<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>The BWAIN</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/" />
    <link rel="self" type="application/atom+xml" href="http://andrew.bromage.org/blog/atom.xml" />
    <id>tag:andrew.bromage.org,2008-06-12:/blog//25</id>
    <updated>2008-07-04T01:30:25Z</updated>
    <subtitle>Blog Without An Interesting Name</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Personal 4.12</generator>

<entry>
    <title>When poets attack</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2008/07/when-poets-attack.html" />
    <id>tag:andrew.bromage.org,2008:/blog//25.4566</id>

    <published>2008-07-04T00:41:42Z</published>
    <updated>2008-07-04T01:30:25Z</updated>

    <summary>This is one of the cleverest things I&apos;ve seen in a while. The back story is that the assistant head of English at Park Hall needed the red hand truck (that&apos;s a &quot;porter&apos;s trolley&quot;, for those who don&apos;t get the...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="mindless link propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="poetry" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="mlp" label="mlp" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="poetry" label="poetry" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[This is one of the cleverest things I've seen in a while.

The back story is that the assistant head of English at Park Hall needed the red hand truck (that's a "porter's trolley", for those who don't get the American dialect), and asked for its return:

<blockquote>We're looking for an errant red hand truck. 
Anybody borrowed it or seen it? Thanks.
--Mike</blockquote>

The word "errant" sparked <a href="http://flagpole.com/Arts/Features/ParkHallPoesy/2008-06-18">a flood of responses spoofing famous poems</a>.

I can't resist, and I apologise in advance to the memory of Ogden Nash.

<blockquote>Lost hand truck<br/>
Is bad luck<br/>
But mimic<br/>
Is comic.</blockquote>]]>
        
    </content>
</entry>

<entry>
    <title>There once was a man from...</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2008/05/there-once-was-a-man.html" />
    <id>tag:andrew.bromage.org,2008:/blog//25.4525</id>

    <published>2008-05-21T03:41:16Z</published>
    <updated>2008-06-27T05:21:09Z</updated>

    <summary>Moving house saps time and energy for blogging, not that I&apos;m much of a high-energy blogger, but still. Figure I should say something. Chuck Jones once related this story: A young man was once sent fresh from Columbia University with...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="poetry" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="life" label="life" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="poetry" label="poetry" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[Moving house saps time and energy for blogging, not that I'm much of a high-energy blogger, but still.  Figure I should say something.

Chuck Jones once related this story:

<blockquote>A young man was once sent fresh from Columbia University with a mutual friend's introduction to Robert Frost. Frost scanned the young man's writings, then looking quizzically up through his craggy white brows he asked, "What do you do, son?" The young man drew himself up proudly; he was, after all, one with the great Frost. "I am a poet," he said. Frost gently answered, "The term 'poet' is a gift word, son; you cannot give it to yourself."</blockquote>

Those days are long gone.  But even if they weren't, I've officially been called a poet by another poet.  So I guess I'm a poet.

Even more than that, I've now actually been paid for a poem.  But for the full story, you'll have to wait.]]>
        
    </content>
</entry>

<entry>
    <title>Beware, already!</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2008/03/beware-already.html" />
    <id>tag:andrew.bromage.org,2008:/blog//25.4477</id>

    <published>2008-03-15T06:13:56Z</published>
    <updated>2008-06-27T05:20:51Z</updated>

    <summary>The day after Pi Day is the Ides of March. In honour of the day, some classic Wayne and Shuster. As first-generation television comedians go, these guys are a couple of my favourites. Their TV show was a fairly typical...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="comedy" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="mindless media propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="humour" label="humour" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mathematics" label="mathematics" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mmp" label="mmp" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        The day after Pi Day is the Ides of March.  In honour of the day, some classic Wayne and Shuster.

As first-generation television comedians go, these guys are a couple of my favourites.  Their TV show was a fairly typical &quot;acted out radio play&quot; format, but what made Wayne and Shuster different was that their comedy was extremely literate.

This episode is an extended version of a sketch that they performed on their first appearance on The Ed Sullivan Show, and it&apos;s probably still their most famous.

Some trivia: Frank Shuster was the cousin of Joe Shuster (the co-creator of Superman) and father-in-law of Lorne Michaels.

Actual show is after the jump.
        <![CDATA[Part 1:

<object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/HWw1JSgNu_w&hl=en"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/HWw1JSgNu_w&hl=en" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>

Part 2:

<object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/hDlyvBEJj7o&hl=en"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/hDlyvBEJj7o&hl=en" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>

And part 3:

<object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/T9_1Uz5kX_w&hl=en"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/T9_1Uz5kX_w&hl=en" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>]]>
    </content>
</entry>

<entry>
    <title>Happy Pi Day!</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2008/03/happy-pi-day.html" />
    <id>tag:andrew.bromage.org,2008:/blog//25.4476</id>

    <published>2008-03-14T05:26:52Z</published>
    <updated>2008-06-27T05:28:21Z</updated>

    <summary>For those who put the month before the day (why?), today is 3/14: Pi day. So happy Pi day! Have some pi: let p d = take d(fix(\i y h-&gt;let(z,x)=fix(\f xs-&gt;case xs of{((n,d,c):y)-&gt;let{(z,k)=f y;(q,r)=(c*10+k)`divMod`d}in((n,d,r):z,n*q);_-&gt;([],0)})y in case x of{9-&gt;i z(h++[9]);10-&gt;i...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="haskell" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="mathematics" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="constants" label="constants" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="haskell" label="haskell" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mathematics" label="mathematics" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[For those who put the month before the day (why?), today is 3/14: Pi day.

So happy Pi day!  Have some pi:

<tt>let p d = take d(fix(\i y h->let(z,x)=fix(\f xs->case xs of{((n,d,c):y)->let{(z,k)=f
y;(q,r)=(c*10+k)`divMod`d}in((n,d,r):z,n*q);_->([],0)})y in case x of{9->i z(h++[9]);
10->i z(map(\x->(x+1)`mod`10)h++[0]);_->h++i z[x]})((1,10,2):[(i,2*i+1,2)
|i<-[1..(10*d)`div`3]])[])in p 100</tt>

(It needs <tt>fix</tt> from <tt>Data.Function</tt> in scope, and the alternatives inside the braces are separated by semicolons, since explicit braces switch the layout rule off.)

Feel free to change the "100" at the end to however much precision you need.]]>
        
    </content>
</entry>

<entry>
    <title>Whose type system is it anyway?</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2008/01/whose-type-system-is.html" />
    <id>tag:andrew.bromage.org,2008:/blog//25.4429</id>

    <published>2008-01-27T12:03:46Z</published>
    <updated>2008-06-27T05:28:19Z</updated>

    <summary>I left a comment as part of a review of the Real World Haskell book, but I thought it deserved a wider airing. In what follows &quot;Algol&apos;s type system&quot; refers to the type systems of Algol-esque languages, such as C...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="programming" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="haskell" label="haskell" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="programming" label="programming" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="types" label="types" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[I left a comment as part of a review of the <a href="http://www.realworldhaskell.org/">Real World Haskell</a> book, but I thought it deserved a wider airing.

In what follows "Algol's type system" refers to the type systems of Algol-esque languages, such as C and Java.  Essentially, if it's a pre-Hindley-Milner static type system, it's probably Algol.  Unless it's really ancient, like Fortran.

(Fortran has the notion of a type, but it defaults to floating-point numbers.  It has been said that in Fortran, God is REAL unless explicitly declared INTEGER.)

Read on after the jump.]]>
        A complaint that I used to hear from programmers who prefer dynamically-typed languages is that typing is &quot;satisfying the whims of the compiler&quot;, or words to that effect.

Haskell programmers (or, in general, those who use Hindley-Milner-esque type systems; O&apos;Caml programmers probably know the Zen) know that this isn&apos;t true.  What seems like satisfying the compiler is, in fact, debugging.  Moreover, it&apos;s removing bugs that the compiler finds for you.  What&apos;s not to like about that?

But it occurred to me recently that if you&apos;re not using a Hindley-Milner-like type system (say, an Algol-like type system), then this accusation is entirely correct.

In HM systems, you don&apos;t have to declare the types of variables.  It&apos;s been a while, but I seem to recall that this took some getting used to.  Even in those rare situations when the type inference system needs some help (e.g. advanced Haskell type hackery), it usually doesn&apos;t need to know the types of any variables as such; giving a type declaration for the function as a whole, or maybe a let-binding or two, is sufficient.

In retrospect, this property of HM isn&apos;t quite so remarkable.  Yes, the whole type system is designed around this property of there being a single most general type for every lambda-expression.  But what this strongly suggests is that all of those type declarations that you&apos;re writing in C or Java are, in a sense, superfluous.

OK, maybe that&apos;s a bit strong.  C gives you implicit type coercions, and Java gives you a form of polymorphism that Haskell doesn&apos;t.  But still, coming from Scheme, I can see how you might think that declaring all those variables really is satisfying the whim of a compiler that is too dumb or haughty to do that routine grunt work for you.

So perhaps we shouldn&apos;t be too hard on dynamic typing advocates.  I don&apos;t think like them, since I&apos;m too brainwashed into HM languages.  But putting myself in their shoes, I can imagine looking at the type declarations in Algol-like languages with something akin to horror.

So rather than debate static-vs-dynamic, typeful programmers should be concentrating on static-vs-static.  Who was your type system designed for?  For you, the programmer, or for the compiler writer?  Does it serve you, or does it make you hold the hand of your insufficiently smart compiler?
    </content>
</entry>

<entry>
    <title>Zeitgeist</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2008/01/zeitgeist.html" />
    <id>tag:andrew.bromage.org,2008:/blog//25.4411</id>

    <published>2008-01-09T06:35:19Z</published>
    <updated>2008-06-27T05:28:16Z</updated>

    <summary>This op-ed from The Age is a very interesting read. It mentions two themes from the modern world: a decline in organised religion, and a view that death is unnatural. The mix results in a rise in the supernatural in...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="mindless link propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="religion" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="mlp" label="mlp" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="religion" label="religion" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[This <a href="http://www.theage.com.au/news/opinion/life-lived-in-spirit/2008/01/05/1198950123902.html?page=fullpage#contentSwap1">op-ed from The Age</a> is a very interesting read.

It mentions two themes from the modern world: a decline in organised religion, and a view that death is unnatural.  The mix results in a rise in the supernatural in our fiction, particularly with that part that deals with death.]]>
        
    </content>
</entry>

<entry>
    <title>Season&apos;s Greetings</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/12/seasons-greetings.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4381</id>

    <published>2007-12-25T11:29:34Z</published>
    <updated>2008-06-27T05:25:17Z</updated>

    <summary>Has anyone ever said &quot;Season&apos;s Greetings&quot; to you? I know it&apos;s on cards everywhere, on multiple continents. But has anyone actually said it to you? In my case, it&apos;s happened once. Probably about 25 years ago. But that&apos;s not what...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="poetry" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="poetry" label="poetry" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[Has anyone ever said "Season's Greetings" to you?  I know it's on cards everywhere, on multiple continents.  But has anyone actually <i>said</i> it to you?

In my case, it's happened once.  Probably about 25 years ago.

But that's not what I wanted to talk about.]]>
        <![CDATA[Christmas has a different vibe in the Southern Hemisphere.  Here in Australia, for example, people do decorate their houses with lights, but it doesn't get really dark until some time after 8:30pm.

Christmas music is also a casualty.  <i>Jingle Bells</i> isn't really about Christmas (it's just a winter song), which makes it, arguably, doubly silly in the middle of Summer.

To add insult to injury, previous generations of Australians have had a real bug about what it means to be Australian.  There's a mix of <a href="http://en.wikipedia.org/wiki/Cultural_cringe#Australia">cultural cringe</a>, a national inferiority complex about being Australian, mixed with a backlash where it doesn't matter if it's crap so long as it's Australian.

The result of this is, naturally, that people have written a bunch of Australian Christmas Carols.

Some of these are <a href="http://www.abc.net.au/perth/stories/s1533207.htm">quite old</a>, and grow out of the Federation nationalism of the late 19th and early 20th century.  However, a number of them came later.

I have a theory that many of those who went to university in the 1970s in particular are members of a "cult of relevance".  The main commandment is "thou shalt be relevant".  This means that Carols should not mention cold, but should mention heat.  At every opportunity.

<a href="http://heathhill.blogspot.com/2007/12/australian-christmas-carols.html">See for yourself.</a>  In fact, if you're not familiar with any Australian Christmas Carols, please skim them before continuing, or you will have no hope of understanding what follows.  Just familiarise yourself with the general idea, then read on.

OK, fast forward to Christmas 1999.  I was subjected too many times to <a href="http://www.leighnewton.com/citslyrics.html#anchor2648837">one particular song</a> (written, I might add, by a member of my own extended family).

Now for those who are unaware, 85% of Australians live in one of about 12 cities.  Indeed, 65% live in one of the top five.  I've been to more places in Australia than most, and I don't think I've ever seen a bandicoot.  Yet this is, apparently, deemed a more "relevant" Christmas image than snow.

What follows is, more or less, what I wrote in response.  It doesn't have a tune yet, but I figure something in bouncy 6/8 that doesn't quite fit the lyrics, since that seems to be part of the pattern.

I would also like to remind people that the contents of this blog are <i>not</i> public domain or creative commons licenced, so please don't redistribute without permission.

<blockquote><b>The Carol of the Cultural Cringe</b>

The drover rides across the plains.
Westward on he leads his flock,
Through bushfires, droughts and flooding rains,
Past billabongs and deep red rock.
At night by fire he lays his head,
The Southern Cross shines overhead...
Oh, by the way, it's Christmas.

Deep in the bush, the wombats play,
While serenaded by the crow.
The kangaroos, they hop all day.
I emphasise: There is no snow!
The ground is parched; the Sun's harsh rays
Have beaten down for days and days...
And, by the way, it's Christmas.

While here in town, we gather 'round
The barbecue and burn some meat.
In laundry tub the salad's found,
We swat at blowflies as we eat
Together, the Australian way...
And almost I forgot to say
That, by the way, it's Christmas.

<i>Copyright 1999 Andrew Bromage</i>
</blockquote>

Merry Christmas!]]>
    </content>
</entry>

<entry>
    <title>Phosphorescent phelines</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/12/phosphorescent-phelin.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4352</id>

    <published>2007-12-12T22:37:28Z</published>
    <updated>2008-06-27T05:24:14Z</updated>

    <summary>Scientists create glow-in-the-dark cats. I find this just a little bit creepy. See after the jump as to why....</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="mindless link propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="lolstuff" label="lolstuff" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mlp" label="mlp" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[<a href="http://www.abc.net.au/news/stories/2007/12/13/2117451.htm">Scientists create glow-in-the-dark cats.</a>

I find this just a little bit creepy.  See after the jump as to why.
]]>
        <![CDATA[<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img src="http://andrew.bromage.org/blog/images/glowing.jpeg" width="594" height="456" alt="My cat would love it if she could do this" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>]]>
    </content>
</entry>

<entry>
    <title>Dewey Defeats Truman</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/11/dewey-defeats-truman.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4313</id>

    <published>2007-11-22T23:58:58Z</published>
    <updated>2008-06-27T05:23:33Z</updated>

    <summary>Tomorrow is Saturday, but I&apos;m working. Australia is holding its federal election, and I&apos;m a polling official. Obviously, as a polling official, I cannot and will not discuss party politics on this blog. However, I can talk about how it...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="life" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="life" label="life" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        Tomorrow is Saturday, but I&apos;m working.

Australia is holding its federal election, and I&apos;m a polling official.

Obviously, as a polling official, I cannot and will not discuss party politics on this blog.  However, I can talk about how it works behind the scenes.

Read on for more.
        <![CDATA[<h2>Background</h2>

For the non-Australians present, I need to briefly explain how the system works so we can get to my observations so far.

Like the UK, we have a Westminster-style Parliament, with two houses, and the executive branch is chosen from the legislative branch.  Essentially, the party or coalition with the majority in the "lower house" (what in the UK would be called the House of Commons and in the US and Australia would be called the House of Representatives) is the government, and the leader in the House gets to be the Prime Minister.  He or she then picks the Cabinet.

Unlike the UK, and like the US, instead of a House of Lords (or, in the case of Canada, a bastardised substitute), we have an elected Senate.

Like the UK, members of the lower house are referred to as "Members of Parliament" or "MPs".  Like the US, members of the upper house are referred to as "Senators".

One MP is elected per local electorate, using the <a href="http://en.wikipedia.org/wiki/Instant-runoff_voting">IRV</a> voting system.  Ten senators are elected per state (and two per territory), using the <a href="http://en.wikipedia.org/wiki/Single_Transferable_Vote">STV</a> system (though we do allow a simplified Senate vote for those who wish to do it that way).  It's all done on paper, so the "ballot" is a physical piece of paper that can be counted, bundled and stored.

<h2>Back to me</h2>

I've done an election (state) before, so I know basically what's involved.  Nonetheless, here are a few thoughts.

When you have preferential voting, the rules for whether a vote is valid (or "formal") are necessarily more complicated than simply "look for the tick or cross".  In a "tick the box"-style election, two ticks would make a vote informal.  In our system, not numbering every box, or using non-consecutive numbers, or repeating a number, all make the vote invalid.  (The story of <a href="http://en.wikipedia.org/wiki/Albert_Langer">Albert Langer</a> comes to mind here.)

The rules for this federal election are significantly more complicated and fixed than the previous state election that I worked on.  They even tell you how to lay out the room to do vote counting!  More rules to follow and enforce, <i>and they pay less</i> than the state election.

Something's not right here.

One other thing that may not occur to people who haven't worked behind the scenes is that because a vote is a physical piece of paper, there is a strict auditing system so that all pieces of paper are accounted for.  By the end of the day, we know exactly how many ballot papers were thrown in the rubbish or removed.  Last state election, it was two out of 4,000 or so votes cast in our polling centre.  That's apparently a pretty good success rate.

<h2>Tomorrow</h2>

So tomorrow will be a long day for me.  I have to show up at the polling centre at 7:30am, and I don't get to leave the premises until counting finishes (which could be any time from 8pm to 11pm), and we bundle up everything and bump out.

If anything interesting happens, you'll be the first to know.

<b>Update:</b>  Apparently the electorate that I'll be working in is a <a href="http://media.theage.com.au/?rid=33356">"battleground"</a>.  That doesn't sound safe.  I think I'll check with OH&amp;S.]]>
    </content>
</entry>

<entry>
    <title>An interesting combinatorial relation</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/11/an-interesting-combin.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4303</id>

    <published>2007-11-17T05:48:25Z</published>
    <updated>2008-07-09T01:40:45Z</updated>

    <summary>[texdisplay]\left( \begin{array}{c} n \\ 2k+1 \end{array} \right) = \sum_{i=k+1}^{n-k} \left( \begin{array}{c} i-1 \\ k \end{array} \right) \left( \begin{array}{c} n-i \\ k \end{array} \right)[/texdisplay] The proof is left as an exercise....</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="mathematics" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="combinatorics" label="combinatorics" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mathematics" label="mathematics" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[ <img src="http://andrew.bromage.org/blog/latex/5d3e02953a27e8d083e8aed0985e9810.png" title="\left( \begin{array}{c} n \\ 2k+1 \end{array} \right) = \sum_{i=k+1}^{n-k} \left( \begin{array}{c} i-1 \\ k \end{array} \right) \left( \begin{array}{c} n-i \\ k \end{array} \right)" alt="\left( \begin{array}{c} n \\ 2k+1 \end{array} \right) = \sum_{i=k+1}^{n-k} \left( \begin{array}{c} i-1 \\ k \end{array} \right) \left( \begin{array}{c} n-i \\ k \end{array} \right)" align="absmiddle" /> 

The proof is left as an exercise.]]>
        
    </content>
</entry>

<entry>
    <title>Coincidence, Colussus and Fish</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/11/coincidence-colussus.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4300</id>

    <published>2007-11-15T22:38:33Z</published>
    <updated>2008-06-27T05:16:34Z</updated>

    <summary>The BBC reports that a rebuilt Colossus is cracking codes again at Bletchley Park. COLOSSUS was the world&apos;s first programmable electronic computer, so this is considered something of an achievement. However, COLOSSUS was really only built to do one job....</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="crypto" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="haskell" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="crypto" label="crypto" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[<p>The BBC reports that a rebuilt <a href="http://en.wikipedia.org/wiki/Colossus_computer">Colossus</a> is <a href="http://news.bbc.co.uk/1/hi/technology/7094881.stm">cracking codes again</a> at Bletchley Park.</p>
<p>COLOSSUS was the world's first programmable electronic computer, so this is considered something of an achievement.  However, COLOSSUS was really only built to do one job.</p>
<p>Read on for details.</p>]]>
        <![CDATA[<h2>Message integrity</h2>

The BBC article notes:

<blockquote>Speaking to the BBC, Andy Clark, one of the founders of the Trust for the National Museum of Computing, said radio problems had stopped the challenge getting under way on time.

"The radio path has not been particularly good between Germany and here," he said. "We are at a bad point in the sunspot cycle."</blockquote>

This highlights one of the trickier problems in information theory: ensuring that a message gets from <a href="http://en.wikipedia.org/wiki/Alice_and_bob">Alice to Bob</a> without loss.

In the digital world, we use redundancy coding: Sending as small an amount of redundant information as necessary to at least <i>detect</i> message corruption (e.g. checksums, hashes, digests).  If Bob finds an error in Alice's message, he can send an automatic repeat request (ARQ), and Alice can repeat the message.

Some fancier schemes attempt to <i>correct</i> the error.  This is useful in situations where ARQs are infeasible or otherwise undesirable.  One example is real-time signals (e.g. mobile phones), where a retransmission would come too late.  Another is stored media, such as CDs and DVDs.  An exotic application is deep space probes: The last telemetry signal from <a href="http://en.wikipedia.org/wiki/Pioneer_10">Pioneer 10</a>, for example, was at about 80 AU.  A round-trip signal would therefore take 21 hours or so, and that's assuming that the probe could even hear you at that distance.  So if you're ever designing spacecraft, you really want to avoid ARQs if you can.

If it's not important that you get all of the information just so long as you get enough of it, then another option is to use <i>synchronising codes</i>.  If a symbol does not depend on the symbol before it, then you can drop symbols (and timing can tell you that they've been dropped), and you'll get at least some of the message.  So while you may not <i>(deleted)</i> everything, the <i>(deleted)</i> can often be <i>(deleted)</i> from the context.

<h2>Old-School Cryptography</h2>

The same thinking applied to cryptosystems, in the era of World War II.  As the BBC article indicates, radio was a notoriously unreliable transmission medium.  It was therefore very important that some kind of protocol was established for messages that didn't entirely make it.  And this was before portable automatic computation devices, so it was only operators who could tell if a message made it or not.

If a message was broadcast (single transmitter, multiple receivers), then one sensible approach was retransmission: send the message more than once, to make sure that everyone got it.

If it was point-to-point (Alice to Bob), then ARQs were possible.

However, cryptographers also designed ciphers in such a way that if certain letters were corrupted, only that letter would be corrupt in the decoded message.  Sijgle lettzr errqrs are anpoying, bwt mesxages ara ofken stivl legidle.  There's also a deep mathematical sense in which this is more true of German than of English.  But we'll get to that in a moment.

The most sophisticated World War II-era ciphers were <i>polyalphabetic stream ciphers</i>.  Essentially, you had a pseudo-random stream of substitution alphabets, which didn't depend on the message to be encoded in any way.  You then used the substitution alphabets to encode the message.  There were some messy details related to key negotiation (which is <i>still</i> messy, even in modern cryptography), but that's the general idea.

Probably the most famous example is <a href="http://en.wikipedia.org/wiki/Enigma_machine">ENIGMA</a>.  It used stepping rotors, reflectors and plugs to form what was, essentially, a <a href="http://en.wikipedia.org/wiki/Substitution_cipher#Simple_substitution">simple substitution cipher</a>, where the substitution alphabet changed for every letter.  The sequence of alphabets did not depend on the message, so if a letter was misheard, only that letter would be corrupt in the final message.

These <a href="http://en.wikipedia.org/wiki/Stream_cipher">stream ciphers</a> suffer from one gaping security hole: Reusing a key sequence for two different messages breaks the system wide open.

<h2>Coincidence Counting</h2>

OK, now for some maths.

Suppose, for simplicity, that you have a 26-symbol alphabet, [tex dpi=72]\{ A \ldots Z \}[/tex].  Suppose that the probability of symbol [tex dpi=72]Q[/tex] appearing is fixed, and we'll call it [tex dpi=72]p_Q[/tex].  Naturally, the probabilities sum to one:

 <img src="http://andrew.bromage.org/blog/latex/9841e5bc76396f782fa0f9c39d7198b6.png" title="\sum_{x=A}^{Z} p_x = 1" alt="\sum_{x=A}^{Z} p_x = 1" align="absmiddle" /> 

Consider the following problem: What is the probability that any two symbols chosen at random are the same?

A moment's thought shows that it's just this:

 <img src="http://andrew.bromage.org/blog/latex/7cb1590a08fc7807b9d3d1139b5f58e9.png" title="\kappa = \sum_{x=A}^{Z} {p_x}^2" alt="\kappa = \sum_{x=A}^{Z} {p_x}^2" align="absmiddle" /> 

We call this quantity the <i>index of coincidence</i> (or IC) for the probability distribution.

You can estimate the IC for a distribution by looking at a stream of symbols that follows the distribution.  Consider, for example, the following text:

<pre>
YOUCA NESTI MATET HEICF ORADI STRIB UTION BYLOO
KINGA TASTR EAMOF SYMBO LSTHA TFOLL OWSTH EDIST
RIBUT IONCO NSIDE RFORE XAMPL ETHEF OLLOW INGTE
XT
</pre>

The message contains 8 A's, 4 B's, 3 C's and so on.  Denote the number of instances of A as [tex dpi=72]n_A[/tex], and the length of the message as [tex dpi=72]n[/tex].

The number of pairs of symbols in the message is given by [tex dpi=72]n(n-1)/2[/tex].  Similarly, the number of pairs of A's is [tex dpi=72]n_A(n_A-1)/2[/tex].  It follows that the IC for the message as a whole is:

 <img src="http://andrew.bromage.org/blog/latex/41018f9935738f63d8275f171bb7cccc.png" title="\kappa_m = \frac{\sum_{x=A}^{Z} n_x (n_x - 1)}{n (n-1)}" alt="\kappa_m = \frac{\sum_{x=A}^{Z} n_x (n_x - 1)}{n (n-1)}" align="absmiddle" /> 

This comes out at approximately 6% for this message.

The reason why the IC is interesting for cryptographers is that it is invariant under a number of common transformations.  If you apply a simple substitution cipher to a message, for example, or permute the symbols arbitrarily, the measured IC of the message is the same.  It's also approximately the same if you take a random sample of the symbols from the message.

Moreover, the IC is approximately constant for a given language.  English messages have an IC of around 6.6%, and German messages have an IC of around 7.8%.  Compare this with the IC for a 26-symbol alphabet where the probabilities are equal (i.e. random noise), which is 1/26 or 3.8%.  Friedman's Law states that for natural Roman alphabet-based languages, the ratio of the IC for the language to the IC for a flat frequency distribution is approximately 2.  (For English it's 1.73, and for German it's 2.05.)

One particularly interesting property of this is that you can often tell if you've "almost" cracked a cipher by looking at the IC.  If it's close to 3.8%, you're not there yet.  If it's close to 6.6%, then you might still need to undo a permutation and substitution, <i>but you know the message is probably in English</i>.  Indeed, it's sometimes easier to tell what language some cipher is written in than to decode the message.

Stream ciphers have the property that, at the same position in the same key stream, identical plaintext symbols are encrypted to identical ciphertext symbols.  It follows that if you take two different messages, written in the same language and encrypted using the same key sequence, then the proportion of positions at which the ciphertext symbols match should be roughly the same as the IC for the language.

Here's an example: two messages encrypted with the same stream cipher using the same key sequence.  Message 1:

<pre>
MUAOQ OPOAY GQTSS YDJEL QQNLS 
ZPZVS XGTOI YLCYN BKBKU CJNAT 
IQXPE LMSKM KPRJF GDWBA WCRYZ
</pre>

and message 2:

<pre>
XYPND HJMSM MGKSP NZYTC WDUUW 
VTGVV XRJSK FSYJR BNFUB IQGBH 
OCPIV MIUBD QHOSZ JTEFF HFUJX
</pre>

The measured IC of message 1 is 3.3%, and of message 2 is 3.4%: both close to what you'd expect from a flat distribution.

But if you line them up against each other, and look for places where the ciphertext letters are identical:

<pre>
MUAOQOPOAYGQTSSYDJELQQNLSZPZVSXGTOIYLCYNBKBKUCJNATIQXPELMSKMKPRJFGDWBAWCRYZ
XYPNDHJMSMMGKSPNZYTCWDUUWVTGVVXRJSKFSYJRBNFUBIQGBHOCPIVMIUBDQHOSZJTEFFHFUJX
             ^              ^ ^         ^                                  
</pre>

The messages are 75 symbols long, and there are 4 coincidences.  That gives an estimated IC of 4/75 = 5.3%.  That's not a great result because the message is so short, but it's certainly closer to a natural language than to random text, so this is good evidence that the two messages were encrypted with the same stream cipher.

If you're curious, I encrypted them with an ENIGMA emulator.  In the very early 1930s, <a href="http://en.wikipedia.org/wiki/Marian_Rejewski">mathematicians</a> at the Polish Cipher Bureau noticed that if you took two German ENIGMA messages, intercepted on the same day, which began with the same six letters, the IC of the rest of the messages (i.e. after the first six letters) was very close to that of German.  They concluded that the first six letters specified the key, and the rest was a polyalphabetic stream cipher.  This was the first break in ENIGMA.  But that's another story.

We're more interested in TUNNY.

<h2>TUNNY</h2>

While the German military used ENIGMA for field traffic (e.g. to and from U-boats), high-level traffic (e.g. between command centres) was typically sent by <a href="http://en.wikipedia.org/wiki/Teleprinter">teleprinter</a>.  The German teleprinters used a 5-bit binary code called <a href="http://en.wikipedia.org/wiki/Baudot_code">Baudot code</a> (which was also famously used on the cover of a Coldplay album, <a href="http://en.wikipedia.org/wiki/X%26Y">X&amp;Y</a>).  Interestingly, modern PC serial ports can still be configured to handle 5-bit teleprinter-compatible messages, if you ever feel the need to communicate in Baudot.

The message was encrypted with two machines: The Siemens und Halske T52, and the Lorenz SZ 40 (later replaced with the SZ 42).  The Bletchley Park operators referred to the teleprinter traffic as "FISH" and the Lorenz-encrypted messages in particular as "TUNNY".

In August 1941, a German operator made a serious error.  A 4000-character message was sent from Vienna to Athens.  The recipient sent an unencrypted ARQ (this let the eavesdroppers know what was going on).  The first operator re-sent the message <i>using the same key sequence</i> (which was absolutely forbidden, but he did it), but instead of starting the message with "SPRUCHNUMMER" ("message number"), he keyed in "SPRUCHNR" (there were other differences; the retransmission contained less word spacing and punctuation than the first).  The cryptanalysts now had two almost identical messages which they knew were encrypted with the same key sequence.

From this break alone, <a href="http://en.wikipedia.org/wiki/John_Tiltman">John Tiltman</a> managed to separate the message from the key stream, and <a href="http://frode.home.cern.ch/frode/crypto/tutte.html">W.T. Tutte</a> managed to reconstruct the entire machine.

<h2>HEATH ROBINSON and COLOSSUS</h2>

<a href="http://frode.web.cern.ch/frode/crypto/tutte.pdf">Tutte</a> noticed a peculiarity of the Lorenz machines: taking the exclusive or of consecutive symbols left statistical regularities in the bit patterns, which could be discovered using the IC on the bit stream.

The prototype machines used to compute this were called HEATH ROBINSON, after the British cartoonist, and the final machines were called COLOSSUS.

[As an aside, <a href="http://en.wikipedia.org/wiki/Heath_Robinson">W. Heath Robinson's</a> cartoons of machinery are as famous in Britain as <a href="http://www.rube-goldberg.com/">Rube Goldberg's</a> are in the US, and engineers use the names to refer to any machine design which is bad in an amusing way.  The main difference is that a Rube Goldberg machine is <a href="http://www.rube-goldberg.com/images/gallery/RG_55.gif">unnecessarily complex</a>, whereas a Heath Robinson machine is <a href="http://www.bpib.com/illustrat/whrobin9.gif">cobbled together from junk</a>.]

Bletchley Park received TUNNY intercepts punched onto <a href="http://en.wikipedia.org/wiki/Paper_tape">paper tape</a>, which was formed into a loop.  Loops of "key tape" were also pre-prepared, which emulated some aspect of the Lorenz key streams.  The two tapes were then run against each other, and COLOSSUS did an IC measurement to determine how alike the message was compared with the key tape.  The key tape was then "stepped" by one position compared to the message, and the process repeated.  The position with the greatest IC was then determined to be the likely wheel setting corresponding to that key tape.

You can think of it by analogy to a <a href="http://en.wikipedia.org/wiki/Phase-locked_loop">phase-locked loop</a>.  You want to find where in the key stream the message falls, so you vary the relative phase of the message and the key stream until you find the most agreement (i.e. the greatest IC).  At that point, you've locked onto the phase, and you can decrypt the message.
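Here is the coincidence arithmetic from the last two sections in runnable form.  This is an added example, not code from the original post: it computes the IC of a single text, the rate of positional coincidences between the two ciphertexts quoted above (the key-reuse test), and the COLOSSUS-style search that steps a key tape past a message and keeps the offset with the greatest IC.  The stream cipher used for the stepping demonstration is a constructed additive one (c = p + k mod 26), an assumption standing in for the real ENIGMA and Lorenz key streams; the long plaintext, the key tape and the offset are constructed as well.

```python
import random
from collections import Counter
from string import ascii_uppercase

FLAT_IC = 1 / 26     # ~3.8%: a flat frequency distribution (random noise)
ENGLISH_IC = 0.066   # ~6.6%: the figure quoted above for English


def only_letters(text):
    """Keep A-Z only; the messages above are written in five-letter groups."""
    return "".join(ch for ch in text.upper() if ch in ascii_uppercase)


def index_of_coincidence(text):
    """kappa_m = sum_x n_x (n_x - 1) / (n (n - 1)), summed over the 26 letters."""
    s = only_letters(text)
    n = len(s)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(s).values()) / (n * (n - 1))


def coincidence_rate(a, b):
    """Fraction of positions at which two equal-length ciphertexts carry the same
    letter.  Under one shared key stream this tends towards the language IC;
    under independent key streams it stays near FLAT_IC."""
    a, b = only_letters(a), only_letters(b)
    if not a or len(a) != len(b):
        raise ValueError("texts must be non-empty and the same length")
    return sum(x == y for x, y in zip(a, b)) / len(a)


def _shift(ch, key_ch, sign):
    """Add (sign=+1) or subtract (sign=-1) a key letter, mod 26."""
    return ascii_uppercase[(ord(ch) - 65 + sign * (ord(key_ch) - 65)) % 26]


def stream_encrypt(plain, key_tape, offset):
    """Constructed additive stream cipher: c_i = p_i + key_tape[offset + i] mod 26.
    The key stream never depends on the message, as described above."""
    p = only_letters(plain)
    return "".join(_shift(c, key_tape[offset + i], +1) for i, c in enumerate(p))


def stream_decrypt(cipher, key_tape, offset):
    return "".join(_shift(c, key_tape[offset + i], -1) for i, c in enumerate(cipher))


def best_alignment(cipher, key_tape):
    """Step the key tape one position at a time past the message and return
    (offset, ic) for the trial decryption with the greatest IC, i.e. the offset
    at which the 'phase' locks and the message becomes readable."""
    scored = [(index_of_coincidence(stream_decrypt(cipher, key_tape, off)), off)
              for off in range(len(key_tape) - len(cipher) + 1)]
    ic, off = max(scored)
    return off, ic


# SAMPLE, MSG1 and MSG2 are the texts quoted above.  PLAINTEXT, KEY_TAPE and
# TRUE_OFFSET are constructed for this example (fixed seed, so the run repeats).
SAMPLE = ("YOUCA NESTI MATET HEICF ORADI STRIB UTION BYLOO KINGA TASTR EAMOF SYMBO "
          "LSTHA TFOLL OWSTH EDIST RIBUT IONCO NSIDE RFORE XAMPL ETHEF OLLOW INGTE XT")
MSG1 = "MUAOQ OPOAY GQTSS YDJEL QQNLS ZPZVS XGTOI YLCYN BKBKU CJNAT IQXPE LMSKM KPRJF GDWBA WCRYZ"
MSG2 = "XYPND HJMSM MGKSP NZYTC WDUUW VTGVV XRJSK FSYJR BNFUB IQGBH OCPIV MIUBD QHOSZ JTEFF HFUJX"
PLAINTEXT = ("The index of coincidence is invariant under simple substitution and under "
             "permutation of the symbols so an analyst can tell that a message is probably "
             "English long before it can be read and the same statistic exposes two messages "
             "that were enciphered with one key stream which is exactly the mistake that the "
             "Lorenz operator made in August nineteen forty one")
_rng = random.Random(2008)
KEY_TAPE = "".join(_rng.choice(ascii_uppercase) for _ in range(360))
TRUE_OFFSET = 17


def locate_key_tape():
    """Encrypt PLAINTEXT at TRUE_OFFSET, then recover the offset from the IC alone."""
    cipher = stream_encrypt(PLAINTEXT, KEY_TAPE, TRUE_OFFSET)
    off, ic = best_alignment(cipher, KEY_TAPE)
    return off, ic, stream_decrypt(cipher, KEY_TAPE, off)


if __name__ == "__main__":
    print(f"flat IC {FLAT_IC:.1%}, English IC {ENGLISH_IC:.1%}")
    print(f"IC of the sample text: {index_of_coincidence(SAMPLE):.1%}")
    print(f"IC of message 1 / 2: {index_of_coincidence(MSG1):.1%} / {index_of_coincidence(MSG2):.1%}")
    print(f"coincidence rate between them: {coincidence_rate(MSG1, MSG2):.1%}")
    off, ic, recovered = locate_key_tape()
    print(f"key tape locks at offset {off} (true offset {TRUE_OFFSET}), IC {ic:.1%}")
    print(recovered[:40], "...")
```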

<h2>The challenge</h2>

COLOSSUS was designed, as I mentioned, to do one job.  It was designed to do its computations in an embarrassingly parallel manner, and as a result, it was extremely fast, even by modern standards.  With the tape moving at full speed, it could handle about 25kbps of I/O (which is only about half the speed of an ISDN line), and process it at the same rate.  That's an amazing achievement, when you think about it, especially when you consider that it was really only the third genuinely new electrical computer in the world.  The closest that Germany had at the time, the Zuse Z3, only had a clock speed of 5-10Hz.  But then, the Z3 was Turing-complete.

As such, it will be interesting to see who wins the challenge: the rebuilt Colossus or the team using modern PCs.  My money is on the PC team, but unusually for a first-generation computer, it's a fair fight.]]>
    </content>
</entry>

<entry>
    <title>Time Piece</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/11/time-piece.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4298</id>

    <published>2007-11-15T06:00:38Z</published>
    <updated>2008-06-27T05:13:58Z</updated>

    <summary>An experimental film from 1965. Written, directed and starring Jim Henson. (h/t Ze Frank)...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="mindless media propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="art" label="art" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mmp" label="mmp" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[An experimental film from 1965.  Written, directed and starring Jim Henson.

<object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/HrAVgYTTMbQ&rel=1"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/HrAVgYTTMbQ&rel=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>

(h/t <a href="http://www.zefrank.com/zesblog/archives/2007/11/time_piece.html">Ze Frank</a>)]]>
        
    </content>
</entry>

<entry>
    <title>In which I participate in a meme</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/11/in-which-i-participat-1.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4276</id>

    <published>2007-11-07T04:20:09Z</published>
    <updated>2008-06-27T04:54:33Z</updated>

    <summary>Lambdacats is the Haskell rendering of an Internet meme, lolcats. I did a few of them, but several didn&apos;t make it to arcanux, on the grounds that they&apos;re too much of an in-joke. I can respect that. This one isn&apos;t...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="mathematics" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="mindless meme propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="lolstuff" label="lolstuff" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mathematics" label="mathematics" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mmp" label="mmp" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[<p><a href="http://arcanux.org/lambdacats.html">Lambdacats</a> is the Haskell rendering of an Internet meme, <a href="http://icanhascheezburger.com/">lolcats</a>.  I did a few of them, but several didn't make it to arcanux, on the grounds that they're too much of an in-joke.  I can respect that.</p>
<p>This one isn't Haskell-specific, but it is based on a perennial Haskell discussion: The efficient computation of <a href="http://en.wikipedia.org/wiki/Fibonacci_number">Fibonacci numbers</a>.</p>
<p>So without further ado...</p>
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="lolrabbits?" src="http://andrew.bromage.org/blog/images/fib.jpeg" width="500" height="326" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></span>
<p>Original photograph by <a href="http://flickr.com/photos/9384441@N05/761933253/">MyRabbits</a></p>]]>
        
    </content>
</entry>

<entry>
    <title>Shamir&apos;s secret sharing</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/11/shamirs-secret-sharin.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4275</id>

    <published>2007-11-03T13:32:02Z</published>
    <updated>2008-06-27T04:54:00Z</updated>

    <summary>Over at Lard Bucket, Andy Schmitz looks at Adi Shamir&apos;s secret sharing method. He identifies what he considers a possible flaw in the method, using an example from the Wikipedia entry, and invites readers to critique his reasoning. The executive...</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="crypto" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="mathematics" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="crypto" label="crypto" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mathematics" label="mathematics" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[<p>Over at <a href="http://lardbucket.org/">Lard Bucket</a>, Andy Schmitz looks at <a href="http://lardbucket.org/blog/archives/2007/10/30/a-flaw-in-shamirs-secret-sharing-method/">Adi Shamir's secret sharing method</a>.  He identifies what he considers a possible flaw in the method, using an example from <a href="http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing">the Wikipedia entry</a>, and invites readers to critique his reasoning.</p>
<p>The executive summary: Andy's reasoning is 100% correct, and so is Shamir's assertion (in the paper) that the method does not leak information.</p>
<p>Read on for details.</p>]]>
        <![CDATA[<p>First off, if you haven't read the paper, <a href="http://lardbucket.org/blog/wp-content/uploads/2007/10/shamir_how_to_share_a_secret.pdf">please do it</a>.  It's extremely short, and quite readable.  You'll also need to have read <a href="http://lardbucket.org/blog/archives/2007/10/30/a-flaw-in-shamirs-secret-sharing-method/">Andy's article</a> before reading further.</p>
<h2>The secret sharing method</h2>
<p>Essentially, the problem is this: You have a secret number, [tex dpi=72]A_0[/tex], that you want to share.  You want to split it into [tex dpi=72]n[/tex] pieces such that you need at least [tex dpi=72]k[/tex] of those pieces to reconstruct [tex dpi=72]A_0[/tex].  If you only have [tex dpi=72]k-1[/tex] pieces, you can discover nothing at all about [tex dpi=72]A_0[/tex].</p>
<p>Shamir's method solves this problem by generating random numbers [tex dpi=72]A_1 \ldots A_{k-1}[/tex] and forming a polynomial:</p>
 <img src="http://andrew.bromage.org/blog/latex/4cf6272add184084f087b12185983611.png" title="f(x) = A_0 + A_1 x + \ldots + A_{k-1} x^{k-1}" alt="f(x) = A_0 + A_1 x + \ldots + A_{k-1} x^{k-1}" align="absmiddle" /> 
<p>The "pieces" are [tex dpi=72]n[/tex] distinct points on this curve, none of them at [tex dpi=72]x=0[/tex].  Given [tex dpi=72]k[/tex] points, you can reconstruct the polynomial and hence determine [tex dpi=72]A_0[/tex].</p>
<p>So far, so good.  However, does this method guarantee that given fewer than [tex dpi=72]k[/tex] points, you can't determine <i>anything</i> about [tex dpi=72]A_0[/tex]?</p>
<p>Andy points out that using the example on the Wikipedia entry, you <i>can</i> find out something about it.</p>
<p>Andy is right.  If anything, it's the Wikipedia page that's misleading.</p>
<h2>The example</h2>
<p>Here's the relevant part of the Wikipedia example, which has a problem in it:</p>
<blockquote>Suppose that our secret is our ATM code: 1234 (S=1234) [ed: that's [tex dpi=72]A_0=1234[/tex] in our notation].  We wish to divide the secret into 6 parts (n=6), where any subset of 3 parts (k=3) is sufficient to reconstruct the secret. At random we obtain 2 numbers: 166, 94.</blockquote>
<p>Did you spot the problem?</p>
<p>No?  Here's that last sentence again:</p>
<blockquote>At random we obtain 2 numbers: 166, 94.</blockquote>
<p>This is an instance of the famous <a href="http://en.wikipedia.org/wiki/Two_envelopes_problem">two envelopes problem</a>.  Essentially, the problem here is that for Shamir's system to be secure, you need to pick two positive integers completely at random.  The problem is that it's <i>not</i> possible to pick two arbitrary positive integers in such a way that every integer is equally likely to be chosen.</p>
<p>The reasoning is simple: Suppose I pick <i>x</i> and <i>y</i> completely at random, and each positive integer has an equal probability of being chosen.  There are a finite number of positive integers less than or equal to <i>x</i>, and an infinite number greater than it.  So with probability 1, <i>y</i> is greater than <i>x</i>.</p>
<p>But by analogous reasoning, with probability 1, <i>x</i> is greater than <i>y</i>.  This is a contradiction, so the assumption that it's possible to choose integers in such a manner is false.</p>
<h2>Finite fields</h2>
<p>The Wikipedia page misses a very important point in the paper:</p>
<blockquote>To make this claim more precise, we use modular arithmetic instead of real arithmetic. The set of integers modulo a prime number <i>p</i> forms a field in which interpolation is possible.</blockquote>
<p>In fact, this condition is overly restrictive and impractical.  If the secret is a number between 0 and N, then we need to find a prime number bigger than N to use as our modulus.  If N is large, then finding a prime is hard.  (Probabilistic techniques exist for finding large numbers that look enough like primes for RSA to work; however, if you turn out to pick a non-prime, then you get a non-field, and interpolation doesn't work.)  However, thanks to Galois, we can easily construct finite fields with at least as many elements as we need.  In particular, you can always form a field with [tex dpi=72]2^b[/tex] elements for any [tex dpi=72]b[/tex]; for computer implementations, this is invariably the most convenient finite field to work in.  (It's what they use in Diffie-Hellman key exchange, for example.)</p>
<p>So let's look at this again, this time using a smaller example.</p>
<p>Suppose that we're working modulo 5 (which is a prime), and the secret that we want to share is 2.  We want to split this into three parts, such that you need two parts to reconstruct the secret.</p>
<p>We pick a random number between 0 and 4 (because we're working in a finite range, the two envelope paradox doesn't apply).  Let's say it's 1.</p>
<p>So we form our polynomial:</p>
 <img src="http://andrew.bromage.org/blog/latex/6cbfee29ba00b84f0f4a6dd0d98b1a79.png" title="f(x) = x + 2" alt="f(x) = x + 2" align="absmiddle" /> 
<p>Let's suppose that we know the value of [tex dpi=72]f(1)=3[/tex].  What do we know about [tex dpi=72]f(0)[/tex]?</p>
<p>The answer is: Nothing.</p>
<p>Why?  There are five possible polynomials that satisfy [tex dpi=72]f(1)=3[/tex], all of which have different values at 0, <i>and they're all equally likely</i>.</p>
<p>Work it out and see.</p>
<p>The same reasoning works for any finite field, but for the moment, we'll stick with "sufficiently large prime".</p>
<h2>Divisibility</h2>
<p>Andy's argument contains, in part:</p>
<blockquote>Because [tex dpi=72]g(0)[/tex] is a positive integer, we know that [tex dpi=72]D_1 > 1000[/tex], and that [tex dpi=72]D_1[/tex] is a multiple of 2.</blockquote>
<p>It should now be obvious why Andy's argument doesn't apply in arithmetic modulo a sufficiently large prime: All sufficiently large primes are odd, and when working in such a modulus, just because a number is multiplied by 2, that doesn't make it even.  In our example, we used modulo 5.  What's 3 times 2 modulo 5?  Is it even or odd?</p>
<p>It gets more complicated in arbitrary fields (and I wish I had the time to go into Galois fields a bit further), but this is basically all you need to know: When working with fields, the concept of "divisibility" doesn't come up.  In a field, every number can be divided by any other non-zero number.  Using the most familiar example of a field, the rationals, you can see that it doesn't even make sense to ask if 2/3 is even or odd.  The same thing is going on here.</p>
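<p>The mod 5 example above, and the general method, in runnable form.  This is an added example, not Andy's code or the paper's: it makes shares over the integers modulo a prime p, reconstructs the secret from any k of them by Lagrange interpolation at x = 0, and counts, for every possible secret, how many polynomials are consistent with fewer than k shares, which is the "work it out and see" step.  The prime 1613 used for the 1234 example is a constructed choice (the Wikipedia excerpt quoted above gives no modulus).</p>

```python
import random
from itertools import product


def eval_poly(coeffs, x, p):
    """f(x) = A_0 + A_1 x + ... + A_{k-1} x^{k-1} mod p; coeffs[0] is the secret A_0."""
    return sum(a * pow(x, i, p) for i, a in enumerate(coeffs)) % p


def make_shares(secret, n, k, p, rng=random):
    """Pick A_1 .. A_{k-1} uniformly from 0 .. p-1 (a finite range, so the two
    envelopes problem does not arise) and hand out n points at x = 1 .. n."""
    if not 0 <= secret < p or n >= p:
        raise ValueError("need 0 <= secret < p and n < p so the x's are distinct and non-zero")
    coeffs = [secret] + [rng.randrange(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def reconstruct(shares, p):
    """Lagrange interpolation evaluated at x = 0 over the field mod p.
    Any k distinct shares of a degree-(k-1) polynomial give back A_0."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p        # product of (0 - x_j)
                den = den * (xi - xj) % p    # product of (x_i - x_j)
        # pow(den, -1, p) is the modular inverse: division always works in a field
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def candidate_secrets(known_shares, k, p):
    """For each possible secret, count the degree-(k-1) polynomials over the
    field mod p that pass through the known shares.  With fewer than k shares
    every secret gets the same count, so the shares say nothing about A_0.
    Brute force, so only sensible for small p."""
    counts = {s: 0 for s in range(p)}
    for coeffs in product(range(p), repeat=k):
        if all(eval_poly(coeffs, x, p) == y for x, y in known_shares):
            counts[coeffs[0]] += 1
    return counts


if __name__ == "__main__":
    p = 5
    print("polynomials over GF(5) with f(1) = 3, and the secret f(0) each gives:")
    for a1 in range(p):
        a0 = (3 - a1) % p
        print(f"  f(x) = {a1}x + {a0}  ->  f(0) = {a0}")
    print("counts per candidate secret:", candidate_secrets([(1, 3)], 2, p))
    print("3 * 2 mod 5 =", (3 * 2) % 5, "(multiplying by 2 does not make it even)")
    shares = make_shares(1234, 6, 3, 1613)   # 1613 is a constructed prime > 1234
    print("shares:", shares)
    print("any three give back", reconstruct(shares[:3], 1613))
```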
<p>Anyway, it's 2am.  I hope this helped.  Feel free to ask any questions.</p>
<p>And I expect that somebody will probably fix the Wikipedia example soonish.</p>]]>
    </content>
</entry>

<entry>
    <title>The Post-Fab Four?</title>
    <link rel="alternate" type="text/html" href="http://andrew.bromage.org/blog/archive/2007/10/the-postfab-four-1.html" />
    <id>tag:andrew.bromage.org,2007:/blog//25.4247</id>

    <published>2007-10-17T05:50:23Z</published>
    <updated>2008-06-27T04:43:33Z</updated>

    <summary>The new video clip from the nerdiest musicians in the world. They Might Be Giants - The Mesopotamians Ozymandias meets The Monkees....</summary>
    <author>
        <name>ajb</name>
        <uri>http://andrew.bromage.org/</uri>
    </author>
    
        <category term="animation" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="mindless media propagation" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="music" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="animation" label="animation" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mmp" label="mmp" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="music" label="music" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://andrew.bromage.org/blog/">
        <![CDATA[The new video clip from the nerdiest musicians in the world.

<a href="http://myspacetv.com/index.cfm?fuseaction=vids.individual&videoid=19482974">They Might Be Giants - The Mesopotamians</a><br><embed src="http://lads.myspace.com/videos/vplayer.swf" flashvars="m=19482974&v=2&type=video" type="application/x-shockwave-flash" width="430" height="346"></embed>

Ozymandias meets The Monkees.]]>
        
    </content>
</entry>

</feed>
