Ted? Is this working? I don't know. It's crazy. Well, that's my pleasure to introduce the next speaker, Ted Chinburg. Well, I've always wanted to start a math talk by saying good morning, Vietnam. So my talk is about some work with Brett Hemenway, Nadia Heninger, and Zach Scherr. And it's about a tool that we hope will be useful in cryptography: capacity theory. So the use of capacity theory came up when I heard a talk by Nadia. What it enables you to do is determine whether there's some auxiliary polynomials that you might like to use for a cryptographic application. So I'm going to give one illustration of this technique, but we're hoping that other people may have some auxiliary polynomials they're looking for, and that capacity theory will help determine whether they're there or show they're not there. So now, I hope this will work. Which do I click? Before I click at random, I wanted to know something about what I do. Great. So the example I want to use to illustrate how capacity theory is relevant is a theorem of Coppersmith that's about 20 years old. Coppersmith proved this very nice theorem. Suppose you take a monic polynomial of some degree d and some large positive integer N. And what he looked for were solutions, small integers, that are solutions of the congruence f of m congruent to zero mod capital N. So what Coppersmith proved was that there was a polynomial time algorithm in log N and d for finding all the integers that do two things. They have to solve the polynomial congruence f of m congruent to zero mod N, and further, they're small in the sense that their absolute value is less than N to the 1 over d. So by now, this is a fairly famous theorem. There's many, many papers about it in the literature, improving methods of showing it. And since Coppersmith first proved it, there's been a question about whether you can improve the upper bound on the size of n. 
So the main question was whether you can increase N to the 1 over d to something like N to the 1 over d plus epsilon for some positive epsilon. Now, it's not hard to prove that if N is a big power of a single prime, there's no way to do this improvement because there's just too many solutions, exponentially many solutions in some cases. But it was an open question of what if you have an RSA modulus? If N is a product of two distinct primes that are large, can you improve this? And Coppersmith made some speculations in his first paper about some possible methods, but it's been kind of open, I think, for 20 years, whether his method could be souped up. And the main thing we found was that actually there's no hope. So the reason that you can't improve it is the auxiliary polynomials of the shape he looks for simply don't exist. We can prove they don't exist. So one can think of this as a negative result, but I want to emphasize also that the technique I'm going to describe gives positive results. It also tells you, if I'm looking for auxiliary polynomials of a certain shape, it'll tell you if they're there or not. And then it's up to you to go find them. So let me talk about the auxiliary polynomials that Coppersmith used. So what he did was to use the LLL algorithm to find a polynomial with rational coefficients that has this shape. It's an integral combination of products of X to the i with f of X over N to the j. Now it's important to realize here that the Aij's are integers, but this polynomial will have denominators in its coefficients because you're dividing by N. You take f of X over N. Well, he found a polynomial of that shape that's not zero, but which was bounded in absolute value in a big disk. Bounded in absolute value less than one in the disk of radius N to the 1 over d. And the question is, why is this useful? How do you prove his theorem using this? 
If you can find that H of X quickly, well, remember what he was looking for were all of the integers m that solved the polynomial congruence that had absolute value less than N to the 1 over d. So first of all, let's look at the consequence of having f of m congruent to zero mod N. If I plug in X equals m into the formula for H of X in equation one, well, f of m over N, that's an integer. And certainly m is an integer. And so since all of the Aij's are integers, you get that the value of this polynomial at little m is an integer. Even though there are the denominators in the coefficients. On the other hand, you're looking for an integer m that's of absolute value less than 1 over d. And we know the value of this polynomial H of z at any z in that big disk is less than 1. So the value of H on m is an integer of absolute value less than 1. And there's not very many of those. So now you've got an auxiliary polynomial where you know all the integers are zeroes of that. And there's a quick method for finding zeroes, actual zeroes of polynomials with actual coefficients. So this was Coppersmith's brilliant idea that you could convert the problem of finding such a polynomial into a problem of finding a small nonzero vector in a lattice. And I'm not going to review that translation, but you can imagine it's somehow not implausible you could do it. So the question for us was, are there polynomials that look like this but for which equation 2 can be improved? You can get them absolute value less than 1 for all z in a slightly bigger disk, N to the 1 over d plus epsilon. That's the issue. And this is what we prove. We prove that they're not there. There's no way to do it. So if you take your monic polynomial and you look for an auxiliary polynomial of the shape that Coppersmith was searching for, and you want it to have absolute value less than 1 for all z in a slightly bigger disk for an epsilon bigger than 0, it does not exist. 
And capacity theory is a really powerful tool in the sense that it can prove that things don't exist. It can also tell you when they're there. And I find the interesting thing is that the arithmetic geometers were working hard in this direction but they never thought of using LLL. So the cryptographers are simply clever. They were realizing there's another problem. Not only do these polynomials exist, how do you find them? They realized that LLL was the way to do it. So eventually I think the two directions of research are going to combine. I mean, there are going to be some new books written there. Okay, so let me talk about how capacity theory is useful. And I hope other people will think of uses. Okay. So here was the classical problem that goes back to the 19th century. If you look at a compact subset of the complex plane that's closed under complex conjugation, we're interested in finding polynomials with integer coefficients that are not 0 that have sup norm less than 1 on this set. Now, capacity theory gives you a numerical criterion for finding them. And it's a very natural construction. Look at the polynomials of degree up to n. That's a real vector space of dimension n plus 1. And inside there, we've got a certain subset, namely the polynomials with real coefficients of that bounded degree whose sup norm on your compact set is less than 1. Now, that will be a convex symmetric set. Symmetric in the sense that if you multiply a polynomial by minus 1, it stays in there. And it's convex in the sense that the line segment between two polynomials, that you get by averaging between the two polynomials, will be entirely contained in the set if you started with 2 in the set. So we're in a classical situation from the geometry of numbers. We have a convex symmetric subset of a big Euclidean vector space. And in the geometry of numbers, you're very interested in the volume of that. And we want to know how the volume grows as n goes off to infinity. 
That's what capacity theory measures. So the definition of the sectional capacity, which is gamma of E, you define it via its logarithm. And it's this limit of minus 2 times the log of the Euclidean volume of that set over n squared. So the point is here... Okay, let's go on here. I'll talk about what the main theorem is. Fekete and Szegő in the 20s and 50s proved the following theorem, that if you have this compact subset of the complex plane and you're looking for non-zero polynomials with integer coefficients that have sup norm less than 1 on it, the capacity determines whether those exist. At least if the capacity is less than 1 or greater than 1. If it's a capacity exactly equal to 1, that's a very interesting problem. You don't have an answer. But if the capacity is less than 1, then in some sense this volume of polynomials with sup norm 1 is large and you can find an integer lattice point. And that's, in some sense, why you get this polynomial. Now, if the capacity, on the other hand, is big, a much deeper theorem is that there is no such polynomial. That's actually harder, and that was due to Szegő, actually. The reason that people worked on this was that they were very interested in whether, given this compact set, can you find infinitely many algebraic integers that have all their conjugates in the set? If the capacity is less than 1, it means the set's small and it's hard to find algebraic integers that have all their conjugates in the set. And if its capacity is large, you can at least say every time you take an open subset of the plane that contains your set, it contains infinitely many complete sets of conjugates of algebraic integers. But what we're really after is this statement about auxiliary polynomials because that's the kind of thing that Coppersmith needed. Let's just make one little comment about the first part of the theorem. Why is this natural? That if the capacity is less than 1, there should be a nonzero polynomial with sup norm less than 1. 
And this is just a very nice example of Minkowski's theorem, as I mentioned. Suppose we have the capacity less than 1. Inside R to the n plus 1, I have this integer lattice of polynomials with integer coefficients. And Minkowski says that I'm going to find an element of this lattice that is in my convex symmetric set of things that have sup norm less than 1, provided the volume of that is big enough. And the volume growth now is measured by capacity. The log of the volume is approximately minus n squared over the log of the capacity. So if the capacity is less than 1, the negative of this log is positive. And so the log of the volume is growing like n squared times a positive number. And n squared times something positive is eventually going to beat a linear function of it. And so eventually Minkowski's theorem applies. So the first part of the theorem, I'll say, is quite naive. It just is an easy Minkowski argument. The other part is deeper, much deeper actually. But I'm not going to be able to talk about those techniques. That uses a lot of real analysis in fact. Okay, so let's see what happens when we try to take this idea and apply it to Coppersmith's theorem. Okay, so in the Fekete-Szegő theorem we started with, we were looking for a polynomial that was not zero that had sup norm less than one on a compact set. Now Coppersmith is looking for something different. He's looking for a polynomial with rational coefficients. We want it to have absolute value less than one on a big disk. But it definitely doesn't have integer coefficients. So we can't apply capacity theory directly. But there is a fact that any such polynomial has. Namely, if you look at that form in equation three, if I take a z such that z is an algebraic integer and f of z over N is also an algebraic integer, when you look at the right-hand side of equation three and you plug z in for x, the right-hand side will all be algebraic integers. 
So the value of h of z is an algebraic integer whenever both z and f of z over N are algebraic integers. And this is something now that we can generalize capacity theory to deal with, to ask whether there are polynomials of the shape we want. And so here's our problem. When is there a non-zero polynomial with rational coefficients? It's got to have sup norm less than one on some compact set, like a gigantic disk. But we want it to have the property that it's an algebraic integer whenever I substitute in a z that's an algebraic integer so that f of z is congruent to zero mod N in the ring of all algebraic integers, meaning that f of z over N is also an algebraic integer. And it turned out that Cantor, David Cantor, and Bob Rumely developed a capacity theory that exactly answers that kind of question. So let me just, it's going to be, I don't want to spend too much time on the technical part, but just let me say one thing for an arithmetic geometer to say this, that if you have constraints that involve subsets of the complex plane, that's fine, but for arithmetic you think the complex numbers are just the algebraic closure of one completion of the rationals. We've got the p-adic numbers and their algebraic closure. So we might as well consider p-adic conditions as well as Archimedean conditions on a polynomial. So what Cantor and Rumely did was treat them equally, and they developed a capacity theory that enables you to decide when there's a polynomial with rational coefficients that's got p-adic absolute value that's small on some p-adic set, and which has complex absolute values small on some subset of complex numbers. It's a natural thing to do, just treat all the places equally. And if their capacity is bigger than one, there is no such rational function, and there is no such polynomial. This was a very nice development that people were just pursuing theoretically, but it turns out to be exactly what one needs. 
This is a little more technical, but what you need to do in the Coppersmith application is you need to pick these subsets of the algebraic closure of the p-adic numbers and of the complex plane in a sensible way. In the complex plane the E sub infinity is just your big disk of some radius t, where t is a varying parameter. And for all the primes you simply take the inverse image under your monic polynomial of degree d of a certain p-adic disk. The p-adic disk of radius the absolute value of N with respect to the p-adic absolute value. And when you look for a polynomial that's p-adically bounded on all those E sub p's and has absolute value less than one on E infinity, it's exactly the same as looking for the kind of polynomial we wanted. One that has an algebraic integer at every algebraic integer z such that f of z over N is an algebraic integer, and which has absolute value less than one on the disk of radius t. So now you use Cantor and Rumely's book and you calculate the capacity of the adelic set that has those components and you find out miraculously it's t times N to the one over d. So saying that it's less than one is exactly the same as saying that the disk that you're dealing with has radius less than N to the one over d. If the disk is bigger their theorem says there is no such polynomial. So that's why you can't improve on Coppersmith's theorem. At least not by the same auxiliary polynomial technique. Now Coppersmith made a number of suggestions about how you might improve his N to the one over d bound, and one of his observations was very clever as usual. He said look, we're looking for rational integers. Not algebraic integers. We're looking for rational integers that satisfy this congruence and are small. And so he looked at binomial polynomials. Now if you take a binomial polynomial it has honest denominators, but every time you evaluate it at an integer you get an integer because binomial coefficients are integers. 
And so there's a famous theorem actually of Pólya that says if you take a polynomial with rational coefficients and it takes integer values at every integer, it's an integer combination of binomial polynomials. That's a useful thing to know. And so Coppersmith said well look, maybe we can look for more auxiliary functions. We look for auxiliary functions that are integer combinations of a binomial polynomial b sub i of x times the value of a binomial polynomial b sub j on f of x over N. So that's a much bigger class of polynomials. And the natural question is, can you find that type of function that's bounded by one in a large disk? And when we first thought about this we thought oh well, okay, we're probably going to prove they're not there. In fact they're there. You can find a polynomial that looks just like that with integer coefficients, non-zero, that's got sup norm less than one on a disk of arbitrary size. But they're not useful because their degrees are too big. When we first saw this it was kind of a shock. You can actually write them down. But their degrees are too big to be useful. Let me try to explain that. This is the last theorem I'll talk about. So we're trying to find a polynomial that looks like the one Coppersmith was after which has sup norm less than one on some disk of radius N to the one over d plus epsilon. But the bottom line in this theorem is saying that if you have any polynomial that looks like that where the total degree is bounded by N to the epsilon times a factor, in a sense a small degree polynomial, if that polynomial were to exist, the integer N already has to have a small prime factor. So it's kind of like someone is tempting you saying there is this thing, but if you try to reach for it, because it's too big. If you could find such a thing that was useful you could have already looked for a small prime factor of N. This is a much more interesting computation in capacity theory and it used some results about the distribution of primes. 
So I don't want to be too negative. Let me finish with a few other comments about what one can do with this kind of technique. arXiv paper. This is the summary of what I've been talking about. You can't use the same method as Coppersmith to improve this. But let me say a few things that we're working on now. There's a famous theorem again of Coppersmith that says that if you have an integer N that's a product of two big primes that are distinct and you know one of the, say the larger of the primes, to within N to the quarter, then there's a quick algorithm, and we can prove now that the N to the one quarter is actually best possible. By the same method you can improve one quarter. But just the last few days we've been working on another problem. Namely suppose you know N, that it's a product of p and q, and somebody tells you some of the digits of p, maybe not the leading digits but some clumps of digits. Capacity theory will tell you exactly when you can find an auxiliary polynomial that will spot those p's depending on where the clumps are. It's a very interesting calculation. A miracle was happening in the last two days. We have to see if the miracle was stable. The other thing we're talking about here is this technique has to do with single variable polynomials. But it also applies to bivariate polynomials, and people who have looked at Coppersmith's paper, he has very nice results about algorithms for finding exact solutions of a polynomial in two variables equal to zero at two integers that are bounded. And capacity theory is ideally suited for that problem as well. But then when you get into more variables, or solving polynomial equations in many variables in modular divisors where the solutions are not zero, then you get into a new territory which is current research and capacity theory is very much involved in. Higher dimensional capacity theory is in the process of being developed and I think cryptography gives a fantastic motivation for developing it. 
And so I think that's all I have to say. Thank you very much. Other questions for Ted? I had to get in quick to be dirty. I was interested in where the shape of N comes into this. I couldn't really see in what you presented why you could get arguments to customize on when the N was p times q or... Well, in fact in the proofs it doesn't matter at all. But in the end it did, because in this theorem here about binomial polynomials it came up. And the reason that it comes up is the method in capacity theory says I'm going to define these subsets of the algebraic closure of Q_p for every prime p and at infinity. And you want to have, you want to show that, you want to determine this capacity. Now when you write down that auxiliary collection of sets, if you want to try to prove this kind of result that there does not exist a polynomial of small degree that does the job, in this particular case the prime factorization of N matters, because if N is divisible by, is not divisible by small primes, you can take a bigger set for those, for all the small primes. As soon as you take a bigger set at all the small Q_p bars, then the capacity will go up and you have more constraints on when the polynomial exists. So in other words, to prove this theorem we had to take into account something about the factorization of N, if there were small primes; if there were no small primes then we could get a better capacity theory application. That's the bottom line. Are there any more questions? There's more questions here. It's a very naive question. I have a nice compact set that's stable under conjugation. How do I go about computing its capacity? Is there a nice formula for this? Oh yes, there's lots of formulas. In fact if you look at Rumely's book, Springer Lecture Notes in Math, 1989, he's got chapters on how to do this. I mean it's a nice topic. The other thing I should say is that a non-trivial capacity is a volume calculation. 
What Coppersmith did was to change the volume Minkowski argument into finding a small non-zero lattice point in a compact set. And that's a non-trivial step. So there's more to be done. Okay, I just have a question. So in your results do you use the fact that N is a product of two primes? Not at all. So it could be conceivable that indeed, as you were mentioning, that Coppersmith's results could be improved but without using this auxiliary polynomial. Because if N is just prime then it is possible. And he didn't talk about that. But for special N's like N equals primes there's quick ways to find zeroes. But all we prove is that there are not the auxiliary polynomials of the shape he used. There could be a very different method of solving this problem. But could capacity theory somehow be able to apply to... I don't know, have you found that you can maybe use some other kind of auxiliary polynomials not of the shape of... Yeah, you can start doing that. I mean that's a very natural question. And I think that's one of the reasons I like talking to cryptographers, to give a great impetus to try to develop different techniques for finding auxiliary polynomials of different shapes. What Rumely and Cantor did was they looked at arbitrary rational functions on curves. This theory only has to do with the projective line in one variable. But if you want to do bivariate polynomials you're probably going to be working on curves. So in other words, there certainly could be other types of auxiliary functions, possibly in many variables, that could be useful. And we need to develop the capacity theory to determine whether they're there. I don't see any further questions so please join me in thanking Ted again.
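As an added example, not part of the talk or of the speakers' work, the following Python reproduces the auxiliary-polynomial construction the talk describes, in the Howgrave-Graham form of Coppersmith's lattice: the rows are coefficient vectors of x^i f(x)^j N^(m-j) evaluated at xX, LLL finds a short integer combination, and the resulting polynomial h has rational coefficients (the denominators from dividing by powers of N) yet is divisible by N^m at every root of f mod N and smaller than N^m on the disk of radius X, so it vanishes there over the integers. The modulus, polynomial, root and bound are constructed toy values; the textbook LLL with exact rationals is only meant for lattices this small.

```python
from fractions import Fraction

def poly_mul(a, b):
    """Multiply polynomials given as coefficient lists, lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def poly_eval(a, x):
    return sum(c * x ** k for k, c in enumerate(a))

def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals; plenty for a 6-dimensional lattice."""
    n = len(basis)
    dot = lambda u, v: sum(Fraction(x) * y for x, y in zip(u, v))
    def gram_schmidt():
        gs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v, mu[i][i] = [Fraction(x) for x in basis[i]], Fraction(1)
            for j in range(i):
                mu[i][j] = dot(basis[i], gs[j]) / dot(gs[j], gs[j])
                v = [a - mu[i][j] * b for a, b in zip(v, gs[j])]
            gs.append(v)
        return gs, mu
    gs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                basis[k] = [a - q * b for a, b in zip(basis[k], basis[j])]
                for t in range(j + 1):          # Gram-Schmidt vectors unchanged, only mu[k] moves
                    mu[k][t] -= q * mu[j][t]
        if dot(gs[k], gs[k]) >= (delta - mu[k][k - 1] ** 2) * dot(gs[k - 1], gs[k - 1]):
            k += 1                              # Lovasz condition holds
        else:
            basis[k], basis[k - 1] = basis[k - 1], basis[k]
            gs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return basis

def coppersmith_small_roots(f, N, X, m):
    """All integers r with |r| <= X and f(r) = 0 mod N, for monic f (coefficients low degree first).
    Rows are the coefficient vectors of x^i f(x)^j N^(m-j) at xX; each vanishes mod N^m at r.
    With this basic lattice the guaranteed bound on X is roughly N^((m-1)/(dm-1)), which only
    approaches the N^(1/d) limit of the talk as m grows."""
    d = len(f) - 1
    assert f[-1] == 1 and X ** d < N, "need monic f and X below the N^(1/d) bound"
    w, rows, fj = d * m, [], [1]
    for j in range(m):
        for i in range(d):
            g = poly_mul([0] * i + [1], fj)                      # x^i * f(x)^j
            g = [c * N ** (m - j) for c in g] + [0] * (w - len(g))
            rows.append([c * X ** k for k, c in enumerate(g)])   # coefficients of g(xX)
        fj = poly_mul(fj, f)
    v = lll(rows)[0]
    # h(x) = sum v_k x^k / X^k has rational coefficients, but h(r) = 0 mod N^m for every root r
    # of f mod N, and LLL makes ||v|| small enough that |h(r)| < N^m whenever |r| <= X,
    # forcing h(r) = 0 over the integers: the same integrality-plus-smallness argument as the talk.
    h = [Fraction(c, X ** k) for k, c in enumerate(v)]
    return [r for r in range(-X, X + 1)
            if poly_eval(h, r) == 0 and poly_eval(f, r) % N == 0]

def demo():
    N = 10007 * 10009                       # constructed toy modulus, product of two distinct primes
    r0, big = 437, 78901234                 # f(x) = (x - r0)(x - big) mod N; r0 is the small root
    f = [c % N for c in poly_mul([-r0, 1], [-big, 1])]
    return coppersmith_small_roots(f, N, X=500, m=3)

if __name__ == "__main__":
    print(demo())                           # expected to contain 437
```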