# Category Archives: Math.NT

## A Notebook Preparing for a Talk at Quebec-Maine

This is a notebook containing a representative sample of the code I used to  generate the results and pictures presented at the Quebec-Maine Number Theory Conference on 9 October 2016. It was written in a Jupyter Notebook using Sage 7.3, and later converted for presentation on this site.
There is a version of the notebook available on github. Alternately, a static html version without WordPress formatting is available here. Finally, this notebook is also available in pdf form.
The slides for my talk are available here.

# Testing for a Generalized Conjecture on Iterated Sums of Coefficients of Cusp Forms¶

Let $f$ be a weight $k$ cusp form with Fourier expansion

$$f(z) = \sum_{n \geq 1} a(n) e(nz).$$

Deligne has shown that $a(n) \ll n^{\frac{k-1}{2} + \epsilon}$. It is conjectured that

$$S_f^1(n) := \sum_{m \leq X} a(m) \ll X^{\frac{k-1}{2} + \frac{1}{4} + \epsilon}.$$

It is known that this holds on average, and we recently showed that this holds on average in short intervals.
(See HKLDW1, HKLDW2, and HKLDW3 for details and an overview of work in this area).
This is particularly notable, as the resulting exponent is only 1/4 higher than that of a single coefficient.
This indicates extreme cancellation, far more than what is implied merely by the signs of $a(n)$ being random.

It seems that we also have

$$\sum_{m \leq X} S_f^1(m) \ll X^{\frac{k-1}{2} + \frac{2}{4} + \epsilon}.$$

That is, the sum of sums seems to add in only an additional 1/4 exponent.
This is unexpected and a bit mysterious.

The purpose of this notebook is to explore this and higher conjectures.
Define the $j$th iterated sum as

$$S_f^j(X) := \sum_{m \leq X} S_f^{j-1} (m).$$

Then we numerically estimate bounds on the exponent $\delta(j)$ such that

$$S_f^j(X) \ll X^{\frac{k-1}{2} + \delta(j) + \epsilon}.$$

In [1]:
# This was written in SageMath 7.3 through a Jupyter Notebook.

# sage plays strangely with ipython. This re-allows inline plotting
from IPython.display import display, Image


We first need a list of coefficients of one (or more) cusp forms.
For initial investigation, we begin with a list of 50,000 coefficients of the weight $12$ cusp form on $\text{SL}(2, \mathbb{Z})$, $\Delta(z)$, i.e. Ramanujan’s delta function.
We will use the data associated to the 50,000 coefficients for pictoral investigation as well.

We will be performing some numerical investigation as well.
For this, we will use the first 2.5 million coefficients of $\Delta(z)$

In [2]:
# Gather 10 coefficients for simple checking
check_10 = delta_qexp(11).coefficients()
print check_10

fiftyk_coeffs = delta_qexp(50000).coefficients()
print fiftyk_coeffs[:10] # these match expected

twomil_coeffs = delta_qexp(2500000).coefficients()
print twomil_coeffs[:10] # these also match expected

[1, -24, 252, -1472, 4830, -6048, -16744, 84480, -113643, -115920]
[1, -24, 252, -1472, 4830, -6048, -16744, 84480, -113643, -115920]
[1, -24, 252, -1472, 4830, -6048, -16744, 84480, -113643, -115920]

In [3]:
# Function which iterates partial sums from a list of coefficients

def partial_sum(baselist):
ret_list = [baselist[0]]
for b in baselist[1:]:
ret_list.append(ret_list[-1] + b)
return ret_list

print check_10
print partial_sum(check_10) # Should be the partial sums

[1, -24, 252, -1472, 4830, -6048, -16744, 84480, -113643, -115920]
[1, -23, 229, -1243, 3587, -2461, -19205, 65275, -48368, -164288]

In [4]:
# Calculate the first 10 iterated partial sums
# We store them in a single list list, sums_list
# the zeroth elelemnt of the list is the array of initial coefficients
# the first element is the array of first partial sums, S_f(n)
# the second element is the array of second iterated partial sums, S_f^2(n)

fiftyk_sums_list = []
fiftyk_sums_list.append(fiftyk_coeffs) # zeroth index contains coefficients
for j in range(10):                    # jth index contains jth iterate
fiftyk_sums_list.append(partial_sum(fiftyk_sums_list[-1]))

print partial_sum(check_10)
print fiftyk_sums_list[1][:10]         # should match above

twomil_sums_list = []
twomil_sums_list.append(twomil_coeffs) # zeroth index contains coefficients
for j in range(10):                    # jth index contains jth iterate
twomil_sums_list.append(partial_sum(twomil_sums_list[-1]))

print twomil_sums_list[1][:10]         # should match above

[1, -23, 229, -1243, 3587, -2461, -19205, 65275, -48368, -164288]
[1, -23, 229, -1243, 3587, -2461, -19205, 65275, -48368, -164288]
[1, -23, 229, -1243, 3587, -2461, -19205, 65275, -48368, -164288]


As is easily visible, the sums alternate in sign very rapidly.
For instance, we believe tha the first partial sums should change sign about once every $X^{1/4}$ terms in the interval $[X, 2X]$.
In this exploration, we are interested in the sizes of the coefficients.
But in HKLDW3, we investigated some of the sign changes of the partial sums.

Now seems like a nice time to briefly look at the data we currently have.
What do the first 50 thousand coefficients look like?
So we normalize them, getting $A(n) = a(n)/n^{5.5}$ and plot these coefficients.

In [5]:
norm_list = []
for n,e in enumerate(fiftyk_coeffs, 1):
normalized_element = 1.0 * e / (1.0 * n**(5.5))
norm_list.append(normalized_element)
print norm_list[:10]

1

In [6]:
# Make a quick display
normed_coeffs_plot = scatter_plot(zip(range(1,60000), norm_list), markersize=.02)
normed_coeffs_plot.save("normed_coeffs_plot.png")
display(Image("normed_coeffs_plot.png"))


Since some figures will be featuring prominently in the talk I’m giving at Quebec-Maine, let us make high-quality figures now.

1. 00000000000000, -0.530330085889911, 0.598733612492945, -0.718750000000000, 0.691213333204735, -0.317526448138560, -0.376547696558964, 0.911504835123284, -0.641518061271148, -0.366571226366719
Posted in Math.NT, Mathematics, Open, Programming, sagemath | | 1 Comment

## Paper: Sign Changes of Coefficients and Sums of Coefficients of Cusp Forms

This is joint work with Thomas Hulse, Chan Ieong Kuan, and Alex Walker, and is a another sequel to our previous work. This is the third in a trio of papers, and completes an answer to a question posed by our advisor Jeff Hoffstein two years ago.

We have just uploaded a preprint to the arXiv giving conditions that guarantee that a sequence of numbers contains infinitely many sign changes. More generally, if the sequence consists of complex numbers, then we give conditions that guarantee sign changes in a generalized sense.

Let $\mathcal{W}(\theta_1, \theta_2) := { re^{i\theta} : r \geq 0, \theta \in [\theta_1, \theta_2]}$ denote a wedge of complex plane.

Suppose ${a(n)}$ is a sequence of complex numbers satisfying the following conditions:

1. $a(n) \ll n^\alpha$,
2. $\sum_{n \leq X} a(n) \ll X^\beta$,
3. $\sum_{n \leq X} \lvert a(n) \rvert^2 = c_1 X^{\gamma_1} + O(X^{\eta_1})$,

where $\alpha, \beta, c_1, \gamma_1$, and $\eta_1$ are all real numbers $\geq 0$. Then for any $r$ satisfying $\max(\alpha+\beta, \eta_1) – (\gamma_1 – 1) < r < 1$, the sequence ${a(n)}$ has at least one term outside any wedge $\mathcal{W}(\theta_1, \theta_2)$ with $0 \theta_2 – \theta_1 < \pi$ for some $n \in [X, X+X^r)$ for all sufficiently large $X$.

These wedges can be thought of as just slightly smaller than a half-plane. For a complex number to escape a half plane is analogous to a real number changing sign. So we should think of this result as guaranteeing a sort of sign change in intervals of width $X^r$ for all sufficiently large $X$.

The intuition behind this result is very straightforward. If the sum of coefficients is small while the sum of the squares of the coefficients are large, then the sum of coefficients must experience a lot of cancellation. The fact that we can get quantitative results on the number of sign changes is merely a task of bookkeeping.

Both the statement and proof are based on very similar criteria for sign changes when ${a(n)}$ is a sequence of real numbers first noticed by Ram Murty and Jaban Meher. However, if in addition it is known that

\sum_{n \leq X} (a(n))^2 = c_2 X^{\gamma_2} + O(X^{\eta_2}),

and that $\max(\alpha+\beta, \eta_1, \eta_2) – (\max(\gamma_1, \gamma_2) – 1) < r < 1$, then generically both sequences ${\text{Re} (a(n)) }$ and ${ \text{Im} (a(n)) }$ contain at least one sign change for some $n$ in $[X , X + X^r)$ for all sufficiently large $X$. In other words, we can detect sign changes for both the real and imaginary parts in intervals, which is a bit more special.

It is natural to ask for even more specific detection of sign changes. For instance, knowing specific information about the distribution of the arguments of $a(n)$ would be interesting, and very closely reltated to the Sato-Tate Conjectures. But we do not yet know how to investigate this distribution.

In practice, we often understand the various criteria for the application of these two sign changes results by investigating the Dirichlet series
\begin{align}
&\sum_{n \geq 1} \frac{a(n)}{n^s} \\
&\sum_{n \geq 1} \frac{S_f(n)}{n^s} \\
&\sum_{n \geq 1} \frac{\lvert S_f(n) \rvert^2}{n^s} \\
&\sum_{n \geq 1} \frac{S_f(n)^2}{n^s},
\end{align}
where

S_f(n) = \sum_{m \leq n} a(n).

In the case of holomorphic cusp forms, the two previous joint projects with this group investigated exactly the Dirichlet series above. In the paper, we formulate some slightly more general criteria guaranteeing sign changes based directly on the analytic properties of the Dirichlet series involved.

In this paper, we apply our sign change results to our previous work to show that $S_f(n)$ changes sign in each interval $[X, X + X^{\frac{2}{3} + \epsilon})$ for sufficiently large $X$. Further, if there are coefficients with $\text{Im} a(n) \neq 0$, then the real and imaginary parts each change signs in those intervals.

We apply our sign change results to single coefficients of $\text{GL}(2)$ cusp forms (and specifically full integral weight holomorphic cusp forms, half-integral weight holomorphic cusp forms, and Maass forms). In large part these are minor improvements over folklore and what is known, except for the extension to complex coefficients.

We also apply our sign change results to single isolated coefficients $A(1,m)$ of $\text{GL}(3)$ Maass forms. This seems to be a novel result, and adds to the very sparse literature on sign changes of sequences associated to $\text{GL}(3)$ objects. Murty and Meher recently proved a general sign change result for $\text{GL}(n)$ objects which is similar in feel.

As a final application, we also consider sign changes of partial sums of $\nu$-normalized coefficients. Let

S_f^\nu(X) := \sum_{n \leq X} \frac{a(n)}{n^{\nu}}.

As $\nu$ gets larger, the individual coefficients $a(n)n^{-\nu}$ become smaller. So one should expect that sign changes in ${S_f^\nu(n)}$ to change based on $\nu$. And in particular, as $\nu$ gets very large, the number of sign changes of $S_f^\nu$ should decrease.

Interestingly, in the case of holomorphic cusp forms of weight $k$, we are able to show that there are sign changes of $S_f^\nu(n)$ in intervals even for normalizations $\nu$ a bit above $\nu = \frac{k-1}{2}$. This is particularly interesting as $a(n) \ll n^{\frac{k-1}{2} + \epsilon}$, so for $\nu > \frac{k-1}{2}$ the coefficients are \emph{decreasing} with $n$. We are able to show that when $\nu = \frac{k-1}{2} + \frac{1}{6} – \epsilon$, the sequence ${S_f^\nu(n)}$ has at least one sign change for $n$ in $[X, 2X)$ for all sufficiently large $X$.

It may help to consider a simpler example to understand why this is surprising. Consider the classic example of a sequence of $b(n)$, where $b(n) = 1$ or $b(n) = -1$, randomly, with equal probability. Then the expected size of the sums of $b(n)$ is about $\sqrt n$. This is an example of \emph{square-root cancellation}, and such behaviour is a common point of comparison. Similarly, the number of sign changes of the partial sums of $b(n)$ is also expected to be about $\sqrt n$.

Suppose now that $b(n) = \frac{\pm 1}{\sqrt n}$. If the first term is $1$, then it takes more then the second term being negative to make the overall sum negative. And if the first two terms are positive, then it would take more then the following three terms being negative to make the overall sum negative. So sign changes of the partial sums are much rarer. In fact, they’re exceedingly rare, and one might barely detect more than a dozen through computational experiment (although one should still expect infinitely many).

This regularity, in spite of the decreasing size of the individual coefficients $a(n)n^{-\nu}$, suggests an interesting regularity in the sign changes of the individual $a(n)$. We do not know how to understand or measure this effect or its regularity, and for now it remains an entirely qualitative observation.

For more details and specific references, see the paper on the arXiv.

## Math 420: Supplement on Gaussian Integers

This is a brief supplemental note on the Gaussian integers, written for my Spring 2016 Elementary Number Class at Brown University. With respect to the book, the nearest material is the material in Chapters 35 and 36, but we take a very different approach.

A pdf of this note can be found here. I’m sure there are typos, so feel free to ask me or correct me if you think something is amiss.

In this note, we cover the following topics.

1. What are the Gaussian integers?
2. Unique factorization within the Gaussian integers.
3. An application of the Gaussian integers to the Diophantine equation ${y^2 = x^3 – 1}$.
4. Other integer-like sets: general rings.
5. Specific examples within ${\mathbb{Z}[\sqrt{2}]}$ and ${\mathbb{Z}[\sqrt{-5}]}$.

1. What are the Gaussian Integers?

The Gaussian Integers are the set of numbers of the form ${a + bi}$, where ${a}$ and ${b}$ are normal integers and ${i}$ is a number satisfying ${i^2 = -1}$. As a collection, the Gaussian Integers are represented by the symbol ${\mathbb{Z}[i]}$, or sometimes ${\mathbb{Z}[\sqrt{-1}]}$. These might be pronounced either as The Gaussian Integers or as Z append i.

In many ways, the Gaussian integers behave very much like the regular integers. We’ve been studying the qualities of the integers, but we should ask — which properties are really properties of the integers, and which properties hold in greater generality? Is it the integers themselves that are special, or is there something bigger and deeper going on?

These are the main questions that we ask and make some progress towards in these notes. But first, we need to describe some properties of Gaussian integers.

We will usually use the symbols ${z = a + bi}$ to represent our typical Gaussian integer. One adds and multiples two Gaussian integers just as you would add and multiply two complex numbers. Informally, you treat ${i}$ like a polynomial indeterminate ${X}$, except that it satisfies the relation ${X^2 = -1}$.

Definition 1 For each complex number ${z = a + bi}$, we define the conjugate of ${z}$, written as ${\overline{z}}$, by

\overline{z} = a – bi.

We also define the norm of ${z}$, written as ${N(z)}$, by

N(z) = a^2 + b^2.

You can check that ${N(z) = z \overline{z}}$ (and in fact this is one of your assigned problems). You can also chack that ${N(zw) = N(z)N(w)}$, or rather that the norm is multiplicative (this is also one of your assigned problems).

Even from our notation, it’s intuitive that ${z = a + bi}$ has two parts, the part corresponding to ${a}$ and the part corresponding to ${b}$. We call ${a}$ the real part of ${z}$, written as ${\Re z = a}$, and we call ${b}$ the imaginary part of ${z}$, written as ${\Im z = b}$. I should add that the name ”imaginary number” is a poor name that reflects historical reluctance to view complex numbers as acceptable. For that matter, the name ”complex number” is also a poor name.

As a brief example, consider the Gaussian integer ${z = 2 + 5i}$. Then ${N(z) = 4 + 25 = 29}$, ${\Re z = 2}$, ${\Im z = 5}$, and ${\overline{z} = 2 – 5i}$.

We can ask similar questions to those we asked about the regular integers. What does it mean for ${z \mid w}$ in the complex case?

Definition 2 We say that a Gaussian integer ${z}$ divides another Gaussian integer ${w}$ if there is some Gaussian integer ${k}$ so that ${zk = w}$. In this case, we write ${z \mid w}$, just as we write for regular integers.

For the integers, we immediately began to study the properties of the primes, which in many ways were the building blocks of the integers. Recall that for the regular integers, we said ${p}$ was a prime if its only divisors were ${\pm 1}$ and ${\pm p}$. In the Gaussian integers, the four numbers ${\pm 1, \pm i}$ play the same role as ${\pm 1}$ in the usual integers. These four numbers are distinguished as being the only four Gaussian integers with norm equal to ${1}$.

That is, the only solutions to ${N(z) = 1}$ where ${z}$ is a Gaussian integer are ${z = \pm 1, \pm i}$. We call these four numbers the Gaussian units.

With this in mind, we are ready to define the notion of a prime for the Gaussian integers.

Definition 3 We say that a Gaussian integer ${z}$ with ${N(z) > 1}$ is a Gaussian prime if the only divisors of ${z}$ are ${u}$ and ${uz}$, where ${u = \pm 1, \pm i}$ is a Gaussian unit.

Remark 1 When we look at other integer-like sets, we will actually use a different definition of a prime.

It’s natural to ask whether the normal primes in ${\mathbb{Z}}$ are also primes in ${\mathbb{Z}[i]}$. And the answer is no. For instance, ${5}$ is a prime in ${\mathbb{Z}}$, but

5 = (1 + 2i)(1 – 2i)

in the Gaussian integers. However, the two Gaussian integers ${1 + 4i}$ and ${1 – 4i}$ are prime. It also happens to be that ${3}$ is a Gaussian prime. We will continue to investigate which numbers are Gaussian primes over the next few lectures.

With a concept of a prime, it’s also natural to ask whether or not the primes form the building blocks for the Gaussian integers like they form the building blocks for the regular integers. We take up this in our next topic.

2. Unique Factorization in the Gaussian Integers

Let us review the steps that we followed to prove unique factorization for ${\mathbb{Z}}$.

1. We proved that for ${a,b}$ in ${\mathbb{Z}}$ with ${b \neq 0}$, there exist unique ${q}$ and ${r}$ such that ${a = bq + r}$ with ${0 \leq r < b}$. This is called the Division Algorithm.
2. By repeatedly applying the Division Algorithm, we proved the Euclidean Algorithm. In particular, we showed that the last nonzero remainder was the GCD of our initial numbers.
3. By performing reverse substition on the steps of the Euclidean Algorithm, we showed that there are integer solutions in ${x,y}$ to the Diophantine equation ${ax + by = \gcd(a,b)}$. This is often called Bezout’s Theorem or Bezout’s Lemma, although we never called it by that name in class.
4. With Bezout’s Theorem, we showed that if a prime ${p}$ divides ${ab}$, then ${p \mid a}$ or ${p \mid b}$. This is the crucial step towards proving Unique Factorization.
5. We then proved Unique Factorization.

Each step of this process can be repeated for the Gaussian integers, with a few notable differences. Remarkably, once we have the division algorithm, each proof is almost identical for ${\mathbb{Z}[i]}$ as it is for ${\mathbb{Z}}$. So we will prove the division algorithm, and then give sketches of the remaining ideas, highlighting the differences that come up along the way.

In the division algorithm, we require the remainder ${r}$ to ”be less than what we are dividing by.” A big problem in translating this to the Gaussian integers is that the Gaussian integers are not ordered. That is, we don’t have a concept of being greater than or less than for ${\mathbb{Z}[i]}$.

When this sort of problem emerges, we will get around this by taking norms. Since the norm of a Gaussian integer is a typical integer, we will be able to use the ordering of the integers to order our norms.

Theorem 4 For ${z,w}$ in ${\mathbb{Z}[i]}$ with ${w \neq 0}$, there exist ${q}$ and ${r}$ in ${\mathbb{Z}[i]}$ such that ${z = qw + r}$ with ${N(r) < N(w)}$.

Proof: Here, we will cheat a little bit and use properties about general complex numbers and the rationals to perform this proof. One can give an entirely intrinsic proof, but I like the approach I give as it also informs how to actually compute the ${q}$ and ${r}$.

The entire proof boils down to the idea of writing ${z/w}$ as a fraction and approximating the real and imaginary parts by the nearest integers.

Let us now transcribe that idea. We will need to introduce some additional symbols. Let ${z = a_1 + b_1 i}$ and ${w = a_2 + b_2 i}$.

Then
\begin{align}
\frac{z}{w} &= \frac{a_1 + b_1 i}{a_2 + b_2 i} = \frac{a_1 + b_1 i}{a_2 + b_2 i} \frac{a_2 – b_2 i}{a_2 – b_2 i} \\
&= \frac{a_1a_2 + b_1 b_2}{a_2^2 + b_2^2} + i \frac{b_1 a_2 – a_1 b_2}{a_2^2 + b_2 ^2} \\
&= u + iv.
\end{align}
By rationalizing the denominator by multiplying by ${\overline{w}/ \overline{w}}$, we are able to separate out the real and imaginary parts. In this final expression, we have named ${u}$ to be the real part and ${v}$ to be the imaginary part. Notice that ${u}$ and ${v}$ are normal rational numbers.

We know that for any rational number ${u}$, there is an integer ${u’}$ such that ${\lvert u – u’ \rvert \leq \frac{1}{2}}$. Let ${u’}$ and ${v’}$ be integers within ${1/2}$ of ${u}$ and ${v}$ above, respectively.

Then we claim that we can choose ${q = u’ + i v’}$ to be the ${q}$ in the theorem statement, and let ${r}$ be the resulting remainder, ${r = z – qw}$. We need to check that ${N(r) < N(w)}$. We will check that explicitly.

We compute
\begin{align}
N(r) &= N(z – qw) = N\left(w \left(\frac{z}{w} – q\right)\right) = N(w) N\left(\frac{z}{w} – q\right).
\end{align}
Note that we have used that ${N(ab) = N(a)N(b)}$. In this final expression, we have already come across ${\frac{z}{w}}$ before — it’s exactly what we called ${u + iv}$. And we called ${q = u’ + i v’}$. So our final expression is the same as

N(r) = N(w) N(u + iv – u’ – i v’) = N(w) N\left( (u – u’) + i (v – v’)\right).

How large can the real and imaginary parts of ${(u-u’) + i (v – v’)}$ be? By our choice of ${u’}$ and ${v’}$, they can be at most ${1/2}$.

So we have that

N(r) \leq N(w) N\left( (\tfrac{1}{2})^2 + (\tfrac{1}{2})^2\right) = \frac{1}{2} N(w).

And so in particular, we have that ${N(r) < N(w)}$ as we needed. $\Box$

Note that in this proof, we did not actually show that ${q}$ or ${r}$ are unique. In fact, unlike the case in the regular integers, it is not true that ${q}$ and ${r}$ are unique.

Example 1 Consider ${3+5i, 1 + 2i}$. Then we compute

\frac{3+5i}{1+2i} = \frac{3+5i}{1+2i}\frac{1-2i}{1-2i} = \frac{13}{5} + i \frac{-1}{5}.

The closest integer to ${13/5}$ is ${3}$, and the closest integer to ${-1/5}$ is ${0}$. So we take ${q = 3}$. Then ${r = (3+5i) – (1+2i)3 = -i}$, and we see in total that

3+5i = (1+2i) 3 – i.

Note that ${N(-i) = 1}$ and ${N(1 + 2i) = 5}$, so this choice of ${q}$ and ${r}$ works.

As ${13/5}$ is sort of close to ${2}$, what if we chose ${q = 2}$ instead? Then ${r = (3 + 5i) – (1 + 2i)2 = 1 + i}$, leading to the overall expression

3_5i = (1 + 2i) 2 + (1 + i).

Note that ${N(1+i) = 2 < N(1+2i) = 5}$, so that this choice of ${q}$ and ${r}$ also works.

This is an example of how the choice of ${q}$ and ${r}$ is not well-defined for the Gaussian integers. In fact, even if one decides to choose ${q}$ to that ${N(r)}$ is minimal, the resulting choices are still not necessarily unique.

This may come as a surprise. The letters ${q}$ and ${r}$ come from our tendency to call those numbers the quotient and remainder after division. We have shown that the quotient and remainder are not well-defined, so it does not make sense to talk about ”the remainder” or ”the quotient.” This is a bit strange!

Are we able to prove unique factorization when the process of division itself seems to lead to ambiguities? Let us proceed forwards and try to see.

Our next goal is to prove the Euclidean Algorithm. By this, we mean that by repeatedly performing the division algorithm starting with two Gaussian integers ${z}$ and ${w}$, we hope to get a sequence of remainders with the last nonzero remainder giving a greatest common divisor of ${z}$ and ${w}$.

Before we can do that, we need to ask a much more basic question. What do we mean by a greatest common divisor? In particular, the Gaussian integers are not ordered, so it does not make sense to say whether one Gaussian integer is bigger than another.

For instance, is it true that ${i > 1}$? If so, then certainly ${i}$ is positive. We know that multiplying both sides of an inequality by a positive number doesn’t change that inequality. So multiplying ${i > 1}$ by ${i}$ leads to ${-1 > i}$, which is absurd if ${i}$ was supposed to be positive!

To remedy this problem, we will choose a common divisor of ${z}$ and ${w}$ with the greatest norm (which makes sense, as the norm is a regular integer and thus is well-ordered). But the problem here, just as with the division algorithm, is that there may or may not be multiple such numbers. So we cannot talk about ”the greatest common divisor” and instead talk about ”a greatest common divisor.” To paraphrase Lewis Carroll’s\footnote{Carroll was also a mathematician, and hid some nice mathematics inside some of his works.} Alice, things are getting curiouser and curiouser!

Definition 5 For nonzero ${z,w}$ in ${\mathbb{Z}[i]}$, a greatest common divisor of ${z}$ and ${w}$, denoted by ${\gcd(z,w)}$, is a common divisor with largest norm. That is, if ${c}$ is another common divisor of ${z}$ and ${w}$, then ${N(c) \leq N(\gcd(z,w))}$.

If ${N(\gcd(z,w)) = 1}$, then we say that ${z}$ and ${w}$ are relatively prime. Said differently, if ${1}$ is a greatest common divisor of ${z}$ and ${w}$, then we say that ${z}$ and ${w}$ are relatively prime.

Remark 2 Note that ${\gcd(z,w)}$ as we’re writing it is not actually well-defined, and may stand for any greatest common divisor of ${z}$ and ${w}$.

With this definition in mind, the proof of the Euclidean Algorithm is almost identical to the proof of the Euclidean Algorithm for the regular integers. As with the regular integers, we need the following result, which we will use over and over again.

Lemma 6 Suppose that ${z \mid w_1}$ and ${z \mid w_2}$. Then for any ${x,y}$ in ${\mathbb{Z}[i]}$, we have that ${z \mid (x w_1 + y w_2)}$.

Proof: As ${z \mid w_1}$, there is some Gaussian integer ${k_1}$ such that ${z k_1 = w_1}$. Similarly, there is some Gaussian integer ${k_2}$ such that ${z k_2 = w_2}$.

Then ${xw_1 + yw_2 = zxk_1 + zyk_2 = z(xk_1 + yk_2)}$, which is divisible by ${z}$ as this is the definition of divisibility. $\Box$

Notice that this proof is identical to the analogous statement in the integers, except with differently chosen symbols. That is how the proof of the Euclidean Algorithm goes as well.

Theorem 7 let ${z,w}$ be nonzero Gaussian integers. Recursively apply the division algorithm, starting with the pair ${z, w}$ and then choosing the quotient and remainder in one equation the new pair for the next. The last nonzero remainder is divisible by all common divisors of ${z,w}$, is itself a common divisor, and so the last nonzero remainder is a greatest common divisor of ${z}$ and ${w}$.

Symbolically, this looks like
\begin{align}
z &= q_1 w + r_1, \quad N(r_1) < N(w) \\\\
w &= q_2 r_1 + r_2, \quad N(r_2) < N(r_1) \\\\
r_1 &= q_3 r_2 + r_3, \quad N(r_3) < N(r_2) \\\\
\cdots &= \cdots \\\\
r_k &= q_{k+2} r_{k+1} + r_{k+2}, \quad N(r_{k+2}) < N(r_{k+1}) \\\\
r_{k+1} &= q_{k+3} r_{k+2} + 0,
\end{align}
where ${r_{k+2}}$ is the last nonzero remainder, which we claim is a greatest common divisor of ${z}$ and ${w}$.

Proof: We are claiming several thing. Firstly, we should prove our implicit claim that this algorithm terminates at all. Is it obvious that we should eventually reach a zero remainder?

In order to see this, we look at the norms of the remainders. After each step in the algorithm, the norm of the remainder is smaller than the previous step. As the norms are always nonnegative integers, and we know there does not exist an infinite list of decreasing positive integers, we see that the list of nonzero remainders is finite. So the algorithm terminates.

We now want to prove that the last nonzero remainder is a common divisor and is in fact a greatest common divisor. The proof is actually identical to the proof in the integer case, merely with a different choice of symbols.

Here, we only sketch the argument. Then the rest of the argument can be found by comparing with the proof of the Euclidean Algorithm for ${\mathbb{Z}}$ as found in the course textbook.

For ease of exposition, suppose that the algorithm terminated in exatly 3 steps, so that we have
\begin{align}
z &= q_1 w + r_1, \\
w &= q_2 r_1 + r_2 \\
r_1 &= q_3 r_2 + 0.
\end{align}

On the one hand, suppose that ${d}$ is a common divisor of ${z}$ and ${w}$. Then by our previous lemma, ${d \mid z – q_1 w = r_1}$, so that we see that ${d}$ is a divisor of ${r_1}$ as well. Applying to the next line, we have that ${d \mid w}$ and ${d \mid r_1}$, so that ${d \mid w – q_2 r_1 = r_2}$. So every common divisor of ${z}$ and ${w}$ is a divisor of the last nonzero remainder ${r_2}$.

On the other hand, ${r_2 \mid r_1}$ by the last line of the algorithm. Then as ${r_2 \mid r_1}$ and ${r_2 \mid r_1}$, we know that ${r_2 \mid q_2 r_1 + r_2 = w}$. Applying this to the first line, as ${r_2 \mid r_1}$ and ${r_2 \mid w}$, we know that ${r_2 \mid q_1 w + r_1 = z}$. So ${r_2}$ is a common divisor.

We have shown that ${r_2}$ is a common divisor of ${z}$ and ${w}$, and that every common divisor of ${z}$ and ${w}$ divides ${r_2}$. How do we show that ${r_2}$ is a greatest common divisor?

Suppose that ${d}$ is a common divisor of ${z}$ and ${w}$, so that we know that ${d \mid r_2}$. In particular, this means that there is some nonzero ${k}$ so that ${dk = r_2}$. Taking norms, this means that ${N(dk) = N(d)N(k) = N(r_2)}$. As ${N(d)}$ and ${N(k)}$ are both at least ${1}$, this means that ${N(d) \leq N(r_2)}$.

This is true for every common divisor ${d}$, and so ${N(r_2)}$ is at least as large as the norm of any common divisor of ${z}$ and ${w}$. Thus ${r_2}$ is a greatest common divisor.

The argument carries on in the same way for when there are more steps in the algorithm. $\Box$

Theorem 8 The greatest common divisor of ${z}$ and ${w}$ is well-defined, up to multiplication by ${\pm 1, \pm i}$. In other words, if ${\gcd(z,w)}$ is a greatest common divisor of ${z}$ and ${w}$, then all greatest common divisors of ${z}$ and ${w}$ are given by ${\pm \gcd(z,w), \pm i \gcd(z,w)}$.

Proof: Suppose ${d}$ is a greatest common divisor, and let ${\gcd(z,w)}$ denote a greatest common divisor resulting from an application of the Euclidean Algorithm. Then we know that ${d \mid \gcd(z,w)}$, so that there is some ${k}$ so that ${dk = \gcd(z,w)}$. Taking norms, we see that ${N(d)N(k) = N(\gcd(z,w)}$.

But as both ${d}$ and ${\gcd(z,w)}$ are greatest common divisors, we must have that ${N(d) = N(\gcd(z,w))}$. So ${N(k) = 1}$. The only Gaussian integers with norm one are ${\pm 1, \pm i}$, so we have that ${du = \gcd(z,w)}$ where ${u}$ is one of the four Gaussian units, ${\pm 1, \pm i}$.

Conversely, it’s clear that the four numbers ${\pm \gcd(z,w), \pm i \gcd(z,w)}$ are all greatest common divisors. $\Box$

Now that we have the Euclidean Algorithm, we can go towards unique factorization in ${\mathbb{Z}[i]}$. Let ${g}$ denote a greatest common divisor of ${z}$ and ${w}$. Reverse substitution in the Euclidean Algorithm shows that we can find Gaussian integer solutions ${x,y}$ to the (complex) linear Diophantine equation

zx + wy = g.

Let’s see an example.

Example 2 Consider ${32 + 9i}$ and ${4 + 11i}$. The Euclidean Algorithm looks like
\begin{align}
32 + 9i &= (4 + 11i)(2 – 2i) + 2 – 5i, \\\\
4 + 11i &= (2 – 5i)(-2 + i) + 3 – i, \\\\
2 – 5i &= (3-i)(1-i) – i, \\\\
3 – i &= -i (1 + 3i) + 0.
\end{align}
So we know that ${-i}$ is a greatest common divisor of ${32 + 9i}$ and ${4 + 11i}$, and so we know that ${32+9i}$ and ${4 + 11i}$ are relatively prime. Let us try to find a solution to the Diophantine equation

x(32 + 9i) + y(4 + 11i) = 1.

Performing reverse substition, we see that
\begin{align}
-i &= (2 – 5i) – (3-i)(1-i) \\\\
&= (2 – 5i) – (4 + 11i – (2-5i)(-2 + i))(1-i) \\\\
&= (2 – 5i) – (4 + 11i)(1 – i) + (2 – 5i)(-2 + 1)(1 – i) \\\\
&= (2 – 5i)(3i) – (4 + 11i)(1 – i) \\\\
&= (32 + 9i – (4 + 11i)(2 – 2i))(3i) – (4 + 11i)(1 – i) \\\\
&= (32 + 9i) 3i – (4 + 11i)(2 – 2i)(3i) – (4 + 11i)(1-i) \\\\
&= (32 + 9i) 3i – (4 + 11i)(7 + 5i).
\end{align}
Multiplying this through by ${i}$, we have that

1 = (32 + 9i) (-3) + (4 + 11i)(5 – 7i).

So one solution is ${(x,y) = (-3, 5 – 7i)}$.

Although this looks more complicated, the process is the same as in the case over the regular integers. The apparent higher difficulty comes mostly from our lack of familiarity with basic arithmetic in ${\mathbb{Z}[i]}$.

The rest of the argument is now exactly as in the integers.

Theorem 9 Suppose that ${z, w}$ are relatively prime, and that ${z \mid wv}$. Then ${z \mid v}$.

Proof: This is left as an exercise (and will appear on the next midterm in some form — cheers to you if you’ve read this far in these notes). But it’s now the almost the same as in the regular integers. $\Box$

Theorem 10 Let ${z}$ be a Gaussian integer with ${N(z) > 1}$. Then ${z}$ can be written uniquely as a product of Gaussian primes, up to multiplication by one of the Gaussian units ${\pm 1, \pm i}$.

Proof: We only sketch part of the proof. There are multiple ways of doing this, but we present the one most similar to what we’ve done for the integers. If there are Gaussian integers without unique factorization, then there are some (maybe they tie) with minimal norm. So let ${z}$ be a Gaussian integer of minimal norm without unique factorization. Then we can write

p_1 p_2 \cdots p_k = z = q_1 q_2 \cdots q_\ell,

where the ${p}$ and ${q}$ are all primes. As ${p_1 \mid z = q_1 q_2 \cdots q_\ell}$, we know that ${p_1}$ divides one of the ${q}$ (by Theorem~9), and so (up to units) we can say that ${p_1}$ is one of the ${q}$ primes. We can divide each side by ${p_1}$ and we get two supposedly different factorizations of a Gaussian integer of norm ${N(z)/N(p_1) < N(z)}$, which is less than the least norm of an integer without unique factorization (by what we supposed). This is a contradiction, and we can conclude that there are no Gaussian integers without unique factorization. $\Box$

If this seems unclear, I recommend reviewing this proof and the proof of unique factroziation for the regular integers. I should also mention that one can modify the proof of unique factorization for ${\mathbb{Z}}$ as given in the course textbook as well (since it is a bit different than what we have done). Further, the course textbook does proof of unique factorization for ${\mathbb{Z}[i]}$ in Chapter 36, which is very similar to the proof sketched above (although the proof of Theorem~9 is very different.)

3. An application to ${y^2 = x^3 – 1}$.

We now consider the nonlinear Diophantine equation ${y^2 = x^3 – 1}$, where ${x,y}$ are in ${\mathbb{Z}}$. This is hard to solve over the integers, but by going up to ${\mathbb{Z}[i]}$, we can determine all solutions.

In ${\mathbb{Z}[i]}$, we can rewrite $$y^2 + 1 = (y + i)(y – i) = x^3. \tag{1}$$
We claim that ${y+i}$ and ${y-i}$ are relatively prime. To see this, suppose that ${d}$ is a common divisor of ${y+i}$ and ${y-i}$. Then ${d \mid (y + i) – (y – i) = 2i}$. It happens to be that ${2i = (1 + i)^2}$, and that ${(1 + i)}$ is prime. To see this, we show the following.

Lemma 11 Suppose ${z}$ is a Gaussian integer, and ${N(z) = p}$ is a regular prime. Then ${z}$ is a Gaussian prime.

Proof: Suppose that ${z}$ factors nontrivially as ${z = ab}$. Then taking norms, ${N(z) = N(a)N(b)}$, and so we get a nontrivial factorization of ${N(z)}$. When ${N(z)}$ is a prime, then there are no nontrivial factorizations of ${N(z)}$, and so ${z}$ must have no nontrivial factorization. $\Box$

As ${N(1+i) = 2}$, which is a prime, we see that ${(1 + i)}$ is a Gaussian prime. So ${d \mid (1 + i)^2}$, which means that ${d}$ is either ${1, (1 + i)}$, or ${(1+i)^2}$ (up to multiplication by a Gaussian unit).

Suppose we are in the case of the latter two, so that ${(1+i) \mid d}$. Then as ${d \mid (y + i)}$, we know that ${(1 + i) \mid x^3}$. Taking norms, we have that ${2 \mid x^6}$.

By unique factorization in ${\mathbb{Z}}$, we know that ${2 \mid x}$. This means that ${4 \mid x^2}$, which allows us to conclude that ${x^3 \equiv 0 \pmod 4}$. Going back to the original equation ${y^2 + 1 = x^3}$, we see that ${y^2 + 1 \equiv 0 \pmod 4}$, which means that ${y^2 \equiv 3 \pmod 4}$. A quick check shows that ${y^2 \equiv 3 \pmod 4}$ has no solutions ${y}$ in ${\mathbb{Z}/4\mathbb{Z}}$.

So we rule out the case then ${(1 + i) \mid d}$, and we are left with ${d}$ being a unit. This es exactly the case that ${y+i}$ and ${y-i}$ are relatively prime.

Recall that ${(y+i)(y-i) = x^3}$. As ${y+i}$ and ${y-i}$ are relatively prime and their product is a cube, by unique factorization in ${\mathbb{Z}[i]}$ we know that ${y+i}$ and ${y-i}$ much each be Gaussian cubes. Then we can write ${y+i = (m + ni)^3}$ for some Gaussian integer ${m + ni}$. Expanding, we see that

y+i = m^3 – 3mn^2 + i(3m^2n – n^3).

Equating real and imaginary parts, we have that
\begin{align}
y &= m(m^2 – 3n^2) \\
1 &= n(3m^2 – n^2).
\end{align}
This second line shows that ${n \mid 1}$. As ${n}$ is a regular integer, we see that ${n = 1}$ or ${-1}$.

If ${n = 1}$, then that line becomes ${1 = (3m^2 – 1)}$, or after rearranging ${2 = 3m^2}$. This has no solutions.

If ${n = -1}$, then that line becomes ${1 = -(3m^2 – 1)}$, or after rearranging ${0 = 3m^2}$. This has the solution ${m = 0}$, so that ${y+i = (-i)^3 = i}$, which means that ${y = 0}$. Then from ${y^2 + 1 = x^3}$, we see that ${x = 1}$.

And so the only solution is ${(x,y) = (1,0)}$, and there are no other solutions.

4. Other Rings

The Gaussian integers have many of the same properties as the regular integers, even though there are some differences. We could go further. For example, we might consider the following integer-like sets,

\mathbb{Z}(\sqrt{d}) = { a + b \sqrt{d} : a,b \in \mathbb{Z} }.

One can add, subtract, and multiply these together in similar ways to how we can add, subtract, and multiply together integers, or Gaussian integers.

We might ask what properties these other integer-like sets have. For instance, do they have unique factorization?

More generally, there is a better name than ”integer-like set” for this sort of construction.

Suppose ${R}$ is a collection of elements, and it makes sense to add, subtract, and multiply these elements together. Further, we want addition and multiplication to behave similarly to how they behave for the regular integers. In particular, if ${r}$ and ${s}$ are elements in ${R}$, then we want ${r + s = s + r}$ to be in ${R}$; we want something that behaves like ${0}$ in the sense that ${r + 0 = r}$; for each ${r}$, want another element ${-r}$ so that ${r + (-r) = 0}$; we want ${r \cdot s = s \cdot r}$; we want something that behaves like ${1}$ in the sense that ${r \cdot 1 = r}$ for all ${r \neq 0}$; and we want ${r(s_1 + s_2) = r s_1 + r s_2}$. Such a collection is called a ring. (More completely, this is called a commutative unital ring, but that’s not important.)

It is not important that you explicitly remember exactly what the definition of a ring is. The idea is that there is a name for things that are ”integer-like” and that we might wonder what properties we have been thinking of as properties of the integers are actually properties of rings.

As a total aside: there are very many more rings too, things that look much more different than the integers. This is one of the fundamental questions that leads to the area of mathematics called Abstract Algebra. With an understanding of abstract algebra, one could then focus on these general number theoretic problems in an area of math called Algebraic Number Theory.

5. The rings ${\mathbb{Z}[\sqrt{d}]}$

We can describe some of the specific properties of ${\mathbb{Z}[\sqrt{d}]}$, and suggest how some of the ideas we’ve been considering do (or don’t) generalize. For a general element ${n = a + b \sqrt{d}}$, we can define the conjugate ${\overline{n} = a – b\sqrt {d}}$ and the norm ${N(n) = n \cdot \overline{n} = a^2 – d b^2}$. We call those elements ${u}$ with ${N(u) = 1}$ the units in ${\mathbb{Z}[\sqrt{d}]}$.

Some of the definitions we’ve been using turn out to not generalize so easily, or in quite the ways we expect. If ${n}$ doesn’t have a nontrivial factoriation (meaning that we cannot write ${n = ab}$ with ${N(a), N(b) \neq 1}$), then we call ${n}$ an irreducible. In the cases of ${\mathbb{Z}}$ and ${\mathbb{Z}[i]}$, we would have called these elements prime.

In general, we call a number ${p}$ in ${\mathbb{Z}{\sqrt{d}}}$ a prime if ${p}$ has the property that ${p \mid ab}$ means that ${p \mid a}$ or ${p \mid b}$. Of course, in the cases of ${\mathbb{Z}}$ and ${\mathbb{Z}[i]}$, we showed that irreducibles are primes. But it turns out that this is not usually the case.

Let us look at ${\mathbb{Z}{\sqrt{-5}}}$ for a moment. In particular, we can write ${6}$ in two ways as

6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 – \sqrt{-5}).

Although it’s a bit challenging to show, these are the only two fundamentally different factorizations of ${6}$ in ${\mathbb{Z}[\sqrt{-5}]}$. One can show (it’s not very hard, but it’s not particularly illuminating to do here) that neither ${2}$ or ${3}$ divides ${(1 + \sqrt{-5})}$ or ${(1 – \sqrt{-5})}$ (and vice versa), which means that none of these four numbers are primes in our more general definition. One can also show that all four numbers are irreducible.

What does this mean? This means that ${6}$ can be factored into irreducibles in fundamentally different ways, and that ${\mathbb{Z}[\sqrt{-5}]}$ does not have unique factorization.

It’s a good thought exercise to think about what is really different between ${\mathbb{Z}[\sqrt{-5}]}$ and ${\mathbb{Z}}$. At the beginning of this course, it seemed extremely obvious that ${\mathbb{Z}}$ had unique factorization. But in hindsight, is it really so obvious?

Understanding when there is and is not unique factorization in ${\mathbb{Z}[\sqrt{d}]}$ is something that people are still trying to understand today. The fact is that we don’t know! In particular, we really don’t know very much when ${d}$ is positive.

One reason why can be seen in ${\mathbb{Z}[\sqrt{2}]}$. If ${n = a + b \sqrt{2}}$, then ${N(n) = a^2 – 2 b^2}$. A very basic question that we can ask is what are the units? That is, which ${n}$ have ${N(n) = 1}$?

Here, that means trying to solve the equation $$a^2 – 2 b^2 = 1. \tag{2}$$
We have seen this equation a few times before. On the second homework assignment, I asked you to show that there were infinitely many solutions to this equation by finding lines and intersecting them with hyperbolas. We began to investigate this Diophantine equation because each solution leads to another square-triangular number.

So there are infinitely many units in ${\mathbb{Z}[\sqrt{2}]}$. This is strange! For instance, ${3 + 2 \sqrt{2}}$ is a unit, which means that it behaves just like ${\pm 1}$ in ${\mathbb{Z}}$, or like ${\pm 1, \pm i}$ in ${\mathbb{Z}[i]}$. Very often, the statements we’ve been looking at and proving are true ”up to multiplication by units.” Since there are infinitely many in ${\mathbb{Z}[\sqrt 2]}$, it can mean that it’s annoying to determine even if two numbers are actually the same up to multiplication by units.

As you look further, there are many more strange and interesting behaviours. It is really interesting to see what properties are very general, and what properties vary a lot. It is also interesting to see the different ways in which properties we’re used to, like unique factorization, can fail.

For instance, we have seen that ${\mathbb{Z}[\sqrt -5]}$ does not have unique factorization. We showed this by seeing that ${6}$ factors in two fundamentally different ways. In fact, some numbers in ${\mathbb{Z}[\sqrt -5]}$ do factor uniquely, and others do not. But if one does not, then it factors in at most two fundamentally different ways.

In other rings, you can have numbers which factor in more fundamentally different ways. The actual behaviour here is also really poorly understood, and there are mathematicians who are actively pursuing these topics.

It’s a very large playground out there.

## A Brief Notebook on Cryptography

This is a post written for my Spring 2016 Number Theory class at Brown University. It was written and originally presented from a Jupyter Notebook, and changed for presentation on this site. There is a version of the notebook available at github.

# Cryptography¶

Recall the basic setup of cryptography. We have two people, Anabel and Bartolo. Anabel wants to send Bartolo a secure message. What do we mean by “secure?” We mean that even though that dastardly Eve might intercept and read the transmitted message, Eve won’t learn anything about the actual message Anabel wants to send to Bartolo.

Before the 1970s, the only way for Anabel to send Bartolo a secure message required Anabel and Bartolo to get together beforehand and agree on a secret method of communicating. To communicate, Anabel first decides on a message. The original message is sometimes called the plaintext. She then encrypts the message, producing a ciphertext.

She then sends the ciphertext. If Eve gets hold of hte ciphertext, she shouldn’t be able to decode it (unless it’s a poor encryption scheme).

When Bartolo receives the ciphertext, he can decrypt it to recover the plaintext message, since he agreed on the encryption scheme beforehand.

## Caesar Shift¶

The first known instance of cryptography came from Julius Caesar. It was not a very good method. To encrypt a message, he shifted each letter over by 2, so for instance “A” becomes “C”, and “B” becomes “D”, and so on.

Let’s see what sort of message comes out.

alpha = "abcdefghijklmnopqrstuvwxyz".upper()
punct = ",.?:;'\n "

from functools import partial

def shift(l, s=2):
l = l.upper()
return alpha[(alpha.index(l) + s) % 26]

def caesar_shift_encrypt(m, s=2):
m = m.upper()
c = "".join(map(partial(shift, s=s), m))
return c

def caesar_shift_decrypt(c, s=-2):
c = c.upper()
m = "".join(map(partial(shift, s=s), c))
return m

print "Original Message: HI"
print "Ciphertext:", caesar_shift_encrypt("hi")

Original Message: HI
Ciphertext: JK

m = """To be, or not to be, that is the question:
Whether 'tis Nobler in the mind to suffer
The Slings and Arrows of outrageous Fortune,
Or to take Arms against a Sea of troubles,
And by opposing end them."""

m = "".join([l for l in m if not l in punct])

print "Original Message:"
print m

print
print "Ciphertext:"
tobe_ciphertext = caesar_shift_encrypt(m)
print tobe_ciphertext

Original Message:
TobeornottobethatisthequestionWhethertisNoblerinthemindtosuffer
TheSlingsandArrowsofoutrageousFortuneOrtotakeArmsagainstaSeaof
troublesAndbyopposingendthem

Ciphertext:
VQDGQTPQVVQDGVJCVKUVJGSWGUVKQPYJGVJGTVKUPQDNGTKPVJGOKPFVQUWHHGT
VJGUNKPIUCPFCTTQYUQHQWVTCIGQWUHQTVWPGQTVQVCMGCTOUCICKPUVCUGCQH
VTQWDNGUCPFDAQRRQUKPIGPFVJGO

print "Decrypted first message:", caesar_shift_decrypt("JK")

Decrypted first message: HI

print "Decrypted second message:"
print caesar_shift_decrypt(tobe_ciphertext)

Decrypted second message:
TOBEORNOTTOBETHATISTHEQUESTIONWHETHERTISNOBLERINTHEMINDTOSUFFER
THESLINGSANDARROWSOFOUTRAGEOUSFORTUNEORTOTAKEARMSAGAINSTASEAOF
TROUBLESANDBYOPPOSINGENDTHEM


Is this a good encryption scheme? No, not really. There are only 26 different things to try. This can be decrypted very quickly and easily, even if entirely by hand.

## Substitution Cipher¶

A slightly different scheme is to choose a different letter for each letter. For instance, maybe “A” actually means “G” while “B” actually means “E”. We call this a substitution cipher as each letter is substituted for another.

import random
permutation = list(alpha)
random.shuffle(permutation)

# Display the new alphabet
print alpha
subs = "".join(permutation)
print subs

ABCDEFGHIJKLMNOPQRSTUVWXYZ
EMJSLZKAYDGTWCHBXORVPNUQIF

def subs_cipher_encrypt(m):
m = "".join([l.upper() for l in m if not l in punct])
return "".join([subs[alpha.find(l)] for l in m])

def subs_cipher_decrypt(c):
c = "".join([l.upper() for l in c if not l in punct])
return "".join([alpha[subs.find(l)] for l in c])

m1 = "this is a test"

print "Original message:", m1
c1 = subs_cipher_encrypt(m1)

print
print "Encrypted Message:", c1

print
print "Decrypted Message:", subs_cipher_decrypt(c1)

Original message: this is a test

Encrypted Message: VAYRYREVLRV

Decrypted Message: THISISATEST

print "Original message:"
print m

print
c2 = subs_cipher_encrypt(m)
print "Encrypted Message:"
print c2

print
print "Decrypted Message:"
print subs_cipher_decrypt(c2)

Original message:
TobeornottobethatisthequestionWhethertisNoblerinthemindtosuffer
TheSlingsandArrowsofoutrageousFortuneOrtotakeArmsagainstaSeaof
troublesAndbyopposingendthem

Encrypted Message:
VHMLHOCHVVHMLVAEVYRVALXPLRVYHCUALVALOVYRCHMTLOYCVALWYCSVHRPZZLO
VALRTYCKRECSEOOHURHZHPVOEKLHPRZHOVPCLHOVHVEGLEOWREKEYCRVERLEHZ
VOHPMTLRECSMIHBBHRYCKLCSVALW

Decrypted Message:
TOBEORNOTTOBETHATISTHEQUESTIONWHETHERTISNOBLERINTHEMINDTOSUFFER
THESLINGSANDARROWSOFOUTRAGEOUSFORTUNEORTOTAKEARMSAGAINSTASEAOF
TROUBLESANDBYOPPOSINGENDTHEM


Is this a good encryption scheme? Still no. In fact, these are routinely used as puzzles in newspapers or puzzle books, because given a reasonably long message, it’s pretty easy to figure it out using things like the frequency of letters.

For instance, in English, the letters RSTLNEAO are very common, and much more common than other letters. So one might start to guess that the most common letter in the ciphertext is one of these. More powerfully, one might try to see which pairs of letters (called bigrams) are common, and look for those in the ciphertext, and so on.

From this sort of thought process, encryption schemes that ultimately rely on a single secret alphabet (even if it’s not our typical alphabet) fall pretty quickly. So… what about polyalphabetic ciphers? For instance, what if each group of 5 letters uses a different set of alphabets?

This is a great avenue for exploration, and there are lots of such encryption schemes that we won’t discuss in this class. But a class on cryptography (or a book on cryptography) would certainly go into some of these. It might also be a reasonable avenue of exploration for a final project.

## The German Enigma¶

One very well-known polyalphabetic encryption scheme is the German Enigma used before and during World War II. This was by far the most complicated cryptosystem in use up to that point, and the story of how it was broken is a long and tricky one. Intial successes towards breaking the Enigma came through the work of Polish mathematicians, fearful (and rightfully so) of the Germans across the border. By 1937, they had built replicas and understood many details of the Enigma system. But in 1938, the Germans shifted to a more secure and complicated cryptosystem. Just weeks before the German invasion of Poland and the beginning of World War II, Polish mathematicians sent their work and notes to mathematicians in France and Britain, who carried out this work.

The second major progress towards breaking the Enigma occurred largely in Bletchley Park in Britain, a communication center with an enormous dedicated effort to breaking the Enigma. This is where the tragic tale of Alan Turing, recently popularized through the movie The Imitation Game, begins. This is also the origin tale for modern computers, as Alan Turing developed electromechanical computers to help break the Enigma.

The Enigma worked by having a series of cogs or rotors whose positions determined a substitution cipher. After each letter, the positions were changed through a mechanical process. An Enigma machine is a very impressive machine to look at [and the “computer” Alan Turing used to help break them was also very impressive].

Below, I have implemented an Enigma, by default set to 4 rotors. I don’t expect one to understand the implementation. The interesting part is how meaningless the output message looks. Note that I’ve kept the spacing and punctuation from the original message for easier comparison. Really, you wouldn’t do this.

The plaintext used for demonstration is from Wikipedia’s article on the Enigma.

from random import shuffle,randint,choice
from copy import copy
num_alphabet = range(26)

def en_shift(l, n):                         # Rotate cogs and arrays
return l[n:] + l[:n]

class Cog:                                  # Each cog has a substitution cipher
def __init__(self):
self.shuf = copy(num_alphabet)
shuffle(self.shuf)                  # Create the individual substition cipher
return                              # Really, these were not random

def subs_in(self,i):                    # Perform a substition
return self.shuf[i]

def subs_out(self,i):                   # Perform a reverse substition
return self.shuf.index(i)

def rotate(self):                       # Rotate the cog by 1.
self.shuf = en_shift(self.shuf, 1)

def setcog(self,a):                     # Set up a particular substitution
self.shuf = a

class Enigma:
self.numcogs = numcogs
self.cogs = []
self.oCogs = []                     # "Original Cog positions"

for i in range(0,self.numcogs):     # Create the cogs
self.cogs.append(Cog())
self.oCogs.append(self.cogs[i].shuf)

refabet = copy(num_alphabet)
self.reflector = copy(num_alphabet)
while len(refabet) > 0:             # Pair letters in the reflector
a = choice(refabet)
refabet.remove(a)

b = choice(refabet)
refabet.remove(b)

self.reflector[a] = b
self.reflector[b] = a

def print_setup(self): # Print out substituion setup.
print "Enigma Setup:\nCogs: ",self.numcogs,"\nCog arrangement:"
for i in range(0,self.numcogs):
print self.cogs[i].shuf
print "Reflector arrangement:\n",self.reflector,"\n"

def reset(self):
for i in range(0,self.numcogs):
self.cogs[i].setcog(self.oCogs[i])

def encode(self,text):
t = 0     # Ticker counter
ciphertext=""
for l in text.lower():
num = ord(l) % 97
# Handle special characters for readability
if (num>25 or num<0):
ciphertext += l
else:
pass

else:
# Pass through cogs, reflect, then return through cogs
t += 1
for i in range(self.numcogs):
num = self.cogs[i].subs_in(num)

num = self.reflector[num]

for i in range(self.numcogs):
num = self.cogs[self.numcogs-i-1].subs_out(num)
ciphertext += "" + chr(97+num)

# Rotate cogs
for i in range(self.numcogs):
if ( t % ((i*6)+1) == 0 ):
self.cogs[i].rotate()
return ciphertext.upper()

plaintext="""When placed in an Enigma, each rotor can be set to one of 26 possible positions.
When inserted, it can be turned by hand using the grooved finger-wheel, which protrudes from
the internal Enigma cover when closed. So that the operator can know the rotor's position,
each had an alphabet tyre (or letter ring) attached to the outside of the rotor disk, with
26 characters (typically letters); one of these could be seen through the window, thus indicating
the rotational position of the rotor. In early models, the alphabet ring was fixed to the rotor
disk. A later improvement was the ability to adjust the alphabet ring relative to the rotor disk.
The position of the ring was known as the Ringstellung ("ring setting"), and was a part of the
initial setting prior to an operating session. In modern terms it was a part of the
initialization vector."""

# Remove newlines for encryption
pt = "".join([l.upper() for l in plaintext if not l == "\n"])
# pt = "".join([l.upper() for l in plaintext if not l in punct])

x=enigma(4)
#x.print_setup()

print "Original Message:"
print pt

print
ciphertext = x.encode(pt)
print "Encrypted Message"
print ciphertext

print
# Decryption and encryption are symmetric, so to decode we reset and re-encrypt.
x.reset()
decipheredtext = x.encode(ciphertext)
print "Decrypted Message:"
print decipheredtext

Original Message:
WHEN PLACED IN AN ENIGMA, EACH ROTOR CAN BE SET TO ONE OF 26 POSSIBLE POSITIONS.
WHEN INSERTED, IT CAN BE TURNED BY HAND USING THE GROOVED FINGER-WHEEL, WHICH
PROTRUDES FROM THE INTERNAL ENIGMA COVER WHEN CLOSED. SO THAT THE OPERATOR CAN
KNOW THE ROTOR'S POSITION, EACH HAD AN ALPHABET TYRE (OR LETTER RING) ATTACHED
TO THE OUTSIDE OF THE ROTOR DISK, WITH 26 CHARACTERS (TYPICALLY LETTERS); ONE
OF THESE COULD BE SEEN THROUGH THE WINDOW, THUS INDICATING THE ROTATIONAL
POSITION OF THE ROTOR. IN EARLY MODELS, THE ALPHABET RING WAS FIXED TO THE
ROTOR DISK. A LATER IMPROVEMENT WAS THE ABILITY TO ADJUST THE ALPHABET RING
RELATIVE TO THE ROTOR DISK. THE POSITION OF THE RING WAS KNOWN AS THE
RINGSTELLUNG ("RING SETTING"), AND WAS A PART OF THE INITIAL SETTING PRIOR TO
AN OPERATING SESSION. IN MODERN TERMS IT WAS A PART OF THE INITIALIZATION VECTOR.

Encrypted Message
RYQY LWMVIH OH EK GGWFBO, PDZN FNALL ZEP AP IUD JM FEV UG 26 HGRKODYT XWOLIYTSA.
TJQK KBCNVMHG, VS YBB XI BYZTVU XP BGWP IFNIY UQZ IQUPTKJ QXPVYE-EAOVT, PYMNN
RXFIOWYVK LWNN OJL JXZBTRVP YMQCXX STJQF KXNZ LXSWDC. LK KGRH ZKT RDZUMCWA GKY
LYKC LLV ZNFAD'Z BAXLDFTH, QSHA NBY RZ SXEXDAMP FXUS (WC RWHZOX ARWP) VKYNDJQP
WL OLW ICBALPI RV ISD GXSDQ ZKMJ, OHNN 26 IBGUHNYIQE (GDBNTEBWP QGECUNA); QPG
SQ JYUQX NDBWB NM AAUF RUNKYDL OLD LMPZQV, ZMKP SQZFDEHKCI KLJ AKPZLRAZZX
QXPJEXLV HS AFG IIMGK. NT PVAYP RFOKYV, XUY CHZAQEXG DUSS CKN YENSR FX PLS CYMZK
YHTB. J RLZLB DNIDWNWAIOO HOK PGM HVXXHIJ VV SCTNIC QGM TFKPQYPQ XFQU PSAECHTX
RA QUW CUNRV JCUW. LCP GFKZLLXW LN YWF OAQM CMF YVTQH EI JAU LZTXEYDGDFLQ
("CDBS TQHUEIR"), BLN QIG O UHJJ DV DQY KQGVFKI EBEFRCT WEZWG LJ WC NIAUKIYQJ
EHZLZLS. TY XPZSBL IPGWN ZS IUY E YQMD BW NVF QYWSDMTRSNSHYO GJGNUL.

Decrypted Message:
WHEN PLACED IN AN ENIGMA, EACH ROTOR CAN BE SET TO ONE OF 26 POSSIBLE POSITIONS.
WHEN INSERTED, IT CAN BE TURNED BY HAND USING THE GROOVED FINGER-WHEEL, WHICH
PROTRUDES FROM THE INTERNAL ENIGMA COVER WHEN CLOSED. SO THAT THE OPERATOR
CAN KNOW THE ROTOR'S POSITION, EACH HAD AN ALPHABET TYRE (OR LETTER RING)
ATTACHED TO THE OUTSIDE OF THE ROTOR DISK, WITH 26 CHARACTERS (TYPICALLY
LETTERS); ONE OF THESE COULD BE SEEN THROUGH THE WINDOW, THUS INDICATING THE
ROTATIONAL POSITION OF THE ROTOR. IN EARLY MODELS, THE ALPHABET RING WAS FIXED
TO THE ROTOR DISK. A LATER IMPROVEMENT WAS THE ABILITY TO ADJUST THE ALPHABET
RING RELATIVE TO THE ROTOR DISK. THE POSITION OF THE RING WAS KNOWN AS THE
RINGSTELLUNG ("RING SETTING"), AND WAS A PART OF THE INITIAL SETTING PRIOR TO
AN OPERATING SESSION. IN MODERN TERMS IT WAS A PART OF THE INITIALIZATION VECTOR.


The advent of computers brought in a paradigm shift in approaches towards cryptography. Prior to computers, one of the ways of maintaining security was to come up with a hidden key and a hidden cryptosystem, and keep it safe merely by not letting anyone know anything about how it actually worked at all. This has the short cute name security through obscurity. As the number of type of attacks on cryptosystems are much, much higher with computers, a different model of security and safety became necessary.

It is interesting to note that it is not obvious that security through obscurity is always bad, as long as it’s really really well-hidden. This is relevant to some problems concerning current events and cryptography.

# Public Key Cryptography¶

The new model begins with a slightly different setup. We should think of Anabel and Bartolo as sitting on opposite sides of a classroom, trying to communicate securely even though there are lots of people in the middle of the classroom who might be listening in. In particular, Anabel has something she wants to tell Bartolo.

Instead of keeping the cryptosystem secret, Bartolo tells everyone (in our metaphor, he shouts to the entire classroom) a public key K, and explains how to use it to send him a message. Anabel uses this key to encrypt her message. She then sends this message to Bartolo.

If the system is well-designed, no one will be able to understand the ciphertext even though they all know how the cryptosystem works. This is why the system is called Public Key.

Bartolo receives this message and (using something only he knows) he decrypts the message.

We will learn one such cryptosystem here: RSA, named after Rivest, Shamir, and Addleman — the first major public key cryptosystem.

## RSA¶

Bartolo takes two primes such as $p = 12553$ and $q = 13007$. He notes their product
$$m = pq = 163276871$$
and computes $\varphi(m)$,
$$\varphi(m) = (p-1)(q-1) = 163251312.$$
Finally, he chooses some integer $k$ relatively prime to $\varphi(m)$, like say
$$k = 79921.$$
Then the public key he distributes is
$$(m, k) = (163276871, 79921).$$

In order to send Bartolo a message using this key, Anabel must convert her message to numbers. She might use the identification A = 11, B = 12, C = 13, … and concatenate her numbers. To send the word CAB, for instance, she would send 131112. Let’s say that Anabel wants to send the message

NUMBER THEORY IS THE QUEEN OF THE SCIENCES

Then she needs to convert this to numbers.

conversion_dict = dict()
alpha = "abcdefghijklmnopqrstuvwxyz".upper()
curnum = 11
for l in alpha:
conversion_dict[l] = curnum
curnum += 1

print "Original Message:"
msg = "NUMBERTHEORYISTHEQUEENOFTHESCIENCES"
print msg
print

def letters_to_numbers(m):
return "".join([str(conversion_dict[l]) for l in m.upper()])

print "Numerical Message:"
msg_num = letters_to_numbers(msg)
print msg_num

Original Message:
NUMBERTHEORYISTHEQUEENOFTHESCIENCES

Numerical Message:
2431231215283018152528351929301815273115152425163018152913191524131529


So Anabel’s message is the number

$$2431231215283018152528351929301815273115152425163018152913191524131529$$

which she wants to encrypt and send to Bartolo. To make this manageable, she cuts the message into 8-digit numbers,

$$24312312, 15283018, 15252835, 19293018, 15273115, 15242516, 30181529, 13191524, 131529.$$

To send her message, she takes one of the 8-digit blocks and raises it to the power of $k$ modulo $m$. That is, to transmit the first block, she computes

$$24312312^{79921} \equiv 13851252 \pmod{163276871}.$$

# Secret information
p = 12553
q = 13007
phi = (p-1)*(q-1) # varphi(pq)

# Public information
m = p*q # 163276871
k = 79921

print pow(24312312, k, m)

13851252


She sends this number
$$13851252$$
to Bartolo (maybe by shouting. Even though everyone can hear, they cannot decrypt it). How does Bartolo decrypt this message?

He computes $\varphi(m) = (p-1)(q-1)$ (which he can do because he knows $p$ and $q$ separately), and then finds a solution $u$ to
$$uk = 1 + \varphi(m) v.$$
This can be done quickly through the Euclidean Algorithm.

def extended_euclidean(a,b):
if b == 0:
return (1,0,a)
else :
x, y, gcd = extended_euclidean(b, a % b) # Aside: Python has no tail recursion
return y, x - y * (a // b),gcd           # But it does have meaningful stack traces

# This version comes from Exercise 6.3 in the book, but without recursion
def extended_euclidean2(a,b):
x = 1
g = a
v = 0
w = b
while w != 0:
q = g // w
t = g - q*w
s = x - q*v
x,g = v,w
v,w = s,t
y = (g - a*x) / b
return (x,y,g)

def modular_inverse(a,m) :
x,y,gcd = extended_euclidean(a,m)
if gcd == 1 :
return x % m
else :
return None

print "k, p, q:", k, p, q
print
u = modular_inverse(k,(p-1)*(q-1))
print u

k, p, q: 79921 12553 13007

145604785


In particular, Bartolo computes that his $u = 145604785$. To recover the message, he takes the number $13851252$ sent to him by Anabel and raises it to the $u$ power. He computes
$$13851252^{u} \equiv 24312312 \pmod{pq},$$
which we can see must be true as
$$13851252^{u} \equiv (24312312^{k})^u \equiv 24312312^{1 + \varphi(pq)v} \equiv 24312312 \pmod{pq}.$$
In this last step, we have used Euler’s Theorem to see that
$$24312312^{\varphi(pq)v} \equiv 1 \pmod{pq}.$$

# Checking this power explicitly.
print pow(13851252, 145604785, m)

24312312


Now Bartolo needs to perform this process for each 8-digit chunk that Anabel sent over. Note that the work is very easy, as he computes the integer $u$ only once. Each other time, he simply computes $c^u \pmod m$ for each ciphertext $c$, and this is very fast with repeated-squaring.

We do this below, in an automated fashion, step by step.

First, we split the message into 8-digit chunks.

# Break into chunks of 8 digits in length.
def chunk8(message_number):
cp = str(message_number)
ret_list = []
while len(cp) > 7:
ret_list.append(cp[:8])
cp = cp[8:]
if cp:
ret_list.append(cp)
return ret_list

msg_list = chunk8(msg_num)
print msg_list

['24312312', '15283018', '15252835', '19293018', '15273115',
'15242516', '30181529', '13191524', '131529']


This is a numeric representation of the message Anabel wants to send Bartolo. So she encrypts each chunk. This is done below

# Compute ciphertexts separately on each 8-digit chunk.
def encrypt_chunks(chunked_list):
ret_list = []
for chunk in chunked_list:
#print chunk
#print int(chunk)
ret_list.append(pow(int(chunk), k, m))
return ret_list

cipher_list = encrypt_chunks(msg_list)
print cipher_list

[13851252, 14944940, 158577269, 117640431, 139757098, 25099917,
88562046, 6640362, 10543199]


This is the encrypted message. Having computed this, Anabel sends this message to Bartolo.

To decrypt the message, Bartolo uses his knowledge of $u$, which comes from his ability to compute $\varphi(pq)$, and decrypts each part of the message. This looks like below.

# Decipher the ciphertexts all in the same way
def decrypt_chunks(chunked_list):
ret_list = []
for chunk in chunked_list:
ret_list.append(pow(int(chunk), u, m))
return ret_list

decipher_list = decrypt_chunks(cipher_list)
print decipher_list

[24312312, 15283018, 15252835, 19293018, 15273115, 15242516,
30181529, 13191524, 131529]


Finally, Bartolo concatenates these numbers together and translates them back into letters. Will he get the right message back?

alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Collect deciphered texts into a single list, and translate back into letters.
def chunks_to_letters(chunked_list):
s = "".join([str(chunk) for chunk in chunked_list])
ret_str = ""
while s:
ret_str += alpha[int(s[:2])-11].upper()
s = s[2:]
return ret_str

print chunks_to_letters(decipher_list)

NUMBERTHEORYISTHEQUEENOFTHESCIENCES


Yes! Bartolo successfully decrypts the message and sees that Anabel thinks that Number Theory is the Queen of the Sciences. This is a quote from Gauss, the famous mathematician who has been popping up again and again in this course.

## Why is this Secure?¶

Let’s pause to think about why this is secure.

What if someone catches the message in transit? Suppose Eve is eavesdropping and hears Anabel’s first chunk, $13851252$. How would she decrypt it?

Eve knows that she wants to solve
$$x^k \equiv 13851252 \pmod {pq}$$
or rather
$$x^{79921} \equiv 13851252 \pmod {163276871}.$$
How can she do that? We can do that because we know to raise this to a particular power depending on $\varphi(163276871)$. But Eve doesn’t know what $\varphi(163276871)$ is since she can’t factor $163276871$. In fact, knowing $\varphi(163276871)$ is exactly as hard as factoring $163276871$.

But if Eve could somehow find $79921$st roots modulo $163276871$, or if Eve could factor $163276871$, then she would be able to decrypt the message. These are both really hard problems! And it’s these problems that give the method its security.

More generally, one might use primes $p$ and $q$ that are each about $200$ digits long, and a fairly large $k$. Then the resulting $m$ would be about $400$ digits, which is far larger than we know how to factor effectively. The reason for choosing a somewhat large $k$ is for security reasons that are beyond the scope of this segment. The relevant idea here is that since this is a publicly known encryption scheme, many people have strenghtened it over the years by making it more secure against every clever attack known. This is another, sometimes overlooked benefit of public-key cryptography: since the methodology isn’t secret, everyone can contribute to its security — indeed, it is in the interest of anyone desiring such security to contribute. This is sort of the exact opposite of Security through Obscurity.

The nature of code being open, public, private, or secret is also very topical in current events. Recently, Volkswagen cheated in its car emissions-software and had it report false outputs, leading to a large scandal. Their software is proprietary and secret, and the deliberate bug went unnoticed for years. Some argue that this means that more software, and especially software that either serves the public or that is under strong jurisdiction, should be publicly viewable for analysis.

Another relevant current case is that the code for most voting machines in the United States is proprietary and secret. Hopefully they aren’t cheating!

On the other side, many say that it is necessary for companies to be able to have secret software for at least some time period to recuperate the expenses that go into developing the software. This is similar to how drug companies have patents on new drugs for a number of years. This way, a new successful drug pays for its development since the company can charge above the otherwise-market-rate.

Further, many say that opening some code would open it up to attacks from malicious users who otherwise wouldn’t be able to see the code. Of course, this sounds a lot like trying for security through obscurity.

This is a very relevant and big topic, and the shape it takes over the next few years may very well have long-lasting impacts.

## Condensed Version¶

Now that we’ve gone through it all once, we have a condensed RSA system set up with our $p, q,$ and $k$ from above. To show that this can be done quickly with a computer, let’s do another right now.

Let us encrypt, transmit, and decrypt the message

“I have never done anything useful. No discovery of mine has made, or is likely to make, directly or indirectly, for good or ill, the least difference to the amenity of the world”.

First, we prepare the message for conversion to numbers.

message = """I have never done anything useful. No discovery of mine has made,
or is likely to make, directly or indirectly, for good or ill, the least
difference to the amenity of the world"""

message = "".join([l.upper() for l in message if not l in "\n .,"])
print "Our message:\n"+message

Our message:
TOMAKEDIRECTLYORINDIRECTLYFORGOODORILLTHELEASTDIFFERENCETOTHE
AMENITYOFTHEWORLD


Now we convert the message to numbers, and transform those numbers into 8-digit chunks.

numerical_message = letters_to_numbers(message)
print "Our message, converted to numbers:"
print numerical_message
print

plaintext_chunks = chunk8(numerical_message)
print "Separated into 8-digit chunks:"
print plaintext_chunks

Our message, converted to numbers:
1918113215241532152814252415112435301819241731291516312224251419
2913253215283525162319241518112923111415252819292219211522353025
2311211514192815133022352528192414192815133022351625281725251425
2819222230181522151129301419161615281524131530253018151123152419
303525163018153325282214

Separated into 8-digit chunks:
['19181132', '15241532', '15281425', '24151124', '35301819',
'24173129', '15163122', '24251419', '29132532', '15283525',
'16231924', '15181129', '23111415', '25281929', '22192115',
'22353025', '23112115', '14192815', '13302235', '25281924',
'14192815', '13302235', '16252817', '25251425', '28192222',
'30181522', '15112930', '14191616', '15281524', '13153025',
'30181511', '23152419', '30352516', '30181533', '25282214']


We encrypt each chunk by computing $P^k \bmod {m}$ for each plaintext chunk $P$.

ciphertext_chunks = encrypt_chunks(plaintext_chunks)
print ciphertext_chunks

[99080958, 142898385, 80369161, 11935375, 108220081, 82708130,
158605094, 96274325, 154177847, 121856444, 91409978, 47916550,
155466420, 92033719, 95710042, 86490776, 15468891, 139085799,
68027514, 53153945, 139085799, 68027514, 9216376, 155619290,
83776861, 132272900, 57738842, 119368739, 88984801, 83144549,
136916742, 13608445, 92485089, 89508242, 25375188]


This is the message that Anabel can sent Bartolo.

To decrypt it, he computes $c^u \bmod m$ for each ciphertext chunk $c$.

deciphered_chunks = decrypt_chunks(ciphertext_chunks)
print "Deciphered chunks:"
print deciphered_chunks

Deciphered chunks:
[19181132, 15241532, 15281425, 24151124, 35301819, 24173129,
15163122, 24251419, 29132532, 15283525, 16231924, 15181129,
23111415, 25281929, 22192115, 22353025, 23112115, 14192815,
13302235, 25281924, 14192815, 13302235, 16252817, 25251425,
28192222, 30181522, 15112930, 14191616, 15281524, 13153025,
30181511, 23152419, 30352516, 30181533, 25282214]


Finally, he translates the chunks back into letters.

decoded_message = chunks_to_letters(deciphered_chunks)
print "Decoded Message:"
print decoded_message

Decoded Message:
TOMAKEDIRECTLYORINDIRECTLYFORGOODORILLTHELEASTDIFFERENCETOTHE
AMENITYOFTHEWORLD


Even with large numbers, RSA is pretty fast. But one of the key things that one can do with RSA is securely transmit secret keys for other types of faster-encryption that don’t work in a public-key sense. There is a lot of material in this subject, and it’s very important.

The study of sending and receiving secret messages is called Cryptography. There are lots of interesting related topics, some of which we’ll touch on in class.

The study of analyzing and breaking cryptosystems is called Cryptanalysis, and is something I find quite fun. But it’s also quite intense.

I should mention that in practice, RSA is performed a little bit differently to make it more secure.

Aside: this is the first time I’ve converted a Jupyter Notebook, and it turns out it’s very easy. However, there are a few formatting annoyances that I didn’t consider, but which are too minor to spend time fixing. But now I know!
| Tagged , , , , | 4 Comments

## Paper: The Second Moments of Sums of Fourier Coefficients of Cusp Forms

This is joint work with Thomas Hulse, Chan Ieong Kuan, and Alex Walker.

We have just uploaded a paper to the arXiv on the second moment of sums of Fourier coefficients of cusp forms. This is the first in a trio of papers that we will be uploading and submitting in the near future.

Suppose ${f(z)}$ and ${g(z)}$ are weight ${k}$ holomorphic cusp forms on ${\text{GL}_2}$ with Fourier expansions

\begin{align} f(z) &= \sum_{n \geq 1} a(n) e(nz) \\ g(z) &= \sum_{n \geq 1} b(n) e(nz). \end{align}

Denote the sum of the first ${n}$ coefficients of a cusp form ${f}$ by $$S_f(n) := \sum_{m \leq n} a(m). \tag{1}$$

We consider upper bounds for the second moment of ${S_f(n)}$.

The famous Ramanujan-Petersson conjecture gives us that ${a(n)\ll n^{\frac{k-1}{2} + \epsilon}}$. So one might assume ${S_f(X) \ll X^{\frac{k-1}{2} + 1 + \epsilon}}$. However, we expect the better bound $$S_f(X) \ll X^{\frac{k-1}{2} + \frac{1}{4} + \epsilon}, \tag{2}$$

which we refer to as the “Classical Conjecture,” echoing Hafner and Ivić [HI].

Chandrasekharan and Narasimhan [CN] proved that the Classical Conjecture is true on average by showing that $$\sum_{n \leq X} \lvert S_f(n) \rvert^2 = CX^{k- 1 + \frac{3}{2}} + B(X), \tag{3}$$

where ${B(x)}$ is an error term, $$B(X) = \begin{cases} O(X^{k}\log^2(X)) \ \Omega\left(X^{k – \frac{1}{4}}\frac{(\log \log \log X)^3}{\log X}\right), \end{cases} \tag{4}$$

and ${C}$ is the constant, $$C = \frac{1}{(4k + 2)\pi^2} \sum_{n \geq 1}\frac{\lvert a(n) \rvert^2}{n^{k + \frac{1}{2}}}. \tag{5}$$

A application of the Cauchy-Schwarz inequality to~(3) leads to the on-average statement that $$\frac{1}{X} \sum_{n \leq X} |S_f(n)| \ll X^{\frac{k-1}{2} + \frac{1}{4}}. \tag{6}$$

From this, [HI] were able to show in some cases that $$S_f(X) \ll X^{\frac{k-1}{2} + \frac{1}{3}}. \tag{7}$$

Better lower bounds are known for ${B(X)}$. In the same work [HI] improved the lower bound of [CN] for full-integral weight forms of level one and showed that $$B(X) = \Omega\left(X^{k – \frac{1}{4}}\exp\left(D \tfrac{(\log \log x )^{1/4}}{(\log \log \log x)^{3/4}}\right)\right), \tag{8}$$

for a particular constant ${D}$.

The question of better understanding ${B(X)}$ is analogous to understanding the error term in the circle problem or divisor problem. In our paper, we introduce the Dirichlet series $$D(s, S_f \times S_g) := \sum_{n \geq 1} \frac{S_f(n) \overline{S_g(n)}}{n^{s + k – 1}}$$

D(s, S_f \times \overline{S_g}) &:= \sum_{n \geq 1} \frac{S_f(n)S_g(n)}{n^{s + k – 1}} and provide their meromorphic continuations. From our review of the literature, these Dirichlet series and their meromorphic continuations are new and provide new approaches to the classical problems related to ${S_f(n)}$.

Our primary result is the meromorphic continuation of ${D(s, S_f \times S_g)}$. As a first application, we prove a smoothed generalization to~(3).

Theorem 1 Suppose either that ${f = g}$ is a Hecke eigenform or that ${f}$ and ${g}$ have real coefficients. \begin{equation*} \frac{1}{X} \sum_{n \geq 1}\frac{S_f(n)\overline{S_g(n)}}{n^{k – 1}}e^{-n/X} = CX^{\frac{1}{2}} + O_{f,g,\epsilon}(X^{-\frac{1}{2} + \theta + \epsilon}) \end{equation*} where \begin{equation*} C = \frac{\Gamma(\tfrac{3}{2}) }{4\pi^2} \frac{L(\frac{3}{2}, f\times g)}{\zeta(3)}= \frac{\Gamma(\tfrac{3}{2})}{4\pi ^2} \sum_{n \geq 1} \frac{a(n)\overline{b(n)}}{n^{k + \frac{1}{2}}}, \end{equation*} and ${\theta}$ denotes progress towards Selberg’s Eigenvalue Conjecture. Similarly, \begin{equation*} \frac{1}{X} \sum_{n \geq 1}\frac{S_f(n)S_g(n)}{n^{k – 1}}e^{-n/X} = C’X^{\frac{1}{2}} + O_{f,g,\epsilon}(X^{-\frac{1}{2} + \theta + \epsilon}), \end{equation*} where \begin{equation*} C’ = \frac{\Gamma(\tfrac{3}{2})}{4\pi^2} \frac{L(\frac{3}{2}, f\times \overline{g})}{\zeta(3)} = \frac{\Gamma(\tfrac{3}{2})}{4\pi ^2} \sum_{n \geq 1} \frac{a(n)b(n)}{n^{k + \frac{1}{2}}}.\end{equation*}

We have a complete meromorphic continuation, and it would not be hard to give additional terms in the asymptotic. But the next terms come from zeroes of the zeta function and are complicated to nail down exactly.

Choosing ${f = g}$, we recover a proof of the Classical Conjecture on Average. More interestingly, we show that the secondary growth terms do not arise from a pole, nor are there prescribed polar reasons for growth. The secondary growth in the classical result comes from choosing a sharp cutoff instead of the nicely behaving and natural smooth cutoffs.

We prove analogous results for sums of normalized Fourier coefficients $$S_f^\alpha(n) := \sum_{m \leq n} \frac{a(m)}{m^\alpha} \tag{9}$$

for ${0 \leq \alpha < k}$.

In the path to proving these results, we explicitly demonstrate remarkable cancellation between Rankin-Selberg convolution ${L}$-functions ${L(s, f\times g)}$ and shifted convolution sums $$Z(s, 0; f,g) := \sum_{n, h} \frac{a(n)\overline{b(n-h)}}{n^{s + k – 1}}. \tag{10}$$

Comparing our results and methodologies with the main results of [CN] guarantees similar cancellation for general level and general weight, including half-integral weight forms.

We provide additional applications of the meromorphic continuation of ${D(s, S_f \times S_g)}$ in forthcoming works, which will be uploaded to the arXiv and described briefly here soon.

For exact references, see the paper.

Posted in Math.NT, Mathematics, Uncategorized | | 2 Comments

## Estimating the number of squarefree integers up to $X$

I recently wrote an answer to a question on MSE about estimating the number of squarefree integers up to $X$. Although the result is known and not too hard, I very much like the proof and my approach. So I write it down here.

First, let’s see if we can understand why this “should” be true from an analytic perspective.

We know that
$$\sum_{n \geq 1} \frac{\mu(n)^2}{n^s} = \frac{\zeta(s)}{\zeta(2s)},$$
and a general way of extracting information from Dirichlet series is to perform a cutoff integral transform (or a type of Mellin transform). In this case, we get that
$$\sum_{n \leq X} \mu(n)^2 = \frac{1}{2\pi i} \int_{(2)} \frac{\zeta(s)}{\zeta(2s)} X^s \frac{ds}{s},$$
where the contour is the vertical line $\text{Re }s = 2$. By Cauchy’s theorem, we shift the line of integration left and poles contribute terms or large order. The pole of $\zeta(s)$ at $s = 1$ has residue
$$\frac{X}{\zeta(2)},$$
so we expect this to be the leading order. Naively, since we know that there are no zeroes of $\zeta(2s)$ on the line $\text{Re } s = \frac{1}{2}$, we might expect to push our line to exactly there, leading to an error of $O(\sqrt X)$. But in fact, we know more. We know the zero-free region, which allows us to extend the line of integration ever so slightly inwards, leading to a $o(\sqrt X)$ result (or more specifically, something along the lines of $O(\sqrt X e^{-c (\log X)^\alpha})$ where $\alpha$ and $c$ come from the strength of our known zero-free region.

In this heuristic analysis, I have omitted bounding the top, bottom, and left boundaries of the rectangles of integration. But proceeding in a similar way as in the proof of the analytic prime number theorem, you could proceed here. So we expect the answer to look like
$$\frac{X}{\zeta(2)} + O(\sqrt X e^{-c (\log X)^\alpha})$$
using no more than the zero-free region that goes into the prime number theorem.

We will now prove this result, but in an entirely elementary way (except that I will refer to a result from the prime number theorem). This is below the fold.

## Another proof of Wilson’s Theorem

While teaching a largely student-discovery style elementary number theory course to high schoolers at the Summer@Brown program, we were looking for instructive but interesting problems to challenge our students. By we, I mean Alex Walker, my academic little brother, and me. After a bit of experimentation with generators and orders, we stumbled across a proof of Wilson’s Theorem, different than the standard proof.

Wilson’s theorem is a classic result of elementary number theory, and is used in some elementary texts to prove Fermat’s Little Theorem, or to introduce primality testing algorithms that give no hint of the factorization.

Theorem 1 (Wilson’s Theorem) For a prime number ${p}$, we have $$(p-1)! \equiv -1 \pmod p. \tag{1}$$

The theorem is clear for ${p = 2}$, so we only consider proofs for “odd primes ${p}$.”

The standard proof of Wilson’s Theorem included in almost every elementary number theory text starts with the factorial ${(p-1)!}$, the product of all the units mod ${p}$. Then as the only elements which are their own inverses are ${\pm 1}$ (as ${x^2 \equiv 1 \pmod p \iff p \mid (x^2 – 1) \iff p\mid x+1}$ or ${p \mid x-1}$), every element in the factorial multiples with its inverse to give ${1}$, except for ${-1}$. Thus ${(p-1)! \equiv -1 \pmod p.} \diamondsuit$

Now we present a different proof.

Take a primitive root ${g}$ of the unit group ${(\mathbb{Z}/p\mathbb{Z})^\times}$, so that each number ${1, \ldots, p-1}$ appears exactly once in ${g, g^2, \ldots, g^{p-1}}$. Recalling that ${1 + 2 + \ldots + n = \frac{n(n+1)}{2}}$ (a great example of classical pattern recognition in an elementary number theory class), we see that multiplying these together gives ${(p-1)!}$ on the one hand, and ${g^{(p-1)p/2}}$ on the other.

As ${g^{(p-1)/2}}$ is a solution to ${x^2 \equiv 1 \pmod p}$, and it is not ${1}$ since ${g}$ is a generator and thus has order ${p-1}$. So ${g^{(p-1)/2} \equiv -1 \pmod p}$, and raising ${-1}$ to an odd power yields ${-1}$, completing the proof $\diamondsuit$.

After posting this, we have since seen that this proof is suggested in a problem in Ireland and Rosen’s extremely good number theory book. But it was pleasant to see it come up naturally, and it’s nice to suggest to our students that you can stumble across proofs.

It may be interesting to question why ${x^2 \equiv 1 \pmod p \iff x \equiv \pm 1 \pmod p}$ appears in a fundamental way in both proofs.

This post appears on the author’s personal website davidlowryduda.com and on the Math.Stackexchange Community Blog math.blogoverflow.com. It is also available in pdf note form. It was typeset in \TeX, hosted on WordPress sites, converted using the utility github.com/davidlowryduda/mse2wp, and displayed with MathJax.

Posted in Expository, Math.NT, Mathematics | | 1 Comment

## Functional Equations for L-Functions arising from Modular Forms

In this note, I remind myself of the functional equations for the ${L}$-functions ${\displaystyle \sum_{n\geq 0} \frac{a(n)}{n^s}}$ and ${\displaystyle \sum_{n\geq 0} \frac{a(n)}{n^s}e(\frac{n\overline{r}}{c})}$, where ${\overline{r}}$ is the multiplicative inverse of ${r \bmod c}$.

## Friendly Introduction to Sieves with a Look Towards Progress on the Twin Primes Conjecture

This is an extension and background to a talk I gave on 9 October 2013 to the Brown Graduate Student Seminar, called `A friendly intro to sieves with a look towards recent progress on the twin primes conjecture.’ During the talk, I mention several sieves, some with a lot of detail and some with very little detail. I also discuss several results and built upon many sources. I’ll provide missing details and/or sources for additional reading here.

Furthermore, I like this talk, so I think it’s worth preserving.

1. Introduction

We talk about sieves and primes. Long, long ago, Euclid famously proved the infinitude of primes (${\approx 300}$ B.C.). Although he didn’t show it, the stronger statement that the sum of the reciprocals of the primes diverges is true:

$\displaystyle \sum_{p} \frac{1}{p} \rightarrow \infty,$

where the sum is over primes.

Proof: Suppose that the sum converged. Then there is some ${k}$ such that

$\displaystyle \sum_{i = k+1}^\infty \frac{1}{p_i} < \frac{1}{2}.$

Suppose that ${Q := \prod_{i = 1}^k p_i}$ is the product of the primes up to ${p_k}$. Then the integers ${1 + Qn}$ are relatively prime to the primes in ${Q}$, and so are only made up of the primes ${p_{k+1}, \ldots}$. This means that

$\displaystyle \sum_{n = 1}^\infty \frac{1}{1+Qn} \leq \sum_{t \geq 0} \left( \sum_{i > k} \frac{1}{p_i} \right) ^t < 2,$

where the first inequality is true since all the terms on the left appear in the middle (think prime factorizations and the distributive law), and the second inequality is true because it’s bounded by the geometric series with ratio ${1/2}$. But by either the ratio test or by limit comparison, the sum on the left diverges (aha! Something for my math 100 students), and so we arrive at a contradiction.

Thus the sum of the reciprocals of the primes diverges. $\diamondsuit$

## Response to bnelo12’s question on Reddit (or the Internet storm on $1 + 2 + \ldots = -1/12$)

bnelo12 writes (slightly paraphrased)

Can you explain exactly how ${1 + 2 + 3 + 4 + \ldots = – \frac{1}{12}}$ in the context of the Riemann ${\zeta}$ function?

We are going to approach this problem through a related problem that is easier to understand at first. Many are familiar with summing geometric series

$\displaystyle g(r) = 1 + r + r^2 + r^3 + \ldots = \frac{1}{1-r},$

which makes sense as long as ${|r| < 1}$. But if you’re not, let’s see how we do that. Let ${S(n)}$ denote the sum of the terms up to ${r^n}$, so that

$\displaystyle S(n) = 1 + r + r^2 + \ldots + r^n.$

Then for a finite ${n}$, ${S(n)}$ makes complete sense. It’s just a sum of a few numbers. What if we multiply ${S(n)}$ by ${r}$? Then we get

$\displaystyle rS(n) = r + r^2 + \ldots + r^n + r^{n+1}.$

Notice how similar this is to ${S(n)}$. It’s very similar, but missing the first term and containing an extra last term. If we subtract them, we get

$\displaystyle S(n) – rS(n) = 1 – r^{n+1},$

which is a very simple expression. But we can factor out the ${S(n)}$ on the left and solve for it. In total, we get

$\displaystyle S(n) = \frac{1 – r^{n+1}}{1 – r}. \ \ \ \ \ (1)$

This works for any natural number ${n}$. What if we let ${n}$ get arbitrarily large? Then if ${|r|<1}$, then ${|r|^{n+1} \rightarrow 0}$, and so we get that the sum of the geometric series is

$\displaystyle g(r) = 1 + r + r^2 + r^3 + \ldots = \frac{1}{1-r}.$

But this looks like it makes sense for almost any ${r}$, in that we can plug in any value for ${r}$ that we want on the right and get a number, unless ${r = 1}$. In this sense, we might say that ${\frac{1}{1-r}}$ extends the geometric series ${g(r)}$, in that whenever ${|r|<1}$, the geometric series ${g(r)}$ agrees with this function. But this function makes sense in a larger domain then ${g(r)}$.

People find it convenient to abuse notation slightly and call the new function ${\frac{1}{1-r} = g(r)}$, (i.e. use the same notation for the extension) because any time you might want to plug in ${r}$ when ${|r|<1}$, you still get the same value. But really, it’s not true that ${\frac{1}{1-r} = g(r)}$, since the domain on the left is bigger than the domain on the right. This can be confusing. It’s things like this that cause people to say that

$\displaystyle 1 + 2 + 4 + 8 + 16 + \ldots = \frac{1}{1-2} = -1,$

simply because ${g(2) = -1}$. This is conflating two different ideas together. What this means is that the function that extends the geometric series takes the value ${-1}$ when ${r = 2}$. But this has nothing to do with actually summing up the ${2}$ powers at all.

So it is with the ${\zeta}$ function. Even though the ${\zeta}$ function only makes sense at first when ${\text{Re}(s) > 1}$, people have extended it for almost all ${s}$ in the complex plane. It just so happens that the great functional equation for the Riemann ${\zeta}$ function that relates the right and left half planes (across the line ${\text{Re}(s) = \frac{1}{2}}$) is

$\displaystyle \pi^{\frac{-s}{2}}\Gamma\left( \frac{s}{2} \right) \zeta(s) = \pi^{\frac{s-1}{2}}\Gamma\left( \frac{1-s}{2} \right) \zeta(1-s), \ \ \ \ \ (2)$

where ${\Gamma}$ is the gamma function, a sort of generalization of the factorial function. If we solve for ${\zeta(1-s)}$, then we get

$\displaystyle \zeta(1-s) = \frac{\pi^{\frac{-s}{2}}\Gamma\left( \frac{s}{2} \right) \zeta(s)}{\pi^{\frac{s-1}{2}}\Gamma\left( \frac{1-s}{2} \right)}.$

If we stick in ${s = 2}$, we get

$\displaystyle \zeta(-1) = \frac{\pi^{-1}\Gamma(1) \zeta(2)}{\pi^{\frac{-1}{2}}\Gamma\left( \frac{-1}{2} \right)}.$

We happen to know that ${\zeta(2) = \frac{\pi^2}{6}}$ (this is called Basel’s problem) and that ${\Gamma(\frac{1}{2}) = \sqrt \pi}$. We also happen to know that in general, ${\Gamma(t+1) = t\Gamma(t)}$ (it is partially in this sense that the ${\Gamma}$ function generalizes the factorial function), so that ${\Gamma(\frac{1}{2}) = \frac{-1}{2} \Gamma(\frac{-1}{2})}$, or rather that ${\Gamma(\frac{-1}{2}) = -2 \sqrt \pi.}$ Finally, ${\Gamma(1) = 1}$ (on integers, it agrees with the one-lower factorial).

Putting these together, we get that

$\displaystyle \zeta(-1) = \frac{\pi^2/6}{-2\pi^2} = \frac{-1}{12},$

which is what we wanted to show. ${\diamondsuit}$

The information I quoted about the Gamma function and the zeta function’s functional equation can be found on Wikipedia or any introductory book on analytic number theory. Evaluating ${\zeta(2)}$ is a classic problem that has been in many ways, but is most often taught in a first course on complex analysis or as a clever iterated integral problem (you can prove it with Fubini’s theorem). Evaluating ${\Gamma(\frac{1}{2})}$ is rarely done and is sort of a trick, usually done with Fourier analysis.

As usual, I have also created a paper version. You can find that here.

Posted in Expository, Math.NT, Mathematics | | 4 Comments