Uncharged Lines:

Uncharged Squares:

Uncharged Hexagons:

Uncharged Cubes:

T_2k Variants (Infinite Family):

A chain of the form

for any integer k.

Charged Triangles:

Charged Squares:

or

C_2k Variants (Infinite Family):

A chain of the form

for any integer k.

For a couple of the remaining fields, the problem is easy: there’s only a finite supply of graphs featuring a non-rational integer label, which can be found simply by running a growing process to termination. But once you move to fields with norm 2 integers, there’s enough freedom for things to get interesting: I’ve been working in the rings of integers of Q(√ -2) and Q(√ -7), where I can demonstrate an infinite family of such graphs and so the growing algorithm can never terminate. Nonetheless, in the simpler, ‘uncharged’ version of the problem, I have (proven) a complete classification in both of these fields. With a bit more work I’ve now settled the general case in Q(√ -2) and expect the logic of the argument (although not the precise results) to carry over to Q(√ -7).

That argument is essentially a lengthy case analysis; rather than get into the details I thought I’d just present the ‘zoo’ of possible graphs. The forms presented are necessary conditions (any cyclotomic graph will take one of these forms) but not sufficient (there may be non-cyclotomic graphs satisfying the form). However, no form contains no cyclotomic graphs - for a given form, including any instance of the infinite ones, I can exhibit at least one class of cyclotomic graphs.

After applying a numbering, the visual styling of an edge between two nodes i<j indicates the norm of the edge label (entry [i,j] of the matrix; take the conjugate for entry [j,i]); uncharged nodes are indicated by a point whilst [C] denotes a charged node (value of ±1 for entry [i.i] if node i is charged, otherwise zero). The precise choice of labels and charges requires some care over signs to ensure that the matrix has minimal polynomial x²-4; working with forms saves tracking such details, choosing equivalence class representatives, etc.

Then for the ring of integers of Q(√ -2) any connected maximal cyclotomic graph with a non-rational integer label must take one of the following forms:

Uncharged Squares:

Uncharged Cubes:

T_2k Variants (Infinite Family):

A chain of the form

for any integer k.

Charged Triangles:

Charged Squares:

or

C_2k Variants (Infinite Family):

A chain of the form

for any integer k.

As I said, I expect this to easily generalise to Q(√-7); the remaining fields Q(√-1) and Q(√-3) present more of a computational challenge, but meeting that challenge will hopefully be rewarded with more interesting behaviour!

The topics covered are: Diffie-Hellman and one-way functions for key exchange; the generic Discrete Logarithm Problem and BSGS algorithm; scalar multiplication- addition chains, fast exponentiation, m-ary methods and windowing; group law implementations, Side-channel attacks and the Edwards form.

I’ve discussed several of these ideas elsewhere on this blog, as well as the cryptanalysis ideas I mentioned on the day but which are not in the notes. I also refered to a recent real-world example of a side-channel attack; see this story from The Register for details.

Greedy pig is a simple maths game for groups that serves as an introduction to probability. I used it recently as a warm-up activity for a maths hour with local primary school children (around 11 years old), where it was well-received. For older students, it could provide the starting point for a discussion of topics such as the gambler’s fallacy or for a statistical investigation.

How to Play

A pair of dice are thrown, and their total recorded as a starting score for all participants. Play then proceeds in rounds. Before each round, players decide whether to stick with their current score, or continue playing. To play a round, roll a die; each player who is still in adds that many points to their score- unless a two is thrown, in which case they lose all their points. Play proceeds until all participants have decided to keep their score, or a two eliminates all remaining players. The winners of the game are the players with the highest score; it’s worth playing around three games and taking a combined total.

Practical issues when running the game

Keeping track of who’s in or out is most easily done by having students stand up if they wish to gamble or sit down if they wish to stick with their score. Apart from making it easy to spot when a player is trying to sneak back into the game, this is also good as it gives the students an idea of how confident their peers are to continue, and you’ll get lots of them wavering up and down as they try to decide!

Recording scores of players as they drop out is harder, but vital- children may try to cheat, or accuse each other of doing so, when it comes to declaring their final total. It’s definitely worth keeping a running tally of throws and totals on the blackboard -with the students doing the adding up! For smaller groups, you might be able to give out tokens or numbered cards as players save their score, but with larger groups (we had around 30 students per session) this would probably slow things down a lot. Perhaps give each student a piece of paper and a pen to write their score on (nice and large!) to hold up once they’ve sat down.

Some children are very risk adverse, and sit down almost immediately; others just stay standing until they get knocked out by a two. To make sure this isn’t due to misunderstanding the game, it’s worth doing a practice run first. It’s interesting to watch how strategies adapt as the players get more experience- particularly if the two is thrown surprisingly early or late in a game (we hit a total in the 70s for one session, which skewed things somewhat!)

Strategy

Can we say anything mathematically about when a player should sit down? That is, should we gamble a given total or not? You might want to think about this yourself before reading on.

To model this game, we can consider the expectation of a round- that is, the average outcome in the long run. Suppose then we have a total of N. Obviously, it’s only worth playing if our expected increase in the total offsets the risk of losing it all. One sixth of the time, a one will be thrown in the next round, leading to a gain of 1; with equal probability we might gain 3,4,5, or 6. So five sixths of the time, we gain some amount. But the remaining sixth of the time, we’ll hit a two and lose everything; this can be thought of as a ‘gain’ of minus N. So our expected gain by staying in is:

(1/6)*1+(1/6)*(-N)+(1/6)*3+(1/6)*4+(1/6)*5+(1/6)*6 = (1/6)*(1+3+4+5+6-N) = (19-N)/6.

Hence, for a play to be worthwhile, we need (19-N)/6 (and thus 19-N) to be positive. That is, we should be willing to gamble on a total of 19 or less, but a total of 20 or above should be banked.

Game Theory

However, as is always the case with expectation theory, this analysis depends on playing a large number of games and considering the total (or average) score across them. Playing just a few games tends to encourage an ‘all or nothing’ approach wherein players are more interested in winning in absolute terms (that is, being best in class) than the score attained in the progress.

Of course, the ideal time to bank is just before the two is thrown, thus leaving you with the maximum possible score (anyone who sat out earlier has less; anyone who stayed in scores zero). The problem is that by banking a score in a given round with the hope of winning that particular game, you are effectively gambling on it being the next throw being a two, and you’ll only be right one sixth of the time. The remaining five sixths of the time, you’ll be wrong and the others get a higher score- in a group situation, any of them could now retire with a better score than you, and in a 1-on-1 duel your opponent can bank immediately to guarantee the win.

But then, if everyone adopts this brinksmanship strategy of always staying in, then eventually they will all go over the brink and score zero. Depending on how the payoffs are modelled (which is of course crucial!) this two-player version of a round of Greedy Pig can be interpreted in game-theoretic terms as follows. If neither player has an advantage over the other, either by ending the game with a tied score, or by proceeding to another round, then assign them a score of 1, unless both players tied with zero, in which case score 0. Else, if one player wins the game this round and the other loses, the winner scores 2 and the loser 0. Mixing in the probabilities of winning or losing depending on a play of stick or gamble, we get a payoff bimatrix:

Notice that for player 1 the ‘gamble’ row dominates the ’stick’ row (and equivalently for player 2 in columns), and thus each player must gamble despite the fact that they each prefer the outcome of both sticking (score 1) to both gambling (score 5/6). Thinking of sticking as cooperating, and gambling as defecting, this is precisely the famous prisoner’s dilemma!

Variations

More advanced versions of Greedy Pig, and the resulting changes in optimal strategy, can be explored. For instance, you could cap the number of rounds to be played. A pair of dice could be used, scoring by either adding the total of both or taking their difference; this also allows for a range of elimination conditions: ending the game on a double, when either die is a 2, for a particular total etc. You could also vary the frequency with which players choose to gamble, such as commiting them to two throws of the die each round. But, particularly for younger children, beware of making the game too complicated at the expense of fun!

Based on my experiences running primary school workshops as part of the Science Communcation in Action scheme at the University of Edinburgh. Unfortunately, I do not know who deserves the original credit for this game.

But I can at least set the stage for more technically-minded readers (a friendlier explanation/illustration will hopefully follow once I truly understand all this!). Chris has characterised all symmetric integer matrices with the property that their eigenvalues are at most 2 in modulus; under a suitable transformation of their characteristic polynomials, these give cyclotomic polynomials and thus are referred to as cyclotomic matrices. Conveniently, any submatrix of a cyclotomic matrix is itself cyclotomic, so it suffices to find maximal examples. Although there are infinite families of these matrices, there are only a few ‘types’ possible.

These types are best understood by considering not the matrix, but an associated graph, where values in the matrix determine the weights on edges and nodes of the graph. This introduces a notion of equivalence, since many matrices will correspond to the same graph or certain well-defined variations on it. Further, we can adjoin nodes and edges to the corresponding graph to try and ‘grow’ towards maximal examples.

The motivation comes from finding polynomials of small Mahler measure- whilst a cyclotomic polynomial has measure 1, all others seem to be pushed away, with the smallest known value being 1.176… The question is how to generate small examples, and these matrices provide a way: by adjoining a single extra node to a maximal cyclotomic graph, a non-cyclotomic graph/matrix is obtained and thus a non-cyclotomic polynomial. The minimal graphs with this property (non-cyclotomic, but all subgraphs cyclotomic) often correspond to polynomials with some of the smallest known Mahler measures.

But some examples are not generated in this way, which is where I’ve stepped in. There is no reason to restrict attention to integer matrices, and I’ve established which imaginary quadratic extensions of the rationals give rise to rings of integers over which suitable matrices can be found. For a couple of fields, there are very few new (non rational-integer) cyclotomic matrices, and I have a complete description of them, but in others there are again infinite families as well as occasional examples that don’t generalise.

So I explore this behaviour by growing graphs/matrices, and try to spot patterns as they emerge from the fragments. I use the university’s parallel computing cluster Eddie for brute force work in SAGE, but such is the nature of the combinatorial explosion that even this doesn’t suffice without some mathematical insight along the way, as I try to refine my growing algorithms and capture equivalence as early as possible. I’m hopefully nearing the point where all examples fit into known families, at which point I’ll need to switch into serious mathematician mode and try and prove why this should be so. But for now I need to make sure that nothing unexpected tumbles out of each batch of calculations!

On a completely unrelated note, I’ve dragged modulo errors up to date with wordpress 2.5 and switched themes; please shout if you find I’ve broken something along the way.

The Euclidean Algorithm

Euclid’s algorithm recovers the greatest common divisor of two numbers a and b- that is, the largest x with the property that x|a and x|b (we write
x = gcd(a, b)). Thus, anything that is true of divisors of a and b in general is true of their g.c.d in particular.

To this end, recall that if x|a and x|b then x|a ± b. Further, if x|b then x|λb for any integer λ. Combining the two, we have that

x|a and x|b ⇒ x|(a ± λb) for all λ     (1)

How does this help us? Since gcd(a, b) = gcd(b, a), we can assume w.l.o.g that a ≥ b. Then by the quotient-remainder theorem, we can write a as a = qb + r for some integers q, r with 0 ≤ r < b. Rearranging gives us r = a -qb, so by (1) we have

x|a and x|b ⇒ x|(a - qb) = r     (2)

So in particular

gcd(a, b)|a and gcd(a, b)|b ⇒ gcd(a, b)|r     (3)

So, to solve the question of finding gcd(a, b), we can instead solve the question of finding gcd(b, r). Notice that b ≤ a and r < b, so this second question is easier.

Repeating this process, the pairs of terms keep decreasing until eventually we have the question “find the g.c.d. of r and 0″ for some r. But as anything divides 0, gcd(r, 0) = r. So there is always a final question; that question is easy to answer; and its answer is the same as the original g.c.d. we were looking for!

Worked Example

Suppose then that we want to find the g.c.d. of 51 and 36. We first appeal to the quotient-remainder theorem:

51 = 36 + 15

Thus any divisor of 51 and 36 (including the greatest) is also a divisor of 15. So we turn our attention to the easier problem of the g.c.d. of 36 and 15. Again by quotient-remainder

36 = 2 * 15 + 6

so it suffices to find gcd(15,6). Noting that

15 = 2 * 6 + 3

we discover that this is the same as the g.c.d. of 6 and 3. But

6 = 2 * 3 + 0

so that’s simply gcd(3,0)=3. Thus we have

gcd(51, 36) = gcd(36, 15) = gcd(15, 6) = gcd(6, 3) = gcd(3, 0) = 3

The Extended Euclidean Algorithm

Typically, one tabulates their progress through the algorithm more compactly; using the previous example we have

51 = 36 + 15      (4)

36 = 2 * 15 + 6   (5)

15 = 2 * 6 + 3     (6)

6   = 2 * 3 + 0     (7)

With such a representation, we can now tackle a related problem - given a, b, finding x, y such that

ax + by = gcd(a, b)

For our example, this means finding x, y with the property that 51x+36y = 3.

Notice that we do not have an identity in terms of 3, 36 and 51 anywhere in the table. But from (6), we do have an identity for 3 in terms of 15 and 6:

3 = 15 - 2 * 6

Then (5) tells us that

6 = 36 - 2 * 15

so we can rewrite our result for 3 in terms of 36 and 15 instead of 15 and 6, and so on.

In this way, we can chain upwards through the table to an identity for 3 ultimately in terms of 51 and 36- this process is known as the extended euclidean algorithm. Whereas the Euclidean algorithm works down from a and b, through simpler and simpler terms to the g.c.d., so the extended version works up from that g.c.d. through increasingly complicated terms to an expression in terms of a and b.

For our example, this works as follows:

3 = 15 - 2 * 6                               by (6)

   = 15 - 2 * (36 - 2 * 15)            by (5)

   = 5 * 15 - 2 * 36           (simplifying)

   = 5 * (51 - 36) - 2 * 36            by (4)

   = 5 * 51 - 7 * 36           (simplifying)

Linear Diophantine Equations

Why is all this useful? In number theory, the study of Diophantine equations concerns finding integer solutions to equations, where possible. Typically we seek to classify such equations based on whether we can find infinitely many such solutions, only finitely many, or none at all. The general question as to whether solutions exist is actually undecidable, but in various special cases we can say something.

Armed with the extended euclidean algorithm, we can tackle the case of linear diophantine equations in two variables:

For fixed integers a, b, c, do there exist integer solutions x, y of ax + by = c ?

Existence

Suppose c = λgcd(a, b) for some integer λ . Then, by the extended Euclidean algorithm we have x’, y’ with the property ax’+by’=gcd(a, b). So x = λx’, y = λy’ solve the linear diophantine equation, since

ax + by = aλx’ + bλy’ = λ(ax’ + by’) = λgcd(a, b) = c

Conversely, suppose c is not a multiple of gcd(a, b). Then, if the equation had solutions x, y then we’d have that gcd(a, b)|a|ax and gcd(a, b)|b|by so gcd(a, b)|ax + by = c, which is a contradiction.

Hence, the linear diophantine equation in two variables ax + by = c has integer solutions if and only if c is a multiple of gcd(a, b).

Number of Solutions

Assuming solutions exist, how many are there? Although the g.c.d. is unique, suitable pairs (x, y) with ax+by = gcd(a, b) (and hence solutions to the linear diophantine equation) are not. To see this, consider one of the standard tricks of analysis, adding and subtracting the same thing:

ax+by = λgcd(a, b) ) ax+by+ab-ab = λgcd(a, b) ) a(x+b)+b(y-a) = λgcd(a, b)

That is, if (x, y) satisfy the equation, so do (x + b, y - a). Which means we can apply the result again, giving (x+2b, y-2a). These will always be pairs of integer solutions, and so the existence of just one pair (x, y) gives us an infinite family (x + ib, y - ia) of solutions.

Hence we conclude that the linear diophantine equation in two variables ax+by = c has infinitely many integer solutions if c is a multiple of gcd(a, b), and none otherwise.

• The use of precomputed inverses for all steps, and precomputed squares/products for each step, as described by Stange,
• computation with a local vector to avoid overhead from function calls to keep the dictionary up-to-date,
• mixed block lengths as described in the previous post,
• and compilation to pyrex.

Thus it’s the fastest implementation I currently have for finding Tate pairings in SAGE (about twice as fast as accessing Stange’s PARI script from SAGE). Attach it in the normal way; example calculations are here.

In an earlier post I described Stange’s algorithm for efficiently finding terms in elliptic nets (with a view to pairing computation). I also made the observation that a shorter block structure could be used for doubling- but once employed, it was not possible to perform a double-and-add. This meant that unless the desired term had a higher power of two as a factor then savings would be minor.

However, for a cost it is possible to ‘upgrade’ these short blocks to long blocks, since they contain enough information to recover the missing (k+4,0) term:

Better still, this only introduces an additional two multiplications and one inversion, since some of the terms feature in the precomputation (and assuming (2,0)² is computed once and stored for subsequent use):

Thus, given a short block centred at k, we can obtain the short block centred at 2k+1 (that is, perform a shortDoubleAdd). The dependencies are as follows:

Notice that a shortDoubleAdd is more expensive than DoubleAdd, even though it gives a short rather than long block! Thus a purely short-block algorithm would perform worse than the standard algorithm for binary strings with a high Hamming weight, since for each Double-and-add an inversion is introduced in place of a multiplication. However, when the Hamming weight is low, then the occasional cost of an inversion is balanced by the savings accrued during short doublings. To exploit this, whilst guarding against too many inversions, we introduce an algorithm that uses a mixture of standard (‘long’) and short blocks. Since only a single inversion is required to switch to long blocks, doing so allows us to more efficiently compute long runs of 1s in the binary representation by spreading the cost across several DoubleAdds.

We consider the generation of long or short blocks with centre 2k (double) or 2k + 1 (double-and-add) from long or short blocks of centre k. The cheapest such operation is the generation of the short block with centre 2k from a short or long block with centre k, at a cost of 31 multiplications, 6 squarings and no inversions. Using this as a base line, each procedure introduces the following additional operations:

We adopt a windowing approach with two-bit windows: that is, bit b_i informs whether we are to double or double-and-add, but b_i-1 is also examined to determine whether we should generate a long or short block.

• For b_ib_i-1=00, the short block approach clearly minimises the cost through these two bits.
• For b_ib_i-1=11, one should stay with long blocks if these are already in use, to avoid inversion. If short, adopting the long block immediately will mean only a single inversion is required for the following run of 1s.
• For b_ib_i-1=10, if short, then an inversion is required whether you go long or not: since being long is not necessary for the following double, we keep the multiplication count down by 2 by staying short. Similarly for long: no inversion is required to perform the Double-and-add for either length, but as the next operation will be a double, we go short to avoid the unnecessary 2 multiplications.
• For b_ib_i-1=01, then it is always worth staying short if you already are, defering the inversion until it is strictly required for b_i-1=1 (possibly choosing to go long then based on b_i-2). If currently long, going short will save 4 multiplications and a squaring (approximately 5 multiplications). Even if it proves necessary to upgrade to long for the very next bit, that will only cost around 3.6 multiplications (based on 1I=1.6M, see performance section). Thus even a single zero bit is worth going short for.

Hence the approach is to always go to (or stay with, if already the case) short blocks, unless b_ib_i-1=11 in which case one should go to (or stay with) long blocks. Thus a 2-bit window is sufficient to determine appropriate block length, leading to the following algorithm.

2-Bit Window Algorithm

Double-and-add Mixed-blocks Algorithm

INPUT: Integer n and long block centred at 1.

OUTPUT: Block centred at n.

1. Compute binary digits d_i of n such that n=(d_kd_k-1…d₁)₂ with d_k=1.
2. Set c=1 (centre), Set status=’long’
3. For i=k-1 down to 2 do:
   • If status=’long’
     • If d_i=1
       • If d_{i-1}=1 Compute block with centre 2c+1 via DoubleAddLongFromLong; Set c to 2c+1.
       • Else Compute short block with centre 2c+1 via DoubleAddShortFromLong; Set c to 2c+1; Set status=’short’.
     • Else
       Compute short block with centre 2c via DoubleShortFromLong; Set c to 2c; Set status=’short’.
   • Else
     • If d_i=1
       • If d_{i-1}=1 Compute block with centre 2c+1 via DoubleAddLongFromShort; Set c to 2c+1; Set status=’long’.
       • Else Compute block with centre 2c+1 via DoubleAddShortFromShort; Set c to 2c+1.
     • Else
       Compute short block with centre 2c via DoubleShortFromShort; Set c to 2c.
4. • If d_1=1
     • If status=’short’ Compute block with centre 2c+1 via DoubleAddShortFromShort.
     • Else Compute block with centre 2c+1 via DoubleAddShortFromLong.
   • Else Compute short block with centre 2c via DoubleShortFromShort.
5. Return final block.

Performance

As described before, the maximum possible gain is when n is a power of two, in which case the algorithm proceeds entirely by short doubles. In this case, there is a 12 percent reduction in the number of multiplications/squarings performed, with no inversions required.

Brute-force analysis of all possible 16-bit strings gives an average reduction of around 9 percent in the number of multiplications/squarings performed. Costing each inversion at 1.6 multiplications (based on average performance in SAGE for a 256-bit prime field), this leads to an average reduction of around 5 percent in the number of multiplications required for such strings. Testing several hundred 256-bit strings gives a similar figure.

Clearly, inversion is not viable if it will lead to a division-by-zero error. However, since the first zero along (i,0) will arise at (m,0), no such error will occur when performing Tate pairing computations.

A summary of this post and the earlier one on Stange’s algorithm is available as pdf, containing (hopefully) clearer copies of the dependency graphs.

As last year, the course runs for two weeks in August, with a fairly intensive schedule of lectures and problem classes; when I attended, the students also spent a couple of days preparing a presentation for the final day. The pace is reasonably demanding, and the ideal audience would be students just finishing undergrad and about to enter study for an MSc or PhD (although I went after a year of postgrad study).

There are also social activities organised by both the department and the university - there are fifty courses scheduled across the summer in a wide range of subjects, so you’ll have the opportunity to mix with students from outside of mathematics too. Utrecht itself is a beautiful city - night canoeing through the canals is highly recommended! - and daytrips further afield are also offered.

For further details on the summerschool programme, see here; specifics for the mathematics course are being made available on the department pages. I also took some photos during my stay. Feel free to leave any questions you have in the comments!