In mathematics and computer science, the binary Goppa code is an error-correcting code that belongs to the class of general Goppa codes originally described by Valerii Denisovich Goppa, but the binary structure gives it several mathematical advantages over non-binary variants, also providing a better fit for common usage in computers and telecommunication. Binary Goppa codes have interesting properties suitable for cryptography in McEliece-like cryptosystems and similar setups.
g(x)
t
GF(2m)
L1,...,Ln
n
GF(2m)
g
Codewords belong to the kernel of the syndrome function, forming a subspace of
\{0,1\}n
\Gamma(g,L)=\left\{c\in\{0,1\}n\vert
| n | |
| \sum | |
| i=1 |
| ci | |
| x-Li |
\equiv0\bmodg(x)\right\}
The code defined by a tuple
(g,L)
n-mt
2t+1
n-mt
n
\left\lfloor
| (2t+1)-1 | |
| 2 |
\right\rfloor
H
H=VD=\begin{pmatrix} 1&1&1& … &
| 1 | |
| 1\\ L | |
| 1 |
&
| 1 | |
| L | |
| 2 |
&
| 1 | |
| L | |
| 3 |
& … &
| 2 | |
| L | |
| 1 |
&
| 2 | |
| L | |
| 2 |
&
| 2 | |
| L | |
| 3 |
& … &
| 2\\ \vdots | |
| L | |
| n |
&\vdots&\vdots&\ddots&\vdots
| t-1 | |
| \\ L | |
| 1 |
&
| t-1 | |
| L | |
| 2 |
&
| t-1 | |
| L | |
| 3 |
& … &
| t-1 | ||
| L | \end{pmatrix} \begin{pmatrix} | |
| n |
| 1 | |
| g(L1) |
&&&&\\ &
| 1 | |
| g(L2) |
&&&\\ &&
| 1 | |
| g(L3) |
&&\\ &&&\ddots&\\ &&&&
| 1 | |
| g(Ln) |
\end{pmatrix}
V
D
t/2
For practical purposes, parity-check matrix of a binary Goppa code is usually converted to a more computer-friendly binary form by a trace construction, that converts the
t
n
GF(2m)
mt
n
GF(2m)
m
Decoding of binary Goppa codes is traditionally done by Patterson algorithm, which gives good error-correcting capability (it corrects all
t
Patterson algorithm converts a syndrome to a vector of errors. The syndrome of a binary word
c=(c1,...,cn)
s(x)\equiv
| n | |
| \sum | |
| i=1 |
| ci | |
| x-Li |
\modg(x)
Alternative form of a parity-check matrix based on formula for
s(x)
The algorithm then computes
v(x)\equiv\sqrt{s(x)-1-x}\modg(x)
s(x)\equiv0
v(x)
a(x)
b(x)
a(x)\equivb(x) ⋅ v(x)\modg(x)
\deg(a)\leq\lfloort/2\rfloor
\deg(b)\leq\lfloor(t-1)/2\rfloor
Finally, the error locator polynomial is computed as
\sigma(x)=a(x)2+x ⋅ b(x)2
If the original codeword was decodable and the
e=(e1,...,en)
\sigma(x)=
| n | |
| \prod | |
| i=1 |
ei(x-Li)
Factoring or evaluating all roots of
\sigma(x)
Binary Goppa codes viewed as a special case of Goppa codes have the interesting property that they correct full
\deg(g)
\deg(g)/2
Because of the high error correction capacity compared to code rate and form of parity-check matrix (which is usually hardly distinguishable from a random binary matrix of full rank), the binary Goppa codes are used in several post-quantum cryptosystems, notably McEliece cryptosystem and Niederreiter cryptosystem.