A Short Course On Error-Correcting Codes: Mario Blaum C All Rights Reserved
Mario Blaum
Copyright 2009
All Rights Reserved
Chapter 1
1.1 Introduction
When digital data are transmitted over a noisy channel, it is important to have a mechanism
allowing recovery against a limited number of errors. Normally, a user string of 0’s and
1’s, called bits, is encoded by adding a number of redundant bits to it. When the receiver
attempts to reconstruct the original message sent, it starts by examining a possibly corrupted
version of the encoded message, and then makes a decision. This process is called the
The set of all possible encoded messages is called an error-correcting code. The field was
started in the late 40’s by the work of Shannon and Hamming, and since then thousands of
papers on the subject have been published. There are also several very good books touching
different aspects of error-correcting codes [1, 2, 3, 5, 6, 7, 9, 13, 11, 12, 15, 16, 18, 19, 21, 22,
25, 26, 27, 28, 29, 30, 31, 33, 34, 35, 36, 37, 38]. Programs implementing different codes can
be found in [4].
The purpose of this course is giving an introduction to the theory and practice of error-
correcting codes.
Unless otherwise stated, we will assume that our information symbols are bits, i.e., 0 and 1.
The set {0, 1} has a field structure under the exclusive-OR (⊕) and product operations. We
denote this field GF (2), which means Galois field of order 2.
Roughly, there are two types of error-correcting codes: codes of block type and codes of
convolutional type. Codes of block type encode a fixed number of bits, say k bits, into a vector
of length n. So, the information string is divided into blocks of k bits each. Convolutional
codes take the string of information bits globally and slide a window over the data in order
to encode. A certain amount of memory is needed by the encoder.
In this course, we concentrate on block codes.
As said above, we encode k information bits into n bits. So, we have a 1-1 function f ,
Definition 1.1.1 Given two vectors of length n, say a and b, we call the Hamming distance
between a and b the number of coordinates in which they differ (notation, dH (a, b)).
Given a code C of length n and dimension k, let
It is easy to verify that dH (a, b) verifies the axioms of distance (Problem 1.1.1), i.e.,
We call a sphere of radius r and center a the set of vectors that are at distance at most r
from a.
The relation between d and the maximum number of errors that code C can correct is given
by the following lemma:
Lemma 1.1.1 The maximum number of errors that an [n, k, d] code can correct is ⌊ d−1
where ⌊x⌋ denotes the largest integer smaller or equal than x.
Proof: Assume that vector a was transmitted but a possibly corrupted version of a, say r,
was received. Moreover, assume that no more than ⌊ d−1 2
⌋ errors have occurred.
Consider the set of 2k spheres of radius ⌊ d−12
⌋ whose centers are the codewords in C. By
the definition of d, all these spheres are disjoint. Hence, r belongs to one and only one
sphere: the one whose center is codeword a. So, the decoder looks for the sphere in which r
belongs, and outputs the center of that sphere as the decoded vector. As we see, whenever
the number of errors is at most ⌊ d−1
⌋, this procedure will give the correct answer.
Moreover, ⌊(d − 1)/2⌋ is the maximum number of errors that the code can correct. For let
a, b ∈ C such that dH (a, b) = d. Let u be a vector such that dH (a, u) = 1 + ⌊(d − 1)/2⌋
and dH (b, u) = d − 1 − ⌊(d − 1)/2⌋. We easily verify that dH (b, u) ≤ dH (a, u), so, if a is
transmitted and u is received (i.e., 1 + ⌊(d − 1)/2⌋ errors have occurred), the decoder cannot
decide that the transmitted codeword was a, since codeword b is at least as close to u as a.✷
Example 1.1.1 Consider the following 1-1 relationship between GF (2)2 and GF (2)5 defin-
ing the encoding:
00 ↔ 00000
10 ↔ 00111
01 ↔ 11100
11 ↔ 11011
The 4 codewords in GF (2)5 constitute a [5, 2, 3] code C. From Lemma 1.1.1, C can correct
1 error.
For instance, assume that we receive the word r = 10100. The decoder looks into the 4
spheres of radius 1 (each sphere has 6 elements!) around each codeword. In effect, the
sphere with center 11100 consists of the center and of the 5 words at distance 1 from such
center: 01100, 10100, 11000, 11110 and 11101. Notice that r belongs in the sphere with
center 11100.
If we look at the table above, the final output of the decoder is the information block 01.
However, let’s assume that the transmitted codeword was 00000, and two errors occur such
that the received word is 00101. We can see that this received word belongs in the sphere
with center the codeword 00111, so it will be erroneously decoded. This happens because
the number of errors has exceeded the maximum allowed by the error-correcting capability
of the code. ✷
Example 1.1.1 shows that the decoder has to make at most 24 checks before arriving to the
correct decision. When large codes are involved, as is the case in applications, this decoding
procedure is not practical, since it amounts to an exhaustive search over a huge set of vectors.
A large part of this course will be devoted to finding codes with efficient decoding procedures.
One of the goals in the theory of error-correcting codes is finding codes with high rate
and minimum distance as large as possible. The possibility of finding codes with the right
properties is often limited by bounds that constrain the choice of parameters n, k and d. We
give some of these bounds in the next section.
Let us point out that error-correcting codes can be used for detection instead of correction
of errors. The simplest example of an error-detecting code is given by a parity code: a parity
is added to a string of bits in such a way that the total number of bits is even (a more
sophisticated way of saying this, is that the sum modulo-2 of the bits has to be 0). For
example, 0100 is encoded as 01001. If an error occurs, or, more generally, an odd number
of errors, these errors will be detected since the sum modulo 2 of the received bits will be 1.
Notice that 2 errors will be undetected. In general, if an [n, k, d] code is used for detection
only, the decoder checks whether the received vector is in the code or not. If it is not, then
errors are detected. It is easy to see that an [n, k, d] code can detect up to d − 1 errors.
Also, we can choose to correct less than ⌊ d−1
⌋ errors, say s errors, by taking disjoint spheres
of radius s around codewords, and using the remaining capacity to detect errors. In other
words, we want to correct up to s errors or detect up to s + t errors when more than s errors
occur. The relation between s, t and the minimum distance d is given in Problem 1.1.2.
Another application of error-correcting codes is in erasure correction. An erased bit is a bit
that cannot be read, so the decoder has to decide if it was a 0 or a 1. An erasure is normally
denoted with the symbol ?. For instance, 01?0 means that we cannot read the third symbol.
Obviously, it is easier to correct erasures than to correct errors, since in the case of erasures
we already know the location, we simply have to find what the erased bit was. It is not
hard to prove that an [n, k, d] code can correct up to d − 1 erasures. We may also want to
simultaneously correct errors and erasures. This situation is treated in Problem 1.1.3, which
gives the number of errors and erasures that a code with minimum distance d can correct.
In fact, both Problems 1.1.2 and 1.1.3 can be viewed as generalizations of Lemma 1.1.1.
1.1.1 Prove that the Hamming distance dH satisfies the axioms of distance.
1.1.2 Let C be a code with minimum distance d and let s and t be two numbers such that
2s + t ≤ d − 1. Prove that C can correct up to s errors or detect up to s + t errors when
more than s errors occurred.
1.1.3 Prove that a code C with minimum distance d can correct s errors together with t
erasures whenever 2s + t ≤ d − 1
Problem 1.1.1
Let a = (a1 , a2 , . . . , an ), b = (b1 , b2 , . . . , bn ) and c = (c1 , c2 , . . . , cn ). It is clear that dH (a, b) =
0 if and only if a = b and that dH (a, b) = dH (b, a). So, it remains to be proved the triangle
dH (a, c) = |S(a, c)| ≤ |S(a, b)| + |S(b, c)| = dH (a, b) + dH (b, c).
Problem 1.1.2
Consider the spheres with radius s and the codewords of C as centers. These spheres are
disjoint, hence, when s or fewer errors occur, they will be corrected (see Lemma 1.1.1).
Assume that u ∈ C is transmitted and l errors occurred, where s + 1 ≤ l ≤ s + t. Let r be
the received vector. Since dH (u, r) > s, r is not in the sphere with center u and radius s.
Assume that r is in the sphere with center v and radius s, for some v ∈ C, v 6= u. In this
case, we would have incorrect decoding and the l errors would be undetected. But
Problem 1.1.3
Let u be the transmitted codeword and r the received word. Let T be the set of erased
locations and S be the set of locations in error; hence |T | = t and |S| = s. Assume that r is
decoded as a codeword v 6= u, where v has suffered at most s′ = ⌊(d − 1 − t)/2⌋ errors in a
set of locations S ′ . Hence, u and v may differ only in the set of erasures T and in the error
sets S and S ′ . Hence,
1. 0 ∈ C.
2. ∀ a, b ∈ C, a⊕b ∈ C.
The symbol 0 denotes the all-zero vector. In general, we denote vectors with underlined
letters, otherwise letters denote scalars.
In Section 1.1, we assumed that a code had 2k elements, k being the dimension. However,
we can define a code of length n as any subset of GF (2)n . To a large extent, this course is
about picking out the right subset of GF (2)n to form codes with a rich structure.
There are many interesting combinatorial questions regarding non-linear codes. Probably,
the most important question is the following: given the length n and the minimum distance
d, what is the maximum number of codewords that a code can have? For more about non-
linear codes, the reader is referred to [21]. From now on, when we say code, we assume that
the code is linear (unless otherwise stated). Linear codes are in general easier to encode and
decode than their non-linear counterparts, hence they are more suitable for implementation
in applications.
In order to find the minimum distance of a linear code, it is enough to find its minimum
weight. We say that the (Hamming) weight of a vector u is the distance between u and
the zero vector. In other words, the weight of u, denoted wH (u), is the number of non-zero
coordinates of the vector u. The minimum weight of a code is the minimum between all the
weights of the non-zero codewords. The proof of the following lemma is left as a problem.
Lemma 1.2.1 Let C be a linear [n, k, d] code. Then, the minimum distance and the mini-
mum weight of C are the same.
Next, we introduce two important matrices that define a linear error-correcting code. Since
a code C is now a subspace, the dimension k of C is the cardinality of a basis of C. We
denote by [n, k, d], as in the previous section, a code of length n, dimension k and minimum
distance d. We say that a k × n matrix G is a generator matrix of a code C if the rows of
G are a basis of C. Given a generator matrix, the encoding process is simple. Explicitly, let
u be an information vector of length k and G a k × n generator matrix, then u is encoded
into the n-vector v given by
v = u G. (1.1)
Notice that, although a code may have many generator matrices, the encoding depends on
the particular matrix chosen, according to Equation (1.1). We say that G is a systematic
generator matrix if G can be written as
G = (Ik |V ), (1.2)
where Ik is the k × k identity matrix and V is a k × (n − k) matrix. A systematic generator
matrix has the following advantage: given an information vector u of length k, the encoding
given by (1.1) outputs a codeword (u, w), where w has length n − k. In other words, a
systematic encoder adds n − k redundant bits to the k information bits, so information
and redundancy are clearly separated. This also simplifies the decoding process, since, after
decoding, the redundant bits are simply discarded. For that reason, most encoders used in
applications are systematic.
A permutation of the columns of a generator matrix gives a new generator matrix defining
a new code. The codewords of the new code are permutations of the coordinates of the
codewords of the original code. We then say that the two codes are equivalent. Notice that
equivalent codes have the same distance properties, so their error correcting capabilities are
exactly the same.
By permuting the columns of the generator matrix in Example 1.2.1, we obtain the following
generator matrix G′ :
′ 1 0 0 1 1
G = (1.3)
0 1 1 1 0
The matrix G′ defines a systematic encoder for a code that is equivalent to the one given in
Example 1.1.1. For instance, the information vector 11 is encoded into 11 101.
In fact, by row operations and column permutations, any generator matrix can be trans-
formed into a systematic generator matrix, so it is always possible to find a systematic
encoder for a linear code. However, when we permute columns, we obtain an equivalent
code to the original one, not the original code itself. If we want to obtain exactly the same
code, only row operations are allowed in order to obtain a systematic generator matrix.
The second important matrix related to a code is the so called parity check matrix. We say
that an (n − k) × n matrix H is a parity check matrix of an [n, k] code C if and only if, for
any c ∈ C,
c H T = 0, (1.4)
where H T denotes the transpose of matrix H and 0 is a zero vector of length n − k. We say
that the parity check matrix H is in systematic form if
H = (W |In−k ), (1.5)
where In−k is the (n − k) × (n − k) identity matrix and W is an (n − k) × k matrix.
Given a systematic generator matrix G of a code C, it is easy to find the systematic parity
check matrix H (and conversely). Explicitly, if G is given by (1.2), H is given by
H = (V T |In−k ) (1.6)
We leave the proof of this fact to the reader.
For example, the systematic parity check matrix of the code whose systematic generator
matrix is given by (1.3), is
0 1 1 0 0
H= 1 1 0 1 0
1 0 0 0 1
We state now an important property of parity check matrices.
Lemma 1.2.2 Let C be a linear [n, k, d] code and H a parity-check matrix. Then, any d − 1
columns of H are linearly independent.
Proof: Numerate the columns of H from 0 to n − 1. Assume that columns 0 ≤ i1 < i2 <
. . . < im ≤ n − 1 are linearly dependent, where m ≤ d − 1. Without loss of generality, we
may assume that the sum of these columns is equal to the column vector zero. Let v be a
vector of length n whose non-zero coordinates are in locations i1 , i2 , . . . , im . Then, we have
v H T = 0,
hence v is in C. But v has weight m ≤ d − 1, contradicting the fact that C has minimum
distance d. ✷
Corollary 1.2.1 For any linear [n, k, d] code, the minimum distance d is the smallest number
m such that there is a subset of m linearly dependent columns.
d ≤ n − k + 1.
Codes meeting the Singleton bound are called Maximum Distance Separable (MDS). In fact,
except for trivial cases, binary codes are not MDS (Problem 1.2.4). In order to obtain MDS
codes, we will define codes over larger fields, like the so called Reed Solomon codes, to be
described later in the course.
We also give a second bound relating the redundancy and the minimum distance of an
[n, k, d] code: the so called Hamming or volume bound. Let us denote by V (r) the number
of elements in a sphere of radius r whose center is an element in GF (2)n . It is easy to verify
X n
V (r) = . (1.8)
i=0 i
We then have:
Proof: Notice that the 2k spheres with the 2k codewords as centers and radius ⌊(d − 1)/2⌋
are disjoint. The total number of vectors contained in these spheres is 2k V (⌊(d − 1)/2⌋).
This number has to be smaller than or equal to the total number of vectors in the space, i.e.,
A perfect code is a code for which Inequality (1.9) is in effect equality. Geometrically, a
perfect code is a code for which the 2k spheres of radius ⌊(d − 1)/2⌋ and the codewords as
centers cover the whole space.
There are not many perfect codes. In the binary case, the only non-trivial linear perfect
codes are the Hamming codes and the [23, 12, 7] Golay code, to be presented later in this
chapter. However, the proof of this fact is beyond the scope of this course. We refer the
interested reader to [19].
1.2.2 Prove that if G is a systematic generator matrix of a code given by (1.2), then a
systematic parity check matrix of the code is given by (1.6).
1.2.3 Let C 1 be the code formed by all the vectors of length n and even weight and C 2 be
the code whose only codewords are the all-zero and the all-1 vectors (also of length n). Find
the minimum distance and systematic generator and parity check matrices for both C 1 and
1.2.4 Find all binary linear MDS codes. Prove your statement.
1.2.5 Let C be an [n, k] code with parity check matrix H. Let C ′ be a code obtained by
adding a parity check bit to every codeword of C. C ′ is called an extended C code. In
particular, notice that if C is an [n, k, 2t + 1] code, then C ′ is an [n + 1, k, 2t + 2] code.
Find a parity check matrix H ′ for C ′ as a function of H.
Problem 1.2.1
Let w be the minimum weight of C. In particular, d ≤ w.
Assume that u, v ∈ GF (2)n . Claim: dH (u, v) = wH (u ⊕ v). In effect, let ui and vi be the
i-th coordinates in u and v respectively. If ui = vi , then ui ⊕ vi = 0, otherwise ui ⊕ vi = 1.
So, the number of coordinates in which u ⊕ v is 1 coincides with the number of coordinates
in which u and v differ, hence, the claim follows.
Now, assume that u, v ∈ C and dH (u, v) = d. Since C is linear, u ⊕ v ∈ C. By the claim
above, wH (u ⊕ v) = d, hence, w ≥ d. This completes the proof.
Problem 1.2.2
Since the rows of G form a basis of the code, it is enough to prove that the rows of G and
the rows of H are orthogonal. In other words, we have to prove that
GH T = 0k×(n−k)
Problem 1.2.3
Clearly, C 1 and C 2 are linear codes, so it is enough to find the minimum weight in both.
Since all codewords have even weight, the minimum weight of C 1 is 2, while C 2 has only one
non-zero codeword, hence its minimum weight is n.
Since exactly half of the vectors in GF (2)n have even weight, C 1 has dimension n − 1, i.e.,
C 1 is an [n, n − 1, 2] code. A systematic generator matrix for C 1 is given by
1 0 0 ... 0 1
0 1 0 ... 0 1
G1 =
0 0 1 ... 0 1
= (In−1 |(1n−1 )T ),
.. .. .. .. .. ..
. . . . . .
0 0 0 ... 1 1
where 1n−1 denotes an all-1 vector of length n − 1. A systematic parity check matrix is given
by H1 = 1n , 1n the all-1 vector of length n.
For C 2 , the roles are reversed. We verify immediately that C 2 is an [n, 1, n] code. A systematic
generator matrix for C 2 is given by G2 = H1 and a systematic parity check matrix by
H 2 = G1 .
C 1 and C 2 are duals of each other, i.e., C1 = C2⊥ . C 1 is called the parity-check code of length
n and C 2 the repetition code of length n.
Problem 1.2.4
Let us find all the binary MDS codes of length n. From the previous problem, we see that
both the [n, n − 1, 2] even weight code and the [n, 1, n] repetition code are MDS. Also, the
whole space GF (2)n is an [n, n, 1] code, hence it is MDS.
We claim that those are the only binary MDS codes. In effect, assume that C is an [n, k, n −
k + 1] binary code, k < n. Let G be a systematic generator matrix, i.e., G = (Ik |V ), V a
k × (n − k) matrix. Since d = n − k + 1, in particular, each row in G has weight ≥ n − k + 1,
hence, V is an all-1 matrix. If n − k = 1, we obtain the generator matrix corresponding to
the even weight code, so assume that n − k > 1. In particular, d = n − k + 1 > 2.
If k = 1, we obtain the generator matrix corresponding to the repetition code, so assume
also that k > 1. Let g 1 and g 2 be the first and second rows in G respectively, then,
g 1 ⊕ g 2 = (11, 0n−2 ) ∈ C.
But this codeword has weight 2, contradicting the fact that the minimum distance is greater
than 2.
Problem 1.2.5
Let H be an (n − k) × k parity-check matrix for C, then a parity check matrix for C ′ is given
by the (n + 1 − k) × (n + 1) matrix
0 !
H ..
H|(0n−k )T
H = . = .
11 ... 1
In effect, if u ∈ C ′ , notice that, in particular, the first n bits of u are in C, so its inner product
with any of the first n − k rows of H ′ will be zero. Finally, since the exclusive-OR of all the
bits in u is zero, this is equivalent to say that its inner product with the all-1 vector is zero.
s = rH T . (1.11)
Notice that, if no errors occurred, the syndrome of r is the zero vector. The syndrome,
however, tells us more than a vector being in the code or not. Say, as before, that u was
transmitted and r was received, where r = u⊕e, e an error vector. Notice that,
s = rH T = (u⊕e)H T = uH T ⊕eH T = eH T ,
since u is in C. Hence, the syndrome does not depend on the received vector but on the
error vector. In the next lemma, we show that to every error vector of weight ≤ (d − 1)/2
corresponds a unique syndrome.
Lemma 1.3.1 Let C be a linear [n, k, d] code with parity check matrix H. Then, there is a
1-1 correspondence between errors of weight ≤ (d − 1)/2 and syndromes.
Proof: Let e1 and e2 be two distinct error vectors of weight ≤ (d − 1)/2 with syndromes
s1 = e1 H T and s2 = e2 H T . If s1 = s2 , then s = (e1 ⊕e2 )H T = s1 ⊕s2 = 0, hence e1 ⊕e2 ∈ C.
But e1 ⊕e2 has weight ≤ d − 1, a contradiction. ✷
Lemma 1.3.1 gives the key for a decoding method that is more efficient than exhaustive
search. We can construct a table with the 1-1 correspondence between syndromes and error
patterns of weight ≤ (d − 1)/2 and decode by look-up table. In other words, given a received
vector, we first find its syndrome and then we look in the table to which error pattern it
corresponds. Once we obtain the error pattern, we add it to the received vector, retrieving
the original information. This procedure may be efficient for small codes, but it is still too
complex for large codes.
Example 1.3.1 Consider the code whose parity matrix H is given by (1.7). We have seen
that this is a [5, 2, 3] code. We have 6 error patterns of weight ≤ 1. The 1-1 correspondence
between these error patterns and the syndromes, can be immediately verified to be
00000 ↔ 000
10000 ↔ 011
01000 ↔ 110
00100 ↔ 100
00010 ↔ 010
00001 ↔ 001
For instance, assume that we receive the vector r = 10111. We obtain the syndrome s =
rH T = 100. Looking at the table above, we see that this syndrome corresponds to the error
pattern e = 00100. Adding this error pattern to the received vector, we conclude that the
transmitted vector was r⊕e = 10011. ✷
We say that a coset of a code C is a set of elements v ⊕ C, where v is any vector. Notice that
if v and w are in the same coset, then v ⊕ w is in the code. Also, if v and w are in the same
coset, then v ⊕ C = w ⊕ C. Cosets are disjoint and the union of all of them gives a partition
of the space GF (2)n . We prove these facts in the Problems.
Lemma 1.3.2 Let C be a linear [n, k, d] code, then, there is a 1-1 onto correspondence
between cosets and syndromes.
Proof: Observe that all elements in the same coset have the same syndrome. Assume that
the elements u and v have the same syndrome s; then u ⊕ v is in C, hence, u and v are in
the same coset, showing that to every coset correponds a unique syndrome.
Conversely, let H be a systematic parity check matrix of C as in (1.5). Given a syndrome s,
the vector (0, s) has syndrome s, where 0 is a zero vector of length k. Hence, to s corresponds
the coset defined by (0, s), which is unique.
Let us give another proof using linear algebra. Let f : GF (2)n →GF (2)n−k , f (v) = vH T .
By the definition of H, ker(f ) = C. Hence, n = dim(ker(f )) + dim(f (GF (2)n )) = k +
dim(f (GF (2)n)), i.e., dim(f (GF (2)n )) = n − k and f is onto. ✷
In each coset, an element of minimum weight is called a coset leader. If there is an element
of weight ≤ (d − 1)/2, then, by Lemma 1.3.1, this element is the coset leader and is unique.
Definition 1.3.1 A standard array of an [n, k, d] code C is a 2n−k × 2k matrix such that:
2. The entries in each row are the elements of the different cosets of C.
3. The first element in each row corresponds to a coset leader in the coset.
The next example illustrates a decoding method using the standard array of a code.
Example 1.3.2 Consider the code C with parity check matrix H given by (1.7). Below we
give the standard array of C.
message 00 01 10 11 syndrome
code 00000 01110 10011 11101 000
coset 10000 11110 00011 01101 011
coset 01000 00110 11011 10101 110
coset 00100 01010 10111 11001 100
coset 00010 01100 10001 11111 010
coset 00001 01111 10010 11100 001
coset 11000 10110 01011 00101 101
coset 10100 11010 00111 01001 111
The second row contains the code itself, while the remaining rows contain the cosets. The
first column contains the coset leaders. For convenience, we have included a first row with
the information string and a fifth column with the syndromes. As in Example 1.3.1, assume
that we want to decode the vector r = 10111. We obtain the syndrome s = rH T = 100. We
then proceed to locate vector r in the row corresponding to this syndrome in the standard
array. We can see that r is in the third entry of the row. The decoded vector is then the one
corresponding to the third entry in the code row, i.e., codeword 10011, since this codeword is
obtained by adding the received vector to the coset leader 00100, which is the error pattern.
In general, since we are only interested in the information bits, the final output of the decoder
is 10. ✷
Decoding by standard array has more conceptual than practical application. In this course
we will study some codes with more efficient decoding algorithms.
Observe that standard array decoding can be used to decode beyond the minimum distance
of the code. In general, given a v ∈ GF (2)n and C a code of length n, we say that maximum
likelihood decoding of v with respect to C is finding the closest codeword in C (in Hamming
distance) to v. This closest codeword might be at a distance that exceeds the minimum
distance of the code. Also, the closest codeword might not necessarily be unique. For
instance, consider the standard array in Example 1.3.2. If the syndrome is 101, the decoder
decides that the error is the coset leader 11000. But it could as well have decided that the
error was 00101: both possibilities are equally likely.
In general, maximum likelihood decoding is a difficult problem. Most decoding methods
decode up to the minimum distance of the code.
1.3.1 Let H be a systematic parity check matrix of a code C as given by (1.5). Assume
that C can correct up to t errors. Let r be a received vector whose syndrome s = rH T has
weight ≤ t. Prove that the only error pattern of weight ≤ t is e = (0k |s), where 0k is an all-0
vector of length k.
1.3.2 Let C be a code of length n, v any vector in GF (2)n and v ⊕ C the coset of C
corresponding to v. Prove that:
1. If w ∈ v ⊕ C, then, v ⊕ w ∈ C and v ⊕ C = w ⊕ C.
2. If w 6∈ v ⊕ C, then, v ⊕ C ∩ w ⊕ C = ∅.
1.3.3 Consider the code whose parity check matrix is given by (1.7). Do maximum likeli-
hood decoding of the vector 00111 with respect to this code. Is the answer unique? If not,
find all possible answers.
Problem 1.3.1
We can easily verify that eH T = (0k |s)H T = s. Since the code can correct up to t errors, by
Lemma 1.3.1, the syndrome is unique, so, if t or less errors have occurred, the error pattern
is given by e.
This problem is important because of the following: if we assume that the first k information
bits carry information, an error pattern given by e means that the errors occurred in the
redundant part. So, the decoder may choose to ignore the redundant bits and output the
first k bits whenever the syndrome has weight ≤ t. We use this fact in Section 1.6 when
decoding the Golay code.
Problem 1.3.2
(a) If w ∈ v ⊕ C, there is a c ∈ C such that w = v ⊕ c. Hence, w ⊕ v = c ∈ C.
Now, let w ⊕ c′ ∈ w ⊕ C. Hence, w ⊕ c′ = v ⊕ (c ⊕ c′ ) ∈ v ⊕ C, since c ⊕ c′ ∈ C. So,
w ⊕ C ⊆ v ⊕ C. Similarly, we prove v ⊕ C ⊆ w ⊕ C, completing the proof.
(b) Assume u ∈ v ⊕ C ∩ w ⊕ C. Hence, u = v ⊕ c = w ⊕ c′ , where c, c′ ∈ C. In particular,
w = v ⊕ (c ⊕ c′ ) ∈ v ⊕ C, since c ⊕ c′ ∈ C. This is a contradiction.
Problem 1.3.3
Computing the syndrome of 00111, this syndrome is 111. Looking at the standard array in
Example 1.3.2, we see that 00111 belongs in the last row. If we consider the error to be the
coset leader 10100, 00111 is decoded as 10011. However, there is another error pattern of
weight 2 in the coset, 01001. If we choose this pattern as the error vector, 00111 is decoded
as 01110. Those are the two possible solutions of maximum likelihood decoding, i.e., there
are no vectors in C at distance 1 or less from 00111, and there are exactly two vectors at
distance 2, 10011 and 01110.
Example 1.4.1 Consider the [7, 4, 3] Hamming code C with parity check matrix
0 0 0 1 1 1 1
H= 0 1 1 0 0 1 1 (1.12)
1 0 1 0 1 0 1
Assume that vector r = 1100101 is received. The syndrome is s = rH T = 001, which is the
binary representation of the number 1. Hence, the first location is in error, so the decoder
estimates that the transmitted vector was v = 0100101. ✷
We can obtain 1-error correcting codes of any length simply by shortening a Hamming code.
This procedure works as follows: assume that we want to encode k information bits into a
1-error correcting code. Let r be the smallest number such that k ≤ 2r − r − 1. Let H be
the parity-check matrix of a [2r − 1, 2r − r − 1, 3] Hamming code. Then construct a matrix
H ′ by eliminating some 2r − r − 1 − k columns from H. The code whose parity-check matrix
is H ′ is a [k + r, k, d] code with d ≥ 3, hence it can correct one error. We call it a shortened
Hamming code. For instance, the [5, 2, 3] code whose parity-check matrix is given by (1.7),
is a shortened Hamming code.
In general, if H is the parity-check matrix of a code C, H ′ is a matrix obtained by eliminating
a certain number of columns from H and C ′ is the code with parity-check matrix H ′ , we say
that C ′ is obtained by shortening C.
A [2r − 1, 2r − r − 1, 3] Hamming code can be extended to a [2r , 2r − r − 1, 4] Hamming code
by adding to each codeword a parity bit that is the exclusive-OR of the first 2r − 1 bits. The
new code is called an extended Hamming code.
1.4.2 Let
0 1 1 1 0 0
H= 1 0 1 0 1 0
1 1 0 0 0 1
be a systematic parity check matrix for a (shortened) [6, 3, 3] Hamming code. Construct the
standard array for the code. Add a row for the information symbols and a column for the
1.4.3 Find systematic generator and parity-check matrices for the extended [8, 4, 4] Ham-
ming code.
1.4.4 Given two vectors u = u0 , u1, . . . , un−1 and v = v0 , v1 , . . . , vn−1 , we say that the inner
product between u and v, denoted u · v, is the bit
u·v = ui vi .
Given a code C, we say that the dual of C, denoted C ⊥ , is the set of all vectors v such that
v · u = 0 for all u ∈ C. If v · u = 0, we say that u and v are orthogonal.
Let C be an [n, k] code with generator matrix G and parity check matrix H. Prove:
1.4.5 Let C be the [7, 4, 3] Hamming code with H in systematic form. Find C ⊥ together
with its parity check and generator matrices. What is the minimum distance of C ⊥ ?
1.4.6 We say that an [n, k] code C is self-dual if C = C ⊥ . Let G be a generator matrix of C.
Prove that C is self-dual if and only if any two (not necessarily distinct) rows of G are or-
thogonal and k = n/2. Is the [8, 4, 4] extended Hamming code self-dual (see Problem 1.4.3)?
Problem 1.4.1
Notice that, according to (1.4), V (⌊(d − 1)/2⌋) = V (1) = 1 + (2r − 1) = 2r , so, r = log2 V (1),
proving that the Hamming bound (1.9) is met with equality.
Problem 1.4.2
Using the matrix H, the standard array of the code is
message 000 001 010 100 011 101 110 111 synd
code 000000 001110 010101 100011 011011 101101 110110 111000 000
coset 000001 001111 010100 100010 011010 101100 110111 111001 001
coset 000010 001100 010111 100001 011001 101111 110100 111010 010
coset 000100 001010 010001 100111 011111 101001 110010 111100 100
coset 001000 000110 011101 101011 010011 100101 111110 110000 110
coset 010000 011110 000101 110011 001011 111101 100110 101000 101
coset 100000 101110 110101 000011 111011 001101 010110 011000 011
coset 100100 101010 110001 000111 111111 001001 010010 011100 111
The first row carries the uncoded messages, the second row the code itself and the other
rows the cosets. We write the coset leaders in the first column and the syndromes in the last
Problem 1.4.3
A (systematic) parity check matrix for the [7, 4, 3] Hamming code is given by
0 1 1 1 1 0 0
H= 1 0 1 1 0 1 0 (1.13)
1 1 0 1 0 0 1
By Problem 1.2.5, a parity check matrix for the extended [8, 4, 4] Hamming code is given by
0 1 1 1 1 0 0 0
1 0 1 1 0 1 0 0
H′ =
1 1 0 1 0 0 1 0
1 1 1 1 1 1 1 1
Replacing the last row by the exclusive-OR of the 4 rows, we obtain the following systematic
parity check matrix for the [8, 4, 4] extended Hamming code:
0 1 1 1 1 0 0 0
1 0 1 1 0 1 0 0
H ′′ =
1 1 0 1 0 0 1 0
1 1 1 0 0 0 0 1
By (1.2) and (1.6), a systematic generator matrix for the code is given by
1 0 0 0 0 1 1 1
0 1 0 0 1 0 1 1
G′′ =
0 0 1 0 1 1 0 1
0 0 0 1 1 1 1 0
Problem 1.4.4
1. Every row in H is orthogonal to every element in C, by the definition of parity check
matrix, hence, every row is in C ⊥ . Also, the n − k rows are linearly independent. If there
would be another codeword in C ⊥ that is independent from the n − k rows of H, the space
C would satisfy n − k + 1 independent linear homogeneous equations. This contradicts the
fact that C has dimension k (this argument can be seen also by taking the generator and
parity check matrices to systematic form).
So, each element in C ⊥ is generated by the rows of H, i.e., H is a generator matrix for C ⊥ .
An analogous argument may be used to show that G is a parity check matrix for C ⊥ .
2. Since H is a generator matrix for C ⊥ , then dim(C ⊥ ) = n − k.
3. Let u ∈ C. Let v be any element in C ⊥ . Hence, v ·u = 0, i.e., u ∈ (C ⊥ )⊥ . Thus, C ⊆ (C ⊥ )⊥ .
On the other hand, dim((C ⊥ )⊥ ) = n − dim(C ⊥ ) = n − (n − k) = k = dim(C).
An even easier argument, using part 1 of the problem: notice that C and (C ⊥ )⊥ have the
same generator matrix G, so they must be equal.
Problem 1.4.5
A systematic parity check matrix for the [7, 4, 3] Hamming code is given by (1.13). By (1.2)
and (1.6), a systematic generator matrix for the code is given by
1 0 0 0 0 1 1
0 1 0 0 1 0 1
G= .
0 0 1 0 1 1 0
0 0 0 1 1 1 1
By Problem 1.4.4, H is a generator matrix for C ⊥ and G is a parity check matrix. Using H,
we can find the 8 codewords in C ⊥ :
Problem 1.4.6
Assume that any two rows in G are orthogonal and dim(C) = n/2. Then, any two codewords
in C are orthogonal, since they are linear combinations of the rows of G. Hence, C ⊆ C ⊥ .
On the other hand, dim(C) = dim(C ⊥ ) = n/2, so, C = C ⊥ .
Conversely, assume that C = C ⊥ . By Problem 1.4.4, dim(C ⊥ ) = n − dim(C) = dim(C), so,
dim(C) = n/2. In particular, since any two rows in G are in C ⊥ they are orthogonal.
The [8, 4, 4] extended Hamming code is self-dual. In effect, if we consider the generator
matrix G′′ of the code given in Problem 1.4.3, we see that any two rows are orthogonal.
Since the dimension of the code is 4=8/2, the result follows.
r r0
❍ ✟✟
p ❍❍ ✟✟
p✟✟ ❍❍
✟ ❍❍r
1 ✟
r 1
Figure 1.1: BSC
For instance, if C is the [5, 2, 3] code whose standard array is given in Example 1.3.2 and
p = .01, we have, using (1.14),
Perr ≤ 0.00097.
As we can see, the two values are very close to each other.
After decoding, some symbols may be in error and some may not. A more important
parameter than Perr is the average probability of bit error after decoding, that we denote
perr .
After decoding, the output of the decoder are the k information bits. Let pi denote the
probability that bit i is in error after decoding, 0 ≤ i ≤ k − 1, then we have
1 k−1
perr = pi (1.17)
k i=0
Finding an exact expression for perr is a difficult problem in general. An analysis of the
[5, 2, 3] code with standard array given in Example 1.3.2 will illustrate this point. Once the
error is corrected, the decoder outputs the first 2 information bits, so (1.17) becomes
perr = (p0 + p1 ) (1.18)
Let us start by finding p0 . Since all codewords are equally likely to be transmitted, without
loss of generality, assume that the 0-codeword was the transmitted one. Therefore, the
error pattern will be equal to the received vector. Looking at the standard array given in
Example 1.3.2 we see that the first bit will be in error only when an error pattern in the
third or in the fourth columns of the array has occurred. In these two columns, there are 5
patterns of weight 2, 7 patterns of weight 3, 3 patterns of weight 4 and 1 pattern of weight
5. Hence,
Definition 1.5.1 Given a BSC with probability of bit error p, we say that the capacity of
the channel is
Theorem 1.5.1 (Shannon) For any ǫ > 0 and R < C(p), there is an [n, k] binary code of
rate k/n ≥ R with Perr < ǫ.
For a proof of Theorem 1.5.1 and its generalizations, the reader is referred to [8][22], or even
to Shannon’s original paper [32].
Theorem 1.5.1 has enormous theoretical importance: it shows that reliable communication
is not limited in the presence of noise, only the rate of communication is. For instance, if
p = .01 as in the examples above, the capacity of the channel is C(.01) = .9192. Hence,
there are codes of rate ≥ .9 with Perr arbitrarily small. It also tells us not to look for codes
with rate .92 making Perr arbitrarily small.
The proof of Theorem 1.5.1, though, is based on probabilistic methods and the assumption
of arbitrarily large values of n. In practical applications, n cannot be too large. The theorem
does not tell us how to construct efficient codes, it just asserts their existence. Moreover,
when we construct codes, we want them to have efficient encoding and decoding algorithms.
One of the goals of this course is exhibiting some of the most widely used codes in applications
together with their encoding and decoding procedures.
1.5.1 Let C be a perfect code. Prove that Inequality (1.14) becomes equality for C.
1.5.2 Find an exact expression for Perr when the [5, 2, 3] code with standard array given in
Example 1.3.2 is used. Calculate the value of Perr for p = .01.
1.5.3 Prove that perr < Perr when standard array decoding is used.
1.5.4 Assume that only the rows with coset leaders of weight ≤ 1 in the standard array of
Example 1.3.2 are used for decoding, while the last 2 rows are used for error detection. In
other words, if the syndrome is either 101 or 111 the decoder declares an uncorrectable error
since it knows that more than one error has occurred. We denote by Pdet the probability
that the decoder detects errors but does not correct them. With this decoding scheme, find
Perr , perr and Pdet . Calculate the value of each of these expressions for p = .01.
1.5.5 Consider the standard array of the [6, 3, 3] shortened Hamming code of Problem 1.4.2.
Assume that the last row is used for error detection only. Find exact expressions for Perr ,
perr and Pdet . Calculate the values of these expressions for p = .01.
Problem 1.5.1
Assume that C is a perfect [n, k, 2t + 1] code, then, the spheres of radius t around each
codeword cover the whole space. If t + 1 or more errors occur, then the received word
will fall into a sphere that is different to the one corresponding to the transmitted codeword.
Since the decoder outputs the center of the sphere where the received word belongs, whenever
≥ t + 1 errors occur we have incorrect decoding. Hence, Inequality (1.14) becomes equality
in this case.
Problem 1.5.2
Without loss of generality, assume that 00000 has been transmitted. Looking at the standard
array in Example 1.3.2, we see that a decoding error will occur only when the received vector
is not in the first column (which corresponds to the coset leaders). The second, third and
fourth column contain every vector of weight ≥ 2, except two. Hence, we obtain
! !
X 5 i
Perr = p (1 − p)5−i − 2p2 (1 − p)3 = 8p2 (1 − p)3 + 10p3 (1 − p)2 + 5p4 (1 − p) + p5 .
i=2 i
For p = .01, the expression above gives Perr = .00079. The reader should compare this value
with the upper bound given in (1.16).
Problem 1.5.3
Let pi be the probability that bit i is in error after decoding when a standard array for an
[n, k, ] code is used, 0 ≤ i ≤ k −1. Let pj be the maximum of these values, so, since perr is the
average of the pi ’s, perr ≤ pj . If we take a first row in the standard array for the information
symbols as in Example 1.3.2, we see that bit j will be incorrectly decoded only when the
error pattern belongs in one of the columns corresponding to an information vector for which
bit j is 1. Notice that there are exactly 2k−1 such columns, while we have incorrect decoding
occurs when the error pattern is in any of the 2k − 1 columns excluding the first one. In
particular, we have incorrect decoding when bit j is incorrectly decoded; hence pj ≤ Perr .
Notice that we have equality only when k = 1.
Problem 1.5.4
With the decoding system of this problem, incorrect decoding occurs only when the error
pattern belongs in the rows corresponding to coset leaders of weight ≤ 1 and in any column
except the first one. We see that there are 6 error patterns of weight 2, 6 error patterns of
weight 3, 5 error patterns of weight 4 and 1 error pattern of weight 5. Hence, we have
Problem 1.5.5
Using the standard array of Problem 1.4.2, a decoding error occurs when the error pattern
belongs in a column different from the first one and in a row different from the last one.
We see that there are 12 error patterns of weight 2, 16 error patterns of weight 3, 15 error
patterns of weight 4 and 6 error patterns of weight 5. So,
Similarly, the second information bit will be decoded in error only when the error pattern
belongs in the 3rd, 5th, 7th and 8th column, but not in the last row. In this case, we see
Finally, the third information bit will be decoded in error only when the error pattern belongs
in the 2nd, 5th, 6th and 8th column, but not in the last row; hence,
This gives
p0 + p1 + p2 1
perr = = 6p2 (1 − p)4 + 10p3 (1 − p)3 + 8p4 (1 − p)2 + 4p5 (1 − p) + p6 .
3 3
We detect an error when the error pattern belongs in the last row, i.e.,
H = (P | I11 ) (1.21)
1 0 1 0 0 0 1 1 1 0 1 1
1 1 0 1 0 0 0 1 1 1 0 1
0 1 1 0 1 0 0 0 1 1 1 1
1 0 1 1 0 1 0 0 0 1 1 1
1 1 0 1 1 0 1 0 0 0 1 1
P =
1 1 1 0 1 1 0 1 0 0 0 1
0 1 1 1 0 1 1 0 1 0 0 1
0 0 1 1 1 0 1 1 0 1 0 1
0 0 0 1 1 1 0 1 1 0 1 1
1 0 0 0 1 1 1 0 1 1 0 1
0 1 0 0 0 1 1 1 0 1 1 1
The matrix P has a very particular structure. Let p0 , p1 , . . . , p10 be the first 11 bits of each
row of P . Denote by ρi (v) i cyclic rotations to the right of a vector v. We observe that each
pi is a rotation to the right of the previous pi , i.e., pi = ρi (p0 ), 0 ≤ i ≤ 10.
The extended Golay code is the [24, 12] code obtained by adding a parity bit to each codeword
of the Golay code (see Problem 1.2.5). We denote by G 24 the extended Golay code. A
systematic parity check matrix for G 24 is given by
H1 = (Q | I12 ), (1.23)
where Q is the 12 × 12 matrix given by
Q= , (1.24)
111 , 0
P is given by (1.22) and 111 is the all-1 vector of length 11.
Corollary 1.6.1 Let H1 be the parity check matrix of G 24 given by (1.23). Then, H1 is also
a generator matrix of G 24 and so is
H2 = (I12 | QT ). (1.25)
Also, each codeword in G 24 has weight divisible by 4.
Proof: The claims about the parity check and generator matrices are immediate following
the fact that G 24 is self dual. The fact that every codeword has weight divisible by 4 follows
from Problem 1.6.3. ✷
The next lemma is the main result concerning the Golay code.
Lemma 1.6.2 The minimum distance of the code G 24 is 8, i.e., G 24 can correct three errors
and detect four.
Proof: According to Corollary 1.6.1, it is enough to prove that there are no codewords of
weight 4. Assume that there is a codeword of weight 4, say (u | v), where u and v have length
12. If wH (u) = 0, using the generator matrix H2 given by (1.25), u is encoded uniquely into
the zero vector, a contradiction. If wH (u) = 1, then (u | v) is a row in H2 , a contradiction
since v has weight 3 and cannot be in QT . If wH (u) = 2, then v is the sum of two rows of
QT . But v cannot have weight 2 by Problem 1.6.2.
If v has weight 1 or 0, a similar proof follows with respect to the generator matrix H1 .
This shows that there are no codewords of weight 4, so, by Corollary 1.6.1, the next possibility
is codewords of weight 8. Notice that there are codewords of weight 8. For instance any
of the first eleven rows in the generator matrix H1 is a codeword of weight 8. Hence, the
minimum distance in G 24 is 8. ✷
Corollary 1.6.2 The minimum distance of the code G 23 is 7, i.e., G 23 can correct three
Having determined that G 24 has minimum distance 8, the next step is providing a decoding
algorithm that will correct 3 errors and detect 4. There are many methods to decode the
Golay code. We give one of them.
Let u = (u1 | u2 ) be a transmitted codeword, where each part u1 and u2 has length 12. We
may assume that the first 12 bits (i.e., the vector u1 ), carry the information, while the last
12 bits (i.e., u2 ), represent the redundancy. Let r = (r 1 | r 2 ) be a possibly corrupted version
of u and e = (e1 | e2 ) be the error vector, wH (e) ≤ 4. Hence, r = u ⊕ e. The decoder is
interested in estimating the information bits only.
Assume first that wH (e) ≤ 3. If wH (e1 ) = 0, then, if we calculate the syndrome s1 = rH1T , we
see that wH (s1 ) ≤ 3. Moreover, the error pattern is exactly e = (0 | s1 ) (see Problem 1.3.1).
This means, there were no errors in the information part and the decoder outputs r 1 as an
estimate of u1 .
Similarly, if wH (e2 ) = 0, then the error vector is exactly e = (s2 | 0), where s2 = rH2T .
Hence, the decoder outputs r1 ⊕ s2 as estimate of the information bits.
So, if wH (s1 ) > 3 and wH (s2 ) > 3, then e1 6= 0 and e2 6= 0. Since wH (e) ≤ 3, then either
wH (e1 ) = 1 or wH (e2 ) = 1.
Let r(i) , 0 ≤ i ≤ 23, be the the received vector r with location i complemented.
If wH (e1 ) = 1 and location i, 0 ≤ i ≤ 11, is in error, then the syndrome s1 = r (i) H1T has
weight ≤ 2. The error vector is then (δi | s1 ), where δi denotes a vector of length 12 with a
1 in location i, 0 elsewhere. The decoder outputs r 1 ⊕ δi as an estimate of the information
bits. This operation is repeated at most 12 times in order to check if exactly one of the first
12 bits is in error.
If none of the syndromes s1 = r(i) H1T , 0 ≤ i ≤ 11, has weight ≤ 2, a similar procedure
is implemented for r (i) , 12 ≤ i ≤ 23. We now check the 12 syndromes s2 = r(i) H2T ,
12 ≤ i ≤ 23. If one of them, say i, has weight ≤ 2, then the error vector is (s2 | δi−12 ) and
the estimate of the information part is r1 ⊕ s2 .
(i) (i)
If after the 24 checks described above neither s1 nor s2 have weight ≤ 2, then the decoder
decides that 4 errors have occurred and declares an uncorrectable error.
As a result of the discussion above, we obtain the following algorithm:
Algorithm 1.6.1 (Decoding Algorithm for the Extended Golay Code) Let
r = (r1 | r 2 ) be a received word, and let s1 = rH1T and s2 = rH2T . Denote by q 0 , q 1 , . . . , q11
the rows of Q, where Q is given by (1.24), by q ′0 , q′1 , . . . , q ′11 the rows of QT , and by δi a
vector of length 12 with a 1 in location i, 0 ≤ i ≤ 11, 0 elsewhere. Then:
The Golay code was introduced for the first time in [10].
1.6.1 Prove that matrix H1 given by (1.23) is a systematic parity check matrix for G 24 .
1.6.2 Prove that the distance between any two rows (resp. columns) of Q in (1.24) is 6
and the inner product of any two distinct rows of Q is 0.
1.6.3 Prove that if C is a self dual code with generator matrix G, and each row of G has
weight divisible by 4, then every codeword in C has weight divisible by 4.
1.6.5 Decode the following vectors in (GF (2))23 with respect to G 23 (give as output only
the 12 information bits):
r = 11001110110001111011101 and r = 01001111101101111000000.
Problem 1.6.1
By Problem 1.2.5, a parity-check matrix is given by
H .. 11
P I11 .. 11
H′ = .
= .
11 . . . 1}
| {z 1 11 . . . 1} 11
| {z . . . 1}
| {z 1
23 12 11
Replacing the last row by the sum of all the rows in H , we obtain the systematic parity-check
matrix H1 .
Problem 1.6.2
Calling pi the first 11 bits of each row in P , 0 ≤ i ≤ 10, we had, pi = ρi (p0 ). Similarly, if we
denote by p′i the transpose of each of the first 11 columns in P , 0 ≤ i ≤ 10, we verify that
p′i = ρi (p′0 ).
Hence, the distance between row i, 0 ≤ i ≤ 10, of Q and row 11, is equal to dH (p0 ⊕111 )+1 =
(11 − wH (p0 )) + 1 = 6. We similarly prove that the distance between column i, 0 ≤ i ≤ 10,
of Q and column 11, is 6.
Consider now the distance between rows (resp. columns) i and j, 0 ≤ i < j ≤ 10. It is
enough to consider the distance between pi and pj (resp. p′i and p′j ), since the last bit in
these rows (resp. columns) is 1.
Notice that dH (pi , pj ) = dH (ρi (p0 ), ρj (p0 )) = dH (p0 , ρj−i (p0 )) = dH (p0 , pj−i ). Hence, it is
enough to verify that the distance between the first row of P and any other row has weight
6, which is easily done. A similar proof holds for columns (or, observe that column qi is
equal to row pi plus (0, 1, 1, . . . , 1)).
To prove that the inner product between any two rows of Q is 0, it is enough to show that
the set where any two rows is 1 is an even number. Following a procedure similar to the one
described above (essentially, by comparing any row to the first row), we see that, from rows
0 to 10, the set where both rows are 1 has cardinality 4. The set where one of the first 11
rows and row 12 are 1 has cardinality 6. Hence, the result follows.
A similar proof is valid for columns.
Problem 1.6.3
Let u and v be two orthogonal vectors whose weight is divisible by 4. Since the vectors are
orthogonal, the number of coordinates where the two vectors are 1 is an even number. Let
us call this number 2l. Hence, wH (u ⊕ v) = wH (u) + wH (v) − 4l. This number is divisible
by 4.
Now, since any two rows of G are orthogonal and their weight is divisible by 4, their sum is
also divisible by 4. In particular, the same is true for the sum of any finite number of rows
of G, i.e., for any codeword of C.
Problem 1.6.4
G 23 is a [23, 12, 7] code. According to (1.8), V (3) = 23
+ 23
+ 23
+ 233
= 2048 = 211 ,
hence, n−k = 11 = log2 V (3) = log2 V (⌊(d−1)/2⌋) and Inequality (1.9) is met with equality.
Problem 1.6.5
Let r = 110011101100 01111011101. Consider the vector r, 0 ∈ GF (2)24 . If we apply the
decoding algorithm to r, 0, we see that its syndrome is s1 = (r, 0)H1T = 111010100011. For
(1) (1)
i = 1, we see that s1 = s1 ⊕ q ′2 = 100001000000. Hence, wH (s1 ) ≤ 2, so the error in the
first 12 bits has occured in the second bit (we count from 0).
So, the output of the decoder is r 1 ⊕ δ1 = 100011101100.
Consider now r = 010011111011 01111000000. If we take the vector r, 0 as before, we can
verify that the algorithm declares an uncorrectable error (i.e., 4 errors have occurred). So,
we consider r, 1. Let s1 and s2 be the syndromes of r, 1 as defined by the algorithm. We can
see that s1 = rH1T = 110001100100 and s2 = rH2T = 011001110011. Neither of them has
weight ≤ 3. We also verify that wH (s1 ) > 2, for all 0 ≤ i ≤ 11. On the other hand, we can
(1) (1)
see that s2 = s2 ⊕ q 1 = 001000000100, hence, wH (s2 ) = 2. The output of the decoder is
r 1 ⊕ s2 = 011011111111.
Chapter 2
2.1 Introduction
In this chapter, we want to introduce the family of multiple error-correcting Reed Solomon
(RS) codes. RS codes operate not over bits, as was the case of the codes studied in the
previous chapter, but over bytes. Each byte is a vector composed by several bits. Typical
cases in magnetic and optical recording involve 8-bit bytes. In order to operate with bytes,
we need a method to multiply them. To this end, we develop the theory of finite fields. In
the previous chapter, we considered codes whose coordinates were elements of the binary
field GF (2). In this chapter the codes will have coordinates over any finite field.
polynomial of degree ≤ ν − 1 as follows: the vector a = (a0 , a1 , . . . , aν−1 ) corresponds to the
polynomial a(α) = a0 + a1 α + . . . + aν−1 αν−1 .
The goal now is to give to (GF (p))ν the structure of a field. We will denote such a field
by GF (pν ). The sum in GF (pν ) is the usual sum of vectors in (GF (p))ν . We need now to
define a product.
Let f (x) be an irreducible polynomial of degree ν whose coefficients are in GF (p). Let
a(α) and b(α) be two elements of GF (pν ). We define the product between a(α) and b(α) in
GF (pν ) as the unique polynomial c(α) of degree ≤ ν − 1 such that c(α) is congruent to the
product a(α)b(α) modulo f (α). In other words, c(α) is the residue of dividing a(α)b(α) by
f (α).
The sum and product operations defined above will give to GF (pν ) a field structure. From
now on, we denote the elements in GF (pν ) as polynomials in α of degree ≤ ν − 1 with
coefficients in GF (p). Given two polynomials a and b with coefficients in GF (p), a(α)b(α)
denotes the product in GF (pν ), while a(x)b(x) denotes the regular product of polynomials.
Notice that, in particular f (α) = 0 over GF (pν ), since f (x) ≡ 0 (mod f (x)).
So, the set GF (pν ) given by the irreducible polynomial f (x) of degree ν, is the set of polyno-
mials of degree ≤ ν − 1, where the sum operation is the regular sum of polynomials, and the
product operation is the residue of dividing by f (x) the regular product of two polynomials.
The next lemma proves that GF (pν ) is indeed a field.
Lemma 2.2.1 The set GF (pν ) defined by an irreducible polynomial f of degree ν is a field.
Proof: It is clear that the usual associative, commutative, additive inverse, existence of
0 and 1, hold for both sum and product. The only difficulty is showing the existence of
multiplicative inverse.
We have to prove that for every a(α) ∈ GF (pν ), a(α) 6= 0, there is a b(α) such that
a(α)b(α) = 1. Since f (x) is irreducible and deg(a(x)) < deg(f (x)), a(x) and f (x) are
relatively prime, i.e., gcd(a(x), f (x)) = 1. By Euclid’s algorithm for polynomials, there are
polynomials b(x) and c(x) such that
We have shown how to construct a finite field of cardinality pν : we simply take the polyno-
mials of degree ≤ ν − 1 with coefficients in GF (p) and consider them modulo an irreducible
polynomial f (x) of degree ν.
In fact, every finite field has cardinality a power of a prime (see Problem 2.2.3). Moreover,
every finite field is isomorphic to a field as described above. Given two fields F and F ′ with
zero elements 0 and 0’ and one elements 1 and 1’ respectively, we say that F and F ′ are
isomorphic if there is a 1-1 onto function g : F →F ′ preserving sums and products.
If q is a prime power, we denote by GF (q) the finite field with q elements (up to isomorphism).
Another important property of a finite field is that its non-zero elements are a cyclic group,
i.e., there is an element in the field whose powers generate all the non-zero elements. In
order to prove this, we need an auxiliary lemma.
Let G be a finite multiplicative abelian group. Consider the powers of an element a ∈ G,
say, 1 = a0 , a = a1 , a2 , . . . , al−1 , and assume that l is the first value such that al = 1. We say
that l is the order of a.
2. Assume that l is the order of a ∈ G and j divides l. Prove that aj has order l/j.
3. Assume that a has order l and n is relatively prime to l. Prove that an has order l.
We give the proof of Lemma 2.2.2 as a problem (Problem 2.2.4). We are ready now to prove
that F − {0} is cyclic for any finite field F .
Lemma 2.2.3 Let F be a finite field. Then, F − {0} is a cyclic group with respect to the
product operation.
Proof: Let m be the exponent of the multiplicative group F − {0}. We have to prove that
m = |F | − 1. Consider the polynomial xm − 1. By Lemma 2.2.2, the order of every element
in F − {0} divides m. In particular, if a ∈ F − {0}, am = 1. In other words, a is a root of
xm − 1. Since xm − 1 has at most m different roots, and every element in F − {0} is a root,
m = |F | − 1. ✷
Example 2.2.1 Let us construct the field GF (8). Consider the polynomials of degree ≤ 2
over GF (2). Let f (x) = 1 + x + x3 . Since f (x) has no roots over GF (2), it is irreducible
(notice that such an assessment can be made only for polynomials of degree 2 or 3). Let us
Vector Polynomial Power of α Logarithm
000 0 0 −∞
100 1 1 0
010 α α 1
001 α2 α2 2
110 1+α α 3
2 4
011 α+α α 4
111 1 + α + α2 α5 5
2 6
101 1+α α 6
It is often convenient to express the elements in a finite field as powers of α: when we multiply
two of them, we obtain a new power of α whose exponent is the sum of the two exponents
modulo q − 1. Explicitly, if i and j are the logarithms of two elements in GF (q), then their
product has logarithm i + j (mod(q − 1)). In the example above, if we want to multiply the
vectors 101 and 111, we first look at their logarithms. They are 6 and 5 respectively, so the
logarithm of the product is 6 + 5 (mod 7) = 4, corresponding to the vector 011.
In order to add vectors, the best way is to express them in vector form and add coordinate
to coordinate in the usual way.
2.2.3 Let F be a finite field with characteristic p. Prove that the cardinality of F is a
power of p.
2.2.5 Find all the irreducible polynomials of degree 4 over GF (2). Determine which ones
of those polynomials are primitive.
2.2.6 Using a primitive polynomial in the previous problem, construct the field GF (16) by
providing a table similar to Table 2.1.
2.2.7 Using the irreducible polynomial 2 + x + x2 over GF (3), construct the table of the
finite field GF (9). Is the polynomial primitive?
Problem 2.2.1
Assume that Zm is a field. If m is not prime, say, m = ab with a > 1 and b > 1, then
ab ≡ 0 (mod m), i.e., the product of a and b is 0 in Zm , contradicting the fact that Zm is a
Conversely, if m is prime, let a ∈ Zm , a 6= 0. We have to prove that a is invertible. Since a and
m are relatively prime in Z, there is a c and a d such that ca + dm = 1, i.e., ca ≡ 1 ( mod m).
Without loss, we can take c in Zm ; hence the product of c and a is 1 in Zm , meaning that c
is the multiplicative inverse of a.
Problem 2.2.2
Denote by ⊙ the product in F . Without loss of generality, since a = a ⊙ 1, we can
z }| {
take a = 1. We call m = 1 + 1 + · · · + 1. Since the field is finite, there is an m such
z }| {
that m = 1 + 1 + · · · + 1 = 0. Let m be the smallest such number. We claim, m is
z }| {
prime. If not, m = ab for a > 1 and b > 1. In this case, m = 1 + 1 + · · · + 1 =
a b
z }| { z }| {
1 + 1 + · · · + 1 ⊙ 1 + 1 + · · · + 1 = a ⊙ b = 0. This contradicts the fact that F is a field.
Problem 2.2.3
Let Fp be the subset of F formed by sums of 1, i.e.,
z }| {
Fp = {m : m = 1 + 1 + · · · + 1}.
Fp is a subfield of F , it is isomorphic to Zp . Consider F as a vector space over Fp . Then,
F has a certain dimension, say k, as a vector space over Fp . Hence, any element v in F can
be written uniquely as a linear combination of a basis v 1 , v2 , . . . , v k , i.e., there are unique
t1 , t2 , . . . , tk in Fp such that v = t1 v1 + t2 v2 + · · · + tk v k . There is a total of pk different linear
combinations of v 1 , v 2 , . . . , vk , so the cardinality of F is pk .
Problem 2.2.4
1. If we divide l′ by l, we obtain l′ = ql + r, where 0 ≤ r < l. Now, al = aql+r = (al )q ar =
ar = 1. Since l is the order of a, then r = 0.
2. Notice that (aj )l/j = al = 1. Now, assume that (aj )s = 1 for some s, then, ajs = 1,
and since l is the order of a, l divides js. Since j divides l, l/j divides s, proving that
l/j is the order of aj .
3. Notice that (an )l = (al )n = 1. Now, assume that (an )m = anm = 1 for some m. Then, l
divides nm, and since l and n are relatively prime, l divides m.
4. It is clear that (ab)mn = amn bmn = (am )n (bn )m = 1. We have to show now that, if there
is an l > 0 such that (ab)l = 1, then mn ≤ l. Notice that, if (ab)l = al bl = 1, then,
al = b−l . Thus, (al )n = (b−l )n = (bn )−l = 1, so aln = 1 and then, m divides ln. Since m
and n are relatively prime, m divides l. Similarly, n divides l, and since m and n are
relatively prime, mn divides l.
Problem 2.2.5
The binary polynomials of degree 4 have the form a0 + a1 x + a2 x2 + a3 x3 + x4 , where
ai ∈ GF (2). If the polynomial is irreducible, a0 = 1, if not 0 would be a root. The
polynomial 1 + x + x2 + x3 + x4 is irreducible, since it has no roots and is not the product
of two irreducible polynomials of degree 2. The only binary irreducible polynomial of degree
2 is in fact 1 + x + x2 . The square of this polynomial is 1 + x2 + x4 . The polynomials of
weight 4 cannot be irreducible, since 1 is a root of them. So, the two remaining irreducible
polynomials of degree 4 are 1 + x + x4 and 1 + x3 + x4 .
The polynomial 1 + x + x2 + x3 + x4 is not primitive. In effect, replace x by α and describe
GF (16) as polynomials in α modulo 1 + α + α2 + α3 + α4 . Notice that α5 = 1, hence, the
polynomial is not primitive. The other two polynomials are primitive. One of them is shown
in the next problem, the other one behaves similarly.
Problem 2.2.6
If we consider the primitive polynomial 1 + x + x4 , the finite field is represented by
Problem 2.2.7
The field is represented by
Theorem 2.3.1 C is an [n, k] cyclic code over GF (q) if and only if there is a (monic)
polynomial g(x) of degree n − k such that g(x) divides xn − 1 and each c(x) ∈ C is a multiple
of g(x), i.e., c(x) ∈ C if and only if c(x) = f (x)g(x), deg(f ) < k. We call g(x) a generator
polynomial of C.
Proof: Let g(x) be a monic polynomial in C such that g(x) has minimal degree. If deg(g) = 0
(i.e., g = 1), then C is the whole space (GF (q))n , so assume deg(g) ≥ 1. Let c(x) be any
element in C. We can write c(x) = f (x)g(x) + r(x), where deg(r) < deg(g). Since deg(f g) <
n, g ∈ C and C is cyclic, in particular, f (x)g(x) ∈ C. Hence, r(x) = c(x) − f (x)g(x) ∈ C. If
r 6= 0, we would contradict the fact that g(x) has minimal degree, hence, r = 0 and c(x) is
a multiple of g(x).
Similarly, we can prove that g divides xn − 1. Let xn − 1 = h(x)g(x) + r(x), where deg(r) <
deg(g). In particular, h(x)g(x) ≡ −r(x) mod (xn − 1), hence, r(x) ∈ C. Since g(x) has
minimal degree, r = 0, so g(x) divides xn − 1.
Conversely, assume that every element in C is a multiple of g(x) and g divides xn − 1. It is
immediate that the code is linear and that it has dimension k. Let c(x) ∈ C, hence, c(x) =
f (x)g(x) with deg(f ) < k. Also, since g(x) divides xn − 1, xn − 1 = h(x)g(x). Assume that
c(x) = c0 +c1 x+c2 x2 +· · ·+cn−1xn−1 , then, xc(x) ≡ cn−1 +c0 x+· · ·+cn−2 xn−1 ( mod xn −1).
We have to prove that cn−1 + c0 x + · · · + cn−2 xn−1 = q(x)g(x), where q(x) has degree ≤ k − 1.
Notice that
Theorem 2.3.1 gives a method to find all cyclic codes of length n: simply take all the (monic)
factors of xn − 1. Each one of them is the generator polynomial of a cyclic code.
Example 2.3.1 Consider the [8, 3] cyclic code over GF (3) generated by g(x) = 2 + x2 +
x3 + 2x4 + x5 . We can verify that x8 − 1 = g(x)(1 + x2 + x3 ), hence, g(x) indeed generates
a cyclic code.
In order to encode an information polynomial over GF (3) of degree ≤ 2 into a codeword,
we multiply it by g(x).
Say that we want to encode u = (2, 0, 1), which in polynomial form is u(x) = 2 + x2 . Hence,
the encoding gives c(x) = u(x)g(x) = 1 + x2 + 2x3 + 2x4 + 2x6 + x7 . In vector form, this
gives c = (1 0 1 2 2 0 2 1). ✷
The encoding method of a cyclic code with generator polynomial g is then very simple:
we multiply the information polynomial by g. However, this encoder is not systematic. A
systematic encoder of a cyclic code is given by the following algorithm:
In order to prove that Algorithm 2.3.1 really provides a systematic encoder for cyclic codes,
we have to show two facts: one is that the encoder is really systematic. This is easily seen,
since 0 ≤ deg(r) < n − k, hence, k ≤ deg(xk r(x)) < n. If u(x) and r(x) in vector notation
are given by u = (u0 , u1 , . . . , uk−1) and r = (r0 , r1 , . . . , rn−k−1), then c(x) in vector notation
is given by c = (u0 , u1 , . . . , uk−1, −r0 , −r1 , . . . , −rn−k−1 ).
The second fact we need to verify is that c(x) in effect belongs in C, i.e., g(x) divides
c(x). Notice that, by the definition of r(x), xn−k u(x) = q(x)g(x) + r(x), for a certain q(x).
Multiplying both sides of this equality by xk mod (xn − 1), we obtain u(x) ≡ xk q(x)g(x) +
xk r(x) mod (xn − 1). Hence, c(x) = u(x) − xk r(x) ≡ xk q(x)g(x) mod (xn − 1), i.e., c(x) ∈ C.
Example 2.3.2 Consider the [8, 3] cyclic code over GF (3) of Example 2.3.1. If we want
to encode systematically the information vector u = (2, 0, 1) (or u(x) = 2 + x2 ), we have
to obtain first the residue of dividing x5 u(x) = 2x5 + x7 by g(x). This residue is r(x) =
2 + x+ 2x2 . Hence, the output of the encoder is c(x) = u(x) −xk r(x) = 2 + x2 + x3 + 2x4 + x5 .
In vector form, this gives c = (2 0 1 1 2 1 0 0). ✷
In the next section, we define the very important family of Reed Solomon codes.
2.3.1 Let C be an [n, k, d] linear code over GF (q). Prove that Lemma 1.2.2, Corollary 1.2.1
and the Singleton bound (Corollary 1.2.2) for binary codes also hold in this case. Is the same
true for the Hamming bound given by Lemma 1.2.3? If not, give an appropriate version of
the Hamming bound for C.
2.3.2 Let C be a cyclic code over GF (q). Prove that there is a (monic) polynomial h(x) of
degree k such that, for every c(x) ∈ C, c(x)h(x) ≡ 0 mod (xn − 1). The polynomial h(x) is
called the parity check polynomial of the code C.
2.3.3 Given a cyclic code C with generator polynomial g(x) and parity check polynomial
h(x), find a generator matrix and a parity check matrix for the code.
2.3.5 Consider the cyclic code C over GF (2) with generator polynomial g(x) = 1 + x + x3
and length 7.
2.3.6 Consider the [8, 5] cyclic code over GF (3) generated by g(x) = 1 + x + x3 .
Problem 2.3.1
Let us prove Lemma 1.2.2 in this general case. Denote the columns of H c0 , c1 , . . . , cn−1 .
Assume that columns 0 ≤ i1 < i2 < . . . < im ≤ n − 1 are linearly dependent, where
m ≤ d − 1. Hence, there exist a1 , a2 , . . . , am in GF (q) such that m l=1 al cil = 0, where 0
denotes the all-zero column.
Without loss of generality, assume that the al ’s are non-zero. Let v be a vector of length n
and weight m whose non-zero coordinates are a1 , a2 , . . . , am in locations i1 , i2 , . . . , im . Thus,
we have
v HT = al cil = 0;
hence v is in C. But v has weight m ≤ d − 1, contradicting the fact that C has minimum
distance d.
Corollaries 1.2.1 and 1.2.2 (Singleton Bound) are analogous to the binary case.
The Hamming bound, though, does not look exactly the same. Let us denote by Vq (r) the
number of elements in a sphere of radius r whose center is an element in GF (q)n . An easy
counting argument gives
X n
Vq (r) = (q − 1)i . (2.2)
i=0 i
Notice that (2.2) generalizes the case q = 2 given by (1.8). The Hamming bound in the
general case then becomes:
Problem 2.3.3
Let g(x) = g0 +g1 x+· · ·+gn−k−1xn−k−1 +gn−k xn−k and h(x) = h0 +h1 x+· · ·+hk−1 xk−1 +hk xk .
Notice that the k codewords g(x), xg(x), x2g(x), . . . , xk−1 g(x) are linearly independent. Since
C has dimension k, they form a basis for the code and can be taken as the rows of a generator
If we write the matrix explicitly, we obtain
g0 g1
g2 . . . gn−k 0 0 0 ... 0
0 g0
g1 . . . gn−k−1 gn−k 0 0 ... 0
G =
.. ..
.. . . .. .. .. .. . . .. k.
. . . . . . . . . .
0 0 0 . . . . . . 0 g0 g1 . . . . . . gn−k
Problem 2.3.4
Notice that x4 − 1 = (x − 1)(x + 1)(x2 + 1), so, excluding trivial cases (i.e., (GF (3)4 and the
0-code), the codes are generated by the factors of x4 − 1. They are:
Problem 2.3.5
3. By observing the parity check matrix H above, we see that the columns of H are all
the possible vectors of length 3 over GF (2), hence, C is equivalent to a Hamming code
and has minimum distance 3.
4. In polynomial form, 1011 corresponds to u(x) = 1 + x2 + x3 . The residue of dividing
x3 (1 + x2 + x3 ) by g(x) = 1 + x + x3 is r(x) = 1, so, the encoded polynomial is
u(x) − x4 r(x) = 1 + x2 + x3 + x4 . In vector form, this corresponds to codeword
Problem 2.3.6
2. By Problem 2.3.3, it is enough to observe that g(x) = h̃(x), where h(x) is the parity
check polynomial of the [8, 3] code of Example 2.3.1, since the parity check matrix of
one is the generator matrix of the other.
1 α α2 ... αn−1
1 α2 α4 ... α2(n−1)
.. .. .. .. .. (2.6)
. . . . .
1 αn−k α(n−k)2 . . . α(n−k)(n−1)
In order to show that H is in fact a parity check matrix, we need to prove that the rows of
H are linearly independent. The next lemma provides an even stronger result.
Lemma 2.4.1 Any set of n−k columns in matrix H defined by (2.6) is linearly independent.
Proof: Take a set 0 ≤ i1 < i2 < . . . < in−k ≤ n − 1 of columns of H. Denote αij by
αj , 1 ≤ j ≤ n − k. Columns i1 , i2 , . . . , in−k are linearly independent if and only if their
determinant is non-zero, i.e., if and only if
α1 α2 ... αn−k
(α1 )2 (α2 )2 ... (αn−k )2
.. .. .. .. 6= 0. (2.7)
. . . .
(α1 )n−k (α2 )n−k . . . (αn−k )n−k
1 1 ... 1
α1 α2 ... αn−k
V (α1 , α2 , . . . , αn−k ) = det
.. .. .. ..
. . . .
(α1 )n−k−1 (α2 )n−k−1 . . . (αn−k )n−k−1
We call the determinant V (α1 , α2 , . . . , αn−k ) a Vandermonde determinant: it is the determi-
nant of an (n − k) × (n − k) matrix whose rows are the powers of vector α1 , α2 , . . . , αn−k ,
the powers running from 0 to n − k − 1. By properties of determinants, if we consider the
determinant in (2.7), we have
α1 α2 ... αn−k
(α1 )2 (α2 )2 ... (αn−k )2
.. .. .. .. = α1 α2 . . . αn−k V (α1 , α2 , . . . , αn−k ). (2.9)
. . . .
(α1 )n−k (α2 )n−k . . . (αn−k )n−k
Hence, by (2.7) and (2.9), since the αj ’s are non-zero, it is enough to prove that
V (α1 , α2 , . . . , αn−k ) 6= 0. By Problem 2.4.1, we have that
V (α1 , α2 , . . . , αn−k ) = (αj − αi ). (2.10)
Since α is a primitive element in GF (q), its powers αl , 0 ≤ l ≤ n − 1 are distinct. In
particular, the αi ’s, 1 ≤ i ≤ n − k are distinct, hence, the product at the right hand side
of (2.10) is non-zero. ✷
Since RS codes meet the Singleton bound with equality, they are MDS. We have seen that
in the binary case, the only MDS codes were trivial ones (see Problem 1.2.4).
Example 2.4.1 Consider the [7, 3, 5] RS code over GF (8), where GF (8) is given by Ta-
ble 2.1. The generator polynomial is
u(x)g(x) = α2 + α4 x + α2 x2 + α6 x3 + α6 x4 + α4 x5 + α5 x6 .
In vector form the output of the encoder is given by the 7 bytes 001 011 001 101 101 011 111.
If we encode u(x) using a systematic encoder (Algorithm 2.3.1), then the output of the
encoder is
α6 + α2 x + α5 x2 + α6 x3 + α5 x4 + α4 x5 + α4 x6 ,
which in vector form is 101 001 111 101 111 011 011. ✷
We have defined RS codes, proven that they are MDS and showed how to encode them
systematically. The next step, to be developed in the next sections, is decoding them.
2.4.2 Let α be a primitive element in GF (q) and n = q − 1. Prove that, for s 6≡ 0 mod n,
Pn−1 is Pn−1 is
i=0 α = 0 and for s ≡ 0 mod n, i=0 α = n.
2.4.3 Consider a [15, 9] RS code over GF (16), where GF (16) was constructed in Prob-
lem 2.2.6. Encode systematically the polynomial u(x) = α3 + α9 x2 + α7 x3 + α5 x4 + α10 x6 +
α2 x7 + α12 x8 .
2.4.4 Consider an [8, 4] RS code over GF (9), where GF (9) was constructed in Prob-
lem 2.2.7. Encode systematically the polynomial u(x) = α2 + α2 x + α7 x2 + α3 x3 .
2.4.5 Verify that, if we define, more generally, an [n, k] RS code as the set of polynomials of
degree ≤ n−1 having as roots the consecutive powers αm , αm+1 , . . . , αm+n−k−1 , the minimum
distance of the code is n − k + 1.
2.4.6 Write a computer program that encodes systematically an information polynomial of
degree ≤ k − 1 into an [n, k] RS code.
Problem 2.4.1
We prove the result by induction on m. If m = 2, it is clear that V (α1 , α2 ) = α2 − α1 . So,
assume that the result is true for m ≥ 2, let’s prove that it is true for m + 1. Replacing α1
by x in V (α1 , α2 , . . . , αm+1 ), we obtain a polynomial of degree m on x, i.e.,
1 1 ... 1
x α2 ... αm+1
f (x) = det
.. .. .. ..
. . . .
xm (α2 )m . . . (αm+1 )m
f (x) = C(x − α2 )(x − α3 ) . . . (x − αm+1 ) = (−1)m C (αj − x), (2.12)
1 1 ... 1
α2 α3 ... αm+1
C = (−1) det
.. .. .. ..
. . . .
(α2 )m−1 (αe )m−1 . . . (αm+1 )m−1
But the determinant in the right is V (α2 , α3 , . . . , αm+1 ), so, by induction, (2.13) becomes
C = (−1)m (αj − αi ). (2.14)
Replacing in (2.12) x by α1 and C by the value obtained in (2.14), we obtain the result.
Problem 2.4.2
Pn−1 is
If s ≡ 0 (mod n), αis = (αs )i = 1, so i=0 α = n. So, assume that s 6≡ 0 (mod n); hence,
since α is primitive, αs 6= 1. Now,
n−1 n−1
X X (αs )n − 1
αis = (αs )i = = 0,
i=0 i=0 αs − 1
since (αs )n = 1.
Problem 2.4.3
The generator polynomial is
(x − αi ) = α6 + α9 x + α6 x2 + α4 x3 + α14 x4 + α10 x5 + x6 .
c(x) = α3 +α9 x2 +α7 x3 +α5 x4 +α10 x6 +α2 x7 +α12 x8 +α14 x9 +α8 x10 +α11 x11 +α4 x12 +α2 x13 .
Problem 2.4.4
The generator polynomial is
(x − αi ) = α2 + α4 x + α2 x2 + α7 x3 + x4 .
c(x) = α2 + α2 x + α7 x2 + α3 x3 + α3 x4 + α4 x5 + x6 + αx7 .
In vector form, this corresponds to vector
c = (12 12 11 22 22 20 10 01).
Problem 2.4.5
Let C be the code formed by the set of polynomials of degree ≤ n − 1 having as roots the
consecutive powers αm , αm+1 , . . . , αm+n−k−1 , α a primitive element. Then, a parity check
matrix for the code is given by
1 αm (αm )2 ... (αm )n−1
1 αm+1 (αm+1 )2 ... (αm+1 )n−1
.. .. .. .. .. (2.15)
. . . . .
1 αm+n−k−1 (αm+n−k−1 )2 . . . (αm+n−k−1)n−1
We show now that any set of n − k columns in matrix H defined by (2.15) is linearly
In effect, take a set 0 ≤ i1 < i2 < . . . < in−k ≤ n − 1 of columns of H. Denote αij by
αj , 1 ≤ j ≤ n − k. Columns i1 , i2 , . . . , in−k are linearly independent if and only if their
determinant is non-zero, i.e., if and only if
αm1 αm2 ... αm
1 αm+1
2 ... αm+1
det .. .. .. .. 6= 0. (2.16)
. . . .
α1m+n−k−1 α2m+n−k−1 . . . αn−k
αm m m
1 α2 . . . αn−k V (α1 , α2 , . . . , αm ),
R(x) = α6 + α2 x + α3 x2 + α2 x3 + α4 x4 + αx5 + x6 .
Evaluating the syndromes, we obtain S1 = R(α) = α2 and S2 = R(α2 ) = α4 . Thus, S2 /S1 =
α2 , meaning that location 2 is in error. The error value is E2 = (S1 )2 /S2 = (α2 )2 /α4 = 1,
which in vector form is 100. The output of the decoder is then
Let E be the subset of {0, 1, . . . , n − 1} of locations in error, i.e., E = {l : El 6= 0}. With this
notation, (2.17) becomes
Sj = Ei αij , 1 ≤ j ≤ n − k. (2.19)
The decoder will find the error set E and the error values Ei when the error correcting
capability of the code is not exceeded. Thus, if s is the number of errors and 2s ≤ n − k,
the system of equations given by (2.19) has a unique solution. However, this is a non-linear
system, and it is very difficult to solve it directly. We will study methods of transforming
parts of the decoding process into a linear problem.
In order to find the set of locations in error E and the corresponding error values {Ei : i ∈ E},
we define two polynomials. The first one is called the error locator polynomial, which is the
polynomial that has as roots the values α−i , where i ∈ E. We denote this polynomial by
σ(x). Explicitly,
σ(x) = (x − α−i ). (2.20)
If somehow we can determine the polynomial σ(x), by finding its roots, we can obtain the
set E of locations in error. Once we have the set of locations in error, we need to find the
errors themselves. We define a second polynomial, called the error evaluator polynomial and
denoted by ω(x), as follows:
ω(x) = Ei (x − α−l ). (2.21)
i∈E l∈E
Since an [n, k] RS code corrects at most (n − k)/2 errors, we assume that |E| = deg(σ) ≤
(n − k)/2. Notice also that deg(ω) ≤ |E| − 1, since ω is a sum of polynomials of degree
|E| − 1. Moreover,
ω(α−i )
Ei = , (2.22)
σ ′ (α−i )
where σ ′ denotes the (formal) derivative of σ (see Problem 2.5.3).
Let us prove some of these facts in the following lemma:
Lemma 2.5.1 The polynomials σ(x) and ω(x) are relatively prime, and the error values Ei
are given by (2.22).
Proof: In order to show that σ(x) and ω(x) are relatively prime, it is enough to observe
that they have no roots in common. In effect, if α−j is a root of σ(x), then j ∈ E. By (2.21),
ω(α−j ) = Ei (α−j − α−l ) = Ej (α−j − α−l ) 6= 0. (2.23)
i∈E l∈E l∈E
l6=i l6=j
σ ′ (α−j ) = (α−j − α−l ). (2.24)
The decoding methods of RS codes are based on finding the error locator and the error
evaluator polynomials. By finding the roots of the error locator polynomial, we determine
the locations in error, while the errors themselves can be found using (2.22). We will establish
a relationship between σ(x) and ω(x), but first we need to define a third polynomial, the
syndrome polynomial. We define the syndrome polynomial as the polynomial of degree
≤ n − k − 1 whose coefficients are the n − k syndromes. Explicitly,
2 n−k−1
S(x) = S1 + S2 x + S3 x + . . . + Sn−k x = Sj+1 xj . (2.25)
Theorem 2.5.1 There is a polynomial µ(x) such that the error locator, the error evaluator
and the syndrome polynomials verify the following equation:
S(x) = Sj+1 xj
= Ei α xj
j=0 i∈E
X n−k−1
= Ei α (αi x)j
i∈E j=0
X (αi x)n−k − 1
= Ei αi
αi x − 1
X (αi x)n−k − 1
= Ei , (2.28)
x − α−i
since m l
l=0 a = (a
− 1)/(a − 1) for a 6= 1 (Problem 2.5.1).
Multiplying both sides of (2.28) by σ(x), where σ(x) is given by (2.20), we obtain
σ(x)S(x) = Ei ((αi x)n−k − 1) (x − α−l )
i∈E l∈E
(x − α−l ) + Ei αi(n−k) (x − α−l ) xn−k
= − Ei
i∈E l∈E i∈E l∈E
l6=i l6=i
= −ω(x) + µ(x)x ,
The decoding methods for RS codes concentrate on solving the key equation. In the next
section we study the simplest (conceptually) of these methods, the Peterson-Gorenstein-
Zierler decoder.
2.5.1 Prove that, for a 6= 1, i=0 ai = (an − 1)/(a − 1).
2.5.2 Consider the [15, 13] RS code over GF (16). Decode the received word
R(x) = α3 + αx + α6 x2 + α5 x3 + α8 x4 + x5 + α3 x6 + α8 x7 + α6 x8 + α6 x9 + α3 x10
+α4 x11 + α12 x12 + α12 x13 + α13 x14 .
2. If the field F has characteristic 2, find f ′ and f ′′ for the polynomial f above.
2.5.4 Let C be an [n, k] RS code. Assume that t erasures have occurred, and a number of
errors s ≤ (n − k − t)/2. Let E 1 be the set of locations in error and E 2 the set of erased
locations (notice, E 2 is known). Let E = E 1 ∪ E 2 , and define the error locator polynomial
σ 1 (x) = (x − α−i ), (2.29)
i∈E 1
ω(x) = Ei (x − α−l ). (2.31)
i∈E l∈E
Give an equivalent form of the key equation (2.27) for this case.
2.5.5 As in Problem 2.4.5, consider an [n, k] RS code as the set of polynomials of degree
≤ n − 1 having as roots the consecutive powers αm , αm+1 , . . . , αm+n−k−1 . Give an equivalent
form of the key equation (2.27) for this case. Give also an equivalent form for errors and
erasures, as in Problem 2.5.4.
Problem 2.5.1
Notice that
Problem 2.5.2
Evaluating the syndromes, we obtain S1 = R(α) = α3 = Ei αi and S2 = R(α2 ) = α7 = Ei α2i ,
i the location in error, Ei the error value. This gives, αi = S2 /S1 = α4 , i.e., i = 4. Also,
E4 = (S1 )2 /S2 = α14 . Hence, symbol 4 has to be replaced by α8 − α14 = α6 . If the
information is carried in the first 13 bytes, the output of the decoder is
U(x) = α3 + αx + α6 x2 + α5 x3 + α6 x4 + x5 + α3 x6 + α8 x7 + α6 x8 + α6 x9 + α3 x10
+α4 x11 + α12 x12
Problem 2.5.3
1. Let f (x) = m a xi and g(x) = m i=0 bP
i x , so, (f + g)(x)
(ai + bi )xi and (f +
Pm−1i=0 i i=0P
g) (x) = i=0 (i + 1)(ai+1 + bi+1 )x = ( i=0 (i + 1)ai+1 x ) + ( m−1
′ i m−1 i i
i=0 (i + 1)bi+1 x ) =
f ′ (x) + g ′ (x).
Given the linearity of the derivative with respect to the sum, it is enough to prove
the result for f (x) = xi and g(x) = xj , 0 ≤ i, j. Notice that (f g)′(x) = (xi+j )′ =
(i + j)xi+j−1 = (ixi−1 )xj + xi (jxj−1 ) = (f (x))′ g(x) + f (x)(g(x))′ .
2. Let f (x) = a0 + a1 x + · · · + am xm , where ai ∈ GF (2). Then, f ′ (x) = a1 + 2a2 x + · · · +
mam xm−1 = a1 + a3 x2 + a5 x4 + · · ·, since, in a field of characteristic 2, 2j = 0 and
2j + 1 = 1. Differentiating this first derivative, we obtain f ′′ (x) = 0.
Problem 2.5.4
If σ(x) = σ 1 (x)σ 2 (x), the key equation is the same, i.e.,
Problem 2.5.5
In order to find the set of locations in error E and the corresponding error values {Ei : i ∈ E},
we define again the error locator polynomial as given by (2.20). However, the error evaluator
polynomial needs a slightly different definition (in fact, it is a generalization of (2.21)) as
ω(x) = Ei α(m−1)i (x − α−l ). (2.33)
i∈E l∈E
Since an [n, k] RS code corrects at most (n − k)/2 errors, we assume that |E| = deg(σ) ≤
(n − k)/2. Notice also that deg(ω) ≤ |E| − 1, since ω is a sum of polynomials of degree
|E| − 1. Moreover,
ω(α−i )α−(m−1)i
Ei = . (2.34)
σ ′ (α−i )
Similarly to Lemma 2.5.1, we can prove that the polynomials σ(x) and ω(x) are relatively
prime, and the error values Ei are given by (2.34). Therefore, if we find σ(x) and ω(x), we
can determine the error locations and their values.
Now, similarly to (2.25), we define the syndrome polynomial as the polynomial of degree
≤ n − k − 1 whose coefficients are the n − k syndromes Si , m ≤ i ≤ m + n − k − 1. Explicitly,
S(x) = Sm + Sm+1 x + Sm+2 x2 + . . . + Sm+n−k−1 xn−k−1 = Sm+j xj . (2.35)
As before, R(x) is in C if and only if S(x) = 0 and E denotes the set of locations in error.
S(x) = Sm+j xj
= Ei αi(m+j) xj
j=0 i∈E
X n−k−1
= Ei αmi (αi x)j
i∈E j=0
mi (α x)n−k − 1
= Ei α
αi x − 1
X (αi x)n−k − 1
= Ei α(m−1)i ,
x − α−i
Pm l
since l=0 a = (am+1 − 1)/(a − 1) for a 6= 1. Multiplying both sides by σ(x), we obtain
σ(x)S(x) = Ei α(m−1)i ((αi x)n−k − 1) (x − α−l )
i∈E l∈E
= − Ei α(m−1)i (x − α−l ) + µ(x)xn−k
i∈E l∈E
= −ω(x) + µ(x)xn−k ,
therefore, the key equation, as given by Theorem 2.5.1, looks the same, but ω(x) is now
given by (2.33) and the error values by (2.34).
As far as erasures are concerned, the treatment is completely analogous to the one in Prob-
lem 2.5.3, except that ω(x) is given by (2.33) and the error values by (2.34).
σ l Sj+1−l = 0 , s ≤ j ≤ n − k − 1. (2.36)
S2 S3 ... Ss+1 σ s−1 −S1
S3 S4 ... Ss+2
σ s−2
.. .. .. .. .. = .. . (2.38)
. . . .
Sn−k−s+1 Sn−k−s+2 . . . Sn−k σ0 −Sn−k−s
In order to solve (2.38), it is enough to take the first s rows in the matrix at the left (the
remaining rows may be used for verification), thus, we obtain
S2 S3 ... Ss+1 σ s−1 −S1
S3 S4 ... Ss+2
σ s−2
.. .. .. ..
.. .
. . . . . .
Ss+1 Ss+2 . . . S2s σ0 −Ss
Finding σ(x) using (2.39) provides the basis for the so called Peterson-Gorenstein-Zierler
decoder. Let
S2 S3 ... Sr+1
S3 S4 ... Sr+2
Sr =
.. .. .. .. , (2.40)
. . . .
Sr+1 Sr+2 . . . S2r
where 2r ≤ n − k. Since s errors have occurred and this is within the error-correcting
capability of the code, Ss is non-singular. We will prove that Sr is singular for s < r ≤
(n − k)/2. Hence, the decoder starts checking if Sr is non-singular for the largest possible
r (i.e., r = ⌊(n − k)/2⌋). When it finds an r such that Sr is non-singular, this r gives the
number of errors s. Then, (2.39) can be solved simply by inverting Ss , i.e.,
σ s−1 −S1
σ s−2
= (Ss )
.. .
. .
σ0 −Ss
Once we have obtained σ(x), by (2.26), we can compute ω(x) by calculating the coefficients
j, 0 ≤ j ≤ s − 1, of σ(x)S(x) and changing their sign. We then find the error values
using (2.22).
The roots of the polynomial σ(x) are found using an exhaustive search algorithm called
Chien search. Once the roots are found, we know the locations of errors. However, we must
not forget that if a root α−i has been found, the error is in location i, not in location −i.
For instance, in GF (256), if α85 is a root of σ(x), since α85 = α−170 , the error is in location
Another possibility for finding the error values El , 1 ≤ l ≤ s, once we have obtained the s
error locations, is the following (the decoding process has been transformed into a problem
of correcting erasures only): since the syndromes are given by
Sj = αjl El , 1 ≤ j ≤ s, (2.42)
this is a system of s linear equations with s unknowns, which can be solved by inverting the
matrix of coefficients (αjl ) , l ∈ E , 1 ≤ j ≤ s.
The next lemma proves that Sr is singular for s < r ≤ (n − k)/2.
Proof: Let s < r ≤ (n − k)/2. Let the error set be E = {i1 , i2 , . . . , is }, and consider the
errors Ei1 , Ei2 , . . . , Eis . Consider the r × r matrices
1 1 ... 1 1 1 ... 1
α i1 α i2 α is
... 0 0 ... 0
A =
α2i1 α2i2 ... α2is 0 0 ... 0
.. .. .. .. .. .. .. ..
. . . . . . . .
α(r−1)i1 α(r−1)i2 . . . α(r−1)is 0 0 . . . 0
Ei1 α2i1 0 ... 0 0 0 ... 0
0 Ei2 α2i2 ... 0 0 0 ... 0
.. .. .. .. .. .. .. ..
. . . . . . . .
B =
0 0 ... Eis α2is 0 0 ... 0 .
0 0 ... 0 0 0 ... 0
.. .. .. .. .. .. .. ..
. . . . . . . .
0 0 ... 0 0 0 ... 0
Notice that
Ei1 α2i1 Ei1 α3i1 . . . Ei1 α(r+1)i1
Ei2 α2i2 Ei2 α3i2 . . . Ei2 α(r+1)i2
.. .. .. ..
. . . .
Eis α2is Eis α 3is
... Eis α(r+1)is ,
0 0 ... 0
.. .. .. ..
. . . .
0 0 ... 0
Ps 2il Ps Ps
l=1 Eil α E α3il ... E α(r+1)il
Ps 3il Psl=1 il 4i Psl=1 il (r+2)i
E α Eil α l ... l=1 Eil α
. l=1 il l=1
ABAT = . .. .. ..
. . . .
Ps (r+1)i Ps Ps
l=1 Eil α l
l=1 Eil α(r+2)il . . . l=1 Eil α
S2 S3 ... Sr+1
S3 S4 ... Sr+2
.. .. .. ..
. . . .
Sr+1 Sr+2 . . . S2r
= Sr ,
the last two equalities by (2.42) and (2.40) respectively. Since Sr = ABAT ,
! ! !
S2 S3 σ1 −S1
= , (2.46)
S3 S4 σ0 −S2
S1 S3 − (S2 )2
σ0 = (2.47)
S2 S4 − (S3 )2
S2 S3 − S1 S4
σ1 = (2.48)
S2 S4 − (S3 )2
If ω(x) = ω 0 + ω 1 x, then the coefficients of ω are the coefficients 0 and 1 of σ(x)S(x) with
the sign changed, i.e.,
ω 0 = −σ 0 S1 (2.49)
ω 1 = −σ 0 S2 − σ 1 S1 , (2.50)
R(x) = α4 + α6 x + α5 x2 + α5 x3 + α5 x4 + α6 x5 + αx6 .
Evaluating the syndromes, we obtain S1 = R(α) = α5 , S2 = R(α2 ) = α, S3 = R(α3 ) = 0
and S4 = R(α4 ) = α3 . By (2.47) and (2.48), we obtain σ 0 = α5 and σ 1 = α4 , i.e., σ(x) =
α5 + α4 x + x2 . Searching the roots of σ(x), we verify that these roots are α0 = 1 and α5 ;
hence, the errors are in locations 0 and 2. Using (2.49) and (2.50), we obtain ω 0 = σ 0 S1 = α3
and ω 1 = σ 0 S2 + σ 1 S1 = 1; hence, ω(x) = α3 + x. The derivative of σ(x) is σ ′ (x) = α4 .
By (2.22), we obtain E0 = ω(1)/σ ′ (1) = α4 and E2 = ω(α5 )/σ′ (α5 ) = α5 . Adding E0 and
E2 to the received locations 0 and 2, the decoder concludes that the transmitted polynomial
F (x) = α6 x + α5 x3 + α5 x4 + α6 x5 + αx6 ,
which in vector form is
By looking at Algorithm 2.6.1, we can see that we have added a step: before releasing
the output, we check if the syndromes of the error polynomial coincide with the original
syndromes, therefore, the output of the decoder is in the code. This step is important to
avoid a miscorrection for cases in which the number of errors that the code can handle has
been exceeded. It assures that the decoder will not output anything that is not a codeword.
The Peterson-Gorenstein-Zierler algorithm is important both historically and conceptually.
It is also efficient to handle a small number of errors. However, when the number of errors
is relatively large, it becomes too complex. One of the reasons is that we have to check
repeatedly if the matrix Sr is non-singular, until we find the correct number of errors. This
process may involve too many multiplications in a finite field. A more efficient decoding
algorithm, and a one widely used in practice, is the so called Berlekamp-Massey algorithm [2].
This algorithm exploits the particular structure of the matrix Sr . Another efficient decoding
algorithm is obtained by using Euclid’s algorithm for division of polynomials. We present
Euclid’s algorithm in the next section.
2.6.1 Consider the [10, 4] (shortened) RS code over the finite field GF (16) generated by
1 + x + x4 . Decode the received vector
r = (1110 1110 0010 0110 1110 0101 0110 0001 0001 0011),
Notice that the code is shortened, therefore, the first four bytes correspond to information
while the last six correspond to the redundancy. In polynomial form, the first 4 bytes are
followed by 5 0-bytes, therefore, the polynomial form of r with coefficients as powers of α is
given by
2.6.2 Consider the [8, 4] RS code over the finite field GF (9) generated by 2+x+x2 . Decode
the received vector
r = (11 01 22 20 11 21 21 12).
2.6.3 Consider the [8, 2] RS code over the finite field GF (9) generated by 2+x+x2 . Decode
the received vector
r = (21 00 22 11 20 00 02 01).
2.6.4 Consider the [10, 2] RS code over the finite field GF (11) generated by g(x) = (x −
2)(x − 22 ) . . . (x − 28 ) (notice that 2 is primitive in GF (11)). Decode the received vector
r = (7 1 3 3 4 7 10 5 6 8).
2.6.5 Using the key equation for errors and erasures obtained in Problem 2.5.4, obtain a
version of the Peterson-Gorenstein-Zierler decoder for errors and erasures. Use it to decode
r = (0011 1100 1111 0110 ???? 1101 1010 ???? 0001 1110),
over the [10, 4] (shortened) RS code of Problem 2.6.1 (the symbol ? denotes an erased bit).
2.6.6 As in Problems 2.4.5 and 2.5.5, consider an [n, k] RS code as the set of polynomials
of degree ≤ n − 1 having as roots the consecutive powers αm , αm+1 , . . . , αm+n−k−1 . Give an
equivalent form of the Peterson-Gorenstein-Zierler decoder for this case.
Consider the [15, 9] RS code over GF (16), GF (16) generated by 1 + x + x4 , whose roots are
1, α, . . . , α5 (i.e., m = 0 in the description above). Use the modified Peterson-Gorenstein-
Zierler decoder to decode the received polynomial
R(x) = 1+α12 x+α10 x2 +αx4 +α8 x5 +α10 x6 +α6 x7 +α8 x8 +α5 x10 +α14 x11 +α10 x12 +x13 +α12 x14 .
2.6.7 As in Problem 2.6.6, consider an [n, k] RS code as the set of polynomials of degree
≤ n − 1 having as roots the consecutive powers αm , αm+1 , . . . , αm+n−k−1 . Give an equivalent
form of the Peterson-Gorenstein-Zierler decoder for errors and erasures, as in Problem 2.6.5.
As in Problem 2.6.6, consider the [15, 9] RS code over GF (16) generated by 1 + x + x4
whose roots are 1, α, . . . , α5 . Use the error-erasure version of the Peterson-Gorenstein-Zierler
decoder to decode
Problem 2.6.1
We apply Algorithm 2.6.1. The 6 syndromes of the received vector R(x) are
S1 = R(α ) = α3
S2 = R(α2 ) = α2
S3 = R(α3 ) = α12
S4 = R(α4 ) = 0
S5 = R(α5 ) = α12
S6 = R(α6 ) = α
α2 α12 0 σ2 α3
α 0 α12 σ 1 = α2
0 α12 α σ0 α12
ω 0 = −σ 0 S1 = α4
ω 1 = −(σ 0 S2 + σ 1 S1 ) = α8
ω 2 = −(σ 0 S3 + σ 1 S2 + σ 2 S1 ) = α2
Finally, substracting the values E0 , E1 and E2 from R0 , R2 and R12 , we obtain the estimate
for R(x)
Taking only the information part in vector form, i.e., the first four bytes, the output of the
decoder is
Problem 2.6.2
The finite field is described in Problem 2.2.7. If we write the received vector in polynomial
form, we obtain
R(x) = α7 + αx + α3 x2 + α4 x3 + α7 x4 + α6 x5 + α6 x6 + α2 x7 .
S1 = R(α ) = α5
S2 = R(α2 ) = 0
S3 = R(α3 ) = 1
S4 = R(α4 ) = α7
! ! !
0 1 σ1 α
= ,
1 α7 σ0 0
ω 0 = −σ 0 S1 = α2
ω 1 = −(σ 0 S2 + σ 1 S1 ) = α5
Therefore, the error evaluator polynomial is ω(x) = α2 + α5 x. The derivative of σ(x) is
σ ′ (x) = α10 + α4 x2 .
The error values are:
C(x) = α7 + αx + α5 x2 + α4 x3 + α7 x4 + α2 x5 + α6 x6 + α2 x7 .
In vector form, this gives
c = (11 01 02 20 11 12 21 12).
If we are interested only in the information part, the final output of the decoder is
u = (11 01 02 20).
Problem 2.6.3
If we write the received vector in polynomial form, we obtain
R(x) = α6 + α3 x2 + α7 x3 + α4 x4 + α5 x6 + αx7 .
The syndromes are given by
S1 = R(α ) = α7
S2 = R(α2 ) = 0
S3 = R(α3 ) = α7
S4 = R(α4 ) = α4
S5 = R(α5 ) = 0
S6 = R(α6 ) = 1
0 α7 α4 σ2 α3
7 4
α α 0 σ1 = 0
4 3
α 0 1 σ0 α
ω 0 = −σ 0 S1 = 1
ω 1 = −(σ 0 S2 + σ 1 S1 ) = α2
ω 2 = −(σ 0 S3 + σ 1 S2 + σ 2 S1 ) = α5
Therefore, the error evaluator polynomial is ω(x) = 1 + α2 x + α5 x2 . The derivative of σ(x)
is σ ′ (x) = α7 + α4 x.
The error values are:
E0 = ω(1)/σ′ (1) = α5
E1 = ω(α−2 )/σ ′ (α−2 ) = α2
E2 = ω(α−5 )/σ ′ (α−5 ) = α6
Finally, substracting the values E0 , E1 and E2 from R0 , R2 and R5 , we obtain the estimate
for R(x)
C(x) = α3 + x2 + α7 x3 + α4 x4 + α2 x5 + α5 x6 + αx7 .
In vector form, this gives
c = (22 00 10 11 20 12 02 01).
If we are interested only in the information part, the output of the decoder is
u = (22 00).
Problem 2.6.4
In polynomial form, the received vector can be written as
20 21 22 23 24 25 26 27 28 29
1 2 4 8 5 10 9 7 3 6
The 8 syndromes corresponding to R(x) are given by
S1 = R(2 ) = 7
S2 = R(22 ) = 6
S3 = R(23 ) = 8
S4 = R(24 ) = 6
S5 = R(25 ) = 6
S6 = R(26 ) = 1
S7 = R(27 ) = 8
S8 = R(28 ) = 3
6 8 6 6 σ3 4
8 6 6 1
= ,
6 6 1 8 σ1 3
6 1 8 3 σ0 5
ω0 = −σ 0 S1 = 5
ω1 = −(σ 0 S2 + σ 1 S1 ) = 6
ω2 = −(σ 0 S3 + σ 1 S2 + σ 2 S1 ) = 9
ω3 = −(σ 0 S4 + σ 1 S3 + σ 2 S2 + σ 3 S1 ) = 3
Therefore, the error evaluator polynomial is ω(x) = 5 + 6x + 9x2 + 3x3 . The derivative of
σ(x) is σ ′ (x) = 2 + 10x + 8x2 + 4x3 .
The error values are:
E0 = ω(1)/σ ′ (1) = 6
E1 = ω(2−1 )/σ ′ (2−1 ) = 3
E2 = ω(2−3 )/σ ′ (2−3 ) = 1
E3 = ω(2−4 )/σ ′ (2−4 ) = 4
Finally, substracting the values E0 , E1 , E2 and E3 from R0 , R1 , R3 and R4 , we obtain the
estimate for r
c = (1 9 3 2 0 7 10 5 6 8).
If we are interested only in the information part, the output of the decoder is
u = (1 9).
Problem 2.6.5
In this case, we use the modified key equation (2.32) obtained in Problem 2.5.4. We refer to
the notation in that problem.
Assume that s errors and t erasures have occurred such that 2s + t ≤ n − k − 1, i.e., we are
within the error correcting capability of the code. Note that σ 1 (x) has degree s, Ŝ(x) has
degree n − k − 1 + t and ω(x) has degree ≤ s + t − 1. Moreover, let
(1) (1) (1)
σ 1 (x) = σ 0 + σ 1 x + . . . + σ s−1 xs−1 + xs .
Also, let
If we just consider the first s equations above, and we keep the rest for verification, since
σ (1)
s = 1, we can express them as the matrix multiplication
Ŝ t+2 Ŝ t+3 ... Ŝ s+t+1 σ s−1 −Ŝ t+1
Ŝ t+3 Ŝ t+4 ... Ŝ s+t+2
σ s−2
−Ŝ t+2
.. .. .. .. .. = .. . (2.51)
. . . .
Ŝ s+t+1 Ŝ s+t+2 . . . Ŝ 2s+t σ0 −Ŝ s+t
Now we can find σ 1 (x) using (2.51). This gives an error-erasure Peterson-Gorenstein-Zierler
In effect, let
Ŝ t+2 Ŝ t+3 ... Ŝ t+r+1
Ŝ t+3 Ŝ t+4 ... Ŝ t+r+2
Ŝr = .. .. .. .. , (2.52)
. . . .
Ŝ t+r+1 Ŝ t+r+2 . . . Ŝ t+2r
where 2r ≤ n − k − t. Since s errors and t erasures have occurred and this is within the
error-correcting capability of the code, Ŝs is non-singular. Similarly to Lemma 2.6.1, we can
prove that Ŝr is singular for s < r ≤ (n − k − t)/2. Hence, the decoder starts checking if
Ŝr is non-singular for the largest possible r (i.e., r = ⌊(n − k − t)/2⌋). The moment it finds
an r such that Ŝr is non-singular, this r gives the number of errors s. Then, (2.51) can be
solved simply by inverting Ŝs , i.e.,
σ s−1 −Ŝ t+1
σ s−2
−Ŝ t+2
.. = (Ŝs ) .. . (2.53)
σ0 −Ŝ s+t
Once we have obtained σ 1 (x), we can compute ω(x) by calculating the coefficients j, 0 ≤ j ≤
t + s − 1, of σ 1 (x)Ŝ(x) and changing their sign. We then find the error values using (2.22).
Consider now r as given in the problem. Since this is a shortened code, we add 0’s in
appropriate information bytes as in Problem 2.6.1. Thus, in polynomial form r becomes
Since Ŝ 4 6= 0, one error has occurred and the error locator polynomial σ (1) (x) has degree 1.
(1) (1) (1)
Applying the algorithm, we obtain Ŝ 4 σ 0 = Ŝ 3 , i.e., α13 σ 0 = α10 and σ 0 = α12 . So, the
error locator polynomial is
ω(x) = α5 + α6 x + α12 x2 .
The error values are given by:
C(x) = α6 + α4 x + α12 x2 + αx3 + α13 x9 + α7 x10 + α8 x11 + α5 x12 + α3 x13 + α10 x14 .
Considering only the four information bytes, the output of the decoder is
Problem 2.6.6
As in Problem 2.5.5, we have the modified key equation
Sm+1 Sm+2 ... Sm+s σ s−1 −Sm
Sm+2 Sm+3 ... Sm+s+1
σ s−2
.. .. .. .. .. = .. .
. . . .
Sm+n−k−s Sm+n−k−s+1 . . . Sm+n−k−1 σ0 −Sm+n−k−s−1
In order to solve this system, it is enough to take the first s rows in the matrix at the left
(the remaining rows may be used for verification), thus, we obtain
Sm+1 Sm+2 ... Sm+s σ s−1 −Sm
Sm+2 Sm+3 ... Sm+s+1
σ s−2
.. .. .. .. .. = .. . (2.57)
. . . .
Sm+s Sm+s+1 . . . Sm+2s−1 σ0 −Sm+s−1
Sm+1 Sm+2 ... Sm+r
Sm+2 Sm+3 ... Sm+r+1
Sm,r =
.. .. .. .. , (2.58)
. . . .
Sm+r Sm+r+1 . . . Sm+2r−1
where 2r ≤ n − k. Since s errors have occurred and this is within the error-correcting
capability of the code, Sm,s is non-singular. We can prove that Sm,r is singular for s < r ≤
(n−k)/2 as in Lemma 2.6.1. Hence, the decoder starts checking if Sm,r is non-singular for the
largest possible r (i.e., r = ⌊(n − k)/2⌋). When it finds an r such that Sm,r is non-singular,
this r gives the number of errors s. Then, (2.57) can be solved simply by inverting Sm,s , i.e.,
σ s−1 −Sm
σ s−2
= (Sm,s )
.. .
. .
σ0 −Sm+s−1
Once we have obtained σ(x), by (2.54), we can compute ω(x) by calculating the coefficients
j, 0 ≤ j ≤ s − 1, of σ(x)S(x) and changing their sign. We then find the error values
using (2.34).
Consider now the polynomial R(x) described in the problem. We do the computations using
the table of the field described in Problem 2.2.6. The syndromes are:
S0 = R(1) = α5
S1 = R(α) = α7
S2 = R(α2 ) = α8
S3 = R(α3 ) = α6
S4 = R(α4 ) = α9
S5 = R(α5 ) = 1,
S(x) = α5 + α7 x + α8 x2 + α6 x3 + α9 x4 + x5 .
S1 S2 S3
det(S0,3 ) = det S2 S3 S4 .
S3 S4 S5
We can verify that det(S0,3 ) = 0, thus S0,3 is singular. Next, we can see that
S1 S2
det(S0,2 ) = det 6= 0.
S2 S3
! ! !
S1 S2 σ1 S0
= ,
S2 S3 σ0 S1
σ(x) = α5 + x + x2 .
The roots of this polynomial are α = α−14 and α4 = α−11 , therefore, the errors are in
locations 11 and 14. In order to find ω(x), we need to estimate the coefficients 0 and 1 of
σ(x)S(x). This gives ω 0 = α10 and ω 1 = α14 , thus,
Also, we obtain
σ ′ (x) = 1.
ω(α4 )α11
E11 = = α8
σ ′ (α4 )
E14 = = α4
σ ′ (α)
Finally, substracting the errors from R(x) at locations 11 and 14, we obtain the decoded
C(x) = 1+α12 x+α10 x2 +αx4 +α8 x5 +α10 x6 +α6 x7 +α8 x8 +α5 x10 +α6 x11 +α10 x12 +x13 +α6 x14 .
Problem 2.6.7
We use the modified key equation (2.32) obtained in Problem 2.5.4, but S(x) is given by (2.35,
ω(x) is given by (2.33) and the error values by (2.34).
Assume that s errors and t erasures have occurred such that 2s + t ≤ n − k − 1, i.e., we are
within the error correcting capability of the code. Note that σ 1 (x) has degree s, Ŝ(x) has
degree n − k − 1 + t and ω(x) has degree ≤ s + t − 1. Moreover, let
(1) (1) (1)
σ 1 (x) = σ 0 + σ 1 x + . . . + σ s−1 xs−1 + xs .
Also, let
If we just consider the first s equations above, and we keep the rest for verification, since
σ (1)
s = 1, we can express them as the matrix multiplication
Ŝ m+t+1 Ŝ m+t+2 ... Ŝ m+s+t σ s−1 −Ŝ m+t
Ŝ m+t+2 Ŝ m+t+3 ... Ŝ m+s+t+1
σ s−2
−Ŝ m+t+1
.. .. .. .. .. = .. . (2.60)
. . . .
Ŝ m+s+t Ŝ m+s+t+1 . . . Ŝ m+2s+t−1 σ0 −Ŝ m+s+t−1
Now we can find σ 1 (x) using (2.60). This gives an error-erasure Peterson-Gorenstein-Zierler
In effect, let
Ŝ m+t+1 Ŝ m+t+2 ... Ŝ m+t+r
Ŝ m+t+2 Ŝ m+t+3 ... Ŝ m+t+r+1
Ŝm,r = .. .. .. .. , (2.61)
. . . .
Ŝ m+t+r Ŝ m+t+r+1 . . . Ŝ m+t+2r−1
where 2r ≤ n − k − t. Since s errors and t erasures have occurred and this is within the
error-correcting capability of the code, Ŝm,s is non-singular. Similarly to Lemma 2.6.1, we
can prove that Ŝm,r is singular for s < r ≤ (n − k − t)/2. Hence, the decoder starts checking
if Ŝm,r is non-singular for the largest possible r (i.e., r = ⌊(n − k − t)/2⌋). The moment it
finds an r such that Ŝm,r is non-singular, this r gives the number of errors s. Then, (2.60)
can be solved simply by inverting Ŝm,s , i.e.,
σ s−1 −Ŝ t+1
σ s−2
−Ŝ t+2
.. = (Ŝm,s ) .. .
σ0 −Ŝ s+t
Once we have obtained σ 1 (x), we can compute ω(x) by calculating the coefficients j, 0 ≤ j ≤
t + s − 1, of σ 1 (x)Ŝ(x) and changing their sign. We then find the error values using (2.34).
Consider now the polynomial R(x) given in the problem. It has erasures in locations 1 and
3, therefore, the erasure-locator polynomial is
S0 = R(1) = α12
S1 = R(α) = α2
S2 = R(α2 ) = α
S3 = R(α3 ) = α5
S4 = R(α4 ) = α10
S5 = R(α5 ) = α2 ,
! (1)
! !
α9 α14 σ1 α7
= .
α14 α9 (1)
σ0 α9
σ 1 (x) = α9 + α2 x + x2 .
The roots of this polynomial are α3 and α6 , therefore, the errors are in locations 9 and 12.
The error-erasure locator polynomial is given by
ω(x) = α2 + αx + α8 x2 + α7 x3 .
The derivative of σ(x) is
σ ′ (x) = α2 + αx2 .
Using (2.34), the error values are:
= ωσ(′α(α14)α)
E1 = α12
= ωσ(α
12 )α3
E3 ′ (α12 ) = 0
= ωσ(α
6 )α9
E9 ′ (α6 ) = α6
= ωσ(α′ (α)α
3 12
E12 3) = α6
Substracting these error values from R(x) at locations 1, 3, 9 and 12, we obtain the decoded
C(x) = 1+α12 x+α10 x2 +αx4 +α8 x5 +α10 x6 +α6 x7 +α8 x8 +α5 x10 +α6 x11 +α10 x12 +x13 +α6 x14 .
Since r−1 = A = (1)A + (0)B and r0 = B = (0)A + (1)B, we set the initial conditions
s−1 = 1, t−1 = 0, s0 = 0 and t0 = 1.
Let us illustrate the process with A = 124 and B = 46. We will find gcd(124, 46). The idea
is to divide recursively by the residues of the division until obtaining a last residue 0. Then,
the last divisor is the gcd. The procedure works as follows:
Example 2.7.1 Consider the [7, 3, 5] RS code over GF (8) of Example 2.6.1, and assume
that we want to decode the received vector
R(x) = α4 + α6 x + α5 x2 + α5 x3 + α5 x4 + α6 x5 + αx6 .
This vector was decoded in Example 2.6.1 using the Peterson-Gorenstein-Zierler decoder.
We will decode it next using Euclid’s algorithm. Evaluating the syndromes, we obtain
S1 = R(α ) = α5
S2 = R(α2 ) = α
S3 = R(α3 ) = 0
S4 = R(α4 ) = α3
2.7.2 Using the key equation for errors and erasures obtained in Problem 2.5.4, obtain a
version of Euclid’s algorithm for decoding errors and erasures. Use it to decode r, where r
is the same as in Problem 2.6.5.
2.7.3 As in Problem 2.6.7, consider the [15, 9] RS code over GF (16) whose roots are
1, α, . . . , α5 . Use the error-erasure version Euclid’s algorithm to decode R(x), R(x) being
the same polynomial as in Problem 2.6.7.
2.7.4 Write a computer program implementing Euclid’s algorithm for decoding both errors
and erasures.
Problem 2.7.1
Consider Problem 2.6.1. Using the syndromes found in this problem, the syndrome polyno-
mial is given by
Multiplying t3 (x) and r3 (x) by α13 , we obtain σ(x) = α + α10 x + α2 x2 + x3 and ω(x) =
α4 + α8 x + α2 x2 . These are the same values of σ(x) and of ω(x) found in Problem 2.6.1, so
the rest of the decoding proceeds the same way.
Consider Problem 2.6.2. Using the syndromes found in this problem, the syndrome polyno-
mial is given by
S(x) = α5 + x2 + α7 x3 .
We apply now Euclid’s algorithm with respect to x4 and S(x). Proceeding as in Exam-
ple 2.7.1, we obtain the following table:
S(x) = α7 + α7 x2 + α4 x3 + x5 .
We apply now Euclid’s algorithm with respect to x6 and S(x). Proceeding as in Exam-
ple 2.7.1, we obtain the following table:
3 α + α3 x + α6 x2 α6 + x α2 + α4 x + α5 x2 + α5 x3
Multiplying t3 (x) by α3 and r3 (x) by −α3 = α7 , we obtain σ(x) = α5 + α7 x + x2 + x3 and
ω(x) = 1+α2 x+α5 x2 . These are the same values of σ(x) and of ω(x) found in Problem 2.6.3,
so the rest of the decoding proceeds the same way.
Consider Problem 2.6.4. S(x) is obtained using the syndromes calculated there. Applying
Euclid’s algorithm with respect to x8 and S(x), we obtain the following table:
We then obtain σ(x) = 7t4 (x) = 4 + 2x + 5x2 + 10x3 + x4 and ω(x) = (−7)r4 (x) = 5 + 6x +
9x2 + 3x3 . These values of σ(x) and ω(x) are the same as those found in Problem 2.6.4, so
the rest of the decoding proceeds the same way.
Problem 2.7.2
Again we refer to the modified key equation (2.32) obtained in Problem 2.5.4 and to the
notation in that problem and in Problem 2.6.5. Assume that t erasures have occurred, with
t ≥ 1. Therefore, the code can correct up to s = ⌊(n − k − t)/2⌋ errors, where n − k is the
redundancy of the code.
Writing the modified key equation (2.32) as an equality, we have to solve
Next we apply the Euclid’s algorithm process with respect to r−1 (x) = Ŝ(x) and to r0 (x) =
xn−k . Notice that, since t ≥ 1, deg(Ŝ(x)) ≥ n − k. At step n of the algorithm, we find sn (x)
and tn (x) such that rn (x) = sn (x)Ŝ(x) + tn (x)xn−k , where rn (x) is the residue of dividing
rn−2 (x) by rn−1 (x). The algorithm stops when deg(rn (x)) ≤ s+t−1 (recall that in the case of
no erasures, i.e., t = 0, the algorithm stopped when deg(rn (x)) ≤ s − 1). Therefore, for that
n, ω(x) = −λrn (x) and σ 1 (x) = λsn (x), where λ is a constant making σ 1 (x) monic. Finally,
the error-erasure locator polynomial is σ(x) = σ 1 (x)σ 2 (x), and the rest of the algorithm
proceeds like in Problem 2.6.5.
Next we apply Euclid’s algorithm to decode the received vector given in Problem 2.6.5. We
had found in that problem that r−1 (x) = Ŝ(x) = α8 + α2 x + α10 x2 + α13 x3 + αx4 + α4 x5 +
α13 x6 + α14 x7 . Also, r0 (x) = x6 . Notice that s = ⌊(n − k − t)/2⌋ = ⌊(6 − 2)/2⌋ = 2, thus,
the algorithm will stop when deg(rn (x)) ≤ s + t − 1 = 3.
Applying Euclid’s algorithm, we obtain
Problem 2.7.3
Next we apply Euclid’s algorithm to decode the received vector given in Problem 2.6.7. We
had found in that problem that
Also, r0 (x) = x6 . Notice that s = ⌊(n − k − t)/2⌋ = ⌊(6 − 2)/2⌋ = 2, thus, the algorithm
will stop when deg(rn (x)) ≤ s + t − 1 = 3.
Applying Euclid’s algorithm, we obtain
Definition 2.8.1 Let GF (q) be a field and GF (q ′) a subfield of GF (q). Consider an [n, k]
RS code C over GF (q), where n = q − 1, and the generator polynomial has the form g(x) =
Qn−k i ′ ′
i=1 (x − α ), α a primitive element in GF (q). A BCH code C over GF (q ) corresponding
to C is the subcode of C consisting of those codewords whose entries are in GF (q ′ ), i.e.,
Pn−1 Pn−1
C(x) = i=0 ci xi ∈ C ′ if and only if C(x) = i=0 ci xi ∈ C and ci ∈ GF (q ′), 0 ≤ i ≤ n − 1.
Notice that the BCH code C ′ as given by Definition 2.8.1 is still cyclic, but it is not clear
yet what its dimension and minimum distance are. We can only say at this point that
d′ ≥ n − k + 1, where d′ denotes the minimum distance of C ′ . Apparently, if d′ > n − k + 1,
it looks like we are breaking the Singleton bound, but the dimension of the BCH code, let’s
call it k ′ , goes down, i.e., k ′ < k, so there will be no violation. In a while, we will show how
to find k ′ .
Often, the minimum distance n − k + 1 of the underlying RS code is called the designed
distance of the BCH code. Notice also that, in particular, if GF (q ′ ) = GF (q), then C = C ′ ,
so RS codes may be considered as special cases of BCH codes.
An important case is when q = 2b and we take as a subfield GF (2), so we obtain binary BCH
codes. Notice also that the consecutive powers of α do not need to start at α = 1, but at any
power αm . The same considerations given for RS codes apply here.
In order to determine the dimension of a BCH code, we need to obtain its generator poly-
nomial, since the degree of the generator polynomial is equal to the redundancy n − k ′ .
We need a couple of definitions. Given an element β in GF (q), consider the smallest degree
polynomial with coefficients in GF (q ′) having β as a root. We call such a polynomial
2.8. BCH CODES 85
the minimal polynomial of β with respect to GF (q ′), and we denote it fβ (x). In other
words, fβ (x) is a polynomial with coefficients in GF (q ′ ) such that fβ (β) = 0 and, if g(x) is
a polynomial with coefficients in GF (q ′ ) such that g(β) = 0, then deg(fβ ) ≤ deg(g). When
we refer to a minimal polynomial of β, we will omit the “with respect to GF (q ′ )” when the
context is clear.
So, consider fβ (x). An important observation is that fβ (x) is irreducible over GF (q ′ ). In
effect, assume that fβ (x) = h(x)q(x), where both h(x) and q(x) have degree smaller than the
degree of fβ (x) and their coefficients are in GF (q ′ ). In particular, fβ (β) = h(β)q(β) = 0, so,
either h(β) = 0 or q(β) = 0. This contradicts the minimality of the degree of fβ (x).
Also, if g(x) is a polynomial with coefficients in GF (q ′ ) such that g(β) = 0, then fβ (x) divides
g(x). In effect, assume that it does not, then, by Euclid’s algorithm, g(x) = q(x)fβ (x) + r(x),
where deg(r) < deg(fβ ). Thus, 0 = g(β) = q(β)fβ (β) + r(β), i.e., r(β) = 0, contradicting the
minimality of deg(fβ ).
Since β ∈ GF (q), in particular, β q−1 = 1, i.e., β is a root of the polynomial xq−1 − 1.
Therefore, fβ (x) divides xq−1 − 1 for each β ∈ GF (q).
Consider now fβ (x) with respect to GF (p). If q = pb , observe that b′ = deg(fβ ) ≤ b. In effect,
P′ ′
let fβ (x) = bi=0 ai xi , ai ∈ GF (p) and ab′ 6= 0. Since fβ (β) = 0, the elements 1, β, β 2 , . . . , β b
are linearly dependent. However, the elements 1, β, β 2 , . . . , β b −1 are linearly independent,
otherwise we would have a non-zero linear combination of them equal to 0, contradicting
the minimality of deg(fβ ) = b′ . The total number of linear combinations of 1, β, β 2 , . . . , β b −1
over GF (p) is pb ≤ pb , so b′ ≤ b.
An easy corollary of this observation is that, if β is primitive in GF (q), then b′ = deg(fβ ) = b,
since each power of β can be expressed as a linear combination of 1, β, β 2 , . . . , β b −1 over
GF (p), and the powers of β generate all the non-zero elements in GF (q).
Consider GF (q), q = pb , and assume that α is primitive in GF (q). Let q ′ = pb , where b′
divides b. As before, let l = (q − 1)/(q ′ − 1) and β = αl . We have seen that the powers of β
generate q ′ − 1 different elements in GF (q). The minimal polynomial of β, fβ (x), generates
a subfield GF (q ′) ⊆ GF (q). Moreover, fβ (x) is primitive in GF (q ′ ), thus, it has degree b′ .
Next we want to show how to find explicitly the minimal polynomial fβ (x). Consider the set
′ ′ 2 ′ i ′ (b/b′ )−1
Sβ (q ′ ) = {β, β q , β (q ) , . . . , β (q ) , . . . , β (q ) } (2.66)
The set Sβ (q ′ ) is called the set of conjugates of β with respect to GF (q ′ ) (notice that
′ (b/b′ ) b′ (b/b′ ) b
β (q ) = βp = β p = β q = β). Any two elements in Sβ (q ′ ) are said to be conjugates
with respect to GF (q ′ ) (we will omit the “with respect to GF (q ′ )” when the context is
clear). If β and β ′ are conjugates, it can be proven that Sβ (q ′ ) = Sβ ′ (q ′ ) (Problem 2.8.3).
Problem 2.8.3 also shows that the different sets of conjugates give a partition of the non-zero
elements of GF (q).
S1 (2) = {1}
Sα (2) = {α, α2 , α4 }
Sα3 (2) = {α3 , α6 , α5 }
S1 (2) = {1}
Sα (2) = {α, α2 , α4 , α8 }
Sα3 (2) = {α3 , α6 , α12 , α9 }
Sα5 (2) = {α5 , α10 }
Sα7 (2) = {α7 , α14 , α13 , α11 }
Notice that GF (4) as a subfield of GF (16) consists of the elements {0, 1, α5 , α10 } (Prob-
lem 2.8.2). The sets of conjugates with respect to GF (4) are given by
S1 (4) = {1}
Sα (4) = {α, α4 }
Sα2 (4) = {α2 , α8 }
Sα3 (4) = {α3 , α12 }
Sα5 (4) = {α5 }
Sα6 (4) = {α6 , α9 }
Sα7 (4) = {α7 , α13 }
Sα10 (4) = {α10 }
Sα11 (4) = {α11 , α14 }
Assume that C(x) is a polynomial whose coefficients are in GF (q ′ ). We can prove that if
β ∈ GF (q) and C(β) = 0, then C(β q ) = 0 (Problem 2.8.4). In particular, if
C(α) = C(α2 ) = . . . = C(αn−k ) = 0 (i.e., C(x) is in the BCH code), then the conjugates of
the roots α, α2 , . . . , αn−k are also roots of C(x).
Let β ∈ GF (q). We can show that the minimal polynomial fβ (x) is given by
fβ (x) = (x − γ)
γ ∈Sβ (q′ )
2.8. BCH CODES 87
We have to prove that the coefficients of γ ∈Sβ (q′ ) (x − γ) are in GF (q ′) (Problem 2.8.4), that
it is irreducible over GF (q ′ ), and that it is the smallest degree polynomial with coefficients
in GF (q ′ ) having β as a root (Problem 2.8.5). Also, by Problem 2.8.3, if β and β ′ are
conjugates, then fβ (x) = fβ ′ (x).
Example 2.8.2 Consider GF (8) as given by Table 2.1. Using Example 2.8.1, we have
f1 (x) = 1+x
fα (x) = (x + α)(x + α )(x + α ) = 1 + x + x3
2 4
f1 (x) = 1+x
2 4 8
fα (x) = (x + α)(x + α )(x + α )(x + α ) = 1 + x + x4
3 6 12 9
fα3 (x) = (x + α )(x + α )(x + α )(x + α ) = 1 + x + x2 + x3 + x4
fα5 (x) = (x + α5 )(x + α10 ) = 1 + x + x2
7 14 13 11
fα7 (x) = (x + α )(x + α )(x + α )(x + α ) = 1 + x3 + x4
Finally, following Example 2.8.1, the minimal polynomials with respect to GF (4) are given
f1 (x) = 1+x
fα (x) = (x + α)(x + α4 ) = α5 + x + x2
fα2 (x) = (x + α2 )(x + α8 ) = α10 + x + x2
fα3 (x) = (x + α3 )(x + α12 ) = 1 + α10 x + x2
fα5 (x) = α5 + x
6 9
fα6 (x) = (x + α )(x + α ) = 1 + α5 x + x2
fα7 (x) = (x + α7 )(x + α13 ) = α5 + α5 x + x2
fα10 (x) = α10 + x
11 14
fα11 (x) = (x + α )(x + α ) = α10 + α10 x + x2
Assume that C(x) is in the BCH code C ′ as given by Definition 2.8.1, then C(α) = C(α2 ) =
. . . = C(αn−k ) = 0, α primitive in GF (q), and the coefficients of C(x) are in GF (q ′ ). Consider
the minimal polynomials fα (x), fα2 (x), . . . , fαn−k (x). Each one of them has its coefficients
in GF (q ′ ) and divides C(x), then, the least common multiple of these minimal polynomials
also divides C(x). Since, by Problem 2.8.4, for two different powers of α, their minimal
polynomials are either the same or relatively prime, then the least common multiple is the
product of the distinct minimal polynomials. The generator polynomial g(x) of the BCH
code, in particular, is also a codeword, so this product of minimal polynomials divides g(x).
Therefore, it has to coincide with g(x).
Example 2.8.3 Consider GF (8) as given by Table 2.1, and BCH codes over GF (2). Take
a [7,5,3] RS code C over GF (8). The corresponding BCH code C ′ over GF (2) is given by all
the codewords C(x) = 6i=0 ci xi such that C(α) = C(α2 ) = 0 and ci ∈ GF (2), 0 ≤ i ≤ 6. Let
us find its generator polynomial g(x), and thus its dimension k = 7 − deg(g).
Notice that, by Example 2.8.2, fα (x) = fα2 (x). Thus, the generator polynomial is given by
BCH codes can be decoded using the decoding algorithms of RS codes. In some cases, the
decoding is going to be easier. For instance, if we are correcting errors using a BCH code
over GF (2), it is enough to find the error locator polynomial σ(x): by finding the roots of
σ(x), we know the error locations, and then we simply flip the bits in those locations. We
don’t need to worry about finding the error evaluator polynomial ω(x).
Let us point out that even when the minimum distance of a BCH code exceeds the designed
distance n − k + 1, the decoding algorithm decodes up to the designed distance, since in fact
it is correcting the underlying RS code.
Let us end this section by indicating how to find the isomorphism between two versions of
GF (q), say, F1 and F2 . Assume that α is in F1 with minimal polynomial fα (x) over GF (p),
which divides xq − 1. The degree of fα (x) is equal to the size of the set of conjugates of α,
i.e., deg(fα ) = |Sα (p)|. Now, consider α1 , α2 , . . . , αm ∈ F1 such that F1 − {0} = ∪m
i=1 Sαi (p)
Pm Pm
and Sαi (p) ∩ Sαj (p) = ∅ for i 6= j. In particular, i=1 |Sαi (p)| = i=1 deg(fαi ) = q − 1. Since
each fαi (x) divides xq −1, the product of the fαi ’s also divides xq −1, since they are relatively
prime. Since the sum of their degrees equals q −1, this means, the product of the fαi ’s equals
xq − 1, giving a unique prime factorization of xq − 1. Explicitly,
xq − 1 = fαi (x).
m ′
x −1 = fβj (x).
But since the factorization of xq − 1 over GF (p) in irreducible factors must be unique, this
means, m = m′ , and for each αi ∈ F1 , there is a β j ∈ F2 such that fαi (x) = fβj (x).
Now, let α be primitive in F1 . By the previous observation, we know that there is an element
β ∈ F2 such that fβ (x) = fα (x). The isomorphism h : F1 →F2 is determined by h(α) = β.
Since this is an isomorphism, h(αi ) = (h(α))i = β i . The fact that fβ (x) = fα (x) determines
that h(αi + αj ) = h(αi ) + h(αj ) = β i + β j . Let us illustrate the isomorphism with an example.
h(0) = 0
h(1) = 1
h(α) = β5
h(α2 ) = β2
h(α3 ) = β7
h(α4 ) = β4
h(α5 ) = β
h(α6 ) = β6
h(α7 ) = β3
2.8. BCH CODES 91
2.8.1 Let p be a prime. Prove that pb − 1 divides pb − 1 if and only if b′ divides b.
2.8.2 Find all the subfields of GF (16) and GF (64).
2.8.3 Consider the field GF (q), q = pb , and let GF (q ′ ) be a subfield of GF (q), q ′ = pb and
b′ divides b. Let β and β ′ be two elements in GF (q).
1. If β and β ′ are conjugates, prove that Sβ (q ′ ) = Sβ ′ (q ′ ).
2. If β and β ′ are not conjugates, prove that Sβ (q ′ ) ∩ Sβ ′ (q ′ ) = ∅.
2.8.4 Consider the field GF (q), q = pb , and let GF (q ′ ) be a subfield of GF (q), q ′ = pb and
b′ divides b.
1. Let a ∈ GF (q). Prove that a ∈ GF (q ′) if and only if aq = a.
2. Let f (x) be a polynomial with coefficients in GF (q). Prove that the coefficients of
′ ′
f (x) are in GF (q ′ ) if and only if f (xq ) = (f (x))q .
3. Let f (x) be a polynomial with coefficients in GF (q ′ ) and let β ∈ GF (q). Prove that if
f (β) = 0, then f (γ) = 0, for any γ ∈ Sβ (q ′ ).
4. Let β ∈ GF (q). Prove that the coefficients of the polynomial
fβ (x) = (x − γ) (2.67)
γ ∈Sβ (q′ )
are in GF (q ′ ).
5. Let β, γ ∈ GF (q). Prove that either fβ (x) = fγ (x) or gcd(fβ (x), fγ (x)) = 1.
2.8.5 Let β ∈ GF (q). Consider the polynomial fβ (x) given by (2.67). Assume that g(x) is
a polynomial with coefficients in GF (q ′ ) and g(β) = 0. Prove that fβ (x) divides g(x).
2.8.6 Find the dimensions of the binary BCH codes of length 31 with designed distances
3, 4, 5, 6, 7, 8 and 9.
2.8.7 Consider GF (16) generated by the primitive polynomial 1 + y + y 4 (Problem 2.2.6),
and the [15, 5] BCH code with designed distance 7 (Example 2.8.4). Decode the received
r = (1 0 1 0 1 0 1 0 0 1 1 1 0 0 0),
which in polynomial form is
Problem 2.8.1
Dividing b by b′ and finding the residue, we can write b = lb′ + r, where 0 ≤ r < b′ .
Now, notice that
pb − 1 = plb +r − 1
= pr ((pb )l − 1) + pr − 1
′ ′ ′
= pr (p(l−1)b + p(l−2)b + · · · + 1)(pb − 1) + pr − 1,
this last equality by Problem 2.5.1. Since r < b′ , then pr − 1 < pb − 1, therefore, by Euclid’s
′ ′
algorithm, pr − 1, is the residue of dividing pb − 1 by pb − 1. Thus, pb − 1 divides pb − 1 if
and only if pr − 1 = 0, if and only if r = 0, if and only if b′ divides b.
Problem 2.8.2
Let us start with GF (16) = GF (24 ). The subfields of GF (24) are all those GF (2b ) such that
b divides 4. The divisors of 4 are 1, 2 and 4 itself, so the subfields of GF (16) are GF (2),
GF (4) and GF (16) itself. Let us look at GF (4). If α is a primitive element in GF (16),
then α5 is a primitive element in GF (4) when taken as a subfield of GF (16). Therefore,
GF (4) = {0, 1, α5 , α10 }.
Similarly, GF (64) = GF (26 ). The subfields of GF (26) are all those GF (2b ) such that b divides
6. The divisors of 6 are 1, 2, 3 and 6 itself, so the subfields of GF (64) are GF (2), GF (4),
GF (8) and GF (64) itself. If α is a primitive element in GF (64), then α21 is a primitive
element in GF (4) and α9 is a primitive element in GF (8) when GF (4) and GF (8) are taken
as subfields of GF (64). Therefore,
Problem 2.8.3
Consider the field GF (q), q = pb , and let GF (q ′ ) be a subfield of GF (q), q ′ = pb and b′ divides
b. Let β and β ′ be two elements in GF (q).
′ ′ 2 ′ i ′ j ′ (b/b′ )−1
Sγ (q ′ ) = {γ, γ q , γ (q ) , . . . , γ (q ) , . . . , γ (q ) , . . . , γ (q ) }
2.8. BCH CODES 93
(q ′ )i (q ′ )j
where β = γ and β ′ = γ for, say, 0 ≤ i < j ≤ (b/b′ ) − 1. So,
′ ′ 2 ′ (b/b′ )−1
Sβ (q ′ ) = {β, β q , β (q ) , . . . , β (q ) }
′ ′ (b/b′ ) ′ (b/b′ )+1 ′ (b/b′ )+i−1
(q ′ )i (q ′ )i+1 (q ′ )(b/b )−1
= {γ ,γ ,...,γ , γ (q ) , γ (q ) , . . . , γ (q ) }
(q ′ )i (q ′ )i+1 (q ′ )(b/b )−1 q′ (q ′ )i−1
= {γ ,γ ,...,γ , γ, γ , . . . , γ },
′ (b/b′ )
since γ (q ) = γ. Therefore, Sβ (q ′ ) = Sγ (q ′ ), and similarly, Sβ ′ (q ′ ) = Sγ (q ′ ), proving
the assertion.
Problem 2.8.4
1. Assume that a ∈ GF (q ′). If a = 0, certainly 0q = 0. If a 6= 0, then GF (q ′ ) − {0} is a
′ ′
multiplicative group of order q ′ − 1, and aq −1 = 1, therefore, aq = a.
Conversely, assume that aq = a, which is certainly satisfied for a = 0. Now, consider
the q ′ − 1 non-zero elements in GF (q ′ ). They constitute a (unique) subgroup of the
cyclic multiplicative group GF (q) − {0}. This subgroup GF (q ′ ) − {0} has order q ′ − 1
(remember, q ′ − 1 divides q − 1). Now, if we take a 6= 0, then aq −1 = 1, so a ∈
GF (q ′ ) − {0}. Thus, the set of elements a such that aq = a coincides with GF (q ′).
2. Let f (x) = m i
i=0 ai x . Since the field has characteristic p, taking powers of p is a
distributive (or linear) operation on sums. Therefore,
X m
X ′
q′ i q′ ′
(f (x)) = ( ai x ) = aqi (xq )i
i=0 i=0
q′ ′
f (x ) = ai (xq )i
So, f (xq ) = (f (x))q , if and only if aqi = ai for 0 ≤ i ≤ m, if and only if ai ∈ GF (q ′ ) by
′ ′
′ i ′ i
f (γ) = f (β (q ) ) = (f (β))(q ) = 0.
′ Y ′
(fβ (x))q = ( (x − γ))q
γ ∈Sβ
Y ′ ′
= (xq − γ q )
γ ∈Sβ
Y ′
= (xq − γ)
γ ∈Sβ q′
Y ′
= (xq − γ) (Problem 2.8.3)
γ ∈Sβ
= fβ (xq ),
Problem 2.8.5
If g(β) = 0, then g(γ) = 0 for any γ ∈ Sβ (q ′ ) by Problem 2.8.4, part 3. So, x − γ divides g(x)
for every γ ∈ Sβ (q ′ ), therefore, fβ (x) divides g(x). This shows that fβ (x) as given by (2.67)
is the minimal polynomial of β with respect to GF (q ′ ).
Problem 2.8.6
Let us write down the conjugacy sets of the non-zero elements in GF (32). Since α31 = 1, we
S1 (2) = {1}
Sα (2) = {α, α2 , α4 , α8 α16 }
2.8. BCH CODES 95
Sα3 (2) = {α3 , α6 , α12 , α24 , α17 }
Sα5 (2) = {α5 , α10 , α20 , α9 , α18 }
Sα7 (2) = {α7 , α14 , α28 , α25 , α19 }
Sα11 (2) = {α11 , α22 , α13 , α26 , α21 }
Sα15 (2) = {α15 , α30 , α29 , α27 , α23 }
This means, each minimal polynomial fαi (x) has degree 5.
For designed distance 3, since the roots are α and α2 , g(x) = fα (x), thus, the BCH code has
dimension 31 − 5 = 26.
For designed distance 4, since the roots are α, α2 and α3 , g(x) = fα (x)fα3 (x), thus, the
BCH code has dimension 31 − 10 = 21. The same is valid for designed distance 5, since
fα4 (x) = fα (x).
For designed distance 6, g(x) = fα (x)fα3 (x)fα5 (x), thus, the BCH code has dimension 31 −
15 = 16. The same is valid for designed distance 7, since fα6 (x) = fα3 (x).
For designed distance 8, g(x) = fα (x)fα3 (x)fα5 (x)fα7 (x), thus, the BCH code has dimension
31 − 20 = 11. The same is valid for designed distance 9, since fα8 (x) = fα (x).
Problem 2.8.7
The syndromes are
S1 = R(α) = α14
S2 = R(α2 ) = α13
S3 = R(α3 ) = α6
S4 = R(α4 ) = α11
S5 = R(α5 ) = 1
S6 = R(α6 ) = α12
Applying Euclid’s algorithm, we obtain
c = (1 0 0 1 1 0 1 0 1 1 1 1 0 0 0).
0 0 0 1 0 1 1 0 0 0 0 0 0 0 0
0 0 0 0 0 0 1 1 1 1 0 0 0 0 0
1 0 0 0 0 0 0 0 0 0 0 0 1 0 0
There is a relationship between the burst-correcting capability of a code and its redundancy.
This relationship is called the Reiger bound and is presented next.
Theorem 2.9.1 (Reiger Bound) Let C be an [n, k] linear code over a field GF (q) that
can correct all bursts of length up to l. Then 2l ≤ n − k.
Proof: Recall that the total number of syndromes is q n−k Consider the q 2l vectors whose
first n − 2l coordinates are zero. Those q 2l vectors have different syndromes. Otherwise, if
two such vectors have the same syndrome, their difference is in the code. This difference is a
burst of length ≤ 2l, which can be viewed as the sum of two bursts of length ≤ l each. These
two bursts of length ≤ l have the same syndrome, a contradiction. Thus, the number of
syndromes corresponding to the q 2l vectors whose first n − 2l coordinates are zero is exactly
q 2l , and this number cannot exceed the total number of syndromes, q n−k .
The result follows. ✷
Cyclic binary codes that can correct bursts were obtained by computer search. A well known
family of burst-correcting codes are the so called Fire codes. For a description of Fire codes
and lists of good binary cyclic burst-correcting codes, we refer the reader to [3, 18]. Here, we
will concentrate on the use of RS codes for burst correction. There are good reasons for this.
One of them is that, although good burst-correcting codes have been found by computer
search, there are no known general constructions giving cyclic codes that approach the
Reiger bound. Interleaving of RS codes on the other hand, to be described below, provides
a burst-correcting code whose redundancy, asymptotically, approaches the Reiger bound.
The longer the burst we want to correct, the more efficient interleaving of RS codes is. The
second reason for choosing interleaving of RS codes, and probably the most important one, is
that, by increasing the error-correcting capability of the individual RS codes, we can correct
multiple bursts, as we will see. The known cyclic codes are designed, in general, to correct
only one burst.
Let us start with the use of regular RS codes for correction of bursts. Let C be an [n, k] RS
code over GF (2b ) (i.e., b-bit bytes). If this code can correct s bytes, in particular, it can
correct a burst of length up to (s − 1)b + 1 bits. In effect, a burst of length (s − 1)b + 2 bits
may affect s + 1 consecutive bytes, exceeding the byte-correcting capability of the code. This
happens when the burst (s − 1)b + 2 bits starts in the last bit of a byte. How good are then
RS codes as burst-correcting codes? Given a binary [n, k] that can correct bursts of length
up to l, we define a parameter, called the burst-correcting efficiency of the code, as follows:
el = (2.68)
Notice that, by the Reiger bound, el ≤ 1. The closer el is to 1, the more efficient the code
is for correction of bursts. Going back to our [n, k] RS code over GF (2b ), it can be regarded
as an [nb, kb] binary code. Assuming that the code can correct s bytes and its redundancy
is n − k = 2s, its burst-correcting efficiency is
(s − 1)b + 1
e(s−1)b+1 = .
Notice that, for s→∞, e(s−1)b+1 →1, justifying our assertion that for long bursts, RS codes
are efficient as burst-correcting codes. However, when s is large, there is a problem regarding
complexity. It may not be practical to implement a RS code with too much redundancy. An
alternative would be to implement a 1-byte correcting RS code interleaved s times. Given
an [n, k] code interleaved m times, the scheme looks as follows:
If C 1 has minimum distance d1 and C 2 has minimum distance d2 , it is easy to see that the
product code, that we denote C 1 × C 2 , has minimum distance d1 d2 (Problem 2.9.1).
In general, the symbols are read out in row order (although other readouts, like diagonal
readouts, are also possible). For encoding, first the column redundant symbols are obtained,
and then the row redundant symbols. For obtaining the checks on checks ci,j , k1 ≤ i ≤ n1 −1,
k2 ≤ j ≤ n2 − 1, it is easy to see that it is irrelevant if we encode on columns or on rows
first.If the symbols are read in row order, normally C 1 is called the outer code and C 2 the
inner code. For decoding, there are many possible procedures. The idea is to correct long
bursts together with random errors. The inner code C 2 corrects first. In that case, two events
may happen when its error-correcting capability is exceeded: either the code will detect the
error event or it will miscorrect. If the code detects an error event (that may well have been
caused by a long burst), one alternative is to declare an erasure in the whole row, which
will be communicated to the outer code C 1 . The other event is a miscorrection, that cannot
be detected. In this case, we expect that the errors will be corrected by the error-erasure
decoder of the outer code.
Another alternative is to use part of the power of the inner code to correct and the rest to
detect. If the channel is dominated by long bursts, we might want to increase the detection
capability of the inner code and its ability to declare erasures to the outer code. In that
case, the task of the outer code is facilitated, since it can correct roughly double the number
of erasures as errors. Then the outer code will correct errors together with erasures. Finally,
we can use the inner code once more, this time with full correction capability, to wipe out
any remaining errors left out by the outer code.
The methods described above concentrate on correcting bursts. Let us point out that there
are methods to decode product codes up to the full minimum distance [3].
Product codes are important in practical applications. For instance, the code used in the
DVD (Digital Video Disk) is a product code where C 1 is a [208, 192, 17] RS code and C 2 is a
[182, 172, 11] RS code. Both RS codes are defined over GF (256), where GF (256) is generated
by the primitive polynomial 1 + x2 + x3 + x4 + x8 .
2.9.1 Let C 1 and C 2 be linear codes with minimum distance d1 and d2 respectively. Prove
that the minimum distance of C 1 × C 2 is d1 d2 .
Problem 2.9.1
Take a non-zero codeword in C 1 × C 2 and consider a row that is non-zero, say row i. Let the
non-zero coordinates in row i be j1 , j2 , . . . , jl . Since, in particular, row i is a codeword in C 2 ,
then l ≥ d2 . Also, each of the columns j1 , j2 , . . . , jl corresponds to a non-zero codeword in
C 1 , thus, each of those columns has weight at least d1 . So, adding the weights of columns
j1 , j2 , . . . , jl , we have at least d1 l ≥ d1 d2 1’s.
