Superconductor

And as described in the previous post, it's possible to define a group law for points on a circle and it's easy to generalize the geometric interpretation of this operation to points on other conics. Here's an example - of what adding the points (5/4,3/4) and (-5/4,-3/4) to get the point (-17/8,-15/8) on the hyperbola x² -y² = 1 looks like, using the point O = (1,0) as the additive identity, where we find the slope of the line through the two points we want to add, find the second point where the line through O with that slope intersects the curve and call that point the sum:

As described in the previous post, it's possible to define a group law for points on a circle and it's easy to generalize the geometric interpretation of this operation to points on other conics. Here's an example - of what adding the points (-1,0) and (2,3) to get the point (1,0) on the parabola y = x² -1 looks like, using the point O = (0,1) as the additive identity:

(I used this particular curve instead of the simpler y = x² because the simpler curve is singular because of the repeated root at x = 0 and I wanted to avoid worrying about that.)

Tomorrow: the same thing for points on a hyperbola.

It's fairly well known that you can define way to add points on an elliptic curve - defining a so-called "group law" for the points. It turns out that it's not too hard to do the same thing for a circle. This shouldn't be too surprising: an elliptic curve is roughly the product of two circles, so we should expect the same structure on just a single circle. And as I previously mentioned, all quadratics are really just circles if we define our coordinates correctly, so we should even expect this idea to work on other conics than circles.

With a circle, it's easy to find an appropriate group law: given points P = e^ia and Q = e^ib, just define P + Q = e^i(a+b). That corresponds to adding the angles to the points. But if we think a bit more about what this means geometrically, it's easy to apply the same idea to adding points on parabolas or hyperbolas. 

The slope of the line through P and Q is just

m = (cos b - cos a) / (sin b - sin a)

Now let's draw a line through (1,0) with a slope of m. This line is given by

y = m (x -1)

Substituting that into the equation of the circle

x² + y² = 1

we find that

x² + m²(x - 1)² = 1

or

(1 + m²) x² - 2 m² x + m² = 0

One solution to this is obvious: x = 1.

Once we see that, we can factor out (x - 1) to get the other root: x = (m² - 1) / (m² + 1).

And if we then substitute the definition of m in terms of a and b and simplify things a bit we find that this other root  actually x = cos(a + b) so that the sum of the two points is (cos(a + b), sin(a + b)).

This leads to the following geometric way of thinking about the group law on a circle

1. Draw a line through the two points P and Q
2. Draw the line with the same slope that passes through the point (1,0)
3. Call the second point where that line intersects the circle the point P + Q.

And just like the point at infinity is the additive identity in an elliptic curve group, the point O = (1,0) is the additive identity in this case. (And just like with elliptic curves, there's nothing special about this point. Any other one would have worked just as well.)

What does this look like?

Here's a picture that shows what adding the points (3/5,4/5) and (-4/5,-3/5) to get (0,-1) looks like:

Tomorrow: a picture of what doing this with points on a parabola looks like.

dF(x) / dx ≈ ΔF(x) / Δx

= (f(x) Δx) / Δx

= f(x)

Obvious, isn't it?

I was playing cards (a variant of Gin Rummy) with some people recently. When it was my turn to shuffle, I would try to do a very good job of it. I wanted the cards to be well-randomized.

We all noticed that when I shuffled, it took longer for someone to win the round. We assumed that the more random the cards, the harder it would be to get triplets or straights. You see, after a round, when we collected the cards, they were bunched together (people had laid down triplets and straights, the cards in their hands were collected in partial groups). Before the shuffle, they were not random. So a quick shuffle meant, obviously, that there was less randomizing, the bunches tended to stay together just a bit more for the next round. A card in play was more likely to have a "partner" card in play nearby. And more likely to be only 2 or 3 cards away, which is what was needed for the same person to get both cards on the deal.

OK, there's nothing radical about this analysis. But what was interesting for me was that one of the players started asking me to shuffle less. She won more with fewer shuffles. My guess is that there are two overall strategies, play as if the deck is random and play as if it is not. She had learned (maybe subconsciously) how to play with a strategy of non-random cards and this was successful whenever she played. However, that strategy did not work with more random cards.

I was playing with a graphing program this morning and tried graphing an elliptic curve and all of the lines that you'd use to add the points on the curve with integer coordinates using the cord-and-tanget method of addition. Here's what I got for the elliptic curve y² = x³ + 1.

There must be something interesting that you can state and prove about the intersections of those lines.

What is iⁱ? That's easy enough to figure out. What's slightly more difficult to understand is why I get asked questions like this. Something about giving answers, I suppose.

In any event, for any complex numbers a and b we have that

a^b = e^{b log a}

And for any complex z we have that

log z = ln |z| + i arg z

So that

log i = ln 1 + i (π/2 + 2nπ)

= i (π/2 + 2nπ)

So that we have that

iⁱ = e ^{i (i (π/2 + 2nπ))}

= e^–π/2 e^-2nπ

For the principle branch of the logarithm, this just reduces to

iⁱ = e^–π/2 ≈ 0.20788

but even in the cases where n ≠ 0 we still always have that iⁱ is a real number. In fact, if we plot the values of iⁱ for -2 ≤ n ≤ 2, here's what we get.

So in addition to having the principle value of e^–π/2, we can also make iⁱ either as big as we want to (by taking n<<0) or as close to 0 as we want (by taking n>>0), but in any case, it's still always a real number.

A circle is the limiting case of a polygon with lots of sides, so a reasonable question to ask (like I was recently asked) is exactly how many sides a polygon has to have for its area to be a good approximation to the area of a circle. Here's my answer to this question.

Suppose that we have a regular polygon with n sides and that the distance from the center of the polygon to any of its vertices is r. If we look at the wedge formed by drawing lines from the edges of a single side of the polygon to the center, we get something that looks like this, where the angle in the center of the wedge is 2π/n.

If we divide this wedge into two right triangles, we can then use some trigonometry to find the lengths of the sides of each of the triangles in terms of the length r and the angle 2π/n. This gives us something like this:

This means that the area of each of the wedges is

(r cos π/n) (r sin π/n)

= r² cos π/n sin π/n

= (r²/2) sin(2π/n)

and the area of the entire polygon is

A = n (r²/2) sin(2π/n) = πr² (n/2π) sin(2π/n)

Now what happens we increase the number of sides of the polygon?

As n gets big, 2π/n gets close to 0 so that

(n/2π) sin(2π/n) = sin(2π/n) / (2π/n)

gets close to 1, so we have that A gets close to πr², just like we expected.

Now the area of the circle with radius r is πr², so the difference between the area of the circle and the area of the polygon is

πr² - πr² (n/2π) sin(2π/n)

= πr² (1 - (n/2π) sin(2π/n))

If we plot

f(n) = 1 - (n/2π) sin(2π/n)

we find that it looks like this:

so it’s clearly possible to get a good approximation with not too many sides.

We actually have that f(8) = 0.900316, so that using just 8 sides gives us less than 10 percent error. To get to 5 percent error it turns out that we need to use 12 sides and to get 1 percent error we need to use 26 sides. This means that it's probably reasonable to say that a 26-sided polygon (icosikaihexagon?) is a good approximation to a circle. Here's a 26-gon that I drew using Google Sketchup that seems to show that a 26-gon is fairly circle-like:

Polygons with fewer sides might also be OK, depending on exactly how good you want your approximation of a circle to be.

Once you’ve generalized the idea of the tangent space of a curve in a way that's useful for curves over finite fields, it’s easy to use that idea to generalize the idea of a smooth curve. In particular, we say that a curve is smooth at a point if the dimension of the tangent space (like described in the previous post) at the point is the same as the dimension of the curve itself. And because this definition also works for curves defined over a finite field, we can talk about such curves as being "smooth," in a meaningful way.

Here are some examples of why this definition makes sense. Note that even though the pictures show graphs of real-valued function, this also makes sense for curves defined over finite fields.

Example 1

Suppose we have the curve defined by

y² = x³ + 1

At the point (2,1), the tangent space is just the line

y = 0

Here's what this looks like:

Since the dimension of the tangent space (1) is equal to the dimension of the curve (1) at the point (0,0), the curve is smooth at that point.

Example 2

Suppose that we have the curve defined by

y² = x³

At the point (0,0) we have that the line

y = ax

intersects this curve. On this line we have that

y² = a²x²

Setting the two expressions for y² equal to each other to get the intersection of the line and the curve we get that

x³ = a²x²

or

x³ - a²x² = 0

or

x²(x – a²) = 0

This means that the intersection of this line and the curve has multiplicity greater than 1, so that any line of the form

y = ax

is tangent to the curve like shown in this picture:

This means that the tangent space at the point (0,0) has dimension 2 while the curve only has dimension 1, so the curve isn’t smooth at (0,0).

Example 3

Suppose that we have the curve

y² = x³ + x²

Just like in the previous example, at the point (0,0) the line

y = ax

intersects the curve and where this line intersects the curve we have that

x³ + x² = a²x²

or

x³ + (1 – a²)x² = 0

or

x² (x + (1 – a²)) = 0

This means that the intersection of this line and the curve has multiplicity greater than 1, so that any line of the form

y = ax

is tangent to the curve like shown in this picture:

This means that the tangent space at the point (0,0) has dimension 2 while the curve only has dimension 1, so the curve isn’t smooth at (0,0).

In the previous posts that showed graphs of projective versions of a parabola and a hyperbola, it certainly looked like both of these really turned out to be circles in the projective plane. I've been asked about this a few times, so here's my explanation of why this is the case.

First, note that a circle looks like

x² + y² = 1

or

x² + y² = z²

In the case of the parabola defined by

y = x²

or

yz = x²

we can write

X = -ix

Y = (y + z) / 2

Z = (y – z) / 2

or

x = iX

y = Y + Z

z = Y – Z

to find that from

yz = x²

we have that

(Y + Z)(Y – Z) = (iX)²

or

Y² – Z² = -X²

or

X² + Y² = Z²

which is clearly a circle.

For the hyperbola defined by

xy = 1

or

xy = z²

we can do a similar change of variable, writing

x = X + Y

y = X – Y

z = iZ

to change

xy = z²

into

X² + Z² = Y²

which is also a circle.

It's even possible to generalize this to any conic. This means that it actually makes sense to say something vague like "with a suitable selection of coordinates" any complex projective conic can be written in the form

X² + Z² = Y²

so they're really all just circles in the projective plane.

This morning I was talking to one of our core crypto team when one of our engineers walked by. When he heard what we were talking about he said something like, “Wait a minute, how can you talk about things like derivatives and smooth curves when you’re dealing with curves over a finite field? Don’t you need some sort of continuous function to talk about things like that?” This led to a discussion of tangent spaces for arbitrary curves.

Here’s roughly what we talked about.

If you have a curve which has points whose coordinates come from an arbitrary field, and you want a definition of a tangent to the curve that makes sense, one way to do it is to generalize what we have for the continuous case.

Here’s a picture of the tangent to the curve y = x² at the point (1,1). It’s the line

y = 2x – 1

At the point (1,1) if we set the two expressions for y equal to each other we get that

x² = 2x – 1

or

x² – 2x – 1 = 0

which we can write as

(x – 1)² = 0

In we look at the tangent to the curve y = x³ at the point (1,1) we get that it’s the line

y = 3x – 2

And if we set these two expressions for y equal to each other we get that

x³ = 3x – 2

or

x³ – 3x + 2 = 0

which we can write as

(x – 1)²(x + 2) = 0

In both cases we have a repeated root where the tangent line intersects the curve.

In the general case we say that a line is tangent to a curve at a point if the multiplicity of the intersection of the line and the curve at the point is greater than 1. And that definition even makes sense for cases where we don’t have anything close to the continuity that we have in the case of functions of a real variable. Like we have with finite fields.

And once you have the idea of a generalized tangent line, getting a generalized tangent space is easy: it's just the set of all tangent lines.

For some reason I almost always get asked hard questions. That's probably because people can figure out the easy things by themselves. But I was particularly surprised by a question that one of our engineers recently asked me.

"What's the difference between a variety and a scheme?" he said.

"Ah," I said. "I'm not sure that there's an easy answer to that question, but let me try."

I'm not sure if what I said made sense, but I'm going to try to fit the high points of it into a single blog post that's not too long. So with any luck, the post "Algebraic geometry in 500 words or less" will be appearing here in January. And it might even be 500 words or less.

An elliptic curve defined by

y² = x³ + ax + b

has discriminant

D = 4 a³ + 27 b²

and is singular when D = 0.

When this happens we have that

b² = (-4/27) a³

If we think of that as a polynomial in a and b, that’s another singular elliptic curve, isn’t it? Now it's in a and b instead of in x and y.

I'll have to think about that for a while. It may or may not actually be interesting.

After my recent post about quaternions, I was asked why we can characterize an analytic function of a complex variable by ∂f/∂z* = 0. Here's why this is true.

Let's write 

f(z) = f(x + i y) = u(x, y) + i v(x, y)

so that we have

z* = x – i y

x = (z + z*) / 2

y = -i (z – z*) / 2

Now

∂f/∂z* = (∂f/∂x) (∂x/∂z*) + (∂f/∂y) (∂y/∂z*)

= (∂u/∂x + i ∂v/∂x) (1/2) + (∂u/∂y + i ∂v/∂y) (i/2)

= (∂u/∂x - ∂v/∂y) (1/2) + (∂v/∂x – ∂u/∂y) (i/2)

But the Cauchy-Riemann equations tell us that we have

∂u/∂x = ∂v/∂y

and

∂u/∂y = -∂v/∂x

so that just leaves us with

∂f/∂z* = (0)(1/2) + (0)(i/2) = 0

In a discussion of probability today, the topic of unbounded pdfs came up. Many people hadn't seen an example of one. One such example is f(x) = 1 / (2 √x) for 0< x ≤ 1 and 0 otherwise. It's unbounded, but we have that ∫f(x)dx = 1. Here's what it looks like.

When people take their first class is statistics they usually learn to calculate the sample variance as

s² = Σ_i=1:n (x_i – m)² / (n - 1)

where m is the sample mean because the Unicode character for x-bar doesn't display well in most browsers.

This often seems counter-intuitive to the students, and the teachers usually explain that this expression is used instead of the more intuitive

s² = Σ_i=1:n (x_i – m)² / n

because the version in which you divide by n - 1 is an unbiased estimator, or that it's expected value is the variance of the distribution that's being sampled.

This leaves people with the impression that unbiased estimators are better in some way than biased estimators are, but that's not always the case. Here's the standard example of an unbiased estimator that's not as good as a biased estimator.

Suppose that we have a Poission distribution with mean λ, so that

p(x = n) = λⁿ e^-λ / n!

and that we want to estimate the statistic W = e^-3λ based on a single sample of the distribution. It's easy to see that (-2)^x is an unbiased estimator for W because

E(W) = Σ _x=0:∞ (-2)^x λ^x e^-λ / x!

= e^-λ Σ _x=0:∞ (-2λ)^x e^-λ / x!

= e^-λ e^-2λ

= e^-3λ

But this statistic isn't a very good estimator for W in some ways. In particular, it's actually negative when x is odd while the underlying distribution is always positive.

An estimator that makes more sense is max{W,0}, which happens to be a biased estimator. That's always at least as good estimate for the true value that we're trying to estimate and is actually never worse. So just because an estimator is unbiased doesn't necessarily mean that it's good. it just means that its expected value is whatever it's trying to estimate.

The twisted cubic is a common example that's used in algebraic and differential geometry, but it can be hard to visualize. In particular, the twisted cubic can be parametrized as:

x(t) = t

y(t) = t²

z(t) = t³

What does this look like?

To find out, I used the graphing program on my son's iPad. This actually seemed to give more useful pictures than I got with other software that I have access to. Here's what this looked like, where we get the twisted cubic from the intersection of the curves

 y = x²

and

z = x³

That's not perfect, but it seems better than most pictures of the twisted cubic that I've seen in the past.

While watching the animation that I made of a family of elliptic curves I realized that it's possible for a curve of the form y² = x³ + ax + b to have an isolated point. An example of this is the curve

y² = x³ - 3x - 2

which looks roughly like this. There's an isolated point at (-1,0), even if it's hard to see in this picture.

But an isolated point is also either local maximum or minimum, so that the curve needs to be singular if it has an isolated point (its partial derivatives are zero at the isolated point). And because most people specifically define "elliptic curves" to only be non-singular curves, that probably explains why I've never come across any discussion of isolated points of elliptic curves. In this example, we have that

y² = x³ - 3x - 2 = (x + 1)²(x - 2)

so this curve is actually singular, just like it has to be.

Here's what y² = x⁶ - 14 x⁴ + 49 x² - 36 + t looks like for -20 ≤ t ≤ 80. Just like the last post, this animated GIF is fairly big, so you need to click on the image below to view it.

It was so much fun animating a family of elliptic curves that I decided to do the same thing for hyperelliptic curves. Here's an animated GIF of y² = x⁵ - 5 x³ - 4 x + t for -5 ≤ t ≤ 50. The actual animation is on a separate page because it's a fairly big image so you'll need to click on the image below to see it.

I thought it would be interesting to see what it wold look like if I created an animated GIF from graphs of elliptic curves as one of the coefficients in the Weierstrass form y² = x³ + ax + b changed.

Here's what I got with the curve y² = x³ - 2x + b for -4 ≤ b ≤ 8.

It's actually easy to create animations like these in Mathematica. In the older version (5.1) that I have, here's how you do it:

e = Table[ImplicitPlot[y^2 == x^3 - 2 x + t, {x, -4, 4}, PlotRange->{{-4,4}, {-4,4}}, AspectRatio->1], {t, -4, 8, 0.1}];

Export["C:\ec.gif", e, ConversionOptions->{"Loop"->True}]

It's even easier in the newer version, but I don't see a copy of Mathematica 8.0 as being in our budget any time soon.

After playing with the graphing program on my son's iPad for a while, I tried using it to plot a few 3-dimensional graphs. The first thing that I tried was to look at the elliptic curve

y² = x³ - 2x +2

When you graph this curve it looks like this:

Another way to think of this curve is as the intersection of the surfaces defined by

z = y² - x³

and

z = 2x - 2

When I plotted those surfaces on the iPad, here's what I got (roughly looking down the y-axis):

Here's another point of view that shows a better view the intersection of the two surfaces (roughly looking down the x-axis):

 

And here's another point of view that's roughly looking down the z-axis:

I'm not sure that point of view really provides any useful insight into elliptic curves, but it seemed sort of interesting.

I was trying a graphing application on my son's iPad last night when I came across a trig identity that I hadn't seen before. Here's how this happened.

To test the graphing program on the iPad, the first few graphs that I made were of elliptic and hyperelliptic curves like this:

Then, for no apparent reason, I thought to graph

y = sin x + cos x

Here's what the graph looked like:

I found that a bit surprising. That sure looks like either a sine or cosine of some sort, so it looked like there was some sort of trig identity like

sin x + cos x = α sin(x + β)

that I hadn't seen before. When I tried to understand what's going on here, I thought that it would probably be just easy to find a slightly more general identity, something like

a sin x +  b cos x = c sin(x + d)

Such an identity is actually fairly easy to find.

We can write

c sin(x + d) = c sin x cos d + c cos d sin x

so that we have that

a sin x +  b cos x = c sin x cos d + c cos x sin d

Comparing that parts of the LHS and RHS that involve sin x and cos x, we find that we want

a sin x = c sin x cos d

and

b cos x = c cos x sin d

or that

cos d = a / c

and

sin d = b /c

Substuting those into

cos²d + sin²d = 1

we get that

(a / c)² + (b / c)² = 1

or that

a² + b² = c²

so that we have that

c = √(a² + b²)

Now that we have c, we can now find d as

d = sin^-1(b / c)

So in the case that I first came across I had a = b = 1, so that c = √2 and d = π / 4 giving

sin x + cos x =  √2 sin(x + π / 4)

which is exactly what we see in the graph.

I was a bit surprised that I hadn't seen that particular identity before. It doesn't appear in my CRC math tables book. Maybe it's one of the more obscure ones.

In a previous post I mentioned how I had stumbled across some interesting properties of ellipses. One of them was the fact that if you square an ellipse that's centered at the origin you get another ellipse.

An alert reader pointed out an interesting implication of this, and that's the fact that you get elliptical orbits from either a force that's inverse to either the square of the distance between two objects or the distance itself.

There was even an article in the American Mathematical Monthly by Tristam Needham, "Newton and the Transmutation of Force," that described this. Newton was apparently quite surprised when he figured this out. Oddly enough, this was apparently one of the few times that Newton seemed surprised by anything.

Everyone who works with elliptic curves has probably heard that elliptic curves are called "elliptic curves" because they're connected to ellipses in some way, but not many people have actually taken the time to understand exactly what the connection really is. I just came across some notes that I made on this very topic several years ago and thought that the material might make a good blog post. It's tedious (perhaps even very tedious) stuff, but it's something that it's good to at least see once.

Let's see if I can write this up without introducing too many errors into it.

First, remember that elliptic curves in the Weierstrass form can be parameterized by the Weierstrass ℘-function. In particular, the ℘-function satisfies the differential equation

℘'(z)² = 4 ℘(z)³ - g₂ ℘(z) - g₃

and we have that

z - z₀ = _℘(z0)∫^℘(z) (4 w³ - g₂ w - g₃)^-1/2

so that the ℘-function is the inverse of a particular elliptic integral.

But why is that particular integral called an "elliptic integral?"

Suppose that we have an ellipse defined by

(x / a)² + (y / b)² = 1

which we can parameterize by

x(t) = a cos t

y(t) = b sin t

To get the length of this ellipse between t₁ and t₂ we need to calculate

_t1∫^t₂ ( (dx/dt)² + (dy/dt)² )^1/2 dt

The length of the entire ellipse is four times the length of just one quadrant of it, which we can find by calculating

L = 4 ₀∫^π/2 (a² cos²t + b² sin²t)^1/2 dt

Now

a² cos²t + b² sin²t = a² cos²t + a² sin²t – a² sin²t + b² sin²t

= a² (cos²t + sin²t) – (a² + b²) sin²t

= a² – (a² + b²) sin²t

= a² (1 – k² sin²t)

where

k = (a² – b²) / a²

Now let

cos t = (1 – u²)^-1/2

and

du = cos t dt

to get

L = 4 a ₀∫¹ (1 - k²u²) ((1 - u²) (1 - k²u²))^-1/2 du

= 4 a ₀∫¹ ((1 - u²) (1 - k²u²))^-1/2 du

- 4 a k² ₀∫¹ u² ((1 - u²) (1 - k²u²))^-1/2 du

So a reasonable first question to ask is how to evaluate the first of those two integrals, or how to find

∫ ((1 - u²) (1 - k²u²))^-1/2 du

To do this, let's write

v² = (1 - u²) (1 - k²u²) = (u - α) (u - β) (u - γ) (u - δ)

Dividing by (u - α)⁴ we get that

(v / (u - α)²)² = (1 + (α - β) / (u - α)) (1 + (α - γ) / (u - α)) (1 + (α - δ) / (u - α))

Changing variables to

x = 1 / (u – α)

y = v / (u – α)²

we get

y² = (1 + (α - β) x) (1 + (α - γ) x) (1 + (α - δ) x)

= x³ + A x² + B x + C

so that we find that we're interested in an integral that looks like

∫ (x³ + A x² + B x + C)^-1/2 dx

That's just one more change of variable (and if you've read this far it's one that I'm sure that you can easily figure out) away from being

∫ (4 x³ - g₂ x - g₃)^-1/2 dx

which is exactly the sort of integral that's the inverse of the Weierstrass ℘-function.

So there you have it - there really is a good reason for elliptic curves being called "elliptic curves." It's because they're connected to arc length integrals on an ellipse, and that's what the connection is.

When I read cryptography papers I often get frustrated because what was obvious to the authors often isn't obvious to me. This means that I often spend lots of time trying to figure out exactly why it makes sense to go from one line of a calculation or proof to the next line. But I've come to the conclusion that more often than not, the reason that these things end up being true is because of Euler's theorem.

Euler's theorem says that if a and n are integers that are relatively prime then we have that

a^φ(n) ≡ 1 (mod n)

where φ is Euler's totient function.

It's fairly easy to see why this is true.

First, note that if a and n are relatively prime then we have that if we have the cancellation property, or that if we have

a b ≡ a c (mod n)

then we also have that

b = c (mod n)

This is true because if we have that

a b ≡ a c (mod n)

then

n | (a b – a c) = a (b - c)

If a and n are relatively prime then n ∤ a so we have to have that

n | (b – c)

or that

b ≡ c (mod n)

Now let

k₁, …, k_φ(n)

be φ(n) integers that are less than n and relatively prime to n. If a and n are relatively prime then the integers

k₁ a, k₂ a, ..., k_φ(n) a

are all different mod n because if we had

k_i a ≡ k_j a (mod n)

then we would have

k_i ≡ k_j (mod n)

by the cancellation property. 

Now because each k_i a is relatively prime to n and there are only φ(n) different positive integers relatively prime to n, the integers

k₁ a, k₂ a,…, k_φ(n) a

must be congruent to

k₁, k₂,…, k_φ(n)

If we multiply all of these congruences together we get that

k₁ a k₂ a … k_φ(n) a ≡ k₁ k₂… k_φ(n) (mod n)

or that

a^φ(n) k₁ k₂ … k_φ(n) ≡ k₁ k₂… k_φ(n) (mod n)

After using the cancellation property several times we're left with

a^φ(n) ≡ 1 (mod n)

just like we wanted.

It looks like we won't be using anything except elliptic curves or hyperelliptic curves for a while. At least that's what the almost-certainly-authoritative Cleverbot thinks will happen.

I recently came across Arthur Benjamin's TED talk in which he claimed that math education needs a major change. He said that we need to refocus the goal of undergraduate education on probability and statistics instead of on calculus. I don’t agree with this, and here's why. Note that this doesn't mean that I think that probability and statistics isn't important. It just means that I disagree with the proposed change to math education.

Now it's certainly true that understanding some basic probability is an important part of a good education. Lots of the important policy decision that we make are based on data of some sort. It's easy for politicians and special interests to distort or misrepresent data (lie) to support their positions, and one way to be able to see through these distortions and misrepresentations (lies) is to understand how to interpret data, and that's what a basic understanding of probability gives you.

But to understand enough probability to see through the misrepresentations isn’t really that hard. It just takes the background of a one-semester class for which the prerequisite is nothing more than an understanding of basic algebra. That's probably not the sort of class that should be ultimate goal of an undergraduate education. It's really the sort of thing that should be taught in high school. That's where I first learned probability, and the class that I took probably provided all of the background that the average person needs to have.

Another reason that I disagree with this is that calculus is really the foundation for all engineering and science. It's also the foundation for probability. So if you want to understand pretty much anything technical at a non-trivial level, including probability, you really need to understand some calculus to do that. That's not true for probability. It's definitely important background to have, but it's not as fundamental as calculus. Calculus is the language used to describe all engineering and science. Probability isn't. And undergraduate calculus is also an important step on the way to other important tools.

Functions of a complex variable is a fascinating subject and is inherently interesting (at least to me) to learn about, and it's essentially just an extension of undergraduate calculus to functions of complex numbers instead of functions of real numbers. That's where elliptic curves come from, so there are definitely lots of practical applications of it.

Measure theory is also inherently interesting (same disclaimer here), and that's essentially what you get when you try to push the definitions of undergraduate calculus to their limits and a bit beyond. You then see how calculus can fall apart and find what it takes to fix it. And the most important application of measure theory actually seems to be probability. A statistic is a measurable function of a random variable, after all, and probability theory seems to be the most important example of where you actually need to worry about whether or not sets or functions are actually measurable.

So it seems to me that probability is important background that everyone should know, but it's also not the sort of material that should be the ultimate goal of undergraduate education. Calculus is a much better goal for that. It's both the language of science and engineering and the next step towards more advanced topics. Probability isn't.

(Although quantum mechanics involves some probability, it really seemed more like applied functional analysis than applied probability to me. And calculus may not be very helpful in understanding algebraic geometry, but then I'm not sure that anything's really very helpful for that. But then does anyone really understand algebraic geometry?)

Bézout's theorem says that two polynomials of degrees n and m intersect in nm points. But if we graph xy = 1 and y = x² it looks like they only intersect at the single point (1,1) instead of at four points.

To see all four points of intersection we need to look at the corresponding homogeneous curves xy = z² and yz = x². Here's what this looks like:

Holy cow! It looks like Wikipedia actually has enough entries about category theory to justify having a special category theory portal. For those fortunate enough to have avoided studying it, category theory is what mathematician Miles Reid once described as "surely one of the most sterile of all intellectual pursuits."

I realize that you can find pretty much anything on the Internet, but I can't quite believe that enough people care about category theory to justify its own portal on Wikipedia.

The ate pairing can be very useful for implementing pairing-based cryptography because it can be much faster that either the Tate or Weil pairing. It's what all of our shipping products are moving to for that very reason.

Note that the first letter of "ate" isn't capitalized while the first letters of "Tate" and "Weil" are. That's because the Tate pairing is named after John Tate and the Weil pairing is named after André Weil. The ate pairing isn't named after anyone, however, so the word "ate" isn't capitalized.

And that's a good thing. It turns out that if you capitalize it, you end up with the Greek goddess Ate. Here's how the Encyclopedia Mythica describes her:

The Greek personification of infatuation, the rash foolishness of blind impulse, usually caused by guilt and leading to retribution. The goddess of discord and mischief, she tempted man to do evil, and then lead him to ruin. She once even managed to entrap Zeus, but he hurled her down from the Olympus. Now she wanders the earth, as a kind of avenging spirit, but still working her mischief among mankind. Her sisters, the Litai, follow her and repair the damage she has wrought to mortals.

So never capitalize "ate." That may give you a pairing that you really don't want to use.

Here's another visualization of a projective elliptic curve. This time it's the curve y² = x³ - (60/13) x² + (71/13) x. This particular curve is just one that I happened to have lying around that shows the "barbell" shape that you can get with some elliptic curves.

And as Forrest Gump might say, that's all I know about graphs of projective elliptic curves.

After the gratuitous ASCII art for this blog's 1000th post, it's time to move on to number 1001. That's an interesting number because we can write it as

1001 = 7 x 11 x 13

The reason that I happen to know this is that I used 1001 to test a program that I wrote in high school that was supposed to find all the prime factors of an integer. Because 1001 *looks* prime, I used it to test the case where the input was actually a prime and was surprised to see something like this come out instead:

1001 is not prime

7

11

13

There's no real connection to cryptography of information security there at all, is there? Maybe there'll be some of that tomorrow.

 Posted by Terence Spies, CTO of Voltage Security:  

After making the graphs of projective curves that I recently did with POV-Ray, I realized that I didn't make a graph of a hyperbola. To take care of that oversight, here's the projective version of xy = 1, or xy = z². The blue line is the hyperbola. The red line is where z = 0. This shows how thinking of a hyperbola as a circle that happens to run through the point at infinity seems to be a reasonable idea.

Over the past 10 years, IBE has become the one of the fastest deployed encryption technologies as measured by the commercial adoption of Voltage SecureMail™ and the use of IBE as a general purpose key management solution used across the Voltage Security product line. Since its commercial launch 8 years ago, Voltage SecureMail has become one of the most widely adopted secure email products in the world with over one billion secure business emails sent annually and over 50 million worldwide users; those numbers are expected to double by 2014.

IBE was first introduced on Tuesday August 21 at the 2001 Crypto conference in a seminal paper by Dan Boneh, Stanford University, and Matt Franklin, University of California Davis. The paper, entitled “Identity-Based Encryption from the Weil Pairing,” set forth a simple but powerful approach for encrypting information with identity-based keys. This cryptography breakthrough became the founding technology for Voltage Security that was incorporated in 2002 by three Stanford students working with Professor Boneh: Matt Pauker, Rishi Kacker and Guido Appenzeller. In July 2003, the new company launched Voltage SecureMail, an email encryption product using IBE to secure messages without the difficulties and expenses of traditional certificates.

Key metrics in the 10 year history of IBE:

• 50 million Voltage SecureMail users worldwide.
• Approximately one billion IBE secured business emails will be sent in 2011.
• By 2014, it is estimated there will be 100 million Voltage SecureMail licensed users and over two billion secure emails will be sent that year.
• All the messages protected by IBE in 2011, if printed out, would circle the globe seven times.
• Nearly a third of the world’s 20 biggest public companies (per the Forbes Global 2000) have standardized on Voltage SecureMail.

 World’s Biggest Companies Standardize on Voltage SecureMail

Nearly 30% of the world’s 20 biggest public companies (as listed by Forbes Global 2000) have standardized on Voltage SecureMail powered by IBE including four of the world’s largest global financial institutions; one of the world’s largest retailers, one of the largest U.S. managed healthcare providers and several large regional healthcare providers.

Notable Voltage SecureMail customers from the last year include:

• One of the largest Wall Street banks with over 230,000 employees standardizes on Voltage SecureMail
• A major Wall Street bank and Fortune 100 financial services provider with global operations chooses Voltage SecureMail for its 100,000 employees around the world.
• A major credit card brand with over 60,000 employees standardizes on Voltage SecureMail
• An award-winning regional health care organization replaces a non-functioning email security solution from one of the largest technology companies in the world with a policy-based encryption solution from Voltage SecureMail

• A Fortune 50 global financial services company deploys Voltage SecureMail to over 320,000 internal and several million external users across 86 countries, replacing an aging PKI-based encryption technology.

In addition, over 1000 enterprise companies have standardized on Voltage SecureMail, and thousands of mid-size to smaller business use the cloud-based Voltage SecureMail Cloud™ solution to protect private and confidential information.

More information at www.voltage.com

As if the previous post showing a picture of a projective elliptic curve wasn't bad enough, I had to tweak the POV-Ray scene file a bit to get it to plot a projective imaginary hyperelliptic curve. Here's what y² = x⁵ + x looks like. As before, the red curve shows where z = 0 and the blue is the hyperelliptic curve.

I finally managed to get a reasonable projective graph of an elliptic curve. Here's what it looks like. The elliptic curve y² = x³ + x is blue and the line where z = 0 is red.  As before, these were created using POV-Ray. It's interesting to see the inflection point of the elliptic curve on these graphs.

The projective curve

y²z = x³ + axz² + bz³

meets z = 0 at (0,1,0), and if we set y = 1 in the projective curve we're left with 

z = x³ + axz² + bz³

Out close to  z = 0, this looks roughly like z = x³, which gives us the inflection point that we see in these graphs.

 
I still haven't been able to get a graph of a projective elliptic curve that looks the way I want it to, but I've learned a few things about making projective graphs with POV-Ray. In particular, it seems useful to show a circle that shows where z = 0 is. If you add this to the graphs of a few simple polynomials, here's what you get.

Here's the graph of y = x².

Here's the graph of y = x³.

Here's the graph of y = x⁴.

Here's the graphy of y = x⁵.

On our recent Jack Bauer day, I was trying to implement the Tate pairing using hyperelliptic curve groups when I came across a bug in the program that I was working on. In one place I had accidentally implemented complex numbers in an incorrect way. For a complex number z = x + i y I had implemented i² = 1 instead of i² = -1.

I found this bug fairly quickly, but then I started thinking about the properties of numbers the form z = x + i y where i² = 1 instead of i² = -1. I followed this tangent for a while and never actually got back to the Tate pairing.

I didn’t know this at the time, but numbers of the numbers the form z = x + i y where i² = 1 are sometimes called "hyperbolic numbers." They're probably not as useful as the complex numbers because they’re not a field. That’s easy to see because they have zero divisors because we always have

(x + x i)(x – x i) = 0

But you get something sort of interesting if you look at what you get for the analog of an analytic function in the hyperbolic numbers. In the complex numbers, if we have an analytic function

f(z) = f(x + i y) = u(x,y) + i v(x,y)

then the Cauchy-Riemann equations tell us that we have

∂u/∂x = ∂v/∂y

and

∂u/∂y = -∂v/∂x

A quick corollary of the CRE is that u and v satisfy Laplace’s equation, or that

∂²u/∂x² + ∂²u/∂y² = 0

and

∂²v/∂x² + ∂²v/∂y² = 0

What about the case where we use hyperbolic numbers instead of complex numbers?

It turns out that the CRE aren’t true for functions of hyperbolic numbers, but we find that we now have

∂u/∂x = ∂v/∂y

and

∂u/∂y = ∂v/∂x

A quick corollary of these is that u and v now satisfy the wave equation, or that

∂²u/∂x² = ∂²u/∂y²

and

∂²v/∂x² = ∂²v/∂y²

After thinking about hyperbolic numbers for a while I looked around the Internet and found "Hyperbolic Analysis" by Andrei Khrennikov and Gavriel Segre and "Hyperbolic Cauchy Integral Formula for the Split Complex Numbers" by Matvei Libine, at which point I stopped thinking about them and started fighting with HTML to write this post. I never did get back to the Tate pairing on hyperellitpic curves. Maybe I'll try that next Jack Bauer day.

After some more discussion about probability distributions without a mean, I made some graphs that might show what's going on. In particular, consider the pdf

f(x) = 1 / (π (1 + x²))

Here's what that distribution looks like. It certainly looks like it might have mean zero.

But just like the example in last week's post, this pdf has the property that although

_-∞∫^∞ f(x) dx = 1

we also have

_-∞∫^∞ x f(x) dx

diverges, so the mean of this distribution doesn't exist.

We can get a rough idea from its graph why this particular distribution has no mean. If we compare it (red) to a (0,1) normal distribution (blue), this is what we see:

 
So it looks like the problem is roughly that the tails of the red distribution are too big, so that their contribution to the mean is too much for the mean to exist.

Another interesting bit of probability trivia came up today in a discussion of random versus deterministic encryption. In particular, it's possible to have an event that's independent of itself. Here's why.

Two events A and B are independent if we have

P(A ∩ B) = P(A) P(B)

So an event A is independent of itself if we have

P(A ∩ A) = P(A) P(A)

or

P(A) = P(A)²

That's true if either P(A) = 0 or P(A) = 1, in which case the event A is independent of itself.

After last week's post about the relationship between quaternions and the dot and cross products of vectors, I was asked why I thought quaternions didn't end up being very useful. I'd guess that the short answer is that they really don't model the real world very well.

It definitely isn't because multiplication of quaternions isn't commutative. Matrix multiplication also isn't commutative, yet matrices have ended up being very useful.

Instead, I'd guess that the problem with quaternions is that calculus doesn't work very well with them. With the complex numbers, there's a nice, clean way to characterize analytic functions: df/dz* = 0. But that doesn't seem to extend to the quaternions very well.

If we have a quaternion

q = q₀ + q₁ i + q₂ j + q₃ k

and its conjugate

q* = q₀ - q₁ i - q₂ j - q₃ k

then we have

qq* = q₀² + q₁² + q₂² + q₃²

which looks about right.

But we also find that we can write

q* = -(q + i q i + j q j + k q k) / 2

And because q and q* are connected in this way, we can never find a nice condition like df/dq* = 0 to characterize functions of a quaternion variable like we can for analytic functions. So I'd guess that's also part of why they haven't ended up being very useful.

While talking about random versus deterministic encryption this morning, we got into an interesting digression about probability. In particular, about the fact that not all probability distributions have a mean. Here's an example of this.

Let f(x) = 1 / x² for x ≥ 1 and 0 otherwise.

We have

∫_x≥0 f(x) dx = 1

so this f(x) makes sense as a pdf. But we find that the expected value

E(X) = ₁∫^∞ x f(x) dx

= ₁∫^∞ dx / x

This integral diverges, so the mean does not exist in this particular case.

(If you're familiar with Lebesgue integrals, you might want to define f(x) to be 1 / (2x²) for |x| ≥ 1. That gives a mean of ∞ - ∞ which is even undefined for Lebesgue integrals.)

It's also easy to create examples of discrete random variables that don't have a mean. We have that

∑_n≥1 1 / n² = π² / 6

so f(n) = 6 / (π² n²) makes sense as a discrete pdf. But we find that the expected value is

E(N) = ∑_n≥1 n f(n)

= (6/π²) ∑_n≥1 1 / n

This sum diverges, so the mean does not exist.

I was reading about quaternions last night when I came across an interesting bit of history.

Quaternions are generalizations of the complex numbers with four components instead of just two. We can write a quaternion a as being

a = a₀ + a₁ i + a₂ j + a₃ k

where i, j and k satisfy

i² = j² = k² = -1

i j = k = -j i

j k = i = -k j

k i = j = -i k

Note that multiplication of quaternions isn't commutative, so if a and b are quaternions then we don't necessarily have that ab = ba. Quaternions were apparently the first significant example of a structure where this was the case. But there's more to their history than that.

Let's split a quaternion a into a "scalar part" a₀ and a "vector part"

a_v = a₁ i + a₂ j + a₃ k

When we do that, we find that we can write the product of two quaternions a and b as

ab = (a₀ + a_v)(b₀ + b_v)

= a₀ b₀ – a_v ⋅ b_v + a₀b_v + b₀a_v + a_v × b_v

If a and b are "pure vectors," or that a₀ = b₀ = 0 then this reduces to

ab =  a_v × b_v – a_v ⋅ b_v

The first time that the dot product and cross product of vectors were defined was apparently to write multiplication of quaternions like this. The concepts didn't turn out to be very useful for understanding quaternions, but physicists soon realized that the operations were useful. They took the ideas and ran with them, and their future development ended up being totally independent from where they were originally invented. That’s something that I hadn't heard before.

Nathan Carter's book Visual Group Theory tries to help you understand group theory through a set of pictures. Some of these made sense to me while others didn't. Here's the illustration of the structure of dihedral groups from a presentation that Carter gave before the book was available. That seems to show their structure in a very useful way.

 

Carter's book runs 297 pages, many of which are illustrations like this one. It's a book that I would have found very useful back when I was taking classes in group theory. It would have definitely helped to make some concepts clearer. If you're interested in group theory, this is probably a book that you'll want to have a copy of.

Carter has also developed software that lets you create visualizations of groups. This is Group Explorer, and it's something that I wish I had time to actually try. Maybe I'll do that on Voltage's next Jack Bauer Day.

Because the machinery that Voltage's IBE algorithms use comes from algebraic geometry, the engineers who work on our core cryptography need to understand at least a little of it. So I wasn't too surprised this morning when I was asked what the connection is between the spectrum of a ring and the spectrum of a matrix. Here’s the totally non-rigorous answer that I came up with.

Suppose that we have an n x n matrix A over the complex numbers ℂ. The spectrum of A is the set of eigenvalues of A, or the solutions to

f(x) = det(A – x I) = 0

The spectrum of a ring is the set of prime ideals of the ring.

These two ideas sound like they’re totally unrelated at first, but there’s actually a connection. Here’s an example that shows this.

The Cayley-Hamilton theorem tells us that the matrix A satisfies f(x). So if we write

f(x) = a₀ + a₁ x + a₂ x² + … + a_n-1 x^n-1 + xⁿ

then we also have that

f(A) = a₀ I + a₁ A + a₂ A² + … + a_n-1 A^n-1 + Aⁿ = 0

To make things simpler, let's suppose that A has n distinct eigenvalues, and let's write

f(x) = (x - λ₁) (x - λ₂) ... (x - λ_n)

Now consider the ring ℂ[A] where

ℂ[A] = {z₀ + z₁ A + z₂ A² + …, z_i∈ℂ}

Because we have that

f(A) = a₀ I + a₁ A + a₂ A² + … + a_n-1 A^n-1 + Aⁿ= 0

we can reduce elements of ℂ[A] modulo f(A) to get rid of powers of A higher than n - 1. That's just like working in the quotient ring

ℂ[A] / (f(A))

But we can also think of this quotient as

ℂ[A] / ((A - λ₁ I) (A - λ₂ I) ... (A - λ_n I))

From there, the correspondence between the eigenvalues λ_i and the prime ideals (A - λ_i I) seems fairly natural. Or at least it's where most people seem to say, "Ah, I see the connection now." So if you're going to generalize this idea to other rings, calling the set of prime ideals the spectrum of the ring actually seems to make sense.