The first algorithm for the computation of a basis of the Riemann-Roch space \(\mathcal {L}(D)\) associated to a divisor D on a curve is ascribed to von Brill and Noether [2]. Because such a basis allows both to construct algebraic geometric codes and to give addition formulas in the divisor class group of the curve, it is an essential tool in Coding Theory and Cryptography, and many authors have worked on the problem to make its computation more effective (e.g., [5, 8]), often in the equivalent scenario of function fields (cf. [19, Remark 2.3.15]). In particular, an algorithm, which is polynomial in the input size, is given in [7] with an arithmetic approach to the Riemann-Roch problem, and other algorithms were developed in order to simplify the computation, each under particular assumptions.

In this paper the class of hyperelliptic curves is considered. Many papers have been devoted to the study of arithmetic in these curves, among the others we mention in particular [3, 11, 12]. The interest on the subject does not seem to decline, as witnessed by more recent publications (cf. [14, 20]). A significant literature has also been produced in order to consider codes over hyperelliptic curves [1, 13, 17], and hyperelliptic curves in Cryptography have been investigated, e.g., in [10, 11, 18].

Both the Mumford representation of a divisor \(\Delta \) of degree zero on a hyperelliptic curve and the Riemann-Roch space \(\mathcal {L}(D)\), where \(D=\Delta +m \Omega \), are the subject of a large number of papers, also due to their applications in Coding theory. The dimension of \(\mathcal {L}(D)\) has been computed in [1, Lemma 2.1, p. 155] and an explicit basis of \(\mathcal {L}(D)\) has been indicated in [4, Theorem 1, p. 275].

But it has not been indicated in the literature that a basis of the latter can be directly found from the former, and it is the aim of the present note to give an explicit basis of \(\mathcal {L}(D)\), stressing the meaning of the Mumford representation of \(\Delta \) in this context. Note that, for a nodal curve, a data structure inspired by the Mumford representation has been used for the same purpose in a recent paper by Le Gluher and Spaenlehauer [14], and that in a paper by Garzón and Navarro [5] a basis of \(\mathcal {L}(D)\) in the more general case of superelliptic curves is provided, but for a given divisor D.

Algebraic geometric codes were introduced by Goppa in [6] several decades ago. These codes turned out not only to be interesting in Coding Theory, but also to be applicable in Cryptography, e.g. in public-key cryptographic systems [9, 16].

Using this basis, one constructs directly a generating matrix of an algebraic geometric code over a hyperelliptic curve defined over a Galois field of characteristic \(p\ge 2\). Also, it is possible to construct MDS codes. We make this for a toy model of MDS codes in Section 3. Although the reduction of a divisor D to its reduced Mumford form might be an inconvenient task, involving the application of the Cantor algorithm (see Remark 1), this difficulty does not occur in the construction of algebraic geometric codes, because in that case one can directly take D in the reduced form \(D=\Delta +m \Omega \).

1 Notations and reduction to the Mumford representation

Let \(\textsf{K}\) be the algebraic closure of the field \(\textsf{k}\) and let \(\mathcal {H}\) be a hyperelliptic curve of genus g over \(\textsf{k}\) with a rational Weierstrass point \(\Omega \). The non-singular curve \(\mathcal {H}\) is described by an affine equation of the form

$$\begin{aligned} y^2+yh(x)=f(x) \end{aligned}$$
(1.1)

where f(x) is a polynomial of degree \(d=2g+1\), h(x) is a polynomial of degree at most g, and \(\Omega =[0:1:0]\) is the point at infinity of \(\mathcal {H}\) [15, Prop. 1.2]. If \({\text {char}}\textsf{k}\ne 2\), changing y into \(y-h(x)/2\), and f(x) into \(f(x)-h^2(x)/4\), transforms the above equation into

$$\begin{aligned} y^2=f(x), \end{aligned}$$

whereas, if \({\text {char}}\textsf{k}= 2\), then it is not possible to reduce h(x) to zero.

Let D be a divisor of \(\mathcal {H}\). Since its Riemann-Roch space

$$\begin{aligned} \mathcal {L}(D)=\{F\in \textsf{K}(\mathcal {H}):\textrm{div}(F)+D \text{ is } \text{ effective }\}\cup \{0\} \end{aligned}$$

is null both in the case where D has negative degree, and in the case where D has degree zero and \(D\not \in \textrm{Princ}(\mathcal {H})\), whereas \(\mathcal {L}(D)=\Big \langle F_0^{-1} \Big \rangle \) in the case where \(D=\textrm{div}(F_0)\), from now on we will assume D has positive degree m.

Remark 1

In order to extend the use of Mumford representation to divisors of arbitrary degree, first we recap the results in [3, 10].

It follows from the Riemann-Roch theorem that each divisor of \(\mathcal {H}\) can be written uniquely in the following form

$$\begin{aligned} D=P_1+P_2+\dots +P_t+(m - t)\Omega +\textrm{div}(\psi (x,y)) \end{aligned}$$

for t points \(P_1,\dots , P_t\) in \(\mathcal {H}\) distinct from \(\Omega \), with \(t\le g\), \( P_i + P_j - 2 \Omega \not \in \textrm{Princ}(\mathcal {H})\), and a suitable \(\psi (x,y)\in {\textsf{K}}(\mathcal {H})\), that is, any divisor class \(D+\textrm{Princ}(\mathcal {H})\in \textrm{Div}(\mathcal {H})/\textrm{Princ}(\mathcal {H})\) can be reduced to the form \(P_1+\dots +P_t+(m - t)\Omega \).

Let \(P_i=(x_i,y_i)\) and note that any divisor

$$\begin{aligned} \Delta =l_1P_1+\dots +l_sP_s-(l_1+\dots +l_s)\Omega \end{aligned}$$

on the curve \(\mathcal {H}\), of degree zero and such that \(l_i>0\) for any index i, determines uniquely the polynomial \( a(x)= {(x-x_1)}^{l_1} \cdots {(x - x_s)}^{l_s} \) and the polynomial b(x) which is the polynomial such that \(b(x_t)=y_t\) (with a corresponding degree of contact with \(\mathcal {H}\), in the case where \(l_i >1\), that is, such that \( {\big (\frac{d}{dx}\big )}^j (b^2(x) + b(x) h(x) - f(x))|_{x = x_i} = 0 \), for \( 0 \le j \le l_i - 1\)). Hence \(b^2(x)+h(x)b(x)-f(x)\) is a multiple of a(x) and the degree of b(x) is smaller than the degree of a(x), and conversely, a pair of polynomials a(x) and b(x) such that \(b^2(x)+h(x)b(x)-f(x)\) is a multiple of a(x) and the degree of b(x) is smaller than the degree of a(x) defines such a divisor of degree zero, which is written as \(\Delta ={\text {div}}(a(x),b(x))\). Note that an intersection point of the curve with the x-axis is contained in the support of \(\Delta \) if and only if \({\text {GCD}}(a(x),a'(x),b(x))\ne 1\). If \({\text {GCD}}(a(x),a'(x),b(x))= 1\) and the degree of a(x) is not greater than the genus g of the curve (or equivalently, if the support of \(\Delta \) contains at most g points which are mutually non-opposite), one says that \({\text {div}}(a(x),b(x))\) is in Mumford form (or reduced form).

Now, we can directly extend the Mumford representation to any divisor \(D=D_1-D_2\) (with \(D_i\) effective of degree \(m_i\in \mathbb {Z}\)) by writing it as

$$\begin{aligned} D=\Delta +m \Omega +{\text {div}}(\psi (x,y)), \end{aligned}$$

with \(m = m_1-m_2\), for a suitable divisor \(\Delta ={\text {div}}\big (u(x),v(x)\big )\) in Mumford form, and a suitable function \(\psi (x,y)\), obtained with the following argument.

First, taking the vertical lines \(x-x_i\) passing through the points in the support of \(D_2\) we can write

$$\begin{aligned} -D_2=D_2'-2m_2\Omega -{\text {div}}(\phi ), \end{aligned}$$

with \(\phi =\prod (x-x_i)\) and \(D_2'\) effective, hence

$$\begin{aligned} D = D_1 - D_2 = D_3-2m_2\Omega -{\text {div}}(\phi ), \end{aligned}$$

with \(D_3=D_1+D_2'\) an effective divisor of degree \(m_1+m_2\), hence of the form

$$\begin{aligned} D_3={\text {div}}(a(x),b(x))+(m_1+m_2)\Omega . \end{aligned}$$

Secondly, applying the reduction step in Cantor’s algorithm (cf. [3], and [10] in the case where \({\text {char}}\textsf{k}= 2\)), we change \(D_3\) with

$$\begin{aligned} D_3'=D_3-{\text {div}}(y-b(x))={\text {div}}(a'(x),b' (x)) + (m_1+m_2)\Omega , \end{aligned}$$

which belong to the same divisor class, where

$$\begin{aligned} a'(x)=\frac{f(x)-b(x)h(x)-b^2(x)}{a(x)} \end{aligned}$$

and

$$\begin{aligned} b'(x)=-h(x)-b(x)\mod a'(x). \end{aligned}$$

This way \({\text {deg}} a'(x)<{\text {deg}} a(x)\), hence after finitely many iterations one gets \({\text {deg}} a'(x)\le g\), and one can write

$$\begin{aligned} D=\Delta +m \Omega +{\text {div}}(\psi (x,y)), \end{aligned}$$

where \(\psi (x,y)\) is the resulting function of the above reduction.

Finally, the function

$$\begin{aligned} \Phi : \mathcal {L}(D)\mapsto \mathcal {L}(\Delta +m \Omega ), \end{aligned}$$

mapping F onto the product \(\psi (x,y) F\), is an isomorphism.

Up to the latter isomorphism, we will directly assume that \(D=\Delta +m \Omega \), \(m > 0\).

2 Main theorem

In the following theorem we determine a basis of \(\mathcal {L}(D)\), with \(D=\Delta + m \Omega \), and \( \Delta = {\text {div}}(u(x),v(x)) \) is in Mumford representation, with \({\text {deg}} u(x)\le g\). We recall that, up to the isomorphism defined in Remark 1, any divisor can be reduced in such a form. Also, the kind of unexpected varying, according to m, of its dimension becomes manifest: in order to determine \({\text {dim}}\mathcal {L}(D)\), in [1, Lemma 2.1] it is distinguished the case \(m \ge 2g-t-1\) (with \( t:={\text {deg}} u(x \)), where it is proved that, in spite of the general behavior, \(\textrm{dim}\, \mathcal {L}(D)=m - g + 1\), and the case \(t\le m < 2g-t-1\), where \(\textrm{dim}\, \mathcal {L}(D)=\big \lfloor \frac{m - t}{2}\big \rfloor +1\) (cf. Remark 2 for details).

Theorem 1

Given the hyperelliptic curve \(\mathcal {H}\) of genus g and degree \(d=2g+1\) defined by (1.1), given the divisor \(D=\Delta +m \Omega \) of positive degree m on \(\mathcal {H}\), with \(\Delta ={\text {div}}(u(x),v(x))\) in Mumford representation, let \(t:={\text {deg}} u(x)\le g\) and let

$$\begin{aligned} \Psi (x,y)=\frac{y+ v(x)}{u(x)}, \end{aligned}$$

for \({\text {char}}\textsf{k}=p>2\), and \(\Psi (x,y)=\frac{y+ v(x) + h(x)}{u(x)}\), for \(p=2\).

If \(m <d-t\), then a basis of \(\mathcal {L}(D)\) is provided by the set of functions \( x^i\), with \(0\le i \le \frac{m - t}{2}\).

If \(m \ge d - t\), then a basis of \(\mathcal {L}(D)\) is provided by the set of functions \( x^i\) and \(\Psi (x,y)\cdot x^j\), with \( 0\le i \le \frac{m - t}{2}\) and \(0\le j \le \frac{m - (d - t)}{2}\).

Proof

In order to compute \({\text {div}}(\Psi (x,y))\), recall that \({\text {deg}} v(x)<{\text {deg}} u(x)\le g\) and that, in the case where \(p=2\), \({\text {deg}} h(x)\le g\), as well.

Since \( l = \text {max}(\text {deg}\, v(x), \text {deg}\, h(x))\le g \), the degree of \({\big (- v(x) - h(x) \big )}^2\) is smaller than the degree of f(x) , hence there are \(d = 2g + 1\) (not necessarily distinct) intersection points of the curve \( y+v(x)+h(x)=0 \) and \(\mathcal {H}\) in the affine plane, the remaining \(d(l-1)\) intersection points coinciding with \(\Omega \). More precisely, t intersection points in the affine plane belong to the support of the divisor \(\widehat{\Delta } ={\text {div}} \big (u(x),w(x)\big )\) in Mumford representation, where \(w(x)=-v(x)-h(x) \mod u(x)\), therefore

$$\begin{aligned} {\text {div}}\big (y+v(x)+h(x)\big )= \widehat{\Delta } + W + \big (t + d(l - 1)\big ) \Omega , \end{aligned}$$

where W is the effective divisor of degree \( d - t \), whose support consists of the remaining intersection points in the affine plane. Note that, in the case \( t = 0 \), the divisor \(\Delta \) has the Mumford representation (1, 0) and the degree of W is \( d = 2g + 1 \) and the support of W coincides with the intersections of \(\mathcal {H}\) with the curve \(y+h(x)=0\).

On the other hand, the intersection of \( u(x)=0\) and \(\mathcal {H}\) is simply

$$\begin{aligned} {\text {div}}\big (u(x)\big ) = \Delta + \widehat{\Delta } + (t d) \Omega . \end{aligned}$$

Summarizing, if \(t>0\), then

$$\begin{aligned} \begin{aligned} {\text {div}}(\Psi (x,y))&= {\text {div}}\big (y+v(x)+h(x)\big ) - {\text {div}}\big (u(x)\big ) \\&= W - \Delta - (d - t) \Omega \end{aligned} \end{aligned}$$
(2.1)

and, if \(t=0\), then \(\Delta =(1,0)\) and \(\Psi (x,y)=y+h(x)\), whence

$$\begin{aligned} \textrm{div}(\Psi (x,y))=\textrm{div}\left( y+h(x)\right) - \textrm{div}\left( 1\right) = W - d \Omega , \end{aligned}$$

thus in both cases the equality (2.1) holds. Hence

$$\begin{aligned} \Psi (x,y)\in \mathcal {L}(D) \text{ if } \text{ and } \text{ only } \text{ if } m \ge d - t . \end{aligned}$$
(2.2)

Let \(m \ge d - t\), that is, the case where \(\Psi (x,y)\in \mathcal {L}(D)\). First we consider the cases where either \(t=0\) (hence \(m \ge d = 2g+1\)), or \(t=1\) (hence \(m \ge d-1\)), or \(t \ge 2\) and \(m \ge d-2\), as in these cases we know, by the theorem of Riemann-Roch, that the dimension of \(\mathcal {L}(D)\) is \(m - g + 1\). Thus, in order to prove that

$$\begin{aligned} \mathcal {L}(D)=\left\langle x^i,\Psi (x,y)\cdot x^j\right\rangle ,\text { with } 0\le i \le \frac{m - t}{2}\text { and }0\le j \le \frac{m - (d - t)}{2}, \end{aligned}$$
(2.3)

it is sufficient to note that, for each of those values of the parameters i and j, these functions belong to \(\mathcal {L}(D)\), because

$$\begin{aligned} 1+\left\lfloor \frac{m - t}{2}\right\rfloor +1+\left\lfloor \frac{m - (d - t)}{2} \right\rfloor =m - g + 1, \end{aligned}$$

and the claim will follow from dimensional reasons. Now,

$$\begin{aligned} D+\textrm{div}(x^i)=(\Delta + m \Omega ) + i \cdot \textrm{div}(x), \end{aligned}$$
(2.4)

as well as

$$\begin{aligned} \begin{aligned} D+\textrm{div}\;(\Psi (x,y)\cdot x^j)&= (\Delta + m \Omega ) + j \cdot \textrm{div}(x) + \big (W - \Delta - (d - t) \Omega \big ) \\&= W + j \cdot \textrm{div}(x) - (d - t - m) \Omega , \end{aligned} \end{aligned}$$
(2.5)

are effective divisors, hence the functions belong to \(\mathcal {L}(D)\).

Secondly, we consider the case where \(d-t\le m < d - 2\). In this case, the dimension of \(\mathcal {L}(D)\) is not necessarily \(m - g + 1\), but still \(\Psi (x,y)\in \mathcal {L}(D)\).

If \(0\le \epsilon \le t-2\), and if, for short, we put \(m = m_\epsilon =d-2-\epsilon \), then

$$\begin{aligned} \mathcal {L}_\epsilon :=\mathcal {L}(\Delta + m_\epsilon \Omega ), \end{aligned}$$

hence the space \(\mathcal {L}_0=\mathcal {L}(\Delta + (d-2)\Omega )\) is generated, by the above case, by the functions \(x^i\) and \(\Psi (x,y)\cdot x^j\) with \(0\le i \le \frac{m_0-t}{2}\) and \(0\le j \le \frac{m_0 - (d - t)}{2}\). Of course, \(\mathcal {L}_{\epsilon +1} \subseteq \mathcal {L}_\epsilon \), and we will see that \({\text {dim}}(\mathcal {L}_{\epsilon +1})={\text {dim}}(\mathcal {L}_\epsilon )-1\). Indeed, by (2.4) and (2.5), the functions \(x^i, \Psi (x,y) x^j\) of \(\mathcal {L}_\epsilon \) belong to \(\mathcal {L}_{\epsilon +1}\) as long as \(i \le \frac{m_{\epsilon +1} -t}{2}\), and \(j \le \frac{m_{\epsilon +1}-(d-t)}{2}\), that is,

$$\begin{aligned} {\text {dim}}(\mathcal {L}_{\epsilon +1})=1+\left\lfloor \frac{m_{\epsilon +1} -t}{2}\right\rfloor +1+\left\lfloor \frac{m_{\epsilon +1}-(d-t)}{2}\right\rfloor , \end{aligned}$$

and our assertion is proved. In particular, we found that \({\text {dim}}(\mathcal {L}_{\epsilon +1})={\text {dim}}(\mathcal {L}_\epsilon )-1\), because \(m_{\epsilon +1}=m_\epsilon -1\) and

$$\begin{aligned} {\text {dim}}(\mathcal {L}_{\epsilon })=1+\left\lfloor \frac{m_{\epsilon } -t}{2}\right\rfloor +1+\left\lfloor \frac{m_{\epsilon }-(d-t)}{2}\right\rfloor , \end{aligned}$$

where the missing function is, once for one, \(x^i\) or \(\Psi (x,y) x^j\), because d is odd and changes the parity of \({m_{\epsilon +1} -t}\) in that of \(m_{\epsilon +1}-(d-t)\).

Now we consider the cases where \(m < d-t\), that is, the cases where, by (1.1), \(\Psi (x,y)\not \in \mathcal {L}(D)\). If \(t=0\) and \(m\in \{d-2, d-1\}\), or if \(t=1\) and \(m=d-2\), then on the one hand \(\lfloor \frac{m - t}{2}\rfloor =m-g\) and, on the other hand, by the theorem of Riemann-Roch, the dimension of \(\mathcal {L}(D)\) is \(m - g + 1\). Thus, by dimensional reasons, \(\mathcal {L}(D)=\left\langle x^i\right\rangle \), where \(0\le i \le \lfloor \frac{m - t}{2}\rfloor \).

In order to prove that \(\mathcal {L}(D)=\left\langle x^i\right\rangle \), where \(0\le i \le \frac{(m - t)}{2}\) also in the remaining cases where either \(t=0, 1\) and \(m <d-2\), or \(2\le t\le m <d-t\), write \(m = m_\epsilon =d-t-\epsilon \) with \(1\le \epsilon \le d-2t\), and again put, for short,

$$\begin{aligned} \mathcal {L}_\epsilon :=\mathcal {L}(\Delta + m_\epsilon \Omega ). \end{aligned}$$

Note that appending the value \(\epsilon =0\), that is, considering also the case where \(m = m_0=d-t\), by (2.3) we have \(\mathcal {L}_0=\left\langle x^i,\Psi (x,y)\right\rangle \), with \(0\le i \le \frac{m_0-t}{2}\).

Of course, \(\mathcal {L}_{\epsilon +1} \subseteq \mathcal {L}_\epsilon \) for any \(0\le \epsilon \le d-2t\), but in this case we will see that

$$\begin{aligned} {\text {dim}}(\mathcal {L}_{\epsilon +1})= \left\{ \begin{array}{ll} {\text {dim}}(\mathcal {L}_\epsilon )&{}\text{ if } m_\epsilon - t \text{ is } \text{ odd, } \\ {\text {dim}}(\mathcal {L}_\epsilon )-1&{}\text{ if } m_\epsilon - t \text{ is } \text{ even. } \end{array} \right. \end{aligned}$$
(2.6)

Indeed, by (2.2) \(\Psi (x,y)\not \in \mathcal {L}_\epsilon \) as soon as \(\epsilon >0\), and since, by (2.4), the functions \(x^i\) of \(\mathcal {L}_\epsilon \) belong to \(\mathcal {L}_{\epsilon +1}\) as long as \(i \le \frac{m_{\epsilon +1} -t}{2}\), we see that

$$\begin{aligned} {\text {dim}}(\mathcal {L}_{\epsilon +1})=1+\left\lfloor \frac{m_{\epsilon +1} -t}{2}\right\rfloor , \end{aligned}$$

and we get the equalities in (2.6), because \(m_{\epsilon +1}=m_\epsilon -1\). But this equality shows, as well, that the theorem is true for any value of m. \(\square \)

Remark 2

It is remarkable that the dimensions in [1, Lemma 2.1] look different from the ones above: for \(m = 2g-t, 2g-t-1\), in our theorem we find \({\text {dim}}\mathcal {L}(D)=1+\left\lfloor \frac{m - t}{2}\right\rfloor \), whereas in [1, Lemma 2.1] we read \({\text {dim}}\mathcal {L}(D)=m - g + 1\). Of course, the two values coincide exactly for \(m = 2g-t, 2g-t-1\). In particular, the necessary condition in [1, Lemma 2.1] to have \({\text {dim}}\mathcal {L}(D)\ne m - g + 1\), that is, \(m <d-t-2\), is also sufficient. An interesting phenomenon occurs when \(g<m <2g-1\) and \(t\in \{g,g-1,g-2\}\), because in these cases \(m \ge d-t-2\), hence \(\textrm{dim}\,\mathcal {L}(D)=m - g + 1\), regardless of the theorem of Riemann-Roch.

3 Applications to coding theory

A \([n,k,\delta ]\) linear code of minimal distance \(\delta \) is a k-dimensional subspace of the n-dimensional vector space over the Galois field \({\text {GF}}(q)\), such that any two vectors of the code differ in at least \(\delta \) entries (we address the reader to, e.g., [19] for a general reference). The number of entries for which any two vectors are different defines the Hamming distance, and it is easy to prove, by using the triangular inequality, that corrupting a vector of a \([n,k,\delta ]\) linear code in at most \( \frac{\delta -1}{2}\) entries does not give a vector belonging to the code, thus avoiding possible misunderstandings in communication. The distance between a vector \(\textbf{w}\) and the zero vector is the weight of \(\textbf{w}\), and it is manifest that the minimal distance of a code coincides with the minimal weight of a non-zero vector. The Singleton bound states that \(\delta \le n-k+1\), and a linear code is optimal or MDS (maximum distance separable) if the equality holds.

Algebraic geometric linear codes are defined by taking a divisor D on a curve \(\mathcal {C}\) over a finite field \(\textrm{GF}(q)\) and a divisor \( R = \sum _{i = 1}^{n} P_i \), with \( P_1, \ldots , P_n \) fixed rational points of the curve, not in the support \({\text {supp}}(D) \) of D, then

$$\begin{aligned} C_{\mathcal {L}} (R, D) = \{(f(P_1), \ldots , f(P_n)) :f \in \mathcal {L}(D)\} \end{aligned}$$

is an \( [n, k, \delta ] \) code with parameters \( k = \ell (D) - \ell (D - R) \), where \( \ell (*) = {\text {dim}}(\mathcal {L}(*)) \), and \(\delta \) satisfying the Goppa lower bound \( \delta \ge n - {\text {deg}}(D) \) (cf. [6]).

Under the additional hypothesis \( n - {\text {deg}}(D) > 0 \), we have that the divisor \(D - R\) has negative degree, thus \( \ell (D - R) = 0 \) and \( k = \ell (D) \). In this case, evaluating the k functions \(f_1,\dots ,f_k\) of a basis of \(\mathcal {L}(D)\) on the points \( P_i \in {\text {supp}}(R) \), the vectors \(\big (f_j(P_1),\dots ,f_j(P_n)\big )\) give the rows of a generator matrix of \( C_{\mathcal {L}} (R, D) \).

In this section we assume \( \textsf{k} = {\text {GF}}(p^c) \), where \( p \ge 2 \) is a prime number and c a positive integer.

Note that, for any polynomials u(x) and v(x), with u(x) of degree t, and v(x) of degree smaller than t (and, if \(p=2\), for any arbitrary non-zero polynomial h(x)), there is a hyperelliptic curve of arbitrary genus \(g\ge \max \{t, {\text {deg}}(h)\}\), of equation \(y^2 + y h(x) =v^2(x)+v(x)h(x) - c(x)u(x)\), for each polynomial c(x) of degree \(2g+1-t\), passing through the support of \(D=\Delta + m \Omega \), with \(\Delta ={\text {div}}\big (u(x),v(x)\big )\) in Mumford representation, and all of these curves determine the same Riemann Roch space \(\mathcal {L}(D)\) for D. That is, in order to give a basis of the space \(\mathcal {L}(D)\) one does not have to know the curve containing the support of D. Note also that one does not need to give explicitly the points in the support of D, a sensible advantage in the construction of algebraic geometric codes, as we will see in Example 1. In that Example, we compute the generating matrix of a toy model of an algebraic geometric code of length \(n=10\) and dimension \(k = 5\), arising from a hyperelliptic curves of genus \(g=11\), and which is a MDS code, although here the Goppa lower bound is equal to \(-5\), and \(D-R\) has positive degree.

Remark 3

Note that, for \(p\le \frac{m - t}{2}\), the polynomials x and \(x^{p^c}\) in the basis of \(\mathcal {L}(D)\) take the same values in the field \(\textsf{k}=\textrm{GF}(p^c)\), and the same occurs, for \(p\le \frac{m - (d - t)}{2}\), to the functions \(\Psi (x,y) x\) and \(\Psi (x,y) x^{p^c}\). This fact must be taken into account, for instance, when constructing a Goppa code.

Theorem 2

Let \( \textsf{k} \) be a field of characteristic \( p \ge 2 \), let u(x) be a monic polynomial of degree t and v(x) be a polynomial with \({\text {deg}}(v)<t\), such that \( {\text {GCD}}(u(x),u'(x),v(x)) = 1 \), and let \(P_s=(x_s,y_s)\) be n pairs such that \(u(x_s)\ne 0\), for any \(s=1,\dots ,n\).

If \( g \ge t \), then, for any \(g-t+2 \le {k} < n \), the rows of the matrix \(G=(\gamma _{rs})\)

$$\begin{aligned} \left\{ \begin{array}{ll} \gamma _{rs} = x_s^{r-1} &{} \text{ for } 1\le r\le \eta +1 \\ &{} \\ \gamma _{rs} = \Psi (x_s,y_s)\cdot x_s^{r-\eta } &{} \text{ for } \eta +2\le r\le {k} \end{array} \right. \ \left( \text{ where } \eta =\left\lfloor \frac{{k} + g - 1 - t}{2}\right\rfloor \right) \end{aligned}$$
(3.1)

generate an algebraic geometric code, of dimension \({\text {rank}}(G) \le k\), and \( n - {k} + 1 - g \le \delta \le n - {\text {rank}}(G) + 1 \), and with \(\Psi (x_s,y_s)=\frac{y_s + v(x_s) + h(x_s)}{u(x_s)}\), where \(h(x)=0\), if \(p>2\), or h(x) is an arbitrary non-zero polynomial with \({\text {deg}}(h)\le g\), if \(p=2\). If \(n> k+g-1\), then \({\text {rank}}(G) = k\); hence G is the generator matrix of a \([n,k,\delta ]\) code.

Proof

Let c(x) be a polynomial of degree \( 2g + 1 - t \) such that

$$\begin{aligned} c(x_s) = \frac{{v(x_s)}^2 + h(x_s) v(x_s) - y_s^2 - y_s h(x_s)}{u(x_s)}, \end{aligned}$$

for any \( (x_s, y_s) \) with \(s=1,\dots ,n\).

Hence, there is an hyperelliptic curve of genus g of equation

$$\begin{aligned} y^2 + y h(x) = f(x) = {v(x)}^2 + h(x) v(x) - c(x) u(x), \end{aligned}$$

passing through the n points \( (x_s, y_s) \) and the points belonging to the support of the divisor \( {\text {div}}(u(x), v(x)) \).

The claim follows from the fact that the functions taken into account in the theorem give in turn a set of generators of the Riemann-Roch space \( \mathcal {L}(D) \), where \( D = {\text {div}}(u(x), v(x)) + ({k} + g - 1) \Omega \), whose dimension is k , under the additional assumption that \(n> k+g-1\).\(\square \)

Remark 4

Note that, as long as \( k < g - t + 2 \) and the n points \(P_s=(x_s, y_s)\) where we evaluate the functions of the basis of \(\mathcal {L}(D)\) have different abscissæ \(x_s\), the algebraic geometric code coincides with the \([n,k,n-k+1]\) Reed-Solomon code on the n values \(\{x_1,\dots ,x_n\}\subset \textsf{k}\).

In the next Example 1, the additional assumption \(n-{\text {deg}}(D)\ge 0\) does not hold. Instead, we choose the points in the support of the divisor R as in the following Corollary, yet obtaining a k-dimensional MDS code.

Corollary 3

Under the assumption of Theorem 2, for any \(s=1,\dots , l \),

  • let \((x_s,\pm y_s)\) be \(n=2l\) distinct pairs with \( y_s \ne 0 \), if \(p > 2\), or

  • let \((x_s, y_s), (x_s, -y_s - h(x_s))\) be \(n=2l\) distinct pairs with \( h(x_s) \ne 0 \), if \(p = 2\), where h(x) is an arbitrary non-zero polynomial with \({\text {deg}}(h)\le g\),

such that \(x_i \ne x_j\), for any \(i \ne j\), \(u(x_s)\ne 0\). Then the matrix G has full rank k. Furthermore, if \(n=2k\), then the code having G as generator matrix has minimal distance \(\delta \ge n - k \).

Proof

Let \(a_s = \Psi (x_s, y_s)\) and let \(b_s = \Psi (x_s, - y_s)\) if \(p > 2\), or \(b_s = \Psi (x_s, -y_s - h(x_s)) \) if \(p = 2\), for all indices s. Since

$$\begin{aligned} G := \begin{pmatrix} 1 &{} 1 &{} \cdots &{} 1 &{} 1\\ x_1 &{} x_1 &{} \cdots &{} x_n &{} x_n\\ \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ x^\eta _1 &{} x^\eta _1 &{} \cdots &{} x^\eta _l &{} x^\eta _l\\ a_1 &{} b_1 &{} \cdots &{} a_l &{} b_l \\ x_1 a_1 &{} x_1 b_1 &{} \cdots &{} x_l a_l &{} x_l b_l \\ \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ x^{k - \eta -2}_1 a_1 &{} x^{k - \eta -2}_1 b_1 &{} \cdots &{} x^{k - \eta -2}_l a_l &{} x^{k - \eta -2}_l b_l \\ \end{pmatrix}, \end{aligned}$$

subtracting to the even columns their preceding columns, one gets the following matrix:

$$\begin{aligned} \begin{pmatrix} 1 &{} 0 &{} \cdots &{} 1 &{} 0 \\ x_1 &{} 0 &{} \cdots &{} x_l &{} 0 \\ \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ x^\eta _1 &{} 0 &{} \cdots &{} x^\eta _l &{} 0 \\ a_1 &{} c_1 &{} \cdots &{} a_l &{} c_l \\ x_1 a_1 &{} x_1 c_1 &{} \cdots &{} x_l a_l &{} x_n c_l \\ \vdots &{} \vdots &{} \ddots &{} \vdots &{} \vdots \\ x^{k - \eta -2}_1 a_1 &{} x^{k - \eta -2}_1 \ c_1 &{} \cdots &{} x^{k - \eta -2}_l a_l &{} x^{k - \eta -2}_l c_l \\ \end{pmatrix}, \end{aligned}$$

where \( c_s = b_s - a_s \) is equal to \(-2\frac{y_s}{u(x_s)}\) if \(p > 2\), while \(c_s\) is equal to \(\frac{h(x_s)}{u(x_s)} \) if \(p = 2\). In both cases they are non-zero, and, collecting the odd columns on the left and the even columns on the right, we reduce the matrix to the following block matrix form

$$\begin{aligned} \begin{pmatrix} \textbf{V} &{} \textbf{0} \\ \hline &{} \\ [-1.5ex] *&{} \mathbf {V^\prime } \\ \end{pmatrix} \end{aligned}$$

where \(\textbf{V}\) is a (rectangular) Vandermonde matrix, and \(\mathbf {V^\prime } \) is obtained by multiplying the columns of a (rectangular) Vandermonde matrix times \(c_s\), thus the rank of G is k.

In order to prove that for \( n = 2k \) the code having G as generator matrix has minimal distance \(\delta \ge n-k \), we look for a vector \(\textbf{w}\) of the code of minimal weight \(\delta \)

$$\begin{aligned} \textbf{w}&= (u_1, \ldots , u_k) \cdot G \\&=\big (\textbf{f}_1(x_1) + a_1 \textbf{f}_2(x_1),\ \textbf{f}_1(x_1) + b_1 \textbf{f}_2(x_1),\ \ldots ,\ \textbf{f}_1(x_l) + a_l \textbf{f}_2(x_l),\ \textbf{f}_1(x_l) + b_l \textbf{f}_2(x_l)\big ), \end{aligned}$$

where \(\textbf{f}_1(x_s) = \sum _{i = 1}^{\eta + 1} u_i \cdot x_s^{(i - 1)} \), and \(\textbf{f}_2(x_s) = \sum _{i = \eta + 2}^{k} u_i \cdot x_s^{(i - \eta - 2)} \), for all \(s = 1, \ldots , l\). It is harmless to assume that \(\eta \ge k-\eta -2\).

In order to count the maximal possible number of zeros in the entries \(\textbf{f}_1(x_s) + a_s \textbf{f}_2(x_s)\) or \(\textbf{f}_1(x_s) + b_s \textbf{f}_2(x_s)\) of \(\textbf{w}\), first we observe that we can annihilate \(\textbf{f}_2(x_s)\) on \(k-\eta -2\) values \(x_s\), and since \(\eta \ge k-\eta -2\), we can annihilate \(\textbf{f}_1(x_s)\) there, as well, taking \(\textbf{f}_1(x)=\textbf{f}_2(x)\textbf{f}_3(x)\) for a suitable polynomial \(\textbf{f}_3(x)\). This argument gives \(2(k-\eta -2)\) zero, pairwise consecutive, entries of \(\textbf{w}\).

On the remaining entries, where \(\textbf{f}_2(x_s)\) must be non-zero, we can still annihilate \(\textbf{f}_1(x_s) + a_s \textbf{f}_2(x_s)\) on \(\eta -(k-\eta -2)+1\) values \(x_s\), because the polynomial \({\textbf{f}_3(x)}\) has degree \(\eta -(k-\eta -2)\). This argument gives exactly \(2\eta -k+3\) further zero entries of \(\textbf{w}\), because now \(\textbf{f}_1(x_s) + b_s \textbf{f}_2(x_s)\) must be non zero.

Therefore the maximal possible number of zeros of \(\textbf{w}\) is \(2(k-\eta -2)+(2\eta -k+3)=k-1\), so \(\delta \ge n-(k-1)\), thus reaching the Singleton bound.

On the other hand, in the case \(\text {gcd}(\textbf{f}_1(x), \textbf{f}_2(x)) \ne \textbf{f}_2(x) \), we note that the maximal number of zeros of \(\textbf{w}\) is at most \( \frac{n}{2} = k \) since \(\textbf{f}_1(x_s) + a_s \textbf{f}_2(x_s) = 0\) implies that \(\textbf{f}_1(x_s) + b_s \textbf{f}_2(x_s) \ne 0\), and vice versa. Thus, \(\delta \ge n - k = k \) in this case. \(\square \)

Example 1

Let \(\textsf{k}={\text {GF}}(101)\), choose a pair of polynomials (u(x), v(x)) with \({\text {GCD}}(u(x),\) \(u'(x),v(x))=1\), for instance \((u(x),v(x))= (x^{11} + 1, x^6 + 1)\), and consider the function

$$\begin{aligned} \Psi (x,y)=\frac{y+v(x)}{u(x)}=\frac{y+x^6+1}{x^{11}+1}. \end{aligned}$$

Choose five pairs \((x_s, y_s)\) such that \(x_r\ne x_l\) whenever \(r\ne l\), such that \(u(x_s)\ne 0\) for any index s, for instance (15, 45), (53, 48), (58, 10), (64, 13), (80, 2). Evaluating the functions \(\left\{ 1, x, x^2, \Psi (x,y),x\Psi (x,y)\right\} \) on the ten points \( (15, \pm 45)\), \( (53, \pm 48)\), \( (80, \pm 2)\), \( (58, \pm 10)\), \( (64, \pm 13)\), one obtains a matrix

$$\begin{aligned} G:= \begin{pmatrix} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 \\ 15 &{} 15 &{} 53 &{} 53 &{} 80 &{} 80 &{} 58 &{} 58 &{} 64 &{} 64 \\ 23 &{} 23 &{} 82 &{} 82 &{} 37 &{} 37 &{} 31 &{} 31 &{} 56 &{} 56 \\ 73 &{} 41 &{} 35 &{} 92 &{} 1 &{} 45 &{} 99 &{} 71 &{} 48 &{} 21 \\ 85 &{} 9 &{} 37 &{} 28 &{} 80 &{} 65 &{} 86 &{} 78 &{} 42 &{} 31 \end{pmatrix} \end{aligned}$$

which, by the above Corollary 3, is a generating matrix of a linear code \(\mathcal {C}\) over \({\text {GF}}(101)\), having minimal distance \(\delta \ge 5\). Furthermore, since all the \(5 \times 5\) minors of G can be checked to have full rank, the code \(\mathcal {C}\) is [10, 5, 6] MDS code.

In order to give the equation of a hyperelliptic curve \(\mathcal {H}\) realizing the above code as an algebraic geometric code, defined by \(D={\text {div}}(u(x),v(x))+15\Omega \) (following the proof of Theorem 2) by evaluating the functions in \(\mathcal {L}(D)\) on the above five points \((x_s, y_s)\), we note that the genus g of \(\mathcal {H}\) must be equal at least to the degree of u(x). With g equal to the degree of u(x), hence with the degree of \(\mathcal {H}\) equal to 23, we need eight further points, because \(\mathcal {H}\) passes through the five points \((x_s, y_s)\) and through the eleven points (in the affine plane) of the support of \({\text {div}}(u(x),v(x))\). Choose arbitrarily eight pairs \((x_s, y_s)\) (now with \(s=6,\dots ,13\)) such that \( u(x_s) \ne 0 \) and \(x_i \ne x_j \) for all \( 1 \le i < j \le 13 \), for instance (48, 80), (58, 91), (64, 88), (89, 16), (95, 33), (53, 4), (51, 85), (71, 35).

With this choice, the curve \(\mathcal {H}\) defined by the equation

$$\begin{aligned} y^2=v^2(x)-c(x)u(x), \end{aligned}$$

where c(x) is the polynomial such that

$$\begin{aligned} c(x_s)=\frac{{v(x_s)}^2 - y_s^2}{u(x_s)}, \end{aligned}$$

for \(s=1,\dots , 13\), has degree 23, passes through the 13 points \((x_s, y_s)\) and the eleven points (in the affine plane) of the support of \({\text {div}}(u(x),v(x))\), thus realizing the [10, 5, 6] code as the algebraic geometric code defined by \(\mathcal {L}(D)\) and the ten points \((x_s,\pm y_s)\), for \(s=1,\dots ,5\).