
John D. Cook

@johndcook.mathstodon.xyz.ap.brid.gy

Consultant in applied mathematics and data privacy https://www.johndcook.com [bridged from https://mathstodon.xyz/@johndcook on the fediverse by https://fed.brid.gy/ ]

148 Followers  |  0 Following  |  306 Posts  |  Joined: 18.11.2024

Latest posts by johndcook.mathstodon.xyz.ap.brid.gy on Bluesky

Post image

New post: The Smith chart

https://www.johndcook.com/blog/2025/10/23/smith-chart/

23.10.2025 14:23 — 👍 2    🔁 1    💬 0    📌 0
Post image

Randomly generating points in Colorado

https://www.johndcook.com/blog/2025/10/22/generating-random-points-in-colorado/

22.10.2025 13:06 — 👍 0    🔁 0    💬 0    📌 0
Random spherical coordinates

The topic of generating random points on a unit sphere has come up several times here. The standard method using normal random samples generates points (_x_, _y_, _z_) in Cartesian coordinates. If you wanted points in spherical coordinates, you could first generate points in Cartesian coordinates, then convert them to spherical coordinates. But it would seem more natural, and possibly more efficient, to generate spherical coordinates (ρ, θ, ϕ) directly. That's what we'll do in this post.

Unfortunately there are several conventions for spherical coordinates, as described here, so we should start by saying we're using the math convention that (ρ, θ, ϕ) means (radius, longitude, polar angle). The polar angle ϕ is 0 at the north pole and π at the south pole.

Generating the first two spherical coordinate components is trivial. On a unit sphere, ρ = 1, and θ we generate uniformly on [0, 2π]. The polar angle ϕ requires more thought. If we simply generated ϕ uniformly from [0, π] we'd put too many points near the poles and too few points near the equator.

As I wrote about a few days ago, the _x_, _y_, and _z_ coordinates of points on a sphere are uniformly distributed. In particular, the _z_ coordinate is uniformly distributed, and so we need cos ϕ to be uniformly distributed, not ϕ itself. We can accomplish this by generating uniform points from [−1, 1] and taking the inverse cosine.

Here's Python code summarizing the algorithm for generating random points on a sphere in spherical coordinates.

    from numpy import random, pi, arccos

    def random_pt(): # in spherical coordinates
        rho = 1
        theta = 2*pi*random.random()
        phi = arccos(1 - 2*random.random())
        return (rho, theta, phi)

See the next post for a demonstration.
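Although the next post gives a fuller demonstration, here is a quick sanity check (not from the original post): the cos ϕ values produced by `random_pt` above should be uniform on [−1, 1], which a Kolmogorov-Smirnov test can confirm. A minimal sketch, assuming `random_pt` as defined above:

    import numpy as np
    from scipy.stats import kstest

    # Draw many samples and test whether cos(phi) looks uniform on [-1, 1].
    phis = np.array([random_pt()[2] for _ in range(10_000)])
    print(kstest(np.cos(phis), 'uniform', args=(-1, 2)))  # expect a large p-value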

Randomly generating spherical coordinates

https://www.johndcook.com/blog/2025/10/22/random-spherical-coordinates/

22.10.2025 13:04 — 👍 0    🔁 0    💬 0    📌 0
Post image

Distribution of the correlation coefficient

https://www.johndcook.com/blog/2025/10/20/distribution-of-correlation/

20.10.2025 12:14 — 👍 0    🔁 0    💬 1    📌 0
Post image

Converting between nines and sigmas

https://www.johndcook.com/blog/2025/10/18/quality-metrics/

18.10.2025 19:55 — 👍 0    🔁 0    💬 0    📌 0
Post image

Turning trig identities into Fibonacci identities

https://www.johndcook.com/blog/2025/10/17/trig-fibonacci/

17.10.2025 12:07 — 👍 1    🔁 1    💬 0    📌 0
Ethereum branded hero image

Ethereum’s consensus layer elliptic curve: BLS12-381

https://www.johndcook.com/blog/2025/10/13/ethereum-bls12-381/

13.10.2025 13:43 — 👍 0    🔁 0    💬 0    📌 0
Post image

A different graphic for introducing my latest blog post.

13.10.2025 10:41 — 👍 2    🔁 0    💬 0    📌 0
Post image

The connection between Möbius transformations and 2 x 2 matrices.

https://www.johndcook.com/blog/2025/10/12/invert-mobius/

12.10.2025 17:45 — 👍 0    🔁 0    💬 0    📌 0
Generate random points inside a sphere

For reasons I don't understand, it's more common, at least in my experience, to see references on how to generate points **on** a sphere than **in** a sphere. But the latter is easily obtained from the former.

The customary way to generate points **on** a sphere in _n_ dimensions is to generate points from an _n_-dimensional normal (Gaussian) distribution and normalize by dividing by the length. And the way to generate samples from an _n_-dimensional normal is simply to generate a list of _n_ one-dimensional normals [1].

The way to generate points **in** a sphere is to generate a point _S_ on the sphere, then randomly adjust its radius _r_. If you generate a uniform random sample _u_ from [0, 1] and set _r_ = _u_, you'll over-sample points near the origin. Instead, the thing to do is to set

    r = u^(1/n)

That's because volume is proportional to _r_^_n_. Taking the _n_th root of _u_ makes the volume inside a sphere of radius _r_ uniformly distributed.

Note: for the special case of _n_ = 2, it's simpler and more efficient to simply generate θ uniformly from [0, 2π].

## Demonstration

To illustrate this, I'll use the same technique as the post on sampling from a tetrahedron: generate random points in a sphere and see whether the right proportion fall inside a (hyper)cube inside the sphere. We'll work in _n_ = 4 dimensions and use a sphere of radius _R_ = 5. Our test cube will be the cube with all vertex coordinates equal to 1 or 2. We'll have to use a lot of sample points. (This is why naive Monte Carlo breaks down in high dimensions: it may be that few if any points land in the region of interest.)

Here's the code to do the sampling.

    import numpy as np
    from scipy.stats import norm
    from scipy.special import gamma

    def incube(v):
        return all(1 <= x <= 2 for x in v)

    def sample(R, n):
        x = norm.rvs(size=n)
        x /= np.linalg.norm(x)
        u = np.random.random()
        x *= R*u**(1/n)
        return x

    R = 5
    n = 4
    N = 100_000_000

    # volume of the n-dimensional ball of radius R
    V = R**n * np.pi**(n/2) / gamma(n/2 + 1)
    print(V)

    count = 0
    for _ in range(N):
        v = sample(R, n)
        if incube(v):
            count += 1
    print(count/N, 1/V)

This prints

    0.0003252 0.000324

The two results agree to four decimal places, which is about what we'd expect given 1/√N = 0.0001.

[1] If you're porting the sampler above to an environment where you don't have a function like `norm.rvs` for generating normal random samples, you can roll your own using the Box-Muller transformation. For example, here is a C++ implementation from scratch.

New post: Generate random points inside a sphere (of any dimension)

https://www.johndcook.com/blog/2025/10/11/ball-rng/

11.10.2025 22:23 — 👍 1    🔁 0    💬 0    📌 0
GPT-5 for AI-assisted discovery

Many hope that AI will be "smart enough" to make breakthrough scientific discoveries in the near future, such as finding a cure for cancer. Some research efforts have sought to create an "AI Scientist" that can make discoveries in an automated or semi-automated way; for a recent example, see [1]. Others [2] have called out the methodological pitfalls of some of these attempts. Still others question whether a truly original discovery is even possible at all for an AI.

OpenAI released GPT-5 on August 7. Some found it lackluster, falling short of expectations. Others, however, found its performance in some areas to be a significant advance over its predecessor. Two recent reports show the new model's utility. Scott Aaronson published a paper last month [3], [4] in which "a key technical step in the proof of the main result came from AI." Also, Terence Tao reported earlier this month [5] his use of ChatGPT to find a first counterexample to an unsolved mathematics problem.

I'm sure this resonates with the experience of other researchers using the tool. Recently, in the course of a discussion I had with ChatGPT, it came up with a new algorithmic recipe for something I was working on, based on ideas combined from several papers but in itself apparently original. That was a very simple case, but on a grander scale, connecting two ideas together in a novel way can lead to a real breakthrough. For example, Faltings' proof of the Mordell Conjecture in 1983 was based on recognizing a subtle internal connection among some already existing theorems.

There is always the specter of concern that an idea "maybe was already in the training data." It can be difficult to prove otherwise. But deep domain experts like Scott Aaronson and Terence Tao are well positioned to judge whether an idea is truly an original, never-before-published result.

If past is prologue, we can hope for more powerful models in the future that can solve increasingly hard problems.

#### Notes

[1] Yixuan Weng, Minjun Zhu, Qiujie Xie, Qiyao Sun, Zhen Lin, Sifan Liu, Yue Zhang, "DeepScientist: Advancing Frontier-Pushing Scientific Findings Progressively." https://arxiv.org/abs/2509.26603

[2] Ziming Luo, Atoosa Kasirzadeh, Nihar B. Shah, "The More You Automate, the Less You See: Hidden Pitfalls of AI Scientist Systems." https://arxiv.org/abs/2509.08713

[3] "The QMA Singularity." https://scottaaronson.blog/?p=9183

[4] Scott Aaronson, Freek Witteveen, "Limits to black-box amplification in QMA." https://arxiv.org/abs/2509.21131

[5] https://mathstodon.xyz/@tao/115306424727150237

GPT-5 for AI-assisted discovery

https://www.johndcook.com/blog/2025/10/10/gpt-5-for-ai-assisted-discovery/

10.10.2025 14:30 — 👍 0    🔁 0    💬 0    📌 0
More on Carmichael

This morning I took an old blog post and turned it into an X thread. I think the thread is easier to read: more expository and less rigorous. The post and thread look at generalizations of the fact that every integer and its fifth power end in the same digit. The conclusion is that _n_ and _n_^_k_ end in the same digit base _b_ if _b_ is square-free and _k_ = φ(_b_) + 1. So, for example, 10 is square-free (i.e. not divisible by a non-trivial square) and φ(10) + 1 = 5.

Benjamin Clark replied suggesting looking at λ(_b_) + 1 in addition to φ(_b_) + 1.

## Euler and Carmichael

To back up a bit, φ(_n_) is Euler's totient function, the number of positive integers less than and relatively prime to _n_. Robert Carmichael's totient function λ(_n_) is a closely related function, one that replaced Euler's function in implementations of RSA encryption (more specifically in RSA _de_cryption), something I wrote about earlier this week.

Euler's generalization of Fermat's little theorem says that if _a_ is relatively prime to _n_, then

    a^φ(n) = 1 (mod n).

Carmichael's totient λ(_n_) is the smallest number such that

    a^λ(n) = 1 (mod n)

when _a_ is relatively prime to _n_. Sometimes φ(_n_) = λ(_n_), namely for _n_ = 1, 2, 4, and every odd prime power. Otherwise λ(_n_) is a proper divisor of φ(_n_).

## Carmichael's conjecture

Carmichael conjectured that for every _n_ there is at least one other integer _m_ ≠ _n_ such that φ(_m_) = φ(_n_). He proved that this is true at least for _n_ less than 10^37. The conjecture is now known to be true for _n_ less than 10^10^10.
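For a concrete check of the claims above, here is a small sketch using SymPy, which exposes Euler's totient as `totient` and Carmichael's function as `reduced_totient` (function names assumed from SymPy's number theory module):

    from sympy import totient, reduced_totient

    # n and n^(phi(10)+1) end in the same digit, since 10 is square-free
    k = totient(10) + 1   # phi(10) = 4, so k = 5
    assert all(n % 10 == n**k % 10 for n in range(1000))

    # Compare Euler's phi with Carmichael's lambda for a few n
    for n in [8, 10, 15, 16, 21]:
        print(n, totient(n), reduced_totient(n))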

More on Carmichael and totient functions

https://www.johndcook.com/blog/2025/10/09/more-on-carmichael/

09.10.2025 13:59 — 👍 0    🔁 1    💬 0    📌 0
Post image

Differential equation on a donut

https://www.johndcook.com/blog/2025/10/08/diffeq-donut/

09.10.2025 00:49 — 👍 1    🔁 1    💬 0    📌 0
RSA with multiple primes

Typically RSA public keys are the product of two large primes, _n_ = _pq_. But there's no reason they couldn't be the product of, say, three primes, _n_ = _pqr_, or more primes, as long as φ(_n_), or λ(_n_), is calculated correctly.

Encryption is done the same way. Decryption _could_ be done the same way, except there is the opportunity for it to be more efficient. The trick is to use the CRT (Chinese Remainder Theorem) in a way similar to Garner's algorithm. This is why RSA with multiple primes is sometimes used for digital signatures.

The difficulty of factoring _n_ using the GNFS algorithm doesn't change depending on the number of factors _n_ has, as long as all the factors are sufficiently large, far too large to find using trial division.

Daniel Bernstein's post-quantum RSA paper was based on keys that are the product of a large number of 4096-bit primes. This way all the arithmetic is carried out modulo 4096-bit primes, not modulo terabyte primes.
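Here is a minimal sketch of multi-prime RSA with CRT decryption. The primes are tiny and made up purely for illustration (real keys use primes of 1024 bits or more), and it assumes Python 3.9+ for `math.lcm` and the three-argument `pow` inverse:

    from math import gcd, lcm, prod

    p, q, r = 1009, 1013, 1019                  # tiny illustrative primes
    n = prod([p, q, r])
    lam = lcm(p - 1, q - 1, r - 1)              # Carmichael's lambda(n)
    e = 65537
    assert gcd(e, lam) == 1
    d = pow(e, -1, lam)                         # private exponent

    m = 123456789 % n
    c = pow(m, e, n)                            # encryption is unchanged

    # Straightforward decryption
    assert pow(c, d, n) == m

    # CRT decryption: work modulo each prime separately, then recombine
    def crt(residues, moduli):
        N = prod(moduli)
        x = 0
        for a, m_i in zip(residues, moduli):
            Ni = N // m_i
            x += a * Ni * pow(Ni, -1, m_i)
        return x % N

    parts = [pow(c, d % (pi - 1), pi) for pi in (p, q, r)]
    assert crt(parts, [p, q, r]) == m

The CRT step is where the efficiency comes from: each exponentiation is done modulo a single prime with a reduced exponent, rather than modulo the full product.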

RSA encryption with multiple primes

https://www.johndcook.com/blog/2025/10/07/rsa-with-multiple-primes/

07.10.2025 15:01 — 👍 0    🔁 1    💬 1    📌 0
True growth rate accounting for inflation

In an inflationary economy, the purchasing power of your currency continually deteriorates. If you have an investment that grows more slowly than your purchasing power shrinks, you're actually losing value over time. The true rate of growth is the rate of change in the purchasing power of your investment.

If the inflation rate is _r_ and the rate of growth from your investment is _i_, then intuitively the **true rate of growth** is _g_ = _i_ − _r_. But is it? That depends on whether your investment and inflation compound periodically or continuously [1].

## Periodic compounding

If you start with an investment _P_, the amount of currency in the investment after compounding _n_ times will be _P_(1 + _i_)^_n_. But the purchasing power of that amount will be

    P (1 + i)^n (1 + r)^(−n).

If the principal were invested at the true rate of growth, its value at the end of _n_ periods would be _P_(1 + _g_)^_n_. So setting

    P (1 + i)^n (1 + r)^(−n) = P (1 + g)^n

gives us

    g = (i − r) / (1 + r).

The true rate of growth is **less** than what intuition would suggest.

## Continuous compounding

With continuous compounding, an investment of _P_ for time _T_ becomes _P_ exp(_iT_) and has purchasing power _P_ exp(_iT_) exp(−_rT_). If

    P exp(iT) exp(−rT) = P exp(gT)

then _g_ = _i_ − _r_ as expected.

## Related posts

* Hyperinflation changes everything
* Taylor series and the Argentine peso

[1] Robert C. Thompson. The True Growth Rate and the Inflation Balancing Principle. The American Mathematical Monthly, Vol. 90, No. 3 (Mar., 1983), pp. 207–210
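A quick numerical check of the periodic-compounding formula, with illustrative numbers not taken from the post:

    # i = 7% investment growth, r = 3% inflation, compounded over n periods
    i, r, n, P = 0.07, 0.03, 10, 1000.0

    purchasing_power = P * (1 + i)**n / (1 + r)**n
    g = (i - r) / (1 + r)          # true growth rate
    naive = i - r                  # intuitive but too optimistic

    print(purchasing_power)        # equals P*(1 + g)**n
    print(P * (1 + g)**n)
    print(P * (1 + naive)**n)      # overstates the result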

Say you have an investment compounding periodically at a rate i while inflation is compounding periodically at a rate r. Then the true growth rate is NOT

(i − r)

but rather

(i − r) / (1 + r).

https://www.johndcook.com/blog/2025/10/06/true-growth-rate/

06.10.2025 18:50 — 👍 0    🔁 0    💬 0    📌 0
Post image

"Mathematicians love ... [to] take a familiar concept, relax one of its assumptions, and then torture it until it squeals."

https://www.thepsmiths.com/p/briefly-noted-summer-reading

06.10.2025 15:08 — 👍 0    🔁 1    💬 0    📌 0
Fermat primes and tangent numbers

## Fermat numbers

The _n_th Fermat number is defined by

    F(n) = 2^(2^n) + 1.

Pierre Fermat conjectured that the _F_(_n_) were prime for all _n_, and they are for _n_ = 0, 1, 2, 3, and 4, but Leonhard Euler factored _F_(5), showing that it is not prime.

## Tangent numbers

The _n_th tangent number is defined by the Taylor series for tangent:

    tan(z) = Σ T(n) z^n / n!.

Another way to put it is that the exponential generating function for _T_(_n_) is tan(_z_).

## Fermat primes and tangent numbers

Here's a remarkable connection between Fermat numbers and tangent numbers, discovered by Richard McIntosh as an undergraduate [1]:

_F_(_n_) is prime if and only if _F_(_n_) does not divide _T_(_F_(_n_) − 2).

That is, the _n_th Fermat number is prime if and only if it does not divide the (_F_(_n_) − 2)th tangent number.

We could duplicate Euler's assessment that _F_(5) is not prime by showing that 4294967297 does not divide the 4294967295th tangent number. That doesn't sound very practical, but it's interesting.

[1] Richard McIntosh. A Necessary and Sufficient Condition for the Primality of Fermat Numbers. The American Mathematical Monthly, Vol. 90, No. 2 (Feb., 1983), pp. 98–99
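To see the criterion in action on a case small enough to compute, here is a sketch that checks F(2) = 17, reading the relevant tangent number off the Taylor series of tan(z) with SymPy (the series-coefficient approach is an assumption on my part, not the post's method):

    from sympy import tan, Symbol, factorial

    z = Symbol('z')
    k = 15                                     # F(2) - 2 = 17 - 2 = 15
    poly = tan(z).series(z, 0, k + 1).removeO()
    T = poly.coeff(z, k) * factorial(k)        # the 15th tangent number
    print(T, T % 17)   # remainder is nonzero, consistent with 17 being prime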

Fermat primes and tangent numbers

https://www.johndcook.com/blog/2025/10/05/fermat-primes-tangent/

05.10.2025 22:44 — 👍 0    🔁 1    💬 0    📌 0
Time needed to factor large integers

The optimal choice of factoring algorithm depends on the size of the number you want to factor. For numbers larger than a googol (10^100) the GNFS (general number field sieve) is the fastest known factoring algorithm, making GNFS the algorithm of choice for trying to factor public keys for RSA encryption.

The expected time required to factor a number _n_ using the GNFS is proportional to

    exp( f(n) g(n) )

where _f_(_n_) is relatively constant and _g_(_n_) varies more strongly with _n_. More specifically,

    f(n) = (64/9)^(1/3) + o(1)

and

    g(n) = (log n)^(1/3) (log log n)^(2/3).

The notation _o_(1) means a term that goes to zero as _n_ increases. Very often in practice you can ignore _o_(1) terms when your value of _n_ is large. In cryptographic applications _n_ is certainly large, at least 2^1024, and yet the _o_(1) term is still significant for values of _n_ seen in practice. I've seen one source say that for keys used in practice the _o_(1) term is around 0.27.

## Security levels

It is widely stated that factoring a 1024-bit private key is comparable in difficulty to breaking an 80-bit symmetric encryption key, i.e. that 1024-bit keys provide 80-bit security. To find the security level of a 1024-bit RSA key, the size of the _o_(1) term matters. But given this, if we want to find the security level of more RSA key sizes, it doesn't matter how big the _o_(1) term is. It only matters that the term is roughly constant over the range of key sizes we are interested in.

If _f_(_n_) is relatively constant, then the log of the time to factor _n_ is proportional to _g_(_n_), and the log of the time to break an encryption with security level _k_ is proportional to _k_. So the security level of a key _n_ should be proportional to _g_(_n_). Let's see if that's the case, using the reported security levels of various key sizes.

    import numpy as np

    # RSA key sizes and security levels
    data = {
        1024 : 80,
        2048 : 112,
        3072 : 128,
        4096 : 140,
        7680 : 192,
    }

    for d in data:
        x = d*np.log(2) # natural log of 2^d
        y = x**(1/3)*(np.log(x)**(2/3))
        print(data[d]/y)

This prints the following:

    2.5580
    2.6584
    2.5596
    2.4819
    2.6237

So the ratio is fairly constant, as expected. All the reported security levels are multiples of 4, which suggests there was some rounding done before reporting them. This would account for some of the variation above.

The output above suggests that the security level of an RSA key with _b_ bits is roughly

    2.55 x^(1/3) (log x)^(2/3)

where _x_ = _b_ log 2 (see the sketch at the end of this post).

## Aside on RSA security

RSA encryption is not broken by factoring keys but by exploiting implementation flaws. Factoring a 2048-bit RSA key would require more energy than the world produces in a year, as explained here.
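Here is a small sketch that packages the fit above as a function. The constant 2.55 is just the empirical ratio from the table, so the outputs are rough estimates, not official security levels:

    import numpy as np

    def security_level(bits, c=2.55):
        # back-of-the-envelope estimate based on the fitted ratio above
        x = bits * np.log(2)
        return c * x**(1/3) * np.log(x)**(2/3)

    for b in [1024, 2048, 3072, 15360]:
        print(b, round(security_level(b)))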

Time required to factor large integers

https://www.johndcook.com/blog/2025/09/30/time-needed-to-factor-large-integers/

30.09.2025 15:00 — 👍 1    🔁 0    💬 0    📌 0
Post image

The ratio of logs to different bases is constant.

What can you say about the ratio of iterated logs to different bases?

https://www.johndcook.com/blog/2025/09/29/log-log-x/

30.09.2025 01:12 — 👍 2    🔁 1    💬 0    📌 0
Post image

Extrapolating quantum factoring

https://www.johndcook.com/blog/2025/09/28/extrapolating-quantum-factoring/

28.09.2025 19:12 — 👍 0    🔁 0    💬 0    📌 0
Post-quantum RSA with gargantuan keys

If and when practical, scalable quantum computers become available, RSA encryption would be broken, at least for key sizes currently in use. A quantum computer could use Shor's algorithm to factor _n_-bit numbers in time on the order of _n_². The phrase "quantum leap" is misused and overused, but this would legitimately be a quantum leap.

That said, Shor's method isn't instantaneous, even on a hypothetical machine that does not yet exist and may never exist. Daniel Bernstein estimates that RSA encryption with **terabyte** public keys would be secure even in a post-quantum world.

Bernstein said on a recent podcast that he isn't seriously suggesting using RSA with terabyte keys. Computing the necessary key size is an indirect way of illustrating how impractical post-quantum RSA would be.

## Related posts

* Between now and quantum
* El Salvador's Bitcoin and quantum computing
* Mixing error-correcting codes and cryptography

Post-quantum RSA with gargantuan keys

https://www.johndcook.com/blog/2025/09/26/post-quantum-rsa/

26.09.2025 22:27 — 👍 1    🔁 0    💬 0    📌 0
Post image

New post: Conway's pinwheel tiling

https://www.johndcook.com/blog/2025/09/25/conways-pinwheel-tiling/

26.09.2025 03:14 — 👍 1    🔁 0    💬 0    📌 0
Silent Payments

Bitcoin transactions appear to be private because names are not attached to accounts. But that is not sufficient to ensure privacy; if it were, much of my work in data privacy would be unnecessary. It's quite possible to identify people in data that does not contain any direct identifiers. I hesitate to use the term pseudonymization because people define it multiple ways, but I'd say Bitcoin addresses provide pseudonymization but not necessarily deidentification.

Privacy and public ledgers are in tension. The Bitcoin ledger is superficially private because it does not contain user information, only addresses [1]. However, transaction details are publicly recorded on the blockchain.

To add some privacy to Bitcoin, addresses are typically used only once. Wallet software generates new addresses for each transaction, and so it's not trivial to track all the money flowing between two people. But it's not impossible either. Forensic tools make it possible to identify parties behind blockchain transactions via metadata and by correlating information on the blockchain with information available off-chain.

## Silent Payments

Suppose you want to take donations via Bitcoin. If you put a Bitcoin address on your site, that address has to be permanent, and it's publicly associated with you. It would be trivial to identify (the addresses of) everyone who sends you a donation.

Silent payments provide a way to work around this problem. Alice could send donations to Bob repeatedly without it being obvious who either party is, and Bob would not have to change his site. To be clear, there would be no way to tell _from the addresses_ that funds are moving between Alice and Bob. The metadata vulnerabilities remain.

Silent payments are not implemented in Bitcoin Core, but there are partial implementations out there. See BIP 352.

The silent payment proposal depends on ECDH (elliptic curve Diffie-Hellman) key exchange, so I'll do a digression on ECDH before returning to silent payments per se.

## ECDH

The first thing to know about elliptic curves, as far as cryptography is concerned, is that there is a way to add two points on an elliptic curve and obtain a third point. This turns the curve into an Abelian group. You can bootstrap this addition to create a multiplication operation: given a point _g_ on an elliptic curve and an integer _n_, _ng_ means add _g_ to itself _n_ times.

Multiplication can be implemented efficiently even when _n_ is an enormous number. However, and this is key, multiplication cannot be undone efficiently. Given _g_ and _n_, you can compute _ng_ quickly, but it's practically impossible to start with knowledge of _ng_ and _g_ and recover _n_. To put it another way, multiplication is efficient but division is practically impossible [2].

Suppose Alice and Bob both agree on an elliptic curve and a point _g_ on the curve. This information can be public. ECDH lets Alice and Bob share a secret as follows. Alice generates a large random integer _a_, her private key, and computes a public key _A_ = _ag_. Similarly, Bob generates a large random integer _b_ and computes a public key _B_ = _bg_. Their shared secret is _aB_ = _bA_. Alice can compute _aB_ because she (alone) knows _a_ and _B_ is public information. Similarly Bob can compute _bA_. The two points on the curve _aB_ and _bA_ are the same because _aB_ = _abg_ = _bag_ = _bA_. (A toy numerical illustration appears at the end of this post.)

## Back to silent payments

ECDH lets Alice and Bob share a secret, a point on a (very large) elliptic curve. This is the heart of silent payments.

In its simplest form, Alice can send Bob funds using the address _P_ = _B_ + hash(_aB_) _g_. A slightly more complicated form lets Alice send Bob funds multiple times. The _k_th time she sends money to Bob she uses the address _P_ = _B_ + hash(_aB_ || _k_) _g_ where || denotes concatenation.

But how do you know _k_? You have to search the blockchain to determine _k_, much like the way hierarchical wallets search the blockchain. Is the address corresponding to _k_ = 0 on the blockchain? Then try again with _k_ = 1. Keep doing this until you find the first unused _k_. Making this process more efficient is one of the things that is being worked on to fully implement silent payments.

Note that Bob needs to make _B_ public, but _B_ is not a Bitcoin address _per se_; it's information needed to _generate_ addresses via the process described above. Actual addresses are never reused.

## Related posts

* Diffie Hellman problems
* Vanity addresses
* Probability of typing a wrong address

[1] Though if you obtain your Bitcoin through an exchange, KYC laws require them to save a _lot_ of private information.

[2] Recovering _n_ from _ng_ is known as the discrete logarithm problem. It would be more logical to call it the discrete division problem, but if you write the group operation on an elliptic curve as multiplication rather than addition, then it's a discrete logarithm, i.e. trying to solve for an unknown exponent. If and when a large-scale quantum computer exists, the discrete logarithm problem will be practical to solve, but presumably not until then.
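To make the ECDH step concrete, here is a toy sketch over a very small curve. Everything in it (the modulus, the curve, the hash-to-scalar step) is made up for illustration; real silent payments use secp256k1 and the precise derivation rules of BIP 352.

    import hashlib, random

    # Toy curve y^2 = x^3 + 7 over a small prime field. NOT secure, purely illustrative.
    p = 9739
    a, b = 0, 7

    def inv(x):
        return pow(x, p - 2, p)   # modular inverse via Fermat's little theorem

    def add(P, Q):
        # Elliptic curve point addition; None represents the point at infinity.
        if P is None: return Q
        if Q is None: return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None
        if P == Q:
            m = (3*x1*x1 + a) * inv(2*y1) % p
        else:
            m = (y2 - y1) * inv(x2 - x1) % p
        x3 = (m*m - x1 - x2) % p
        return (x3, (m*(x1 - x3) - y1) % p)

    def mul(n, P):
        # Double-and-add scalar multiplication: compute n*P.
        R = None
        while n:
            if n & 1:
                R = add(R, P)
            P = add(P, P)
            n >>= 1
        return R

    def base_point():
        # Find some point on the curve to serve as the public base point g.
        for x in range(1, p):
            rhs = (x**3 + a*x + b) % p
            for y in range(p):
                if y*y % p == rhs:
                    return (x, y)

    g = base_point()

    alice = random.randrange(2, p)     # Alice's private key a
    bob   = random.randrange(2, p)     # Bob's private key b
    A, B = mul(alice, g), mul(bob, g)  # public keys A = a*g, B = b*g

    assert mul(alice, B) == mul(bob, A)   # shared secret: aB = bA

    # Schematic silent-payment address P = B + hash(aB)*g,
    # which Bob can equally compute as B + hash(bA)*g.
    shared = mul(alice, B)
    t = int.from_bytes(hashlib.sha256(str(shared).encode()).digest(), 'big')
    P_addr = add(B, mul(t, g))
    print(P_addr)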

New post: Silent Payments

https://www.johndcook.com/blog/2025/09/25/silent-payments/

25.09.2025 17:27 — 👍 0    🔁 0    💬 0    📌 0
An inverse problem for the quadratic equation

In elementary algebra we learn how to solve ax² + bx + c = 0 for roots r = r₁, r₂. But how about the inverse problem: given a real-valued r, find _integer_ coefficients a, b and c such that r is a root of the corresponding quadratic equation.

A simple approximation can be found by setting b = 0, so r² = −c/a. By appropriately choosing large values of a and c, one can approximate the solution to this inverse problem to arbitrary accuracy. Are there any other solutions (possibly taking advantage of b for a better approximation)?

Two families of algorithms are available: PSLQ [1–3] and LLL [4–5]. The underlying problem formulation behind these algorithms can be understood geometrically. For fixed x, L(a, b, c) = ax² + bx + c is a linear function of (a, b, c), here considering a, b and c as real-valued. Thus, for such x, the equation L(a, b, c) = 0 defines a known plane in 3-D space. However, we seek a, b, c that are integers. The problem then is to find a lattice point (a, b, c) with a, b, c integers that is "near" this plane (for example, close to the plane within tolerance τ, meaning a thin 2-D "slab" of thickness 2τ surrounding the plane contains a lattice point). We would also prefer the magnitudes of a, b and c to be "small" (e.g., bounded by a constant H).

Given this formulation, the PSLQ algorithm attempts to find an exact solution, and gives up if it can't find one. The LLL algorithm, on the other hand, finds approximate solutions within a tolerance.

Python has the mpmath package, which contains mpmath.pslq for the PSLQ algorithm (a short example appears after the references below). The Python sympy package has Matrix.LLL() for the LLL reduction.

A colleague of mine was previously submitting overnight runs to compute solutions using brute force search. More recently, using Python code for the LLL algorithm, he is able to solve a large problem in seconds, with answers that exactly reproduce the brute force solution.

#### References

[1] Ferguson, Helaman R. P.; Bailey, David H. (1992). A Polynomial Time, Numerically Stable Integer Relation Algorithm. RNR Technical Report RNR-91-032, NASA Ames Research Center. https://www.davidhbailey.com/dhbpapers/pslq.pdf

[2] Ferguson, Helaman R. P.; Bailey, David H.; Arno, Steve (1999). Analysis of PSLQ, an integer relation finding algorithm. Mathematics of Computation 68(225): 351–369. https://www.ams.org/mcom/1999-68-225/S0025-5718-99-00995-3/S0025-5718-99-00995-3.pdf

[3] Bailey, David H. (2020). PSLQ: An Algorithm to Discover Integer Relations. (Expository overview.) https://www.davidhbailey.com/dhbpapers/pslq-comp-alg.pdf

[4] Lenstra, Arjen K.; Lenstra, Hendrik W., Jr.; Lovász, László (1982). Factoring Polynomials with Rational Coefficients. Mathematische Annalen 261: 515–534. DOI: https://doi.org/10.1007/BF01457454 (cf. https://www.math.ucdavis.edu/~deloera/MISC/LA-BIBLIO/trunk/Lovasz/LovaszLenstraLenstrafactor.pdf)

[5] Nguyen, Phong Q.; Vallée, Brigitte (eds.) (2010). The LLL Algorithm: Survey and Applications. Springer. https://link.springer.com/book/10.1007/978-3-642-02295-1
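As a concrete sketch of the PSLQ route: asking mpmath.pslq for an integer relation among r², r, and 1 recovers integer quadratic coefficients. The example root below is chosen (not from the post) so the answer is known in advance.

    from mpmath import mp, sqrt, pslq

    mp.dps = 30                    # working precision in decimal digits
    r = 1 + sqrt(2)                # known to satisfy r^2 - 2r - 1 = 0

    # Find integers (a, b, c) with a*r^2 + b*r + c ≈ 0
    print(pslq([r**2, r, 1]))      # expected: [1, -2, -1], up to sign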

An inverse problem for the quadratic equation

https://www.johndcook.com/blog/2025/09/24/an-inverse-problem-for-the-quadratic-equation/

24.09.2025 17:38 — 👍 0    🔁 0    💬 0    📌 0
Mollweide projection map

Mollweide map projection and Newton’s method

https://www.johndcook.com/blog/2025/09/21/mollweide-newton/

21.09.2025 13:04 — 👍 1    🔁 0    💬 0    📌 0
Pioneer probe plaque

Pioneer, Voyager, and the Wow! signal

https://www.johndcook.com/blog/2025/09/18/1420-mhz/

19.09.2025 00:14 — 👍 1    🔁 0    💬 1    📌 0
Album cover for "In the year 2525"

New post: Day of the week centuries from now

https://www.johndcook.com/blog/2025/09/18/day-of-the-week-centuries-from-now/

18.09.2025 12:13 — 👍 0    🔁 0    💬 0    📌 0
Mental math posts

I've written quite a few posts on mental math over the years. I think mental math is important and interesting for a couple of reasons. First, there is some utility in being able to carry out small calculations with rough accuracy without having to stop and open up a calculator. Second, the constraints imposed by mental calculation make you look at a problem differently, often in interesting ways. An approximate mental calculation often requires more understanding than a precise machine calculation.

## Divisibility and factoring

* Divisibility by 2, 3, 4, …, 13
* Divisibility by base minus 1
* Divisibility by base plus 1
* John Conway's factoring tricks
* Divisibility by any prime
* Fermat's factoring trick

## Day of the week

* Day of the week
* Year share

## Transcendental functions

This page outlines how to calculate logarithms base 2, _e_, and 10, and their inverses, linking to other posts for details. It also outlines computing trig functions, roots, and the gamma function. See the links below for more accurate ways to compute logarithms. Incidentally, when I've posted about these approximations before, inevitably someone will say these are just Taylor approximations. No, they aren't.

## Logarithms

* Bidder's logarithms
* Dorfler's logarithms

## Miscellaneous

* Radix conversion
* Squares
* Approximate factorials
* Mentally multiply by π
* Numbers worth remembering

Outline of some of the mental math posts I've written over the years

https://www.johndcook.com/blog/2025/09/17/mental-math-posts/

17.09.2025 19:07 — 👍 0    🔁 0    💬 0    📌 0
Morse code beyond the solar system

The two Voyager probes, launched in 1977, are now in interstellar space beyond our solar system. Each carries a Golden Record, a recording of sounds and encoded images meant to represent Earth and human civilization. I've long intended to listen to the record, and yesterday I did.

One of the cuts is a 12-minute collage of sounds from our planet. It starts with natural sounds (thunder, crickets, frogs, birds, etc.) and progresses to human sounds (a heartbeat, speech, tool use, etc.). The sounds appear in roughly historical order, with the sound of a rocket launch toward the end.

At 7:49 there is Morse code on top of other sounds. I was curious what the message was, so I transcribed it: it's "ad astra per aspera" played twice. This is Latin for "To the stars through hardships."

New post: Morse code beyond the solar system

https://www.johndcook.com/blog/2025/09/17/morse-code-beyond-the-solar-system/

17.09.2025 16:13 — 👍 1    🔁 0    💬 0    📌 0
Post image

New post: Monero’s seed phrase words

https://www.johndcook.com/blog/2025/09/16/monero-seed-words/

16.09.2025 11:30 — 👍 0    🔁 0    💬 0    📌 0