Eli Bendersky's website » Math http://eli.thegreenplace.net Eli Bendersky's personal website Fri, 30 Jul 2010 12:30:52 +0000 http://wordpress.org/?v=2.9.2 en hourly 1 Horner’s rule: efficient evaluation of polynomials http://eli.thegreenplace.net/2010/03/30/horners-rule-efficient-evaluation-of-polynomials/ http://eli.thegreenplace.net/2010/03/30/horners-rule-efficient-evaluation-of-polynomials/#comments Tue, 30 Mar 2010 13:10:32 +0000 eliben http://eli.thegreenplace.net/?p=2140
  • Efficient integer exponentiation algorithms Did you ever think about the most efficient method to...
  • Efficient modular exponentiation algorithms Earlier this week I’ve discussed efficient algorithms for exponentiation. However,...
  • the rule of 72 Say you invest some amount of money, and you get...
    • ]]>     Here’s a general degree-n polynomial:

    p(x) = \sum_{i=0}^n a_i x^i = a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \cdots + a_n x^n

    To evaluate such a polynomial using a computer program, several approaches can be employed.

    The simplest, naive method is to compute each term of the polynomial separately and then add them up. Here’s the Python code for it:

    def poly_naive(A, x):
    p = 0
    for i, a in enumerate(A):
        p += (x ** i) * a
    return p

    A is an array of coefficients, lowest first, a_0 until a_n.

    This method is quite inefficient. It requires n additions (since there are n+1 terms to be added) and (n^2 + n)/2 multiplications.

    Iterative method

    It’s obvious that there’s a lot of repetitive computations being done by raising x to successive powers. We can make things much more efficient by simply keeping the previous power of x between iterations. This is the "iterative method":

    def poly_iter(A, x):
    p = 0
    xn = 1
    for a in A:
        p += xn * a
        xn *= x
    return p

    In this code xn is the current power of x. We don’t need to raise x to a power on each iteration of the loop, a single multiplication suffices. It’s easy to see that there are 2n multiplications and n additions for each computation. The algorithm is now linear instead of quadratic.

    Horner’s rule

    It can be further improved, however. Take a look at this polynomial:

    6 x^3 + 4 x^2 + 7 x + 19

    It can be rewritten as follows:

    ((6 x + 4) x + 7) x + 19

    And in general, we can always rewrite the polynomial:

    a_0 + a_1 x + a_2 x^2 + a_3 x^3 + \cdots + a_n x^n

    As:

    a_0 + x (a_1 + x ( \cdots + x (a_{n-1} + a_n x))

    This rearrangement is usually called "Horner’s rule". We can write the code to implement it as follows:

    def poly_horner(A, x):
    p = A[-1]
    i = len(A) - 2
    while i >= 0:
        p = p * x + A[i]
        i -= 1
    return p

    Here we start by assigning a_n to p and then successively multiplying by x and adding the next coefficient. This code requires n multiplications and n additions (I’m ignoring here the modification of the loop variable i, as I ignored it in all other algorithms, where it was implicit in the Python for loop).

    While asymptotically similar to the iterative method, Horner’s method has better constants and thus is faster.

    Curiously, Horner’s rule was discovered in the early 19th century, far before the advent of computers. It’s obviously useful for manual computation of polynomials as well, for the same reason: it requires less operations.

    I’ve timed the 3 algorithms on a random polynomial of degree 500. The one using Horner’s rule is about 5 times faster than the naive approach, and 15% faster than the iterative method.

    Related posts:

    1. Efficient integer exponentiation algorithms Did you ever think about the most efficient method to...
    2. Efficient modular exponentiation algorithms Earlier this week I’ve discussed efficient algorithms for exponentiation. However,...
    3. the rule of 72 Say you invest some amount of money, and you get...

    ]]>     http://eli.thegreenplace.net/2010/03/30/horners-rule-efficient-evaluation-of-polynomials/feed/ 2     A group-theoretic proof of Euler’s theorem http://eli.thegreenplace.net/2009/08/01/a-group-theoretic-proof-of-eulers-theorem/ http://eli.thegreenplace.net/2009/08/01/a-group-theoretic-proof-of-eulers-theorem/#comments Sat, 01 Aug 2009 06:00:43 +0000 eliben http://eli.thegreenplace.net/?p=1787
  • Equivalence classes and group partitions In this post I want to show some interesting definitions...
  • The GCD and linear combinations A linear combination of a and b is some integer...
  • Pythagorean – the theorem with most proofs ? This page shows 76 different proofs of the Pythagorean theorem....
    • ]]>     A very important and useful theorem in number theory is named after Leonhard Euler:

    a^{\varphi (n)} \equiv 1 \pmod{n}

    Where \varphi (n) is Euler’s totient function – the amount of numbers smaller than n that are coprime to it.

    Here I want to present a nice proof of this theorem, based on group theory. I begin with some preliminary definitions and gradually move towards the final goal.

    (I) Congruence class: Let a and n > 0 be integers. The set of all integers that have the same remainder as a when divided by n is called the congruence class of a modulo n and is denoted by [a]_n, where:

    [a]_n=\{x\in \mathbb{Z}|x\equiv a(mod n)\}

    \mathbb{Z}_n is the set of all congruence classes modulo n.

    (II) Units of \mathbb{Z}_n: If for [a]_n we find some [b]_n such that [a]_n[b]_n=[1]_n, we call [a]_n a unit of \mathbb{Z}_n. The set of units of \mathbb{Z}_n is denoted by \mathbb{Z}^{\times}_{n}

    For example, [2]_n is a unit of \mathbb{Z}_7, because [2]_7[4]_7=[1]_7 .

    (III) The congruence class [a]_n is a unit of \mathbb{Z}_n if and only if (a,n) = 1 (the GCD of a and n is 1, in other words they’re co-prime).

    Proof: By definition of units, there exists some [b]_n such that [a]_n[b]_n=[1]_n. Therefore ab\equiv 1(mod n), which implies that for some q, ab=1+qn. Thus ab+(-q)n=1. So 1 is a linear combination of a and n. Therefore (a,n)=1.
    On the other hand, if (a,n)=1, there exist q and b such that ab+qn=1, or ab\equiv 1(mod n), so [a]_n[b]_n=[1]_n.

    (IV) By definition, since every unit of \mathbb{Z}_n is coprime to n, the amount of units of \mathbb{Z}_n (or, the number of elements of \mathbb{Z}^{\times}_{n}) is \varphi (n).

    Let’s keep this result in mind and prepare some more theorems in order to attack the proof.

    (V) Lagrange’s theorem: If H is a subgroup of the finite group G, then the order of H is a divisor of the order of G.

    Proof: Let’s first define |G|=n and |H|=m. Also, let \sim be the equivalence relation defined in example (III) of the previous post. Since it’s an equivalence relation, it partitions G into equivalence classes. Define [a] as the equivalence class of a with \sim, for any a\in G.

    To prove Lagrange’s theorem, we’re going to show that [a] has the same amount of elements as H. For this purpose, let’s define a function p_a:H\rightarrow [a] by p_a(x)=xa for all x\in H and prove that it’s an isomorphism. To do that, we’ll have to separately prove that it’s onto and one-to-one.

    But first, let’s verify that the stated codomain of p_a is correct. If h\in H then p_a(h)=ha\in [a] because (ha)a^{-1}=h\in H, so by definition of \sim we have a\sim ha. So indeed the codomain of p_a is [a].

    1. Let’s pick some y in G such that y\sim a . By definition of our \sim it means that ya^{-1}=h for some h\in H. So p_a(x)=y has a solution x=h (since ha=(ya^{-1})a=y). Therefore p_a is onto.
    2. Suppose that h,k\in H with p_a(h)=p_a(k). Then ha=hk and by cancellation in groups we have h=k, which proves that p_a is one-to-one.

    So we’ve proved that p_a is an isomorphism, which means that |[a]|=|H| (we can map each element of [a] to one and only one element of |H|).

    We’ve previously shown that the equivalence classes of \sim partition G. But now we see that the size of each equivalence class is equal to |H|. Therefore, all the equivalence classes are of the same size, and n=mt where t is the amount of equivalence classes. This proves Lagrange’s theorem.

    We’re almost there. To see how all of this relates to Euler’s theorem, let’s first define the order of an element of a group.

    (VI) Order of group element: Let a\in G. If there exists a positive integer n such that a^n=e, then a is said to have finite order and the smallest such positive integer is called the order of a, denoted by o(a).

    We’ll also define the subgroup generated by an element:

    (VII) Cyclic subgroup: \langle a \rangle =\{a^k:k\in \mathbb{Z}\} is a cyclic subgroup of G generated by a\in G. For a finite G this subgroup is also finite, and its size is: |\langle a \rangle| = o(a).

    Armed with these definitions, we’re now ready for the following corollary of Lagrange’s theorem:

    (VIII) Lagrange theorem corollary: Let G be a finite group of order n. Then:

    1. For any a\in G, o(a) divides n
    2. For any a\in G, a^n=e

    Proof: As we’ve seen, |\langle a \rangle| = o(a) and by Lagrange’s theorem |\langle a \rangle| divides n (since \langle a \rangle is a subgroup of G). Therefore (1) is proven.
    For (2), note that if a has order m, then by (1) we have n=mq for some integer q. Thus a^n=a^{mq}=(a^m)^q. But a has order m, so a^m=e and therefore (a^m)^q=e. Q.E.D.

    We now finally have all the tools required to prove Euler’s theorem.

    Proof of Euler’s theorem: Let G=\mathbb{Z}^{\times}_{n} the group of units modulo n. The order of G is \varphi (n) (by (IV)). Now, by (VIII) part (2), raising any congruence class to the power \varphi (n) must give the identity element. The statement [a]^{\varphi (n)} = [1] is equivalent to a^{\varphi (n)}\equiv 1(mod\: n)

    Q.E.D.

    Related posts:

    1. Equivalence classes and group partitions In this post I want to show some interesting definitions...
    2. The GCD and linear combinations A linear combination of a and b is some integer...
    3. Pythagorean – the theorem with most proofs ? This page shows 76 different proofs of the Pythagorean theorem....

    ]]>     http://eli.thegreenplace.net/2009/08/01/a-group-theoretic-proof-of-eulers-theorem/feed/ 0     Equivalence classes and group partitions http://eli.thegreenplace.net/2009/07/17/equivalence-classes-and-group-partitions/ http://eli.thegreenplace.net/2009/07/17/equivalence-classes-and-group-partitions/#comments Fri, 17 Jul 2009 13:47:57 +0000 eliben http://eli.thegreenplace.net/?p=1809
  • A group-theoretic proof of Euler’s theorem A very important and useful theorem in number theory is...
  • The GCD and linear combinations A linear combination of a and b is some integer...
  • The well-ordering principle The well-ordering principle states: The well-ordering principle: Any nonempty set...
    • ]]>     In this post I want to show some interesting definitions and theorems about equivalence relations & classes, and groups.

    Relations are an important topic in algebra. Conceptually, a relation is a statement aRb about two elements of a set. If the elements are integers, then a=b is a relation, and so is a\geq b.

    Here’s a formal set-theoretic definition:

    (I) Binary relation: A binary relation on a set A is a collection of ordered pairs of elements of A. In other words, it is the subset of A\times A. More generally, a binary relation between two sets A and B is a subset of A\times B.

    Note it says ordered pairs. What this means is that the order of elements in a relation is important. Intuitively, given the relation \geq and the set of integers, it’s clear that a\geq b does not generally imply b\geq a.

    An important sub-class of relations we’ll be most interested with is the equivalence relations:

    (II) Equivalence relation: A relation \sim on a set is called an equivalence relation if it’s reflexive, symmetric and transitive:

    • Reflexive: for all a in S it holds that a\sim a.
    • Symmetric: for all a and b in S it holds that if a\sim b then b\sim a.
    • Transitive: for all a, b and c in S it holds that if a\sim b and b\sim c then a\sim c.

    Examples: equality is an equivalence relation, but greater-or-equal is not, as a\geq b doesn’t imply b\geq a – the symmetric condition doesn’t hold.

    Another important equivalence relation is the congruence modulo an integer, a\equiv b\: (mod n).

    (III) Example: Let G be a group and H a subgroup of G. For a,b\in G, define a\sim b if ab^{-1}\in H. Then \sim is an equivalence relation on G.

    Proof: To prove that some relation is an equivalence relation, we have to prove the three properties of equivalence relations.

    Reflexive: aa^{-1} is the identity element e. However, since H is a subgroup of G, it means that e\in H. Therefore aa^{-1}\in H, so a\sim a.

    Symmetric: Assume that ab^{-1}\in H. Since H is a subgroup, then this element has an inverse in H: (ab^{-1})^{-1}\in H. Using the associative law of groups several times it’s possible to show that (ab^{-1})^{-1}=(b^{-1})^{-1}a^{-1}=ba^{-1}
    So, ba^{-1}\in H, hence b\sim a.

    Transitive: Given ab^{-1}\in H and bc^{-1}\in H.
    (ab^{-1})(bc^{-1})=ac^{-1} So, ac^{-1}\in H, hence a\sim c.

    Thus, we’ve proved that this \sim is an equivalence relation. Let’s see a concrete application of the result we’ve just proved:

    Consider that if G=\mathbb{Z} with the operation +, and H is the subgroup consisting of all multiples of some n>1, then ab^{-1}\in H actually means that a+(-b)=kn for some k\in \mathbb{Z}. In other words a\equiv b\: (mod n). This proves that congruence modulo n is an equivalence relation, since it’s a special case of (III).

    (IV) Equivalence class: If \sim is an equivalence relation on S, then [a], the equivalence class of a is defined by [a] = \{b\in S|b\sim a\}

    For example, let’s take the integers \mathbb{Z} and define an equivalence relation "congruent modulo 5". For instance, 1\sim 6. The congruence class of 1 modulo 5 (denoted [1]_5) is \{\mathellipsis, -9, -4, 1, 6, 11, \mathellipsis\}.

    (V) Group partition: If \sim is an equivalence relation on S, then S=\bigcup [a] for all a\in S, and [a]\ne [b] implies that [a]\cap [b]=\varnothing. In other words, \sim partitions S into disjoint equivalence classes.

    Proof: the first part is easy. Since always a\in [a], then \bigcup_{a\in S}[a]=S. To prove the second part, we’ll show that if [a]\cap [b]\ne \varnothing then [a]=[b].

    Suppose that [a]\cap [b]\ne \varnothing, and let c\in [a]\cap [b]. Therefore c\sim a and c\sim b. But \sim is an equivalence relation and thus is transitive and symmetric. So a\sim b. But this means that a and b are in the same equivalence class: [a]=[b]. Q.E.D.

    Related posts:

    1. A group-theoretic proof of Euler’s theorem A very important and useful theorem in number theory is...
    2. The GCD and linear combinations A linear combination of a and b is some integer...
    3. The well-ordering principle The well-ordering principle states: The well-ordering principle: Any nonempty set...

    ]]>     http://eli.thegreenplace.net/2009/07/17/equivalence-classes-and-group-partitions/feed/ 1     Detexify recognizes hand-written math symbols http://eli.thegreenplace.net/2009/07/13/detexify-recognizes-hand-written-math-symbols/ http://eli.thegreenplace.net/2009/07/13/detexify-recognizes-hand-written-math-symbols/#comments Mon, 13 Jul 2009 03:31:16 +0000 eliben http://eli.thegreenplace.net/?p=1800 Does it ever happen to you that you don’t remember the Latex code for some mathematical symbol? What can you do then except wading through pages of Latex symbols trying to locate the right one?

    Well, no more! Detexify is a great new service that allows you to “draw” the symbol you’re looking for:

    intg_handwriting

    … and it will suggest the Latex code.

    intg_suggestions

    Detexify is a learning OCR classifier, and can be “trained” by users to improve it’s performance.

    Kudos to the creator of Detexify for a great project. It will definitely be useful…

    No related posts.

    ]]>     http://eli.thegreenplace.net/2009/07/13/detexify-recognizes-hand-written-math-symbols/feed/ 3     Generating multi-subsets using arithmetic http://eli.thegreenplace.net/2009/07/11/generating-multi-subsets-using-arithmetic/ http://eli.thegreenplace.net/2009/07/11/generating-multi-subsets-using-arithmetic/#comments Sat, 11 Jul 2009 05:27:13 +0000 eliben http://eli.thegreenplace.net/?p=1784
  • application of combinations The text buffewring widget I’m building allows the user to...
  • Allocating multi-dimensional arrays in C++ Updated on 04.06.2010 Allocating multi-dimensional arrays in C++ (and C)...
  • Generating random sentences from a context free grammar Sometimes it’s interesting to randomly generate a large amount of...
    • ]]>     In the past I’ve written about how simple arithmetic can be employed to compute a powerset of a given set.

    Here I want to show a generalization, that uses n-nary arithmetic. But first, let’s define the problem:

    Suppose you have a set of elements and you want to select multi-subsets from it. By multi-subset in this context I mean that an element can appear more than once in it. For example, given the set {0, 1, 2, 3, 4, 5}, then {1, 1, 2} is a multi-subset. So are {5, 5, 5, 5} and {0, 1, 2, 3, 4, 5}. Suppose you want to go over all multi-subsets of a set. How can this be done?

    Note that generating a superset is a private case of this problem, restricting each element to appear either 0 or 1 times in the resulting subset.

    So the solution is a generalization of the binary-arithmetic solution for the powerset problem.

    Intuitive motivation: consider the decimal numbers, for example 25. If we use the position of each digit (starting with the units) to convey information, this leads to an interesting observation. If we have two elements to choose from, 25 may mean 5 times the 1st element, 2 times the second element. Now, going over all numbers from 0 to 99, we are actually generating all multi-subsets of two elements where each can be picked from 0 to 9 times.

    Once this is clear, the algorithm is simple. Let’s generalize to a n-ary base system, using position to point to an element and the ‘digit’ at this position to say how many times it appears in a given multi-subset. And the best part – the simple rules of addition with carry can now be used to efficiently generate all multi-subsets, given the amount of elements we have (length) and the maximal amount of times each can be picked (upto), the minimum being assumed 0.

    Here’s the code:

    def multiselects(upto, length):
  # Arithmetically, we create an array of digits
  # (each in the range 0..upto).
  # It's initialized with '1'
  #
  ar = [1] + [0] * (length - 1)

  while True:
      yield ar

      # The index we're currently trying to
      # advance
      #
      idx = 0

      # Advance the current index. If it reaches
      # the limit (upto), pefrorm a carry to the
      # next index (digits)
      #
      while idx < length:
          ar[idx] += 1
          if ar[idx] <= upto:
              break
          else:
              ar[idx] = 0
              idx += 1

      # We've reached the last number...
      #
      if idx == length:
          break

    An an example run of:

    for s in multiselects(2, 3):
    print s

    Produces:

    [1, 0, 0]
[2, 0, 0]
[0, 1, 0]
[1, 1, 0]
[2, 1, 0]
[0, 2, 0]
[1, 2, 0]
[2, 2, 0]
[0, 0, 1]
[1, 0, 1]
[2, 0, 1]
[0, 1, 1]
[1, 1, 1]
[2, 1, 1]
[0, 2, 1]
[1, 2, 1]
[2, 2, 1]
[0, 0, 2]
[1, 0, 2]
[2, 0, 2]
[0, 1, 2]
[1, 1, 2]
[2, 1, 2]
[0, 2, 2]
[1, 2, 2]
[2, 2, 2]

    Note that the solution is general, as the lists it returns are lists of indices. These can be employed with any set to generate multi-subsets.

    Background and links

    I came up with this function while working on Project Euler’s problem 77. I ended up using a different method, but visualizing the possible partitions of primes was very useful.

    Here are some interesting mathematical links related to this problem:

    Related posts:

    1. application of combinations The text buffewring widget I’m building allows the user to...
    2. Allocating multi-dimensional arrays in C++ Updated on 04.06.2010 Allocating multi-dimensional arrays in C++ (and C)...
    3. Generating random sentences from a context free grammar Sometimes it’s interesting to randomly generate a large amount of...

    ]]>     http://eli.thegreenplace.net/2009/07/11/generating-multi-subsets-using-arithmetic/feed/ 5     The GCD and linear combinations http://eli.thegreenplace.net/2009/07/10/the-gcd-and-linear-combinations/ http://eli.thegreenplace.net/2009/07/10/the-gcd-and-linear-combinations/#comments Fri, 10 Jul 2009 05:49:39 +0000 eliben http://eli.thegreenplace.net/?p=1763
  • A group-theoretic proof of Euler’s theorem A very important and useful theorem in number theory is...
  • mathematical musing This morning while washing the dishes I was contemplating a...
  • application of combinations The text buffewring widget I’m building allows the user to...
    • ]]>     A linear combination of a and b is some integer of the form ma+nb, where m,n\in \mathbb{Z}.

    There’s a very interesting theorem that gives a useful connection between linear combinations and the GCD of a and b, called Bézout’s identity:

    Bézout’s identity: (a,b) (the GCD of a and b) is the smallest positive linear combination of non-zero a and b.

    Both Bézout’s identity and its corollary I show below are very useful tools in elementary number theory, being used for the proofs of many of the most fundamental theorems. Let’s see why it’s true.

    (I) Intuition: First I’d like to explain this (surprising at first sight) theorem intuitively. By defintion, any common divisor of a and b will divide ma+nb for all m,n\in \mathbb{Z}. In particular, (a,b) also divides any ma+nb.

    Now, assume we’ve found some small x=ma+nb which isn’t the GCD. But we’ve just said that (a,b) divides all linear combinations, so it also divides x. Therefore, x can not be smaller than the GCD. In other words, the smallest positive linear combination can only be (a,b) itself.

    Corollary: An integer is a linear combination of a and b IFF it is a multiple of their GCD.

    To prove Bézout’s identity more formally, and along the way to see why the corollary is also true, let’s first prove the following:

    (III) Let I be a nonempty set of integers that is closed under addition and subtraction, and contains at least one non-zero integer. Then there exists a smallest positive element b\in I, and I consists of all multiples of b (I=b\mathbb{Z}).

    Proof: I contains at least one non-zero integer. Then it definitely contains at least one positive integer, because it is closed under addition and subtraction. Assume we have a\in I for some 0>a. Therefore a-a=0\in I and then also 0-a=-a\in I. Thus we have positive integers in I. According to the well-ordering principle, I has a smallest positive element which we’ll call b.

    Now we’ll want to show that I=b\mathbb{Z}. As usual, to prove equalities of sets, it will be shown that they contain one another.

    I\supseteq b\mathbb{Z} is obvious – since I contains b and is closed under addition and subtraction, it contains all the multiples of b.

    To prove I\subseteq b\mathbb{Z} we’ll demonstrate that any element c\in I is a multiple of b. Using the division algorithm we write c=bq+r for some integers q and 0 <= r < b. But this means that r\in I (because I contains bq and c and is closed under subtraction and addition). However, recall that b was chosen to be the smallest positive element of I, so r must be equal to 0. Therefore c is a multiple of b, and we have shown that I\subseteq b\mathbb{Z}. Q.E.D.

    Now back to Bézout’s identity. We’ll define:

    I=\{x\in \mathbb{Z}|x=ma+nb; m,n\in \mathbb{Z}\}

    This I is obviously non-empty and is closed under addition and subtraction (by its definition as a linear combination). Note, in particular, that it also contains a and b. By (III), I consists of all multiples of its smallest positive element, which we’ll call d here.

    To show that d=(a,b) we have to show that d|a, d|b and if c|a and c|b then c|d. First, by definition d is a divisor of any element in I, so it also divides a and b. If c|a and c|b, say a=cq and b=cp, then:

    d=ma+mb=m(cq)+n(cp)=c(mq+np)

    So d|c, which completes our proof that d=(a,b). Q.E.D.

    Regarding the corollary, it stems trivially from the definition of I and the proof above.

    Related posts:

    1. A group-theoretic proof of Euler’s theorem A very important and useful theorem in number theory is...
    2. mathematical musing This morning while washing the dishes I was contemplating a...
    3. application of combinations The text buffewring widget I’m building allows the user to...

    ]]>     http://eli.thegreenplace.net/2009/07/10/the-gcd-and-linear-combinations/feed/ 0     The well-ordering principle http://eli.thegreenplace.net/2009/07/09/the-well-ordering-principle/ http://eli.thegreenplace.net/2009/07/09/the-well-ordering-principle/#comments Thu, 09 Jul 2009 07:25:53 +0000 eliben http://eli.thegreenplace.net/?p=1772
  • The GCD and linear combinations A linear combination of a and b is some integer...
  • Equivalence classes and group partitions In this post I want to show some interesting definitions...
  • A group-theoretic proof of Euler’s theorem A very important and useful theorem in number theory is...
    • ]]>     The well-ordering principle states:

    The well-ordering principle: Any nonempty set of nonnegative integers has a smallest element.

    DUH, you don’t say! – seems obvious, doesn’t it? This principle is, nevertheless, a very important and fundamental tool for proving other basic principles of number theory.

    Consider, for instance, the Division Algorithm:

    The Division Algorithm: If m and n are integers with n > 0, then there exist integers q and r, with 0 <= r < n, such that m = qn + r.

    Again, this is so basic that one may doubt whether it should even be proved. But the well-ordering principle allows us, in fact, to prove the division algorithm in a rigorous manner:

    Let W=\{m-tn|t\in \mathbb{Z}\}. It is obvious that W contains nonnegative integers. Let V=\{v\in W|v \geq0\}. By the well-ordering principle, V has a smallest element, which we’ll call r. r\in V, so r = m-qn for some q and r >= 0 (by the definition of sets W and V, correspondingly).

    Now, what’s left to prove is that r < n. Let’s assume the opposite, namely that r=m-qn\geq n. Rearranging: r-n=m-(q+1)n\geq 0. By the definition of V, m-(q+1)n\in V (since it has the form m-tn for some integer t and is nonnegative). But recall that we called r the smallest element of V, and m-(q+1)n\le r, so we have a contradiction.

    Therefore, we see that r < n. This completes the proof. Q.E.D.

    Related posts:

    1. The GCD and linear combinations A linear combination of a and b is some integer...
    2. Equivalence classes and group partitions In this post I want to show some interesting definitions...
    3. A group-theoretic proof of Euler’s theorem A very important and useful theorem in number theory is...

    ]]>     http://eli.thegreenplace.net/2009/07/09/the-well-ordering-principle/feed/ 4     Project Euler problem 66 and continued fractions http://eli.thegreenplace.net/2009/06/19/project-euler-problem-66-and-continued-fractions/ http://eli.thegreenplace.net/2009/06/19/project-euler-problem-66-and-continued-fractions/#comments Fri, 19 Jun 2009 12:49:07 +0000 eliben http://eli.thegreenplace.net/?p=1740
  • Project Euler problem 69 Problem 69 is a really nice one. I looked at...
  • Project Euler problem 12 I’ve got hooked to Project Euler this week, after hearing...
  • Project Euler problem 83 – how creeps can help Problems 18, 67, 81, 82 and 83 in Project Euler...
    • ]]>     Problem 66 is one of those problems that make Project Euler lots of fun. It doesn’t have a brute-force solution, and to solve it one actually has to implement a non-trivial mathematical algorithm and get exposed to several interesting techniques.

    I will not post the solution or the full code for the problem here, just a couple of hints.

    After a very short bout of Googling, you’ll discover that the Diophantine equation:

    x^2-Dy^2=1

    Is quite famous and is called Pell’s equation. From here, further web searches and Wikipedia-reading will bring you to at least two methods for finding the fundamental solution, which is the pair of x and y with minimal x solving it.

    One of the methods involves computing the continued-fraction representation of the square root of D. This page is a must read on this topic, and will help you with other Euler problems as well.

    I want to post here a code snippet that implements the continued-fraction computation described in that link. Its steps follow the Algebraic algoritm given there:

    def CF_of_sqrt(n):
    """ Compute the continued fraction representation of the
        square root of N.

        The first element in the returned array is the whole
        part of the fraction. The others are the denominators
        up to (and not including) the point where it starts
        repeating.

        Uses the algorithm explained here:
        http://www.mcs.surrey.ac.uk/Personal/R.Knott/Fibonacci/cfINTRO.html
        In the section named: "Methods of finding continued
        fractions for square roots"
    """
    if is_square(n):
        return [int(math.sqrt(n))]

    ans = []

    step1_num = 0
    step1_denom = 1

    while True:
        nextn = int((math.floor(math.sqrt(n)) + step1_num) / step1_denom)
        ans.append(int(nextn))

        step2_num = step1_denom
        step2_denom = step1_num - step1_denom * nextn

        step3_denom = (n - step2_denom ** 2) / step2_num
        step3_num = -step2_denom

        if step3_denom == 1:
            ans.append(ans[0] * 2)
            break

        step1_num, step1_denom = step3_num, step3_denom

    return ans

    As I said, this still isn’t enough to solve the problem, but with this code in hand, the solution isn’t too far. Read some more about Pell’s equation and you’ll discover how to use this code to reach a solution.

    It took my program ~30 milliseconds to find an answer to the problem, by the way. It took less than a second to solve a 10-times larger problem (for D <= 10000), so I believe it to be a pretty good implementation.

    Related posts:

    1. Project Euler problem 69 Problem 69 is a really nice one. I looked at...
    2. Project Euler problem 12 I’ve got hooked to Project Euler this week, after hearing...
    3. Project Euler problem 83 – how creeps can help Problems 18, 67, 81, 82 and 83 in Project Euler...

    ]]>     http://eli.thegreenplace.net/2009/06/19/project-euler-problem-66-and-continued-fractions/feed/ 4     Efficient modular exponentiation algorithms http://eli.thegreenplace.net/2009/03/28/efficient-modular-exponentiation-algorithms/ http://eli.thegreenplace.net/2009/03/28/efficient-modular-exponentiation-algorithms/#comments Sat, 28 Mar 2009 07:51:29 +0000 eliben http://eli.thegreenplace.net/?p=1618
  • Efficient integer exponentiation algorithms Did you ever think about the most efficient method to...
  • Computing modular square roots in Python Consider the congruence of the form: n is a quadradic...
  • Horner’s rule: efficient evaluation of polynomials Here’s a general degree-n polynomial: To evaluate such a polynomial...
    • ]]>     Earlier this week I’ve discussed efficient algorithms for exponentiation.

    However, for real-life needs of number theoretic computations, just raising numbers to large exponents isn’t very useful, because extremely huge numbers start appearing very quickly [1], and these don’t have much use. What’s much more useful is modular exponentiation, raising integers to high powers \pmod n [2]

    Luckily, we can reuse the efficient algorithms developed in the previous article, with very few modifications to perform modular exponentiation as well. This is possible because of some convenient properties of modular arithmetic.

    Modular multiplication

    Given two numbers, a and b, their product modulo n is ab \pmod n. Consider the number x < n, such that x\equiv a\pmod n. Such a number always exists, and we usually call it the remainder of dividing a by n. Similarly, there is a y < b, such that y\equiv b\pmod n. It follows from basic rules of modular arithmetic that xy\equiv ab\pmod n [3]

    Therefore, if we want to know the product of a and b modulo n, we just have to keep their remainders when divided by n. Note: a and b may be arbitrarily large, but x and y are always smaller than n.

    A naive algorithm

    What is the most naive way you can think of for raising computing a^{b} \pmod n? Raise a to the power b, and then reduce modulo n. Right?

    Indeed, this is a very unsophisticated and slow method, because raising a to the power b can result in a really huge number that takes long to compute.

    For any useful number, this algorithm is so slow that I’m not even going to run it in the tests.

    Using the properties of modular multiplication

    As we’ve learned above, modular multiplication allows us to just keep the intermediate result \pmod n at each step. So we don’t have to ever hold numbers larger than the modulo. Here’s the implementation of a simple repeated multiplication algorithm for computing modular exponents this way:

    def modexp_mul(a, b, n):
    r = 1
    for i in xrange(b):
        r = r * a % n
    return r

    It’s much better than the naive algorithm, but as we saw in the previous article it’s quite slow, requiring b multiplications (and reductions modulo n).

    We can apply the same modular reduction rule to the more efficient exponentiation algorithms we’ve studied before.

    Modular exponentiation by squaring

    Here’s the right-to-left method with modular reductions at each step.

    def modexp_rl(a, b, n):
    r = 1
    while 1:
        if b % 2 == 1:
            r = r * a % n
        b /= 2
        if b == 0:
            break
        a = a * a % n

    return r

    We use exactly the same algorithm, but reduce every multiplication \pmod n. So the numbers we deal with here are never very large.

    Similarly, here’s the left-to-right method:

    def modexp_lr(a, b, n):
    r = 1
    for bit in reversed(_bits_of_n(b)):
        r = r * r % n
        if bit == 1:
            r = r * a % n
    return r

    With _bits_of_n being, as before:

    def _bits_of_n(n):
    """ Return the list of the bits in the binary
        representation of n, from LSB to MSB
    """
    bits = []

    while n:
        bits.append(n % 2)
        n /= 2

    return bits

    Relative performance

    As I’ve noted in the previous article, the RL method does a worse job of keeping its multiplicands low than the LR method. And indeed, for smaller n, RL is somewhat faster than LR. For larger n, RL is somewhat slower.

    What’s obvious is that now the built-in pow is superior to both hand-coded methods [4]. My tests show it’s anywhere from twice to 10 times as fast.

    Why is pow so much faster? Is it only the efficiency of C versus Python? Not really. In fact, pow uses an even more sophisticated algorithm for large exponents [5]. Indeed, for small exponents the runtime of pow is similar to the runtime of the implementations I presented above.

    The k-ary LR method

    It turns out that the LR method of repeated squaring can be generalized. Instead of breaking the exponent into bits of its base-2 representation, we can break it into larger pieces, and save some computations this way.

    I’ll present the k-ary LR method that breaks the exponent into its "digits" in base m=2^k for some integer k. The exponent can be written as:

    b=t_{i}m^{i}+t_{i-1}m^{i-1}+\cdots t_{0}m^{0}

    Where t_i are the digits of b in base m. a^b is then:

    a^{t_{i}m^{i}}\cdot a^{t_{i-1}m^{i-1}}\cdot \cdots a^{t_{0}}

    We compute this iteratively as follows [6]:

    Raise a^{t_0} to the m-th power and multiply by a^{t_1}. We get r_1 = a^{t_{0}m+t_1}. Next, raise r_1 to the m-th power and multiply by a^{t_2}, obtaining r_2 = a^{t_{0}m^{2}+t_{1}m+t_{2}}. If we continue with this, we’ll eventually get a^b.

    This translates into the following code:

    def modexp_lr_k_ary(a, b, n, k=5):
    """ Compute a ** b (mod n)

        K-ary LR method, with a customizable 'k'.
    """
    base = 2 << (k - 1)

    # Precompute the table of exponents
    table = [1] * base
    for i in xrange(1, base):
        table[i] = table[i - 1] * a % n

    # Just like the binary LR method, just with a
    # different base
    #
    r = 1
    for digit in reversed(_digits_of_n(b, base)):
        for i in xrange(k):
            r = r * r % n
        if digit:
            r = r * table[digit] % n

    return r

    Note that we save some time by pre-computing the powers of a for exponents that can be digits in base m. Also, the _digits_of_n is the following generalization of _bits_of_n:

    def _digits_of_n(n, b):
    """ Return the list of the digits in the base 'b'
        representation of n, from LSB to MSB
    """
    digits = []

    while n:
        digits.append(n % b)
        n /= b

    return digits

    Performance of the k-ary method

    In my tests, the k-ary LR method with k = 5 is about 25% faster than the binary LR method, and is within 20% of the built-in pow function.

    Experimenting with the value of k affects these results, but 5 seems to be a good value that produces the best performance in most cases. This is probably why it’s also used as the value of k in the implementation of pow.

    Python’s built-in pow

    I’ve mentioned Python’s pow function several times in this article. The Python version I’m talking about is 2.5, though I doubt this functionality has changed in 2.6 or 3.0. The pow I’m interested in is implemented in the long_pow function in objects/longobject.c in the Python source code distribution. As mentioned in [5], it uses the binary LR method for small exponents, and the k-ary LR method for large exponents.

    These implementations follow closely algorithms 14.79 and 14.82 in the excellent Handbook of Applied Cryptography, which is freely available online.

    Summary

    As we’ve seen, exponentiation and modular exponentiation are one of those applications in which an efficient algorithm is required for feasibility. Using the trivial/naive algorithms is possible only for small cases which aren’t very interesting. To process realistically large numbers (such as the ones required for cryptographic algorithms), one needs powerful methods in his toolbox.

    http://eli.thegreenplace.net/wp-content/uploads/hline.jpg
    [1] For instance, 3^{10000} is a 4772-digit number.
    [2] Modular exponentiation is essential for the RSA algorithm, for example.
    [3] To be a bit more rigorous, we start with x\equiv a\pmod n. This means that n|(a-x), so also n|(ab-xb). Similarly n|(b-y), so also n|(bx-yx). Adding these two we get n|(ab-yx), which means that xy\equiv ab\pmod n.
    [4] Using the 3-argument form of pow, you can perform modular exponentiation.
    [5] FIVEARY_CUTOFF in the code of pow is set to 8. This means that for exponents with more than 8 digits, a special 5-ary algorithm is used. For smaller exponents, the regular LR binary method is used – just like the one I presented, just coded in C.
    [6] Note that for m = 2 this is the familiar binary LR method.

    Related posts:

    1. Efficient integer exponentiation algorithms Did you ever think about the most efficient method to...
    2. Computing modular square roots in Python Consider the congruence of the form: n is a quadradic...
    3. Horner’s rule: efficient evaluation of polynomials Here’s a general degree-n polynomial: To evaluate such a polynomial...

    ]]>     http://eli.thegreenplace.net/2009/03/28/efficient-modular-exponentiation-algorithms/feed/ 0     Efficient integer exponentiation algorithms http://eli.thegreenplace.net/2009/03/21/efficient-integer-exponentiation-algorithms/ http://eli.thegreenplace.net/2009/03/21/efficient-integer-exponentiation-algorithms/#comments Sat, 21 Mar 2009 17:10:57 +0000 eliben http://eli.thegreenplace.net/?p=1581
  • Efficient modular exponentiation algorithms Earlier this week I’ve discussed efficient algorithms for exponentiation. However,...
  • Horner’s rule: efficient evaluation of polynomials Here’s a general degree-n polynomial: To evaluate such a polynomial...
  • Rabin-Miller primality test implementation Here’s a fairly efficient Python (2.5) and well-documented implementation of...
    • ]]>     Did you ever think about the most efficient method to perform integer exponentiation, that is, raising an integer a to an integer power b, when either a or b, or both, are rather large?

    Repeated multiplication

    The naive method is, of course, repeated multiplications. a^{b} is a multiplied by itself b times. Here’s how it’s coded in my pseudo-code of choice, Python:

    def expt_mul(a, b):
    r = 1
    for i in xrange(b):
        r *= a
    return r

    Is this efficient? Not really, as we require b multiplications, and as I said earlier b can be very large (think number theory algorithms). In fact, there’s a much more efficient method.

    Exponentiation by squaring

    The efficient exponentiation algorithm is based on the simple observation that for an even b, a^{b}=a^{b/2}\cdot a^{b/2}. This may not look very brilliant, but now consider the following recursive definition:

    \mbox{Power}(a,\,b)=<br /> \begin{cases} 1, & \mbox{if }b\mbox{ = 0} \\<br /> a\times\mbox{Power}(a,\,b-1), & \mbox{if }b\mbox{ is odd} \\<br /> \mbox{Power}(a,\,b/2)^2, & \mbox{if }b\mbox{ is even}<br /> \end{cases}

    The case of odd b is trivial, as it’s obvious that a^{b}=a\cdot a^{b-1}. So now we can compute a^{b} by doing only log(b) squarings and no more than log(b) multiplications, instead of b multiplications – and this is a vast improvement for a large b.

    This algorithm can be coded in a straightforward way:

    def expt_rec(a, b):
    if b == 0:
        return 1
    elif b % 2 == 1:
        return a * expt_rec(a, b - 1)
    else:
        p = expt_rec(a, b / 2)
        return p * p

    Indeed, this algorithm is about 10 times faster than the naive one for exponents in the order of a few thousands. When the exponent is about 100K, it is more than 100 times faster, and the difference keeps growing for larger exponents.

    An iterative implementation

    It will be useful to develop an iterative implementation for the fast exponentiation algorithm. For this purpose, however, we need to dive into some mathematics.

    We can represent the exponent b as:

    b=t_{i}2^{i}+t_{i-1}2^{i-1}+\cdots t_{0}2^{0}

    Where t_{i} are the bits (0 or 1) of b in base 2. a^{b} is then:

    a^{t_{i}2^{i}}\cdot a^{t_{i-1}2^{i-1}}\cdot \cdots a^{t_{0}2^{0}}

    Or, in other words:

    a^{b}=\prod_{k}a^{2^{k}} for k such that t_{k}=1

    a^{2^{k}} can be computed by repetitive squaring, and moreover, we can reuse the result from a lower k to compute a higher k. This directly translates into the following iterative algorithm:

    def expt_bin_rl(a, b):
    r = 1
    while 1:
        if b % 2 == 1:
            r *= a
        b /= 2
        if b == 0:
            break
        a *= a

    return r

    To understand how the algorithm works, try to relate it to the formula from above. Using a standard "divide by two and look at the LSB" loop, the exponent b is broken into its binary representation. The lowest bits of b are considered first. a is continually squared to hold a^{2^{k}}, and is multiplied into the result only when t_{k}=1.

    This algorithm is called right-to-left binary exponentiation, because the binary representation of the exponent is computed from right to left (from the LSB to the MSB) [1].

    A related algorithm can be developed if we prefer to look at the binary representation of the exponent from left to right.

    Left-to-right binary exponentiation

    Going over the bits of b from MSB to LSB, we get:

    def expt_bin_lr(a, b):
    r = 1
    for bit in reversed(_bits_of_n(b)):
        r *= r
        if bit == 1:
            r *= a
    return r

    Where _bits_of_n is a method returning the binary representation of its argument as an array of bits from LSB to MSB (which is then reversed, as you see):

    def _bits_of_n(n):
    """ Return the list of the bits in the binary
        representation of n, from LSB to MSB
    """
    bits = []

    while n:
        bits.append(n % 2)
        n /= 2

    return bits

    Rationale: consider how you "build" a number from its binary representation when seen from MSB to LSB. You begin with 1 for the MSB (which is always 1, by definition, for numbers > 0). For each new bit you see you double the result, and if the bit is 1, you add 1 [2].

    For example consider the binary 1101. Begin with 1 for the leftmost 1. We have another bit, so we double. That’s 2. Now, the new bit is 1, so we add 1, that’s 3. We have another bit, so again double, that’s 6. The new bit is 0, so nothing is added. And we have one more bit, so once again double, getting 12, and finally adding 1, getting 13. Indeed, 1101 is the binary representation of 13.

    Back to the exponentiation now. As you see in the code of expt_bin_lr, the binary representation of the exponent is read from MSB to LSB. Since this is the exponent, each "doubling" from the rationale above is squaring, and each "adding 1" is multiplying by the number itself. Hence, the algorithm works.

    Performance

    As I’ve mentioned, the squaring method of exponentiation is far more efficient than the naive method of repeated multiplication. In the tests I ran, the iterative left-to-right method is about the same speed as the recursive one, while the iterative right-to-left method is somewhat slower. In fact, both the recursive and the iterative left-to-right methods are so efficient they’re completely on par with Python’s built-in pow method [3].

    This is surprising, as I’d actually expect the right-to-left method to be faster, because it skips the reversing of bits when computing the binary representation of the exponent. I’d also expect the built-in pow to be faster.

    However, thinking harder for a moment, I think I can see why this happens. The RL (right-to-left) version has to multiply larger numbers at all stages, because LR sometimes multiplies by a itself, which is relatively small. Python’s bignum implementation can multiply by a small number faster, and this compensates for the need to reverse the bit list. I’ll come back to this issue when I’ll discuss modular exponentiation. But this is a topic for another article…

    http://eli.thegreenplace.net/wp-content/uploads/hline.jpg
    [1] From the looks of it (featuring the binary representation) you’d think this is a modern algorithm. Not at all! According to Knuth, it was first mentioned by the Persian mathematician Jamshīd al-Kāshī in 1427. The left-to-right method presented later in the article is even more ancient – it appeared in a Hindu book in about 200 BC.
    [2] This holds for any base, by the way. You can similarly build a number from its decimal digits by multiplying by 10 for each digit you see and adding the digit, at each step.
    [3] pow is coded in C and uses the iterative left-to-right method I described with some optimizations and complicated tricks.

    Related posts:

    1. Efficient modular exponentiation algorithms Earlier this week I’ve discussed efficient algorithms for exponentiation. However,...
    2. Horner’s rule: efficient evaluation of polynomials Here’s a general degree-n polynomial: To evaluate such a polynomial...
    3. Rabin-Miller primality test implementation Here’s a fairly efficient Python (2.5) and well-documented implementation of...

    ]]>     http://eli.thegreenplace.net/2009/03/21/efficient-integer-exponentiation-algorithms/feed/ 5