Lattices, Linear Codes, and Invariants, Part II Noam D

fea-elkies-2.qxp 10/19/00 2:44 PM Page 1382

Lattices, Linear Codes, and Invariants, Part II Noam D. Elkies

n Part I of this article we introduced “lattices” As was true of Part I, there is little if any of the L Rn and described some of their relations mathematics described herein for whose discov- with other branches of mathematics, focus- ery I can claim credit. The one possible exception ing on “theta functions”. Those ideas have a is the use of theta functions near the end to relate natural combinatorial analogue in the theory the occurrences of the groups SL2(Z/pZ) and Iof “linear codes”. This theory, though much more SL (Z) in the functional equations for weight enu- 2 recent than the study of lattices, is more accessi- merators and lattices respectively; I know of no ble, and its numerous applications include the published statement of this observation, though construction and analysis of many important lat- it may well be common knowledge in some circles. tices. All other results and ideas I have attributed when A lattice L is a special kind of subgroup of the their source is known to me, and I apologize in ad- additive group Rn; in Part I we associated to L a vance for any mis- or missing attribution. theta function, which is a generating function for the lengths of the vectors of L. A linear code C, to Sphere Packing in Hamming Space: Error- be defined below, is a subgroup of a finite addi- correcting Codes tive group Fn. Analogous to the theta functions of Most of the problems and ideas concerning sphere lattices are “weight enumerators” of codes, which packing have natural, and often more tractable, dis- are generating functions for the coordinates of el- crete analogues in the theory of error-correcting ements of C. We shall see how most of the uses codes (ECCs). Though easier in many ways than the and properties of theta functions that we described sphere-packing problem, the theory of ECCs is in Part I have counterparts in the setting of weight much more recent: its systematic development enumerators. In particular, just as the theta func- began only with R. W. Hamming’s 1947 paper.1 In tion L() associated to a “self-dual lattice” L is in- our digital age, ECCs are ubiquitous wherever there variant under certain fractional linear transfor- is information to reliably store or transmit; appli- mations of the variable , we shall encounter cations range from the familiar compact disc in “self-dual codes” C with weight enumerators in- one’s computer or stereo to close-up photographs variant under certain linear transformations of of Jovian moons sent back to Earth with a trans- the variables. This invariance yields much infor- mitter too weak to power a lightbulb. The theo- mation about C, and about an associated self-dual retical study of ECCs has also led to surprisingly lattice LC and its theta function. varied and deep mathematics, including for instance orthogonal polynomials and arithmetic Noam D. Elkies is professor of mathematics at Harvard algebraic geometry. In the present exposition we University. His e-mail address is elkies@math. concentrate on the connections with sphere pack- harvard.edu. ings, particularly as regards theta functions and Part I of this article—concerning lattices, lattice packings their discrete analogues. of spheres, theta functions, and modular forms—appeared in the November 2000 issue of the Notices, pages 1Hamming’s work is discussed in the memorial article 1238–1245. about him in the September 1998 Notices.

1382 NOTICES OF THE AMS VOLUME 47, NUMBER 11 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1383

P n To see ECCs as discrete sphere packings, we number of 1’s (equivalently, such that i=1 ai is must specify the metric space containing our even; here =2). A more interesting example is the n spheres. The space will be F , i.e., the set of ordered extended Hamming code H8, in which F = {0, 1} n-tuples of elements of a finite set F, for some again, n =8, and H8 consists of the words choice of F and n. In the ECC context, such n-tuples are often called words of length n, with 00000000, 00001111, 00110011, 00111100, letters drawn from an alphabet F. To assure that 01010101, 01011010, 01100110, 01101001, |Fn| > 1 (so that a word contains some informa- and their ones’ complements tion), we assume |F| > 1 and n>0. The set Fn itself is called Hamming space and is given a met- 11111111, 11110000, 11001100, 11000011, ric structure by the Hamming distance d( , ) de- 10101010, 10100101, 10011001, 10010110. fined thus: The distance between words a =(a1,... ,an) and b =(b1,... ,bn) is Thus |H8| =16, and one may check that =4. All these codes are known to have maximal size for d(a, b):=#{i | 1 i n, ai =6 bi}. their respective F, n, and . We shall again encounter each of these important codes, and espe- That is, d(a, b) is the number of single-letter cially H8, several times. changes (“errors”) one must make to get from a n to b. A code is then just a nonempty subset CF . Linear Codes The minimal (nonzero) distance of a code is The discrete analogue of a lattice is a linear code. (C) := min d(a, b). A linear code is a vector subspace of Hamming a,b∈C space Fn. For Fn to have the structure of a vector 6 a=b space, F must be a (finite) field, such as Z/pZ for 2 In the degenerate case |C| =1, we set (C)=n +1. some prime p. For instance, if in the previous In the standard application to error-resistant paragraph F is always chosen to be a field (so that { } Z Z { } data storage or transmission, the words that can in particular 0, 1 is identified with /2 ), and 0 be stored or transmitted are those in C, rather is chosen for the single-word code, then each of than arbitrary words in Fn. A code C with minimal the codes in that paragraph is linear. Henceforth distance is then said to detect 1 errors, and F will denote a finite field. to correct b( 1)/2c errors. This is because if The powerful framework of linear algebra makes some information is stored or sent as a word of C, it possible to work with codes much larger than and this word is changed in at most 1 coordi- would be accessible otherwise, since a linear code | |k nates, the resulting word cannot be in C, and thus of size F can be specified by only k basis words. cannot be the word originally intended; moreover, The minimal distance also simplifies somewhat: ∈ n if at most b( 1)/2c letters were changed, then the for any a, b F , we have d(a, b)=d(a b, 0) ; if original word is still uniquely determined, else by a, b are in a linear code, then so is a b, whence ∈C the triangle inequality C would contain two words is the minimum of d(c,0) over all nonzero c . n at distance at most 1. Equivalently, an e-error- For any c ∈ F , the distance d(c,0) is the number correcting code is a code C such that the (closed) of nonzero coordinates of c, a number known as n Hamming spheres Be(a):={x ∈ F | d(a, x) e} of the Hamming weight of c and denoted by wt(c). common radius e about the codewords a ∈Care Thus for a linear code is the minimum (nonzero pairwise disjoint. Such a code detects 2e errors and Hamming) weight. The basic problem for linear has minimal distance at least 2e +1. ECCs thus becomes: what is the maximum dimen- The basic problem of error-correcting codes is: sion of a linear code if its length, the size of the al- what is the maximum size of a code if its length, phabet, and a lower bound on the minimum weight the size of the alphabet, and a lower bound on the are given? minimal distance are given? That is, how efficiently As is the case for sphere packings, for most val- can we encode information while detecting or cor- ues of (|F|,n,) one cannot at present hope to recting a given number of errors? This is also a nat- solve the problem exactly or even asymptotically, ural mathematical problem, asking how many only to give upper and lower bounds. Many of the points can be packed into Fn without any two com- bounds for codes are analogous to sphere-packing ing closer than to each other. Naturally, the smaller is, the larger C can get, and conversely. 2It is a fundamental theorem of E. H. Moore that a set of At the extreme ends are C = Fn itself (maximal ef- q>1 elements can be given the structure of a field if and only if q is a power of a prime; in the vast majority of “real- ficiency but no error correction), and |C| =1(max- world” applications of ECCs, q is a power of 2, often ei- imal but no information). Other simple examples ther 2 itself or 256 = 28, but other choices of q are also | | are the repetition code, consisting of the F words important in the mathematical theory. A finite field of q all of whose letters are the same (with = n), and elements is often called “GF(q)”; the “GF” stands for the parity check code, for which F is {0, 1} and C “Galois field” , in tribute to Galois who first studied finite consists of the 2n 1 words a with an even fields in this generality.

DECEMBER 2000 NOTICES OF THE AMS 1383 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1384

bounds. For instance, the Minkowski bound be- Weight Enumerators comes the Gilbert-Varshamov bound, and can be Once more in analogy with the sphere-packing sit- C proved in the same simple way: increase by one uation, we can gain some understanding of the dif- word at a time subject to the condition that no two ficult problem of the minimal weight of a linear words come closer than . Once no room is left, code by introducing generating functions for the the open balls of radius centered at C must much harder problem of the distribution of the cover Fn. Each of these balls contains the same weights or coordinates of all the codewords. These number of points, say V . Thus |C| |F|n/V . generating functions are called weight enumera- Warning: the formula ! tors, and are homogeneous polynomials of degree X1 n in several variables. The complete weight enu- n | | r V = ( F 1) merator is a polynomial cweC with integer coeffi- r r=0 cients in |F| variables Xa, with a ∈ F and Xa ∈ C. for the size of an open ball of radius r in Hamming It is defined as follows: X Yn is more complicated than the formula for the vol- cweC(X):= X . ume of a ball in Euclidean space. Thus the result- ci c∈C i=1 ing lower bound Ve/V2e for the packing density of Q na radius-e Hamming spheres does not simplify to That is, cweC is the polynomial whose a∈F Xa n 2 . One can, however, use Stirling’s formula to ob- coefficient is the number of codewords with n0 tain asymptotic formulas for Ve/V2e for large n. zero coordinates, n1 coordinates of 1, etc. Other In the setting of sphere packings, we reported weight enumerators can be obtained as special- in Part I that the Minkowski bound also holds for izations of cweC. For instance, for the weight dis- lattice packings, and indeed for average lattice tribution of C we are concerned only with the packings. Likewise here the Gilbert-Varshamov number of zero and nonzero coordinates in each bound holds for linear codes, and indeed for a codeword. We thus introduce the Hamming weight positive proportion of linear codes. (Here there enumerator hweC(X,Y). This is the homogeneous are only finitely many C for each choice of polynomial of degree n in two variables obtained C (F,n,dim ), so there is no difficulty in defining from cweC by setting Xa = Y for each nonzero this average.) It is even rather easy to prove that a ∈ F and by setting X0 = X. Equivalently, a randomly chosen code satisfies the Gilbert- X nwt(c) wt(c) Varshamov bound with positive probability. But, hweC(X,Y):= X Y again as with lattice packings, it is easy to choose c∈C a “random” code that almost certainly comes within Xn nm m a small factor of satisfying the Gilbert-Varshamov = Nm(C)X Y , bound, but hard to prove such an estimate be- m=0 cause no computationally feasible way is known where Nm(C) is the number of codewords of weight to find the minimal weight of a general linear code. m. For linear codes over a fixed field F, unlike sphere We illustrate these definitions with the weight packings, one can do much better than random for enumerators of the codes introduced earlier: | | 2 arbitrarily large n, as long as F = q1 for an inte- C { } n • if = 0 then cweC(X)=X0 and ger q1 7 and /n ∈ (a(q1),b(q1)) for certain n hweC(X,Y)=X ; P a(q1),b(q1) ∈ (0, 1). These are the famed “Goppa n n • if C = F then cweC(X)=( ∈ X ) and codes” , obtained by applying V. D. Goppa’s a F a hweC(X,Y)=(X +(|F|1)Y )n; construction to “modular curves” over F; again n • if C is theP repetition code in F then considerable machinery from number theory and n cweC(X)= ∈ X and hweC(X,Y)= algebraic geometry is needed to prove that these a F a Xn +(|F|1)Y n . codes improve on the Gilbert-Varshamov bound. Z Z These matters are discussed in [TV], esp. pages If F = /2 then the complete and Hamming 350ff. But when (|F|, /n) is outside the range weight enumerators are the same polynomial with where Goppa codes are known to improve on the the variables differently named; we call this poly- Gilbert-Varshamov bound, we face the same em- nomial simply WC . We then have: barrassment that afflicted us in the sphere- • The weight enumerator of the parity-check n n packing context. For instance, if F = Z/2Z and code of length n is ((X + Y ) +(X Y ) )/2; = n/4 for some large n, it is known that there • the extended Hamming code H8 has weight 8 4 4 8 exist linear codes whose dimension is at least enumerator WH8 (X,Y)=X +14X Y + Y . 3 In Part I of this article, we associated to any lat- ( 4 log2 3 o(1))n =(.1887 ... o(1))n, but we can- n not exhibit one and prove that it works, even tice L R a similar generating function L en- though a randomly chosen code of that dimension coding the squared lengths of lattice vectors. This has minimum weight n/4 with probability generating function, called the theta function of L, almost 1. is defined by

1384 NOTICES OF THE AMS VOLUME 47, NUMBER 11 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1385

X X (x,x) m C(z):= z =1+ N (C)z . (This identity can be proved even when F is a fi- m Z Z x∈C m>0 nite field other than /p ; the cweC identity also has a generalization to arbitrary finite fields.) Note We noted various identities satisfied by theta func- that the weight enumerators we obtained for {0} tions. Weight enumerators of codes satisfy analo- and Fn, and for the repetition and parity-check gous identities. Like theta functions, they are codes over Z/2Z, do in fact satisfy these identities; multiplicative: the direct sum of any two linear 8 4 4 8 so does WH8 (X,Y)=X +14X Y + Y , which is C n1 C n2 codes 1 F and 2 F is a linear code multiplied by 24 under the linear transformation n +n C1 C2 R 1 2 , with complete weight enumera- (X,Y) 7→ (X + Y,X Y ). tor given by Applications of the MacWilliams identity include upper bounds on |C| for given n and . The cweC1C2 (X) = cweC1 (X) cweC2 (X). coefficients Nm(C) of hweC are constrained on the The same relation thus holds for the Hamming one hand by Nm(C) 0, N0(C)=1, and Nm(C)=0 weight enumerators of C , C , and C C . The for positive m<, and on the other hand by 1 2 1 2 ⊥ identity relating the theta functions of a lattice with Nm(C ) 0. For C of given size |C| , the C⊥ its dual also has an analogue here, obtained by MacWilliams identity expresses each Nm( ) as a C F. J. MacWilliams; it relates the weight enumerators linear combination of the Nm( ). If is large of a code C with its dual code enough the resulting linear constraints cannot all be simultaneously satisfied. For instance, if ⊥ C := {a ∈ Fn | (a, c) = 0 for all c ∈C}. (|F|,n,|C|)=(2, 8, 16) , one can calculate that 4, with equality only if N (C)=N (H ) for m m 8 Here ( , ) is the nondegenerate symmetric bilin- each m. These inequalities, generalized by J. Del- n ear pairing on F taking values in F, defined by sarte to nonlinear codes, are the source of most Xn of the best upper bounds known on |C| for large (a, c):= aici. n and . i=1 C⊥ C Self-dual Binary Codes and Their Weight Thus is a linear code of dimension n dim , Enumerators with (C⊥)⊥ = C. For example, the codes {0} and Fn As with lattices, it is for self-dual codes such as H are each other’s dual; over Z/2Z, so are the repe- 8 that the MacWilliams identity gives the most de- tition and parity-check codes of the same length, tailed information on N (C). Consider for instance while H is its own dual. There is a discrete ana- m 8 the case F = Z/2Z. We saw in this case that cweC logue of the Poisson summation formula that re- and hweC are the same polynomial, and called this C n → C ⊥ lates the sum over of a function f : F with polynomial WC . If C = C then |C| =2n/2 . Thus the sum over C⊥ of the “discrete Fourier transform” b the identity between WC and WC⊥ becomes the f of f. For instance, if F = Z/pZ with p prime, then b statement that WC is invariant under the linear we may define f by transformation (X,Y) ↔ 21/2(X + Y,X Y ) , X which reflects (X,Y) about the line Y = (tan /8)X fb(a):= f (c)e2i(a,c)/p, (since it rotates (X,Y) counterclockwise by /4 c∈F n and then reflects about the line X = Y). Since C is and discrete Poisson summation is the identity self-dual, (c,c)=0for each word c ∈C, and thus X X 3 1 b the weight of each word c is even. Therefore WC f (c)= ⊥ f (a). is invariant also under the reflection |C | ⊥ c∈C a∈C (X,Y) ↔ (X,Y ) in the Y-axis. These two reflec- P tions generate the 16-element dihedral group D16 . Now cweC(X) is just ∈C f (c) for the choice Q c Q A. M. Gleason determined the ring of polynomials n b n b f (c):= i=1 Xci . Then f (a)= i=1 Xai where in (X,Y) invariant under this group: it is generated X by two homogeneous polynomials, the quadratic b 2iac/p Xa := e Xc . X2 + Y 2 and the degree-8 polynomial cmodp (XY(X2 Y 2))2 vanishing to order 2 on each of the ∈ Z Z From discrete Poisson summation, we deduce the four lines Y/X = tan k/4, k /4 . See Figure 1. MacWilliams identity for complete weight enu- Thus we have Gleason’s theorem for self-dual codes C over the two-element field: WC must be a merators: 2 2 1 weighted-homogeneous polynomial in X + Y and ⊥ b 2 2 2 2 2 cweC(X)= |C⊥| cweC (X), (XY(X Y )) . For example, X + Y is the enumerator of the repetition code of length 2 (which from which follows the MacWilliams identity for is also the parity check code of the same length, Hamming weight enumerators: 3We remark parenthetically that c has even weight if 1 n ⊥ | | and only if it is orthogonal to the all-1’s word 1 , whence hweC(X,Y)= ⊥ hweC (X +( F 1)Y, X Y ). ⊥ |C | 1n ∈C = C.

DECEMBER 2000 NOTICES OF THE AMS 1385 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1386

G1 is a unitary linear transformation, pre- 2 2 serving the Hermitian form |X| + |Y | ; thus G1 is contained in the unitary group U2(C), and the corresponding transformations z 7→ (az + b)/(cz + d) act on S by orientation-preserving isometries. The generators k z 7→ (1 + z)/(1 z) and z 7→ i z of G1 each per- mute the real axis, the imaginary axis, and the unit circle |z| =1; thus the same is true of G1. On the Riemann sphere S, the two axes and the unit circle become three pairwise orthogonal great circles. Thus G1 acts on S as a subgroup of the group of orientation-preserving symmetries of the regular octahedron whose vertices are the pairwise intersections of these great circles. See Figure 2. It is known that these symmetries constitute a group isomorphic with the symmetric group Sym4 on 4 letters.6 One readily checks that the resulting homomorphism from G1 to Sym4 is surjective. The kernel of the map G1 → Sym4 is the group 2 2 2 Figure 1. The graph of the function (XY(X Y )) with domain the of scalar matrices in G1. Since the determi- unit disk. The lines of the zero locus are shown in bold. The graph is nant of each element of g is a power of i (again invariant under the 16-element symmetry group of a regular octagon. this can be checked on the generators), these scalars must be 8-th roots of unity, and again

and is thus self-dual), while WH8 can be written as one can check that each 8-th root occurs. Thus G1 (X2 + Y 2)4 4(XY(X2 Y 2))2 . is a group of order 8 4! = 192. The code H8 satisfies a further constraint: all Since G1 contains the 8-th roots of unity, any its codewords have weight divisible by 4. Such a polynomial invariant under G1 must have degree code over Z/2Z is said to be doubly even. For any divisible by 8. Thus the length n of any doubly even self-dual code C (or a code contained in its dual) self-dual code is a multiple of 8. The ring of all G1- Z Z 7→ 1 invariant polynomials was again determined by over /2 , the map : c 2 wt(c) mod 2 is a homomorphism from C to Z/2Z, and the code is Gleason. It too is generated by two homogeneous 4 4 4 doubly even if and only if is the zero homo- polynomials, this time WH8 and (XY(X Y )) . Geometrically, the points z = Y/X where W van- morphism, a condition that can be checked on H8 ishes are the centers of the 8 faces of our octahe- generators of the code.4 In terms of WC , the con- dron, which are vertices of a cube inscribed in S, dition that C be doubly even is while (XY(X4 Y 4))4 has quadruple zeros at the WC(X,Y)=WC(X,iY). Thus if C is also self-dual six vertices of the octahedron. So, for instance, a then WC must be invariant under the group G gen- 1 doubly even self-dual code C with minimal distance erated by (X,Y) 7→ (X,iY) together with D . 16 at least 8 must have length n 24, and if n =24 This group can no longer be visualized in the then R2 real plane , so instead we consider its action on 3 4 4 4 1 WC = W 42(XY(X Y )) the ratio z = Y/X in the complex plane C . The lin- H8 ab ∈ 24 16 8 12 12 ear transformation ( cd) G1 acts on z by the = X + 759X Y + 2576X Y fractional linear transformation z 7→ + 759X8Y 16 + Y 24. (az + b)/(cz + d) . Since the denominator may vanish, we must consider z as an element of the In particular, C must contain exactly 759 words of Riemann sphere S = C ∪ {∞}.5 Each generator of its minimal weight 8. It turns out that such a code exists, and is 4In Part I an integral lattice was defined to be a lattice L unique up to coordinate permutations: the re- 7 such that (x, y) is an integer for all x and y in L. Such markable extended Golay code G24 , found by a lattice was defined to be even if the length of every vector is the square root of an even integer. The role of “even” in this situation mirrors that of “doubly even” for 6The four objects permuted are the opposite pairs of faces linear codes. In particular, an integral lattice is even if and of the octahedron; the homomorphism Sym4 → Sym3 is only if it is generated by vectors the square of whose then obtained from the permutation action on the three length is even. great circles, or equivalently on the three opposite pairs 5The Riemann sphere arises naturally as the complex of vertices of the octahedron. projective line P1(C)=(C2 {0})/C , since linear 7More properly, the “extended binary Golay code”, since transformations act linearly on C2 and commute with the there is also an “extended ternary Golay code” 12 multiplicative group C . G12 (Z/3Z) , which we shall encounter later.

1386 NOTICES OF THE AMS VOLUME 47, NUMBER 11 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1387

M. J. E. Golay in 1954. This code can be defined in various ways; for example, G is generated by its 759 minimal words, whose supports constitute the Steiner system of 8-element sub- sets (octads) of a 24-element set, such that each 5-element subset is contained in a unique octad. It is known that this (5, 8, 24) Steiner system is unique, and its automorphism group is the quintuply transitive group M24, the largest of Mathieu’s sporadic simple groups; M24 is thus also the group of permutations preserving G24. By ignoring any one of the 24 coordinates we obtain Golay’s code G23, which has length 23, dimension 12, and minimal distance 7. Thus 23 G23 is a 3-error-correcting code. In (Z/2Z) , a Hamming sphere of radius 3 contains P 3 23 11 r=0 r =. 2048 words, i.e., exactly 2 = 23 |(Z/2Z) | |G23| . Therefore |G23| comprises the centers of a perfect packing of (Z/2Z)23 by radius-3 Hamming spheres! One explicit recipe for G23 is the span of the cyclic shifts of the word Figure 2. Under stereographic projection the images of the real axis, the imaginary axis, and the unit circle are three orthogonal great 11110101100110010100000, circles on the Riemann sphere. The six intersection points are the vertices of a regular octahedron. in which the i-th coordinate is 1 if and only if i is a nonzero square mod 23. The code G24 can groups in the Shephard-Todd list, and their in- be recovered from G23 by appending a “check variant rings, arise with some frequency in some digit” to each word of G23 to make its weight even. branches of mathematics. We have already en- Each of D16 and G1 is a finite subgroup of countered two of the groups in identities satisfied GLn(C) whose ring of invariant polynomials is gen- by weight enumerators of certain self-dual codes. erated by n polynomials. Such a group G GLn(C) Several others also occur in this way, as we shall is said to have free invariant ring (because a set see in the next section. of generators for the G-invariant polynomials is algebraically independent if and only if it has size Some Direct Connections between Weight n.) Other familiar examples are: Enumerators and Theta Functions • {1}GL1(C) , with invariant ring generated 2 The analogy we have drawn between lattices and by X ; linear codes seems particularly tight between self- • more generally, the m-th roots of unity in dual lattices and self-dual codes over Z/2Z, and GL (C), with invariants generated by Xm; and 1 between even self-dual lattices and doubly even the group of permutation matrices in GL (C), • n self-dual codes over Z/2Z. The analogy extends whose invariants are generated by the ele- even to the theta series and weight enumerators. mentary symmetric functions in the coordi- For instance, in the (doubly) even case, the theta nates of Cn. series is in the ring of modular forms for SL (Z), Once n>1, most finite subgroups of GL (C) do not 2 n whose generators have weights corresponding to have free invariant rings; already for n =2, the in- lattices of dimensions 8 and 24; and the weight variant ring of the 2-element group {1}GL2(C) requires 3 generators to account for X2, XY, and enumerator is in the ring of G1-invariant polyno- 2 mials, whose generators again have degrees 8 and Y . The classification of finite G GLn(C) with free invariant rings was completed in 1954 by 24. This apparent coincidence is explained by J. C. Shephard and J. A. Todd, who combined the- N. J. A. Sloane’s “Construction A”, which associates C Z Z n Rn oretical insights with explicit computation. As a to any linear code ( /2 ) a lattice LC , consequence of their theorem, it followed that a whose density, dual lattice, minimal (Euclidean) length,8 and theta function are predictable from finite group G GLn(C) has free invariant ring if C and only if it is generated by complex reflections, the corresponding invariants of . We devote this i.e., r ∈ GLn(C) such that ker(1 r) has dimension 8Inevitably the word “length” is used for both the length n 1. For instance, the automorphism group of the |v| of v ∈ Rn and the dimension of the finite vector root lattice E8 has free invariant ring, because it is space Fn containing C. It will always be clear from con- generated by reflections in the hyperplanes or- text which kind of length is meant at each use of the thogonal to the roots of E8. The complex reflection word.

DECEMBER 2000 NOTICES OF THE AMS 1387 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1388

section to that construction and some of its con- 1/2 1/2 (/i) 0(1/)=2 0()+1() , sequences and variations. 1/2 1/2 The lattice LC comes from integer vectors that (/i) 1(1/)=2 0() 1() . reduce mod 2 to codewords. To make this con- 1/2 sistent with duality, we scale the lattice to multi- That is, the involution () ↔ (/i) (1/) ply all the inner products by 1/2: acts on (0,1) exactly as the MacWilliams involution (X,Y) ↔ 21/2(X + Y,X Y ) does! More- { 1/2 | ∈ Zn ∈C} LC := 2 v v ,vmod 2 . over, the translation 7→ +1 takes (0,1) to (0,i1). Thus if W (X,Y) is any homogeneous poly- We then have: nomial then W ( , ) is a modular form for SL (Z) n/2|C| 0 1 2 • the density of LC is 2 ; if and only if W is invariant under those two lin- • the dual lattice of LC is the lattice LC⊥ associ- ear transformations, and thus under the group G1 ated with the dual code. generated by them. Moreover, W ( , ) is a mod- C 0 1 In particular, LC is self-dual if and only if is, and ular form for the congruence subgroup generated C LC is even if and only if is doubly even. For ex- by ↔1/ and 7→ +2 if and only if W is in- ample, if C is the repetition code of length 2, then variant under the dihedral group D16 generated by R2 9 LC is a self-dual lattice in , and thus isometric (X,Y) ↔ 2 1/2(X + Y,X Y ) and (X,Y) ↔ Z2 with , as can also be seen directly. Likewise LH8 (X,Y ). This explains the “coincidence” involving 8 is an even self-dual lattice in R , and thus iso- dimensions 8 and 24: the basic modular forms metric with E8. This gives a different construction are obtained from the basic D16 or G1 invariants of the E8 lattice. (In this case it is not entirely triv- by substituting for X,Y the forms 0,1 of weight ial to see that the two constructions yield isomet- 1/2. We have already seen this for the theta series 2 ric lattices!) of Z and E8 ; we also have 24 = C 4 4 4 4 4 The theta series of L can be obtained from the 01(0 1) /16 . weight enumerator WC as follows: define 0(z) and 1(z) by Construction of the Leech Lattice X∞ Construction A also figures in Leech’s original con- 2k2 0(z):= z struction of L24, a lattice described but not defined k=∞ in Part I. There we asserted the existence of a L R24 =1+2(z2 + z8 + z18 + ), unique even self-dual lattice 24 with√ all nonzero vectors of length strictly greater than 2, X∞ 2(k+ 1 )2 and reported that this important lattice is, among (z):= z 2 1 other things, central to the classification of sim- k=∞ ple finite groups. The lattice L cannot be LC for 1/2 4 12 24 24 = z (1 + z + z + z + ); any code√ C, because LC has minimal length at most 2. But LG comes close: it is a self-dual even then 24 24 lattice in R , and since G24 has minimal weight LC = WC(0, 1). 8, the only vectors of length < 2 in LG24 are the 1/2 0 scaled unit vectors 2 ei. Let L , then, be the This is not hard to see from the fact that 0 is the index-2 sublattice of LG consisting of those theta series of 21/2Z while can be viewed as the P24 1 1/2 24 1/2 1 2 v ∈ LG for which v is a multiple of 4. theta series of 2 (Z + ). Special cases of this 24P i=1 i 2 24 identity are (This sum i=1 vi is already even for all ∈ 1/2 G G 2 2 2 v 2 L 24 because every word in 24 has even 0 + 1 = Z2 = Z, weight.) Then L0 is a lattice of minimal length at 8 4 4 8 least 2, and in fact exactly 2 because it contains 0 +1401 + 1 = E8 . √ vectors of the form 2 times the sum of two unit 0 24 A consequence either of the formula for LC or of vectors. The density of L is 1/2. Now√ let v1 ∈ R the definition of LC is that be the vector (3, 1, 1, 1,... ,1)/ 8 of length 2. 0 • the minimal length of LC is the square root of We can check that (v,v1) ∈ Z for all v ∈ L , and 1 C ∈ 0 ∈ 0 min 2, 2 ( ) . that 2v1 L while v1 / L . We can now define What then of the Poisson and MacWilliams iden- 0 ∪ 0 tities? Let z = ei as in Part I, with ∈Hand L24 := L (L + v1). Let us see that L24 is unimodular of minimal ():= (ei),():= (ei). L L i i length 2. It is unimodular because it has density 1. Since L24 is an even lattice, it is enough to show The Poisson identity relates L() with L (1/). that it has√ vectors of length 2 but has no vectors Applying this identity to the sums defining i(), 0 we find of length 2. We know already√ that L has vectors of length 2 but not of length 2. Thus√ we need only ∈ 0 | | 9As reported in Part I, for every n< 8 every self-dual lat- check that if v L + v1 then v > 2. But each√ tice in Rn is isometric with Zn. coordinate of v is an odd integer divided by 8,

1388 NOTICES OF THE AMS VOLUME 47, NUMBER 11 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1389

so (v,v) 24/8 > 2. Therefore L24 has minimal When p =3, this condition still depends only on nonzero length 2, as claimed. This construction of wt(c) because a2 =1for both nonzero choices of L24 shows that the Mathieu group M24 is involved a ∈ Z/3Z, and we find that the Hamming weight in the group Co0 = Aut(L24) of isometries of the enumerator hweC(X,Y) is invariant under the Leech lattice; Conway used further properties of group G3 generated by G24 to construct the full group of isometries and (X,Y) 7→ 3 1/2(X +2Y,X Y ) prove that Co0/{1} is a sporadic simple group. and (X,Y) 7→ (X,e2i/3Y ). Construction A , for p = |F|, an Odd Prime p Both these linear maps preserve |X|2 +2|Y |2, and Construction A can be generalized and varied in are thus contained in U2(C) and act by orientation- many ways; the dozen that appear in the index of preserving isometries on the Riemann sphere pa- [CS] under “Construction” are a large but not ex- 1/2 rametrized by z =2 Y/X. We find that G3 acts haustive sample. The simplest variation is “Con- on the sphere by the group of orientation- Z Z Z Z struction Ap”, which replaces /2 by /p for preserving symmetries of the regular tetrahedron√ C Z Z n some odd prime p. To a linear code ( /p ) , with vertices z = ∞ and z = e2ik/3/ 2 for this construction associates the lattice k =0, 1, 2. This group is isomorphic with the al- 1/2 n ternating group Alt (each even permutation of the LC := {p v | v ∈ Z ,vmod p ∈C} 4 vertices arises uniquely), and the kernel of n n/2 in R , with density p |C| and dual lattice LC⊥. G3 → Alt4, which is the group of scalar matrices The theta series of LC can be obtained from the in G3, is the group of 4-th roots of unity. Thus if complete weight enumerator of C: C(Z/3Z)n is a self-dual code then n is a multi- (p) (p) (p) ple of 4. It turns out that G3, like G1, is a complex LC = cweC(0 , 1 ,... ,p1), reflection group, this time with invariant ring generated by polynomials of degrees 4 and 12. Once where for m mod p we have more, Gleason gave explicit generators: X4 +8XY3 , X with simple zeros at the vertices of our tetrahedron, (p) k2/p m (z):= z . and Y 3(X3 Y 3)3 , with√ triple zeros at the vertices k∈Z 2ik/3 kmmodp z =0 and z = e 2 of the dual tetrahedron. Recall that in the case of self-dual doubly even Under our usual substitution z = ei, each of codes in (Z/2Z)n the Gleason generators were (p) (p) these m becomes a modular form m of weight nicely explained by the Hamming and Golay codes G 1/2 for the congruence subgroup p SL2(Z) con- H8 and 24. There are analogous self-dual codes n sisting of matrices in congruent to ( 10) mod p. in (Z/3Z) . The “tetracode”, generated by 1110 01 4 3 By summing over k instead of k we may see that and 0121, has weight enumerator X +8XY . If a (p) (p) self-dual code C(Z/3Z)n has minimal distance m = m. Thus if p =3the theta series of LC still depends only on the Hamming weight enumerator 6 then n must be at least 12, and if n =12 then of C: hweC must be (3) (3) LC = hweC(0 , 1 ). (X4 +8XY3)3 24Y 3(X3 Y 3)3 For any p, the generators of behave nicely on the 12 6 6 3 9 12 (p) 2 = X + 264X Y + 440X Y +24Y . modular forms m : since each exponent k /p is congruent to m2/p mod 1, we have Once more Golay found a code G12 with this weight (p) 2i m2 (p) enumerator; like the tetracode, it is unique up to ( +2)=e p (); m m signed coordinate permutations. There is a strong and Poisson summation yields analogy between the codes G12 and G24: the supports of the minimal nonzero words in G12 con- 1/2 (p) stitute a Steiner (5, 6, 12) system, whose (/i) m (1/) X automorphism group is Mathieu’s quintuply tran- 1/2 2ijm/p (p) = p e j (). sitive sporadic Mathieu group M12. Ignoring any j modp one coordinate yields a code G11 of length 11, dimension 6, and minimal distance 5. Thus G is a So, as with p =2, we see that () ↔ 11 (p) 2-error-correcting code. As with G , the resulting (/i)1/2(1/) acts on the as p1/2 times 23 m packing of Hamming spheres is perfect, since each the discrete Fourier transform, i.e., by the linear P . 2 r 11 C radius-2 sphere contains exactly r=0 2 r = transformation that leaves cweC invariant if is 5 | Z Z 11| |G | 7→ 243 = 3 = ( /3 ) 11 words. A. Tietäväinen self-dual (MacWilliams again). Also, +2acts G G (p) and J. H. van Lint showed that 11 and 23 are the on the m by the diagonal linear transformation only perfect linear e-error correcting codes for 2im2/p Xm 7→ Pe Xm , which again fixes cweC be- e>1 except for trivial codes of size 1 and the only n 2 ∈C n cause i=1 ci =(c,c)=0for each c . slightly less trivial repetition code in (Z/2Z) for

DECEMBER 2000 NOTICES OF THE AMS 1389 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1390

10 Z Z n =2e +1. The G12 is generated by the rows of What should SL2( /p ) have to do with weight a Hadamard matrix of order 12, i.e., a 12 12 ma- enumerators of self-dual codes? We return to the

trix H each of whose entries is 1, and whose theta function of LC. Since LC is obtained from (p) rows are pairwise orthogonal (equivalently, a 1 cweC by substituting m for Xm , and since T matrix such that HH =12I12 ). It is known that (p) (p) m = m, we consider the “symmetrized weight such a matrix of order 12 exists and is unique up enumerator” sweC, obtained from hweC by set- to signed permutations of the rows and columns. ting Xm = Xm. This is a homogeneous polyno- One choice is mial of degree n in (p +1)/2 variables. It is invari-   ant under the subgroup of Wp commuting with the ++++++++++++ ↔   involution Xm Xm; this subgroup turns out to  + + ++++    be the same as the group generated by the linear  + + ++++  2im2/p   transformations Xm 7→ e Xm and    +++ +++ X 7→ p1/2Xb that we encountered earlier. Up to   m m  + + + +++   scalars, this group is isomorphic with the projec-   Z Z Z Z { }  + + + +++  tive linear group PSL2( /p ):=SL2( /p )/ 1 .    + + + +++ Our explanation for the appearance of this group    +++ + ++ is the relationship between the congruence groups    ++++ + +  (p)   for which LC and the m are modular. For LC,   (p)  ++++ + +  that group is ; for , it is the normal subgroup   m + +++ + + of consisting of matrices congruent to ++ ++++ 10 ( 01) mod p. The quotient of by this subgroup is generated by 7→ +2 and ↔1/, which with the diagonals of +1’s determined by the (p) acts on the m linearly by transformations pro- nonzero squares mod 11. The span of the rows of (p) 2i m2 (p) portional to 7→ e p and the discrete H mod 3 generates G . m m 12 Fourier transform; on the other hand, the quo- We return now to self-dual codes C(Z/pZ) for tient is obtained by reducing the matrices in mod a general odd prime p. Once p>3, the condition p, and is thus identified with PSL2(Z/pZ)! (c,c)=0 no longer constrains wt(c), so we con- We illustrate this for the first two cases p =3, 5, sider the complete weight enumerator cweC. We C which are the only ones for which a complex re- have seen already that must be invariant under 11 2im2/p flection group arises. For p =3, the symmetrized Xm 7→ e Xm as well as the normalized dis- 1/2 b and Hamming weight enumerators coincide. We al- crete Fourier transform Xm 7→ p Xm. If more- ready found that hweC is invariant under G3, and over C contains the all-1’s word 1 then (c,1)=0 we recognized the quotient of G3 by its scalar sub- for each c ∈C, whence cweC is invariant also under 2im/p group as Alt4. We can now observe that Alt4 is in Xm 7→ e Xm. Thus cweC is invariant under fact isomorphic with SL2(Z/3Z). For p =5, we write the group generated by these three unitary linear p the symmetrized weight enumerator as transformations of C ; call this group Wp Up(C). It turns out that Weil had already extensively in- sweC(X,Y,Z) = hweC(X,Y,Z,Z,Y). vestigated this group in another context [W]. Per- C Z Z n haps surprisingly, this group is finite. Weil shows If ( /5 ) is self-dual then sweC(X,Y,Z) is in- this finiteness by proving that conjugation by el- variant under the reflection group G5 generated by (X,Y,Z) 7→ (X,e2i/5Y,e2i/5Z) and (by Mac- ements of Wp permutes the Heisenberg group Williams) the transformation Hp Up(C). This Hp is the non-commutative group 3   of order p and exponent p generated by X X 7→ e2im/p X and the cyclic permutation   m m  Y  7→ X 7→ X (with subscripts mod p and hence m m+1 Z Xp = X0). The commutator of these two linear     transformations is the scalar e2i/p. Thus the quo- 12√ √ 2 X √1      1(√5 1)/2(√ 5 1)/2   Y  . tient Hp of Hp by its scalar subgroup is isomor- 5 phic with (Z/pZ)2, and is normal in the quotient 1( 5 1)/2(5 1)/2 Z W p of Wp by its scalar subgroup. Moreover W p/Hp 2 11 acts on Hp = (Z/pZ) , and it turns out that What of p =2? Even the anomalous case of doubly even codes can be explained in a similar way; here instead W p/Hp = SL2(Z/pZ). of we have all of SL2(Z), and the normal subgroup for which and are modular consists of matrices 10The same is believed, but not yet proved, to be the case 0 1 10 for arbitrary codes, not only linear ones; Van Lint and congruent to ( 01) mod 4. Thus we expect the group Tietäväinen prove this only when the alphabet size is a PSL2(Z/4Z), and indeed PSL2(Z/4Z) is isomorphic with prime power. Sym4, the quotient of G1 by its scalar subgroup.

1390 NOTICES OF THE AMS VOLUME 47, NUMBER 11 fea-elkies-2.qxp 10/19/00 2:44 PM Page 1391

The simplest example is n =2, for which C consists of the multiples of (1, 2), and sweC(X,Y,Z)= X2 +4YZ . For this code, LC = Z2 , whence (5) 2 (5) (5) 2 (0 ) +41 2 = Z . Since G5 is a finite group that fixes the quadratic form X2 +4YZ, we can re- gard it after a linear change of variables as a subgroup of the orthogonal group O3(R). Thus once more we have a finite group of isometries of the sphere, though here not all these isometries are orientation preserving. For instance, the above 3 3 matrix yields a reflection. It turns out that G5 is the group of isometries of a regular icosahedron, and is thus isomorphic with {1}Alt5. This is a reflection group whose invariants are generated by polynomials of degrees 2, 6, and 10. We have already seen a degree-2 invariant; for the invariants of degrees 6 and 10, we may take the products of linear forms vanishing respectively on the planes perpendicular to the six opposite pairs of vertices of the icosahedron and the planes parallel to its ten opposite pairs of faces. For instance, we have the degree-6 invariant Y4 X (X + e2ik/5Y + e ik/5Z) k=0 = X6 20X4YZ + 80(XYZ)2 +32X(Y 5 + Z5).

(p) Once p 5, the m for 0 m (p +1)/2, while linearly independent, are not algebraically independent. For p =5, there is a single dependence, necessarily invariant under G5; we calculate that the above degree-6 invariant, evaluated at (5) (5) (5) 6 (X,Y,Z)=(0 ,1 ,2 ), equals Z , the cube of (5) (5) (5) our degree-2 invariant. That is, (0 ,1 ,2 ) satisfy the homogeneous sextic X4YZ (XYZ)2 X(Y 5 + Z5)+2(YZ)3 =0. This sextic, considered as a subset of the projective plane, is an example of a “modular curve”—but that is a topic for a different ex- pository article.

References [CS] J. H. CONWAY and N. J. A. SLOANE, Sphere Packings, Lattices and Groups, Springer, New York, 1993. [McWS] F. J. MACWILLIAMS and N. J. A. SLOANE, The Theory of Error-Correcting Codes, 3rd ed., North-Hol- land, Amsterdam-New York-Oxford, 1981. [S] J.-P. SERRE, A Course in Arithmetic, Springer, New York, 1973. [TV] M. A. TSFASMAN and S. G. VLA˘DUT¸, Algebraic-Geomet- ric Codes, Kluwer, Dordrecht, 1991. [W] A. WEIL, Sur certaines groupes d’opérateurs uni- taires, Acta Math. 111 (1964), 143–211.

DECEMBER 2000 NOTICES OF THE AMS 1391