 Okay, let me just introduce our speaker today. So we're very happy that Hendrik Lenstra will be giving our course, polynomial time algorithms and algebraic number theory. And Hendrik has made many wonderful contributions to the subject, the LLL algorithm, elliptic curve factorization, the Cohen-Lenstra heuristics, and he's also an excellent lecturer. And he tells very good jokes. Okay, so please let's all enjoy his lecture. Thank you. Okay, well thank you very much. It is a great pleasure and a great honor for me to ask to give a course on algorithms and algebraic number theory. The actual course is expected to actually only take place a year from now rather than a year ago. This week I will spend mostly on some preparations that will be useful to be used next year. You may see already that I have been restricting my subjects on what I added this prefix polynomial time because otherwise there is just too much to say. If you restrict to polynomial time algorithm I will tell you more about what they really are, then you really cut out already a lot from the whole area. If you know any algebraic number theory at all, then you may know that some of the most mysterious objects in the area they are class groups. Those computations are very complicated and often also very rigorous and they will only very superficially to touch upon them. It is mostly cut out when you restrict to polynomial time. It is good to know that there is another restriction I will make I will talk about the theory rather than about the algorithm so I will not teach of course on how to use software packages that do computations and algebraic number theory. I will talk not about pressing buttons, but I will talk about what is below the buttons the mathematics behind it, and I will concentrate on actually proven theorems concerning the performance and the efficiency of algorithms in algebraic number theory. I will just be clear about what I intend to do this week today I just want to give a brief introduction on the sort of things that I will concentrate upon in these lectures. And then on Tuesday, I will start explaining some auxiliary algorithms and the first one to be considered is actually the LLL algorithm that was just mentioned in the much appreciated introduction I just received. On Tuesday, I will talk about algorithms for finite degenerate the medium group there are lots of finite degenerate the medium group that you encounter in algebraic number theory such as the additive groups of the brains and the ideals and the residue classrooms that we encounter. I want you to know how one deals with those objects and Friday night if they are still alive by then late in the evening here in Europe, I will give an actual algorithm in algebraic number theory that uses much of what I will have been talking about in the earlier part of the week. In between there are also problem sessions and those are run by my teaching assistant down from hand maybe down you should make yourself visible to the camera this is done, and you will get to see more of guns and for the rest of the week he has been helping me a lot by writing the notes and by controlling these electronics and I suppose that he will be just as useful to you. So, let me then first mention some of the basics. We are going to do mathematics rather than computer science or most of the objects we will treat our actual theorems and it is good to know that the word algorithm does have a rigorous meaning. You can borrow that from any book on theoretical computer science it is good enough for us to just define algorithm as a theory machine in and it is not really necessary to know the precise definition of those it is reassuring to know that such definition exists but we will not really use it we will just depend on your understanding of what an algorithm is, and what the number of steps that is executed by an algorithm upon a certain input, how that is defined and that can be defined that can be made precise using curing machines. But rather than computer science we want to be doing number theory and algebra and what we will, in particular, consider I mentioned already the class groups algebraic number theory, but you will agree with me that all of the main purposes of algebraic number theory is to control the multiplicative structure that ideal theory in algebraic number fields, and that is what I will concentrate upon in these lectures mostly maybe next year. So, in order to illustrate this type of question I would like to start with the easiest number field of all which is the field of rational numbers in this case. Here the multiplicative structure of the field of rational numbers is well controlled through unique prime factorization, but when you view unique prime factorization from the angle of algorithms that you run already into a serious problem because there is not any known polynomial type algorithm that given an integer you'll factor it for you into prime numbers. And that is rise to the following theorem, not being completely obvious, and I want to treat this in some detail the theory that I am about to formulate, because it illustrates several points, and it is a theory that looks very easy, and it isn't in fact too deep, but let me just formulate it. So there is a, let me just call it PTA, PTA that means a polynomial time algorithm and all my algorithms will be deterministic, so I will not add this prefix, probabilistic algorithms are certainly of exceeding importance, especially in practical situations, but deterministic algorithms that is what will really, what will be after impure mathematics having a deterministic algorithm or something, a polynomial time algorithm is so to speak next best to simply having a formula for it. There is a polynomial time algorithm, and what does it do that, well it receives a certain input, and the input is a sequence of no zero threshold, so the length of the sequence is a number T, and these numbers are represented typically in binary, and then there is a sequence of T no zero threshold numbers, and these rational numbers, you may specify them by the sign as well as a numerator and then we have some exponents and one through Nt and other sequence, and they are integers, and this is the input, and the output is a single bit, it decides whether or not this power product, the product from one to T of qi to the ni is equal to one, so that is a theorem that I want to explain to you in order to illustrate what the sort of difficulties are, that you encounter, then you want to decide polynomial time algorithms in number and then one of our purposes will be to have a similar theorem, not just for the rational numbers, but also for finite extensions of them, and that is, as it turns out quite a bit of work, and I think it is not far from the truth that a theorem like this for the algebraic number fields is about the hardest problem for which polynomial time algorithm actually is known to exist in algebraic number fields. So this is the problem of course you can, you can rephrase it a bit, so the first thing that you do is that you check whether this number is positive, that is too easy to merit much comment at this point, so let me forgo this and assume that at least the sign is what should be, and then you can write the qi as a numerator, divided by a denominator, both of them being positive, and if I call those ai, then the question is whether the product of the ai is equal to the same product of the bi, the bi being the denominator, so here all these things ai and bi, they are, they are positive integers, the ni they may still be negative but you can shuffle a little bit and make them positive and then maybe you get different exponents, let me write an mi here, and the question is how do I decide whether two power products of positive integers are equal to each other, and let me just tell you a few possible approaches to the proof of this theory, in other words to a description of an algorithm that would do such a thing, and the first is, so from method one, compute simply by ordinary arithmetic, both of these integers compute the left hand side and the right hand side just explicitly in binary, and then you can easily tell whether these things are equal, but there is one big problem, and that is this polynomial time, because polynomial time, that means that the number of steps that you are allowed to spend in your algorithm should be no more than a constant power of the total length of the input, and constant power, that means that that constant should not be dependent upon the input to your algorithm, it should be the same constant for all different inputs. And the length of the input will be counted in base, so if you write down the AI and the NI and the PI and MI, then you just have to take essentially the logarithms to the base two, and if you add it up over all of these numbers, then certain power of it is the number of time, the amount of time that you are allowed to spend, and if you compute a number like this explicitly, for example, if you look at if one of these a's is equal to two and some number of these, these exponents is very large for the capital N, and just writing down this output, or maybe in binary, let's just replace it by 13, 13 to the power, and if you write it down in binary, then the number of binary digits will be approximately linear in N, so you are not able to write down that number, you are not able to compute this, so this method is certainly valid and correct, but it is not polynomial time, because the numbers that you encounter to large, it is actually possible to compute this number with a polynomial number of operations, and by quickly, you can quickly reach this exponent N by not just doing multiplications but also squareings, once in a while, but the problem is of course that all these intermediate numbers are too large, and that is actually one of the problems that we will have to battle in obtaining algorithms also when else creating number theory that you have a certain obvious idea, but the numbers that it leads to are simply out of control. There is something, for example, a question that you have to consider also where you want to compute determinants of matrices, in that case there is fortunately a good solution, but with these high powers, there is nothing that you can really be safe. This method one, method one, it is not fast but it does have another, it does have an advantage, which I do not know how to do in polynomial time, and that is if the numbers are different, the method will also tell you which of the two is large, and deciding which of the two is larger, I do not know whether that can be done in polynomial time. Here you see one of the problems that you encounter and that we will have to fight. The other problem I already mentioned, and that is method two, that is, you compute the prime factorization, because two numbers are equal, even only if the prime factorizations are equal. And there you see that we run into a complementary problem, it is not the NIs that are bothering you, because once you have the prime factorization of the basis, the A's and the B's, then you can easily compute the prime factorization of the power product. And that is, that if this AI is not like the number 13 that I just wrote down, but itself a sizable number, then nobody knows how you can find the prime factorization of the A's and the B's in polynomial time. And that is one of the other major problems that we will also encounter in our algorithms, namely prime factorization and localization techniques in general are very much exploited in the theory of algebraic numbers and the proof of the adherence, but if you want to design your algorithms simply by mimicking the proofs in algebraic numbers here, which are quite often constructive enough, then you will run into a problem, then you want to factor your algebraic numbers into prime ideas. And that is mostly due, well, maybe I would say is exclusion to the fact that you cannot do it over the integers itself, once you have a good algorithm to see, it will not be difficult to transpose it to algebraic numbers as well. So here you see two non proofs of the theorem, and the way the theorem is actually correctly proved is that you go for what you could call a partial factorization of the AI and the DI. Something that is known as the code prime base algorithm, which I want to tell you something about the code prime base algorithm. So this is an algorithm that has the following properties. It has as input. Well, let me take for convenience just positive integers. So again, it is a finite sequence of length t, and then saying that I just take a one through 18, you can make it twice as long for this application So those are positive integers. And the output. That is another number. Let's call it you also have no negative integer. The set of integers q one q you and I choose a notation q for them, which is not quite like P, because well if I had told them P, you might think that they are prime numbers, but these numbers they are in the sense, almost prime they are prime enough for our purposes. That means first of all, that they have a chance of being prime they are bigger than one. They are pair wise code prime. No good property of prime numbers. So pair wise code prime that means that if I take any two indices I and J and I is different from J, then QI and QJ have GCD equal to one. Then there is also a matrix of integers, more negative integers that is for I from one to T, and for J from one to you. And that is the third property. They are prime enough for our purposes and our purposes are to factor those AI. So in terms of our mock prime number so for each I from one to T AI is the product over J of QJ to the power and I J. So that is the code prime base algorithm. The research has concluded that it is called prime. And the claim is that such an algorithm exists, and can be designed to be for the normal time. And this is for our purposes. Quite an important algorithm. I would like to explain the basic idea of how you accomplish this. And I would like to mention that if you want to know more about this, then you should look at a paper by Dan Bernstein, which is doubtless mentions in the notes that has been composing, and that should be available to you. The notes, by the way, they are not contractual to be perfect. So if you see anything in there that can be improved be sure to let Dan or myself know that you will have some better notes for later in the week and for next year. Dan Bernstein has been doing, he is a mathematician who is mostly active in cryptography is that he came up with a version of this code prime base algorithm that is not only a polynomial time, but that is almost linear in the sense that the time spent on the algorithm on a Turing machine, but on a somewhat more advanced machine model is not much higher than linear in the length of the input. So if you add up the logarithms of the AI, and you raise it to the power one perceptional, then you get an approximation for the time that is spent on the algorithm. And there will be versions of this algorithm that I may mention later in my lecture that are of crucial importance in algebraic number theory, and in that case the AI will either be elements of the big number fields, integers, maybe algebraic integers, or even ideals, and then the Q's will also not be numbers, but ideals, so to speak, the mock prime ideas. You will see from the algorithm that it allows quite some generalization to other situations and to illustrate the algorithm, I will restrict to a special case, and that is the case T equal to. And what is interesting about the case of T equal to, just two numbers, is that nevertheless the U can be quite large. I think that there is an exercise in the notes that shows that if you have two numbers A and B, A1 and A2, that if you make them large enough then the U can also tend to infinity, and it is also a question posed among those problems to see how fast the U can tend to infinity as a function of A1 and A2. So let me just stick to T equal to, because it suffices to give the idea, and what is important about the case about this algorithm that we soon know, that is that if you have two numbers A and B, let's say, then first of all, the greatest common divisor can be computed, so that is the greatest common divisor of A and B, and of course one way of expressing the greatest common divisor is by using the prime factorization of A and B, and that one is not accessible to us, so instead you use what people call the Euclidean algorithm, which dates to about 300 BC, and it proceeds by Euclidean algorithm by some inductive procedure, replacing A by its remainder upon divisor by B, and repeating that until that remainder becomes zero, in which case the previous number that you computed is GCD, and if this GCD is equal to D, then you see that the GCD of A divided by D, and B divided by D is equal to D divided by D, which is one. co-prime numbers, that is of course what we want in this algorithm, because if the A and I are co-prime to begin with, then all you do here is, well, then QI can be taken equal to the AI, and your matrix of experiments will simply be the identity matrix. Okay, so this is the basic mathematics that goes into the algorithm, and let me illustrate the algorithm by taking the number A equal to the number 4500, and that is A and B that is 5004, and these are the A and the B, and here I write my input numbers again, and they will stay there, the rest will be subjected to the forces of my eraser, but I will write these numbers as multiplicative combinations of the numbers in the top row, and this number 4500 is the first power of this number times the zero power of the other one, there you have again the identity matrix, and then what you do is that you test whether the numbers are co-prime by the Euclidean algorithm, and because if they are co-prime you're done, but the Euclidean algorithm tells you, well if I subtract this number, from that number I find 900, which happens to divide that number, so 900, that is the GCD of 4500 and 5400, and there is one thing that I should have mentioned, namely before you include this GCD to draw a line here, and the lines in my algorithm they indicate they always connect numbers that we do not yet know to be co-prime, but once we compute this number 900, and just like here we remove it from the input numbers, so the 900, if I divide it away from the 5, from the 4500, I find the 5, and here I find 5400 divided by 900 is a 6, and then my original 4500 will be the product of 5 and 900, so I get also a column vector here, which is the sum of the vectors of the numbers that I computed the GCD, so you see 5400 is 5 to the power 0 times 900 to the power 1 times 6 to the power 1, so you see that there is no theorem in the world saying that these numbers are co-prime, so I connect that with a line, and likewise there is a line here, but the original line connecting the 5 and the 6, that has disappeared, because by this theorem 4500 divided by 900, 5 and the 6, they are co-prime, so I don't need to compute the GCD again, so that is the first stage, and now you proceed as before with each line that you see, so the GCD of 5 and 900, I can compute by heart, that is 5, and then 5, I should divide away from the input to numbers, the 5 becomes the 1, and 900 divided by 5, well I think that I don't need to dance computer for this, this is just 180, and then I add up my two vectors, 1, 0 and 1, 1, that gives me 2 and 1. Okay, so that was one step, and then I see to my pleasure that one of the numbers in the top row has become a 1, and a 1 in the top row is of no use to me, I can forget about it, and also when it is connected to one of the numbers, I simply erase the connection. So just to be sure, you can now check that 4500 is 5 square times 180 times 6 to the power zero, which it is, and likewise for the bottom row. And then, well, we have a choice, let's first do this one, 6 is also a number, divisor of 180, so I can divide it out, there is a 30, that is, there is a 6, that is the GCD, and I divide it away from these numbers, a 30 and a 1. And then I add the two vectors that are the neighbors, that is a 1 and a 2, and also here do we have a 1 and a 0 that I can erase, and now you again do the same thing, you put a 5 here, you divide it away from the 5 and a 30, you add up the neighbors, and you erase the 1, and the same thing happens over here, it is a pretty symmetric situation actually, so this GCD is a 6, it gives you a 1, and it gives you a 1 here, a 2 and a 3. And if I did not make any errors, you see that if I erase the ones, also all the connecting lines are gone, and we find that the output is Q1 is 5 and Q2 is 6, and the matrix of exponents is the matrix that is still on the blackboard. Okay, so this is just an indication, in this case you get only two numbers out of it, you will see in the notes that all this can be generalized to more numbers, so that means that you have a whole graph, and you have, the vertices of the graph, there are two of them, they are labeled with A's, and you connect two vertices, any two of them, so we have a complete graph because you don't know any of those numbers to be called prime, and then, you have an edge in the graph, you compute the corresponding GCD, and then you have certain rules for which you can erase parts of the graph, and at the end you find the output, and I don't like to do this graph theoretic exercise on the blackboard, so I would like to keep that as something that you can figure out with your own, of course that will also be of interest in the sense that you have to provide this algorithm with a complexity analysis, you have to give a upper bound for the runtime, and I gave here a simplified version of the algorithm, I mentioned that Dan Woodstein has been giving an almost linear algorithm, the version that I gave here is not almost linear, but you will see for example, if your input is the number two, and a very high power of two, then you will see that you lose only one two at a time, and that takes forever so Dan Woodstein has some additional moves that you can do in the game, and you can figure it out in case you would otherwise encounter high powers. Okay, well, if you have this algorithm, then it is sort of clear that if you go back to our original question of recognizing better to power products are the same, and you can provide it with a polynomial time algorithm. Okay, as your input, well you will remove the A's and the B's that are equal to one, and then you will look at the A's and the B's together, you compute the Q's that factor all the A's and the B's, and then you have to use the fact that if you have these pairwise co-prime integers greater than one, then they are multiplicatively speaking independent, such a power product can only be one if all the exponents are zero, so in other words, if you look at the factorization of this product that you have the same and the one that you get out of this product, so that is something that you get by essentially multiplying some of these matrices with these column vectors of exponents, then the, if the outcome gives you the same column then your numbers are equal, and otherwise they are different, and in the latter case, it may be very difficult and time consuming to decide whether which of the two is actually larger. Now this largeness is not so much a concern of us, since we are in our algebraic number theory question, these numbers fields have typically no canonical ordering, and even if they have, they do not be coming up in our algorithms. For example, this is a solution to a basic problem in multiplicative number theory, for which you have an efficient algorithm available, and let me formulate a theorem that I expect to be able to present, or at least outline next year, and that is the following theorem, and that is a little more advanced than the previous one, so there is, and if I say that there is an algorithm, then in practice this always means, not just that I have shown that some abstract algorithm space is not empty, but I actually know the algorithm, and the proof that I give of the existence is perfectly constructive, so there is a polynomial time. And the input is an L-brain number field, which I will call capital K, and that already suggests the question, how you represent a number field with a finite number of bits in such a manner that you can present it to an algorithm. And certainly one of the issues that we will have to deal with, and in the case of algebraic number fields, the answer is pretty straightforward, what you may think of is that you just write down a defining polynomial for an element that generates K. And that is the most elegant way of doing it, but it is certainly good enough, and basically equivalent to other more or less obvious way, ways of specifying an algebraic number field. You just have to, essentially, if you have a basis for K as vector space over the rationales, you want to write down the product of any two basic elements expressed on that same basis. And that is only the first part of the input. And the field should be presented to you in such a manner that you also have a presentation for the elements of K in the example that I mentioned it will simply be vectors over the rationales. And I have, as before, a more negative integer, T, and I input also some elements of K to celebrate the fact that they are not just rationales but else great numbers I use Greek letters for them alpha one through alpha T, and they are sitting in K star. This is like what I did for the rationales except but then for the rationales, I also had exponents and I am now looking at some more advanced theorem in which those exponents are eliminated. And then I follow so. So what is it, this is the input and it computes the kernel of certain group homomorphism. And what is that, well, you take the three group, the three million group on T generators about generator for each of my alphas. And I met this additive group to the most effective group of K by sending the ice basis vector to the ice elements in my seat. So this goes, this is defined by sending a vector of integers to the corresponding power product of the elf. And that is clearly a group homomorphism a group homomorphism from an additive group to a group that is written in a multiplicative manner. And in interesting cases, this will be infinite. So then the question is, as before with my K, the question is, how do you actually compute kernels, and that is something that I will need to address later this week, how do you in general, specify and do with, finally generated a billion groups, and these specifications the eternal theorem so in this case, there is a theorem that if you have a subgroup of C to the T like this color. Then it will itself be C to the power something so it will be freely generated by a finite number of vectors no more than team actually. If I say compute the colonel, then what I mean is that you first of all compute the right of the colonel what it is more to see to the you first on you. And then you also need you vectors that form a basis for the current. And this is what the theorem does for. So, such a, such a vector and I, that is in the colonel, you can think of as a relation between the alpha I will pick it up. The element in the colonel, an element will be in the colonel factor, even only if this power product is equal to one. Here we are deciding whether a given factor is a relation, but we are deciding upon all of them at the same time. So, if you want to know whether a particular element of C to the team is a relation, then that comes down to deciding whether that element can be expressed on the basis for the colonel that comes out of this element. So you can see the way in which computations with fun regenerate meeting groups will be needed. So this is a theorem that is quite a bit stronger than the previous one that I formulated first of all, of course, because I allow arbitrary fields, and secondly, because I compute all released between them, rather than wondering about one particular will be released. So let me spend the last two minutes with writing down another theorem. So, this is a theorem that can be thought of as one of the analogues of the core prime base algorithm, there is a polynomial time algorithm with the same input and output. So what is the output. Well, first of all, an order in the number field are in K order and an order in the number field is by definition, suffering of the ring of interest of K that's a finite index. The ring of interest of K, that is a very difficult object to compute another rules of the game that I mentioned in polynomial class. So all of us, you can also work with, and then we have our more prime ideals, a sequence. Q one through Q with you, at least zero of ideals. The proper ideas of our previous huge bigger than one, these are not equal to our, and they are pairwise core prime so for all. Q i plus Q j is equal to the whole ring. And then you have also integers. j is one to T and j is one to you, such that for all I, if you look at the principle ideal generated by my alpha I, it is a product of, oh I forgot the word here, these ideals, basically invertible. That is because I want to be able to allow arbitrary exponents from the images in this power for in particular also negative because I want to be able to work with invertible ideas. And this is a lot of work. It can be done in polynomial time, and it is actually quite lovely algorithm and I hope to be able to say much more about it probably not this week, but next year. Okay, thank you for your attention. Okay, let's all thank Henry for that very nice lecture. Okay. Thank you. And do we have, we've had, I know we've had some discussion in the chat, do we have any questions for Hendrik now. Yeah, so I don't know. So if you have questions, please just unmute yourself now and ask. If you're free if questions come up with you later to build them to us and we can always answer them maybe even on some public chat room. I don't know how it works. Hello. Yeah. Yeah, I have a question. So in the last year and that you can you hear me. Yeah, I can hear you. Yes, so in the last year and why do you need orders. I didn't, I didn't see that. Well, I want to talk about ideals and ideals in fields are not so interesting and feel there's only two ideals. So, before I can talk about ideals, I need to ring. So it doesn't answer your question. You could have taken the ring of integers also right. No, no, no, I cannot take the ring of integer just because that is not part of the input and there's no known algorithm to compute it in terms of the input. Okay, okay. That is the problem. That is a very good question. That is an essential point. Thank you. Maybe there's one thing that I should mention. Now that you ask about this, if I take any suffering of K, then this ideal generated by alpha I, that will be principal ideal and therefore it will also be in virtual. And if you have these co-private ideals with this property, then something much stronger is true. If I take any subset whatsoever of these alphas, let's say a non-empty subset, then the ideal they generate together, so the sum of the R alpha I, the I ranges over that subset will also be invertible. And that is a property that is not true. The sum of two invertible ideals need does not need to be in world, and that is a good reason to wish that you could take for are the ring of integers because for the ring of integers, every non-zero ideal is So, what you are saying is actually about the difficulties of this algorithm. If you discover in the process of this algorithm, the non-invertible ideal, then you are forced to change your ring. Great stuff. Thank you. Okay, if there are no other questions, let's thank Hendrik one more time. Okay, thank you. Thank you.