 Okay, yeah, thank you. So this is my last lecture in this series and I think the last lecture of the entire subject this year, and I'm going to talk about the computation. And this really should be understood to apply to algebraic number fields because that is where the real interest lies, but to begin with, let me remind you of the situation that you may be familiar with over the rational numbers. So suppose I take p an odd prime and a an integer that is not divisible by p. Then we have the Legendre symbol, the Legendre symbol a on p, and that is defined by two properties. The first is that its value is either one or minus one. And secondly, modulo p, it is congruent to a to the power p minus one over two. If you square this right hand side, then by Fermat's little theorem you get one modulo p. So this is a square root of one, and in the field modulo p you have two square roots of one, and that is what the Legendre symbol is. And this is also called a quadratic symbol, because if a is congruent to a square modulo p, then the value is one. And if a is not congruent to a square modulo p, then the value is minus one. So from its very definition, it is perfectly straightforward to see that there is a polynomial time algorithm that on input a and p computes the symbol by repeated squarings and multiplications modulo p. The intermediate results should also be computed modulo p to avoid getting numbers that are too large. And in fact, there is a faster algorithm, of course, still polynomial time, to do this. And that relies on a generalization that is the Jacobi symbol, and the Jacobi symbol is defined for a and b, where b is positive and odd, it is composed of such primes p, and a and b are required to be coprime. And then the Jacobi symbol is the same as the Legendre symbol if b is a prime number, and in general, you extend the definition of the symbol by multiplicativity in the lower argument.
So this is a product that ranges over all odd primes, and then you take a on p, the Legendre symbol, and you raise it to the power the number of factors p that occur in b, which of course, for most primes will be zero. And it is good to know, and clear from the definition, that this depends only on the residue class of a modulo b, because this one only depends on the value of a modulo p. If you fix b, then you can reduce a modulo b without changing the value of the symbol; you can replace a by its remainder upon division by b. Then, once your a is less than b, you can often make use of a remarkable theorem that is due to Gauss, which is the reciprocity law, which initially was stated for two prime numbers, but it is very easy to extend it to the Jacobi symbol. And that is as follows: if a and b are both positive and odd, and they are still coprime, then there is a relation between the two symbols, a on b and b on a, and that relation is that they are equal, except if both a and b are three modulo four, in which case they are actually different. And this is something that you can apply by first reducing a modulo b, then a is the smaller one; if a is also odd, you can turn the symbol around, and in case you are trying to compute it, you have to keep track of this sign. If a is even then there are a few special laws: the first is that two on b is equal to one if b is plus or minus one mod eight, and it is minus one in the other case, when b is plus or minus three modulo eight, and I did allow a to be negative here, so you also want to know what minus one on b is, and that just depends on b modulo four. So here you see that you have enough material for computing the symbol, essentially by means of the Euclidean algorithm; you do have to pay a little special attention to parity issues, as I pointed out.
If you look in the notes, the lecture notes written by Daan van Gent, you will see that those can be taken care of without very much effort, so that the computation of the symbol, even when the denominator is a prime number, can be done as fast as the Euclidean algorithm, which is a bit faster than an entire exponentiation. And of course, it should be pointed out that there is one way not to compute it, which is from its definition, because that would require the factorization of b into prime numbers, which is typically inaccessible at the current state of mathematics. What I'm going to do in this lecture is that I will tell you how this Jacobi symbol can be extended to algebraic number fields; that turns out to be pretty straightforward, except that there will be a difference. There is already this a modulo b; in the case of algebraic number fields, this b, so to speak the denominator, this b will not be an element, it will be an ideal of the number field. Of course it may be a principal ideal, but that is certainly not the only interesting case, so there's already a certain asymmetry, and really, before you have a reciprocity law like this, you have to restrict to the principal ideals of the number field, so that there is already something of a problem when you try to compute that generalized symbol in a similar manner. And of course there's also the problem that the Euclidean algorithm that we have been using here for integers will in general be inapplicable to rings of algebraic integers. So that is the challenge of the lecture, how to compute the Jacobi symbol in polynomial time. Let me first give you the definitions. I will start with replacing Z by a ring that I call R, which is an order in a number field. That means a subring of the ring of integers.
The ring of integers itself, as I pointed out earlier this week, that is really an object that in the context of algorithms better be avoided, because it is very hard to compute without something like factoring. It is not only difficult to compute, it is also difficult to recognize: it is hard to say whether a given order is actually equal to the ring of integers of its field of fractions. If this is surprising, then I should suggest to you just to think a little bit about the case that your number field is just a quadratic field, of degree two over Q; already in that case, maximal orders are hard to compute. Okay, so not necessarily maximal. We have in here an ideal, and I call it b. This plays the role of the b a moment ago, and in the case of integers I had a requirement that b was positive; well, b is an ideal, so the sign makes no difference. But there was also the oddness. So what I want is that this ideal has the property that if I look at R modulo b, that that is odd. It will be a finite number, as long as I avoid the zero ideal. So in this ring R modulo b the number two is invertible. And then I also take an element a in R, and just as for the integers, I like a to be coprime to b. And that is to say that Ra, the ideal generated by a, is coprime to b in the sense that together they generate the unit ideal, and that is equivalent to saying that this Ra plus b contains the unit element. And that this element a, when I view it as the element in the residue class ring, the coset of a modulo b, actually belongs to the unit group; so this last condition is equivalent to saying that a modulo b belongs to the unit group of this finite ring. It has an inverse modulo b. And then this a on b is defined in a perfectly similar way, but you do have to be a little careful. It is, again, either one or minus one. If b is a prime number,
I say prime number, but I mean, if it is a prime ideal, so that R mod b is a finite field, then it should be congruent to a to the power half the number of units of the residue class field. So that is modulo b, and that will be modulo b plus one or minus one for the same reason as before. So this is if b is prime. And then, in general, for general b, this a on b is a product over the prime ideals, and these are the prime ideals p with R mod p odd. So those are the prime ideals of which the residue characteristic is greater than two. This symbol is a w; it stands for "with". And then I have here a on p. And then I have to face a slight problem, because if I want to imitate the situation over the integers I have to write here the number of factors p in b, and if R is a maximal order, then you have unique factorization into prime ideals, and that makes perfect sense. But in general, I have to define what I mean by this exponent l_p(b); it is the p-length of b. And let me tell you how this p-length can be defined so as to generalize the situation of the full ring of integers. And that is done by writing down a sequence of ideals b_0, b_1, until let's say b_t, which is b, and these ideals, it should be a chain, pairwise different, so strictly descending. But it should not be possible to refine it, so that means that there is never any ideal in between two successive b_i's. So what I am effectively doing here is that I write down a composition series for the R-module R modulo b. And then if you look at one of these successive quotients b_{i-1} modulo b_i, then that will be a simple module over R. It has exactly two submodules, the zero module and the whole thing, because otherwise there would be something intermediate in my chain.
So that means that for each i, there will be a prime ideal p, a maximal ideal, such that as R-modules b_{i-1} modulo b_i is isomorphic to R mod p; I should have said there is a p, the unique p, which is the annihilator of the module, such that this module is isomorphic to R mod p, and then l_p(b) is the number of i for which this, let's call this p p_i, for which p is p_i. So that is the number of times that p occurs in this chain. And that clearly generalizes the multiplicity of p in b, in case my R is indeed a Dedekind domain. So you see that if b is prime, then the p-length of b, if p is equal to b, is equal to one, and for all other p that p-length will be zero. So this clearly generalizes the Jacobi symbol that I defined for Z. And now the question is, can we determine this symbol in polynomial time? The answer is yes. So let me write down the theorem here: there is a polynomial time algorithm, PTA, that means polynomial time algorithm, that with input... The input is just all you need for making the symbol meaningful. So first you input R, and inputting R, that means that you input R as an abelian group, as I explained yesterday. And it is just a free abelian group, so you just have to specify the rank. And secondly, you have to specify the multiplication, which is a map from R tensor R to R, which you can specify in the way I explained yesterday that you specify in general morphisms between finitely generated abelian groups. And with b it is the same, b is an ideal, and you simply specify it as an additive subgroup of R, and you are doing that only for the case that b is actually an ideal. So it is just going to satisfy my conditions, nonzero and of odd index, and also a, all of these as before, computes the symbol a on b. We have to do this while avoiding the problems that I pointed out: the fact that the reciprocity law is less than ideal, and the fact that there is no Euclidean algorithm.
And that is one of the things that you encounter more often in algorithmic algebraic number theory, that you run into a perfectly natural question, in this case computing a symbol, a symbol that plays a role, for example, in class field theory, but all of the theorems of class field theory are not enough to provide a polynomial time algorithm. And what you have to do here is to develop your own theorems in order to make this possible. And those theorems I will next proceed to formulate, and those theorems, they are about another symbol, and that is a symbol that is defined in the following situation. Notice that B is a finite abelian group, as a G means finite abelian group. And in the application to this algorithm that is going to be the additive group of R modulo b, a different type of b. And my beta, that is the second thing that you need to know, that is an automorphism of B. And the automorphism, well, if I have this abelian group R mod b, then it is actually a ring, and a is a unit in there, and multiplication by that unit gives you an additive automorphism of R mod b. And that is the way you have to think of beta. And then we have (beta, B), that is a symbol that surprisingly generalizes the Jacobi symbol; it takes values in one and in minus one, and it is defined to be the sign of beta viewed as a permutation of the underlying set of B. So in other words, you have this automorphism group of B. It consists of permutations of the underlying set. So it lies in the symmetric group of B, which has order n factorial if n is the order of B. And then you have the sign map from elementary algebra. And if you compose these two maps, the inclusion and the sign map, then you get this symbol (beta, B), which already shows that if you fix capital B, then this is multiplicative in beta.
So that is also the case for the Jacobi symbol, which I didn't point out, but if I fix my b, then this function of a is really a group homomorphism from the unit group of R mod b to plus or minus one. Okay, so that is the sign. And then we have two more theorems. If this is theorem one, then we have theorem two, which is the one that I suggested already. That is, a on b, you get it as this symbol. So here you will have the automorphism of the additive group of R mod b, which is given by multiplication by a, and here you have, let's write it, R mod b plus; R mod b plus is just the additive group of R mod b. And if you compute this sign in that situation, then the theorem asserts that what you get is the Jacobi symbol. That is theorem two, and I will suggest much of the proof in the present lecture. And then we have another theorem, and that is the following: there is a polynomial time algorithm with input B and beta, and B is specified to the algorithm in the way I explained yesterday, with generators and relations. Beta likewise, you are just told what beta does to the generators. And the output is, of course, the output is my symbol. If you combine these two theorems, then you immediately see that my first theorem follows, because this finite abelian group is easy to compute, it is the cokernel of the inclusion map from b in R. And also this map is easy to compute because we know how to do multiplication in R. So, these are the two theorems that I want to sketch the proof of in this lecture, and then our problem will be solved, so that I can use this part of the blackboard for other purposes. Yeah, it turns out that it is best first to prove theorem three, in the sense that if you have enough materials for doing that, then the proof of theorem two drops out almost immediately. And in fact, you can say that both of these theorems ultimately follow from one important lemma.
Let me make a remark about this, however, since I should admit that I am not going to prove the entire theorem, I am going to prove only the half that is of interest to us. And we will assume in the proof and in the algorithm that the cardinality of B is odd. The cardinality of B, that is a finite positive integer, either odd or even; in our application it is always odd, and therefore I will restrict what I have to say about theorem three to the case of finite abelian groups of odd order. The theorem is also true when B has even order, but then the algorithm is completely different. Actually, it's fair to say that it is easier, but it is of no interest to the Jacobi symbol, and you can find the details of the case that the cardinality of B is even in the lecture notes, maybe just in the exercises. The main lemma: so suppose that I have a short exact sequence of finite abelian groups, a short exact sequence of finite abelian groups of odd order, and suppose that I have three automorphisms, one for each of these groups. So alpha, beta, gamma are automorphisms of A, B and C respectively, such that they are compatible with each other, which means that this diagram that I am drawing, in which I repeat my original sequence once, and here I have those alpha, beta and gamma, such that this diagram is commutative. So that is really equivalent to saying that I have an automorphism beta of B as I had it before. It should be such that A, when I view it as a subgroup of B, is exactly mapped to itself, and that will then induce a unique map from C to itself, which will automatically be an automorphism as well. And the lemma states that this symbol that we are talking about is multiplicative in such exact sequences, and that is the key, both to what we need to prove to get the Jacobi algorithm, and to the fact that theorem two is valid.
This lemma is completely wrong without the hypothesis that the groups are of odd order; then there will be different lemmas that are valid, but there is not, in all cases, the situation to express the middle sign in terms of the other data. Okay, so let me give you at least a sketch of the proof of this lemma, because it is central to everything that I will have to say. Let me draw a picture of my group. Here I have my group B, and here I have C. B, and there is C, and here we have the unit element of C. So the kernel, that is this group that is lying here, maybe I should find some color here. So that is the group A. That is a subgroup of B. What I do for the purposes of my proof is that I pick a section. So for each element of C, I pick one element in the fiber above it, but you have to keep in mind that this is only a set-theoretic section, and the image, well, the image is this piece. The image is s of C. And if you want to lift this element you end up there; s of this element is the one over there. This is good for us because now I get a coordinate system on my group B: for every b in B, I can pick two coordinates in a unique way, a coordinate little a in capital A and little c in capital C. And then the property should be that b is, let's say, s of c plus little a. Yeah, so if b lies here, then you map it down to c, then this s(c) is lying above it in the lower row, and then a will be here. So b is the sum. If you have to add two b's, then you have to add two of those s(c)'s, which is a disaster, because s is not a group homomorphism. But now what I do is I look at three maps from B to itself, three permutations, and the first one sends this element of B, which I write in my coordinates, I just apply my automorphism to a. And it goes to s of c plus, yeah, I have this automorphism beta, I apply it to a, so that's the same as applying alpha. So that is alpha of a. That is not quite what beta is doing, because I have not been touching s of c.
And my second map, it does touch s of c and leaves the a alone, and how does it touch s of c? Well, I apply my automorphism at the bottom. So I apply gamma, it is called gamma, to c, and then I take the section. I add a itself, the a is left alone, and I have here this gamma of c, and it is clear, so what is happening in the picture is that the first map on this first column, on A, is just alpha, and on each of the other columns it is alpha if you just translate it, so this is, just as a permutation, it is just as many copies of alpha as there are elements in C. So this is a permutation, and the sign, that is the sign of alpha raised to the power the order of C, because I repeat that permutation once for every fiber. But C is odd, so I can cross it out. And likewise, this permutation is just what gamma does in every row. So the sign here, the sign of gamma on C raised to the power the cardinality of A, but A also has odd order, so rather than crossing it out, I don't even write it down. If you now compose these maps, you first do the first and then you do the second, then you do not quite get your beta. But it turns out that what you do get is something that lies in the right fiber, that differs from beta simply by translation. So the last map, it sends s(c) plus a, and now I get my piece of paper, because this is a very complicated computation and I don't want to make a mistake. So I take beta, and I apply it to s of gamma inverse c. This is what's happening. And then I still add a. So this gamma inverse c, that lies somewhere in C. If I apply s to it, then I lift it, so that this is an element of B that maps to gamma inverse c. If I apply beta to it, then I get c again, so this actually lies in the fiber over c. So this lies in the fiber over c. So that means that what you are doing with this permutation is that in each fiber, you translate by the difference between these two elements. In the fiber over c.
This is translation by an element of A, namely this element minus that element; if I give this element the name star, then it is by star minus s of c. I don't really care which element it is, but it is an element of A, and you see A is a group of odd order. So this element by which I translate has odd order. So in each fiber this is a permutation of odd order, and permutations of odd order, they are even. So this is an even permutation. For the purposes of computing signs, it is completely irrelevant. And then you sit down, as I have been doing this afternoon, and then you discover that if you apply these maps, one after the other, first the top one, next the middle one, then the bottom one, the composed map is exactly the same as beta. That is something that anybody can check for himself, and I did it three times so I'm pretty sure it is true. So the sign of this permutation beta is the product of the signs. This one is even, so that gives me exactly what I wanted to prove. This is at least a sketch of the proof of my main lemma. Okay. This proof has to be sacrificed, however, since we are now going to use this lemma to, well, let's first prove this theorem two. So the proof of theorem two. It states that a on b is the sign, this is a on the, sorry, sign of multiplication by a on this ring R mod b. And if b is prime, if b is a prime ideal, then this R mod b is a finite field. It has a unit group; a mod b belongs to the unit group, and the unit group of a finite field is cyclic. So let's suppose for the moment that a generates that unit group, so a mod b generates the multiplicative group of that field, which is the entire field without the zero. Write now all elements here as powers of a, then you see that the map multiplication by a is one long cycle of length the cardinality of this group, which is the order of a, and one cycle which is just the zero. So, in this situation, you can easily compute the sign of the map, because b has odd norm.
So, this group has even order, there's an element of order two in there, minus one. So it is a cycle of even length and therefore it is odd, and therefore this multiplication by a is minus one. And if a is a generator mod b, then it is certainly not a square mod b, so that is also a on b. So in that special case, that b is prime and a generates the group, we have a perfectly straightforward proof of theorem two. And if I now replace my a by powers, well, both of them are, for fixed b, group homomorphisms as a function of a, and if two group homomorphisms agree on a generator of the group. So that means that in the case that b is prime, that proves it. And in the general case, well, we go to our composition series, and you see that you have b_0, b_1, b_2, and you end up with b_t, which is b. Each of these quotients as an R-module is isomorphic to R modulo some prime p_i, as we saw before, and that is an isomorphism of R-modules. So that means that this isomorphism carries multiplication by a to multiplication by a, and therefore multiplication by a on this quotient, the sign of, so x goes to ax on this group b_{i-1} mod b_i, that will be the same as what happens on the right hand side, which is, as we just proved, a on p_i. And now you simply apply the main lemma about t times. If you know what the sign is in the first layer, and in the second layer, then you combine it in the combined two layers, and you keep going. And you apply at every step this main lemma. So in the first case, b_1 mod b_2 will be my capital A, b_0 mod b_2 will be my capital B, and b_0 mod b_1 will be my capital C, and then you keep going, and you discover that the sign of x goes to ax on the entire quotient is simply the product over i of these Legendre symbols, and that is by definition. So that means that this thing here, x goes to ax on R mod b, is a product over i of a on p_i, and that is by definition simply a on b, of course. So that is the proof of theorem two.
So these Jacobi symbols are ultimately no more than signs of permutations; that is shocking, how much structure one can throw away here. These permutations, the proof also made use of permutations that were not group automorphisms at all. So we are really making use of the freedom that we have. The main lemma is also going to be used in the proof of theorem three, and theorem three is in a sense not really a theorem, it is an algorithm, and it asserts the existence of an algorithm, and the algorithm. So we use the (beta, B); B and beta are given as input to the algorithm in the manner that I explained yesterday. And that makes use of another lemma, which follows from the main lemma, and that is the following lemma. So, suppose that I have two integers, t and n, where t is non-negative and n is positive. Then what I will do in this lemma is that I will look at a particularly beautiful B, namely a B that is of exponent n; it's killed by n. So it's a module over Z mod nZ and it will be a free module of rank t. So, then for B equal to Z mod nZ to the power t, and this power t, that is supposed to be a repeated direct sum. So if n is a prime number, then this will be a vector space over Z mod nZ of dimension t. One has, well, for all beta in the automorphism group of B, there is an expression for the sign. And it goes as follows. If you have an endomorphism, and this is also for endomorphisms, not just automorphisms, if you have an endomorphism of a free module over a commutative ring, then that endomorphism has a determinant, and that is a multiplicative function of the endomorphism. If you compose two endomorphisms, then the determinants multiply, and that determinant, that lies in Z mod nZ. If beta is an automorphism, then this will be a unit modulo n, because beta has an inverse and the determinant of the inverse is the inverse of the determinant.
So this is a number mod n, and the statement is that all you have to do to compute the sign is that you take the Jacobi symbol of the determinant over n. You can see that while previously we were determining Jacobi symbols through signs, we are now computing signs through Jacobi symbols. There is an important difference. This is not the generalized Jacobi symbol. This is just the plain classical Jacobi symbol that I started my lecture with, just for integers. If you believe this lemma, then at least for simple-minded groups of this sort, you have reduced the computation of the sign to the computation, first of all, of the determinant, which is somewhere, I believe, in the notes, in an exercise, I guess. And secondly, the computation of the Jacobi symbol for Z, and that is what I told you at the beginning, how you do it with a Euclidean algorithm and the reciprocity law. And the determinant in my case is actually in Z mod nZ star. So let me briefly indicate how you prove this. First of all, you filter this group using the divisors of n, and that filtration you attack with the main lemma, and you discover that if you want to prove this, then by the main lemma, it reduces immediately to the case that n is a prime number, an odd prime number. Oh, I forgot to say that n was odd. And if n is a prime number, well, then you like to filter your vector space with a set of invariant subspaces so that you can again apply the main lemma. But not every automorphism allows such a filtration, but it is very easy to see that the betas which do allow such a filtration generate the group, so that this formula follows without any further ado. So let me take this lemma for granted. And what you now do in general is that you apply a theorem from last time to write your group as the direct sum of cyclic groups with the property that these numbers, these orders of these cyclic groups, divide each other in succession.
And if you then look at B modulo n_m B, and you do that also for the others. So here you have a filtration of the group. And n_1 is the exponent of the group. So this is zero. Then you will see that each of the successive quotients is acted upon by my beta, my automorphism. And each of the quotients will be free of a certain rank. Here the rank is m, there it is m minus one, m minus two, we go down to one, over a ring Z mod nZ of which the order is odd. This n_m here is the quotient of the two successive n's. The last one is n_1 divided by n_2. So you see that you can use this lemma to roll up the entire group and multiply the signs so as to get the algorithm that theorem three alludes to. That proves the theorem that I mentioned at the beginning. It is certainly not the end of the story, since if you know a little more algebraic number theory, then you will know that there are also higher power residue symbols. So one wonders what is happening, because there are no higher signs on symmetric groups. Well, that is true. And nevertheless the whole thing generalizes. And one way to find out what you have to do there is just to sign up for the summer school next year; chances are that I will tell you how to do it, and maybe you can even figure it out yourself in the meantime, you have a whole year for it. Thank you for your attention.
Thank you, Hendrik, for that wonderful lecture. Are there questions? Well, Hendrik, I was going to ask about the power residue symbols, but you say I have to wait till next year, so I'll wait till next year.
Okay, sure. Well, we can maybe communicate in private about this, don't get away.
Okay, I don't see any questions, so let's thank Hendrik for all of his lectures this week; it was a great pleasure.
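An added example, not part of the lecture: a Python sketch of the classical Euclid-style Jacobi computation described at the start, checked by brute force against the two sign statements in the special case R = Z (theorem two, and the determinant lemma for Z mod nZ to the power 2). All function names are chosen for this illustration.

```python
from itertools import product
from math import gcd


def jacobi(a, b):
    """Classical Jacobi symbol a on b, for b positive and odd, a coprime to b."""
    if b <= 0 or b % 2 == 0 or gcd(a, b) != 1:
        raise ValueError("need b positive and odd, and a coprime to b")
    a %= b                       # only the residue class of a modulo b matters
    sign = 1
    while a != 0:
        while a % 2 == 0:        # 2 on b is -1 exactly when b is +-3 modulo 8
            a //= 2
            if b % 8 in (3, 5):
                sign = -sign
        a, b = b, a              # reciprocity: flip iff both are 3 modulo 4
        if a % 4 == 3 and b % 4 == 3:
            sign = -sign
        a %= b
    return sign                  # the loop ends with b == 1 because gcd was 1


def perm_sign(perm):
    """Sign of a permutation given as a dict element -> image."""
    seen, sign = set(), 1
    for start in perm:
        length, x = 0, start
        while x not in seen:     # walk one cycle
            seen.add(x)
            x = perm[x]
            length += 1
        if length and length % 2 == 0:   # a cycle of even length is odd
            sign = -sign
    return sign


def sign_of_multiplication(a, b):
    """(beta, B) for B = Z mod bZ and beta = multiplication by a."""
    return perm_sign({x: a * x % b for x in range(b)})


def sign_of_matrix(m, n):
    """(beta, B) for B = (Z mod nZ)^t and beta given by the t x t matrix m."""
    t = len(m)
    perm = {}
    for v in product(range(n), repeat=t):
        perm[v] = tuple(sum(m[i][j] * v[j] for j in range(t)) % n
                        for i in range(t))
    return perm_sign(perm)


def theorem2_mismatches(max_b):
    """Pairs (a, b), b odd, where the Jacobi symbol differs from the sign."""
    return [(a, b) for b in range(3, max_b + 1, 2) for a in range(1, b)
            if gcd(a, b) == 1 and jacobi(a, b) != sign_of_multiplication(a, b)]


def determinant_lemma_mismatches(n):
    """Invertible 2x2 matrices over Z mod nZ whose sign is not jacobi(det, n)."""
    bad = []
    for p, q, r, s in product(range(n), repeat=4):
        det = (p * s - q * r) % n
        if gcd(det, n) == 1:
            m = ((p, q), (r, s))
            if sign_of_matrix(m, n) != jacobi(det, n):
                bad.append(m)
    return bad


if __name__ == "__main__":
    print("1001 on 9907 =", jacobi(1001, 9907))
    print("theorem two mismatches, b up to 45:", theorem2_mismatches(45))
    for n in (3, 5, 9):          # 9 is composite: Jacobi, not Legendre
        print("determinant lemma mismatches, n =", n,
              determinant_lemma_mismatches(n))
```

The brute-force checks take time proportional to the size of the group, so they only confirm the statements on small cases; `jacobi` itself runs in time comparable to the Euclidean algorithm.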