
TOTALLY SYMMETRIC AND MEDIAL

QUASIGROUPS AND THEIR APPLICATIONS

by

BENJAMIN YOUNG

Submitted in partial fulfillment of the requirements

for the degree of Master of Science

Department of Computing and Information Science

CASE WESTERN RESERVE UNIVERSITY

May, 2021

CASE WESTERN RESERVE UNIVERSITY

SCHOOL OF GRADUATE STUDIES

We hereby approve the Thesis of Benjamin Young

candidate for the degree of Master of Science*.

Committee Chair Dr. Harold Connamacher

Committee Member Dr. David Singer

Committee Member Dr. Shuai Xu

Date of Defense

March 25, 2021

*We also certify that written approval has been obtained

for any proprietary material contained therein.

Contents

List of Tables
List of Figures
Abstract

1 Introduction
    1.1 Overview
    1.2 Basic Definitions
    1.3 Totally Symmetric and Medial Quasigroups
    1.4 Prior Work Counting Quasigroups

2 n-ary TSM Quasigroups and Trees
    2.1 n-ary Product Trees
    2.2 Generalizing Etherington's Symmetry Results

3 Counting Labeled Binary and n-ary TSM Quasigroups and Abelian Groups
    3.1 Abelian Groups and Totally Symmetric Medial Quasigroups
    3.2 Binary and n-ary Abelian Groups
    3.3 Binary and n-ary TSM Quasigroups
    3.4 n-ary Abelian Groups and TSM Quasigroups
    3.5 The Number of Labeled Binary and n-ary TSM Quasigroups and Abelian Groups

4 Applications of Quasigroups
    4.1 Quasigroups in Cryptology
        4.1.1 Survey of Quasigroups in Cryptology
        4.1.2 Generating TSM Quasigroups
    4.2 TSM Quasigroups and Cubic Curves
        4.2.1 The Chord and Tangent Construction
        4.2.2 Elliptic Curves and Diffie-Hellman
        4.2.3 Iterated Tangents


Totally Symmetric and Medial Quasigroups and their Applications

Abstract by BENJAMIN YOUNG

We prove some new results regarding binary and n-ary totally symmetric and medial (TSM) quasigroups and explore their applications to cubic curves and cryptography. We first generalize to the n-ary case Etherington's result that a product in a binary TSM quasigroup is symmetric in factors whose depths differ by a multiple of 2 in the corresponding product tree. We then demonstrate that there are an equal number of the four following labeled structures over any finite set: abelian groups, n-ary abelian groups, TSM quasigroups, and n-ary TSM quasigroups. Next we explore applications of quasigroups in cryptography and discuss how our maps between abelian groups, TSM quasigroups, and n-ary TSM quasigroups can be used to generate and easily calculate products in quasigroups for use in cryptosystems. Finally, we discuss the TSM quasigroup of points on a cubic curve and prove some properties of iterated squaring in prime-order TSM quasigroups.

Chapter 1

Introduction

1.1 Overview

In this thesis we prove several new results about binary and n-ary totally symmetric and medial (TSM) quasigroups and discuss these results' implications in two primary applications of quasigroups: cryptology and cubic curves. We begin Chapter 1 by presenting definitions of TSM quasigroups, abelian groups, and the n-ary variants of both. We also introduce the concept of product trees for binary quasigroups. In Section 1.4, as a preface to our work in Chapter 3, we review prior work counting quasigroups and n-ary quasigroups.

In Chapter 2, generalizing a result from Etherington, we prove that a product in an n-ary TSM quasigroup is symmetric in factors whose depths in the product's tree representation differ by a multiple of 2 - that is, we can permute those factors without changing the value of the product.

In Chapter 3 we demonstrate that there are an equal number of the four following labeled structures over any finite set: abelian groups, n-ary abelian groups, TSM quasigroups, and n-ary TSM quasigroups. Each of Chapter 3's sections focuses on finding a bijection between two sets of algebraic constructions over a finite set G. Three of these bijections were unknown prior to this thesis. In Section 3.1 we demonstrate several bijections between the sets of binary abelian groups and binary TSM quasigroups. In Section 3.2 we give a bijection from the set of binary abelian groups to the set of n-ary abelian groups for any n. In Section 3.3 we use the theory developed in Chapter 2 to reproduce Hacker's proof of a bijection between (n−1)-ary and n-ary TSM quasigroups for every n ≥ 3, giving a bijection between binary TSM quasigroups and n-ary TSM quasigroups for any n. Finally, in Section 3.4 we use the results of the previous sections to derive a bijection between n-ary abelian groups and n-ary TSM quasigroups.

In Chapter 4 we discuss the significance of our results to two areas of applications of TSM quasigroups. In Section 4.1 we review previous applications of quasigroups to cryptology. We discuss how the maps between abelian groups, TSM quasigroups, and n-ary TSM quasigroups discussed in Chapter 3 let us easily generate binary and n-ary TSM quasigroups for use in cryptosystems, and let us calculate products in those quasigroups without having to store their Cayley tables. In Section 4.2 we define cubic plane curves and relay Etherington's proof that the points on a cubic plane curve form a TSM quasigroup under the chord and tangent construction. Finally, we discuss elliptic curve cryptography and the Diffie-Hellman key exchange, prove some results about iterated squaring in a prime-order TSM quasigroup, or equivalently iterated tangents in a cubic curve, and discuss the merits of iterated squaring as a possible for a Diffie-Hellman variant.

1.2 Basic Definitions

Let G be a set with n elements, which we will usually denote by 0, 1, . . . , n − 1. If f is any operation that takes elements of G as arguments and returns an element of G, write (G, f) to mean G equipped with the operation f. If

$$f : G^n = \underbrace{G \times G \times \cdots \times G}_{n} \to G$$

(f takes a list of n elements of G and returns an element of G), we say f is an n-ary operation. We usually denote 2-ary (binary) operations by symbols - typically +, ·, ∗, or ◦ - and frequently leave out the · and write a · b = ab. We denote n-ary operations for n > 3 as letters and use function notation, for example f(a, b, c). If (G, ·) is a set equipped with a binary operation, then the Cayley table of (G, ·) is analogous to its multiplication table. For example, if G = {0, 1, 2} and $a +_3 b := a + b \bmod 3$ then $(G, +_3)$ has the following Cayley table:

    +_3 | 0 1 2
    ----+------
     0  | 0 1 2
     1  | 1 2 0
     2  | 2 0 1

Figure 1.1: Cayley table of $(G, +_3)$

(G, ·) is a quasigroup if for any a, b ∈ G, the equations a · x = b and y · a = b have unique solutions for x and y, respectively. The former means that if we are searching for a b in row a of (G, ·)'s Cayley table, we will find it exactly once: in column x. Similarly, the latter means that if we are searching for a b in column a we will find it exactly once: in row y. Thus every row and every column of (G, ·)'s Cayley table is a permutation of the elements of G. In other words, the Cayley table of any quasigroup (G, ·) is a Latin square. Similarly, every Latin square L with entries G is the Cayley table of a quasigroup (G, ·) defined by $a \cdot b = L_{ab}$, where $L_{ab}$ is the entry in L in the row indexed by a and the column indexed by b. For example, the Cayley table in Figure 1.1 has some permutation of {0, 1, 2} in every row and every column. Thus $(G, +_3)$ is a quasigroup.

$(G, +_3)$ is also a simple example of a group. A group (G, +) must satisfy the following properties:

    ∀a, b, c ∈ G : (a + b) + c = a + (b + c)    (associativity)

    ∃0 ∈ G : ∀a ∈ G : a + 0 = 0 + a = a         (0 is the identity element)

    ∀a ∈ G : ∃ −a ∈ G : a + (−a) = 0            (−a is the inverse of a)

All groups discussed here are abelian (or commutative), meaning they satisfy the additional axiom ∀a, b ∈ G : a + b = b + a.

Abelian groups' properties mimic those of arithmetic. $(\{0, 1, 2\}, +_3)$ is an abelian group because usual addition is associative and commutative, 0 is the identity, and every a ∈ Z has additive inverse −a = 3 − a. Quasigroups are a generalization of groups, as the following proposition shows.

Proposition 1. Every group is a quasigroup.

Proof. Let (G, +) be a group. Then a + x = b ⟹ (−a) + a + x = (−a) + b ⟹ 0 + x = (−a) + b ⟹ x = (−a) + b, so the equation has unique solution x = (−a) + b. Similarly, x + a = b has unique solution x = b + (−a), so (G, +) is a quasigroup.

However, not all quasigroups are groups, as nothing stipulates that a quasigroup must be associative, commutative, or have an identity element. In particular, the lack of associativity a(bc) ≠ (ab)c makes algebraic manipulation of quasigroups seem foreign when one is used to associative such as traditional arithmetic.

Two quasigroups (G, ∗), (G, ◦) are isotopic if there are permutations ϕ, ψ, θ of G such that ϕ(a) ◦ θ(b) = ψ(a ∗ b) for all a, b ∈ G. We also say that the Latin squares serving as (G, ∗) and (G, ◦)'s Cayley tables are isotopic, and we may obtain the Cayley table of (G, ◦) from the Cayley table of (G, ∗) by permuting the rows by ϕ, the columns by θ, and finally the entries themselves by ψ. For example, the Latin squares

    L1 =   | 0 1 2 3        and    L2 =   | 0 1 2 3
         --+--------                    --+--------
         0 | 0 1 3 2                    0 | 1 2 0 3
         1 | 1 2 0 3                    1 | 0 3 1 2
         2 | 3 0 2 1                    2 | 3 1 2 0
         3 | 2 3 1 0                    3 | 2 0 3 1

are isotopic using ϕ = (1032), θ = (1203), ψ = (1320) (where the cycle notation ϕ = (1032) means ϕ(1) = 0, ϕ(0) = 3, ϕ(3) = 2, and ϕ(2) = 1, for example). To show this, we first reorder the first square's rows using ϕ (send row 1 to row 0, row 0 to row 3, row 3 to row 2, and row 2 to row 1) to obtain

    L3 =   | 0 1 2 3
         --+--------
         0 | 1 2 0 3
         1 | 3 0 2 1
         2 | 2 3 1 0
         3 | 0 1 3 2

then reorder L3's columns using θ to obtain

    L4 =   | 0 1 2 3
         --+--------
         0 | 0 3 2 1
         1 | 2 1 0 3
         2 | 1 0 3 2
         3 | 3 2 1 0

Finally apply ψ by running through L4's entries and replacing every 1 with a 3, every 3 with a 2, every 2 with a 0, and every 0 with a 1 to reproduce L2.

The isotopes of quasigroups are always quasigroups and isotopy is an equivalence relation of quasigroups [Keedwell and Dénes, 2015]. This means that a quasigroup is isotopic to itself, if (G, ∗) is isotopic to (G, ◦) then (G, ◦) is isotopic to (G, ∗), and if (G, ∗) is isotopic to (G, ◦) and (G, ◦) is isotopic to (G, ·) then (G, ∗) is isotopic to (G, ·). If (G, ∗) and (G, ◦) are isotopic via (ϕ, θ, ψ) and ϕ = θ = ψ then we have

    ∀a, b ∈ G : ψ(a) ◦ ψ(b) = ψ(a ∗ b)

and we say (G, ∗), (G, ◦) are isomorphic. (G, ∗) and (G, ◦) have all the same properties and structure, as we have simply relabeled each a to ψ(a) to create (G, ◦). Isomorphism is also an equivalence relation of quasigroups.

Notation for n-ary operations can be messy, so to simplify it we use the following shorthands. First, we use $g_i^j$ to mean $g_i, g_{i+1}, \dots, g_j$ (following [Dudek and Głazek, 2008], [Petrescu, 2007] and others) and $g_{ik}^{jk}$ to mean $g_{ik}, g_{(i+1)k}, g_{(i+2)k}, \dots, g_{jk}$. More generally, if f(i) is an expression containing index i, write

$$[f(i)]_{i=m}^{n} := f(m), f(m+1), \dots, f(n).$$

We also write [n] to mean {1, . . . , n}. Finally, in the proper contexts (e.g. in the argument list of an n-ary operator), we write $x^n$ to mean $\underbrace{x, x, \dots, x}_{n}$.

An algebra (G, f) with n-ary operation $f : G^n \to G$ is an n-ary quasigroup if for any i ∈ [n] and any $g_1^{i-1}, g_{i+1}^{n}, y \in G$, the equation

$$f(g_1^{i-1}, x_i, g_{i+1}^{n}) = y$$

has a unique solution for $x_i$. Hence for any g ∈ G there is a unique element $\bar{g} \in G$ such that

$$f(g^{n-1}, \bar{g}) = g.$$

We say $\bar{g}$ is skew to g [Dudek, 2001].

An n-ary quasigroup (G, f) is an n-ary group if for any i ∈ [n] and $g_1^{2n-1} \in G$ it satisfies the generalized associative rule

$$f(f(g_1^{n}), g_{n+1}^{2n-1}) = f(g_1^{i-1}, f(g_i^{i+n-1}), g_{i+n}^{2n-1}).$$

An n-ary group (G, f) is abelian or commutative if the value of $f(g_1^n)$ is preserved under permutation of $g_1^n$ - that is, for any $\sigma \in S_n$,

$$f(g_1, \dots, g_n) = f(g_{\sigma(1)}, \dots, g_{\sigma(n)})$$

(see [Shchuchkin, 2015]).
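The isotopy between L1 and L2 worked through earlier in this section can be checked mechanically. The following is an added example, not code from the thesis; the function names are chosen here for illustration. It applies ϕ, θ and ψ one step at a time, confirms the defining identity ϕ(a) ◦ θ(b) = ψ(a ∗ b), and shows that an isotope keeps the Latin-square property while losing commutativity.

```python
# Added example: the isotopy L1 -> L2 from Section 1.2, checked step by step.

def cycle_to_perm(cycle, n):
    """(1 0 3 2) means 1->0, 0->3, 3->2, 2->1; points outside the cycle stay fixed."""
    perm = list(range(n))
    for pos, x in enumerate(cycle):
        perm[x] = cycle[(pos + 1) % len(cycle)]
    return perm

def is_latin_square(table):
    """Every row and every column is a permutation of 0..n-1."""
    n = len(table)
    symbols = set(range(n))
    return (all(set(row) == symbols for row in table) and
            all({table[r][c] for r in range(n)} == symbols for c in range(n)))

def is_commutative(table):
    n = len(table)
    return all(table[a][b] == table[b][a] for a in range(n) for b in range(n))

def permute_rows(table, phi):
    """Send row a to row phi(a)."""
    out = [None] * len(table)
    for a, row in enumerate(table):
        out[phi[a]] = list(row)
    return out

def permute_cols(table, theta):
    """Send column b to column theta(b)."""
    n = len(table)
    out = [[None] * n for _ in range(n)]
    for r in range(n):
        for b in range(n):
            out[r][theta[b]] = table[r][b]
    return out

def relabel(table, psi):
    """Replace every entry x by psi(x)."""
    return [[psi[x] for x in row] for row in table]

def is_isotopism(star, circ, phi, theta, psi):
    """True when phi(a) o theta(b) == psi(a * b) for all a, b."""
    n = len(star)
    return all(circ[phi[a]][theta[b]] == psi[star[a][b]]
               for a in range(n) for b in range(n))

# The squares and cycles exactly as given in the text.
L1 = [[0, 1, 3, 2], [1, 2, 0, 3], [3, 0, 2, 1], [2, 3, 1, 0]]
L2 = [[1, 2, 0, 3], [0, 3, 1, 2], [3, 1, 2, 0], [2, 0, 3, 1]]
PHI = cycle_to_perm([1, 0, 3, 2], 4)
THETA = cycle_to_perm([1, 2, 0, 3], 4)
PSI = cycle_to_perm([1, 3, 2, 0], 4)

L3 = permute_rows(L1, PHI)      # rows reordered by phi
L4 = permute_cols(L3, THETA)    # then columns reordered by theta
L2_REBUILT = relabel(L4, PSI)   # then entries relabeled by psi

if __name__ == "__main__":
    print("reproduces L2:", L2_REBUILT == L2)
    print("isotopism identity holds:", is_isotopism(L1, L2, PHI, THETA, PSI))
    print("L1 commutative:", is_commutative(L1), "| L2 commutative:", is_commutative(L2))
```
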

1.3 Totally Symmetric and Medial Quasigroups

This report deals primarily with quasigroups that are medial and totally symmetric. A quasigroup (G, ·) is totally symmetric if for any a, b, c ∈ G with ab = c, the equality holds under any permutation of a, b, c. In particular,

ba = c and ac = b.

One can also write these identities as

∀a, b ∈ G : a(ab) = b and ab = ba.

A quasigroup is medial if for any a, b, c, d ∈ G the identity

    (ab)(cd) = (ac)(bd)

is satisfied. Medial quasigroups have alternatively been called abelian in the fundamental papers of Bruck [Bruck, 1944] and Murdoch [Murdoch, 1941] and entropic by Etherington [Etherington, 1965]. The term abelian has also been used by Schwenk [Schwenk, 1995] for quasigroups that are both totally symmetric and medial. Here we denote such quasigroups as TSM quasigroups. For a more visual representation of total symmetry and mediality, we can examine TSM quasigroups' Cayley tables:

       | 0 1 2 3
     --+--------
     0 | 1 0 3 2
     1 | 0 1 2 3
     2 | 3 2 1 0
     3 | 2 3 0 1

Figure 1.2: Demonstrating ab = ba in a totally symmetric quasigroup

ab = ba implies the Cayley table is symmetric across its main diagonal, as can be observed in Figure 1.2. The effect of a(ab) = b is that every row a of a totally symmetric quasigroup is composed of a number of 'fixed' elements b such that ab = b and the remaining elements are paired off in swapped positions, as $ac_1 = c_2 \iff ac_2 = c_1$. Since the Cayley table of a totally symmetric quasigroup is symmetric across its main diagonal, the Cayley table's columns are also composed of fixed elements and swaps (i.e. (ab)a = b).

       | 0 1 2 3
     --+--------
     0 | 1 0 3 2
     1 | 0 1 2 3
     2 | 3 2 1 0
     3 | 2 3 0 1

    0 · 2 = 3 ⇐⇒ 3 · 2 = 0
    0 · 0 = 1 ⇐⇒ 0 · 1 = 0

Figure 1.3: Demonstrating a(ab) = b in a totally symmetric quasigroup

Mediality has a slightly more complex visual interpretation, as shown in Figure 1.4.

       | 0 1 2 3
     --+--------
     0 | 1 0 3 2
     1 | 0 1 2 3
     2 | 3 2 1 0
     3 | 2 3 0 1

    (00)(23) = (02)(23) ⟹ 1 · 0 = 3 · 2 = 0

Figure 1.4: Demonstrating (ab)(bc) = (ac)(bd) in a medial quasigroup

The elements ab, bc, ac, and bd are arranged in a rectangle in the Cayley table. Mediality says the products of elements in opposite corners of this rectangle are equal. Note that, due to associativity and commutativity, every abelian group is a medial quasigroup. However, most groups (G, +) are not totally symmetric, as they fail to satisfy a + (a + b) = b.

Much as we defined n-ary abelian groups as a generalization of abelian groups, we may define n-ary TSM quasigroups as a generalization of TSM quasigroups. An n-ary quasigroup (G, f) is totally symmetric if for any $g_1, \dots, g_{n+1} \in G$ such that $f(g_1^n) = g_{n+1}$, the equation

$$f(g_{\sigma(1)}, \dots, g_{\sigma(n)}) = g_{\sigma(n+1)}$$

is satisfied for any $\sigma \in S_{n+1}$ (σ is a permutation of {1, 2, . . . , n + 1}). In particular, totally symmetric n-ary quasigroups are commutative (in the sense of n-ary groups) and for all i ∈ [n] satisfy

$$f(g_1^{i-1}, f(g_1^n), g_{i+1}^{n}) = g_i. \qquad (1.1)$$

If we define

$$g^k := \underbrace{g, \dots, g}_{k}$$

then (1.1) implies that for any element g,

$$\bar{g} = f(g^n), \qquad (1.2)$$

where $\bar{g}$ is the skew of g as defined above. (G, f) is medial if it satisfies the identity

$$f\big(f(g_{11}^{1n}), f(g_{21}^{2n}), \dots, f(g_{n1}^{nn})\big) = f\big(f(g_{11}^{n1}), f(g_{12}^{n2}), \dots, f(g_{1n}^{nn})\big)$$

[Dudek, 2001]. Visually, if we arrange the elements $X_{11}^{1n}, \dots, X_{n1}^{nn}$ as indexed in an n × n matrix X and define $f(X) := f(X_{11}^{1n}, \dots, X_{n1}^{nn})$ then mediality says $f(X) = f(X^T)$.

Etherington [Etherington, 1963] introduced some elegant notation and visualizations for complicated expressions in binary quasigroups. To avoid excessive parentheses, one can use a dot to indicate a delayed multiplication. For example, we can write

$$\Big(\big((ab)(cd)\big)e\Big)(fg) = (ab.cd)e.fg.$$

Etherington also introduced the idea of trees to represent products and equations in quasigroups. A product tree represents a product in (G, ·), which is any valid expression consisting of variables, parentheses, and · operators. Each non-leaf node PQ has two child nodes P and Q and the root of the tree represents the entire expression. The leaf nodes contain single variables. An equation tree for P = Q (where P and Q could be products) consists of P and Q's product trees joined at the roots by a horizontal line. To be consistent with the similar trees introduced by Cho [Cho, 1988] for n-ary operations (see Section 2.1), we invert Etherington's trees and place the root on the top. As an example, consider the tree for (ab.cd).e = fg.h shown in Figure 1.5.

          (ab.cd)e ------------ fg.h
           /     \              /  \
       ab.cd      e           fg    h
       /   \                 /  \
     ab     cd              f    g
    /  \   /  \
   a    b c    d

Figure 1.5: Equation tree for (ab.cd)e = fg.h

Etherington proves the following two facts about trees of TSM quasigroups.

Theorem 1 ([Etherington, 1963, Etherington, 1965]). The following hold in a TSM quasigroup:

1. Any product is symmetric in factors which appear at the same depth in its product tree, meaning we can permute them without changing the value of the product. And more generally,

2. Any product or equation is symmetric in factors which are separated by an even number of branches in the tree. Hence a product is symmetric in factors whose depths differ by an even number, and any equality is symmetric in factors on opposite sides of the equality whose depth differs by an odd number, as we must count the branch between the roots of two associated trees.

As an example of statement 1, (ab.cd)e is symmetric in a, b, c, d so (ab.cd)e = (bc.da)e. Statement 2 states that, for example, (ab.cd)e = fg.h is symmetric in a, b, c, d, e, f, g and in ab, cd, fg, h. We will prove more general versions of both of these results for n-ary TSM quasigroups in Section 2.2.

1.4 Prior Work Counting Quasigroups

Definition 1 ($G$, $G_n$, $Q$, $Q_n$). Let G be a finite set.

• Define G(G) to be the set of labeled abelian groups over G.

• Define $G_n(G)$ to be the set of labeled n-ary abelian groups over G.

• Define Q(G) to be the set of labeled TSM quasigroups over G.

• Define $Q_n(G)$ to be the set of labeled n-ary TSM quasigroups over G.

In Chapter 3 we demonstrate that, for any n,

$$|G(G)| = |G_n(G)| = |Q(G)| = |Q_n(G)|.$$

This is achieved by demonstrating bijections between the following pairs of sets: G(G) and Q(G) (Section 3.1), G(G) and $G_n(G)$ (Section 3.2), and Q(G) and $Q_n(G)$ (Section 3.3, following [Hacker, 2016]). We also demonstrate a direct bijection between $G_n(G)$ and $Q_n(G)$ in Section 3.4.

[Diagram: $Q_n(G)$ and $G_n(G)$ in the top row, joined by $\kappa(c_1^{n-2}; d_1^{n})$ (3.14); Q(G) and G(G) in the bottom row, joined by G(−, xy) (3.5) and Q(−, xy), Q(−, k4) (3.2); vertical maps ζ (3.12) and η (3.9).]

Figure 1.6: The bijections defined in Chapter 3.

Recall from Section 1.2 that two quasigroups (G, ·) and (G, ◦) are isomorphic if they are relabelings of each other - that is, there is some permutation ψ of G that relabels the elements of G such that each a ∈ G behaves the same under the operation · as ψ(a) does under ◦. Most classification and enumeration results in the study of groups and quasigroups are done up to isomorphism, meaning isomorphic quasigroups are considered to be the same quasigroup and are not counted twice. In Chapter 3 we fill some of the void in counting labeled n-ary groups and quasigroups, whereby n-ary groups and quasigroups are considered different if their Cayley tables differ in any way, even if they are isomorphic. We now give an overview of previous results counting quasigroups, Latin squares, and n-ary quasigroups.

Murdoch [Murdoch, 1939], [Murdoch, 1941] and Bruck [Bruck, 1944] carried out early studies of medial quasigroups and found a close connection between medial quasigroups and abelian groups: namely that every medial quasigroup (G, ·) is isomorphic to a quasigroup generated from some abelian group (G, +) using the formula a · b = φ(a) + ψ(b) + c where φ and ψ are commuting automorphisms of (G, +). Bruck also discusses totally symmetric quasigroups but not quasigroups that are both totally symmetric and medial. Etherington [Etherington, 1965] explores TSM quasigroups in detail and refines the above formula to state that every TSM quasigroup can be generated from some abelian group (G, +) as a · b = −a − b + c. Etherington also explores the connections between TSM quasigroups and cubic curves and triple systems. Much later, Schwenk [Schwenk, 1995] classified TSM quasigroups up to isomorphism by exploiting their connection with extended triple systems.

Some work has been done recently in counting quasigroups, n-ary quasigroups, and Latin rectangles. Stanovský and Vojtěchovský [Stanovský and Vojtěchovský, 2015] enumerate all medial and all central quasigroups up to order 128 up to isomorphism. Stones [Stones, 2010] provides an overview of many approaches to counting all labeled Latin rectangles, as well as normalized and reduced rectangles where the first row or first row and first column, respectively, are fixed. McKay and Wanless [McKay and Wanless, 2005] count all reduced Latin squares of order 11. Others, including [McKay et al., 2007], [Khan et al., 2015], and [Hulpke et al., 2011] count isotopy and isomorphism classes of Latin squares of small orders. Some work focuses on counting of quasigroups satisfying particular properties. Vatutin et al. [Vatutin et al., 2019] count isotopy classes of diagonal Latin squares of small orders. Jedlička, Stanovský and Vojtěchovský [Jedlička et al., 2017] count isomorphism classes of trimedial, distributive, and Mendelsohn non-medial quasigroups of order 243. Egan and Wanless [Egan and Wanless, 2016] count mutually orthogonal Latin squares (MOLS) of order up to 9.

Less work seems to have been done counting n-ary structures. Safari et al. [Safari et al., 2015] classify n-hypergroups over small sets of elements. Potapov and Krotov [Potapov and Krotov, 2011] place bounds on the number of all labeled n-ary quasigroups of finite order and derive a formula for the number of n-ary quasigroups of order 4. Krotov [Krotov, 2008b] [Krotov, 2008a] explores the reducibility of n-ary quasigroups into quasigroups of smaller arity, which inspired some of our work in Section 3.3. Regarding n-ary abelian groups in particular, Shchuchkin [Shchuchkin, 2013, Shchuchkin, 2015] describes the automorphisms of finite abelian n-ary groups using their associated binary retracts and describes the structure of finite n-ary abelian groups up to isomorphism as direct products of smaller-order primary abelian semicyclic n-ary groups.

None of these works count labeled TSM quasigroups or labeled n-ary abelian groups. The number of labeled binary abelian groups over a set with k elements is known and is listed as A034382 in the OEIS. As of the time of this thesis' writing, sequence A034382 only counts labeled binary abelian groups. Chapter 3 demonstrates that A034382 also counts labeled binary TSM quasigroups and n-ary abelian groups and TSM quasigroups for any n ≥ 3.
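Etherington's formula a · b = −a − b + c quoted above can be exercised directly. The following is an added example, not code from the thesis: it instantiates the formula over the cyclic group Z_k (an assumption made here; any abelian group would do), so products are computed on demand instead of being read from a stored Cayley table, and it brute-forces the number of labeled TSM quasigroups for k ≤ 4. All function names are chosen for illustration.

```python
# Added example: TSM quasigroups from a.b = -a - b + c over Z_k, plus brute-force checks.
from itertools import permutations, product

def tsm_op(k, c):
    """Product a.b = -a - b + c in Z_k, evaluated on demand (no table stored)."""
    return lambda a, b: (-a - b + c) % k

def cayley_table(op, k):
    return [[op(a, b) for b in range(k)] for a in range(k)]

def is_quasigroup(t):
    """Latin-square test: each row and column is a permutation of 0..k-1."""
    k = len(t)
    symbols = set(range(k))
    return (all(set(row) == symbols for row in t) and
            all({t[r][c] for r in range(k)} == symbols for c in range(k)))

def is_totally_symmetric(t):
    """ab = ba and a(ab) = b for all a, b."""
    k = len(t)
    return all(t[a][b] == t[b][a] and t[a][t[a][b]] == b
               for a in range(k) for b in range(k))

def is_medial(t):
    """(ab)(cd) = (ac)(bd) for all a, b, c, d."""
    r = range(len(t))
    return all(t[t[a][b]][t[c][d]] == t[t[a][c]][t[b][d]]
               for a in r for b in r for c in r for d in r)

def is_tsm(t):
    # Cheapest test first so the brute-force count rejects most tables early.
    return is_totally_symmetric(t) and is_quasigroup(t) and is_medial(t)

def count_labeled_tsm(k):
    """Count Cayley tables on {0..k-1} that are TSM; every row must be a permutation."""
    rows = list(permutations(range(k)))
    return sum(1 for t in product(rows, repeat=k) if is_tsm(t))

def holds_on_samples(op, samples):
    """Spot-check the TSM identities on a few elements of a quasigroup too large to tabulate."""
    ts = all(op(a, b) == op(b, a) and op(a, op(a, b)) == b
             for a in samples for b in samples)
    med = all(op(op(a, b), op(c, d)) == op(op(a, c), op(b, d))
              for a in samples for b in samples for c in samples for d in samples)
    return ts and med

# Cayley table of Figure 1.2, copied from the text.
FIGURE_1_2 = [[1, 0, 3, 2], [0, 1, 2, 3], [3, 2, 1, 0], [2, 3, 0, 1]]
# Ordinary addition mod 4: medial (it is an abelian group) but not totally symmetric.
Z4_ADD = cayley_table(lambda a, b: (a + b) % 4, 4)

if __name__ == "__main__":
    print("Figure 1.2 is TSM:", is_tsm(FIGURE_1_2))
    print("Z_7 with c = 3 is TSM:", is_tsm(cayley_table(tsm_op(7, 3), 7)))
    # k = 4 gives 16 = 12 labelings of Z4 + 4 labelings of Z2 x Z2.
    print("labeled TSM quasigroups, k = 1..4:", [count_labeled_tsm(k) for k in (1, 2, 3, 4)])
```

The counts for k = 3 and k = 4 agree with the number of labeled abelian groups on 3 and 4 elements, which is the equality the thesis proves in general.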

Chapter 2

n-ary TSM Quasigroups and Trees

The goal of this chapter is to generalize Etherington's results about product trees of TSM quasigroups as discussed in Section 1.3 to n-ary TSM quasigroups. Hacker [Hacker, 2016] introduces the idea of such generalizations by using special cases of the following Theorems 2 and 3 to prove that the number of labeled binary TSM quasigroups equals the number of labeled n-ary TSM quasigroups over any set for any n. We reproduce Hacker's work using the language of this chapter in Section 3.3.

2.1 n-ary Product Trees

We first introduce an extension of binary product trees to n-ary product trees. Cho [Cho, 1988] uses trees analogous to Etherington's to represent products (which we will also call words) and equations in an n-ary quasigroup (G, f). Each node $f(x_1^n)$ in an n-ary product or equation tree has n children $x_1^n$. The edges to the children of a node are numbered 1, . . . , n from left to right. For example, the tree for the expression

$$f\big(f(a, b, c), w, f(x, y, f(p, q, r))\big)$$

can be found in Figure 2.1. We refer to non-root nodes and their associated labels (for example f(a, b, c) in Figure 2.1) as factors or subwords. The address of a node is the sequence of labels of the edges of the path from the root to the node. For example, node p in Figure 2.1 has address 331. If λ and µ are addresses we define λµ to be the concatenation of λ and µ (e.g. if λ = 21 and µ = 234 then λµ = 21234) and λd to be the concatenation of address λ and digit d (e.g. if λ = 21 then λ1 = 211). Cho defines the depth of a tree node to be the number of edges separating it from the root and the depth of a word to be the depth of its product tree. He also defines a full tree to be a tree whose leaf nodes all have the same depth, and a full word to be an expression whose tree is full. The tree in Figure 2.1 is not full because, for example, a has depth 2 and p has depth 3, but the tree in Figure 2.2 is, as all leaves have depth 3.

    f(f(a, b, c), w, f(x, y, f(p, q, r)))
    ├─1─ f(a, b, c)
    │    ├─1─ a
    │    ├─2─ b
    │    └─3─ c
    ├─2─ w
    └─3─ f(x, y, f(p, q, r))
         ├─1─ x
         ├─2─ y
         └─3─ f(p, q, r)
              ├─1─ p
              ├─2─ q
              └─3─ r

Figure 2.1: Product tree for $f\big(f(a, b, c), w, f(x, y, f(p, q, r))\big)$

    f([f(x_i1, x_i2, x_i3)]_{i=1}^{3})
    ├─1─ f(x11, x12, x13)
    │    ├─1─ x11
    │    ├─2─ x12
    │    └─3─ x13
    ├─2─ f(x21, x22, x23)
    │    ├─1─ x21
    │    ├─2─ x22
    │    └─3─ x23
    └─3─ f(x31, x32, x33)
         ├─1─ x31
         ├─2─ x32
         └─3─ x33

Figure 2.2: Example of a full tree

Cho notes that the following holds for any idempotent n-ary quasigroup, though it in fact holds for any n-ary quasigroup.

Lemma 1 ([Cho, 1988]). Let s be a word in an n-ary quasigroup and let m be an integer no less than the depth of s. Then there is a full word t of depth m such that s = t.

To construct such a full word, we note that we can increase the depth of a branch with depth less than m by expanding the branch's leaf x into a node with n children using

$$x = f(x^{n-1}, \bar{x})$$

(or equivalently $x = f(x^n)$ if the quasigroup is idempotent). We can repeat this process until every branch has depth m without changing the word's value. For example, to convert the tree in Figure 2.1 to a full tree, replace a, b, c, x, y, and w with f(a, a, a), f(b, b, b), f(c, c, c), f(x, x, x), f(y, y, y), and

$$f(w, w, w) = f\big(f(w, w, w), f(w, w, w), f(w, w, w)\big),$$

respectively. Cho also provides the following useful definitions.

Definition 2 (S). For any m ∈ N and word t, let $S_m(t)$ be the set of all addresses of subwords of t at depth m.

Definition 3 (τ). For addresses λ and µ of word t, let $\tau_{\lambda,\mu}(t)$ be the word resulting from interchanging the subwords of t at λ and µ.

For example, in the tree in Figure 2.1, the subword at address 2 is w and the subword at address 33 is f(p, q, r) so

$$\tau_{2,33}\Big(f\big(f(a, b, c), w, f(x, y, f(p, q, r))\big)\Big) = f\big(f(a, b, c), f(p, q, r), f(x, y, w)\big).$$

We now define two metrics that will be useful in proving the next section’s theorems.

Definition 4 (sep). Let λ and µ be addresses in a tree t. Define sep(λ, µ) to be the number of edges of t on the path between λ and µ.

Note that both product trees and equation trees (in the sense of Section 1.3, where the tree for s = t is the trees of s and t joined by an edge between the two roots) are trees in the graph theoretic sense, meaning there is exactly one path between each pair of nodes, so sep is well defined. In a product tree, the path joining λ and µ must travel through the lowest common ancestor (LCA) of λ and µ, which is the node farthest from the root having both λ and µ as descendants. Thus for a product tree

    sep(λ, µ) = sep(λ, α) + sep(µ, α),

where α is the lowest common ancestor (LCA) of λ and µ.

Definition 5 (dLCA). Let λ, µ ∈ $S_m(t)$. Define

$$\mathrm{dLCA}(\lambda, \mu) := \tfrac{1}{2}\,\mathrm{sep}(\lambda, \mu).$$

Since λ and µ have the same depth, we must have sep(λ, α) = sep(µ, α) where α = LCA(λ, µ) so dLCA(λ, µ) = sep(λ, α) = sep(µ, α).

Equivalently, dLCA(λ, µ) is the length in digits of λ and µ minus the number of leading digits λ and µ have in common. For example, in the tree in Figure 2.2, dLCA(11, 33) = 2 and dLCA(21, 22) = 1. If dLCA(λ, µ) = 1 then we say λ and µ are siblings, as they have a common parent, and if dLCA(λ, µ) = 2 we say λ and µ are cousins, as they have a common grandparent. Cho proves the following lemma that can greatly simplify proofs involving medial n-ary quasigroups.

Lemma 2 ([Cho, 1988]). Let t be a word in a medial n-ary quasigroup and suppose λ, µ ∈ $S_m(t)$ contain the same number of i's for each i = 1, 2, . . . , m. Then $\tau_{\lambda,\mu}(t) = t$.

For example, we may swap $x_{12}$ and $x_{21}$ in Figure 2.2 without changing the value of $f\big([f(x_{i1}, x_{i2}, x_{i3})]_{i=1}^{3}\big)$ because $x_{12}$'s address 12 and $x_{21}$'s address 21 both have one '1' and one '2'.
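The definitions of this section translate directly into code. The following is an added example, not code from the thesis: words are nested tuples, addresses are digit strings, and the two ternary operations are constructed here as assumptions (a linear medial operation mod 7 for Lemma 2, and f(x, y, z) = 3 − x − y − z mod 7 as a commutative medial operation). It checks the τ and dLCA examples from the text and compares swaps that preserve a word's value with swaps that do not.

```python
# Added example: addresses, S_m(t), tau, sep and dLCA on n-ary product trees.
from itertools import combinations

def subword(t, addr):
    """Subword of t at an address such as '331' (edge labels are 1-based)."""
    for digit in addr:
        t = t[int(digit) - 1]
    return t

def _replace(t, addr, new):
    if not addr:
        return new
    i = int(addr[0]) - 1
    return t[:i] + (_replace(t[i], addr[1:], new),) + t[i + 1:]

def tau(t, lam, mu):
    """tau_{lam,mu}(t): interchange the subwords of t at addresses lam and mu."""
    if lam == mu:
        return t
    if lam.startswith(mu) or mu.startswith(lam):
        raise ValueError("one address is an ancestor of the other")
    u, v = subword(t, lam), subword(t, mu)
    return _replace(_replace(t, lam, v), mu, u)

def addresses_at_depth(t, m):
    """S_m(t): all addresses of subwords of t at depth m."""
    if m == 0:
        return [""]
    if not isinstance(t, tuple):
        return []
    return [str(i + 1) + rest
            for i, child in enumerate(t)
            for rest in addresses_at_depth(child, m - 1)]

def sep(lam, mu):
    """Number of edges on the path between two addresses of a product tree."""
    common = 0
    for x, y in zip(lam, mu):
        if x != y:
            break
        common += 1
    return (len(lam) - common) + (len(mu) - common)

def d_lca(lam, mu):
    if len(lam) != len(mu):
        raise ValueError("dLCA is defined for addresses of equal depth")
    return sep(lam, mu) // 2

def evaluate(t, f, env):
    """Value of word t under operation f with leaf values taken from env."""
    if isinstance(t, tuple):
        return f(*(evaluate(child, f, env) for child in t))
    return env[t]

def same_depth_pairs(t, m):
    return list(combinations(addresses_at_depth(t, m), 2))

def swaps_preserve_value(t, f, env, pairs):
    base = evaluate(t, f, env)
    return all(evaluate(tau(t, lam, mu), f, env) == base for lam, mu in pairs)

# Constructed ternary operations on Z_7 (assumptions, not taken from the thesis).
def g_medial(x, y, z):            # medial, not commutative
    return (x + 2 * y + 4 * z) % 7

def f_comm_medial(x, y, z):       # commutative and medial
    return (3 - x - y - z) % 7

FIG_2_1 = (("a", "b", "c"), "w", ("x", "y", ("p", "q", "r")))
FIG_2_2 = tuple(tuple(f"x{i}{j}" for j in (1, 2, 3)) for i in (1, 2, 3))
ENV_2_1 = dict(a=1, b=2, c=3, w=4, x=5, y=6, p=0, q=1, r=2)          # constructed values
ENV_2_2 = dict(zip((leaf for row in FIG_2_2 for leaf in row),
                   (1, 2, 3, 4, 5, 6, 0, 1, 2)))                      # constructed values

if __name__ == "__main__":
    print("tau_{2,33}:", tau(FIG_2_1, "2", "33"))
    print("Lemma 2 swap 12<->21 keeps value:",
          swaps_preserve_value(FIG_2_2, g_medial, ENV_2_2, [("12", "21")]))
    print("same-depth swaps keep value when f is also commutative:",
          all(swaps_preserve_value(FIG_2_1, f_comm_medial, ENV_2_1, same_depth_pairs(FIG_2_1, m))
              for m in (1, 2, 3)))
```
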

2.2 Generalizing Etherington's Symmetry Results

Adding commutativity to Lemma 2 lets us prove a stronger result analogous to part 1 of Theorem 1. The following theorem states that we can swap any two subwords at the same level of the tree of a product in a commutative medial n-ary quasigroup.

Theorem 2. Let (G, f) be a commutative medial n-ary quasigroup. If t is a word of (G, f) with maximum depth d, m ≤ d and λ, µ ∈ $S_m(t)$, then $\tau_{\lambda,\mu}(t) = t$.

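Proof. First apply Lemma 1 to create a t′ = t with a corresponding tree full up to depth m, so that we may apply mediality at depth up to m. Let u and v be the subwords of t′ at addresses λ and µ, respectively. We now proceed by induction on dLCA(λ, µ). If dLCA(λ, µ) = 1 then we may simply swap u and v using commutativity. If dLCA(λ, µ) = 2 then without loss of generality we can say $u = x_{ij}$, $v = x_{kl}$ with i, j, k, l ∈ [n] and i < j < k < l in the subword $f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)$ and we must swap $x_{ij}$ and $x_{kl}$ without changing the value of $f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)$. Let $f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)$ have address λ so that $x_{ij}$ has address λij and $x_{kl}$ has address λkl. We first swap $x_{ij}$ with $x_{ik}$ and $x_{kl}$ with $x_{ki}$ using commutativity:

$$
\begin{aligned}
f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)
&= \tau_{\lambda kl,\lambda ki}\,\tau_{\lambda ij,\lambda ik}\Big(f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)\Big)\\
&= \tau_{\lambda kl,\lambda ki}\,\tau_{\lambda ij,\lambda ik}\Big(f\big(f(x_{11}^{1n}), \dots, f(x_{n1}^{nn})\big)\Big)\\
&= \tau_{\lambda kl,\lambda ki}\,\tau_{\lambda ij,\lambda ik}\Big(f\big(\dots, f(x_{i1}^{i(j-1)}, x_{ij}, x_{i(j+1)}^{i(k-1)}, x_{ik}, x_{i(k+1)}^{in}), \dots,\\
&\qquad\qquad f(x_{k1}^{k(i-1)}, x_{ki}, x_{k(i+1)}^{k(l-1)}, x_{kl}, x_{k(l+1)}^{kn}), \dots\big)\Big)\\
&= \tau_{\lambda kl,\lambda ki}\Big(f\big(\dots, f(x_{i1}^{i(j-1)}, x_{ik}, x_{i(j+1)}^{i(k-1)}, x_{ij}, x_{i(k+1)}^{in}), \dots,\\
&\qquad\qquad f(x_{k1}^{k(i-1)}, x_{ki}, x_{k(i+1)}^{k(l-1)}, x_{kl}, x_{k(l+1)}^{kn}), \dots\big)\Big)\\
&= f\big(\dots, f(x_{i1}^{i(j-1)}, x_{ik}, x_{i(j+1)}^{i(k-1)}, x_{ij}, x_{i(k+1)}^{in}), \dots,\\
&\qquad\qquad f(x_{k1}^{k(i-1)}, x_{kl}, x_{k(i+1)}^{k(l-1)}, x_{ki}, x_{k(l+1)}^{kn}), \dots\big).
\end{aligned}
$$

Note that $x_{ij}$ now has address λik and $x_{kl}$ has address λki so by Lemma 2 we can swap $x_{ij}$ and $x_{kl}$, giving

$$f\big(\dots, f(x_{i1}^{i(j-1)}, x_{ik}, x_{i(j+1)}^{i(k-1)}, x_{kl}, x_{i(k+1)}^{in}), \dots, f(x_{k1}^{k(i-1)}, x_{ij}, x_{k(i+1)}^{k(l-1)}, x_{ki}, x_{k(l+1)}^{kn}), \dots\big).$$

Now we can use commutativity to swap $x_{kl}$ with $x_{ik}$ and $x_{ij}$ with $x_{ki}$, giving

$$
\begin{aligned}
&f\big(\dots, f(x_{i1}^{i(j-1)}, x_{kl}, x_{i(j+1)}^{i(k-1)}, x_{ik}, x_{i(k+1)}^{in}), \dots, f(x_{k1}^{k(i-1)}, x_{ki}, x_{k(i+1)}^{k(l-1)}, x_{ij}, x_{k(l+1)}^{kn}), \dots\big)\\
&\qquad= \tau_{\lambda ij,\lambda kl}\Big(f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)\Big).
\end{aligned}
$$

Thus we have shown

$$\tau_{\lambda ij,\lambda kl}\Big(f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)\Big) = f\big([f(x_{i1}^{in})]_{i=1}^{n}\big)$$

so the theorem holds for dLCA(λ, µ) = 2.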

Now suppose inductively that $\tau_{\lambda',\mu'}(t) = t$ for any $\lambda', \mu' \in S_r$ for any $r \le d$ and $d_{LCA}(\lambda', \mu') = c - 1$. We will show we can swap the subwords $u$ and $v$ at any pair of addresses $\lambda, \mu \in S_m$ with $d_{LCA}(\lambda, \mu) = c$. Let the subword $f\big(f(s_{i1}^{in})_{i=1}^{n}\big)$ at address $\theta$ be the lowest common ancestor of $u$ and $v$, where each $s_{ij}$ is a product, not necessarily just a variable. Suppose without loss of generality that $u$ is a subword of $s_{ij}$ and $v$ is a subword of $s_{kl}$ with $i, j, k, l \in [n]$ and $i < j < k < l$. Thus we can 'factor' $\lambda$ into $\lambda = \theta ij\lambda_s$, where $\lambda_s$ is the address of $u$ in the subtree with root $s_{ij}$. Similarly we may factor $\mu = \theta kl\mu_s$ (see Figure 2.3).

[Figure 2.3: $u$ is a subword of $s_{ij}$ and $v$ is a subword of $s_{kl}$]

If $s_{ij} = u$ and $s_{kl} = v$ then $d_{LCA}(\lambda, \mu) = 2$ so we can apply the above argument to swap $u$ and $v$. Otherwise, since $s_{ij}$ and $s_{k1}$ have the same grandparent $f\big(f(s_{i1}^{in})_{i=1}^{n}\big)$ their $d_{LCA}$ is 2 so we can swap $s_{ij}$ and $s_{k1}$ to obtain

$$
f\big(\ldots, f(s_{i1}^{i(j-1)}, s_{k1}, s_{i(j+1)}^{in}), \ldots, f(s_{ij}, s_{k2}^{k(l-1)}, s_{kl}, s_{k(l+1)}^{kn}), \ldots\big)
$$

(see Figure 2.4).

[Figure 2.4: Product tree after swapping $s_{ij}$ and $s_{k1}$]

$u$ now has address $\theta k1\lambda_s$, which has exactly one more leading digit ($k$) in common with $v$'s address $\mu = \theta kl\mu_s$ than $u$'s previous address $\lambda = \theta ij\lambda_s$ did, so

$$
d_{LCA}(\theta k1\lambda_s, \mu) = d_{LCA}(\lambda, \mu) - 1 = c - 1 < c
$$

so we may apply the induction hypothesis to swap $u$ and $v$. Now $u$ is a subword of $s'_{ij}$ and $v$ is a subword of $s'_{kl}$ in

$$
f\big(\ldots, f(s_{i1}^{i(j-1)}, s_{k1}, s_{i(j+1)}^{in}), \ldots, f(s'_{ij}, s_{k2}^{k(l-1)}, s'_{kl}, s_{k(l+1)}^{kn}), \ldots\big)
$$

(where $s'_{ij}$ is identical to $s_{ij}$ but with $u$ replaced with $v$ and $s'_{kl}$ is identical to $s_{kl}$ but with $v$ replaced with $u$) and when we swap $s'_{ij}$ back with $s_{k1}$ we have successfully swapped $u$ and $v$ in $f\big(f(s_{i1}^{in})_{i=1}^{n}\big)$, and hence in $t'$ (see Figure 2.5).

Since swapping subwords at depth m lets us permute the subwords at depth m arbitrarily and every commutative medial quasigroup is a TSM quasigroup, we obtain a proper n-ary analog to part 1 of Theorem 1.

Corollary 1. If t is a word in an n-ary TSM quasigroup, then t is symmetric in factors which appear at the same depth in its product tree.

[Figure 2.5: Product tree after swapping $u$ and $v$ and $s'_{ij}$ with $s_{k1}$]

Now we use a similar technique to prove the n-ary analog to part 2 of Theorem 1, starting with the following theorem, which states that we can swap any two subwords whose depths in the tree of a product in an n-ary TSM quasigroup differ by a multiple of two.

Theorem 3. Let $(G, f)$ be an $n$-ary TSM quasigroup. If $t$ is a word of $(G, f)$ with maximum depth $d$, $\lambda_1 \in S_{m_1}(t)$, $\lambda_2 \in S_{m_2}(t)$, $m_1 \le m_2 \le d$, $m_1 \equiv m_2 \bmod 2$, and $\lambda_1$ is not an ancestor of $\lambda_2$ or vice-versa, then $\tau_{\lambda_1,\lambda_2}(t) = t$.

Proof. Following Etherington's reasoning in [Etherington, 1965], we first prove the n-ary equivalent to the fact that (ab.c).d is symmetric in a, b, and d in a binary TSM quasigroup (G, ·). That is, that the product

$$
f\big(f\big(f(x_1^n), y_1^{n-1}\big), z_1^{n-1}\big) \tag{2.1}
$$

is symmetric in every element of $x_1^n$ and $z_1^n$. First, we show the equation

$$
f\big(f(y_{i1}^{in})_{i=1}^{n}\big) = f(z_1^n) \tag{2.2}
$$

is symmetric in all variables. It is symmetric in every $y_{ij}$ by Theorem 2 and it is symmetric in $y_{ij}$ and $z_k$ because total symmetry (1.1) lets us rewrite (2.2) as, say,

$$
f\big(f(y_{i1}^{in})_{i=1}^{n-1}, f(z_1^n)\big) = f(y_{n1}^{nn})
$$

and now we may use Theorem 2 to interchange the $y_{ij}$s and $z_k$s however we like. Now we may use total symmetry again to rewrite (2.2) as

$$
z_n = f\big(f\big(f(y_{i1}^{in})_{i=1}^{n}\big), z_1^{n-1}\big). \tag{2.3}
$$

Since (2.2) is symmetric in all variables, the right side of (2.3) is symmetric in all

nn n n−1  variables, and, by substituting yn1 = x1 and yi = f (yi) , yi for i = 1, . . . , n − 1, we can rewrite (2.1) as

 n  n−1 n−1 n−1 f f f(x1 ), f((yi) , yi) i=1 , z1 , (2.4)

1n n i(n−1) n−1 in which is in the same form as (2.3) with y11 = x1 and yi1 = (yi) , yi1 = yi for

n n i > 1. Thus (2.4), and hence (2.1), is symmetric in every x1 and z1 .

We can treat $x_1^n$, $y_1^{n-1}$, and $z_1^{n-1}$ as arbitrary subwords (not necessarily leaf nodes) so the product's symmetry in each $x_1^n$ and $z_1^{n-1}$ is sufficiently general to prove the statement of the theorem for $m_2 - m_1 = 2$ (see Figure 2.6 - the situation in (2.1) represents any $x_1^n$ and $z_1^{n-1}$ whose depths differ by 2).

[Figure 2.6: Product tree for $f\big(f\big(f(x_1^n), y_1^{n-1}\big), z_1^{n-1}\big)$ for $n = 3$]

We now formalize via induction on $m_2 - m_1$ that we can simply repeat this process to interchange any two elements whose depths differ by a multiple of 2. Suppose that the theorem holds for any $m_1', m_2'$ with $m_2' - m_1' = 2(k - 1)$ where $k > 1$ and we would like to show that $\tau_{\lambda_1,\lambda_2}(t) = t$ for $\lambda_1 \in S_{m_1}(t)$, $\lambda_2 \in S_{m_2}(t)$, and $m_2 - m_1 = 2k$. There is some $\mu \in S_{m_1+2}(t)$ that is not $\lambda_1$'s direct ancestor ($\mu$ is a sibling of $\lambda_1$'s grandparent), so since $(m_1 + 2) - m_1 = 2$, we have $\tau_{\lambda_1,\mu}(t) = t$. Now $m_2 - (m_1 + 2) = (m_2 - m_1) - 2 = 2k - 2 = 2(k - 1)$ so we apply the induction hypothesis to obtain $\tau_{\mu,\lambda_2}(t) = t$. Thus, since swapping the subwords at $\lambda_1$ and $\mu$, then at $\mu$ and $\lambda_2$, then at $\mu$ and $\lambda_1$ has the effect of just swapping the subwords at $\lambda_1$ and $\lambda_2$ (see Table 2.1), we have

$$
\tau_{\lambda_1,\lambda_2}(t) = \tau_{\lambda_1,\mu}\,\tau_{\mu,\lambda_2}\,\tau_{\lambda_1,\mu}(t) = t,
$$

as desired.

Swap      λ1   µ    λ2
None      u    v    w
τλ1,µ     v    u    w
τµ,λ2     v    w    u
τλ1,µ     w    v    u

Table 2.1: Effect of successively applying τλ1,µ, τµ,λ2 , τλ1,µ to elements u, v, w starting at addresses λ1, µ, λ2, respectively.
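The following added example (not code from the thesis) checks Theorem 3 by brute force on the n = 3 product of (2.1). It assumes the particular ternary TSM quasigroup f(x, y, z) = c − x − y − z on Z/3; the helper names and the 0-based addresses are choices made for this example.

```python
from itertools import combinations, product

def make_f(m, c):
    """Assumed instance: f(x_1..x_n) = c - (x_1 + ... + x_n) mod m, an n-ary TSM quasigroup on Z/m."""
    return lambda *xs: (c - sum(xs)) % m

def leaves(word, addr=()):
    """Addresses (0-based child indices from the root) of every leaf of a word."""
    if isinstance(word, int):
        return [addr]
    return [a for i, sub in enumerate(word) for a in leaves(sub, addr + (i,))]

def fill(shape, values):
    """Copy of `shape` whose leaves are replaced, left to right, by `values`."""
    it = iter(values)
    def go(w):
        return next(it) if isinstance(w, int) else tuple(go(s) for s in w)
    return go(shape)

def evaluate(word, f):
    """Evaluate a product tree bottom-up; a leaf is an element of Z/m."""
    return word if isinstance(word, int) else f(*(evaluate(s, f) for s in word))

def get(word, addr):
    for i in addr:
        word = word[i]
    return word

def put(word, addr, sub):
    if not addr:
        return sub
    i = addr[0]
    return word[:i] + (put(word[i], addr[1:], sub),) + word[i + 1:]

def tau(word, a, b):
    """tau_{a,b}: exchange the subwords at addresses a and b (neither an ancestor of the other)."""
    u, v = get(word, a), get(word, b)
    return put(put(word, a, v), b, u)

def invariant_swaps(shape, m, c):
    """Pairs of leaf addresses whose swap preserves the product for every assignment in Z/m."""
    f = make_f(m, c)
    addrs = leaves(shape)
    words = [fill(shape, vals) for vals in product(range(m), repeat=len(addrs))]
    return {(a, b) for a, b in combinations(addrs, 2)
            if all(evaluate(tau(w, a, b), f) == evaluate(w, f) for w in words)}

# Shape of f(f(f(x1, x2, x3), y1, y2), z1, z2): x's at depth 3, y's at depth 2, z's at depth 1.
SHAPE_2_1 = (((0, 0, 0), 0, 0), 0, 0)

if __name__ == "__main__":
    for a, b in sorted(invariant_swaps(SHAPE_2_1, 3, 1)):
        print(a, b, "depths", len(a), len(b))
```

In this instance the swaps that preserve the product are exactly those between leaves whose depths differ by an even number; the theorem guarantees the "even" direction for every n-ary TSM quasigroup, while the failure of the odd swaps is a property of this particular quasigroup.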

Now we may complete the proof of our n-ary version of part 2 of Theorem 1.

Corollary 2. Any product or equation in an n-ary TSM quasigroup (G, f) is symmetric in factors which are separated by an even number of branches in the corresponding tree.

Proof. Let λ and µ be addresses in the tree of a product t with sep(λ, µ) even and let α be the address of the lowest common ancestor of λ and µ. We know sep(λ, µ) = sep(λ, α) + sep(µ, α) so sep(λ, α) and sep(µ, α) have the same parity. sep(λ, α) is the depth of λ with respect to α and sep(µ, α) is the depth of µ with respect to α so | sep(λ, α) − sep(µ, α)|, which is even, is the difference between the depths of λ and µ. Thus by Theorem 3 we may swap the factors at λ and µ. Thus we may freely permute factors in a single product that are separated by an even number of branches.

It remains to show the statement holds for factors on opposite sides of an equation. Consider the equation s = t, where s and t are products in (G, f). If s and t are both single variables then the equation has no factors separated by an even number of branches. If $t = x$ is a single variable and $s = f(s_1^n)$ for subwords $s_1^n$ then s = t becomes $f(s_1^n) = x$, whose product tree is shown in Figure 2.7.

[Figure 2.7: Abridged equation tree for $f(s_1^n) = x$]

Suppose subword $u$ of $f(s_1^n)$ has sep(u, x) = 2k for k ∈ N (since we haven't defined addresses for equation trees, we will abuse the sep notation by applying it to the factors directly, not their addresses). If $u = s_i$ for some $i$ then we swap $x$ and $u$ directly via total symmetry. Otherwise, $u$ is a subword of some $s_i$. $\mathrm{sep}(s_i, x) = 2$, so $\mathrm{sep}(u, s_i) = 2k - 2$. By total symmetry we may swap $x$ with some $s_j$, $j \ne i$, so $x$ and $u$ are now part of the same product and are separated by $2k - 2 + 2 = 2k$ branches (the path between $u$ and $s_i$, plus the length-2 path between $s_i$ and $x$ through $f(s_1^n)$). Thus we may swap $x$ and $u$, then use total symmetry to swap $u$ with $s_j$ (which is now on the left side of the =) and we have successfully swapped $u$ and $x$.

Finally, suppose $s = f(s_1^n)$ and $t = f(t_1^n)$, so s = t becomes $f(s_1^n) = f(t_1^n)$, and suppose $u$ is a subword of $s_i$ and $v$ is a subword of $t_j$ for some $i, j$, and that sep(u, v) = 2k.

[Figure 2.8: Abridged equation tree for $f(s_1^n) = f(t_1^n)$]

Pick some $i' \ne i$. Total symmetry gives

$$
f\big(s_1^{i'-1}, f(t_1^n), s_{i'+1}^{n}\big) = s_{i'},
$$

as shown in Figure 2.9.

[Figure 2.9: Abridged equation tree for $f\big(s_1^{i'-1}, f(t_1^n), s_{i'+1}^{n}\big) = s_{i'}$]

In the original $f(s_1^n) = f(t_1^n)$ tree we had

$$
\mathrm{sep}(u, v) = \mathrm{sep}(u, s_i) + \mathrm{sep}(s_i, t_j) + \mathrm{sep}(t_j, v) = \mathrm{sep}(u, s_i) + \mathrm{sep}(t_j, v) + 3
$$

and sep(u, v) was assumed to be even, so $\mathrm{sep}(u, s_i) + \mathrm{sep}(t_j, v)$ must be odd. In the tree in Figure 2.9, since we haven't moved $u$ and $v$ relative to their respective ancestors $s_i$ and $t_j$, $\mathrm{sep}(u, s_i)$ and $\mathrm{sep}(t_j, v)$ haven't changed. Additionally, the path from $s_i$ to $t_j$ still goes through $f\big(s_1^{i'-1}, f(t_1^n), s_{i'+1}^{n}\big)$ and $f(t_1^n)$ so $\mathrm{sep}(s_i, t_j) = 3$ still. Hence

$$
\mathrm{sep}(u, v) = \mathrm{sep}(u, s_i) + \mathrm{sep}(s_i, t_j) + \mathrm{sep}(t_j, v) = \mathrm{sep}(u, s_i) + \mathrm{sep}(t_j, v) + 3
$$

is even. Thus, since $u$ and $v$ are now in the same product, we may swap $u$ and $v$, then use total symmetry to unswap $s_{i'}$ and the subword that used to be $f(t_1^n)$, and we have successfully swapped $u$ and $v$ in $f(s_1^n) = f(t_1^n)$.

Chapter 3

Counting Labeled Binary and n-ary TSM Quasigroups and Abelian Groups

In this chapter we derive bijections between the sets Q(G), G(G), Qn(G), Gn(G) (which recall from Section 1.4 denote the set of labeled TSM quasigroups, labeled abelian groups, labeled n-ary TSM quasigroups, and labeled n-ary abelian groups over G, respectively) for any finite set G.

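[Figure 3.1: The bijections defined in this chapter, drawn as a square with vertices $Q_n(G)$, $G_n(G)$, $Q(G)$, $G(G)$ and sides $\kappa(c_1^{n-2}; d_1^n)$ (3.14), $\zeta$ (3.12), $\eta$ (3.9), and $G(-, xy)$ (3.5) together with $Q(-, xy), Q(-, k^4)$ (3.2)]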

Each of the following four sections is devoted to one side of this square. Which side a section is devoted to is drawn in blue on a copy of the square at the beginning of the section.

3.1 Abelian Groups and Totally Symmetric Medial Quasigroups

The Bruck-Toyoda Theorem [Bruck, 1944] states that every medial quasigroup $(G, \cdot)$ is isomorphic to a central quasigroup $(G, *)$ defined over an abelian group $(G, +)$ as

$$
a * b = \varphi(a) + \psi(b) + c
$$

where $\varphi$ and $\psi$ are commuting automorphisms of $(G, +)$ and $c \in G$. In particular, every TSM quasigroup $(G, \cdot)$ can be constructed from some abelian group $(G, +)$ using the formula

$$
a \cdot b = c - a - b \tag{3.1}
$$

for $c \in G$ [Etherington, 1965]. If $(G, \cdot)$ is constructed from $(G, +)$ in this manner, write

$$
(G, \cdot) = Q((G, +), c). \tag{3.2}
$$

[Figure 3.2: $Q(-, xy), Q(-, k^4) : G(G) \to Q(G)$ and $G(-, xy) : Q(G) \to G(G)$ are bijections]

$(G, +)$ and $Q((G, +), c)$ are isotopic and if $Q((G, +_1), c_1)$ and $Q((G, +_2), c_2)$ are isotopic then $(G, +_1)$ and $(G, +_2)$ are isotopic and hence isomorphic. Thus the isotopy classes of TSM quasigroups are in bijection with the isomorphism classes of abelian groups [Stanovský and Vojtěchovský, 2015].

Definition 6 (lab). Let (G, +) be an abelian group. Define lab(G, +) to be the set of all labelings of (G, +).

Definition 7 (tsm). Let (G, +) be an abelian group. Define tsm(G, +) to be the set of all labeled TSM quasigroups isotopic to (G, +).

Note that lab(G, +) is the set of all groups over G isomorphic to (G, +) and

$$
\mathrm{tsm}(G, +) = \{Q((G, *), c) \mid (G, *) \in \mathrm{lab}(G, +) \text{ and } c \in G\} \tag{3.3}
$$

because every TSM quasigroup can be generated from its unique (up to isomorphism) isotopic abelian group (G, +) using (3.1). For every TSM quasigroup (G, ·) and any fixed o ∈ G we can define an abelian group (G, +) by

$$
a + b = (a \cdot b) \cdot o \tag{3.4}
$$

with identity $o$ and $-a = ao^2$. In this case write

$$
(G, +) = G((G, \cdot), o). \tag{3.5}
$$

For any (G, ·) ∈ tsm(G, +), the identity

$$
(G, \cdot) = Q(G((G, \cdot), o), o^2)
$$

holds, where $o^2$ is a multiplication in (G, ·) [Schwenk, 1995]. Since the value of $o^2$ is dependent on (G, ·) instead of G((G, ·), o), this does not necessarily establish G(−, o): tsm(G, +) → lab(G, +) as an injective map. It is in fact not injective in many cases, including when (G, +) = Z/3Z, where all 3 labeled TSM quasigroups are mapped to the labeled Z/3Z with identity o. Similarly, one can easily see that for any (G, ∗) ∈ lab(G, +) and k ∈ G,

$$
(G, *) = G(Q((G, *), k), \mathrm{id}_*),
$$

although the dependence of $\mathrm{id}_*$ on (G, ∗) does not necessarily establish Q(−, k): lab(G, +) → tsm(G, +) as an injection, and this map is not injective for example when (G, +) = Z/2Z.

We have seen that the isotopy classes of TSM quasigroups are in bijection with the isomorphism classes of abelian groups. We now show that there are bijections between the elements of these equivalence classes as well - that is, the isomorphic relabelings of an abelian group G are in bijection with the labeled quasigroups in the corresponding isotopy class. First we define some more notation.

Definition 8 (id∗, I∗). Let (G, ∗) be a group. Define id∗ ∈ G to be the identity element of (G, ∗) and for a ∈ G define I∗(a): G → G to be the inverse of a with respect to ∗:

a ∗ I∗(a) = id∗

Theorem 4. Let (G, +) be an abelian group. Then

|lab(G, +)| = |tsm(G, +)|

Proof. Fix x, y ∈ G and consider Q(−, xy) : lab(G, +) → tsm(G, +) where xy is an operation in the group passed as Q(−, xy)'s argument. We will show that Q(−, xy) is injective. Assume (G, ◦), (G, ∗) ∈ lab(G, +) with (G, ∗) ≠ (G, ◦) but Q((G, ∗), x ∗ y) = Q((G, ◦), x ◦ y). Then for all a, b ∈ G,

x ∗ y ∗ I∗(a) ∗ I∗(b) = x ◦ y ◦ I◦(a) ◦ I◦(b) (3.6)

Let a = x and b = y in (3.6), giving

id∗ = id◦ = id .

Now let a = b = id in (3.6), giving

x ∗ y = x ◦ y = z.

Letting a = z in (3.6) gives I∗(b) = I◦(b) for all b so

I∗ = I◦ = I .

(G, ∗) ≠ (G, ◦) so there are some p, q such that p ∗ q ≠ p ◦ q and hence

I(p) ∗ I(q) ≠ I(p) ◦ I(q). (3.7)

Consider two cases:

1. z ∗ p = z ◦ p: In this case letting m = z ∗ p = z ◦ p and n = q gives, via (3.7),

z ∗ I(m) ∗ I(n) = I(p) ∗ I(q) ≠ I(p) ◦ I(q) = z ◦ I(m) ◦ I(n)

2. z ∗ p ≠ z ◦ p: In this case, let m = id and n = I(p), giving

z ∗ I(m) ∗ I(n) = z ∗ p ≠ z ◦ p = z ◦ I(m) ◦ I(n)

In either case, we conclude

∃m, n ∈ G : x ∗ y ∗ I∗(m) ∗ I∗(n) = z ∗ I(m) ∗ I(n) ≠ z ◦ I(m) ◦ I(n) = x ◦ y ◦ I◦(m) ◦ I◦(n),

contradicting Q((G, ∗), x ∗ y) = Q((G, ◦), x ◦ y). Thus Q(−, xy) is injective so |lab(G, +)| ≤ |tsm(G, +)|.

Now fix k ∈ G and consider the map $Q(-, k^4)$ : lab(G, +) → tsm(G, +). We will show that $Q(-, k^4)$ is surjective. Pick any (G, ·) ∈ tsm(G, +), which we can write as

(G, ·) = Q((G, ∗), c)

for some (G, ∗) ∈ lab(G, +) and c ∈ G. Given (G, ∗) we can define a new group (G, ◦) by

$$
a \circ b := x * a * b
$$

for $x = I_*(k^4) * c$ where

$$
\mathrm{id}_\circ = I_*(x)
$$

and

$$
I_\circ(g) = I_*(x)^2 * I_*(g)
$$

for any g ∈ G. Left multiplication by x in (G, ∗) is a permutation of G so (G, ◦) is isotopic to (G, ∗). Isotopic groups are isomorphic [Keedwell and Dénes, 2015] so (G, ◦) ∈ lab(G, +). Now

$$
\begin{aligned}
k^4 \circ I_\circ(a) \circ I_\circ(b)
&= k \circ k \circ k \circ k \circ \big(I_*(x)^2 * I_*(a)\big) \circ \big(I_*(x)^2 * I_*(b)\big) \\
&= x * k * k * k * k * x^4 * \big(I_*(x)^2 * I_*(a)\big) * \big(I_*(x)^2 * I_*(b)\big) \\
&= k^4 * x * I_*(a) * I_*(b) \\
&= c * I_*(a) * I_*(b)
\end{aligned}
$$

so $Q((G, \circ), k^4) = Q((G, *), c) = (G, \cdot)$. Therefore $Q(-, k^4)$ is surjective so |lab(G, +)| ≥ |tsm(G, +)|.

Corollary 3. $Q(-, xy), Q(-, k^4)$ : lab(G, +) → tsm(G, +) are bijections for any x, y, k ∈ G.

We will show in Section 3.4 that the map

G(−, xy) : tsm(G, +) → lab(G, +)

is also a bijection (though it is not the inverse of Q(−, xy)).

Corollary 4. |G(G)| = |Q(G)|.

Proof. By Theorem 4, up to isomorphism, every abelian group has exactly one isotopic TSM quasigroup associated with each of its labelings. Since each TSM quasigroup is isotopic to exactly one abelian group up to isomorphism, the corollary follows.
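An added Python illustration (not part of the thesis) of the maps (3.1)/(3.2) and (3.4)/(3.5) on Cayley tables over G = {0, ..., k−1}. It checks the identity (G, ·) = Q(G((G, ·), o), o²), the two non-injectivity remarks, and |lab(G, +)| = |tsm(G, +)| for both abelian groups of order 4; all function names are chosen for this example.

```python
from itertools import permutations

def cyclic(k):
    """Cayley table of Z/k on the labels 0..k-1."""
    return tuple(tuple((a + b) % k for b in range(k)) for a in range(k))

# Z/2 x Z/2 on the labels 0..3 (bitwise xor).
KLEIN = tuple(tuple(a ^ b for b in range(4)) for a in range(4))

def identity(add):
    k = len(add)
    return next(e for e in range(k) if all(add[e][a] == a for a in range(k)))

def Q(add, c):
    """(3.1)/(3.2): a . b = c - a - b, computed from the group table alone."""
    k, e = len(add), identity(add)
    neg = [add[a].index(e) for a in range(k)]
    return tuple(tuple(add[add[c][neg[a]]][neg[b]] for b in range(k)) for a in range(k))

def G(mul, o):
    """(3.4)/(3.5): a + b = (a . b) . o, a group with identity o."""
    k = len(mul)
    return tuple(tuple(mul[mul[a][b]][o] for b in range(k)) for a in range(k))

def is_tsm(mul):
    """Latin square, totally symmetric (commutative and a.(a.b) = b), and medial."""
    R = range(len(mul))
    latin = (all(sorted(row) == list(R) for row in mul)
             and all(sorted(mul[a][b] for a in R) == list(R) for b in R))
    symmetric = all(mul[a][b] == mul[b][a] and mul[a][mul[a][b]] == b
                    for a in R for b in R)
    medial = all(mul[mul[a][b]][mul[c][d]] == mul[mul[a][c]][mul[b][d]]
                 for a in R for b in R for c in R for d in R)
    return latin and symmetric and medial

def labelings(add):
    """lab(G, +): every distinct table obtained by relabeling the elements."""
    k = len(add)
    out = set()
    for p in permutations(range(k)):
        t = [[0] * k for _ in range(k)]
        for a in range(k):
            for b in range(k):
                t[p[a]][p[b]] = p[add[a][b]]
        out.add(tuple(map(tuple, t)))
    return out

def tsm_class(add):
    """tsm(G, +) as in (3.3): Q((G, *), c) over all labelings (G, *) and all c."""
    return {Q(L, c) for L in labelings(add) for c in range(len(add))}

if __name__ == "__main__":
    for name, grp in (("Z/4", cyclic(4)), ("Z/2 x Z/2", KLEIN)):
        print(name, "|lab| =", len(labelings(grp)), "|tsm| =", len(tsm_class(grp)))
```

Note that `Q` never stores more than the group table it is given: for Z/k a product is a single modular subtraction, which is the point made about avoiding Cayley tables in Section 4.1.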

3.2 Binary and n-ary Abelian Groups

[Figure 3.3: $\eta : G(G) \to G_n(G)$ is a bijection]

For any n-ary abelian group (G, f) and any c ∈ G we can define a binary abelian group $(G, +)_c = \mathrm{ret}_c(G, f)$ by

$$
a + b := f(a, \underbrace{c, \ldots, c}_{n-3}, c, b),
$$

with identity c, called a retract of (G, f). Conversely, given a binary abelian group (G, +) and d ∈ G we can define an n-ary abelian group $(G, f)_d = \mathrm{der}_d(G, +)$ by

$$
f(g_1^n) = d + \sum_{i=1}^{n} g_i.
$$

(G, f) is d-derived from (G, +). If 0 is the identity element of (G, +) then

$$
(G, +) = \mathrm{ret}_0\,\mathrm{der}_d(G, +)
$$

and if d = f(c, . . . , c) then

$$
(G, f) = \mathrm{der}_d\,\mathrm{ret}_c(G, f) \tag{3.8}
$$

(see [Shchuchkin, 2013, Shchuchkin, 2015]). However, since 0 is a property of (G, +) in the first case and d depends on f in the second case, these equations alone do not give any immediate information about the relative number of labeled binary and n-ary abelian groups. We can, however, use the fact that every n-ary abelian group can be derived from some binary abelian group to prove the following theorem.

Theorem 5. |Gn(G)| = |G(G)| for every n ≥ 2.

Proof. We will demonstrate a bijection η : G(G) → Gn(G). Fix any k ∈ G and define η(G, ◦) := (G, f) where

$$
f(x_1^n) = x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n-2}. \tag{3.9}
$$

We first show η is injective. If η(G, ∗) = η(G, ◦) then letting x3 = x4 = ... = xn = k gives

x1 ∗ x2 = x1 ◦ x2

for all x1, x2 ∈ G so (G, ∗) = (G, ◦).

We now show η is surjective. From (3.8), any (G, f) ∈ Gn(G) can be defined from some (G, ∗) ∈ G(G) (in particular $\mathrm{ret}_c(G, f)$) as

$$
f(x_1^n) := x_1 * \cdots * x_n * d
$$

for d = f(c, . . . , c) ∈ G. Given (G, f) we need to find a (G, ◦) ∈ G(G) such that

$$
f(x_1^n) = x_1 * \cdots * x_n * d = x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n-2}.
$$

Define $a \circ b := x * a * b$ where $x = d * k^{n-2}$.

As in the previous section, this defines an abelian group (G, ◦) with $\mathrm{id}_\circ = I_*(x)$ and $I_\circ(g) = I_*(x)^2 * I_*(g)$. Now, since the product $x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n-2}$ contains $2n - 2$ terms and thus $2n - 3$ applications of ◦,

$$
\begin{aligned}
x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n-2}
&= x^{2n-3} * I_\circ(k)^{n-2} * x_1 * \cdots * x_n \\
&= x^{2n-3} * \big(I_*(x)^2 * I_*(k)\big)^{n-2} * x_1 * \cdots * x_n \\
&= x * I_*(k)^{n-2} * x_1 * \cdots * x_n \\
&= d * x_1 * \cdots * x_n \\
&= f(x_1^n).
\end{aligned}
$$

In general, we can ask for which exponents e the map $\eta_e : G(G) \to G_n(G)$ with $\eta_e(G, \circ) := (G, f)$ with

$$
f(x_1^n) = x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{e}
$$

is a bijection. We showed in the proof of Theorem 5 that it is for e = n − 2. It's not hard to show that it also is for e = n: We can write any (G, f) as $f(x_1^n) := x_1 * \cdots * x_n * d$. Define $a \circ b := x * a * b$ where

$$
x = I_*(d) * I_*(k)^{n}.
$$

Now the product $x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n}$ has $2n - 1$ applications of ◦ so

$$
\begin{aligned}
x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n}
&= x^{2n-1} * I_\circ(k)^{n} * x_1 * \cdots * x_n \\
&= x^{2n-1} * \big(I_*(x)^2 * I_*(k)\big)^{n} * x_1 * \cdots * x_n \\
&= I_*(x) * I_*(k)^{n} * x_1 * \cdots * x_n \\
&= d * x_1 * \cdots * x_n
\end{aligned}
$$

so $\eta_e$ is always a surjection (and hence a bijection, since $|G(G)| = |G_n(G)|$) when e = n.

On the other hand we now show $\eta_e$ is never a bijection when e = n − 1, as it is not injective. Let (G, ∗) ∈ G(G) be a group such that $k \ne \mathrm{id}_*$. Consider (G, ◦) ∈ G(G) defined by $a \circ b := k * a * b$. Then $\mathrm{id}_\circ = I_*(k) \ne \mathrm{id}_*$ (as $I_*(k) = \mathrm{id}_* \iff k = \mathrm{id}_*$) so (G, ◦) ≠ (G, ∗). But

$$
\begin{aligned}
x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{n-1}
&= k^{2n-2} * x_1 * \cdots * x_n * \big(I_*(k)^2 * I_*(k)\big)^{n-1} \\
&= k^{2n-2} * x_1 * \cdots * x_n * I_*(k)^{3n-3} \\
&= I_*(k)^{n-1} * x_1 * \cdots * x_n
\end{aligned}
$$

so $\eta_e(G, \circ) = \eta_e(G, *)$. Hence $\eta_e$ is not injective. For any group (G, ◦) and any k ∈ G it is a basic fact in group theory that $k^{|G|} = \mathrm{id}_\circ$. Thus

$$
I_\circ(k)^{n+m|G|} = I_\circ(k)^{n}\, I_\circ(k)^{m|G|} = I_\circ(k)^{n}\, \big(I_\circ(k)^{m}\big)^{|G|} = I_\circ(k)^{n}
$$

for any m ∈ Z and similarly

$$
I_\circ(k)^{n-2+m|G|} = I_\circ(k)^{n-2}
$$

and

$$
I_\circ(k)^{n-1+m|G|} = I_\circ(k)^{n-1}.
$$

Hence $\eta_e$ is also a bijection if e ≡ n mod |G| or e ≡ n − 2 mod |G| and is never a bijection if e ≡ n − 1 mod |G|.

For other values of e, $\eta_e$'s status as a bijection depends on the prime factorization of |G|. Let $p_1, p_2, \ldots, p_j$ be the prime factors of |G| and suppose $e \equiv n - 1 \bmod p_i$ for some $p_i$. Cauchy's theorem of classical group theory states that every (G, ∗) ∈ G(G) contains an element with order $p_i$ for each prime factor $p_i$ of |G|. Thus, since G(G) contains all labelings of each abelian group over G, there must be some (G, ∗) ∈ G(G) where k is the label of an element with order $p_i$. Then

$$
I_*(k)^{e} = I_*(k)^{n-1+mp_i} = I_*(k)^{n-1}\, I_*(k^{p_i})^{m} = I_*(k)^{n-1}\, I_*(\mathrm{id}_*)^{m} = I_*(k)^{n-1}.
$$

Furthermore, $|k| = p_i > 1 \implies k \ne \mathrm{id}_*$ so if we define (G, ◦): $a \circ b := k * a * b$ we will again have (G, ◦) ≠ (G, ∗) but $\eta_e(G, \circ) = \eta_e(G, *)$ exactly as in the e ≡ n − 1 mod |G| case above, so $\eta_e$ is not injective.

Conversely, suppose that for every $p_i$ in |G|'s prime factorization, $e \not\equiv n - 1 \bmod p_i$. Define (G, ◦) with $a \circ b = x * a * b$ for an undetermined x. Then

$$
\begin{aligned}
x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{e}
&= x^{n+e-1} * \big(I_*(x)^2 * I_*(k)\big)^{e} * x_1 * \cdots * x_n \\
&= x^{n-e-1} * I_*(k)^{e} * x_1 * \cdots * x_n.
\end{aligned}
$$

If we can choose x such that the final line equals $d * x_1 * \cdots * x_n$, then $\eta_e$ is surjective. Thus we need to find an x such that $d = x^{n-e-1} * I_*(k)^{e}$, or equivalently

$$
x^{e+1-n} = I_*(d)\, I_*(k)^{e}. \tag{3.10}
$$

Write e = n − m for some m, so $e \not\equiv n - 1 \bmod p_i$ becomes $m \not\equiv 1 \bmod p_i$, or equivalently $m - 1 \not\equiv 0 \bmod p_i$. Since this holds for each of |G|'s prime factors, we have gcd(m − 1, |G|) = 1. With e = n − m, (3.10) becomes

$$
x^{m-1} = I_*(d)\, I_*(k)^{e}. \tag{3.11}
$$

We will now show that every element of (G, ∗), including $I_*(d)\, I_*(k)^{e}$, has a (m − 1)th root. Suppose that for a, b ∈ (G, ∗), $a^{m-1} = b^{m-1}$. Then $(ab^{-1})^{m-1} = \mathrm{id}_*$, so $|ab^{-1}|$ divides m − 1. Lagrange's theorem, another classical theorem of group theory, states that the order of any element of (G, ∗) must divide |G|. But gcd(m − 1, |G|) = 1, so we must have $ab^{-1} = \mathrm{id}_*$, and hence a = b. Therefore taking the (m − 1)th power of all elements of (G, ∗) simply permutes them, so every element of (G, ∗) has a (m − 1)th root. Thus we can always satisfy (3.11) by choosing x to be the (m − 1)th root of $I_*(d)\, I_*(k)^{e}$, so $\eta_e$ is surjective.

Thus we obtain that $\eta_e$ is a bijection if $|G| = p_1^{q_1} \cdots p_j^{q_j}$ and $\forall p_i : e \not\equiv n - 1 \bmod p_i$. Therefore we have proved the following proposition.

Proposition 2. Let k ∈ G and suppose $|G| = p_1^{q_1} \cdots p_j^{q_j}$. Then $\eta_e : G(G) \to G_n(G)$ defined by $\eta_e(G, \circ) = (G, f)$ with $f(x_1^n) = x_1 \circ \cdots \circ x_n \circ I_\circ(k)^{e}$ is a bijection if and only if $\forall p_i : e \not\equiv n - 1 \bmod p_i$.

The earlier cases e = n, n − 1, n − 2 above are special cases of this result, as

$$
e = n \implies e \equiv n \bmod |G| \implies \forall p_i : e \equiv n \not\equiv n - 1 \bmod p_i
$$

and

$$
e = n - 2 \implies e \equiv n - 2 \bmod |G| \implies \forall p_i : e \equiv n - 2 \not\equiv n - 1 \bmod p_i,
$$

and if e = n − 1 then $\forall p_i : e \equiv n - 1 \bmod p_i$.

3.3 Binary and n-ary TSM Quasigroups

[Figure 3.4: $\zeta : Q(G) \to Q_n(G)$ is a bijection]

In this section we prove |Q(G)| = |Qn(G)| for any n. Every result in this section is due to Hacker [Hacker, 2016]. We present simplified versions of Hacker’s proofs using the n-ary tree constructions of Section 2.2, demonstrating the power of Corollary 2. The following lemma is the key ingredient of our proof of this section’s main theorem.

Lemma 3. For any TSM n-ary quasigroup (G, f) and $0, g_1^n \in G$,

$$
f\big(0^{n-2}, g_n, f\big(0^{n-1}, f(0, g_1^{n-1})\big)\big) = f(g_1^n).
$$

Proof. Since $g_n$ is at depth 1 and the 0 at address nn1 (see Figure 3.5) is at depth 3, we may apply Corollary 2 to swap these two factors, giving

$$
f\big(0^{n-2}, 0, f\big(0^{n-1}, f(g_n, g_1^{n-1})\big)\big) = f\big(0^{n-1}, f\big(0^{n-1}, f(g_1^n)\big)\big) = f(g_1^n)
$$

by total symmetry.

[Figure 3.5: Product tree for $f\big(0^{n-2}, g_n, f\big(0^{n-1}, f(0, g_1^{n-1})\big)\big)$]

Theorem 6. For any $n \ge 3$, given an $(n-1)$-ary TSM quasigroup (G, h) and element 0 ∈ G there exists a unique n-ary TSM quasigroup ζ(G, h) = (G, f) such that

$$
f(0, g_1^{n-1}) = h(g_1^{n-1}) \tag{3.12}
$$

Proof. We must first define $f(g_1^n)$ when $g_1 \ne 0$. If (G, f) is an n-ary TSM quasigroup satisfying (3.12) then Lemma 3 would force

$$
f(g_1^n) = f\big(0^{n-2}, g_n, f\big(0^{n-1}, f(0, g_1^{n-1})\big)\big) = h\big(0^{n-3}, g_n, h\big(0^{n-2}, h(g_1^{n-1})\big)\big),
$$

a unique definition for f in terms of h. It remains to show that (G, f) defined this way is in fact a TSM quasigroup. Since (G, h) is a quasigroup it is clear that (G, f) is a quasigroup. We now show that (G, f) is totally symmetric. It suffices to show that we can swap any $g_i, g_j$ for $1 \le j < i \le n + 1$ in

$$
f(g_1^n) = h\big(0^{n-3}, g_n, h\big(0^{n-2}, h(g_1^{n-1})\big)\big) = g_{n+1}
$$

while preserving equality.

[Figure 3.6: Product tree for $h\big(0^{n-3}, g_n, h\big(0^{n-2}, h(g_1^{n-1})\big)\big)$]

If $1 \le i, j \le n - 1$ or $i = n + 1$, $j = n$ then this is a simple application of the total symmetry of h. If $i = n$, $j < n$ then, since $g_i$ is at depth 3 and $g_n$ is at depth 1 (see Figure 3.6), we may apply Corollary 2.

Finally if $i = n + 1$, $j < n$ then use h's total symmetry to swap $g_n$ with $g_{n+1}$ and apply the reasoning of the previous case to obtain

$$
h\big(0^{n-3}, g_j, h\big(0^{n-2}, h(g_1^{j-1}, g_{n+1}, g_{j+1}^{n-1})\big)\big) = g_n
$$

and use h's total symmetry again to swap $g_j$ and $g_n$.

It remains to show (G, f) is medial.

n  1n nn h ini  f f g11 , . . . , f gn1 = f f gi1 i=1 n h n−3 n−2 i(n−1) i  = f h 0 , gin, h(0 , h(gi1 )) i=1  n−3  n−3 n−2 n(n−1)  = h 0 , h 0 , gnn, h 0 , h(gn1 ) ,

 n−2  n−3 n−2 i(n−1) n−1 h 0 , h h 0 , gin, h(0 , h(gi1 )) i=1

 n−3  n−2  = h 0 , h 0 , gnn ,

 n−3 n−2 n(n−1)  h 0 , h 0 , h(gn1 ) ,

 n−3 n−2 i(n−1) n−1 h h 0 , gin, h(0 , h(gi1 )) i=1 . (3.13)

n(n−1) i(n−1) The gn1 ’s in (3.13) are at depth 4 (inside 4 nested h’s) and the gi1 ’s for i < n are at depth 6, so by Corollary 2 we may permute them such that (3.13) reads

 n−3  n−2  h 0 , h 0 , gnn ,

 n−3 n−2 (n−1)n  h 0 , h 0 , h(g1n ) ,

 n−3 n−2 (n−1)i n−1 h h 0 , gin, h(0 , h(g1i )) i=1 .

Now upon reversing the 4 steps leading to (3.13) we obtain

 n1 nn f f g11 , . . . , f g1n

so (G, f) is medial.

Corollary 5. $|Q_n(G)| = |Q(G)|$ for every $n \ge 2$.

Proof. For any $(G, h) \in Q_{n-1}(G)$ consider $\zeta(G, h) \in Q_n(G)$, the unique (G, f) specified in (3.12). Since $f(g_1^n)$ is defined solely in terms of h, ζ is injective. If $(G, f) \in Q_n$ then define (G, h) by

$$
h(g_1^{n-1}) := f(0, g_1^{n-1}).
$$

(G, h) obviously inherits (G, f)'s quasigroup and commutativity properties. Additionally,

$$
h\big(g_1^{n-2}, h(g_1^{n-1})\big) = f\big(0, g_1^{n-2}, f(0, g_1^{n-1})\big) = g_{n-1}
$$

by total symmetry of (G, f) so (G, h) is totally symmetric. Finally, using mediality of (G, f),

$$
\begin{aligned}
h\big(\big[h(g_{i1}^{i(n-1)})\big]_{i=1}^{n-1}\big)
&= f\big(0, \big[f(0, g_{i1}^{i(n-1)})\big]_{i=1}^{n-1}\big) \\
&= f\big(0, \big[f(0, g_{1i}^{(n-1)i})\big]_{i=1}^{n-1}\big) \quad \text{(Corollary 1)} \\
&= h\big(\big[h(g_{1i}^{(n-1)i})\big]_{i=1}^{n-1}\big)
\end{aligned}
$$

so (G, h) is medial. Thus $(G, h) \in Q_{n-1}(G)$. We have clearly defined (G, h) such that ζ(G, h) = (G, f) so ζ is surjective. Hence for any n > 2 we have

$$
|Q_n(G)| = |Q_{n-1}(G)|
$$

and the corollary follows inductively.

3.4 n-ary Abelian Groups and TSM Quasigroups

[Figure 3.7: $\kappa(c_1^{n-2}; d_1^n) : Q_n(G) \to G_n(G)$ is a bijection]

For any n and finite set G, Corollary 4, Theorem 5, and Corollary 5 together give

|Gn(G)| = |G(G)| = |Q(G)| = |Qn(G)|, inducing

Corollary 6. |Gn(G)| = |Qn(G)| for all n.

One can find a bijection from Qn(G) to Gn(G) by composing the intermediate bijections from earlier sections, but we give here a simpler Qn(G) → Gn(G) bijection that is a generalization of the n = 2 case in (3.4).

Proposition 3. If (G, q) is an n-ary TSM quasigroup then for any $c_1^{n-1} \in G$ the n-ary $(G, f) = \kappa(c_1^{n-1})(G, q)$ defined by

$$
f(g_1^n) := q\big(c_1^{n-1}, q(g_1^n)\big)
$$

is an abelian n-ary group.

Proof. (G, f) is clearly an abelian quasigroup. It remains to show that, for all $i = 1, \ldots, n$,

$$
\begin{aligned}
f\big(f(g_1^n), g_{n+1}^{2n-1}\big)
&= q\big(c_1^{n-1}, q\big(q(c_1^{n-1}, q(g_1^n)), g_{n+1}^{2n-1}\big)\big) \\
&= q\big(c_1^{n-1}, q\big(g_1^{i-1}, q\big(c_1^{n-1}, q(g_i^{n+i-1})\big), g_{n+i}^{2n-1}\big)\big) \\
&= f\big(g_1^{i-1}, f(g_i^{n+i-1}), g_{n+i}^{2n-1}\big).
\end{aligned}
$$

We need the second equality. Total symmetry gives

 n−1  n−1 n  2n−1 q c1 , q q c1 , q(g1 ) , gn+1

 n−1  n−1 n   j+n−1 j+n n−1 =q c1 , q q c1 , q(g1 ) , q gj+1 , q(gj+1 ) j=1 .

n−1 j+n−1 Each c1 and gj+1 is at depth 3 so apply Corollary 1 as follows: for each j = n+j−1 j+n−1 j+n  1, . . . , i − 1 move the gj+1 from q gj+1 , q(gj+1 ) to the preceding q clause. Also n−1 i+n−2 i+n−1  n+i−2 move the c1 to q gi , q(gi ) to replace gi . The result is

 n−1  n+j−1 n+j−1i−1 q c1 , q q q(gj ), gj+1 j=1,

n−1 n+i−1  q c1 , q(gi ) ,

 j+n−1 j+n n−1 q gj+1 , q(gj+1 ) j=i

 n−1  i−1 n−1 n+i−1  2n−1 = q c1 , q g1 , q c1 , q(gi ) , gn+i by total symmetry.

Now we show that one particular class of such maps κ are bijections.

Proposition 4. The map $\kappa(c_1^{n-2}; d_1^n) : Q_n(G) \to G_n(G)$ given by

$$
\kappa(c_1^{n-2}; d_1^n)(G, q)(g_1^n) := q\big(c_1^{n-2}, q(d_1^n), q(g_1^n)\big) \tag{3.14}
$$

is a bijection for any n and any $c_1^{n-2}, d_1^n \in G$.

Proof. We proceed by induction on n. First consider the case n = 2. It suffices to show that $\kappa(\emptyset; d_1^2)$ ($\emptyset$ representing $c_1^0$) is injective. Suppose $\kappa(\emptyset; d_1^2)(G, \circ) = \kappa(\emptyset; d_1^2)(G, \cdot)$ - that is,

(d1 · a) · (d2 · b) = (d1 ◦ a) ◦ (d2 ◦ b) (3.15)

for any a, b ∈ G. Fix any x ∈ G. Choosing a = d1 · x and b = d1 ◦ a gives

(d1 · (d1 · x)) · (d2 · (d1 ◦ a)) = (d1 ◦ a) ◦ (d2 ◦ (d1 ◦ a))

=⇒ x · (d2 · (d1 ◦ (d1 · x))) = d2

=⇒ d2 · (d2 · (d1 ◦ (d1 · x))) = x

=⇒ d1 ◦ (d1 · x) = x

=⇒ d1 · x = d1 ◦ x.

Similarly d2 · x = d2 ◦ x. Now for any x, y ∈ G setting a = d1 · x = d1 ◦ x and b = d2 · y = d2 ◦ y in (3.15) gives

x · y = x ◦ y.

Therefore (G, ·) = (G, ◦).

n−2 n n−2 n n Now suppose κ(c1 ; d1 )(G, q) = κ(c1 ; d1 )(G, r), or for any g1 ,

n−2 n n  n−2 n n  q c1 , q(d1 ), q(g1 ) = r c1 , r(d1 ), r(g1 ) . (3.16)

0 0 Fix x ∈ G and by (6) there are unique TSM quasigroups (G, q ), (G, r ) ∈ Qn−1(G) with

0 n n 0 n n q (g2 ) = q(x, g2 ) r (g2 ) = r(x, g2 )

53 and

n 0 n−3 0 n−2 0 n−1  q(g1 ) = q x , gn, q x , q (g1 ) ,

n 0 n−3 0 n−2 0 n−1  r(g1 ) = r x , gn, r x , r (g1 ) .

Substituting into (3.16) with g1 = x we obtain

0 n−3 0 n−2 0 n−2 n   0 n  q x , q x , q c1 , q(d1 ) , q (g2 ) (3.17) 0 n−3 0 n−2 0 n−2 n   0 n  =r x , r x , r c1 , r(d1 ) , r (g2 ) .

0 n−2 n  0 n−2 n  Note that if q c1 , q(d1 ) = r c1 , r(d1 ) then (3.17) takes the form

0 n−3 0 n−1 0 0 n−3 0 n−1 0 κ (c )1 ;(d )1 (G, q ) = κ (c )1 ;(d )1 (G, r ) (3.18)

0 n−3 0 n−1 where κ (c )1 ;(d )1 : Qn−1(G) → Gn−1(G) and

0 n−3 n−3 0 n−2 n−2 0 0 n−2 n  0 n−2 n  (c )1 = x , (d )1 = x , (d )n−1 = r c1 , r(d1 ) = q c1 , q(d1 ) .

0 n−2 n  0 n−2 n  Thus we now show q c1 , q(d1 ) = r c1 , r(d1 ) . For any y ∈ G, setting gn = y,

54 n−1 n−2 n−2 gn−1 = r(d1 , y) and g1 = c1 in (3.16) gives

 n−2 n n−2 n−1   q c1 , q d1 , q c1 , r(d1 , y), y

 n−2 n n−2 n−1   = r c1 , r d1 , r c1 , r(d1 , y), y

 n−2 n−1  n−2 n−1   =⇒ q c1 , q d1 , y , q c1 , r(d1 , y), dn

 n−2 n−1  n−2 n−1   = r c1 , r d1 , y , r c1 , r(d1 , y), dn

 n−2 n−1  n−2 n−1   =⇒ q c1 , q d1 , y , q c1 , r(d1 , y), dn = dn

 n−2 n−2 n−1   n−1  =⇒ q c1 , dn, q c1 , r(d1 , y), dn = q d1 , y

n−1 n−1  =⇒ r d1 , y) = q d1 , y .

In particular, there must exist some yx such that

n−1  n−1  r d1 , yx = q d1 , yx = x.

n−1 n−1 Now setting g1 = d1 and gn = yx in (3.16) gives

0 n−2 n  n−2 n  n−2 n  0 n−2 n  q c1 , q(d1 ) = q c1 , q(d1 ), x = r c1 , r(d1 ), x = r c1 , r(d1 ) .

Therefore (3.18) holds, so the inductive assumption gives (G, q0) = (G, r0), so for all

n−1 g1 ∈ G,

n−1 0 n−1 0 n−1 n−1 q(x, g1 ) = q (g1 ) = r (g1 ) = r(x, g1 ).

Our choice of x was arbitrary, so from this we conclude (G, q) = (G, r).

3.5 The Number of Labeled Binary and n-ary TSM Quasigroups and Abelian Groups

If G has k elements then

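$$|\mathcal{G}_n(G)| = |\mathcal{Q}(G)| = |\mathcal{Q}_n(G)| = |\mathcal{G}(G)| = \sum_{A} \frac{k!}{|\operatorname{Aut}(A)|}, \tag{3.19}$$

where $A$ ranges over all abelian groups (up to isomorphism) of order $k$. All four quantities follow sequence A034382 in the OEIS. For any finite abelian group $A$ there is an explicit formula for the size $|\operatorname{Aut}(A)|$ of the automorphism group of $A$ given in [Hillar and Rhea, 2007]. Hillar and Rhea's formula for $|\operatorname{Aut}(A)|$ is based on the fundamental theorem of finite abelian groups, which states that any finite abelian group $A$ is isomorphic to a product of groups of the form

$$A_p = \mathbb{Z}/p^{e_1} \times \mathbb{Z}/p^{e_2} \times \cdots \times \mathbb{Z}/p^{e_n}, \tag{3.20}$$

where $\mathbb{Z}/x$ is the cyclic group of order $x$. They show that each

$$|\operatorname{Aut}(A_p)| = \prod_{k=1}^{n} \left(p^{d_k} - p^{k-1}\right) \prod_{j=1}^{n} \left(p^{e_j}\right)^{n-d_j} \prod_{i=1}^{n} \left(p^{e_i} - 1\right)^{n-e_i+1}$$

where

$$d_k = \max\{l : e_l = e_k\} \quad\text{and}\quad c_k = \min\{l : e_l = e_k\},$$

and that if $A = A_{p_1} \times A_{p_2} \times \cdots \times A_{p_m}$ then

$$|\operatorname{Aut}(A)| = \prod_{i=1}^{m} |\operatorname{Aut}(A_{p_i})|.$$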

If $G_k = \{0, 1, \ldots, k-1\}$ then (3.19) gives a formula for $|\mathcal{Q}(G_k)|$ (and hence also for $|\mathcal{G}_n(G_k)|$, $|\mathcal{G}(G_k)|$, and $|\mathcal{Q}_n(G_k)|$) as a function of $k$. Table 3.1 shows the rapid growth of $|\mathcal{Q}(G_k)|$ for small values of $k$, along with the much more rapid growth of $|\mathcal{T}(G_k)|$, the total number of labeled quasigroups (not just TSM) over $G_k$, which is given by sequence A002860 in the OEIS.

| $k$ | $\lvert\mathcal{Q}(G_k)\rvert$ | $\lvert\mathcal{T}(G_k)\rvert$ |
|---|---|---|
| 1 | 1 | 1 |
| 2 | 2 | 2 |
| 3 | 3 | 12 |
| 4 | 16 | 576 |
| 5 | 30 | 161280 |
| 6 | 360 | 812851200 |
| 7 | 840 | 61479419904000 |
| 8 | 15360 | 108776032459082956800 |
| 9 | 68040 | 5524751496156892842531225600 |
| 10 | 907200 | 9982437658213039871725064756920320000 |
| 11 | 3991680 | 776966836171770144107444346734230682311065600000 |

Table 3.1: Number of labeled TSM quasigroups versus number of all labeled quasigroups over $k$ elements
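The first column of Table 3.1 can be recomputed from (3.19) by enumerating the abelian groups of order $k$ and counting their automorphisms. The Python below is an added example, not code from the thesis; it counts automorphisms by brute force over generator images rather than with Hillar and Rhea's closed formula, and all function names are its own.

```python
from itertools import product
from math import factorial


def prime_factorization(k):
    """Return {prime: exponent} for k >= 1."""
    factors, p = {}, 2
    while p * p <= k:
        while k % p == 0:
            factors[p] = factors.get(p, 0) + 1
            k //= p
        p += 1
    if k > 1:
        factors[k] = factors.get(k, 0) + 1
    return factors


def partitions(e, largest=None):
    """Yield the partitions of e as non-increasing tuples of positive integers."""
    largest = e if largest is None else largest
    if e == 0:
        yield ()
        return
    for part in range(min(e, largest), 0, -1):
        for rest in partitions(e - part, part):
            yield (part,) + rest


def abelian_groups(k):
    """Yield every abelian group of order k, up to isomorphism, as a list of
    prime-power moduli [p^e1, p^e2, ...] (fundamental theorem, as in (3.20))."""
    per_prime = [
        [[p ** part for part in lam] for lam in partitions(e)]
        for p, e in prime_factorization(k).items()
    ]
    for choice in product(*per_prime):
        yield [m for component in choice for m in component]


def automorphism_count(moduli):
    """|Aut(A)| for A = Z/m1 x ... x Z/mr, by brute force.

    A homomorphism is fixed by the images of the r standard generators; the
    image g of generator i must satisfy m_i * g = 0. It is an automorphism
    exactly when the induced map hits every element of A."""
    r = len(moduli)
    elements = list(product(*(range(m) for m in moduli)))
    candidates = [
        [g for g in elements
         if all(moduli[i] * g[j] % moduli[j] == 0 for j in range(r))]
        for i in range(r)
    ]
    count = 0
    for images in product(*candidates):
        image_set = {
            tuple(sum(x[i] * images[i][j] for i in range(r)) % moduli[j]
                  for j in range(r))
            for x in elements
        }
        count += len(image_set) == len(elements)
    return count


def labeled_tsm_count(k):
    """Right-hand side of (3.19): sum over abelian groups A of k! / |Aut(A)|."""
    return sum(factorial(k) // automorphism_count(a) for a in abelian_groups(k))


if __name__ == "__main__":
    for k in range(1, 12):
        print(k, labeled_tsm_count(k))
```

The brute-force count is only practical for small $k$, which is all the table needs.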

Chapter 4

Applications of Quasigroups

4.1 Quasigroups in Cryptology

This section explores the close relationships between quasigroups and modern cryptography. Section 4.1.1 surveys recent applications of quasigroups, including binary and n-ary totally symmetric quasigroups, to constructing cryptosystems. In Section 4.1.2 we explore applications of the bijections discussed in Chapter 3 to generating binary and n-ary TSM quasigroups for use in cryptosystems and calculating products in these quasigroups without having to store their Cayley tables.

4.1.1 Survey of Quasigroups in Cryptology

Quasigroups, $n$-ary quasigroups, and Latin squares have seen extensive use in various areas of cryptography, including secret sharing schemes, stream ciphers, block ciphers, secure hash functions, and zero knowledge proofs. See [Shcherbacov, 2009] for a survey of recent applications.

Most cryptosystems are based on associative structures such as finite fields and elliptic curve arithmetic. [Golomb et al., 2007] notes that using a nonassociative structure like a quasigroup grants additional security from serial or sequential encryptions, where cryptosystems based on associative structures do not. For example, if we encrypt a message $m$ by multiplying by key $k$, applying two keys $k_1$ and $k_2$ sequentially in an associative structure $(G, \cdot)$ gives $k_2 \cdot (k_1 \cdot m) = (k_2 \cdot k_1) \cdot m$, which is equivalent to encrypting using the single key $k_2 \cdot k_1$. But if $(G, \cdot)$ is not associative, $k_2 \cdot (k_1 \cdot m) \neq (k_2 \cdot k_1) \cdot m$, so applying $k_1$ and $k_2$ sequentially does apply an extra 'layer' of security. Many of the quasigroup-based cryptosystems discussed in this section, especially stream ciphers, exploit this feature of nonassociativity.

As an early example of a quasigroup in cryptography, Shcherbacov discusses the tabula recta used in the Vigenère cipher. The tabula recta $(T, \cdot)$ is a $26 \times 26$ quasigroup that consists of the English alphabet shifted by $i$ places in each row $i$. To encrypt a plaintext $m$ of length $|m| = L$ using keyword $k$, one creates a key $k'$ by repeatedly concatenating $k$ (including potentially a prefix of $k$ as the final concatenation) such that $k'$ has length $L$. Then the ciphertext $c$ is the concatenation

$$(k'_1 \cdot m_1)(k'_2 \cdot m_2) \cdots (k'_L \cdot m_L).$$

Figure 4.1: The tabula recta, a quasigroup used for encryption and decryption in the Vigenère cipher

For example, if $m$ = 'SECRETMESSAGE' and $k$ = 'KEY' then $k'$ = 'KEYKEYKEYKEYK' and the ciphertext is $c$ = CIABIRWIOCEEO (see Table 4.1).

| $m$ | SECRETMESSAGE |
|---|---|
| $k'$ | KEYKEYKEYKEYK |
| $c$ | CIABIRWIOCEEO |

Table 4.1: Enciphering SECRETMESSAGE with key KEY in the Vigenère cipher.

To decrypt $c$ we take advantage of the fact that $(T, \cdot)$ is a quasigroup. Assuming we know $k$, generate $k'$ to length $|c| = |m| = L$. Now for each character $c_i$ of $c$, since $(T, \cdot)$ is a quasigroup, there is a unique $m_i$ such that $k'_i \cdot m_i = c_i$. This $m_i$ must be the $i$th character of the original message $m$. Repeating for each character of $c$, we recover all of $m$.

Shcherbacov presents a basic example of a stream cipher, a similar version of which was presented in [Pal and Sumitra, 2009], that makes more direct use of quasigroups. A stream cipher adaptively encrypts the message one character at a time using a keystream, which is not a fixed key but depends on the current state of the system. A stream cipher stands in contrast to a block cipher such as the Vigenère cipher that encrypts text in larger blocks using a fixed key. The basic quasigroup stream cipher uses the concept of left inverse quasigroups. Given a quasigroup $(G, \cdot)$ we define its left inverse quasigroup to be the quasigroup $(G, \backslash)$ such that

$$x \backslash (x \cdot y) = y \tag{4.1}$$

for all $x, y \in G$. $(G, \backslash)$ is the unique quasigroup with this property, as for fixed $x$, when we vary $y$ over all elements of $G$, $(x \cdot y)$ takes all values in $G$ (as row $x$ in $(G, \cdot)$'s Cayley table is a permutation of $G$), so (4.1) determines row $x$ in $(G, \backslash)$'s Cayley table. Repeating for each $x$ completely determines $(G, \backslash)$'s Cayley table. Also note that, if $(G, \cdot)$ is totally symmetric, $x \cdot (x \cdot y) = y$ so $(G, \cdot)$ is its own left inverse.

The basic stream cipher operates as follows. Let $m = m_1 m_2 \ldots m_L$ be a message. We begin with a fixed $l \in G$ (a leader) and define $c_1 = l \cdot m_1$. Then for $i = 2, \ldots, L$, calculate

$$c_i = c_{i-1} \cdot m_i. \tag{4.2}$$

Then $c_1 c_2 \ldots c_L$ is the ciphertext. To decrypt $c$, calculate

$$l \backslash c_1 = l \backslash (l \cdot m_1) = m_1$$

and subsequently, for $i = 2, \ldots, L$,

$$c_{i-1} \backslash c_i = c_{i-1} \backslash (c_{i-1} \cdot m_i) = m_i. \tag{4.3}$$

We will call this cryptosystem, with encryption given by (4.2) and decryption given by (4.3), the Basic Quasigroup Stream Cipher (BQSC). The BQSC is easy to implement but its simplicity also introduces vulnerabilities. [Pal and Sumitra, 2009] notes that if $m$ is a repetition of the same character, for example $m = 11111 \ldots 1$, then $c$ will be periodic with period at most $|G|$, because as soon as $c_i \cdot 1 = c_j$ for some $j < i$, the remaining ciphertext will simply be repetitions of $c_j c_{j+1} \ldots c_i$. Such patterns in $c$ make this system vulnerable to a chosen plaintext attack, where an adversary who has access to $c$ on any input $m$ may choose $m = 11111 \ldots 1$, view the repetitive $c$, and use the pattern to gain information about $l$ or $(G, \cdot)$, which must be kept secret if the system is to remain secure.

Several authors have proposed variations and extensions of the BQSC which aim to improve its security. To address the chosen plaintext vulnerability, [Pal and Sumitra, 2009] propose applying random shifts to the rows and columns of $(G, \cdot)$ during the encryption process to produce more random ciphertexts. [Hassinen and Markovski, 2003] presents an SMS encryption scheme via a different modification of the BQSC, which improves the basic scheme's security by applying the encryption algorithm several times in succession, using a different leader each time. [Xu, 2011] introduces a variation that uses post-commutative quasigroups, which are a type of non-commutative totally symmetric quasigroup that is only required to satisfy the identity $a \cdot b = c \iff a \cdot c = b$, and proves the variant is resistant against known plaintext and statistical attacks.

[Petrescu, 2007] presents another variation of the BQSC using an $n$-ary structure similar to totally symmetric $n$-ary quasigroups. Instead of one $n$-ary operation $f$,

Petrescu's system has $n + 1$ $n$-ary operations $\alpha, \alpha_1, \ldots, \alpha_n$ that satisfy

$$\alpha\big(x_1^{i-1}, \alpha_i(x_1^n), x_{i+1}^n\big) = x_i$$

$$\alpha_i\big(x_1^{i-1}, \alpha(x_1^n), x_{i+1}^n\big) = x_i$$

for all $i \in [n]$. Petrescu also defines an analog of isotopy for $n$-ary operations, where if $\alpha$ is an $n$-ary operation and $f_1^{n+1}$ are permutations of $G$ we may construct an $n$-ary operation $\beta$ isotopic to $\alpha$ as

$$\beta(x_1^n) = f_{n+1}^{-1}\Big(\alpha\big(\left(f_i(x_i)\right)_{i=1}^{n}\big)\Big) \tag{4.4}$$

Petrescu presents a cryptosystem using the 3-ary (ternary) instance of these constructions. The leader now consists of four elements $l_1, l_2, l_3, l_4$ of $G$, which correspond to permutations $f_1, f_2, f_3, f_4$ of $G$. With $\beta$ defined as in (4.4), we encrypt $m$ to $c$ as

$$c_1 = \beta(m_1, l_1, l_2)$$

$$c_2 = \beta(m_2, l_3, l_4), \text{ and}$$

$$c_j = \beta(m_j, c_{j-2}, c_{j-1})$$

for $j = 2, \ldots, L$. Decrypt $c$ using

$$
\begin{aligned}
\beta(c_1, l_1, l_2) &= \beta\big(\beta(m_1, l_1, l_2), l_1, l_2\big) = m_1 \\
\beta(c_2, l_3, l_4) &= \beta\big(\beta(m_2, l_3, l_4), l_3, l_4\big) = m_2, \text{ and} \\
\beta(c_j, c_{j-2}, c_{j-1}) &= \beta\big(\beta(m_j, c_{j-2}, c_{j-1}), c_{j-2}, c_{j-1}\big) = m_j
\end{aligned}
$$

for $j = 2, \ldots, L$. Petrescu's system may also be implemented using a totally symmetric quasigroup $(G, \beta)$ directly.

Quasigroups have also seen use in constructing block and public-key cryptosystems.

In a public-key cryptosystem, contrary to the examples above, which are all symmetric-key cryptosystems, every user has a public and a private key. If Alice wants to send a message $m$ to Bob, she encrypts $m$ using Bob's public key, and the encrypted message $c$ can only be decrypted by Bob's private key, which only he knows. The security of such a cryptosystem depends on the security of a one-way function, which is easy to calculate to encrypt $m$ using Bob's public key, but is hard to invert (which is required to recover $m$ from $c$) without access to Bob's private key. [Golomb et al., 2007] uses crossed-inverse quasigroups to construct a one-way function. $(G, \cdot)$ is a crossed-inverse quasigroup if for any $a \in G$, there is an $a' \in G$ such that

$$a' \cdot (x \cdot a) = x$$

for all $x \in G$. Totally symmetric quasigroups are crossed-inverse quasigroups with $a' = a$. The cryptosystem's public key is a crossed-inverse quasigroup $(G, \circ)$. In general, cryptosystems require extremely large quasigroups to be secure against brute-force attacks (for example, guessing all possible keys), meaning it is infeasible to store $(G, \circ)$'s entire Cayley table. Instead, the public key will be an algorithm used to calculate $a \circ b$ for any two elements $a, b \in G$. Golomb et al. note that if $(G, +)$ is an abelian group then $(G, \circ)$ defined by $a \circ b = ra + sb$ where $r + s = |G| + 1$ is a crossed-inverse quasigroup, and propose calculating $(G, \circ)$ using the operations in $(G, +)$. The private key corresponding to $(G, \circ)$ is the ci-permutation $\pi$ mapping every element to its crossed-inverse: $\pi(a) = a'$. $(G, \circ)$ is assumed to be large enough that calculating $\pi$ by brute force is infeasible. To send a message to Bob, Alice generates a temporary session key $e$ and calculates $c = m \circ e$ character-wise. To decrypt $c$, Bob calculates $\pi(e) \circ c = e' \circ (m \circ e) = m$ element-wise. If an attacker intercepts $c$ and $e$ they still have to solve $c = m \circ e$ to uncover $m$, which is as hard as determining $\pi$.

[Gligoroski et al., 2008] create another public-key cryptosystem using an encryption scheme similar to that of the basic stream cipher in (4.2) with Multivariate Quadratic Quasigroups (MQQs), whose products are defined using vector-valued boolean functions.

Quasigroups have also been used to construct secret sharing schemes, which are methods of distributing pieces of a key (shares) among participants such that if enough participants cooperate, they can reconstruct the key and recover the shared secret. [Stones et al., 2016] introduces a secret sharing scheme where the shared secret is a Latin square autotopism used to reconstruct a Latin square from a partial Latin square. [Falcón, 2006] constructs a similar scheme using Latin square critical sets. [Laywine and Mullen, 1998] describe a basic secret sharing scheme based on Mutually Orthogonal Latin Squares (MOLS) in section 14.3. [Belyavskaya, 2009] presents another scheme that makes use of orthogonal systems of $n$-ary operations, the $n$-ary analog of MOLS.

Several authors have proposed cryptographic hash functions based on quasigroups. A cryptographic hash function $h$ maps inputs $x$ of any length to a fixed-length output such that it is easy to compute $h(x)$ but given a $y$ in the range of $h$ it is hard to find an $x$ such that $h(x) = y$. [Snasel et al., 2009] proposes a scheme that defines an $n$-ary hash function $H_Q$ over binary quasigroup $(Q, *)$ as

$$H_Q(x_1, x_2, \ldots, x_n) := ((\cdots((a * x_1) * x_2) * \cdots) * x_n)$$

where $x_1 x_2 \ldots x_n$ is the input string (or digest). To avoid storing $(Q, *)$'s Cayley table, Snasel et al. construct permutations $\pi, \rho, \omega$ of $Q = [n]$ (which require only $O(n)$ space to store, as opposed to $O(n^2)$ for the Cayley table) and calculate

$$a * b = \pi((\omega(a) + n - \rho(b)) \bmod n).$$

[Gligoroski et al., 2009] construct Edon-R, a family of hash functions that use iterated applications of the BQSC in a shapeless quasigroup.

4.1.2 Generating TSM Quasigroups

A theme common to many of the above schemes is the need to generate large quasigroups while avoiding storing their Cayley tables in favor of calculating products algorithmically. For example, the crossed-inverse quasigroup cryptosystem presented in [Golomb et al., 2007] requires quasigroups with order around $10^{10}$ to be secure. Looking up products in such a quasigroup would require a $10^{10} \times 10^{10}$ Cayley table. Several authors have addressed this issue by designing algorithms to construct and compute products in large quasigroups. [Kościelny, 2002] uses the mathematical software Maple to generate quasigroups from cyclic groups and finite fields and create new quasigroups from existing ones via isotopisms and products. [Nosov and Pankratiev, 2008] classifies functions on finite abelian groups that can be used to calculate quasigroup products suitable for cryptographic applications without having to store Cayley tables. [Snasel et al., 2010] use genetic algorithms to generate quasigroups with desirable properties for use in hash functions whose products are calculated analytically instead of via a Cayley table.

Our work in Chapter 3 provides a method to easily generate all binary and $n$-ary TSM quasigroups, which are applicable to several of the cryptosystems described above, without having to store their Cayley tables. The maps we derive between abelian groups, $n$-ary abelian groups, TSM quasigroups, and $n$-ary TSM quasigroups let us generate binary and $n$-ary TSM quasigroups from abelian groups, which themselves can easily be generated using the fundamental theorem of finite abelian groups (see Section 3.5). For example, to randomly generate a large ternary quasigroup for the cryptosystem in [Petrescu, 2007] discussed above, we can choose random primes $\{p_i\}$ and random exponents $e_1^{n_i}$ for each $i$ to construct an abelian group $A$ as in (3.20). We never have to store $A$'s Cayley table as we can calculate its products element-wise on the fly - for example if $A = \mathbb{Z}/2^3 \times \mathbb{Z}/3^2 \times \mathbb{Z}/5^2$ and $(a_1, b_1, c_1), (a_2, b_2, c_2) \in A$ then

$$(a_1, b_1, c_1) + (a_2, b_2, c_2) = (a_1 + a_2 \bmod 8,\; b_1 + b_2 \bmod 9,\; c_1 + c_2 \bmod 25).$$

Then we can choose random $x, y$ and apply $\mathcal{Q}(-, xy)$ (see Section 3.1) to convert $A$ into a TSM quasigroup $\mathcal{Q}(A, xy)$. Then apply $\zeta$ (see Section 3.3) to convert $\mathcal{Q}(A, xy)$ into a ternary TSM quasigroup. Note that neither $\mathcal{Q}(-, xy)$ nor $\zeta$ force us to calculate the entire Cayley table of any structure - they just give formulas for calculating products. Thus we have an algorithm for calculating products in a randomly generated ternary quasigroup without having to store its entire Cayley table (or Cayley cube, in this case).
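The on-the-fly product computation described here, combined with the BQSC of Section 4.1.1, as an added Python example that is not code from the thesis. It assumes the binary TSM quasigroup built from $A$ has product $a \cdot b = c - a - b$ for a fixed $c \in A$ (the form Section 4.2.3 uses with $c = 0$); the byte-to-element encoding, the key values and all function names are constructed for this example. It also makes the repeated-character weakness noted for the BQSC concrete: in a totally symmetric quasigroup the ciphertext period collapses to 2.

```python
MODULI = (8, 9, 25)      # A = Z/2^3 x Z/3^2 x Z/5^2, the group used in the text
ORDER = 8 * 9 * 25       # |A| = 1800; a stored Cayley table would need 1800^2 cells


def encode(n):
    """Map an integer 0 <= n < 1800 to an element of A (mixed-radix digits)."""
    if not 0 <= n < ORDER:
        raise ValueError("value does not fit in A")
    return (n % 8, (n // 8) % 9, n // 72)


def decode(g):
    """Inverse of encode."""
    return g[0] + 8 * g[1] + 72 * g[2]


def tsm_product(c):
    """Return the operation x*y = c - x - y on A, computed componentwise.

    Assumption of this example: this is the product of the TSM quasigroup
    obtained from A and the fixed element c."""
    def mul(x, y):
        return tuple((ci - xi - yi) % m for ci, xi, yi, m in zip(c, x, y, MODULI))
    return mul


def satisfies_tsm_laws(mul, samples):
    """Check commutativity, x*(x*y) = y and the medial law on sample elements."""
    for a in samples:
        for b in samples:
            if mul(a, b) != mul(b, a) or mul(a, mul(a, b)) != b:
                return False
            for x in samples:
                for y in samples:
                    if mul(mul(a, b), mul(x, y)) != mul(mul(a, x), mul(b, y)):
                        return False
    return True


def bqsc_encrypt(mul, leader, message):
    """(4.2): c_1 = l*m_1, then c_i = c_{i-1}*m_i."""
    ciphertext, prev = [], leader
    for m in message:
        prev = mul(prev, m)
        ciphertext.append(prev)
    return ciphertext


def bqsc_decrypt(mul, leader, ciphertext):
    """(4.3); left division equals the product itself because the
    quasigroup is totally symmetric (it is its own left inverse)."""
    message, prev = [], leader
    for c in ciphertext:
        message.append(mul(prev, c))
        prev = c
    return message


def period(seq):
    """Smallest p >= 1 with seq[i] == seq[i + p] for every valid i."""
    for p in range(1, len(seq)):
        if all(seq[i] == seq[i + p] for i in range(len(seq) - p)):
            return p
    return len(seq)


if __name__ == "__main__":
    mul = tsm_product(encode(1234))          # constructed key material
    leader = encode(77)
    plaintext = [encode(b) for b in b"SECRETMESSAGE"]
    ciphertext = bqsc_encrypt(mul, leader, plaintext)
    print([decode(c) for c in ciphertext])
    print(bytes(decode(m) for m in bqsc_decrypt(mul, leader, ciphertext)))

    # One repeated plaintext character: since (l*m)*m = l in a totally
    # symmetric quasigroup, the output alternates between two values and
    # the second one is the leader itself.
    repeated = bqsc_encrypt(mul, leader, [encode(ord("1"))] * 12)
    print(period(repeated), repeated[1] == leader)
```

A totally symmetric quasigroup therefore should not be used in the unmodified BQSC; the variants surveyed in Section 4.1.1 add leaders, shifts or extra operations for this reason.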

4.2 TSM Quasigroups and Cubic Curves

In this section we discuss TSM quasigroups' intimate relation with sets of points on plane cubic curves. We give only a very brief overview of a few areas of the extensive theory of the algebra of points on cubic curves. For a more thorough introduction to the subject, see [Silverman and Tate, 1994]. In Section 4.2.1 we introduce cubic curves, present Etherington's proof that the chord and tangent construction creates a TSM quasigroup from points on any cubic curve, and survey other literature relating quasigroups and cubic curves. In Section 4.2.2 we discuss elliptic curves, a special kind of cubic curve, and describe the elliptic curve Diffie-Hellman protocol. Finally, in Section 4.2.3 we discuss the iterated squaring/iterated tangent process and its potential for use in an efficient Diffie-Hellman scheme based directly on TSM quasigroups. We determine the iterated squaring order of every element in a prime-order TSM quasigroup and use the formula for the number of labeled TSM quasigroups established in Section 3.5 to count how many labeled quasigroups correspond to each squaring map $x \to x^2$.

4.2.1 The Chord and Tangent Construction

Plane cubic curves are defined using homogeneous coordinates over the projective plane, an extension of the familiar Euclidean plane that adds points at infinity. To define the projective plane, consider the equivalence relation $(x, y, z) \sim (\lambda x, \lambda y, \lambda z)$ for all $\lambda \in \mathbb{R}$ on the set

$$P = \{(x, y, z) \in \mathbb{R}^3 \mid (x, y, z) \neq (0, 0, 0)\} \tag{4.5}$$

(each equivalence class contains all points except $(0, 0, 0)$ on a line through $(0, 0, 0)$ in $\mathbb{R}^3$). If $z \neq 0$ then any $(x, y, z) \sim \left(\frac{x}{z}, \frac{y}{z}, 1\right)$ so, as $\left(\frac{x}{z}, \frac{y}{z}\right)$ can take any value in $\mathbb{R}^2$, the subset

$$\{(x, y, z) \in \mathbb{R}^3 \mid z \neq 0\} \subseteq P$$

forms the familiar structure of the Euclidean plane. If $z = 0$ then since $(x, y, z) \neq (0, 0, 0)$, one of $x$ and $y$ is nonzero. If $x = 0$ then we're left with $(0, y, 0)$, which is equivalent to $\left(\frac{0}{y}, \frac{y}{y}, \frac{0}{y}\right) = (0, 1, 0)$. We call $(0, 1, 0)$ the point at infinity. If $x \neq 0$ then $(x, y, 0) \sim \left(\frac{x}{x}, \frac{y}{x}, \frac{0}{x}\right) = \left(1, \frac{y}{x}, 0\right)$. $\frac{y}{x}$ can take any value in $\mathbb{R}$ so all points with $z = 0$ and $x \neq 0$ are of the form $(1, s, 0)$ for $s \in \mathbb{R}$. We call these points the line at infinity. We can think of the point at infinity being at the 'end' of all parallel vertical lines in the Euclidean plane, and the point $(1, s, 0)$ on the line at infinity being at the 'end' of the parallel lines in the Euclidean plane with slope $s$.

A cubic plane curve is a curve in the projective plane of the form

$$a_1x^3 + a_2y^3 + a_3x^2y + a_4xy^2 + a_5x^2z + a_6y^2z + a_7xyz + a_8xz^2 + a_9yz^2 + a_{10}z^3 = 0. \tag{4.6}$$

We call such a polynomial homogeneous because each of its terms has degree 3. In the part of the projective plane analogous to the Euclidean plane we have $z = 1$ so (4.6) becomes

$$a_1x^3 + a_2y^3 + a_3x^2y + a_4xy^2 + a_5x^2 + a_6y^2 + a_7xy + a_8x + a_9y + a_{10} = 0. \tag{4.7}$$

For most applications in this chapter we will consider cubic curves in the Euclidean plane in the form (4.7). A point (x, y) is ‘on’ a cubic curve C whose equation is given by (4.7) if (x, y) satisfies (4.7). A point (x, y) on C is singular if, roughly speaking, the tangent line to C at (x, y) is not defined. C is singular if it has a singular point and nonsingular otherwise. In this chapter we consider only nonsingular cubic curves. From this point on, for ease of notation, we denote points on a cubic curve by single letters as opposed to specifying their coordinates (x, y) in the plane.

Let $a, b$ be two points on a cubic curve $C$. A line through $a$ and $b$ must intersect $C$ a third time (counting multiplicities) at a point we will call $ab$. Note that we could have $ab = a$ or $ab = b$ if there is a double root at $a$ or $b$. Similarly, the tangent at a point $c$ on $C$ must intersect $C$ at a second point, which we will call $c^2$. It is possible that $c^2 = c$, in which case $c$ is an inflection point or flex of $C$. We call these two operations the chord and tangent processes, respectively. See Figure 4.2 for an example on the cubic curve $y^3 + 2xy^2 - 2x^2y + x^3 + 5y^2 + 4xy - 4 = 0$.

Figure 4.2: Example of chord and tangent multiplication on $y^3 + 2xy^2 - 2x^2y + x^3 + 5y^2 + 4xy - 4 = 0$

If $G$ is a set of points on $C$ which is closed under the chord and tangent processes, we may define a magma $(G, \cdot)$ by $a \cdot b := ab$ (the chord process) and $a \cdot a := a^2$ (the tangent process). $(G, \cdot)$ is clearly totally symmetric, as if $a$ and $b$ are collinear with $ab$, $b$ and $a$ are collinear with $ab$, giving $ba = ab$, and $a$ and $ab$ are collinear with $b$, giving $a(ab) = b$. $(G, \cdot)$ is also clearly a quasigroup because the unique point on $C$ collinear with $a$ and $ab$ is $b$. Etherington [Etherington, 1965] was the first to observe that $(G, \cdot)$ is also medial. He gives the following proof that makes use of Bézout's classic theorem of algebraic geometry, which implies that, if two cubics intersect at eight points, they must also intersect at a ninth point. Let $a, b, c, d$ be four points on cubic $C$ and let

$$a_1x + b_1y + c_1 = 0, \quad a_2x + b_2y + c_2 = 0, \quad\text{and}\quad a_3x + b_3y - c_3 = 0$$

be the equations of the lines through $a, b, ab$; $c, d, cd$; and $ac, bd, (ac)(bd)$, respectively. Similarly, let

$$a_4x + b_4y + c_4 = 0, \quad a_5x + b_5y + c_5 = 0, \quad\text{and}\quad a_6x + b_6y - c_6 = 0$$

be the equations of the lines through $a, c, ac$; $b, d, bd$; and $ab, cd, (ab)(cd)$, respectively. Now

$$(a_1x + b_1y + c_1)(a_2x + b_2y + c_2)(a_3x + b_3y - c_3) = 0$$

and

$$(a_4x + b_4y + c_4)(a_5x + b_5y + c_5)(a_6x + b_6y - c_6) = 0$$

are both cubics passing through the eight points $a, b, c, d, ab, ac, cd, bd$. Thus they must intersect $C$ and each other at a ninth point common to all three, which must simultaneously be $(ab)(cd)$ and $(ac)(bd)$. Hence $(ab)(cd) = (ac)(bd)$, giving the medial law. See Figure 4.3 for an example. If $a, b, c, d$ are not all distinct, the proof reduces to special cases of Bézout's theorem.

Figure 4.3: Example of mediality on $y^3 + 2xy^2 - 2x^2y + x^3 + 5y^2 + 4xy - 4 = 0$

Etherington uses the fact that $(G, \cdot)$ forms a TSM quasigroup to prove several geometric facts about cubic curves using algebraic reasoning in TSM quasigroups, including Steiner's theorem on inscribing quadrilaterals inside cubic curves and the facts that a cubic curve has 1, 3, or 9 flexes and that if six points $a_1^6$ of $C$ also lie on a conic curve, their tangential points $a_1^2, \ldots, a_6^2$ must as well.

Several other authors have followed in Etherington's footsteps exploring the properties of TSM quasigroups on cubic curves. Beneteau [Beneteau, 1988] shows that an operation analogous to the chord and tangent process on cubic hypersurfaces (generalizations of cubic curves to higher dimensions) yields totally symmetric cubic quasigroups, which satisfy a slightly weaker form

$$(ax)(ay) = (aa)(xy)$$

of the medial law. Volenec et al. [Volenec et al., 2017, Volenec et al., 2020] give additional geometric examples of TSM quasigroups arising via intersections on cubics and conics and explore the properties of iterated tangentials on cubic curves (corresponding to iterated squaring of an element in a TSM quasigroup). Padmanabhan, in several series of papers with various coauthors, explores algebraic constructions on cubic curves through the lenses of equational logic, , and algebraic geometry. [Padmanabhan, 1982, Mendelsohn et al., 1987, Padmanabhan and McCune, 1995a] use the rigidity lemma of algebraic geometry to provide an alternative proof of mediality of the chord and tangent construction, and more generally show that the total symmetry law along with the rigidity lemma are sufficient to deduce any identity valid in a TSM quasigroup $(G, \cdot)$ defined via the chord and tangent process on any irreducible plane cubic curve defined over an algebraically closed field. From this he concludes that the identities $(xy)x = y$ and $((xy)z)(tx) = y(zt)$ can be used to derive any identity valid in $(G, \cdot)$. [McCune and Padmanabhan, 1995b, Padmanabhan and McCune, 1995b, Padmanabhan and McCune, 2006] explore the properties of $n$-ary Steiner laws on cubic curves, which are totally symmetric $n$-ary operations on the curve's points (the chord and tangent construction is a binary Steiner law). In [Padmanabhan and McCune, 1995b], Padmanabhan and McCune prove that the 5-ary Steiner law defined by the conic process, where $f(x_1^5)$ is the sixth point of intersection of a conic that intersects cubic $C$ at $x_1^5$, is the unique 5-ary Steiner law on a cubic that is idempotent ($f(e, e, e, e, e) = e$) at inflection points. They also prove the uniqueness of the group law on an elliptic curve defined below: if $x +_1 y$, $x +_2 y$ are two group laws on an elliptic curve and $e +_1 e = e +_2 e$ for some inflection point $e$ then $x +_1 y = x +_2 y$ for all points $x, y$ on the curve. See [McCune and Padmanabhan, 1995a] for a compilation of Padmanabhan and McCune's work in the papers listed above.

4.2.2 Elliptic Curves and Diffie-Hellman

Consider the set of equivalence classes $(x, y, z)$ in the projective plane given by

$$y^2z = x^3 + a_1x^2z + a_2xz^2 + a_3z^3. \tag{4.8}$$

In the Euclidean plane, we have $z = 1$ in (4.8), giving

$$y^2 = x^3 + a_1x^2 + a_2x + a_3. \tag{4.9}$$

If this curve in (4.9) is nonsingular, we call it an elliptic curve and denote it by $E$. A projective curve given by (4.8) intersects the line at infinity when $z = 0$. Substituting gives $x^3 = 0 \implies x = 0$, so $E$ intersects the line at infinity at $(0, y, 0) \sim (0, 1, 0)$, the point at infinity, which we will denote by $\mathcal{O}$. In other words, $E$ approaches infinity along only vertical lines. We consider $\mathcal{O}$ to be a point 'on' $E$, and in the chord and tangent construction define $\mathcal{O} \cdot \mathcal{O} = \mathcal{O}$ and $\mathcal{O} \cdot a$ to be the second point of intersection of $E$ and the vertical line through $a$. Note that since we can rewrite (4.9) as

$$y = \pm\sqrt{x^3 + a_1x^2 + a_2x + a_3},$$

the vertical line through $a$ intersects $E$ at at most one other point, which is its reflection across the $x$-axis.

For any set of points $G$ and fixed point $o \in G$ on cubic curve $C$ with chord and tangent quasigroup $(G, \cdot)$, recall we may use (3.5) to define an abelian group $(G, +) = \mathcal{G}((G, \cdot), o)$ given by

$$a + b = (a \cdot b) \cdot o.$$

When we construct this group on an elliptic curve $E$, we often choose $o = \mathcal{O}$, so that $a + b$ is found by calculating $a \cdot b$, then reflecting the result across the $x$-axis. Readers with knowledge of elliptic curves are probably more familiar with $(G, +)$ than with $(G, \cdot)$, likely due to the former's use in elliptic curve cryptography. Again, we give only a very brief, non-rigorous overview of this topic - for a more detailed overview of elliptic curve cryptography and the theory of points on elliptic curves, see [Bruen et al., 2011].

Here we consider elliptic curves in only one cryptographic construction (though they are used in many more), the Diffie-Hellman key exchange. Suppose Alice and Bob want to establish a shared key for a symmetric key cryptosystem such as the Vigenère cipher described in Section 4.1. Sending the key without encrypting it is dangerous, as anyone who intercepts the unencrypted key can easily break any cryptosystem based on it, but Alice and Bob can't encrypt anything without the shared key. The Diffie-Hellman key exchange solves this chicken-and-egg problem. Alice and Bob choose secret elements $a, b$ from a cyclic group $G$, for example the group $(\mathbb{Z}/n)^\times$, the group of integers mod $n$ under multiplication. Given some public $g \in (\mathbb{Z}/n)^\times$, Alice calculates $g^a$ and sends this value to Bob. Similarly, Bob sends $g^b$ to Alice. Then Alice computes $(g^a)^b$ and Bob computes $(g^b)^a$, and since

$$(g^a)^b = g^{ab} = g^{ba} = (g^b)^a,$$

Alice and Bob have established a shared key $g^{ab}$. The security of the protocol depends on the hardness of the discrete log problem: given $g$ and $g^x$, it must be infeasible for an attacker to determine $x$. Instead of multiplication in $(\mathbb{Z}/n)^\times$, one can implement the Diffie-Hellman protocol using addition of points in $(G, +)$ on an elliptic curve $E$ over an order-$q$ finite field $\mathbb{F}_q$. The number of points $N$ on $E$ is now finite and is bounded by Hasse's theorem as

$$q + 1 - 2\sqrt{q} \leq N \leq q + 1 + 2\sqrt{q}$$

(see [Bruen et al., 2011]). Consider $(G, +)$, where $G$ is composed of the $N - 1$ points on the curve from $\mathbb{F}_q$ and $\mathcal{O}$. Given a point $P \in G$, Alice has secret integer $a$ and computes $aP = \underbrace{P + P + \cdots + P}_{a}$. Bob has secret integer $b$ and computes $bP$ and the shared key is $(ab)P$. This scheme's security depends on the hardness of the elliptic curve discrete log problem: Given $P$ and the point $aP$, it is hard to discover $a$.

4.2.3 Iterated Tangents

One benefit of using $(G, +)$ instead of $(G, \cdot)$ in the elliptic curve Diffie-Hellman scheme is that associativity of $(G, +)$ allows for easier calculation of $nP$, which is important when $n$ is very large. Instead of adding $\underbrace{P + P + \cdots + P}_{a}$, which requires a , we can apply iterated doubling. $2P = P + P$, $2(2P) = 4P$, $2(4P) = 8P$ and so on until we approach $aP$. This method requires only $O(\log(a))$ doublings, a significant time save. Since $(G, \cdot)$ is not associative, however, we cannot perform the same trick. For example, $(p^2)^2 = p^2p^2 \neq p^4 = p(p(pp))$. The same nonassociativity, however, can strengthen cryptosystems by granting additional security from sequential encryptions (see the beginning of Section 4.1).

Partala [Partala, 2018], in writing about algebraic generalizations of Diffie-Hellman, notes that squaring is an endomorphism of any medial quasigroup $(G, \cdot)$, since mediality gives $(ab)^2 = (ab)(ab) = (aa)(bb) = a^2b^2$. Additionally, if we let $x^{(t)}$ represent $t$ iterated squares of $x \in (Q, \cdot)$ - e.g.

$$x^{(t)} = \underbrace{\left(\cdots\left(\left(x^2\right)^2\right)^2 \cdots\right)^2}_{t},$$

then

$$(x^{(t)})^{(s)} = x^{(t+s)} = x^{(s+t)} = (x^{(s)})^{(t)},$$

so iterated squaring over $(G, \cdot)$ could be used as a Diffie-Hellman operation with public key $x$ and private keys $t$ and $s$. If $(G, \cdot)$ is the TSM quasigroup of points on an elliptic curve, $x^{(t)}$ corresponds to iteratively applying the tangent process $t$ times, so we call the iterated squaring process on a TSM quasigroup of points on a cubic curve the iterated tangent process.

The properties of iterated squaring and squares in TSM quasigroups have been studied by Etherington [Etherington, 1965] and by Volenec et al. [Volenec et al., 2020]. Etherington showed that in a TSM quasigroup every element with at least one square root has the same number of square roots, the number of square roots of every element is a power of 2, that every element in an odd-order TSM quasigroup has exactly one square root, and that every TSM quasigroup whose order isn't a multiple of 3 has exactly one idempotent (element $a$ for which $a^2 = a$). Inspired by Etherington's results, we introduce the following definition.

Definition 9 ($|x|$). Let $(G, \cdot)$ be a TSM quasigroup with $|G|$ odd and let $x \in G$. Define the iterated squaring order $|x|$ of $x$ to be the smallest integer $t$ such that $x^{(t)} = x$.

Not every element $x$ in a TSM quasigroup whose order is even has an iterated squaring order, as the iterated squaring process could get stuck in a cycle that doesn't include $x$. However, as we now show, every element in a TSM quasigroup whose order is odd does have an iterated squaring order.

Proposition 5. Let $(G, \cdot)$ be a TSM quasigroup with $|G|$ odd. Then every $x \in G$ has an iterated squaring order $|x|$ and if $x$ is not idempotent then $|x| \geq 3$.

Proof. Since $|G|$ is odd, every $x \in G$ has a unique square root, meaning the map $x \mapsto x^2$ is a permutation of $G$. Since $G$ is finite, if $x^{(t)} \neq x$ for all $t$ then there is a smallest integer $t_1$ and a $t_2 > t_1$ such that $x^{(t_1)} = x^{(t_2)} \neq x$. But every element has exactly one square root so $x^{(t_1 - 1)} = x^{(t_2 - 1)}$ and we assumed $t_1$ was the smallest integer such that $x^{(t_1)} = x^{(t_2)}$ for some $t_2 > t_1$, a contradiction. Thus there is a smallest integer $|x|$ such that $x^{(|x|)} = x$. If $a \neq b$, $a^2 = b$, and $b^2 = a$ then $ab = b$ and $ab = a$, which is impossible, so every element has iterated squaring order $> 2$.

We next prove this section's central proposition. First we introduce a new definition that will be useful in the proof.

Definition 10 ($O_2(x)$). If $x \in (G, \cdot)$, an odd-order TSM quasigroup, define $O_2(x) = \{x, x^{(1)}, \ldots, x^{(|x|-1)}\}$ to be the orbit of $x$ under iterated squaring.

Proposition 6. Let $p > 3$ be prime, let $m$ be the order of $-2$ in the group $(\mathbb{Z}/p)^\times$ and let $(G, \cdot)$ be a TSM quasigroup of order $p$. Every $x \in G$ has iterated squaring order $m$ except for the one idempotent $a \in G$ with iterated squaring order 1, and every square map $x \mapsto x^2$ satisfying these constraints appears in exactly

$$\prod_{i=1}^{\frac{p-1}{m}} (p - im - 1)$$

labeled TSM quasigroups. In particular, if $-2$ is a primitive root mod $p$, then no two labeled TSM quasigroups of order $p$ share the same square map.

Proof. Let p > 2 be prime and consider the TSM quasigroup (G, ·) defined from Z /p as ab := −a − b using (3.1) with c = 0. Successively squaring an non-idempotent

78 element x ∈ (G, ·) gives

x(1) = x2 = −x − x = −2x

2 x(2) = x(1) = 2x + 2x = 4x

2 x(3) = x(2) = −4x − 4x = −8x . .

x(i) = (−2)ix.

From this we conclude that the iterated squaring order of every non-idempotent element in (G, ·) is the smallest i ∈ N \{0} such that (−2)i ≡ 1 (mod p). This is the order of −2 in (Z /p)×, the group of integers mod n under multiplication. Schwenk [Schwenk, 1995] showed that if 3 does not divide |G| (which is the case here because |G| = p > 3 is prime) then there is only one TSM quasigroup up to isomorphism isotopic to G. Since Z /p is the only group of order p, every TSM quasigroup (G, ∗) of order p is isomorphic to (G, ·) and thus (G, ∗)’s elements have the same iterated squaring orders as (G, ·)’s. So for every non-idempotent element x of every TSM quasigroup of order p, |x| is the order | − 2| of −2 in (Z /p)×. Fermat’s little theorem of number theory implies that | − 2| divides p − 1. If −2 is a primitive root mod p (| − 2| = p − 1) then |x| = p − 1 for every non- idempotent x of (G, ·). There are p choices for (G, ·)’s one idempotent and for any non-idempotent x there are p − 2 ways to choose x(1), p − 3 ways to choose x(2),..., 2 ways to choose x(p−3), and 1 way to choose x(p−2) (the only remaining element aside from x and the idempotent). Thus there are p · (p − 2)! distinct diagonals (the map x 7→ x2 determines the diagonal of the TSM quasigroup’s corresponding Latin Square) of this type. The number of labeled TSM quasigroups of order p is given by p! = p! = p · (p − 2)! as well so we conclude the diagonal uniquely determines a Aut Zp p−1 (labeled) TSM quasigroup of order p.

More generally if |−2| = m in $(\mathbb{Z}/p)^\times$ then (G, ·)’s diagonal consists of one idempotent and $\frac{p-1}{m}$ orbits of elements with iterated squaring order m. There are p ways to choose the idempotent and for any non-idempotent $x_1$ there are p − 2 ways to choose $x_1^{(1)}$, p − 3 ways to choose $x_1^{(2)}$, …, p − m ways to choose $x_1^{(m-1)}$. Then for any non-idempotent $x_2 \notin O_2(x_1)$ there are p − m − 2 ways to choose $x_2^{(1)}$ (you can choose any element other than $x_2$, the idempotent, and the m elements of $O_2(x_1)$). Then there are p − m − 3 ways to choose $x_2^{(2)}$, …, p − 2m ways to choose $x_2^{(m-1)}$. Repeat for each of the $\frac{p-1}{m}$ orbits to obtain

$$p! \left( \prod_{i=0}^{\frac{p-1}{m}} (p - im - 1) \right)^{-1}$$

possible diagonals. Since there are $p!(p-1)^{-1}$ total labeled TSM quasigroups of order p, we have proved the proposition.

Since iterated squaring in the TSM quasigroup (G, ·) of points on a cubic curve C is equivalent to taking iterated tangents on C, we obtain the following corollary.

Corollary 7. If G is the set of points on an elliptic curve E over a finite field and |G| = p, then the iterated tangent process starting at any non-flex point x will return to x after m steps, where m = |−2| in $(\mathbb{Z}/p)^\times$.

Our final proposition provides a shortcut for calculating iterated squares under certain conditions.

Proposition 7. Let |G| be odd and let a be an idempotent in TSM quasigroup (G, ·). Then for any non-idempotent x ∈ G with |x| even,

$$xa \in O_2(x) \implies xa = x^{\left(\frac{|x|}{2}\right)}.$$

Proof. Let |x| = m. If $xa = x^{(i)}$ for some i < m then

$$x^{(m-i)} a = x^{(m-i)} a^{(m-i)} = (xa)^{(m-i)} = \left(x^{(i)}\right)^{(m-i)} = x^{(m)} = x$$

$$\implies xa = x^{(m-i)} \implies x^{(i)} = x^{(m-i)}.$$

This only holds if i = m − i, implying m is even and $i = \frac{m}{2}$. So if |x| is even,

$$xa \in O_2(x) \implies xa = x^{\left(\frac{|x|}{2}\right)}.$$

If |x| is odd then $xa \notin O_2(x)$, but $xa \neq a$ so |xa| = |x| still. If |x| is even, the equation

$$xa = x^{\left(\frac{|x|}{2}\right)}$$

lets us calculate $x^{\left(\frac{|x|}{2}\right)}$ via just one operation, instead of squaring x $\frac{|x|}{2}$ times. This could prove a useful shortcut in a Diffie-Hellman scheme based on iterated squaring in odd-order TSM quasigroups, or equivalently iterated tangents on cubic curves over finite fields. We leave further exploration of such schemes for future research.
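The following Python sketch is an added example, not code from the thesis. It checks Proposition 6's order claim and Proposition 7's shortcut on the canonical quasigroup ab := −a − b over Z/p, and confirms the primitive-root case of Proposition 6 for small p by relabeling that quasigroup exhaustively. The function names are this example's own, and the exhaustive count assumes, as the proof states, that every labeled TSM quasigroup of prime order p > 3 is a relabeling of the canonical one.

```python
# Added illustration; function names are this example's own, not the thesis's.
from itertools import permutations

def tsm(a, b, p):
    """Canonical TSM product on Z/p used in the proof: ab := -a - b (c = 0)."""
    return (-a - b) % p

def iterated_square(x, i, p):
    """Return x^(i), the result of squaring x under tsm() i times."""
    for _ in range(i):
        x = tsm(x, x, p)
    return x

def squaring_order(x, p):
    """Smallest i >= 1 with x^(i) = x, i.e. the iterated squaring order |x|."""
    i, y = 1, tsm(x, x, p)
    while y != x:
        y, i = tsm(y, y, p), i + 1
    return i

def order_of_minus_two(p):
    """Multiplicative order of -2 in (Z/p)^x, for a prime p > 3."""
    m, v = 1, (-2) % p
    while v != 1:
        v, m = (v * -2) % p, m + 1
    return m

def shortcut_check(p):
    """Proposition 7 with a = 0: (count of x with xa in O_2(x), shortcut held for all)."""
    hits, ok = 0, True
    for x in range(1, p):
        m, xa = squaring_order(x, p), tsm(x, 0, p)
        if xa in {iterated_square(x, i, p) for i in range(m)}:
            hits += 1
            ok &= m % 2 == 0 and xa == iterated_square(x, m // 2, p)
    return hits, ok

def count_tables_and_diagonals(p):
    """Relabel the canonical table by every permutation; count tables and square maps."""
    tables, diagonals = set(), set()
    for s in permutations(range(p)):
        inv = [0] * p
        for k, v in enumerate(s):
            inv[v] = k
        t = tuple(s[tsm(inv[a], inv[b], p)] for a in range(p) for b in range(p))
        tables.add(t)
        diagonals.add(t[::p + 1])  # entries (a, a): the square map x -> x^2
    return len(tables), len(diagonals)
```

For p = 11 the order of −2 is odd, so xa never lands in the squaring orbit of x; for p = 17 it is even and the shortcut applies to every non-idempotent x.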

Bibliography

[Belyavskaya, 2009] Belyavskaya, G. (2009). Secret-sharing schemes and orthogonal systems of k-ary operations. Quasigroups and Related Systems, 17.

[Beneteau, 1988] Beneteau, L. (1988). Quasigroups and groups arising from cubic surfaces. Annals of Discrete Mathematics, 37:21–30.

[Bruck, 1944] Bruck, R. H. (1944). Some results in the theory of quasigroups. Transactions of the American Mathematical Society, 55:19–52.

[Bruen et al., 2011] Bruen, A., Hirschfeld, J., and Wehlau, D. (2011). Cubic curves, finite geometry and cryptography. Acta Applicandae Mathematicae, 115.

[Cho, 1988] Cho, J. (1988). Idempotent medial n-groupoids defined on fields. Algebra Universalis, 25(1):235–246.

[Dudek, 2001] Dudek, W. A. (2001). On some old and new problems in n-ary groups. Quasigroups and Related Systems, 8:15–36.

[Dudek and Glazek, 2008] Dudek, W. A. and Głazek, K. (2008). Around the Hosszú–Gluskin theorem for n-ary groups. Discrete Mathematics, 308(21):4861–4876. Chongqing 2004.

[Egan and Wanless, 2016] Egan, J. and Wanless, I. M. (2016). Enumeration of mols of small order. Math. Comput., 85:799–824.

[Etherington, 1963] Etherington, I. M. H. (1963). Note on quasigroups and trees. Proceedings of the Edinburgh Mathematical Society, 13(3):219–222.

[Etherington, 1965] Etherington, I. M. H. (1965). Quasigroups and cubic curves. Proceedings of the Edinburgh Mathematical Society, 14(4):273–291.

[Falcón, 2006] Falcón, R. (2006). Latin squares associated to principal autotopisms of long cycles. Applications in cryptography. In Proceedings of Transgressive Computing, pages 213–230.

[Gligoroski et al., 2008] Gligoroski, D., Markovski, S., and Knapskog, S. J. (2008). A Public Key Block Cipher Based on Multivariate Quadratic Quasigroups. arXiv e-prints, page arXiv:0808.0247.

[Gligoroski et al., 2009] Gligoroski, D., Markovski, S., and Kocarev, L. (2009). Edon-R, an infinite family of cryptographic hash functions. International Journal of Network Security, 8(3):293–300.

[Golomb et al., 2007] Golomb, S. W., Welch, L. R., and Denes, J. (2007). Encryption system based on crossed inverse quasigroups. U.S. Patent 7280663B1.

[Hacker, 2016] Hacker, A. (Case Western Reserve University Senior Project. 2016). Totally symmetric and medial quasigroups and n-quasigroups.

[Hassinen and Markovski, 2003] Hassinen, M. and Markovski, S. (2003). Secure sms messaging using quasigroup encryption and java sms api. In Proceedings of the Eighth Symposium on Programming Languages and Software Tools.

[Hillar and Rhea, 2007] Hillar, C. J. and Rhea, D. L. (2007). Automorphisms of finite abelian groups. The American Mathematical Monthly, 114(10):917–923.

[Hulpke et al., 2011] Hulpke, A., Kaski, P., and Östergård, P. R. J. (2011). The number of latin squares of order 11. Mathematics of Computation, 80(274):1197–1219.

[Jedlička et al., 2017] Jedlička, P., Stanovský, D., and Vojtěchovský, P. (2017). Distributive and trimedial quasigroups of order 243. Discrete Mathematics, 340(3):404–415.

[Keedwell and Dénes, 2015] Keedwell, A. D. and Dénes, J. (2015). Chapter 1 - elementary properties. In Keedwell, A. D. and Dénes, J., editors, Latin Squares and their Applications (Second Edition), pages 1–36. North-Holland, Boston, second edition.

[Khan et al., 2015] Khan, M. A., Mohammad, N., Muhammad, S., and Ali, A. (2015). A mining based approach for efficient enumeration of algebraic structures. In 2015 IEEE International Conference on Data Science and Advanced Analytics (DSAA), pages 1–6.

[Kościelny, 2002] Kościelny, C. (2002). Generating quasigroups for cryptographic applications. Int. J. Appl. Math. Comput. Sci, 12:559–569.

[Krotov, 2008a] Krotov, D. (2008a). On irreducible n-ary quasigroups with reducible retracts. European Journal of Combinatorics, 29(2):507–513.

[Krotov, 2008b] Krotov, D. S. (2008b). On reducibility of n-ary quasigroups. Discrete Mathematics, 308(22):5289–5297.

[Laywine and Mullen, 1998] Laywine, C. and Mullen, G. (1998). Discrete Mathematics Using Latin Squares. 1484 Series. Wiley.

[McCune and Padmanabhan, 1995a] McCune, W. and Padmanabhan, R. (1995a). Automated equational deduction with otter.

[McCune and Padmanabhan, 1995b] McCune, W. and Padmanabhan, R. (1995b). Uniqueness of certain algebraic laws on cubic curves.

[McKay et al., 2007] McKay, B. D., Meynert, A., and Myrvold, W. (2007). Small latin squares, quasigroups, and loops. Journal of Combinatorial Designs, 15(2):98–119.

[McKay and Wanless, 2005] McKay, B. D. and Wanless, I. M. (2005). On the number of Latin squares. Annals of Combinatorics, 9:335–344.

[Mendelsohn et al., 1987] Mendelsohn, N., Padmanabhan, R., and Wolk, B. (1987). Planar projective configurations. ii: Designs embeddable in a plane cubic curve. Note di Matematica, 7.

[Murdoch, 1939] Murdoch, D. C. (1939). Quasi-groups which satisfy certain generalized associative laws. American Journal of Mathematics, 61(2):509–522.

[Murdoch, 1941] Murdoch, D. C. (1941). Structure of abelian quasi-groups. Transactions of the American Mathematical Society, 49(3):392–409.

[Nosov and Pankratiev, 2008] Nosov, V. and Pankratiev, A. (2008). Latin squares over abelian groups. Journal of Mathematical Sciences, 149:1230–1234.

[Padmanabhan, 1982] Padmanabhan, R. (1982). Logic of equality in geometry. North-Holland Mathematics Studies, 65:319–331.

[Padmanabhan and McCune, 1995a] Padmanabhan, R. and McCune, W. (1995a). Automated reasoning about cubic curves. Computers and Mathematics with Applications, 29(2):17–26.

[Padmanabhan and McCune, 1995b] Padmanabhan, R. and McCune, W. (1995b). An equational characterization of the conic construction on cubic curves.

[Padmanabhan and McCune, 2006] Padmanabhan, R. and McCune, W. (2006). Uniqueness of steiner laws on cubic curves. Beiträge zur Algebra und Geometrie, 47(2).

[Pal and Sumitra, 2009] Pal, S. K. and Sumitra (2009). Development of efficient algorithms for quasigroup generation and encryption. In 2009 IEEE International Advance Computing Conference, pages 940–945.

[Partala, 2018] Partala, J. (2018). Algebraic generalization of Diffie–Hellman key exchange. Journal of Mathematical Cryptology, 12(1):1–21.

[Petrescu, 2007] Petrescu, A. (2007). Applications of quasigroups in cryptography. Interdisciplinarity in Engineering Scientific International Conference.

[Potapov and Krotov, 2011] Potapov, V. and Krotov, D. (2011). On the number of n-ary quasigroups of finite order. Discrete Mathematics and Applications, 21:575–585.

[Safari et al., 2015] Safari, M., Davvaz, B., and Leoreanu-Fotea, V. (2015). Enumeration of 3- and 4-hypergroups on sets with two elements. European Journal of Combinatorics, 44:298–306. Recent Researches in Hyperstructures.

[Schwenk, 1995] Schwenk, J. (1995). A classification of abelian quasigroups. Rendiconti di Matematica e delle sue Applicazioni. Serie VII, 15.

[Shcherbacov, 2009] Shcherbacov, V. (2009). Quasigroups in cryptology. Computer Science Journal of Moldova, 17(2):193–228.

[Shchuchkin, 2015] Shchuchkin, N. (2015). The structure of finite abelian n-ary groups. Discrete Mathematics and Applications, 25(1):47–58.

[Shchuchkin, 2013] Shchuchkin, N. (2013). Automorphisms of abelian n-ary groups. Quasigroups and Related Systems, 21.

[Silverman and Tate, 1994] Silverman, J. and Tate, J. (1994). Rational Points on Elliptic Curves. Undergraduate Texts in Mathematics. Springer New York.

[Snasel et al., 2009] Snasel, V., Abraham, A., Dvorský, J., Krömer, P., and Platos, J. (2009). Hash functions based on large quasigroups. In Proceedings of the 9th International Conference on Computational Science, pages 521–529.

[Snasel et al., 2010] Snasel, V., Abraham, A., Dvorský, J., Ochodkova, E., Platos, J., and Kromer, P. (2010). Searching for quasigroups for hash functions with genetic algorithms. In Proceedings of the World Congress on Nature and Biologically Inspired Computing, pages 367–372.

[Stanovský and Vojtěchovský, 2015] Stanovský, D. and Vojtěchovský, P. (2015). Central and medial quasigroups of small order. Buletinul Academiei de Științe a Republicii Moldova: Matematica, 80.

[Stones, 2010] Stones, D. (2010). The many formulae for the number of latin rectangles. Electr. J. Comb., 17.

[Stones et al., 2016] Stones, R., Su, M., Xiauguang, L., Wang, G., and Sheng, L. (2016). A latin square autotopism secret sharing scheme. Designs, Codes, and Cryptography, 80:835–850.

[Vatutin et al., 2019] Vatutin, E., Belyshev, A., Kochemazov, S., Zaikin, O., and Nikitina, N. (2019). Enumeration of isotopy classes of diagonal latin squares of small order using volunteer computing. In Voevodin, V. and Sobolev, S., editors, Supercomputing, pages 578–586, Cham. Springer International Publishing.

[Volenec et al., 2017] Volenec, V., Kolar-Begović, Z., and Kolar-Šuper, R. (2017). Cubic structure. Glasnik matematički, 52(2):247–256.

[Volenec et al., 2020] Volenec, V., Kolar-Begović, Z., and Kolar-Šuper, R. (2020). Tangentials in cubic structures. Glasnik matematički, 55(2):337–349.

[Xu, 2011] Xu, Y. (2011). Stream cipher based on post-commutative quasigroups. In Proceedings of the 2nd International Conference on Information Science and Engineering, pages 2387–2390.
