The Weight Distribution of Quasi-quadratic Residue Codes

In this paper, we begin by reviewing some of the known properties of QQR codes and proved that $PSL_2(p)$ acts on the extended QQR code when $p \equiv 3 \pmod 4$. Using this discovery, we then showed their weight polynomials satisfy a strong divisibility condition, namely that they are divisible by $(x^2 + y^2)^{d-1}$, where $d$ is the corresponding minimum distance. Using this result, we were able to construct an efficient algorithm to compute weight polynomials for QQR codes and correct errors in existing results on quadratic residue codes. In the second half, we use the relation between the weight of codewords and the number of points on hyperelliptic curves to prove that the symmetrized distribution of a set of hyperelliptic curves is asymptotically normal.


1.
Introduction. Quasi-quadratic residue codes (QQR codes) are a family of binary linear codes. They were first introduced by Bazzi and Mitter [2] as a quasi-cyclic code. Their work set foundations for the study of QQR codes. They discovered the relation between weights of a QQR code and number of points on hyperelliptic curves. Joyner [8] built upon this relation, and revealed the link between the QQR code and the famous Goppa's Conjecture in coding theory.
We are interested in these codes mainly for two reasons: Firstly, they have close relations with hyperelliptic curves and Goppa's Conjecture, and serve as a strong tool in studying those objects. Secondly, they are very good codes. Computational results show they have large minimum distances when p ≡ 3 (mod 8).
QQR codes are similar to quadratic residue codes. They are asymptotically rate half codes (exactly rate half when p ≡ 3 (mod 4)). Also, as we will show, P SL 2 (p) acts as automorphisms of the extended QQR codes in a similar way as of the extended quadratic residue codes. Furthermore, when p ≡ 7 (mod 8), we will show that the QQR code is equivalent to the even subcode of the corresponding quadratic residue code direct sum with itself, and therefore their weight enumerators have close relations.
We will utilize the result that P SL 2 (p) acts on these codes to prove a new discovery about their weight polynomials, i.e. they are divisible by (x 2 + y 2 ) d−1 , where d is the corresponding minimum distance. The proof uses shadows of codes, a powerful tool to study weight polynomials. We also apply this idea to quadratic residue codes, and prove that their weight polynomials are divisible by (x + y) d , with d being the minimum distance.
These results impose strong conditions on the weight polynomials of quadratic residue codes and QQR codes. Combining the divisibility result and Gleason's Theorem, we can derive an efficient algorithm to compute the weight polynomials of QQR codes. We also use these results to correct the existing computational results for the weight polynomials of quadratic residue codes that were originally posted on [17].
We also answer in the negative the question posted by Joyner [8] asking whether QQR codes satisfy Riemann hypothesis.
On the other hand, the weight of their codewords can be expressed in terms of the number of points on corresponding hyperelliptic curves over finite fields. As it is usually easier to study linear codes, this provides a way of studying point distributions of hyperelliptic curves. We will implement this idea to prove a variant of a result of Larsen [10] on asymptotic normal distribution of numbers of points on hyperelliptic curves.
2. Construction and properties. We first give constructions and introduce properties of QQR codes. We also include an introduction to quadratic residue codes, as these will be used in later sections.
Throughout the entire paper, if not stated otherwise, p is a prime satisfying p ≡ 3 (mod 4).
Let S be a subset of F p . We can assign to S a polynomial in F 2 [x]/(x p − 1) by Let Q be the set of quadratic residues in F p and N be the quadratic non-residues in F p . Q is equivalent to N since r N can be obtained from r Q via the permutation y → ρy, y = 0, · · · , p − 1 where ρ is a primitive element of F p .
Notation. Note that with abuse of notation, we use Q to denote both the quadratic residues and the code generated by r Q . It should be clear in the context what we are referring to. Similarly for N . The generating matrices for Q and N are circulant matrices, and we denote them as G Q and G N respectively. Definition 2.2 (Quasi-quadratic residue code). For an odd prime p, is called the quasi-quadratic residue code associated with p. (r Q r S , r N r S ) is identified with an element in F 2p 2 in the usual way.
Notation. By "the corresponding quadratic residue code" to a QQR code, we mean the quadratic residue code associated with the same p. Similarly for "the corresponding QQR code" to a quadratic residue code, we mean the QQR code associated with the same p.
If we write then the generating matrix for the QQR code can be written as We list some known properties of QQR codes below. Interested readers can check [8] for more information.
QQR codes are even weight codes. They have length 2p and dimension p. QQR codes are self-dual.
Therefore [I|G Q ] is also a generating matrix for the QQR code.
When Bazzi and Mitter first introduced QQR codes, their generating matrices were given in the form [I|G Q ]. They gave a proof that these codes also have generating matrices in the form [G Q |G N ] when p ≡ 3 (mod 8). Most references on double circulant codes study codes whose generating matrices are in the form [I|A], where A is cyclic, such as Karlin's original paper on double circulant codes [9].
Joyner defined QQR codes using [G Q |G N ] as their generating matrices, and we will also use this version in our paper. Note that when p ≡ 7 (mod 8), the code generated by [I|G Q ] is not equivalent to the code generated by [G Q |G N ], and therefore these two definitions are not the same.
From the definitions of quadratic residue code and QQR code, it is obvious that when p ≡ 7 (mod 8), by only taking the first p bits of a QQR code, we can obtain the corresponding quadratic residue code. Moreover, we can show a stronger connection between quadratic residue codes and QQR codes in this case.
Notation. We denote d(C) as the function that outputs the minimum distance of a code C. Proposition 2.5. When p ≡ 7 (mod 8), let C be the QQR code associated with p, and let Q and N be the corresponding quadratic residue codes. Then C is the even subcode of Q ⊕ N .
Moreover, their minimum distances satisfy Also C is even, and therefore C is a subcode of the even subcode of Q ⊕ N . Q contains the all 1 codeword, and hence is not even. Therefore Q ⊕ N is also not even, and its even subcode is of codimension 1, which is dim(Q) + dim(N ) − 1 = p+1 2 + p+1 2 − 1 = p. Since dim(C) = p, C is equal to the even subcode of Q ⊕ N . For the last statement, as we will show in Proposition 3.16, d(Q) is odd. Also, there exists a codeword c ′ in C with weight d + 1 [3]. Therefore d(C) ≥ d + 1. On the other hand, since d + 1 is even, c ′ ⊕ 0 is in the even subcode of Q ⊕ N . So d(C) = d(Q) + 1.

Hyperelliptic Curves and Goppa's Conjecture.
For a code C[n, k, d], R := k n is the information rate. δ := d n is the relative minimum distance. δ indicates the error-correcting ability of a code. Ideally we want R and δ both large, but Manin [12] proved that for a fixed field F q , there exists a function α q (δ) such that for a given δ, there are infinitely many linear codes with rate approaching R only for rates below α q (δ).

Conjecture 1 (Goppa's Conjecture). The Gilbert-Varshamov bound is tight in the binary case.
QQR codes play an important role in the study of Goppa's Conjecture because of the following explicit relation with hyperelliptic curves.
Notation. We denote by wt(c) the function that outputs the weight of a codeword c.
Proposition 2.6 (Joyner [8]). Let C be a QQR code associated with p, and c = ( . Let X S (F p ) be the set of points on the hyperelliptic curve 3. If |S| is odd and p ≡ 3 (mod 4) This relation builds a connection between Goppa's Conjecture and hyperelliptic curves as in the following theorem. Interested readers can find more details in [8].
Theorem 2.7 (Joyner). Let B(c, p) be the statement: For all subsets S ⊆ F p , |X S (F p )| ≤ c · p holds. If B(1.77, p) is true for infinitely many primes with p ≡ 1 (mod 4), then Goppa's Conjecture is false.
Not only do QQR codes play an important role in this connection, but they are very good codes when p ≡ 3 (mod 8). Computational results so far all exceed the Gilbert-Varshamov bound. Since QQR codes are rate half codes, exceeding the Gilbert-Varshamov bound is equivalent to δ > 0.11. This gives Goppa's Conjecture a serious challenge.
3. Weight Polynomials of QQR codes. In this section, we will show a new result on weight polynomials of QQR codes.
Definition 3.1. The weight polynomial of a code (or a subset of it) is where A i denotes the number of codewords with weight i in C, and n is the length of the code.
When computing the weight polynomials of QQR codes, we found that they are divisible by (x 2 + y 2 ) m , where m is at least its minimum distance minus 1, and m ≡ 3 (mod 4). See Table 1. We can also see that for these p's, δ are all well above 0.11.  The fact that m ≡ 3 (mod 4) can be shown using Gleason's theorem.
The other property of the weight polynomial is stated in the following theorem.

Theorem 3.3. The weight polynomial of a QQR code is divisible by
Since m needs to satisfy m ≡ 3 (mod 4), m is larger than d − 1 sometimes. To prove Theorem 3.3, we need to introduce shadows.
3.1. Shadows. We say a binary code is doubly-even if all its weights are divisible by 4, or singly-even if its weights are even, but not doubly-even. Let C be a binary self-orthogonal code. Then C is even. Let C 0 be the subset of doubly-even codewords of C. If C is singly-even, then C 0 is a linear subcode of index 2 in C.
Definition 3.4 (Shadow [13]). The shadow S of a self-orthogonal binary code C is We will follow the notation of [13] and denote the weight polynomial of the shadow of C as S C (x, y). S C (x, y) can be computed from the weight polynomial of C.
We include the proof given in [13] here since it's short.
Proof. If C is singly-even, this is immediate using MacWilliams identity. Assume C is doubly-even. A C0 consists of the terms in A C whose powers of y are divisible by 4. So Using MacWilliams identity, we have Under a simple change of variable, the following lemma is immediate.
When C is singly-even, the shadow S of C is C ⊥ 0 \C ⊥ , which does not contain the 0 codeword. Therefore if S has minimum distance d, S C is divisible by (xy) d . From the lemma above, we immediately have the following.
Lemma 3.7. Let C be singly-even, and d be the minimum distance of its shadow.
Therefore, it is clear that, to prove Theorem 3.3, we just need to show the minimum distance of the shadow is at least its minimum distance minus 1.
In the next section, we will show this by proving a result about the automorphism group of extended QQR codes.

Automorphism groups.
Let C be the QQR code associated with p.
Since (r Q , r N ) ∈ C, and wt(r Q , All the codewords can be expressed in both vector forms and polynomial forms like 1. We will alternate between them depending on which one is appropriate in the context.
The proof uses the following lemma. This is a standard result that is easy to prove, and can be found in [11].

Proof. (of Proposition 3.8):
Let If k is odd, then k i=1 e ni = 1. But we already have p−1 0 e i = 1. Since {e i } is a basis of C, there can't be two different ways to write a vector in linear combinations of e i 's. Contradiction.

NIGEL BOSTON AND JING HAO
If k is even, then k i=1 e ni = 0, contradictory to the e i 's being linearly independent.
We conclude that C ′ has rank p − 1. Since C 0 also has dimension p − 1, is generated by C and α(or by C and β).
Since α has odd weight, α / ∈ C. The code generated by C and α has rank p + 1, and so does C ⊥ 0 , and hence they are the same.
From this proposition, we can see that C is the even weight subcode of C ⊥ 0 . Next, we will define an extended code for C ⊥ 0 by adding two parity check columns.
Definition 3.11. LetĈ be the extended code of C ⊥ 0 by adding a parity check for the first p bits and a parity check for the last p bits, i.e. if (a 0 , a 1 , · · · , a p−1 , b 0 , · · · , b p−1 ) ∈ C ⊥ 0 then it extends to (a 0 , a 1 , · · · , a p−1 , Notation. If c ∈ C, denoteĉ as the corresponding codeword in the extended code.
If we use { e i |i = 0, · · · , p − 1} ∪ {α} as the basis, then the generating matrix for C can be written as The permutations that showed up in our results act on the left half and the right half of a codeword in the same way. For simplicity, in the following theorem and its proof, we relabel the positions in a codeword by their original positions modulo p, starting from 0. By convention, we label the parity check positions by ∞. So starting from left, the positions in a codeword would be called position 0, · · · , p − 1, ∞, 0, · · · , p − 1, ∞.
Below is the main result on the automorphism group ofĈ.
Theorem 3.12. The automorphism group ofĈ contains P SL 2 (p) as a subgroup.
Here P SL 2 (p) is generated by the three permutations When p ≡ 3 (mod 8), we have shown that the code generated by [G Q |G N ] is the same as the code generated by [I|G Q ]. ThereforeĈ also entails a generating matrix as following.  This form has been extensively studied before, and is usually referred to as bordered double circulant codes. It has been shown that P SL 2 (p) acts on these codes using the generating matrices above in previous work, such as [5] and [16]. Our proof is an alternate to those when p ≡ 3 (mod 8). When p ≡ 7 (mod 8), these two codes are not equivalent, and therefore this is a new result.
The calculations presented in this proof are inspired by the proof of the theorem that the automorphism group of the extended quadratic residue code contains P SL 2 (p). One can check [11] for that. It uses the following theorem from number theory.
Theorem 3.13 (Perron). Let p = 4k + 3, and let Q be the quadratic residues in F p , N be the quadratic non-residues in F p . a = 0 ∈ F p .
• If a ∈ Q, then {a + r|r ∈ Q} contains k quadratic residues and k + 1 quadratic non-residues. • If a ∈ Q, then {a + s|s ∈ N } contains 0, k quadratic residues and k quadratic non-residues. • If a ∈ N , then {a + r|r ∈ Q} contains 0, k quadratic residues and k quadratic non-residues. • If a ∈ N , then {a+ s|s ∈ N } contains k + 1 quadratic residues and k quadratic non-residues.
V fixes C since it fixes both r Q and r N . The ∞ positions are sent to themselves. V also fixesα.
Therefore, what's left to show is that T also fixesĈ. We will show that by proving the following: • e 0 T = 1 + e 0 : If y is a quadratic residue, then − 1 y is a quadratic non-residue, and vice versa. It follows immediately that the equality is true for all positions that are neither 0 or ∞. It's easy to check the equality also follows through at 0 and ∞.
• If i ∈ Q, we will prove Focus on the left p + 1 bits first, and consider According to Theorem 3.13, {i + r|r ∈ Q} has k + 1 quadratic non-residues, k quadratic residues. Therefore − 1 i+r has k + 1 quadratic residues, and k quadratic non-residues.
We want to know whether any terms in T ( r∈Q x i+r ) would cancel with terms in r∈Q x r− 1 i . In this case, they need to have the same powers of x.
1. If − 1 i+r is a quadratic residue, then (2) ∈ N . Therefore there does not exist r ′ ∈ Q, s.t. − 1 i+r = r ′ − 1 i . Since there are 2k + 1 terms in (2) with quadratic residue powers of x, all terms with quadratic residue powers will show up in the sum. 2. If − 1 i+r is a quadratic non-residue, then there exists r ′ ∈ Q satisfying − 1 i+r = r ′ − 1 i . Since there are k quadratic non-residues in both {i + r|r ∈ Q} and {r − 1 i |r ∈ Q}, they will cancel in pairs. None of the terms with quadratic non-residue powers of x will show up in the sum. Lastly, check the 0 and ∞ positions separately. Since T ( r∈Q x i+r |1) has 1 at position 0, and so does ( r∈Q x r− 1 i |1), they will cancel in the sum.
T ( r∈Q x i+r |1) has 0 at ∞, therefore the sum has 1 at ∞. We conclude that Now for the right p + 1 bits, consider {s + i|s ∈ n} contains 0, k quadratic residues, k quadratic non-residues. Therefore {− 1 s+i } contains k residues and k non-residues and ∞. {s − 1 i } contains k + 1 quadratic residues, k quadratic non-residues.
1. If − 1 i+s ∈ Q, (4) ∈ Q, there does not exist s ′ ∈ N such that the two terms cancel. Since there are in total 2k + 1 terms in (3) with quadratic residue powers, all terms with quadratic residue powers will show up in the sum.
Since there are k quadratic non-residues in both {i + s|s ∈ N } and {s − 1 i }, they will cancel in pairs. None of the terms with quadratic non-residue powers of x will show up in the sum. Just like before, we can check (3) has 1 at position 0 and 0 at ∞. We conclude that Combining these two parts, we have e i T + e -1 i = e 0 +β • The case of i ∈ N can be proved in a similar fashion.
Lastly,α T =α. Since T sends all basis elements intoĈ, T fixes C.
In the same way that the result on automorphism groups of extended quadratic residue codes reveals the relation between its minimum distance and that of its expurgated code, this result leads to the following theorem on the minimum distance of the QQR code.
Theorem 3.14. Let C be a QQR code. The minimum distance of the shadow of C is at least that of C less 1.
Proof. If d(C ⊥ 0 ) is even, then since C is the even weight subcode of C ⊥ 0 , we must have d(C ⊥ 0 ) = d(C). Therefore d(C ⊥ 0 \C) > d(C). Let d(C ⊥ 0 ) be odd. Let c be a codeword in C ⊥ 0 that achieves the minimum distance. WLOG, assume c has an odd number of non-zero elements in the first p bits; then c has an even number of non-zero elements in the last p bits.ĉ is in the form ( * · · · * |1| * · · · * |0|) We claim that we can find a position y(0 ≤ y ≤ p − 1), such that the coordinate on position y from the left p + 1 bits is 0, and the coordinate on position y from the right p + 1 bits is also 0. Otherwise, for each position y, at least one of the coordinates is 1, and so wt(c) ≥ p, which contradicts the fact that c has minimum weight. So c is in the following form: ( * · · · 0 · · · * |1| * · · · 0 · · · * |0|) Since P SL 2 (p) acts transitively onĈ, we can find an element in P SL 2 (p) that exchanges y and ∞. Recall that P SL 2 (p) acts on the left half and the right half of a codeword in the same fashion. We would therefore obtain a new codeword inĈ in the following form: ( * · · · 1 · · · * |0| * · · · 0 · · · * |0|) By losing the two parity checks, we obtain a new codeword in C ⊥ 0 that has weight d(C ⊥ 0 ) + 1. Note that this codeword also belongs to C, and therefore Combining this with Lemma 3.7, we have provided a proof for Theorem 3.3.

3.3.
Computation algorithms for QQR codes. Computation of the weight polynomials is always an important topic in coding theory. Researchers have come up with clever enumeration methods to reduce the computation load and speed up the process. However in general, little was known about the structure of the weight polynomials, and therefore good tests for computational results were missing. Theorem 3.3 imposes a strong condition on the weight polynomials of QQR codes, and could serve as a test for existing and future computational results on the weight polynomials of QQR codes. On the other hand, we can also use this to derive an algorithm around this and dramatically reduce the amount of computation needed.
Since QQR codes are self-dual, by Gleason's theorem, their weight polynomials can be written as linear combinations of G(x, y) i J(x, y) j , with 2i + 8j = 2p. Now for a QQR code C, let We can use a recursive algorithm to recover the whole weight polynomial by knowing only a few A i . 1. A 0 = 1 because of the 0 codeword. Comparing coefficients of x 2p on both sides of (3), we have a p = 1. 2. We obtain a new equation by subtracting a p G(x, y) p on both sides of (5) with the highest power of x being x 2p−2 y 2 . 3. A 2 = 0 because d > 2. Compare coefficients of x 2p−2 y 2 on both sides of (6), and we have a p−4 = −p. 4. Repeat the steps until we have all the a i 's. Since A C is divisible by (x 2 + y 2 ) d−1 , we only need a i for i ≥ d − 1. For the case of p = 59, computing the whole weight enumerator using MAGMA using brutal force would take 190 years. Using this strategy, however, we need only a few A i 's. Assume the minimum distance is at least 14, which is reasonable based on the result for p = 43. This can also be confirmed computationally. Then the weight polynomial is divisible by (x 2 + y 2 ) 15 . Therefore to get all the a i (i = 15, · · · , 59), we only need A j 's for j = 14, 16, 18, 20, 22, which takes a few hours to compute. Note that this time is based on using existing commands in MAGMA, and could be even faster if combined with enumeration techniques.

THE WEIGHT DISTRIBUTION OF QUASI-QUADRATIC RESIDUE CODES 13
The huge speed up is because not all coefficients are created equal. The ones we needed for our computation are those A i 's with very small or very large i. These take much less time than those ones in the middle. We are avoiding, and computing using our algorithm, those coefficients in the middle that could take years to compute.
3.4. Zeta polynomials and Riemann hypothesis. In the last part of this section, we answer a question that was originally posted by Joyner in [8].
Let d be the minimum distance of a code C and d ⊥ the minimum distance of its dual code. Iwan Duursma introduced the zeta function Z = Z C associated to a linear code C over a finite field F q [4].
This is a polynomial with rational coefficients, called the zeta polynomial of the code C.
Given a self-dual code, it is always of interest whether its zeta polynomial satisfies the Riemann hypothesis. (In other words, its roots occur in self-reciprocal pairs). Joyner asked this question about the QQR codes for p ≡ 3 (mod 4). Using SAGE to compute zeta polynomials, we found that it does not satisfy the Riemann hypothesis for p = 23.
For p = 23, it has 15 pairs of complex conjugate roots of absolute value 1 √ 2 , together with real roots 0.508887881 and 0.982534697. The last two roots cause the code to fail the Riemann hypothesis.
3.5. Quadratic residue codes. As mentioned earlier, when p ≡ 7 (mod 8), QQR codes have a close relation with quadratic residue codes. In this section, we will first prove a similar divisibility property of quadratic residue codes using shadows of codes, and use their relation with QQR codes to give an alternative proof to Theorem 3.3.
We first introduce expurgated quadratic residue codes.
Definition 3.15 (Expurgated quadratic residue code). Let Q and N be the quadratic residue codes associated with p. The even subcodes of Q and N , which are denoted asQ andN respectively, are called expurgated quadratic residue codes.
We list some well-known properties of quadratic residue codes that will be used later. All can be found in [11]. Similar to Lemma 3.17, we can prove the following.
Lemma 3.17. Let C be a self-orthogonal binary code, and l its maximum weight. Then the weight polynomial of its shadow is divisible by (x + y) n−l .

Proof.
A C = x n + · · · + x n−l y l So A C is divisible by x n−l . From Lemma 3.5, it's immediate that S C is divisible by (x + y) n−l .
We can now prove a divisibility property on the weight polynomial of the quadratic residue code.
Theorem 3.18. Let p ≡ ±1 (mod 8) be prime, and C the quadratic residue code associated with p, then A C is divisible by (x + y) d , where d is its minimum distance.
Proof. We will only prove this for p ≡ −1 (mod 8). The case for p ≡ 1 (mod 8) is similar.
When p ≡ −1 (mod 8), letC be the corresponding expurgated quadratic residue code. ThenC ⊥ = C and C is generated byC and the all one codeword.
Since p ≡ 1 (mod 8), d ≡ 3 (mod 4). Let c be a codeword that achieves the minimum distance, and let c ′ be the sum of c and the all one codeword. Then c ′ has even weight p − d, and therefore is contained inC. Since C has odd length p, C does not contained the all one codeword, and therefore c ′ has the largest weight inC.
By definition, C is the shadow ofC. Therefore by Lemma 3.17, the weight polynomial ofC is divisible by (x + y) d .
When p ≡ 7 (mod 8), the QQR code C is the even subcode of Q ⊕ N . Therefore we have the following relation between their weight polynomials.
Proposition 3.19. When p ≡ 7 (mod 8), let C be the QQR code associated with p, and Q the corresponding quadratic residue code, then Proof. The weight polynomial of the direct sum of two codes is the product of their respective weight polynomials, and the weight polynomial of the even weight subcode of a code is just the sum of terms in its weight polynomials with even powers of y. This proposition is immediate after combining these two facts with Proposition 2.5.
We now give an alternative proof to Theorem 3.3 in the case p ≡ 7 (mod 8) using this relation.
Proof. When p ≡ 7 (mod 8), let C be the QQR code associated with p, and let Q andQ be the corresponding quadratic residue code and the expurgated quadratic residue code respectively.
Since Q is generated byQ and the all one codeword, Note that the minimum distance of Q is d − 1, we have (x + y) d−1 |AQ(x, y) + AQ(y, x) Change y for iy and −iy respectively, where i 2 = −1. We obtain SinceQ is doubly-even, for each term in A Q , powers of y are all divisible by 4 and powers of x are 3 (mod 4). Therefore AQ(x, iy) = AQ(x, y), AQ(iy, x) = −iAQ(y, x) AQ(x, −iy) = AQ(x, y), AQ(−iy, x) = iAQ(y, x) Hence which is divisible by (x 2 + y 2 ) d−1 .
3.6. Weight polynomials of quadratic residue codes in the literature. Previously, weight polynomials of quadratic residue codes have been computed up to p = 167. We are referring to the online table Weight Distributions of Quadratic Residue and Quadratic Double Circulant Codes over GF (2) [17]. This table is also the source for the same entries on The On-Line Encyclopedia of Integer Sequences (OEIS) [14]. We tested these results against Theorem 3.18. The results are shown in Table 2.   Table 2. Weight polynomials posted on [17] The weight polynomials posted for p = 113, 127, 137, 151, 167 are only divisible by x+y and no further, and therefore errors existed in these results. We investigated each case and give the results as follows.
3.6.1. p = 137, 151, 167. For p = 137, 151, 167, we found that the numbers from the original references of the online table are different from the numbers posted in the online table.
In particular, for p = 137, the numbers in the paper [15] are different from the online table.
For p = 151, 167, the numbers in [18] are different from the online table. We tested Theorem 3.18 against the numbers in these references and confirmed they satisfy the divisibility conditions. See Table 3.    3.6.2. Correction for p = 113. We could not find a reference for these numbers, but were able to find the correct weight polynomial in this case.
In fact, all the numbers in the online table are correct except A 56 and A 57 should be changed from 10375431209297308 to 10375431209297309. The resulted weight polynomial satisfy Theorem 3.18 and the four checks we listed above.
3.6.3. Correction for p = 127. We could not find a reference for p = 127 either. Therefore we deduced the correct weight polynomial based on the criteria it needs to satisfy.
By Theorem 3.18, the weight polynomial A Q is divisible by (x + y) 19 , therefore we have for some integers c j 's. Our goal is to solve these c j 's.

Expand Equation 7 and compare coefficients, we have
Therefore if the number of correct A j 's we know are greater than or equal to 108, we can set up enough equations to solve all the c i 's. Below are the A j 's we use.
• We use A 19 to A 43 (and A 84 to A 108 ) from the posted result, hoping they were correct. Therefore we used 13 coefficients from the table. Fortunately the 13 coefficients we use from the table seem correct. The weight polynomial we obtained using this approach passes the four checks we listed above. Therefore we are confident the answer is correct.
Below are the A j 's that needed to be corrected. Since the weight polynomials for quadratic residue codes are symmetric, we only listed A j 's for j ≤ 63.  Table 4. Correction for p = 127 4. Weight Distribution and Hyperelliptic Curves. The weights of QQR codes are closely linked with numbers of points on corresponding hyperelliptic curves. This connection enables us to study the distribution of number of points on hyperelliptic curves using the weight distribution of QQR codes.
In this section, we will first show a result on the weight distribution of QQR codes, and then demonstrate how to use this result to prove a corresponding result on hyperelliptic curves.
Let S ⊆ F p , and let c = (r Q r S , r N r S ). According to Proposition 2.6, we have The original statement posted in Joyner's paper is slightly different, since his count includes points at infinity. For simplicity, we modified the statement to restrict only to affine points.
In order to link the weight distribution of the QQR codes and the point distributions of hyperelliptic curves, we also need the following results: • If |S| is even, then |X S (F p )| ≡ 2 (mod 4).
We give a sketch of the proof as following: Proof. (sketch) Let χ = ( p ) be the quadratic residue character, which is 1 on the quadratic residues Q ∈ F p , -1 on the quadratic non-residues, and 0 on 0. Then Since p ≡ 3 (mod 4), we just need to show the following: • If |S| is even, a∈Fp χ(f S (a)) ≡ 3 (mod 4).
These are proven by induction on |S|, as follows: If |S| is odd, then |R| is even. By assumption a∈Fp χ(f R (a)) ≡ 3 (mod 4), and therefore a∈Fp χ(f S (a)) ≡ 0 (mod 4) Similarly, if |S| is even, then |R| is odd, and we have a∈Fp χ(f S (a)) ≡ 3 (mod 4) In Proposition 4.1, we notice that when |S| is even, a codeword c is associated with a curve y 2 = f S (x). When |S| is odd, c is associated with a curve y 2 = f S c (x) with |S c | even.
Therefore the curves that are linked with QQR codes are in the form where |S| is even. We denote this set of curves as C p .
Let B k be the number of curves in C p that have k affine points over F p , and let A k be the number of codewords with weight k.
From Proposition 2.6, it's clear that and from Proposition 4.1, we have the following relation between A k and B k : Let A k and B k be described as above, then Therefore we have obtained an explicit relation between the weight distribution of a QQR code associated with p and the point distribution of the hyperelliptic curves in the set C p .
The following diagram illustrates this interlacing pattern for p = 11. A k 's can be obtained from B k 's by symmetrizing the distribution of B k 's with respect to k. Next we will show a result on the point weight distribution of QQR codes. But firstly we need to formally define the moments of QQR codes from the discrete values of A k . These are standard definitions and can be found in [11].  The following is a classical theorem on the weight distribution of codes.
Theorem 4.5 (Sidel'nikov [11]). Let C be a binary code, and d ⊥ ≥ 3 the minimum distance of its dual code C ⊥ , then In other words, if d ⊥ tends to infinity for a series of codes, then its weight distribution is asymptotically normal. In Proposition 2.5, we showed that when p ≡ 7 (mod 8), the minimum distance of a QQR code is the minimum distance of its corresponding quadratic residue code plus 1. Since the minimum distances of quadratic residue codes have a well-known lower bound of √ p, the minimum distance of QQR codes are bounded below by √ p + 1. When p ≡ 3 (mod 8), Helleseth and Voloch have proven the following bound for QQR codes. Combining these and Theorem 4.5, we have the following theorem.
Theorem 4.7. The weight distribution of QQR codes are asymptotically normal. Figure 1 shows the comparison of the c.d.f among normal distribution, the QQR code with p = 3, and the QQR code with p = 59. Both p = 3 and p = 59 are approximating the normal distribution. Their c.d.f's are step functions by construction. p = 59 oscillates more frequently and more closely to the normal distribution. We imagine that with p bigger, the oscillation will become more frequent and closer to the normal distribution.
Since proposition 4.2 gives an explicit relation between the point distribution of hyperelliptic curves and weight distribution of QQR codes, we can get all the A k 's by using B k 's. Namely, set Therefore we have shown that, after symmetrizing the point distribution of hyperelliptic curves in C p , the result will converge to the normal distribution when p → ∞.
A recent study by Larsen [10] showed that, more or less, for a random curve of random genus, over a random finite field F q , T / √ q, is normally distributed, where T is the number of points on the curve. More precisely, • Fix g. As q → ∞, T / √ q defines a measure µ g on [−2g, 2g]. e.g. for g = 1, µ 1 is the Sato-Tate measure.
• The limit of these measures µ g when g → ∞ is the measure given by the standard normal distribution. Our result is a variant of Larsen's. The main differences are: • The set of curves in Larsen's result consist of all hyperelliptic curves defined over F q while ours is a subset of that given by the definition of C p . • We showed that after being symmetrized, the distribution approaches the standard normal distribution, while Larsen's result is on the point distribution itself. • Larsen's result uses theoretical results on hyperelliptic curves among others, while our result is simply a corollary from the study on QQR codes.

5.
Conclusion. In this paper, we begin by reviewing some of the known properties of QQR codes, and proved that P SL 2 (p) acts on the extended QQR code when p ≡ 3 (mod 4). Using this discovery, we then showed their weight polynomials satisfy a strong divisibility condition, namely that they are divisible by (x 2 + y 2 ) d−1 , where d is the corresponding minimum distance. Using this result, we were able to construct an efficient algorithm to compute weight polynomials for QQR codes and correct errors in existing results on quadratic residue codes.
In the second half, we use the relation between the weight of codewords and the number of points on hyperelliptic curves to prove that the symmetrized distribution of a set of hyperelliptic curves is asymptotically normal.
6. Acknowledgment. The authors want to thank Prof. Iwan M Duursma for his keen observation on the relation between weight polynomials and shadows.