Moderate-density parity-check codes from projective bundles

New constructions for moderate-density parity-check (MDPC) codes using finite geometry are proposed. We design a parity-check matrix for the main family of binary codes as the concatenation of two matrices: the incidence matrix between points and lines of the Desarguesian projective plane and the incidence matrix between points and ovals of a projective bundle. A projective bundle is a special collection of ovals which pairwise meet in a unique point. We determine the minimum distance and the dimension of these codes, and we show that they have a natural quasi-cyclic structure. We consider alternative constructions based on an incidence matrix of a Desarguesian projective plane and compare their error-correction performance with regards to a modification of Gallager’s bit-flipping decoding algorithm. In this setting, our codes have the best possible error-correction performance after one round of bit-flipping decoding given the parameters of the code’s parity-check matrix.


Introduction
The close interplay between coding theory and finite geometry has emerged multiple times in the last 60 years, starting from the works of Prange [24] and Rudolph [28], where they proposed to construct linear codes starting from projective planes.Their idea was to use the incidence matrix of the plane as a generator matrix or as a parity-check matrix of a linear code, showing that the underlying geometry can be translated in metric properties of the corresponding codes.Generalizations of these constructions have been studied since the 70's and are still subject of active research (see [1]).The relations between these two research areas had also a strong impact in the opposite direction.The most striking example is certainly the non-existence proof of a finite projective plane of order 10 shown in [18].This groundbreaking result came -with the help of a computer -after that a series of papers analyzed the binary linear code coming from a putative projective plane of order 10.
A very important class of codes which was sensibly influenced by geometric constructions is given by low-density parity-check (LDPC) codes, which were introduced by Gallager in his 1962 seminal paper [5].LDPC codes, as originally proposed, are binary linear codes with a very sparse parity-check matrix.This sparsity property is the bedrock of efficient decoding algorithms.Already Gallager provided two of such algorithms whose decoding complexity is linear in the block length.However, LDPC codes came to fame much later, when in 2001 Richardson, Shokrollahi and Urbanke [26] were able to show that LDPC codes are capable to approach Shannon capacity in a practical manner.Above authors derived this result using random constructions of very large and sparse parity-check matrices.Because of these random constructions the performance of the codes was only guaranteed with high probability and there was also the practical disadvantage that the storage of a particular parity-check matrix required a lot of storage space.
There are several design parameters one wants to optimize when constructing LDPC codes.On the side of guaranteeing that the distance is reasonably large, it was realized early that it is desirable that the girth of the associated Tanner graph is large as well.This last property helps to avoid decoding failures in many decoding algorithms.Thus, in order to guarantee that an LDPC code had desirable design parameters, such as a large distance or a large girth of the associated Tanner graph, some explicit constructions were needed.Already in 1982 Margulis [20] used group theoretic methods to construct a bipartite Cayley graph whose girth was large.This line of research was extended by Rosenthal and Vontobel [27] using some explicit constructions of Ramanujan graphs, which have exceptional large girth.
Maybe the first time objects from finite geometry were used to construct explicitly some good LDPC codes was in the work of Kou, Lin and Fossorier [17].These authors gave four different constructions using affine and projective geometries over finite fields which did guarantee that the resulting code had a good distance and the associated Tanner graph had a girth of at least 6.Using points and lines in F m q Kim, Peled, Perepelitsa, Pless and Friedland [16] came up with incidence matrices representing excellent LDPC codes.In the last 15 years there has been active research to come up with further explicit constructions of LDPC codes with desirable parameters based on combinatorial structures [10,17,19,33,32].
Moderate-density parity-check (MDPC) codes were first introduced by Ouzan and Be'ery [22].Misoczki, Tillich, Sendrier and Barreto [21] showed that MDPC codes could still be decoded with low complexity as long as the row-weight of each row vector of the parity-check matrix was not much more than the square root of the length of the code.These authors also showed that MDPC codes are highly interesting for the use in the area of code based cryptography.Similar as for LDPC codes, it is an important task to come up with explicit constructions of MDPC codes where e.g. a good minimum distance can be guaranteed.Already Ouzan and Be'ery [22] provided a construction using cyclotomic cosets.Further constructions using quasi-cyclic codes can be found in [9,21].This paper adds another dowel to the theory of error-correcting codes arising from geometric objects.We propose a new construction of linear codes using projective bundles in a Desarguesian projective plane, resulting in a family of MDPC codes.Concretely, a projective bundle in a projective plane of order q is a collection of q 2 + q + 1 ovals which mutually intersect in a unique point.We consider the incidence structure consisting of the lines of a projective plane together with the ovals of a projective bundle.The incidence matrix of this structure will serve as a parity-check matrix of the proposed binary codes.We completely determine their dimension and minimum distance for both q even and odd.In addition, we observe that we can design these codes to possess a quasi-cyclic structure of index 2.As a consequence, their encoding can be achieved in linear time and implemented with linear feedback shift registers.Moreover, also the storage space required is only half their length.
The main motivation arises from [31], where the error-correction capability of the bitflipping decoding algorithm on the parity-check matrix of an MDPC code was analyzed.There, it was derived that its performance is inversely proportional to the maximum column intersection of the parity-check matrix, which is the maximum number of positions of ones that two distinct columns share.We show indeed that the maximum column intersection of the derived parity-check matrices is the smallest possible for the chosen parameters, implying in turn the best possible performance of the bit-flipping algorithm.
The paper is organized as follows: Section 2 consists of the coding theory background needed in the paper.In particular, we introduce the family of MDPC codes and we recall the result on the performance of the bit-flipping algorithm presented in [31], which was decisive for the idea of this construction.In Section 3 we give a brief overview on projective planes, studying the basic properties of codes arising from them.Section 4 is dedicated to the new proposed MDPC design using projective bundles.Here, we study some of the code properties and we determine its dimension and minimum distance.The paper is based on the master's thesis of the first author [3] and in this section we extend the results which were originally stated there.Finally, the goal of Section 5 is to generalize the results stated in Section 4 in order to have more flexibility in the choice of the parameters.This is done by using several projective bundles instead of only one.

Coding Theory and Moderate Density Parity-Check Codes
Let us start by briefly recalling some basics of coding theory.Throughout the paper q will always be a prime power, and we will denote the finite field with q elements by F q .The set of vectors of length n over F q will be denoted by F n q .We consider the Hamming weight on F n q defined as It is well-known that it induces a metric, namely the Hamming distance which is given by Definition 2.1.A q-ary linear code C of length n and dimension dim(C) = k is a kdimensional linear subspace of F n q endowed with the Hamming metric.The minimum distance of C is the minimum among all the possible weights of the non-zero codewords and it is denoted by d(C), i.e.
A q-ary linear code of length n and dimension k will be denoted for brevity by [n, k] q code, or by [n, k, d] q code if the minimum distance d is known.
Any [n, k] q code C has a dual code which is defined as A generator matrix of an [n, k] q code C is a matrix G ∈ F k×n q whose rows form a basis of C. A generator matrix H ∈ F (n−k)×n q for the dual code C ⊥ is called a parity-check matrix of C. Note that C can also be represented by a parity-check matrix H, since it corresponds to its right kernel, i.e.
A matrix A ∈ F r×s q is said to have row-weight w, for some nonnegative integer w, if every row of A has Hamming weight equal to w.Similarly, we say that A has column-weight v, if each of its columns has Hamming weight v.
In the following we will focus on the family of moderate density parity-check (MDPC) codes.They are an extension of the well-known low density parity-check (LDPC) codes, and they are defined by the row-weight of a parity-check matrix.The terminology was first introduced in [22], and then these codes were reintroduced and further generalized in [21] MDPC codes have been constructed in various ways.In their seminal paper [22], Ouzan and Be'ery designed cyclic MDPC codes carefully choosing the idempotent generator of the dual code.This structure has been generalized in order to design quasi-cyclic MDPC codes (see e.g.[9,21]).A different approach has been proposed in [31], where a random model is considered.
In the definition of an MDPC code the chosen parity-check matrix is very important.Indeed, as for LDPC codes, an MDPC code automatically comes together with a decoding algorithm -for instance the bit-flipping algorithm -whose performance depends on the chosen parity-check matrix.Thus, in order to study the error-correction performance, we introduce the following quantity.Definition 2.3.Let H be a binary matrix.The maximum column intersection is the maximal cardinality of the intersection of the supports of any pair of distinct columns of H.
The following result was found by Tillich in 2018 (for more details and the proof see [31]).It states the amount of errors that can be corrected within one round of the bitflipping decoding algorithm.
Theorem 2.4.Let C be an MDPC code of type (v, w) with parity-check matrix H. Let s H denote the maximum column intersection of H. Performing one round of the bit-flipping decoding algorithm with respect to H, we can correct all errors of weight at most ⌊ v 2•s H ⌋.
It hence follows that, the smaller s H , the more errors can be corrected after one round of the bit-flipping decoding algorithm.A random construction would yield an asymptotic value for s H .We would like to design MDPC codes in such a way that s H is as small as possible and, more importantly, that s H is deterministic.

MDPC codes from Projective Planes
The projective plane PG(2, q) is a point-line geometry constructed from a three-dimensional vector space V over F q .Its points and lines are the one-and two-dimensional subspaces of V respectively and the containment relation in V defines the incidence relation of the plane.It has q 2 + q + 1 points and equally many lines.The geometry satisfies the following properties: 1. any two distinct points are incident with exactly one common line; 2. any two distinct lines are incident with exactly one common point; 3. there are four points such that no three of them are collinear.
This means that PG(2, q) can also be regarded as a symmetric 2-(q 2 + q + 1, q + 1, 1)design, where the lines correspond to the blocks.Moreover, every line in PG(2, q) is incident with q + 1 points and dually, every point is incident with q + 1 lines.One way to represent PG(2, q) is by an incidence matrix.This is a matrix A whose rows and columns are indexed by points and lines respectively such that Here we describe an alternative way to represent the projective plane PG(2, q).We can identify the set of points with the integers modulo q 2 + q + 1.For the description of the lines, we will follow the instruction presented by Hirschfeld in [8, p77-p79].Let us therefore introduce the following set.
Example 3.2.For instance, consider r = 2.One can show that the set D = {0, 1, 3} of r + 1 = 3 integers is indeed a perfect difference set, since any two differences between two distinct elements are pairwise disjoint modulo r 2 + r + 1 = 7.
Hirschfeld showed in [8, Theorem 4.2.2 and its Corollary] that the set of lines of PG(2, q) is fully described by the circulant shifts modulo q 2 + q + 1 of a perfect difference set of q + 1 elements.In this way we obtain a circulant incidence matrix in which the support of the first column is D. In order to illustrate this, consider the Fano plane PG(2, 2) consisting of seven points and lines.We have seen, that the points will be identified with the integers modulo q 2 +q+1 = 7.
For the set of lines we will use the cyclic shifts (modulo 7) of the set D = {0, 1, 3}, which we have seen is in fact a perfect difference set.Explicitly, we obtain the following set of points P and set of lines L P = {0, 1, 2, 3, 4, 5, 6}, The defining properties of projective planes have made them a good source of errorcorrecting codes by taking their incidence matrices as the parity-check matrix, as was done already in the late 1950s, cf.[24] or [28].Definition 3.3.Let H be an incidence matrix of Π = PG(2, q) over the binary finite field F 2 .We define the code in Codes from planes have been intensively studied and many properties have been derived thanks to the underlying geometric structure.Among the most relevant properties, Graham and MacWilliams [7] completely determined the dimension of the codes C p (Π) ⊥ over F p and their minimum distance when p = 2 was determined by Assmus and Key [1].
Here we state the two results, restricting ourselves only to the case p = 2.
The first part just follows from the observation that if A is the incidence matrix of a projective plane of order q, then by definition where I is the identity matrix and J the all-one matrix of size q 2 + q + 1.
From Theorem 3.4 we can see that binary codes from PG(2, q) are only interesting whenever q is even.Moreover, one can see that the incidence matrix of Π has constant row and column weight equal to q + 1 which is O( q 2 + q + 1).Hence, codes from projective planes are very special examples of MDPC codes.With the aid of Theorem 2.4, we can show that one round of the bit-flipping algorithm on these codes permits to decode up to half the minimum distance with no failure probability, for any projective plane.Theorem 3.5.Let Π be a projective plane of even order and H its incidence matrix, which is the parity-check matrix of the code C 2 (Π) ⊥ .After performing one round of bit-flipping on H we can correct any error of weight up to Proof.Since a projective plane is in particular a symmetric 2-(q 2 + q + 1, q + 1, 1)-design, then the maximum column intersection of H is 1.Moreover, the matrix H is of type (q + 1, q + 1).Hence, applying Theorem 2.4, we obtain that one round of the bit-flipping algorithm corrects every error of weight at most ⌊ d−1 2 ⌋.Theorem 3.5 shows that codes from planes are really powerful, and have the best performance according to Theorem 2.4, for a given matrix of type (q + 1, q + 1) and size (q 2 + q + 1) × (q 2 + q + 1).However, we can only construct codes from projective planes of even order, resulting in [2 2h + 2 h + 1, 2 2h − 3 h + 2 h , 2 h + 2] 2 codes.This lack of choice of the parameters motivated many variation on this construction.In the last 50 years, many codes have been constructed based on underlying geometric objects: Euclidean and projective geometries over finite fields [4,30,17], linear representation of Desarguesian projective planes [23], (semi-)partial geometries [14,32], generalized quadrangles [33,15], generalized polygons [19], Ramanujan graphs [20,27], q-regular bipartite graphs from point line geometries [16] and other incidence structures coming from combinatorial designs [12,11,13,10].
For the same reason, we propose a new construction of (families of) MDPC codes based on a suitable system of conics in a Desarguesian projective plane that behaves itself like a projective plane.This is encapsulated in the concept of projective bundles, which we define in the following section.

MDPC codes from Projective Bundles
In this section we present the new MDPC codes using projective bundles by constructing its parity-check matrix.We start off by introducing the relevant geometrical objects, which are ovals and projective bundles in PG(2, q).Definition 4.1.An oval in PG(2, q) is a set of q + 1 points, such that every line intersects it in at most two points.
The classical example of an oval is a non-degenerate conic, i.e. the locus of an irreducible homogeneous quadratic equation.When q is odd, Segre's seminal result [29] shows that the converse is also true: every oval is a conic.Definition 4.2.A line in PG(2, q) is skew, tangent or secant to a given oval if it intersects it in zero, one or two points respectively.
We recall some properties of ovals which were first recorded by Qvist [25].We include the proof as it will be relevant later.Lemma 4.3.An oval in PG(2, q) has q + 1 tangent lines, one in each point.
• If q is odd, every point not on the oval is incident with zero or two tangent lines.
• If q is even, then all tangent lines are concurrent.
Proof.Consider a point on the oval.Then there are q lines through this point intersecting the oval in one more point.This means that one line remains, which is necessarily a tangent line, hence proving the first part of the lemma.Now suppose that q is odd and consider a point on a tangent line, not on the oval.As q + 1 is even, this point is incident with an odd number of tangent lines more.Since the point is arbitrary, and there are q + 1 tangent lines, this implies that every point on the tangent line (but not on the oval) is incident with exactly two tangent lines.
When q is even, we consider a point on a secant line, but not on the oval and proceed in a similar fashion as before: q − 1 is odd, so this point is incident with an odd number of tangents.Since this point is arbitrary, and there are q + 1 tangent lines, this implies that every point on the secant line is incident with exactly one tangent line.Therefore the intersection point of two tangent lines is necessarily the intersection of all tangent lines.When q is even, one can add the point of concurrency of the tangent lines, which is called the nucleus, to the oval to obtain a set of q + 2 points that has zero or two points in common with every line.This leads us to the following definition.Definition 4.4.A hyperoval is set of q + 2 points in PG(2, q) such that every line has zero or two points in common.A dual hyperoval is a set of q + 2 lines such that every point is incident with zero or two lines.
We will encounter these objects again later on.We are now in the position to define projective bundles.Definition 4.5.A projective bundle is a collection of q 2 + q + 1 ovals of PG(2, q) mutually intersecting in a unique point.
Projective bundles were introduced by Glynn in his Ph.D. thesis [6] under the name 'packings of (q + 1)-arcs'.The original definition is a bit more general and applies to any projective plane instead of just PG(2, q).Since the only known projective bundles exist in PG(2, q), it suffices for our purposes to restrict ourselves to this case.
It follows from the definition that one can consider the points of PG(2, q) and the ovals of a projective bundle as the points and lines of a projective plane of order q.We can then define the notion of secant, tangent and skew ovals (which belong to the projective bundle) with respect to a line.Moreover, one can interchange the role of lines and ovals in the proof of 4.3 and find the following statement, which we record for convenience.Lemma 4.6.Given a projective bundle, a line in PG(2, q) has q + 1 tangent ovals, one in each point.
• If q is even, then all tangent ovals are concurrent.
• If q is odd, every point not on the line is incident with zero or two tangent ovals.
When q is even, we can similarly as before define a hyperoval of ovals as a set of q + 2 ovals such that every point is contained in zero or two of them.
An interesting property of projective bundles is that a third projective plane can be found.This result is due to Glynn [6, Theorem 1.1.1]and served as the motivation for projective bundles: to possibly find new projective planes from known ones.Theorem 4.7.Consider the ovals of a projective bundle and the lines of PG(2, q) as points and lines respectively, with incidence defined by tangency.Then this point-line geometry is a projective plane of order q.
We can rephrase this in terms of incidence matrices.As follows: if A and B are the point-line incidence matrices of the PG(2, q) and the projective plane whose lines are the ovals of a projective bundle, then AB ⊤ (mod 2) is again the incidence matrix of a projective plane.However, for q even this idea to construct new projective planes does not work, since then all three projective planes are isomorphic [6, Corollary 1.1.1].
Glynn showed that projective bundles indeed exist for any q, and his examples are all bundles of conics.When q is odd, he showed the existence of three distinct types of projective bundles in PG(2, q), by identifying them with planes in PG(5, q).It was shown in [2] that perfect difference sets can also be used to describe these projective bundles.In fact, given a perfect difference set D ⊆ Z/(q 2 + q + 1)Z and its circular shifts corresponding to the set of lines of PG(2, q), the three bundles are represented in the following way.
1. Cirumscribed bundle: set of all circular shifts of −D.

2.
Inscribed bundle: set of all circular shifts of 2D.

3.
Self-polar bundle: set of all circular shifts of D/2.
We are now going to construct the parity-check matrix as mentioned at the beginning of this section.Let us denote the projective plane formed by the points and lines of PG(2, q) by Π and the one formed by the points and the ovals of a projective bundle of PG(2, q) by Γ .Then define where A and B are the incidence matrices of Π and Γ respectively.Hence, we obtain a (q 2 +q +1)×2(q 2 +q +1) binary matrix defined by the points, lines and ovals of a projective bundle of PG(2, q).Definition 4.8.A binary linear code with parity-check matrix H given in ( 1) is called a projective bundle code and we will denote it by Clearly, the matrix H given in (1) has constant row-weight w = 2(q + 1) and constant column-weight v = q + 1.Hence, C 2 (Π ⊔ Γ ) ⊥ is an MDPC code of length n = 2(q 2 + q + 1) and type (q + 1, 2(q + 1)).
Remark 4.9.The family of MDPC codes that we are considering is built upon a paritycheck matrix as in (1).In such a matrix the number of columns is twice the number of rows and this coincides with the setting originally studied in [21].
Example 4.10.Let us give a short example of a projective bundle code for a relatively small parameter q = 3.Hence, we consider the projective plane PG(2, 3).Recall, that the set of points P is given by the set of integers modulo q 2 + q + 1 = 13.The set of lines L is defined by the image of a perfect difference set D of four integers under repeated application of the Singer cycle S(i) = i + 1.It is easy to verify that D = {0, 1, 3, 9} is a perfect difference set, i.e.
At this point, let us choose an inscribed bundle B I in PG(2, 3).As shown above, this bundle is represented by the cyclic shifts of 2D = {0, 2, 5, 6}.Hence, we obtain Concatenating the two corresponding incidence matrices A and B yields the desired paritycheck matrix , where the zero entries in the parity-check matrix are represented by dots.
Remark 4.11.Observe that the matrix H defined in (1) can be constructed from a perfect difference set D, by taking the circular shifts of D and sD, with s ∈ {−1, 2, 2 −1 }.Such a matrix has a double circulant structure.Thus, the resulting code C 2 (Π ⊔ Γ ) ⊥ is quasi-cyclic of index 2, and encoding can be achieved in linear time and implemented with linear feedback shift registers.Furthermore, we can also deduce -because of the circular structure -that the number of bits required to describe the parity check matrix is about half the block length.It would even be less if one compresses the data.
In the following subsections we will analyse the dimension, minimum distance and errorcorrection performance with respect to the bit-flipping decoding algorithm of C 2 (Π ⊔ Γ ) ⊥ .

Dimension
Recall from Theorem 3.4 that a p-ary code C p (Π) from a projective plane Π ∼ = PG(2, q), is either trivial of codimension 1 -when p ∤ q -or it is non-trivial to determine its dimension -when p | q.In our case, the structure of our code allows to both have a non-trivial code and to determine the exact dimension for all q.To do so, recall that if A is the incidence matrix of a projective plane of order q, then where J is the all-one matrix of appropriate size.
Using this result we are able to state the dimension of C 2 (Π ⊔ Γ ) ⊥ .
Proposition 4.12.Let Π be a projective plane of order q and let Γ be a projective bundle in Π.Then, Proof.In order to determine the dimension of the code, we need to compute the rank of a parity-check matrix H = ( A | B ). Since H is of size (q 2 + q + 1) × 2(q 2 + q + 1), we can already say that the rank of H is at most q 2 + q + 1.Now we consider the two cases.Case I: q odd.We know from Theorem 3.4 that rk(A) = q 2 + q, which gives us the lower bound rk(H) ≥ rk(A) = q 2 + q.
The matrix H has full rank q 2 +q +1 if and only if there exists no element in the left-kernel, i.e. if there is no non-zero vector x ∈ F q 2 +q+1 2 such that xH = 0. (2) However, if x is the all-one vector then Equation ( 2) is satisfied.Hence, there is an element in the cokernel which implies that H cannot have full rank and we conclude that dim C 2 (Π ⊔ Γ ) ⊥ = q 2 + q + 2.
Case II: q even.In this case, we consider the matrix By Theorem 4.7 and the discussion below, A ⊤ B = C is again the incidence matrix of PG(2, q), and hence the sum of all its rows/columns is equal to the all one vector.Therefore, by doing row operations on H ⊤ H, we obtain the matrix which has the same rank as H ⊤ H. Hence, where the last inequality comes from the fact that J has rank 1, and the rank satisfies the triangle inequality.On the other hand, we have that the all one vector is in the column spaces of both A and B, showing that rk(H) ≤ rk(A) + rk(B) − 1.Since A, B and A ⊤ B are all incidence matrices of a Desarguesian plane, they all have the same rank.Therefore, combining the two inequalities, we obtain and using Theorem 3.4, we can conclude that We can thus already say that C 2 (Π ⊔ Γ ) ⊥ is a [2(q 2 + q + 1), q 2 + q + 2] 2 MDPC code of type (q + 1, 2q + 1).

Minimum Distance
As mentioned earlier, we are interested in the error-correction capability.A relevant quantity to give information about error-correction and also error-detection is the minimum distance of a linear code.
In the following we will determine the exact value of the minimum distance of C 2 (Π ⊔ Γ ) ⊥ .An important observation for the proof is that geometrically, the support of a codeword of C 2 (Π ⊔ Γ ) ⊥ corresponds to a set of lines and ovals such that every point of PG(2, q) is covered an even number of times.
Theorem 4.13.The minimum distance of C 2 (Π ⊔ Γ ) ⊥ is q + 2 and the supports of the minimum weight codewords can be characterized, depending on the parity of q.For q odd, the support of a minimum weight codeword is • an oval and its q + 1 tangent lines, or • a line and its q + 1 tangent ovals.
On the other hand for q even, we find that the support of a minimum weight codeword is • a hyperoval of ovals.
Proof.Take a codeword of minimum weight in C 2 (Π ⊔ Γ ) ⊥ and consider its support.This is a set of r lines L and s ovals O such that every point in PG(2, q) is incident with an even number of these elements.We will show that r + s ≥ q + 2 and equality only holds for the two examples stated.
Let a i , 0 ≤ i ≤ 2q + 2, be the number of points that are covered i times, then we can double count the tuples (P ), (P, E 1 ), (P, E 1 , E 2 ), where P is a point and E 1 , E 2 ∈ L ∪ O are lines or ovals incident with this point.Remark that by assumption a i = 0 whenever i is odd.We find the following three expressions: where the last inequality follows as a line and oval intersect in at most two points.From these equations, we can find 2q+2 i=0 i(i− 2)a i ≤ (r + s)(r + s − q − 2) and hence r + s ≥ q + 2, as the sum on the left-hand side has only non-negative terms.Moreover, in the case of equality, a i = 0 whenever i / ∈ {0, 2}.Now consider a codeword of weight r + s = q + 2, consisting of r lines L and s ovals O.We will investigate the cases q odd and even separately and show the characterisation.Case I: q odd.Since q + 2 is odd and hence one of r or s is, we can suppose without loss of generality that r is odd.The argument works the same when s is odd, by interchanging the roles of lines and ovals.
Consider a line not in L. Then this line is intersected an odd number of times by the r lines in L. Therefore, it should be tangent to an odd number of ovals in O, recalling that every point is incident with zero or two elements from L ∪ O.In particular, any line not in L is tangent to at least one oval in O.So count the N pairs (ℓ, c), where ℓ is a line not in L, c ∈ O and |ℓ ∩ O| = 1.By the previous observation, it follows that q 2 + q + 1 − r = q 2 − 1 + s ≤ N .On the other hand, a oval has q + 1 tangent lines so that N ≤ s(q + 1).Combining these two leads to s ≥ q, which implies that r = 1 and s = q + 1. Remark that this argument only depends on r being odd.
If o ∈ O is one of these q + 1 ovals, we see that the other q ovals intersect O in q distinct points, as no point is incident with more than two elements from L ∪ O.This immediately implies that the unique line in L must be tangent to o.As O was arbitrary, we conclude that the support of the codeword consists of one line and q + 1 ovals tangent to it.By Lemma 4.6 this indeed gives rise to a codeword, as every point not on the line is incident with zero or two ovals.Case II: q even.The situation is slightly different.Since q + 2 is even now, either r and s are both odd, or both even.When r is odd, we can reuse the argument from before to find the configuration of q + 1 ovals tangent to a line.However, by Lemma 4.6 we know that these q + 1 ovals are all incident with a unique point, which is hence covered q + 1 times, a contradiction.
So suppose that r and s are even.Any line in L is intersected by the r − 1 other lines in L, leaving q + 1 − (r − 1) points to be covered by the ovals in O, which is an even number.We see that we must have an even number of tangent ovals to this line.Similarly for a line not in L, we observe that it is intersected an even number of times by the r lines in L and hence it should have an even number of intersections with the ovals in O, leading again to an even number of tangent ovals.In summary, every line in PG(2, q) is incident with an even number of tangent ovals.Now, by Lemma 4.6 and the fact that every point is covered zero or twice by the elements of O ∪ L, it follows that every line in PG(2, q) is incident with zero or two tangent ovals.So suppose that s > 0, meaning we have at least one oval in O and consider its q + 1 tangent lines.Then each of these lines should have one more tangent oval, and all of these are distinct by Corollary 4.7, which means we find s = q + 2 ovals forming a hyperoval of ovals.If s = 0, we find a dual hyperoval, concluding the theorem.

Error-Correction Capability
It is well-known that the minimum distance of a code gives information about the decoding radius.This means that it reveals an upper bound on the amount of errors that can be always detected and corrected.
We would like to focus in this subsection here on the performance of the constructed MDPC code C 2 (Π ⊔ Γ ) ⊥ within one round of the bit-flipping decoding algorithm.We now adapt and apply Theorem 2.4 to the parity-check matrix H of C 2 (Π ⊔ Γ ) ⊥ given in (1).
Proposition 4.14.The intersection number of the matrix H defined in (1) is s H = 2. Thus, after performing one round of the bit-flipping algorithm on H we can correct all the errors of weight at most ⌊ q+1 4 ⌋ in the code C 2 (Π ⊔ Γ ) ⊥ .Proof.From the construction of H we have that H consists of two matrices A and B which are the incidence matrices of points and lines and points and ovals of a projective bundle in PG(2, q), respectively.Clearly, both matrices A and B have a maximum column intersection equal to 1 as two distinct lines in a projective plane intersect in exactly one point and a similar property holds for every pair of distinct ovals of a projective bundle by definition.Since every line intersects an oval in at most 2 points, the maximum column intersection of the matrix H is at most 2. On the other hand, if we consider any two distinct points on an oval in the projective bundle, there always exists a line passing through them.Hence, s H = 2.The second part of the statement then follows directly from Theorem 2.4.Remark 4.15.Observe that s H = 1 for a parity-check matrix of size (q 2 + q + 1) × c and column weight q + 1 implies c ≤ q 2 + q + 1. this can be seen by counting the tuples {(x, y, B) | x, y ∈ B} in two ways.Thus, the value s H = 2 is the best possible for c > q 2 + q + 1.Furthermore, compared to a random construction of MDPC code, our design guarantees a deterministic error-correction performance for one round of the bit-flipping decoding algorithm.In particular, for the random model proposed in [31] it was proved that the expected value of s H is O( log n log log n ).Hence, our construction guarantees an errorcorrection capability of the bit-flipping algorithm which improves the random construction by a factor O( log n log log n ).
Additionally, we have implemented the parity-check matrix our MDPC-design as well as one round of the bit-flipping decoding algorithm.We were interested if we could correct even more errors than the number guaranteed in Proposition 4.14.Since the bitflipping decoding algorithm is only dependent on the syndrome and not on the actual chosen codeword, we took the all-zero codeword and added a pseudo-random error-vector of a fixed weight wt(e) ≥ ⌊ q+1 4 ⌋.We have generated 10 5 distinct error vectors.Each of these error vectors then was used to run one round of the bit-flipping decoding algorithm for all the three different families of MDPC-codes that we have constructed.It turned out that all the three types of our constructed code showed exactly the same error-correction performance.Finally, we have computed the probability of successful error-correction for the parameters q ∈ {5,  1 shows that the probability to correct even more errors grows as we increase q.This is due to the fact, that for small q we reach the unique decoding radius much faster.Remark 4. 16.In [31] the author analyzed also the error-correction performance after two rounds of the bit-flipping decoding algorithm.More precisely he estimated the probability that one round of the algorithm corrects enough errors so that in the second round all remaining errors will be correctable.Following the notation of that paper, let us denote by S the number of errors left after one round of the bit-flipping algorithm.Assuming that we have an MDPC code of length n and of type (v, w), where both v and w are of order Θ( √ n), the probability that S is at least a certain value t ′ satisfies the following inequality: where t = Θ( √ n) is the initial amount of errors that were introduced.
We have seen in Proposition 4.14, that performing one round of the bit-flipping algorithm to a parity-check matrix H of C 2 (Π ⊔ Γ ) ⊥ we can correct ⌊ q+1 4 ⌋ errors.Therefore, a second round of the bit-flipping is able to correct completely if after one round there are no more than ⌊ q+1 4 ⌋ errors left.Applying (6) for t ′ = ⌊ q+1 4 ⌋ to the parity-check matrix H of C 2 (Π ⊔ Γ ) ⊥ given in (1), we obtain that we can successfully correct every error of weight t = Θ( √ n) after two rounds of the bit-flipping decoding algorithm with probability e −Ω(n) .

Generalizations
Since our aim is to have more flexibility in the parameters, here we generalize the approach of Section 4, by considering several disjoint projective bundles.Let t > 1 be a positive integer and let us fix a Desarguesian projective plane Π = PG(2, q).Let Γ 1 , . . ., Γ t be disjoint1 projective bundles of conics in Π.Since we want s H to be low, we cannot take projective bundles of ovals in general, as for example two ovals in PG(2, q), q even, could intersect in up to q points: take any oval, add the nucleus and delete another point to find a second oval intersecting it in q points.In Proposition 5.3 we will see that by choosing conics, we find s H = 4.
Let us denote by A the incidence matrix of Π and by B i the incidence matrix of the projective bundle Γ i , for each i ∈ {1, . . ., t}.We then glue together all these matrices and consider the code C 2 (Π ⊔ Γ 1 ⊔ . . .⊔ Γ t ) ⊥ to be the binary linear code whose parity-check matrix is As already discussed, it is important to specify which parity-check matrix of a code we consider when we study the decoding properties, since the bit-flipping algorithm depends on the choice of the parity-check matrix.
We focus now on the parameters on the constructed codes.We first start with a result on the dimension of the code C 2 (Π ⊔ Γ 1 ⊔ . . .⊔ Γ t ) ⊥ Proposition 5.1.Let Π = PG(2, q) be a Desarguesian projective plane of order q and let Γ 1 , . . ., Γ t be a projective bundles in Π.Then, Proof.The proof goes as for Proposition 4.12.
Case I: q odd.We know from Theorem 3.4 that rk(A) = q 2 + q, which gives us the lower bound rk(H q,t ) ≥ rk(A) = q 2 + q.
Case I: q even.Let us write q = 2 h .In this case, we have that the all one vector belongs to the column spaces of each matrix B i .Therefore, Thus, we obtain where the last equality comes from Theorem 3.4.
Also in this general case we can study the minimum distance of the code C 2 (Π ⊔ Γ 1 ⊔ . ..⊔Γ t ) ⊥ , generalizing the result on the minimum distance obtained when t = 1 in Theorem 4.13.However, this time we are only able to give a lower bound.
Proof.The proof goes in a similar way as the one of Theorem 4.13.Take a codeword of minimum weight in C 2 (Π ⊔ Γ 1 ⊔ . . .⊔ Γ t ) ⊥ and consider its support.This is a set L of r lines and a set O i of s i ovals for each i ∈ {1, . . ., t} such that every point in PG(2, q) is incident with an even number of these elements.We will show that r + s 1 + . . .+ s t ≥ q+2 2 .Let a i , 0 ≤ i ≤ 2q + 2, be the number of points that are covered i times, then we can double count the tuples (P ), (P, E 1 ), (P, E 1 , E 2 ), where P is a point and E 1 , E 2 ∈ L ∪ O 1 ∪ . . .∪ O t are lines or ovals incident with this point.Remark that by assumption a i = 0 whenever i is odd.We find the following three expressions: as two conics intersect in at most 4 points by Bézout's theorem.Subtracting ( 9) from ( 10) we obtain One can easily check that this last quantity is in turn at most As a direct consequence of Proposition 5.2 we have that in principle it should be possible to correct at least q 4 errors in the code C 2 (Π ⊔ Γ 1 ⊔ . . .⊔ Γ t ) ⊥ when q is even, and at least q+1 4 when q is odd.However, also in this case, when running one round of the bit-flipping algorithm on the matrix H q,t given in (7), we only correct a smaller fraction of them, as the following result shows.
Proposition 5.3.The intersection number of the matrix H q,t defined in (7) is at most 4. Thus, after performing one round of the bit-flipping algorithm on H q,t we can correct all the errors of weight at most ⌊ q+1 8 ⌋ in the code C 2 (Π ⊔ Γ 1 ⊔ . . .⊔ Γ t ) ⊥ .Proof.The maximum column intersection is given by the maximum number of points lying in the intersection of elements in Π ⊔ Γ 1 ⊔ . . .⊔ Γ t .Each pair of lines intersects in exactly a point, and the same holds for every pair of conics belonging to the same projective bundle, since each projective bundle is itself (ismorphic to) a projective plane.Moreover, every line intersects a conic in at most two points, and we have already seen that each pair of conics meets in at most 4 points.Hence, the maximum column intersection of H q,t is at most 4. The second part of the statement directly follows from Theorem 2.4.
Remark 5.4.At this point it is natural to ask whether it is possible to construct disjoint projective bundles, and -if so -how many of them we can have.It is shown in [2, Theorem 2.2] that one can always find (q − 1) disjoint projective bundles when q is even, and q 2 (q−1) 2 of them when q is odd.We want to remark that this is not a restriction, since we still want that our codes C 2 (Π ⊔ Γ 1 ⊔ . . .⊔ Γ t ) ⊥ (together with the parity-check matrices H q,t of the form (7)) give rise to a family of MDPC codes.Thus, we are typically interested in family of codes where t is a constant and does not grow with q.
Remark 5.5.This construction provides a better performance of (one round of) the bit-flipping algorithm compared to the one run on random constructions of MDPC codes explained in [31].As already explained in Remark 4.15, the random construction of MDPC codes provides in average MDPC codes whose maximum column intersection is O( log n log log n ), and thus one round of bit-flipping algorithm corrects errors of weight at most O( √ n log log n log n ) in these random codes.Hence, also the generalized constructions of codes from projective bundles have asymptotically better performance in terms of the bit-flipping algorithm.

Conclusion
In this paper we proposed a new construction of a family of moderate density parity-check codes arising from geometric objects.Starting from a Desarguesian projective plane Π of order q and a projective bundle Γ in Π, we constructed a binary linear code whose paritycheck matrix is obtained by concatenating the incidence matrices of Π and Γ .We observed that we can construct these two matrices taking the circular shifts of two perfect difference sets modulo (q 2 + q + 1), providing a natural structure as a quasi-cyclic code of index 2. Hence, the storage complexity is linear in the length and the encoding can be achieved in linear time using linear feedback shift registers.Furthermore, the underlying geometry of Γ and Π allowed us to study the metric properties of the corresponding code, and we could determine its exact dimension and minimum distance.We then analyzed the performance of the bit-flipping algorithm showing that it outperforms asymptotically the one of the random construction of codes obtained in [31].We then generalized the construction of this family of codes by concatenating the incidence matrices of several disjoint projective bundles living in the Desarguesian projective plane Π.In this case we were still able to provide lower bounds on the parameters of the obtained codes exploiting their geometric properties.Nevertheless, we could still show that one round of the bit-flipping algorithm has the best asymptotic performance in terms of error-correction capability for the given parameters of the defining parity-check matrix.
for cryptographic purposes.Let {C i } be a family of binary linear codes of length n i with parity-check matrix H i .If H i has row weight O( √ n i ), {C i } is called a (family of) moderate density parity-check (MDPC) code.If, in addition, the weight of every column of H i is a constant v i and the weight of every row of the H i is a constant w i we say the MDPC code is of type