Two’s Complement and Group Theory

Before I discovered math, I was a first year undergrad computer science student taking Electrical Engineering 101. The first topic I learned was what bits and boolean gates are, and the second was the two’s complement representation of a negative n-bit integer.

At the time two’s complement seemed to me like a bizarre quirk of computer programming, with minutiae you just had to memorize. If the leading bit is 1, it’s negative, and otherwise it’s positive. To negate a number, flip the bits and add one. Except of course the number 1000 0000, which in 8-bit two’s complement is -128, because its “negative” according to this operation is also 1000 0000 = -128.

The quirky negation operation is usually explained by appealing to the “borrowing” operation from elementary school subtraction. Or an appeal to a sense of shared helplessness. That’s just the way things are in two’s complement. But it doesn’t quite explain why one can use the same boolean circuit to compute addition and multiplication of unsigned and two’s complement signed integers.

Math can provide a different, clearer explanation for the quirkiness. It’s not arbitrary, but forced. The explanation uses group theory, which I wrote a primer about a long time ago. The main ideas from group theory used here are cyclic groups, quotient groups, group isomorphisms, and group actions.

The first insight is that the signed integers are the exact same as the unsigned integers as a quotient group, just with a different equivalence class representative chosen for the arithmetic.

The set of $n$-bit unsigned integers $\mathbb{Z}/2^n\mathbb{Z} = \{ 0, 1, \dots, 2^n-1 \}$ forms a group under addition modulo $2^n$. The set of $n$-bit signed integers $\{ -2^{n-1}, \dots, -1, 0, 1, \dots, 2^{n-1} – 1 \}$ also forms a group, but it’s harder to see why. The operation is still “addition modulo $2^n$”, but you have to recall the definition of a quotient group to see why.

The elements of the quotient group $\mathbb{Z}/2^n \mathbb{Z}$ aren’t integers, but rather equivalence classes of integers. We denote $[x] \in \mathbb{Z}/2^n \mathbb{Z}$ as the equivalence class of $x \in \mathbb{Z}$. For example, the “element” $1$ is the equivalence class $[1] = \{ \dots, -2^n+1, 1, 2^n + 1, 2\cdot 2^n + 1, \dots \}$. And the whole point of defining equivalence classes is that you can choose any representative element from an equivalence class, do the arithmetic using that element, and you get the same (equivalence class) output as you would if you had used the “usual” representative. In other words, it’s guaranteed that $[x+y] = [x] + [y] = [x’] + [y’] = [x’ + y’]$, so long as $[x] = [x’]$ and $[y] = [y’]$.

Signed integers are exactly this: choosing a different representative for some of the equivalence classes. The element $[2^{n-1}] = \{ \dots, -2\cdot 2^{n-1}, -2^{n-1}, 2^{n-1}, 2\cdot 2^{n-1}, \dots \}$ is represented by $-2^{n-1}$, the element $[2^{n-1} + 1]$ is represented by $-2^{n-1} + 1$, all the way up to $2^n – 1$ being represented by $-1$. This is a formal way to say two’s complement is a “reinterpretation” of the bits of an unsigned integer. It’s not an arbitrary reinterpretation, but one that satisfies the exact same arithmetic structure as the unsigned interpretation.

So any circuit representation of an addition operation that works for unsigned integers can also be used for addition for all possible alternative choices of equivalence class representatives. Note this has nothing to do with the way these numbers are represented as bits. It’s a guarantee of the mathematics underlying modular arithmetic. It would work if the numbers were represented in ternary or base 10 (excluding the fact that there would be some extra inputs and outputs not in the set). Also note it applies equally well to multiplication, since everything said here applies equally well to the quotient ring of integers modulo $2^n$.

It also makes it clear that the choice of $-2^{n-1}$ as the smallest negative number is arbitrary, and one could equally well include $2^n-1$ as the largest positive, leaving $-2^{n-1} + 1$ as the smallest negative. I think the current standard choice ($-2^{n-1}$ as the smallest negative number) is objectively better than this alternative, because it allows one to use the leading sign bit as negativeness/overflow/underflow detector.

Now we can study the negation operation in this group. For starters, for each element $x$ except $-2^{n-1}$, the number $-x$ is already a signed $n$-bit integer. So negation is just negation (we’ll get back to how this is interpreted as bits in a second). And if we think of $-2^{n-1}$ as an equivalence class, it’s the same as $2^{n-1}$, which is its own inverse as an unsigned integer. Add it to itself and you get $2^n \equiv 0 \mod 2^n$. Since equivalence classes behave identically no matter the representative, $-2^{n-1}$ must be its own inverse, and hence $-(-2^{n-1}) = -2^{n-1}$ as signed integers.

To interpret it as bits, again lift back to unsigned integers, and notice that “negation” for an unsigned integer $x$—that is, finding the value $y$ such that $x+y \equiv 0 \mod 2^n$—is computed via $-[x] = [2^n – x]$ (subtraction inside the equivalence class is defined even though it’s being used to define $-[x]$, because inside an equivalence class the arithmetic is just arithmetic on integers). But because $2^n$ isn’t representable in concrete $n$-bit numbers (it’s just zero), to compute it entirely within $n$-bit integers, we need to break the arithmetic down further:

$$[2^n – x ] = [ 2^n – 1 – x + 1 ] = [ 2^n – 1 – x ] + [ 1 ]$$

$2^n-1$ is the string of all 1’s, hence $2^n – 1 – x$ is equivalent to flipping the bits of $x$, and adding 1 finishes the calculation.

Finally, this $-2^{n-1}$-is-its-own-inverse business. If you view the group of unsigned integers as a circle—a natural choice because addition “wraps around” like clock math—the negation operation can be seen as a reflection across the line passing through $0$ and the circle’s center. Naturally this makes the negation of $0$ equal to $0$. The other point that line of symmetry passes through is $[2^{n-1}] = [-2^{n-1}]$, and so it must also fix $-2^{n-1}$.

This is explanation enough, but the pesky question is whether it’s forced. Is there some other representation better than two’s complement for which this behavior doesn’t occur? So long as our number system has an even size and 0 is its own inverse, then simple counting shows it’s impossible. We’d have an odd number $2^n – 1$ of nonzero elements, and the inverse operation would match them up in pairs, producing an even total unless one of the “pairs” is a singleton.

Aside: The Wikipedia article on this topic had a somewhat sloppy explanation using group actions (really, Burnside’s lemma), which, while correct, is like using the Millennium Falcon to shoot a sparrow. I simplified it to the above counting argument.

Group Actions and Hashing Unordered Multisets

I learned of a neat result due to Kevin Ventullo that uses group actions to study the structure of hash functions for unordered sets and multisets. This piqued my interest because a while back a colleague asked me if I could think of any applications of “pure” group theory to practical computer programming that were not cryptographic in nature. He meant, not including rings, fields, or vector spaces whose definitions happen to be groups when you forget the extra structure. I couldn’t think of any at the time, and years later Kevin has provided me with a tidy example. I took the liberty of rephrasing his argument to be a bit simpler (I hope), but I encourage you to read Kevin’s post to see the reasoning in its original form.

Hashes are useful in programming, and occasionally one wants to hash an unordered set or multiset in such a way that the hash does not depend on the order the elements were added to the set. Since collection types are usually generic, one often has to craft a hash function for a set<T> or multiset<T> that relies on a hash function hash(t) of an unknown type T. To make things more efficient, rather than requiring one to iterate over the entire set each time a hash is computed, one might seek out a hash function that can be incrementally updated as new elements are added, and provably does not depend on the order of insertion.

For example, having a starting hash of zero, and adding hashes of elements as they are added (modulo $2^{64}$) has this incremental order-ignorant property, because addition is commutative and sums can be grouped. XOR-ing the bits of the hashes is similar. However, both of these strategies have downsides.

For example, if you adopt the XOR strategy for a multiset hash, then any element that has an even quantity in the multiset will be the same as if it were not in the set at all (or if it were in the set with some other even quantity). This is because x XOR x == 0. On the other hand, if you use the addition approach, if an element hashes to zero, its inclusion in any set has no effect on the hash. In Java the integer hash is the identity, so zero would be undetectable as a member of a multiset of ints in any quantity. Less drastically, a multiset with all even counts of elements will always hash to a multiple of 2, and this makes it easier to find hash collisions.

A natural question arises: given the constraint that the hash function is accumulative and commutative, can we avoid such degenerate situations? In principle the answer should obviously be no, just by counting. I.e., the set of all unordered sets of 64-bit integers has size $2^{2^{64}}$, while the set of 64-bit hashes has size merely $2^{64}$. You will have many many hash collisions, and would need a much longer hash to avoid them in principle.

More than just “no,” we can characterize the structure of such hash functions. They impose an abelian group structure on the set of hashes. And due to the classification theorem of finite abelian groups, up to isomorphism (and for 64-bit hashes) that structure consists of addition on blocks of bits with various power-of-2 moduli, and the blocks are XOR’ed together at the end.

To give more detail, we need to review some group theory, write down the formal properties of an accumulative hash function, and prove the structure theorem.

Group actions, a reminder

This post will assume basic familiarity with group theory as covered previously on this blog. Basically, this introductory post defining groups and actions, and this followup post describing the classification theorem for commutative (abelian) groups. But I will quickly review group actions since they take center stage today.

A group $G$ defines some abstract notion of symmetries in a way that’s invertible. But a group is really meaningless by itself. They’re only useful when they “act” upon a set. For example, a group of symmetries of the square acts upon the square to actually rotate its points. When you have multiple group structures to consider, it makes sense to more formally separate the group structure from the set.

So a group action is formally a triple of a group $G$, a set $X$, and a homomorphism $f:G \to S_X$, where $S_X$ is the permutation group (or symmetry group) of $X$, i.e., the set of all bijections $X \to X$. The permutation group of a set encompasses every possible group that can act on $X$. In other words, every group is a subgroup of a permutation group. In our case, $G$ and $f$ define a subgroup of symmetries on $X$ via the image of $f$. If $f$ is not injective, some of the structure in $G$ is lost. The homomorphism determines which parts of $G$ are kept and how they show up in the codomain. The first isomorphism theorem says how: $G / \textup{ker} f \cong \textup{im} f$.

This relates to our hashing topic because an accumulative hash—and a nicely behaved hash, as we’ll make formal shortly—creates a group action on the set of possible hash values. The image of that group action is the “group structure” imposed by the hash function, and the accumulation function defines the group operation in that setting.

Multisets as a group, and nice hash functions

An appropriate generalization of multisets whose elements come from a base set $X$ forms a group. This generalization views a multiset as a “counting function” $T: X \to \mathbb{Z}$. The empty set is the function that assigns zero to each element. A positive value of $k$ implies the entry shows up in the multiset $k$ times. And a negative value is like membership “debt,” which is how we represent inverses, or equivalently set difference operations. The inverse of a multiset $T$, denoted $-T$, is the multiset with all counts negated elementwise. Since integer-valued functions generally form a group under point-wise addition, these multisets also do. Call this group $\textup{MSet}(X)$. We will freely use the suggestive notation $T \cup \{ x \}$ to denote the addition of $T$ and the function that is 1 on $x$ and 0 elsewhere. Similarly for $T – \{ x \}$.

$\textup{MSet}(X)$ is isomorphic to the free abelian group on $X$ (because an instance of a multiset only has finitely many members). Now we can define a hash function with three pieces:

• An arbitrary base hash function $\textup{hash}: X \to \mathbb{Z} / 2^n \mathbb{Z}$.
• An arbitrary hash accumulator $\textup{h}: \mathbb{Z} / 2^n \mathbb{Z} \times \mathbb{Z} / 2^n \mathbb{Z} \to \mathbb{Z} / 2^n \mathbb{Z}$
• A seed, i.e., a choice for the hash of the empty multiset $s \in \mathbb{Z} / 2^n \mathbb{Z}$

With these three data we want to define a multiset hash function $h^*: \textup{MSet}(X) \to \mathbb{Z} / 2^n \mathbb{Z}$ recursively as

• $h^*(\left \{ \right \}) = s$
• $h^*(T \cup \left \{ x \right \}) = h(h^*(T), \textup{hash}(x))$
• $h^*(T – \left \{ x \right \}) = \dots$

In order for the second bullet to lead to a well-defined hash, we need the property that the accumulation order of individual elements does not matter. Call a hash accumulator commutative if, for all $a, b, c \in \mathbb{Z} / 2^n \mathbb{Z}$,

$\displaystyle h(h(a,b), c) = h(h(a,c), b)$

This extends naturally to being able to reorder any sequence of hashes being accumulated.

The third is a bit more complicated. We need to be able to use the accumulator to “de-accumulate” the hash of an element $x$, even when the set that gave rise to that hash didn’t have $x$ in it to start.

Call a hash accumulator invertible if for a fixed hash $z = \textup{hash}(x)$, the map $a \mapsto h(a, z)$ is a bijection. That is, accumulating the hash $z$ to two sets with different hashes under $h^*$ will not cause a hash collision. This defines the existence of an inverse map (even if it’s not easily computable). This allows us to finish the third bullet point.

• Fix $z = \textup{hash}(x)$ and let $g$ be the inverse of the map $a \mapsto h(a, z)$. Then $h^*(T – \left \{ x \right \}) = g(h^*(T))$

Though we don’t have a specific definition for the inverse above, we don’t need it because we’re just aiming to characterize the structure of this soon-to-emerge group action. Though, in all likelihood, if you implement a hash for a multiset, it should support incremental hash updates when removing elements, and that formula would apply here.

This gives us the well-definition of $h^*$. Commutativity allows us to define $h^*(T \cup S)$ by decomposing $S$ arbitrarily into its constituent elements (with multiplicity), and applying $h^*(T \cup \{ x \})$ or $h^*(T – \{ x \})$ in any order.

A group action emerges

Now we have a well-defined hash function on a free abelian group.

$\displaystyle h^*: \textup{MSet}(X) \to \mathbb{Z} / 2^n \mathbb{Z}$

However, $h^*$ is not a homomorphism. There’s no reason hash accumulation needs to mesh well with addition of hashes. Instead, the family of operations “combine a hash with the hash of some fixed set” defines a group action on the set of hashes. Let’s suppose for simplicity that $h^*$ is surjective, i.e., that every hash value can be achieved as the hash of some set. Kevin’s post gives the more nuanced case when this fails, and in that case you work within $S_{\textup{im}(h^*)}$ instead of all of $S_{\mathbb{Z} / 2^n \mathbb{Z}}$.

The group action is defined formally as a homomorphism

$\displaystyle \varphi : \textup{MSet}(X) \to S_{\mathbb{Z} / 2^n \mathbb{Z}}$

where $\varphi(T)$ is the permutation $a \mapsto h(a, h^*(T))$. Equivalently, we start from $a$, pick some set $S$ with $h^*(S) = a$, and output $h^*(T \cup S)$.

The map $\varphi$ is a homomorphism. The composition of two accumulations is order-independent because $h$ is commutative. This is how we view $h$ as “the binary operation” in $\textup{im} \varphi$, because combining two permutations $a \mapsto h(a, h^*(T))$ and $a \mapsto h(a, h^*(S))$ is the permutation $a \mapsto h(a, h^*(S \cup T))$.

And now we can apply the first isomorphism theorem, that

$\displaystyle \textup{MSet}(X) / \textup{ker} \varphi \cong \textup{im} \varphi \subset S_{\mathbb{Z} / 2^n \mathbb{Z}}$

This is significant because any quotient of an abelian group is abelian, and this quotient is finite because $S_{\mathbb{Z} / 2^n \mathbb{Z}}$ is finite. This means that the group $\textup{im} \varphi$ is isomorphic to

$\displaystyle \textup{im} \varphi \cong \bigoplus_{i=1}^k \mathbb{Z}/2^{n_i} \mathbb{Z}$

where $n = \sum_i n_i$, and where the operation in each component is the usual addition modulo $n_i$. The $i$-th summand corresponds to a block of $n_i$ bits of the hash, and within that block the operation is addition modulo $2^{n_i}$. Here the “block” structure is where XOR comes in. Each block can be viewed as a bitmask with zeros outside the block, and two members are XOR’ed together, which allows the operations to apply to each block independently.

For example, the group might be $\mathbb{Z} / 2^{4} \mathbb{Z} \times \mathbb{Z} / 2^{26} \mathbb{Z}\times \mathbb{Z} / 2^{2} \mathbb{Z}$ for a 32-bit hash. The first block corresponds to 32-bit unsigned integers whose top 4 bits may be set but all other bits are zero. Addition is done within those four bits modulo 16, leaving the other bits unchanged. Likewise, the second component has the top four bits zero and the bottom two bits zero, but the remaining 26 bits are summed mod $2^{24}$. XOR combines the bits from different blocks.

In one extreme case, you only have one block, and your group is just $\mathbb{Z} / 2^n \mathbb{Z}$ and the usual addition combines hashes. In the other extreme, each bit is its own block, your group is $(\mathbb{Z} / 2 \mathbb{Z})^n$, the operation is a bitwise XOR.

Note, if instead of $2^n$ we used a hash of some other length $m$, then in the direct sum decomposition above, $m$ would be the product of the sizes of the components. The choice $m = 2^n$ maximizes the number of different structures you can have.

Implications for hash function designers

Here’s the takeaway.

First, if you’re trying to design a hash function that avoids the degeneracies mentioned at the beginning of this article, then it will have to break one of the properties listed. This could happen, say, by maintaining additional state.

Second, if you’re resigned to use a commutative, invertible, accumulative hash, then you might as well make this forced structure explicit, and just pick the block structure you want to use in advance. Since no clever bit shifting will allow you to outrun this theorem, you might as well make it simple.

Until next time!

Elliptic Curves as Python Objects

Last time we saw a geometric version of the algorithm to add points on elliptic curves. We went quite deep into the formal setting for it (projective space $\mathbb{P}^2$), and we spent a lot of time talking about the right way to define the “zero” object in our elliptic curve so that our issues with vertical lines would disappear.

With that understanding in mind we now finally turn to code, and write classes for curves and points and implement the addition algorithm. As usual, all of the code we wrote in this post is available on this blog’s Github page.

Points and Curves

Every introductory programming student has probably written the following program in some language for a class representing a point.

class Point(object):
def __init__(self, x, y):
self.x = x
self.y = y


It’s the simplest possible nontrivial class: an x and y value initialized by a constructor (and in Python all member variables are public).

We want this class to represent a point on an elliptic curve, and overload the addition and negation operators so that we can do stuff like this:

p1 = Point(3,7)
p2 = Point(4,4)
p3 = p1 + p2


But as we’ve spent quite a while discussing, the addition operators depend on the features of the elliptic curve they’re on (we have to draw lines and intersect it with the curve). There are a few ways we could make this happen, but in order to make the code that uses these classes as simple as possible, we’ll have each point contain a reference to the curve they come from. So we need a curve class.

It’s pretty simple, actually, since the class is just a placeholder for the coefficients of the defining equation. We assume the equation is already in the Weierstrass normal form, but if it weren’t one could perform a whole bunch of algebra to get it in that form (and you can see how convoluted the process is in this short report or page 115 (pdf p. 21) of this book). To be safe, we’ll add a few extra checks to make sure the curve is smooth.

class EllipticCurve(object):
def __init__(self, a, b):
# assume we're already in the Weierstrass form
self.a = a
self.b = b

self.discriminant = -16 * (4 * a*a*a + 27 * b * b)
if not self.isSmooth():
raise Exception(&quot;The curve %s is not smooth!&quot; % self)

def isSmooth(self):
return self.discriminant != 0

def testPoint(self, x, y):
return y*y == x*x*x + self.a * x + self.b

def __str__(self):
return 'y^2 = x^3 + %Gx + %G' % (self.a, self.b)

def __eq__(self, other):
return (self.a, self.b) == (other.a, other.b)


And here’s some examples of creating curves

&gt;&gt;&gt; EllipticCurve(a=17, b=1)
y^2 = x^3 + 17x + 1
&gt;&gt;&gt; EllipticCurve(a=0, b=0)
Traceback (most recent call last):
[...]
Exception: The curve y^2 = x^3 + 0x + 0 is not smooth!


So there we have it. Now when we construct a Point, we add the curve as the extra argument and a safety-check to make sure the point being constructed is on the given elliptic curve.

class Point(object):
def __init__(self, curve, x, y):
self.curve = curve # the curve containing this point
self.x = x
self.y = y

if not curve.testPoint(x,y):
raise Exception(&quot;The point %s is not on the given curve %s&quot; % (self, curve))


Note that this last check will serve as a coarse unit test for all of our examples. If we mess up then more likely than not the “added” point won’t be on the curve at all. More precise testing is required to be bullet-proof, of course, but we leave explicit tests to the reader as an excuse to get their hands wet with equations.

Some examples:

&gt;&gt;&gt; c = EllipticCurve(a=1,b=2)
&gt;&gt;&gt; Point(c, 1, 2)
(1, 2)
&gt;&gt;&gt; Point(c, 1, 1)
Traceback (most recent call last):
[...]
Exception: The point (1, 1) is not on the given curve y^2 = x^3 + 1x + 2


Before we go ahead and implement addition and the related functions, we need to be decide how we want to represent the ideal point $[0 : 1 : 0]$. We have two options. The first is to do everything in projective coordinates and define a whole system for doing projective algebra. Considering we only have one point to worry about, this seems like overkill (but could be fun). The second option, and the one we’ll choose, is to have a special subclass of Point that represents the ideal point.

class Ideal(Point):
def __init__(self, curve):
self.curve = curve

def __str__(self):
return &quot;Ideal&quot;


Note the inheritance is denoted by the parenthetical (Point) in the first line. Each function we define on a Point will require a 1-2 line overriding function in this subclass, so we will only need a small amount of extra bookkeeping. For example, negation is quite easy.

class Point(object):
...
def __neg__(self):
return Point(self.curve, self.x, -self.y)

class Ideal(Point):
...
def __neg__(self):
return self


Note that Python allows one to override the prefix-minus operation by defining __neg__ on a custom object. There are similar functions for addition (__add__), subtraction, and pretty much every built-in python operation. And of course addition is where things get more interesting. For the ideal point it’s trivial.

class Ideal(Point):
...
return Q


Why does this make sense? Because (as we’ve said last time) the ideal point is the additive identity in the group structure of the curve. So by all of our analysis, $P + 0 = 0 + P = P$, and the code is satisfyingly short.

For distinct points we have to follow the algorithm we used last time. Remember that the trick was to form the line $L(x)$ passing through the two points being added, substitute that line for $y$ in the elliptic curve, and then figure out the coefficient of $x^2$ in the resulting polynomial. Then, using the two existing points, we could solve for the third root of the polynomial using Vieta’s formula.

In order to do that, we need to analytically solve for the coefficient of the $x^2$ term of the equation $L(x)^2 = x^3 + ax + b$. It’s tedious, but straightforward. First, write

$\displaystyle L(x) = \left ( \frac{y_2 – y_1}{x_2 – x_1} \right ) (x – x_1) + y_1$

The first step of expanding $L(x)^2$ gives us

$\displaystyle L(x)^2 = y_1^2 + 2y_1 \left ( \frac{y_2 – y_1}{x_2 – x_1} \right ) (x – x_1) + \left [ \left (\frac{y_2 – y_1}{x_2 – x_1} \right ) (x – x_1) \right ]^2$

And we notice that the only term containing an $x^2$ part is the last one. Expanding that gives us

$\displaystyle \left ( \frac{y_2 – y_1}{x_2 – x_1} \right )^2 (x^2 – 2xx_1 + x_1^2)$

And again we can discard the parts that don’t involve $x^2$. In other words, if we were to rewrite $L(x)^2 = x^3 + ax + b$ as $0 = x^3 – L(x)^2 + ax + b$, we’d expand all the terms and get something that looks like

$\displaystyle 0 = x^3 – \left ( \frac{y_2 – y_1}{x_2 – x_1} \right )^2 x^2 + C_1x + C_2$

where $C_1, C_2$ are some constants that we don’t need. Now using Vieta’s formula and calling $x_3$ the third root we seek, we know that

$\displaystyle x_1 + x_2 + x_3 = \left ( \frac{y_2 – y_1}{x_2 – x_1} \right )^2$

Which means that $x_3 = \left ( \frac{y_2 – y_1}{x_2 – x_1} \right )^2 – x_2 – x_1$. Once we have $x_3$, we can get $y_3$ from the equation of the line $y_3 = L(x_3)$.

Note that this only works if the two points we’re trying to add are different! The other two cases were if the points were the same or lying on a vertical line. These gotchas will manifest themselves as conditional branches of our add function.

class Point(object):
...
if isinstance(Q, Ideal):
return self

x_1, y_1, x_2, y_2 = self.x, self.y, Q.x, Q.y

if (x_1, y_1) == (x_2, y_2):
# use the tangent method
...
else:
if x_1 == x_2:
return Ideal(self.curve) # vertical line

# Using Vieta's formula for the sum of the roots
m = (y_2 - y_1) / (x_2 - x_1)
x_3 = m*m - x_2 - x_1
y_3 = m*(x_3 - x_1) + y_1

return Point(self.curve, x_3, -y_3)



First, we check if the two points are the same, in which case we use the tangent method (which we do next). Supposing the points are different, if their $x$ values are the same then the line is vertical and the third point is the ideal point. Otherwise, we use the formula we defined above. Note the subtle and crucial minus sign at the end! The point $(x_3, y_3)$ is the third point of intersection, but we still have to do the reflection to get the sum of the two points.

Now for the case when the points $P, Q$ are actually the same. We’ll call it $P = (x_1, y_1)$, and we’re trying to find $2P = P+P$. As per our algorithm, we compute the tangent line $J(x)$ at $P$. In order to do this we need just a tiny bit of calculus. To find the slope of the tangent line we implicitly differentiate the equation $y^2 = x^3 + ax + b$ and get

$\displaystyle \frac{dy}{dx} = \frac{3x^2 + a}{2y}$

The only time we’d get a vertical line is when the denominator is zero (you can verify this by taking limits if you wish), and so $y=0$ implies that $P+P = 0$ and we’re done. The fact that this can ever happen for a nonzero $P$ should be surprising to any reader unfamiliar with groups! But without delving into a deep conversation about the different kinds of group structures out there, we’ll have to settle for such nice surprises.

In the other case $y \neq 0$, we plug in our $x,y$ values into the derivative and read off the slope $m$ as $(3x_1^2 + a)/(2y_1)$. Then using the same point slope formula for a line, we get $J(x) = m(x-x_1) + y_1$, and we can use the same technique (and the same code!) from the first case to finish.

There is only one minor wrinkle we need to smooth out: can we be sure Vieta’s formula works? In fact, the real problem is this: how do we know that $x_1$ is a double root of the resulting cubic? Well, this falls out again from that very abstract and powerful theorem of Bezout. There is a lot of technical algebraic geometry (and a very interesting but complicated notion of dimension) hiding behind the curtain here. But for our purposes it says that our tangent line intersects the elliptic curve with multiplicity 2, and this gives us a double root of the corresponding cubic.

And so in the addition function all we need to do is change the slope we’re using. This gives us a nice and short implementation

def __add__(self, Q):
if isinstance(Q, Ideal):
return self

x_1, y_1, x_2, y_2 = self.x, self.y, Q.x, Q.y

if (x_1, y_1) == (x_2, y_2):
if y_1 == 0:
return Ideal(self.curve)

# slope of the tangent line
m = (3 * x_1 * x_1 + self.curve.a) / (2 * y_1)
else:
if x_1 == x_2:
return Ideal(self.curve)

# slope of the secant line
m = (y_2 - y_1) / (x_2 - x_1)

x_3 = m*m - x_2 - x_1
y_3 = m*(x_3 - x_1) + y_1

return Point(self.curve, x_3, -y_3)


What’s interesting is how little the data of the curve comes into the picture. Nothing depends on $b$, and only one of the two cases depends on $a$. This is one reason the Weierstrass normal form is so useful, and it may bite us in the butt later in the few cases we don’t have it (for special number fields).

Here are some examples.

&gt;&gt;&gt; C = EllipticCurve(a=-2,b=4)
&gt;&gt;&gt; P = Point(C, 3, 5)
&gt;&gt;&gt; Q = Point(C, -2, 0)
&gt;&gt;&gt; P+Q
(0.0, -2.0)
&gt;&gt;&gt; Q+P
(0.0, -2.0)
&gt;&gt;&gt; Q+Q
Ideal
&gt;&gt;&gt; P+P
(0.25, 1.875)
&gt;&gt;&gt; P+P+P
Traceback (most recent call last):
...
Exception: The point (-1.958677685950413, 0.6348610067618328) is not on the given curve y^2 = x^3 + -2x + 4!

&gt;&gt;&gt; x = -1.958677685950413
&gt;&gt;&gt; y = 0.6348610067618328
&gt;&gt;&gt; y*y - x*x*x + 2*x - 4
-3.9968028886505635e-15


And so we crash headfirst into our first floating point arithmetic issue. We’ll vanquish this monster more permanently later in this series (in fact, we’ll just scrap it entirely and define our own number system!), but for now here’s a quick fix:

&gt;&gt;&gt; import fractions
&gt;&gt;&gt; frac = fractions.Fraction
&gt;&gt;&gt; C = EllipticCurve(a = frac(-2), b = frac(4))
&gt;&gt;&gt; P = Point(C, frac(3), frac(5))
&gt;&gt;&gt; P+P+P
(Fraction(-237, 121), Fraction(845, 1331))


Now that we have addition and negation, the rest of the class is just window dressing. For example, we want to be able to use the subtraction symbol, and so we need to implement __sub__

def __sub__(self, Q):
return self + -Q


Note that because the Ideal point is a subclass of point, it inherits all of these special functions while it only needs to override __add__ and __neg__. Thank you, polymorphism! The last function we want is a scaling function, which efficiently adds a point to itself $n$ times.

class Point(object):
...
def __mul__(self, n):
if not isinstance(n, int):
raise Exception(&quot;Can't scale a point by something which isn't an int!&quot;)
else:
if n &lt; 0:
return -self * -n
if n == 0:
return Ideal(self.curve)
else:
Q = self
R = self if n &amp; 1 == 1 else Ideal(self.curve)

i = 2
while i &lt;= n:
Q = Q + Q

if n &amp; i == i:
R = Q + R

i = i &lt;&lt; 1
return R

def __rmul__(self, n):
return self * n

class Ideal(Point):
...
def __mul__(self, n):
if not isinstance(n, int):
raise Exception(&quot;Can't scale a point by something which isn't an int!&quot;)
else:
return self


The scaling function allows us to quickly compute $nP = P + P + \dots + P$ ($n$ times). Indeed, the fact that we can do this more efficiently than performing $n$ additions is what makes elliptic curve cryptography work. We’ll take a deeper look at this in the next post, but for now let’s just say what the algorithm is doing.

Given a number written in binary $n = b_kb_{k-1}\dots b_1b_0$, we can write $nP$ as

$\displaystyle b_0 P + b_1 2P + b_2 4P + \dots + b_k 2^k P$

The advantage of this is that we can compute each of the $P, 2P, 4P, \dots, 2^kP$ iteratively using only $k$ additions by multiplying by 2 (adding something to itself) $k$ times. Since the number of bits in $n$ is $k= \log(n)$, we’re getting a huge improvement over $n$ additions.

The algorithm is given above in code, but it’s a simple bit-shifting trick. Just have $i$ be some power of two, shifted by one at the end of every loop. Then start with $Q_0$ being $P$, and replace $Q_{j+1} = Q_j + Q_j$, and in typical programming fashion we drop the indices and overwrite the variable binding at each step (Q = Q+Q). Finally, we have a variable $R$ to which $Q_j$ is added when the $j$-th bit of $n$ is a 1 (and ignored when it’s 0). The rest is bookkeeping.

Note that __mul__ only allows us to write something like P * n, but the standard notation for scaling is n * P. This is what __rmul__ allows us to do.

We could add many other helper functions, such as ones to allow us to treat points as if they were lists, checking for equality of points, comparison functions to allow one to sort a list of points in lex order, or a function to transform points into more standard types like tuples and lists. We have done a few of these that you can see if you visit the code repository, but we’ll leave flushing out the class as an exercise to the reader.

Some examples:

&gt;&gt;&gt; import fractions
&gt;&gt;&gt; frac = fractions.Fraction
&gt;&gt;&gt; C = EllipticCurve(a = frac(-2), b = frac(4))
&gt;&gt;&gt; P = Point(C, frac(3), frac(5))
&gt;&gt;&gt; Q = Point(C, frac(-2), frac(0))
&gt;&gt;&gt; P-Q
(Fraction(0, 1), Fraction(-2, 1))
&gt;&gt;&gt; P+P+P+P+P
(Fraction(2312883, 1142761), Fraction(-3507297955, 1221611509))
&gt;&gt;&gt; 5*P
(Fraction(2312883, 1142761), Fraction(-3507297955, 1221611509))
&gt;&gt;&gt; Q - 3*P
(Fraction(240, 1), Fraction(3718, 1))
&gt;&gt;&gt; -20*P
(Fraction(872171688955240345797378940145384578112856996417727644408306502486841054959621893457430066791656001, 520783120481946829397143140761792686044102902921369189488390484560995418035368116532220330470490000), Fraction(-27483290931268103431471546265260141280423344817266158619907625209686954671299076160289194864753864983185162878307166869927581148168092234359162702751, 11884621345605454720092065232176302286055268099954516777276277410691669963302621761108166472206145876157873100626715793555129780028801183525093000000))


As one can see, the precision gets very large very quickly. One thing we’ll do to avoid such large numbers (but hopefully not sacrifice security) is to work in finite fields, the simplest version of which is to compute modulo some prime.

So now we have a concrete understanding of the algorithm for adding points on elliptic curves, and a working Python program to do this for rational numbers or floating point numbers (if we want to deal with precision issues). Next time we’ll continue this train of thought and upgrade our program (with very little work!) to work over other simple number fields. Then we’ll delve into the cryptographic issues, and talk about how one might encode messages on a curve and use algebraic operations to encode their messages.

Until then!

Groups — A Second Primer

The First Isomorphism Theorem

The meat of our last primer was a proof that quotient groups are well-defined. One important result that helps us compute groups is a very easy consequence of this well-definition.

Recall that if $G,H$ are groups and $\varphi: G \to H$ is a group homomorphism, then the image of $\varphi$ is a subgroup of $H$. Also the kernel of $\varphi$ is the normal subgroup of $G$ consisting of the elements which are mapped to the identity under $\varphi$. Moreover, we proved that the quotient $G / \ker \varphi$ is a well-defined group, and that every normal subgroup $N$ is the kernel of the quotient map $G \to G/N$. These ideas work together to compute groups with the following theorem. Intuitively, it tells us that the existence of a homomorphism between two groups gives us a way to relate the two groups.

Theorem: Let $\varphi: G \to H$ be a group homomorphism. Then the quotient $G/ \ker \varphi$ is isomorphic to the image of $\varphi$. That is,

$G/ \ker \varphi \cong \varphi(G)$

As a quick corollary before the proof, if $\varphi$ is surjective then $H \cong G / \ker \varphi$.

Proof. We define an explicit map $f : G/ \ker \varphi \to \varphi(G)$ and prove it is an isomorphism. Let $g \ker \varphi$ be an arbitrary coset and set $f(g \ker \varphi) = \varphi(g)$. First of all, we need to prove that this definition does not depend on the choice of a coset representative. That is, if $g \ker \varphi = g’ \ker \varphi$, then $f(g) = f(g’)$. But indeed, $f(g)^{-1}f(g’) = f(g^{-1}g’) = 1$, since for any coset $N$ we have by definition $gN = g’N$ if and only if $g^{-1}g’ \in N$.

It is similarly easy to verify that $f$ is a homomorphism:

$f((g \ker \varphi )(g’ \ker \varphi)) = \varphi(gg’) = \varphi(g)\varphi(g’) = f(g \ker \varphi) f(g’ \ker \varphi)$

It suffices now to show that $f$ is a bijection. It is trivially surjective (since anything in the image of $\varphi$ is in a coset). It is injective since if $f(g \ker \varphi) = 1$, then $\varphi(g) = 1$ and hence $g \in \ker \varphi$, so the coset $g \ker \varphi = 1 \ker \varphi$ is the identity element. So $f$ is an isomorphism. $\square$

Let’s use this theorem to compute some interesting things.

Denote by $D_{2n}$ the group of symmetries of the regular $n$-gon. That is, $D_{16}$ is the symmetry group of the regular octagon and $D_{8}$ is the symmetry group of the square (the $2n$ notation is because this group always has order $2n$). We want to relate $D_{16}$ to $D_8$. To do this, let’s define a homomorphism $f:D_{16} \to D_8$ by sending a one-eighth rotation $\rho$ of the octagon to a one-fourth rotation of the square $f(\rho) = \rho^2$, and using the same reflection for both ($f(\sigma) = \sigma$). It is easy to check that this is a surjective homomorphism, and moreover the kernel is $\left \{ 1, \rho^4 \right \}$. That is, $D_8 \cong D_{16}/ \left \{ 1, \rho^4 \right \}$.

Here is a more general example. If $G, H$ are groups of relatively prime order, then there are no nontrivial homomorphisms $G \to H$. In order to see this, note that $|G/ \ker \varphi| = |G| / |\ker \varphi|$ as a simple consequence of Lagrange’s theorem. Indeed, by the first isomorphism theorem this quantity is equal to $|\varphi(G)|$. So $|G| = | \ker \varphi| |\varphi(G)|$. That is, the order of $\varphi(G)$ divides the order of $G$. But it also divides the order of $H$ because $\varphi(G)$ is a subgroup of $H$. In other words, the order of $\varphi(G)$ is a common factor of the orders of $G$ and $H$. By hypothesis, the only such number is 1, and so $|\varphi(G)| = 1$ and $\varphi(G)$ is the trivial group.

We will use the first isomorphism theorem quite a bit on this blog. Because it is such a common tool, it is often used without explicitly stating the theorem.

Generators

One extremely useful way to describe a subgroup is via a set of generators. The simplest example is for a single element.

Definition: Let $G$ be a group and $x \in G$. Then the subgroup generated by $x$, denoted $\left \langle x \right \rangle$, is the smallest subgroup of $G$ containing $x$. More generally, if $S \subset G$ then the subgroup generated by $S$ is the smallest subgroup containing $S$.

This definition is not quite useful, but the useful version is easy to derive. On one hand, the identity element must always be in $\left \langle x \right \rangle$. Since $x \in \left \langle x \right \rangle$ and it’s a subgroup, we must have that $x^{-1} \in \left \langle x \right \rangle$. Moreover, all powers of $x$ must be in the subgroup, as must all powers of the inverse (equivalently, inverses of the powers). In fact that is all that is necessary. That is,

$\left \langle x \right \rangle = \left \{ \dots, x^{-2}, x^{-1}, 1, x, x^2, \dots \right \}$

For finite groups, this list of elements will terminate. And in fact, the inverse of $x$ will be a power of $x$ as well. To see this, note that if we keep taking powers of $x$, eventually one of those will be the identity element. Specifically, some power of $x$ must repeat, and if $x^n = x^m$ then $x^{n-m} = 1$. Hence $x^{-1} = x^{n-m-1}$.

For subgroups generated by more than one element, these subgroups are more difficult to write down. For example, if $x,y \in G$ then $x,y$ may have a nontrivial relationship. That is, even though all possible products involving $x$ and $y$ are  in the subgroup, it is very difficult to determine whether two such products are the same (in fact, one very general formulation of this problem is undecidable!). Often times one can find a set of generators which generates the entire group $G$. In this case, we say $G$ is generated by those elements.

A familiar example is the symmetry group of the square. As it turns out this group is generated by $\rho, \sigma$, where $\rho$ is a quarter turn and $\sigma$ is a reflection across some axis of symmetry. The relationship between the two elements is succinctly given by the equality $\rho \sigma \rho \sigma = 1$. To see this, try holding our your hand with your palm facing away; rotate your hand clockwise, flip it so your fingers are pointing left, rotate again so your fingers are pointing up, and then flip to get back to where you started; note that the two flips had the same axis of symmetry (the up-down axis). The other (obvious) relationships are that $\rho^4 = 1$ and $\sigma^2 = 1$. If we want to describe the group in a compact form, we write

$G = \left \langle \rho, \sigma | \rho^4, \sigma^2, \rho \sigma \rho \sigma \right \rangle$

This is an example of a group presentation. The left hand side is the list of generators, and the right hand side gives a list of relators, where each one is declared to be the identity element. In particular, the existence of a presentation with generators and relators implies that all possible relationships between the generators can be decuded from the list of relators (kind of like how all relationships between sine and cosine can be deduced from the fact that $\sin^2(x) + \cos^2(x) = 1$). Indeed, this is the case for the symmetry group (and all dihedral groups); there are only three distinct equations describing the behavior of rotations and reflections.

Here’s a quick definition we will often refer to in the future: a group is called cyclic if it is generated by a single element. Here are some interesting exercises for the beginning reader to puzzle over, which are considered basic facts for experienced group theorists:

• Every subgroup of a cyclic group is cyclic.
• There is only one infinite cyclic group: $\mathbb{Z}$.
• Every finite cyclic group is isomorphic to $\mathbb{Z}/n\mathbb{Z}$ for some $n$.

Finally, we will call a group finitely generated if it is generated by a finite set of elements and finitely presented if it has a presentation with finitely many generators and relators. Just to give the reader a good idea about how vast this class of groups is: many basic conjectured facts about finitely generated groups which have “only” one relator are still open problems. So trying to classify groups with two relators (or finitely many relators) is still a huge leap away from what we currently understand. As far as this author knows, this subject has been largely abandoned after a scant few results were proved.

Products and Direct Sums

Just as one does in every field of math, in order to understand groups better we want to decompose them into smaller pieces which are easier to understand. Two of the main ways to do this are via direct products and direct sums.

Definition: Let $(G, \cdot_G),(H, \cdot_H)$ be groups. The product group $G \times H$ is defined to have the underlying set $G \times H$ (pairs of elements), and the operation is defined by entrywise multiplication in the appropriate group.

$(g,h) \cdot (g’, h’) = (g \cdot_G g’, h \cdot_H h’)$

Of course, one must verify that this operation actually defines a group according to the usual definition, but this is a simple exercise. One should note that there are two canonical subgroups of the direct product. Define by $p_1 : G \times H \to G$ the projection onto the first coordinate (that is, $(a,b) \mapsto a$). This map is obviously a homomorphism, and its kernel is the subgroup of elements $(1,h), h \in H$. That is, we can identify $H$ as a subgroup of $G \times H$. Identically, we see with $p_2(a,b) = b$ that $G$ is a subgroup of $G \times H$.

Note that this allows us to make some very weird groups. For instance, by induction a single direct product allows us to define products of arbitrarily many groups. Note that reordering the terms of such a product does not change the isomorphism class of the group (e.g. $\mathbb{Z} \times D_8 \cong D_8 \times \mathbb{Z}$). Additionally, there is nothing that stops us from defining infinite product groups. The elements of such a group are sequences of elements from the corresponding multiplicands. For example, the group $\mathbb{Z} \times \mathbb{Z} \times \dots$ is the group of sequences of integers, where addition is defined termwise and the identity is the sequence of all zeroes.

Now infinite products can be particularly unwieldy, but we may still want to talk about groups constructed from infinitely many pieces. Although we have no motivation for this, one such example is the group of an elliptic curve. In order to tame the unwieldiness, we define the following construction which takes an infinite product, and allows only those elements which have finitely many non-identity terms.

Definition: Let $G_{\alpha}$ be a family of groups. Define the direct sum of the $G_{\alpha}$, denoted by $\bigoplus_{\alpha} G_{\alpha}$, to be the subgroup of $\prod_{\alpha} G_{\alpha}$ of elements $(g_0, g_1, \dots)$ where all but finitely many $g_i$ are the identity in the corresponding $G_i$.

[As a quick side note, this is mathematically incorrect: since the family of groups need not be countable, the $g_i$ may not be enumerable. One can fix this by defining the elements as functions on the index set instead of sequences, but we are too lazy to do this.]

Note that we can define a direct sum of only finitely many groups, and for example this would be denoted $G \oplus H$, but finite sums are trivially the same as finite products. In fact, in this primer and all foreseeable work on this blog, we will stick to finite direct sums of groups, and implicitly identify them with direct products.

Finally, in terms of notation we will write $G^n$ for a direct product of $G$ with itself $n$ times, and $G^{\oplus n}$ for the direct sum of $G$ with itself $n$ times. As we just mentioned, these two are identical, so we will just default to the former for simplicity of reading.

One might wonder: why do we even distinguish these two constructions? The answer is somewhat deep, and we will revisit the question when in our future series on category theory. For now, we can simply say that the distinction is in the case of infinite products and infinite sums, which we won’t discuss anyway except for in passing curiosity.

The Classification of Finitely Generated Abelian Groups

Now we have finally laid enough groundwork to state the first big classification theorem of group theory. In words, it says that any finitely generated abelian group can be written as a direct sum of things isomorphic to $\mathbb{Z}$ and $\mathbb{Z}/n\mathbb{Z}$ for various choices of $n$. Moreover, the choices of $n$ are related to each other.

In particular, the theorem is stated as follows:

Theorem: Let $G$ be a finitely generated abelian group. Then $G$ is isomorphic to a group of the form:

$\displaystyle \mathbb{Z}^m \oplus \mathbb{Z}/p_1^{n_1}\mathbb{Z} \oplus \dots \oplus \mathbb{Z}/p_k^{n_k}\mathbb{Z}$

Where $p_i$ are (not necessarily distinct) primes. Moreover, $G$ is completely determined by the choices of primes and exponents above.

In particular, we name these numbers as follows. The $\mathbb{Z}^m$ part of the equation is called the free part, the exponent $m$ is called the rank of $G$, and the numbers $p_i^{n_i}$ are called the primary factors.

The proof of this theorem is beyond the scope of this blog, but any standard algebra text will have it. All we are saying here that every finitely generated abelian group can be broken up into the part that has infinite order (the free part) and the part that has finite order (often called the torsion part), and that these parts are largely disjoint from each other. For finite groups this is a huge step forward: to classify all finite groups one now only needs to worry about nonabelian groups (although this is still a huge feat in its own).

A quick application of this theorem is as follows:

Corollary: Let $G$ be a finitely generated abelian group which has no elements of finite order. Then $G$ has no nontrivial relators except for those enforcing commutativity.

Proof. Indeed, $G \cong \mathbb{Z}^m$ for some $m$, and it has a presentation  $\left \langle x_1, x_1, \dots, x_m | x_ix_jx_i^{-1}x_j^{-1}, i \neq j \right \rangle$, which has no nontrivial relators. $\square$

Borrowing the free terminology, such groups without relators are called free abelian groups. Indeed, there are also nonabelian “free” groups, and this is the last topic we will cover in this primer.

Free Groups, and a Universal Property

Equivalently to “a group with no relators,” we can define a free group as a group which has presentation $\left \langle x_{\alpha} \right \rangle$ for some potentially infinite family of elements $x_{\alpha}$. If the number of generators is finite, say there are $n$ of them, then we call it the free group on $n$ generators.

The interesting thing here is that all possible products of the generating elements are completely distinct. For example, the free group on two generators $\left \langle a,b \right \rangle$ contains the elements $ab, aba, abab, b^3a^{-5}b^2a$, along with infinitely many others. The only way that two elements can be the same is if they can be transformed into each other by a sequence of inserting or deleting strings which are trivially the identity. For example, $abb^{-1}a = a^2$, but only because of our cancellations of $bb^{-1} = 1$, which holds in every group.

There is another way to get free groups, and that is by taking free products. In particular, the group $\mathbb{Z} = \left \langle a \right \rangle$ is the free group on a single generator. Given two copies of $\mathbb{Z}$, we’d like to combine them in some way to get $\left \langle a,b \right \rangle$. More generally, given any two groups we’d like to define their free product $G * H$ to be the group which contains all possible words using elements in $G$ or $H$, which has no nontrivial relators, except for those already existing among the elements of $G$ and $H$ before taking a product.

Rigorously, this is very easy to do with group presentations. Give presentations for $G = \left \langle x_i | r_j \right \rangle$ and $H = \left \langle y_k | s_m \right \rangle$, and define the free product by giving a presentation

$G * H = \left \langle x_i, y_k | r_j, s_m \right \rangle$

For instance, the free product $\mathbb{Z}/3\mathbb{Z} * \mathbb{Z}/4\mathbb{Z}$ has presentation $\left \langle a,b | a^3, b^4 \right \rangle$. One interesting fact is that even if $G,H$ are finite, as long as one is nontrivial then the free product will be an infinite group. Another interesting fact, which we’ll explore in future posts on category theory, is that the free product of groups is “the same thing” as the disjoint union of sets. That is, these two operations play the same role in their respective categories.

This “role” is called the universal property of the free product. We will use this directly in our post on the fundamental group, and in general it just says that homomorphisms provided on the two pieces of the free product extend uniquely to a homomorphism of the product. The simpler form is the universal property of the free group, which says that the free group is the “most general possible” group which is generated by these generators.

Theorem (Universal Property of the Free Group): Let $S$ be a set of elements, and let $F(S)$ be the free group generated by the elements of $S$. Then any set-function $S \to G$ where $G$ is a group extends uniquely to a group homomorphism $F(S) \to G$.

That is, deciding where the generators should go in $G$ carries with it all of the information needed to define a homomorphism $F(S) \to G$, and it is uniquely determined in this way. To see this, simply see that once $f(a), f(b)$ are determined, so are $f(a^{-1}) = f(a)^{-1}, f(ab) = f(a)f(b), \dots$

Theorem (Universal Property of the Free Product): Let $G_{\alpha}$ be groups, and let $f_{\alpha}: G_{\alpha} \to H$ be group homomorphisms. Then there is a unique group homomorphism from the free product of the $G_{\alpha}$ to $H$, i.e. $\ast_{\alpha} G_{\alpha} \to H$.
The idea is the same as for the first universal property: the free product is the most general group containing the $G_{\alpha}$ as subgroups, and so any group homomorphism from the product to another group is completely determined by what happens to each of the multiplicand groups.