A gentle (and short) introduction to Gröbner Bases
Quick Math Intuitions, https://quickmathintuitions.org/gentle-introduction-grobner-bases/, Wed, 03 Jun 2020

Taken from my report for a Computer Algebra course.

Motivation

We know there are plenty of methods to solve a system of linear equations (to name a few: Gauss elimination, QR or LU factorization). In fact, it is straightforward to check whether a linear system has any solutions, and if it does, how many of them there are. But what if the system is made of non-linear equations? Groebner bases, and the field of computational algebra more generally, were developed to answer these questions.

In this text we will recap the theory behind single-variable polynomials and extend it to multiple-variable ones, ultimately getting to the definition of Groebner bases.

In some cases, the transition from one to multiple variables is smooth and pretty much an extension of the simple case (for example for the Greatest Common Divisor algorithm). In other cases, however, there are conceptual jumps to be made. To give an example, a single-variable polynomial always has a finite number of roots, while this does not hold for multivariate polynomials. Intuitively, the reason is that a polynomial in one variable describes a curve in the plane, which can only intersect the x-axis a discrete and finite number of times. On the other hand, a multivariate polynomial describes a surface in space, which will always intersect the 0-plane in a continuum of points.

Preliminaries

All throughout these notes, it will be important to have in mind some basic algebra definitions.

To begin with, we ask what is the most basic (but useful) structure we can put on a set. We ask, for example, given the set of natural numbers, what do we need to do to allow basic manipulation (i.e. summation)? This leads us to the definition of group.

DEF 1: A group is made of a set \mathcal{G} with one binary operation + such that:

  • The operation is closed: a+b \in \mathcal{G} \ \forall a,b \in \mathcal{G}
  • The operation is associative: a+(b+c)=(a+b)+c \ \forall a,b,c \in \mathcal{G}
  • The operation + has an identity element 0 s.t. g+0 = g \ \forall g \in \mathcal{G}
  • Each element has an inverse element: \forall g \in \mathcal{G}, \exists h \in \mathcal{G} : g+h=0

A group is usually denoted with (\mathcal{G}, +).
Notice that we did not ask anything about commutativity!

Then, the notion of group can be made richer and more complex: first into that of ring, then into that of field.

DEF 2: A ring is a group with an extra operation (\mathcal{G}, +, *) which satisfies the following properties:

  • The operation + is commutative: a+b=b+a \ \forall a,b \in \mathcal{G}
  • The operation * is closed: a*b \in \mathcal{G} \ \forall a,b \in \mathcal{G}
  • The operation * has an identity element 1 s.t. g*1 = g \ \forall g \in \mathcal{G}
  • The operation * is associative: a*(b*c)=(a*b)*c \ \forall a,b,c \in \mathcal{G}
  • The operation * is distributive with respect to +

DEF 3: A field \mathcal{K} is a ring in which all elements have an inverse with respect to the operation *.

All throughout these notes, the symbol \mathcal{K} will denote a field.

DEF 4: A monomial is a product x_1^{\alpha_1} \cdots x_n^{\alpha_n}, with \alpha_i \in \mathbb{N}. Its degree is the sum of the exponents.

DEF 5: A polynomial is a linear combination of monomials.

We conclude by noting that the space of polynomials with coefficients taken from a field \mathcal{K} makes a ring, denoted with \mathcal{K}[x_1, \cdots, x_n].

Affine varieties and ideals

Our first step towards formalizing the theory for non-linear systems is to understand what the space of solutions looks like. Just as linear spaces are the solution spaces of linear systems, there is an analogous object for non-linear systems: affine varieties.

DEF 6: Given f_1, \cdots, f_s polynomials in \mathcal{K}[x_1, \cdots, x_n], the affine variety over them is the set of their common roots:

    \[V(f_1, \cdots, f_s) = \{ (a_1, \cdots, a_n) \in \mathcal{K}^n : f_i(a_1, \cdots, a_n) = 0 \ \forall i = 1, \cdots, s\}\]

EX 1: V(x_1+x_2-1, x_2+1) = \{ (2, -1) \}

When working with rings, as it is our case, the notion of ideal is important. The reason for its importance is that ideals turn out to be kernels of ring homomorphisms — or, in other words, that they are the “good sets” that can be used to take ring quotients.

DEF 7: An ideal is a subset I \subset \mathcal{K}[x_1, \cdots, x_n] such that:

  • 0 \in I
  • it is closed w.r.t +: f+g \in I \ \forall f,g \in I
  • it is closed w.r.t * for elements in the ring: f*g \in I \ \forall f \in I, g \in \mathcal{K}[x_1, \cdots, x_n]

Given some elements of a ring, we might wonder how to build the smallest ideal that contains them.

DEF 8: Given f_1, \cdots, f_s polynomials, the ideal generated by them is the set of combinations with coefficients taken from the ring:

    \[<f_1, \cdots, f_s> = \{ \sum_{i=1}^s h_i f_i, \ \ h_i \in \mathcal{K}[x_1, \cdots, x_n] \}\]

Having introduced ideals, we immediately get a result linked to our goal of inspecting non-linear systems: a simple way to check whether a system has solutions or not.

THEO 1: If 1 \in I=<f_1, \cdots, f_s>, then V(I) = \emptyset.
PROOF: Since 1 \in I, it must be possible to write it as a combination of the form 1 = \sum h_i f_i. Now, if we suppose that V(I) is not empty, then one of its points a is a root of all the f_i. Evaluating the combination at a would give \sum h_i(a) f_i(a) = 0 \neq 1, which is absurd.

Groebner bases

Groebner bases give a computational method for solving non-linear systems of equations through an apt sequence of ideal intersections. To state their definition, we first need to know what a monomial ordering is. Intuitively, such an ordering is a way to compare monomials; the technical definition adds little to this intuition. Different orderings are possible.

Once we have a way of ordering monomials, it is also possible to define the leading monomial (denoted LM) of a given polynomial. For single-variable polynomials this is straightforward, but in the multivariate case an ordering must be fixed first (some possible options are: lexicographic, graded lexicographic, graded reverse lexicographic).

DEF 9: Given a monomial ordering, a Groebner basis of an ideal I w.r.t the ordering is a finite subset G = \{ g_1, \cdots, g_s \} \subset I s.t. <LM(g_1), \cdots, LM(g_s)> = LM(I).

This basis is a generating set for the ideal, but notice how it depends on the ordering! Finally, it is possible to prove that every ideal has a Groebner basis (Hilbert’s basis theorem).

From here on, the rationale is that, given a system of polynomial equations, we can see the polynomials as generators of some ideal. That ideal will have a Groebner basis, and there is an algorithm to build one (Buchberger's algorithm). From there, suitable ideal operations will allow us to solve the system by eliminating the variables.

We now describe this elimination algorithm with an example:

(1)   \begin{equation*}  \begin{cases} x^2+y+z=1 \\ x + y^2 +z=1 \\ x+y+z^2=1 \end{cases} \end{equation*}

Given the ideal

    \[I = <x^2+y+z-1, x + y^2 +z-1, x+y+z^2-1>,\]

then a Groebner basis with respect to the lexicographic order is

(2)   \begin{equation*} \begin{cases} g_1=x+y+z^2-1 \\ g_2=y^2-y-z^2+z \\ g_3=2yz^2+z^4-z^2\\ g_4=z^6-4z^4+4z^3-z^2 \end{cases} \end{equation*}

which can be used to compute the solutions of the initial system (1).

To do so, first consider the ideal I \cap \mathbb{C}[z], which in practice consists of all polynomials in I in which x and y do not appear. In our case, only one element of the basis involves z alone: g_4=z^6-4z^4+4z^3-z^2. The roots of g_4 are 0,1,-1 \pm \sqrt{2}.

The values for z can then be used to find the possible values for y using the polynomials g_3 and g_2, which only involve y and z. Finally, once the possible values for y and z are known, they can be used to find the corresponding values of x through g_1.

This example will yield the following solutions:

(3)   \begin{equation*} \begin{cases} (1, 0, 0), (0, 1, 0), (0, 0, 1), \\ (-1 + \sqrt{2}, -1 + \sqrt{2}, -1 + \sqrt{2}), \\ (-1 - \sqrt{2}, -1 - \sqrt{2}, -1 - \sqrt{2}) \end{cases} \end{equation*}
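As an added worked example (not part of the original post), here is the back-substitution that produces (3) from the basis (2). First, g_4 factors as

    \[g_4 = z^2 (z-1)^2 (z^2+2z-1),\]

so the candidate values are z = 0, z = 1 and z = -1 \pm \sqrt{2}.

  • z = 0: g_3 vanishes identically, g_2 = y^2 - y = y(y-1) = 0 gives y \in \{0, 1\}, and g_1 = 0 gives x = 1 - y - z^2 = 1 - y, hence the points (1, 0, 0) and (0, 1, 0).
  • z = 1: g_3 = 2y + 1 - 1 = 2y = 0 forces y = 0; g_2 = 0 - 0 - 1 + 1 = 0 is satisfied, and g_1 = 0 gives x = 1 - 0 - 1 = 0, hence (0, 0, 1).
  • z = -1 \pm \sqrt{2}: these are the roots of z^2 + 2z - 1, so z^2 = 1 - 2z. Then

    \[g_3 = z^2 (2y + z^2 - 1) = z^2 (2y - 2z) = 0,\]

    and since z \neq 0 this forces y = z; g_2 = z^2 - z - z^2 + z = 0 is satisfied, and g_1 = 0 gives x = 1 - z - z^2 = 1 - z - (1 - 2z) = z, hence the two points (z, z, z).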

But WHY is the Lattices Bounded Distance Decoding Problem difficult?
Quick Math Intuitions, https://quickmathintuitions.org/why-lattices-bounded-distance-decoding-problem-difficult/, Wed, 28 Aug 2019

This is taken from my Master Thesis on Homomorphic Signatures over Lattices.

Introduction to lattices and the Bounded Distance Decoding Problem

A lattice is a discrete subgroup \mathcal{L} \subset \mathbb{R}^n, where discrete means that each x \in \mathcal{L} has a neighborhood in \mathbb{R}^n whose intersection with \mathcal{L} is x alone. One can think of lattices as being grids, although the coordinates of the points need not be integers. Indeed, all lattices are isomorphic to \mathbb{Z}^n, but a lattice may be a grid of points with non-integer coordinates.

Another very nice way to define a lattice is: given n independent vectors b_i \in \mathbb{R}^n, the lattice \mathcal{L} generated by that basis is the set of all linear combinations of them with integer coefficients:

    \[\mathcal{L} = \{\sum\limits_{i=1}^{n} z_i b_i, \ b_i \in \mathbb{R}^n, z_i \in \mathbb{Z} \}\]

Then, we can go on to define the Bounded Distance Decoding problem (BDD), which is used in lattice-based cryptography (more specifically, for example in trapdoor homomorphic encryption) and believed to be hard in general.

Given an arbitrary basis of a lattice \mathcal{L}, and a point x \in \mathbb{R}^n not necessarily belonging to \mathcal{L}, find the point of \mathcal{L} that is closest to x. We are also guaranteed that x is very close to one of the lattice points. Notice how we are relying on an arbitrary basis – if we claim to be able to solve the problem, we should be able to do so with any basis.

Bounded Distance Problem example: given the blue points, devise an algorithm that pinpoints the one closest to the red target.

Now, as the literature goes, this is a problem that is hard in general, but easy if the basis is nice enough. So, for example for encryption, the idea is that we can encode our secret message as a lattice point, and then add to it some small noise (i.e. a small element v \in \mathbb{R}^n). This basically generates an instance of the BDD problem, and then the decoding can only be done by someone who holds the good basis for the lattice, while those having a bad basis are going to have a hard time decrypting the ciphertext.

However, although of course there is no proof of this (it is a problem believed to be hard), I wanted to get at least some clue on why it should be easy with a nice basis and hard with a bad one (GGH is an example scheme that employs techniques based on this).

So now to our real question: why is the Bounded Distance Decoding problem hard (or easy)? Nobody I asked could answer my questions, nor could I find any resource detailing it, so here come my intuitions.

Why the Bounded Distance Decoding problem is easy with a nice basis

Let’s first say what a good basis is. A basis is good if it is made of nearly orthogonal short vectors. This is a pretty vague definition, so let’s make it a bit more specific (at the cost of making it more restrictive): we want a basis in which each of its b_i is of the form (0, ..., 0, k, 0, ..., 0) for some k \in \mathbb{R}. One can imagine k being smaller than some random value, like 10. (This shortness is pretty vague and its role will be clearer later.) In other words, a nice basis is the canonical one, in which each vector has been re-scaled by an independent real factor.

To get a flavor of why the Bounded Distance Decoding problem is easy with a nice basis, let’s make an example. Consider \mathbb{R}^2, with b_0 = (\frac{1}{2}, 0), b_1 = (0, \frac{5}{4}) as basis vectors. Suppose we are given x = (\frac{3}{7}, \frac{9}{10}) as challenge point. It does not belong to the lattice generated by b_0, b_1, but it is only (\frac{1}{14}, \frac{9}{25}) away from the point (\frac{1}{2}, \frac{5}{4}), which does belong to the lattice.

Now, what does one have to do to solve this problem? Let’s get a graphical feeling for it and formalize it.

Figure: Bounded Distance Decoding problem example with a good basis.

We are looking for the lattice point closest to x. So, sitting on x, we are looking for the linear combination with integer coefficients of the basis vectors that is closest to us. Breaking it component-wise, we are looking for the smallest (in absolute value) y, z \in \mathbb{R} and for k, j \in \mathbb{Z} that are a solution of:

    \[\begin{cases} \frac{3}{7} + y = \frac{1}{2} k \\ \frac{9}{10} + z = \frac{5}{4} j \end{cases}\]

This may seem a difficult optimization problem, but in truth it is very simple! The reason is that the two equations are independent, so we can solve them one by one: each individual minimum problem is easy and can be solved quickly. (One could also put bounds on y, z in terms of the norms of the basis vectors, but that is not vital now.)

So the overall complexity of solving BDD with a good basis is \Theta(n \cdot \Theta(\min)), i.e. n times the cost of one single-variable minimum problem, which is fine.

Why the Bounded Distance Decoding problem is hard with a bad basis

A bad basis is any basis that fails one or both of the two conditions of a nice basis: it may be poorly orthogonal, or it may be made of long vectors. We will later try to understand what roles these differences play in solving the problem; for now, let’s just consider an example again.

Another basis for the lattice generated by the nice basis we picked before ((\frac{1}{2}, 0), (0, \frac{5}{4})) is b_0 = (\frac{9}{2}, \frac{5}{4}), b_1 = (5, \frac{10}{4}). This is a bad one.

Figure: Bounded Distance Decoding problem example with a bad basis.

Let’s write down the system of equations coordinate-wise as we did for the nice basis. We are looking for the smallest (in absolute value) y, z \in \mathbb{R} and for k, j \in \mathbb{Z} that are a solution of:

    \[\begin{cases} \frac{3}{7} + y = \frac{9}{2} k + 5 j \\ \frac{9}{10} + z = \frac{5}{4} k + \frac{10}{4} j \end{cases}\]

Now look! This may look similar to before, but this time it really is a system: the equations are no longer independent, and we have 3 unknowns and 2 equations. The system is under-determined! This already means that, in principle, there are infinitely many solutions. Moreover, we are also trying to find a solution that is constrained to be minimal. Especially with big n, solving this optimization problem can definitely be non-trivial!

On the differences between a good and a bad basis

So far so good: we have discovered why the Bounded Distance Decoding problem is easy with a good basis and difficult with a bad one. But still, what does a good basis have that makes it easy? How do its properties relate to ease of solution?

We enforced two conditions: orthogonality and shortness. Actually, we even required something stronger than orthogonality: that the good basis was basically a stretched version of the canonical one – i.e. had only one non-zero entry.

Let’s think for a second in terms of the canonical basis \{e_i = (0, ..., 0, 1, 0, ... 0)\}. This is what makes the minimum problems independent and allows for easy resolution of the BDD problem. However, when dealing with cryptography matters, we cannot always use the same basis; we need some randomness. That is why we required the use of a set of independent vectors each having only one non-zero coordinate: it is the main feature that makes the problem easy (at least for the party having the good basis).

We also asked for shortness. This does not give an immediate advantage to whoever holds the good basis, but makes it harder to solve the problem for those holding the bad one. The idea is that, given a challenge point x \in \mathbb{R}^n, if we have short basis vectors, we can take small steps from it and look around us for nearby points. It may take some time to find the best one, but we are still not looking totally astray. Instead, if we have long vectors, every time we use one we have to make a big leap in one direction. In other words, whoever has the good basis knows the step size of the lattice, and thus can take steps of considered size, slowly poking around; whoever has the bad basis takes huge jumps and may have a hard time pinpointing the right point.

It is true, though, that the features of a good basis usually only include shortness and orthogonality, and not the “rescaling of the canonical basis” we assumed in the first place. So, let’s consider a basis of that kind, like \{v_1 = (\frac{\sqrt{3}}{2}, \frac{1}{2}), v_2 = (\frac{1}{2}, \frac{\sqrt{3}}{2})\}. If we wrote down the minimum problem we would have to solve given a challenge point, it would be pretty similar to the one with the bad basis, with the equations not being independent. Looks like bad luck, huh?

However, not all hope is lost! In fact, we can look for the rotation matrix that will turn that basis into a stretching of the canonical one, giving v_1', v_2'! Then we can rotate the challenge point x as well, and solve the problem with respect to those new basis vectors. Of course that is not going to be the solution to the original problem, but we can easily rotate it back to find the real solution!
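The coordinate-wise solution described for the nice basis, together with the rotation trick for a general orthogonal basis, as an added example (not code from the original post): projecting the target onto each basis vector and rounding is the same computation as rotating to the axes first, so one routine handles both the post's nice basis and a constructed, rotated orthogonal basis. The rotated basis, its target point and all function names are assumptions made for this example.

```python
# Added example (not from the original post): Bounded Distance Decoding by
# coordinate-wise rounding, valid exactly when the basis is orthogonal.
# Each coefficient is found by projecting the target x onto one basis vector
# and rounding; for the post's stretched canonical basis this is the set of
# independent one-variable minimum problems, and for a rotated orthogonal
# basis it is the "rotate, solve, rotate back" idea without building the
# rotation matrix explicitly.
from fractions import Fraction
from math import floor


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def nearest_int(q):
    # Deterministic rounding of an exact rational: halfway points go up.
    return floor(q + Fraction(1, 2))


def is_orthogonal(basis):
    n = len(basis)
    return all(dot(basis[i], basis[j]) == 0
               for i in range(n) for j in range(i + 1, n))


def bdd_orthogonal(basis, x):
    """Return (coefficients, lattice point) of the lattice point closest to x.

    Only correct for an orthogonal basis: there the coordinate equations
    decouple. For a non-orthogonal basis (the post's "bad basis" case) the
    equations are coupled and rounding each projection separately is wrong,
    so the function refuses rather than returning a wrong answer.
    """
    if not is_orthogonal(basis):
        raise ValueError("basis is not orthogonal; decoupled rounding does not apply")
    coeffs = tuple(nearest_int(dot(x, b) / dot(b, b)) for b in basis)
    point = tuple(sum(c * b[i] for c, b in zip(coeffs, basis))
                  for i in range(len(x)))
    return coeffs, point


F = Fraction
# The post's nice basis and challenge point.
GOOD_BASIS = ((F(1, 2), F(0)), (F(0), F(5, 4)))
X = (F(3, 7), F(9, 10))
# The post's bad basis (not orthogonal).
BAD_BASIS = ((F(9, 2), F(5, 4)), (F(5), F(10, 4)))
# Constructed orthogonal but rotated basis, and a target near 2*b_0 + 1*b_1.
ROTATED_BASIS = ((F(3, 2), F(2)), (F(-2), F(3, 2)))
Y = (F(11, 10), F(27, 5))


def solve_page_example():
    return bdd_orthogonal(GOOD_BASIS, X)        # ((1, 1), (1/2, 5/4))


def solve_rotated_example():
    return bdd_orthogonal(ROTATED_BASIS, Y)     # ((2, 1), (1, 11/2))


def bad_basis_is_rejected():
    try:
        bdd_orthogonal(BAD_BASIS, X)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(solve_page_example())
    print(solve_rotated_example())
    print("bad basis rejected:", bad_basis_is_rejected())
```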

However, given that using a basis of this kind does not make the opponent's job any harder, but only increases the computational cost for the honest party, I do not see why this should ever be used. Instead, I guess the best choices for a good basis are the stretched canonical ones.

(This may be obvious, but having a generic orthogonal basis is not enough for an opponent to break the problem. If it is orthogonal, but its vectors are long, bad luck!)

Relationship between reduced rings, radical ideals and nilpotent elements
Quick Math Intuitions, https://quickmathintuitions.org/relationship-between-reduced-rings-radical-ideals-and-nilpotent-elements/, Sat, 17 Sep 2016

This post aims at providing some intuition and meaning for the following algebra relationship:

Reduced ring – Radical ideal – Nilpotent

A basic fact of ring theory is that if you take a ring A and quotient it by a (two-sided) radical ideal I you get a reduced ring. Let us suppose A is a commutative ring and understand why this fact is true.

Nilpotent element
Def. a \in A is nilpotent \Leftrightarrow \exists n \in \mathbb{N} : a^n = 0

Informally, a nilpotent element is like a road ending in the middle of nowhere, collapsing in the depth of an abyss. You are driving on it, following the powers of a, and then all of a sudden, with no explanation, your road ends in a big black hole. Indeed, the zero really acts as some kind of black hole, attracting nilpotent-made roads at some point or another: we can think of nilpotent roads as spiraling into the zero.

Reduced ring
Def. A is a reduced ring if the only nilpotent is 0.

With the road-analogy, we can think of a reduced ring as a city where all roads lead somewhere and never end in a giant hole. We can see how desirable it is to have a reduced ring rather than a non-reduced one, because it is not nice to pick a road and end up in the rabbit hole unexpectedly. However, it is worth noting that there still is one hole corresponding to the zero element, but this is not exactly a road since it does not even start, let alone have the intention to bring you anywhere.

The way I imagine a reduced ring is like a big hole in the middle of a city, with roads going around in circles or in straight lines crossing the city, but never getting through the big hole in the center.


Given the premises, we now ask two questions:

  1. Given a quotient ring, is there any way we can tell whether it is reduced?
  2. Given a ring, is there any way we can get rid of its nilpotents? If yes, what’s the best way to do that?

1. Reduced property for quotient rings

To inspect whether a quotient ring is reduced or not, it is possible to inspect the ideal that was used to form the quotient [1]. This is useful when dealing with a quotient which you know the genesis of: if you know what ideal was used to quotient what ring, then it’s easier to inspect the ideal properties rather than the quotient ones, which are usually difficult to deal with.

Now, the proof of the theorem stating that a radical ideal gives rise to a reduced ring is quite straightforward, but the intuitive reason why it happened eluded me at first. Let me share my intuitions.

Radical ideal
Def. I is a radical ideal \Leftrightarrow \forall a \in A: (\exists n \in \mathbb{N} : a^n \in I) \Rightarrow a \in I

Or, in words: for any element of A, the presence of some power of that element in I guarantees the presence of the element itself in I. You could also see a radical ideal as containing the roots of all its elements.

The reason why using a radical ideal to form a quotient gives a reduced ring as a result is actually so straightforward that it is wonderful. As Hamed points out, every ideal contains zero! But zero is a power of any nilpotent element (look again at the definition: there must be a power n for which a^n is zero), so there is always at least one power of each nilpotent element in a radical ideal, because all nilpotent elements turn to zero at some point. Thanks to the radical ideal definition, we then know that if some power of an element is in the ideal, so is its base!

So we have an ideal which, for sure, contains at least all nilpotent elements. Thus, when we form a quotient with that ideal, we are identifying all its elements with zero. That’s why nilpotents vanish with a radical ideal, and I find it amazing that it all comes from the fact that all ideals contain zero and, of course, from the definition of radical ideal.

The question one may ask is: right, but are we getting rid of nilpotents only? Isn’t there the risk of affecting non-nilpotent elements? And indeed, it is true that being a radical ideal guarantees that the quotient is reduced, but it doesn’t guarantee that we have got rid of the nilpotent elements only, and that no innocent element of the ring has been destroyed in our zeal of building the perfect city. In other words, we may be using a bazooka to shoot a fly! Let’s see if we can refine our doings and come up with a good way of doing this.

2. Build a reduced ring from an ordinary one

We have got to our second question: given an ordinary ring A, are we capable of building another ring \widetilde{A} that is reduced and yet as similar as possible to A (i.e. doing the smallest possible damage to A)?

Yes we can, and, surprisingly, we already have roughly all we need. The only thing we are lacking is the definition of the radical of an ideal.

Radical of an ideal
Def. Given I an ideal, then its radical is
\sqrt{I} = \{a \in A \mid a^n \in I\ \hbox{for some positive integer}\ n\}

From what we have said earlier, we will need an ideal which (at least) contains all nilpotents. It turns out that taking the radical of the (0) ideal does the job!

In fact, \widetilde{A} = A / \sqrt{(0)} is exactly what we are looking for! \widetilde{A} is a ring which is as close to A as we can get, and yet does not have any nilpotent elements!

Getting back to the city-road-holes analogy, it seems like we are able to make the nilpotent spiral-made roads collapse into the zero, thus destroying that fake road!
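The relationship of this section, and of the earlier one on quotienting by a radical ideal, as an added example that is not part of the original post: a brute-force check in the finite rings \mathbb{Z}_n, where every ideal is generated by a single element and the quotient is again some \mathbb{Z}_g, so both sides of the statement can be computed and compared. All function names and the sample moduli are assumptions made for this example.

```python
# Added example (not from the original post): the radical-ideal <-> reduced-ring
# relationship checked by brute force in the finite commutative rings Z_n.
# Every ideal of Z_n is (d) for some d, and Z_n/(d) is the ring Z_g with
# g = gcd(n, d), so the quotient can be inspected directly and compared with
# the property of the ideal that was used to form it.
from math import gcd


def powers(n, a):
    """a^1, a^2, ..., a^n in Z_n (n steps are enough: the sequence cycles)."""
    p = a % n
    for _ in range(n):
        yield p
        p = (p * a) % n


def nilpotents(n):
    """Elements of Z_n with a^k = 0 for some k (the post's Def. of nilpotent)."""
    return {a for a in range(n) if 0 in powers(n, a)}


def is_reduced(n):
    """Z_n is reduced iff 0 is its only nilpotent."""
    return nilpotents(n) == {0}


def ideal(n, d):
    """The ideal (d) of Z_n: all multiples of d modulo n."""
    return {(d * k) % n for k in range(n)}


def is_radical(n, I):
    """I is radical iff (some power of a lies in I) implies (a lies in I)."""
    return all(a in I for a in range(n) if any(p in I for p in powers(n, a)))


def quotient_is_reduced(n, d):
    """Z_n / (d) is isomorphic to Z_gcd(n, d); test that ring for nilpotents."""
    return is_reduced(gcd(n, d))


def nilradical(n):
    """sqrt((0)): elements with some power in (0) = {0}, i.e. the nilpotents."""
    return nilpotents(n)


def nilradical_generator(n):
    """sqrt((0)) is an ideal of Z_n, generated by its smallest positive element (0 if none)."""
    return min(nilradical(n) - {0}, default=0)


def radical_theorem_holds(max_n):
    """Check (d) radical in Z_n  <=>  Z_n/(d) reduced, for all n, d up to max_n."""
    return all(is_radical(n, ideal(n, d)) == quotient_is_reduced(n, d)
               for n in range(1, max_n + 1) for d in range(n))


def quotient_by_nilradical_is_reduced(max_n):
    """Z_n / sqrt((0)) is reduced for every n up to max_n (section 2 of the post)."""
    return all(ideal(n, nilradical_generator(n)) == nilradical(n)
               and quotient_is_reduced(n, nilradical_generator(n))
               for n in range(1, max_n + 1))


if __name__ == "__main__":
    print(nilpotents(12))                                            # {0, 6}
    print(is_radical(12, ideal(12, 4)), quotient_is_reduced(12, 4))  # False False
    print(is_radical(12, ideal(12, 6)), quotient_is_reduced(12, 6))  # True True
```

In \mathbb{Z}_{12} the ideal (4) is not radical (2^2 = 4 lies in it but 2 does not) and the quotient \mathbb{Z}_4 keeps the nilpotent 2, while (6) = \sqrt{(0)} is radical and the quotient \mathbb{Z}_6 is reduced.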

Going further: null-divisors – reduced ideal – domain and non-invertible – maximal ideal – field

I’ve detailed the intuitions on the reasons why a ring modulo a reduced ideal gives a domain[2] and (some bit) why a ring modulo a maximal ideal gives a field on math.stackexchange.com.

Footnotes

1. Inspecting a quotient properties by looking at the ideal used to quotient doesn’t seem very interesting to me, as I can’t see a valid real-world reason to inspect the properties of a quotient (and even if there were, I don’t believe the ideal used to quotient would be known explicitly). I don’t know, it all seems done just to create exercises to solve in exams, so the second question looks much more interesting for me.
2. It’s worth noting that in this case, there is not a unique, best choice for the ideal that will build the domain ring. For example, in \mathbb{Z}_{6}, both (2) and (3) are good choices (in fact, equivalent choices).
