nm , where ni = n for i = 1, . . . m, with automorphism group Sn Sm were considered in [33], and PD-sets were found for some classes, and s-PD-sets were found for all classes for some s. Writing the vertices of Kn,n,...,n as the ordered pairs (i, j ) for 1 i m and 1 j n, the edges are [(i, j ), (k, l)] where i = k , and these are the points of the line graph. The specic decoding sets can be found in [33]. Result 12 ([33] Theorem 1) If C = C2 (L(Kn,...,n )) is the binary code of the line graph of the complete multipartite graph Kn,...,n of nm vertices, where n 2, m 3, then

$C$ is a $[\tfrac{1}{2}m(m-1)n^2,\; mn-2,\; 2n(m-1)-2]_2$ code for $mn$ even; $C$ is a $[\tfrac{1}{2}m(m-1)n^2,\; mn-1,\; n(m-1)]_2$ code for $mn$ odd.

Let

$I = \{[(1,1),(i,j)] \mid 2 \le i \le m,\ 1 \le j \le n\} \cup \{[(1,i),(2,1)] \mid 2 \le i \le n\} \setminus \{[(1,1),(m,n)]\},\qquad I' = I \cup \{[(1,2),(m,n)]\}.$

Then I is an information set for C if mn is even, and I' is an information set for mn odd. Using these information sets
1. if n = 2 and m ≥ 3, C has a PD-set of size 16m² − 8m;
2. if n = 3 and m ≥ 3 is odd, C has a PD-set of size 27m;
3. if m = 3 and n ≥ 3 is odd, C has a PD-set of size 2n³.
Furthermore, s-PD-sets of size N exist as follows: s < m/2, N = m; s < m, N = mn²; s < 3m/2, N = mn³; s < 2m, mn even, N = 4m²n² − 2mn²; s < n/2, N = n for mn even, N = 2n for mn odd; s < n, N = n³ for mn even, N = 2n³ for mn odd.


4.4. Uniform subset graphs

If Ω is a set of size n, let P = Ω^{{3}}, the set of subsets of Ω of size 3, be the vertex set of graphs A_i(n), for i = 0, 1, 2, with adjacency defined by two vertices (as 3-sets) being adjacent if the 3-sets have intersection of size i. The corresponding neighbourhood designs are denoted by D_i(n), for i = 0, 1, 2. Properties of the binary codes of adjacency matrices of these graphs were established in [25]. Again S_n in its natural action acts as an automorphism group of the graphs and codes. The more interesting codes were examined for permutation decoding:

Result 13 ([27] Theorem 1) Let C = C_2(D_2(n)) and n ≥ 7. Then for n odd, $C = [\binom{n}{3}, \binom{n-1}{2}, n-2]_2$. With I = {{1,2,n}, {1,3,n}, ..., {n−2,n−1,n}} ∪ {{n−3,n−2,n−1}} \ {{n−2,n−1,n}} as information set, C has a PD-set in S_n given by the following elements of S_n in their natural action on 3-subsets of Ω = {1, 2, ..., n}:
$S = \{(n,i)(n-1,j)(n-2,k) \mid 1 \le i \le n,\ 1 \le j \le n-1,\ 1 \le k \le n-2\}.$
Note: The notation includes the convention (i,i) = 1, the identity element of S_n.

Similar results hold for some of the other more interesting codes obtained in this way, but in some cases only partial decoding through s-PD-sets was possible: see [28]. Using the same notation:

Result 14 ([28] Theorem 1) Let C_i(n) = C_2(A_i(n)) = C_2(D_i(n)), for i = 0, 1, denote the code formed from the row span over F_2 of an adjacency matrix for A_i(n). For n = 4k, k ≥ 2, $C_0(n) = [\binom{n}{3}, n, \binom{n-1}{2}]_2$ with I = {{i, n−1, n} | 1 ≤ i ≤ n−2} ∪ {{n−3,n−2,n−1}, {n−3,n−2,n}} as information set. For n ≡ 1 (mod 4), n ≥ 13, $C_1(n) = [\binom{n}{3}, n-1, 2\binom{n-2}{2}]_2$ and C_1(9) = [84, 8, 38]_2, with I \ {{n−2,n−1,n}} as information set. Taking the following elements of S_n, in their natural action on 3-subsets of Ω = {1, 2, ..., n}:
Σ_1 = {(n,i) | 1 ≤ i ≤ n−2} ∪ {ι}; Σ_2 = {(n−1,i) | 1 ≤ i ≤ n−2} ∪ {ι}; Σ_3 = {(n−2,i) | 1 ≤ i ≤ n−4} ∪ {ι}; Σ_4 = {(n−3,i) | 1 ≤ i ≤ n−4} ∪ {ι},
where ι is the identity element of S_n, let Σ = Σ_1 Σ_2 Σ_3 Σ_4. Then Σ is an s-PD-set for C_0(n) for s < n²/6 − 1, and for C_1(n) for s < n(n−1)/6 − 1.


These graphs are particular cases of the class of uniform-subset graphs. A more general study of the binary codes of these graphs and the application of permutation decoding to the codes can be found in [13]. Ternary codes from the adjacency matrices of the graphs A_i(n) for i = 0, 1, 2 on 3-subsets were considered in [29] and permutation decoding can also be used for these, although the results are not published.

4.5. Hamming graphs

Codes from adjacency and incidence matrices from the class of Hamming graphs H^k(n,m) have been examined for permutation decoding in [34,10,9,11,7,12]. Here the Hamming graph H^k(n,m), for n, k, m integers, 1 ≤ k < n, is the graph with vertices the m^n n-tuples of R^n, where R is a set of size m, and adjacency defined by two n-tuples being adjacent if they differ in k coordinate positions. These are the graphs that occur in the Hamming association scheme: see [41, Chapter 30]. For example, the n-cube Q_n is H^1(n,2) with R = F_2, and if k = 1 the standard notation H(n,m) is used. The automorphism group of H(n,m) is S_m ≀ S_n: see [4].

From [34], using the notation for r ∈ Z and 0 ≤ r ≤ 2^n − 1, if $r = \sum_{i=1}^{n} r_i 2^{i-1}$ is the binary representation of r, let $\bar r = (r_1, \ldots, r_n)$ be the corresponding vector in F_2^n:

Result 15 ([34] Theorem 1.1) For n even and n ≥ 8, let T_n = T{t_i | 1 ≤ i ≤ n}, where T is the translation group of F_2^n, t_i = (i,n) for i < n is a transposition in the symmetric group S_n, and t_n is the identity map. Then T_n is a 3-PD-set of size n2^n for the self-dual [2^n, 2^{n−1}, n]_2 code C_n from an adjacency matrix for H(n,2), with the information set I = [0, 1, ..., 2^{n−1} − 3, 2^n − 2, 2^n − 1].

In [10] it was shown that the same 2-PD-sets as found in [13] and 3-PD-sets as found in [34] for C_2(H(n,2)) for n even will work for C_2(H^2(n,2)) for n ≡ 0 (mod 4), n ≥ 8, although a different information set needs to be chosen. We do not have a formula for the minimum weight of C_2(H^2(n,2)), although we know it is 2 for n = 4, 8 for n = 8, and at least 12 for n = 12, by Magma. For n ≥ 4, with t_i as in Result 15, let
$P_n = \{t_i \mid 1 \le i \le n-1\} \cup \{\iota\} \quad\text{and}\quad T_n = T P_n.$ (6)
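Result 15 and the set T_n of Equation (6) can be checked by brute force for small n. The following is added example code, not from [34] or this paper: it builds C_n over F_2 from an adjacency matrix of H(n,2) with the integer-to-vector convention r = Σ r_i 2^{i−1} used above, verifies the dimension, self-duality and the information set I = [0, ..., 2^{n−1}−3, 2^n−2, 2^n−1], and tests the s-PD-set property (n = 6, s = 2 is small enough to enumerate; the 3-PD-set claim for n ≥ 8 is too large for this brute-force check). It also shows that the translations alone are not a 2-PD-set for this I, which is why the transpositions t_i are needed.

```python
"""C_n = C_2(H(n,2)): dimension, self-duality, the information set of Result 15,
and a brute-force s-PD-set test for T_n = {T(w) t_i}.  Added example code, not
the paper's.  Coordinate r <-> vector (r_1,...,r_n) with r = sum r_i 2^(i-1)."""
from itertools import combinations


def adjacency_rows(n):
    """Row r of an adjacency matrix of H(n,2) as a bitmask over the 2^n coordinates:
    bit u is set iff u and r differ in exactly one coordinate."""
    return [sum(1 << (r ^ (1 << i)) for i in range(n)) for r in range(1 << n)]


def rank_gf2(rows):
    """Rank over F_2 of bitmask rows (incremental row reduction)."""
    basis = {}                      # leading-bit position -> reduced row
    for r in rows:
        while r:
            h = r.bit_length() - 1
            if h not in basis:
                basis[h] = r
                break
            r ^= basis[h]
    return len(basis)


def restrict(rows, cols):
    """Project bitmask rows onto the coordinate set cols (re-indexed 0..len(cols)-1)."""
    cols = sorted(cols)
    return [sum(((r >> c) & 1) << j for j, c in enumerate(cols)) for r in rows]


def is_information_set(rows, info):
    """info is an information set iff the columns in info carry the full rank."""
    return rank_gf2(restrict(rows, info)) == rank_gf2(rows)


def is_self_orthogonal(rows):
    """All pairwise inner products over F_2 vanish (A^2 = nI = 0 for n even)."""
    return all(bin(a & b).count("1") % 2 == 0 for a in rows for b in rows)


def info_set_result15(n):
    """I = [0, 1, ..., 2^(n-1)-3, 2^n-2, 2^n-1] of Result 15."""
    return list(range((1 << (n - 1)) - 2)) + [(1 << n) - 2, (1 << n) - 1]


def element_Tn(n, w, i):
    """The permutation T(w) t_i of the coordinates 0..2^n-1: swap the bits in
    positions i and n (t_n = identity), then translate by w."""
    perm = []
    for r in range(1 << n):
        bi, bn = (r >> (i - 1)) & 1, (r >> (n - 1)) & 1
        s = r
        if bi != bn:                # flipping both bits swaps them
            s ^= (1 << (i - 1)) | (1 << (n - 1))
        perm.append(s ^ w)
    return perm


def group_Tn(n, with_transpositions=True):
    """T_n = T {t_i | 1 <= i <= n} (size n 2^n); with_transpositions=False gives T alone."""
    idx = range(1, n + 1) if with_transpositions else [n]
    return [element_Tn(n, w, i) for w in range(1 << n) for i in idx]


def is_s_pd_set(perms, info, s, length):
    """Brute-force s-PD-set test: every set of at most s coordinates must be
    moved entirely into the check set (complement of info) by some element."""
    check = set(range(length)) - set(info)
    for k in range(1, s + 1):
        for err in combinations(range(length), k):
            if not any(all(p[e] in check for e in err) for p in perms):
                return False
    return True


def code_summary(n):
    rows = adjacency_rows(n)
    return {"length": 1 << n, "dim": rank_gf2(rows),
            "self_orthogonal": is_self_orthogonal(rows),
            "I_is_information_set": is_information_set(rows, info_set_result15(n))}


if __name__ == "__main__":
    print(code_summary(4))      # dim 8, self-orthogonal, I is an information set
    I6 = info_set_result15(6)
    print(is_s_pd_set(group_Tn(6), I6, 2, 64))                              # True
    print(is_s_pd_set(group_Tn(6, with_transpositions=False), I6, 2, 64))   # False
```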

Since the translation group T is normalized by S_n, elements of the form T(w)t_iT(u) are all in T_n, i.e. σ^{−1}T(u)σ = T(uσ^{−1}), so that for transpositions t, tT(u) = T(ut)t. Let P'_n = {t_{n−1}, ι} and
$T'_n = T P'_n = T\{t_{n-1}, \iota\}.$ (7)
Denote
$I'_1 = \{r \mid 0 \le r \le 2^{n-1}-3\} = \{(r_1,\ldots,r_{n-1},0) \mid r_i \in F_2\} \setminus \{(0,1,\ldots,1,0),(1,\ldots,1,0)\}$
$C'_1 = \{r \mid 2^{n-1} \le r \le 2^n-1\} \setminus \{2^n-8,\,2^n-7\} = \{(r_1,\ldots,r_{n-1},1) \mid r_i \in F_2\} \setminus \{(0,0,0,1,\ldots,1),(1,0,0,1,\ldots,1)\}$
$I'_2 = \{2^n-8,\,2^n-7\} = \{(0,0,0,1,\ldots,1),(1,0,0,1,\ldots,1)\}$
$C'_2 = \{2^{n-1}-2,\,2^{n-1}-1\} = \{(0,1,\ldots,1,0),(1,\ldots,1,0)\},$
and $I' = I'_1 \cup I'_2$ and $C' = C'_1 \cup C'_2$. (8)

Result 16 ([10] Proposition 5) For n ≡ 0 (mod 4) and n ≥ 8, C = C_2(H^2(n,2)) = [2^n, 2^{n−1}, d] where d ≥ 8. With I' as in Equation (8) as information set, T'_n as in Equation (7) is a 2-PD-set of size 2^{n+1} for C, and T_n as in Equation (6) is a 3-PD-set of size n2^n for C.

The graph H(n,3) and the related reflexive graph H(n,3)' (including all loops, i.e. by adding the identity matrix to an adjacency matrix for H(n,3)) provide good binary codes from their adjacency matrices. Write D(n,3) for the symmetric 1-(3^n, 2n, 2n) design from an adjacency matrix for H(n,3) and D(n,3)' for the symmetric 1-(3^n, 2n+1, 2n+1) design from an adjacency matrix for H(n,3)'. Then, from [9],

Result 17 ([9] Proposition 4) If n ≥ 4, then $C = C_2(D(n,3)) = [3^n,\ \tfrac{1}{2}(3^n - (-1)^n),\ 2n]_2$ and $C' = C^\perp = C_2(D(n,3)') = [3^n,\ \tfrac{1}{2}(3^n + (-1)^n),\ 2n+1]_2$. Further, C ∩ C' = {0} and the minimum words of C are the incidence vectors of the blocks of D(n,3). For n ≥ 1, Aut(C_2(D(n,3))) = S_3 ≀ S_n ⊇ T ⋊ S_n, where T is the translation group on V_n = F_3^n. Using the natural ordering of the numbers 0 to 3^n − 1 for n ≥ 3, if C = C_2(D(n,3)) or C_2(D(n,3)'), and k = dim(C), then any consecutive set of k positions forms an information set for C. For n ≥ 3, if U = ⟨e_{n−1}, e_n⟩, then S = {T(u) | u ∈ U} is a 2-PD-set for C of size 9 for the information set from the natural ordering of the integers from 0 to 3^n − 1.

(As noted in Section 1, e_i denotes a standard basis element for V_n = F_3^n.) For the next result we need some notation: we write (i,n) for the transposition in S_n in its action on V_n, with (n,n) denoting the identity map. Further, d_i(a) will denote the diagonal matrix with all diagonal entries equal to 1, apart from the ith which will be a ∈ F_3^*. As before, T(u) will denote the translation by u ∈ V_n, T the translation group.

Result 18 ([9] Proposition 5) For n ≥ 3, using the information set I for C = C_2(D(n,3)) or C_2(D(n,3)') obtained by rotating the naturally ordered numbers to the right by 3^{n−1} − 1 (thus starting with (1, 0, ..., 0, 2) = 1 + 2(3^{n−1})), the set


$S = T\{(i,n)d_n(a) \mid 1 \le i \le n,\ a \in F_3^*\}$
is a 3-PD-set for C of size 2n3^n.

Result 4 can be used for permutation decoding when a specific information set is not given. This is useful for codes from incidence matrices and has been applied to some cases, for example to the incidence designs and line graphs of H(n,2): see [11].

Result 19 ([11] Proposition 19) For n ≥ 2 let C_1 be the binary code obtained from the span over F_2 of an adjacency matrix for the line graph L(H(n,2)) of H(n,2) and C_2 the binary code spanned by an incidence matrix for H(n,2). Then C_1 ⊆ C_2, C_1 is a [2^{n−1}n, 2^n − 2, 2(n−1)]_2 code, and C_2 is a [2^{n−1}n, 2^n − 1, n]_2 code. For n ≥ 4, the minimum words of C_1 and C_2 are the rows of an adjacency, respectively incidence, matrix and the automorphism group of either code is T ⋊ S_n, where T is the translation group on V_n = F_2^n, and S_n the symmetric group of degree n acting on the n coordinate positions. Further, C_1^⊥ and C_2^⊥ have minimum weight 4, C_1 ∩ C_1^⊥ ⊆ C_2 ∩ C_2^⊥, and C_1 ∩ C_1^⊥, respectively C_2 ∩ C_2^⊥, has dimension 2^{n−1}, respectively 2^{n−1} − 1, and minimum weight at most n² for n even, or n(n−1) for n odd. If E denotes the subgroup of T of translations by even-weight vectors, and g is an n-cycle in S_n, then E⟨g⟩, regular of order 2^{n−1}n, is an ⌊n/2⌋-PD-set for C_1, a PD-set for C_2, and an (n−1)-PD-set for C_i ∩ C_i^⊥, for i = 1, 2, for any information set.

For the incidence matrices of the graphs H^k(n,2) for k ≥ 2, the following was proved in [8].

Result 20 ([8] Proposition 8) For k ≥ 2, n ≥ 2k+2, any transitive subgroup of Aut(H^k(n,2)) of degree $2^{n-1}\binom{n}{k}$ acting on edges is a PD-set for any information set for the code C_p(G^k_n(2)) from an incidence matrix G^k_n(2) for H^k(n,2), where
1. for k odd, $C_p(G^k_n(2)) = [2^{n-1}\binom{n}{k},\ 2^n-1,\ \binom{n}{k}]_p$;
2. for k even, $C_2(G^k_n(2)) = [2^{n-1}\binom{n}{k},\ 2^n-2,\ \binom{n}{k}]_2$ and, for p odd, $C_p(G^k_n(2)) = [2^{n-1}\binom{n}{k},\ 2^n,\ \binom{n}{k}]_p$.

Example 1 For k = 2, when n = q is a prime power, S_n will have sharply 2-transitive subgroups. If H is any such subgroup, then with T the translation group, TH has order 2^n n(n−1) and is easily seen to be transitive on the points of G^2_n, and hence will be a PD-set. Similarly, if k = 3, n = q+1 where q is a prime power, H a sharply 3-transitive group, we get PD-sets of size 2^n n(n−1)(n−2).

4.6. Paley graphs

If n is a prime power with n ≡ 1 (mod 4), the Paley graph P(n) has F_n as vertex set and two vertices x and y are adjacent if and only if x − y is a non-zero square in F_n. It is a strongly regular graph with parameters $(n,\ \tfrac{n-1}{2},\ \tfrac{n-1}{4}-1,\ \tfrac{n-1}{4})$. The row span over a field F_p of an adjacency matrix gives a good code (in fact, a quadratic residue code) if and only if p is a square in F_n.


For any Aut(Fn ), if n = q e where q is prime, and a, b Fn with a a non-zero square, the set of mappings a,b, : x ax + b form the automorphism group of the graph, of order 1 2 en(n 1). It is not in general 2-transitive on vertices. Using Magma [5,3], it can be veried (see [20,40]) that for n 1697 and prime or n 1849 and a square, PD-sets cannot exist since the bound of Result 3 is bigger than the order of the group (using the square root bound for the minimum weight, and the actual minimum weight q + 1 when n = q 2 and q is a prime power). For the case where n is prime and n 1 (mod 8), the code of P (n) over Fp is 1 C = [n, n n, (the square-root bound) for p any prime dividing 2 , d]p where d n 1 4 . In [20] a 2-PD-set for C of size 6, and for the dual code, a 2-PD-set of size 10, was found for all n satisfying the stated conditions. Further results for this class of codes can be found in [40]. A general result was proved in [20,40], and used to nd 2-PDsets for P (n) when n is a prime. Result 21 ([20] Theorem 1) Let C = [n, k, d]q be a cyclic code of prime length n over the eld Fq of order q , where n 1 (mod 8), (n, q ) = 1 and d 5. Label the coordinate positions 0, 1, . . . , n 1 and suppose that 0, 1, . . . , k 1 form the information symbols. Let a,b : i ai + b for a, b Fn where a is a nonzero-square and suppose that a,b Aut(C ) for all such a, b Fn . Then (1) if k =

n 1 2 ,

n+1 2 ,

S = {1,b | b {0, 1, k, k 1, n1}}{k,b | b {0, k, k 1, For the Paley graphs this gives:

Result 22 ([20] Corollary 1) Let P (n) be the Paley graph of prime order n where 1 n 1 (mod 8), and C = [n, n 2 ]p its code over Fp where p is a prime dividing n 1 n 1 4 . If the information set for C is I = {0, 1, . . . , k 1}, where k = 2 , then C has a 2-PD-set of size 6 as given by S in Equation (9). Result 23 ([20] Corollary 2) Let P (n) be the Paley graph of prime order n where n 1 (mod 8), and C = [n, n+1 2 ]p the dual of its code C over Fp where p is a 1 prime dividing n . If the information set for C is I = {0, 1, . . . , k 1}, where 4 n+1 k = 2 , then C has a 2-PD-set of size 10 as given by S in Equation (10). Note: The lower bounds on the size of 2-PD-sets for the code and its dual of the Paley graph P (n) are 4 and 7, respectively, as follows immediately from Result 3. The sizes of 2-PD-sets in Result 22 and 23 are close to these bounds.


5. Codes from finite geometries

The finite geometries have, in general, far more structure than graphs, so their automorphism groups, AΓL_n(F_q) or PΓL_n(F_q), are not as large, and in general will not accommodate PD-sets for full permutation decoding. However, in most cases s-PD-sets can be found for small s ≥ 2. The codes of the designs from these affine and projective geometries are all from the family of generalized Reed-Muller codes, including their subfield subcodes. This is all explained in detail in [1, Chapter 5], or [2]. We give a brief description of some members of the class below, but the main properties of these codes must be found elsewhere, for example in [1, Chapters 5,6].

5.1. Generalized Reed-Muller codes

Let q = p^t, where p is a prime, and let V be the vector space F_q^m of m-tuples, with standard basis. The codes will be q-ary codes with ambient space the function space F_q^V, with the usual basis of characteristic functions of the vectors of V. We can denote the elements f of F_q^V by functions of the m variables denoting the coordinates of a variable vector in V, i.e. if x = (x_1, x_2, ..., x_m) ∈ V, then f ∈ F_q^V is given by f = f(x_1, x_2, ..., x_m) and the x_i take values in F_q. Since a^q = a for a ∈ F_q, the polynomial functions can be reduced modulo x_i^q − x_i. Furthermore, every polynomial can be written uniquely as a linear combination of the q^m monomial functions
$M = \{x_1^{i_1} x_2^{i_2} \cdots x_m^{i_m} \mid 0 \le i_k \le q-1,\ \text{for } 1 \le k \le m\}.$
For any such monomial the degree ρ is the total degree, i.e. $\rho = \sum_{k=1}^{m} i_k$, and clearly 0 ≤ ρ ≤ m(q−1). The generalized Reed-Muller codes are defined as follows (see [1, Definition 5.4.1]):

Definition 2 Let V = F_q^m be the vector space of m-tuples, for m ≥ 1, over F_q, where q = p^t and p is a prime. For any ν such that 0 ≤ ν ≤ m(q−1), the ν-th order generalized Reed-Muller code R_{F_q}(ν, m) is the subspace of F_q^V (with basis the characteristic functions of vectors in V) of all m-variable polynomial functions (reduced modulo x_i^q − x_i) of degree at most ν. Thus
$R_{F_q}(\nu, m) = \left\langle x_1^{i_1} x_2^{i_2} \cdots x_m^{i_m} \,\middle|\, 0 \le i_k \le q-1,\ \text{for } 1 \le k \le m,\ \sum_{k=1}^{m} i_k \le \nu \right\rangle.$
These codes are thus codes of length q^m and the codewords are obtained by evaluating the m-variable polynomials in the subspace at all the points of the vector space V = F_q^m. From [1, Theorem 5.4.2] we know that R_{F_q}(ν, m)^⊥ = R_{F_q}(ν^⊥, m) for ν < m(q−1) and where ν + ν^⊥ + 1 = m(q−1). For p prime, the code R_{F_p}((m−r)(p−1), m) is the p-ary code of the affine geometry design AG_{m,r}(F_p): see [1, Theorem 5.7.9]. For q = p = 2, the codes are the original Reed-Muller codes, written simply as R(m−r, m), this being the


binary code of the affine geometry design of points and r-dimensional flats of AG_m(F_2). The set of monomial functions of degree at most ν,
$B = \{x_1^{i_1} x_2^{i_2} \cdots x_m^{i_m} \mid 0 \le i_k \le q-1,\ \text{for } 1 \le k \le m,\ \sum_{k=1}^{m} i_k \le \nu\},$
is an F_q-basis of R_{F_q}(ν, m). A subset S ⊆ V = F_q^m will be an information set of the code if, and only if, the subspace of F_q^S spanned by the restriction of B to S has dimension |B|. The following theorem from [22] holds for a wider class of codes spanned by monomials than the generalized Reed-Muller codes:

Result 24 ([22] Theorem 1) Let V = F_q^m be the vector space of m-tuples, for m ≥ 1, over the finite field F_q of order q, where q = p^t and p is a prime. Let α_0, ..., α_{q−1} be the elements of F_q and let S = {[i_1, i_2, ..., i_m] | i_k ∈ Z, 0 ≤ i_k ≤ q−1, 1 ≤ k ≤ m}. Let ≼ denote the partial order defined on S by [i_1, i_2, ..., i_m] ≼ [j_1, j_2, ..., j_m] if and only if i_k ≤ j_k for all k such that 1 ≤ k ≤ m. Let X ⊆ S have the property that y ∈ X if y ∈ S and y ≼ x for some x ∈ X, and let C = ⟨x_1^{i_1} x_2^{i_2} ⋯ x_m^{i_m} | [i_1, i_2, ..., i_m] ∈ X⟩. Then the set of vectors I = {(α_{i_1}, ..., α_{i_m}) | [i_1, i_2, ..., i_m] ∈ X} is an information set for C. In particular, if $X = \{[i_1, i_2, \ldots, i_m] \in S \mid \sum_{k=1}^{m} i_k \le \nu\}$, then I is an information set for R_{F_q}(ν, m), and if p is a prime,
$I = \{(i_1, \ldots, i_m) \mid i_k \in F_p,\ 1 \le k \le m,\ \sum_{k=1}^{m} i_k \le \nu\}$ (11)
is an information set for R_{F_p}(ν, m).

5.2. Finite desarguesian planes

If q = p^e where p is prime, the code of the desarguesian projective plane of order q has parameters $[q^2+q+1,\ (\tfrac{p(p+1)}{2})^e + 1,\ q+1]_p$. For the affine plane the code is $[q^2,\ (\tfrac{p(p+1)}{2})^e,\ q]_p$. The codes are subfield subcodes of the generalized Reed-Muller codes (see [2]), and the automorphism groups are the semi-linear groups and doubly transitive on points. All these facts can be found in [1, Chapters 5,6]. Thus 2-PD-sets always exist. However, unlike the codes from graphs discussed in the preceding sections, it is not possible to obtain a general construction of PD-sets that will cover all members of this class of codes (i.e. for all q), since the bound of Result 3 for the size of a PD-set for error-correction using the full


capability of the code is greater than the size of the group as q grows beyond a certain value: see Tables 1,2,3, [21]. For example, in the projective desarguesian case, PG_2(F_q), when q is greater than the stated value, PD-sets for full error-correction cannot exist beyond the stated values of q (computations done using Magma [5] and GAP [14]):
q = p prime and p > 103;
q = 2^e and e > 12;
q = 3^e and e > 6;
q = 5^e and e > 4;
q = 7^e and e > 3;
q = 11^e and e > 2;
q = 13^e and e > 2;
q = p^e for p > 13 and e > 1.

Similar results hold for the affine and for the dual codes. Thus it is not possible to give a general construction of PD-sets for this whole class of codes. However, s-PD-sets that apply to the whole class can be found for some small values of s ≥ 2. In [21] it was shown that both the code and its dual of any desarguesian projective plane will have 3-PD-sets no matter what information set I is chosen. To ensure that the code will correct three errors, we will take the order q ≥ 7; for the dual code, where the minimum weight in the case q = p prime is 2p, we need q ≥ 5. In general our bounds on the order relate to the error-correction capability of the code, which might not be the same as that of its dual.

Result 25 ([21] Proposition 3.2) Let Π = PG_2(F_q), where q = p^e and p is a prime, $C = C_p(\Pi) = [q^2+q+1,\ (\tfrac{p(p+1)}{2})^e + 1,\ q+1]_p$, and G = Aut(Π). Then if q ≥ 7, a 3-PD-set can be found in G for C using any information set; similarly for q ≥ 5 for the dual code $C^\perp = [q^2+q+1,\ q^2+q-(\tfrac{p(p+1)}{2})^e,\ d^\perp]_p$ where q + p ≤ d^⊥ ≤ 2q. If q ≥ 8, information sets exist for C such that 4-PD-sets can be found in G; similarly for C^⊥ for q ≥ 5.

Similar results hold for the affine plane, but the information set is not arbitrary (see [21] for the properties required):

Result 26 ([21] Proposition 3.3) Let π = AG_2(F_q) where q = p^e and p is a prime, $C = C_p(\pi) = [q^2,\ (\tfrac{p(p+1)}{2})^e,\ q]_p$, and G = Aut(π). Then if q ≥ 7, a 3-PD-set can be found in G for C. Similarly, for q ≥ 5, a 3-PD-set can be found in G for the dual code $C^\perp = [q^2,\ q^2-(\tfrac{p(p+1)}{2})^e,\ d^\perp]_p$ where q + p ≤ d^⊥ ≤ 2q.

For q = p a prime, using a Moorhouse [44] basis for the affine plane, 4-PD-sets were found for the affine case. Here the points of the plane AG_2(F_p) are written as the ordered pairs, (a,b), for a, b ∈ F_p.

Result 27 ([21] Proposition 3.4) Let π = AG_2(F_p) where p is a prime and p ≥ 11, $C = C_p(\pi) = [p^2,\ \binom{p+1}{2},\ p]_p$, and G = Aut(π). Then G contains a 4-PD-set for the code using information set


$I = \{(i,j) \mid 0 \le i \le j \le p-1\},$ (12)
and check set
$C = \{(i,j) \mid p-1 \ge i > j \ge 0\}.$ (13)
The same result is true for p ≥ 5 for $C^\perp = [p^2,\ p^2 - \binom{p+1}{2}]_p$ (using C as information set).

5.3. Small 2-PD-sets in prime-order desarguesian planes

It is clear that 2-PD-sets exist for any information set for the p-ary code of a desarguesian plane of order a power of p, since the group is 2-transitive. Since the smaller the size of an s-PD-set is, the more economical it will be for decoding purposes, it is desirable to find small 2-PD-sets inside the full group. In general this problem is not solved since information sets are not known in general. However, for prime order a Moorhouse [44] basis can be used to find an information set, and using this, in [21], the following sizes were obtained:
2-PD-sets of 37 elements for desarguesian affine planes of any prime order p;
2-PD-sets of 43 elements for desarguesian projective planes of any prime order p.
Also 3-PD-sets for the code and the dual code in the affine prime case of sizes 2p²(p−1) and p², respectively, were found. In [21] the following general result was applied to planes of prime order:

Result 28 ([21] Proposition 4.1) Let C = [n, k, d]_q be a cyclic code of odd length n over the field F_q of order q, where k = (n+1)/2, (n,q) = 1 and d ≥ 5. Label the coordinate positions 0, 1, ..., n−1 and take I = {0, 1, ..., k−1} for the information symbols. Let A = Aut(C) ≤ S_n, and let σ: i ↦ i + 1 and μ: i ↦ qi (mod n). If Z = ⟨σ⟩ and q ≢ 1 (mod n), then S = Z ∪ Zμ is a 2-PD-set of size 2n for C.

Note: That μ ∈ Aut(C) is proved in MacWilliams [42]. Thus taking our information positions to be consecutive positions defined by a cycle acting on the code, we will have the following:

Result 29 ([21] Proposition 4.2) Let Π = PG_2(F_p) where p ≥ 5 is a prime. Then $C = C_p(\Pi) = [p^2+p+1,\ \tfrac{n+1}{2},\ p+1]_p$. Let Z be the cyclic group generated by a Singer cycle and take $I = \{0, 1, \ldots, \tfrac{p^2+p+2}{2} - 1\}$ for the information symbols, as defined by S. Then, in the notation of Result 28 for σ and μ, where μ has order 3, Z ∪ Zμ will form a 2-PD-set for C and Z will form a 2-PD-set for C^⊥ for p ≥ 3.

We write here, for a translation in the affine group AGL_2(F_q),
$\tau_{a,b}: (x,y) \mapsto (x,y) + (a,b),$ (14)
for (x,y), (a,b) ∈ AG_2(F_q). For a ∈ F_p and a ≠ 0, define collineations of AG_2(F_p):
$\delta_a: (x,y) \mapsto (ax, ay)$ (15)
$\beta: (x,y) \mapsto (y,x)$ (16)
for (x,y) ∈ AG_2(F_p). Let Z = {δ_a | a ∈ F_p^*} and T = {τ_{a,b} | 0 ≤ a, b ≤ p−1}, the translation group of AG_2(F_p). Using a Moorhouse basis for the code from the affine plane, the following was obtained in [21]:

Result 30 ([21] Proposition 4.3) Let π = AG_2(F_p) where p ≥ 5 is a prime, and C = C_p(π). Let n = ⌊(p+1)/6⌋, and Y = {τ_{un,vn} | 0 ≤ u, v ≤ 5}. Then, using I of Equation (12) as information set, Y is a 2-PD-set for C if p ≡ 1 (mod 6), and Y ∪ {τ_{1,1}} is a 2-PD-set for C if p ≡ −1 (mod 6), of size 37. Furthermore, (Y ∪ {τ_{1,1}})β is a 2-PD-set of 37 elements for C^⊥, using C of Equation (13) as information set, and where β is defined in Equation (16).

The analogue for the desarguesian projective planes of prime order was also obtained in [21]. First we define A = {(1,i,j) | 0 ≤ i, j ≤ p−1}, A_1 = {(1,i,j) | 0 ≤ i ≤ j ≤ p−1}, L = {(0,1,i) | 0 ≤ i ≤ p−1} and P = (0,0,1) explicitly, and set A_2 = A \ A_1. Then we can take for an information set for C_p(PG_2(F_p)) the set
$I = \{(1,i,j) \mid 0 \le i \le j \le p-1\} \cup \{(0,0,1)\} = A_1 \cup \{P\},$ (17)
and the corresponding check set will then be
$C = \{(1,i,j) \mid p-1 \ge i > j \ge 0\} \cup \{(0,1,i) \mid 0 \le i \le p-1\} = A_2 \cup L.$ (18)
The element of PGL_3(F_q) corresponding to the translation τ_{a,b} we write
$\bar\tau_{a,b} = \begin{pmatrix} 1 & a & b \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix}.$ (19)

Result 31 ([21] Proposition 4.4) Let = P G2 (Fp ) where p 5 is a prime, and let C = Cp (). If n = (p + 1)/6 , let = { Y un,vn | 0 u, v 5}, 0 = { Y 0,0 , 0,(p)/2 , (p+)/2,(p)/2 , (p)/2,p+ }, where {1, 1} and p (mod 6), and 100 100 010 1 0 0 010 0 = 0 0 1 , 1 = 0 1 1 , 2 = 1 0 0 , 3 = 0 1 0 , 4 = 0 0 1 . 0 0 1 010 010 001 100


Y 0 Then, using the information set I of Equation (17), C has a 2-PD-set Y 0 Y0 {1 } in the case p 1 (mod 6) and Y Y0 0 Y0 {1 , 1,1 } in the case p 1 (mod 6), of size 42 and 43, respectively. Furthermore, using the information set C of Equation (18), the set { 1,1 3 , 1,1 4 , 1,1 4 , 4 , 4 3 , 1,0 4 } (Y 1,1 })0 {, 2 , 3 , (where is the identity map) of size 46 is a 2-PD-set for C . Also some specic 3-PD-sets in the ane case were found in [21]. Result 32 ([21] Proposition 4.5) Let = AG2 (Fp ) where p is a prime, and let T be its translation group, Z and as dened above and in Equation (16). For p 7, T Z T Z is a 3-PD-set for the code C = Cp ( ) using the information set of Equation (12), and for p 5, T is a minimal 3-PD-set for C , using the information set of Equation (13). 5.4. Ane and projective geometry designs Information sets for the generalized Reed-Muller codes were found in [22] (see Result 24) and using these, 2-PD sets of size 2p3 for p 5 and 3-PD-sets of size p3 (p 1)3 for p 7 were found in [23] for the p-ary codes from the 2-(p3 , p, 1) ane geometry designs of points and lines in 3-dimensional space over Fp , where p is a prime. Recall that it was mentioned in Section 5.1 that for p prime, the code RFp ((m r)(p 1), m) is the p-ary code of the ane geometry design AGm,r (Fp ) of points and r-ats. So our code here has m = 3, r = 1, and is thus RFp (2(p 1), 3). Result 33 ([23] Theorem 1) Let D be the 2-(p3 , p, 1) design AG3,1 (Fp ) of points and lines in the ane space AG3 (Fp ), where p is a prime, and let C = Cp (D) = 2 RFp (2(p 1), 3). Then C is a [p3 , 1 6 p(5p + 1), p]p code with information set

$I = \{(i_1, i_2, i_3) \mid i_k \in F_p,\ 1 \le k \le 3,\ \sum_{k=1}^{3} i_k \le 2(p-1)\}.$ (20)

Let T be the translation group of AG_3(F_p), let D be the group of invertible diagonal 3 × 3 matrices, and let Z be the group of scalar matrices. For each d ∈ F_p with d ≠ 0, let δ(d) be the associated dilatation. Corresponding to the information set I, the code C has a 2-PD-set of the form T ∪ Tδ(d) of size 2p³ for p ≥ 5 and for some d ∈ F_p^*, and TD is a 3-PD-set for C of size p³(p−1)³ for p ≥ 7. For the 2-PD-set, we can choose d = (p−1)/2.

For q = p and r = m−1, R_{F_p}((m−r)(p−1), m) = R_{F_p}(p−1, m) = C_p(AG_{m,m−1}(F_p)), i.e. the code of the affine geometry design of points and (m−1)-flats, or hyperplanes. Then $|I| = \binom{m+p-1}{m}$. We have a general construction for smaller 2-PD-sets for these designs for p ≥ 3 and m ≥ 3 (except for p = 3 when we will need m ≥ 4). This is from [22].


Result 34 ([22] Proposition 2) Let C = C_p(AG_{m,m−1}(F_p)) = R_{F_p}(p−1, m) where p is a prime and p ≥ 3 and let T_m(F_p) be the translation group. For the vector z = (1, 1, ..., 1) ∈ F_p^m let τ denote the translation by z and let Z = ⟨τ⟩. Using the standard information set
$I = \{(i_1, \ldots, i_m) \mid i_k \in F_p,\ 1 \le k \le m,\ \sum_{k=1}^{m} i_k \le p-1\},$ (21)
Z is a 2-PD-set of size p for C for m ≥ 3 and p ≥ 5, and for m ≥ 4 when p = 3.

The general result concerning information sets (Result 24) for generalized Reed-Muller codes can be adapted to projective geometries over prime fields, and then partial PD-sets found as in the affine case. If I is an information set for C_p(AG_{m,m−1}(F_p)), then I' ∪ {(0, ..., 0, 1)} is an information set for C_p(PG_{m,m−1}(F_p)), where I' = {(1, x_1, ..., x_m) | (x_1, ..., x_m) ∈ I}. In Result 34, using the information set I of Equation (21), a 2-PD-set R = {τ_i | 0 ≤ i ≤ p−1} for C_p(AG_{m,m−1}(F_p)) was obtained, where τ_i is the translation τ_i: v ↦ v + iz and z = (1, ..., 1). Using the usual embedding of AG_m(F_p) into PG_m(F_p), each τ_i corresponds to a collineation τ̄_i: (x_0, x_1, ..., x_m) ↦ (x_0, x_1 + i, ..., x_m + i) of PG_m(F_p). Let Z̄ = {τ̄_i | 0 ≤ i ≤ p−1}. We define two further collineations:
$\sigma: (x_0, \ldots, x_{m-2}, x_{m-1}, x_m) \mapsto (x_0, \ldots, x_{m-2}, x_m, x_{m-1}),$
$\gamma: (x_0, x_1, \ldots, x_{m-1}, x_m) \mapsto (x_0, x_1, \ldots, x_{m-1} + x_m, x_m),$
where the images are normalized further if necessary. Using these collineations we find a small 2-PD-set for C_p(PG_{m,m−1}(F_p)).

Result 35 ([22] Proposition 6) For m ≥ 3, p ≥ 5, the set S = Z̄ ∪ Z̄σ ∪ {γ} of collineations of PG_m(F_p) is a 2-PD-set of size 2p + 1 of the code C_p(PG_{m,m−1}(F_p)) with respect to the information set I' ∪ {(0, ..., 0, 1)}.

5.4.1. Reed-Muller codes

The first- and second-order Reed-Muller codes, R(1,m) and R(2,m), are binary codes with large minimum weight, being the codes of the affine geometry designs over F_2 of points and (m−1)-flats or (m−2)-flats, respectively, and with the minimum words the incidence vectors of the blocks. In [24] the following was proved, extending results in [47]:


Result 36 ([24] Theorem 1) Let V = F_2^m and C_i = {v | v ∈ V, wt(v) = i} for 0 ≤ i ≤ m. Let T(u) denote the translation of V by u ∈ V, A_m = {T(u) | u ∈ C_0 ∪ C_1 ∪ C_2 ∪ C_m}, B_m = A_m ∪ {T(u) | u ∈ C_3}; then
1. A_m is an (m−1)-PD-set of size ½(m² + m + 4) for R(1,m) for m ≥ 5 for the information set C_0 ∪ C_1;
2. B_m is an (m+1)-PD-set of size ⅙(m³ + 5m + 12) for R(1,m) for m ≥ 6 for the information set C_0 ∪ C_1;
3. B_m is an (m−3)-PD-set of size ⅙(m³ + 5m + 12) for R(2,m) for m ≥ 8 for the information set C_0 ∪ C_1 ∪ C_2.
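Result 24 (Equation (11)), the dimension formula of Result 33 and the translation 2-PD-set of Result 34 can be checked for small p and m by building the evaluation matrix of R_{F_p}(ν, m). The following is added example code, not from [22] or [23]: it labels the elements of F_p as 0, ..., p−1, so that the exponent tuple [i_1, ..., i_m] of a monomial and the point (i_1, ..., i_m) of F_p^m coincide, as in (11), and it checks the information-set and 2-PD-set claims by explicit rank computation and enumeration (p = 5, m = 3).

```python
"""Generalized Reed-Muller codes over a prime field: evaluation matrix,
the information set of Result 24 / Eq. (11), and the translation 2-PD-set
of Result 34.  Added example code, not from the paper or from [22], [23]."""
from itertools import product


def exponent_set(p, m, nu):
    """X = {[i_1,...,i_m] : 0 <= i_k <= p-1, sum i_k <= nu}; this set is closed
    downwards under the partial order of Result 24."""
    return [e for e in product(range(p), repeat=m) if sum(e) <= nu]


def grm_matrix(p, m, nu):
    """Generator matrix of R_{F_p}(nu, m): one row per monomial x^e with e in X,
    one column per point of F_p^m (lexicographic order).  Returns (points, rows)."""
    points = list(product(range(p), repeat=m))
    rows = []
    for e in exponent_set(p, m, nu):
        row = []
        for x in points:
            v = 1
            for xk, ik in zip(x, e):
                v = v * pow(xk, ik, p) % p      # pow(0, 0, p) == 1, i.e. x^0 = 1
            row.append(v)
        rows.append(row)
    return points, rows


def rank_mod_p(rows, p):
    """Rank over F_p (p prime) by Gauss-Jordan elimination on a copy of rows."""
    M = [r[:] for r in rows]
    rank = 0
    for col in range(len(M[0]) if M else 0):
        piv = next((r for r in range(rank, len(M)) if M[r][col] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], p - 2, p)       # Fermat inverse of the pivot
        M[rank] = [v * inv % p for v in M[rank]]
        for r in range(len(M)):
            if r != rank and M[r][col] % p:
                f = M[r][col]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[rank])]
        rank += 1
        if rank == len(M):
            break
    return rank


def is_information_set(points, rows, info, p):
    """info (a list of points) is an information set iff the columns indexed by
    it have the same rank as the whole generator matrix."""
    col = {x: j for j, x in enumerate(points)}
    sub = [[r[col[x]] for x in info] for r in rows]
    return rank_mod_p(sub, p) == rank_mod_p(rows, p)


def result24_info_set(p, m, nu):
    """Eq. (11): the points (i_1,...,i_m) with i_k in F_p and sum i_k <= nu."""
    return [tuple(e) for e in exponent_set(p, m, nu)]


def translations_are_2_pd_set(p, m):
    """Result 34: Z = {translation by i(1,...,1)} against the information set (21),
    i.e. nu = p-1.  Every set of at most two coordinates must be moved into the
    check set (points with coordinate sum > p-1) by some element of Z."""
    points = list(product(range(p), repeat=m))
    check = {x for x in points if sum(x) > p - 1}

    def shift(x, i):
        return tuple((c + i) % p for c in x)

    for a in points:
        for b in points:                     # a == b covers the single-error case
            if not any(shift(a, i) in check and shift(b, i) in check
                       for i in range(p)):
                return False
    return True


if __name__ == "__main__":
    pts, G = grm_matrix(5, 3, 8)             # C_5(AG_{3,1}(F_5)) = R_{F_5}(8, 3), Result 33
    print(len(G), rank_mod_p(G, 5))          # 105 105  (= p(5p^2+1)/6 for p = 5)
    print(is_information_set(pts, G, result24_info_set(5, 3, 8), 5))   # True
    print(translations_are_2_pd_set(5, 3))   # True
```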

Some of these codes are also considered in [39].

6. Examples

In this section we illustrate three of the results described in the previous sections, showing how the process of examining the code of the graph or design for the existence of PD-sets or s-PD-sets was approached. Once the main parameters of the code have been established, a suitable information set needs to be found, and then the PD-set or s-PD-set itself found. For the latter process, Magma [5,3] was frequently used to help with the determination of such sets in the smaller cases (since all the examples are members of an infinite class), and then the general pattern established and verified theoretically.

6.1. Adjacency matrix of the Hamming graph Q_n = H(n,2)

We refer here to Result 15 from [34], and let A_n be an adjacency matrix for Q_n = H(n,2) so that with natural ordering of the vectors, for n ≥ 2
$A_n = \begin{pmatrix} A_{n-1} & I \\ I & A_{n-1} \end{pmatrix}.$
We consider C_n = C_2(Q_n), and it follows that A_n² = nI_{2^n}. Thus only the codes for n even will be of interest. It is shown in [34] that for n even, n ≥ 4, C_n is a [2^n, 2^{n−1}, n]_2 self-dual code with I = [0, 1, ..., 2^{n−1} − 3, 2^n − 2, 2^n − 1] as an information set, using the notation as described prior to Result 15. We show that, for n even and n ≥ 8, T_n = {T(w)t_i | w ∈ F_2^n, 1 ≤ i ≤ n}, where T(w) is the translation by w ∈ F_2^n, t_i = (i,n) for i < n is a transposition in the symmetric group S_n, and t_n is the identity map, is a 3-PD-set for C_n. If I is as above, the corresponding check set is C. We will write


$I_1 = [0, 1, \ldots, 2^{n-1}-3],\qquad C_1 = [2^{n-1}, 2^{n-1}+1, \ldots, 2^n-3]$
$I_2 = [2^n-2, 2^n-1],\qquad C_2 = [2^{n-1}-2, 2^{n-1}-1]$
and
$a = 2^n-2 = (0,1,\ldots,1,1),\qquad b = 2^n-1 = (1,1,\ldots,1,1)$
$A = 2^{n-1}-2 = (0,1,\ldots,1,0),\qquad B = 2^{n-1}-1 = (1,1,\ldots,1,0).$
Notice that the points a and b are placed in I in order to have points and their complements in I since under any automorphism of the design, if v^σ = w then (v^c)^σ = w^c. Thus we have a^c = 1 and b^c = 0, A^c = 1 + 2^{n−1}, B^c = 2^{n−1}, and v + v^c = b for any vector v ∈ P.

Proof of Result 15: Let T = {x, y, z} be a set of three points in P. We need to show that there is an element in T_n that maps T into C. We consider the various possibilities for the points in T. If T ⊆ C then use ι. Thus suppose at least one of the points is in I and, by using a translation, suppose that one of the points, say z, is 0. If T ⊆ I, then T(2^{n−1}) will work. Now we consider the other cases.
1. x ∈ I_1, y ∈ C_1. Then there are i_x, i_y with 2 ≤ i_x, i_y ≤ n−1 such that x(i_x) = y(i_y) = 0. If i_x = i_y = i then Tt_i ⊆ I, unless yt_i ∈ {A, B}, so t_iT(2^{n−1}) will work unless yt_i ∈ {A, B}. If yt_i = A then y(1) = y(i) = 0, y(j) = 1 otherwise. If x(1) = 0 then t_1T(2^{n−1}) will work. If x(i) = 1 then take any j ≠ 1, i, n, and use T(2^{j−1})t_iT(2^{n−1}). If yt_i = B, then y(i) = 0 and y(j) = 1 otherwise. Take any j ≠ 1, i, n, and use T(2^{j−1})t_iT(2^{n−1}). If x and y have no common zero, then if y = x^c, so x + y = b, then use T(x)T(2^{n−1}). If x(i) = y(i) = 1, where 1 ≤ i ≤ n−1, then t_iT(2^{n−1} − 1) can be used.
2. x ∈ I_1, y ∈ C_2. (a) y = A: then x(i) = 0 for some 2 ≤ i ≤ n−1, and t_iT(2^{i−1} + 2^{n−1}) will work. (b) y = B: then x(j) = 0 for some 1 ≤ j ≤ n−1, and t_jT(2^{j−1} + 2^{n−1}) will work unless x(i) = 1 for all i ≠ j, n. In the latter case, let 1 ≤ i ≤ n−1, and i ≠ j; then T(y)t_iT(2^{i−1} + 2^{n−1}) will work.
3. x ∈ I_2, y ∈ C_1. (a) x = a: since y ∈ C_1, there is a j such that 2 ≤ j ≤ n−1 with y(j) = 0. If y(i) = 1 for i ≠ j and 1 ≤ i ≤ n, or if y(1) = 0 and y(i) = 1 for i ≠ j and 2 ≤ i ≤ n, then T(A) will work. If there is an i ≠ j such that y(i) = y(j) = 0 where 2 ≤ i, j ≤ n−1 then t_jT(2^{n−1}) can be used. (b) x = b: this follows exactly as in the x = a case except that in the first two cases for y use T(B) instead of T(A).
4. x ∈ I_2, y ∈ C_2. (a) x = a, y = A: use T(a)t_2T(2^{n−1}).


 (b) $x = a$, $y = B$: use $t_{n-1}T(B)$.
 (c) $x = b$, $y = A$: use $t_{n-1}T(B)$.
 (d) $x = b$, $y = B$: use $t_1T(1 + 2^{n-1})$.

5. $x, y \in \mathcal{C}$.
 (a) $x, y \in \mathcal{C}^1$: if $x + y = B$ then $T(B)$ will work. Otherwise $x(i) = y(i)$ for some $i$ with $1 \le i \le n-1$. Again $T(B)$ will work unless $x$ or $y$ is $(0, \ldots, 0, 1)$ or $(1, 0, \ldots, 0, 1)$. If $x = (0, \ldots, 0, 1)$ then $y(i) = 0$ for some $i$ with $2 \le i \le n-1$. Then $t_iT(2^{n-1})$ can be used unless $y(j) = 1$ for all $j \ne i$, or $y(1) = y(i) = 0$ and $y(j) = 1$ for $j \ne 1, i$; in these cases $t_iT(2^{i-1} + 2^{n-1})$ can be used. The same arguments hold if $x = (1, 0, \ldots, 0, 1)$.
 (b) $x \in \mathcal{C}^1$, $y \in \mathcal{C}^2$.
  i. $y = A$: since $x \in \mathcal{C}^1$, there is a $j$ with $2 \le j \le n-1$ and $x(j) = 0$. Then $t_jT(2^{j-1} + 2^{n-1})$ can be used unless $y(i) = 1$ for all $i \ne j$ with $1 \le i \le n$, or $y(1) = 0$ and $y(i) = 1$ for all $i \ne j$ with $2 \le i \le n$. In these cases $T(A)t_kT(2^{k-1} + 2^{n-1})$, where $k \ne 1, j$ and $2 \le k \le n-1$, can be used.
  ii. $y = B$: exactly as in the case $y = A$, except that $T(B)$ is used in the final cases.
 (c) $x, y \in \mathcal{C}^2$: $x = A$ and $y = B$, and $T(2^{n-2} + 2^{n-1})$ will work.

This completes all the cases and proves the result. □

6.2. Desarguesian projective planes

We illustrate the proof of Result 25, and use the notation given there. For this we need a lemma, the proof of which is quite direct.

Lemma 1 ([21], Lemma 3.1) If $q = p^e \ge 5$, where $p$ is a prime, then
1. $\left(\frac{p(p+1)}{2}\right)^e > p^e + 2$;
2. $q^2 + q - \left(\frac{p(p+1)}{2}\right)^e - 1 > p^e + 2$.
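Before turning to the planes, here is an added check of Result 15 above; it is example code written for this page, not the chapter's or the authors' code. The script builds $C_n = C_2(Q_n)$ from the adjacency matrix of $Q_n$, confirms that $I$ is an information set, and searches $\mathcal{T}_n$ for an element that moves a given 3-set of positions into the check set $\mathcal{C}$. It follows the text's conventions (a position of $C_n$ is the integer label of a vertex of $Q_n$, coordinate 1 is the least significant bit, maps compose left to right); the function names and the random sample of triples are this example's own assumptions.

```python
"""Added example (not the chapter's code): the 3-PD-set T_n of Result 15.

Conventions follow the text: positions of C_n = C_2(Q_n) are the integers
0..2^n-1, coordinate i of a position is bit i-1 of its label, T(w) is the
translation v -> v + w, and t_i swaps coordinates i and n (t_n = identity).
Maps compose left to right, so T(w)t_i translates first and then swaps."""
import random


def adjacency_rows(n):
    """Row v of the adjacency matrix of Q_n, packed as a bitmask over 2^n columns."""
    return [sum(1 << (v ^ (1 << j)) for j in range(n)) for v in range(1 << n)]


def gf2_rank(rows):
    """Rank over F_2 of bitmask rows, by elimination on the leading bit."""
    pivots = {}                      # leading-bit position -> reduced row
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = r
                break
            r ^= pivots[lead]
    return len(pivots)


def information_set(n):
    """I = [0, 1, ..., 2^(n-1)-3, 2^n-2, 2^n-1] as in the text."""
    half = 1 << (n - 1)
    return list(range(half - 2)) + [(1 << n) - 2, (1 << n) - 1]


def check_set(n):
    """The check positions C: the complement of I."""
    return frozenset(range(1 << n)) - frozenset(information_set(n))


def restrict(rows, cols):
    """Keep only the given columns of each row, repacked contiguously."""
    return [sum(((r >> c) & 1) << k for k, c in enumerate(cols)) for r in rows]


def is_information_set(n):
    """True iff the columns I of the generator matrix of C_n have rank dim C_n = |I|."""
    rows, cols = adjacency_rows(n), information_set(n)
    return gf2_rank(rows) == len(cols) == gf2_rank(restrict(rows, cols))


def apply_map(v, w, i, n):
    """Image of position v under T(w) t_i."""
    v ^= w                                                   # translation by w
    if i != n:                                               # t_i: swap coordinates i and n
        bit_i, bit_n = (v >> (i - 1)) & 1, (v >> (n - 1)) & 1
        if bit_i != bit_n:
            v ^= (1 << (i - 1)) | (1 << (n - 1))
    return v


def pd_element(triple, n, check=None):
    """An element (w, i) of T_n with T(w) t_i mapping the 3-set into C, or None."""
    check = check_set(n) if check is None else check
    for w in range(1 << n):
        for i in range(1, n + 1):
            if all(apply_map(v, w, i, n) in check for v in triple):
                return w, i
    return None


def uncovered(n, triples):
    """The 3-sets among `triples` that no element of T_n moves into C."""
    check = check_set(n)
    return [t for t in triples if pd_element(t, n, check) is None]


def random_triples(n, count, seed=0):
    """A reproducible sample of 3-sets of positions (constructed test input)."""
    rng = random.Random(seed)
    return [tuple(rng.sample(range(1 << n), 3)) for _ in range(count)]


if __name__ == "__main__":
    n = 8
    print(is_information_set(n))                          # True
    print(len(uncovered(n, random_triples(n, 300))))      # 0
```

The search in `pd_element` is the brute-force form of the case analysis: it tries all $n2^n$ elements of $\mathcal{T}_n$ rather than picking one by the shape of the triple, which is what makes it a useful independent check of the proof's constructions (for instance the triple $\{0, a, b\}$, which $T(2^{n-1})$ handles).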

Proof of Result 25: Note first that $G$ is transitive on triangles and on collinear triples of points: see, for example, [18, Chapter 2]. For 3-PD-sets, let $I$ denote an information set for $C$ and $\mathcal{C}$ a check set, and let $T = \{P_1, P_2, P_3\}$ be a set of three points. We first show that both $I$ and $\mathcal{C}$ contain both triangles and sets of collinear triples. In fact, if a set of points in the plane has no three points collinear, then it must be an arc in the plane and hence of size at most $q + 2$. Both $I$ and $\mathcal{C}$ have size bigger than this by Lemma 1, so this is impossible. Also, neither $I$ nor $\mathcal{C}$ can have all points collinear since this would restrict their size to $q + 1$. Thus both types of triples occur in both $I$ and $\mathcal{C}$. By transitivity, $T$ can be mapped to the error positions by some member of $G$: into $\mathcal{C}$ in the case of $C$ and into $I$ in the case of $C^\perp$.


For 4-PD-sets, we need to consider sets of four points in the plane. Such a set is either a quadrangle, or a point and three collinear points, or a set of four collinear points. Again taking $I$ for the information set and $\mathcal{C}$ for the check set, using the lemma we see that both $I$ and $\mathcal{C}$ contain 4-sets of the first two types. Since $G$ is transitive on these types of 4-sets, we can always map such a 4-set to the check symbols. In the case of sets of four collinear points, we do not have transitivity. We have to ensure that $\mathcal{C}$ (for $C$) and $I$ (for $C^\perp$) contains a representative of every orbit of $G$ acting on collinear 4-sets. Since $G$ is transitive on incident point-line pairs and since $q \ge 4$, each line excluding an arbitrary point contains such representatives. We may choose $I$ for $C$ by starting with an information set for a corresponding affine plane and adding a point from the line at infinity. In this case $\mathcal{C}$ will contain a line excluding one point. Thus $C$ has a 4-PD-set in this case. Now let $L$ be any line of $PG_2(F_q)$, let $P_1, \ldots, P_{q+1}$ be the points of $L$, let $P$ be a point off $L$ and let $L_i$ be the line joining $P$ to $P_i$, $i = 1, \ldots, q+1$. Then $v^{L_1}, \ldots, v^{L_{q+1}}$ are independent and yield $I_{q+1}$ when restricted to the positions $P_1, \ldots, P_{q+1}$. Hence we may choose $I$ to contain $P_1, \ldots, P_{q+1}$. With the corresponding check set as the information set, $C^\perp$ has a 4-PD-set. □

6.3. Affine hyperplane designs

We give the proof of Result 34 for $C_p(AG_{m,m-1}(F_p)) = R_{F_p}(p-1, m)$, the $p$-ary code of the design of points and hyperplanes of $AG_m(F_p)$ where $p$ is a prime. This uses the information set found in Result 24, Equation (11).

Proof of Result 34: We need to show that any two vectors $v$ and $w$ can be moved by some multiple of $z$ into the check positions
$$\mathcal{C} = \{(i_1, i_2, \ldots, i_m) \mid i_k \in F_p,\ \textstyle\sum_{k=1}^{m} i_k > p-1\},$$
the sum being taken as an integer with each $i_k$ represented in $\{0, \ldots, p-1\}$. Notice that if, for a given prime $p$, we can prove this for $m = t$ then it will follow for $m \ge t$. To shorten the exposition, we will omit consideration of primes $\le 11$ and prove the result for $p \ge 13$ and $m = 3$. This leaves $m = 3$ for the primes $p = 5, 7$ and $11$, and $m = 4$ for $p = 3$. These involve a proliferation of subdivisions which need to be considered but no essential difficulty.

We consider the various types of pairs of vectors $(a, b, c) \in F_p^3$, and for each pair we write down an element $k$ of $F_p$ such that the corresponding element of $Z$ moves that pair into $\mathcal{C}$. We can always translate such a pair of vectors into one of the form $(a, b, c)$, $(0, d, e)$. As membership of $\mathcal{C}$ depends only on the sum of the coordinates, we may assume that $0 \le a \le b \le c \le p-1$ and $0 \le d \le e \le p-1$. Let $\beta = \lfloor p/3 \rfloor + 1$.

First, suppose $d = e = 0$. If $p-1-a \ge \beta$, let $k = p-1-a$ unless $b = c = a+1$. In this case, if $p-2-a \ge \beta$ let $k = p-2-a$, and if $p-1-a = \beta$ let $k = 2\beta + 1$. If $p-1-a < \beta$ let $k = p-1$.

Next, suppose $d = 0$ and $e \ne 0$. If $a+b+c > p+2$, let $k = p-1$. If $a+b+c \le p+2$ and $p \ge 11$, let $k = p-1-a$ unless $b = c = a+1$. In this case, let $k = p-2-a$ if $p \ge 13$.

Finally, suppose $a$, $b$ and $c$ are distinct and $0$, $d$ and $e$ are distinct. If $a+b+c > p+2$, let $k = p-1$. Now suppose $a+b+c \le p+2$. We may choose $k = p-1-a$ if $d \le a$, or if $a < d$ and $d+e \ge 3a+3$. Now suppose additionally that $a < d$ and $d+e < 3a+3$. If $e \le b$ let $k = p-1-b$, and if $b < e$ let $k = p-e$. This completes the proof for $p \ge 13$ and $m \ge 3$. □

7. Conclusion

We do not claim to give an exhaustive survey of all the known work to date on the discovery of PD-sets and $s$-PD-sets for codes associated with finite geometries or graphs, but we give a large sample of what has been achieved. Huffman [17] gives a survey up to the date of publication of his chapter in the Handbook of Coding Theory. Another survey of recent results is in [48]. A permutation decoding method linked to the method using PD-sets was established in [38,36]. It uses the idea of antiblocking sets, and works on the basis of finding a sufficient number of information sets to employ a decoding algorithm very similar to that used with PD-sets. This method can in fact be more efficient than that using PD-sets, as is pointed out in [36].

References

[1] E. F. Assmus, Jr and J. D. Key. Designs and their Codes. Cambridge Tracts in Mathematics, Vol. 103. Cambridge: Cambridge University Press, 1992 (second printing with corrections, 1993).
[2] E. F. Assmus, Jr and J. D. Key. Polynomial codes and finite geometries. In V. S. Pless and W. C. Huffman, editors, Handbook of Coding Theory, Volume 2, Part 2, Chapter 16, pages 1269–1343. Amsterdam: Elsevier, 1998.
[3] W. Bosma, J. Cannon, and C. Playoust. The Magma algebra system I: The user language. J. Symb. Comp., 24(3/4):235–265, 1997.
[4] A. E. Brouwer, A. M. Cohen, and A. Neumaier. Distance-Regular Graphs. Ergebnisse der Mathematik und ihrer Grenzgebiete, Folge 3, Band 18. Berlin, New York: Springer-Verlag, 1989.
[5] J. Cannon, A. Steel, and G. White. Linear codes over finite fields. In J. Cannon and W. Bosma, editors, Handbook of Magma Functions, pages 3951–4023. Computational Algebra Group, Department of Mathematics, University of Sydney, 2006. V2.13, http://magma.maths.usyd.edu.au/magma.
[6] Hervé Chabanne. Permutation decoding of abelian codes. IEEE Trans. Inform. Theory, 38:1826–1829, 1992.
[7] W. Fish, J. D. Key, and E. Mwambene. Binary codes from designs from the reflexive n-cube. Util. Math. (to appear, 85 (2011)).
[8] W. Fish, J. D. Key, and E. Mwambene. Codes from the incidence matrices and line graphs of Hamming graphs H^k(n,2) for k ≥ 2. Adv. Math. Commun. (to appear).
[9] W. Fish, J. D. Key, and E. Mwambene. Codes, designs and groups from the Hamming graphs. J. Combin. Inform. System Sci., 34(1-4):169–182, 2009.
[10] W. Fish, J. D. Key, and E. Mwambene. Graphs, designs and codes related to the n-cube. Discrete Math., 309:3255–3269, 2009.
[11] W. Fish, J. D. Key, and E. Mwambene. Binary codes of line graphs from the n-cube. J. Symbolic Comput., 45:800–812, 2010.
[12] W. Fish, J. D. Key, and E. Mwambene. Codes from the incidence matrices and line graphs of Hamming graphs. Discrete Math., 310:1884–1897, 2010.
[13] Washiela Fish. Codes from uniform subset graphs and cyclic products. PhD thesis, University of the Western Cape, 2007.
[14] The GAP Group. GAP: Groups, Algorithms, and Programming, Version 4.4.12, 2008. http://www.gap-system.org.
[15] D. M. Gordon. Minimal permutation sets for decoding the binary Golay codes. IEEE Trans. Inform. Theory, 28:541–543, 1982.
[16] Willem H. Haemers, René Peeters, and Jeroen M. van Rijckevorsel. Binary codes of strongly regular graphs. Des. Codes Cryptogr., 17:187–209, 1999.
[17] W. Cary Huffman. Codes and groups. In V. S. Pless and W. C. Huffman, editors, Handbook of Coding Theory, Volume 2, Part 2, Chapter 17, pages 1345–1440. Amsterdam: Elsevier, 1998.
[18] Daniel R. Hughes and Fred C. Piper. Projective Planes. Graduate Texts in Mathematics 6. New York: Springer-Verlag, 1973.
[19] David Joyner. Conjectural permutation decoding of some AG codes. ACM SIGSAM Bulletin, 39(1), March 2005.
[20] J. D. Key and J. Limbupasiriporn. Permutation decoding of codes from Paley graphs. Congr. Numer., 170:143–155, 2004.
[21] J. D. Key, T. P. McDonough, and V. C. Mavron. Partial permutation decoding for codes from finite planes. European J. Combin., 26:665–682, 2005.
[22] J. D. Key, T. P. McDonough, and V. C. Mavron. Information sets and partial permutation decoding for codes from finite geometries. Finite Fields Appl., 12:232–247, 2006.
[23] J. D. Key, T. P. McDonough, and V. C. Mavron. Partial permutation decoding for codes from affine geometry designs. J. Geom., 88:101–109, 2008.
[24] J. D. Key, T. P. McDonough, and V. C. Mavron. Reed-Muller codes and permutation decoding. Discrete Math., 310:3114–3119, 2010.
[25] J. D. Key, J. Moori, and B. G. Rodrigues. Binary codes from graphs on triples. Discrete Math., 282(1-3):171–182, 2004.
[26] J. D. Key, J. Moori, and B. G. Rodrigues. Permutation decoding for binary codes from triangular graphs. European J. Combin., 25:113–123, 2004.
[27] J. D. Key, J. Moori, and B. G. Rodrigues. Binary codes from graphs on triples and permutation decoding. Ars Combin., 79:11–19, 2006.
[28] J. D. Key, J. Moori, and B. G. Rodrigues. Partial permutation decoding of some binary codes from graphs on triples. Ars Combin., 91:363–371, 2009.
[29] J. D. Key, J. Moori, and B. G. Rodrigues. Ternary codes from graphs on triples. Discrete Math., 309:4663–4681, 2009.
[30] J. D. Key, J. Moori, and B. G. Rodrigues. Codes associated with triangular graphs, and permutation decoding. Int. J. Information and Coding Theory, 1(3):334–349, 2010.
[31] J. D. Key and B. G. Rodrigues. Codes associated with lattice graphs, and permutation decoding. Discrete Appl. Math., 158:1807–1815, 2010.
[32] J. D. Key and P. Seneviratne. Binary codes from rectangular lattice graphs and permutation decoding. European J. Combin., 28:121–126, 2006.
[33] J. D. Key and P. Seneviratne. Codes from the line graphs of complete multipartite graphs and PD-sets. Discrete Math., 307:2217–2225, 2007.
[34] J. D. Key and P. Seneviratne. Permutation decoding for binary self-dual codes from the graph Q_n where n is even. In T. Shaska, W. C. Huffman, D. Joyner, and V. Ustimenko, editors, Advances in Coding Theory and Cryptology, Series on Coding Theory and Cryptology, 2, pages 152–159. World Scientific Publishing Co. Pte. Ltd., Hackensack, NJ, 2007.
[35] J. D. Key and P. Seneviratne. Permutation decoding of binary codes from lattice graphs. Discrete Math., 308:2862–2867, 2008.
[36] Hans-Joachim Kroll and Rita Vincenti. Antiblocking decoding. Discrete Appl. Math. (2010), to appear.
[37] Hans-Joachim Kroll and Rita Vincenti. PD-sets related to the codes of some classical varieties. Discrete Math., 301:89–105, 2005.
[38] Hans-Joachim Kroll and Rita Vincenti. Antiblocking systems and PD-sets. Discrete Math., 308:401–407, 2008.
[39] Hans-Joachim Kroll and Rita Vincenti. PD-sets for binary RM-codes and the codes related to the Klein quadric and to the Schubert variety of PG(5,2). Discrete Math., 308:408–414, 2008.
[40] J. Limbupasiriporn. Partial permutation decoding for codes from designs and finite geometries. PhD thesis, Clemson University, 2005.
[41] J. H. van Lint and R. M. Wilson. A Course in Combinatorics. Cambridge: Cambridge University Press, 1992.
[42] F. J. MacWilliams. Permutation decoding of systematic codes. Bell System Tech. J., 43:485–505, 1964.
[43] F. J. MacWilliams and N. J. A. Sloane. The Theory of Error-Correcting Codes. Amsterdam: North-Holland, 1983.
[44] G. Eric Moorhouse. Bruck nets, codes, and characters of loops. Des. Codes Cryptogr., 1:7–29, 1991.
[45] B. G. Rodrigues. Codes of designs and graphs from finite simple groups. PhD thesis, University of Natal, 2003.
[46] J. Schönheim. On coverings. Pacific J. Math., 14:1405–1411, 1964.
[47] P. Seneviratne. Partial permutation decoding for the first-order Reed-Muller codes. Discrete Math., 309:1967–1970, 2009.
[48] Padmapani Seneviratne. Permutation decoding of codes from graphs and designs. PhD thesis, Clemson University, 2007.
[49] Vladimir D. Tonchev. Combinatorial Configurations, Designs, Codes, Graphs. Pitman Monographs and Surveys in Pure and Applied Mathematics, No. 40. New York: Longman, 1988. Translated from the Bulgarian by Robert A. Melter.
[50] Hassler Whitney. Congruent graphs and the connectivity of graphs. Amer. J. Math., 54:154–168, 1932.
[51] J. Wolfmann. A permutation decoding of the (24,12,8) Golay code. IEEE Trans. Inform. Theory, 29:748–750, 1983.


Information Security, Coding Theory and Related Combinatorics. D. Crnković and V. Tonchev (Eds.). IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-202

J. Moori², School of Mathematical Sciences, University of KwaZulu-Natal, Pietermaritzburg 3209, South Africa

Abstract. We will discuss two methods for constructing codes and designs from finite groups (mostly simple finite groups). This is a survey of the collaborative work by the author with J. D. Key and B. G. Rodrigues.

Keywords. Designs, codes, simple groups, maximal subgroups, conjugacy classes

1. Introduction

Error-correcting codes that have large automorphism groups whose properties are extensively studied can be useful in applications, as the group can help in determining the code's properties and can be useful in decoding algorithms: see Huffman [14] for a discussion of possibilities, including the question of the use of permutation decoding by searching for PD-sets. We will discuss two methods for constructing codes and designs from finite groups (mostly simple finite groups). In the first method we discuss the construction of symmetric 1-designs and binary codes obtained from the primitive permutation representations, that is from the action on the maximal subgroups, of a finite group $G$. This method has been applied to several sporadic simple groups, for example in [17], [21], [22], [26], [27], [28] and [29]. The second method introduces a technique from which a large number of non-symmetric 1-designs can be constructed. Let $G$ be a finite group, $M$ a maximal subgroup of $G$ and $C_g = [g] = nX$ the conjugacy class of $G$ containing $g$. We construct 1-$(v, k, \lambda)$ designs $\mathcal{D} = (\mathcal{P}, \mathcal{B})$, where $\mathcal{P} = nX$ and $\mathcal{B} = \{(M \cap nX)^y \mid y \in G\}$. The parameters $v$, $k$, $\lambda$ and further properties of $\mathcal{D}$ are determined. We also study codes associated with these designs. In Subsections 5.1, 5.2 and 5.3 we apply the second method to the groups $A_7$, $PSL_2(q)$ and $J_1$ respectively.

2. Terminology and notation

Our notation will be standard, and it is as in [2] for designs and the ATLAS [5] for groups. For the structure of finite simple groups and their maximal subgroups we follow the ATLAS notation.

¹ AMS Subject Classification (2000): 20D05, 05B05.
² Support from NATO, NRF and the University of KwaZulu-Natal is acknowledged.


An incidence structure $\mathcal{D} = (\mathcal{P}, \mathcal{B}, \mathcal{I})$, with point set $\mathcal{P}$, block set $\mathcal{B}$ and incidence $\mathcal{I}$, is a $t$-$(v, k, \lambda)$ design if $|\mathcal{P}| = v$, every block $B \in \mathcal{B}$ is incident with precisely $k$ points, and every $t$ distinct points are together incident with precisely $\lambda$ blocks. The complement of $\mathcal{D}$ is the structure $\bar{\mathcal{D}} = (\mathcal{P}, \mathcal{B}, \bar{\mathcal{I}})$, where $\bar{\mathcal{I}} = \mathcal{P} \times \mathcal{B} \setminus \mathcal{I}$. The dual structure of $\mathcal{D}$ is $\mathcal{D}^t = (\mathcal{B}, \mathcal{P}, \mathcal{I}^t)$, where $(B, P) \in \mathcal{I}^t$ if and only if $(P, B) \in \mathcal{I}$. Thus the transpose of an incidence matrix for $\mathcal{D}$ is an incidence matrix for $\mathcal{D}^t$. We will say that the design is symmetric if it has the same number of points and blocks, and self-dual if it is isomorphic to its dual. A $t$-$(v, k, \lambda)$ design is called self-orthogonal if the block intersection numbers have the same parity as the block size.

The code $C_F$ of the design $\mathcal{D}$ over the finite field $F$ is the space spanned by the incidence vectors of the blocks over $F$. We take $F$ to be a prime field $F_p$, in which case we write also $C_p$ for $C_F$, and refer to the dimension of $C_p$ as the $p$-rank of $\mathcal{D}$. If the point set of $\mathcal{D}$ is denoted by $\mathcal{P}$ and the block set by $\mathcal{B}$, and if $Q$ is any subset of $\mathcal{P}$, then we will denote the incidence vector of $Q$ by $v^Q$. Thus $C_F = \langle v^B \mid B \in \mathcal{B} \rangle$, and is a subspace of $F^{\mathcal{P}}$, the full vector space of functions from $\mathcal{P}$ to $F$. For any code $C$, the dual code $C^\perp$ is the orthogonal subspace under the standard inner product. The hull of a design's code over some field is the intersection $C \cap C^\perp$. If a linear code over the finite field $F$ of order $q$ is of length $n$, dimension $k$, and minimum weight $d$, then we write $[n, k, d]_q$ to represent this information. If $c$ is a codeword then the support of $c$, $s(c)$, is the set of non-zero coordinate positions of $c$. A constant word in the code is a codeword all of whose coordinate entries are either 0 or 1. The all-one vector will be denoted by $\jmath$, and is the constant vector of weight the length of the code.
Two linear codes of the same length and over the same field are equivalent if each can be obtained from the other by permuting the coordinate positions and multiplying each coordinate position by a non-zero field element. They are isomorphic if they can be obtained from one another by permuting the coordinate positions. An automorphism of a code is any permutation of the coordinate positions that maps codewords to codewords. An automorphism thus preserves each weight class of $C$. A binary code with all weights divisible by 4 is said to be a doubly-even binary code.

Terminology for graphs is standard: our graphs are undirected, and the valency of a vertex is the number of edges containing the vertex. A graph is regular if all the vertices have the same valency, and a regular graph is strongly regular of type $(n, k, \lambda, \mu)$ if it has $n$ vertices, valency $k$, and if any two adjacent vertices are together adjacent to $\lambda$ vertices, while any two non-adjacent vertices are together adjacent to $\mu$ vertices.

The groups $G.H$, $G{:}H$ and $G{\cdot}H$ denote a general extension, a split extension and a non-split extension respectively. For a prime $p$, $p^n$ denotes the elementary abelian group of order $p^n$. If $G$ is a group and $M$ is a $G$-module, the socle of $M$, written $\mathrm{Soc}(M)$, is the largest semi-simple $G$-submodule of $M$. It is the direct sum of all the irreducible $G$-submodules of $M$. Determination of $\mathrm{Soc}(V)$ for each of the relevant full-space $G$-modules $V = F^n$ is highly desirable.


3. Group Actions and Permutation Characters

Suppose that $G$ is a finite group acting on a finite set $\Omega$. For $\alpha \in \Omega$, the stabilizer of $\alpha$ in $G$ is given by $G_\alpha = \{g \in G \mid \alpha^g = \alpha\}$. Then $G_\alpha \le G$ and $[G : G_\alpha] = |\Delta|$, where $\Delta$ is the orbit containing $\alpha$. The action of $G$ on $\Omega$ gives a permutation representation with corresponding permutation character denoted by $\chi(G|\Omega)$. Then from elementary representation theory we deduce that

Lemma 1 (i) The action of $G$ on $\Omega$ is isomorphic to the action of $G$ on $G/G_\alpha$, that is on the set of all left cosets of $G_\alpha$ in $G$. Hence $\chi(G|\Omega) = \chi(G|G_\alpha)$.
(ii) $\chi(G|\Omega) = (I_{G_\alpha})^G$, the trivial character of $G_\alpha$ induced to $G$.
(iii) For all $g \in G$, $\chi(G|\Omega)(g)$ is the number of points in $\Omega$ fixed by $g$.

Proof: For example see Isaacs [15] or Ali [1]. In fact for any subgroup $H \le G$ we have
$$\chi(G|H)(g) = \sum_{i=1}^{k} \frac{|C_G(g)|}{|C_H(h_i)|},$$
where $h_1, h_2, \ldots, h_k$ are representatives of the conjugacy classes of $H$ that fuse to $[g] = C_g$ in $G$.

Lemma 2 Let $H$ be a subgroup of $G$ and let $\Omega$ be the set of all conjugates of $H$ in $G$. Then we have
(i) $G_H = N_G(H)$ and $\chi(G|\Omega) = \chi(G|N_G(H))$.
(ii) For any $g$ in $G$, the number of conjugates of $H$ in $G$ containing $g$ is given by
$$\chi(G|\Omega)(g) = \sum_{i=1}^{m} \frac{|C_G(g)|}{|C_{N_G(H)}(x_i)|},$$
where the $x_i$'s and $h_i$'s are representatives of the conjugacy classes of $N_G(H)$ and $H$ that fuse to $[g] = C_g$ in $G$, respectively.

Proof: (i) $G_H = \{x \in G \mid H^x = H\} = \{x \in G \mid x \in N_G(H)\} = N_G(H)$. Now the result follows from Lemma 1 part (i).


(ii) The proof follows from part (i) and Corollary 3.1.3 of Ganief [10], which uses a result of Finkelstein [7].

Remark 1 Note that
$$\chi(G|\Omega)(g) = |\{H^x : (H^x)^g = H^x\}| = |\{H^x \mid H^{x^{-1}gx} = H\}| = |\{H^x \mid x^{-1}gx \in N_G(H)\}| = |\{H^x \mid g \in xN_G(H)x^{-1}\}| = |\{H^x \mid g \in (N_G(H))^x\}|.$$

Corollary 3 If $G$ is a finite simple group and $M$ is a maximal subgroup of $G$, then the number of conjugates of $M$ in $G$ containing $g$ is given by
$$\chi(G|M)(g) = \sum_{i=1}^{k} \frac{|C_G(g)|}{|C_M(x_i)|},$$
where $x_1, x_2, \ldots, x_k$ are representatives of the conjugacy classes of $M$ that fuse to the class $[g] = C_g$ in $G$.

Proof: It follows from Lemma 2 and the fact that $N_G(M) = M$. It is also a direct application of Remark 1, since $\chi(G|\Omega)(g) = |\{M^x \mid g \in (N_G(M))^x\}| = |\{M^x \mid g \in M^x\}|$.

Let $B$ be a subset of $\Omega$. If $B^g = B$ or $B^g \cap B = \emptyset$ for all $g \in G$, we say $B$ is a block for $G$. Clearly $\emptyset$, $\Omega$ and $\{\alpha\}$ for all $\alpha \in \Omega$ are blocks, called trivial blocks. Any other block is called non-trivial. If $G$ is transitive on $\Omega$ and has no non-trivial block on $\Omega$, then we say $G$ is primitive. Otherwise we say $G$ is imprimitive.

Remark 2 The Classification of Finite Simple Groups (CFSG) implies that no 6-transitive finite groups exist other than $S_n$ ($n \ge 6$) and $A_n$ ($n \ge 8$), and that the Mathieu groups are the only faithful permutation groups other than $S_n$ and $A_n$ providing examples of 4- and 5-transitive groups.

Remark 3 It is well known that every 2-transitive group is primitive. By using CFSG, all finite 2-transitive groups are known.

The following is a well-known theorem that gives a characterisation of primitive permutation groups. Since by Lemma 1 the permutation action of a group $G$ on a set $\Omega$ is equivalent to the action of $G$ on the set of left cosets $G/G_\alpha$, determination of the primitive actions of $G$ reduces to the classification of its maximal subgroups.

Theorem 4 Let $G$ be a transitive permutation group on a set $\Omega$. Then $G$ is primitive if and only if $G_\alpha$ is a maximal subgroup of $G$ for every $\alpha \in \Omega$.

Proof: See Rotman [32].


4. Method 1

Construction of 1-Designs and Codes from Maximal Subgroups: In this section we consider primitive representations of a finite group $G$. Let $G$ be a finite primitive permutation group acting on the set $\Omega$ of size $n$. We can consider the action of $G$ on $\Omega \times \Omega$ given by $(\alpha, \beta)^g = (\alpha^g, \beta^g)$ for all $\alpha, \beta \in \Omega$ and all $g \in G$. An orbit of $G$ on $\Omega \times \Omega$ is called an orbital. If $\Delta$ is an orbital, then $\Delta^* = \{(\beta, \alpha) : (\alpha, \beta) \in \Delta\}$ is also an orbital of $G$ on $\Omega \times \Omega$, which is called the paired orbital of $\Delta$. We say $\Delta$ is self-paired if $\Delta = \Delta^*$. Now let $\alpha \in \Omega$, and let $\Delta \ne \{\alpha\}$ be an orbit of the stabilizer $M = G_\alpha$ of $\alpha$. It is not difficult to see that $\bar{\Delta} = \{(\alpha, \delta)^g : \delta \in \Delta,\ g \in G\}$ is an orbital. We say that $\Delta$ is self-paired if and only if $\bar{\Delta}$ is a self-paired orbital. Also note that the primitivity of $G$ on $\Omega$ implies that $M$ is a maximal subgroup of $G$. If $M = G_\alpha$ has only three orbits on $\Omega$ (the orbit $\{\alpha\}$ and two others), then we say that $G$ is a rank-3 permutation group.

Our construction for the symmetric 1-designs is based on the following results, mainly Theorem 5 below, which is Proposition 1 of [17] with its corrected version in [18]:

Theorem 5 Let $G$ be a finite primitive permutation group acting on the set $\Omega$ of size $n$. Let $\alpha \in \Omega$, and let $\Delta \ne \{\alpha\}$ be an orbit of the stabilizer $G_\alpha$ of $\alpha$. If $\mathcal{B} = \{\Delta^g : g \in G\}$ and, given $\delta \in \Delta$, $\mathcal{E} = \{\{\alpha, \delta\}^g : g \in G\}$, then $\mathcal{D} = (\Omega, \mathcal{B})$ forms a 1-$(n, |\Delta|, |\Delta|)$ design with $n$ blocks. Further, if $\Delta$ is a self-paired orbit of $G_\alpha$, then $\Gamma = (\Omega, \mathcal{E})$ is a regular connected graph of valency $|\Delta|$, $\mathcal{D}$ is self-dual, and $G$ acts as an automorphism group on each of these structures, primitive on vertices of the graph, and on points and blocks of the design.

Proof: We have $|G| = |G_\Delta||\Delta^G|$, and clearly $G_\alpha \le G_\Delta$. Since $G$ is primitive on $\Omega$, $G_\alpha$ is maximal in $G$, and thus $G_\Delta = G_\alpha$, and $|\Delta^G| = |\mathcal{B}| = n$. This proves that we have a 1-$(n, |\Delta|, |\Delta|)$ design. Since $\Delta$ is self-paired, $\Gamma$ is a graph rather than only a digraph. In $\Gamma$ we notice that the vertices adjacent to $\alpha$ are the vertices in $\Delta$. Now as we orbit these pairs under $G$, we get the $nk$ ordered pairs, and thus $nk/2$ edges, where $k = |\Delta|$. Since the graph has $G$ acting, it is clearly regular, and thus the valency is $k$ as required, i.e. the only vertices adjacent to $\alpha$ are those in the orbit $\Delta$. The graph must be connected, as a maximal connected component will form a block of imprimitivity, contradicting the group's primitive action. Now notice that an adjacency matrix for the graph is simply an incidence matrix for the 1-design, so that the 1-design is necessarily self-dual. This proves all our assertions.

Note that if we form any union of orbits of the stabilizer of a point, including the orbit consisting of the single point, and orbit this under the full group, we will


still get a self-dual symmetric 1-design with the group operating. Thus the orbits of the stabilizer can be regarded as building blocks. Since the complementary design (i.e. taking the complements of the blocks to be the new blocks) will have exactly the same properties, we will assume that our block size is at most $v/2$. In fact this will give us all possible designs on which the group acts primitively on points and blocks:

Lemma 6 If the group $G$ acts primitively on the points and the blocks of a symmetric 1-design $\mathcal{D}$, then the design can be obtained by orbiting a union of orbits of a point-stabilizer, as described in Theorem 5.

Proof: Suppose that $G$ acts primitively on points and blocks of the 1-$(v, k, k)$ design $\mathcal{D}$. Let $\mathcal{B}$ be the block set of $\mathcal{D}$; then if $B$ is any block of $\mathcal{D}$, $\mathcal{B} = B^G$. Thus $|G| = |\mathcal{B}||G_B|$, and since $G$ is primitive, $G_B$ is maximal and thus $G_B = G_\alpha$ for some point $\alpha$. Thus $G_\alpha$ fixes $B$, so this must be a union of orbits of $G_\alpha$.

Lemma 7 If $G$ is a primitive simple group acting on $\Omega$, then for any $\alpha \in \Omega$, the point stabilizer $G_\alpha$ has only one orbit of length 1.

Proof: Suppose that $G_\alpha$ fixes also $\beta$. Then $G_\alpha = G_\beta$. Since $G$ is transitive, there exists $g \in G$ such that $\alpha^g = \beta$. Then $(G_\alpha)^g = G_{\alpha^g} = G_\beta = G_\alpha$, and thus $g \in N_G(G_\alpha) = N$, the normalizer of $G_\alpha$ in $G$. Since $G_\alpha$ is maximal in $G$, we have $N = G_\alpha$ or $N = G$. But $G$ is simple, so we must have $N = G_\alpha$, so that $g \in G_\alpha$ and so $\beta = \alpha$.

We have considered various finite simple groups, for example $J_1$; $J_2$; $McL$; $PSp_{2m}(q)$, where $q$ is a power of an odd prime and $m \ge 2$; $Co_2$; $HS$ and $Ru$. For each group, using Magma [4], we construct designs and graphs that have the group acting primitively on points as automorphism group, and, for a selection of small primes, codes over that prime field derived from the designs or graphs that also have the group acting as automorphism group. For each code, the code automorphism group at least contains the associated group $G$.
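As an added illustration of Theorem 5, Lemma 6 and Corollary 3, the following Python script runs the construction on a group small enough to check by hand; it is example code written for this page, not the chapter's or the authors' Magma computations. The group is $A_5$ acting on the 10 unordered pairs of $\{0, \ldots, 4\}$: the pair stabilizer is $S_3$, which is maximal in $A_5$, so the action is primitive and of rank 3. The script forms the orbits of a point stabilizer, orbits one of them under the group to obtain the blocks of Theorem 5, checks the 1-design parameters, the self-paired property and the $p$-rank of the incidence matrix, and verifies the fusion formula of Corollary 3 against fixed-point counts for every element. The generators, the choice of orbit and all function names are this example's own assumptions; the group order 60, the parameters 1-(10, 3, 3) and the 2-rank 6 follow from the construction.

```python
"""Added example (not the chapter's code): Theorem 5 and Corollary 3 on A_5.
G = A_5 acts on the 10 unordered pairs of {0,...,4}; the pair stabiliser is
S_3, maximal in A_5, so G is primitive of rank 3 on Omega = {0,...,9}.
Permutations are tuples p with p[x] = x^p, composed left to right."""
from itertools import combinations


def compose(p, q):                       # x^(pq) = (x^p)^q
    return tuple(q[x] for x in p)


def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return tuple(inv)


def conjugate(x, h):                     # x^h = h^-1 x h
    return compose(compose(inverse(h), x), h)


def generate(gens):
    """Closure of the generators under composition (breadth first)."""
    group = {tuple(range(len(gens[0])))}
    frontier = list(group)
    while frontier:
        new = [q for p in frontier for g in gens if (q := compose(p, g)) not in group]
        group.update(new)
        frontier = list(set(new))
    return group


PAIRS = [frozenset(c) for c in combinations(range(5), 2)]   # the 10 points
INDEX = {pr: i for i, pr in enumerate(PAIRS)}


def on_pairs(perm):
    """Permutation of the 10 pairs induced by a permutation of {0,...,4}."""
    return tuple(INDEX[frozenset(perm[x] for x in pr)] for pr in PAIRS)


G = generate([on_pairs((1, 2, 3, 4, 0)), on_pairs((1, 2, 0, 3, 4))])  # 5-cycle, 3-cycle: A_5
OMEGA = list(range(len(PAIRS)))


def stabiliser(group, alpha):
    return {g for g in group if g[alpha] == alpha}


def orbits(subgroup, points):
    """Orbits of a (closed) permutation group on the given points."""
    out, seen = [], set()
    for x in points:
        if x not in seen:
            out.append(frozenset(g[x] for g in subgroup))
            seen |= out[-1]
    return out


def blocks_of(group, delta):
    """B = {Delta^g : g in G} (Theorem 5); Delta may be a union of G_alpha-orbits (Lemma 6)."""
    return {frozenset(g[x] for x in delta) for g in group}


def one_design_parameters(points, blocks):
    """(v, k, lambda) if every block has k points and every point lies in lambda blocks."""
    sizes = {len(b) for b in blocks}
    reps = {sum(x in b for b in blocks) for x in points}
    return (len(points), sizes.pop(), reps.pop()) if len(sizes) == len(reps) == 1 else None


def is_self_paired(group, alpha, delta):
    """Delta is self-paired iff 'y lies in the block attached to x' is symmetric in x, y."""
    block = {g[alpha]: frozenset(g[x] for x in delta) for g in group}
    return all((y in block[x]) == (x in block[y]) for x in block for y in block)


def rank_mod_p(rows, p):
    """Rank over F_p of a list of integer rows (Gaussian elimination)."""
    rows, rank = [[a % p for a in r] for r in rows], 0
    for col in range(len(rows[0])):
        piv = next((r for r in rows if r[col]), None)
        if piv is not None:
            inv = pow(piv[col], -1, p)
            rows = [[(a - r[col] * inv * b) % p for a, b in zip(r, piv)] for r in rows if r is not piv]
            rank += 1
    return rank


def p_rank(points, blocks, p):
    """dim C_p(D): the p-rank of the incidence matrix of the design."""
    return rank_mod_p([[int(x in b) for x in points] for b in blocks], p)


def fixed_points(g):
    return sum(x == y for x, y in enumerate(g))


def centraliser_order(group, g):
    return sum(compose(g, h) == compose(h, g) for h in group)


def character_by_fusion(group, subgroup, g):
    """Corollary 3: sum of |C_G(g)|/|C_M(x_i)| over the M-classes x_i^M that fuse into g^G."""
    g_class = {conjugate(g, h) for h in group}
    c_g, total, seen = centraliser_order(group, g), 0, set()
    for x in subgroup:
        if x not in seen:
            seen |= {conjugate(x, h) for h in subgroup}
            if x in g_class:
                total += c_g // centraliser_order(subgroup, x)
    return total


if __name__ == "__main__":
    M = stabiliser(G, 0)                                      # S_3, order 6
    delta = next(o for o in orbits(M, OMEGA) if len(o) == 3)  # pairs disjoint from pair 0
    B = blocks_of(G, delta)                                   # neighbourhoods in the Petersen graph
    print(one_design_parameters(OMEGA, B), is_self_paired(G, 0, delta), p_rank(OMEGA, B, 2))
    print(all(character_by_fusion(G, M, g) == fixed_points(g) for g in G))
```

The orbit of length 3 gives the Petersen graph as $\Gamma$ and a self-dual 1-(10, 3, 3) design whose binary code has dimension 6; the orbit of length 6 gives the complementary 1-(10, 6, 6) design. Because $A_5$ is simple and the stabilizer is maximal, the fusion sum of Corollary 3 agrees with the fixed-point count of Lemma 1(iii) for all 60 elements, which is the identity the check at the end exercises.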
To aid in the classification, if possible, the dimension of the hull of the design for each of these primes was found. Then we took a closer look at some of the more interesting codes that arose, asking what the basic coding properties were, and if the full automorphism group could be established. It is well known, and easy to see, that if the group is rank-3, then the graph formed as described in Theorem 5 will be strongly regular. In case the group is not of rank 3, this might still happen, and we examined this question also for some of the groups we studied. A sample of our results, for example for $J_1$ and $J_2$, is given below. Clearly the automorphism group of any of the codes will contain the automorphism group of the design from which it is formed. We looked at some of the codes that were computationally feasible to find out if the groups $J_1$ and $\bar{J}_2$ formed the full automorphism group in any of the cases when the code was not the full vector space. We first mention the following lemma:

Lemma 8 Let $C$ be the linear code of length $n$ of an incidence structure $\mathcal{I}$ over a field $F$. Then the automorphism group of $C$ is the full symmetric group if and only if $C = F^n$ or $C = F\jmath$.


Proof: Suppose $\mathrm{Aut}(C)$ is $S_n$. $C$ is spanned by the incidence vectors of the blocks of $\mathcal{I}$; let $B$ be such a block and suppose it has $k$ points, so that it gives a vector of weight $k$ in $C$. Clearly $C$ contains the incidence vector of any set of $k$ points, and thus, by taking the difference of two such vectors that differ in just two places, we see that $C$ contains all the vectors of weight 2 having as non-zero entries $1$ and $-1$. Thus $C = F\jmath$ or $F^n$. The converse is clear.

Huffman [14] has more on codes and groups, and in particular, on the possibility of the use of permutation decoding for codes with large groups acting. See also Knapp and Schmid [25] for more on codes with prescribed groups acting. In [13] Haemers, Parker, Pless and Tonchev discuss a design and a code invariant under the simple group $Co_3$. We should also mention here that Tonchev [34] constructs some binary linear codes using the adjacency matrices of the Hoffman-Singleton graph and the Higman-Sims graph. Most of the codes we looked at were too large to find the automorphism group, but we did find some of them, through computation with Magma. Note that we could in some cases look for the full group of the hull, and from that deduce the group of the code, since $\mathrm{Aut}(C) = \mathrm{Aut}(C^\perp) \subseteq \mathrm{Aut}(C \cap C^\perp)$.

4.1. $J_1$, $J_2$ and $Co_2$

In this subsection we give a brief discussion on the application of Method 1 to the sporadic simple groups $J_1$, $J_2$ and $Co_2$. For full details the reader is referred to [17], [18], [19] and [27].

4.1.1. Computations for $J_1$ and $J_2$

The first Janko sporadic simple group $J_1$ has order $175560 = 2^3 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 19$ and it has seven distinct primitive representations, of degree 266, 1045, 1463, 1540, 1596, 2926 and 4180, respectively (see Table 1 and [5,8]). For each of the seven primitive representations, using Magma, we constructed the permutation group and formed the orbits of the stabilizer of a point. For each of the non-trivial orbits, we formed the symmetric 1-design as described in Theorem 5.
We took the set $\{2, 3, 5, 7, 11\}$ of primes and found the dimension of the code and its hull for each of these primes. Note also that since 19 is a divisor of the order of $J_1$, in some of the smaller cases it is worthwhile also to look at codes over the field of order 19. We also found the automorphism group of each design, which will be the same as the automorphism group of the regular graph. Where computationally possible we also found the automorphism group of the code. Conclusions from our results are summarized below. In brief, we found that there are 245 designs formed in this manner from single orbits and that none of them is isomorphic to any other of the designs in this set. In every case the full automorphism group of the design or graph is $J_1$. In Table 2, the first column gives the degree, the second the number of orbits, and the remaining columns give the lengths of the orbits of length greater than 1, with the number of orbits of that length in parentheses after the length in case there is more than one of that length. The pairs that had the same code dimensions occurred as follows: for degrees 266, 1045 and 1596, there were no such pairs; for

No. Max[1] Max[2] Max[3] Max[4] Max[5] Max[6] Max[7] Order 660 168 120 114 110 60 42 Index 266 1045 1463 1540 1596 2926 4180 Structure P SL(2, 11) 23 :7:3 2 A5 19:6 11:10 D6 D10 7:6

209

# 5 11 22 21 19 67 107

length 132 168(5) 120(7) 114(9) 110(13) 60(34) 42(95) 110 56(3) 60(9) 57(6) 55(2) 30(27) 21(6) 12 28 20(2) 38(4) 22(2) 15(5) 14(4) 7 11 8 15(2) 19 11 12

degree 1463 there were two pairs, both for orbit size 60; for degree 1540, there were two pairs, for orbit size 57 and 114 respectively; for degree 2926 there was one pair for orbit size 60; for degree 4180 there were 12 pairs, for orbit size 42. In summary then, we have the following: Proposition 9 If G is the rst Janko group J1 , there are precisely 245 nonisomorphic self-dual 1-designs obtained by taking all the images under G of the non-trivial orbits of the point stabilizer in any of Gs primitive representations, and on which G acts primitively on points and blocks. In each case the full automorphism group is J1 . Every primitive action on symmetric 1-designs can be obtained by taking the union of such orbits and orbiting under G. We tested the graphs for strong regularity in the cases of the smaller degree, and did not nd any that were strongly regular. We also found the designs and their codes for some of the unions of orbits in some cases. We found that some of the codes were the same for some primes, but not for all. The second Janko sporadic simple group J2 has order has order 604800 = 27 33 52 7, and it has nine primitive permutation representations (see Table 3), but we did not compute with the largest degree. Thus our results cover only the rst eight. Our results for J2 are dierent from those for J1 , due to the existence of an outer automorphism. The main dierence is that usually the full 2 , and that in the cases where it was only J2 , there would automorphism group is J be another orbit of that length that would give an isomorphic design, and which, if the two orbits were joined, would give a design of double the block size and

210

2 . A similar conclusion held if some union of orbits was automorphism group J taken as a base block.

Table 3. Maximal subgroups of J2

  No.     Order   Index   Structure
  Max[1]  6048    100     PSU(3,3)
  Max[2]  2160    280     3.PGL(2,9)
  Max[3]  1920    315     2^{1+4}:A5
  Max[4]  1152    525     2^{2+4}:(3 × S3)
  Max[5]  720     840     A4 × A5
  Max[6]  600     1008    A5 × D10
  Max[7]  336     1800    PSL(2,7):2
  Max[8]  300     2016    5^2:D12
  Max[9]  60      10080   A5

From these eight primitive representations, we obtained in all 51 non-isomorphic symmetric designs on which J2 acts primitively. Table 4 gives the same information for J2 that Table 2 gives for J1. The automorphism group of the design in each case was J2 or J̄2. Where J2 was the full group, there is another copy of the design for another orbit of the same length. This occurred in the following cases: degree 315, orbit length 32; degree 1008, orbit lengths 60, 100 and 150; degree 1800, orbit lengths 42, 42, 84 and 168; degree 2016, orbit lengths 50, 75, 75, 150, 150, and 300. We note again that the p-ranks of the designs and their hulls gave an initial indication of possible isomorphisms and clear non-isomorphisms, so that only the few mentioned needed to be tested. This reduced the computations tremendously. We also found three strongly regular graphs (all of which are known: see Brouwer [6]): that of degree 100 from the rank-3 action, of course, and two more of degree 280 from the orbits of length 135 and 36, giving strongly regular graphs with parameters (280,135,70,60) and (280,36,8,4) respectively. The full automorphism group is J̄2 in each case. We have not checked all the other representations but note that this is the only one with point stabilizer having exactly four orbits. Note that Bagchi [3] found a strongly regular graph with J2 acting.

Table 4. Orbits of a point stabilizer in the first eight primitive representations of J2 (number of orbits of each length in parentheses)

  Degree   #     lengths > 1
  100      3     63, 36
  280      4     135, 108, 36
  315      6     160, 80, 32(2), 10
  525      6     192(2), 96, 32, 12
  840      7     360, 240, 180, 24, 20, 15
  1008     11    300, 150(2), 100(2), 60(2), 50, 25, 12
  1800     18    336, 168(6), 84(3), 42(3), 28, 21, 14(2)
  2016     18    300(2), 150(6), 75(5), 50(2), 25, 15


In each of the following we consider the primitive action of J2 on a design formed as described in Method 1 from an orbit or a union of orbits, and the codes are the codes of the associated 1-design.

1. For J2 of degree 100, J̄2 is the full automorphism group of the design with parameters 1-(100, 36, 36), and it is the automorphism group of the self-orthogonal doubly-even [100, 36, 16]_2 binary code of this design.

2. For J2 of degree 280, J̄2 is the full automorphism group of the design with parameters 1-(280, 108, 108), and it is the automorphism group of the self-orthogonal doubly-even [280, 14, 108]_2 binary code of this design. The weight distribution of this code is

<0, 1>, <108, 280>, <128, 1575>, <136, 2520>, <140, 7632>, <144, 2520>, <152, 1575>, <172, 280>, <280, 1>

Thus the words of minimum weight (i.e. 108) are the incidence vectors of the blocks of the design.

3. For J2 of degree 315, J̄2 is the full automorphism group of the design with parameters 1-(315, 64, 64) (obtained by taking the union of the two orbits of length 32), and it is the automorphism group of the self-orthogonal doubly-even [315, 28, 64]_2 binary code of this design. The weight distribution of the code is as follows:

<0, 1>,<64, 315>,<96, 6300>,<104, 25200>,<112, 53280>, <120, 242760>,<124, 201600>,<128, 875700>,<132, 1733760>, <136, 4158000>,<140, 5973120>,<144, 12626880>,<148, 24232320>, <152, 35151480>,<156, 44392320>,<160, 53040582>, <164, 41731200>,<168, 28065120>,<172, 13023360>,<176, 2129400>, <180, 685440>,<184, 75600>,<192, 10710>,<200, 1008>

Thus the words of minimum weight (i.e. 64) are the incidence vectors of the blocks of the design. Furthermore, the designs from the two orbits of length 32 in this case, i.e. 1-(315, 32, 32) designs, each have J2 as their automorphism group. Their binary codes are equal, and are [315, 188]_2 codes, with hull the 28-dimensional code described above. The automorphism group of this 188-dimensional code is again J̄2. The minimum weight is at most 32. This is also the binary code of the design from the orbit of length 160.

4. For J2 of degree 315, J̄2 is the full automorphism group of the design with parameters 1-(315, 160, 160), and it is the automorphism group of the [315, 265]_5 5-ary code of this design. This code is also the 5-ary code of the design obtained from the orbit of length 10, and from that of the orbit of length 80, so we can deduce that the minimum weight is at most 10. The hull is a [315, 15, 155]_5 code, again with J̄2 as full automorphism group.

5. For J2 of degree 315, J̄2 is the full automorphism group of the design with parameters 1-(315, 80, 80) from the orbit of length 80, and it is the automorphism group of the self-orthogonal doubly-even [315, 36, 80]_2 binary code of this design. The minimum words of this code are precisely the 315 incidence vectors of the blocks of the design.

In [19] we used the construction described in Method 1 to obtain all irreducible modules of J1 (as codes) over the prime fields F_2, F_3, F_5. We also showed that most of those of J2 can be represented in this way as the code, the dual code or the hull of the code of a design, or of codimension 1 in one of these. For J2, if no such code was found for a particular irreducible module, then we checked that it could not be so represented for the relevant degrees of the primitive permutation representations up to and including 1008. In summary, we obtained:

Proposition 10 Using the construction described in Method 1 above (see Theorem 5 and Lemma 6), taking unions of orbits, the following constructions of the irreducible modules of the Janko groups J1 and J2 as the code, the dual code or the hull of the code of a design, or of codimension 1 in one of these, over F_p where p = 2, 3, 5, were found to be possible:
1. J1: all the seven irreducible modules for p = 2, 3, 5;
2. J2: all for p = 2 apart from dimensions 12, 128; all for p = 3 apart from dimensions 26, 42, 114, 378; all for p = 5 apart from dimensions 21, 70, 189, 300. For these exclusions, none exist of degree 1008.

Note: 1. We do not claim that we have all the constructions of the modular representations as codes; we were seeking mainly existence.

We give below three self-orthogonal binary codes of dimension 20 invariant under J1 of lengths 1045, 1463, and 1540. These are irreducible by [16] or Magma data. In all cases the Magma simgps library is used for J1 and J2.

1. J1 of Degree 1045: [1045, 20, 456]_2 code; dual code: [1045, 1025, 4]_2

// Orbit lengths of stabilizer of a point:
[ 1, 8, 28, 56, 56, 56, 168, 168, 168, 168, 168 ];
// Orbits chosen: ##1,3,5,10,11
// Defining block is the union of these, length 421
1-(1045, 421, 421) Design with 1045 blocks
// C is the code of the design, of dimension 21
// The 20-dimensional code is Ch := C meet Dual(C) = Hull(C)
> WeightDistribution(Ch);
[ <0, 1>, <456, 3080>, <488, 29260>, <496, 87780>, <504, 87780>, <512, 36575>, <520, 299706>, <528, 234080>, <536, 175560>, <544, 58520>, <552, 14630>, <560, 19019>, <608, 1540>, <624, 1045> ]

Those of weight 456, 504, 544, 552, 624, 608 are single orbits; the others split.

> WeightDistribution(C);
[ <0, 1>, <421, 1045>, <437, 1540>, <456, 3080>, <485, 19019>, <488, 29260>, <493, 14630>, <496, 87780>, <501, 58520>, <504, 87780>, <509, 175560>, <512, 36575>, <517, 234080>, <520, 299706>, <525, 299706>, <528, 234080>, <533, 36575>, <536, 175560>, <541, 87780>, <544, 58520>, <549, 87780>, <552, 14630>, <557, 29260>, <560, 19019>, <589, 3080>, <608, 1540>, <624, 1045>, <1045, 1> ]

2. J1 of Degree 1463: [1463, 20, 608]_2 code; dual code: [1463, 1443, 3]_2


// Orbit lengths of stabilizer of a point:
[ 1, 12, 15, 15, 20, 20, 60, 60, 60, 60, 60, 60, 60, 60, 60, 120, 120, 120, 120, 120, 120, 120 ]
// Orbits chosen: ##18,21
// Defining block is the union of these, of length 240
1-(1463, 240, 240) Design with 1463 blocks
// C is the code of the design, of dimension 492
// The 20-dimensional code is Ch := C meet Dual(C) = Hull(C)
WD(Ch);
[ <0, 1>, <608, 1540>, <632, 2926>, <640, 7315>, <688, 29260>, <696, 29260>, <712, 87780>, <720, 89243>, <728, 311410>, <736, 87780>, <744, 175560>, <752, 222376>, <760, 3080>, <784, 1045> ]

3. J1 of Degree 1540: [1540, 20, 640]_2 code; dual code: [1540, 1520, 4]_2

// Orbit lengths of stabilizer of a point:
[ 1, 19, 38, 38, 38, 38, 57, 57, 57, 57, 57, 57, 114, 114, 114, 114, 114, 114, 114, 114, 114 ]
// Orbits chosen: ##7,13
// Defining block is the union of these, length 171
1-(1540, 171, 171) Design with 1540 blocks
// C is the code of the design, of dimension 592
// The code of dimension 20 is Ch := C meet Dual(C)
WD(Ch);
[ <0, 1>, <640, 1463>, <728, 33440>, <736, 58520>, <760, 311696>, <768, 358435>, <792, 175560>, <800, 105336>, <856, 3080>, <896, 1045> ]

We now look at the smallest representations for J2. We have not been able to find any of dimension 12, and none can exist for degree 1008, as we have verified computationally by examining the permutation modules. We give below four representations of J2 acting on self-orthogonal binary codes of small degree that are irreducible or indecomposable codes over J2. The full automorphism group of each of these codes is J̄2.

1. J2 of Degree 100, dimension 36: [100, 36, 16]_2 code; dual code: [100, 64, 8]_2

// Orbit lengths of stabilizer of a point: [1, 36, 63]
// Orbit #2 gave a block of the design
1-(100, 36, 36) Design with 100 blocks
[ <0, 1>, <16, 1575>, <24, 105000>, <28, 1213400>, <32, 29115450>, <36, 429677200>, <40, 2994639480>, <44, 10672216200>, <48, 20240374350>, <52, 20217640800>, <56, 10675819800>, <60, 3004193640>, <64, 422248725>, <68, 30819600>, <72, 1398600>, <76, 12600>, <80, 315> ]

This code C = C36 of dimension 36 is irreducible, by Magma. The dual code C64 = C^⊥ has an invariant subcode C63 of dimension 63 that is spanned by the weight-8 vectors and that contains j and C36. All these codes are indecomposable, by Magma. The full automorphism group of this code is J̄2.

2. J2 of Degree 280, dimension 13: [280, 13, 128]_2 code; dual code: [280, 267, 4]_2

// Orbit lengths of stabilizer of a point: [1, 36, 108, 135]
// Orbit #3 gave a block of the design
1-(280, 108, 108) Design with 280 blocks
// Weight distribution of its 14-dimensional binary code
[ <0, 1>, <108, 280>, <128, 1575>, <136, 2520>, <140, 7632>, <144, 2520>, <152, 1575>, <172, 280>, <280, 1> ]
Dual code: [280, 266, 4]
// Weight distribution of the reducible but indecomposable 13-dimensional code
[ <0, 1>, <128, 1575>, <136, 2520>, <144, 2520>, <152, 1575>, <280, 1> ]

This code has the invariant subcode of dimension 1 generated by the all-one vector, so it is reducible. However, we checked the orbits of all the other words and found that there are no other invariant subcodes. It is thus indecomposable. The full automorphism group of these codes is J̄2.

3. J2 of Degree 315, dimension 28: [315, 28, 64]_2 code; dual code: [315, 287, 3]_2

// Orbit lengths of stabilizer of a point: [ 1, 10, 32, 32, 80, 160 ]
// Orbits ## 3 and 4 chosen
1-(315, 64, 64) Design with 315 blocks
// Weight distribution of its 28-dimensional binary code
[ <0, 1>, <64, 315>, <96, 6300>, <104, 25200>, <112, 53280>, <120, 242760>, <124, 201600>, <128, 875700>, <132, 1733760>, <136, 4158000>, <140, 5973120>, <144, 12626880>, <148, 24232320>, <152, 35151480>, <156, 44392320>, <160, 53040582>, <164, 41731200>, <168, 28065120>, <172, 13023360>, <176, 2129400>, <180, 685440>, <184, 75600>, <192, 10710>, <200, 1008> ]

The code is an irreducible module over J2, by Magma. The full automorphism group of this code is J̄2.

4. J2 of Degree 315, dimension 36: [315, 36, 80]_2 code; dual code: [315, 279, 5]_2

// Orbit lengths of stabilizer of a point: [ 1, 10, 32, 32, 80, 160 ]
// chose the orbit of length 80
1-(315, 80, 80) Design with 315 blocks
Dim(C) = 36, dim hull = 36
// Weight distribution of the 36-dimensional code
[ <0, 1>, <80, 315>, <84, 1800>, <96, 9450>, <100, 50400>, <108, 126000>, <112, 84150>, <116, 466200>, <120, 4798920>, <124, 10987200>, <128, 54432000>, <132, 180736920>, <136, 606475800>, <140, 1792977480>, <144, 3988438335>, <148, 6923044800>, <152, 10151396640>, <156, 12278475300>, <160, 11844516600>, <164, 9314451720>, <168, 6136980600>, <172, 3360636720>, <176, 1436425200>, <180, 459183200>, <184, 132924960>, <188, 32715900>, <192, 7006125>, <196, 1800000>, <200, 126000>, <204, 113400>, <208, 75600>, <216, 12600>, <220, 6300>, <252, 100> ]

The code is an irreducible module over J2, by Magma. The full automorphism group of this code is J̄2.

For F one of the fields F_p for p = 2, 3, 5 and n the degree of the permutation representation, in [19] we demonstrated some cases where the full space F^n can be completely decomposed into G-modules, where G = J1, J2, using codes obtained by our construction. In all cases Cm denotes an indecomposable linear code of dimension m over the relevant field and group. If the codes were irreducible they were obtained according to our method and were listed in [19]. For example, for J1 of degree 1045 over F_2, the full space can be completely decomposed into J1-modules, that is:

  F_2^{1045} = C76 ⊕ C112 ⊕ C360 ⊕ C496 ⊕ F_2 j,

where all but C496 are irreducible. C496 has composition factors of dimensions 20, 112, 1, 76, 20, 1, 112, 20, 1, 1, 112, 20. Also

  S = Socle(F_2^{1045}) = F_2 j ⊕ C20 ⊕ C76 ⊕ C112 ⊕ C360,

with dim(S) = 569.

For J2 of degree 315 over F_2 we have:

  F_2^{315} = C160 ⊕ C154 ⊕ F_2 j,

where C160 is irreducible and C154 ⊕ F_2 j = C160^⊥ is the binary code of the 1-(315, 33, 33) design from orbits #1 and #4. (Note that F_2^{100} and F_2^{280} are indecomposable as J2-modules.)

For J2 of degree 100 over F_3 we have:

  F_3^{100} = C36 ⊕ C63 ⊕ F_3 j.

For J2 of degree 280 over F_3 we have:

  F_3^{280} = C63 ⊕ C216 ⊕ F_3 j,

where C216 is the code of the 1-(280, 135, 135) design obtained from the orbit #4.

For J2 of degree 525 over F_5 we have:

  F_5^{525} = C175 ⊕ C100 ⊕ C250,

where C175 is irreducible and C100 is the dual of the code C of the 1-(525, 140, 140) design obtained from the orbits #2, #3, #4, and C250 = C ∩ C175^⊥.


4.1.2. The Conway group Co2

The Leech lattice is a certain 24-dimensional Z-submodule of the Euclidean space R^24 whose automorphism group is the double cover 2.Co1 of the Conway group Co1. The Conway groups Co2 and Co3 are stabilizers of sublattices of the Leech lattice. The subgroup structure of Co2 is discussed in Wilson [36] and [35] using the following information. The group Co2 admits a 23-dimensional indecomposable representation over GF(2) obtained from the 24-dimensional Leech lattice by reducing modulo 2 and factoring out a fixed vector. The action of Co2 on the vectors of this 23-dimensional indecomposable GF(2)-module (say M) produces eight orbits, with stabilizers isomorphic to Co2, U6(2):2, 2^10:M22:2, McL, HS:2, U4(3).D8, 2^{1+8}_+:S8 and M23, respectively. The 23-dimensional indecomposable GF(2)-module M contains an irreducible GF(2)-submodule N of dimension 22. We use TABLE III(a) given by Wilson in [35] to produce Table 5, which gives the orbit lengths and stabilizers for the actions of Co2 on M and N respectively.

[Table 5: orbit lengths and stabilizers for the actions of Co2 on M and N. Only fragments survived extraction: the M-stabilizer column reads Co2, U6(2):2, McL, 2^10:M22:2, HS:2, U4(3).D8, M23, 2^{1+8}_+:S8, and the one orbit length still legible is 2049300; the remaining entries are not recoverable.]

On the other hand, reduction modulo 2 of the 23-dimensional ordinary irreducible representation results in a decomposable 23-dimensional GF(2)-representation. In [36] Wilson showed that Co2 has exactly eleven conjugacy classes of maximal subgroups. One of these subgroups is the group U6(2):2 of index 2300. In Proposition 11, using this maximal subgroup, we construct the decomposable 23-dimensional GF(2)-representation as the binary code C892 of dimension 23 invariant under the action of Co2. The action of Co2 on C892 produces 12 orbits with stabilizers isomorphic to Co2 (2 copies), U6(2):2 (2 copies), 2^10:M22:2 (2 copies), HS:2 (2 copies), U4(3).D8 (2 copies) and 2^{1+8}_+:S8 (2 copies) respectively. Furthermore, C892 contains a binary code C1408 of dimension 22 invariant and irreducible under the action of Co2. Notice that the 2-modular character table of Co2 is completely known (see [31]) and it follows from it that the irreducible 22-dimensional GF(2)-representation is unique and that 22 is the smallest dimension for any non-trivial irreducible GF(2)-module. Here we examine some designs Di and associated binary codes Ci constructed from a primitive permutation representation of degree 2300 of the sporadic simple group Co2. For the full details the reader is encouraged to see [27].


We used Method 1 and constructed self-dual symmetric 1-designs Di and binary codes Ci, where i is an element of the set {891, 892, 1408, 1409, 2299}, from the rank-3 primitive permutation representation of degree 2300 of the sporadic simple group Co2 of Conway. The stabilizer of a point in this representation is a maximal subgroup isomorphic to U6(2):2, producing orbits {∞}, Δ1, Δ2 of lengths 1, 891 and 1408 respectively. The self-dual symmetric 1-designs Di are constructed from the sets Δ1, {∞} ∪ Δ1, Δ2, {∞} ∪ Δ2, and Δ1 ∪ Δ2, respectively. We let Ω = {∞} ∪ Δ1 ∪ Δ2. We proved the following result:

Proposition 11 Let G be the Conway group Co2 and let Di and Ci, where i is in the set {891, 892, 1408, 1409, 2299}, be the designs and binary codes constructed from the primitive rank-3 permutation action of G on the cosets of U6(2):2. Then the following holds:
(i) Aut(D891) = Aut(D892) = Aut(D1408) = Aut(D1409) = Aut(C892) = Aut(C1408) = Co2.
(ii) dim(C892) = 23, dim(C1408) = 22, C1408 ⊂ C892 and Co2 acts irreducibly on C1408.
(iii) C891 = C1409 = C2299 = V2300(GF(2)).
(iv) Aut(D2299) = Aut(C891) = Aut(C1409) = Aut(C2299) = S2300.

The proof of the proposition follows from a series of lemmas. In fact we showed that the codes C892 and C1408 are of types [2300, 23, 892]_2 and [2300, 22, 1024]_2 respectively. Furthermore C892 = ⟨C1408, j⟩ = C1408 ∪ {w + j : w ∈ C1408} = C1408 ⊕ ⟨j⟩, where j denotes the all-one vector. Let Wl denote the set of all codewords of C892 of weight l and let Al be the size of Wl. Then clearly Wl + {j} = W_{2300−l} ⊆ C892 and |Wl| = Al = |W_{2300−l}| = A_{2300−l}. We found the weight distribution of C892 and then the weight distribution of C1408 follows. We also determined the structures of the stabilizers (Co2)_{wl}, for all nonzero weights l, where wl ∈ C1408 is a codeword of weight l. The structures of the stabilizers (Co2)_{wl} for C892 follow clearly from those of C1408.

We also showed that the code C1408 is the 22-dimensional irreducible representation of Co2 over GF(2) contained in the 23-dimensional decomposable C892. It is also contained in the 23-dimensional indecomposable representation of Co2 over GF(2) discussed in ATLAS [5] and Wilson [35]. We should also mention that computation with Magma shows that the codes over some other primes, in particular p = 3, are of some interest. In a separate paper we plan to deal with the ternary codes invariant under Co2 [30].


5. Method 2: Construction of 1-Designs and Codes from Maximal Subgroups and Conjugacy Classes of Elements

In this section we assume G is a finite simple group, M is a maximal subgroup of G, nX is a conjugacy class of elements of order n in G and g ∈ nX. Thus Cg = [g] = nX and |nX| = |G : CG(g)|. As in Section 3 let χM = χ(G|M) be the permutation character afforded by the action of G on Ω, the set of all conjugates of M in G. Clearly if g is not conjugate to any element in M, then χM(g) = 0. The construction of our 1-designs is based on the following theorem.

Theorem 12 Let G be a finite simple group, M a maximal subgroup of G and nX a conjugacy class of elements of order n in G such that M ∩ nX ≠ ∅. Let ℬ = {(M ∩ nX)^y | y ∈ G} and 𝒫 = nX. Then we have a 1-(|nX|, |M ∩ nX|, χM(g)) design D, where g ∈ nX. The group G acts as an automorphism group on D, primitive on blocks and transitive (not necessarily primitive) on points of D.

Proof: First note that ℬ = {M^y ∩ nX | y ∈ G}. We claim that M^y ∩ nX = M ∩ nX if and only if y ∈ M or nX = {1G}. Clearly if y ∈ M or nX = {1G}, then M^y ∩ nX = M ∩ nX. Conversely suppose there exists y ∉ M such that M^y ∩ nX = M ∩ nX. Then maximality of M in G implies that G = ⟨M, y⟩ and hence M^z ∩ nX = M ∩ nX for all z ∈ G. We can deduce that nX ⊆ M and hence ⟨nX⟩ ⊆ M. Since ⟨nX⟩ is a normal subgroup of G and G is simple, we must have ⟨nX⟩ = {1G}. Note that maximality of M and the fact ⟨nX⟩ ⊆ M exclude the case ⟨nX⟩ = G. From the above we deduce that b = |ℬ| = |Ω| = [G : M]. If B ∈ ℬ, then

  k = |B| = |M ∩ nX| = Σ_{i=1}^{k} |[x_i]_M| = |M| Σ_{i=1}^{k} 1/|C_M(x_i)|,

where x1, x2, ..., xk are the representatives of the conjugacy classes of M that fuse to g. Let v = |𝒫| = |nX| = [G : CG(g)]. Form the design D = (𝒫, ℬ, I), with point set 𝒫, block set ℬ and incidence I given by x I B if and only if x ∈ B. Since the number of blocks containing an element x in 𝒫 is λ = χM(x) = χM(g), we have produced a 1-(v, k, λ) design D, where v = |nX|, k = |M ∩ nX| and λ = χM(g). The action of G on blocks arises from the action of G on Ω and hence the maximality of M in G implies the primitivity. The action of G on nX, that is on points, is equivalent to the action of G on the cosets of CG(g). So the action on points is primitive if and only if CG(g) is a maximal subgroup of G.


Also note that D̄, the complement of D, is a 1-(v, v − k, λ̄) design, where λ̄ = λ(v − k)/k.

Remark 5 If λ = 1, then D is a 1-(|nX|, k, 1) design. Since nX is the disjoint union of b blocks each of size k, we have Aut(D) = S_k ≀ S_b = (S_k)^b : S_b. Clearly in this case for all p, we have C = C_p(D) = [|nX|, b, k]_p, with Aut(C) = Aut(D).

Remark 6 The designs D constructed by using Theorem 12 are not symmetric in general. In fact D is symmetric if and only if b = |ℬ| = v = |𝒫| ⟺ [G : M] = |nX| ⟺ [G : M] = [G : CG(g)] ⟺ |M| = |CG(g)|.

5.1. Some 1-designs and Codes from A7

A7 has five conjugacy classes of maximal subgroups, which are listed in Table 6. It also has 9 conjugacy classes of elements, some of which are listed in Table 7.

Table 6. Maximal subgroups of A7

  No.     Structure    Index   Order
  Max[1]  A6           7       360
  Max[2]  PSL2(7)      15      168
  Max[3]  PSL2(7)      15      168
  Max[4]  S5           21      120
  Max[5]  (A4 × 3):2   35      72

We apply Theorem 12 to the above maximal subgroups and a few conjugacy classes of elements of A7 to construct several non-symmetric 1-designs. The corresponding binary codes are also constructed.

Table 7. Some conjugacy classes of A7

  nX   |nX|   CG(g)                    Maximal centralizer
  2A   105    D8:3                     No
  3A   70     (2^2 × 3):3 ≅ A4 × 3     No
  3B   280    3 × 3                    No


5.1.1. G = A7, M = A6 and nX = 3A

Let G = A7, M = A6 and nX = 3A. Then b = [G : M] = 7, v = |3A| = 70, k = |M ∩ 3A| = 40. Also using the character table of A7, we have χM = χ1 + χ2 = 1a + 6a and hence χM(g) = 1 + 3 = 4 = λ, where g ∈ 3A. We produce a non-symmetric 1-(70, 40, 4) design D. A7 acts primitively on the 7 blocks. Since CA7(g) = A4 × 3 is not maximal in A7 (it sits in the maximal subgroup (A4 × 3):2 with index two), A7 acts imprimitively on the 70 points. The complement of D, D̄, is a 1-(70, 30, 3) design. Computations with MAGMA [4] show that the full automorphism group of D is Aut(D) = 2^35:S7 = 2^5 ≀ S7, with |Aut(D)| = 2^39·3^2·5·7.

Construction using MAGMA shows that the binary code C of this design is a [70, 6, 32]_2 code. The code C is self-orthogonal with the weight distribution ⟨0, 1⟩, ⟨32, 35⟩, ⟨40, 28⟩. Our group A7 acts irreducibly on C. If Wi denotes the set of all words in C of weight i, then C = ⟨W32⟩ = ⟨W40⟩, so C is generated by its minimum-weight codewords. The full automorphism group of C is Aut(C) = 2^35:S8 with |Aut(C)| = 2^42·3^2·5·7, and we note that Aut(C) ⊇ Aut(D) and that Aut(D) is not a normal subgroup of Aut(C). Furthermore C^⊥ is a [70, 64, 2]_2 code and its weight distribution has been determined. Since the blocks of D are of even size 40, we have that j meets evenly every vector of C and hence j ∈ C^⊥. If W̄i denotes the set of all codewords in C^⊥ of weight i, then |W̄2| = 35, |W̄3| = 840, |W̄4| = 14035 and C^⊥ = ⟨W̄3⟩, dim(⟨W̄2⟩) = 35, dim(⟨W̄4⟩) = 63. Let eij denote the 2-cycle (i, j) in S7, where {i, j} = s(w̄2) is the support of a codeword w̄2 ∈ W̄2. Then eij(w̄2) = w̄2, and ⟨eij | {i, j} = s(w̄2), w̄2 ∈ W̄2⟩ = 2^35.

Using MAGMA we can easily show that V = F_2^{70} is decomposable into indecomposable G-modules of dimension 40 and 30. We also have dim(Soc(V)) = 21 and Soc(V) = ⟨j⟩ ⊕ C ⊕ C14, where C is our 6-dimensional code and C14 is an irreducible code of dimension 14.

The structures of the stabilizers Aut(D)_{wl} and Aut(C)_{wl}, where l ∈ {32, 40}, are listed in Tables 8 and 9.

Table 8. Stabilizers in Aut(D) of codewords of C (the entry for l = 32 did not survive extraction)

  l       |Wl|   Aut(D)_{wl}
  32      35     (not recoverable)
  40(1)   7      2^35:S6
  40(2)   21     2^35:(S5:2)

Table 9. Stabilizers in Aut(C) of codewords of C (the stabilizer column did not survive extraction)

  l    |Wl|   Aut(C)_{wl}
  32   35     (not recoverable)
  40   28     (not recoverable)

5.1.2. G = A7, M = A6 and nX = 2A

Let G = A7, M = A6 and nX = 2A. Then b = [G : M] = 7, v = |2A| = 105, k = |M ∩ 2A| = 45. Also using the character table of A7, we have χM = χ1 + χ2 = 1a + 6a and hence χM(g) = 1 + 2 = 3 = λ, where g ∈ 2A. We produce a non-symmetric 1-(105, 45, 3) design D. A7 acts primitively on the 7 blocks. Since CA7(g) = D8:3 is not maximal in A7 (it sits in the maximal subgroup (A4 × 3):2 with index three), A7 acts imprimitively on the 105 points. The complement of D, D̄, is a 1-(105, 60, 4) design. The full automorphism group of D is Aut(D) = S3^35:S7 = S3^5 ≀ S7, with |Aut(D)| = 2^42·3^37·5·7.

Construction using MAGMA shows that the binary code C of this design is a [105, 7, 45]_2 code. The weight distribution of C is ⟨0, 1⟩, ⟨45, 28⟩, ⟨48, 35⟩, ⟨57, 35⟩, ⟨60, 28⟩, ⟨105, 1⟩. We also have that Hull(C) is a [105, 6, 48] code and has the following weight distribution: ⟨0, 1⟩, ⟨48, 35⟩, ⟨60, 28⟩. Note that C = Hull(C) ⊕ ⟨j⟩, and that our group A7 acts irreducibly on Hull(C). Also note that this result together with the result obtained in 5.1.1 implies that the 6-dimensional irreducible representation of A7 over GF(2) can be represented by two non-isomorphic codes, namely the [105, 6, 48]_2 and [70, 6, 32]_2 codes. We also have C = ⟨W45⟩ = ⟨W57⟩, so C is generated by its minimum-weight codewords. The full automorphism group of C is Aut(C) = Aut(D), and its structure was given above.

Using MAGMA we can easily show that V = F_2^{105} is decomposable into indecomposable G-modules of dimension 1, 14, 20 and 70 (the first three are irreducible). We also have dim(Soc(V)) = 55 and Soc(V) = ⟨j⟩ ⊕ C14 ⊕ C14 ⊕ C20 ⊕ Hull(C), where C = Hull(C) ⊕ ⟨j⟩ is our 7-dimensional code and C14 and C20 are irreducible codes of dimension 14 and 20 respectively.

5.1.3. G = A7, M = S5 and nX = 2A: 1-(105, 25, 5) Design

Let G = A7, M = S5 and nX = 2A. Then b = [G : M] = 21, v = |2A| = 105, k = |M ∩ 2A| = 25. Note that both conjugacy classes of involutions of S5 fuse to 2A. Also using the character table of A7, we have χM = χ1 + χ2 + χ5 = 1a + 6a + 14a and hence χM(g) = 1 + 2 + 2 = 5 = λ, where g ∈ 2A. We produce a non-symmetric 1-(105, 25, 5) design D. A7 acts primitively on the 21 blocks. Since CA7(g) = D8:3 is not maximal in A7 (it sits in the maximal subgroup (A4 × 3):2 with index three), A7 acts imprimitively on the 105 points. The complement of D, D̄, is a 1-(105, 80, 16) design.

5.1.4. G = A7, M = PSL2(7) and nX = 2A: 1-(105, 21, 3) Design

Let G = A7, M = PSL2(7) and nX = 2A. Then b = [G : M] = 15, v = |2A| = 105, k = |M ∩ 2A| = 21. Also using the character table of A7, we have χM = χ1 + χ6 = 1a + 14b and hence χM(g) = 1 + 2 = 3 = λ, where g ∈ 2A. We produce a non-symmetric 1-(105, 21, 3) design D. A7 acts primitively on the 15 blocks. Since CA7(g) = D8:3 is not maximal in A7 (it sits in the maximal subgroup (A4 × 3):2 with index three), A7 acts imprimitively on the 105 points. The complement of D, D̄, is a 1-(105, 84, 12) design.

5.1.5. G = A7, M = PSL2(7) and nX = 3B: 1-(280, 56, 3) Design

Let G = A7, M = PSL2(7) and nX = 3B. Then b = [G : M] = 15, v = |3B| = 280, k = |M ∩ 3B| = 56. Also using the character table of A7, we have χM = χ1 + χ6 = 1a + 14b and hence χM(g) = 1 + 2 = 3 = λ, where g ∈ 3B. We produce a non-symmetric 1-(280, 56, 3) design D. A7 acts primitively on the 15 blocks. Since CA7(g) = 3 × 3 ≅ Syl3(A7) is not maximal in A7 (it sits in the maximal subgroups A6 and (A4 × 3):2 with indices 40 and 8 respectively), A7 acts imprimitively on the 280 points. The complement of D, D̄, is a 1-(280, 224, 12) design.
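Theorem 12 carried out by brute force for the A7 cases of 5.1.1 and 5.1.2 (M = A6, nX = 3A and 2A) and, going one subsection further, for the q = 11 instance of the PSL2(q) construction (M = G_1, nX = 11A; the 1-(60, 5, 1) design and [60, 12, 5]_2 code of Proposition 13(i)). This is an added example in Python, not the paper's Magma computation: it assumes only that M is a point stabilizer of a natural action on n points, so that the conjugates of M are the n point stabilizers and M_i ∩ nX is the set of elements of nX fixing point i; the class 11A is taken to be the class of the translation x ↦ x + 1 on the projective line.

```python
"""Method 2 (Theorem 12) by brute force: points = a conjugacy class nX of G,
block i = M_i ∩ nX where M_i is the stabilizer of point i in a natural action
of G on n points (the n conjugates of the maximal subgroup M), and the binary
code spanned by the block incidence vectors.  Added example, not the paper's
Magma code; the only assumption is that M is such a point stabilizer."""
from collections import Counter
from itertools import permutations

def compose(p, q):
    """(p o q)(i) = p[q[i]]; a permutation is a tuple on {0, ..., n-1}."""
    return tuple(p[i] for i in q)

def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)

def cycle_type(p):
    seen, lengths = set(), []
    for start in range(len(p)):
        if start in seen:
            continue
        j, length = start, 0
        while j not in seen:
            seen.add(j)
            j, length = p[j], length + 1
        lengths.append(length)
    return tuple(sorted(lengths, reverse=True))

def sn_class(n, ctype):
    """All permutations of n points with the given cycle type.  For 3-cycles
    (3A) and double transpositions (2A) in S7 this is also a single A7-class."""
    return [p for p in permutations(range(n)) if cycle_type(p) == ctype]

def closure(gens):
    """Permutation group generated by gens, by breadth-first multiplication."""
    identity = tuple(range(len(gens[0])))
    group, frontier = {identity}, [identity]
    while frontier:
        new = []
        for g in frontier:
            for s in gens:
                h = compose(s, g)
                if h not in group:
                    group.add(h)
                    new.append(h)
        frontier = new
    return group

def conjugacy_class(group, g):
    return {compose(compose(h, g), inverse(h)) for h in group}

def psl2_11():
    """PSL2(11) on the projective line {0, ..., 10, INF = 11}, generated by
    t: x -> x + 1 (taken as the 11A representative) and s: x -> -1/x."""
    p = INF = 11
    t = tuple((x + 1) % p for x in range(p)) + (INF,)
    s = tuple(INF if x == 0 else -pow(x, p - 2, p) % p for x in range(p)) + (0,)
    return closure([t, s]), t

def gf2_basis(rows):
    """Row-reduce bit-vectors (ints) over GF(2); returns a basis of their span."""
    basis = {}  # leading bit -> row with that leading bit
    for r in rows:
        while r:
            lead = r.bit_length() - 1
            if lead not in basis:
                basis[lead] = r
                break
            r ^= basis[lead]
    return list(basis.values())

def weight_distribution(basis):
    """Enumerate all 2^dim codewords (fine for dim <= 12) and count weights."""
    words = [0]
    for b in basis:
        words += [w ^ b for w in words]
    return Counter(bin(w).count("1") for w in words)

def method2_design(cls, n):
    """Return v, b, k, lambda of the design on the class cls (permutations of
    n points) and dim plus weight distribution of its binary code C."""
    points = sorted(cls)
    index = {x: i for i, x in enumerate(points)}
    blocks = [[x for x in points if x[i] == i] for i in range(n)]
    sizes = {len(B) for B in blocks}
    replication = Counter(x for B in blocks for x in B)
    lambdas = {replication[x] for x in points}
    assert len(sizes) == 1 and len(lambdas) == 1, "not a 1-design"
    basis = gf2_basis([sum(1 << index[x] for x in B) for B in blocks])
    return {"v": len(points), "b": n, "k": sizes.pop(), "lambda": lambdas.pop(),
            "dim": len(basis), "wd": dict(weight_distribution(basis))}

def a7_example(ctype):
    """M = A6 = stabilizer of a point in the natural action of A7 on 7 points."""
    return method2_design(sn_class(7, ctype), 7)

def psl2_11_example():
    """M = G_1 = stabilizer of a point of the projective line (Max[1] = 11:5)."""
    group, t = psl2_11()
    cls = conjugacy_class(group, t)
    assert len(group) == 660 and len(cls) == 60
    return method2_design(cls, 12)

if __name__ == "__main__":
    print("A7, 3A:", a7_example((3, 1, 1, 1, 1)))   # 1-(70, 40, 4), [70, 6, 32]_2
    print("A7, 2A:", a7_example((2, 2, 1, 1, 1)))   # 1-(105, 45, 3), [105, 7, 45]_2
    print("PSL2(11), 11A:", psl2_11_example())    # 1-(60, 5, 1), [60, 12, 5]_2
```

The weight distributions that come out are the ones quoted in 5.1.1 and 5.1.2, and for PSL2(11) the twelve blocks partition the class, which is the λ = 1 situation of Remark 5.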


5.2. Designs and codes from PSL2(q)

The main aim of this section is to develop a general approach to G = PSL2(q), where M is the maximal subgroup that is the stabilizer of a point in the natural action of degree q + 1 on the set Ω. This is fully discussed in Subsection 5.2.1. We start this section by applying the results discussed for Method 2, particularly Theorem 12, to all maximal subgroups and conjugacy classes of elements of PSL2(11) to construct 1-designs and their corresponding binary codes. These are itemized below after Tables 10 and 11. The group PSL2(11) has order 660 = 2^2·3·5·11; it has four conjugacy classes of maximal subgroups, which are listed in Table 10. It also has eight conjugacy classes of elements, which we list in Table 11.

Table 10. Maximal subgroups of PSL2(11)

  No.     Order   Index   Structure
  Max[1]  55      12      F55 = 11:5
  Max[2]  60      11      A5
  Max[3]  60      11      A5
  Max[4]  12      55      D12

[Table 11: conjugacy classes of PSL2(11). Only the class names survived extraction: 2A, 3A, 5A, 5B, 6A, 11A, 11B; the remaining columns are not recoverable.]

Max[1] 5A: D = 1 (132, 22, 2), b = 12; C = [132, 11, 22]2 , C = [132, 121, 2]2 ; Aut(D) = Aut(C ) = 266 : S12 . 5B : As for 5A. 11A: D = 1 (60, 5, 1), b = 12; C = [60, 12, 5]2 , C = [60, 48, 2]2 ; Aut(D) = Aut(C ) = (S5 )12 : S12 . 11B : As for 11A. Max[2] 2A : D = 1 (55, 15, 3), b = 11; C = [55, 11, 15]2 , C = [55, 44, 4]2 ; Aut(D) = P SL2 (11), Aut(C ) = P SL2 (11) : 2. 3A : D = 1 (110, 20, 2), b = 11; C = [110, 10, 20]2 , C = [110, 100, 2]2 ; Aut(D) = Aut(C ) = 255 : S11 .

224

5A : D = 1 (132, 12, 1), b = 11; C = [132, 11, 12]2 , C = [132, 121, 2]2 ; Aut(D) = Aut(C ) = (S12 )11 : S11 . 5B : As for 5A. Max[3] As for Max[2]. Max[4] 2A : D = 1 (55, 7, 7), b = 55; C = [55, 35, 4]2 , C = [55, 20, 10]2 ; Aut(D) = Aut(C ) = P SL2 (11) : 2. 3A : D = 1 (110, 2, 1), b = 55; C = [110, 55, 2]2 , C = [110, 55, 2]2 ; Aut(D) = Aut(C ) = 255 : S55 . 6A : As for 3A. 5.2.1. G = P SL2 (q ) of degree q + 1, M = G1 Let G = P SL2 (q ), let M be the stabilizer of a point in the natural action of degree q + 1 on the set . Let M = G1 . Then it is well known that G acts sharply 2-transitive on and M = Fq : Fq = Fq : Zq1 , if q is even, and M = Fq : Z q1 , 2 if q is odd. Since G acts 2-transitively on , we have = 1 + where is the permutation character of the action and is an irreducible character of G of degree q . Also since the action is sharply 2-transitive, only 1G xes 3 distinct elements of . Hence for all 1G = g G we have = (g ) {0, 1, 2}. Proposition 13 For G = P SL2 (q ), let M be the stabilizer of a point in the natural action of degree q + 1 on the set . Let M = G1 . Suppose g nX G is an element xing exactly one point, and without loss of generality, assume g M . Then the replication number for the associated design is r = = 1. We also have

(i) If $q$ is odd then $|g^G| = \frac{1}{2}(q^2-1)$, $|M \cap g^G| = \frac{1}{2}(q-1)$, and $\mathcal{D}$ is a $1$-$(\frac{1}{2}(q^2-1), \frac{1}{2}(q-1), 1)$ design with $q+1$ blocks and
$$\mathrm{Aut}(\mathcal{D}) = S_{\frac{1}{2}(q-1)} \wr S_{q+1} = (S_{\frac{1}{2}(q-1)})^{q+1} : S_{q+1}.$$
For all $p$, $C = C_p(\mathcal{D}) = [\frac{1}{2}(q^2-1), q+1, \frac{1}{2}(q-1)]_p$, with $\mathrm{Aut}(C) = \mathrm{Aut}(\mathcal{D})$.

(ii) If $q$ is even then $|g^G| = q^2-1$, $|M \cap g^G| = q-1$, and $\mathcal{D}$ is a $1$-$(q^2-1, q-1, 1)$ design with $q+1$ blocks and
$$\mathrm{Aut}(\mathcal{D}) = S_{q-1} \wr S_{q+1} = (S_{q-1})^{q+1} : S_{q+1}.$$
For all $p$, $C = C_p(\mathcal{D}) = [q^2-1, q+1, q-1]_p$, with $\mathrm{Aut}(C) = \mathrm{Aut}(\mathcal{D})$.

Proof: Since $\chi(g) = 1$, we deduce that $\psi(g) = 0$. We now use the character table and conjugacy classes of $PSL_2(q)$ (for example see [12]):

(i) For $q$ odd, there are two types of conjugacy classes with $\psi(g) = 0$. In both cases we have $|C_G(g)| = q$ and hence $|nX| = |g^G| = |PSL_2(q)|/q = (q^2-1)/2$. Since $b = [G : M] = q+1$ and
$$k = \frac{\chi(g)\,|nX|}{[G : M]} = \frac{1 \cdot (q^2-1)/2}{q+1} = (q-1)/2,$$


the results follow from Remark 5.

(ii) For $q$ even, $PSL_2(q) = SL_2(q)$ and there is only one conjugacy class with $\psi(g) = 0$. A class representative is the matrix $g = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}$ with $|C_G(g)| = q$, and hence $|nX| = |g^G| = |PSL_2(q)|/q = q^2-1$. Since $b = [G : M] = q+1$ and
$$k = \frac{\chi(g)\,|nX|}{[G : M]} = \frac{1 \cdot (q^2-1)}{q+1} = q-1,$$

the results follow from Remark 5.

If we have $\lambda = r = 2$ then a graph $\Gamma$ (possibly with multiple edges) can be defined on $b$ vertices, where $b$ is the number of blocks, i.e. the index of $M$ in $G$, by stipulating that the vertices labelled by the blocks $b_i$ and $b_j$ are adjacent if $b_i$ and $b_j$ meet. Then the incidence matrix for the design is an incidence matrix for the graph. In the case where the graph is an undirected graph without multiple edges the following result from [9, Lemma] can be used.

Lemma 14 ([9]) Let $\Gamma = (V, E)$ be a regular graph with $|V| = N$, $|E| = e$ and valency $v$. Let $\mathcal{G}$ be the $1$-$(e, v, 2)$ incidence design from an incidence matrix $A$ for $\Gamma$. Then $\mathrm{Aut}(\Gamma) = \mathrm{Aut}(\mathcal{G})$.

Note: If the graph is also connected, then it is an easy induction to show that $\mathrm{rank}_p(A) \geq |V| - 1$ for all $p$, with obvious equality when $p = 2$. If in addition (as happens for some classes of graphs, see [9,24,23]) the minimum weight is the valency and the words of this weight are the scalar multiples of the rows of the incidence matrix, then we also have $\mathrm{Aut}(C_p(\mathcal{G})) = \mathrm{Aut}(\mathcal{G})$.

Proposition 15 For $G = PSL_2(q)$, let $M$ be the stabilizer of a point in the natural action of degree $q+1$ on the set $\Omega$. Let $M = G_1$. Suppose $g \in nX \subseteq G$ is an element fixing exactly two points, and without loss of generality assume $g \in M = G_1$ and that $g \in G_2$. Then the replication number for the associated design is $r = \lambda = 2$. We also have

(i) If $g$ is an involution, so that $q \equiv 1 \pmod 4$, the design $\mathcal{D}$ is a $1$-$(\frac{1}{2}q(q+1), q, 2)$ design with $q+1$ blocks and $\mathrm{Aut}(\mathcal{D}) = S_{q+1}$. Furthermore $C_2(\mathcal{D}) = [\frac{1}{2}q(q+1), q, q]_2$, $C_p(\mathcal{D}) = [\frac{1}{2}q(q+1), q+1, q]_p$ if $p$ is an odd prime, and $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = S_{q+1}$ for all $p$.

(ii) If $g$ is not an involution, the design $\mathcal{D}$ is a $1$-$(q(q+1), 2q, 2)$ design with $q+1$ blocks and $\mathrm{Aut}(\mathcal{D}) = 2^{\frac{1}{2}q(q+1)} : S_{q+1}$. Furthermore $C_2(\mathcal{D}) = [q(q+1), q, 2q]_2$, $C_p(\mathcal{D}) = [q(q+1), q+1, 2q]_p$ if $p$ is an odd prime, and $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = 2^{\frac{1}{2}q(q+1)} : S_{q+1}$ for all $p$.

Proof: A block of the design constructed will be $M \cap g^G$. Notice that from elementary considerations or using group characters we have that the only powers of $g$ that are conjugate to $g$ in $G$ are $g$ and $g^{-1}$. Since $M$ is transitive on $\Omega \setminus \{1\}$, $g^M$ and $(g^{-1})^M$ give $2q$ elements in $M \cap g^G$ if $o(g) \neq 2$, and $q$ if $o(g) = 2$.


These are all the elements in $M \cap g^G$ since $M_j$ is cyclic, so if $h_1, h_2 \in M_j$ and $h_1 = g^{x_1}$, $h_2 = g^{x_2}$ for some $x_1, x_2 \in G$, then $h_1$ is a power of $h_2$, so they can only be equal or inverses of one another.

(i) In this case by the above $k = |M \cap g^G| = q$ and hence
$$|nX| = \frac{k\,[G : M]}{\chi(g)} = \frac{q(q+1)}{2}.$$
So $\mathcal{D}$ is a $1$-$(\frac{1}{2}q(q+1), q, 2)$ design with $q+1$ blocks. An incidence matrix of the design is an incidence matrix of a graph on $q+1$ points labelled by the rows of the matrix, with the vertices corresponding to rows $r_i$ and $r_j$ being adjacent if there is a conjugate of $g$ that fixes both $i$ and $j$, giving an edge $[i, j]$. Since $G$ is 2-transitive, the graph we obtain is the complete graph $K_{q+1}$. The automorphism group of the design is the same as that of the graph (see [9]), which is $S_{q+1}$. By [23], $C_2(\mathcal{D}) = [\frac{1}{2}q(q+1), q, q]_2$ and $C_p(\mathcal{D}) = [\frac{1}{2}q(q+1), q+1, q]_p$ if $p$ is an odd prime. Further, the words of the minimum weight $q$ are the scalar multiples of the rows of the incidence matrix, so $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = S_{q+1}$ for all $p$.

(ii) If $g$ is not an involution, then $k = |M \cap g^G| = 2q$ and hence
$$|nX| = \frac{k\,[G : M]}{\chi(g)} = \frac{2q(q+1)}{2} = q(q+1).$$
So $\mathcal{D}$ is a $1$-$(q(q+1), 2q, 2)$ design with $q+1$ blocks. In the same way we define a graph from the rows of the incidence matrix, but in this case we have the complete directed graph. The automorphism group of the graph and of the design is $2^{\frac{1}{2}q(q+1)} : S_{q+1}$. Similarly to the previous case, $C_2(\mathcal{D}) = [q(q+1), q, 2q]_2$ and $C_p(\mathcal{D}) = [q(q+1), q+1, 2q]_p$ if $p$ is an odd prime. Further, the words of the minimum weight $2q$ are the scalar multiples of the rows of the incidence matrix, so $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = 2^{\frac{1}{2}q(q+1)} : S_{q+1}$ for all $p$.

We end this subsection by giving a few examples of designs and codes constructed, using Propositions 13 and 15, from $PSL_2(q)$ for $q \in \{16, 17, 19\}$, where $M$ is the stabilizer of a point in the natural action of degree $q+1$ and $g \in nX \subseteq G$ is an element fixing exactly one or two points.

Example 1 ($PSL_2(16)$)
1. $g$ is an involution having cycle type $1^1 2^8$, $r = \lambda = 1$: $\mathcal{D}$ is a $1$-$(255, 15, 1)$ design with 17 blocks. For all $p$, $C = C_p(\mathcal{D}) = [255, 17, 15]_p$, with $\mathrm{Aut}(C) = \mathrm{Aut}(\mathcal{D}) = S_{15} \wr S_{17} = (S_{15})^{17} : S_{17}$.
2. $g$ is an element of order 3 having cycle type $1^2 3^5$, $r = \lambda = 2$: $\mathcal{D}$ is a $1$-$(272, 32, 2)$ design with 17 blocks. $C_2(\mathcal{D}) = [272, 16, 32]_2$ and $C_p(\mathcal{D}) = [272, 17, 32]_p$ for odd $p$. Also for all $p$ we have $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = 2^{136} : S_{17}$.

Example 2 ($PSL_2(17)$) Note that $17 \equiv 1 \pmod 4$.


1. $g$ is an element of order 17 having cycle type $1^1 17^1$, $r = \lambda = 1$: $\mathcal{D}$ is a $1$-$(144, 8, 1)$ design with 18 blocks. For all $p$, $C = C_p(\mathcal{D}) = [144, 18, 8]_p$, with $\mathrm{Aut}(C) = \mathrm{Aut}(\mathcal{D}) = S_8 \wr S_{18} = (S_8)^{18} : S_{18}$.
2. $g$ is an involution having cycle type $1^2 2^8$, $r = \lambda = 2$: $\mathcal{D}$ is a $1$-$(153, 17, 2)$ design with 18 blocks. $C_2(\mathcal{D}) = [153, 17, 17]_2$ and $C_p(\mathcal{D}) = [153, 18, 17]_p$ for odd $p$. Also for all $p$ we have $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = S_{18}$.
3. $g$ is an element of order 4 having cycle type $1^2 4^4$, $r = \lambda = 2$: $\mathcal{D}$ is a $1$-$(306, 34, 2)$ design with 18 blocks. $C_2(\mathcal{D}) = [306, 17, 34]_2$ and $C_p(\mathcal{D}) = [306, 18, 34]_p$ for odd $p$. Also for all $p$ we have $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = 2^{153} : S_{18}$.
4. $g$ is an element of order 8 having cycle type $1^2 8^2$, $r = \lambda = 2$: $\mathcal{D}$ is a $1$-$(306, 34, 2)$ design with 18 blocks. $C_2(\mathcal{D}) = [306, 17, 34]_2$ and $C_p(\mathcal{D}) = [306, 18, 34]_p$ for odd $p$. Also for all $p$ we have $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = 2^{153} : S_{18}$.

Example 3 ($PSL_2(19)$)
1. $g$ is an element of order 19 having cycle type $1^1 19^1$, $r = \lambda = 1$: $\mathcal{D}$ is a $1$-$(180, 9, 1)$ design with 20 blocks. For all $p$, $C = C_p(\mathcal{D}) = [180, 20, 9]_p$, with $\mathrm{Aut}(C) = \mathrm{Aut}(\mathcal{D}) = S_9 \wr S_{20} = (S_9)^{20} : S_{20}$.
2. $g$ is an element of order 3 having cycle type $1^2 3^6$, $r = \lambda = 2$: $\mathcal{D}$ is a $1$-$(380, 38, 2)$ design with 20 blocks. $C_2(\mathcal{D}) = [360, 19, 38]_2$ and $C_p(\mathcal{D}) = [360, 20, 38]_p$ for odd $p$. Also for all $p$ we have $\mathrm{Aut}(C_p(\mathcal{D})) = \mathrm{Aut}(\mathcal{D}) = 2^{190} : S_{20}$.

5.3. Some 1-designs from the Janko group $J_1$

The Janko group $J_1$ of order $2^3 \cdot 3 \cdot 5 \cdot 7 \cdot 11 \cdot 19$ has seven conjugacy classes of maximal subgroups, which were listed in Table 1. It also has 15 conjugacy classes of elements, some of which are listed in Table 12.

Table 12. Some conjugacy classes of elements of $J_1$

nX   |nX|   $C_G(g)$         Maximal Centralizer
2A   1463   $2 \times A_5$   Yes
3A   5852   $D_6 \times 5$   No

We apply Theorem 12 to the maximal subgroups and a few conjugacy classes of elements of $J_1$ to construct several 1-designs.

5.3.1. $G = J_1$, $M = PSL_2(11)$ and $nX = 2A$: $1$-$(1463, 55, 10)$ Design

Let $G = J_1$, $M = PSL_2(11)$ and $nX = 2A$. Then $b = [G : M] = 266$, $v = |2A| = 1463$, $k = |M \cap 2A| = 55$. Also using the character table of $J_1$, we have
$$\chi_M = \chi_1 + \chi_2 + \chi_4 + \chi_6 = 1a + 56a + 56b + 76a + 77a$$


and hence $\chi_M(g) = 1 + 0 + 0 + 4 + 5 = 10 = \lambda$, where $g \in 2A$. We produce a non-symmetric $1$-$(1463, 55, 10)$ design $\mathcal{D}$. Since $C_G(g) = 2 \times A_5$ is also a maximal subgroup of $J_1$, $J_1$ acts primitively on blocks and points. The complement of $\mathcal{D}$, $\bar{\mathcal{D}}$, is a $1$-$(1463, 1408, 256)$ design.

5.3.2. $G = J_1$, $M = 2 \times A_5$ and $nX = 2A$: $1$-$(1463, 31, 31)$ Design

Let $G = J_1$, $M = 2 \times A_5$ and $nX = 2A$. Then $b = [G : M] = 1463$, $v = |2A| = 1463$. It is easy to see that $M = 2 \times A_5$ has three conjugacy classes of elements of order 2, namely $x_1 = z$, $x_2$ and $x_3 = z x_2$, that fuse to $2A$ with corresponding centralizer orders 120, 8 and 8. Now by using Corollary 3 we have
$$\lambda = \chi_M(g) = \sum_{i=1}^{3} \frac{|C_G(g)|}{|C_M(x_i)|} = \frac{120}{120} + \frac{120}{8} + \frac{120}{8} = 31,$$
where $g \in 2A$. Alternatively we can use the character table of $J_1$ to find that
$$\chi_M = \chi_1 + \chi_2 + \chi_3 + 2\chi_4 + 2\chi_6 + \chi_9 + \chi_{10} + \chi_{11} + 2\chi_{12} + 2\chi_{15},$$
and $\chi_M(g) = 1 + 0 + 0 + 8 + 10 + 0 + 0 + 0 + 10 + 2 = 31 = \lambda$. In this case clearly $k = |M \cap 2A| = \lambda = 31$, and we produce a symmetric $1$-$(1463, 31, 31)$ design $\mathcal{D}$. Obviously $J_1$ acts primitively on blocks and points. The complement of $\mathcal{D}$, $\bar{\mathcal{D}}$, is a $1$-$(1463, 1432, 1432)$ design.

5.3.3. $G = J_1$, $M = PSL_2(11)$ and $nX = 3A$: $1$-$(5852, 110, 5)$ Design

Let $G = J_1$, $M = PSL_2(11)$ and $nX = 3A$. Then $b = [G : M] = 266$, $v = |3A| = 5852$, $k = |M \cap 3A| = 110$. Also using the character table of $J_1$, we have $\chi_M = \chi_1 + \chi_2 + \chi_4 + \chi_6 = 1a + 56a + 56b + 76a + 77a$ and hence $\chi_M(g) = 1 + 4 + 1 - 1 = 5 = \lambda$, where $g \in 3A$. We produce a non-symmetric $1$-$(5852, 110, 5)$ design $\mathcal{D}$. Since $C_G(g) = D_6 \times 5$ is not a maximal subgroup of $J_1$, $J_1$ acts primitively on the 266 blocks but imprimitively on the 5852 points. The complement of $\mathcal{D}$, $\bar{\mathcal{D}}$, is a $1$-$(5852, 5742, 261)$ design.


5.3.4. $G = J_1$, $M = PSL_2(11)$ and $nX = 3A$: $1$-$(5852, 20, 5)$ Design

Let $G = J_1$, $M = 2 \times A_5$ and $nX = 3A$. Then $b = [G : M] = 1463$, $v = |3A| = 5852$, $k = |M \cap 3A| = 20$. It is easy to see that $M = 2 \times A_5$ has only one conjugacy class of elements of order 3, which fuses to $3A$, with the corresponding centralizer order 6. Now by using Corollary 3 we have
$$\lambda = \chi_M(g) = \frac{|C_G(g)|}{|C_M(x)|} = \frac{30}{6} = 5,$$

where $g \in 3A$. Alternatively we can use the character $\chi_M$ as in Subsection 5.3.2 to find that $\chi_M(g) = 1 + 2 + 2 + 2 - 2 + 0 + 0 + 0 + 2 - 2 = 5 = \lambda$, where $g \in 3A$. We produce a non-symmetric $1$-$(5852, 20, 5)$ design $\mathcal{D}$. Since $C_G(g) = D_6 \times 5$ is not a maximal subgroup of $J_1$, $J_1$ acts primitively on the 1463 blocks but imprimitively on the 5852 points. The complement of $\mathcal{D}$, $\bar{\mathcal{D}}$, is a $1$-$(5852, 5832, 1458)$ design.
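As an added example closing Section 5 (it is not code from the paper), the following Python script carries out the Method 2 construction of Theorem 12 for $G = PSL_2(q)$ with $q = 5$ and $q = 7$: it builds $PSL_2(q)$ as Möbius permutations of the projective line, takes the class $nX$ of an element fixing one or two points, forms the blocks $G_\omega \cap nX$ for the $q+1$ point stabilizers, and computes the parameters of $C_2(\mathcal{D})$ and $C_3(\mathcal{D})$, which can be compared with Propositions 13 and 15. Taking the first class found with the required number of fixed points, and finding the minimum weight by enumerating all codewords, are my own simplifications.

```python
"""Added example (not from the paper): Theorem 12's construction for
G = PSL_2(q) on the projective line over F_q, q an odd prime.  Points are
the elements of the class nX of an element g fixing one or two points, the
block of a point omega of the line is G_omega ∩ nX, and C_p(D) is the row
span of the incidence matrix over F_p."""
from itertools import product


def projective_line_group(q):
    """PSL_2(q) as permutations (tuples) of the points 0..q-1 and INF = q:
    [[a, b], [c, d]] in SL_2(q) acts as x -> (ax + b)/(cx + d); A and -A
    give the same permutation, so the set has |PSL_2(q)| elements."""
    INF = q

    def act(a, b, c, d, x):
        if x == INF:
            return INF if c == 0 else (a * pow(c, -1, q)) % q
        num, den = (a * x + b) % q, (c * x + d) % q
        return INF if den == 0 else (num * pow(den, -1, q)) % q

    group = set()
    for a, b, c, d in product(range(q), repeat=4):
        if (a * d - b * c) % q == 1:                     # determinant 1
            group.add(tuple(act(a, b, c, d, x) for x in range(q + 1)))
    return group


def compose(p, r):
    """Permutation x -> p[r[x]] (apply r first, then p)."""
    return tuple(p[x] for x in r)


def conjugacy_class(group, g):
    """The class g^G = {h g h^-1 : h in G}; h^-1 is the sorting permutation."""
    return {compose(compose(h, g), tuple(sorted(range(len(h)), key=h.__getitem__)))
            for h in group}


def design_from_class(nX):
    """One block per point omega of the line, namely G_omega ∩ nX (the
    elements of nX fixing omega).  Returns (v, k, r) and the b x v
    incidence matrix (rows = blocks) after checking it is a 1-design."""
    points = sorted(nX)
    rows = [[int(g[w] == w) for g in points] for w in range(len(points[0]))]
    ks = {sum(row) for row in rows}                      # block sizes
    rs = {sum(col) for col in zip(*rows)}                # replication numbers
    assert len(ks) == 1 and len(rs) == 1, "not a 1-design"
    return (len(points), ks.pop(), rs.pop()), rows


def row_reduce(rows, p):
    """Reduced basis of the row space over F_p (Gaussian elimination)."""
    m = [[x % p for x in row] for row in rows]
    rank = 0
    for col in range(len(m[0])):
        pivot = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[rank])]
        rank += 1
    return m[:rank]


def code_parameters(rows, p):
    """[n, k, d]_p of C_p(D); d is found by running through all p^k
    codewords, fine for the dimensions q and q + 1 met here."""
    basis = row_reduce(rows, p)
    n, k, d = len(rows[0]), len(basis), len(rows[0])
    for coeffs in product(range(p), repeat=k):
        if any(coeffs):
            word = [sum(c * b[j] for c, b in zip(coeffs, basis)) % p for j in range(n)]
            d = min(d, sum(1 for w in word if w))
    return n, k, d


def designs_and_codes(q):
    """For g fixing 1 point (Proposition 13) and 2 points (Proposition 15),
    keyed by that number: ((v, k, r), b, [n, k, d]_2, [n, k, d]_3), using
    the class of the first such element found."""
    G = projective_line_group(q)
    results = {}
    for g in sorted(G):
        nfix = sum(1 for x, y in enumerate(g) if x == y)
        if nfix in (1, 2) and nfix not in results:
            params, rows = design_from_class(conjugacy_class(G, g))
            results[nfix] = (params, len(rows),
                             code_parameters(rows, 2), code_parameters(rows, 3))
    return results


if __name__ == "__main__":
    for q in (5, 7):
        print(q, designs_and_codes(q))
```

For $q = 5$ the two-point case is the incidence design of $K_6$ from Proposition 15(i), and for $q = 7$ (where involutions fix no point) the class of elements of order 3 gives the doubled $K_8$ of Proposition 15(ii).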

References

[1] F. Ali, Fischer-Clifford Theory for Split and non-Split Group Extensions, PhD Thesis, University of Natal, 2001.
[2] E. F. Assmus, Jr. and J. D. Key, Designs and their Codes, Cambridge University Press, 1992 (Cambridge Tracts in Mathematics, Vol. 103, Second printing with corrections, 1993).
[3] B. Bagchi, A regular two-graph admitting the Hall-Janko-Wales group, Combinatorial mathematics and applications (Calcutta, 1988), Sankhyā, Ser. A 54 (1992), 35–45.
[4] W. Bosma and J. Cannon, Handbook of Magma Functions, Department of Mathematics, University of Sydney, November 1994.
[5] J. H. Conway, R. T. Curtis, S. P. Norton, R. A. Parker, and R. A. Wilson, An Atlas of Finite Groups, Oxford University Press, 1985.
[6] A. E. Brouwer, Strongly regular graphs, in Charles J. Colbourn and Jeffrey H. Dinitz, editors, The CRC Handbook of Combinatorial Designs, pages 667–685. CRC Press, Boca Raton, 1996. VI.5.
[7] L. Finkelstein, The maximal subgroups of Janko's simple group of order 50,232,960, J. Algebra, 30 (1974), 122–143.
[8] L. Finkelstein and A. Rudvalis, Maximal subgroups of the Hall-Janko-Wales group, J. Algebra, 24 (1977), 486–493.
[9] W. Fish, J. D. Key, and E. Mwambene, Codes from the incidence matrices and line graphs of Hamming graphs, submitted.
[10] M. S. Ganief, 2-Generations of the Sporadic Simple Groups, PhD Thesis, University of Natal, 1997.
[11] The GAP Group, GAP - Groups, Algorithms and Programming, Version 4.2, Aachen, St Andrews, 2000, (http://www-gap.dcs.st-and.ac.uk/~gap).
[12] K. E. Gehles, Ordinary characters of finite special linear groups, MSc Dissertation, University of St Andrews, 2002.
[13] W. Haemers, C. Parker, V. Pless, and V. D. Tonchev, A design and a code invariant under the simple group Co3, J. Combin. Theory, Ser. A, 62 (1993), 225–233.
[14] W. C. Huffman, Codes and groups, in V. S. Pless and W. C. Huffman, editors, Handbook of Coding Theory, pages 1345–1440, Amsterdam: Elsevier, 1998, Volume 2, Part 2, Chapter 17.
[15] I. M. Isaacs, Character Theory of Finite Groups, Academic Press, San Diego, 1976.
[16] C. Jansen, K. Lux, R. Parker, and R. Wilson, An Atlas of Brauer Characters, Oxford Scientific Publications, Clarendon Press, 1995. LMS Monographs New Series 11.
[17] J. D. Key and J. Moori, Designs, codes and graphs from the Janko groups J1 and J2, J. Combin. Math. and Combin. Comput., 40 (2002), 143–159.
[18] J. D. Key and J. Moori, Correction to: Codes, designs and graphs from the Janko groups J1 and J2 [J. Combin. Math. Combin. Comput., 40 (2002), 143–159], J. Combin. Math. Combin. Comput., 64 (2008), 153.
[19] J. D. Key and J. Moori, Some irreducible codes invariant under the Janko group, J1 or J2, submitted.
[20] J. D. Key and J. Moori, Designs and codes from maximal subgroups and conjugacy classes of finite simple groups, submitted.
[21] J. D. Key, J. Moori, and B. G. Rodrigues, On some designs and codes from primitive representations of some finite simple group, J. Combin. Math. and Combin. Comput., 45 (2003), 3–19.
[22] J. D. Key, J. Moori, and B. G. Rodrigues, Some binary codes from symplectic geometry of odd characteristic, Utilitas Mathematica, 67 (2005), 121–128.
[23] J. D. Key, J. Moori, and B. G. Rodrigues, Codes associated with triangular graphs, and permutation decoding, Int. J. Inform. and Coding Theory, to appear.
[24] J. D. Key and B. G. Rodrigues, Codes associated with lattice graphs, and permutation decoding, submitted.
[25] W. Knapp and P. Schmid, Codes with prescribed permutation group, J. Algebra, 67 (1980), 415–435.
[26] J. Moori and B. G. Rodrigues, A self-orthogonal doubly even code invariant under the McL : 2, J. Comb. Theory, Series A, 110 (2005), 53–69.
[27] J. Moori and B. G. Rodrigues, Some designs and codes invariant under the simple group Co2, J. of Algebra, 316 (2007), 649–661.
[28] J. Moori and B. G. Rodrigues, A self-orthogonal doubly-even code invariant under McL, Ars Combinatoria, 91 (2009), 321–332.
[29] J. Moori and B. G. Rodrigues, Some designs and codes invariant under the Higman-Sims group, Utilitas Mathematica, to appear.
[30] J. Moori and B. Rodrigues, Ternary codes invariant under the simple group Co2, under preparation.
[31] J. Müller and J. Rosenboom, Condensation of induced representations and an application: the 2-modular decomposition numbers of Co2, Computational methods for representations of groups and algebras (Essen, 1997), 309–321, Progr. Math., 173, Birkhäuser, Basel, 1999.
[32] J. J. Rotman, An Introduction to the Theory of Groups, volume 148 of Graduate Texts in Mathematics, Springer-Verlag, 1994.
[33] I. A. Suleiman and R. A. Wilson, The 2-modular characters of Conway's group Co2, Math. Proc. Cambridge Philos. Soc. 116 (1994), 275–283.
[34] V. D. Tonchev, Binary codes derived from the Hoffman-Singleton and Higman-Sims graphs, IEEE Trans. Info. Theory, 43 (1997), 1021–1025.
[35] R. A. Wilson, Vector stabilizers and subgroups of Leech lattice groups, J. Algebra, 127 (1989), 387–408.
[36] R. A. Wilson, The maximal subgroups of Conway's group Co2, J. Algebra, 84 (1983), 107–114.

Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-231


Designs, strongly regular graphs and codes constructed from some primitive groups

Dean CRNKOVIĆ a, Vedrana MIKULIĆ CRNKOVIĆ a and B. G. RODRIGUES b
a Department of Mathematics, University of Rijeka, Omladinska 14, 51000 Rijeka, Croatia
b School of Mathematical Sciences, University of KwaZulu-Natal, Durban 4041, South Africa

Abstract. Let $G$ be a finite group acting primitively on the sets $\Omega_1$ and $\Omega_2$. We describe a construction of 1-designs with point set $\Omega_1$ and block set $\Omega_2$, having $G$ as an automorphism group. Applying this construction method we obtain a unital $2$-$(q^3+1, q+1, 1)$ and a semi-symmetric $(q^4 - q^3 + q^2, q^2 - q, (1))$ design from the unitary group $U_3(q)$, where $q = 3, 4, 5, 7$. From the unital and the semi-symmetric design we build a projective plane $PG(2, q^2)$. Further, we describe other combinatorial structures constructed from these unitary groups and structures constructed from $U_4(2)$, $U_4(3)$ and $L_2(49)$. We also construct self-orthogonal codes obtained from the row span over $F_2$ or $F_3$ of the incidence (resp. adjacency) matrices of mostly self-orthogonal designs (resp. strongly regular graphs) defined by the action of the simple unitary groups $U_3(q)$ for $q = 3, 4, 7$ and $U_4(q)$ for $q = 2, 3$ and the linear group $L_2(49)$ on the conjugacy classes of some of their maximal subgroups. Some of the codes are optimal or near optimal for the given length and dimension.

Keywords. design, strongly regular graph, code, primitive simple group

Introduction

The study of finite groups prompts many questions about the groups and related structures. An interplay between primitive groups, combinatorial designs and graphs has been established by the by now standard construction given in [34], which was later corrected in [35]. In that paper codes are obtained from symmetric 1-designs admitting a primitive action of the group, and such that the point and the block stabilizers are conjugate. The designs obtained in this way have the automorphism group acting primitively on the points and on the blocks. In particular, codes with interesting properties on which finite simple groups act have been found in a series of subsequent papers. Recently, in [14] a generalization of the construction outlined in [34,35] was described. This new construction allows for 1-designs which are not necessarily symmetric, with stabilizers of a point and a block not necessarily conjugate, although the group acts primitively on the points and on the blocks of the design. This paper collects results on designs, graphs, and codes constructed using this generalized construction.


In fact the construction presented in this paper also generalizes the constructions of symmetric $2$-$(126, 36, 14)$, $2$-$(36, 15, 6)$ and $2$-$(144, 66, 30)$ designs from primitive representations of the groups $U_3(5) : Z_2$ (see [41]), $U_3(3)$ (see [30]) and $M_{12}$ (see [57]) respectively, and similarly those given in [24], where the author describes all symmetric 2-designs that admit a primitive action of rank 3.

An incidence structure is an ordered triple $\mathcal{D} = (\mathcal{P}, \mathcal{B}, I)$ where $\mathcal{P}$ and $\mathcal{B}$ are nonempty disjoint sets and $I \subseteq \mathcal{P} \times \mathcal{B}$. The elements of the set $\mathcal{P}$ are called points, the elements of the set $\mathcal{B}$ are called blocks and $I$ is called an incidence relation. If $|\mathcal{P}| = |\mathcal{B}|$ then the incidence structure is called symmetric. The complement of $\mathcal{D}$ is the structure $\bar{\mathcal{D}} = (\mathcal{P}, \mathcal{B}, \bar{I})$, where $\bar{I} = \mathcal{P} \times \mathcal{B} \setminus I$. The dual structure of $\mathcal{D}$ is $\mathcal{D}^t = (\mathcal{B}, \mathcal{P}, I^t)$, where $(B, P) \in I^t$ if and only if $(P, B) \in I$. Thus the transpose of an incidence matrix for $\mathcal{D}$ is an incidence matrix for $\mathcal{D}^t$, and we say that $\mathcal{D}$ is self-dual if it is isomorphic to its dual. The incidence matrix of an incidence structure is a $b \times v$ matrix $[m_{ij}]$ where $b$ and $v$ are the number of blocks and points respectively, such that $m_{ij} = 1$ if the point $P_j$ and block $x_i$ are incident, and $m_{ij} = 0$ otherwise. An isomorphism from one incidence structure to another is a bijective mapping of points to points and blocks to blocks which preserves incidence. An isomorphism from an incidence structure $\mathcal{D}$ onto itself is called an automorphism of $\mathcal{D}$. The set of all automorphisms forms a group called the full automorphism group of $\mathcal{D}$ and is denoted by $\mathrm{Aut}(\mathcal{D})$.

A $t$-$(v, k, \lambda)$ design is a finite incidence structure $(\mathcal{P}, \mathcal{B}, I)$ satisfying the following requirements:
1. $|\mathcal{P}| = v$,
2. every element of $\mathcal{B}$ is incident with exactly $k$ elements of $\mathcal{P}$,
3. every $t$ elements of $\mathcal{P}$ are incident with exactly $\lambda$ elements of $\mathcal{B}$.

A semi-symmetric $(v, k, (\lambda))$ design is a finite incidence structure with $v$ points and $v$ blocks satisfying:
1. every point (block) is incident with exactly $k$ blocks (points),
2. every pair of points (blocks) is incident with $0$ or $\lambda$ blocks (points).

A $2$-$(v, k, \lambda)$ design is called a block design. A $2$-$(v, k, \lambda)$ design is called quasi-symmetric if the number of points in the intersection of any two blocks takes only two values. A symmetric $2$-$(v, k, 1)$ design is called a projective plane.

Let $\mathcal{G} = (\mathcal{V}, \mathcal{E}, I)$ be a finite incidence structure. $\mathcal{G}$ is a graph if each element of $\mathcal{E}$ is incident with exactly two elements of $\mathcal{V}$. The elements of $\mathcal{V}$ are called vertices and the elements of $\mathcal{E}$ are called edges. Two vertices $u$ and $v$ are called adjacent or neighbors if they are incident with the same edge. The number of neighbors of a vertex $v$ is called the degree of $v$. If all the vertices of the graph $\mathcal{G}$ have the same degree $k$, then $\mathcal{G}$ is called $k$-regular. Define a square $\{0, 1\}$-matrix $A = (a_{uv})$ labeled with the vertices of $\mathcal{G}$ in such a way that $a_{uv} = 1$ if and only if the vertices $u$ and $v$ are adjacent. The matrix $A$ is called the adjacency matrix of the graph $\mathcal{G}$. A graph $\mathcal{G}$ is called a strongly regular graph with parameters $(n, k, \lambda, \mu)$, and denoted by $SRG(n, k, \lambda, \mu)$, if $\mathcal{G}$ is a $k$-regular graph with $n$ vertices and any two adjacent vertices have $\lambda$ common neighbors and any two non-adjacent vertices have $\mu$ common neighbors.


Let $x$ and $y$ ($x < y$) be the two cardinalities of block intersections in a quasi-symmetric design $\mathcal{D}$. The block graph of $\mathcal{D}$ has as vertices the blocks of $\mathcal{D}$, and two vertices are adjacent if and only if they intersect in $y$ points. The block graph of a quasi-symmetric $2$-$(v, k, \lambda)$ design is strongly regular. In a $2$-$(v, k, 1)$ design which is not a projective plane two blocks intersect in $0$ or $1$ points, therefore the block graph of this design is strongly regular (see [10]). Let $\mathcal{D}$ be a symmetric $(v, k, \lambda)$ design which possesses a symmetric incidence matrix $M$ with $1$ everywhere on the diagonal. Then the matrix $M - I$ is an adjacency matrix of a strongly regular graph $\mathcal{G}$ with parameters $(v, k-1, \lambda-2, \lambda)$ (see [10]) and $\mathrm{Aut}(\mathcal{G}) \leq \mathrm{Aut}(\mathcal{D})$.

The code $C_F$ of the design $\mathcal{D}$ over the finite field $F$ is the space spanned by the incidence vectors of the blocks over $F$. If the point set of $\mathcal{D}$ is denoted by $\mathcal{P}$ and the block set by $\mathcal{B}$, and if $Q$ is any subset of $\mathcal{P}$, then we will denote the incidence vector of $Q$ by $v^Q$. Thus $C_F = \langle v^B \mid B \in \mathcal{B} \rangle$, and is a subspace of $F^{\mathcal{P}}$, the full vector space of functions from $\mathcal{P}$ to $F$. All our codes will be linear codes, i.e. subspaces of the ambient vector space. If a code $C$ over a field of order $q$ is of length $n$, dimension $k$, and minimum weight $d$, then we write $[n, k, d]_q$ to show this information. An $[n, k, d]$ code is optimal if $d$ is the largest possible minimum weight for any $[n, k]$ code over the corresponding field. The weight enumerator of $C$ is defined as $W_C(x) = \sum_{i=0}^{n} A_i x^i$, where $A_i$ denotes the number of codewords of weight $i$ in $C$. The dual code $C^\perp$ is the orthogonal complement under the standard inner product $(\,,\,)$, i.e. $C^\perp = \{v \in F^n \mid (v, c) = 0 \text{ for all } c \in C\}$. A code $C$ is self-orthogonal if $C \subseteq C^\perp$ and self-dual if $C = C^\perp$. The hull of a design over the finite field $F$ is the code obtained by intersecting $C$ and $C^\perp$. The all-one vector will be denoted by $\mathbf{1}$, and is the constant vector of weight the length of the code. A binary code $C$ is doubly-even if all codewords of $C$ have weight divisible by four. Two linear codes of the same length and over the same field are equivalent if each can be obtained from the other by permuting the coordinate positions and multiplying each coordinate position by a non-zero field element. They are isomorphic if they can be obtained from one another by permuting the coordinate positions. An automorphism of a code is any permutation of the coordinate positions that maps codewords to codewords. For the structure of the simple groups we follow the ATLAS [12] notation.

1. The construction

The following construction of symmetric 1-designs and regular graphs was described in [34, Proposition 1], used in [35] and later corrected in [36]:

Theorem 1 Let $G$ be a finite primitive permutation group acting on the set $\Omega$ of size $n$. Further, let $\alpha \in \Omega$, and let $\Delta \neq \{\alpha\}$ be an orbit of the stabilizer $G_\alpha$ of $\alpha$. If $\mathcal{B} = \{\Delta g : g \in G\}$ and, given $\delta \in \Delta$, $\mathcal{E} = \{\{\alpha, \delta\} g : g \in G\}$,


then $\mathcal{D} = (\Omega, \mathcal{B})$ is a symmetric $1$-$(n, |\Delta|, |\Delta|)$ design. Further, if $\Delta$ is a self-paired orbit of $G_\alpha$ then $\Gamma = (\Omega, \mathcal{E})$ is a regular connected graph of valency $|\Delta|$, $\mathcal{D}$ is self-dual, and $G$ acts as an automorphism group on each of these structures, primitive on vertices of the graph, and on points and blocks of the design.

In [14] a generalization of the above construction is described; using this construction one obtains 1-designs which are not necessarily symmetric, and stabilizers of a point and a block that are not necessarily conjugate. For completeness we give the proof of this result and subsequent results. More details on these results can be found in [14].

Theorem 2 Let $G$ be a finite permutation group acting primitively on the sets $\Omega_1$ and $\Omega_2$ of size $m$ and $n$, respectively. Let $\alpha \in \Omega_1$ and $\Delta_2 = \bigcup_{i=1}^{s} \delta_i G_\alpha$, where $\delta_1, \dots, \delta_s \in \Omega_2$ are representatives of distinct $G_\alpha$-orbits. If $\Delta_2 \neq \Omega_2$ and $\mathcal{B} = \{\Delta_2 g : g \in G\}$, then $(\Omega_2, \mathcal{B})$ is a $1$-$(n, |\Delta_2|, \sum_{i=1}^{s} |\alpha G_{\delta_i}|)$ design with $m$ blocks, and $G$ acts as an automorphism group, primitive on points and blocks of the design.

Proof: It is clear that the number of points $v = n$, since the point set is $\mathcal{P} = \Omega_2$, and also that each element of $\mathcal{B}$ consists of $k = |\Delta_2|$ elements of $\Omega_2$. Since $\Delta_2$ is a $G_\alpha$-orbit, we have $G_\alpha \leq G_{\Delta_2}$, where $G_{\Delta_2}$ is the setwise stabilizer of $\Delta_2$. Since $G$ is primitive on $\Omega_1$, $G_\alpha$ is a maximal subgroup of $G$, and therefore $G_{\Delta_2} = G_\alpha$. The number of blocks is
$$b = |\Delta_2 G| = \frac{|G|}{|G_{\Delta_2}|} = \frac{|G|}{|G_\alpha|} = |\Omega_1| = m.$$
Since $G$ acts transitively on $\Omega_1$ and $\Omega_2$ the constructed structure is a 1-design, hence $bk = vr$, where each point is incident with $r$ blocks. Therefore $|\Omega_1| \cdot |\Delta_2| = |\Omega_2| \cdot r$, and consequently
$$\frac{|G|}{|G_\alpha|} \cdot \frac{|G_\alpha|}{|(G_\alpha)_\delta|} = \frac{|G|}{|G_\delta|} \cdot r.$$
It follows that
$$r = \frac{|G_\delta|}{|(G_\alpha)_\delta|} = \frac{|G_\delta|}{|(G_\delta)_\alpha|} = |\alpha G_\delta| = |\Delta_1|.$$

In the construction of the design $\mathcal{D}(G, \alpha, \delta)$ described in Theorem 2, instead of taking a single $G_\alpha$-orbit, we can take $\Delta_2$ to be any union of $G_\alpha$-orbits. In fact, this construction gives us all designs on which the group $G$ acts primitively on points and blocks:


Corollary 1 If the group $G$ acts primitively on the points and the blocks of a 1-design $\mathcal{D}$, then $\mathcal{D}$ can be obtained as described in Theorem 2, where $\Delta_2$ is a union of $G_\alpha$-orbits. The set $\Delta_1$ of blocks incident with the point $\delta$ is a union of $G_\delta$-orbits.

Proof: Let $\alpha$ be any block of the design $\mathcal{D}$. $G$ acts transitively on the block set $\mathcal{B}$ of the design $\mathcal{D}$, hence $\mathcal{B} = \alpha G$. Since $G$ acts primitively on $\mathcal{B}$, the stabilizer $G_\alpha$ is a maximal subgroup of $G$. $G_\alpha$ fixes $\alpha$, so $\alpha$ is a union of $G_\alpha$-orbits. In a similar way one concludes that $\Delta_1$ is a union of $G_\delta$-orbits.

1.1. The incidence relation

We can interpret the construction of a design from Theorem 2 in the following way: the point set is $\Omega_2 = \delta G$, and the block set is $\Omega_1 = \alpha G$; the block $\alpha g$ is incident with the set of points $\{\delta g' : g' \in G_\alpha g\}$. Let a point $\delta g \in \Omega_2$ be incident with a block $\alpha g' \in \Omega_1$. Then there exist $g'' \in G_\alpha g'$ and $g''' \in G_\delta$ such that $g = g''' g''$. Hence we have
$$G_{\delta g} \cap G_{\alpha g'} = G_{\delta g''' g''} \cap G_{\alpha g'} = G_{\delta g''} \cap G_{\alpha g'} = (G_\delta \cap G_{\alpha g' g''^{-1}})^{g''} = (G_\delta \cap G_\alpha)^{g''},$$
since $g' g''^{-1} \in G_\alpha$. In particular, if a point $\delta g \in \Omega_2$ is incident with the block $\alpha \in \Omega_1$, then $G_\alpha \cap G_{\delta g} = (G_\alpha \cap G_\delta)^{g''}$ for some $g'' \in G_\alpha$. If the set $\{G_\alpha \cap G_{\delta g} \mid g \in G\}$ contains $Orb(G_\alpha, \Omega_2)$ $G_\alpha$-conjugacy classes, where $Orb(G_\alpha, \Omega_2)$ is the number of $G_\alpha$-orbits on $\Omega_2$, then each conjugacy class corresponds to one $G_\alpha$-orbit, and the incidence relation in the design $\mathcal{D}(G, \alpha, \delta)$ can be defined as follows: the block $\alpha g$ is incident with the point $\delta g'$ if and only if $G_{\alpha g} \cap G_{\delta g'}$ is conjugate to $G_\alpha \cap G_\delta$. Similarly, if the set $\{G_\alpha \cap G_{\delta g} \mid g \in G\}$ contains $Orb(G_\alpha, \Omega_2)$ isomorphism classes, then the incidence in the design $\mathcal{D}(G, \alpha, \delta)$ can be defined as follows: the block $\alpha g$ is incident with the point $\delta g'$ if and only if $G_{\alpha g} \cap G_{\delta g'} \cong G_\alpha \cap G_\delta$.

1.2. Conjugacy classes of simple groups

Let $G$ be a simple group and $H_1$ and $H_2$ be maximal subgroups of $G$. The conjugacy class of $H_i$, $i = 1, 2$, is denoted by $ccl_G(H_i)$ and $|ccl_G(H_i)| = [G : N_G(H_i)]$. Denote the elements of $ccl_G(H_i)$, $i = 1, 2$, by $H_i^{g_1}, H_i^{g_2}, \dots, H_i^{g_{j_i}}$, $j_i = [G : N_G(H_i)]$. $G$ acts primitively on $ccl_G(H_1)$ and $ccl_G(H_2)$ by conjugation. We can construct a primitive 1-design such that: the point set of the design is $ccl_G(H_2)$, the block set is $ccl_G(H_1)$, and the block $H_1^{g_i}$ is incident with the point $H_2^{h_j}$ if and only if $H_2^{h_j} \cap H_1^{g_i} \cong G_i$, $i = 1, \dots, k$, where $\{G_1, \dots, G_k\} \subseteq \{H_2^x \cap H_1^y \mid x, y \in G\}$.


Let us denote a 1-design constructed in this way by $D(G, H_2, H_1; G_1, \dots, G_k)$. From the conjugacy class of a maximal subgroup $H$ of a simple group $G$ one can construct a regular graph in the following way: the vertex set of the graph is $ccl_G(H)$, and the vertex $H^{g_i}$ is adjacent to the vertex $H^{g_j}$ if and only if $H^{g_i} \cap H^{g_j} \cong G_i$, $i = 1, \dots, k$, where $\{G_1, \dots, G_k\} \subseteq \{H^x \cap H^y \mid x, y \in G\}$. We denote this graph $\mathcal{G}(G, H; G_1, \dots, G_k)$. $G$ acts primitively on the set of vertices of $\mathcal{G}(G, H; G_1, \dots, G_k)$.

Remark 1 Let $\varphi$ be an automorphism of a finite group $G$ and $H$, $H_1$ and $H_2$ subgroups of $G$. Then $D(G, H_2, H_1; G_1, \dots, G_k) \cong D(G, \varphi(H_2), \varphi(H_1); G_1, \dots, G_k)$ and $\mathcal{G}(G, H; G_1, \dots, G_k) \cong \mathcal{G}(G, \varphi(H); G_1, \dots, G_k)$.

Remark 2 The described construction allows us to construct 1-designs and regular graphs. In this paper we will consider only 1-designs that are 2-designs and regular graphs that are strongly regular.

2. Results

2.1. Structures constructed from the unitary groups $U_3(q)$, $q = 3, 4, 5, 7$

2.1.1. $U_3(3)$

The unitary group $U_3(3)$ is the simple group of order 6048. It possesses four maximal subgroups, up to conjugation (Table 1).

Table 1. Maximal subgroups of the group $U_3(3)$ (see [12])

No          Max. sub.                   Order   Index
$M_{1,1}$   $(E_9 : Z_3) : Z_8$         216     28
$M_{1,2}$   $L_2(7)$                    168     36
$M_{1,3}$   $(Z_4 \times Z_4) : S_3$    96      63
$M_{1,4}$   $Z_4 . S_4$                 96      63

Let $G_1$ be a group isomorphic to the unitary group $U_3(3)$ and $M_{1,2}$ be a maximal subgroup of $G_1$ isomorphic to $L_2(7)$. The conjugacy class of the subgroup $M_{1,2}$ in $G_1$ is denoted by $ccl_{G_1}(M_{1,2})$. Therefore, $|ccl_{G_1}(M_{1,2})| = |G_1 : M_{1,2}| = 36$. We denote the elements of $ccl_{G_1}(M_{1,2})$ by $M_{1,2}^{g_1}, M_{1,2}^{g_2}, \dots, M_{1,2}^{g_{36}}$. Using GAP ([43]), one can check that the intersection of any two different elements $M_{1,2}^{g_i}$ and $M_{1,2}^{g_j}$ of the set $ccl_{G_1}(M_{1,2})$ is either $D_8$ or $S_4$. One can also check that for every element $M_{1,2}^{g_i}$, $i = 1, \dots, 36$, of the set $ccl_{G_1}(M_{1,2})$, the cardinality of the set $\{M_{1,2}^{g_j} \mid M_{1,2}^{g_i} \cap M_{1,2}^{g_j} \cong S_4\}$ is 14. Let us define the sets $S_i = \{M_{1,2}^{g_j} \mid j = i \text{ or } M_{1,2}^{g_i} \cap M_{1,2}^{g_j} \cong S_4\}$, $1 \leq i \leq 36$. For every $1 \leq i, j \leq 36$, $i \neq j$, the set $S_i \cap S_j$ has exactly 6 elements.


This shows that the incidence structure $\mathcal{D}_1 = D(G_1, M_{1,2}, M_{1,2}; S_4, M_{1,2})$ is a symmetric $2$-$(36, 15, 6)$ design. The incidence matrix $M_1$ of the design $\mathcal{D}_1$ is a symmetric matrix with $1$ everywhere on the diagonal. Therefore, the design is self-dual and the matrix $M_1 - I$ is an adjacency matrix of an $SRG(36, 14, 4, 6)$. An isomorphic strongly regular graph can be constructed directly from the group $G_1$, and it can be shown that the graph constructed is isomorphic to the graph $\mathcal{G}_1 = \mathcal{G}(G_1, M_{1,2}; S_4)$. The full automorphism group of the design $\mathcal{D}_1$ and of the corresponding strongly regular graph has order 12096 and is isomorphic to $U_3(3) : Z_2 \cong \mathrm{Aut}(G_1)$. The design $\mathcal{D}_1$ is isomorphic to the design described in [13] and in [24]. In a similar way, one can construct other block designs and strongly regular graphs from the group $G_1$. In the following tables (Table 2 and Table 3) we give all the block designs and strongly regular graphs constructed from $G_1$.
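To make the recipe of Section 1.2 concrete on a group one can handle without GAP, here is an added Python example (not the authors' code) that takes $G = A_5$ with the maximal subgroups $H_1 \cong S_3$ and $H_2 \cong A_4$ (my choice, standing in for $U_3(3)$ and $L_2(7)$ above), builds the conjugacy classes of subgroups, and forms the graph $\mathcal{G}(G, H; G_1, \dots)$ and the design $D(G, H_2, H_1; G_1, \dots)$ from the intersection types, checking the strongly regular and 2-design conditions directly. It identifies the isomorphism type of an intersection by its order, which is enough for the small intersections met here.

```python
"""Added example (not from the paper): the Section 1.2 recipe on G = A_5,
taken as the even permutations of {0,..,4}, with the maximal subgroups
H_1 = S_3 and H_2 = A_4.  The isomorphism type of an intersection is read
off from its order, which suffices because every intersection met here has
order 1, 2 or 3."""
from itertools import permutations, product


def parity(p):
    return sum(p[i] > p[j] for i in range(len(p)) for j in range(i + 1, len(p))) % 2


def compose(p, r):
    """Permutation x -> p[r[x]] (apply r first, then p)."""
    return tuple(p[x] for x in r)


def inverse(p):
    return tuple(sorted(range(len(p)), key=p.__getitem__))


def generate(gens):
    """The subgroup generated by the permutations gens (closure under products)."""
    H = {tuple(range(len(gens[0])))}
    todo = list(H)
    while todo:
        h = todo.pop()
        for g in gens:
            x = compose(g, h)
            if x not in H:
                H.add(x)
                todo.append(x)
    return frozenset(H)


def conjugates(G, H):
    """The conjugacy class ccl_G(H) = {H^g : g in G}."""
    return {frozenset(compose(compose(inverse(g), h), g) for h in H) for g in G}


def graph_from_class(ccl, orders):
    """The graph G(G, H; G_1, ..., G_k): vertices are the conjugates of H, two
    of them adjacent when the order of their intersection lies in orders."""
    verts = sorted(ccl, key=sorted)
    return {u: {v for v in verts if v != u and len(u & v) in orders} for u in verts}


def srg_parameters(adj):
    """(n, k, lambda, mu) if adj is a strongly regular graph, otherwise None."""
    degrees = {len(nb) for nb in adj.values()}
    common = {True: set(), False: set()}     # common neighbours, by adjacency
    for u, v in product(adj, repeat=2):
        if u != v:
            common[v in adj[u]].add(len(adj[u] & adj[v]))
    if len(degrees) != 1 or len(common[True]) != 1 or len(common[False]) != 1:
        return None
    return len(adj), degrees.pop(), common[True].pop(), common[False].pop()


def design_from_classes(G, H2, H1, orders):
    """The design D(G, H_2, H_1; G_1, ..., G_k): points are the conjugates of
    H_2, and the block of a conjugate B of H_1 holds the points P with
    |P ∩ B| in orders.  Returns (v, b, k, lambda) if it is a 2-design."""
    points = sorted(conjugates(G, H2), key=sorted)
    blocks = [{P for P in points if len(P & B) in orders} for B in conjugates(G, H1)]
    ks = {len(B) for B in blocks}
    lams = {sum(1 for B in blocks if P in B and Q in B)
            for P, Q in product(points, repeat=2) if P != Q}
    if len(ks) != 1 or len(lams) != 1:
        return None
    return len(points), len(blocks), ks.pop(), lams.pop()


A5 = frozenset(p for p in permutations(range(5)) if parity(p) == 0)
S3 = generate([(1, 2, 0, 3, 4), (1, 0, 2, 4, 3)])   # <(0 1 2), (0 1)(3 4)>, order 6
A4 = generate([(1, 2, 0, 3, 4), (1, 0, 3, 2, 4)])   # <(0 1 2), (0 1)(2 3)>, order 12

if __name__ == "__main__":
    # The ten conjugates of S_3 are the stabilisers of the 2-subsets of
    # {0,..,4}; disjoint 2-subsets meet in Z_2, overlapping ones trivially,
    # so G(A_5, S_3; Z_2) is the Petersen graph and G(A_5, S_3; 1) its
    # complement, the triangular graph T(5).
    print(srg_parameters(graph_from_class(conjugates(A5, S3), {2})))   # (10, 3, 0, 1)
    print(srg_parameters(graph_from_class(conjugates(A5, S3), {1})))   # (10, 6, 3, 4)
    # The five conjugates of A_4 are the point stabilisers, so in
    # D(A_5, A_4, S_3; Z_3) the block of S_3 is the 2-subset it stabilises.
    print(design_from_classes(A5, A4, S3, {3}))                        # (5, 10, 2, 1)
```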

Table 2. Block designs constructed from the group $U_3(3)$

No                Structure                                                              Parameters         Aut. group
$\mathcal{D}_1$   $D(G_1, M_{1,2}, M_{1,2}; S_4, M_{1,2})$                               $2$-$(36, 15, 6)$   $U_3(3) : Z_2$
$\mathcal{D}_2$   $D(G_1, M_{1,1}, M_{1,4}; Z_3 : Z_8)$                                  $2$-$(28, 4, 1)$    $U_3(3) : Z_2$
$\mathcal{D}_3$   $D(G_1, M_{1,3}, M_{1,3}; D_{16} Y Z_4, Z_2 \times Z_2, M_{1,3})$      $2$-$(63, 31, 15)$  $L_6(2)$
$\mathcal{D}_4$   $D(G_1, M_{1,4}, M_{1,4}; Z_4, Z_4 \times Z_4, M_{1,4})$               $2$-$(63, 31, 15)$  $U_3(3) : Z_2$
$\mathcal{D}_5$   $D(G_1, M_{1,1}, M_{1,3}; Z_8)$                                        $2$-$(28, 12, 11)$  $S_6(2)$
$\mathcal{D}_6$   $D(G_1, M_{1,2}, M_{1,3}; S_3)$                                        $2$-$(36, 16, 12)$  $S_6(2)$

Table 3. Strongly regular graphs constructed from the group U3(3)

No | Structure                               | Parameters        | Aut. group
G1 | G(G1, M1,2; S4)                         | (36, 14, 4, 6)    | U3(3):Z2
G2 | G(G1, M1,3; D16 Y Z4, Z2 × Z2)          | (63, 30, 13, 15)  | S6(2)
G3 | G(G1, M1,4; Z4, Z4 × Z4)                | (63, 30, 13, 15)  | U3(3):Z2

Notes on constructed structures: The design D4 is isomorphic to the symmetric (63, 31, 15) design obtained from a generalized hexagon of order (2, 2) (see [25]). The design D3 is the point-hyperplane design in the projective geometry P G(5, 2). The design D5 is isomorphic to the derived design of the symplectic SDP design with parameters (64, 28, 12) (see [42]) and it is a quasi-symmetric SDP design. The block graph of this design is a SRG(63, 32, 16, 16) whose full automorphism group is isomorphic to S6 (2). That graph is the complement of the strongly regular graph G2 . The design D2 is quasi-symmetric and its block graph is a SRG(63, 32, 16, 16) whose full automorphism group is isomorphic to U3 (3) : Z2 . That graph is the complement of the strongly regular graph G3 . The design D6 is isomorphic to the residual design of the symplectic SDP design with parameters (64, 28, 12) (see [42]) and it is a quasi-symmetric SDP design, with block graph a SRG(63, 30, 13, 15) whose full automorphism group is isomorphic to S6 (2). That graph is isomorphic to the strongly regular graph G2 .
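The construction D(G, M1, M2; K) used throughout this section (points: one conjugacy class of subgroups, blocks: another class, incidence: the intersection of a point and a block is of the prescribed type) can be run without GAP on a toy group. The Python script below is an added example, not the paper's computation: it builds L2(7) as a permutation group on the seven points of the Fano plane (the generators, the 7-cycle i ↦ i+1 and the collineation (1 2)(3 6) of the plane with lines {i, i+1, i+3}, are this example's choice), takes M1 and M2 to be the two classes of S4 (point and line stabilizers) and K = D8, the flag stabilizer of order 8, and checks that D(G, M1, M2; D8) is the 2-(7, 3, 1) Fano plane. The same functions apply to any permutation group small enough to enumerate; the U3(3) case above needs a group of order 6048 and its maximal subgroups, which is why the paper uses GAP.

```python
# Added example: D(G, M1, M2; K) on a toy group, L2(7) acting on the 7 points
# of the Fano plane. Points = ccl(M1), blocks = ccl(M2), a point is on a block
# iff their intersection has the order of K. Not the paper's GAP computation.
from itertools import combinations


def compose(p, q):
    """Permutation product 'apply q, then p' on tuples over range(n)."""
    return tuple(p[q[i]] for i in range(len(q)))


def inverse(p):
    inv = [0] * len(p)
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)


def generate(gens):
    """Closure of a set of permutations under composition (the group they generate)."""
    ident = tuple(range(len(gens[0])))
    group, frontier = {ident}, [ident]
    while frontier:
        g = frontier.pop()
        for s in gens:
            h = compose(s, g)
            if h not in group:
                group.add(h)
                frontier.append(h)
    return frozenset(group)


def stabilizer(group, subset):
    """Setwise stabilizer of a subset of the permuted points."""
    subset = set(subset)
    return frozenset(g for g in group if {g[i] for i in subset} == subset)


def conjugacy_class(group, H):
    """ccl_G(H) = { g H g^-1 : g in G } as a sorted list of frozensets."""
    cls = {frozenset(compose(compose(g, h), inverse(g)) for h in H) for g in group}
    return sorted(cls, key=sorted)


def design(group, M1, M2, k_order):
    """Incidence matrix of D(G, M1, M2; K): rows = ccl(M1), columns = ccl(M2),
    entry 1 iff the two subgroups intersect in a subgroup of order |K|."""
    pts, blocks = conjugacy_class(group, M1), conjugacy_class(group, M2)
    return [[int(len(P & B) == k_order) for B in blocks] for P in pts]


def parameters(A):
    """(v, b, block sizes, replication numbers, pair counts) of a 0/1 matrix."""
    v, b = len(A), len(A[0])
    ks = {sum(A[i][j] for i in range(v)) for j in range(b)}
    rs = {sum(row) for row in A}
    lams = {sum(A[x][j] * A[y][j] for j in range(b)) for x, y in combinations(range(v), 2)}
    return v, b, ks, rs, lams


def fano_example():
    # L2(7) on Z_7: generated by i -> i + 1 and the collineation (1 2)(3 6) of the
    # Fano plane with lines {i, i+1, i+3}; the closure has order 168.
    t = tuple((i + 1) % 7 for i in range(7))
    s = (0, 2, 1, 6, 4, 5, 3)
    G = generate([t, s])
    M1 = stabilizer(G, {0})          # S4, the point stabilizer (index 7)
    M2 = stabilizer(G, {0, 1, 3})    # S4 of the other class, a line stabilizer
    A = design(G, M1, M2, 8)         # incident iff the intersection is D8 (order 8)
    return len(G), len(M1), len(M2), parameters(A)


if __name__ == "__main__":
    print(fano_example())   # (168, 24, 24, (7, 7, {3}, {3}, {1}))
```

A point stabilizer and a line stabilizer meet in the flag stabilizer (order 168/21 = 8) exactly when the point lies on the line, and in the antiflag stabilizer (order 6) otherwise, so the order test in `design` reproduces the incidence of the plane; the paper's "; S4, M1,2" lists in the same way the intersection types that count as incidence.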


The structure S1 = D(G1, M1,4, M1,4; Z4 × Z4) is a semi-symmetric design (63, 6, (1)) with full automorphism group isomorphic to Aut(U3(3)) = U3(3):Z2. Let M1 and M be the incidence matrices of the constructed block design D2 and of the semi-symmetric design S1, respectively, and I28 the identity matrix of order 28. Then the matrix

$$P = \begin{pmatrix} I_{28} & M_1 \\ M_1^{T} & M \end{pmatrix}$$

is the incidence matrix of the Desarguesian projective plane PG(2, 9), with full automorphism group isomorphic to the group PΓL3(9). P is a symmetric matrix; therefore the projective plane admits a unitary polarity (for the definition see e.g. [23]), and the design D2 is the Hermitian unital in PG(2, 9). The absolute points and blocks are the G1-conjugates of M1,1, and the non-absolute points and blocks are the G1-conjugates of M1,4.

2.1.2. U3(4)

Let G2 be a group isomorphic to the unitary group U3(4). Representatives of the conjugacy classes of maximal subgroups are listed in Table 4.

Table 4. Maximal subgroups of the group U3(4)

No   | Max. sub.          | Order | Index
M2,1 | (E16 : E4) : Z15   | 960   | 65
M2,2 | A5 × Z5            | 300   | 208
M2,3 | E25 : S3           | 150   | 416
M2,4 | Z13 : Z3           | 39    | 1600

Using the described method we constructed 3 block designs and 2 strongly regular graphs from the group G2 (Table 5 and Table 6).

Table 5. Block designs constructed from the group U3(4)

No | Structure                        | Parameters       | Aut. group
D7 | D(G2, M2,1, M2,2; A4 × Z5)       | 2-(65, 5, 1)     | U3(4):Z4
D8 | D(G2, M2,1, M2,3; Z10)           | 2-(65, 15, 21)   | U3(4):Z4
D9 | D(G2, M2,1, M2,4; Z3)            | 2-(65, 26, 250)  | U3(4):Z4

Table 6. Strongly regular graphs constructed from the group U3(4)

No | Structure            | Parameters          | Aut. group
G4 | G(G2, M2,2; E4)      | (208, 75, 30, 25)   | U3(4):Z4
G5 | G(G2, M2,3; S3)      | (416, 100, 36, 20)  | G2(4):Z2

The structure S2 = D(G2, M2,2, M2,2; E25) is a semi-symmetric design with parameters (208, 12, (1)) having U3(4):Z4 as full automorphism group. Let M1 and M be the incidence matrices of D7 and S2, respectively, and I65 the identity matrix of order 65. Then the matrix

$$P = \begin{pmatrix} I_{65} & M_1 \\ M_1^{T} & M \end{pmatrix}$$

is the incidence matrix of a projective plane PG(2, 16), i.e., of a symmetric (273, 17, 1) design. Since the matrix P is symmetric, the projective plane admits a unitary polarity. The absolute points and blocks are the conjugates of M2,1, and the non-absolute points and blocks are the conjugates of M2,2. The design D7 is the Hermitian unital in PG(2, 16).

Notes on constructed structures: The design D7 is resolvable (see [51]). The design D7 is quasi-symmetric, and its block graph is a strongly regular graph with parameters (208, 75, 30, 25) isomorphic to the graph G4. Each block of the design D8 is a union of three disjoint blocks of the design D7 which form a triangle in the projective plane PG(2, 16). A union of three disjoint blocks of D7 forms a block of D8 if and only if the setwise stabilizer of the union in Aut(D7) is a group of order 600 isomorphic to M2,3 : Z4. Every block of D9 intersects 78 blocks of D7 in one point, 91 blocks in two points, and the remaining 39 blocks in four points. So every block of D9 is a blocking set of the Hermitian unital D7. The group U3(4) acts transitively on the graph G5. The full automorphism group of the graph G5 is a group of order 503193600 isomorphic to G2(4):Z2. This is the full automorphism group of the exceptional group G2(4), which is the simple group of order 251596800. Since the Janko group J2 is a subgroup of G2(4), J2 acts as an automorphism group of the graph G5. The graph G5 was previously known: the Suzuki graph, a strongly regular graph with parameters (1782, 416, 100, 96), is locally G5 (see [49]). The graph G5 can also be constructed from the design D8. Any two blocks of D8 intersect in 2, 3, or 5 points. The graph which has as its vertices the blocks of D8, two vertices being adjacent if and only if the corresponding blocks intersect in 3 points, is isomorphic to G5.

2.1.3. U3(5)

Let G3 be a group isomorphic to the unitary group U3(5).
The group G3 possesses 8 maximal subgroups, up to conjugation (Table 7).

Table 7. Maximal subgroups of the group U3(5)

No   | Max. sub.          | Order | Index
M3,1 | A7                 | 2520  | 50
M3,2 | A7                 | 2520  | 50
M3,3 | A7                 | 2520  | 50
M3,4 | (E25 : Z5) : Z8    | 1000  | 126
M3,5 | A6.Z2              | 720   | 175
M3,6 | A6.Z2              | 720   | 175
M3,7 | A6.Z2              | 720   | 175
M3,8 | Z2.A5.Z2           | 240   | 525

We constructed 3 block designs and 3 strongly regular graphs from the group G3 (Table 8 and Table 9).


Table 8. Block designs constructed from the group U3(5)

No  | Structure                          | Parameters       | Aut. group
D10 | D(G3, M3,1, M3,5; A5, A6)          | 2-(50, 14, 13)   | U3(5):Z2
D11 | D(G3, M3,4, M3,8; Z5)              | 2-(126, 6, 1)    | U3(5):S3
D12 | D(G3, M3,4, M3,5; Z5 : Z4)         | 2-(126, 36, 14)  | U3(5):Z2

Table 9. Strongly regular graphs constructed from the group U3(5)

No | Structure             | Parameters          | Aut. group
G6 | G(G3, M3,1; A6)       | (50, 7, 0, 1)       | U3(5):Z2
G7 | G(G3, M3,5; D10)      | (175, 72, 20, 36)   | U3(5):Z2
G8 | G(G3, M3,8; Z5)       | (525, 144, 48, 36)  | U3(5):S3

The structure S3 = D(G3, M3,8, M3,8; Z3 : E4) is a semi-symmetric design with parameters (525, 20, (1)), and Aut(S3) = Aut(U3(5)) = U3(5):S3. Let M1 and M be the incidence matrices of D11 and S3, respectively, and I126 the identity matrix of order 126. Then the matrix

$$P = \begin{pmatrix} I_{126} & M_1 \\ M_1^{T} & M \end{pmatrix}$$

is the incidence matrix of the Desarguesian projective plane PG(2, 25), i.e., of a symmetric 2-(651, 26, 1) design. Aut(PG(2, 25)) = PΓL3(25), of order 304668000000. D11 is the Hermitian unital in PG(2, 25).

Notes on constructed structures: D11 is a block design with block intersection sizes 0 and 1, and its block graph is a strongly regular graph with parameters (525, 144, 48, 36) isomorphic to the graph G8. The design D10 is a derived design of the Higman design 2-(176, 50, 14) (see [41]) and is isomorphic to the designs D(G3, M3,1, M3,6; A5, A6) and D(G3, M3,1, M3,7; A5, A6). The design D12 is a residual design of the Higman design 2-(176, 50, 14) (see [41]) and is isomorphic to the designs D(G3, M3,4, M3,6; Z5 : Z4) and D(G3, M3,4, M3,7; Z5 : Z4). The graph G6 is the unique strongly regular graph with these parameters, i.e., the Hoffman–Singleton graph (see [8]), and is isomorphic to the graphs G(G3, M3,2; A6) and G(G3, M3,3; A6). G6 is a rank-3 graph obtainable from the representation of degree 50 of the group U3(5). The graph G7 is the graph whose vertices are the edges of the Hoffman–Singleton graph G6, two vertices being adjacent if their distance is two (see [41]); it is isomorphic to the graphs G(G3, M3,6; D10) and G(G3, M3,7; D10). The graph G7 can also be constructed from the designs D10 and D12. Any two blocks of D10 intersect in 3, 4, or 8 points. The graph which has as its vertices the blocks of D10, two vertices being adjacent if and only if the corresponding blocks intersect in three points, is isomorphic to G7. Denote this graph by G(D10, {3, 4, 8}; 3). The graph G(D12, {6, 10, 11}; 11) is also isomorphic to G7.


2.1.4. U3(7)

Let G4 be a group isomorphic to the unitary group U3(7), i.e. the simple group of order 5663616. L1 = (E49 : Z7) : Z48 and L2 = Z2.(L2(7) × Z4).Z2 are maximal subgroups of the group G4 of index 344 and 2107, respectively. One can check that $L_1^{x} \cap L_2^{y} \cong Z_7 : Z_{48}$ or $Z_8$ for all $x, y \in G_4$, and D13 = D(G4, L1, L2; Z7 : Z48) is a block design with parameters 2-(344, 8, 1) and full automorphism group isomorphic to the group Aut(G4) = U3(7):Z2. The intersection of two distinct elements of cclG4(L2) is isomorphic to Z7, Z8, or Z8 × Z8. S4 = D(U3(7), L2, L2; Z4 × Z4) is a semi-symmetric design with parameters (2107, 42, (1)). Let M1 and M be the incidence matrices of the block design D13 and of the semi-symmetric design S4, respectively, and I344 the identity matrix of order 344. Then the matrix

$$P = \begin{pmatrix} I_{344} & M_1 \\ M_1^{T} & M \end{pmatrix}$$

is the incidence matrix of the Desarguesian projective plane PG(2, 49), having PΓL3(49) as full automorphism group. The matrix P is symmetric, so the design D13 is the Hermitian unital in PG(2, 49).

2.1.5. Conjecture

We use these computations to conjecture that from any simple group of type U3(q), by defining incidence structures on the conjugacy classes of maximal subgroups, one can construct a Hermitian unital $2\text{-}(q^3 + 1,\; q + 1,\; 1)$ and a semi-symmetric design $(q^4 - q^3 + q^2,\; q^2 - q,\; (1))$ having Aut(U3(q)) as an automorphism group, and that the unital can be used to construct a Desarguesian projective plane PG(2, q²) (in the way presented in this paper).

2.2. Structures constructed from unitary groups U4(2)(U4(3)

2.2.1. U4(2)

Let G5 be a group isomorphic to the unitary group U4(2). The group G5 possesses five maximal subgroups, up to conjugation (Table 10).
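As an added illustration of the construction in Sections 2.1.1 and 2.1.5 (example code written for this edit, not part of the paper), the Python script below builds PG(2, 9) over GF(9) = GF(3)[i]/(i² + 1), applies the unitary polarity induced by the Hermitian form H(x, y) = Σ x_k y_k³, and checks that, when the absolute points (and their polar tangent lines) are listed first, the incidence matrix has exactly the block shape P = [[I28, M1], [M1^T, M]] of Section 2.1.1: M1 is the incidence matrix of a 2-(28, 4, 1) Hermitian unital and M is a structure on 63 points with 63 blocks of size 6 in which two points share at most one block, i.e. the (63, 6, (1)) pattern. It does not use the group U3(3); the identification of this unital with D2 and of the (63, 6, (1)) structure with S1 is the paper's and is not verified here.

```python
# Added example: PG(2,9) with its unitary polarity, built from the field alone.
# Unital (2-(28,4,1)) + (63,6,(1)) structure + identity block = the plane.
from itertools import product

P3 = 3  # GF(9) = GF(3)[i] / (i^2 + 1); elements are pairs (a, b) = a + b*i


def mul(x, y):
    a, b = x
    c, d = y
    return ((a * c - b * d) % P3, (a * d + b * c) % P3)


def conj(x):
    """Frobenius x -> x^3 on GF(9): (a + b i)^3 = a - b i."""
    a, b = x
    return (a, (-b) % P3)


def herm(x, y):
    """Hermitian form H(x, y) = sum_k x_k * conj(y_k); zero iff x lies on the polar of y."""
    s = (0, 0)
    for xk, yk in zip(x, y):
        p = mul(xk, conj(yk))
        s = ((s[0] + p[0]) % P3, (s[1] + p[1]) % P3)
    return s


def inverse(x):
    """Multiplicative inverse in GF(9) by search (only 9 elements)."""
    for y in product(range(P3), repeat=2):
        if mul(x, y) == (1, 0):
            return y
    raise ZeroDivisionError


def points_pg29():
    """The 91 points of PG(2,9): vectors whose first nonzero coordinate is 1."""
    elems = list(product(range(P3), repeat=2))
    pts = set()
    for v in product(elems, repeat=3):
        if any(c != (0, 0) for c in v):
            inv = inverse(next(c for c in v if c != (0, 0)))
            pts.add(tuple(mul(inv, c) for c in v))
    return sorted(pts)


def polarity_matrix():
    """Incidence matrix P: rows = points, column j = polar line of point j,
    absolute points (those on their own polar) listed first."""
    pts = points_pg29()
    absolute = [p for p in pts if herm(p, p) == (0, 0)]
    rest = [p for p in pts if herm(p, p) != (0, 0)]
    order = absolute + rest
    P = [[1 if herm(x, y) == (0, 0) else 0 for y in order] for x in order]
    return P, len(absolute)


def check_blocks(P, n_abs):
    """Return (top-left block is I, unital parameters, (63,6,(1)) parameters,
    projective-plane check for the whole of P)."""
    v = len(P)
    cols = range(n_abs, v)                       # columns of non-absolute lines
    tl_identity = all(P[i][j] == (1 if i == j else 0)
                      for i in range(n_abs) for j in range(n_abs))
    # M1: absolute points on non-absolute lines -> block size 4, pairs in 1 block
    k_unital = {sum(P[i][j] for i in range(n_abs)) for j in cols}
    lam_unital = {sum(P[i][j] * P[i2][j] for j in cols)
                  for i in range(n_abs) for i2 in range(i + 1, n_abs)}
    # M: non-absolute points on non-absolute lines -> block size 6, pairs in <= 1 block
    k_semi = {sum(P[i][j] for i in cols) for j in cols}
    lam_semi = {sum(P[i][j] * P[i2][j] for j in cols)
                for i in cols for i2 in cols if i2 > i}
    # P itself: symmetric, 10 points per line, any two lines meet in one point
    symmetric = all(P[i][j] == P[j][i] for i in range(v) for j in range(v))
    line_sizes = {sum(P[i][j] for i in range(v)) for j in range(v)}
    meets = {sum(P[i][j] * P[i][j2] for i in range(v))
             for j in range(v) for j2 in range(j + 1, v)}
    return (tl_identity, (n_abs, k_unital, lam_unital),
            (v - n_abs, k_semi, lam_semi), (symmetric, line_sizes, meets))


def run():
    P, n_abs = polarity_matrix()
    return n_abs, check_blocks(P, n_abs)


if __name__ == "__main__":
    print(run())   # (28, (True, (28, {4}, {1}), (63, {6}, {0, 1}), (True, {10}, {1})))
```

The symmetry of P is exactly the statement that H(x, y) = 0 iff H(y, x) = 0, which is what makes the map point ↦ polar line a polarity; the 2-(28, 4, 1) block comes out because a non-tangent line meets the Hermitian curve in q + 1 = 4 points, and the value 0 in the pair counts of the 63-point structure comes from pairs of non-absolute points whose joining line is a tangent.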

Table 10. Maximal subgroups of the group U4(2)

No   | Max. sub.               | Order | Index
M5,1 | E16 : A5                | 960   | 27
M5,2 | S6                      | 720   | 36
M5,3 | E27 : S4                | 648   | 40
M5,4 | (E9 : Z3) : SL2(3)      | 648   | 40
M5,5 | Z2.(A4 × A4).Z2         | 576   | 45

We give a list of all constructed structures (Table 11 and Table 12). Notes on constructed structures: The graph G9 is the unique strongly regular graph with parameters (27, 10, 1, 5).


Table 11. Block designs constructed from the group U4(2)

No  | Structure                               | Parameters      | Aut. group
D14 | D(G5, M5,2, M5,2; S3 × S3)              | 2-(36, 15, 6)   | U4(2):Z2
D15 | D(G5, M5,3, M5,3; E9 : S3, M5,3)        | 2-(40, 13, 4)   | PΓL4(3)
D16 | D(G5, M5,4, M5,4; E9 × S3, M5,4)        | 2-(40, 13, 4)   | U4(2):Z2
D17 | D(G5, M5,5, M5,5; E4 × A4)              | 2-(45, 12, 3)   | U4(2):Z2

Table 12. Strongly regular graphs constructed from the group U4(2)

No  | Structure                      | Parameters        | Aut. group
G9  | G(G5, M5,1; #96.42d1)          | (27, 10, 1, 5)    | U4(2):Z2
G10 | G(G5, M5,2; S3 × S3)           | (36, 15, 6, 6)    | U4(2):Z2
G11 | G(G5, M5,3; E9 : S3)           | (40, 12, 2, 4)    | U4(2):Z2
G12 | G(G5, M5,4; E9 × S3)           | (40, 12, 2, 4)    | U4(2):Z2
G13 | G(G5, M5,5; E4 × A4)           | (45, 12, 3, 3)    | U4(2):Z2

The incidence matrix of the design D14 is a symmetric matrix with zero diagonal. Therefore the design D14 is self-dual, and its incidence matrix is an adjacency matrix of a SRG(36, 15, 6, 6) isomorphic to the graph G10. A computer-free construction of the design D14 can be found in [30]. The incidence matrix M of the design D15 is a symmetric matrix with 1 everywhere on the diagonal. Therefore the design D15 is self-dual, and the matrix M − I is an adjacency matrix of a SRG(40, 12, 2, 4) isomorphic to the graph G11. The design D15 is isomorphic to the design described in [50] and [22]; it is the point-hyperplane design of the projective geometry PG(3, 3), which accounts for its full automorphism group in Table 11, and it can also be obtained from the point graph of a generalized quadrangle (see [28]). The incidence matrix M of the design D16 is a symmetric matrix with 1 everywhere on the diagonal. Therefore the design D16 is self-dual, and the matrix M − I is an adjacency matrix of a SRG(40, 12, 2, 4) isomorphic to the graph G12. The design D16 can also be obtained from the point graph of a generalized quadrangle. The incidence matrix of the design D17 is a symmetric matrix with zero diagonal. Therefore the design D17 is self-dual, and its incidence matrix is an adjacency matrix of a SRG(45, 12, 3, 3) isomorphic to the graph G13. The design D17 is isomorphic to the one described in [21] and [39].

2.2.2. U4(3)

Let G6 be a group isomorphic to the unitary group U4(3). The group G6 possesses 16 maximal subgroups, up to conjugation (Table 13). Strongly regular graphs constructed from the group G6 are listed in Table 14. Notes on constructed strongly regular graphs: The graphs G14, G15, G16 and G17 are rank-3 graphs constructed from the rank-3 representations of the group U4(3) of degrees 112, 126, 162 and 280, respectively.

2.3. Structures constructed from the linear group L2(49)

Let G7 be a group isomorphic to the linear group L2(49). The group G7 possesses 7 maximal subgroups, up to conjugation (Table 15).

Table 13. Maximal subgroups of the group U4(3)

No    | Max. sub.                 | Order | Index
M6,1  | E81 : A6                  | 29160 | 112
M6,2  | U4(2)                     | 25920 | 126
M6,3  | U4(2)                     | 25920 | 126
M6,4  | L3(4)                     | 20160 | 162
M6,5  | L3(4)                     | 20160 | 162
M6,6  | (Ex+243 : Q8).S3          | 11664 | 280
M6,7  | U3(3)                     | 6048  | 540
M6,8  | E16 : A6                  | 5760  | 567
M6,9  | E16 : A6                  | 5760  | 567
M6,10 | A7                        | 2520  | 1296
M6,11 | A7                        | 2520  | 1296
M6,12 | A7                        | 2520  | 1296
M6,13 | A7                        | 2520  | 1296
M6,14 | ((E8.Z12) : Z6) : Z2      | 1152  | 2835
M6,15 | A6.Z2                     | 720   | 4536
M6,16 | A6.Z2                     | 720   | 4536


Table 14. Strongly regular graphs constructed from the group U4(3)

No  | Structure                         | Parameters           | Aut. group
G14 | G(G6, M6,1; Ex+243 : Z4)          | (112, 30, 2, 10)     | U4(3):D8
G15 | G(G6, M6,2; (E8.Z12) : Z6)        | (126, 45, 12, 18)    | (U4(3):Z2):Z2
G16 | G(G6, M6,4; A6)                   | (162, 56, 10, 24)    | (U4(3):Z2):Z2
G17 | G(G6, M6,6; E81 : Z4)             | (280, 36, 8, 4)      | U4(3):D8
G18 | G(G6, M6,7; E9 : Z3)              | (540, 224, 88, 96)   | U4(3):D8

Table 15. Maximal subgroups of the group L2(49)

No   | Max. sub.     | Order | Index
M7,1 | E49 : Z24     | 1176  | 50
M7,2 | PGL2(7)       | 336   | 175
M7,3 | PGL2(7)       | 336   | 175
M7,4 | A5            | 60    | 980
M7,5 | A5            | 60    | 980
M7,6 | D50           | 50    | 1176
M7,7 | D48           | 48    | 1225

Table 16. Block designs constructed from the group L2(49)

No  | Structure                         | Parameters       | Aut. group
D18 | D(G7, M7,1, M7,2; Z7 : Z6)        | 2-(50, 8, 4)     | L2(49):Z2
D19 | D(G7, M7,1, M7,4; Z3)             | 2-(50, 20, 152)  | L2(49):Z2

The design D18 is isomorphic to the design D(G7, M7,1, M7,3; Z7 : Z6), and the design D19 is isomorphic to the design D(G7, M7,1, M7,5; Z3).

3. Codes from the designs and graphs

It is well known that combinatorial design theory and coding theory are closely related. Certain combinatorial structures have been used to construct good codes; examples of such structures include balanced incomplete block designs, symmetric designs, resolvable designs, strongly regular graphs, etc.


3.1. Some codes from the designs and graphs of the unitary groups U3(3), U3(5), U4(2) and U4(3)

For the binary codes associated with the unitary group U3(3) the reader should consult the work of Brooke in [6], and for some codes invariant under the unitary group U3(5) see [41,56]. Binary codes invariant under U4(2) have been studied in [7]. Work determining all binary codes invariant under the groups U3(4) and U3(5) is currently in progress. As an illustration of the links with codes, in this section we examine some linear codes associated with the combinatorial structures described in Sections 2.2.1, 2.2.2 and 2.3, respectively, obtained as the row span over a finite field of the corresponding incidence or adjacency matrices. In particular we examine results on some binary and ternary codes invariant under the groups U4(2), U4(3) and L2(49), respectively, as given for example in [45,16] and in [46]. Some interesting self-dual and self-orthogonal codes are obtained from these structures. A code whose weight enumerator coincides with its MacWilliams transform is called formally self-dual. A linear code is termed isodual if it is equivalent to its dual; thus an isodual code is automatically formally self-dual. A self-dual code is isodual and even; a formally self-dual code, however, need not be isodual. One motivation for this study is that codes associated with strongly regular graphs admit an efficient decoding method, known as majority decoding [55]. Moreover, strongly regular graphs have recently been used with success in the construction of self-dual codes (see [27]). In this section we give an example of this association by constructing self-dual [72, 36, 8]2, [80, 40, 12]2 and [80, 40, 8]2 codes from some designs and isodual [54, 27, 8]2, [90, 45, 12]2 and [224, 112, 6]2 codes from some strongly regular graphs.
Furthermore, we use the properties of the designs and the graphs and their geometry to gain some insight into the nature of possible codewords, particularly those of minimum weight.

3.1.1. Codes of graphs (designs) from U4(2)

Notice that the simple group U4(2) acts as a rank-3 primitive group in all its representations [12], thus producing rank-3 graphs. The reader should be aware that rank-3 graphs are strongly regular, whereas strongly regular graphs need not be rank-3 graphs. In this section we examine the properties of the linear codes constructed from the strongly regular graphs Gi, 9 ≤ i ≤ 13, presented in Section 2.2.1, Table 12. Notice that, with the exception of G9, all graphs in Table 12 have the property that they or their complements (the complements of the graphs G11 and G12 are graphs with parameters (40, 27, 18, 18)) satisfy λ = μ, so we may associate with every such (n, k, λ, μ) graph a symmetric 2-(n, k, λ) design and thus construct the codes spanned by the incidence matrices of these designs. Since these designs (or their complements) are self-orthogonal, the codes spanned by their block-point incidence matrices are self-orthogonal [53]. We adopted this view in [45] and surveyed the interplay between this very special class of designs and self-orthogonal codes. Since the orders of these designs are divisible by 3, we only examined ternary codes obtained from the row span of the incidence matrices of the designs D14, D15, D16 and D17 or of their respective complements, as given in Section 2.2.1, Table 11. We establish some properties of these codes and the nature of some classes of codewords. Some of the codes are optimal or near optimal for the given length and dimension. The dual codes of some designs and


those of some complementary designs admit majority logic decoding. Notice that the design D14 belongs to the series of Menon designs with parameters $v = 4m^2$, $k = m(2m - 1)$, $\lambda = m(m - 1)$, $n = m^2$ (see [4], p. 622, with m = 3). In [45] we proved the following results.

Proposition 1 (i) D14 is a self-orthogonal design. (ii) $C_{D_{14}}$ is a [36, 15, 9]3 self-orthogonal code. (iii) $C_{D_{14}}^{\perp}$ is a [36, 21, 6]3 code with 240 words of weight 6. Moreover, $\mathbf{1} \in C_{D_{14}}$ and $\mathbf{1} \in C_{D_{14}}^{\perp}$. (iv) Aut(D14) = Aut($C_{D_{14}}$) = U4(2):Z2.

Proof: Since $|B_i \cap B_j| \equiv |B_k| \equiv 0 \pmod 3$ (where $i, j, k \in \{1, \ldots, b\}$, $i \ne j$, and b and k are respectively the number of blocks and the block size), we deduce that D14 is a self-orthogonal design. Hence the block-point incidence matrix of D14 spans a self-orthogonal code $C_{D_{14}}$ of length 36 [53]. Since the block size of D14 is divisible by 3 we have that $\mathbf{1} \in C_{D_{14}}^{\perp}$. Now, from [30, Theorem 1] we have that Aut(D14) = PΓU4(2). Since Aut(D14) ≤ Aut($C_{D_{14}}$) and |Aut($C_{D_{14}}$)| = |PΓU4(2)|, the result follows. In particular $C_{D_{14}}$ contains the vector $\mathbf{1}$. The minimum distance 9 can be deduced from the weight enumerator of this code, which is as follows:

$$W_{C_{D_{14}}}(x) = 1 + 80x^{9} + 3240x^{12} + 43632x^{15} + 693600x^{18} + 3355344x^{21} + 5992110x^{24} + 3654320x^{27} + 587736x^{30} + 18360x^{33} + 484x^{36}.$$

Computation with Magma [3] shows that $\dim(C_{D_{14}}) = 15$ and that $C_{D_{14}}^{\perp}$ has minimum weight 6. Since $\mathbf{1} \in C_{D_{14}}$ it follows that the code of the complementary design 2-(36, 21, 12) is $C_{D_{14}}$.

Following the above, here we look at the ternary codes of the complementary designs of D15 and D16, namely $\bar{D}_{15}$ and $\bar{D}_{16}$ respectively. Observe that these designs are non-isomorphic, and that $\bar{D}_{15}$, i.e., a 2-(40, 27, 18) design, is the complement of the design of points and planes of the projective geometry PG(3, 3). The design D15 and its complement $\bar{D}_{15}$ have the group L4(3):(Z2)1 as their full automorphism group. Notice that the group L4(3) has three involutory outer automorphisms (see [12]), namely (Z2)1, (Z2)2 and (Z2)3. The groups L4(3):(Z2)1, L4(3):(Z2)2 and L4(3):(Z2)3 are non-isomorphic. Notice that Aut(U4(2)) = U4(2):Z2 ≤ Aut(D15) = L4(3):(Z2)1. From the Atlas [12] we have that U4(2):Z2 is a maximal subgroup of L4(3):2_1 of index 234.

Theorem 3 The linear group L4(3):(Z2)1 is the automorphism group of the [40, 10]3 ternary code $C_{\bar{D}_{15}}$ derived from $\bar{D}_{15}$. $\bar{D}_{15}$ is a self-orthogonal design. The code $C_{\bar{D}_{15}}$ is self-orthogonal, with minimum distance 18. Its dual is a [40, 30, 4]3 code with 260 words of weight 4. Moreover $\mathbf{1} \notin C_{\bar{D}_{15}}$.

Proof: Self-orthogonality of $\bar{D}_{15}$ follows using an argument similar to that in the proof of Proposition 1, hence the self-orthogonality of $C_{\bar{D}_{15}}$. The minimum distance 18 can be deduced from the weight enumerator of this code, which is as follows:


$$W_{C_{\bar{D}_{15}}}(x) = 1 + 1560x^{18} + 21060x^{24} + 18800x^{27} + 16848x^{30} + 780x^{36}.$$

Computation with Magma shows that $\dim(C_{\bar{D}_{15}}) = 10$ and that $C_{\bar{D}_{15}}^{\perp}$ has minimum weight 4.

Remark 3 The code and groups found above can be described geometrically: with the notation of the propositions, the [40, 30, 4]3 code $C_{\bar{D}_{15}}^{\perp}$ is in fact the code of the 2-(40, 4, 1) design of points and lines in the projective geometry PG(3, 3); the automorphism group of the design is PΓL4(3) = L4(3):(Z2)1, by the fundamental theorem of projective geometry. The 260 words of weight 4 are the incidence vectors of the 130 lines and their scalar multiples. The code $C_{\bar{D}_{15}}$ is in fact a projective generalized Reed–Muller code (see [1, Chapter 5]). The words of weight 18 in $C_{\bar{D}_{15}}$ can also be described geometrically: they are the differences of the incidence vectors of two planes of PG(3, 3). Two such planes meet in a line, i.e., in four points, so the weight of the difference of their incidence vectors is $2 \cdot (13 - 4) = 18$. The code $C_{\bar{D}_{15}}$ is an optimal code, and its dual code $C_{\bar{D}_{15}}^{\perp}$ has minimum distance only 1 less than the optimal. The code of the complementary design 2-(40, 13, 4) of $\bar{D}_{15}$, which is obtained from $C_{\bar{D}_{15}}$ by adding the all-one vector, is a [40, 11, 13]3 code. This code is far from being optimal. However, the dual of this code is an optimal [40, 29, 6]3 code. The rows of the incidence matrix of the design D15 can be used as orthogonal parity checks that allow majority decoding of the code [40, 29, 6]3 up to its full error-correcting capacity. The following proposition can now be proved.

Proposition 2 The code [40, 29, 6]3 can correct up to 2 errors by majority decoding.

Proof: Applying Rudolph's decoding algorithm [47] to the design D15, with r = 13 and λ = 4, we have that

$$\left\lfloor \frac{r + \lambda - 1}{2\lambda} \right\rfloor = \left\lfloor \frac{13 + 4 - 1}{2 \cdot 4} \right\rfloor = \left\lfloor \frac{16}{8} \right\rfloor = 2,$$

and so the result.

Associated with $\bar{D}_{16}$ we have the following.

Proposition 3 (i) $\bar{D}_{16}$ is a self-orthogonal design. (ii) $C_{\bar{D}_{16}}$ is a [40, 14, 12]3 self-orthogonal code. (iii) $\mathbf{1} \notin C_{\bar{D}_{16}}$. (iv) $C_{\bar{D}_{16}}^{\perp}$ is a [40, 26, 4]3 code with 80 words of weight 4. (v) Aut($\bar{D}_{16}$) = Aut($C_{\bar{D}_{16}}$) = U4(2):Z2.
The weight enumerator of $C_{\bar{D}_{16}}$ is as follows:

$$W_{C_{\bar{D}_{16}}}(x) = 1 + 540x^{12} + 3600x^{15} + 39360x^{18} + 305280x^{21} + 1228320x^{24} + 1982240x^{27} + 1017648x^{30} + 193680x^{33} + 11580x^{36} + 720x^{39}.$$

Remark 4 Since Aut($\bar{D}_{16}$) = Aut(D16) = U4(2):Z2 differs from Aut($\bar{D}_{15}$) = L4(3):(Z2)1, the designs $\bar{D}_{16}$ and $\bar{D}_{15}$ are non-isomorphic. The code $C_{\bar{D}_{16}}$ has minimum distance only 3 less than the optimal. The same occurs for its dual code $C_{\bar{D}_{16}}^{\perp}$. The code $C_{D_{16}}$ of D16, which is obtained from $C_{\bar{D}_{16}}$ by adding the all-one vector, is a [40, 15, 10]3 code. This code is far from being optimal. The dual of this code, a [40, 25, 6]3 code, has minimum distance only 2 less than the optimal. However, [40, 25, 6]3 can be used to correct up to 2 errors by majority decoding.

We now look at the ternary codes of D17. Notice that symmetric 2-(45, 12, 3) designs belong to the series with parameters

$$v = q^{l+1}\left(\frac{q^{l+1} - 1}{q - 1} + 1\right), \qquad k = q^{l}\,\frac{q^{l+1} - 1}{q - 1}, \qquad \lambda = q^{l}\,\frac{q^{l} - 1}{q - 1},$$

where q is any prime power and l is any positive integer (see [4], p. 622, with q = 3 and l = 1).

Proposition 4 (i) D17 is a self-orthogonal design. (ii) $C_{D_{17}}$ is a [45, 15, 12]3 self-orthogonal code. (iii) $\mathbf{1} \in C_{D_{17}}$ and $\mathbf{1} \in C_{D_{17}}^{\perp}$. (iv) $C_{D_{17}}^{\perp}$ is a [45, 30, 6]3 code with 1200 words of weight 6. (v) Aut(D17) = Aut($C_{D_{17}}$) = U4(2):Z2.

The weight enumerator of $C_{D_{17}}$ is given by

$$W_{C_{D_{17}}}(x) = 1 + 90x^{12} + 1152x^{15} + 8660x^{18} + 92340x^{21} + 952020x^{24} + 3394640x^{27} + 5270400x^{30} + 3712770x^{33} + 850170x^{36} + 63360x^{39} + 3060x^{42} + 244x^{45}.$$

The words of minimum weight in $C_{D_{17}}$ are the incidence vectors of the blocks of the design and their scalar multiples. The code $C_{D_{17}}$ is not optimal. However, its dual code $C_{D_{17}}^{\perp}$ has minimum distance only 1 less than the optimal. Since $\mathbf{1} \in C_{D_{17}}$ it follows that the code of the complementary design 2-(45, 33, 24) is $C_{D_{17}}$. The dual code $C_{D_{17}}^{\perp}$ is a [45, 30, 6]3 code, and the rows of the incidence matrix of D17 can be used as orthogonal parity checks that allow majority decoding of $C_{D_{17}}^{\perp}$ up to its full error-correcting capacity.

3.1.2. Self-dual [72, 36, 8]2, [80, 40, 12]2 and [80, 40, 8]2 codes

The existence of a self-dual [72, 36, 16]2 code is an important open question in coding theory. It is shown in [26] that a code with these parameters could be found from Hadamard matrices of order 36 with a trivial group or with automorphisms of order 2, 3, 5 or 7. This is one motivation for our study of the codes given below. Using a well-known construction, such as for example the one given in [5], we construct a self-dual type II [72, 36, 8]2 code associated with the design D14.

Theorem 4 ([5, Theorem 2]) Let A be the incidence matrix of a symmetric 2-(v, k, λ) design with k odd. Then: (i) if k ≡ 3 (mod 4), then the code with generator matrix (I | A) is a doubly-even self-dual [2v, v] code; (ii) if k ≡ 2 (mod 4), then the code with generator matrix


$$\left( I_{v+1} \;\middle|\; \begin{array}{cccc} 0 & 1 & \cdots & 1 \\ 1 & & & \\ \vdots & & A & \\ 1 & & & \end{array} \right)$$

is a doubly-even self-dual [2v + 2, v + 1] code.

Using Theorem 4, a generator matrix of a doubly-even self-dual code of length 72 can be obtained as (I36 | A), where A is the incidence matrix of D14; so we construct a type II [72, 36, 8]2 self-dual code, denoted PT.

Proposition 5 The binary code PT with generator matrix (I36 | A) is a formally self-dual type II [72, 36, 8]2 code, with automorphism group isomorphic to E32768 : S6(2). The weight enumerator of PT is as follows:

$$W_{P_T}(x) = 1 + 945x^{8} + 30576x^{12} + 535932x^{16} + 17267040x^{20} + 455965020x^{24} + 4438423440x^{28} + 16506508662x^{32} + 25882013504x^{36} + 16506508662x^{40} + 4438423440x^{44} + 455965020x^{48} + 17267040x^{52} + 535932x^{56} + 30576x^{60} + 945x^{64} + x^{72}.$$

Similarly, using Theorem 4 we constructed self-dual type II [80, 40, 12]2 and [80, 40, 8]2 codes from the designs D15 and D16 respectively. So we have

Proposition 6 The binary code of D15 is a formally self-dual type II [80, 40, 12]2 code, with 4160 words of weight 12, and automorphism group isomorphic to L4(3):E4. Moreover, the binary code of D16 is a formally self-dual type II [80, 40, 8]2 code, with 270 words of weight 8, and automorphism group isomorphic to Z2.U4(2):Z2.

Remark 5 The binary code of D17 is an isodual [90, 45, 12]2 code with 1160 codewords of weight 12, and automorphism group isomorphic to U4(2):Z2.

3.1.3. Codes from U4(3)

Similarly to the analysis provided in Section 3.1.1, here we look at the codes obtained from the strongly regular graphs constructed from the simple unitary group U4(3). These graphs are in fact rank-3 graphs. A study of the binary codes of strongly regular graphs, including some known graphs on fewer than 45 vertices, has been undertaken in [29]. As discussed in Section 2.2.2, Table 13, using Theorem 2, from the conjugacy classes of maximal subgroups of the simple unitary group U4(3) we obtain strongly regular graphs Gi, 14 ≤ i ≤ 17. The code $C_{G_i}$ of a graph Gi is the code of its (0, 1)-adjacency matrix.
The dimension of $C_{G_i}$ is equal to the p-rank of its adjacency matrix, i.e., the rank of the adjacency matrix of Gi regarded as a matrix over GF(p). This section discusses the codes of these graphs as presented in [16], without an association to 2-designs. Notice first that the unitary group U4(3) is a maximal subgroup of the sporadic simple group McL discovered


by J. McLaughlin [32]. It was shown by McLaughlin that there exists a regular graph $\mathcal{G} = (\Omega, E)$ with 275 vertices possessing a transitive automorphism group Aut($\mathcal{G}$) = McL:2, with McL a simple group of order 898128000. The McLaughlin graph $\mathcal{G}$ is a rank-3 graph of valency 112 on 275 points. The stabilizer of a point in McL is a maximal subgroup isomorphic to U4(3). The orbits under this action have lengths 1, 112 and 162, respectively. The McLaughlin graph contains many induced subgraphs which are again strongly regular. The graphs denoted G14 and G16 in Section 2.2.2, which are the first and second subconstituents of the McLaughlin graph, are one such example. The uniqueness of these graphs was proved in [9,11]. We now look at the codes of G14 and G16 respectively.

Proposition 7 (i) $C_{G_{14}}$ is a [112, 22, 30]2 self-orthogonal code. (ii) $\mathbf{1} \in C_{G_{14}}$. (iii) $C_{G_{14}}^{\perp}$ is a self-complementary [112, 90, 6]2 code with 5040 words of weight 6. (iv) Aut(G14) = Aut($C_{G_{14}}$) = U4(3):D8. (v) $C_{G_{16}}$ is a [162, 20, 56]2 self-orthogonal doubly-even code. (vi) $C_{G_{16}}^{\perp}$ is a self-complementary [162, 142, 6]2 code with 86562 words of weight 6. Moreover $\mathbf{1} \in C_{G_{16}}^{\perp}$. (vii) Aut(G16) = Aut($C_{G_{16}}$) = U4(3):(2²)133. (viii) U4(3) acts irreducibly on $C_{G_{16}}$ as a GF(2)-module.

Uniqueness of the graphs G15 and G17 is not known. The codes of these graphs are given in

Proposition 8 (i) $C_{G_{15}}$ is a [126, 21, 36]3 self-orthogonal code. (ii) $C_{G_{15}}^{\perp}$ is a [126, 105, 6]3 code with 23250 words of weight 6. (iii) $\mathbf{1} \in C_{G_{15}}$. (iv) Aut(G15) = Aut($C_{G_{15}}$) = U4(3):(2²)122. (v) $C_{G_{17}}$ is a [280, 70, 36]2 self-orthogonal code with 280 words of weight 36. (vi) $C_{G_{17}}^{\perp}$ is a [280, 210, 8]2 code. (vii) $\mathbf{1} \in C_{G_{17}}$. (viii) Aut(G17) = Aut($C_{G_{17}}$) = U4(3):D8.

Remark 6 The codes of the complements of the graphs Gi, 14 ≤ i ≤ 17, have been examined in [16]. We have constructed an isodual [224, 112, 6]2 code from the adjacency matrix of the graph G14.

3.2.
Codes from L2(49)

In closing we consider the results presented in Section 2.3, Tables 15 and 16, and look at the codes obtained from the designs D18 and D19. In [46] a discussion of the properties of the codes of these designs is given, and links with isodual codes are established. Work related to isodual codes can be found in [2,33,31,52]. Isodual codes have many practical applications, and their mathematical structure provides useful information for computing their support weight enumerators.

Proposition 9 The linear group L2(49):Z2 is the automorphism group of the [50, 25, 8]2 code $C_{D_{18}}$ derived from the 2-(50, 8, 4) design D18. The code $C_{D_{18}}$ is also the code of the design D19. Moreover, $C_{D_{18}}$ is an isodual code.


Table 17. Weight distribution of $C_{D_{18}}$

i       | A_i
0, 50   | 1
8, 42   | 175
12, 38  | 9800
16, 34  | 287875
18, 32  | 1102500
20, 30  | 2808190
22, 28  | 5225500
24, 26  | 7292425

The rows of the incidence matrix of the 2-(50, 8, 4) design can be used as orthogonal parity checks that allow majority decoding of the code [50, 25, 8]2 up to its full error-correcting capacity: here r = 28 and λ = 4, so Rudolph's bound gives ⌊(28 + 4 − 1)/8⌋ = 3 = ⌊(8 − 1)/2⌋ correctable errors.
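Added worked example (not from the paper or from [45]): Remark 3 and Proposition 2 identify D15 with the point-plane design of PG(3, 3), so that design can be rebuilt from scratch and the claims about its codes exercised directly. The Python script below (a) constructs the 40 × 40 incidence matrix A of points versus planes of PG(3, 3) and checks that it is a symmetric 2-(40, 13, 4) design, (b) computes the 3-rank of A (the dimension of $C_{D_{15}}$, expected 11, so the dual has dimension 29) and of J − A (expected 10), (c) implements Rudolph's one-step majority (threshold) decoding of the dual code, using the r = 13 planes through each point as orthogonal checks, and corrects t = ⌊(r + λ − 1)/(2λ)⌋ = 2 errors as in Proposition 2 and in the remark above on D18, and (d) applies Theorem 4(i) to the complementary design 2-(40, 27, 18), whose block size 27 ≡ 3 (mod 4), and verifies that the resulting binary [80, 40] code is self-dual and doubly-even. The paper does not spell out how Theorem 4 was applied to D15, whose block size 13 is not 3 (mod 4); taking the complement is this example's reading. The codewords used in (c) are differences of incidence vectors of two lines of PG(3, 3), which lie in the [40, 29, 6]3 code; the minimum distance itself is not recomputed. Field arithmetic and the threshold rule are written out in the code, which assumes Python 3.8 or later for `pow(x, -1, p)`.

```python
# Added example: the point-plane design of PG(3,3) (the paper's D15), its
# 3-rank, Rudolph majority decoding of the dual [40,29,6]_3 code, and the
# (I | A) self-dual construction of Theorem 4 on the complementary design.
from itertools import product, combinations


def normalize(v, p):
    """Scale a nonzero vector over GF(p) so its first nonzero entry is 1."""
    inv = pow(next(x for x in v if x), -1, p)
    return tuple((inv * x) % p for x in v)


def pg_points(n, p):
    """Points of PG(n, p) as normalized vectors of GF(p)^(n+1)."""
    return sorted({normalize(v, p) for v in product(range(p), repeat=n + 1) if any(v)})


def point_hyperplane_matrix(n, p):
    """A[i][j] = 1 iff point j lies on hyperplane i (hyperplane i is the kernel
    of the i-th normalized functional, so one vector set indexes both)."""
    pts = pg_points(n, p)
    return [[int(sum(a * b for a, b in zip(h, q)) % p == 0) for q in pts] for h in pts], pts


def design_parameters(A):
    """(v, block sizes, replication numbers, pair counts) of a 0/1 matrix."""
    v = len(A[0])
    k = {sum(row) for row in A}
    r = {sum(row[j] for row in A) for j in range(v)}
    lam = {sum(row[x] * row[y] for row in A) for x, y in combinations(range(v), 2)}
    return v, k, r, lam


def rank_mod(rows, p):
    """Rank over GF(p) by Gauss-Jordan elimination on a copy of rows."""
    M, rank = [r[:] for r in rows], 0
    for c in range(len(M[0])):
        piv = next((i for i in range(rank, len(M)) if M[i][c] % p), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][c] % p, -1, p)
        M[rank] = [(x * inv) % p for x in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][c] % p:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[rank])]
        rank += 1
    return rank


def lines_pg33(pts):
    """Lines of PG(3,3) as sorted tuples of point indices (4 points each)."""
    index, lines = {q: i for i, q in enumerate(pts)}, set()
    for a, b in combinations(pts, 2):
        span = {normalize(tuple((s * x + t * y) % 3 for x, y in zip(a, b)), 3)
                for s in range(3) for t in range(3) if s or t}
        lines.add(tuple(sorted(index[q] for q in span)))
    return sorted(lines)


def line_difference_codeword(lines, i, j, v=40):
    """Indicator of line i minus indicator of line j over GF(3). A plane meets a
    line in 1 or 4 points (both 1 mod 3), so the difference is orthogonal to
    every row of A: it lies in the dual code of C_{D15}."""
    c = [0] * v
    for q in lines[i]:
        c[q] = (c[q] + 1) % 3
    for q in lines[j]:
        c[q] = (c[q] - 1) % 3
    return c


def rudolph_decode(A, y, r, lam, t, p=3):
    """One-step threshold (Rudolph) decoding of the null space of A over GF(p).
    The r rows through coordinate i give check sums equal to e_i whenever the
    row holds no other error. With at most t errors a nonzero e_i = a is seen
    by at least r - lam*(t-1) checks and any other value by at most lam*t, so
    the threshold T = r - lam*(t-1) decides as long as T > lam*t."""
    T = r - lam * (t - 1)
    assert T > lam * t, "majority logic cannot guarantee t errors here"
    e = [0] * len(y)
    for i in range(len(y)):
        sums = [sum(a * b for a, b in zip(row, y)) % p for row in A if row[i]]
        for a in range(1, p):
            if sums.count(a) >= T:
                e[i] = a
    return [(yi - ei) % p for yi, ei in zip(y, e)]


def self_dual_from_complement(A):
    """Theorem 4(i) on J - A (block size 27 = 3 mod 4): generator (I | J - A)
    over GF(2). Returns (self-orthogonal, rank, all generators of weight 0 mod 4)."""
    v = len(A)
    G = [[int(i == j) for j in range(v)] + [1 - x for x in A[i]] for i in range(v)]
    self_orth = all(sum(a * b for a, b in zip(G[i], G[j])) % 2 == 0
                    for i in range(v) for j in range(i, v))
    return self_orth, rank_mod(G, 2), all(sum(row) % 4 == 0 for row in G)


def demo():
    A, pts = point_hyperplane_matrix(3, 3)
    params = design_parameters(A)                               # (40, {13}, {13}, {4})
    rk_A = rank_mod(A, 3)                                       # 11 = dim C_{D15}
    rk_comp = rank_mod([[1 - x for x in row] for row in A], 3)  # 10 = dim of the complement's code
    lines = lines_pg33(pts)                                     # 130 lines
    c = line_difference_codeword(lines, 0, 1)
    y = c[:]
    y[3], y[17] = (y[3] + 1) % 3, (y[17] + 2) % 3               # two injected errors
    ok = rudolph_decode(A, y, r=13, lam=4, t=2) == c
    in_dual = all(sum(a * b for a, b in zip(row, c)) % 3 == 0 for row in A)
    return params, rk_A, rk_comp, len(lines), in_dual, ok, self_dual_from_complement(A)


if __name__ == "__main__":
    print(demo())
```

With two errors, a coordinate that is in error sees 13 − 4 = 9 clean checks (the planes through it that avoid the other error), while a correct coordinate sees at most 4 checks reporting any given nonzero value, so the threshold 9 > 8 = λt separates the cases exactly as the bound in Proposition 2 predicts; three errors would push the clean count down to 5 and the decoder would fail, which is why the [40, 29, 6]3 code is decoded only "up to its full error-correcting capacity" and not beyond.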

References

[1] E. F. Assmus, Jr. and J. D. Key, Designs and their Codes, Cambridge Tracts in Mathematics, Vol. 103, Cambridge University Press, Cambridge, 1992 (second printing with corrections, 1993).
[2] C. Bachoc, T. A. Gulliver and M. Harada, Isodual codes over Z_{2k} and isodual lattices, J. Algebraic Combin. 12(3) (2000), 223–240.
[3] W. Bosma and J. Cannon, Handbook of Magma Functions, Department of Mathematics, University of Sydney, November 1994, http://magma.maths.usyd.edu.au/magma.
[4] T. Beth, D. Jungnickel and H. Lenz, Design Theory, Cambridge University Press, Cambridge, 1993.
[5] I. Bouyukliev, V. Fack and J. Winne, 2-(31,15,7), 2-(35,17,8) and 2-(36,15,6) designs with automorphisms of odd prime order, and their related Hadamard matrices and codes, Des. Codes Cryptogr. 51(2) (2009), 105–122.
[6] P. L. H. Brooke, On matrix representations and codes associated with the simple group of order 25920, J. Algebra 91(2) (1984), 536–566.
[7] P. L. H. Brooke, On the Steiner system S(2,4,28) and codes associated with the simple group of order 6048, J. Algebra 97(2) (1985), 376–406.
[8] A. E. Brouwer, Strongly regular graphs, in: Handbook of Combinatorial Designs, 2nd ed., C. J. Colbourn and J. H. Dinitz (eds.), Chapman & Hall/CRC, Boca Raton, 2007, 852–868.
[9] A. E. Brouwer and J. H. van Lint, Strongly regular graphs and partial geometries, in: Enumeration and Design (Proc. Silver Jubilee Conf. on Combinatorics, Waterloo, 1982), D. M. Jackson and S. A. Vanstone (eds.), Academic Press, Toronto, 1984, 85–122.
[10] P. J. Cameron and J. H. van Lint, Designs, Graphs, Codes and Their Links, London Mathematical Society Student Texts, Cambridge University Press, Cambridge, 1991.
[11] P. J. Cameron, J.-M. Goethals and J. J. Seidel, Strongly regular graphs having strongly regular subconstituents, J. Algebra 55 (1978), 257–280.
[12] J. H. Conway, R. T. Curtis, S. P. Norton, R. A. Parker, R. A. Wilson and J. G. Thackray, Atlas of Finite Groups, Clarendon Press, Oxford, 1985.
[13] D. Crnković and D. Held, Some Menon designs having U(3,3) as an automorphism group, Illinois J. Math. 47 (2003), 129–139.
[14] D. Crnković and V. Mikulić, Unitals, projective planes and other combinatorial structures constructed from the unitary groups U(3,q), q = 3, 4, 5, 7, Ars Combin., to appear.
[15] D. Crnković and V. Mikulić, Block designs and strongly regular graphs constructed from the group U(3,4), Glas. Mat. Ser. III 41(61) (2006), 189–194.
[16] D. Crnković, V. Mikulić and B. G. Rodrigues, Some strongly regular graphs and self-orthogonal codes from the unitary group U4(3), Glas. Mat. Ser. III, to appear.
[17] D. Crnković, V. Mikulić and S. Rukavina, Block designs constructed from the group U(3,3), J. Appl. Algebra Discrete Struct. 2 (2004), 69–81.
[18] D. Crnković, V. Mikulić and S. Rukavina, Block designs and strongly regular graphs constructed from linear groups L(2,49) and L(2,32), in: Advances in Algebra towards Millennium Problems, Proceedings of the 2004 International Conference on Related Subjects to Clay Problems, Ki-Bong Nam et al. (eds.), SAS International Publications, Delhi, 2005, 197–207.
[19] D. Crnković, V. Mikulić and S. Rukavina, Block designs and strongly regular graphs constructed from some linear and unitary groups, in: Pragmatic Algebra, Ki-Bong Nam et al. (eds.), SAS International Publications, Delhi, 2006, 93–108.
[20] D. Crnković and S. Rukavina, On some symmetric (45,12,3) and (40,13,4) designs, J. Comput. Math. Optim. 1(1) (2005), 55–63.
[21] V. Ćepulić, On symmetric block designs (45,12,3) with automorphisms of order 5, Ars Combin. 37 (1994), 33–48.
[22] V. Ćepulić, On symmetric block designs (40,13,4) with automorphisms of order 5, Discrete Math. 128(1–3) (1994), 45–60.
[23] P. Dembowski, Finite Geometries, Springer-Verlag, Berlin Heidelberg New York, 1968.
[24] U. Dempwolff, Primitive rank 3 groups on symmetric designs, Des. Codes Cryptogr. 22(2) (2001), 191–207.
[25] U. Dempwolff and W. M. Kantor, Symmetric designs from the G2(q) generalized hexagons, J. Combin. Theory Ser. A 98(2) (2002), 410–415.
[26] R. A. Dontcheva, A. J. van Zanten and S. M. Dodunekov, Binary self-dual codes with automorphisms of composite order, IEEE Trans. Inform. Theory 50(2) (2004), 311–318.
[27] S. T. Dougherty, J.-L. Kim and P. Solé, Double circulant codes from two class association schemes, Adv.
Math. Commun. 1 (2007), 4564 W.H. Haemers, Eigenvalue techniques in design and graph theory, Mathematical Centre Tracts 121 (Amsterdam: Mathematisch Centrum, 1980) W. H. Haemers, R. Peeters, and J. M. van Rijckevorsel, Binary codes of strongly regular graphs, Des. Codes Cryptogr. 17 (1999), 187209 D. Held, J. Hrabe de Angelis, M.-O. Pav cevi c, P Sp4 (3) as a symmetric (36,15,6)-design, Rend. Semin. Mat. Univ. Padova 101 (1999) 95-98 W. Cary Huffman. On the classication and enumeration of self-dual codes. Finite Fields Appl., 11(3) (2005), 451490 J. McLaughlin, A simple group of order 898, 128, 000, Theory of Finite Groups (Symposium, Harvard Univ., Cambridge, Mass., 1968), Benjamin, New York, (1969), 109111 Olgica Milenkovic, Support weight enumerators and coset weight distributions of isodual codes, Des. Codes Cryptogr., 35(1) (2005), 81109 J. D. Key and J. Moori, Codes, Designs and Graphs from the Janko Groups J1 and J2 , J. Combin. Math. Combin. Comput. 40 (2002), 143159 J. D. Key and J. Moori, Correction to: Codes, designs and graphs from the Janko groups J1 and J2 [J. Combin. Math. Combin. Comput. 40 (2002), 143-159], J. Combin. Math. Combin. Comput. 64 (2008), 153 J. D. Key and J. Moori, B. G. Rodrigues, On some designs and codes from primitive representations of some nite simple groups, J. Combin. Math. Combin. Comput. 45 (2003), 319 R. Laue, Zur Konstruktion und Klassikation endlicher auosbarer Gruppen, Bayreuter Math. Schr. Vol. 9 (Universitt Bayreut, 1982). R. Mathon and A. Rosa, 2 (v, k, ) Designs of Small Order, in: Handbook of Combinatorial Designs, 2nd ed., (C. J. Colbourn and J. H. Dinitz, Eds.), Chapman & Hall/CRC, Boca Raton (2007), 2558 R. Mathon, E. Spence, On 2-(45,12,3) designs, J. Combin. Des. 4, No.3 (1996), 155-175 B. D. McKay, Nauty Users Guide (version 1.5) Technical Report TR-CS-90-02, Department of Computer Science, Australian National University (1990) C. Parker, and V. D. 
Tonchev, Linear Codes and Double Transitive Symmetric Design, Linear Algebra Appl. 226-228 (1995), 237246

252

[42] [43] [44] [45] [46] [47] [48] [49] [50]

C. Parker, E. Spence, V. D. Tonchev, Designs with the Symmetric Difference Property on 64 Points and Their Groups, J. Comb. Theory, Ser. A 67, No.1 (1994), 23-43 The GAP Group, GAP Groups, Algorithms, and Programming, Version 4.4.9; 2006. (http://www.gapsystem.org) D. Robinson, A Course in the Theory of groups, Springer-Verlag, New York, Berlin, Heidelberg (1996) B. G. Rodrigues, Self-orthogonal designs and codes from the symplectic groups S4 (3) and S4 (4), Discrete Math. 308 (2008) 1941-1950 B. G. Rodrigues, An isodual [50, 25, 8]2 code invariant under L2 (49), Submitted. L. D. Rudolph, A class of majority logic decodable codes, IEEE Trans. Information Theory 13 (1967), 305307 L. H. Soicher, DESIGN a GAP package, Version 1.3, 2006. (http://designtheory.org/software/gap_design/) L. H. Soicher, Three New Distance-regular Graphs, Europ. J. Combinatorics 14 (1993), 501505 E. Spence, (40,13,4)-designs derived from strongly regular graphs, Advances in Finite Geometry and Designs, Proc. 3rd Isle of Thorns Conf., Chelwood Gate/UK 1990, Oxford University Press (1991), 359-368 R. T. Stoichev and V. D. Tonchev, Unital designs in planes of order 16, Discrete Appl. Math. 102 (2000), 151-158 N. J. A. Sloane, On lattices equivalent to their duals, Journal of Number Theory 48 (1994) 373-382 V. D. Tonchev, Self-orthogonal designs, Finite geometries and combinatorial designs (Lincoln, NE,1987), Contemp. Math., vol. 111 (1990), 219235 V. D. Tonchev, Unitals in the Hlz design on 28 points, Geom. Dedicata 38 (1991), 357-363 V. D. Tonchev, Error-correcting codes from graphs, Discrete Math. 257, no. 2-3 (2002), 549557 V. D. Tonchev, Binary codes derived from the Hoffman-Singleton and Higman-Sims graphs, IEEE Trans. Info. Theory 43 (1997), 10211025 W.Wirth, Announcement (Handbook of Combinatorial Designs, New Results at http://www.emba.uvm.edu/dinitz/newresults.1.html)

Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-253


Willem H. HAEMERS, Department of Econometrics and OR, Tilburg University, The Netherlands

Abstract. The adjacency matrix of a graph can be interpreted as the incidence matrix of a design, or as the generator matrix of a binary code. Here these relations play a central role. We consider graphs for which the corresponding design is a (symmetric) block design or a (group) divisible design. Such graphs are strongly regular (in the case of a block design) or very similar to a strongly regular graph (in the case of a divisible design). Many constructions and properties of these kinds of graphs are obtained. We also consider the binary code of a strongly regular graph, work out some theory and give several examples.

Keywords. Block designs, divisible designs, strongly regular graphs, Seidel switching, Hadamard matrices, binary codes.

1. Introduction

Central in this reader is the interplay between graphs and designs. We start with a preliminary chapter on strongly regular graphs, block designs and their interplay. Then we look at binary codes generated by the adjacency matrix of a strongly regular graph; this section is mainly based on [24]. The third part, based on [21], is devoted to a more recent development on graphs that are related to divisible designs. We introduce basic concepts such as block designs, strongly regular graphs and Hadamard matrices, but we assume basic knowledge of algebra and graph theory. Some useful general references are [4,16,29,39].

2. Graphs and designs

2.1. Designs

A block design with parameters $(v, k, \lambda)$ is a finite point set $P$ of cardinality $v$, and a collection $B$ of subsets (called blocks) of $P$, such that:
(i) each block has cardinality $k$ ($2 \le k \le v-1$),
(ii) each (unordered) pair of points occurs in exactly $\lambda$ blocks.
A block design with parameters $(v, k, \lambda)$ is also called a 2-$(v, k, \lambda)$ design. The incidence matrix $N$ of such a design is the $(0,1)$ matrix with rows indexed by the points and columns indexed by the blocks, such that $N_{ij} = 1$ if point $i$ is in block $j$, and $N_{ij} = 0$ otherwise. The following result is a straightforward translation of the definition into matrix language (as usual, $J$ stands for an all-ones matrix, and $\mathbf{1}$ for an all-ones vector).


Proposition 2.1 A $(0,1)$ matrix $N$ is the incidence matrix of a 2-$(v,k,\lambda)$ design if and only if $N^\top\mathbf{1} = k\mathbf{1}$ and $NN^\top = \lambda J + D$, for some diagonal matrix $D$.

Theorem 2.1 Suppose $(P, B)$ is a 2-$(v,k,\lambda)$ design with incidence matrix $N$. Then
(i) each point is incident with $r = \lambda(v-1)/(k-1)$ blocks, that is $N\mathbf{1} = r\mathbf{1}$, and $NN^\top = \lambda J + (r-\lambda)I$,
(ii) the number of blocks equals $b = vr/k$, that is $N$ has $b$ columns,
(iii) $b \ge v$, with equality if and only if $N^\top$ is the incidence matrix of a 2-$(v,k,\lambda)$ design.

Proof. (i): Fix a point $z \in P$. By (ii) of the above definition, the number of pairs $(x, a)$ with $x \in P$, $x \neq z$ and $a \in B$, $x, z \in a$, equals $\lambda(v-1)$. On the other hand it is equal to $k-1$ times the number of blocks containing $z$. Equation (ii) follows by counting the number of pairs $(x, a)$ with $x \in P$, $a \in B$, $x \in a$ (that is, the number of ones in $N$). (iii): From (i) and Proposition 2.1 it follows that
$$R = \frac{1}{r-\lambda}\,N^\top - \frac{\lambda}{r(r-\lambda)}\,J$$
is a right inverse of $N$. Therefore $N$ has rank $v$, and hence $b \ge v$. Moreover, if $b = v$, then $r = k$, $R = N^{-1}$ and we have $I = N^{-1}N$, which leads to $N^\top N = (k-\lambda)I + \lambda J$. By (i) we have $N\mathbf{1} = k\mathbf{1}$, hence $N^\top$ is the incidence matrix of a 2-$(v,k,\lambda)$ design by Proposition 2.1.

A 2-$(v,k,1)$ design is also called a Steiner 2-design. A block design with $b = v$ is called symmetric. The dual of a design with incidence matrix $N$ is the structure with incidence matrix $N^\top$. Theorem 2.1(ii) states that the dual of a symmetric design is again a symmetric design with the same parameters. In terms of the original design, it means that any two distinct blocks intersect in the same number $\lambda$ of points. In general, the size of the intersection of two distinct blocks can vary. If in a block design these numbers take only two values, we call the design quasi-symmetric. Obviously, two blocks in a Steiner 2-design cannot have more than one point in common, so it is symmetric or quasi-symmetric. Note that if $N$ is the incidence matrix of a 2-$(v,k,\lambda)$ design $(P, B)$, then $J - N$ represents a 2-$(v, v-k, b-2v+\lambda)$ design, called the complement of $(P, B)$. Moreover, if $N$ is symmetric (or quasi-symmetric), then so is the complement. Many examples of block designs come from geometries over a finite field $\mathbb{F}_q$. For example, the points and the lines in projective space of dimension $n$ over $\mathbb{F}_q$ give a 2-$(q^n + q^{n-1} + \cdots + q + 1,\ q+1,\ 1)$ design. Because $\lambda = 1$, it is a Steiner 2-design, and therefore quasi-symmetric or symmetric. The design is symmetric if and only if $n = 2$. Such a design is called a projective plane of order $q$. The smallest case $q = 2$ gives the famous Fano plane. Another family of examples comes from Hadamard matrices. An $m \times m$ matrix $H$ is a Hadamard matrix (of order $m$) if every entry is $1$ or $-1$, and $HH^\top = mI$. In other words, $H^{-1} = \frac{1}{m}H^\top$, hence $H^\top H = mI$. If a row or a column of a Hadamard matrix is


multiplied by $-1$, the matrix remains a Hadamard matrix. Therefore we can arrange that the first row and column consist of ones only. If we then delete the first row and column we obtain an $(m-1) \times (m-1)$ matrix $C$, often called the core of $H$ (with respect to the first row and column). It follows straightforwardly that a core $C$ of a Hadamard matrix satisfies $CC^\top = C^\top C = mI - J$, and $C\mathbf{1} = C^\top\mathbf{1} = -\mathbf{1}$. This implies that $N = \frac12(C + J)$ satisfies $N\mathbf{1} = (\frac12 m - 1)\mathbf{1}$ and $NN^\top = \frac14 mI + (\frac14 m - 1)J$, that is, $N$ is the incidence matrix of a 2-$(m-1, \frac12 m - 1, \frac14 m - 1)$ design (provided $m > 2$). Note that this implies that if $m > 2$, then $m$ is divisible by $4$. A Hadamard matrix $H$ is regular if $H$ has constant row and column sum ($\varepsilon$ say). From $HH^\top = mI$ we get that $\varepsilon^2 = m$, so $\varepsilon = \pm\sqrt{m}$, and $m$ is a square. If $H$ is a regular Hadamard matrix, then we easily have that $N = \frac12(H + J)$ is the incidence matrix of a symmetric 2-$(m, (m+\varepsilon)/2, (m+2\varepsilon)/4)$ design. Examples of Hadamard matrices are:
$$\begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix} \quad\text{and}\quad \begin{pmatrix} -1 & 1 & 1 & 1 \\ 1 & -1 & 1 & 1 \\ 1 & 1 & -1 & 1 \\ 1 & 1 & 1 & -1 \end{pmatrix}.$$
One easily verifies that, if $H_1$ and $H_2$ are Hadamard matrices, then so is the Kronecker product $H_1 \otimes H_2$. Moreover, if $H_1$ and $H_2$ are regular, then so is $H_1 \otimes H_2$. With the above examples (note that the second one is regular) we can construct Hadamard matrices of order $m = 2^i$, and regular ones of order $4^i$ for $i \ge 0$. Many more constructions for Hadamard matrices and block designs are known. Some general references are [6] and [16], Chapter V.

2.2. Strongly regular graphs

A strongly regular graph with parameters $(v, k, \lambda, \mu)$ (often denoted by SRG$(v,k,\lambda,\mu)$) is a (simple, undirected and loopless) graph of order $v$ satisfying:
(i) each vertex is adjacent to $k$ ($1 \le k \le v-2$) vertices,
(ii) for each pair of adjacent vertices there are $\lambda$ vertices adjacent to both,
(iii) for each pair of non-adjacent vertices there are $\mu$ vertices adjacent to both.
For example, the pentagon is strongly regular with parameters $(v,k,\lambda,\mu) = (5, 2, 0, 1)$. One easily verifies that a graph $\Gamma$ is strongly regular with parameters $(v,k,\lambda,\mu)$ if and only if its complement $\bar\Gamma$ is strongly regular with parameters $(v, v-k-1, v-2k+\mu-2, v-2k+\lambda)$. The line graph of the complete graph of order $m$, known as the triangular graph $T(m)$, is strongly regular with parameters $(\frac12 m(m-1), 2(m-2), m-2, 4)$. The complement of $T(5)$ has parameters $(10, 3, 0, 1)$. This is the Petersen graph (see Figure 1). A graph satisfying condition (i) is called $k$-regular. The adjacency matrix of a graph $\Gamma$ is the symmetric $(0,1)$ matrix $A$ indexed by the vertices of $\Gamma$, where $A_{ij} = 1$ if $i$ is adjacent to $j$, and $A_{ij} = 0$ otherwise. It is well-known and easily seen that $A\mathbf{1} = k\mathbf{1}$ for a $k$-regular graph; in other words, the adjacency matrix of a $k$-regular graph has an eigenvalue $k$ with eigenvector $\mathbf{1}$. Moreover, every other eigenvalue $\theta$ satisfies $|\theta| \le k$, and if $\Gamma$ is connected, the multiplicity of $k$ equals $1$ (see Biggs [7]). For convenience we call an eigenvalue restricted if it has an eigenvector perpendicular to $\mathbf{1}$. So for a $k$-regular connected graph the restricted eigenvalues are the eigenvalues different from $k$.


Figure 1. The Petersen graph

Theorem 2.2 For a simple graph $\Gamma$ of order $v$, not complete or empty, with adjacency matrix $A$, the following are equivalent:
(i) $\Gamma$ is strongly regular with parameters $(v,k,\lambda,\mu)$ for certain integers $k, \lambda, \mu$,
(ii) $A^2 = (\lambda-\mu)A + (k-\mu)I + \mu J$ for certain reals $k, \lambda, \mu$,
(iii) $A$ has precisely two distinct restricted eigenvalues.

Proof. The equation in (ii) can be rewritten as $A^2 = kI + \lambda A + \mu(J - I - A)$. Now (i) $\Leftrightarrow$ (ii) is obvious. (ii) $\Rightarrow$ (iii): Let $\theta$ be a restricted eigenvalue, and $u$ a corresponding eigenvector perpendicular to $\mathbf{1}$. Then $Ju = 0$. Multiplying the equation in (ii) on the right by $u$ yields $\theta^2 = (\lambda-\mu)\theta + (k-\mu)$. This quadratic equation in $\theta$ has two distinct solutions. (Indeed, $(\lambda-\mu)^2 = 4(\mu-k)$ is impossible since $\mu \le k$ and $\lambda \le k-1$.) (iii) $\Rightarrow$ (ii): Let $r$ and $s$ be the restricted eigenvalues. Then $(A - rI)(A - sI) = \alpha J$ for some real number $\alpha$. So $A^2$ is a linear combination of $A$, $I$ and $J$.

As an application, we show that quasi-symmetric block designs give rise to strongly regular graphs. Recall that a quasi-symmetric design is a 2-$(v,k,\lambda)$ design in which any two distinct blocks meet in either $x$ or $y$ points, for certain fixed $x, y$. Given this situation, we may define a graph $\Gamma$ on the set of blocks, and call two blocks adjacent when they meet in $x$ points. Then there exist coefficients $\alpha_1, \ldots, \alpha_7$ such that $NN^\top = \alpha_1 I + \alpha_2 J$, $NJ = \alpha_3 J$, $JN = \alpha_4 J$, $A = \alpha_5 N^\top N + \alpha_6 I + \alpha_7 J$, where $A$ is the adjacency matrix of the graph $\Gamma$. (The $\alpha_i$ can be readily expressed in terms of $v, k, \lambda, x, y$.) Then $\Gamma$ is strongly regular by (ii) of the previous theorem. Indeed, from the equations just given it follows straightforwardly that $A^2$ can be expressed as a linear combination of $A$, $I$ and $J$. We know that all 2-$(v,k,1)$ designs are quasi-symmetric. This leads to a substantial family of strongly regular graphs, including the triangular graphs $T(m)$ (derived from the trivial design consisting of all pairs out of an $m$-set).

Theorem 2.3 Let $\Gamma$ be a strongly regular graph with adjacency matrix $A$ and parameters $(v,k,\lambda,\mu)$. Let $r$ and $s$ ($r > s$) be the restricted eigenvalues of $A$ and let $f$ and $g$ be their respective multiplicities. Then
(i) $k(k-1-\lambda) = \mu(v-k-1)$,
(ii) $rs = \mu - k$, $r + s = \lambda - \mu$,
(iii) $f, g = \frac12\left(v - 1 \mp \frac{(r+s)(v-1) + 2k}{r-s}\right)$,


(iv) $r$ and $s$ are integers, except perhaps when $f = g$, $(v,k,\lambda,\mu) = (4t+1, 2t, t-1, t)$ for some integer $t$.

Proof. (i) Fix a vertex $x$ of $\Gamma$. Let $\Gamma(x)$ and $\Delta(x)$ be the sets of vertices adjacent and non-adjacent to $x$, respectively. Counting in two ways the number of edges between $\Gamma(x)$ and $\Delta(x)$ yields (i). The equations (ii) are direct consequences of Theorem 2.2(ii), as we saw in the proof. Formula (iii) follows from $f + g = v - 1$ and $0 = \operatorname{trace} A = k + fr + gs = k + \frac12(r+s)(f+g) + \frac12(r-s)(f-g)$. Finally, when $f \neq g$ then one can solve for $r$ and $s$ in (iii) (using (ii)) and find that $r$ and $s$ are rational, and hence integral. But $f = g$ implies $(\lambda-\mu)(v-1) = -2k$, which is possible only for $\mu - \lambda = 1$, $v = 2k+1$.

These relations imply restrictions for the possible values of the parameters. Clearly, the right hand sides of (iii) must be positive integers. These are the so-called rationality conditions. As an example of the application of the rationality conditions we can derive the following result due to Hoffman & Singleton [27].

Theorem 2.4 Suppose $(v, k, 0, 1)$ is the parameter set of a strongly regular graph. Then $(v, k) = (5, 2)$, $(10, 3)$, $(50, 7)$ or $(3250, 57)$.

Proof. The rationality conditions imply that either $f = g$, which leads to $(v,k) = (5,2)$, or $r - s$ is an integer dividing $(r+s)(v-1) + 2k$. By use of Theorem 2.3(i)-(ii) we have $s = -r - 1$, $k = r^2 + r + 1$, $v = r^4 + 2r^3 + 3r^2 + 2r + 2$, and thus we obtain $r = 1$, $2$ or $7$.

The first three possibilities are uniquely realized by the pentagon, the Petersen graph and the Hoffman-Singleton graph. For the last case existence is unknown. Except for the rationality conditions, a few other restrictions on the parameters are known. We mention two of them. The Krein conditions [35] can be stated as follows:
$$(r+1)(k+r+2rs) \le (k+r)(s+1)^2, \qquad (s+1)(k+s+2rs) \le (k+s)(r+1)^2.$$
The absolute bound (see Delsarte, Goethals & Seidel [17]) reads
$$v \le f(f+3)/2, \qquad v \le g(g+3)/2.$$
The Krein conditions and the absolute bound are special cases of general inequalities for association schemes, see for example [10]. For constructions and more results on strongly regular graphs we refer to [11], [12], [15], [16], [28], or [36].

2.3. Neighborhood designs

Any graph $\Gamma$ can be interpreted as a design, by taking the vertices of $\Gamma$ as points, and the neighborhoods of the vertices as blocks. In other words, the adjacency matrix of $\Gamma$ is interpreted as the incidence matrix of a design. Let us call such a design the neighborhood design of $\Gamma$.


Consider a strongly regular graph $\Gamma$ with parameters $(v,k,\lambda,\mu)$. If $\lambda = \mu$, then any two distinct vertices have exactly $\lambda$ common neighbors, and the adjacency matrix $A$ of $\Gamma$ satisfies $AA^\top = A^2 = (k-\lambda)I + \lambda J$. This implies that the neighborhood design of $\Gamma$ is a symmetric 2-$(v,k,\lambda)$ design (sometimes called a $(v,k,\lambda)$ design). Rudvalis [34] has called such a graph a $(v,k,\lambda)$ graph. If a symmetric design admits a symmetric incidence matrix, the corresponding bijection between points and blocks is called a polarity of the design. The points (and blocks) that correspond to a $1$ on the diagonal are the absolute points (blocks) of the polarity. Thus a $(v,k,\lambda)$ design with a polarity with no absolute points can be interpreted as a $(v,k,\lambda)$ graph. Similarly, if $A$ is the adjacency matrix of a strongly regular graph with parameters $(v, k, \lambda, \lambda+2)$, then $A + I$ is the incidence matrix of a square 2-$(v, k+1, \lambda+2)$ design, and in this way one obtains precisely the 2-$(v,k,\lambda)$ designs possessing a polarity with all points absolute. This interplay between graphs and designs turned out to be fruitful for both parts. For example, an easy construction of a symmetric 2-$(16,6,2)$ design goes via the $4 \times 4$ grid (that is, the line graph of the complete bipartite graph $K_{4,4}$, also known as the lattice graph $L(4)$), which is a $(16,6,2)$ graph. It may happen, however, that two non-isomorphic $(v,k,\lambda)$ graphs, $\Gamma_1$ and $\Gamma_2$ with adjacency matrices $A_1$ and $A_2$ say, give isomorphic designs. Also $A_1$ and $A_2 + I$ can represent isomorphic designs. The standard example is given by the two SRG$(16,6,2,2)$s (the lattice graph $L(4)$ and the Shrikhande graph) and the unique SRG$(16,5,0,2)$ (the Clebsch graph). The three graphs produce the same symmetric 2-$(16,6,2)$ design.

Proposition 2.2 If two non-isomorphic $(v,k,\lambda)$ graphs $\Gamma_1$ and $\Gamma_2$ give rise to isomorphic $(v,k,\lambda)$ designs, then both $\Gamma_1$ and $\Gamma_2$ have an involution (that is, an automorphism of order $2$).

Proof. Let $A_i$ be the adjacency matrix of $\Gamma_i$ ($i = 1, 2$), and assume that the corresponding designs are isomorphic. Then there exist permutation matrices $P$ and $Q$ such that $PA_1Q = A_2$. Without loss of generality we assume $Q = I$ (otherwise replace $A_2$ by $QA_2Q^\top$). The symmetry of $A_2$ gives $PA_1 = A_1P^\top$, and hence $P^mA_1 = A_1(P^m)^\top$. If $P$ has even order $2m$, then $P^{2m} = I$ and $P^m = (P^m)^\top \neq I$. This implies $A_1 = P^{2m}A_1 = P^mA_1(P^m)^\top$, so $P^m$ is an involution. If $P$ has odd order $2m-1$, then $A_2 = PA_1 = P^{2m}A_1 = P^mA_1(P^m)^\top$, so $\Gamma_1$ and $\Gamma_2$ are isomorphic graphs.

So, if for example a $(v,k,\lambda)$ graph $\Gamma$ has a trivial automorphism group, then any other $(v,k,\lambda)$ graph not isomorphic to $\Gamma$ gives a non-isomorphic design. For instance, there exist 16428 $(36, 21, 12)$ graphs. From these graphs, 15127 have a trivial automorphism group (see [37], [30]). So at least 15128 are also non-isomorphic as designs. A large family of $(v,k,\lambda)$ graphs comes from regular graphical Hadamard matrices. A Hadamard matrix $H$ is graphical if it is symmetric with constant diagonal. Without loss of generality we assume that the diagonal elements are $-1$ (otherwise we replace $H$ by $-H$). If, in addition, $H$ is regular of order $m$ with row sum $\varepsilon = \pm\sqrt{m}$, then $A = \frac12(H + J)$ is the adjacency matrix of an $(m, (m+\varepsilon)/2, (m+2\varepsilon)/4)$ graph. The two smallest regular graphical Hadamard matrices are:
$$\begin{pmatrix} -1 & 1 & 1 & 1 \\ 1 & -1 & 1 & 1 \\ 1 & 1 & -1 & 1 \\ 1 & 1 & 1 & -1 \end{pmatrix} \quad\text{and}\quad \begin{pmatrix} -1 & 1 & -1 & -1 \\ 1 & -1 & -1 & -1 \\ -1 & -1 & -1 & 1 \\ -1 & -1 & 1 & -1 \end{pmatrix}.$$
It is easily verified that if $H_1$ and $H_2$ are regular graphical Hadamard matrices with row sums $\varepsilon_1$ and $\varepsilon_2$, respectively, then the Kronecker product $H_1 \otimes H_2$ is again such a matrix, whose row sum is $\varepsilon_1\varepsilon_2$. Starting with the above Hadamard matrices, we can make regular graphical Hadamard matrices of order $m = 4^t$ with row sum $\varepsilon = 2^t$ and $\varepsilon = -2^t$. Many more constructions are known, for example if $m = 4t^4$, $t \ge 1$, for $\varepsilon = 2t^2$ and $\varepsilon = -2t^2$ (see [16] for a survey, and [26] for some recent developments).


3. Binary codes of strongly regular graphs

3.1. Introduction

Codes generated by the incidence matrix of combinatorial designs and related structures have been studied rather extensively. The best reference for this is the book by Assmus and Key [4] (see also the update [5]). Codes generated by the adjacency matrix of a graph have received less attention. For strongly regular graphs there is much analogy with designs and therefore interesting results may be expected. Concerning the dimension of these codes, that is, the $p$-rank of strongly regular graphs, several results are known: see [9], [33]. It has turned out that some special strongly regular graphs generate nice codes, see [23] and [38]. Here we restrict ourselves to binary codes, not only because it is the simplest case, but also since for the binary case there is a relation with regular two-graphs and Seidel switching that has already proved to be useful: see [23] and [14]. For an integral $n \times v$ matrix $A$ we define the binary code $C_A$ of $A$ to be the subspace of $V = \mathbb{F}_2^v$ generated by the rows of $A$ (mod 2). We start with some known lemmas for symmetric integral matrices (see [9], [13] or [33]).

Lemma 3.1 If $A$ is a symmetric integral matrix with zero diagonal, then 2-rank$(A)$ (i.e. the dimension of $C_A$) is even.

Proof. Let $A'$ be a non-singular principal submatrix of $A$ with the same 2-rank as $A$. Over $\mathbb{Z}$, any skew-symmetric matrix of odd order has determinant $0$ (since $\det(A') = \det(A'^\top) = \det(-A')$). Reduction mod 2 shows that $A'$ has even order.

Lemma 3.2 If $A$ is a symmetric binary matrix, then $\operatorname{diag}(A) \in C_A$.

Proof. Suppose $x \in C_A^\perp$. Then $\sum_i (A)_{ii}x_i = \sum_{i,j} (A)_{ij}x_ix_j = x^\top A x = 0 \pmod 2$, so $x \perp \operatorname{diag}(A)$. Hence $\operatorname{diag}(A) \in C_A$.

With these lemmas we easily find a relation between the codes $C_A$ and $C_{A+J}$.

Proposition 3.1 Suppose $A$ is the adjacency matrix of a graph $\Gamma$. Then $C_A \subseteq C_{A+J}$ and the following are equivalent:
(i) $C_A = C_{A+J}$,
(ii) $\mathbf{1} \in C_A$,
(iii) $\dim(C_{A+J})$ is even.


Proof. By Lemma 3.2, $\operatorname{diag}(A+J) = \mathbf{1} \in C_{A+J}$, so $C_{A+J} = C_A + \langle\mathbf{1}\rangle$ and the equivalence of (i) and (ii) follows. By Lemma 3.1, 2-rank$(A)$ is even and so (i) $\Leftrightarrow$ (iii). The next proposition gives a trivial but useful relation between $C_A^\perp$ and $C_{A+I}$.

Proposition 3.2 If $A$ is a symmetric integral matrix, then $C_A^\perp \subseteq C_{A+I}$, with equality if and only if $A(A+I) = 0 \pmod 2$.

Proof. Suppose $x \in C_A^\perp$. Then $Ax = 0 \pmod 2$, so $(A+I)x = x$ and hence $x \in C_{A+I}$. Clearly $A(A+I) = 0 \pmod 2$ reflects that $C_{A+I} \subseteq C_A^\perp$, which completes the proof.

3.2. Facts from the parameters

Here we present some properties of the binary codes of a strongly regular graph $\Gamma$, using only the parameters (eigenvalues) of $\Gamma$.

Proposition 3.3 Suppose $\Gamma$ has non-integral eigenvalues.
(i) If $\mu$ is odd (i.e. $v \equiv 5 \pmod 8$) then $C_A = \mathbf{1}^\perp$ and $C_{A+I} = V$.
(ii) If $\mu$ is even ($v \equiv 1 \pmod 8$) then $C_A^\perp = C_{A+I}$ and $\dim(C_A) = \dim(C_{A+I}) - 1 = \frac{v-1}{2}$ $(= f = g = k)$.

Proof. If $\mu$ is odd, Equation 2.2(ii) becomes $A^2 = A + I + J \pmod 2$, so $(A+J)(A+I) = I \pmod 2$, hence $C_{A+J} = C_{A+I} = V$ and $C_A = \mathbf{1}^\perp$. Suppose $\mu$ is even. Then $A^2 = A \pmod 2$, so $C_{A+I} = C_A^\perp$. The characteristic polynomial of $A$ is given by $\det(xI - A) = (x+k)(x^2+x+\mu)^f = x^{f+1}(x+1)^f \pmod 2$. Therefore 2-rank$(A+I) \ge v - f$ and 2-rank$(A) \ge v - (f+1) = f$. We know (Proposition 3.2) 2-rank$(A)$ + 2-rank$(A+I) = v$, and the result follows.

Proposition 3.4 Suppose the eigenvalues $r$ and $s$ of $\Gamma$ are integers.
(i) If $k \equiv r \equiv s \equiv 1 \pmod 2$ then $C_A = V$, $C_{A+I}$ is self-orthogonal and $\dim(C_{A+I}) \le \min\{f+1, g+1\}$.
(ii) If $r \equiv s \equiv 1 \pmod 2$ and $k$ is even, then $C_A = \mathbf{1}^\perp$, $C_{A+I}$ is orthogonal to $C_{\bar A}$ (where $\bar A = J - I - A$ is the adjacency matrix of the complement $\bar\Gamma$) and $\dim(C_{A+I}) \le \min\{f+1, g+1\}$.
(iii) If $r \not\equiv s \pmod 2$ and $k$ is even, then $C_{A+I} = C_A^\perp$, $\dim(C_A) = f$ and $\dim(C_{A+I}) = v - f$, where $f$ is the multiplicity of the odd eigenvalue.
(iv) If $r \not\equiv s \pmod 2$ and $k$ is odd, then $C_{\bar A} = C_A^\perp$, $\dim(C_A) = f + 1$ and $\dim(C_{A+I}) = v - f$.
(v) If $r \equiv s \equiv 0 \pmod 2$ then $k$ is even, $C_{A+I} = V$, $C_A$ is self-orthogonal and $\dim(C_A) \le \min\{f+1, g+1\}$ and even.

Proof. (i): Equation 2.2(ii) gives $A^2 = I$ and $(A+I)^2 = 0 \pmod 2$. Over the real numbers, $\operatorname{rank}(A - rI) = v - f = g + 1$, hence 2-rank$(A+I) \le g+1$ and similarly 2-rank$(A+I) \le f+1$. (ii): Now $A\mathbf{1} = 0$, $A^2 = I + J$, and $(A+I)^2 = J \pmod 2$, proving the first two claims. For the dimension bound see case (i).


(iii): Now Equation 2.2(ii) becomes $A(A+I) = 0 \pmod 2$, so $C_{A+I} = C_A^\perp$ by Proposition 3.2. The characteristic polynomial of $A$ (mod 2) reads $x^{v-f}(x+1)^f$, so $\dim(C_{A+I}) \ge v - f$ and $\dim(C_A) \ge f$ and, since they add up to $v$, the result follows. (iv): Here $A\bar A = 0 \pmod 2$. Similar to case (iii) we get $\dim(C_{A+I}) \ge v - f - 1$ and $\dim(C_A) \ge f + 1$. Now the dimensions add up to $v + 1$, but $f$ is odd (from $\operatorname{trace}(A)$) and $v$ is even (since $k$ is odd), so by Proposition 3.1 we find $\dim(C_A) = f + 1$, $\dim(C_{A+I}) = v - f$ and $\dim(C_{\bar A}) = v - f - 1$. (v): Now $A^2 = kJ$ and $(A+I)^2 = kJ + I \pmod 2$. From $k + fr + gs = 0$ it follows that $k$ is even. By Lemma 3.1 $\dim(C_A)$ is even. The rest follows by similar arguments as above.

Thus, unless $r$ and $s$ are both even, the dimension of $C_A$ (i.e. 2-rank$(A)$) follows from the parameters of $\Gamma$ and similarly, $\dim(C_{A+I})$ follows, unless $r$ and $s$ are both odd (see [9]). From the two propositions above we also see that if $rs$ $(= \mu - k)$ is odd, $C_A$ and $C_{A+J}$ $(= C_{\bar A + I})$ are determined by the parameters of $\Gamma$. Similarly, $C_{A+I}$ and $C_{\bar A}$ are determined if $(r+1)(s+1)$ is odd. So in these cases non-isomorphic strongly regular graphs with the same parameters (of which there are many examples) generate the same (trivial) codes.

3.3. Some families and their codes

3.3.1. Triangular graphs

The triangular graph $T(n)$ is the line graph of the complete graph $K_n$. It follows that $T(n)$ is a strongly regular graph with $v = n(n-1)/2$, $k = 2(n-2)$, $\lambda = n-2$, $\mu = 4$, $r = n-4$ and $s = -2$. $T(n)$ is known to be determined by these parameters if $n \neq 8$. If $N$ is the vertex-edge incidence matrix of $K_n$, then $A = N^\top N \pmod 2$ is the adjacency matrix of $T(n)$. The words of $C_N$, $C_A$ and $C_{A+I}$ are characteristic vectors of subsets of the edge set of $K_n$, so they can be interpreted as graphs on a fixed vertex set of size $n$. It is easily seen that $C_N$ is the $(n-1)$-dimensional binary code consisting of all complete bipartite graphs and that $C_N^\perp$ consists of disjoint unions of Euler graphs. Note that $\mathbf{1} \notin C_N$.

Theorem 3.1 Let $\Gamma$ be the triangular graph $T(n)$. If $n$ is even then $C_A = C_N \cap \mathbf{1}^\perp$ (the Eulerian complete bipartite graphs), $C_{A+I} = V$, $C_{\bar A} = V$ if $n \equiv 0 \pmod 4$ and $C_{\bar A} = \mathbf{1}^\perp$ if $n \equiv 2 \pmod 4$. If $n$ is odd then $C_A = C_N$, $C_{A+I} = C_N^\perp$, $C_{\bar A} = C_N^\perp$ if $n \equiv 1 \pmod 4$ and $C_{\bar A} = C_N^\perp \cap \mathbf{1}^\perp$ (the unions of Euler graphs with an even total number of edges) if $n \equiv 3 \pmod 4$.

Proof. Since $N^\top N = A \pmod 2$, we have $C_A \subseteq C_N$. First suppose $n$ is odd. By (iii) of Proposition 3.4, $\dim(C_A) = f = n - 1$, hence $C_A = C_N$ and $C_{A+I} = C_N^\perp$. Proposition 3.1 gives $C_{\bar A} = C_{A+I}$ whenever $(n-1)(n-2)/2 = \dim(C_{A+I})$ is even, that is $n \equiv 1 \pmod 4$. If $n \equiv 3 \pmod 4$, $C_{\bar A}$ has dimension one less and is orthogonal to $C_A$ and to $\mathbf{1}$. Since $\mathbf{1} \notin C_{\bar A}$, this proves the last claim. Next take $n$ even. By (i) and (ii) of Proposition 3.4 we find $C_{A+I}$ and $C_{\bar A}$. Since $\dim(\ker(N^\top)) = 1$, $\dim(C_A) \ge \dim(C_N) - 1 = n - 2$. Clearly $\mathbf{1} \in C_A^\perp$, but (since $n$ is even) $\mathbf{1} \notin C_N^\perp$. Therefore $C_A^\perp = C_N^\perp + \langle\mathbf{1}\rangle$ and so $C_A = C_N \cap \mathbf{1}^\perp$.

From Theorem 3.1 it follows that the codes $C_N$ and $C_A$ only have weights $w_i = i(n-i)$ $(0 \le i \le \frac{n}{2})$. If $n$ is odd, the number of codewords of weight $w_i$ equals $\binom{n}{i}$ (for both $C_N$ and $C_A$). If $n$ is even, $C_N$ has $\binom{n}{i}$ codewords of weight $w_i$ for $0 \le i < \frac{n}{2}$ and $\frac12\binom{n}{n/2}$ codewords of weight $w_{n/2}$. The code $C_A$ consists of the codewords from $C_N$ with even weight.

3.3.2. Lattice graphs The lattice graph L(m) is the line graph of the complete bipartite graph Km,m . It is strongly regular with parameters v = m2 , k = 2(m 1), = m 2, = 2, r = n 2 and s = 2. If m = 4, L(m) is determined by these parameters. Similar to above the adjacency matrix A = M M (mod 2) if M is the vertex-edge incidence matrix of Km,m . The code CM consist of the edge sets of Km,m that form a union of Euler graphs. The code CM has dimension 2m 1 and consists of disjoint unions of two bipartite graphs, one on m1 +m2 and one on (mm1 )+(mm2 ) vertices. Each choice of m1 , m2 (0 m1 m, 0 m2 m/2) gives codewords of weight m1 m2 +(m m1 )(m m2 ). m m m 1 m The number of these codewords equals m m2 if m2 < m/2 and 2 m1 m/2 if 1 m2 = m/2 (but note that different choices for m1 , m2 can lead to the same weight). The weight enumerators of the codes CA now follow easily from the next result. Theorem 3.2 Let be the lattice graph L(m). If m is even then CA consists of the graphs from CM with m1 + m2 odd, and moreover, CA + 1 = CM and CA+I = CA = V. If m is odd then CA consists of the graphs from CM with m1 + m2 even, and moreover, CA = CM 1 , CA+I = CA and CA = CA+I 1 . Proof. From M M = A (mod 2), we deduce CA CM and dim(CA ) dim(CM ) 1 = 2m 2. Let Fv 2 represent a subgraph of Km,m with all vertex degrees odd (if m is odd, we may choose = 1). Then CA , but CM , hence CA = CM . Now all statements follow straightforwardly. 3.3.3. Paley graphs Suppose v = 1 (mod 4) is a prime power. The Paley graph has Fv as vertex set and two vertices are adjacent if the difference is a non-zero square in Fv . The Paley graph is an SRG(v, (v 1)/2, (v 1)/4 1, (v 1)/4) which is isomorphic to its complement. By Propositions 3.3 and 3.4, the code CA of a Paley graph is only non-trivial if v = 1 (mod 8). Then CA and CA+I are well known as the (binary) quadratic residue codes, see for example [15] or [29] (which are usually only dened for primes v ). 
For v = 5, 9, 13 and 17, the Paley graph is the only one with the given parameters. If v 25, other graphs with the same parameters exist. If v = 5 (mod 8) all these graphs give isomorphic (trivial) codes. If v = 25 or 41 (see Section 3.5), the known non-isomorphic graphs give non-isomorphic codes and amongst them, the codes of the Paley graphs have the largest minimum distance. We conjecture that the second part of this statement is true in general. 3.3.4. Graphs from designs and Latin squares Let D denote a 2-(n, , 1) design with incidence matrix N . Then A = N N I is the adjacency matrix of a strongly regular graph D with parameters (m2 m(m 1)/, (m 1), 2 2 + m 1, 2 ), where m = (n 1)( 1). We have CA =


CN N CN if is even and CA+I = CN N CN if is odd. If = 2, (D) is a triangular graph and the related codes are given above. If = 3 D is a Steiner triple system ST S (n). A Latin square of order m (denoted by LS (m)) is an m × m matrix L with entries from {1, . . . , m} such that every entry occurs exactly once in every row and column. A Latin square can be represented by a set of m2 triples (i, j, k) indicating that entry (i, j ) is equal to k . Then two triples have at most one entry in common. The Latin square graph L of L is defined on the triples (the entries of L), where two triples are adjacent if they have an element in common (that is, the entries are in the same row, the same column, or have the same value). Then it easily follows that L is an SRG(m2 , (m 1), 2 3 + m, ( 1)). Let N be the 3m × m2 incidence matrix of the set of triples of L. Then we easily have that A = N N 3I is the adjacency matrix of L , and CA+I = CN N CN . For D and L , the dimensions of CN and CA+I are known in terms of the number of sub-triple systems and quotient Latin squares, see [18], [31] and [33]. In some cases the relation between CN and CA+I is easy. Proposition 3.5 If D is an ST S (n) then (i) if n = 1 (mod 4) (i.e. m is even), then CA+I = CN and dim(CA+I ) = n; (ii) if n = 3 (mod 4) (i.e. m is odd), then dim(CA+I ) = 2dim(CN ) n (so CA+I = CN if and only if dim(CN ) = n). If D represents an LS (m) then dim(CN ) 3m 2 and (iii) if m is odd then CA+I = CN and dim(CA+I ) = 3m 2; (iv) if m is even then dim(CA+I ) 3m 4 with equality if and only if dim(CN ) = 3m 2; equality also implies that CA+I = CN CN . Proof. The cases (i) and (iii) follow from Proposition 3.4 and the results about dimensions in (ii) and (iv) can be found in Chapter 3 of [33]. So we are left with the last statement. We have N N = (J3 + I3 ) Jm (mod 2) and dim(CN CN ) dim(CN ) 2-rank(N N ) = 3m 4. Moreover, N N N = 0, so CA+I CN and hence CA+I CN CN and the result follows. 
For Steiner triple systems the problem has been raised (see [38]) whether or not non-isomorphic designs always give non-isomorphic codes CN . This is true for n 15. If dim(CA+I ) < n (the ST S (n) has subsystems) then CA+I = CN . Also the codes CA+I are mutually non-isomorphic. However, there exist examples of non-isomorphic strongly regular graphs with the parameters of the graph of an ST S (15), but with isomorphic codes CA+I of dimension 15 (see [24]). The binary codes of Latin squares have also been studied by Assmus [3]. He wonders if non-isomorphic Latin squares (regarded as nets of degree 3) give non-isomorphic codes CN . This is true for m 7. In particular if m = 4 the codes CN of the two Latin squares even have different dimension. However the codes CA+I of the graphs are isomorphic, because they correspond to the same 2-(16, 10, 6) design (see the end of Section 2.3). 3.4. Two-graph codes We briefly explain Seidel switching. For details we refer to [11] or [15]. Let = (V, E ) be a graph and let {V1 , V \ V1 } be a partition of V , then we define the result of switching


with respect to this partition to be the graph = (V, E ) whose edges are those edges of contained in V1 or V \ V1 together with the pairs {v1 , v2 }, with v1 ∈ V1 , v2 ∈ V \ V1 for which {v1 , v2 } ∉ E . The graphs and are said to be switching equivalent. It is not hard to check that switching defines an equivalence relation on graphs. An equivalence class is called a two-graph. Note that, if we switch with respect to the set of neighbors x of a vertex x, then x becomes an isolated vertex in . If we order the vertices in a suitable way then, in terms of the adjacency matrices A and A', Seidel switching comes down to

        ( A1    A12 )            ( A1         A12 + J )
    A = (           ),     A' =  (                    )    (mod 2).
        ( A12ᵀ  A2  )            ( A12ᵀ + J   A2      )

Suppose we switch with respect to a subset V1 of V with characteristic vector . Then we have CA + 1 + = CA + 1 + . Let us not worry about 1 and look at the codes CA+J = CA + 1 and CA +J . It is clear that if CA+J then CA +J CA+J . Suppose and both have an isolated vertex (not the same one) then is in CA+J and CA +J , hence CA+J = CA +J . So this code is independent of the isolated vertex and we will call it the two-graph code. Note that 1 CA (because of the isolated vertex), so dim(CA+J ) = dim(CA ) + 1 is odd. Assume is an SRG(v, k, , ) with k = 2 (or equivalently, k = 2rs). Extend with an isolated vertex x to (i.e. \{x} = ). If we switch in to , such that another vertex y becomes isolated, then it follows that = \ {y } is again a SRG(v, k, , ), but not necessarily isomorphic to . In this case the switching class of is called a regular two-graph and (and ) is the descendant of with respect to x (and y ). Clearly, the code CA of a descendant is the shortened code of the corresponding two-graph code. Regular two-graphs can produce interesting two-graph codes. For example the Paley graph is the descendant of a regular two-graph and the corresponding two-graph code is the extended quadratic residue code. For other interesting two-graph codes, see [14], [22] and [23]. If can be switched into a regular graph , then it follows that is strongly regular with the same r and s as , but with two possibilities for the valency: Either k = 2rs r or k = 2rs s (so r and s need to be integral). On the other hand, a strongly regular graph with degree 2rs r or 2rs s is in the switching class of a regular two-graph (so isolating a vertex yields a strongly regular graph with k = 2rs). For example the Shrikhande graph, L(4) and the complement of the Clebsch graph are switching equivalent. We observed already that these three graphs generate the same (6-dimensional) code. By isolating a vertex we get T (6) and the two-graph code is a 5-dimensional subspace of the L(4) code. 
The shortened code (with respect to any vertex) is the 4-dimensional code of T (6). Theorem 3.3 Suppose is a regular two-graph with eigenvalues r and s and two-graph code C . Suppose is a k -regular graph in (so is strongly regular) and let be the graph in with a given vertex x isolated (so switching in with respect to the neighbors x of x gives ). Let A and B be the adjacency matrices of and respectively, and let denote the characteristic vector of the switching set x . Then either

dim CA = dim CB = dim C 1 dim CA 2 = dim CB = dim C 1 1 CA 1 CA or CB CB CA+J = CA + 1 = CB + 1 = C CA+J = CA = CB + 1 + = C + . If k is even and r + s is odd, we are in the rst case. If k = 2 mod 4 and r + s is even, or k is odd, we are in the second case. Proof. The results follow from the fact that CA + 1 + = CB + 1 + , CA + 1 = CA+J , C = CB + 1 ,


and that dim CA and dim CB are even. Clearly 1 CB , 1 CA+J and CA . If 1 CA then CA = CA+J and CA = CB + 1 + , so CB is a proper subspace of CA and hence dim CA = dim CB + 2 and CB . On the other hand, if 1 CA , then must be a codeword of CB and dim CA = dim CB . Furthermore, CA+J =CA + 1 =CB + 1 = C. If k is even and r + s is odd, then = k + rs is even and = + r + s is odd. Now the rows of B corresponding to x add up to the characteristic vector of x . So CB and hence we are in the first case. It is clear that 1 CA if k is odd. Suppose k = 2 mod 4 and r + s is even. Then r and s are both even (since k = 2rs + s or 2rs + r). Let B be the adjacency matrix of the descendant = \ {x}. Then CB is self-orthogonal by 3.4.v . Moreover, the degree of is 2rs, which is divisible by 4, and hence all weights in CB and CB are divisible by 4. Therefore CB , so we are in the second case. For example, the last statement implies that 1 CA for an SRG(36, 14, 4, 6). If k is even and r + s is odd then C = CA+J . So, in this case, non-isomorphic switching equivalent strongly regular graphs give isomorphic codes of the form CA+J . Examples are given by the switching equivalent SRG(26, 10, 3, 4)s (see the next section). It is clear that if two two-graph codes are isomorphic then so are the codes of corresponding descendants. And vice versa, two descendants 1 and 2 with isomorphic codes CA1 = CA2 give isomorphic two-graph codes. Among the regular two-graphs on 36 vertices (r = 2, s = 4) there exist several non-isomorphic ones with isomorphic two-graph codes, therefore we also have non-isomorphic SRG(35, 16, 6, 8)s with isomorphic codes CA (see [24]). 3.5. Small cases In Table 1 we give the parameters of all primitive strongly regular graphs on at most 40 vertices (up to taking complements). We indicate how many non-isomorphic graphs there exist with the given parameters and, if k = 2 we give the number of corresponding non-isomorphic regular two-graphs. 
In the previous sections we have obtained the codes of several of these graphs. For the other parameters we refer to [24]. The mentioned paper also contains the weight enumerators of most of the codes. Here we restrict to the strongly regular graphs on 25 and 26 vertices, and the related regular two-graphs on 26 vertices. There are exactly four non-isomorphic regular two-graphs on 26 vertices with eigenvalues 2 and 3. Together they have fifteen SRG(25, 12, 5, 6)s (two from LS (5)s, one of which is the Paley graph) as a descendant and ten SRG(26, 15, 8, 9)s


Table 1.

no.  (v, k, λ, μ)    name              #graphs  #two-graphs   dim(C_A)     dim(C_A), complement
 1   (5, 2, 0, 1)    pentagon (Paley)        1        1            4               4
 2   (9, 4, 1, 2)    L(3)                    1        1            4               4
 3   (10, 3, 0, 1)   Petersen (T(5))         1                     6               4
 4   (13, 6, 2, 3)   Paley                   1        1           12              12
 5   (15, 6, 1, 3)   T(6)                    1                    14               4
 6   (16, 5, 0, 2)   Clebsch                 1                    16               6
 7   (16, 6, 2, 2)   L(4)                    2                     6              16
 8   (17, 8, 3, 4)   Paley                   1        1            8               8
 9   (21, 10, 3, 6)  T(7)                    1                    14               6
10   (25, 8, 3, 2)   L(5)                    1                     8              16
11   (25, 12, 5, 6)  LS(5)                  15        4           12              12
12   (26, 10, 3, 4)  STS(13)                10                    12              14
13   (27, 10, 1, 5)  Schläfli                1        1           26               6
14   (28, 12, 6, 4)  T(8)                    4                   6, 8             28
15   (29, 14, 6, 7)  Paley                  41        6           28              28
16   (35, 16, 6, 8)  STS(15)              3854      227        6, ..., 14         34
17   (36, 10, 4, 2)  L(6)                    1                    10              36
18   (36, 14, 4, 6)  HJsub                 180                 8, ..., 14         36
19   (36, 14, 7, 4)  T(9)                    1                     8              27
20   (36, 15, 6, 6)  LS(6)               32548                    36          6, ..., 16
21   (37, 18, 8, 9)  Paley                6760      191           36              36
22   (40, 12, 2, 4)  GQ(3, 3)               28                10, ..., 16         40

Table 2. Weight enumerators of the fifteen codes C_A (all of dimension 12) of the SRG(25, 12, 5, 6)s; columns are weights.

weight   0   4   6    8    10    12    14    16   18   20   22
         1   0  50  225   880  1225  1050   550  100   15    0
         1  10  37  279   712  1343  1140   432  124   15    3
         1  12  43  279   696  1331  1152   448  124    9    1
         1   4  54  213   868  1237  1062   546   96   15    0
         1   4  66  225   832  1201  1098   582   84    3    0
         1   3  51  213   876  1243  1056   538   96   18    1
         1   0  54  225   864  1225  1074   550   84   15    4
         1   6  32  291   728  1331  1122   436  132   15    2
         1   8  38  291   712  1319  1134   452  132    9    0
         1   7  39  295   708  1313  1140   456  128    8    1
         1   5  41  303   700  1301  1152   464  120    6    3
         1   7  35  291   720  1325  1128   444  132   12    1
         1   6  36  295   716  1319  1134   448  128   11    2
         1   7  35  291   720  1325  1128   444  132   12    1
         1   6  44  303   692  1295  1158   472  120    3    2

0 name ls11 st11 st12 ls21 ls22 st21 st22 st23 st24 st25 dim 14 14 14 14 14 14 14 14 14 14 26 1 1 1 1 1 1 1 1 1 1 13 13 4 4 8 8 8 8 8 24 14 10 26 22 26 10 22 4 22 5 21 10 6 20 65 52 52 69 69 47 47 47 47 47 7 19 190 130 130 190 190 130 130 130 130 130 8 18 325 403 403 309 309 423 423 423 423 423 9 17 740 884 788 724 740 780 796 780 844 796 10 16 1430 1144 1144 1414 1414 1164 1164 1164 1164 1164 11 15 1826 1950 1950 1826 1826 1950 1950 1950 1950 1950 12 14 2275 2483 2483 2299 2299 2453 2453 2453 2453 2453 2660 2264 2408 2684 2660 2420 2396 2420 2324 2396 13


(two from ST S (13)s) in the switching class, see [32] and [2]. The corresponding codes of the form CA have been generated and the weight enumerators are given in Table 2 and Table 3 (keeping the names and order from [32]; the lines give the partition into the four switching-equivalence classes (two-graphs)). All codes are non-isomorphic. In most cases this follows from the weight enumerator, but in some cases more information is needed; see [24]. It follows that also the four two-graph codes are non-isomorphic and by Theorem 3.3 we have that the ten graphs on 26 vertices give rise to just four non-isomorphic codes of the form CA+J (= CA + 1 ). In other words, by deleting the words of odd weight, the ten codes of length 26 collapse to the four two-graph codes.

4. Divisible Design Graphs In this section we generalize the concept of a (v, k, λ)-graph, and introduce graphs with the property that the neighborhood design is a divisible design. Definition 4.1 A k -regular graph is a divisible design graph (DDG for short) if the vertex set can be partitioned into m classes of size n, such that two distinct vertices from the same class have exactly λ1 common neighbors, and two vertices from different classes have exactly λ2 common neighbors.

Figure 2. A proper divisible design graph


For example the graph of Figure 2 (which is the strong product of K2 and C5 ) is a DDG with parameters (v, k, λ1 , λ2 , m, n) = (10, 5, 4, 2, 5, 2). Note that a DDG with m = 1, n = 1, or λ1 = λ2 is a (v, k, λ) graph. If this is the case, we call the DDG improper, otherwise it is called proper. The definition of a divisible design (often also called group divisible design) varies. We take the definition given in Bose [8]. Definition 4.2 An incidence structure with constant block size k is a (group) divisible design whenever the point set can be partitioned into m classes of size n, such that two points from one class occur together in λ1 blocks, and two points from different classes occur together in exactly λ2 blocks. A divisible design D is said to have the dual property if the dual of D (that is, the design with the transposed incidence matrix) is again a divisible design with the same parameters as D. From the definition of a DDG it is clear that the neighborhood design of a DDG is a divisible design D with the dual property. Conversely, a divisible design with a polarity with no absolute points is the neighborhood design of a DDG. A DDG is closely related to a strongly regular graph. It follows easily that a proper DDG is strongly regular if and only if the graph or the complement is mKn , the disjoint union of m complete graphs of size n. Deza graphs (see [19]) are k -regular graphs which are not strongly regular, and where the number of common neighbors of two distinct vertices takes just two values. So proper DDGs, which are not isomorphic to mKn or the complement, are Deza graphs. 4.1. Eigenvalues With the identity matrix Im of order m, and the n × n all-ones matrix Jn we define K = K(m,n) = Im ⊗ Jn = diag(Jn , . . . , Jn ). Then we easily have that a graph is a DDG with parameters (v, k, λ1 , λ2 , m, n) if and only if it has an adjacency matrix A that satisfies:

    A² = k Iv + λ1 (K(m,n) − Iv ) + λ2 (Jv − K(m,n) ).                                (1)

Clearly v = mn, and taking row sums on both sides of Equation (1) yields k² = k + λ1 (n − 1) + λ2 n(m − 1). So we are left with at most four independent parameters. Some obvious conditions are 1 ≤ k ≤ v − 1, 0 ≤ λ1 ≤ k, 0 ≤ λ2 ≤ k − 1. From Equation (1) strong information on the eigenvalues of A can be obtained. (Throughout we write eigenvalue multiplicities as exponents.) Lemma 4.1 The eigenvalues of the adjacency matrix of a DDG with parameters (v, k, λ1 , λ2 , m, n) are

    k^1,  (√(k − λ1))^{f1},  (−√(k − λ1))^{f2},  (√(k² − λ2 v))^{g1},  (−√(k² − λ2 v))^{g2}.


Proof. The eigenvalues of K(m,n) are {0^{m(n−1)} , n^m }. Because Iv , Jv and K(m,n) commute it is straightforward to compute the eigenvalues of A² from equation (1). They are {(k²)^1 , (k − λ1 )^{m(n−1)} , (k² − λ2 v )^{m−1} }, and must be the squares of the eigenvalues of A. Some of the multiplicities may be 0, and some values may coincide. In general, the multiplicities f1 , f2 , g1 and g2 are not determined by the parameters, but if we know one, we know them all because f1 + f2 = m(n − 1), g1 + g2 = m − 1, and

    trace A = 0 = k + (f1 − f2 )√(k − λ1 ) + (g1 − g2 )√(k² − λ2 v).                     (2)

This equation leads to the following result. Theorem 4.3 Consider a proper DDG with parameters (v, k, λ1 , λ2 , m, n), and eigenvalue multiplicities (f1 , f2 , g1 , g2 ). a. k − λ1 or k² − λ2 v is a nonzero square. b. If k − λ1 is not a square, then f1 = f2 = m(n − 1)/2. c. If k² − λ2 v is not a square, then g1 = g2 = (m − 1)/2. Proof. If one of k − λ1 and k² − λ2 v equals 0, then Equation (2) gives that the other one is a nonzero square. If k − λ1 and k² − λ2 v are both non-squares, it follows straightforwardly that the square-free parts of these numbers are equal non-squares, hence Equation (2) has no solution. The second and third statement are obvious consequences of Equation (2). If k − λ1 , or k² − λ2 v is not a square, the multiplicities (f1 , f2 , g1 , g2 ) can be computed from the parameters. The outcome must be a set of nonnegative integers. This gives a condition on the parameters, which is often referred to as the rationality condition. Only if k − λ1 and k² − λ2 v are both squares (that is, all eigenvalues of A are integers), the parameters do not determine the spectrum. Then 0 ≤ g1 ≤ m − 1, so there are at most m possibilities for the set of multiplicities. 4.2. The quotient matrix The vertex partition from the definition of a DDG gives a partition (which will be called the canonical partition) of the adjacency matrix

        ( A1,1  ...  A1,m )
    A = (  ...        ... ) .
        ( Am,1  ...  Am,m )

We shall see that the canonical partition is equitable, which means that each block Aij has constant row (and column) sum. For this, we introduce the v × m matrix S , whose columns are the characteristic vectors of the partition classes. Then S satisfies S = Im ⊗ 1n , SᵀS = n Im , S Sᵀ = K(m,n) ,
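As an added example (not code from the original chapter), the following checks Definition 4.1 and Equation (1) numerically on the graph of Figure 2 and on the DDGs that Construction 4.10 below produces from the two regular graphical Hadamard matrices of order 4, and computes the multiplicities of Lemma 4.1 in the cases where Theorem 4.3 fixes them. It assumes that the order-4 matrix with diagonal −1 and row sum −2 is 2P − J with P the reversal permutation.

```python
"""Divisible design graphs: checking Equation (1) on concrete examples.

Added example, not part of the original chapter.  It builds the DDG of
Figure 2 (strong product of K2 and C5) and the DDGs of Construction 4.10
from the two regular graphical Hadamard matrices of order 4, reads the
parameters (v, k, lambda1, lambda2, m, n) off A^2 and the partition, and
checks Equation (1) and k^2 = k + lambda1 (n-1) + lambda2 n (m-1).
Assumption of this example: the order-4 matrix with diagonal -1 and row
sum -2 is taken to be 2P - J, P the reversal permutation.
"""
from itertools import product
from math import isqrt

K2 = [[0, 1], [1, 0]]
C5 = [[int((s - t) % 5 in (1, 4)) for t in range(5)] for s in range(5)]
H_PLUS = [[1 - 2 * int(i == j) for j in range(4)] for i in range(4)]       # J - 2I, row sum 2
H_MINUS = [[2 * int(i + j == 3) - 1 for j in range(4)] for i in range(4)]  # 2P - J, row sum -2


def strong_product(A, B):
    """(A + I) kron (B + I) - I; vertex (i, s) gets index i * len(B) + s."""
    a, b = len(A), len(B)
    M = [[0] * (a * b) for _ in range(a * b)]
    for i, j, s, t in product(range(a), range(a), range(b), range(b)):
        if (i == j or A[i][j]) and (s == t or B[s][t]) and (i, s) != (j, t):
            M[i * b + s][j * b + t] = 1
    return M


def hadamard_ddg(H, n):
    """Construction 4.10: -1 -> J_n - I_n, +1 -> I_n; vertex (i, a) gets index i*n + a."""
    m = len(H)
    A = [[0] * (m * n) for _ in range(m * n)]
    for i, j, a, b in product(range(m), range(m), range(n), range(n)):
        A[i * n + a][j * n + b] = int(a != b) if H[i][j] == -1 else int(a == b)
    return A


def block_classes(m, n):
    """Canonical partition of m consecutive blocks of n vertices."""
    return [[i * n + a for a in range(n)] for i in range(m)]


def ddg_parameters(A, classes):
    """(v, k, lambda1, lambda2, m, n) if A with this partition is a DDG, else None.
    Off-diagonal entries of A^2 count common neighbours, so constancy inside and
    across classes is Equation (1): A^2 = k I + l1 (K - I) + l2 (J - K)."""
    v, m, n = len(A), len(classes), len(classes[0])
    if any(len(c) != n for c in classes) or sorted(sum(classes, [])) != list(range(v)):
        return None
    k = sum(A[0])
    if any(sum(row) != k for row in A) or any(A[i][i] for i in range(v)):
        return None
    cls = {x: c for c, members in enumerate(classes) for x in members}
    A2 = [[sum(A[i][t] * A[t][j] for t in range(v)) for j in range(v)] for i in range(v)]
    same = {A2[i][j] for i in range(v) for j in range(v) if i != j and cls[i] == cls[j]}
    diff = {A2[i][j] for i in range(v) for j in range(v) if cls[i] != cls[j]}
    if len(same) > 1 or len(diff) > 1:
        return None
    l1 = next(iter(same), next(iter(diff), 0))  # n = 1: no pairs inside a class
    l2 = next(iter(diff), l1)                    # m = 1: no pairs across classes
    if k * k != k + l1 * (n - 1) + l2 * n * (m - 1):  # row sums of Equation (1)
        return None
    return (v, k, l1, l2, m, n)


def is_proper(params):
    """Improper DDGs (m = 1, n = 1 or lambda1 = lambda2) are (v, k, lambda) graphs."""
    v, k, l1, l2, m, n = params
    return m > 1 and n > 1 and l1 != l2


def multiplicities(v, k, l1, l2, m, n):
    """(f1, f2, g1, g2) of Lemma 4.1 when Theorem 4.3 fixes them: f1 + f2 = m(n-1)
    for +-sqrt(k - l1), g1 + g2 = m - 1 for +-sqrt(k^2 - l2 v).  None if both
    radicands are squares; ValueError if the rationality condition fails."""
    a, b = k - l1, k * k - l2 * v
    square = lambda x: x >= 0 and isqrt(x) ** 2 == x
    if square(a) and square(b):
        return None
    if not square(a) and not square(b):
        raise ValueError("Theorem 4.3a: one of k - l1, k^2 - l2 v must be a square")
    # The non-square radicand gets equal multiplicities (Theorem 4.3b/c); then
    # trace A = 0 = k + (x1 - x2) * root fixes the difference of the other pair.
    equal_total, free_total, root = ((m - 1, m * (n - 1), isqrt(a)) if square(a)
                                     else (m * (n - 1), m - 1, isqrt(b)))
    if equal_total % 2 or root == 0 or k % root:
        raise ValueError("rationality condition fails")
    p = equal_total // 2
    d = -k // root
    if (free_total + d) % 2 or -d > free_total:
        raise ValueError("rationality condition fails")
    x1, x2 = (free_total + d) // 2, (free_total - d) // 2
    return (x1, x2, p, p) if square(a) else (p, p, x1, x2)


if __name__ == "__main__":
    print("Figure 2:", ddg_parameters(strong_product(K2, C5), [[s, 5 + s] for s in range(5)]))
    for H, n in ((H_PLUS, 4), (H_MINUS, 2), (H_MINUS, 3)):
        params = ddg_parameters(hadamard_ddg(H, n), block_classes(4, n))
        print(params, "proper" if is_proper(params) else "improper")
    print("multiplicities of Figure 2:", multiplicities(10, 5, 4, 2, 5, 2))
```

With J − 2I and n = 4 the construction returns (16, 6, 2, 2, 4, 4), the improper case (the lattice graph L(4)) mentioned after Construction 4.10; for Figure 2 the multiplicities come out as (0, 5, 2, 2), i.e. spectrum 5, (−1)^5, (±√5)^2.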


where 1n denotes the all-ones vector with n entries. Next we define R = (1/n) Sᵀ A S , which means that each entry rij of R is the average row sum of Aij . We will call R the quotient matrix of A.

Theorem 4.4 The canonical partition of the adjacency matrix of a proper DDG is equitable, and the quotient matrix R satisfies R² = R Rᵀ = (k² − λ2 v ) Im + λ2 n Jm . The eigenvalues of R are

    k^1,  (√(k² − λ2 v))^{g1},  (−√(k² − λ2 v))^{g2}.

Proof. Equation (1) gives (λ1 − λ2 ) K(m,n) = A² − λ2 Jv − (k − λ1 ) Iv . Clearly A commutes with the right hand side of this equation and therefore with K(m,n) . Thus A S Sᵀ = S Sᵀ A. Using this we find:

    S R = (1/n) S Sᵀ A S = (1/n) A S Sᵀ S = A S,

    R² = (1/n²) Sᵀ A S Sᵀ A S = (1/n) Sᵀ A² S = (k² − λ2 v ) Im + λ2 n Jm ,

where in the last step we used k² = k + λ1 (n − 1) + λ2 n(m − 1). From the formula for R² it follows that R has eigenvalues ±√(k² − λ2 v ), whose multiplicities add up to m − 1. If v is an eigenvector of R, then Sv is an eigenvector of A for the same eigenvalue. Therefore the multiplicity of an eigenvalue ±√(k² − λ2 v ) of R is at most equal to the multiplicity of the same eigenvalue of A. This implies that the multiplicities are the same. The above lemma can easily be generalized to divisible designs with the dual property. This more general version of the lemma is due to Bose [8] (who gave a much longer proof). If one wants to construct a DDG with a given set of parameters, one first tries to construct a feasible quotient matrix. For this the following straightforward properties of R can be helpful: Proposition 4.1 The quotient matrix R of a DDG satisfies

    Σ_i (R)i,j = k  for j = 1, . . . , m,
    Σ_{i,j} (R)²_{i,j} = trace(R²) = m k² − (m − 1) λ2 v,
    0 ≤ trace(R) = k + (g1 − g2 )√(k² − λ2 v ) ≤ m(n − 1).

In some cases these conditions lead to nonexistence or limited possibilities for R. Proposition 4.2 If m = 3 and k² − λ2 v is not a square, then the following system of equations has an integral solution.

    X + Y + Z = k,
    X² + Y² + Z² = k² − 2λ2 v/3,
    X³ + Y³ + Z³ = 3XYZ + k (k² − λ2 v ).


Proof. The quotient matrix R is a symmetric 3 × 3 matrix with all row and column sums equal to k and, since k² − λ2 v is not a square, also trace(R) = k . This implies

        ( X  Y  Z )
    R = ( Y  Z  X ) ,
        ( Z  X  Y )

so trace(R²) = 3(X² + Y² + Z²) = k² + 2(k² − λ2 v ). The third equation comes from det R = −k (k² − λ2 v ). For example a DDG with parameters (21, 12, 8, 6, 3, 7) does not exist because X² + Y² + Z² = 60 has no integral solution. Note that Construction 4.11 gives infinitely many DDGs that satisfy the condition of the above proposition. Proposition 4.3 There exists no DDG for the parameter sets (14, 10, 6, 7, 7, 2), and (20, 11, 2, 6, 10, 2). Proof. In both cases n = 2, so trace R ≤ m. For the first parameter set this gives a contradiction, because trace R = k = 10 and m = 7. For the second parameter set, Theorem 4.5 implies that R = J + P for some symmetric permutation matrix P . Therefore trace R = 10, P has zero diagonal, and the spectrum of R is {11, 1^4 , (−1)^5 }. This implies that the adjacency matrix has eigenvalues 11, 3^{f1} , (−3)^{f2} , 1^4 and (−1)^5 where f1 + f2 = 10. This is impossible. The following result is essentially due to Bose [8] (though his formulation is different). Theorem 4.5 Consider a DDG with parameters (v, k, λ1 , λ2 , m, n). Write k = mt + k0 for some integers t and k0 with 0 ≤ k0 ≤ m − 1. Then the entries of R take exactly one, or two consecutive values if and only if

    k0² − m k0 − k² + k m + λ1 m(n − 1) = 0 .

If this is the case then R = tJ + N , where N is the incidence matrix of a (possibly degenerate) (m, k0 , λ0 ) design with a polarity. Proof. If each entry of R equals t or t + 1, then in each row k0 entries are equal to t + 1 and m − k0 entries are equal to t (because the row sums of R are k ). Therefore,

    m k0 (t + 1)² + m t² (m − k0 ) = trace(R²) = m k² − (m − 1) λ2 v,

which leads to k0² − m k0 − k² + k m + λ1 m(n − 1) = 0. Conversely, if the equation holds, then a matrix R with k0 entries t + 1 in each row, and all other entries equal to t satisfies the conditions of Proposition 4.1. Moreover, any other solution to these equations has the same properties. (Indeed changing some entries to integer values different from t and t + 1, such that the sum of the entries remains the same, increases the sum of the squares of the entries). Suppose R = tJ + N for some incidence structure N , then N = Nᵀ, and Theorem 4.4 implies that N² ∈ Span {J, I }, therefore N is the incidence matrix of a (m, k0 , λ0 ) design.

Note that the number of absolute points of the polarity equals trace N = trace R − m t = k + (g1 − g2 )√(k² − λ2 v ) − m t, which is equal to k − m t = k0 if k² − λ2 v is not a square.


4.3. Constructions In this section we present some constructions of DDGs. 4.3.1. (v, k, ) graphs and designs We recall that the incidence graph of a design with incidence matrix N is the bipartite graph with adjacency matrix O N N O .

Construction 4.6 The incidence graph of an (n, k, 1 ) design with 1 < k n is a proper DDG with 2 = 0. Construction 4.7 The disconnected graph for which each component is an (n, k, 1 ) graph (1 < k < n), or the incidence graph of an (n, k, 1 ) design (1 < k n), is a proper DDG with 2 = 0. Proposition 4.4 For a proper DDG the following are equivalent. a. comes from Construction 4.6, or 4.7. b. is bipartite or disconnected. c. 2 = 0. Proof. It is clear that a bipartite or disconnected DDG has 2 = 0. Assume is a DDG with 2 = 0. Then in every block row of the canonical partition of the adjacency matrix there is exactly one nonzero block (otherwise the neighborhood of a vertex contains vertices in different blocks which contradicts 2 = 0), and each nonzero block is the incidence matrix of a (n, k, 1 ) design. If such a block is on the diagonal it is the adjacency matrix of a (n, k, 1 ) graph with 1 < k < n. If it is not on the diagonal the transposed block is on the transposed position, and together they make the bipartite incidence graph of a (n, k, 1 ) design with 1 < k n. Construction 4.8 If A is the adjacency matrix of a (m, k , ) graph (1 k < m), then A Jn is the adjacency matrix of a proper DDG with k = 1 = nk , 2 = n . Proposition 4.5 For a proper DDG the following are equivalent. a. comes from Construction 4.8. b. The adjacency matrix of can be written as A Jn for some m m matrix A . c. 1 = k . Proof. The only nontrivial claim is that c implies a. Assume is a DDG with k = 1 . Then any two rows of the adjacency matrix belonging to the same class are identical. Since the blocks have constant row and column sum this implies that all blocks have only ones, or only zeros. Therefore the adjacency matrix has the form A Jn , where A is a symmetric (0, 1)-matrix with zero diagonal and row sum k/n. Moreover, any two distinct rows of A have inner product 2 /n. Therefore A is the adjacency matrix of a (m, k , ) graph.


Construction 4.9 Let A1 , . . . , Am (m ≥ 2) be the adjacency matrices of m (n, k', λ') graphs with 0 ≤ k' ≤ n − 2. Then A = J − K + diag(A1 , . . . , Am ) is the adjacency matrix of a proper DDG with k = k' + n(m − 1), λ1 = λ' + n(m − 1), λ2 = 2k − v . Proposition 4.6 For a proper DDG the following are equivalent. a. comes from Construction 4.9. b. The complement of is disconnected. c. λ2 = 2k − v . Proof. Let x and y be two vertices of . Simple counting gives that the number of common neighbors is at least 2k − v , and equality implies that x and y are adjacent. So, if λ2 = 2k − v , then two vertices from different classes are adjacent, and hence the complement is disconnected. Conversely, suppose is a DDG with disconnected complement G (say). Let x and y be vertices in different components of G. Then x and y have no common neighbors in G, and hence x and y are adjacent vertices in with 2k − v common neighbors. Therefore λ2 = 2k − v , and all vertices from different classes are adjacent. Finally, equivalence of a and b is straightforward. Note that in the above constructions the used (v, k, λ) graphs and designs may be degenerate. This means that the above constructions include the k -regular complete bipartite graph (k ≥ 2), the (k + 1)-regular complete bipartite graph minus a perfect matching (k ≥ 2), the disjoint union of m complete graphs Kn (m ≥ 2, n ≥ 3), the complete m-partite graph with parts of size n (m ≥ 2, n ≥ 2), and the complete m-partite graphs with parts of size n extended with a perfect matching of the complement (m ≥ 2, n ≥ 4, n even). So these DDGs exist in abundance, and we'll call them trivial. 4.3.2. Hadamard matrices Construction 4.10 Consider a regular graphical Hadamard matrix H of order m ≥ 4 and row sum ℓ = ±√m. Let n ≥ 2. Replace each entry with value −1 by Jn − In , and each +1 by In , then we obtain the adjacency matrix of a DDG with parameters (mn, n(m − ℓ)/2 + ℓ, (n − 2)(m − ℓ)/2, n(m − 2ℓ)/4 + ℓ, m, n). In terms of the adjacency matrix the construction becomes: H ⊗ In + ½ (J − H ) ⊗ Jn . 
Using this, it is straightforward to check that Equation (1) is satisfied. We recall (see Section 2.3) the two regular graphical Hadamard matrices of order 4: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 and 1 1 1 1 . 1 1 1 1 1 1 1 1 For the first one, the DDG is the 4 × n grid, that is, the line graph of K4,n . The second one gives DDGs with parameters (4n, 3n − 2, 3n − 6, 2n − 2, 4, n); for n = 2 this is the complement of the cube. The DDGs of Construction 4.10 are improper whenever λ1 = λ2 , which is the case if and only if n = 4.


2

Construction 4.11 Consider a regular graphical Hadamard matrix H of order with diagonal entries 1 and row sum . The graph with adjacency matrix M N O A = N O M , where O M N M= 1 J +H J +H 2 J +H J +H , and N =

2

1 J +H J H 2 J H J +H

2

+ ,

+ ,(

+ )/2, 3, 2 2 ).

For the two Hadamard matrices presented above, this leads to DDGs with parameters (24, 10, 6, 3, 3, 8) and (24, 6, 2, 1, 3, 8), respectively. 4.3.3. Divisible designs Here we examine known constructions of divisible designs that admit a symmetric incidence matrix with zero diagonal, and therefore correspond to DDGs. Clearly, we can restrict ourselves to divisible designs with the dual property. Many constructions for these kinds of designs come from divisible difference sets. Such a construction uses a group G of order v = mn, together with a subset of G of order k , called the base block. The blocks of the design are the images of the base block under the group operation. Thus we obtain v blocks of size k (blocks may be repeated). This construction gives a divisible design if the group G has a normal subgroup N of order n and the base block is a so called divisible difference set relative to N . It follows from the construction that such a divisible design has the dual property. Moreover, one can order the points and blocks such that the incidence matrix becomes symmetric, and it is also easy to find an ordering that gives a zero diagonal. The problem is to find an ordering that simultaneously provides a symmetric matrix and a zero diagonal. Such an ordering is not always possible. For having a symmetric incidence matrix with zero diagonal, the divisible difference set should be reversible (or equivalently, it must have a strong multiplier −1). Several reversible relative difference sets are known. For example, for the group G = C5 × S2 = {1, a, a2 , a3 , a4 } × {1, b} the base block {(1, b), (a, 1), (a, b), (a4 , 1), (a4 , b)} is a reversible difference set relative to N = S2 , and hence gives a DDG. This DDG is the one given in Figure 2. In fact, several of the examples constructed so far can also be made with a reversible divisible difference set. These include all trivial examples and some of the ones from Construction 4.10. 
For more examples and information on reversible difference sets we refer to [1]. Another useful result on divisible designs is the construction and characterization of divisible designs with k 1 = 1 given in [20]. We recall that the strong product of two graphs with adjacency matrices A and B , is the graph with adjacency matrix (A + I ) (B + I ) I . Construction 4.12 Let be a strongly regular graph with parameters (m, k , , + 1). Then the strong product of K2 with is a DDG with n = 2, 1 = k 1 = 2k and 2 = 2 + 2.


Checking the correctness of the construction is straightforward. There exist infinitely many strongly regular graphs with the required property. For example the Paley graphs. But there are infinitely many others. It easily follows that the complement of a strongly regular graph with μ − λ = 1 has the same property. Thus we can get two DDGs from one strongly regular graph with μ − λ = 1, unless the strongly regular graph is isomorphic to the complement (which is the case for the Paley graphs). For example the Petersen graph and its complement lead to DDGs with parameters (v, k, λ1 , λ2 , m, n) = (20, 7, 6, 2, 10, 2) and (20, 13, 12, 8, 10, 2), respectively. The pentagon, which is a strongly regular graph with parameters (5, 2, 0, 1), leads once more to the example of Figure 2. In fact, several graphs coming from Construction 4.12 can also be constructed by use of a reversible divisible difference set. This includes all Paley graphs. Theorem 4.13 Let be a nontrivial proper DDG, then comes from Construction 4.12 if and only if k − λ1 = 1. Proof. Assume is a DDG with k − λ1 = 1. According to [20] the neighborhood design D, or its complement has incidence matrix N = (A ⊗ Jn ) + Iv , where one of the following holds: (i) J − 2A is the core of a skew-symmetric Hadamard matrix (this means that A + Aᵀ = J − I , and 4AAᵀ = (v + 1)I + (v − 3)J ). (ii) n = 2, and A is the adjacency matrix of a strongly regular graph with μ − λ = 1, or (iii) A = O, or A = J − I . Case iii and its complement correspond to trivial DDGs. Case ii corresponds to Construction 4.12 (note that N has no zero diagonal, but interchanging the two rows in each class gives N the required property). Also the complement of Case ii corresponds to Construction 4.12. Indeed, Jv − N = Jv − (A ⊗ J2 ) − Iv = (Jm − A) ⊗ J2 − Iv , where A, and therefore also Jm − A − Im is the adjacency matrix of a strongly regular graph with μ − λ = 1. Finally we will show that Case i is not possible for a DDG. 
Suppose P N = P (A ⊗ J ) + P , or P (J − N ), is symmetric with zero diagonal for some permutation matrix P , then P is symmetric and preserves the block structure. The quotient matrix Q of P is a symmetric permutation matrix such that QA is symmetric with zero diagonal. We have A + Aᵀ = J − I , so J − Q = AQ + AᵀQ = AQ + QA, and therefore trace(J − Q) = 2 trace(QA) = 0, so Q = I , a contradiction. 4.3.4. Partial complements The complement of a DDG is almost never a DDG again. If the partition classes are the same, then only the complete multipartite graph and its complement have this property. The cube (which is a bipartite DDG with two classes) and its complement (which is a DDG with four classes) is an example where the canonical partitions differ. However, if we only take the complement of the off-diagonal blocks it is more often the case that we get a DDG again. We call this the partial complement of the DDG. We have seen one such example in Construction 4.12, where the partial complement can be constructed in the same way, and hence produces no new examples. The following idea however can give new examples. Proposition 4.7 The partial complement of a proper DDG is again a DDG if one of the following holds: a. The quotient matrix R equals t(J − I ) for some t ∈ {1, . . . , n − 1}. b. m = 2.


Proof. We use Equation 1. In Case a, the partial complement has adjacency matrix Ā = J − K − A. In Section 4.2 we saw that AK = KA = ASSᵀ = SRSᵀ. Since R = t(J − I) this implies AK ∈ Span{J, K}. Therefore Ā² ∈ Span{I, J, K}, and Ā represents a DDG. In Case b, the vertices can be ordered such that the partial complement has adjacency matrix Ā = J − K + DAD, where D = diag(1, …, 1, −1, …, −1). The quotient matrix R is a symmetric 2 × 2 matrix with constant row sum, hence R ∈ Span{I₂, J₂}, and therefore AK = SRSᵀ ∈ Span{K_{2,n}, J_v}, and also DADK = DAKD ∈ Span{K_{2,n}, J_v}. Moreover, (DAD)² = DA²D ∈ Span{I_v, J_v, K_{2,n}}, and hence Ā² ∈ Span{I, J, K}, which proves our claim.

Taking partial complements often gives improper DDGs. Conversely, the arguments also work if is an improper DDG (that is, is a (v, k, ) graph), provided admits a nontrivial equitable partition that satisfies a or b. An equitable partition of a (v, k, ) graph that satisfies a is a so-called Hoffman coloring (see [25]). Note that the diagonal blocks are zero, so the partition corresponds to a vertex coloring. Thus we have:

Construction 4.14 Let be a (v, k, ) graph. If has a Hoffman coloring, or an equitable partition into two parts of equal size, then the partial complement is a DDG.

Also this construction can give improper DDGs, but in many cases the DDG is proper. For example, there exists a strongly regular graph with parameters (v, k, , ) = (40, 12, 2, 4) with a so-called spread, which is a partition of the vertex set into cliques of size 4 (see [25]). The complement of is a (40, 27, 18) graph, and the spread of is a Hoffman coloring in the complement. The partial complement is with the edges of the cliques of the spread removed. This gives a DDG with parameters (40, 9, 0, 2, 10, 4). By taking the union of five classes in this Hoffman coloring, we obtain an equitable partition into two parts of size 20. The partial complement with respect to this partition gives a DDG with parameters (40, 17, 8, 6, 2, 20).
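The Petersen example of Theorem 4.13 and the partial complement of Section 4.3.4, worked by machine. The Python below is an added example, not code from the paper: it builds the graph described in the proof of Theorem 4.13 (N = (A ⊗ J_2) + I_v with the two rows of each class interchanged, i.e. adjacency matrix A ⊗ J_2 + I_m ⊗ (J_2 − I_2)) from a strongly regular graph A, reads off the DDG parameters (v, k, λ1, λ2, m, n) by checking that every pair of vertices has λ1 or λ2 common neighbours according to whether it lies inside one class or not, and checks that the partial complement of the Petersen DDG is the DDG built from the complementary strongly regular graph, as the text states. The function names (petersen, ddg_from_srg, ddg_params, partial_complement) are the example's own.

```python
"""Added example, not code from the paper: build the DDG that the proof of
Theorem 4.13 describes (N = (A ⊗ J_2) + I_v with the two rows of each class
interchanged, i.e. adjacency matrix A ⊗ J_2 + I_m ⊗ (J_2 − I_2)) from a
strongly regular graph A, read off its parameters (v, k, λ1, λ2, m, n), and
take the partial complement of Section 4.3.4.  Pure Python, no numpy."""
from itertools import combinations


def petersen():
    """Adjacency matrix of the Petersen graph: vertices are the 2-subsets of
    {0,..,4}, adjacent exactly when disjoint (strongly regular (10,3,0,1))."""
    verts = list(combinations(range(5), 2))
    return [[int(not set(a) & set(b)) for b in verts] for a in verts]


def cycle(v):
    """Adjacency matrix of the v-cycle; v = 5 is the pentagon, srg(5,2,0,1)."""
    return [[int((i - j) % v in (1, v - 1)) for j in range(v)] for i in range(v)]


def complement(A):
    """Adjacency matrix J − I − A of the complementary graph."""
    v = len(A)
    return [[0 if i == j else 1 - A[i][j] for j in range(v)] for i in range(v)]


def common_neighbours(A, i, j):
    return sum(A[i][x] * A[j][x] for x in range(len(A)))


def srg_params(A):
    """(v, k, λ, μ) if A is strongly regular, otherwise None."""
    v, k = len(A), sum(A[0])
    if any(sum(row) != k for row in A):
        return None
    seen = {1: set(), 0: set()}          # adjacent pairs / non-adjacent pairs
    for i, j in combinations(range(v), 2):
        seen[A[i][j]].add(common_neighbours(A, i, j))
    if len(seen[1]) != 1 or len(seen[0]) != 1:
        return None
    return (v, k, seen[1].pop(), seen[0].pop())


def ddg_from_srg(A):
    """Graph on pairs (u, a), u a vertex of A, a in {0,1}: (u,a) ~ (w,b) iff
    u ~ w in A, or u = w and a != b.  Vertex (u, a) gets index 2u + a, so
    class u occupies rows 2u and 2u + 1."""
    m = len(A)
    B = [[0] * (2 * m) for _ in range(2 * m)]
    for u in range(m):
        for w in range(m):
            for a in range(2):
                for b in range(2):
                    if (u != w and A[u][w]) or (u == w and a != b):
                        B[2 * u + a][2 * w + b] = 1
    return B


def ddg_params(B, classes):
    """(v, k, λ1, λ2, m, n) if B, with the given partition into classes of
    equal size, is a divisible design graph (two vertices have λ1 common
    neighbours inside a class, λ2 across classes); otherwise None."""
    v, k = len(B), sum(B[0])
    n = len(classes[0])
    if any(sum(row) != k for row in B) or any(len(c) != n for c in classes):
        return None
    cls = {x: idx for idx, c in enumerate(classes) for x in c}
    seen = {True: set(), False: set()}   # same class / different class
    for i, j in combinations(range(v), 2):
        seen[cls[i] == cls[j]].add(common_neighbours(B, i, j))
    if len(seen[True]) != 1 or len(seen[False]) != 1:
        return None
    return (v, k, seen[True].pop(), seen[False].pop(), len(classes), n)


def partial_complement(B, classes):
    """Complement only the off-diagonal blocks; diagonal blocks unchanged."""
    cls = {x: idx for idx, c in enumerate(classes) for x in c}
    v = len(B)
    return [[B[i][j] if cls[i] == cls[j] else 1 - B[i][j]
             for j in range(v)] for i in range(v)]


def pair_classes(m):
    """The canonical partition of ddg_from_srg: class u = {2u, 2u + 1}."""
    return [[2 * u, 2 * u + 1] for u in range(m)]
```

Running ddg_params on the graph built from the Petersen graph returns (20, 7, 6, 2, 10, 2), from its complement (20, 13, 12, 8, 10, 2), and the partial complement of the first equals the second; the same routine applied to the pentagon gives the example's own parameters (10, 5, 4, 2, 5, 2), which the page does not list.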

References

[1] K.T. Arasu, D. Jungnickel and A. Pott, Divisible difference sets with multiplier −1, J. Algebra 133 (1990), 35-62.
[2] V.L. Arlazarov, A.A. Lehman and M.Z. Rosenfeld, Computer-aided construction and analysis of graphs with 25, 26 and 29 vertices, Institute of Control Problems, Moscow, 1975.
[3] E.F. Assmus Jr. and A.A. Drisko, Binary codes of odd-order nets, Designs, Codes and Cryptography 17 (1999), 15-36.
[4] E.F. Assmus Jr. and J.D. Key, Designs and their codes, Cambridge Tracts in Mathematics 103, Cambridge Univ. Press, 1992.
[5] E.F. Assmus Jr. and J.D. Key, Designs and Codes: An Update, Designs, Codes and Cryptography 9 (1996), 7-27.
[6] T. Beth, D. Jungnickel and H. Lenz, Design Theory, Cambridge Univ. Press, 2nd ed., 1999.
[7] N.L. Biggs, Algebraic Graph Theory, Cambridge Tracts in Mathematics 67, Cambridge Univ. Press, Cambridge, 1974.
[8] R.C. Bose, Symmetric group divisible designs with the dual property, J. Stat. Planning and Inference 1 (1977), 87-101.
[9] A.E. Brouwer and C.A. van Eijl, On the p-Rank of the Adjacency Matrices of Strongly Regular Graphs, J. Algebraic Combin. 1 (1992), 329-346.
[10] A.E. Brouwer and W.H. Haemers, Association schemes, in: Handbook of Combinatorics, R. Graham, M. Grötschel and L. Lovász (Eds.), Elsevier Science B.V., pp. 747-771.
[11] A.E. Brouwer and W.H. Haemers, Graph Spectra, http://homepages.cwi.nl/~aeb/math/ipm.pdf
[12] A.E. Brouwer and J.H. van Lint, Strongly regular graphs and partial geometries, in: Enumeration and Designs, Proc. Silver Jubilee Conf. on Combinatorics, Waterloo 1982, D.M. Jackson and S.A. Vanstone (Eds.), Academic Press, Toronto, pp. 85-122.
[13] A.E. Brouwer and H.A. Wilbrink, Block Designs, Chap. 8 in: Handbook of Incidence Geometry, Buildings and Foundations, F. Buekenhout (Ed.), North-Holland, 1995, pp. 349-382.
[14] A.E. Brouwer, H.A. Wilbrink and W.H. Haemers, Some 2-ranks, Discrete Math. 106/107 (1992), 83-92.
[15] P.J. Cameron and J.H. van Lint, Designs, graphs, codes and their links, Cambridge University Press, 1991.
[16] C.J. Colbourn and J.H. Dinitz (Eds.), Handbook of Combinatorial Designs, second edition, Chapman & Hall/CRC Press, Boca Raton, 2007.
[17] Ph. Delsarte, J.-M. Goethals and J.J. Seidel, Bounds for systems of lines and Jacobi polynomials, Philips Res. Reports 30 (1975), 91-105.
[18] J. Doyen, X. Hubaut and M. Vandensavel, Ranks of Incidence Matrices of Steiner Triple Systems, Math. Z. 163 (1978), 251-259.
[19] M. Ericson, S. Fernando, W.H. Haemers, D. Hardy and J. Hemmeter, Deza graphs: A generalization of strongly regular graphs, J. Combin. Designs 7 (1999), 395-405.
[20] W.H. Haemers, Divisible designs with r − λ1 = 1, J. Combin. Theory Ser. A 57 (1991), 316-319.
[21] W.H. Haemers, H. Kharaghani and M.A. Meulenberg, Divisible design graphs, CentER Discussion Paper Series Nr. 2010-19, Tilburg University, 2010.
[22] W.H. Haemers and E. Kuijken, The Hermitian two-graph and its code, Linear Alg. Appl. 356 (2002), 79-93.
[23] W.H. Haemers, C. Parker, V. Pless and V.D. Tonchev, A Design and a Code Invariant under the Simple Group Co3, J. Combin. Theory Ser. A 62 (1993), 225-233.
[24] W.H. Haemers, R. Peeters and J.M. van Rijckevorsel, Binary codes of strongly regular graphs, Designs, Codes and Cryptography 17 (1999), 187-209.
[25] W.H. Haemers and V.D. Tonchev, Spreads in strongly regular graphs, Designs, Codes and Cryptography 8 (1996), 145-157.
[26] W.H. Haemers and Q. Xiang, Strongly regular graphs with parameters (4m⁴, 2m⁴ + m², m⁴ + m², m⁴ + m²) exist for all m > 1, European J. Combin., to appear.
[27] A.J. Hoffman and R.R. Singleton, On Moore graphs with diameter 2 and 3, IBM J. Res. Develop. 4 (1960), 497-504.
[28] X. Hubaut, Strongly regular graphs, Discrete Math. 13 (1975), 357-381.
[29] J. MacWilliams and N. Sloane, The Theory of Error-Correcting Codes, North-Holland Mathematical Library, 1977.
[30] B. McKay and E. Spence, The Classification of Regular Two-graphs on 36 and 38 vertices, Australas. J. Combin. 24 (2001), 293-300.
[31] G.E. Moorhouse, Bruck Nets, Codes, and Characters of Loops, Designs, Codes and Cryptography 1 (1991), 7-29.
[32] A.J.L. Paulus, Conference Matrices and Graphs of Order 26, T.H.-Report 73-WSK-06, 1973.
[33] R. Peeters, Ranks and Structure of Graphs, dissertation, Tilburg University, 1995.
[34] A. Rudvalis, (v, k, λ)-graphs and polarities of (v, k, λ)-designs, Math. Z. 120 (1971), 224-230.
[35] L.L. Scott Jr., A condition on Higman's parameters, Notices Amer. Math. Soc. 20, A-97 (1973), 701-20-45.
[36] J.J. Seidel, Strongly regular graphs, in: Surveys in Combinatorics, Proc. 7th British Combinatorial Conf., LMS Lecture Note Series 38, B. Bollobás (Ed.), Cambridge Univ. Press, Cambridge, 1979, pp. 157-180.
[37] E. Spence, Regular two-graphs on 36 vertices, Linear Alg. Appl. 226-228 (1995), 459-497.
[38] V.D. Tonchev, Binary codes derived from the Hoffman-Singleton and Higman-Sims graphs, IEEE Trans. Inform. Theory 43 (1997), 1021-1025.
[39] D. West, Introduction to Graph Theory, 2nd ed., Prentice Hall, 2001.


Information Security, Coding Theory and Related Combinatorics
D. Crnković and V. Tonchev (Eds.)
IOS Press, 2011
© 2011 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-663-8-278

Clement LAM Department of Computer Science and Software Engineering, Concordia University, Montreal, Quebec, Canada

Abstract. The theory of error-correcting codes is a vast and fast-moving area with many open problems. The objective of this paper is to survey where the current boundaries of knowledge are in a few selected areas, by listing the smallest unsolved cases. Our hope is that these lists will motivate further computational work to move these boundaries.
Keywords. error-correcting code, self-dual

Introduction

We start with the basic definitions. For a detailed introduction to the subject, please consult the standard references, such as [2,11,17]. A code C of length n over an alphabet Q of size q is a subset C ⊆ Qⁿ, where Qⁿ is the set of all n-tuples with entries from Q. We will assume that 0 ∈ Q. A code is binary if q = 2, ternary if q = 3, and quaternary if q = 4. For q > 4, we will just call them q-ary codes. The elements of a code C are called codewords. If x, y ∈ Qⁿ, then the Hamming distance d(x, y) is defined by d(x, y) = |{i | x_i ≠ y_i}|, where x = (x1, …, xn) and y = (y1, …, yn). The distance distribution of a code C is given by the sequence (A_i)_{i=0}^{n}, where

A_i = \frac{1}{|C|} \,\bigl|\{(x, y) \mid x, y \in C,\ d(x, y) = i\}\bigr|.

The Hamming weight of a codeword x is w(x) = d(x, 0), where 0 = (0, …, 0). Beside the Hamming distance, there is also the Lee distance. If Q = {0, …, q − 1}, the Lee weight of i is defined by w_L(i) = min{i, q − i}, the Lee weight of x = (x1, …, xn) is

w_L(x) = \sum_{i=1}^{n} w_L(x_i),

and the Lee distance of codewords x and y is defined by d_L(x, y) = w_L(x − y). In this paper, the unqualified words weight and distance refer to the Hamming weight and distance. When we refer to the Lee weight and distance, it is always qualified. A code is nontrivial if |C| > 1. The minimum distance d of a nontrivial code C is min{d(x, y) | x, y ∈ C, x ≠ y}. A code is e-error correcting if its minimum distance d is at least 2e + 1. If Q is a group and C is a subgroup of Qⁿ, then C is a group code. Group codes over nonabelian groups are asymptotically bad and not interesting [13]. However, there are many interesting abelian group codes. In particular, when Q is a finite field F_q and C is closed under vector addition, we have an additive code. If C is also closed under scalar multiplication, then it is a linear subspace of F_qⁿ, and C is a linear code. Given two codes, it is natural to ask whether they are equivalent. For binary codes, it suffices to define two codes as isomorphic if one can be obtained from the other by a permutation of the coordinates only. Isomorphic codes are sometimes said to be permutation equivalent [11, p. 20] or permutationally isometric [1, p. 30]. In the general case, two codes are equivalent if, in addition to coordinate permutations, permutations of the symbols in the alphabet Q are also allowed. While equivalency preserves the distance distribution, it preserves neither linearity nor weights [6, p. 678]. Weights are preserved if the symbol 0 ∈ Q is fixed. Two codes are isometric if one can be obtained from the other by a combination of coordinate permutations and permutations of the symbols in Q \ {0} [1, p. 29, p. 44]. Isometry still does not preserve linearity. Two linear codes over F_q are monomially equivalent or linearly isometric [1, p. 30] if one can be obtained from the other by a permutation of the coordinates and by independent multiplications of the entries by a non-zero field element in F_q. Monomial equivalency preserves linearity.
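The quantities just defined (Hamming and Lee distance, minimum distance, error-correcting capability, distance distribution, linearity), computed for a concrete code. This is an added Python example, not code from the paper; the generator rows of the binary extended Hamming code are constructed here as sample input, and all function names are the example's own.

```python
"""Added example, not from the paper: the parameters defined in the
introduction computed over Q = {0, ..., q-1}.  The sample code is the
binary extended Hamming code, spanned by four constructed generator rows."""
from fractions import Fraction


def hamming_distance(x, y):
    """d(x, y) = number of coordinates in which x and y differ."""
    return sum(1 for a, b in zip(x, y) if a != b)


def hamming_weight(x):
    """w(x) = d(x, 0)."""
    return hamming_distance(x, (0,) * len(x))


def lee_weight(x, q):
    """Sum of w_L(x_i) = min(x_i, q - x_i) over the coordinates."""
    return sum(min(i, q - i) for i in x)


def lee_distance(x, y, q):
    """d_L(x, y) = w_L(x - y), the subtraction taken modulo q."""
    return lee_weight(tuple((a - b) % q for a, b in zip(x, y)), q)


def minimum_distance(code):
    words = list(code)
    return min(hamming_distance(x, y) for x in words for y in words if x != y)


def correctable_errors(code):
    """Largest e with minimum distance d >= 2e + 1."""
    return (minimum_distance(code) - 1) // 2


def distance_distribution(code, n):
    """(A_0, ..., A_n) with A_i = |{(x, y) : x, y in C, d(x, y) = i}| / |C|."""
    words = list(code)
    counts = [0] * (n + 1)
    for x in words:
        for y in words:
            counts[hamming_distance(x, y)] += 1
    return [Fraction(c, len(words)) for c in counts]


def linear_span(generators, q):
    """All F_q-linear combinations of the generator rows (q prime)."""
    n = len(generators[0])
    code = {(0,) * n}
    for g in generators:
        code = {tuple((c[i] + s * g[i]) % q for i in range(n))
                for c in code for s in range(q)}
    return code


def is_linear(code, q):
    """Closed under coordinatewise addition and scalar multiplication mod q."""
    code = set(code)
    for x in code:
        if any(tuple(s * a % q for a in x) not in code for s in range(q)):
            return False
        for y in code:
            if tuple((a + b) % q for a, b in zip(x, y)) not in code:
                return False
    return True


# Constructed sample: generator rows of the binary [8, 4, 4] extended Hamming code.
EXT_HAMMING_GENS = [
    (1, 1, 1, 1, 0, 0, 0, 0),
    (0, 0, 1, 1, 1, 1, 0, 0),
    (0, 0, 0, 0, 1, 1, 1, 1),
    (0, 1, 0, 1, 0, 1, 0, 1),
]
EXT_HAMMING = linear_span(EXT_HAMMING_GENS, 2)
```

For the sample code the routines give |C| = 16, minimum distance 4 (so it corrects one error), distance distribution (1, 0, 0, 0, 14, 0, 0, 0, 1), and confirm linearity, while the three-word set {000, 110, 011} fails the linearity test because 110 + 011 = 101 is missing.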
However, the linearity-preserving group may be larger. Any field automorphism of F_q, when applied simultaneously to the entries of all the codewords of a code, also preserves linearity. When q = p^r and r > 1, the Frobenius automorphism of raising every element of F_q to its p-th power is not a monomial operation. In [1, Thm. 1.5.10], it was shown that monomial equivalency plus field automorphisms give the full linearity-preserving group, and it is called the group of semilinear isometries. Two codes are semilinearly isometric if one can be obtained from the other by using a semilinear isometry. Thus, for linear codes, we have three notions of equivalence: permutation, monomial (or linear), and semilinear. For binary linear codes, the three notions are the same. For linear codes over F_q where q is a prime, monomial and semilinear equivalence are the same. When q is not a prime, but a prime power, the three are all different. The literature has many classification results on linear codes. Before one can compare these classification results, especially for the non-prime cases, one has to be careful which notion of equivalency is used. An automorphism of a code is an equivalence taking the code to itself. The set of automorphisms forms a group. Of course, this group also depends on the equivalence being used. A code is characterized by three parameters: its length n, its size M = |C|, and its minimum distance d. Hence, it is denoted as an [n, M, d] code. For a linear code of dimension k over F_q, M = q^k, and the code is denoted as an [n, k, d] code. Since M is normally large and k is small, there is usually no confusion in using the two notations. When two of the parameters are fixed, it is also natural to ask for the best value of the third, giving rise to three optimization problems. Computers have been used extensively to determine these optimal values, to construct examples of codes attaining these values, and to enumerate them when possible. The objective of this paper is to survey where the boundary of current knowledge is and where further computer work may be helpful in expanding the status of knowledge about error-correcting codes. Since the area is vast, we need to be brief and selective. With the assumption that the boundary of knowledge is usually represented by the smallest unsolved cases, we shall try to list these cases, with the hope that further computational work may solve them. Before moving on, we should add that there is also an extensive body of computational tools and methodology developed which are applicable to problems in error-correcting codes. Interested readers should see [1,14].

Linear Codes

One can count the number of semilinear isometry classes of linear codes of length n and dimension k over F_q without actually constructing them [1, Ch. 6]. However, there seems to be no easy way of counting the number of such classes with a given minimum distance d. Thus, the optimization problem of determining the maximum minimum distance when given the length n and dimension k is still difficult. Given n and k, we let D_q(n, k) denote the maximum minimum distance amongst all codes of length n and dimension k over F_q. Bounds for D_q(n, k) with small parameters can be found in [9]. Table 1 gives the smallest n for which D_q(n, k) is unsolved. Readers interested in this problem should consult [1, Ch. 9] and [14, Ch. 3, 4, and 6] for many relevant computational techniques.

Table 1. Smallest n for which D_q(n, k) is unsolved
  q    n    k    D_q(n, k)
  2   32   14    8-9
  2   32   18    6-7
  3   22    8    9-10
  4   19    8    8-9
  5   16    5    9-10
  5   16    6    8-9
  7   15    8    6-7
  8   16    9    6-7
  9   17   11    5-6

Self-Dual Codes

A special class of linear codes are the self-dual codes. Given x, y ∈ F_qⁿ, the (Euclidean) inner product is

(x, y) = \sum_{i=1}^{n} x_i y_i,

and the Hermitian inner product (used for q = 4) is

(x, y) = \sum_{i=1}^{n} x_i \bar{y}_i,

where ȳ_i is the conjugate of y_i. The dual of a code C is C^⊥ = {u ∈ F_qⁿ | (u, v) = 0 for all v ∈ C}. If C = C^⊥ then C is self-dual. A theorem of Gleason and Pierce [16, p. 200] implies that, in the following four cases, all the Hamming weights of a self-dual code over F_q are divisible by an integer c > 1:
I. q = 2, c = 2,
II. q = 2, c = 4,
III. q = 3, c = 3, and
IV. q = 4 with the Hermitian inner product, c = 2.

Table 2. Smallest n for which the highest minimum distance of a self-dual code is unsolved
  q                  n    highest bound
  2 (Type I)        56    10 or 12
  2 (Type II)       72    12 or 16
  3                 68    15-18
  4 (Hermitian)     32    10 or 12
  4 (Euclidean I)   24    8 or 10
  4 (Euclidean II)  24    8 or 12
  4 (Additive I)    14    5 or 6
  4 (Additive II)   24    8 or 10
  5                 20    8 or 9

This theorem is so influential that the first three cases are often called Type I, Type II, and Type III codes. A Type I code is also called a singly-even code and a Type II code a doubly-even code. The two are not mutually exclusive, and a code is strictly Type I if it is not also of Type II. For codes over F_4, in addition to the Hermitian self-dual codes, Euclidean self-dual codes and Additive self-dual codes have also been studied. The ordinary inner product is used for Euclidean self-dual codes, but the weight used is the Lee weight. If F_4 = {0, 1, ω, ω²} where 1 + ω + ω² = 0, their respective Lee weights are {0, 1, 2, 1}. The Lee weight of a codeword in a Euclidean self-dual code is always even. It is a Type II code over F_4 if the Lee weights of all its codewords are divisible by 4. It is a Type I code over F_4 if some codewords have Lee weights not divisible by 4. The Gray map taking {0, 1, ω, ω²} to {00, 01, 11, 10} maps F_4ⁿ to F_2^{2n}. It takes Type I and Type II codes of length n over F_4 to Type I and Type II binary codes of length 2n, respectively. As for Additive self-dual codes over F_4, the trace inner product is used:

(x, y) = \sum_{i=1}^{n} \left( x_i y_i^2 + x_i^2 y_i \right),

where x = (x1, …, xn) and y = (y1, …, yn). An Additive self-dual code is Type II if all its codewords are of even Hamming weight; otherwise, it is Type I. Technically, Additive self-dual codes are not linear codes, but they behave like linear codes, and they are important because of their relationship to quantum codes [5]. Tables of self-dual codes are maintained in [8,12,10]. Table 2 lists the smallest n for which the highest minimum distance is unsolved. Several upper bounds on the minimum distance of binary self-dual codes have been proved. The first one was given in 1973 [15]. Codes meeting these bounds are called extremal. The most famous open problem is probably the question whether an extremal doubly-even [72, 36, 16] code exists. There are many papers on the possible divisors of the order of its automorphism group. For a summary, see [12, p. 463]. Given a length n, codes with the maximum minimum distance have the best error correcting capability. Thus, we may want to classify all the self-dual codes of length n with the maximum minimum distance. Table 3 gives the smallest unsolved cases for which this classification is not complete. The column labelled number gives the number of inequivalent self-dual codes known.

Table 3. Smallest unclassified self-dual codes with the largest minimum distance
  q                  n    minimum distance    number
  2 (Type I)        38    6                     900
  2 (Type II)       40    8                   12579
  3                 32    9                     239
  4 (Hermitian)     24    8                      17
  4 (Additive I)    13    5                       9
  4 (Additive II)   14    6                     491
  5                 18    7                       1
  7                 16    7                       1

We may also want to classify all the self-dual codes for a given length n. Even partial results are useful. For example, the computer-aided proof of the non-existence of a (22, 8, 4)-BIBD was based on a complete classification of the self-dual binary codes of length 34 with minimum distance at least 4 [3]. The task of classifying self-dual codes is greatly facilitated by the mass formulae [16, p. 183-184]. A mass formula counts the number of self-dual codes for a given length and can be used to check the correctness of the classification. It can also be used to derive a lower bound for the number of equivalence classes by assuming all classes are of maximal size, which is equivalent to assuming all codes are rigid. Thus, a lower bound for the number of inequivalent codes is obtained by dividing the number of self-dual codes by the size of the full transformation group. With the conjecture that when n is large, most codes are rigid, this lower bound also gives an estimate for the number of inequivalent codes. Table 4 gives the smallest n for which a complete classification of self-dual codes is unknown. As a guide to the size of the problem, the table lists a lower bound derived from the mass formula. It also lists the number of inequivalent codes known so far. Tables of already classified self-dual codes can be found in [10,7].

Table 4. Smallest n for which the classification of self-dual codes is incomplete
   n    lower bound (mass formula)
  34          704
  40        17493
  28      1001336
  22        66265
  13     72573550
  14      1727942
  18        10930

Non-restricted Block Code

Now, we consider the least restricted situation. Let |Q| = q, and let A_q(n, d) denote the maximum number of vectors from Qⁿ with minimum (Hamming) distance d. Bounds for A_q(n, d) with small parameters can be found in [4]. Table 5 gives the smallest n for which there exists a gap between the lower and upper bounds for A_q(n, d).

Table 5. Smallest n with a gap between the lower and upper bounds for A_q(n, d)
  q    n    d    A_q(n, d)
  2   17    4    2720-3276
  2   17    5    512-680
  2   17    6    256-340
  2   17    7    64-72
  2   17    8    36-37
  3    7    3    99-111
  4    6    3    164-179
  5    7    3    1597-2291
  5    7    4    250-545
  5    7    5    53-108

Conclusion

This concludes a brief snapshot of where further computer work may be helpful in expanding the knowledge in this vast area of error-correcting codes.
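The mass-formula check on a classification described above, made concrete. This is an added Python example, not the paper's code: it enumerates every binary self-dual code of length 4 and 6 by brute force, compares the count with the product formula ∏_{i=1}^{n/2−1}(2^i + 1) for the number of binary self-dual codes (the standard formula, an assumption of the example since the page only cites [16] for the mass formulae), sorts the codes into permutation equivalence classes by a canonical form, and computes the "all codes rigid" lower bound ceil(mass / n!). Function names are the example's own.

```python
"""Added example, not from the paper: brute-force enumeration of binary
self-dual codes of small length, compared with the mass formula, and their
classification up to coordinate permutation."""
from itertools import combinations, permutations, product
from math import factorial


def inner(x, y):
    """Euclidean inner product over F_2."""
    return sum(a & b for a, b in zip(x, y)) % 2


def span(generators, n):
    code = {(0,) * n}
    for g in generators:
        code |= {tuple(a ^ b for a, b in zip(c, g)) for c in code}
    return code


def dual(code, n):
    """C^⊥ = {u : (u, v) = 0 for all v in C}."""
    return {u for u in product((0, 1), repeat=n)
            if all(inner(u, v) == 0 for v in code)}


def is_self_dual(code, n):
    return dual(code, n) == set(code)


def code_type(code):
    """'II' if every weight is divisible by 4 (doubly-even), else 'I'."""
    return 'II' if all(sum(w) % 4 == 0 for w in code) else 'I'


def self_dual_codes(n):
    """Every self-dual binary code of even length n, as a frozenset of
    codewords.  Such a code is spanned by n/2 pairwise orthogonal even-weight
    vectors, so trying all such generator sets finds them all (fine for n <= 6)."""
    k = n // 2
    even = [v for v in product((0, 1), repeat=n) if any(v) and sum(v) % 2 == 0]
    found = set()
    for gens in combinations(even, k):
        if all(inner(a, b) == 0 for a, b in combinations(gens, 2)):
            c = span(gens, n)
            if len(c) == 2 ** k:        # generators independent
                found.add(frozenset(c))
    return found


def mass_formula(n):
    """Number of binary self-dual codes of length n: prod_{i=1}^{n/2-1} (2^i + 1)
    (standard formula, assumed here)."""
    total = 1
    for i in range(1, n // 2):
        total *= 2 ** i + 1
    return total


def canonical_form(code, n):
    """Lexicographically smallest sorted codeword list over all coordinate
    permutations; two codes are permutation equivalent iff the forms agree."""
    return min(tuple(sorted(tuple(w[i] for i in p) for w in code))
               for p in permutations(range(n)))


def classify(n):
    """(number of self-dual codes, number of permutation equivalence classes)."""
    codes = self_dual_codes(n)
    return len(codes), len({canonical_form(c, n) for c in codes})


def rigid_lower_bound(n):
    """ceil(mass_formula(n) / n!): the bound from assuming every code is rigid,
    i.e. every equivalence class contains the full n! codes."""
    return -(-mass_formula(n) // factorial(n))
```

For n = 6 the enumeration finds 15 codes, matching the mass formula, all of them Type I and all in a single permutation class, so the rigid lower bound ceil(15/720) = 1 is attained; for n = 4 there are 3 codes in one class.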

References

[1] A. Betten, M. Braun, H. Fripertinger, A. Kerber, A. Kohnert and A. Wassermann, Error-Correcting Linear Codes - Classification by Isometry and Applications, Algorithms and Computation in Mathematics 18, Springer, 2006.
[2] J. Bierbrauer, Introduction to Coding Theory, Chapman & Hall/CRC, 2005.
[3] R. T. Bilous and G. H. J. van Rees, Self-Dual Codes and the (22,8,4) Balanced Incomplete Block Design, J. Combin. Designs 13 (2002), 363-376.
[4] A. E. Brouwer, Small table of bounds for binary/ternary/quaternary/5-ary codes. Online available at http://www.win.tue.nl/~aeb/. Accessed on 2010-04-12.
[5] A. R. Calderbank, E. M. Rains, P. M. Shor and N. J. A. Sloane, Quantum error correction via codes over GF(4), IEEE Trans. Inform. Theory IT-44 (1998), 1369-1387.
[6] C. J. Colbourn and J. H. Dinitz, eds., The CRC Handbook of Combinatorial Designs, CRC Press Series on Discrete Mathematics and its Applications, CRC Press, 2006.
[7] E. Danielsen, Database of Self-Dual Quantum Codes. Online available at http://www.ii.uib.no/~larsed/vncorbits/. Accessed on 2010-04-14.
[8] P. Gaborit, Tables of Self-dual Codes. Online available at http://www.unilim.fr/pages_perso/philippe.gaborit/SD/. Accessed on 2010-04-14.
[9] M. Grassl, Bounds on the minimum distance of linear codes and quantum codes. Online available at http://www.codetables.de. Accessed on 2010-04-14.
[10] M. Harada and A. Munemasa, Table of Self-dual Codes. Online available at http://www.math.is.tohoku.ac.jp/~munemasa/selfdualcodes.htm. Accessed on 2010-04-13.
[11] W. C. Huffman and V. Pless, Fundamentals of Error-Correcting Codes, Cambridge Univ. Press, 2003.
[12] W. C. Huffman, On the classification and enumeration of self-dual codes, Finite Fields Appl. 11 (2005), 451-490.
[13] J. C. Interlando, R. Palazzo, Jr. and M. Elia, Group Block Codes Over Nonabelian Groups are Asymptotically Bad, IEEE Trans. Inform. Theory 42 (1996), 1277-1280.
[14] P. Kaski and P. R. J. Östergård, Classification Algorithms for Codes and Designs, Algorithms and Computation in Mathematics 15, Springer, 2006.
[15] C. L. Mallows and N. J. A. Sloane, An upper bound for self-dual codes, Inform. Control 22 (1973), 188-200.
[16] V. S. Pless and W. C. Huffman, eds., Handbook of Coding Theory, Elsevier, 2006.
[17] J. H. van Lint, Introduction to Coding Theory, 3rd ed., Springer Grad. Texts in Math. 86, 1999.

Information Security, Coding Theory and Related Combinatorics
D. Crnković and V. Tonchev (Eds.)
IOS Press, 2011
© 2011 The authors and IOS Press. All rights reserved.
doi:10.3233/978-1-60750-663-8-285


Masakazu JIMBO a,1 and Keisuke SHIROMOTO b
a Graduate School of Information Science, Nagoya University, Nagoya, Japan
b Department of Mathematics and Engineering, Kumamoto University, Kumamoto, Japan

Abstract. Quantum jump codes were introduced by Alber et al. (2001). Quantum jump codes have a close connection with combinatorial designs called t-SEEDs (t-spontaneous emission error designs). In this paper, we give a brief survey of quantum jump codes together with some new results. Firstly, fundamental properties of a t-error correcting quantum jump code are described. Secondly, a few examples of jump codes are given and an upper bound on the dimension of a jump code with a fixed length and given error correcting ability is derived. A relation between a t-SEED and a jump code is discussed and various constructions of t-SEEDs are given.
Keywords. quantum jump code, t-SEED, large set

Introduction

Quantum error correcting codes have been studied by many authors [9,11,14,29,30], motivated by the pioneering work of Shor [28]. Among them, Alber et al. [1] introduced quantum jump codes, which correct errors caused by quantum jumps. Quantum jump codes have a close connection with combinatorial designs called t-SEEDs (t-spontaneous emission error designs). In this paper, we give a brief survey of quantum jump codes together with some new results. In Sections 1 and 2, a brief introduction to quantum jump codes is given. In Section 3, a few examples of jump codes are shown, and in Section 4 an upper bound on the dimension of a jump code with a fixed length and given error correcting ability is explained. In Section 5, a non-existence result for a special parameter is shown. Moreover, in Section 6 a connection between a t-SEED and a jump code is discussed. Finally, in Section 7, various constructions of t-SEEDs are given.

1. Quantum codes

We begin with the introduction of quantum error correcting codes.



M. Jimbo and K. Shiromoto / Quantum Jump Codes and Related Combinatorial Designs

1.1. Quantum state

A quantum state for a single particle can be represented by a vector in a finite dimensional Hilbert space H, that is, a vector space with an inner product. In this paper we set H = C², where C is the set of complex numbers. A quantum state of a single quantum system like a photon is represented by |ψ⟩, called a ket vector, which is a 2-dimensional vector in H = C². The unit of the information amount for a single quantum system is called a qubit. In particular, |0⟩ = (1, 0)ᵀ and |1⟩ = (0, 1)ᵀ are called pure states and any state |ψ⟩ is a linear combination (superposition) of these two pure states, that is, |ψ⟩ = α|0⟩ + β|1⟩ for α, β ∈ C. We define a bra vector ⟨ψ| = |ψ⟩†, where |ψ⟩† is the transpose of the complex conjugate of |ψ⟩. Then the inner product of |φ⟩ and |ψ⟩ is written by the notation ⟨φ|ψ⟩, and the size of a state vector |ψ⟩ is written by ‖ψ‖. In the field of quantum information, any state |ψ⟩ and its scalar multiple c|ψ⟩ (c ≠ 0) are identified as the same quantum state. Hence, without loss of generality, we assume ‖ψ‖ = 1. A joint state of n qubits is of the form |ψ⟩ = |ψ1 ψ2 ⋯ ψn⟩ = |ψ1⟩ ⊗ |ψ2⟩ ⊗ ⋯ ⊗ |ψn⟩, where ⊗ is the tensor product. In this case, |ψ⟩ is a 2ⁿ-dimensional vector in Hⁿ = H ⊗ H ⊗ ⋯ ⊗ H. Let F = {0, 1} and Fⁿ = F × ⋯ × F. Then for any x = (x1, x2, …, xn) ∈ Fⁿ, |x⟩ = |x1⟩ ⊗ |x2⟩ ⊗ ⋯ ⊗ |xn⟩ are pure states for n qubits and these 2ⁿ vectors in {|x⟩ : x ∈ Fⁿ} form an orthonormal basis of Hⁿ. Any n-qubit state can be represented by |ψ⟩ = Σ_{x∈Fⁿ} α_x |x⟩.

1.2. State Transition

For any quantum state |ψ⟩ ∈ Hⁿ, a state transition can be represented by a linear operator. In a quantum computation or quantum data transmission, information is stored as a quantum state of an n-qubit system. Quantum computation can be pursued by applying suitable unitary operators. However, in these computation or data transmission systems, we cannot avoid the occurrence of errors or noise caused by the interaction with the environment. Because of the noise, the information stored in a quantum system may include some error.
Errors or noises are also considered as operators. Typical unitary operators for a single qubit are

X = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \qquad
Z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \qquad
Y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix},

where i = \sqrt{-1}. In order to correct such errors, we need to apply (inverse) unitary operators. But unlike the classical data storage, we cannot observe the quantum state of the system. Hence, we need to correct the quantum state by utilizing some partial information like an eigenvalue of a measurement, or by observing changes outside of the system.



1.3. Quantum error correcting codes

Let C be a subspace of Hⁿ and 𝓔 be a set of error operators including the identity operator. We assume that only the errors in 𝓔 occur in a quantum system. C is called an 𝓔-error correcting quantum code if, for any |c⟩ ∈ C and E ∈ 𝓔, we can recover the original state |c⟩ utilizing partial information of E|c⟩ obtained by measurement, without knowing the original state |c⟩. For an 𝓔-error correcting quantum code C, the following theorem is known.

Theorem 1 (Knill and Laflamme [23]) A subspace C ⊆ Hⁿ with orthonormal basis {|c_i⟩ : i = 1, …, m} is a quantum 𝓔-error correcting code if and only if the following holds:

⟨c_i| E_1^† E_2 |c_j⟩ = δ_{ij} λ_{E_1,E_2},   (1)

where δ_{ij} = 1 if i = j and δ_{ij} = 0 if i ≠ j, and λ_{E_1,E_2} is a constant depending only on E_1 and E_2.

Example 2 Let n = 2 and 𝓔 = {I ⊗ I, E = I ⊗ X}. Then C = ⟨|00⟩, |11⟩⟩ is an 𝓔-error correcting quantum code, since E|00⟩ = |01⟩, E|11⟩ = |10⟩ implies ⟨00|E^†E|11⟩ = 0, ⟨00|E|11⟩ = 0, ⟨00|E|00⟩ = ⟨11|E|11⟩ = 0, ⟨00|E^†E|00⟩ = ⟨11|E^†E|11⟩ = 1, which satisfies condition (1). The code space C is spanned by |00⟩ and |11⟩, whereas the space EC derived from the error E is spanned by |01⟩ and |10⟩, as is seen in Figure 1. These subspaces are orthogonal, and by measuring, that is, by checking eigenvalues of the set of projectors P_0 = |00⟩⟨00| + |11⟩⟨11| and P_1 = |01⟩⟨01| + |10⟩⟨10|, we find the subspace that the quantum state belongs to. We can decode the received state by utilizing this information.

Figure 1. Code space and error space: the code space C spanned by |00⟩ and |11⟩, and the error space EC spanned by |01⟩ and |10⟩.



2. A quantum jump code

2.1. A decay operator and a jump operator

In this paper, we treat errors caused by spontaneous emission. A quantum state changes under spontaneous emission through the loss of energy. In this case, there are two kinds of errors, that is, quantum decay and quantum jump. A quantum decay operator is represented by

D(t) = e^{-\frac{t}{2}|1\rangle\langle 1|} = \begin{pmatrix} 1 & 0 \\ 0 & 0 \end{pmatrix} + e^{-t/2} \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix},

so that for x ∈ F

D(t)|x\rangle = e^{-xt/2}|x\rangle   (2)

holds. Assume that spontaneous decay occurs to each qubit with the same decay rate. Then the decay operator for an n-qubit quantum state is defined by D_V(t) = D(t) ⊗ ⋯ ⊗ D(t) = D(t)^{⊗n}. For any x = (x1, x2, …, xn) ∈ Fⁿ, we have

D_V(t)|x\rangle = \bigotimes_{i=1}^{n} D(t)|x_i\rangle = e^{-\mathrm{wt}(x)\,t/2}|x\rangle,   (3)

where wt(x) is the Hamming weight of x, that is, the number of nonzero elements in x. On the other hand, a quantum jump is defined as follows. Let

A = |0\rangle\langle 1| = \begin{pmatrix} 0 & 1 \\ 0 & 0 \end{pmatrix},

then the quantum jump operator for a single qubit is defined by

J|\psi\rangle = \begin{cases} \dfrac{A|\psi\rangle}{\sqrt{\langle\psi|A^{\dagger}A|\psi\rangle}} & \text{if } \langle\psi|A^{\dagger}A|\psi\rangle \neq 0, \\[1ex] |\psi\rangle & \text{if } \langle\psi|A^{\dagger}A|\psi\rangle = 0. \end{cases}   (4)

Thus, we have J(α|0⟩ + β|1⟩) = |0⟩ if β ≠ 0, and J(α|0⟩) = α|0⟩, which is the state |0⟩, if β = 0, since A|1⟩ = |0⟩.

In this paper, we ignore the normalizing denominator √⟨ψ|A†A|ψ⟩, and instead we defined in Subsection 1.1 that any state vector |ψ⟩ is identified with its scalar multiples. In the case of an n-qubit system, a jump operator at the i-th position is defined by J_i = I ⊗ ⋯ ⊗ I ⊗ J ⊗ I ⊗ ⋯ ⊗ I, with J in the i-th factor. Let V = {1, 2, …, n}. If jump error operators J_{i1}, …, J_{is−1}, J_{is} are applied in turn to a quantum state |c⟩, such a multiple jump is represented by J_E = J_{is} J_{is−1} ⋯ J_{i1}, where E = (i1, …, is) is an ordered s-tuple (s-list). In general, the jump operators J_{i1}, …, J_{is−1}, J_{is} are not commutative. For example, J_2 J_1(|101⟩ + |010⟩) = |001⟩, whereas J_1 J_2(|101⟩ + |010⟩) = |000⟩. However, for a state |c⟩, by deleting the jump operators J_{ij} which do not change the state J_{ij−1} ⋯ J_{i1}|c⟩, we can get a subsequence of operators J_{E_c} = J_{ij_r} ⋯ J_{ij_1}, where E_c = (i_{j1}, …, i_{jr}) ⊆ E. Hence J_E|c⟩ = J_{E_c}|c⟩ holds for the state |c⟩ = Σ_{x∈Fⁿ} α_x|x⟩, and there are x's such that α_x ≠ 0 and supp(x) ⊇ E_c hold, where supp(x) = {i : x_i ≠ 0} for x = (x1, …, xn). Moreover, the operators in J_{E_c} are commutative when applied to |c⟩. Hence, for a multiple jump operator J_E and a state |c⟩, we have only to consider multiple jump operators which are commutative with respect to |c⟩. Now, for a subset E of V, when the jumps at positions in E are commutative for |c⟩, we denote it by

J_E = \bigotimes_{i=1}^{n} A_i, \qquad A_i = \begin{cases} I & \text{if } i \notin E, \\ J & \text{if } i \in E. \end{cases}

The position where a quantum jump occurred can be detected by the continuous monitoring of a photodetector, since a photon is radiated when a quantum jump occurs at a qubit (see Figure 2). Hence, we assume that the positions where quantum jumps occur are known (see Alber et al. [2]). In general, a decay and jump process is written as D_V(t_s) J_{is} D_V(t_{s−1}) J_{is−1} ⋯ D_V(t_1) J_{i1} D_V(t_0). That is, as shown in Figure 3, within a time period t, spontaneous decay occurs to each qubit with the same decay rate, and during the period quantum jumps occur s times.

2.2. Decoherence-free subspace for decay operator

Our aim in this paper is to construct a code which can correct errors caused by quantum decay and quantum jumps. For quantum decay errors, we apply a passive error correction, that is, we consider the error-free space of the spontaneous decay error operator D_V(t).
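A small simulator for the objects of Sections 1.3 and 2.1, added here as an example (not code from the paper). It represents an n-qubit state as a dictionary from bit tuples to amplitudes, checks the Knill-Laflamme condition (1) on Example 2 (and on a two-dimensional subspace that fails it), applies the jump operator J_i of (4) with the normalizing denominator ignored, as the text does, so that J_2 J_1(|101⟩ + |010⟩) = |001⟩ while J_1 J_2(|101⟩ + |010⟩) = |000⟩, and applies the decay operator D_V(t) of (3) to test whether a state is only rescaled by it. Qubit positions are 1-indexed as in the text; all function names are the example's own.

```python
"""Added example, not code from the paper: n-qubit states as
{bit tuple: amplitude}; Knill-Laflamme check, quantum jumps, decay."""
import math

I = [[1, 0], [0, 1]]
X = [[0, 1], [1, 0]]
A = [[0, 1], [0, 0]]          # A = |0><1|


def ket(*bits):
    """Basis state |x> for the bit string x."""
    return {tuple(bits): 1.0}


def add(a, b):
    """Unnormalised superposition a + b."""
    out = dict(a)
    for x, amp in b.items():
        out[x] = out.get(x, 0) + amp
    return {x: amp for x, amp in out.items() if abs(amp) > 1e-12}


def apply_single(op, pos, state):
    """Apply the 2x2 matrix op to qubit number pos (1-indexed)."""
    out = {}
    for x, amp in state.items():
        col = x[pos - 1]
        for row in (0, 1):
            if op[row][col]:
                y = x[:pos - 1] + (row,) + x[pos:]
                out[y] = out.get(y, 0) + op[row][col] * amp
    return {y: a for y, a in out.items() if abs(a) > 1e-12}


def apply_tensor(ops, state):
    """Apply ops[0] ⊗ ops[1] ⊗ ... ⊗ ops[n-1] (one 2x2 matrix per qubit)."""
    for pos, op in enumerate(ops, start=1):
        state = apply_single(op, pos, state)
    return state


def inner(phi, psi):
    """<phi|psi>."""
    return sum(phi[x].conjugate() * psi[x] for x in phi if x in psi)


def knill_laflamme(basis, errors):
    """Condition (1): <c_i|E1† E2|c_j> = δ_ij · const(E1, E2) for all E1, E2."""
    for e1 in errors:
        for e2 in errors:
            img1 = [apply_tensor(e1, c) for c in basis]   # E1|c_i>
            img2 = [apply_tensor(e2, c) for c in basis]   # E2|c_j>
            diag = None
            for i, u in enumerate(img1):
                for j, w in enumerate(img2):
                    val = inner(u, w)                     # <c_i|E1† E2|c_j>
                    if i != j and abs(val) > 1e-9:
                        return False
                    if i == j:
                        if diag is None:
                            diag = val
                        elif abs(val - diag) > 1e-9:
                            return False
    return True


def jump(pos, state):
    """J_pos of (4) without the normalizing denominator: apply A at qubit pos;
    if A annihilates the state (no component has a 1 there), leave it as is."""
    out = apply_single(A, pos, state)
    return out if out else state


def decay(t, state):
    """D_V(t)|x> = exp(-wt(x) t / 2)|x>, extended linearly (equation (3))."""
    return {x: amp * math.exp(-sum(x) * t / 2) for x, amp in state.items()}


def is_decoherence_free(state, t=1.0):
    """True iff D_V(t) merely rescales the state, i.e. all basis states in it
    have the same weight."""
    out = decay(t, state)
    ratios = [out[x] / state[x] for x in state]
    return all(abs(r - ratios[0]) < 1e-9 for r in ratios)


# Example 2 of the text: C = <|00>, |11>>, errors {I⊗I, I⊗X}.
EXAMPLE2_BASIS = [ket(0, 0), ket(1, 1)]
EXAMPLE2_ERRORS = [[I, I], [I, X]]
# The non-commuting jumps of Section 2.1 act on |101> + |010>.
PSI = add(ket(1, 0, 1), ket(0, 1, 0))
```

knill_laflamme confirms Example 2 and rejects the subspace ⟨|00⟩, |01⟩⟩, where I ⊗ X maps one basis state onto the other; jump reproduces the two orderings from the text; and is_decoherence_free returns True for |101⟩ + |011⟩ (both of weight 2) but False for |101⟩ + |010⟩.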

290

M. Jimbo and K. Shiromoto / Quantum Jump Codes and Related Combinatorial Designs

[Figure 2: $n$ qubits; a quantum jump at one qubit radiates a photon, which is registered by the photodetector.]

[Figure 3: time axis of one decay-and-jump process, $t_0=0$, $t_1$, $\dots$, $t_{s-1}$, $t_s=t$.]

Hence, we find a subspace $W$ in which every quantum state vector is invariant with respect to the state transition by $D_V(t)$. A subspace $W$ is called a decoherence-free subspace if $D_V(t)|\psi\rangle=\lambda|\psi\rangle$ holds for any $|\psi\rangle\in W$, where $\lambda$ is a nonzero constant. Now, let $F^n_k=\{x\in F^n : \mathrm{wt}(x)=k\}$ and let $W_k=\langle\,|x\rangle : x\in F^n_k\,\rangle$ be the subspace which is spanned by $\{|x\rangle : x\in F^n_k\}$.

Lemma 3 $W$ is a decoherence-free subspace with respect to a decay operator $D_V(t)$ if and only if $W$ is a subspace of $W_k$ for an arbitrary fixed weight $k$.

Proof. For any $|\psi\rangle=\sum_{x\in F^n}\alpha_x|x\rangle\in W$,
$$D_V(t)|\psi\rangle=\sum_{x\in F^n}\alpha_xD_V(t)|x\rangle=\sum_{x\in F^n}\alpha_x\,e^{-\mathrm{wt}(x)\,t/2}|x\rangle=\sum_{k=0}^{n}\sum_{x\in F^n_k}\alpha_x\,e^{-kt/2}|x\rangle$$
holds. In order that $D_V(t)|\psi\rangle=\mathrm{const.}\,|\psi\rangle$ holds for any $t$, the weight $k$ must be constant, which proves the lemma.

Hence, any quantum jump code $C$ must be a subspace of $W_k$ for some $k$ in order to be free of the quantum decay error. Furthermore, for a quantum state $|c\rangle\in W_k$ and a jump operator $J_E$, $J_E|c\rangle\in W_{k'}$ holds for some $k'\le k$.


2.3. Quantum jump codes

If we want to find an $e$-error correcting quantum jump code as a subspace of $W_k$, then we have only to consider error operators of the form $\mathcal E=\{J_E : E \text{ is an } s\text{-list of elements in } V,\ s\le e\}$. In quantum jump codes, it is assumed that the positions $E=(i_1,i_2,\dots,i_s)$ where quantum jumps occurred are known by the continuous observation of the photodetector, as stated in Section 2.1. Note that if the error positions are known, the conditions (i) and (ii) in Theorem 1 are simplified as
$$\langle c_i|J_E^\dagger J_E|c_j\rangle=\delta_{ij}\lambda_E \qquad (5)$$
where $\lambda_E$ is a nonzero constant depending only on $E$. A subspace $C$ of $W_k$ satisfying (5) is called an $e$-error correcting quantum jump code, denoted by an $(n,m,e)_k$ jump code, where $m$ is the dimension of $C$. For a vector $x=(x_1,x_2,\dots,x_n)\in F^n$ and $E=\{\ell_1,\ell_2,\dots,\ell_s\}$, let $x|_E=(x_{\ell_1},x_{\ell_2},\dots,x_{\ell_s})$.

Lemma 4 Let $C$ be an $(n,m,e)_k$ jump code. Then for any $E$ with $|E|=s\le e$, and for any $y\in F^s$, the following hold:
(i) $J_E|c_i\rangle=|c_i\rangle$ implies that $\alpha^{(i)}_x=0$ for any $x\in F^n_k$ such that $x|_E=(1,1,\dots,1)$.
(ii) For an orthonormal basis $\{|c_i\rangle : i=1,\dots,m\}$, if $J_E|c_i\rangle=|c_i\rangle$ holds for some $i$ then $J_E|c_j\rangle=|c_j\rangle$ holds for any $j=1,\dots,m$.

3. Examples of 1- and 2-error correcting quantum jump codes

3.1. A 1-error correcting quantum jump code of length four

Here, we consider an example of 1-error correcting quantum jump codes of length four. Let $C$ be a 1-error correcting quantum jump code. A codeword $|c\rangle$ is represented by $|c\rangle=\sum_{x\in F^n_k}\alpha_x|x\rangle$ for some fixed weight $k$, $0\le k\le4$. Now, let $\{|c_i\rangle=\sum_{x\in F^n_k}\alpha^{(i)}_x|x\rangle : i=1,2,\dots,m\}$ be an orthonormal basis of $C$. Then
$$\sum_{x\in F^4_k}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=\delta_{ij} \qquad (6)$$
holds for each $i$ and $j$, and for a fixed $k\in\{0,1,\dots,4\}$, where $\overline{\alpha^{(i)}_x}$ is the complex conjugate of $\alpha^{(i)}_x$. Similarly,
$$J_\ell|c_i\rangle=\sum_{x\in F^4_k}\alpha^{(i)}_xJ_\ell|x\rangle=\sum_{x\in F^4_k,\ x_\ell=1}\alpha^{(i)}_x|P_\ell x\rangle,$$
where $P_\ell$ is the $4\times4$ diagonal matrix whose diagonal elements are 1 except for the $\ell$-th element being 0. Hence,
$$\langle c_i|J_\ell^\dagger J_\ell|c_j\rangle=\sum_{x\in F^4_k,\ x_\ell=1}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=\delta_{ij}\lambda_{k,\ell,1} \qquad (7)$$
holds for each $i,j$ and $\ell\in V$, where $\lambda_{k,\ell,1}$ is a constant depending only on $k$ and $\ell$. Hence, (6) and (7) can be rewritten as
$$\sum_{x\in F^4_k,\ x_\ell=1}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=\delta_{ij}\lambda_{k,\ell,1}, \qquad (8)$$
$$\sum_{x\in F^4_k,\ x_\ell=0}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=\delta_{ij}\lambda_{k,\ell,0} \qquad (9)$$

for any $i,j$ and $\ell$. Hence, we can easily see that the weight $k$ of the decoherence-free subspace $W_k$ must be 2, since $\alpha^{(i)}_{0000}=0$ and $\alpha^{(i)}_{1111}=0$ hold by (8) and (9). Moreover, we have the following equations for any $i$ and $j$ by (8) and (9):
$$\begin{aligned}
\overline{\alpha^{(i)}_{1100}}\alpha^{(j)}_{1100}+\overline{\alpha^{(i)}_{1010}}\alpha^{(j)}_{1010}+\overline{\alpha^{(i)}_{1001}}\alpha^{(j)}_{1001}&=\delta_{ij}\lambda_{k,1,1},\\
\overline{\alpha^{(i)}_{1100}}\alpha^{(j)}_{1100}+\overline{\alpha^{(i)}_{0110}}\alpha^{(j)}_{0110}+\overline{\alpha^{(i)}_{0101}}\alpha^{(j)}_{0101}&=\delta_{ij}\lambda_{k,2,1},\\
\overline{\alpha^{(i)}_{1010}}\alpha^{(j)}_{1010}+\overline{\alpha^{(i)}_{0110}}\alpha^{(j)}_{0110}+\overline{\alpha^{(i)}_{0011}}\alpha^{(j)}_{0011}&=\delta_{ij}\lambda_{k,3,1},\\
\overline{\alpha^{(i)}_{1001}}\alpha^{(j)}_{1001}+\overline{\alpha^{(i)}_{0101}}\alpha^{(j)}_{0101}+\overline{\alpha^{(i)}_{0011}}\alpha^{(j)}_{0011}&=\delta_{ij}\lambda_{k,4,1},\\
\overline{\alpha^{(i)}_{0011}}\alpha^{(j)}_{0011}+\overline{\alpha^{(i)}_{0101}}\alpha^{(j)}_{0101}+\overline{\alpha^{(i)}_{0110}}\alpha^{(j)}_{0110}&=\delta_{ij}\lambda_{k,1,0},\\
\overline{\alpha^{(i)}_{0011}}\alpha^{(j)}_{0011}+\overline{\alpha^{(i)}_{1001}}\alpha^{(j)}_{1001}+\overline{\alpha^{(i)}_{1010}}\alpha^{(j)}_{1010}&=\delta_{ij}\lambda_{k,2,0},\\
\overline{\alpha^{(i)}_{0101}}\alpha^{(j)}_{0101}+\overline{\alpha^{(i)}_{1001}}\alpha^{(j)}_{1001}+\overline{\alpha^{(i)}_{1100}}\alpha^{(j)}_{1100}&=\delta_{ij}\lambda_{k,3,0},\\
\overline{\alpha^{(i)}_{0110}}\alpha^{(j)}_{0110}+\overline{\alpha^{(i)}_{1010}}\alpha^{(j)}_{1010}+\overline{\alpha^{(i)}_{1100}}\alpha^{(j)}_{1100}&=\delta_{ij}\lambda_{k,4,0}.
\end{aligned}$$
By solving these equations for $i=j$, we can find the following relations:
$$|\alpha^{(i)}_{1100}|=|\alpha^{(i)}_{0011}|=w^{(i)}_1,\quad |\alpha^{(i)}_{1010}|=|\alpha^{(i)}_{0101}|=w^{(i)}_2,\quad |\alpha^{(i)}_{1001}|=|\alpha^{(i)}_{0110}|=w^{(i)}_3,\quad \bigl(w^{(i)}_1\bigr)^2+\bigl(w^{(i)}_2\bigr)^2+\bigl(w^{(i)}_3\bigr)^2=\mathrm{const.} \qquad (10)$$
and, for $i\neq j$,
$$\overline{\alpha^{(i)}_{1100}}\alpha^{(j)}_{1100}+\overline{\alpha^{(i)}_{1010}}\alpha^{(j)}_{1010}+\overline{\alpha^{(i)}_{1001}}\alpha^{(j)}_{1001}=0. \qquad (11)$$
A solution satisfying (10), (11) can be obtained as follows: $|c_i\rangle=u_{i1}|h_1\rangle+u_{i2}|h_2\rangle+u_{i3}|h_3\rangle$ for $i=1,2,3$, where
$$|h_1\rangle=\tfrac{1}{\sqrt2}\bigl(|1100\rangle+e^{\mathrm i\theta_1}|0011\rangle\bigr),\quad |h_2\rangle=\tfrac{1}{\sqrt2}\bigl(|1010\rangle+e^{\mathrm i\theta_2}|0101\rangle\bigr),\quad |h_3\rangle=\tfrac{1}{\sqrt2}\bigl(|1001\rangle+e^{\mathrm i\theta_3}|0110\rangle\bigr)$$
and $U=(u_{ij})$ is a unitary matrix. In particular, let $\theta_i=0$ for any $i$ and let $U=I$; then
$$|c_1\rangle=\tfrac{1}{\sqrt2}\bigl(|1100\rangle+|0011\rangle\bigr),\quad |c_2\rangle=\tfrac{1}{\sqrt2}\bigl(|1010\rangle+|0101\rangle\bigr),\quad |c_3\rangle=\tfrac{1}{\sqrt2}\bigl(|1001\rangle+|0110\rangle\bigr)$$
is an example of a 1-error correcting quantum jump code of length 4. It is easy to show that the code $C$ with the orthonormal basis (ONB) $\{|c_1\rangle,|c_2\rangle,|c_3\rangle\}$ has the maximum dimension. In fact, as we saw, any 1-error correcting jump code $C$ of length 4 is a subspace of the space spanned by $\{|x\rangle : x\in F^4_2\}$. Moreover, after a jump error $J_\ell$ occurred, $J_\ell C$ still has to have the same dimension as $C$, because the vectors $J_\ell|c_i\rangle$ must be mutually orthogonal. Let $\ell$ be a position where a codeword $|c_1\rangle=\sum_{x\in F^4_2}\alpha^{(1)}_x|x\rangle$ has a term with $\alpha^{(1)}_x\neq0$ and $x$ having 1 in position $\ell$. In this case, $\langle c_1|J_\ell^\dagger J_\ell|c_1\rangle<\langle c_1|c_1\rangle=1$. Since $\langle c_i|J_\ell^\dagger J_\ell|c_i\rangle=\langle c_1|J_\ell^\dagger J_\ell|c_1\rangle$ holds for any $|c_i\rangle=\sum_{x\in F^4_2}\alpha^{(i)}_x|x\rangle$, there must be a vector $|x\rangle$ such that $x$ has 1 at position $\ell$ and $\alpha^{(i)}_x\neq0$. Thus, $J_\ell C$ is spanned by the ket vectors whose weight is one and whose $\ell$-th element is 0. There are three such vectors of weight 1 whose $\ell$-th element is 0. Thus $\dim C\le3$ holds.

3.2. An example of 2-error correcting quantum jump codes of length 6

Here, we consider an example of 2-error correcting quantum jump codes of length 6. Let $C$ be a 2-error correcting quantum jump code, and let $\{|c_i\rangle=\sum_{x\in F^6_k}\alpha^{(i)}_x|x\rangle : i=1,2,\dots,m\}$ be an orthonormal basis of $C$. Let $E=\{\ell_1,\ell_2\}$ be the set of positions where jump errors occur. If there are some $\alpha^{(i)}_x$ such that $\mathrm{supp}(x)\supseteq E$ and $\alpha^{(i)}_x\neq0$, we have
$$J_E|c_i\rangle=\sum_{x\in F^6_k}\alpha^{(i)}_xJ_E|x\rangle=\sum_{x\in F^6_k,\ x_\ell=1\ \text{for}\ \ell\in E}\alpha^{(i)}_x|P_Ex\rangle,$$
where $P_E$ is the $6\times6$ diagonal matrix whose diagonal elements are 1 except for the positions in $E$ being 0. Hence,
$$\langle c_i|J_E^\dagger J_E|c_j\rangle=\sum_{x\in F^6_k,\ x_\ell=1\ \text{for}\ \ell\in E}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=\delta_{i,j}\lambda_E, \qquad (12)$$
where $\lambda_E$ is a nonzero constant depending only on $E$. By (12), it is shown that $\alpha^{(i)}_x=0$ for any $x$ with $\mathrm{wt}(x)=0,1,2,4,5,6$. Thus, in this case the decoherence-free subspace is $W_3$. The following is an example of a $(6,2,2)_3$ jump code.

Example 5 A $(6,2,2)_3$ jump code is given by the following orthonormal basis:


$$|c_1\rangle=\tfrac{1}{\sqrt{10}}\bigl(|111000\rangle+|101100\rangle+|100110\rangle+|100011\rangle+|110001\rangle+|011010\rangle+|001101\rangle+|010110\rangle+|001011\rangle+|010101\rangle\bigr),$$
$$|c_2\rangle=\tfrac{1}{\sqrt{10}}\bigl(|000111\rangle+|010011\rangle+|011001\rangle+|011100\rangle+|001110\rangle+|100101\rangle+|110010\rangle+|101001\rangle+|110100\rangle+|101010\rangle\bigr).$$
It can be checked that (12) holds for any $E\subseteq V$, $|E|\le2$. For example, let $E=\{1,2\}$; then
$$J_E|c_1\rangle=\tfrac{1}{\sqrt{10}}\bigl(|001000\rangle+|000001\rangle\bigr)\quad\text{and}\quad J_E|c_2\rangle=\tfrac{1}{\sqrt{10}}\bigl(|000010\rangle+|000100\rangle\bigr)$$
hold, which imply that $\langle c_i|J_E^\dagger J_E|c_i\rangle=\tfrac15$ for $i=1,2$ and $\langle c_1|J_E^\dagger J_E|c_2\rangle=0$. Similarly, for any $E$ with two elements, $J_E|c_i\rangle$ consists of two basis ket vectors. Also, for any $E$ with a single element, it consists of five basis vectors. These facts imply that
$$\langle c_i|J_E^\dagger J_E|c_j\rangle=\begin{cases}\tfrac15, & \text{if } i=j \text{ and } |E|=2,\\ \tfrac12, & \text{if } i=j \text{ and } |E|=1,\\ 1, & \text{if } i=j \text{ and } |E|=0,\\ 0, & \text{if } i\neq j.\end{cases}$$

Remark: As will be seen later, $|c_1\rangle$ and $|c_2\rangle$ are derived from two disjoint 2-$(6,3,2)$ designs, which together include all triples from $V$.

4. An upper bound for the dimension of jump codes

In this section, fundamental properties of an $(n,m,e)_k$ jump code are described. For most of the results in this section we refer the reader to Beth et al. [8]. For a vector $x=(x_1,x_2,\dots,x_n)\in F^n$ and $E=\{\ell_1,\ell_2,\dots,\ell_s\}$, let $x|_E=(x_{\ell_1},x_{\ell_2},\dots,x_{\ell_s})$.

Lemma 6 Let $C$ be an $(n,m,t)_k$ jump code. Then for any $E$ with $|E|=s\le t$, and for any $y\in F^s$,
$$\sum_{x\in F^n_k,\ x|_E=y}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=\delta_{ij}\lambda_{E,y} \qquad (13)$$
holds, where $\lambda_{E,y}$ is a constant depending only on $E$ and $y$.

Proof. In the case of $y=1_s=(1,1,\dots,1)\in F^s$ for $s\le t$, (13) is obvious by (5). Note that, even in the case of $J_E|c_i\rangle=|c_i\rangle$, (13) holds with $\lambda_{E,1_s}=0$ by (i) of Lemma 4.


We prove (13) by induction on the weight of $y$. For $E\subseteq V$ such that $|E|=s<t$ and a vector $y\in F^s$ with weight $w<s$, without loss of generality we assume that the first $w$ elements of $y$ are 1 and the other $s-w$ elements are 0. Let $E_0=\{i : y_i=1\}$ and define
$$N(E,y)=\sum_{x\in F^n_k,\ x|_E=y}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x.$$
Then
$$N(E,y)=N(E_0,1_w)-\sum_{z\in F^{s-w},\ z\neq0}N\bigl(E,(1_w,z)\bigr)$$
holds, where $(1_w,z)$ is the concatenation of the vectors $1_w$ and $z$. In the case when $i=j$, each term on the right hand side of the above equation is constant by the induction assumption. Similarly, when $i\neq j$, each term on the right hand side is 0. Hence the lemma is proved.

Lemma 7 (Beth et al. [8]) If $C$ is an $(n,m,t)_k$ jump code, then $X^{\otimes n}C$ is an $(n,m,t)_{n-k}$ jump code.

Lemma 8 (Beth et al. [8]) If an $(n,m,t)_k$ jump code exists for $k>t>1$, then an $(n-1,m,t-1)_{k-1}$ jump code exists.

Proof. The lemma can be obtained by applying an error operator $J_n$ to the $(n,m,t)_k$ jump code $C$. Note that if $\{|c_i\rangle : i=1,\dots,m\}$ is an orthonormal basis then $\{J_n|c_i\rangle : i=1,\dots,m\}$ is also an orthonormal basis.

Lemma 9 (Beth et al. [8]) If an $(n,m,t)_k$ jump code exists for $k>t\ge1$, then an $(n+1,m,t)_k$ jump code and an $(n+1,m,t)_{k+1}$ jump code exist.

Proof. Appending $|0\rangle$ or $|1\rangle$ to an $(n,m,t)_k$ jump code, an $(n+1,m,t)_k$ or an $(n+1,m,t)_{k+1}$ jump code can be obtained, respectively.

The following upper bound is obtained by Beth et al. [8].

Proposition 10 (Beth et al. [8]) The dimension $m$ of an $(n,m,t)_k$ jump code is bounded by
$$m\le\min\left\{\binom{n-t}{k},\binom{n-t}{k-t}\right\}\le\binom{n-t}{n/2-t}. \qquad (14)$$

Proof. It is obvious that an $(n,m,0)_k$ jump code has dimension $\dim W_k=\binom nk$. If $C$ is an $(n,m,t)_k$ jump code, then by Lemma 8, $J_EC$ is an $(n-t,m,0)_{k-t}$ jump code for $E\subseteq V$, $|E|=t$. Hence, $\dim C\le\binom{n-t}{k-t}$. Also, by Lemma 7, an $(n,m,t)_{n-k}$ jump code


exists, and hence $\dim C\le\binom{n-t}{n-k-t}=\binom{n-t}{k}$.

Lemma 11 (Beth et al. [8]) An $(n,m,1)_k$ jump code attaining the upper bound (14) exists for any even integer $n$. In this case, $k=n/2$ and $m=\frac12\binom nk$.

Proof. Let $|c_x\rangle=\frac{1}{\sqrt2}\bigl(|x\rangle+|\bar x\rangle\bigr)$ for any $x\in F^n$ with $\mathrm{wt}(x)=n/2$, where $\bar x=(1-x_1,1-x_2,\dots,1-x_n)$. Then the code $C$ with orthonormal basis $\{|c_x\rangle\}$ has dimension $m=\frac12\binom{n}{n/2}$. And
$$J_i|c_x\rangle=\begin{cases}\frac{1}{\sqrt2}|P_ix\rangle, & \text{if } i\in\mathrm{supp}(x),\\[2pt] \frac{1}{\sqrt2}|P_i\bar x\rangle, & \text{if } i\notin\mathrm{supp}(x),\end{cases}$$
where $P_i$ sets the $i$-th coordinate to 0 as in Section 3.1.
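To make conditions (5) and (12) concrete, here is an added Python example (not code from the paper) that evaluates $\langle c_i|J_E^\dagger J_E|c_j\rangle$ directly on the $(6,2,2)_3$ code of Example 5, on the length-4 code of Section 3.1 and on the paired code $\{|x\rangle+|\bar x\rangle\}$ of Lemma 11 for larger even $n$; it also shows that the paired code is not 2-error correcting. The dict representation of kets and all function names are this example's own choices; the jump at a qubit is modelled as the lowering operator $|0\rangle\langle1|$, so a term with a 0 at a jumped position vanishes (the paper's convention of treating such a jump as leaving the state unchanged plays no role here, because every $E$ with $|E|\le t$ is supported by the codes tested).

```python
"""Checking the jump-code condition (5)/(12) on explicit codes (added example).

A ket over n qubits is a dict {bitstring: real amplitude}.  On one qubit the
jump operator is modelled as the lowering operator |0><1|: a basis ket |x>
survives only if x_i = 1, and then bit i is set to 0.  J_E applies it at every
position of E (positions are 1-indexed, matching V = {1, ..., n}).
"""
from itertools import combinations
from math import comb, sqrt

TOL = 1e-9


def jump(ket, E):
    """Return J_E|ket>; terms with a 0 at any position of E vanish."""
    out = {}
    for x, a in ket.items():
        if all(x[i - 1] == "1" for i in E):
            y = "".join("0" if (k + 1) in E else ch for k, ch in enumerate(x))
            out[y] = out.get(y, 0.0) + a
    return out


def inner(bra, ket):
    """<bra|ket> for real amplitudes."""
    return sum(a * ket.get(x, 0.0) for x, a in bra.items())


def check_jump_code(basis, n, t):
    """Test <c_i|J_E^+ J_E|c_j> = delta_ij * lambda_E for every E with |E| <= t.

    Returns (ok, lambdas); lambdas maps each E (a tuple of positions) to the
    common value lambda_E, which must be the same for every basis vector.
    """
    lambdas = {}
    for s in range(t + 1):
        for E in combinations(range(1, n + 1), s):
            images = [jump(c, E) for c in basis]
            lam = inner(images[0], images[0])
            for i, ji in enumerate(images):
                for j, jj in enumerate(images):
                    want = lam if i == j else 0.0
                    if abs(inner(ji, jj) - want) > TOL:
                        return False, lambdas
            lambdas[E] = lam
    return True, lambdas


def uniform_ket(bitstrings):
    """Normalised equal-amplitude superposition of the given basis kets."""
    a = 1.0 / sqrt(len(bitstrings))
    return {x: a for x in bitstrings}


def paired_code(n):
    """Lemma 11: basis |c_x> = (|x> + |x-bar>)/sqrt(2), x of weight n/2 (n even).

    For n = 4 this is exactly the code {|c_1>, |c_2>, |c_3>} of Section 3.1.
    """
    basis, seen = [], set()
    for ones in combinations(range(n), n // 2):
        x = "".join("1" if k in ones else "0" for k in range(n))
        xbar = "".join("0" if ch == "1" else "1" for ch in x)
        if xbar in seen:          # |c_xbar> is the same vector as |c_x>
            continue
        seen.add(x)
        basis.append(uniform_ket([x, xbar]))
    return basis


# Example 5, the (6,2,2)_3 jump code; the supports are two disjoint 2-(6,3,2) designs.
C1 = uniform_ket(["111000", "101100", "100110", "100011", "110001",
                  "011010", "001101", "010110", "001011", "010101"])
C2 = uniform_ket(["000111", "010011", "011001", "011100", "001110",
                  "100101", "110010", "101001", "110100", "101010"])

if __name__ == "__main__":
    ok, lam = check_jump_code([C1, C2], n=6, t=2)
    print("(6,2,2)_3 code satisfies (12):", ok, "lambda_{1,2} =", lam[(1, 2)])
    for n in (4, 6, 8):
        code = paired_code(n)
        ok, _ = check_jump_code(code, n=n, t=1)
        print(f"n={n}: dim {len(code)} = C(n,n/2)/2 = {comb(n, n // 2) // 2}, 1-error correcting: {ok}")
    # The paired code is not 2-error correcting: lambda_E for |E| = 2 depends on x.
    print("paired code n=6 with t=2:", check_jump_code(paired_code(6), n=6, t=2)[0])
```

For the $(6,2,2)_3$ code the table of values $\tfrac15,\tfrac12,1,0$ from Section 3.2 is reproduced by `check_jump_code`; for the paired code with $t=2$ the check fails because $\langle c_x|J_E^\dagger J_E|c_x\rangle$ is $\tfrac12$ when $E$ lies inside $\mathrm{supp}(x)$ or inside $\mathrm{supp}(\bar x)$ and 0 when $E$ is split between them, so $\lambda_E$ would depend on the codeword.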

5. Non-existence of a $(6,3,2)_3$ jump code

By the upper bound (14), $\dim C=m\le4$ holds for a $(6,m,2)_3$ jump code $C$. Moreover, Beth et al. [8] showed that there does not exist a $(6,4,2)_3$ jump code. Here we show that there does not exist a $(6,3,2)_3$ jump code.

Lemma 12 There is no $(6,3,2)_3$ jump code.

Proof. Assume that there are three orthonormal vectors $|c_1\rangle,|c_2\rangle,|c_3\rangle$ which form a basis of a $(6,3,2)_3$ jump code.

Case 1: Firstly, we consider the case when there is a coordinate $\ell$ such that $J_\ell|c_i\rangle=0$ holds for every $i=1,2,3$. In this case, by deleting the $\ell$-th coordinate, $C$ can be viewed as a subspace of $H_5$. That is, we consider the existence of a $(5,3,2)_3$ jump code. For $W^5_3=\langle\,|x\rangle : x\in F^5_3\,\rangle$, let $|c_i\rangle=\sum_{x\in F^5_3}\alpha^{(i)}_x|x\rangle$ for $i=1,2,3$. Then, by setting $E=\{1,2\}$ and $y=(00)$ in Lemma 6, we obtain
$$\overline{\alpha^{(1)}_{00111}}\,\alpha^{(2)}_{00111}=0,\quad \overline{\alpha^{(2)}_{00111}}\,\alpha^{(3)}_{00111}=0,\quad \overline{\alpha^{(3)}_{00111}}\,\alpha^{(1)}_{00111}=0,$$
and
$$\overline{\alpha^{(1)}_{00111}}\,\alpha^{(1)}_{00111}=\overline{\alpha^{(2)}_{00111}}\,\alpha^{(2)}_{00111}=\overline{\alpha^{(3)}_{00111}}\,\alpha^{(3)}_{00111},$$
which implies $\alpha^{(i)}_{00111}=0$ for any $i$. By a similar argument, we get $\alpha^{(i)}_x=0$ for any $x\in F^5_3$ and $i=1,2,3$. Hence there does not exist a $(5,3,2)_3$ jump code.

Case 2: Secondly, we consider the case when there is no coordinate $\ell$ such that $J_\ell|c_i\rangle=0$ for every $i=1,2,3$. In this case, the vectors $|c_i\rangle$ are linear combinations of the twenty vectors in $W_3=\{|x\rangle : x\in F^6_3\}$. Let
$$|c_i\rangle=\sum_{x\in F^6_3}\alpha^{(i)}_x|x\rangle$$

for $i=1,2,3$. Without loss of generality, we choose the vectors $|111000\rangle$ and $|000111\rangle$. Then, similarly to (8) and (9), we obtain for $i\neq j$ the following equations including the terms of $\alpha^{(i)}_{111000}$ and $\alpha^{(i)}_{000111}$:
$$\begin{aligned}
\overline{\alpha^{(i)}_{111000}}\alpha^{(j)}_{111000}+\overline{\alpha^{(i)}_{110100}}\alpha^{(j)}_{110100}+\overline{\alpha^{(i)}_{110010}}\alpha^{(j)}_{110010}+\overline{\alpha^{(i)}_{110001}}\alpha^{(j)}_{110001}&=0,\\
\overline{\alpha^{(i)}_{111000}}\alpha^{(j)}_{111000}+\overline{\alpha^{(i)}_{101100}}\alpha^{(j)}_{101100}+\overline{\alpha^{(i)}_{101010}}\alpha^{(j)}_{101010}+\overline{\alpha^{(i)}_{101001}}\alpha^{(j)}_{101001}&=0,\\
\overline{\alpha^{(i)}_{111000}}\alpha^{(j)}_{111000}+\overline{\alpha^{(i)}_{011100}}\alpha^{(j)}_{011100}+\overline{\alpha^{(i)}_{011010}}\alpha^{(j)}_{011010}+\overline{\alpha^{(i)}_{011001}}\alpha^{(j)}_{011001}&=0,\\
\overline{\alpha^{(i)}_{000111}}\alpha^{(j)}_{000111}+\overline{\alpha^{(i)}_{001011}}\alpha^{(j)}_{001011}+\overline{\alpha^{(i)}_{001101}}\alpha^{(j)}_{001101}+\overline{\alpha^{(i)}_{001110}}\alpha^{(j)}_{001110}&=0,\\
\overline{\alpha^{(i)}_{000111}}\alpha^{(j)}_{000111}+\overline{\alpha^{(i)}_{010011}}\alpha^{(j)}_{010011}+\overline{\alpha^{(i)}_{010101}}\alpha^{(j)}_{010101}+\overline{\alpha^{(i)}_{010110}}\alpha^{(j)}_{010110}&=0,\\
\overline{\alpha^{(i)}_{000111}}\alpha^{(j)}_{000111}+\overline{\alpha^{(i)}_{100011}}\alpha^{(j)}_{100011}+\overline{\alpha^{(i)}_{100101}}\alpha^{(j)}_{100101}+\overline{\alpha^{(i)}_{100110}}\alpha^{(j)}_{100110}&=0.
\end{aligned}$$
Summing up all these equations and subtracting $\sum_{x\in F^6_3}\overline{\alpha^{(i)}_x}\,\alpha^{(j)}_x=0$, we obtain
$$\overline{\alpha^{(i)}_{111000}}\,\alpha^{(j)}_{111000}=-\,\overline{\alpha^{(i)}_{000111}}\,\alpha^{(j)}_{000111}$$
for any $i\neq j$. This can be shown for any $x\in F^6_3$. Hence,
$$\overline{\alpha^{(i)}_E}\,\alpha^{(j)}_E=-\,\overline{\alpha^{(i)}_{E^c}}\,\alpha^{(j)}_{E^c} \qquad (15)$$
for any $E\in\binom V3$ and $i\neq j$, where $E^c=V\setminus E$, $\binom Vk$ is the set of $k$-element subsets of $V$, and $\alpha^{(i)}_E$ stands for $\alpha^{(i)}_x$ with $\mathrm{supp}(x)=E$. By applying the similar calculation to (8) and (9), we obtain
$$|\alpha^{(i)}_E|^2+|\alpha^{(i)}_{E^c}|^2=|\alpha^{(j)}_E|^2+|\alpha^{(j)}_{E^c}|^2 \qquad (16)$$
for any $E\in\binom V3$ and $i\neq j$. By multiplying (15) for $(i,j)=(1,2),(2,3),(3,1)$, we have
$$|\alpha^{(1)}_E\alpha^{(2)}_E\alpha^{(3)}_E|^2=-\,|\alpha^{(1)}_{E^c}\alpha^{(2)}_{E^c}\alpha^{(3)}_{E^c}|^2,$$
which means $\alpha^{(1)}_E\alpha^{(2)}_E\alpha^{(3)}_E=\alpha^{(1)}_{E^c}\alpha^{(2)}_{E^c}\alpha^{(3)}_{E^c}=0$.

Case 1. The case of $\alpha^{(1)}_E=0$ and $\alpha^{(1)}_{E^c}=0$: In this case, by (16), $\alpha^{(i)}_E=0$ and $\alpha^{(i)}_{E^c}=0$ for any $E\in\binom V3$ and $i=1,2,3$. Hence $|c_i\rangle=0$ for any $i$, a contradiction.

Case 2. The case of $\alpha^{(1)}_E=0$ and $\alpha^{(1)}_{E^c}\neq0$: In this case, $\overline{\alpha^{(1)}_{E^c}}\,\alpha^{(2)}_{E^c}=\overline{\alpha^{(1)}_{E^c}}\,\alpha^{(3)}_{E^c}=0$ holds by (15), that is, $\alpha^{(2)}_{E^c}=\alpha^{(3)}_{E^c}=0$. The case of $\alpha^{(2)}_E=0$ or $\alpha^{(3)}_E=0$ results in Case 1. Hence $\overline{\alpha^{(2)}_E}\,\alpha^{(3)}_E\neq0$, which contradicts (15) for $(i,j)=(2,3)$ since $\overline{\alpha^{(2)}_{E^c}}\,\alpha^{(3)}_{E^c}=0$; this also results in Case 1. Hence, the lemma is proved.

By Lemma 12, we find that the $(6,2,2)_3$ jump code in Example 5 has the maximum possible dimension for $n=6$, $k=3$ and $t=2$.

6. A $t$-SEED and a jump code

Though the coefficients $\alpha^{(i)}_x$ of a ket vector $|c\rangle=\sum_{x\in F^n}\alpha_x|x\rangle$ are complex numbers in general, by restricting the values of $\alpha^{(i)}_x$ to 0 and a single normalizing constant chosen so that $\langle c|c\rangle=1$, the combinatorial structure of quantum jump codes becomes closely related to combinatorial designs. Here, we identify a vector $x=(x_1,x_2,\dots,x_n)\in F^n$ with its support set $B=\mathrm{supp}(x)=\{i : x_i=1\}$, and $|x\rangle$ with $|B\rangle$. Then a ket vector $|c\rangle=\sum_{x\in F^n}\alpha_x|x\rangle$ is represented by
$$|c\rangle=|\mathcal B\rangle=\frac{1}{\sqrt{|\mathcal B|}}\sum_{B\in\mathcal B}|B\rangle,$$
where $\mathcal B=\{\mathrm{supp}(x) : \alpha_x\neq0\}$. Now, let $V/E$ be the family of subsets of $V$ including $E\subseteq V$. We define projection matrices
$$M_k=\sum_{x\in F^n_k}|x\rangle\langle x|=\sum_{B\in\binom Vk}|B\rangle\langle B| \quad\text{and}\quad L_E=\sum_{E\subseteq\mathrm{supp}(x)}|x\rangle\langle x|=\sum_{B\in V/E}|B\rangle\langle B|.$$
Then, for $|c\rangle=\sum_{x\in F^n}\alpha_x|x\rangle=|\mathcal B\rangle$,
$$M_k|c\rangle=\sum_{x\in F^n_k}\alpha_x|x\rangle=\frac{1}{\sqrt{|\mathcal B|}}\sum_{B\in\mathcal B\cap\binom Vk}|B\rangle,\qquad L_E|c\rangle=\sum_{\mathrm{supp}(x)\supseteq E}\alpha_x|x\rangle=\frac{1}{\sqrt{|\mathcal B|}}\sum_{B\in\mathcal B\cap(V/E)}|B\rangle$$
hold. By using $M_k$ and $L_E$, the condition (5) for a $t$-error correcting quantum jump code with orthonormal basis $\{|c_i\rangle\}$ can be characterized by
(i) $\langle c_i|M_k|c_i\rangle=1$ for any $i$ and for a given $k$ ($t<k<n-t$),
(ii) $\langle c_i|L_E|c_j\rangle=\delta_{ij}\lambda_E$ for any $i,j$ and $E\subseteq V$ such that $|E|\le t$.
For an orthonormal basis $\{|c_i\rangle=|\mathcal B^{(i)}\rangle : i=1,2,\dots,m\}$, by noting


$$\langle c_i|L_E|c_j\rangle=\frac{1}{\sqrt{|\mathcal B^{(i)}|\,|\mathcal B^{(j)}|}}\sum_{B\in\mathcal B^{(i)}\cap\mathcal B^{(j)},\ B\supseteq E}1,\qquad\text{so that}\qquad \langle c_i|L_E|c_i\rangle=\frac{|\{B\in\mathcal B^{(i)} : B\supseteq E\}|}{|\mathcal B^{(i)}|},$$
we find that (i) and (ii) imply
(T1) $|B|=k$ for any $B\in\mathcal B^{(i)}$,
(T2) $\dfrac{|\{B\in\mathcal B^{(i)} : B\supseteq E\}|}{|\mathcal B^{(i)}|}=\lambda_E$ holds for any $i$ and $E\subseteq V$, $|E|\le t$, where $\lambda_E$ is a constant depending on $E$,
(T3) $\mathcal B^{(i)}\cap\mathcal B^{(j)}=\emptyset$ for $i\neq j$.
For an $n$-set $V$ and $\mathcal B^{(i)}\subseteq\binom Vk$ ($i=1,\dots,m$), if (T1), (T2), (T3) are satisfied, then the system $(V;\mathcal B^{(1)},\dots,\mathcal B^{(m)})$ is called a $t$-spontaneous emission error design, denoted by $t$-$(n,k;m)$ SEED (see Figure 4).

[Figure 4: a $t$-SEED drawn as a partition of $\binom Vk$ into the block families $\mathcal B^{(1)},\mathcal B^{(2)},\dots,\mathcal B^{(m)}$ (with 0/1 incidence matrices $D^{(1)},\dots,D^{(m)}$) and a remainder marked "not used"; a subset $E\subseteq V$ is contained in $\lambda_E|\mathcal B^{(i)}|$ blocks of each $\mathcal B^{(i)}$.]

Note that when $\lambda_E$ depends only on the number of elements $|E|$, a pair $(V,\mathcal B^{(i)})$ is called a $t$-$(n,k,\lambda)$ design, where $\lambda$ is the number $\lambda_E|\mathcal B^{(i)}|$ of blocks containing a $t$-subset $E$. In particular, a $t$-$(n,k,1)$ design is called a Steiner $t$-design, denoted by $S(t,k,v)$. Moreover, if $|\mathcal B^{(i)}|$ is constant and $\bigcup_{i=1}^m\mathcal B^{(i)}=\binom Vk$, the $t$-SEED is called a large set of $t$-$(n,k,\lambda)$ designs, denoted by $LS_\lambda(t,k,n)$. The number of $t$-designs in a large set is $m=\binom{v-t}{k-t}/\lambda$.

Lemma 13 For a fixed $k\le n/2$, [...] Proposition 10.

7. Constructions of $t$-SEEDs

In this section various constructions of $t$-SEEDs are described.

7.1. Large sets

Firstly, known large sets are listed here. For details of large sets, we refer the reader to Khosrovshahi and Tayfeh-Rezaie [20], Colbourn and Dinitz [13] and Teirlinck [31].
(i) An $LS_1(2,3,v)$ exists for all admissible parameters $v\neq7$.
(ii) An $LS(3,4,v)$ exists for $v\equiv0\pmod3$.
(iii) An $LS_{\lambda_{\min}}(4,5,20v+4)$ exists for $\gcd(v,30)=1$.
(iv) An $LS_{60}(4,5,60v+4)$ exists for $\gcd(v,60)=1,2$.
(v) The number of disjoint designs in $LS_\lambda(t,t+1,v)$ is $(v-t)/\lambda$.
(vi) No $LS_1(3,4,v)$ is known.
(vii) Etzion and Hartman (1991) obtained a near large set with $v-5$ disjoint 3-$(v,4,1)$ designs for $v=5\cdot2^n$.
(viii) An $LS_3(3,4,v)$ exists for $v\equiv0,6\pmod{12}$.
(ix) An $LS_6(3,4,v)$ exists for $v\equiv9\pmod{12}$.
(x) An $LS_{12}(3,4,v)$ exists for $v\equiv3\pmod{12}$.

7.2. $t$-SEEDs derived from orthogonal arrays

Let $S$ be a set of $q$ elements. A $q^t\times k$ array $A$ with elements in $S$ is called an orthogonal array, denoted by $OA(t,k,q)$, if each ordered $t$-tuple occurs exactly once in any $t$ columns of $A$. A large set of orthogonal arrays $LOA(t,k,q)$ is a collection $\{A_r\}_{r\in R}$ of $OA(t,k,q)$s such that every ordered $k$-tuple over $S$ occurs exactly once in one of the $A_r$. Note that $|R|=q^{k-t}$. The following is known (see Raghavarao [26]):

Proposition 14 If there is an $OA(t,k,q)$, then there is a large set $LOA(t,k,q)$.

By this proposition, we obtain the following:

Theorem 15 If there exists an $OA(t,k,q)$, then there exists a $t$-$(kq,k;q^{k-t})$ SEED.

Example 16 If $q$ is a prime power, then there exists a $t$-$(qk,k;q^{k-t})$ SEED for $k\le q+1$.

Remark: Beth et al. [8] obtained a $t$-SEED for $k=q$. Moreover, Beth et al. [8] claimed that
$$\frac{\log(\text{dim. of jump code by Theorem 15})}{\log(\text{the upper bound of (14)})}=\frac{(q-t)\log q}{\log\binom{q^2-t}{q-t}}\to1$$
as $q\to\infty$ for fixed $t$. On the other hand, it holds that
$$\frac{\text{dim. of jump code by Theorem 15}}{\text{the upper bound of (14)}}=\frac{q^{q-t}}{\binom{q^2-t}{q-t}}\to0 \qquad (17)$$
as $q\to\infty$ for fixed $t$. Hence, we may pose the question whether there is a sequence of $t$-SEEDs which is asymptotically optimal in the sense that (17) tends to 1, other than the series of large sets.

7.3. Product methods and recursive constructions

Let $(V_1;\mathcal B^{(1)},\dots,\mathcal B^{(m)})$ be a $t$-$(n,k;m)$ SEED and let the $k\times q^t$ matrices $A^{(\ell)}=(a^{(\ell)}_{ij})$ form an $LOA(t,k,q)$ with elements $\{0,1,\dots,q-1\}$. Let $V=V_1\times\{0,1,\dots,q-1\}$ and construct families of blocks


$$\mathcal B^{(h,\ell)}=\bigl\{\{(b_1,a^{(\ell)}_{1j}),\dots,(b_k,a^{(\ell)}_{kj})\} : (b_1,\dots,b_k)\in\mathcal B^{(h)},\ j=1,\dots,q^t\bigr\}$$
for $h=1,\dots,m$ and $\ell=1,\dots,q^{k-t}$. Then, we obtain the following theorem.

Theorem 17 If there are a $t$-$(n,k;m)$ SEED and an $LOA(t,k,q)$, then there is a $t$-$(nq,k;mq^{k-t})$ SEED.

Applying this recursive construction to Theorem 15, we obtain the following:

Corollary 18 For a prime power $q$, a $t$-$(q^n(q+1),q+1;q^{n(q+1-t)})$ SEED exists.

Beth et al. [8] gave a construction which combines a quantum jump code and a usual quantum code.

Theorem 19 (Beth et al. [8]) Let $C=(n,p,t)_k$ be a jump code of prime dimension $p$. Furthermore, let $C_p=[[N,K,D]]_p$ be a quantum error-correcting code in the space $(\mathbb C^p)^{\otimes N}$. Then the concatenation of $C$ as inner and $C_p$ as outer code yields a jump code $C'=(Nn,p^K,T)_{Nw}$ on $Nn$ qubits with $T\ge D(t+1)-1$.

A $t$-$(n,k;m)$ SEED $(V;\mathcal B^{(1)},\dots,\mathcal B^{(m)})$ is said to be $s$-resolvable if each $\mathcal B^{(i)}$ is partitioned into $h$ subfamilies $\mathcal B^{(i,1)},\dots,\mathcal B^{(i,h)}$ and $(V;\mathcal B^{(1,1)},\mathcal B^{(1,2)},\dots,\mathcal B^{(m,h)})$ forms an $s$-$(n,k;mh)$ SEED.

Theorem 20 If there is a $\lfloor t/2\rfloor$-resolvable $t$-$(n,k;m)$ SEED $(V;\mathcal B^{(1)},\dots,\mathcal B^{(m)})$, then there exists a $t$-$(nv,2k;hm)$ SEED for any $v\ge2$, where $h$ is the number of subfamilies $\mathcal B^{(i,j)}$ in $\mathcal B^{(i)}$.

We will give an example of Theorem 20. Let $K_n$ be the complete graph of order $n$. For even $n$, a 1-factor of $K_n$ is a set of $n/2$ independent edges. A 1-factorization of $K_n$ is a partition of the edges of $K_n$ into $n-1$ one-factors. For any even $n$, there exists a 1-factorization of $K_n$. A 1-factorization can be seen as a 1-resolvable 3-$(n,2;1)$ SEED. Hence, by Theorem 20, we obtain the following corollary.

Corollary 21 For any even $n$ and for any integer $v\ge2$, there is a 3-$(nv,4;n-1)$ SEED, which is an $(nv,n-1,3)_4$ jump code.

Remark: In this case, the upper bound (14) on the dimension is $nv-3$. When $v\ge3$ this is better than that of Corollary 2 for $k=4$, $t=3$.

Example 22 In Figure 5 and Table 1, a 1-factorization of $K_4$ is presented. A column of Table 1 corresponds to an edge, and any two columns separated by vertical lines correspond to a 1-factor. In Table 2, each column corresponds to a block. Let $V=\{0_0,1_0,2_0,3_0,0_1,1_1,2_1,3_1\}$; then a four-tuple $(a,b\,|\,c,d)$ means the block $\{a_0,b_0,c_1,d_1\}$.
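The construction of Theorem 15 and the conditions (T1)-(T3) of Section 6 can be exercised on a small instance. The following is an added Python example, not the paper's code: it builds an $LOA(t,k,q)$ for prime $q$ and $k\le q$ by polynomial evaluation over $\mathbb Z_q$ (a Reed-Solomon type construction chosen for this example; the paper itself only cites Raghavarao [26] for Proposition 14), turns each array into a block family on the $kq$ points $\{1,\dots,k\}\times\{0,\dots,q-1\}$ exactly as in Theorem 15, and verifies (T1), (T2) and (T3) directly. All function names are this example's own.

```python
"""Theorem 15 worked out: an LOA(t, k, q) gives a t-(kq, k; q^(k-t)) SEED (added example).

The large set of orthogonal arrays is built by polynomial evaluation over Z_q
(q prime, k <= q): the k-tuple of a polynomial f of degree < k is
(f(0), ..., f(k-1)); fixing the coefficients of degree >= t gives one class of
q^t tuples, and any t columns of a class show every t-tuple once because a
polynomial of degree < t is determined by its values at t distinct points.
"""
from fractions import Fraction
from itertools import combinations, product


def poly_eval(coeffs, x, q):
    return sum(c * pow(x, d, q) for d, c in enumerate(coeffs)) % q


def loa_from_polynomials(t, k, q):
    """Partition all q^k k-tuples over Z_q into q^(k-t) arrays OA(t, k, q)."""
    arrays = []
    for high in product(range(q), repeat=k - t):
        rows = []
        for low in product(range(q), repeat=t):
            coeffs = list(low) + list(high)          # c_0 ... c_{k-1}
            rows.append(tuple(poly_eval(coeffs, x, q) for x in range(k)))
        arrays.append(rows)
    return arrays


def is_orthogonal_array(rows, t, q):
    """Every ordered t-tuple occurs exactly once in any t columns."""
    k = len(rows[0])
    for cols in combinations(range(k), t):
        seen = [tuple(r[c] for c in cols) for r in rows]
        if len(seen) != q ** t or len(set(seen)) != q ** t:
            return False
    return True


def seed_from_loa(arrays):
    """Theorem 15: row (a_1, ..., a_k) -> block {(1, a_1), ..., (k, a_k)}."""
    return [frozenset(frozenset((c + 1, a) for c, a in enumerate(r)) for r in rows)
            for rows in arrays]


def check_seed(families, points, k, t):
    """(T1) every block has k points; (T2) for each E with |E| <= t the fraction
    of blocks of B^(i) containing E is the same for all i; (T3) the families are
    pairwise disjoint.  Returns (ok, {E: lambda_E})."""
    lam = {}
    for fam in families:
        if any(len(B) != k for B in fam):
            return False, lam
        for s in range(t + 1):
            for E in combinations(sorted(points), s):
                E = frozenset(E)
                frac = Fraction(sum(1 for B in fam if E <= B), len(fam))
                if lam.setdefault(E, frac) != frac:
                    return False, lam
    for f1, f2 in combinations(families, 2):
        if f1 & f2:
            return False, lam
    return True, lam


def theorem15_seed(t, k, q):
    """Return (families, points) of the t-(kq, k; q^(k-t)) SEED of Theorem 15."""
    arrays = loa_from_polynomials(t, k, q)
    points = {(c, v) for c in range(1, k + 1) for v in range(q)}
    return seed_from_loa(arrays), points


if __name__ == "__main__":
    fams, pts = theorem15_seed(2, 3, 3)           # a 2-(9, 3; 3) SEED
    ok, lam = check_seed(fams, pts, 3, 2)
    print("2-(9,3;3) SEED:", ok,
          "lambda for two points in different columns:", lam[frozenset({(1, 0), (2, 1)})],
          "same column:", lam[frozenset({(1, 0), (1, 1)})])
```

The printed values show why the result is a SEED rather than a $t$-design: $\lambda_E$ is $1/q^t$ when the $t$ points of $E$ lie in distinct columns and 0 when two of them share a column, so it depends on $E$ and not only on $|E|$, which is exactly what (T2) permits.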

[Figure 5: the complete graph $K_4$ on the vertices 0, 1, 2, 3 and its three 1-factors, labelled 1-Factor 1, 1-Factor 2, 1-Factor 3.]

Table 1. The 1-factorization of $K_4$ used in Example 22 (two columns between vertical lines form one 1-factor)
Factor 1: (0,1) (2,3) | Factor 2: (0,2) (1,3) | Factor 3: (0,3) (1,2)

Table 2. A 3-$(8,4;3)$ SEED for $n=4$, $v=2$, $m=1$, $h=n-1=3$; each entry $(a,b\,|\,c,d)$ is the block $\{a_0,b_0,c_1,d_1\}$
$\mathcal B^{(1)}$: (0,1|0,1) (0,1|2,3) (2,3|0,1) (2,3|2,3) (0,2|0,2) (0,2|1,3) (1,3|0,2) (1,3|1,3) (0,3|0,3) (0,3|1,2) (1,2|0,3) (1,2|1,2)
$\mathcal B^{(2)}$: (0,1|0,2) (0,1|1,3) (2,3|0,2) (2,3|1,3) (0,2|0,3) (0,2|1,2) (1,3|0,3) (1,3|1,2) (0,3|0,1) (0,3|2,3) (1,2|0,1) (1,2|2,3)
$\mathcal B^{(3)}$: (0,1|0,3) (0,1|1,2) (2,3|0,3) (2,3|1,2) (0,2|0,1) (0,2|2,3) (1,3|0,1) (1,3|2,3) (0,3|0,2) (0,3|1,3) (1,2|0,2) (1,2|1,3)

7.4. 2- and 3-SEEDs derived from affine geometry

It is well known that the set of planes in $AG(n,q)$ yields a 2-$(v=q^n,k=q^2,\lambda=(q^{n-1}-1)/(q-1))$ design.

Lemma 23 The 2-design generated by the set of 2-flats in $AG(n,q)$ is decomposed into
(i) $\dfrac{q^{n-1}-1}{q^2-1}$ 2-$(v=q^n,k=q^2,\lambda=q+1)$ designs when $n$ is odd, and
(ii) $\dfrac{q^{n-1}-q}{q^2-1}$ 2-$(v=q^n,k=q^2,\lambda=q+1)$ designs and one 2-$(v=q^n,k=q^2,\lambda=1)$ design when $n$ is even.

Munemasa [25] showed better results for $q=2$ by examining the orbit structure of $PG(2n-1,2)$.

Lemma 24 (Munemasa [25]) The number of lines in $PG(2n-1,2)$ whose orbit under the subgroup of index 3 in the Singer group is a spread is given by
$$\frac{1}{27}(2^n-1)\bigl(2^n+(-1)^{n+1}\bigr)^2. \qquad (18)$$

By using Lemma 24, we can obtain a 2-SEED.

Example 25 $PG(7,2)$ has $2^8-1=255$ points and
$$\frac{(2^8-1)(2^7-1)}{(2^2-1)(2-1)}=255\cdot42+85$$
lines. These lines are partitioned into 42 full Singer orbits and a single short orbit of length 85. For a line $L$ in a full orbit, $\{a(L\cup\{0\})+b : a\in GF(2^8)^*,\ b\in GF(2^8)\}$ generates a 2-$(2^8,4,3)$ design, and a line in the short orbit generates a 2-$(2^8,4,1)$ design. Among those 42 full orbits there are 8 orbits each of which can be partitioned into 3 spreads of lines. Actually, for a root $\omega$ of the primitive irreducible polynomial $x^8+x^5+x^3+x^2+x+1$, $B=\{\omega^0,\omega^7,\omega^{173}\}$ and its Frobenius cycle of length 8 are lines in such orbits. Hence, we obtain 24 spreads, and each of these spreads generates a 2-$(2^8,4,1)$ design. In total, we obtain $(24+1)$ 2-$(2^8,4,1)$ designs and $(42-8)$ 2-$(2^8,4,3)$ designs, which generate a 2-$(2^8,4;59)$ SEED.

In general, by Lemmas 23 and 24 it holds that the number of full orbits is
$$\frac{2^{2n-1}-2}{3}.$$
Among these, there are
$$\frac{(2^n+(-1)^{n+1})^2-9}{27}$$
orbits which can be partitioned into 3 spreads. Hence, we obtain the following theorem.

Theorem 26 The 2-design generated by the set of 2-flats in $AG(2n,2)$ is decomposed into
$$\frac{2^{2n-1}-2}{3}-\frac{(2^n+(-1)^{n+1})^2-9}{27}$$
disjoint 2-$(2^{2n},4,3)$ designs and
$$\frac{(2^n+(-1)^{n+1})^2-9}{9}+1$$
disjoint 2-$(2^{2n},4,1)$ designs. Hence, there is a 2-$(2^{2n},4;f_{2n})$ SEED, where
$$f_{2n}=\frac{2^{2n-1}-2}{3}+1+\frac{2\{(2^n+(-1)^{n+1})^2-9\}}{27}.$$

Now, for $V=GF(2)^n$, let $\sigma$ be the mapping $\sigma : x\mapsto x^s$ for $x\in V$. Then our problem is to find the condition on $s$ in order that $D$ and $\sigma(D)$ are disjoint, where $D$ is the 3-design generated from the 2-flats of $AG(n,2)$. When $s=2^i$, $\sigma : x\mapsto x^{2^i}$ is a Frobenius automorphism of $D$; in this case, $\sigma(D)=D$. Let $D=(V,\mathcal B)$ be the 3-$(2^f,4,1)$ design derived from the 2-flats of $AG(f,2)$. Let $s$ be an integer such that $(s,n)=1$, where $n=2^f-1$. Then $\sigma : x\mapsto x^s$ is a bijection on $V=GF(2^f)$ and $\sigma(D)=D_s$ is isomorphic to $D$.


Lemma 27 If $s\in\mathbb Z_n$ satisfies
(i) $\gcd(s,n)=1$,
(ii) $(1+x)^s\neq1+x^s$ for any $x\in GF(2^n)\setminus\{0,1\}$,
(iii) $(1+x+y)^s\neq1+x^s+y^s$ for any $x\neq y\in GF(2^n)\setminus\{0,1\}$,
then the designs $D_s$ and $D$ are isomorphic and disjoint.

Lemma 28 When $f$ is odd, $s=3$ satisfies the conditions (i), (ii), (iii) of Lemma 27.

Remark: If $s$ satisfies the conditions (i), (ii), (iii), then $2^is$ and $s^{-1}\pmod n$ also do. When $m\le12$ is even, $s=1$ is the only parameter satisfying the conditions (i) and (ii).
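Lemma 27 and Lemma 28 can be checked by computer for small $f$. The following is an added Python example, not the paper's code: it builds $D$ as the set of 4-subsets of $GF(2^5)$ with zero sum (the 2-flats of $AG(5,2)$), applies $x\mapsto x^s$, tests the three conditions of Lemma 27 for a given $s$, and checks the disjointness of $D$ and $D_s$ directly; it also lists every $s$ for which $D_s$ is disjoint from $D$ and checks the closure properties stated in the Remark. The field is realised with the primitive polynomial $x^5+x^2+1$, an assumption of this example (the paper fixes no polynomial for $f=5$); function names are the example's own.

```python
"""Lemma 27 and Lemma 28 checked in GF(2^5) (added example).

D is the 3-(2^f, 4, 1) design whose blocks are the 2-flats {a, b, c, a+b+c}
of AG(f, 2), i.e. the 4-subsets of GF(2^f) with zero sum (elements are
integers 0..2^f-1 read as coefficient vectors, so a+b is a ^ b).  D_s is the
image of D under x -> x^s.  Field multiplication uses the primitive polynomial
x^5 + x^2 + 1, an assumption of this example.
"""
from itertools import combinations
from math import gcd

F = 5
MOD = 0b100101                 # x^5 + x^2 + 1
N = (1 << F) - 1               # n = 2^f - 1


def gf_mul(a, b):
    """Multiplication in GF(2^F): shift-and-add, reducing by MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> F:
            a ^= MOD
    return r


def gf_pow(a, s):
    r = 1
    while s:
        if s & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        s >>= 1
    return r


def design_D():
    """All 4-subsets {a, b, c, a^b^c} of GF(2^F): the 2-flats of AG(F, 2)."""
    blocks = set()
    for a, b, c in combinations(range(1 << F), 3):
        d = a ^ b ^ c
        if d not in (a, b, c):
            blocks.add(frozenset((a, b, c, d)))
    return blocks


AG_DESIGN = design_D()


def design_Ds(D, s):
    """Image of D under the power map x -> x^s."""
    return {frozenset(gf_pow(x, s) for x in B) for B in D}


def lemma27_conditions(s):
    """(i) gcd(s, n) = 1, (ii) (1+x)^s != 1+x^s, (iii) (1+x+y)^s != 1+x^s+y^s."""
    others = [x for x in range(1 << F) if x not in (0, 1)]
    cond_i = gcd(s, N) == 1
    cond_ii = all(gf_pow(1 ^ x, s) != 1 ^ gf_pow(x, s) for x in others)
    cond_iii = all(gf_pow(1 ^ x ^ y, s) != 1 ^ gf_pow(x, s) ^ gf_pow(y, s)
                   for x, y in combinations(others, 2))
    return cond_i, cond_ii, cond_iii


def disjoint_from_D(s):
    return AG_DESIGN.isdisjoint(design_Ds(AG_DESIGN, s))


def good_exponents():
    """All s in 1..n-1 for which D and D_s are disjoint (compare Table 3, f = 5)."""
    return [s for s in range(1, N) if gcd(s, N) == 1 and disjoint_from_D(s)]


if __name__ == "__main__":
    print("blocks of D:", len(AG_DESIGN))
    print("Lemma 27 conditions for s = 3:", lemma27_conditions(3))
    print("D and D_3 disjoint:", disjoint_from_D(3),
          "; D_2 = D:", design_Ds(AG_DESIGN, 2) == AG_DESIGN)
    print("exponents s with D_s disjoint from D:", good_exponents())
```

For $s=3$ the conditions can also be seen by hand, which is the content of Lemma 28: $(1+x)^3+1+x^3=x(1+x)$ and $(1+x+y)^3+1+x^3+y^3=(x+y)(1+x)(1+y)$ in characteristic 2, both nonzero under the stated restrictions on $x,y$. The list returned by `good_exponents()` is closed under $s\mapsto2s$ and $s\mapsto s^{-1}\pmod n$, as the Remark states.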

Table 3. List of $s$ such that $D$ and $D_s$ are disjoint
m   # of s   representatives of s
3   2        1, 3
5   6        1, 3, 5, 7, 11, 15
7   12       1, 3, 5, 9, 11, 13, 15, 23, 27, 29, 43, 63
9   14       1, 3, 5, 13, 17, 19, 27, 31, 47, 59, 87, 103, 171, 255
11  24       1, 3, 5, 9, 13, 17, 33, 35, 43, 57, 63, 95, 107, 117, 143, 151, 231, 249, 315, 365, 411, 413, 683, 1023
13  28       1, 3, 5, 9, 13, 17, 33, 57, 65, 67, 71, 127, 171, 191, 241, 287, 347, 367, 635, 723, 911, 1243, 1245, 1453, 1639, 1691, 2731, 4095

Assume that $s$ and $s'$ satisfy the conditions of Lemma 27. Then $D_s$ and $D_{s'}$ are also disjoint when $s's^{-1}\pmod n$ satisfies the conditions. By choosing a set $S$ such that $s's^{-1}\pmod n$ satisfies the conditions for each $s,s'\in S$, we obtain a set of disjoint $D_s$'s.

Example 29 (i) For $f=5$, $s=1,3,5,7,11,15$ generate six disjoint 3-$(2^5,4,1)$ designs. (ii) For $f=7$, $s=1,3,5,9,15,43$ generate six disjoint 3-$(2^7,4,1)$ designs.

Hence, we obtain the following $t$-SEEDs:

Lemma 30 There exists a 3-$(2^f,4;d_f)$ SEED containing a 2-$(2^f,4;d_f2^{f-1})$ SEED, where $d_f=2,6,6,\dots$ for $f=3,5,7,\dots$.

7.5. 5-SEEDs derived from the Golay code

In this section, we review mutually disjoint 5-designs related to the Golay code and self-dual codes. Kramer and Magliveras [21] constructed 9 mutually disjoint Steiner systems $S(5,8,24)$ by finding 8 permutations on 24 points. Araya [4] also constructed 15 mutually disjoint Steiner systems $S(5,8,24)$ by a computer search. The following results were shown by Jimbo and Shiromoto [18].


Theorem 31 There exist at least 22 mutually disjoint Steiner systems $S(5,8,24)$. Hence a 5-$(24,8;22)$ SEED exists.

Theorem 31 can be obtained by making 22 disjoint isomorphic 5-$(24,8,1)$ designs from the Golay code. We will give a brief proof of Theorem 31. Let $G_{24}$ be the binary extended Golay $[24,12,8]$ code with parity-check matrix
$$H(G_{24})=\bigl[\,I_{12}\;\big|\;A\,\bigr],\qquad A=\begin{pmatrix}A_{11} & \mathbf 1\\ \mathbf 1^{T} & 0\end{pmatrix},$$
that is, writing each row as its 24 coordinates,
100000000000 110111000101
010000000000 011011100011
001000000000 101101110001
000100000000 010110111001
000010000000 001011011101
000001000000 000101101111
000000100000 100010110111
000000010000 110001011011
000000001000 111000101101
000000000100 011100010111
000000000010 101110001011
000000000001 111111111110
Note that $A_{11}$ is a circulant matrix (its first row is $1\,1\,0\,1\,1\,1\,0\,0\,0\,1\,0$), and the Hamming distance between any two distinct row vectors of $A_{11}$ is 6. Let $\sigma=(13,14,\dots,23)$ and $\tau=(1,13)(2,14)\cdots(11,23)$ be the coordinate permutations which act on the vector space $GF(2)^{24}$. We denote the zero vector and the all-one vector by $\mathbf 0$ and $\mathbf 1$, respectively. For any positive integer $m$, let $J_m$ be the all-one $m\times m$ matrix. The following lemma is well known and is essential (see, for instance, Ch. 16 in [22]).

Lemma 32 Let $X$ be a circulant matrix with first row $(c_0,c_1,\dots,c_{n-1})$ over a finite field. $X$ is invertible if and only if $a_0(x)=c_0+c_1x+\cdots+c_{n-1}x^{n-1}$ is relatively prime to $x^n-1$.

Now the following three lemmas are obtained.

Lemma 33 For any $i,j\in\{0,1,\dots,10\}$, $i\neq j$, the intersection of the codes $G_{24}\sigma^i$ and $G_{24}\sigma^j$ is $\{\mathbf 0,\mathbf 1,x,x+\mathbf 1\}$, where $x$ is the weight 12 vector $(0,\dots,0,1,\dots,1,0)$.

Lemma 34 For any $i,j\in\{0,1,\dots,10\}$, $i\neq j$, the intersection of the codes $G_{24}\tau\sigma^i$ and $G_{24}\tau\sigma^j$ is $\{\mathbf 0,\mathbf 1,y,y+\mathbf 1\}$, where $y$ is the weight 12 vector $(1,\dots,1,0,\dots,0)$.

Lemma 35 For any $i$ and $j$, the intersection of the codes $G_{24}\sigma^i$ and $G_{24}\tau\sigma^j$ is $\{\mathbf 0,\mathbf 1\}$.

By summarizing these results, we have the following:

Theorem 36 Let $\sigma=(13,14,\dots,23)$ and $\tau=(1,13)(2,14)\cdots(11,23)$ be the permutations on 24 points and let $H$ be the set of all permutations of the form $\tau^l\sigma^i$ in the permutation group $S_{24}$. Let $\mathcal B$ be the set of supports of all the Hamming weight 8 codewords in $G_{24}$. Then $\{\mathcal B^g : g\in H\}$ forms a set of 22 mutually disjoint Steiner systems $S(5,8,24)$.

In Theorem 36, for any subset $K$ of $H$, the collection $\bigcup_{g\in K}\mathcal B^g$ can be viewed as the set of blocks of a simple 5-$(24,8,|K|)$ design. Then we have the following result as a corollary of Theorem 36.


Corollary 37 There exist simple 5-$(24,8,m)$ designs for $m=1,2,\dots,22$.

It is also known that the set of supports of the codewords of Hamming weight 12 in $G_{24}$ forms a 5-$(24,12,48)$ design. From Lemma 35, there are no codewords of Hamming weight 12 in the intersection of $G_{24}\sigma^i$ and $G_{24}\tau\sigma^j$.

Corollary 38 There exist at least two mutually disjoint 5-$(24,12,48)$ designs, and there exist simple 5-$(24,12,48m)$ designs for $m=1,2$.

Recently, Araya and Harada [5] found the following by a computer search.

Theorem 39 (Araya and Harada [5]) There exist at least 50 mutually disjoint Steiner systems $S(5,8,24)$. Hence a 5-$(24,8;50)$ SEED exists.

Theorem 40 (Araya and Harada [5]) There exist at least 35 mutually disjoint 5-$(24,12,48)$ designs. Hence a 5-$(24,12;35)$ SEED exists.

Similar results were obtained for a quadratic residue code of length 48.

Theorem 41 (Jimbo and Shiromoto [18]) There exist at least 46 mutually disjoint simple 5-$(48,12,8)$ designs. Hence a 5-$(48,12;46)$ SEED exists.

The above results are based on the binary extended Golay code of length 24 and a quadratic residue code of length 48. Angata and Shiromoto [3] and Araya, Harada, Tonchev and Wassermann [6] independently generalized the results to the case of the Pless symmetry (ternary) codes.

Theorem 42 (Angata and Shiromoto [3]) There exist at least
(i) 34 mutually disjoint 5-$(36,k,\lambda)$ designs for each $(k,\lambda)=(12,45),(15,5577)$;
(ii) 58 mutually disjoint 5-$(60,k,\lambda)$ designs for each $(k,\lambda)=(18,3060),(21,449820),(24,34337160),(27,1271766600)$.

Remark: Araya, Harada, Tonchev and Wassermann [6] found 17 mutually disjoint 5-$(36,12,45)$ designs.

Theorem 43 (Angata and Shiromoto [3], Araya, Harada, Tonchev, Wassermann [6]) There exist at least 11 mutually disjoint 5-$(24,9,6)$ designs.

Theorem 44 (Angata and Shiromoto [3]) There exist at least 23 mutually disjoint 5-$(48,k,\lambda)$ designs for each $(k,\lambda)=(15,364),(18,50456),(21,2957388)$.

By these results, the following is obtained:

Corollary 45 There exist
(i) a 5-$(36,k;34)$ SEED for $k=12,15$,
(ii) a 5-$(60,k;58)$ SEED for $k=18,21,24,27$,
(iii) a 5-$(24,9;11)$ SEED, and
(iv) a 5-$(48,k;23)$ SEED for $k=15,18,21$.


Moreover, Araya, Harada, Tonchev and Wassermann [6] obtained the following. Theorem 46 (Araya, Harada, Tonchev and Wassermann [6]) There exist at least (i) (ii) (iii) (iv) (v) (vi) 3 mutually disjoint 5-(18, 8, 6) designs, 5 mutually disjoint 5-(24, 10, 36) designs, 2 mutually disjoint 5-(25, 9, 30) designs, 2 mutually disjoint 5-(30, 12, 220) designs, 4 mutually disjoint 5-(32, 6, 3) designs. 4 mutually disjoint 5-(33, 7, 4) designs.

Corollary 47 There exist a 5-(18, 8; 2) SEED, a 5-(24, 10; 5) SEED, a 5-(25, 9; 2) SEED, a 5-(30, 12; 2) SEED, a 5-(32, 6; 4) SEED and a 5-(33, 7; 4) SEED.

7.6. More SEEDs from codes

By the theorem of Assmus and Mattson [7], the codewords of weight k of the codes in Table 4 form 3-designs or 5-designs. If such a design can be partitioned into subdesigns, 3-SEEDs are obtained. The results in Table 4 were reported by Shiromoto [27].

Table 4. Partition of t-designs derived from codes (columns: code, Aut(C), weights, designs (*1), λ's of subdesigns (*2))

Extended BCH [32, 21, 6] code; weights 6, 8, 10, 12, 14, 16; designs 3-(32,6,4), 3-(32,8,119), 3-(32,10,1464), 3-(32,12,10120), 3-(32,14,32760), 3-(32,16,68187).
Its dual [32, 11, 12] code; weights 12, 16; designs 3-(32,12,22), 3-(32,16,119).
Extended BCH [32, 16, 8] code; weights 12, 16; designs 3-(32,12,616), 3-(32,16,4123).
Self-dual extended QR [32, 16, 8] code; weights 8, 12, 16; designs 3-(32,8,7), 3-(32,12,616), 3-(32,16,4123).
Self-dual extended QR [48, 24, 12] code; weights 12, 16, 20; designs 5-(48,12,8), 5-(48,16,1365), 5-(48,20,36176).

Aut(C) column as printed: AΓL(1, 32), PSL(2, 47), PSL(2, 31), AGL(2, 5), AΓL(1, 32).
λ's of subdesigns as printed: 4; 56, 56, 7; 120; 24; 220; 43, 44, 22; 3, 110; 5; 364; 90; 560; 119, 112; 5, 140; 7, 7; 22; 7, 112; 616; 3136, 7, 980; 7; 11, 165, 110, 330; 112, 336, 560, 840, 210, 140, 105, 840, 560, 420; 3-(48,12,λ): 110, 55, 55; unknown; unknown.

(*1) Assmus and Mattson (1969). (*2) Computations of subdesigns using MAGMA were assisted by M. Angata.

From these computational results, the following theorem is obtained.

Theorem 48 There exist a 3-(32, 8; 3) SEED, a 3-(32, 10; 24) SEED, a 3-(32, 12; 52) SEED, a 3-(32, 14; 90) SEED, and a 3-(32, 16; 132) SEED.


8. Concluding remarks and open problems

In this paper, we considered constructions of t-error correcting jump codes and t-SEEDs. Besides the constructions of t-SEEDs reviewed in this paper, more constructions are presented in Beth et al. [8] and Charnes and Beth [12]. Beth et al. [8] gave a construction of (n, 2, t)_k jump codes by using isodual binary codes, which was extended by Charnes and Beth [12] utilizing a group theoretical technique. However, only a few results are known for optimal t-SEEDs attaining the upper bound (16) for t ≥ 2. In general, t-SEEDs have weaker combinatorial conditions than large sets, but we do not know any example of an optimal t-SEED other than a large set.

Problem 49 Is there an optimal t-SEED attaining the upper bound (16) for t ≥ 2, other than a large set?

A jump code can be considered as a continuous version of a t-SEED or of a system of disjoint t-designs: balancedness is generalized to constancy of the inner product, whereas disjointness corresponds to orthogonality. It is obvious that if there is a t-(n, k; m) SEED, then there is an (n, m, t)_k jump code. But it may not be known whether there is an example of an (n, m, t)_k jump code in a case where there is no t-(n, k; m) SEED.

Problem 50 Is there an (n, m, t)_k jump code even if there is no t-(n, k; m) SEED? In particular, a (7, 3, 2)_3 jump code can be constructed from two disjoint 2-(7, 3, 1) designs and one 2-(7, 3, 3) design, but the upper bound for m is 5. Is there a (7, m, 2)_3 jump code for m = 4 or 5?

Problem 51 If there is an LS_1(t, k, n), it is optimal in the sense that it attains the upper bound (14). However, when there is no LS_1(t, k, n), can we find an optimal or asymptotically optimal t-(n, k; m) SEED for t ≥ 2?

In Subsection 7.5, we showed that there are 22 disjoint 5-(24, 8, 1) designs, whereas Harada [16] found 50 disjoint 5-(24, 8, 1) designs by computer search. If an LS_1(5, 8, 24) exists, it must consist of 3 · 17 · 19 disjoint 5-(24, 8, 1) designs. Similarly, we wonder whether an LS_48(5, 12, 24) exists or not. We pose here two challenging problems.

Problem 52 Does there exist an LS_1(5, 8, 24)?

Problem 53 Does there exist an LS_48(5, 12, 24)?

Acknowledgements

The first author wishes to thank the ASI and the organizers, Professor Dean Crnković and Professor Vladimir Tonchev, for giving him a chance to attend such an extremely well-organized conference and for their support.


References

[1] G. Alber, T. Beth, C. Charnes, A. Delgado, M. Grassl and M. Mussinger, Stabilizing distinguishable qubits against spontaneous decay by detected-jump correcting quantum codes, Physical Review Letters, 86 (2001) 4402-4405.
[2] G. Alber, T. Beth, C. Charnes, A. Delgado, M. Grassl and M. Mussinger, Detected-jump-error-correcting quantum codes, quantum error designs, and quantum computation, Physical Review A, 68 (2003), 012316.
[3] M. Angata and K. Shiromoto, Mutually disjoint 5-designs from Pless symmetry codes, submitted to J. Statist. Theory and Practice (2010).
[4] M. Araya, More mutually disjoint Steiner systems S(5, 8, 24), J. Combin. Theory, Ser. A 102 (2003), 201-203.
[5] M. Araya and M. Harada, Mutually disjoint Steiner systems S(5, 8, 24) and 5-(24, 12, 48) designs, Electronic J. Combinatorics, 17 (2010) N1.
[6] M. Araya, M. Harada, V. D. Tonchev and A. Wassermann, Mutually disjoint designs and new 5-designs derived from groups and codes, to appear in J. Combin. Designs (2010).
[7] E. F. Assmus Jr. and H. F. Mattson Jr., New 5-designs, J. Combin. Theory 6 (1969), 122-151.
[8] T. Beth, C. Charnes, M. Grassl, G. Alber, A. Delgado and M. Mussinger, A new class of designs which protect against quantum jumps, Designs, Codes and Cryptography, 29 (2003), 51-70.
[9] A. R. Calderbank and P. W. Shor, Good quantum error-correcting codes exist, Physical Review A, 54 (2) (1996) 1098-1105.
[10] A. R. Calderbank, E. M. Rains, P. W. Shor and N. J. A. Sloane, Quantum error correction and orthogonal geometry, Phys. Rev. Lett., 78 (1997) 405-408.
[11] A. R. Calderbank, E. M. Rains, P. W. Shor and N. J. A. Sloane, Quantum error correction via codes over GF(4), IEEE Trans. Inform. Theory 44 (4) (1998) 1369-1387.
[12] C. Charnes and T. Beth, Combinatorial aspects of jump codes, Discrete Math., 294 (2005) 43-51.
[13] C. J. Colbourn and J. H. Dinitz, Handbook of Combinatorial Designs (2nd edition), CRC Press, Boca Raton, 2007.
[14] A. Ekert and C. Macchiavello, Quantum error correction for communication, Physical Review Letters, 77 (12) (1996) 2585-2588.
[15] M. Grassl, T. Beth and T. Pellizzari, Codes for the quantum erasure channel, Physical Review A, 56 (1997) 33-38.
[16] M. Harada, private communication (2010).
[17] W. Huffman and V. Pless, Fundamentals of Error-Correcting Codes, Cambridge University Press, 2003.
[18] M. Jimbo and K. Shiromoto, A construction of mutually disjoint Steiner systems from isomorphic Golay codes, J. Combin. Theory Ser. A, 116 (2009) 1245-1251.
[19] O. Kern and G. Alber, Suppressing decoherence of quantum algorithms by jump codes, European Physical J. D, 36 (2005) 241-248.
[20] G. B. Khosrovshahi and B. Tayfeh-Rezaie, Large sets of t-designs through partitionable sets: A survey, Discrete Math., 306 (2006) 2993-3004.
[21] E. S. Kramer and S. S. Magliveras, Some mutually disjoint Steiner systems, J. Combin. Theory, Ser. A 17 (1974), 39-43.
[22] F. J. MacWilliams and N. J. A. Sloane, The Theory of Error-Correcting Codes, North-Holland Publishing Company, Amsterdam, 1978.
[23] E. Knill and R. Laflamme, Theory of quantum error-correcting codes, Physical Review A, 55 (1997), 900-911.
[24] The Magma Computational Algebra System for Algebra, Number Theory and Geometry, Version 2.12, University of Sydney (2005).
[25] A. Munemasa, Flag-transitive 2-designs arising from line-spreads in PG(2n−1, 2), Geometriae Dedicata, 77 (1999), 209-213.
[26] D. Raghavarao, Constructions and Combinatorial Problems in Design of Experiments, Wiley, New York (1971).
[27] K. Shiromoto, private communication (2008).
[28] P. W. Shor, Scheme for reducing decoherence in quantum computer memory, Physical Review A, 52 (1995) R2493-R2496.
[29] A. Steane, Multiple particle interference and quantum error correction, Proceedings of the Royal Society London Series A, 452 (1996) 2551-2577.
[30] A. M. Steane, Error correcting codes in quantum theory, Physical Review Letters, 77 (5) (1996) 793-797.
[31] L. Teirlinck, Large sets of disjoint designs and related structures, in Contemporary Design Theory: A Collection of Surveys, J. H. Dinitz and D. R. Stinson (eds.), Wiley-Interscience Series in Discrete Mathematics and Optimization, (1992) 561-592.


Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-312

Hadi Kharaghani 1

Abstract. Mutually unbiased unit Hadamard (MUUH) matrices have been studied for almost 40 years. Recent interest in such matrices has been motivated by their applications to quantum information theory. In this paper, we introduce the class of mutually unbiased complex Hadamard (MUCH) matrices having as entries fourth roots of unity. The number of MUCH matrices of order 2n, n odd, is at most 2, and the bound is attained for n = 1, 5, 9. Certain pairs of mutually unbiased complex Hadamard matrices of order m can be used to construct pairs of unbiased real Hadamard matrices of order 2m. We then turn our attention to the class of mutually unbiased real Hadamard matrices of order 16n², which seem to be the most interesting ones. Mutually unbiased weighing (MUW) matrices are introduced for the first time. Further study of these objects looks quite promising.

Keywords. Complex Hadamard matrix, Hadamard matrix, weighing matrix, unbiased complex Hadamard matrices, mutually unbiased weighing matrices, mutually suitable Latin squares, MOLS, Bush-type Hadamard matrices, unbiased bases

Introduction

A complex (unit) Hadamard matrix is a matrix H of order n with entries in {1, −1, i, −i} (respectively in {c ∈ C : |c| = 1}) and with orthogonal rows in the usual complex inner product on C^n. If the entries of the matrix consist of only ±1, we call the matrix a real Hadamard matrix. Our main references for complex and real Hadamard matrices are [13,14]. Two complex Hadamard matrices H and K of order 2n are called unbiased if HK* = L, where K* denotes the Hermitian transpose of K and all the entries of the matrix L have absolute value √(2n). In this case, it follows that 2n = a² + b², where a, b are nonnegative integers. While there has been considerable interest in unbiased unit Hadamard matrices, it is only recently that some attention has been given to unbiased real Hadamard matrices, subsequent to which interesting applications have emerged [12]. The class of unbiased complex Hadamard matrices was introduced and studied in [2]. We borrow a portion of [2] in this note. The reader is referred to [5,7,15] for the study and applications of unbiased unit Hadamard matrices.

The topics studied in this article are as follows. We first concentrate on matrices of order 2n, n odd, with entries in {1, −1, i, −i}. We find an upper bound for the number of mutually unbiased complex Hadamard matrices of order 2n, n odd, denoted |MUCH(2n)|. We report on the outcome of a computer search for the classes of MUCH matrices of orders 10 and 18. We then turn to the study of mutually unbiased real Hadamard matrices (MUHM). In the course of studying MUHM, we introduce a class

1 Department of Mathematics & Computer Science, University of Lethbridge, Lethbridge, Alberta, T1K 3M4, Canada; email: kharaghani@uleth.ca - supported by an NSERC Discovery Grant - Group.


of Latin squares which we call mutually suitable Latin squares. It turns out that this class is equivalent to the class of mutually orthogonal Latin squares (MOLS). Next we consider an extension of Hadamard matrices to weighing matrices and touch upon the Delsarte-Goethals-Seidel [6] and Calderbank-Cameron-Kantor-Seidel [4] bounds. We briefly discuss mutually unbiased bases in the last section. In the presentation of matrices we use j to denote −i and − to denote −1.

1. Unbiased complex Hadamard matrices

Dealing with complex Hadamard matrices, i.e. matrices with entries in {1, −1, i, −i}, is quite different from working with unit Hadamard matrices, as the powerful character theory is no longer applicable. We begin this section with a well known [2,9] but important property of complex Hadamard matrices.

Lemma 1. Let H = [h_ij] be a complex Hadamard matrix of order n for which the absolute values of the row sums are all identical and equal to r. Then r = √n.

Proof. Let e be the all-ones column vector. We have (He)*(He) = e*H*He = e*(nI)e = n e*e = n². Let r_i = Σ_{j=1}^{n} h_ij, 1 ≤ i ≤ n. Noting that He is the column vector with components r_i and that e*H* = (He)*, we have Σ_{i=1}^{n} |r_i|² = n². It follows that r = √n.

A complex Hadamard matrix of order n for which the absolute values of the row sums are all equal to √n is called row regular. It follows from Lemma 1 that for a row regular complex Hadamard matrix H = [h_kj] of order 2n, n odd, if Σ_{j=1}^{2n} h_kj = a + ib for some k, 1 ≤ k ≤ 2n, then a² + b² = 2n and so both |a| and |b| are odd integers. We use this in the next lemma from [2].

Lemma 2. For an odd integer n, it is not possible to have a pair of unbiased row regular complex Hadamard matrices of order 2n.

Proof. Suppose on the contrary that there is a pair of row regular complex Hadamard matrices H and K of order 2n such that HK* = L, where the entries of L are of absolute value √(2n). Let J be the matrix of all one entries of order 2n. Then the matrix

  (1/(1+i)) (H + J) · ((1/(1+i)) (K + J))*

is a complex integer matrix (i.e. all entries of the matrix are Gaussian integers). It is easy to see that the entries of both matrices (1/(1+i))(H + J) and (1/(1+i))(K + J) belong to the set {0, 1, −i, 1 − i}. Noting that

  (1/(1+i)) (H + J) · ((1/(1+i)) (K + J))* = (1/2)(HK* + HJ + JK* + 2nJ)

and that all the entries of the matrices HK*, HJ and JK* are numbers of the form x + iy, where both |x| and |y| are odd integers, we get a contradiction.


Theorem 3. For any odd integer n, |MUCH(2n)| ≤ 2.

Proof. Suppose on the contrary that there are more than two MUCH matrices of order 2n. By multiplying the columns of all matrices by appropriate numbers we can make the first row of one of the matrices all equal to one. The new matrices form a set of MUCH matrices which contains at least two row regular Hadamard matrices of order 2n, contradicting Lemma 1, and thus the result follows.

Example 4. Let

  H = [1 1; 1 −1],  K = [1 i; i 1].

Then

  HK* = [1 − i, 1 − i; 1 + i, −1 − i].

This shows that the inequality in Theorem 3 is sharp for n = 1. By a computer search, many maximal sets of MUCH matrices of orders 10 and 18 were found in [2]. One representative from each of these pairs of matrices is listed below in Tables 1 and 2.

Table 1. A pair H, K of unbiased complex Hadamard matrices of order 10.

As stated in [2], it is reasonable to assume that the upper bound in Theorem 3 is sharp for every odd integer n for which 2n is the order of a row regular complex Hadamard matrix. The following conjecture includes this and a conjecture regarding the existence of row regular complex Hadamard matrices.

Conjecture 5. |MUCH(2n)| = 2 for all odd integers n, where 2n is a sum of two squares.

The existence of a row regular Hadamard matrix is a necessary condition to have two MUCHs (see the proof of Theorem 3). For matrices of order 2n, n odd, the existence of a row regular Hadamard matrix is, in turn, conditioned on the existence of integers a, b such that 2n = a² + b² (see Lemma 1).

Table 2. A pair H, K of unbiased complex Hadamard matrices of order 18.


Two real Hadamard matrices H, K of order n are called unbiased if HK^t = L, where the absolute values of all entries of L are equal to √n. It follows that L = √n A, where A is a real Hadamard matrix of order n, and so unbiased Hadamard matrices exist only in square orders. Our first lemma is the real version of Lemma 2.

Lemma 6 ([3]). For an odd integer n, it is not possible to have a pair of unbiased row regular Hadamard matrices of order 4n².

Proof. Repeating the line of proof of Lemma 2, we have

  (1/2)(H + J) · (1/2)(K^t + J) = (1/4)(HK^t + HJ + JK^t + 4n²J).

Noting that HK^t = 2nL, where L is a Hadamard matrix, we get a contradiction to the fact that the left side of the above identity is an integer matrix.

Lemma 7. Let w(n) be the number of mutually unbiased real Hadamard matrices of order 4n², n odd. Then w(n) ≤ 2.

We have shown in [2] that certain pairs of unbiased complex Hadamard matrices can be used to construct pairs of unbiased real Hadamard matrices. Before giving a proof of this we introduce a notation: for an integer a let G(a) = {±a ± ia}.

Theorem 8 ([2]). Let H, K be a pair of unbiased complex Hadamard matrices of order 2n, n odd, for which the entries of HK* are all in G(a), where 2n = a² + a², a an odd integer. Then there is a pair of unbiased real Hadamard matrices of order 4n.


Proof. Let H = A + iB, K = C + iD, where A, B and C, D are (0, ±1)-matrices of order 2n such that A ± B and C ± D are ±1-matrices. Consider the matrices

  H' = [1 1; 1 −1] ⊗ A + [−1 1; 1 1] ⊗ B = [A − B, A + B; A + B, −A + B]

and

  K' = [1 1; 1 −1] ⊗ C + [−1 1; 1 1] ⊗ D = [C − D, C + D; C + D, −C + D].

It is only a routine calculation to see that H', K' are Hadamard matrices of order 4n. Let HK* = E + iF, where E, F are ±a-matrices of order 2n (so E = AC^t + BD^t and F = BC^t − AD^t). We have

  H'K'^t = [2(AC^t + BD^t), −2(BC^t − AD^t); 2(BC^t − AD^t), 2(AC^t + BD^t)] = [2E, −2F; 2F, 2E].

Using the fact that the entries of HK* are in G(a) and noting that E, F are (±a)-matrices, it follows that H', K' are unbiased Hadamard matrices of order 4n.

Remark 9. Note that the assumption above that the entries of HK* are all in G(a), where 2n = a² + a², a an odd integer, implies that HK* = (a + ia)L, where L is a complex Hadamard matrix.

Corollary 10 ([2]). There is a pair of unbiased Hadamard matrices of order 36.

Proof. We apply Theorem 8 to the pair of unbiased complex Hadamard matrices of order 18 of Table 2. The resulting pair of matrices is given in Tables 3 and 4. The fact that all entries of HK* are in G(3) is automatic in this case, as 18 = 3² + 3² only.
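The following Python script is an added worked example, not code from Kharaghani's paper: it checks Example 4 numerically and then runs the Theorem 8 construction for n = 1, where 2n = 1² + 1² and G(1) = {±1 ± i}, verifying that the lifted pair of real matrices of order 4 is Hadamard and unbiased. The block layout [A − B, A + B; A + B, −A + B] is the tensor-product form from the proof above; all function names are the example's own.

```python
# Added example (not from the paper): Example 4 and the Theorem 8 lift for n = 1.
# Matrices are lists of rows; complex() is used so that real and complex
# matrices go through the same helpers.

def transpose(m):
    return [list(col) for col in zip(*m)]

def hermitian(m):
    """K* (conjugate transpose); for a real matrix this is K^t."""
    return [[complex(x).conjugate() for x in row] for row in transpose(m)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def is_complex_hadamard(h):
    """Entries in {1, -1, i, -i} and H H* = n I (a real Hadamard matrix qualifies too)."""
    n = len(h)
    if any(complex(x) not in (1, -1, 1j, -1j) for row in h for x in row):
        return False
    p = matmul(h, hermitian(h))
    return all(abs(p[i][j] - (n if i == j else 0)) < 1e-9
               for i in range(n) for j in range(n))

def is_real_hadamard(h):
    return all(x in (1, -1) for row in h for x in row) and is_complex_hadamard(h)

def product_entries(h, k):
    """Distinct entries of H K*; H, K are unbiased iff every entry has |.| = sqrt(n)."""
    return {complex(x) for row in matmul(h, hermitian(k)) for x in row}

def are_unbiased(h, k):
    n = len(h)
    return all(abs(abs(x) - n ** 0.5) < 1e-9 for x in product_entries(h, k))

def theorem8_lift(h):
    """Write H = A + iB with A, B (0,+-1)-matrices and return the real matrix
       [[A - B, A + B], [A + B, -A + B]] of order 2 * len(h)."""
    n = len(h)
    a = [[int(complex(x).real) for x in row] for row in h]
    b = [[int(complex(x).imag) for x in row] for row in h]
    comb = lambda sa, sb: [[sa * a[i][j] + sb * b[i][j] for j in range(n)]
                           for i in range(n)]
    tl, tr, bl, br = comb(1, -1), comb(1, 1), comb(1, 1), comb(-1, 1)
    return [tl[i] + tr[i] for i in range(n)] + [bl[i] + br[i] for i in range(n)]

# Example 4 of the paper: an unbiased pair of complex Hadamard matrices of order 2.
H2 = [[1, 1], [1, -1]]
K2 = [[1, 1j], [1j, 1]]

def example4_check():
    """Returns (entries of H K*, unbiased?) for the order-2 pair of Example 4."""
    return product_entries(H2, K2), are_unbiased(H2, K2)

def theorem8_for_n_equal_1():
    """Lift the order-2 pair to real matrices of order 4 and report whether
       both are Hadamard and the pair is unbiased (entries of H'K'^t are +-2)."""
    hp, kp = theorem8_lift(H2), theorem8_lift(K2)
    ok = is_real_hadamard(hp) and is_real_hadamard(kp) and are_unbiased(hp, kp)
    return hp, kp, ok

if __name__ == "__main__":
    print(example4_check())
    hp, kp, ok = theorem8_for_n_equal_1()
    for row in hp:
        print(row)
    print()
    for row in kp:
        print(row)
    print("unbiased real Hadamard pair of order 4:", ok)
```

With A = H and B = 0 the lift of H is the Sylvester matrix of order 4, while K = I + i·[0 1; 1 0] lifts to [I − P, J; J, P − I] with P the swap matrix; the script confirms that H'K'^t has all entries ±2 = √4.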

3. Unbiased Hadamard matrices of order 16n²

We start this section with a characterization of Hadamard matrices.

Theorem 11 (Kharaghani [10]). There is a Hadamard matrix of order 2n if and only if there are 2n ±1-matrices C_0, C_1, C_2, …, C_{2n−1} of order 2n such that:
1. C_i^t = C_i,
2. C_i C_j = 0, i ≠ j,
3. C_i² = 2n C_i,
4. C_0 + C_1 + C_2 + ⋯ + C_{2n−1} = 2n I_{2n},
5. C_0 may be chosen to be the matrix of all ones.

Proof. Let r_i, i = 0, 1, …, 2n − 1, be the rows of the normalized Hadamard matrix H (so r_0 is the all-ones first row), and let C_i = r_i^t r_i. Then:
1. C_i^t = (r_i^t r_i)^t = C_i.
2. C_i C_j = r_i^t r_i r_j^t r_j = 0, i ≠ j, since r_i r_j^t = 0.
3. C_i² = r_i^t r_i r_i^t r_i = 2n r_i^t r_i = 2n C_i, since r_i r_i^t = 2n.
4. This follows from the fact that [r_0^t r_1^t ⋯ r_{2n−1}^t] [r_0; r_1; ⋯; r_{2n−1}] = 2n I_{2n}.
5. Note that the first row consists of all one entries.

Table 3. A pair of unbiased Hadamard matrices of order 36: first matrix.

Table 4. A pair of unbiased Hadamard matrices of order 36: second matrix.

Conversely, the existence of a Hadamard matrix of order 2n follows from property 2 by selecting one row from each of the C_i's and forming a matrix of order 2n.

The first proof of the following theorem traces back to Delsarte, Goethals and Seidel [6] (see [3]).

Theorem 12. Let U = {H_1, H_2, ⋯, H_m} be a set of mutually unbiased real (respectively complex) Hadamard matrices of order 2n. Then m ≤ n (respectively m ≤ 2n).


Proof. For 1 ≤ j ≤ m, let C_{1j}, C_{2j}, …, C_{(2n)j} be the matrices corresponding to the Hadamard matrix H_j by applying Theorem 11. Let S_j = {C_{ij} | 1 ≤ i ≤ 2n − 1}. Then the span of each S_j, 1 ≤ j ≤ m, is a subspace of the space of all symmetric matrices of order 2n with zero diagonal, of dimension 2n − 1. Using the assumption that the Hadamard matrices are mutually unbiased, it can be seen that every pair of matrices in different subspaces is orthogonal in the inner product defined by ⟨A, B⟩ = trace(AB*) for square matrices A, B. The span of all the S_j's is contained in the set of all symmetric (respectively Hermitian) matrices with zero diagonal. So m(2n − 1) ≤ 1 + 2 + ⋯ + (2n − 1) = n(2n − 1) (respectively m(2n − 1) ≤ 2(1 + 2 + ⋯ + (2n − 1)) = 2n(2n − 1)). This completes the proof.

Remark 13. The upper bound in the previous theorem is attained for real Hadamard matrices of order 4^k, see [5].

Next we introduce a class of Latin squares which seems to have appeared in [8] for the first time.

Definition 14. Two Latin squares L_1 and L_2 of size n on the symbol set {0, 1, 2, …, n − 1} are called suitable if every superimposition of each row of L_1 on each row of L_2 results in exactly one element of the form (a, a).

Example 15. The following are three mutually suitable Latin squares of size 4:

  0 2 3 1      0 3 1 2      0 1 2 3
  2 0 1 3      3 0 2 1      1 0 3 2
  3 1 0 2      1 2 0 3      2 3 0 1
  1 3 2 0      2 1 3 0      3 2 1 0

It turns out that from a pair of mutually orthogonal Latin squares (see [1]) one can construct a pair of mutually suitable Latin squares, and vice versa.

Lemma 16 ([8]). There are m MOLS (mutually orthogonal Latin squares) of size n if and only if there are m MSLS (mutually suitable Latin squares) of size n.

Proof. Let L_1, L_2 be two orthogonal Latin squares on {1, 2, ⋯, n}, both having their rows and columns labeled by the set. Let ((i, j), k) denote that the entry at position (i, j) of a Latin square is k. Then the transformation ((i, j), k) → ((k, j), i) results in a pair of suitable Latin squares. The reverse implication is now clear.

Lemma 17 ([1]). Let q be a prime power. Then there are q − 1 MSLS of size q.

The class of Bush-type Hadamard matrices, which is defined next and was introduced in [10], has proved to be one of the most versatile classes of Hadamard matrices, see [11].

Definition 18. A Bush-type Hadamard matrix is a block matrix H = [H_ij] of order 4n² with block size 2n, H_ii = J_{2n} and H_ij J_{2n} = J_{2n} H_ij = 0, i ≠ j, 1 ≤ i ≤ 2n, 1 ≤ j ≤ 2n, where J_{2n} is the 2n by 2n matrix of all 1 entries.

Example 19. Let


  H_4 = [1 1 1 1; 1 −1 1 −1; 1 1 −1 −1; 1 −1 −1 1].

The matrices corresponding to this Hadamard matrix are:

  C_0 = r_0^t r_0 = [1 1 1 1; 1 1 1 1; 1 1 1 1; 1 1 1 1],
  C_1 = r_1^t r_1 = [1 −1 1 −1; −1 1 −1 1; 1 −1 1 −1; −1 1 −1 1],
  C_2 = r_2^t r_2 = [1 1 −1 −1; 1 1 −1 −1; −1 −1 1 1; −1 −1 1 1],
  C_3 = r_3^t r_3 = [1 −1 −1 1; −1 1 1 −1; −1 1 1 −1; 1 −1 −1 1].

The matrix

  L = [C_0 C_1 C_2 C_3; C_1 C_0 C_3 C_2; C_2 C_3 C_0 C_1; C_3 C_2 C_1 C_0]

is a Bush-type Hadamard matrix of order 16. We are now ready to construct a very interesting class of mutually unbiased real Hadamard matrices.

Theorem 20 ([8]). If there are m MSLS of size 2n, where 2n is the order of a Hadamard matrix, then there are m mutually unbiased Bush-type Hadamard matrices of order 4n².

Proof. Let C_0, C_1, …, C_{2n−1} be the matrices corresponding to the normalized Hadamard matrix of order 2n. We can assume that all Latin squares are on the set {0, 1, ⋯, 2n − 1} and that their rows and columns are all labeled by the set. Replacing the entry i in each of the Latin squares by the matrix C_i, 0 ≤ i ≤ 2n − 1, results in m mutually unbiased Bush-type Hadamard matrices of order 4n².

Example 21 ([8]). Let

  H_1 = [C_0 C_2 C_3 C_1; C_2 C_0 C_1 C_3; C_3 C_1 C_0 C_2; C_1 C_3 C_2 C_0],

  H_2 = [C_0 C_3 C_1 C_2; C_3 C_0 C_2 C_1; C_1 C_2 C_0 C_3; C_2 C_1 C_3 C_0],

and

  H_3 = [C_0 C_1 C_2 C_3; C_1 C_0 C_3 C_2; C_2 C_3 C_0 C_1; C_3 C_2 C_1 C_0].


These are remarkable matrices. The three matrices are symmetric, and {(1/4)H_1, (1/4)H_2, (1/4)H_3, I_16} forms a group under matrix multiplication. The blocks are not sign sensitive, i.e., one can change the block signs without changing the unbiasedness of the matrices.

Corollary 22. There are 2^n − 1 mutually unbiased Bush-type Hadamard matrices of order 2^{2n}, n ≥ 2.

Proof. This follows from Lemma 17, Theorem 20, and the existence of Hadamard matrices of order 2^n for any positive integer n.

Remark 23. The unbiased Bush-type Hadamard matrices constructed above can easily be complemented by a normalized Hadamard matrix (see Theorem 25 below). However, by doing so we get a maximal set of MUH matrices, as we see in the next lemma.

A vector v of dimension m is called unbiased with the matrix K of order m if the inner product of v with every row of K is of absolute value √m.

Lemma 24. Suppose there is a normalized Hadamard matrix H which is unbiased with all the Bush-type Hadamard matrices of Corollary 22. Then there is no ±1-vector unbiased with H and all of the Bush-type Hadamard matrices of Corollary 22.

Proof. Let 2n = m and v = (e_1, e_2, …, e_m), where the e_i's are ±1-vectors of dimension m with first component a_i. Assuming that v is unbiased with all Bush-type Hadamard matrices and H, we get

  m s(e_1) + m(a_2 + a_3 + ⋯ + a_m) = (b_1 + b_2 + ⋯ + b_m) m,

where s(e_1) denotes the sum of the components of e_1 and b_i ∈ {1, −1}. Noting that s(e_1) and b_1 + b_2 + ⋯ + b_m are even integers, we get a contradiction to the fact that a_2 + a_3 + ⋯ + a_m is an odd integer.

Next we give a lower bound for the number of MUH matrices.

Theorem 25 ([8]). Let m be the number of mutually suitable Latin squares of size 2n, where 2n is the order of a Hadamard matrix H. Then there are m + 1 mutually unbiased Hadamard matrices of order 4n².

Proof. Let r_i be the i-th row of H, and let K be the block matrix defined by K = [k_ij] = [r_j^t r_i], i, j = 0, 1, ⋯, 2n − 1. It is easy to see that K is a Hadamard matrix of order 4n² which is unbiased with all the Bush-type Hadamard matrices constructed in Theorem 20.

The lower bound in Theorem 25 has appeared in a number of papers, see for example [3,12]. Next we show that our method above extends to weighing matrices.


4. Extension to weighing matrices

One of the advantages of the construction method above is that it can easily be applied to weighing matrices. A matrix W = [w_ij] of order n with w_ij ∈ {−1, 0, 1} is called a weighing matrix with weight p, denoted by W(n, p), if WW^t = pI_n, where I_n is the identity matrix of order n, see [13]. Two weighing matrices W_1, W_2 of order n and weight p are called unbiased if W_1 W_2^t = √p W, where W is a weighing matrix of order n and weight p.

Theorem 26. Let m be the number of mutually suitable Latin squares of size n, where n is the order of a weighing matrix W with weight p. Then there are m + 1 mutually unbiased weighing matrices W(n², p²).

Proof. Note that every step in Theorem 25 can be applied to weighing matrices and the result is immediate.

Example 27. Let W be a weighing matrix W(7, 4) of order 7 (the matrix is displayed in the original), and let C_0, C_1, …, C_6 be the matrices from Theorem 11 corresponding to this weighing matrix (also displayed in the original). Substituting these in the appropriate MSLS, we get six mutually unbiased weighing matrices, the first two of which are

  W_1 = [C_0 C_4 C_1 C_5 C_2 C_6 C_3; C_3 C_0 C_4 C_1 C_5 C_2 C_6; C_6 C_3 C_0 C_4 C_1 C_5 C_2; C_2 C_6 C_3 C_0 C_4 C_1 C_5; C_5 C_2 C_6 C_3 C_0 C_4 C_1; C_1 C_5 C_2 C_6 C_3 C_0 C_4; C_4 C_1 C_5 C_2 C_6 C_3 C_0],

  W_2 = [C_0 C_5 C_3 C_1 C_6 C_4 C_2; C_2 C_0 C_5 C_3 C_1 C_6 C_4; C_4 C_2 C_0 C_5 C_3 C_1 C_6; C_6 C_4 C_2 C_0 C_5 C_3 C_1; C_1 C_6 C_4 C_2 C_0 C_5 C_3; C_3 C_1 C_6 C_4 C_2 C_0 C_5; C_5 C_3 C_1 C_6 C_4 C_2 C_0].
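The following Python script is an added worked example, not code from Kharaghani's paper, that runs the Theorem 11 / Theorem 20 / Theorem 25 construction behind Example 21 and the Theorem 26 construction behind Example 27. It builds the C_i from H_4, substitutes them into the three MSLS of Example 15, appends the Theorem 25 matrix K, and checks that all four matrices of order 16 are Hadamard, that the first three are Bush-type, and that every pair is unbiased; it then repeats the construction for a weighing matrix. Two inputs are constructed here rather than taken from the paper: the W(7, 4) is the circulant with first row (−1, 1, 1, 0, 1, 0, 0), and the six MSLS of size 7 are the affine squares L_c(k, j) = c(j − k) mod 7, c = 1, …, 6 (the block patterns of W_1 and W_2 in Example 27 are the cases c = 4 and c = 5).

```python
# Added example (not from the paper): Theorems 11/20/25/26 run on Example 21
# (H4 with the three MSLS of Example 15) and on a W(7,4) with six MSLS of size 7.
# Constructed inputs: the W(7,4) circulant and the affine MSLS L_c(k, j) =
# c*(j - k) mod 7; the W1 and W2 of Example 27 follow the cases c = 4 and c = 5.

def transpose(m):
    return [list(col) for col in zip(*m)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b)))
             for j in range(len(b[0]))] for i in range(len(a))]

def is_weighing(w, p):
    """Entries in {-1, 0, 1} and W W^t = p I; a Hadamard matrix is a W(n, n)."""
    n = len(w)
    if any(x not in (-1, 0, 1) for row in w for x in row):
        return False
    prod = matmul(w, transpose(w))
    return all(prod[i][j] == (p if i == j else 0) for i in range(n) for j in range(n))

def rank_one_matrices(w):
    """Theorem 11: C_i = r_i^t r_i for each row r_i of W (C_0 = J if W is normalized)."""
    return [[[x * y for y in row] for x in row] for row in w]

def are_suitable(l1, l2):
    """Definition 14: every row of L1 over every row of L2 gives exactly one (a, a)."""
    return all(sum(a == b for a, b in zip(r1, r2)) == 1 for r1 in l1 for r2 in l2)

def affine_mslss(q):
    """Constructed MSLS L_c(k, j) = c*(j - k) mod q, c = 1..q-1 (q prime; cf. Lemma 17)."""
    return [[[c * (j - k) % q for j in range(q)] for k in range(q)] for c in range(1, q)]

def substitute(square, blocks):
    """Theorem 20: replace symbol i of a Latin square by the block C_i."""
    n = len(blocks[0])
    return [sum((blocks[square[k][j]][r] for j in range(len(square))), [])
            for k in range(len(square)) for r in range(n)]

def theorem25_matrix(w):
    """K = [k_ij] = [r_j^t r_i]: block (i, j) has entry (r, c) = r_j[r] * r_i[c]."""
    n = len(w)
    return [[w[j][r] * w[i][c] for j in range(n) for c in range(n)]
            for i in range(n) for r in range(n)]

def is_bush_type(h, n):
    """Definition 18 with block size n: diagonal blocks all ones, off-diagonal
       blocks with zero row and column sums."""
    for i in range(len(h) // n):
        for j in range(len(h) // n):
            blk = [row[j * n:(j + 1) * n] for row in h[i * n:(i + 1) * n]]
            if i == j and any(x != 1 for row in blk for x in row):
                return False
            if i != j and (any(sum(r) for r in blk) or any(sum(c) for c in transpose(blk))):
                return False
    return True

def are_unbiased_weighing(w1, w2, big_p):
    """W1 W2^t = sqrt(P) W with W a weighing matrix of weight P (sqrt(P) is an integer here)."""
    s = round(big_p ** 0.5)
    prod = matmul(w1, transpose(w2))
    if any(x not in (-s, 0, s) for row in prod for x in row):
        return False
    return is_weighing([[x // s for x in row] for row in prod], big_p)

def build_family(w, squares):
    """Theorem 26 (Theorems 20 + 25): m MSLS of size n and a W(n, p) give m + 1
       mutually unbiased W(n^2, p^2).  Returns (family, all checks passed)."""
    p = sum(abs(x) for x in w[0])
    blocks = rank_one_matrices(w)
    family = [substitute(sq, blocks) for sq in squares] + [theorem25_matrix(w)]
    ok = all(is_weighing(m, p * p) for m in family) and all(
        are_unbiased_weighing(family[a], family[b], p * p)
        for a in range(len(family)) for b in range(a + 1, len(family)))
    return family, ok

H4 = [[1, 1, 1, 1], [1, -1, 1, -1], [1, 1, -1, -1], [1, -1, -1, 1]]
EXAMPLE15 = [[[0, 2, 3, 1], [2, 0, 1, 3], [3, 1, 0, 2], [1, 3, 2, 0]],
             [[0, 3, 1, 2], [3, 0, 2, 1], [1, 2, 0, 3], [2, 1, 3, 0]],
             [[0, 1, 2, 3], [1, 0, 3, 2], [2, 3, 0, 1], [3, 2, 1, 0]]]
# Constructed W(7, 4): circulant with first row (-1, 1, 1, 0, 1, 0, 0).
W7 = [[(-1, 1, 1, 0, 1, 0, 0)[(j - i) % 7] for j in range(7)] for i in range(7)]

def example21_family():
    """H1, H2, H3 of Example 21 plus the Theorem 25 matrix K, with their checks."""
    family, ok = build_family(H4, EXAMPLE15)
    return family, ok, all(is_bush_type(h, 4) for h in family[:3])

def example27_family():
    """Seven mutually unbiased W(49, 16) from the constructed W(7, 4) and six MSLS."""
    return build_family(W7, affine_mslss(7))

if __name__ == "__main__":
    fam, ok, bush = example21_family()
    print(len(fam), "matrices of order", len(fam[0]), "unbiased:", ok, "Bush-type:", bush)
    fam7, ok7 = example27_family()
    print(len(fam7), "matrices of order", len(fam7[0]), "unbiased:", ok7)
```

The unbiasedness test uses only what the definition requires: every entry of W_a W_b^t must lie in {0, ±√P} with P = p², after which W_a W_b^t / √P is automatically a weighing matrix of weight P because (W_a W_b^t)(W_a W_b^t)^t = P² I. In the Hadamard case (p = 4, order 16) the product entries are all ±4, as Theorem 25 states.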


Delsarte, Goethals and Seidel [6] studied lines in both R^n and C^n having a prescribed number of angles and found a number of upper bounds, depending on the angles. Calderbank, Cameron, Kantor and Seidel [4], among other interesting results, found an upper bound for the number of lines in R^n (C^n) that are either perpendicular or at a fixed angle. Having a set of unbiased weighing matrices of order n provides a set of lines in R^n which are either perpendicular or at a fixed angle. As is demonstrated in [6] and [4], line sets meeting the upper bound have very nice properties.


Theorem 28 ([6,4]). Let $m$ be the cardinality of a set of vectors in $\mathbb{R}^n$ such that the absolute value of the inner product of any distinct pair of elements is in $\{0, \alpha\}$, $0 < \alpha < 1$. Then
$$ m \le \frac{n(n+2)(1-\alpha^2)}{3-(n+2)\alpha^2}, $$
assuming that the denominator is positive. If equality holds, then perpendicularity defines a strongly regular graph. Computer computations show that for some small values of $n$ the upper bound is attained by unbiased weighing matrices. This is a new area of research and looks quite promising.

5. Unbiased bases

Let $H, K$ be a pair of special unbiased complex Hadamard matrices of order $2n^2$ corresponding to the decomposition $2n^2 = n^2 + n^2$, so that $HK^* = (n + in)L$ for some complex Hadamard matrix $L$. Then the normalized rows of $H$ and $K$, or equivalently the rows of $\frac{1}{n\sqrt{2}}H$ and $\frac{1}{n\sqrt{2}}K$, form two orthonormal bases for $\mathbb{C}^{2n^2}$ such that for every pair of vectors $u, v$ from different bases,
$$ \langle u, v\rangle \in D = \left\{ \tfrac{1}{2n}(1+i),\ \tfrac{1}{2n}(-1+i),\ \tfrac{1}{2n}(-1-i),\ \tfrac{1}{2n}(1-i) \right\} $$
(note that $\frac{n+in}{2n^2} = \frac{1}{2n}(1+i)$). Here $\langle\cdot,\cdot\rangle$ denotes the standard Hermitian inner product in $\mathbb{C}^{2n^2}$. Adding $\{\frac{1+i}{\sqrt{2}}\, b : b \in B_s\}$, where $B_s$ denotes the standard basis in $\mathbb{C}^{2n^2}$, to these bases we get 3 orthonormal bases for $\mathbb{C}^{2n^2}$ such that for every pair of vectors $u, v$ from different bases, $\langle u, v\rangle \in D$. Two orthonormal bases $B_1$ and $B_2$ in $\mathbb{C}^{2n^2}$ are called unbiased complex bases if $\langle u, v\rangle \in D$ for all $u \in B_1$ and $v \in B_2$. We will use $|MUCB(n)|$ to denote the number of elements in a set of mutually unbiased complex bases for $\mathbb{C}^n$.

Lemma 29. $|MUCB(2n^2)| \le 3$ for any odd integer $n$. Equality is attained for $n = 1, 3$.

Proof. Let $B_1, B_2, B_3$ be three mutually unbiased complex bases for $\mathbb{C}^{2n^2}$. Let $H_i$ be the matrix formed by putting the vectors of $B_i$ as the rows of $H_i$, $i = 1, 2, 3$. Then $\frac{2n}{1+i}H_2H_1^*$ and $\frac{2n}{1+i}H_3H_1^*$ form a special pair of unbiased complex Hadamard matrices of order $2n^2$ corresponding to the decomposition $2n^2 = n^2 + n^2$. Thus it follows from Theorem 3 that $|MUCB(2n^2)| - 1 \le 2$. Equality occurs for $n = 1, 3$, as there are pairs of special unbiased complex Hadamard matrices of order 2 and 18.


Two orthonormal bases $B_1$ and $B_2$ for $\mathbb{R}^n$ are called mutually unbiased real bases if $\langle u, v\rangle \in \{-\frac{1}{\sqrt{n}}, \frac{1}{\sqrt{n}}\}$ for all $u \in B_1$ and $v \in B_2$, where $\langle\cdot,\cdot\rangle$ is the standard Euclidean inner product in $\mathbb{R}^n$; see [3] for details. We will use $|MURB(n)|$ to denote the number of elements in a set of mutually unbiased real bases in $\mathbb{R}^n$.

Lemma 30. $|MURB(4n^2)| \le 3$ for any odd integer $n$. Equality is attained for $n = 1, 3$.

Proof. Let $B_1, B_2, B_3$ be three mutually unbiased real bases for $\mathbb{R}^{4n^2}$. Let $H_i$ be the matrix formed by putting the vectors of $B_i$ as the rows of $H_i$, $i = 1, 2, 3$. Then $2nH_2H_1^t$ and $2nH_3H_1^t$ form a pair of unbiased Hadamard matrices of order $4n^2$. The result now follows from Lemma 7 and Corollary 10. See also Observation 2.1 of [3].

For the unbiased bases in $\mathbb{R}^{16n^2}$, following the idea above, it is easy to get a lower bound depending on the number of known MOLS. Using Theorem 12, we see that the upper bound for the number of unbiased bases in $\mathbb{R}^{16n^2}$ is $8n^2 + 1$. This upper bound is believed to be quite large and very unlikely to be achievable, except of course for the case where the dimension of the space is a power of 4. See [3,15] for details.

Acknowledgments: This article is based on joint work of the author with W. Holzmann and W. Orrick [8] and another joint work with Darcy Best [2].


References

[1] R. Julian R. Abel, Charles Colbourn, Jeffrey Dinitz, Mutually orthogonal Latin squares (MOLS), in: Handbook of Combinatorial Designs (C. J. Colbourn and J. H. Dinitz, eds.), Second Edition, Chapman & Hall/CRC Press, Boca Raton, FL, 2007, pp. 160-193.
[2] Darcy Best, H. Kharaghani, Unbiased complex Hadamard matrices and bases, Cryptography and Communications - Discrete Structures, Boolean Functions and Sequences, to appear.
[3] P. O. Boykin, M. Sitharam, M. Tarifi and P. Wocjan, Real mutually unbiased bases, preprint, arXiv:quant-ph/0502024v2 [math.CO] (revised version dated Feb. 1, 2008).
[4] A. R. Calderbank, P. J. Cameron, W. M. Kantor, J. J. Seidel, Z4-Kerdock codes, orthogonal spreads, and extremal Euclidean line-sets, Proc. London Math. Soc. 75 (1997), 436-480.
[5] P. J. Cameron and J. J. Seidel, Quadratic forms over GF(2), Nederl. Akad. Wetensch. Proc. Ser. A 76 = Indag. Math. 35 (1973), 1-8.
[6] P. Delsarte, J. M. Goethals, and J. J. Seidel, Bounds for systems of lines and Jacobi polynomials, Philips Res. Repts. 30 (1975), 91-105.
[7] Chris Godsil, Aidan Roy, Equiangular lines, mutually unbiased bases, and spin models, European J. Combin. 30 (2009), 246-262.
[8] W. Holzmann, H. Kharaghani and W. Orrick, On real unbiased Hadamard matrices, to appear.
[9] H. Kharaghani, Jennifer Seberry, The excess of complex Hadamard matrices, Graphs Combin. 9 (1993), 47-56.
[10] H. Kharaghani, New class of weighing matrices, Ars Combin. 19 (1985), 69-72.
[11] H. Kharaghani, On the twin designs with the Ionin-type parameters, Electron. J. Combin. 7 (2000), Research Paper 1, 11 pp.
[12] Nicholas LeCompte, William J. Martin, William Owens, On the equivalence between real mutually unbiased bases and a certain class of association schemes, European J. Combin., to appear.
[13] J. Seberry and M. Yamada, Hadamard matrices, sequences, and block designs, in: Contemporary Design Theory: A Collection of Surveys (J. H. Dinitz and D. R. Stinson, eds.), John Wiley & Sons, Inc., 1992, pp. 431-560.
[14] Wojciech Tadej, Karol Zyczkowski, A concise guide to complex Hadamard matrices, Open Syst. Inf. Dyn. 13 (2006), 133-177.
[15] P. Wocjan and T. Beth, New construction of mutually unbiased bases in square dimensions, Quantum Inf. Comput. 5 (2005), 93-101.


Information Security, Coding Theory and Related Combinatorics, D. Crnković and V. Tonchev (Eds.), IOS Press, 2011. © 2011 The authors and IOS Press. All rights reserved. doi:10.3233/978-1-60750-663-8-326

Ryoh FUJI-HARA¹ and Ying MIAO, Graduate School of Systems and Information Engineering, University of Tsukuba, Tsukuba 305-8573, Japan

Abstract. In this paper, we give a survey of multi-structured designs and their various applications. Multi-structured designs are block designs with additional structure imposed on the blocks. The combinatorial conditions on the further block structure depend on the application. Examples of multi-structured designs are nested designs, row-column designs, splitting designs, etc. Their constructions have been studied independently for a long time and often use similar techniques. Cyclic multi-structured designs are related to various types of sequences which have many applications in modern communications. The paper consists of three parts. The first part deals with classical multi-structured designs which are used in experimental designs and authentication systems. The second part reviews several applications to optical and wireless communications which use cyclic multi-structured designs. Finally, in the third part, we discuss algebraic and geometric construction methods which are commonly used for many types of multi-structured designs.

Keywords. multi-structured design, experimental design, nested design, balanced array, row-column design, authentication code, optical orthogonal code, frequency hopping sequence, ultra-wideband, comma-free code, difference system of sets, algebraic construction, geometric construction.

1. Introduction

Let $V$ be a set of $v$ elements and $\mathcal{B}$ a collection of subsets of $V$. The elements of $V$ and $\mathcal{B}$ are called points and blocks, respectively, and the pair $(V, \mathcal{B})$ is called a design. There are many types of designs, for example the well-known pairwise balanced designs, $(r, \lambda)$-designs, group divisible designs, and balanced incomplete block designs, each satisfying certain specific combinatorial conditions. The commonly required combinatorial conditions are some or all of the following:
(C1) every block contains $k$ points (regular condition);
(C2) every point of $V$ is contained in $r$ blocks (singleton balance condition);
(C3) every pair of distinct points of $V$ appears in exactly $\lambda$ blocks (pair balance condition).

1 Corresponding author. E-mail: fujihara@sk.tsukuba.ac.jp


A design $(V, \mathcal{B})$ is called a pairwise balanced design (PBD) if it satisfies condition (C3), and an $(r, \lambda)$-design if it further satisfies condition (C2). If all the conditions (C1), (C2) and (C3) are satisfied, then $(V, \mathcal{B})$ is said to be a balanced incomplete block design (BIBD) or 2-design, denoted by $B(k, \lambda; v)$. The reader is referred to [2] for detailed information on various types of designs.

Usually, people don't consider the fine structures within each block of $\mathcal{B}$. Nevertheless, it has sometimes been found necessary to investigate designs where some additional combinatorial conditions are imposed on the blocks. A multi-structured design (MSD) is a design $(V, \mathcal{B})$ in which the blocks have some fine structure, or in other words, the blocks satisfy some additional combinatorial conditions. The block forms of a multi-structured design can be described as super-blocks containing sub-blocks. Let $\mathcal{B} = \{B_1, B_2, \ldots, B_b\}$. The block $B_i$ has the form $\tilde{B}_i = \{C_{i1}, C_{i2}, \ldots, C_{in_i}\}$, where $C_{ij} \subseteq B_i$, which satisfies one of the following conditions for any $i$:
1. $\{C_{i1}, C_{i2}, \ldots, C_{in_i}\}$ is a partition of $B_i$;
2. $B_i = \bigcup_{1 \le j \le n_i} C_{ij}$, where the sub-blocks $C_{ij}$ are not necessarily mutually disjoint.
Finite geometries are typical examples of MSDs of case 2. However, we will not consider this case in this paper.

If $B_i$ is considered as a set of $n_i$ disjoint sub-blocks, that is, $\tilde{B}_i = \{C_{i1}, C_{i2}, \ldots, C_{in_i}\}$, then the super-block $B_i$ is called unordered. If $B_i$ is considered as an ordered set of $n$ disjoint sub-blocks, some of which can be $\emptyset$, that is, $\tilde{B}_i = (C_{i1}, C_{i2}, \ldots, C_{in})$, then the super-block $B_i$ is called ordered.

Multi-structured designs arise in many situations with various applications. In what follows, we describe some typical examples of their applications and related constructions.

2. Experiments Based on Block Designs

Consider a multi-structured design $(V, \mathcal{B})$, where $\mathcal{B}$ is a collection of super-blocks $\mathcal{B} = \{B_1, B_2, \ldots, B_b\}$ such that $\tilde{B}_i = \{C_{i1}, C_{i2}, \ldots, C_{in_i}\}$, with $\{C_{i1}, C_{i2}, \ldots, C_{in_i}\}$ being a partition of $B_i$ for each $1 \le i \le b$. Let $\mathcal{C} = \{C_{ij} \mid 1 \le i \le b,\ 1 \le j \le n_i\}$. The super-design $(V, \mathcal{B})$ satisfies the following conditions:
1. the super-block size is a constant $k$ (regular);
2. every point of $V$ appears in the same number $r$ of super-blocks (singleton balance);
3. every pair of distinct points of $V$ appears in the same number $\lambda$ of super-blocks (pair balance),
that is, $(V, \mathcal{B})$ is a balanced incomplete block design. Furthermore, the sub-design $(V, \mathcal{C})$ satisfies the following conditions:
1. the sub-block size is a constant $k'$ (regular);
2. every point of $V$ appears in the same number $r'$ of sub-blocks (singleton balance);
3. every pair of distinct points of $V$ appears in the same number $\lambda'$ of sub-blocks (pair balance),


that is, $(V, \mathcal{C})$ is a $B(k', \lambda'; v)$. Such an MSD is called a nested design. Historically, different notions of nested designs were introduced by Preece [66] and Federer [26], which were finally unified by Kageyama and Miao [50].

Example 2.1 Let $V = \{0, 1, 2, 3, 4\}$, $\mathcal{B} = \{B_i \mid 1 \le i \le 5\}$ and $\mathcal{C} = \{C_{ij} \mid 1 \le i \le 5,\ 1 \le j \le 2\}$, where
$\tilde{B}_1 = \{C_{11} = \{0, 1\},\ C_{12} = \{2, 4\}\}$, $\tilde{B}_2 = \{C_{21} = \{1, 2\},\ C_{22} = \{3, 0\}\}$,
$\tilde{B}_3 = \{C_{31} = \{2, 3\},\ C_{32} = \{4, 1\}\}$, $\tilde{B}_4 = \{C_{41} = \{3, 4\},\ C_{42} = \{0, 2\}\}$,
$\tilde{B}_5 = \{C_{51} = \{4, 0\},\ C_{52} = \{1, 3\}\}$.
Then $(V, \mathcal{B}, \mathcal{C})$ is a multi-structured design $B(4, 3; 5)$ with a sub-design $B(2, 1; 5)$.

MSDs can do more than conventional designs do. Let's consider the conventional agricultural experiment with 7 wheat varieties and 7 fertilizers. The standard block experiment is given by a $7 \times 7$ table (not reproduced in this extraction) whose rows $i$ are labeled with wheat varieties and whose columns $j$ are labeled with fertilizers, with the linear model
$$ y_{ij} = \mu + \alpha_i + \beta_j + \varepsilon_{ij}, \qquad 1 \le i, j \le 7, $$
where $y_{ij}$ is the variable observed on the unit with wheat variety $i$ and fertilizer $j$ in the experiment, $\mu$ is the central effect, $\alpha_i$ and $\beta_j$ are the variety and fertilizer effects, respectively, with $\sum_{i=1}^{7}\alpha_i = \sum_{j=1}^{7}\beta_j = 0$, and the $\varepsilon_{ij}$ are uncorrelated random variables for technical errors. The total number of combinations of $i$ and $j$ is 49, but we only need to do the 21 experiments which are crossed in the table. The merits of this experiment include (1) fewer experiments, (2) all effects are easily estimable, (3) good precision of estimation, and (4) equal precision of estimation.

We next consider an experiment with 5 wheat varieties and 10 fertilizers, 5 kinds each of 2 types, say organic and chemical, using the multi-structured design in Example 2.1.


The corresponding table is not reproduced in this extraction; the model becomes
$$ y_{ijk} = \mu + \alpha_i + \beta_j + \gamma_k + \varepsilon_{ijk}, $$
where the sub-block effects (organic or chemical type) $\gamma_k$, $k = 0, 1$, further satisfy the condition $\gamma_0 + \gamma_1 = 0$.

3. Orthogonal Multi-Structured Designs

The sub-blocks in the multi-structured designs introduced in Section 1, like the blocks of conventional balanced incomplete block designs, are one-dimensional. In fact, the points of each block can also be arranged into a two-dimensional array. A row-column design is a pair $(V, \mathcal{B})$, where $V$ is a set of $v$ points and $\mathcal{B} = \{B_1, B_2, \ldots, B_b\}$ is a collection of $m \times n$ arrays, called blocks, with entries from $V$,
$$ B_j = \begin{pmatrix} x_{11} & x_{12} & \cdots & x_{1m} \\ x_{21} & x_{22} & \cdots & x_{2m} \\ \vdots & \vdots & & \vdots \\ x_{n1} & x_{n2} & \cdots & x_{nm} \end{pmatrix}, $$
such that
1. no point of $V$ appears more than once in any array;
2. every point of $V$ appears in the same number $r$ of arrays (singleton balance);
3. every pair of distinct points of $V$ appears in the same number $\lambda$ of arrays (pair balance);
4. every pair of distinct points of $V$ appears in the same number $\lambda_R$ of rows over all arrays (row pair balance);
5. every pair of distinct points of $V$ appears in the same number $\lambda_C$ of columns over all arrays (column pair balance).
The linear model for experiments based on row-column designs was established by Srivastava [77] and Singh and Dey [75] as follows:
$$ y_{ijkl} = \mu + \alpha_i + \beta_j + \gamma_k + \delta_l + \varepsilon_{ijkl}, $$
where $\alpha_i$ is the variety effect, $\beta_j$ is the block effect, $\gamma_k$ is the row (type) effect and $\delta_l$ is the column (kind) effect, with $\sum_i \alpha_i = \sum_j \beta_j = \sum_k \gamma_k = \sum_l \delta_l = 0$, and the $\varepsilon_{ijkl}$ are uncorrelated random variables for technical errors. In other words, if $(V, \mathcal{B})$ is a row-column design, then it is equivalent to an MSD with two sub-designs satisfying the following conditions. Each block $B_j$ has two kinds of sub-blocks, $\tilde{B}_j^{(R)} = \{C_{j1}, C_{j2}, \ldots, C_{jn}\}$, $C_{jk} \subseteq B_j$, and $\tilde{B}_j^{(C)} = \{D_{j1}, D_{j2}, \ldots, D_{jm}\}$, $D_{jl} \subseteq B_j$; let $\mathcal{C} = \{C_{jk} \mid 1 \le j \le b,\ 1 \le k \le n\}$ and $\mathcal{D} = \{D_{jl} \mid 1 \le j \le b,\ 1 \le l \le m\}$. Then
1. the super-design $(V, \mathcal{B})$ possesses the regular, singleton balance and pair balance properties;
2. the sub-designs $(V, \mathcal{C})$ and $(V, \mathcal{D})$ possess the regular and pair balance properties;
3. $\tilde{B}_j^{(R)}$ and $\tilde{B}_j^{(C)}$ are orthogonal for any $1 \le j \le b$, that is, $|C_{jk} \cap D_{jl}| = 1$ for $1 \le k \le n$, $1 \le l \le m$.
It can easily be proved that each of the two sub-designs also possesses the singleton balance property.

Example 3.1 The following is an MSD with two orthogonal sub-designs, where $V = \{0, 1, 2, 3, 4, 5, 6, 7, \infty\}$, the block size is $3 \times 3$, $r = 4$, $\lambda = 4$, $\lambda_R = 1$ and $\lambda_C = 1$. The blocks are four $3 \times 3$ arrays on $V$; their entries are not recoverable from this extraction.

4. Authentication Codes

Multi-structured designs also have applications in many disciplines such as cryptology. Authentication codes were invented by Gilbert et al. [42] for protecting the integrity of information; they involve three active parties: Alice, Bob, and Oscar. Alice and Bob want to communicate over an insecure channel. Oscar, the opponent, has the ability to introduce his own messages into the channel (the impersonation attack) and/or to modify existing messages (the substitution attack). A game-theoretic model for authentication codes was developed by Simmons [72]. In this model, Alice and Bob share a common encoding rule (or key) $e$. The key $e$ is chosen from a key space $E$ according to some specified probability distribution. Given a source state (or plaintext) $s$ from some source state space $S$, when Alice wants to communicate $s$ to Bob, she computes a message $m = (s, e(s)) \in M$, where $M$ is the message space and $e(s) \in A$ is the authenticator of $s$, and then sends $m \in M$ to Bob over the channel. Bob accepts or rejects the transmitted message $m = (s, a) \in M$ based on the key $e \in E$ which Bob shares with Alice. If $a \ne e(s)$, then Bob is able to detect that an attack has taken place. The strength of an authentication code is measured by the deception probabilities $P_0$ and $P_1$, which represent the probability that Oscar can deceive Bob by impersonation and substitution, respectively. In computing $P_0$ and $P_1$, it is assumed that Oscar is using an optimal strategy. When Alice and Bob use an authentication code, they want $P_0$ and $P_1$, as well as $|E|$, to be small.

Example 4.1 The following is an example of an authentication code with $S = \{s_0, s_1, s_2\}$, $E = \{e_0, e_1, \ldots, e_8\}$, and $A = \{0, 1, 2\}$. The key $e_i$ is chosen from $E$ at random. It is easily seen that this authentication code has deception probabilities $P_0 = P_1 = 1/3$ and $|E| = 9$. In fact, these values of $P_0$, $P_1$ and $|E|$ are the smallest possible for the case $|A| = 3$.


        s0   s1   s2
  e0     0    0    0
  e1     0    1    2
  e2     0    2    1
  e3     1    0    1
  e4     1    1    0
  e5     1    2    2
  e6     2    0    2
  e7     2    1    1
  e8     2    2    0

It is possible that more than one authenticator can be used to authenticate a particular source state $s \in S$; this is called splitting, an important concept in the context of authentication codes with arbitration. In this case, a message $m \in M$ is computed as $m = (s, e(s, r))$, where $r$ is some random number chosen from a specified finite set $R$. If we define $e(s) = \{a \in A \mid a = e(s, r) \text{ for some } r \in R\}$, then splitting means that $|e(s)| > 1$ for some $e \in E$ and $s \in S$. It is also required that for any $e \in E$, $e(s) \cap e(s') = \emptyset$ if $s \ne s'$. Obviously, Bob accepts $m = (s, a) \in M$ if $a \in e(s)$. A splitting authentication code is called $c$-splitting if $|e(s)| = c$ for any $e \in E$ and any $s \in S$.

Theorem 4.2 [64] For any $c$-splitting authentication code,
$$ P_0 \ge \frac{c\,|S|}{|M|}, \qquad P_1 \ge \frac{c\,(|S| - 1)}{|M| - 1}. $$
If in fact the above equalities are satisfied, then
$$ |E| \ge \frac{|M|\,(|M| - 1)}{c^2\,|S|\,(|S| - 1)}. $$

A $c$-splitting authentication code is optimal if it satisfies all the equalities in Theorem 4.2. An optimal $c$-splitting authentication code has been shown to be closely related to a multi-structured design called a $c$-splitting balanced incomplete block design. In this paper, however, we will call it a multi-structured design with external balance. The following is its formal definition. Let $v$, $u$ and $c$ be positive integers such that $v \ge uc$. Let $V$ be a $v$-set of points and $\mathcal{B} = \{B_1, B_2, \ldots, B_b\}$ be a collection of super-blocks with entries from $V$ such that each super-block has $u$ sub-blocks of size $c$, $\tilde{B}_i = (C_{i1}, C_{i2}, \ldots, C_{iu})$, $|C_{ij}| = c$. The pair $(V, \mathcal{B})$ is said to be a multi-structured design with external balance if it satisfies the following conditions:
(1) every point occurs at most once in each super-block;
(2) for every pair of distinct points $x, y \in V$, there is exactly one super-block which contains $x, y$ in distinct sub-blocks (external balance condition).


Example 4.3 The following is a multi-structured design with external balance with $v = 25$, $u = 3$ and $c = 2$ taken from [39], where the point set is $\mathbb{Z}_{25}$. The collection of blocks is obtained by developing the following base block under $+1$ modulo 25 (the base block is row $e_0$ of the table in Example 4.6):
$$ (\{0, 1\},\ \{2, 4\},\ \{12, 20\}). $$

Ogata et al. [64] showed the following relations between splitting authentication codes and multi-structured designs with external balance. An authentication matrix of a $c$-splitting authentication code is a matrix with rows indexed by the keys $e \in E$, columns indexed by the source states $s \in S$, and entry $(e, s)$ given by $e(s) \subseteq A$.

Theorem 4.4 [64] If there exists an optimal $c$-splitting authentication code, then the rows of its authentication matrix form the blocks of an MSD with external balance. The resulting MSD has $|M|$ points, and each of its super-blocks contains $|S|$ sub-blocks of size $c$.

Conversely, starting from an MSD with external balance $(V, \mathcal{B})$ with parameters $v$, $u$ and $c$, we can put $A = V$, $S = \{s_0, s_1, \ldots, s_{u-1}\}$, and for each super-block $(C_1, C_2, \ldots, C_u)$ we define an encoding rule $e \in E$ such that $e(s_0) = C_1$, $e(s_1) = C_2$, $\ldots$, $e(s_{u-1}) = C_u$. Then we obtain the following result.

Theorem 4.5 [64] If there exists an MSD with external balance with parameters $v$, $u$ and $c$, then there exists an optimal $c$-splitting authentication code such that (1) $|A| = v$, $|S| = u$; (2) each source state occurs with equal probability.

Example 4.6 The following is an example of an optimal 2-splitting authentication code with $S = \{s_0, s_1, s_2\}$, $E = \{e_0, e_1, \ldots, e_{24}\}$, and $A = \{0, 1, \ldots, 24\}$, constructed from the MSD in Example 4.3.


          s0        s1        s2
  e0     0, 1      2, 4     12, 20
  e1     1, 2      3, 5     13, 21
  e2     2, 3      4, 6     14, 22
  e3     3, 4      5, 7     15, 23
  e4     4, 5      6, 8     16, 24
  e5     5, 6      7, 9     17, 0
  e6     6, 7      8, 10    18, 1
  e7     7, 8      9, 11    19, 2
  e8     8, 9     10, 12    20, 3
  e9     9, 10    11, 13    21,
  e10   10, 11    12, 14    22, 5
  e11   11, 12    13, 15    23, 6
  e12   12, 13    14, 16    24, 7
  e13   13, 14    15, 17     0, 8
  e14   14, 15    16, 18     1, 9
  e15   15, 16    17, 19     2, 10
  e16   16, 17    18, 20     3, 11
  e17   17, 18    19, 21     4, 12
  e18   18, 19    20, 22     5, 13
  e19   19, 20    21, 23     6, 14
  e20   20, 21    22, 24     7, 15
  e21   21, 22    23, 0      8, 16
  e22   22, 23    24, 1      9, 17
  e23   23, 24     0, 2     10, 18
  e24   24, 0      1, 3     11, 19
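As an added example (not code from the paper or from [64]), the following Python develops the base block ({0, 1}, {2, 4}, {12, 20}) of Example 4.3 modulo 25 into the 25 keys of Example 4.6, checks the external balance condition, and computes $P_0$ and $P_1$ by exhausting Oscar's choices. It assumes the model behind Theorems 4.4 and 4.5, in which the message space $M$ is identified with the point set (a message is one authenticator, and the sub-block it falls in tells Bob the source state), keys are chosen uniformly, and a substitution must make Bob accept a different source state; all function names are my own.

```python
from fractions import Fraction
from itertools import combinations

# Constructed from the page: base block of the MSD with external balance of
# Example 4.3 (v = 25, u = 3, c = 2), read off row e0 of the Example 4.6 table.
V = 25
BASE_BLOCK = ({0, 1}, {2, 4}, {12, 20})


def develop(base, v):
    """Cyclic development: key e_i has super-block base + i (mod v);
    sub-block j of e_i is the authenticator set e_i(s_j)."""
    return [tuple(frozenset((x + i) % v for x in sub) for sub in base)
            for i in range(v)]


def has_external_balance(keys, v):
    """Conditions (1) and (2) of an MSD with external balance."""
    seen = {pair: 0 for pair in combinations(range(v), 2)}
    for blocks in keys:
        points = [p for sub in blocks for p in sub]
        if len(points) != len(set(points)):      # (1) no repeated point
            return False
        for a, b in combinations(range(len(blocks)), 2):
            for x in blocks[a]:
                for y in blocks[b]:
                    seen[tuple(sorted((x, y)))] += 1
    return all(n == 1 for n in seen.values())   # (2) each pair exactly once


def source_of(key, m):
    """Source state that message m authenticates under key, or None (reject).
    Sub-blocks are disjoint, so m determines the source state."""
    for s, sub in enumerate(key):
        if m in sub:
            return s
    return None


def impersonation_prob(keys, v):
    """P0: Oscar injects a message m knowing nothing; with keys uniform his
    best m is the one contained in the most super-blocks."""
    return max(Fraction(sum(source_of(k, m) is not None for k in keys),
                        len(keys))
               for m in range(v))


def substitution_prob(keys, v):
    """P1: Oscar sees a valid m and replaces it by an m' that must carry a
    different source state. Given m (sources equiprobable), the key is
    uniform over the keys whose super-block contains m."""
    best = Fraction(0)
    for m in range(v):
        consistent = [k for k in keys if source_of(k, m) is not None]
        for m2 in range(v):
            if m2 == m:
                continue
            wins = sum(1 for k in consistent
                       if source_of(k, m2) not in (None, source_of(k, m)))
            best = max(best, Fraction(wins, len(consistent)))
    return best


def theorem_4_2_bounds(num_messages, u, c):
    """Lower bounds of Theorem 4.2 with |M| = num_messages and |S| = u."""
    p0 = Fraction(c * u, num_messages)
    p1 = Fraction(c * (u - 1), num_messages - 1)
    min_keys = Fraction(num_messages * (num_messages - 1), c * c * u * (u - 1))
    return p0, p1, min_keys


def is_optimal(keys, v):
    """True when P0, P1 and |E| all meet the Theorem 4.2 bounds with equality."""
    u, c = len(keys[0]), len(keys[0][0])
    p0, p1, min_keys = theorem_4_2_bounds(v, u, c)
    return (impersonation_prob(keys, v) == p0
            and substitution_prob(keys, v) == p1
            and len(keys) == min_keys)


if __name__ == "__main__":
    keys = develop(BASE_BLOCK, V)
    print("external balance:", has_external_balance(keys, V))
    print("P0 =", impersonation_prob(keys, V), " P1 =", substitution_prob(keys, V))
    print("optimal:", is_optimal(keys, V))
```

Run as a script it reports external balance, $P_0 = 6/25$, $P_1 = 1/6$ and optimality, so the 25 keys meet all three bounds of Theorem 4.2 with equality.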

5. Orthogonal and Balanced Arrays

Now we consider a multi-structured design $(V, \mathcal{B})$, where $|V| = v$ and $\mathcal{B}$ is a collection of ordered super-blocks $\mathcal{B} = \{B_1, B_2, \ldots, B_b\}$ such that $\tilde{B}_i = (C_{i1}, C_{i2}, \ldots, C_{in})$, where some of the $C_{ij}$, $1 \le j \le n$, can be $\emptyset$. Let $\mathcal{C}_j = \{C_{ij} \mid 1 \le i \le b\}$, $1 \le j \le n$. The $(n + 2)$-tuple $(V, \mathcal{B}, \mathcal{C}_1, \ldots, \mathcal{C}_n)$ is called an MSD with mutually balanced sub-designs provided that it satisfies the following conditions:
1. $(V, \mathcal{B})$ has the singleton balance property (with parameter $r$),
2. $(V, \mathcal{B})$ has the pair balance property (with parameter $\lambda$), that is, $(V, \mathcal{B})$ is an $(r, \lambda)$-design;
for any $1 \le j \le n$,
3. $(V, \mathcal{C}_j)$ has the singleton balance property ($r_j$),
4. $(V, \mathcal{C}_j)$ has the pair balance property ($\lambda_j$), that is, each $(V, \mathcal{C}_j)$ is an $(r_j, \lambda_j)$-design;
furthermore,
5. every pair $\{x, y\}$ of distinct points of $V$ appears in the same number $\lambda_{ij}$ of super-blocks such that $x$ is in the $i$-th sub-block and $y$ is in the $j$-th sub-block (external balance condition).


Example 5.1 The following is an MSD with mutually balanced sub-designs having parameters $r = 10$, $\lambda = 4$, $r_1 = r_2 = 5$, $\lambda_1 = \lambda_2 = \lambda_{12} = 1$:
$B_1 = (\{1, 3\}, \{2\})$, $B_2 = (\{1, 2, 5\}, \emptyset)$, $B_3 = (\{6\}, \{1, 3\})$, $B_4 = (\{5\}, \{1, 6\})$, $B_5 = (\emptyset, \{2, 3, 4\})$, $B_6 = (\{2, 4\}, \{5\})$, $B_7 = (\{3, 4\}, \{6\})$, $B_8 = (\{6\}, \{4, 5\})$, $B_9 = (\{2\}, \{1, 4\})$, $B_{10} = (\{4\}, \{1, 2\})$, $B_{11} = (\{1\}, \{3, 5\})$, $B_{12} = (\{3\}, \{1, 5\})$, $B_{13} = (\{1, 4, 6\}, \emptyset)$, $B_{14} = (\{1\}, \{4, 6\})$, $B_{15} = (\{2, 3, 6\}, \emptyset)$, $B_{16} = (\{2\}, \{3, 6\})$, $B_{17} = (\{5, 6\}, \{2\})$, $B_{18} = (\emptyset, \{2, 5, 6\})$, $B_{19} = (\{3, 5\}, \{4\})$, $B_{20} = (\{4, 5\}, \{3\})$.

From any ordered super-block $\tilde{B}_i = (C_{i1}, C_{i2}, \ldots, C_{in})$, we can define an $(n + 1)$-ary vector of length $v$, $x_i = (x_0, x_1, \ldots, x_{v-1})$, where
$$ x_t = \begin{cases} j & \text{if } t \in C_{ij}, \\ 0 & \text{otherwise.} \end{cases} $$

In this way, we obtain a $20 \times 6$ array with entries from $\{0, 1, 2\}$. The following is the transpose of the array:

1 1 2 2 0 0 0 0 2 2 1 2 1 1 0 0 0 0 0 0
2 1 0 0 2 1 0 0 1 2 0 0 0 0 1 1 2 2 0 0
1 0 2 0 2 0 1 0 0 0 2 1 0 0 1 2 0 0 1 2
0 0 0 0 2 1 1 2 2 1 0 0 1 2 0 0 0 0 2 1
0 1 0 1 0 2 0 2 0 0 2 2 0 0 0 0 1 2 1 1
0 0 1 2 0 0 2 1 0 0 0 0 1 2 1 2 1 2 0 0

The above array is in fact an example of a balanced array. Let $S = \{0, 1, \ldots, s - 1\}$. A balanced array $BA(m, n, s)$ over $S$ is an $n \times m$ array $A$ with entries from $S$ which satisfies the following two conditions:
1. in any two columns of $A$, any pair $(x, y) \in S^2$ occurs exactly $\mu_{xy}$ times, and
2. for any $x, y \in S$, $\mu_{xy} = \mu_{yx}$.
If $\mu_{xy} = \mu$ for all $x, y \in S$, then the balanced array is an orthogonal array $OA(m, n, s)$. The notion of a balanced array was introduced by Chakravarti [10] as a generalization of that of an orthogonal array and is used as a substitute for an orthogonal array in statistics.

Example 5.2 The array in Example 5.1 is the transpose of a $BA(6, 20, 3)$ defined over $S = \{0, 1, 2\}$ with $\mu_{00} = 4$, $\mu_{01} = \mu_{02} = 3$, $\mu_{11} = \mu_{12} = \mu_{22} = 1$.

Lemma 5.3 [53] Let $V$, $\mathcal{B}$, $\mathcal{C}_j$, $1 \le j \le n$, be defined as above, and define $\mathcal{C}_0 = \{V \setminus B_i \mid 1 \le i \le b\}$. If $(V, \mathcal{B})$ is an $(r, \lambda)$-design and $(V, \mathcal{C}_j)$ is an $(r_j, \lambda_j)$-design for any $1 \le j \le n$, then $(V, \mathcal{C}_0)$ is also an $(r_0, \lambda_0)$-design with $r_0 = b - r$ and $\lambda_0 = b - 2r + \lambda$. Furthermore, if condition 5 (external balance) is satisfied for all $1 \le i, j \le n$, then it is also satisfied for all $0 \le i, j \le n$, with $\lambda_{0i} = \lambda_{i0} = r_i - \sum_{j=1}^{n} \lambda_{ij}$.
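As an added example (not from the paper), the following Python carries Example 5.1 through the correspondence of Theorem 5.4: it turns the 20 ordered super-blocks into the $20 \times 6$ array, computes the pair counts $\mu_{xy}$ of every column pair to confirm the $BA(6, 20, 3)$ parameters of Example 5.2, and checks Lemma 5.3's $\lambda_0 = b - 2r + \lambda$ against $\mu_{00}$. The function names are my own.

```python
from itertools import combinations

# Constructed from the page: the 20 ordered super-blocks of Example 5.1 over
# V = {1, ..., 6}; an empty tuple stands for an empty sub-block.
BLOCKS = [
    ((1, 3), (2,)), ((1, 2, 5), ()), ((6,), (1, 3)), ((5,), (1, 6)),
    ((), (2, 3, 4)), ((2, 4), (5,)), ((3, 4), (6,)), ((6,), (4, 5)),
    ((2,), (1, 4)), ((4,), (1, 2)), ((1,), (3, 5)), ((3,), (1, 5)),
    ((1, 4, 6), ()), ((1,), (4, 6)), ((2, 3, 6), ()), ((2,), (3, 6)),
    ((5, 6), (2,)), ((), (2, 5, 6)), ((3, 5), (4,)), ((4, 5), (3,)),
]
POINTS = range(1, 7)


def block_to_vector(block, points):
    """x_t = j if point t lies in the j-th sub-block (1-based), else 0."""
    return tuple(next((j for j, sub in enumerate(block, 1) if t in sub), 0)
                 for t in points)


def msd_to_array(blocks, points):
    """One row per ordered super-block: a b x v array over {0, ..., n}."""
    return [block_to_vector(b, points) for b in blocks]


def balanced_array_params(array, s):
    """Return the table mu[(x, y)] if the array is a balanced array over
    {0, ..., s-1}, i.e. every pair of columns shows the same pair counts and
    the counts are symmetric; otherwise return None."""
    mu = None
    for c1, c2 in combinations(range(len(array[0])), 2):
        counts = {(x, y): 0 for x in range(s) for y in range(s)}
        for row in array:
            counts[(row[c1], row[c2])] += 1
        if mu is None:
            mu = counts
        elif counts != mu:
            return None
    if any(mu[(x, y)] != mu[(y, x)] for x in range(s) for y in range(s)):
        return None
    return mu


def msd_parameters(blocks, points):
    """(b, r, lambda) of the super-design (V, B), so that Lemma 5.3's
    lambda_0 = b - 2r + lambda can be compared with mu[(0, 0)]."""
    supers = [set().union(*block) for block in blocks]
    r = {t: sum(t in sb for sb in supers) for t in points}
    lam = {pair: sum(set(pair) <= sb for sb in supers)
           for pair in combinations(points, 2)}
    if len(set(r.values())) != 1 or len(set(lam.values())) != 1:
        raise ValueError("super-design is not an (r, lambda)-design")
    return len(blocks), next(iter(r.values())), next(iter(lam.values()))


if __name__ == "__main__":
    array = msd_to_array(BLOCKS, POINTS)
    for col in range(len(POINTS)):            # print the transpose, as on the page
        print(" ".join(str(row[col]) for row in array))
    mu = balanced_array_params(array, 3)
    b, r, lam = msd_parameters(BLOCKS, POINTS)
    print("mu =", mu)
    print("b - 2r + lambda =", b - 2 * r + lam, " mu_00 =", mu[(0, 0)])
```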


Theorem 5.4 [53] There exists an ordered multi-structured design which satisfies conditions 1-5 above if and only if there exists a $b \times v$ balanced array with entries from $S = \{0, 1, \ldots, n\}$ and parameters $\mu_{xy}$, $0 \le x, y \le n$.

6. Cyclic Multi-Structured Blocks and Sequences

The case where $V = \mathbb{Z}_v$, the residue ring of integers modulo $v$, is of special interest in modern communications. In what follows, we focus on cyclic multi-structured designs and their related sequences used in communications.

Let $(V, \mathcal{B})$ be a design, and $\sigma$ a permutation on $V$. For any block $B = \{b_1, \ldots, b_k\} \in \mathcal{B}$, define $B^\sigma = \{b_1^\sigma, \ldots, b_k^\sigma\}$. If $\mathcal{B}^\sigma = \{B^\sigma \mid B \in \mathcal{B}\} = \mathcal{B}$, then $\sigma$ is an automorphism of the design $(V, \mathcal{B})$. The set of all such permutations forms a group under composition called the full automorphism group of the design. Any of its subgroups is an automorphism group of the design. A design admitting a cyclic automorphism group is a cyclic design. For a cyclic design $(V, \mathcal{B})$, the point set $V$ can be identified with $\mathbb{Z}_v$, and the cyclic automorphism is then just the bijection $\sigma : i \mapsto i + 1 \pmod{v}$. Cyclic designs $(\mathbb{Z}_v, \mathcal{B})$ having only full block orbits are of particular interest. In this section, when we say a cyclic design, we always mean a cyclic design in which each of its block orbits under the automorphism $\sigma$ contains exactly $v$ distinct blocks.

Example 6.1 A cyclic $B(3, 1; 7)$ on $\mathbb{Z}_7$:
$B_0 = \{0, 1, 3\}$, $B_1 = \{1, 2, 4\}$, $B_2 = \{2, 3, 5\}$, $B_3 = \{3, 4, 6\}$, $B_4 = \{4, 5, 0\}$, $B_5 = \{5, 6, 1\}$, $B_6 = \{6, 0, 2\}$.

Consider an $(n + 1)$-ary sequence $X = (x_0, x_1, \ldots, x_{v-1})$ of length $v$ based on an alphabet $Q = \{0, 1, 2, \ldots, n\}$. The cyclic shift function $\sigma$ is defined by $\sigma(X) = (x_{v-1}, x_0, x_1, \ldots, x_{v-2})$. We can construct a corresponding ordered multi-structured block $B = (C_1, C_2, \ldots,$
