Category: featured

A cat called CEILIDH

Published January 7, 2008 by lievenlb

We will see later that the cyclic subgroup $T_6 \subset \mathbb{F}_{p^6}^* $ is a 2-dimensional torus.

Take a finite set of polynomials $f_i(x_1,\ldots,x_k) \in \mathbb{F}_p[x_1,\ldots,x_k] $ and consider for every fieldextension $\mathbb{F}_p \subset \mathbb{F}_q $ the set of all k-tuples satisfying all these polynomials and call this set

$X(\mathbb{F}_q) = { (a_1,\ldots,a_k) \in \mathbb{F}_q^k~:~f_i(a_1,\ldots,a_k) = 0~\forall i } $

Then, $T_6 $ being a 2-dimensional torus roughly means that we can find a system of polynomials such that
$T_6 = X(\mathbb{F}_p) $ and over the algebraic closure $\overline{\mathbb{F}}_p $ we have $X(\overline{\mathbb{F}}_p) = \overline{\mathbb{F}}_p^* \times \overline{\mathbb{F}}_p^* $ and $T_6 $ is a subgroup of this product group.

It is known that all 2-dimensional tori are rational. In particular, this means that we can write down maps defined by rational functions (fractions of polynomials) $f~:~T_6 \rightarrow \mathbb{F}_p \times \mathbb{F}_p $ and $j~:~\mathbb{F}_p \times \mathbb{F}_p \rightarrow T_6 $ which define a bijection between the points where f and j are defined (that is, possibly excluding zeroes of polynomials appearing in denumerators in the definition of the maps f or j). But then, we can use to map f to represent ‘most’ elements of $T_6 $ by just 2 pits, exactly as in the XTR-system.

Making the rational maps f and j explicit and checking where they are ill-defined is precisely what Karl Rubin and Alice Silverberg did in their CEILIDH-system. The acronym CEILIDH (which they like us to pronounce as ‘cayley’) stands for Compact Efficient Improves on LUC, Improves on Diffie-Hellman…

A Cailidh is a Scots Gaelic word meaning ‘visit’ and stands for a ‘traditional Scottish gathering’.

Between 1997 and 2001 the Scottish ceilidh grew in popularity again amongst youths. Since then a subculture in some Scottish cities has evolved where some people attend ceilidhs on a regular basis and at the ceilidh they find out from the other dancers when and where the next ceilidh will be.
Privately organised ceilidhs are now extremely common, where bands are hired, usually for evening entertainment for a wedding, birthday party or other celebratory event. These bands vary in size, although are commonly made up of between 2 and 6 players. The appeal of the Scottish ceilidh is by no means limited to the younger generation, and dances vary in speed and complexity in order to accommodate most age groups and levels of ability.

Anyway, let us give the details of the Rubin-Silverberg approach. Take a large prime number p congruent to 2,6,7 or 11 modulo 13 and such that $\Phi_6(p)=p^2-p+1 $ is again a prime number. Then, if $\zeta $ is a 13-th root of unity we have that $\mathbb{F}_{p^{12}} = \mathbb{F}_p(\zeta) $. Consider the elements

$\begin{cases} z = \zeta + \zeta^{-1} \\ y = \zeta+\zeta^{-1}+\zeta^5+\zeta^{-5} \end{cases} $

Then, for every $~(u,v) \in \mathbb{F}_p \times \mathbb{F}_p $ define the map $j $ to $T_6 $ by

$j(u,v) = \frac{r-s \sqrt{13}}{r+s \sqrt{13}} \in T_6 $

and one can verify that this is indeed an element of $T_6 $ provided we take

$\begin{cases} r = (3(u^2+v^2)+7uv+34u+18v+40)y^2+26uy-(21u(3+v)+9(u^2+v^2)+28v+42) \\
s = 3(u^2+v^2)+7uv+21u+18v+14 \end{cases} $

Conversely, for $t \in T_6 $ write $t=a + b \sqrt{13} $ using the basis $\mathbb{F}_{p^6} = \mathbb{F}_{p^3}1 \oplus \mathbb{F}_{p^3} \sqrt{13} $, so $a,b \in \mathbb{F}_{p^3} $ and consequently write

$\frac{1+a}{b} = w y^2 + u (y + \frac{y^2}{2}) + v $

with $u,v,w \in \mathbb{F}_p $ using the basis ${ y^2.y+\frac{y^2}{2},1 } $ of $\mathbb{F}_{p^3}/\mathbb{F}_p $. Okay, then the invers of $j $ iis the map $f~:~T_6 \rightarrow \mathbb{F}_p \times \mathbb{F}_p $ given by

$f(t) = (\frac{u}{w+1},\frac{v-3}{w+1}) $

and it takes some effort to show that f and j are indeed each other inverses, that j is defined on all points of $\mathbb{F}_p \times \mathbb{F}_p $ and that f is defined everywhere except at the two points
${ 1,-2z^5+6z^3-4z-1 } \subset T_6 $. Therefore, as long as we avoid these two points in our Diffie-Hellman key exchange, we can perform it using just $2=\phi(6) $ pits : I will send you $f(g^a) $ allowing you to compute our shared key $f(g^{ab}) $ or $g^{ab} $ from my data and your secret number b.

But, where’s the cat in all of this? Unfortunately, the cat is dead…

One Comment

ECSTR aka XTR

Published January 5, 2008 by lievenlb

The one thing that makes it hard for an outsider to get through a crypto-paper is their shared passion for using nonsensical abbreviations. ECSTR stands for “Efficient Compact Subgroup Trace Representation” and we are fortunate that Arjen Lenstra and Eric Verheul shortened it in their paper The XTR public key system to just XTR. As both of them speak Dutch, they will know why Ive chosen a magpie-picture on the left… Btw. there is a nice MSRI-talk by Lenstra, starting off with a couple of jokes on what ECSTR is NOT meant to abbreviate (one of them being ‘Elliptic Curve Systems Too Risky’… (( I may even start to share their passion… )) ).

The XTR-system uses safety of $\mathbb{F}_{p^6} $ in the Diffie-Hellman key exchange while transmitting only $2=\phi(6) $ pits. The first question one asks is : why the jump from $N=2 $ from last time to $N=6 $? Well, remember that (conjecturally) we want to use safety of $\mathbb{F}_q $ for $q=p^N $ while using only $\phi(N) $ pits. That is, we want to have $N log(p) $ large (for safety) while at the same time $\phi(N) log(p) $ small (for efficiency). Thus, the most useful N’s to consider are those in the sequence

$N=1,~2,~6=2.3,~30=2.3.5,~210=2,3,5,7,~\ldots $

that is, the products of the first so many prime numbers. The number of elements of the cyclic group $\mathbb{F}_q^* $ is equal to

$p^6-1 = (p-1)(p+1)(p^2+p+1)(p^2-p+1) $

and that the subgroup of order $p-1 $ can be embedded in $\mathbb{F}_p^* $, that of order $p+1 $ can be embedded in $\mathbb{F}_{p^2}^* $, that of order $p^2+p+1 $ can be embedded in $\mathbb{F}_{p^3}^* $, BUT that the subgroup of order $\Phi_6(p)=p^2-p+1 $ CANNOT be embedded in any $\mathbb{F}_{p^i}^* $ for $i = 1,2,3 $, or in other words, the $p^2-p+1 $ subgroup is as hard as $\mathbb{F}_{p^6}^* $. So, let us take a generator $g $ of the subgroup $T_6 $ of order $p^2-p+1 $ and do the Diffie-Hellman trick with it in a modified manner.

Galois groups of finite fields are cyclic and generated by the Frobenius $x \mapsto x^p $. In particular, the Galois group $Gal(\mathbb{F}_{p^6}/\mathbb{F}_{p^2}) = C_3 $ is cyclic of order three and consists of the auromorphisms ${ 1=id, \sigma = (x \mapsto x^{p^2}), \sigma^2 = (x \mapsto x^{p^4}) } $, so the corresponding trace map is given by

$Tr~:~\mathbb{F}_{p^6} \rightarrow \mathbb{F}_{p^2} \qquad Tr(x) = x + x^{p^2} + x^{p^4} $

So, how do we perform our key-exchange using my secret number $a $ and yours $b $? Well, I’ll send you $Tr(g^a) $ and as this is an element of the quadratic extension $\mathbb{F}_{p^2} $ I’ll need just 2 pits instead of 6 and you will send me likewise $Tr(g^b) $. I claim that the common key we (and only we) can compute is $Tr(g^{ab}) $. How does this work?

Given any element $x \in T_6 \subset \mathbb{F}_{p^6}^* $ we can compute the 3-element set $C_x = { x,\sigma(x),\sigma(x^2) } $ and hence the characteristic polynomial
$~(t-x)(t-\sigma(x))(t-\sigma^2(x)) $

$ = t^3 – (x+\sigma(x)+\sigma^2(x))t^2 + (x \sigma(x)+ x\sigma^2(x)+\sigma(x)\sigma^2(x))t – x \sigma(x)\sigma^2(x) $

The first coefficient $x+\sigma(x)+\sigma^2(x) $ is the trace $Tr(x) $ and the second and third coefficients are respectively $Tr(x \sigma(x)) $ and the norm $N(x) $. Now, if $x \in T_6 $ one can show that

$Tr(x \sigma(x)) = Tr(x)^p $ and $N(x)=1 $

That is, from knowing only $Tr(x) $ we can compute the characteristic polynomial and hence recover the 3-element set ${ h,\sigma(h),\sigma^2(h) } $!

If I give you $Tr(g^a) $ you can compute from it the 3-set ${ g^a,\sigma(g^a),\sigma^2(g^a) } $ and raise them all the the b-th power (b being your secret number) to obtain

${ g^{ab},\sigma(g^a)^b,\sigma^2(g^a)^b } = { g^{ab},\sigma(g^{ab}),\sigma^2(g^{ab}) } $

but then you also know our shared key $Tr(g^{ab}) = g^{ab}+\sigma(g^{ab})+\sigma^2(g^{ab}) $… Done!

One Comment

key-compression

Published January 4, 2008 by lievenlb

The main application of tori to cryptography is to exchange keys more efficiently while preserving the same security standards.

In the Diffie-Hellman key-exchange one interchanges elements of the finite field $\mathbb{F}_q $ where $q=p^N $ is a prime-power of a large prime number $p $. If we call an element of the prime field $\mathbb{F}_p $ a pit (similar to bit when $p=2 $) then we can measure transmssions in pits. An element $h \in \mathbb{F}_q $ requires N pits, for we can write the finite field as the quotient of ring of polynomials $\mathbb{F}_p[x] $

$\mathbb{F}_q = \frac{\mathbb{F}_p[x]}{(f(x))} $

modulo an _irreducible_ polynomial $f(x) $ of degree N. Hence, any $h \in \mathbb{F}_q $ can be written as a polynomial of degree $< N $,
$h = a_1 + a_2 x + \ldots + a_N x^{N-1} $
with all $a_i \in \mathbb{F}_p $, so we can represent $h=(a_1,a_2,\ldots,a_N) $ as N pits. Now, we are going to limit this number of pits (from $N $ to about $\phi(N) $ where $\phi $ is the Euler totient function, that is the number of integers smaller than N and coprime to it) by restricting the elements $h $ to be transfered to a subgroup of the group of units of the finite field $\mathbb{F}_q^* $ while not compromising on the security of the public key system (the large order of the basic element $g \in \mathbb{F}_q^* $ of which $h $ is a power).

To see that this is indeed possible, let us consider the easiest case (that of $N=2 $) and keep the discussion tori-free (those of you who know more will realize that Hilbert’s Satz 90 is never too far away…). If $q=p^2 $ then the order of the cyclic group $\mathbb{F}_q^* $ is $p^2-1 = (p-1)(p+1) $ so in order to get a safe system let us choose the large prime number $p $ such that also tex/2=r $ is a prime number.

Right, now define $T_2 $ to be the subgroup of $\mathbb{F}_q^* $ of order $p+1 $ and let $g $ be a generator of it that we will use in the Diffie-Hellman exchange. Can we describe the element of $T_2 $ (our torus in disguise)? Take $d \in \mathbb{F}_p^* $ a non-square element, then we can write
$\mathbb{F}_q = \mathbb{F}_p(\sqrt{d}) $ and $T_2 = { a+b\sqrt{d}~:~(a+b\sqrt{d})^{p+1}=1 } $ (here, $a,b \in \mathbb{F}_p $). But we claim that
$~(a+b\sqrt{d})^p = a -b \sqrt{d} $. Indeed, $a^p=a,b^p=b $ and from Fermat’s little theorem we deduce that

$ -1 = (\frac{d}{p}) \equiv d^{\frac{p-1}{2}}~mod(p) $

where the middle term is the Legendre symbol which is equal to -1 because d was a non-square modulo p. That is, we can then write $T_2 $ as the algebraic variety of dimension one defined over $\mathbb{F}_p $ and given by the equation

$T_2 = { a+b\sqrt{d} \in \mathbb{F}_q^*~\mid~(a,b) \in \mathbb{F}^2~:~a^2-db^2=1 } $

Because $T_2 $ is of dimension one over $\mathbb{F}_p $ we can hope that most of its elements can be represented by just one pit (instead of the two pits necessary to represent them as elements of $\mathbb{F}_q $). This is indeed the case, for we have explicit maps (in geometric terms, these maps show that $T_2 $ is a rational variety)

$j~:~\mathbb{F}_p \rightarrow T_2~\quad~j(a) = \frac{a+\sqrt{d}}{a-\sqrt{d}}=\frac{a^2+d}{a^2-d}+\frac{2a}{a^2-d}\sqrt{d} $

which has a well-defined invers on the complement of ${ 1,-1 } $

$f~:~T_2 – { 1,-1 } \rightarrow \mathbb{F}_p~\quad~f(a+b\sqrt{d}) = \frac{1+a}{b} $

From the right-hand description of $j(a) $ one deduces that indeed we have that $f(j(a))=a $. Using this we can indeed compress the Diffie-Hellman exchange by a factor 2.

Instead of giving you the element $g^a \in T_2 $ computed using my secret number a, I’ll send you (using only one pit) the number $f(g^a) \in \mathbb{F}_p $. On this number, you can apply the j-function to recover $g^a $ and then compute the common key $~(g^a)^b = g^{ab} $ using your secret number b). Still, we didnt compromise on security because we used the most difficult elements around in $\mathbb{F}_q^* $. By going to higher dimensional tori one can even improve on the efficiency rate!

3 Comments

tori & crypto : Diffie-Hellman or GCHQ?

Published January 3, 2008 by lievenlb

Boris Kunyavskii arXived the paper Algebraic tori – thirty years after dedicated to the 80th anniversary of V. E. Voskresenskii. The goal is to give an overview of results of V. E. Voskresenskii on arithmetic and birational properties of algebraic tori which culminated in his monograph “Algebraic Tori” published in Russian 30 years ago. As Ive worked on this stuff a long time ago I glanced through the paper and it contains a nice summary of the work of V.E. Voskresenskii, and later of Jean-Louis Colliot-Thelene, Jean-Jacques Sansuc and David Saltman. To my surprise I also made a guest-appearance and even seem to have a conjecture (??!!). Fortunately the ‘conjecture’ turned out to be correct as was proved by Nicole Lemire and Martin Lorenz. But a much bigger surprise (at least to me) is contained in the final section of the paper where applications of (stable) rationality of certain tori are given to primality testing and public key cryptography!

In [GPS]
the authors propose to use a similar idea of compression for using tori
in an even more recent cryptographic protocol (so-called pairing-based
cryptography). It is interesting to note that the efficiency (compression factor) of the above mentioned cryptosystems heavily depends on
rationality of tori under consideration (more precisely, on an explicit
rational parameterization of the underlying variety). As the tori used
by Rubin and Silverberg are known to be stably rational, the seemingly abstract question on rationality of a given stably rational torus
is moving to the area of applied mathematics. The first challenging
problem here is to obtain an explicit rational parameterization of the
8-dimensional torus $T_{30} $ , deïfined over a finite field k and splitting over
its cyclic extension L of degree 30.

This is a particular case of a problem posed by Voskresenskii [Vo77,
Problem 5.12] 30 years ago. Let us hope that we will not have to wait
another 30 years for answering this question on a degree 30 extension.

That’s all it takes to get me seriously side-tracked… so the last couple of hours I’ve been reading up on this connection between tori and cryptography. I will spend a couple of posts on these beautiful results. The latest seems to be that, while rationality of $T_{30} $ is still unknown, one can use an explicit stable-rationality description of it to get a better bound than the XTR-system (the system corresponding to the torus $T_{6} $) which in turn is better than the LUC-system (corresponding to $T_2 $), which is turn is twice as efficient as the Diffie-Hellman key exchange system… So let us start gently with the latter one…

Whitfield Diffie (r.) and Martin Hellman (m.) published in 1976 their public key-exchange system. Take a large prime power $q=p^N $, make it public and consider the finite field $\mathbb{F}_q $ which is known to have a cyclic group of units $\mathbb{F}^*_q $ of order $q-1 $. Now, take $g $ to be an element in it of large order (preferable a generator but that isnt necessary) and also make this element public.

Now choose a random integer $a $ (your hidden secret) and compute the element $g^a \in \mathbb{F}_q $ and publicize this element. Suppose someone else published his/her element $g^b $ constructed from his/her secret integer $b $ then both you and this other person can compute from the published data and their secret numbers the element (the shared key)

$g^{ab}=(g^b)^a = (g^a)^b $

(because you know $a $ and the published $g^b $ and your correspondent knows $b $ and the published $g^a $) but nobody else can compute it from the public-available data only because discrete logarithms cannot be feasibly computed in the group $\mathbb{F}_q^* $. Hellman suggests to call this system the Diffie-Hellman-Merkl key-exchange (via this link)

The first researchers to discover and publish the concepts of PKC were Whitfield Diffie and Martin Hellman from Stanford University, and Ralph Merkle from the University of California at Berkeley. As so often happens in the scientific world, the two groups were working independently on the same problem — Diffie and Hellman on public key cryptography and Merkle on public key distribution — when they became aware of each other’s work and realized there was synergy in their approaches. In Hellman’s words: “We each had a key part of the puzzle and while it’s true one of us first said X, and another of us first said Y, and so on, it was the combination and the back and forth between us that allowed the discovery.”

And that was the full story until 1997. In December, 1997, it was revealed that researchers at the GCHQ organization did some work in the early 1970’s in the field of “non-secret encryption”. The people involved are James Ellis, Clifford Cocks and Malcolm Williamson (r.).

Here is a note by Ellis on his recollection of the history of ‘Non-secret encryption” :

Cryptography is a most unusual science. Most professional scientists aim to be the first to publish their work,
because it is through dissemination that the work realises its value. In contrast, the fullest value of cryptography
is realised by minimising the information available to potential adversaries. Thus professional cryptographers
normally work in closed communities to provide sufficient professional interaction to ensure quality while
maintaining secrecy from outsiders. Revelation of these secrets is normally only sanctioned in the interests
of historical accuracy after it has been demonstrated clearly that no further benefit can be obtained from
continued secrecy.
In keeping with this tradition it is now appropriate to tell the story of the invention and development within
CESG of non-secret encryption (NSE) which was our original name for what is now called PKC. The task of writing
this paper has devolved on me because NSE was my idea and I can therefore describe these early developments from
personal experience. No techniques not already public knowledge, or specific applications of NSE will be mentioned…

The once secret notes of Williamson are also available. NON-SECRET ENCRYPTION USING A FINITE FIELD
by M J Williamson, 21 January 1974 and THOUGHTS ON CHEAPER NON-SECRET ENCRYPTION
M J Williamson, 10 August 1976.

2 Comments

quivers versus quilts

Published January 2, 2008 by lievenlb

We have associated to a subgroup of the modular group $PSL_2(\mathbb{Z}) $ a quiver (that is, an oriented graph). For example, one verifies that the fundamental domain of the subgroup $\Gamma_0(2) $ (an index 3 subgroup) is depicted on the right by the region between the thick lines with the identification of edges as indicated. The associated quiver is then

\[
\xymatrix{i \ar[rr]^a \ar[dd]^b & & 1 \ar@/^/[ld]^h \ar@/_/[ld]_i \\
& \rho \ar@/^/[lu]^d \ar@/_/[lu]_e \ar[rd]^f & \\
0 \ar[ru]^g & & i+1 \ar[uu]^c}
\]

The corresponding “dessin d’enfant” are the green edges in the picture. But, the red dot on the left boundary is identied with the red dot on the lower circular boundary, so the dessin of the modular subgroup $\Gamma_0(2) $ is

\[
\xymatrix{| \ar@{-}[r] & \bullet \ar@{-}@/^8ex/[r] \ar@{-}@/_8ex/[r] & -}
\]

Here, the three red dots (all of them even points in the Dedekind tessellation) give (after the identification) the two points indicated by a $\mid $ whereas the blue dot (an odd point in the tessellation) is depicted by a $\bullet $. There is another ‘quiver-like’ picture associated to this dessin, a quilt of the modular subgroup $\Gamma_0(2) $ as studied by John Conway and Tim Hsu.

On the left, a quilt-diagram copied from Hsu’s book Quilts : central extensions, braid actions, and finite groups, exercise 3.3.9. This ‘quiver’ has also 5 vertices and 7 arrows as our quiver above, so is there a connection?

A quilt is a gadget to study transitive permutation representations of the braid group $B_3 $ (rather than its quotient, the modular group $PSL_2(\mathbb{Z}) = B_3/\langle Z \rangle $ where $\langle Z \rangle $ is the cyclic center of $B_3 $. The $Z $-stabilizer subgroup of all elements in a transitive permutation representation of $B_3 $ is the same and hence of the form $\langle Z^M \rangle $ where M is called the modulus of the representation. The arrow-data of a quilt, that is the direction of certain edges and their labeling with numbers from $\mathbb{Z}/M \mathbb{Z} $ (which have to satisfy some requirements, the flow rules, but more about that another time) encode the Z-action on the permutation representation. The dimension of the representation is $M \times k $ where $k $ is the number of half-edges in the dessin. In the above example, the modulus is 5 and the dessin has 3 (half)edges, so it depicts a 15-dimensional permutation representation of $B_3 $.

If we forget the Z-action (that is, the arrow information), we get a permutation representation of the modular group (that is a dessin). So, if we delete the labels and directions on the edges we get what Hsu calls a modular quilt, that is, a picture consisting of thick edges (the dessin) together with dotted edges which are called the seams of the modular quilt. The modular quilt is merely another way to depict a fundamental domain of the corresponding subgroup of the modular group. For the above example, we have the indicated correspondences between the fundamental domain of $\Gamma_0(2) $ in the upper half-plane (on the left) and as a modular quilt (on the right)

That is, we can also get our quiver (or its opposite quiver) from the modular quilt by fixing the orientation of one 2-cell. For example, if we fix the orientation of the 2-cell $\vec{fch} $ we get our quiver back from the modular quilt

\[
\xymatrix{i \ar[rr]^a \ar[dd]^b & & 1 \ar@/^/[ld]^h \ar@/_/[ld]_i \\
& \rho \ar@/^/[lu]^d \ar@/_/[lu]_e \ar[rd]^f & \\
0 \ar[ru]^g & & i+1 \ar[uu]^c}
\]

This shows that the quiver (or its opposite) associated to a (conjugacy class of a) subgroup of $PSL_2(\mathbb{Z}) $ does not depend on the choice of embedding of the dessin (or associated cuboid tree diagram) in the upper half-plane. For, one can get the modular quilt from the dessin by adding one extra vertex for every connected component of the complement of the dessin (in the example, the two vertices corresponding to 0 and 1) and drawing a triangulation from them (the dotted lines or ‘seams’).

One Comment

mini-sudokube

Published December 29, 2007 by lievenlb

Via the Arcadian functor I learned of the existence of the Sudokube (picture on the left).

Sudokube is a variation on a Rubik’s Cube in which each face resembles one-ninth of a Sudoku grid: the numbers from one to nine. This makes solving the cube slightly more difficult than a conventional Rubik’s Cube because each number must be in the right place and the centre cubies must also be in the correct orientation.

A much more interesting Sudoku-variation of the cube was invented two weeks ago by one of my freshmen-grouptheory students and was dubbed the mini-sudokube by him. Here’s the story.

At the end of my grouptheory course I let the students write a paper to check whether they have research potential. This year the assignment was to read through the paper mini-sudokus and groups by Carlos Arcos, Gary Brookfield and Mike Krebs, and do something original with it.

Mini-Sudoku is the baby $2 \times 2 $ version of Sudoku. Below a trivial problem and its solution

Of course most of them took the safe road and explained in more detail a result of the paper. Two of them were more original. One used the mini-sudoku solutions to find solutions for 4×4 sudokus, but the most original contribution came from Ibrahim Belkadi who wanted to count all mini-sudokubes. A mini-sudokube is a cube with a mini-sudoku solution on all 6 of its sides BUT NUMBERS CARRY OVER CUBE-EDGES. That is, if we have as the mini-sudoku given by the central square below on the top-face of the cube, then on the 4 side-faces we have already one row filled in.

The problem then is to find out how many compatible solutions there are. It is pretty easy to see that top- and bottom-faces determine all squares of the cube, but clearly not all choices are permitted. For example, with the above top-face fixed there are exactly 4 solutions. Let ${ a,b } = { 1,4 } $ and ${ c,d } = { 2,3 } $ then these four solutions are given below

Putting one of these solutions (or any other) on a $4 \times 4 $-Rubik cube would make a more interesting puzzle, I think. I’ve excused Ibrahim from having to take examination on condition that he writes down what he can prove on his mini-sudokubes by that time. Looking forward to it!

One Comment

the modular group and superpotentials (2)

Published December 28, 2007 by lievenlb

Last time we have that that one can represent (the conjugacy class of) a finite index subgroup of the modular group $\Gamma = PSL_2(\mathbb{Z}) $ by a Farey symbol or by a dessin or by its fundamental domain. Today we will associate a quiver to it.

For example, the modular group itself is represented by the Farey symbol
[tex]\xymatrix{\infty \ar@{-}[r]_{\circ} & 0 \ar@{-}[r]_{\bullet} & \infty}[/tex] or by its dessin (the green circle-edge) or by its fundamental domain which is the region of the upper halfplane bounded by the red and blue vertical boundaries. Both the red and blue boundary consist of TWO edges which are identified with each other and are therefore called a and b. These edges carry a natural orientation given by circling counter-clockwise along the boundary of the marked triangle (or clockwise along the boundary of the upper unmarked triangle having $\infty $ as its third vertex). That is the edge a is oriented from $i $ to $0 $ (or from $i $ to $\infty $) and the edge b is oriented from $0 $ to $\rho $ (or from $\infty $ to $\rho $) and the green edge c (which is an inner edge so carries no identifications) from $\rho $ to $i $. That is, the fundamental region consists of two triangles, glued together along their boundary which is the oriented cycle $\vec{abc} $ consistent with the fact that the compactification of $\mathcal{H}/\Gamma $ is the 2-sphere $S^2 = \mathbb{P}^1_{\mathbb{C}} $. Under this identification the triangle-boundary abc can be seen to circle the equator whereas the top triangle gives the upper half sphere and the lower triangle the lower half sphere. Emphasizing the orientation we can depict the triangle-boundary as the quiver

[tex]\xymatrix{i \ar[rd]_a & & \rho \ar[ll]_c \\ & 0 \ar[ru]_b}[/tex]

embedded in the 2-sphere. Note that quiver is just a fancy name for an oriented graph…

Okay, let’s look at the next case, that of the unique index 2 subgroup $\Gamma_2 $ represented by the Farey symbol [tex]\xymatrix{\infty \ar@{-}[r]_{\bullet} & 0 \ar@{-}[r]_{\bullet} & \infty}[/tex] or the dessin (the two green edges) or by its fundamental domain consisting of the 4 triangles where again the left and right vertical boundaries are to be identified in parts.

That is we have 6 edges on the 2-sphere $\mathcal{H}/\Gamma_2 = S^2 $ all of them oriented by the above rule. So, for example the lower-right triangle is oriented as $\vec{cfb} $. To see how this oriented graph (the quiver) is embedded in $S^2 $ view the big lower region (cdab) as the under hemisphere and the big upper region (abcd) as the upper hemisphere. So, the two green edges together with a and b are the equator and the remaining two yellow edges form the two parts of a bigcircle connecting the north and south pole. That is, the graph are the cut-lines if we cut the sphere in 4 equal parts. The corresponding quiver-picture is

[tex]\xymatrix{& i \ar@/^/[dd]^f \ar@/_/[dd]_e & \\
\rho^2 \ar[ru]^d & & \rho \ar[lu]_c \\
& 0 \ar[lu]^a \ar[ru]_b &}[/tex]

As a mental check, verify that the index 3 subgroup determined by the Farey symbol [tex]\xymatrix{\infty \ar@{-}[r]_{\circ} & 0 \ar@{-}[r]_{\circ} & 1 \ar@{-}[r]_{\circ} & \infty}[/tex] , whose fundamental domain with identifications is given on the left, has as its associated quiver picture

[tex]\xymatrix{& & \rho \ar[lld]_d \ar[ld]^f \ar[rd]^e & \\
i \ar[rrd]_a & i+1 \ar[rd]^b & & \omega \ar[ld]^c \\
& & 0 \ar[uu]^h \ar@/^/[uu]^g \ar@/_/[uu]_i &}[/tex]

whereas the index 3 subgroup determined by the Farey symbol [tex]\xymatrix{\infty \ar@{-}[r]_{1} & 0 \ar@{-}[r]_{1} & 1 \ar@{-}[r]_{\circ} & \infty}[/tex], whose fundamental domain with identifications is depicted on the right, has as its associated quiver

[tex]\xymatrix{i \ar[rr]^a \ar[dd]^b & & 1 \ar@/^/[ld]^h \ar@/_/[ld]_i \\
& \rho \ar@/^/[lu]^d \ar@/_/[lu]_e \ar[rd]^f & \\
0 \ar[ru]^g & & i+1 \ar[uu]^c}[/tex]

Next time, we will use these quivers to define superpotentials…

2 Comments

recycled : dessins

Published December 27, 2007 by lievenlb

In a couple of days I’ll be blogging for 4 years… and I’m in the process of resurrecting about 300 posts from a database-dump made in june. For example here’s my first post ever which is rather naive. This conversion program may last for a couple of weeks and I apologize for all unwanted pingbacks it will produce.

I’ll try to convert chunks of related posts in one go, so that I can at least give them correct self-references. Today’s work consisted in rewriting the posts of my virtual course, in march of this year, on dessins d’enfants and its connection to noncommutative geometry (a precursor of what Ive been blogging about recently). These posts were available through the PDF-archive but are from now on open to the internal search-function. Here are the internal links and a short description of their contents

The best rejected proposal ever on Grothendieck’s programme and Belyi maps.
Monsieur Mathieu on the dessins of $M_{12} $ and $M_{24} $.
The cartographers’ groups 1 on the free product structure of $PSL_2(\mathbb{Z}) $ and related groups.
The cartographers’ groups 2 continuation and a simpler proof due to Alperin.
Anabelian geometry on sources of representations of the modular group.
The noncommutative manifold of a Riemann surface a mental picture to get all finite dimensional representations of the coordinate ring of a curve.
Noncommutative curves and their manifolds extension to twisted curves.
Permutation representations of monodromy groups how dessins give such representations.

Besides, I’ve added a few scattered old posts, many more to follow…

2 Comments

the modular group and superpotentials (1)

Published December 26, 2007 by lievenlb

Here I will go over the last post at a more leisurely pace, focussing on a couple of far more trivial examples. Here’s the goal : we want to assign a quiver-superpotential to any subgroup of finite index of the modular group. So fix such a subgroup $\Gamma’ $ of the modular group $\Gamma=PSL_2(\mathbb{Z}) $ and consider the associated permutation representation of $\Gamma $ on the left-cosets $\Gamma/\Gamma’ $. As $\Gamma \simeq C_2 \ast C_3 $ this representation is determined by the action of the order 2 and order 3 generators of the modular group. There are a number of combinatorial gadgets to control the subgroup $\Gamma’ $ and the associated permutation representation : (generalized) Farey symbols and dessins d’enfants.

Recall that the modular group acts on the upper-halfplane (the ‘hyperbolic plane’) by Moebius transformations, so to any subgroup $\Gamma’ $ we can associate a fundamental domain for its restricted action. The dessins and the Farey symbols give us a particular choice of these fundamental domains. Let us consider the two most trivial subgroups of all : the modular group itself (so $\Gamma/\Gamma $ is just one element and therefore the associated permutation representation is just the trivial representation) and the unique index two subgroup $\Gamma_2 $ (so there are two cosets $\Gamma/\Gamma_2 $ and the order 2 generator interchanges these two while the order 3 generator acts trivially on them). The fundamental domains of $\Gamma $ (left) and $\Gamma_2 $ (right) are depicted below

In both cases the fundamental domain is bounded by the thick black (hyperbolic) edges. The left-domain consists of two hyperbolic triangles (the upper domain has $\infty $ as the third vertex) and the right-domain has 4 triangles. In general, if the subgroup $\Gamma’ $ has index n, then its fundamental domain will consist of $2n $ hyperbolic triangles. Note that these triangles are part of the Dedekind tessellation so really depict the action of $PGL_2(\mathbb{Z} $ and any $\Gamma $-hyperbolic triangle consists of one black and one white triangle in Dedekind’s coloring. We will indicate the color of a triangle by a black circle if the corresponding triangle is black. Of course, the bounding edges of the fundamental domain need to be identified and the Farey symbol is a notation device to clarify this. The Farey symbols of the above domains are
[tex]\xymatrix{\infty \ar@{-}[r]_{\circ} & 0 \ar@{-}[r]_{\bullet} & \infty}[/tex] and [tex]\xymatrix{\infty \ar@{-}[r]_{\bullet} & 0 \ar@{-}[r]_{\bullet} & \infty}[/tex] respectively. In both cases this indicates that the two bounding edges on the left are to be identified as are the two bounding edges on the right (so, in particular, after identification $\infty $ coincides with $0 $). Hence, after identification, the $\Gamma $ domain consists of two triangles on the vertices ${ 0,i,\rho } $ (where $\rho=e^{2 \pi i}{6} $) (the blue dots) sharing all three edges, the $\Gamma_2 $ domain consists of 4 triangles on the 4 vertices ${ 0,i,\rho,\rho^2 } $ (the blue dots). In general we have three types of vertices : cusps (such as 0 or $\infty $), even vertices (such as $i $ where there are 4 hyperbolic edges in the Dedekind tessellation) and odd vertices (such as $\rho $ and $\rho^2 $ where there are 6 hyperbolic edges in the tessellation).

Another combinatorial gadget assigned to the fundamental domain is the cuboid tree diagram or dessin. It consists of all odd and even vertices on the boundary of the domain, together with all odd and even vertices in the interior. These vertices are then connected with the hyperbolic edges connecting them. If we color the even vertices red and the odds blue we have the indicated dessins for our two examples (the green pictures). An half-edge is an edge connecting a red and a blue vertex in the dessin and we number all half-edges. So, the $\Gamma $-dessin has 1 half-edge whereas the $\Gamma_2 $-dessin has two (in general, the number of these half-edges is equal to the index of the subgroup). Observe also that every triangle has exactly one half-edge as one of its three edges. The dessin gives all information to calculate the permutation representation on the coset-set $\Gamma/\Gamma’ $ : the action of the order 2 generator of $\Gamma $ is given by taking for each internal red vertex the two-cycle $~(a,b) $ where a and b are the numbers of the two half-edges connected to the red vertex and the action of the order 3 generator is given by taking for every internal blue vertex the three cycle $~(c,d,e) $ where c, d and e are the numbers of the three half-edges connected to the blue vertex in counter-clockwise ordering. Our two examples above are a bit too simplistic to view this in action. There are no internal blue vertices, so the action of the order 3 generator is trivial in both cases. For $\Gamma $ there is also no red internal vertex, whence this is indeed the trivial representation whereas for $\Gamma_2 $ there is one internal red vertex, so the action of the order 2 generator is given by $~(1,2) $, which is indeed the representation representation on $\Gamma/\Gamma_2 $. In general, if the index of the subgroup $\Gamma’ $ is n, then we call the subgroup of the symmetric group on n letters $S_n $ generated by the action-elements of the order 2 and order 3 generator the monodromy group of the permutation representation (or of the subgroup). In the trivial cases here, the monodromy groups are the trivial group (for $\Gamma $) and $C_2 $ (for $\Gamma_2 $).

As a safety-check let us work out all these concepts in the next simplest examples, those of some subgroups of index 3. Consider the Farey symbols

[tex]\xymatrix{\infty \ar@{-}[r]_{\circ} & 0 \ar@{-}[r]_{\circ} & 1 \ar@{-}[r]_{\circ} & \infty}[/tex] and
[tex]\xymatrix{\infty \ar@{-}[r]_{\circ} & 0 \ar@{-}[r]_{1} & 1 \ar@{-}[r]_{1} & \infty}[/tex]

In these cases the fundamental domain consists of 6 triangles with the indicated vertices (the blue dots). The distinction between the two is that in the first case, one identifies the two edges of the left, resp. bottom, resp. right boundary (so, in particular, 0,1 and $\infty $ are identified) whereas in the second one identifies the two edges of the left boundary and identifies the edges of the bottom with those of the right boundary (here, 0 is identified only with $\infty $ but also $1+i $ is indetified with $\frac{1}{2}+\frac{1}{2}i $).

In both cases the dessin seems to be the same (and given by the picture on the right). However, in the first case all three red vertices are distinct hence there are no internal red vertices in this case whereas in the second case we should identify the bottom and right-hand red vertex which then becomes an internal red vertex of the dessin!

Hence, if we order the three green half-edges 1,2,3 starting with the bottom one and counting counter-clockwise we see that in both cases the action of the order 3-generator of $\Gamma $ is given by the 3-cycle $~(1,2,3) $. The action of the order 2-generator is trivial in the first case, while given by the 2-cycle $~(1,2) $ in the second case. Therefore, the monodromy group is the cylic group $C_3 $ in the first case and is the symmetric group $S_3 $ in the second case.

Next time we will associate a quiver to these vertices and triangles as well as a cubic superpotential which will then allow us to define a noncommutative algebra associated to any subgroup of the modular group. The monodromy group of the situation will then reappear as a group of algebra-automorphisms of this noncommutative algebra!

One Comment

Superpotentials and Calabi-Yaus

Published December 22, 2007 by lievenlb

Yesterday, Jan Stienstra gave a talk at theARTS entitled “Quivers, superpotentials and Dimer Models”. He started off by telling that the talk was based on a paper he put on the arXiv Hypergeometric Systems in two Variables, Quivers, Dimers and Dessins d’Enfants but that he was not going to say a thing about dessins but would rather focuss on the connection with superpotentials instead…pleasing some members of the public, while driving others to utter despair.

Anyway, it gave me the opportunity to figure out for myself what dessins might have to do with dimers, whathever these beasts are. Soon enough he put on a slide containing the definition of a dimer and from that moment on I was lost in my own thoughts… realizing that a dessin d’enfant had to be a dimer for the Dedekind tessellation of its associated Riemann surface!
and a few minutes later I could slap myself on the head for not having thought of this before :

There is a natural way to associate to a Farey symbol (aka a permutation representation of the modular group) a quiver and a superpotential (aka a necklace) defining (conjecturally) a Calabi-Yau algebra! Moreover, different embeddings of the cuboid tree diagrams in the hyperbolic plane may (again conjecturally) give rise to all sorts of arty-farty fanshi-wanshi dualities…

I’ll give here the details of the simplest example I worked out during the talk and will come back to general procedure later, when I’ve done a reference check. I don’t claim any originality here and probably all of this is contained in Stienstra’s paper or in some physics-paper, so if you know of a reference, please leave a comment. Okay, remember the Dedekind tessellation ?

So, all hyperbolic triangles we will encounter below are colored black or white. Now, take a Farey symbol and consider its associated special polygon in the hyperbolic plane. If we start with the Farey symbol

[tex]\xymatrix{\infty \ar@{-}_{(1)}[r] & 0 \ar@{-}_{\bullet}[r] & 1 \ar@{-}_{(1)}[r] & \infty} [/tex]

we get the special polygonal region bounded by the thick edges, the vertical edges are identified as are the two bottom edges. Hence, this fundamental domain has 6 vertices (the 5 blue dots and the point at $i \infty $) and 8 hyperbolic triangles (4 colored black, indicated by a black dot, and 4 white ones).

Right, now let us associate a quiver to this triangulation (which embeds the quiver in the corresponding Riemann surface). The vertices of the triangulation are also the vertices of the quiver (so in our case we are going for a quiver with 6 vertices). Every hyperbolic edge in the triangulation gives one arrow in the quiver between the corresponding vertices. The orientation of the arrow is determined by the color of a triangle of which it is an edge : if the triangle is black, we run around its edges counter-clockwise and if the triangle is white we run over its edges clockwise (that is, the orientation of the arrow is independent of the choice of triangles to determine it). In our example, there is one arrows directed from the vertex at $i $ to the vertex at $0 $, whether you use the black triangle on the left to determine the orientation or the white triangle on the right. If we do this for all edges in the triangulation we arrive at the quiver below

where x,y and z are the three finite vertices on the $\frac{1}{2} $-axis from bottom to top and where I’ve used the physics-convention for double arrows, that is there are two F-arrows, two G-arrows and two H-arrows. Observe that the quiver is of Calabi-Yau type meaning that there are as much arrows coming into a vertex as there are arrows leaving the vertex.

Now that we have our quiver we determine the superpotential as follows. Fix an orientation on the Riemann surface (for example counter-clockwise) and sum over all black triangles the product of the edge-arrows counterclockwise MINUS sum over all white triangles
the product of the edge arrows counterclockwise. So, in our example we have the cubic superpotential

$IH’B+HAG+G’DF+FEC-BHI-H’G’A-GFD-CEF’ $

From this we get the associated noncommutative algebra, which is the quotient of the path algebra of the above quiver modulo the following ‘commutativity relations’

$\begin{cases} GH &=G’H’ \\ IH’ &= IH \\ FE &= F’E \\ F’G’ &= FG \\ CF &= CF’ \\ EC &= GD \\ G’D &= EC \\ HA &= DF \\ DF’ &= H’A \\ AG &= BI \\ BI &= AG’ \end{cases} $

and morally this should be a Calabi-Yau algebra (( can someone who knows more about CYs verify this? )). This concludes the walk through of the procedure. Summarizing : to every Farey-symbol one associates a Calabi-Yau quiver and superpotential, possibly giving a Calabi-Yau algebra!

6 Comments