![\"Order](\"https://attobop.net/posts/region-embeddings/order_cones.png\")
\n "Dog is-a Animal." This is a statement about sets: every dog is an animal, so the set of dogs is contained in the set of animals. If you want an embedding to capture this, the embedding of Dog should be inside the embedding of Animal in some geometric sense. Points have no interior, no volume, and no way to express that one concept is a subset of another — not just close, but contained. You need regions.The entire field follows from taking "is-a" literally as set containment.
\n\nNotation. Throughout this post: $m, M$ are box corners (min, max); $c, o $ are center and half-width (offset); $ d$ is the embedding dimension; $\\beta$ is the Gumbel temperature; $\\sqsubseteq$ is subsumption ("is-a"); $\\sqcap$ is concept conjunction ("and"); $P(B \\subseteq A)$ is containment probability.
\nA knowledge graph is a collection of triples $(h, r, t)$: head entity, relation, tail entity. ("Berlin", capitalOf, "Germany") or ("Dog", isA, "Animal"). These graphs are large but sparse: 93.8% of people in Freebase have no recorded birthplace, and 78.5% have no recorded nationality. The standard task is link prediction: given (Berlin, capitalOf, ?) or (?, isA, Animal), rank the missing entity.
\nThe dominant approaches since 2013 embed entities as vectors and score triples geometrically — either by treating relations as transformations (TransE, RotatE) or as bilinear forms like $h^\\top M_r t$ where $M_r$ is a learnable matrix per relation (DistMult, ComplEx).The point-embedding models discussed here are implemented in tranz — named after the Trans* family (TransE, TransR, TransH, TransD), which all model relations as geometric operations on points: translations, projections into relation-specific subspaces, or hyperplane reflections. They differ in how they handle 1-to-N and N-to-N relations, but none can represent containment. The region embeddings that follow are in subsume, named for the subsumption relation ( $\\sqsubseteq$ ) these embeddings model.
TransE (2) — short for "translating embeddings" — models each relation as a translation: score a triple $(h, r, t)$ by $\\|h + r - t\\|$ .Lower is better. The choice of L1 vs L2 norm matters less than you'd expect. If the triple is true, the head plus the relation vector should land near the tail. It is simple, scalable, and became the baseline most subsequent work is measured against, reaching competitive performance on FB15k (a standard link prediction benchmark derived from Freebase, with 15,000 entities) despite the simple scoring function.
But TransE fails structurally on certain relation types. For 1-to-N relations like (Britain, hasCity, ?), every correct tail entity must satisfy $h + r \\approx t$ , which forces London, Manchester, and Edinburgh to have nearly identical embeddings. The model can't distinguish cities that share a country. Symmetric relations are worse: if $h + r = t$ and $t + r = h$ , then $r = 0$ , which collapses the relation entirely.The "married to" relation forces every married couple to share an embedding. Not ideal.
\nRotatE (7) — "rotation embedding" — fixes the symmetry problem by working in complex space: each relation is an element-wise rotation $t = h \\circ r$ where $|r_i| = 1$ . Symmetric relations get angle $\\pi$ (rotation by 180 degrees is its own inverse). This handles symmetry, antisymmetry, inversion, and composition.
But neither TransE nor RotatE can represent containment.Distance can approximate containment, but it can never encode it. "Close to Animal" is not the same as "inside Animal." Both embed entities as points. A point has no volume, no interior, no boundary. You can measure the distance between two points, but you can't ask whether one point is inside another.
Consider the subsumption hierarchy: Dog $\\sqsubseteq$ Animal $\\sqsubseteq$ LivingThing, where $\\sqsubseteq$ (read "is subsumed by") means every instance of the left concept is also an instance of the right. In set-theoretic terms, $\\text{ext}(\\text{Dog}) \\subseteq \\text{ext}(\\text{Animal}) \\subseteq \\text{ext}(\\text{LivingThing})$ , where $\\text{ext}(C)$ is the set of individuals that fall under concept $C$ .
\nAn embedding that captures this needs three properties:
\nVolume. More general concepts (Animal) should have larger representations than specific ones (Dog). "Animal" covers more ground than "Dog."
\nContainment. The representation of Dog should be geometrically inside the representation of Animal. Not just "close to" — inside.
\nIntersection. The concepts "Animal" and "Pet" overlap (some animals are pets, some aren't). Their representations should intersect, and the intersection should itself be a valid representation — of the concept $\\text{Animal} \\sqcap \\text{Pet}$ , whether or not that conjunction has a name in the ontology.
\nPoints fail all three. They have no volume. No interior for containment. Two distinct points have empty intersection — there is no partial overlap.
\nVendrov et al. [3] had the right instinct: embed the partial order directly into the geometry. Their approach mapped concepts into the non-negative orthant $\\mathbb{R}^d_+$ (the region where all coordinates are $\\ge 0$ , the $d$ -dimensional analogue of the first quadrant) and imposed the reverse product order: $x$ is more general than $y$ if $x_i \\le y_i$ for every coordinate. The origin is the top element — the most general concept.The "entity" concept, containing everything, sits at zero. Specificity grows with coordinate magnitude. Each point defines two cones: the cone extending toward the origin (smaller coordinates) contains its ancestors (more general concepts); the cone extending away from the origin (larger coordinates) contains its descendants (more specific concepts).
\n\n This gets transitivity for free: if $x \\le y$ and $y \\le z$ coordinate-wise, then $x \\le z$ . But the representation is still points, and the cones are unbounded. Vilnis et al. [4] proved the deeper problem: for any product probability measure $p(x) = \\prod_i p_i(x_i)$ over the non-negative orthant, the covariance of the indicator functions (1 if a random point lands in the cone, 0 otherwise) of any two cones is non-negative — $\\text{Cov}(\\mathbf{1}_{C_A}, \\mathbf{1}_{C_B}) \\ge 0$ . If "Mammal" and "Reptile" are both under "Animal," their cones necessarily overlap — you cannot express that they are disjoint under any such measure. The geometry forces all concepts under a common ancestor to be positively correlated, which is wrong for siblings that should be mutually exclusive.
\nThis motivated boxes: a bounded region closed under intersection that admits a probabilistic containment score.
\n![\"Box](\"https://attobop.net/posts/region-embeddings/box_taxonomy.png\")
\n The idea of representing words as regions rather than points goes back to Erk [1], who embedded words as convex regions in vector space to model graded entailment.Erk's 2009 paper predates the deep learning era entirely. The idea of "words as regions" waited nearly a decade for the right optimization tools. Vilnis et al. [4] made this precise for knowledge graphs, proposing axis-aligned hyperrectangles — boxes — in $\\mathbb{R}^d$ . A box $B$ is parameterized by its minimum and maximum corners:
\n\n\n$$B = \\{x \\in \\mathbb{R}^d : m_i \\le x_i \\le M_i, \\; i = 1, \\ldots, d\\}$$\n\nwhere $m = (m_1, \\ldots, m_d)$ and $M = (M_1, \\ldots, M_d)$ with $m_i \\le M_i$ for each coordinate.
\nThis is the simplest region that supports all three properties. Volume is the product of side lengths:
\n\n\n$$\\text{Vol}(B) = \\prod_{i=1}^{d} (M_i - m_i)$$\n\nContainment is coordinate-wise: $A \\subseteq B$ if and only if $m^B_i \\le m^A_i$ and $M^A_i \\le M^B_i$ for all $i$ . The intersection of two boxes is a box (or empty):
\n\n\n$$(A \\cap B)_i = [\\max(m^A_i, m^B_i), \\; \\min(M^A_i, M^B_i)]$$\n\nThe intersection is non-empty when $\\max(m^A_i, m^B_i) \\le \\min(M^A_i, M^B_i)$ for every coordinate. If any coordinate has an empty interval, the boxes are disjoint. Disjoint boxes represent mutually exclusive concepts — the thing order embeddings could not express. And when boxes partially overlap, the intersection region is itself a box representing the conjunction: the box for "Animal" intersected with the box for "Pet" gives a box for "things that are both animals and pets."
\nThe axis-alignment is a deliberate restriction.Why not balls? The intersection of two balls is not a ball. Boxes are the simplest shape where "overlap" stays in the family. Rotated boxes would be more expressive, but their intersection is not necessarily a rotated box — you lose closure under intersection. Axis-aligned boxes form a lattice — a structure where any two elements have a greatest lower bound (intersection/meet) and a least upper bound (bounding box/join) — mirroring concept hierarchies in description logics (formal languages for representing ontologies; see the EL⁺⁺ section below). Each dimension contributes an independent "vote" on containment — the box analogue of diagonal covariance in Gaussian models.
\nThe natural scoring function for subsumption is the containment probability:
\n\n\n$$P(B \\subseteq A) = \\frac{\\text{Vol}(A \\cap B)}{\\text{Vol}(B)}$$\n\nConcretely: draw a point uniformly from $B$ ; this is the probability it lands in $A$ .This uniform-measure interpretation is what makes the $P(\\cdot)$ notation honest. Without it, $P(B \\subseteq A)$ applies probability notation to a deterministic set-theoretic predicate — either $B$ is inside $A$ or it isn't. The uniform draw gives it a genuine probabilistic meaning. It returns 1 if $B$ is entirely inside $A$ , 0 if they are disjoint, and a value between 0 and 1 for partial overlap. If we want to express "Dog is-a Animal," we train so that $P(\\text{Dog} \\subseteq \\text{Animal}) \\approx 1$ .
\nThe asymmetry is important: $P(B \\subseteq A) \\ne P(A \\subseteq B)$ in general, because the denominator is always the volume of the thing being tested for containment. A small box inside a large box gives $P = 1$ in one direction and $P \\ll 1$ in the other. This matches the semantics: every dog is an animal, but not every animal is a dog.
\nTake $d = 2$ . Let Animal $= [0, 10] \\times [0, 10]$ and Dog $= [2, 5] \\times [3, 7]$ .
\n\n\n$$\\text{Vol}(\\text{Animal}) = 10 \\times 10 = 100$$\n\n\n\n$$\\text{Vol}(\\text{Dog}) = 3 \\times 4 = 12$$\n\nThe intersection is Dog itself (Dog is inside Animal), so $\\text{Vol}(\\text{Animal} \\cap \\text{Dog}) = 12$ .
\n\n\n$$P(\\text{Dog} \\subseteq \\text{Animal}) = \\frac{12}{12} = 1$$\n\n\n\n$$P(\\text{Animal} \\subseteq \\text{Dog}) = \\frac{12}{100} = 0.12$$\n\nNow add Cat $= [6, 9] \\times [3, 7]$ . Dog and Cat are disjoint (no overlap in the first coordinate: Dog's $[2, 5]$ doesn't intersect Cat's $[6, 9]$), so $P(\\text{Dog} \\subseteq \\text{Cat}) = 0$ . Both are contained in Animal. The geometry directly encodes the taxonomy.
\nimport numpy as np\n\ndef containment_prob(a_min, a_max, b_min, b_max):\n """P(B subset A): fraction of B's volume inside A."""\n inter_min = np.maximum(a_min, b_min)\n inter_max = np.minimum(a_max, b_max)\n inter_sides = np.maximum(inter_max - inter_min, 0)\n b_sides = np.maximum(b_max - b_min, 1e-10)\n return np.prod(inter_sides) / np.prod(b_sides)\n\nanimal = (np.array([0, 0]), np.array([10, 10]))\ndog = (np.array([2, 3]), np.array([5, 7]))\ncat = (np.array([6, 3]), np.array([9, 7]))\n\nprint(f"P(Dog ⊆ Animal) = {containment_prob(*animal, *dog)}") # 1.0\nprint(f"P(Animal ⊆ Dog) = {containment_prob(*dog, *animal)}") # 0.12\nprint(f"P(Dog ⊆ Cat) = {containment_prob(*cat, *dog)}") # 0.0\nIn high dimensions, computing the raw volume $\\prod_i (M_i - m_i)$ numerically is unstable — floating-point underflow to zero occurs well before the full product is computed. The fix is to work in log-space: $\\log \\text{Vol}(B) = \\sum_{i=1}^{d} \\log(M_i - m_i)$ . The product becomes a sum, and everything stays tractable. All practical implementations operate on log-volumes, not volumes.
\nHard boxes have a serious training defect.This section is why the Gumbel paper exists. The gradient problem is not a minor inconvenience — it makes naive box training fail completely. Consider two disjoint boxes — say Dog $= [2, 5] \\times [3, 7]$ and Fish $= [20, 25] \\times [30, 35]$ . Their intersection volume is zero. If we move Dog slightly — say shift it by $\\epsilon$ in any direction — the intersection is still zero. The loss doesn't change. The gradient is zero.
\nThis is the local identifiability problem — the formal name for the gradient problem in box embeddings.The name comes from statistics: a parameter is locally identifiable if small perturbations change the likelihood. Here, they don't. Dasgupta et al. (2020) use "local identifiability" as the motivation for Gumbel boxes. When boxes are disjoint, the containment probability is identically zero in a neighborhood of the current parameters. The optimizer receives no signal about which direction to move to bring the boxes closer.
\nThe problem gets worse in high dimensions. In $\\mathbb{R}^d$ , two boxes are disjoint if any single coordinate has non-overlapping intervals. With $d = 200$ and random initialization, the probability that two boxes overlap in all 200 coordinates simultaneously is negligible. Almost every pair starts disjoint, and the optimizer is blind to almost every relationship it needs to learn.
\nThe intersection volume is piecewise multilinear in the box coordinates — within each combinatorial regime (fully contained, partially overlapping, disjoint), it is a product of $d$ linear terms, one per coordinate. The containment probability, as a ratio of two such products, is a piecewise rational function. At the boundaries between regimes, the function is continuous but not differentiable. And in the disjoint regime, it is flat: identically zero, with zero gradient everywhere.
\nThis is analogous to the dead ReLU problem in neural networks, but worse. A dead ReLU neuron has zero gradient for negative inputs but can recover if the bias shifts; a pair of disjoint boxes in $d$ dimensions has zero gradient across all $4d$ parameters (two boxes, each with $2d$ corner coordinates).
\n![\"Hard](\"https://attobop.net/posts/region-embeddings/gradient_landscape.png\")
\n Li et al. [6] attacked the gradient problem by convolving the hard box indicator functions with Gaussian kernels. The smoothed intersection is never exactly zero — even for disjoint boxes, the Gaussian tails overlap, providing gradient signal.
\nThe smoothed volume has a closed-form expression involving the Gaussian CDF, which is differentiable everywhere. This works: disjoint boxes now produce nonzero loss, and the optimizer can move them toward overlap.
\nSmoothing breaks the lattice.Softboxes trade one structural guarantee (closure under intersection) for another (smooth gradients). The intersection of two smoothed boxes is not itself a smoothed box. The representation is no longer closed under intersection — the lattice structure, which was one of the main reasons for choosing boxes in the first place, is lost. The smoothed model is also not idempotent (applying an operation twice gives a different result than once): $P(A \\subseteq A) \\ne 1$ in general, which is semantically wrong — every set contains itself. And in one-dimensional tree experiments (where the ground truth is recoverable), softbox Mean Reciprocal Rank (MRR, a ranking metric where 1.0 is perfect) plateaued at 0.691 compared to 0.971 for Gumbel boxes — a ceiling imposed by the smoothing's loss of lattice structure. Smoothing fixed the zero-gradient problem but introduced new ones.
\nDasgupta et al. [8] found a solution that fixes the gradient problem without breaking the lattice.
\nInstead of a deterministic box $[m_i, M_i]$ , make each endpoint a random variable drawn from a Gumbel distribution. The Gumbel distribution arises naturally as the limiting distribution of the maximum (or minimum) of many independent samples — it is to maxima what the Gaussian is to averages. It comes in two variants: Gumbel-max (right-skewed, models maxima) and Gumbel-min (left-skewed, models minima). The lower bound $m_i$ gets a Gumbel-max because box intersection takes the $\\max$ of lower bounds; the upper bound $M_i$ gets a Gumbel-min because intersection takes the $\\min$ of upper bounds.The pairing sounds backwards until you think about intersection: new lower bound = max of old lower bounds (Gumbel-max stays Gumbel-max), new upper bound = min of old upper bounds (Gumbel-min stays Gumbel-min).
\n\n\n$$m_i \\sim \\text{Gumbel}_{\\max}(\\mu^m_i, \\beta), \\qquad M_i \\sim \\text{Gumbel}_{\\min}(\\mu^M_i, \\beta)$$\n\nwhere $\\mu^m_i, \\mu^M_i$ are learnable location parameters and $\\beta > 0$ is a temperature controlling the "softness" of the boundaries. At $\\beta \\to 0$ , the Gumbel distributions collapse to point masses and we recover hard boxes.Think of $\\beta$ as wall thickness. Large $\\beta$ : fuzzy walls, easy to push through. Small $\\beta$ : sharp walls, crisp decisions.
\nWhy Gumbel specifically, and not Gaussian or logistic or any other smooth distribution? Because the Gumbel family is min-max stable: if you take the maximum of several independent Gumbel-max variables, the result is itself a Gumbel-max (and likewise, the minimum of Gumbel-min variables is Gumbel-min). No other common distribution has this property. The new location parameter is computed via LogSumExp ( $\\text{LSE}(x_1, \\ldots, x_k) = \\log \\sum_i e^{x_i}$ , a smooth approximation to max):
\n\n\n$$\\max(X_1, \\ldots, X_k) \\sim \\text{Gumbel}_{\\max}\\!\\left(\\beta \\ln \\sum_i e^{\\mu_i / \\beta}, \\; \\beta\\right)$$\n\nRecall that box intersection takes the coordinate-wise max of lower bounds and min of upper bounds. With Gumbel endpoints, the intersection of two Gumbel boxes is again a Gumbel box — computed in closed form via LogSumExp. The lattice structure that Gaussian smoothing destroyed is preserved.
\nThe expected side length of a Gumbel box along one coordinate involves a modified Bessel function $K_0$ . What matters is its behavior: $K_0$ starts at infinity for argument zero, then drops off smoothly — monotonically decreasing, convex, and asymptotically $\\sqrt{\\pi / 2z} \\, e^{-z}$ . For large positive gap $\\Delta_i$ between box endpoints (box is wide open), the expected volume is large. For $\\Delta_i \\approx 0$ (box is barely open), it is small but nonzero. For $\\Delta_i < 0$ (endpoints are "inverted," meaning the box is empty in expectation), it is tiny but still has a nonzero derivative $-K_1$ . The optimizer always has a signal — this is the property that hard boxes and softboxes lack.
\nThe formula: the expected side length is $\\mathbb{E}[\\max(M_i - m_i, 0)]$ where $M_i$ is Gumbel-min and $m_i$ is Gumbel-max. Integrating the product of a Gumbel-max PDF and a Gumbel-min survival function gives:
\n\n\n$$\\mathbb{E}[\\max(M_i - m_i, 0)] = 2\\beta \\, K_0\\!\\left(\\frac{2}{\\beta} \\, e^{-\\Delta_i / (2\\beta)}\\right)$$\n\nwhere $\\Delta_i = \\mu^M_i - \\mu^m_i$ is the gap between the location parameters. Why a Bessel function? $K_0$ arises whenever you integrate products of exponential-family distributions with a maximum operation. The Gumbel distribution is the Type I extreme value distribution, so the integral reduces directly to the standard Laplace-type representation of $K_0$ .
\nA concrete comparison in 1D: two intervals that should overlap but are currently disjoint, with a gap of 2 units.
\nGumbel boxes don't just "smooth a little better" — they fix the gradient problem while keeping the expected intersection volume well-defined and closed-form, so the loss function is coherent across all box configurations, not just the overlapping ones.
\nComputing Bessel functions in every forward pass is expensive. Dasgupta et al. [8] observed that $2\\beta K_0(\\frac{2}{\\beta} e^{-x/(2\\beta)})$ is nearly indistinguishable from a shifted softplus, and proposed:
where $\\gamma \\approx 0.5772$ is the Euler-Mascheroni constant (the mean of a standard Gumbel distribution). The $2\\gamma$ shift accounts for the difference of means of the two endpoints, each contributing $\\gamma\\beta$ to its expected value. The approximation error is bounded by $0.062\\beta$ , which is negligible in training.Numerically computed (Appendix C of Dasgupta et al., [8]), not a formal proof. Exact value: $0.0617013\\beta$ .
\nThis is what implementations actually compute: a softplus with a constant shift. It is cheap, differentiable, monotonic with respect to containment, and numerically stable. The full expected log-volume of a Gumbel box becomes a sum of $d$ softplus evaluations — the same computational complexity as a hard box, but with smooth gradients everywhere.
![\"Gumbel](\"https://attobop.net/posts/region-embeddings/gumbel_walls.png\")
\n The temperature $\\beta$ acts as a curriculum. Start with large $\\beta$ (soft, fuzzy boxes with wide gradients) and anneal toward small $\\beta$ (hard boxes with crisp boundaries). Early in training, the soft boundaries let the optimizer explore; late in training, the hard boundaries let the model make precise containment judgments.
\nWhere does the Gumbel model break? The same place boxes do: union and complement. The max of a Gumbel-max and a Gumbel-min is not Gumbel-anything — the distribution family is closed under intersection but not union. And the complement of a Gumbel box is not a Gumbel box. For negation, you still need cones or fuzzy operators. The Gumbel contribution is surgical: it fixes the gradient problem for the operations boxes already support, without pretending to solve the operations they don't.
\nWith the gradient problem solved, box embeddings can represent containment and train reliably. The next question: can boxes do more than subsumption? Ren et al. [9] introduced Query2Box — the name says it: translate a logical query into a box — applying box embeddings to multi-hop logical queries over knowledge graphs. The idea: represent a query as a box, and rank answer entities by their distance to the query box.
Consider the query: "Where did Canadian Turing Award winners graduate?"This is the running example from Ren et al. [9]. Leskovec uses it in his Stanford CS224W lectures as the canonical multi-hop box query. This decomposes into: start with TuringAward (a point), apply the "Win" relation projection to get a box of Turing winners, separately start with Canada, project via "Citizen" to get a box of Canadians, intersect the two boxes, then project via "Graduate" to get universities. Each relation projection simply translates the box center and adds to the box offset — the box can only grow, never shrink. This makes sense: following a one-to-many relation (like "cities in a country") should expand the answer set.
\n![\"Query2Box](\"https://attobop.net/posts/region-embeddings/query2box_pipeline.png\")
\n Note the asymmetry: queries are boxes, but answer entities are still embedded as points.After spending the whole post arguing against points, Query2Box puts entities back as points. The resolution: entities are answer candidates, not concepts. The box is the question, not the thing. The box represents the set of plausible answers; each candidate entity is a point that may or may not land inside it. The scoring function for a candidate answer entity $v$ (embedded as a point) relative to a query box $q$ is:
\n\n\n$$d(q, v) = d_{\\text{out}}(q, v) + \\alpha \\cdot d_{\\text{in}}(q, v)$$\n\nwhere $d_{\\text{out}}$ is the L1 distance from $v$ to the nearest point on the box boundary (zero if $v$ is inside), $d_{\\text{in}}$ is the L1 distance from $v$ to the box center (measuring how deep inside the box $v$ is), and $\\alpha \\in (0, 1)$ is a hyperparameter (set to $0.2$ in the original paper) that downweights the inside distance.
\nThe asymmetry between $d_{\\text{out}}$ and $d_{\\text{in}}$ is intentional. Outside entities should be penalized heavily (they are not answers to the query). Inside entities are all plausible answers, but we mildly prefer those closer to the center — answers nearest the box center.
\nIntersection of query boxes models conjunction: "countries that border France and have population > 50M" corresponds to intersecting two query boxes. Recall that geometric intersection is coordinate-wise max of lower bounds, min of upper bounds. This works when boxes overlap, but after multiple projection steps the boxes may not overlap at all — and an exact empty intersection gives zero volume with zero gradient (the same dead-zone problem from the previous section). Query2Box sidesteps this with a learned intersection operator: an attention mechanism over the input boxes' centers produces the new center, combined with a coordinate-wise minimum of offsets to shrink the box. This is an approximation, not a geometric intersection, but it provides gradient signal in all configurations.
\nTwo operations that boxes cannot handle:
\nUnion. The union of two boxes is generally not a box. Query2Box works around this by transforming queries into disjunctive normal form (DNF) — push all disjunctions to the last step, compute each conjunctive branch as a box, then aggregate scores across branches.DNF means rewriting the query so all ORs are at the outermost level. Each branch is a pure conjunction, representable as a single box. This is sound but adds computational cost proportional to the number of disjuncts.
\nNegation. The complement of a box in $\\mathbb{R}^d$ is an unbounded region that is not a box. Queries like "European countries that do not border France" require a different approach. This limitation motivated two lines of follow-up work: geometric alternatives (cones) and algebraic alternatives (fuzzy logic).
\nZhang et al. [12] introduced ConE — "cone embeddings" — which represents queries as Cartesian products of two-dimensional cones. The $d$ -dimensional embedding space is split into $d/2$ independent 2D planes, and in each plane the query is an angular sector emanating from the origin, parameterized by an axis direction $\\theta$ and an aperture $\\phi$ : it covers all directions within angle $\\phi$ of $\\theta$ . The full query region is the Cartesian product of these $d/2$ sectors.
The key property: within each 2D plane, the complement of an angular sector is another angular sector. If a sector covers the angular range $[\\theta - \\phi, \\theta + \\phi]$ , the remaining arc of the circle is centered at $\\theta + \\pi$ with aperture $\\pi - \\phi$ . Since each plane's complement is again a sector, the Cartesian product of complements is again a valid ConE representation. Negation stays within the representation class.
The aperture encodes concept generality: wider cones are more general, narrower cones more specific. Containment is angular: cone $A$ contains cone $B$ if $B$ 's angular extent falls entirely within $A$ 's. Intersection of two angular sectors is a contiguous arc (another cone) whenever the sectors overlap in a connected region — which the model's parameter constraints on aperture ensure.
\nConE was the first geometry-based query embedding model to handle all three propositional connectives — conjunction, disjunction, and negation — over multi-hop queries. The cost is that angular containment is a weaker form of "containment" than volumetric box inclusion — cones have no finite volume, so you lose the probabilistic interpretation that makes box embeddings attractive for subsumption. For query answering, where the goal is ranking rather than exact set membership, angular containment works. For ontology completion, where you want $P(\\text{Dog} \\subseteq \\text{Animal}) \\approx 1$ as a calibrated score, boxes remain the better tool.
\nRen and Leskovec [10] took a different route with BetaE — "Beta embeddings," named after the Beta distribution — embed queries as Beta distributions rather than geometric regions. The complement of $\\text{Beta}(\\alpha, \\beta)$ is $\\text{Beta}(\\beta, \\alpha)$ — negation is a parameter swap. Conjunction and disjunction use learned neural networks that map pairs of Beta parameters to a new Beta, keeping the output within the representation class (the product of two Betas is not a Beta, so an exact closed form doesn't exist). BetaE is the probabilistic counterpart to ConE's geometric solution.
A third line of work avoids new geometry entirely. Arakelyan et al. [11] showed that complex queries can be decomposed into atomic link prediction calls and aggregated via t-norm fuzzy logic — requiring no training on complex queries at all. T-norms are binary operations that generalize logical AND to continuous values in $[0, 1]$; common choices include the product $x \\cdot y$ and the minimum $\\min(x, y)$ . Chen et al. [13] applied this directly to box containment probabilities: t-norms for conjunction, t-conorms (the dual, generalizing OR) for disjunction, $1 - x$ for negation. The geometry handles containment; the algebra handles composition. Because the operators are fixed (not learned), a model trained on simple triples can in principle answer complex queries at test time — though performance depends on how well the embeddings support the assumed t-norm structure.
\nThe Description Logic (DL) EL⁺⁺ — a fragment of first-order logic designed for efficient automated reasoning — underpins biomedical ontologies like SNOMED CT (the standard vocabulary for electronic health records), Gene Ontology (a structured vocabulary of gene functions), and GALEN (a medical terminology system).SNOMED CT alone has over 350,000 concepts. You can't inspect this by hand — you need automated reasoning, and embedding methods extend it to plausible inferences. Its language allows concept conjunction ( $C \\sqcap D$ ), existential restriction ( $\\exists r.C$ , "things that have an $r$ -relationship to some $C$ "), and a bottom concept ( $\\bot$ ). The key inference is subsumption: given an ontology, determine whether $C \\sqsubseteq D$ holds (every instance of $C$ is an instance of $D$ ).
\nClassical reasoners (ELK, Snorocket) compute subsumption exactly by rewriting the ontology's axioms (its TBox, the terminological component that defines concept relationships) into a set of normal forms — standardized shapes like $C \\sqsubseteq D$ or $C_1 \\sqcap C_2 \\sqsubseteq D$ that decompose complex axioms into simple building blocks. This is complete but does not generalize — it cannot predict subsumptions that are plausible but not logically entailed by the axioms. Embedding methods can.
\nJackermeier et al. [16] developed Box²EL — "dual box embeddings for EL," using separate box pairs for concepts and roles — which embeds EL⁺⁺ concepts as boxes and roles as affine transformations (a linear map plus a translation, mapping one box to another by shifting its center and rescaling its half-widths). The four normal forms of EL⁺⁺ each get a geometric loss:
NF1: $C_1 \\sqcap C_2 \\sqsubseteq D$ . The intersection of the boxes for $C_1$ and $C_2$ should be contained in the box for $D$ . Loss: penalize volume of $(C_1 \\cap C_2) \\setminus D$ .
\nNF2: $C \\sqsubseteq D$ . The box for $C$ should be inside the box for $D$ . In center-offset parameterization (storing a box as its midpoint $c$ and half-widths $o$ instead of min/max corners), the boundary extends from $c - o$ to $c + o$ . The quantity $|c_C - c_D| + o_C - o_D$ measures how far $C$ 's boundary protrudes past $D$ 's boundary along each coordinate — zero means $C$ fits inside $D$ , positive means it sticks out.This is the protrusion on the worse of the two sides (left or right boundary), not the total. If $C$ sticks out equally on both sides by $\\delta/2$ , the formula gives $\\delta$ , same as one side sticking out by $\\delta$ . The loss penalizes protrusion:
\n\n\n$$\\mathcal{L}_{\\text{NF2}} = \\left\\| \\text{ReLU}\\!\\left(|c_C - c_D| + o_C - o_D - \\epsilon\\right) \\right\\|_2$$\n\nwhere $\\epsilon$ is a margin. This is zero when $C$ is inside $D$ with room to spare, and grows as $C$ protrudes.
\nNF3: $C \\sqsubseteq \\exists r.D$ . Every instance of $C$ has an $r$ -relationship to some instance of $D$ . Geometrically: applying the role transformation $r$ to the box for $C$ should land inside the box for $D$ .
\nNF4: $\\exists r.C \\sqsubseteq D$ . Everything that has an $r$ -relationship to a $C$ is a $D$ . Geometrically: the pre-image of the box for $C$ under the role transformation $r$ should be contained in the box for $D$ .
\nTraining on the GALEN medical ontology (24,353 concepts, 951 roles), Box²EL predicts subsumptions that are plausible but not explicitly stated in the ontology — a form of ontology completion that classical reasoners cannot do. On GALEN, box embeddings substantially outperform point-based methods (TransE, ELEm) because the geometry directly encodes the containment structure of the ontology.
Trained box embeddings recover a property the loss never explicitly optimizes: log-volume correlates with hierarchy position. After training on Gene Ontology, concepts near the root ("biological process," "molecular function") have large boxes, while leaf concepts ("mitotic spindle assembly checkpoint signaling") have small ones. The Spearman correlation between log-volume and depth is strongly negative.
\nThis is not enforced by an explicit loss term — it emerges from the containment constraints alone. If $C \\sqsubseteq D$ , then $\\text{Vol}(C) \\le \\text{Vol}(D)$ (a subset can't be larger than its superset). Training on thousands of such constraints pushes the model toward a volume assignment that reflects the concept hierarchy.You could add an explicit volume-depth loss term, but it would be redundant. Containment constraints already imply it.
\n| Year | \nModel | \nGeometry | \nKey contribution | \n
|---|---|---|---|
| 2009 | \nRegions (Erk) | \nConvex regions | \nFirst proposal of words as regions, not points | \n
| 2013 | \nTransE (Bordes) | \nPoint + translation | \nBaseline KGE; simple, scalable, limited | \n
| 2016 | \nOrder Emb. (Vendrov) | \nOrthant cones | \nPartial order from coordinate comparison | \n
| 2018 | \nBox Lattice (Vilnis) | \nAxis-aligned boxes | \nBoxes as lattice; containment probability | \n
| 2018 | \nEnt. Cones (Ganea) | \nHyperbolic cones | \nHierarchy in hyperbolic space | \n
| 2019 | \nSmoothing (Li) | \nSmoothed boxes | \nGaussian smoothing fixes zero gradients | \n
| 2019 | \nRotatE (Sun) | \nPoint + rotation | \nComplex-space rotation handles symmetry | \n
| 2020 | \nGumbel Box (Dasgupta) | \nProbabilistic boxes | \nMin-max stable smoothing preserves lattice | \n
| 2020 | \nQuery2Box (Ren) | \nBoxes for queries | \nMulti-hop query answering with boxes | \n
| 2020 | \nBetaE (Ren) | \nBeta distributions | \nNegation via parameter swap | \n
| 2021 | \nConE (Zhang) | \n2D angular sectors | \nNegation via complement sectors | \n
| 2021 | \nCQD (Arakelyan) | \nAny + fuzzy logic | \nDecompose queries into atomic predictions | \n
| 2022 | \nBoxEL (Xiong) | \nBoxes for EL⁺⁺ | \nFirst faithful ontology box embedding | \n
| 2024 | \nBox²EL (Jackermeier) | \nDual boxes for EL⁺⁺ | \nAffine role transformations | \n
| 2024 | \nOctagons (Charpenay) | \nOctagonal regions | \nDiagonal constraints capture cross-dim correlations | \n
| 2025 | \nTransBox (Yang) | \nBoxes for EL⁺⁺ | \nEL⁺⁺-closed: logical operations stay in representation | \n
| 2026 | \nTaxoBell (Mishra) | \nGaussian boxes | \nSelf-supervised taxonomy expansion | \n
After 2018, the box lattice foundation split into two threads: the gradient fix (Gumbel, 2020) and multi-hop query answering (Query2Box, BetaE, ConE, CQD, 2020–2021). Ontology applications followed (BoxEL, Box²EL, TransBox, 2022–2025).
| Geometry | \nContainment | \nIntersection closed? | \nNegation? | \nParameters | \n
|---|---|---|---|---|
| Boxes | \nVolumetric | \nYes | \nNo | \n$2d$ | \n
| Gumbel boxes | \nSoft volumetric | \nYes | \nNo | \n$2d + \\beta$ | \n
| Cones | \nAngular | \nYes | \nYes | \n$2d$ (2D sectors) | \n
| Octagons | \nVolumetric + diagonal | \nYes | \nNo | \n$O(d^2)$ | \n
| Gaussians | \nKL divergence | \nNo | \nNo | \n$2d$ | \n
| Entailment cones (hyperbolic) | \nGeodesic | \nYes | \nNo | \n$2d$ | \n
| Subspaces | \nSubspace inclusion | \nYes | \nNo | \n$O(d \\cdot k)$ | \n
No single geometry dominates. In my experience implementing several of these in subsume, the right choice depends on the task. For ontology completion (subsumption only, no negation), boxes or Gumbel boxes suffice. For queries requiring negation and disjunction, cones or the fuzzy approach are needed. For taxonomy expansion with uncertainty, Gaussians (Mishra et al., 21) encode uncertainty through variance parameters. Entailment cones in hyperbolic space (Ganea et al., 5) — a non-Euclidean geometry where volume grows exponentially with radius, naturally accommodating trees with high branching factor — exploit this growth for tree-like hierarchies. Octagons (Charpenay and Schockaert, 15) add diagonal constraints $x_i \\pm x_j \\le c$ to capture correlations between dimensions that axis-aligned boxes miss, at the cost of $O(d^2)$ parameters per concept. Most recently, Moreira et al. [19] proposed linear subspaces as the geometric primitive: more general concepts get higher-dimensional subspaces, and subsumption is subspace inclusion. This is closed under intersection (subspace intersection is a subspace) but trades the intuitive "volume" interpretation for algebraic structure.
\nChoose your geometry before your optimizer. The shape of the embedding space determines what relationships the model can even express.
\nFaithfulness. Box embeddings can approximate but may not perfectly represent the logical structure of an ontology. Xiong et al. [14] proved soundness for BoxEL — if the model scores a subsumption as true (zero loss), then it actually holds in the ontology. The complementary property, completeness (every true subsumption scores high), is not claimed. TransBox (Yang et al., 20) — "translation + box," combining TransE-style relation modeling with box containment — goes further, achieving "EL⁺⁺-closure" — intersections, role-filler constraints, and TBox axioms all stay within the box representation.
Leemhuis and Kutz [18] formalized what box semantics can and cannot represent, characterizing the expressiveness limits of box-based embeddings for EL⁺⁺ and extensions. A pragmatic alternative: DELE (Mashkova et al., 17) sidesteps geometric faithfulness entirely by precomputing the deductive closure — the complete set of subsumptions that logically follow from the ontology's axioms — with a classical reasoner, then training the embedding to reproduce it. No general impossibility result rules out faithful box embeddings, and no paper has achieved strong faithfulness (entailed axioms score high AND non-entailed axioms score low). Whether the gap matters in practice is unsettled.
Beyond axis-alignment. Axis-aligned boxes assume that dimensions are independent — the containment of Dog within Animal decomposes into $d$ independent interval containments. For concept hierarchies with correlated features, this is restrictive. Octagons partially address this, but only for pairs of dimensions. Full covariance (oriented boxes, ellipsoids) would be more expressive, but the intersection of oriented boxes is not an oriented box. Finding the right trade-off between expressiveness and closure is open.
\nComposition of geometries. Each geometry handles some operations well and others poorly. Can different geometries be composed? For instance, use boxes for conjunction and cones for negation within the same query. The challenge is defining a consistent scoring function across heterogeneous representations. This is related to the broader question of whether there exists a single continuous geometry of polynomial dimension that is closed under intersection, union, complement, and projection — a universal query embedding. No such geometry is currently known for continuous embeddings at practical dimensionality.
\nCalibration. The containment probability $P(B \\subseteq A) = \\text{Vol}(A \\cap B) / \\text{Vol}(B)$ is a geometric quantity, not a calibrated probability. A value of 0.7 does not mean "70% chance of subsumption" — it means "70% of $B$ 's volume overlaps with $A$ ."This matters for downstream decisions. If you threshold at 0.5, are you accepting everything with >50% overlap, or everything with >50% probability of being true? The model doesn't know. Whether these geometric scores can be calibrated to meaningful probabilities, and whether that calibration generalizes across domains, is unexplored.
\nDensity matrices. Quantum-inspired representations model concepts as positive semidefinite matrices (matrices with all eigenvalues $\\ge 0$ , used in quantum mechanics to represent probabilistic mixtures of states) on a Hilbert space. One natural analogue of containment is the Loewner order: model $A \\sqsubseteq B$ by requiring $B - A$ to be positive semidefinite (all eigenvalues of the difference are $\\ge 0$ ). This is richer than box containment — it captures arbitrary subspace relationships, not just axis-aligned intervals. The computational cost is $O(d^2)$ per concept, the intersection structure is more complex, and the connection to DL subsumption semantics is an analogy rather than a derivation. As of 2026, quantum KGE implementations exist but use quantum circuits for scoring, not density matrices for concept representation. The theoretical proposal remains unimplemented.
\nEvaluation methodology. A pervasive but underacknowledged flaw: most ontology embedding benchmarks treat logically entailed axioms as negatives during training and evaluation. DELE [17] showed this is broken — the model is penalized for predicting things that are provably true. The deductive closure must be computed first and filtered from the negative set. More broadly, no standardized benchmark suite exists for ontology embeddings; different papers use incompatible datasets and protocols, making cross-paper comparison unreliable.
Geometric vs. neural. For multi-hop query answering, the geometric approach (Query2Box, ConE, BetaE) is being superseded. Newer geometric approaches like cylinder embeddings and fully geometric methods — where all logical operations are geometric transformations, not learned neural operators — show that the "geometric" label applied to Query2Box was partially misleading: its intersection operator was a neural network. GNN-based query answering substantially outperforms all purely geometric methods on standard benchmarks. The niche where geometric methods retain a defensible advantage is ontology-specific settings with explicit DL semantics: GNN foundation models don't enforce logical closure, but TransBox and DELE do.
[1] Erk, K. (2009). "Representing Words as Regions in Vector Space." CoNLL, 57--65. ↩
\n[2] Bordes, A., Usunier, N., Garcia-Duran, A., Weston, J. & Yakhnenko, O. (2013). "Translating Embeddings for Modeling Multi-relational Data." NeurIPS, 2787--2795. ↩
\n[3] Vendrov, I., Kiros, R., Fidler, S. & Urtasun, R. (2016). "Order-Embeddings of Images and Language." ICLR. ↩
\n[4] Vilnis, L., Li, X., Murty, S. & McCallum, A. (2018). "Probabilistic Embedding of Knowledge Graphs with Box Lattice Measures." ACL, 263--272. ↩
\n[5] Ganea, O.-E., Becigneul, G. & Hofmann, T. (2018). "Hyperbolic Entailment Cones for Learning Hierarchical Embeddings." ICML. ↩
\n[6] Li, X. L., Vilnis, L., Zhang, D., Boratko, M. & McCallum, A. (2019). "Smoothing the Geometry of Probabilistic Box Embeddings." ICLR. ↩
\n[7] Sun, Z., Deng, Z.-H., Nie, J.-Y. & Tang, J. (2019). "RotatE: Knowledge Graph Embedding by Relational Rotation in Complex Space." ICLR. ↩
\n[8] Dasgupta, S. S., Boratko, M., Zhang, D., Vilnis, L., Li, X. L. & McCallum, A. (2020). "Improving Local Identifiability in Probabilistic Box Embeddings." NeurIPS. ↩
\n[9] Ren, H., Hu, W. & Leskovec, J. (2020). "Query2Box: Reasoning over Knowledge Graphs in Vector Space using Box Embeddings." ICLR. ↩
\n[10] Ren, H. & Leskovec, J. (2020). "Beta Embeddings for Multi-Hop Logical Reasoning in Knowledge Graphs." NeurIPS. ↩
\n[11] Arakelyan, E., Daza, D., Minervini, P. & Cochez, M. (2021). "Complex Query Answering with Neural Link Predictors." ICLR (Outstanding Paper). ↩
\n[12] Zhang, Z., Wang, J., Chen, J., Ji, S. & Wu, F. (2021). "ConE: Cone Embeddings for Multi-Hop Reasoning over Knowledge Graphs." NeurIPS. ↩
\n[13] Chen, X., Hu, Z. & Sun, Y. (2022). "Fuzzy Logic Based Logical Query Answering on Knowledge Graphs." AAAI. ↩
\n[14] Xiong, B., Potyka, N., Tran, T.-K., Nayyeri, M. & Staab, S. (2022). "Faithful Embeddings for EL⁺⁺ Knowledge Bases." ECML-PKDD. ↩
\n[15] Charpenay, V. & Schockaert, S. (2024). "Embedding Ontologies with Octagons." IJCAI. ↩
\n[16] Jackermeier, M., Chen, J. & Horrocks, I. (2024). "Dual Box Embeddings for the Description Logic EL⁺⁺." WWW '24. ↩
\n[17] Mashkova, O., Zhapa-Camacho, F. & Hoehndorf, R. (2024). "DELE: Deductive EL++ Embeddings for Knowledge Base Completion." arXiv:2411.01574. ↩
\n[18] Leemhuis, M. & Kutz, O. (2025). "Understanding the Expressive Capabilities of Knowledge Base Embeddings under Box Semantics." KR '25. ↩
\n[19] Moreira, G., Marinho, Z., Marques, M., Costeira, J. P. & Xiong, B. (2025). "Native Logical and Hierarchical Representations with Subspace Embeddings." arXiv:2508.16687. ↩
\n[20] Yang, H., Chen, J. & Sattler, U. (2025). "TransBox: EL⁺⁺-closed Ontology Embedding." WWW '25. ↩
\n[21] Mishra, S. et al. (2026). "TaxoBell: Gaussian Box Embeddings for Self-Supervised Taxonomy Expansion." arXiv:2601.09633. ↩
\nTransE, RotatE, ComplEx, and DistMult with GPU training via candle. The point-embedding baseline.Query2Box scoring, and fuzzy t-norm query answering.Is 341 prime? Trial division says no ( $11 \\times 31$ ). But if you check $2^{340} \\bmod 341$ , you get 1 -- exactly what a prime would give. This failure of Fermat's test, and the centuries it took to fix it, is the story of probabilistic primality testing.
\n\nA positive integer $n > 1$ is prime if its only divisors are 1 and itself. This is a clean definition but a hard computational problem: given an arbitrary $n$ , how do you decide?
\nThe stakes are not abstract. RSA key generation requires finding two large primes $p$ and $q$ , typically 1024 bits each, so that their product $n = pq$ is hard to factor. The security of RSA rests on the assumption that factoring $n$ is computationally infeasible -- but that assumption is worthless if $p$ or $q$ is not actually prime. A composite that slips through primality testing produces a key that can be factored trivially. RSA, Diffie-Hellman, and most public-key cryptography depend on reliably generating large primes.
\nThe oldest approach: to test whether $n$ is prime, try dividing it by every integer from 2 up to $\\sqrt{n}$ . If none divide evenly, $n$ is prime.
\nThis works because if $n = ab$ with $a \\le b$ , then $a \\le \\sqrt{n}$ . So we only need to check potential factors up to the square root. A standard optimization: after checking 2, only test odd divisors (or better, only test primes up to $\\sqrt{n}$ , but generating those primes is itself a sub-problem -- the Sieve of Eratosthenes handles it for moderate bounds).
\nThe complexity is $O(\\sqrt{n})$ divisions. For a 10-digit number, that is roughly 100,000 divisions -- fast on modern hardware. For a 300-digit number (a typical RSA prime), $\\sqrt{n}$ has 150 digits. There are approximately $10^{150}$ candidate divisors. At $10^{12}$ divisions per second, this would take about $10^{138}$ seconds. The universe is approximately $4 \\times 10^{17}$ seconds old.
\nThe issue is that $O(\\sqrt{n})$ is exponential in the bit-length of $n$ . If $n$ has $b$ bits, then $\\sqrt{n} = 2^{b/2}$ , and we need $2^{b/2}$ divisions. A polynomial-time algorithm would need $O(b^c)$ operations for some constant $c$ . Trial division is correct and deterministic, but for cryptographic sizes it is useless -- and this is not a constant-factor problem that faster hardware will solve. The gap is exponential.
\nThis gap -- between what we need (test 1024-bit numbers) and what deterministic methods can do in reasonable time -- motivates a radical idea: accept a test that might be wrong.
\nA probabilistic primality test gives one of two answers: "definitely composite" or "probably prime." The "probably" comes with a quantifiable error bound. If the probability of a false "probably prime" answer is less than $2^{-128}$ , that is a smaller failure probability than a cosmic ray flipping a bit in your CPU during the computation. For engineering purposes, "probably prime with error $< 2^{-128}$ " is as good as "proven prime."
\nThe challenge is building a test with: (1) an error probability that decreases exponentially with the number of iterations, and (2) no blind spots -- no class of composites that always fools the test regardless of how many iterations you run.
\nThe first condition is achievable: run the test multiple times with independent random choices, and error probabilities multiply (shrinking exponentially). The second took 340 years from Fermat to Rabin, because the natural first attempt -- the Fermat test -- has exactly the blind spot we need to avoid.
\nIn 1640, Pierre de Fermat stated a theorem that would become foundational to primality testing:
\n\n\n$$a^{p-1} \\equiv 1 \\pmod{p}$$\n\nfor any prime $p$ and integer $a$ not divisible by $p$ .
\nConsider the $p-1$ nonzero residues $\\{1, 2, \\ldots, p-1\\}$ modulo $p$ . Multiplying each by $a$ (with $\\gcd(a, p) = 1$ ) permutes this set: the map $x \\mapsto ax \\bmod p$ is a bijection on $\\{1, \\ldots, p-1\\}$ . Therefore:
\n\n\n$$\\prod_{i=1}^{p-1} (a \\cdot i) \\equiv \\prod_{i=1}^{p-1} i \\pmod{p}$$\n\nThe left side is $a^{p-1} \\cdot (p-1)!$ and the right side is $(p-1)!$ . Since $p$ is prime, $(p-1)!$ is invertible mod $p$ , giving $a^{p-1} \\equiv 1$ .
\nThe contrapositive gives us a primality test: if $a^{n-1} \\not\\equiv 1 \\pmod{n}$ for some $a$ coprime to $n$ , then $n$ is definitely composite.
\nThis observation leads to a simple probabilistic test:
\nStep 2 uses modular exponentiation by repeated squaring, which runs in $O(\\log n)$ multiplications mod $n$ , each costing $O((\\log n)^2)$ with schoolbook multiplication. Total: $O((\\log n)^3)$ . This scales with the number of digits, not the magnitude -- exactly what we need.
\nNote an asymmetry: the test can prove compositeness (if $a^{n-1} \\not\\equiv 1$ , $n$ is definitely composite) but can only suggest primality (if $a^{n-1} \\equiv 1$ , $n$ might be prime). This one-sided error structure defines probabilistic primality testing. We will never get a false "composite" answer, only a false "probably prime."
\nThe weakness: composite numbers that pass this test exist.
\nA composite number $n$ is called a Fermat pseudoprime to base $a$ if $a^{n-1} \\equiv 1 \\pmod{n}$ .
\nFor example, $341 = 11 \\times 31$ is a pseudoprime to base 2:
\n\n\n$$2^{340} \\equiv 1 \\pmod{341}$$\n\nWhy does this happen? By Fermat's theorem applied to the factors: $2^{10} \\equiv 1 \\pmod{11}$ and $2^{30} \\equiv 1 \\pmod{31}$ . Since $10 \\mid 340$ and $30 \\mid 340$ , we get $2^{340} \\equiv 1$ modulo both 11 and 31, hence modulo $341$ by the Chinese Remainder Theorem.
\nThis means the Fermat test with base 2 incorrectly identifies 341 as "probably prime."
\nThe pseudoprimes to base 2 below 1000 are just 341 and 561. They are rare -- there are only 245 base-2 pseudoprimes below $10^6$ -- but they exist, and their rarity is deceptive. It might suggest that testing multiple bases would catch all composites: if $n$ is a pseudoprime to base 2, surely it fails for base 3? Often yes. But not always.
\nIn 1885, Vaclav Simerka found several composite numbers that are pseudoprimes to every base coprime to them. He published in Casopis pro pestovani mathematiky a fysiky, a Czech-language journal with limited circulation outside Bohemia. His work went unnoticed for over a century.
\nIn 1899, Alwin Korselt characterized such numbers: a composite $n$ is a Carmichael number if and only if:
\nBut Korselt knew of no examples.
\nIn 1910, Robert D. Carmichael independently discovered the smallest such number:
\n\n\n$$561 = 3 \\times 11 \\times 17$$\n\nVerification: $561 - 1 = 560 = 2^4 \\times 5 \\times 7$ , and indeed:
\nThe Fermat test fails completely on Carmichael numbers -- no choice of base (coprime to $n$ ) will reveal their compositeness. For the Fermat test, Carmichael numbers are an unconditional blind spot. No amount of repetition helps.
\nKorselt's criterion has an intuitive interpretation: it says that $n$ "pretends" to be prime by having its prime factors' orders all divide $n - 1$ . The Chinese Remainder Theorem then forces $a^{n-1} \\equiv 1 \\pmod{n}$ for all $a$ coprime to $n$ . The deception is structural, not coincidental.
\nFor decades, mathematicians wondered whether there are infinitely many Carmichael numbers. In 1994, Alford, Granville, and Pomerance proved there are: for sufficiently large $x$ , the number of Carmichael numbers up to $x$ exceeds $x^{2/7}$ . The proof is non-constructive and the actual density appears to be much higher than this bound. Erdos conjectured the count up to $x$ is $x^{1-o(1)}$ , but this remains open.
\nIn 1977, Robert Solovay and Volker Strassen gave the first polynomial-time probabilistic primality test with a rigorously proven error bound. Their test uses the Euler criterion, which connects modular exponentiation to the Legendre symbol.
\nLemma (Euler criterion). For an odd prime $p$ and $\\gcd(a, p) = 1$ :
\n\n\n$$a^{(p-1)/2} \\equiv \\left(\\frac{a}{p}\\right) \\pmod{p}$$\n\nwhere $\\left(\\frac{a}{p}\\right)$ is the Legendre symbol ( $+1$ if $a$ is a quadratic residue mod $p$ , $-1$ otherwise).
\nProof sketch. Since $\\mathbb{F}_p^\\times$ is cyclic of order $p-1$ , we have $a^{p-1} \\equiv 1$ , so $a^{(p-1)/2}$ is a square root of 1, hence $\\pm 1$ . It equals $+1$ if and only if $a = g^{2k}$ for some generator $g$ (i.e., $a$ is a quadratic residue), because $a^{(p-1)/2} = g^{k(p-1)} = 1$ when $k$ is even and $g^{k(p-1)} = g^{(p-1)/2 \\cdot \\text{odd}} = -1$ when $k$ is odd.
\nThe Solovay-Strassen test: pick a random $a$ , compute both $a^{(n-1)/2} \\bmod n$ and the Jacobi symbol $\\left(\\frac{a}{n}\\right)$ (which can be computed in $O(\\log^2 n)$ by reciprocity, without knowing the factorization of $n$ ). If they disagree, $n$ is composite.
\nWhy this breaks the Carmichael barrier: a Carmichael number $n$ satisfies $a^{n-1} \\equiv 1 \\pmod{n}$ for all $a$ coprime to $n$ , but this does not force $a^{(n-1)/2} \\equiv \\left(\\frac{a}{n}\\right)$ . The Jacobi symbol factors multiplicatively over the prime factors of $n$ , while the power $a^{(n-1)/2}$ does not decompose the same way. Solovay and Strassen proved that for any composite $n$ , at least half of all bases $a$ in $\\{1, \\ldots, n-1\\}$ are witnesses -- the Euler criterion fails for them. This gives a $1/2$ error bound per round, worse than Miller-Rabin's $1/4$ but sufficient to bypass Carmichael numbers entirely.
\nIn 1976, Gary Miller observed that we can strengthen the Fermat test by exploiting a deeper property of primes.
\nWrite $n - 1 = 2^s \\cdot d$ where $d$ is odd. For a prime $p$ and base $a$ coprime to $p$ , one of the following must hold:
\n\n\n$$a^d \\equiv 1 \\pmod{p}$$\n\nor
\n\n\n$$a^{2^r d} \\equiv -1 \\pmod{p} \\quad \\text{for some } 0 \\le r < s$$\n\nWhy must one of these hold? Start from Fermat: $a^{p-1} = a^{2^s d} \\equiv 1 \\pmod{p}$ . Now consider the squaring chain:
\n\n\n$$a^d, \\; a^{2d}, \\; a^{4d}, \\; \\ldots, \\; a^{2^s d}$$\n\nThe last term is 1. Each term is the square of the previous. Working backwards from $a^{2^s d} \\equiv 1$ : if $a^{2^r d} \\equiv 1$ , then $a^{2^{r-1} d}$ is a square root of 1 modulo $p$ . In a field (which $\\mathbb{Z}/p\\mathbb{Z}$ is, since $p$ is prime), the polynomial $x^2 - 1$ has at most two roots: $+1$ and $-1$ . So either the previous term is also 1 (and we continue backwards) or it is $-1$ (and we stop). Eventually we either reach $a^d \\equiv 1$ or find some $a^{2^r d} \\equiv -1$ .
\nThe critical point: for a composite $n$ , $\\mathbb{Z}/n\\mathbb{Z}$ is not a field, and $x^2 \\equiv 1 \\pmod{n}$ can have more than two solutions. For example, modulo $n = 15$ , we have $4^2 = 16 \\equiv 1$ -- a "non-trivial square root of unity." This is the crack that Miller's test exploits.
\nWorked example: $n = 341$ , $a = 2$ . Recall that 341 passes the Fermat test for base 2. Write $341 - 1 = 340 = 2^2 \\times 85$ , so $s = 2$ and $d = 85$ . The squaring chain is:
\n\n\n$$2^{85} \\bmod 341 = 32, \\quad 32^2 \\bmod 341 = 1024 \\bmod 341 = 1$$\n\n![\"Squaring](\"https://attobop.net/posts/primality-testing/squaring_comparison.png\")
\n The chain went from 32 to 1 in one squaring. But $32 \\not\\equiv 1$ and $32 \\not\\equiv -1 \\pmod{341}$ (since $-1 \\equiv 340$ ). So 32 is a non-trivial square root of 1 modulo 341 -- exactly the kind of witness that cannot exist modulo a prime. Miller's test correctly identifies 341 as composite. The Fermat test missed this because it only checks the final value $2^{340} \\bmod 341 = 1$ , discarding the information in the intermediate steps.
\nA composite number that passes this stronger test for base $a$ is called a strong pseudoprime to base $a$ . Unlike the Fermat test, there are no "strong Carmichael numbers" -- no composite passes for all bases.
\nIn 1980, Michael Rabin made Miller's test probabilistic and proved a key result: for any composite $n$ , at most $1/4$ of bases $a$ in $\\{2, \\ldots, n-2\\}$ are strong liars (bases for which $n$ passes the strong test).
\nTheorem (Rabin, 1980). If $n$ is an odd composite, the number of strong liars in $\\{1, \\ldots, n-1\\}$ is at most $\\frac{n-1}{4}$ .
\nProof sketch. Write $n - 1 = 2^s d$ with $d$ odd. By the Chinese Remainder Theorem, $(\\mathbb{Z}/n\\mathbb{Z})^\\times \\cong \\prod_{i} (\\mathbb{Z}/p_i^{e_i}\\mathbb{Z})^\\times$ . A strong liar $a$ must have its squaring chain "look prime" -- either $a^d \\equiv 1$ or $a^{2^r d} \\equiv -1$ for some $r$ .
\nThe key constraint: $a^{2^r d} \\equiv -1 \\pmod{n}$ requires $a^{2^r d} \\equiv -1$ modulo every prime power factor simultaneously. But each factor has its own 2-adic structure ( $p_i - 1 = 2^{s_i} d_i$ with possibly different $s_i$ ), so the squaring chains must "synchronize" across all factors at the same step $r$ . The strong liars form a subgroup of $(\\mathbb{Z}/n\\mathbb{Z})^\\times$ . The synchronization constraint forces this subgroup to have index at least 4.
\nThe worst case is $n = pq$ with $p \\equiv q \\equiv 3 \\pmod{4}$ and $\\gcd(p-1, q-1) = 2$ , which gives exactly $\\frac{n-1}{4}$ strong liars. All other composites have fewer.
\nThis means:
\nBut most composites are caught by the first random base. Damgard, Landrock, and Pomerance (1993) showed that for random odd $k$ -bit composites, the average-case error probability after $t$ rounds drops as $\\exp(-c\\sqrt{kt})$ for a constant $c$ , much faster than the worst-case $4^{-t}$ . For 1024-bit numbers with even a single round, the average-case error probability is negligible.
\nUnlike the Fermat test, Miller-Rabin is not fooled by Carmichael numbers. For any Carmichael number $n$ , at least 75% of bases reveal its compositeness through the strong pseudoprime check. The "non-trivial square roots of unity" that exist in $\\mathbb{Z}/n\\mathbb{Z}$ (but not in $\\mathbb{Z}/p\\mathbb{Z}$ ) always provide witnesses.
\nModular exponentiation by repeated squaring makes each round efficient. Here is a complete Miller-Rabin test in Python:
\nimport random\n\ndef is_probable_prime(n, k=40):\n """Miller-Rabin with k rounds. False = composite, True = probably prime."""\n if n < 2: return False\n if n < 4: return True\n if n % 2 == 0: return False\n # Write n - 1 = 2^s * d with d odd\n d, s = n - 1, 0\n while d % 2 == 0:\n d //= 2\n s += 1\n for _ in range(k):\n a = random.randrange(2, n - 1)\n x = pow(a, d, n) # a^d mod n\n if x == 1 or x == n - 1:\n continue\n for _ in range(s - 1):\n x = pow(x, 2, n) # square mod n\n if x == n - 1:\n break\n else:\n return False # composite witness found\n return True\nPython's built-in three-argument pow(a, d, n) performs modular exponentiation by repeated squaring internally -- it does not compute $a^d$ and then reduce. This makes the implementation efficient even for thousand-bit inputs. With $k = 40$ rounds, the error probability is below $4^{-40} \\approx 10^{-24}$ , which is the typical choice for cryptographic key generation.
The for/else construct is Python-specific: the else clause executes only if the inner for loop completes without break, meaning none of the squarings produced $-1$ , so $a$ is a witness to compositeness.
Miller's original 1976 test was not probabilistic -- it was deterministic, conditional on the extended Riemann hypothesis (ERH). Under ERH, Miller proved that for any composite $n$ , there exists a witness $a < 2 (\\ln n)^2$ . This means you only need to test bases up to $O((\\log n)^2)$ , giving a deterministic polynomial-time test -- if ERH is true.
\nERH remains unproven. The conditional result ties the difficulty of deterministic primality testing to the distribution of zeros of the Riemann zeta function.
\nEven without ERH, exhaustive computation has established that specific small sets of bases suffice for bounded ranges. These results turn Miller-Rabin into a deterministic test for numbers below each bound:
\n| Bound on $n$ | \nSufficient bases | \n
|---|---|
| $< 2{,}047$ | \n$\\{2\\}$ | \n
| $< 1{,}373{,}653$ | \n$\\{2, 3\\}$ | \n
| $< 3{,}215{,}031{,}751$ | \n$\\{2, 3, 5, 7\\}$ | \n
| $< 3{,}317{,}044{,}064{,}679{,}887{,}385{,}961{,}981$ | \n$\\{2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41\\}$ | \n
The last bound is approximately $3.3 \\times 10^{24}$ . For 64-bit integers ( $< 2^{64} \\approx 1.8 \\times 10^{19}$ ), the first 12 primes as bases give a deterministic test. This is how many implementations handle "small" numbers: no randomness needed, no probability of error, and the test runs in microseconds.
\nThe smallest strong pseudoprime to base 2 is 2047 -- which is why base $\\{2\\}$ alone suffices below that threshold.
\nThe Baillie-PSW test, introduced in 1980 by Robert Baillie, Carl Pomerance, John Selfridge, and Samuel Wagstaff, combines two tests that fail on disjoint sets of composites:
\nThe idea is that a composite which is a strong pseudoprime to base 2 is unlikely to also be a strong Lucas pseudoprime, and vice versa. This is not just a hope: the number-theoretic properties that make a number a Fermat/Miller-Rabin pseudoprime (multiplicative order structure) are largely independent of those that make it a Lucas pseudoprime (quadratic residue structure).
\nThe Lucas test works in a different algebraic setting. Given parameters $P$ and $Q$ with discriminant $D = P^2 - 4Q$ , define the Lucas sequences $U_k(P,Q)$ and $V_k(P,Q)$ via the recurrence $U_{k+1} = PU_k - QU_{k-1}$ . For a prime $p$ with Jacobi symbol $(D/p) = -1$ , we have $U_{p+1} \\equiv 0 \\pmod{p}$ . The "strong" variant adds a squaring chain similar to Miller-Rabin. The parameter selection (Selfridge's Method A: choose the first $D$ in the sequence $5, -7, 9, -11, \\ldots$ such that $(D/n) = -1$ ) is designed to maximize the independence between the Miller-Rabin and Lucas tests.
\nNo BPSW counterexample has ever been found. The original 1980 paper offered a $30 reward for a counterexample (from Pomerance, Selfridge, and Wagstaff). In 2021, Baillie, Fiori, and Wagstaff offered $2,000 for a counterexample to a strengthened variant. Neither reward has been claimed. Exhaustive search has verified that no counterexample exists below $2^{64}$ .
\nBPSW requires only two tests (one modular exponentiation + one Lucas computation), making it faster than running 40 rounds of Miller-Rabin. It is the default primality test in many implementations, including Mathematica, Maple, and SageMath.
Miller-Rabin and BPSW are probabilistic (or deterministic only for bounded ranges). For some applications -- primality certificates, mathematical proofs, record-keeping -- we need tests that prove primality unconditionally.
\nIn 2002, Manindra Agrawal, Neeraj Kayal, and Nitin Saxena proved that primality is in P: there exists a deterministic polynomial-time algorithm that decides primality without any unproven hypothesis. Their test, known as AKS, was a landmark in computational number theory.
\nThe original algorithm runs in $\\tilde{O}((\\log n)^{12})$ time. Lenstra and Pomerance improved this to $\\tilde{O}((\\log n)^6)$ in 2005. The key idea starts from a classical observation: if $n$ is prime, then the polynomial identity
\n\n\n$$(x + a)^n \\equiv x^n + a \\pmod{n}$$\n\nholds in $\\mathbb{Z}_n[x]$ for all $a$ (this is essentially the Frobenius endomorphism). For composite $n$ , this identity generally fails. But checking it directly requires working with a polynomial of degree $n$ -- which is as expensive as trial division.
\nAKS's insight is to check this identity modulo a polynomial $x^r - 1$ for a suitable small $r$ : verify $(x + a)^n \\equiv x^{n \\bmod r} + a$ in $\\mathbb{Z}_n[x]/(x^r - 1)$ . Now the polynomials have degree at most $r$ , and $r$ can be chosen as $O((\\log n)^5)$ or better.
\nThe key lemma: if $(x + a)^n \\equiv x^n + a \\pmod{n, x^r - 1}$ holds for $a = 1, 2, \\ldots, \\lfloor\\sqrt{\\phi(r)} \\log n\\rfloor$ , and $n$ has no prime factor $\\le r$ , and $n$ is not a perfect power, then $n$ is prime. The proof constructs a group $G$ of residues in $(\\mathbb{Z}/n\\mathbb{Z})[x]/(x^r - 1)$ generated by $\\{x + 1, x + 2, \\ldots\\}$ and shows that $|G|$ is both large (from the many verified identities) and small (from the structure of the quotient ring), forcing $n$ to be prime. The total number of checks is polynomial in $\\log n$ .
\nAKS is not used in practice. For 64-bit numbers, BPSW is orders of magnitude faster. For larger numbers, ECPP (below) is faster and also produces a certificate. AKS is a "galactic algorithm" -- polynomial in theory, but with constants so large that Miller-Rabin with 64 rounds is faster by orders of magnitude even for 1024-bit inputs. Its significance is theoretical, settling a long-standing complexity question, not providing a practical tool.
\nElliptic Curve Primality Proving (ECPP) was developed by Shafi Goldwasser and Joe Kilian in 1986, and refined into a practical algorithm by A. O. L. Atkin and Francois Morain in 1993. It runs in $\\tilde{O}((\\log n)^4)$ heuristic time and produces a primality certificate -- a compact proof that anyone can verify much faster than it took to produce.
\nThe core idea uses elliptic curves over $\\mathbb{Z}/n\\mathbb{Z}$ . Given a point $P$ on an elliptic curve $E$ modulo $n$ , if we can show that the group order $|E(\\mathbb{Z}/n\\mathbb{Z})|$ has a large prime factor $q$ , and certain conditions hold, then either $n$ is prime or $n$ has a very small factor (which we can check by trial division). The problem then reduces to proving $q$ is prime -- a smaller instance of the same problem. This recursive structure terminates quickly.
\nThe certificate is an Atkin-Goldwasser-Kilian-Morain certificate: a chain of elliptic curves and points that witnesses primality at each recursive step. Verification runs in polynomial time and does not require trusting the prover's computation. This is the key distinction from probabilistic tests: ECPP does not say "probably prime with high confidence." It says "here is a proof; check it yourself." The certificate for a 10,000-digit prime might be a few megabytes, but verifying it takes minutes rather than the hours needed to produce it.
\nAs of 2025, ECPP holds the record for the largest proven prime with a general-purpose algorithm: $R(109297) = (10^{109297} - 1)/9$ , a repunit with 109,297 digits. (Mersenne primes are tested with the deterministic Lucas-Lehmer test, which exploits their special form.)
\n| Test | \nType | \nComplexity | \nCertainty | \nPractical use | \n
|---|---|---|---|---|
| Trial division | \nDeterministic | \n$O(\\sqrt{n})$ | \nProven | \nSmall $n$ only | \n
| Fermat | \nProbabilistic | \n$O(k \\log^3 n)$ | \nProbable (with blind spots) | \nObsolete | \n
| Solovay-Strassen | \nProbabilistic | \n$O(k \\log^3 n)$ | \nError $\\le 2^{-k}$ | \nSuperseded by Miller-Rabin | \n
| Miller-Rabin | \nProbabilistic | \n$O(k \\log^3 n)$ | \nError $\\le 4^{-k}$ | \nGeneral purpose | \n
| BPSW | \nProbabilistic | \n$O(\\log^3 n)$ | \nNo known counterexample | \nDefault in most libraries | \n
| Miller (GRH) | \nDeterministic (conditional) | \n$O(\\log^5 n)$ | \nProven if ERH holds | \nTheoretical | \n
| AKS | \nDeterministic | \n$\\tilde{O}(\\log^6 n)$ | \nProven | \nNot practical | \n
| ECPP | \nDeterministic | \n$\\tilde{O}(\\log^4 n)$ heuristic | \nProven + certificate | \nLargest proven primes | \n
| Year | \nEvent | \n
|---|---|
| 1640 | \nFermat states his "little theorem" | \n
| 1885 | \nSimerka finds first Carmichael numbers (work overlooked) | \n
| 1899 | \nKorselt gives characterization criterion | \n
| 1910 | \nCarmichael discovers 561 independently | \n
| 1976 | \nMiller introduces strong pseudoprime test (deterministic under ERH) | \n
| 1977 | \nSolovay and Strassen give first polynomial-time probabilistic test with proven $1/2$ error bound | \n
| 1980 | \nRabin proves probabilistic $1/4$ error bound | \n
| 1980 | \nBaillie, Pomerance, Selfridge, Wagstaff propose BPSW test | \n
| 1986 | \nGoldwasser and Kilian develop elliptic curve primality proving | \n
| 1993 | \nAtkin and Morain refine ECPP into a practical algorithm | \n
| 1994 | \nAlford-Granville-Pomerance prove infinitely many Carmichael numbers | \n
| 2002 | \nAgrawal-Kayal-Saxena prove primality is in P | \n
The preceding sections described what each test checks. This section explains why those checks work -- the algebraic structure that makes primes distinguishable from composites.
\nWhen $p$ is prime, the integers modulo $p$ form a finite field $\\mathbb{F}_p$ . Every nonzero element has a multiplicative inverse, and Fermat's little theorem tells us the multiplicative group $\\mathbb{F}_p^\\times$ has order $p-1$ .
\nA deeper fact: $\\mathbb{F}_p^\\times$ is cyclic. There exists a generator $g$ (called a primitive root) such that every nonzero element of $\\mathbb{F}_p$ is a power of $g$ :
\n\n\n$$\\mathbb{F}_p^\\times = \\{g^0, g^1, g^2, \\ldots, g^{p-2}\\}$$\n\nThis is not obvious. Here is the proof.
\nTheorem. For any prime $p$ , the group $\\mathbb{F}_p^\\times$ is cyclic.
\nProof. For each divisor $d$ of $p-1$ , let $\\psi(d) = |\\{a \\in \\mathbb{F}_p^\\times : \\text{ord}(a) = d\\}|$ . Every element has some order dividing $p-1$ , so $\\sum_{d \\mid (p-1)} \\psi(d) = p-1$ .
\nNow we claim $\\psi(d) \\le \\phi(d)$ . If $\\psi(d) \\ge 1$ , there exists an element $g$ of order $d$ . The $d$ elements $g^0, g^1, \\ldots, g^{d-1}$ are all roots of $x^d - 1$ . Since $\\mathbb{F}_p$ is a field, $x^d - 1$ has at most $d$ roots, so these are all the elements of order dividing $d$ . Among $g^0, \\ldots, g^{d-1}$ , exactly $\\phi(d)$ have order exactly $d$ (those $g^k$ with $\\gcd(k, d) = 1$ ). So $\\psi(d) \\in \\{0, \\phi(d)\\}$ .
\nSince $\\sum_{d \\mid (p-1)} \\psi(d) = p - 1 = \\sum_{d \\mid (p-1)} \\phi(d)$ (the latter is a standard identity), and $\\psi(d) \\le \\phi(d)$ for all $d$ , we must have $\\psi(d) = \\phi(d)$ for every $d$ . In particular, $\\psi(p-1) = \\phi(p-1) \\ge 1$ , so primitive roots exist.
\nThe cyclicity of $\\mathbb{F}_p^\\times$ is what makes the squaring chain in Miller's test work. Write every element as $g^j$ for some $j$ . Then $a = g^j$ and:
\n\n\n$$a^d = g^{jd}, \\quad a^{2d} = g^{2jd}, \\quad \\ldots, \\quad a^{2^s d} = g^{2^s jd}$$\n\nThe condition $a^{2^s d} = 1$ means $g^{2^s jd} = g^0$ , i.e., $(p-1) \\mid 2^s jd$ . Since $p - 1 = 2^s d$ , this is automatic. Now work backwards. At each step, squaring in the cyclic group means doubling the exponent mod $p-1$ . The only elements whose square is 1 are $g^0 = 1$ and $g^{(p-1)/2} = -1$ . This is exactly the "only two square roots of unity" property that Miller's test uses, and it holds because the group is cyclic of known order.
\nFor composite $n$ , the group $(\\mathbb{Z}/n\\mathbb{Z})^\\times$ is not cyclic in general (by the Chinese Remainder Theorem, it decomposes as a product of the groups for each prime power factor). This product structure creates extra square roots of unity -- elements $x$ with $x^2 \\equiv 1 \\pmod{n}$ but $x \\not\\equiv \\pm 1 \\pmod{n}$ . These non-trivial square roots are the witnesses that Miller-Rabin detects.
\nFor prime powers $q = p^k$ , there exist unique finite fields $\\mathbb{F}_q$ of each size (constructed as polynomial quotient rings, not just $\\mathbb{Z}/q\\mathbb{Z}$ ). Their multiplicative groups are also cyclic of order $q - 1$ .
\nThe connection between finite fields and primality testing runs deep. The Fermat test is really a test of multiplicative group order. Miller-Rabin refines this by probing the 2-Sylow subgroup structure. The Lucas test probes quadratic extensions $\\mathbb{F}_{p^2}$ . ECPP uses the group structure of elliptic curves over $\\mathbb{F}_p$ . Each successive test exploits more algebraic structure of finite fields to distinguish primes from composites.
\nThere are infinitely many Fermat pseudoprimes to base 2. In fact, the count of base-2 pseudoprimes up to $x$ is $x / L(x)^{1/2 + o(1)}$ where $L(x) = e^{\\log x \\cdot \\log \\log \\log x / \\log \\log x}$ -- a result of Pomerance (1981). This grows faster than any power of $\\log x$ but slower than any positive power of $x$ . In practical terms: pseudoprimes are sparse but not negligibly so.
\nFor strong pseudoprimes (the kind Miller-Rabin uses), the density is lower still. The count of base-2 strong pseudoprimes below $x$ appears to grow roughly as $x^{1/3}$ empirically, though the exact asymptotics are not fully established.
\nCarmichael numbers (pseudoprimes to all coprime bases, a much stricter condition) have a proven lower bound of $x^{2/7}$ (Alford-Granville-Pomerance 1994). Erdos conjectured the true count up to $x$ is $x^{1-o(1)}$ , but this remains open. Pinch computed the count up to $10^{18}$ as 1,401,644 -- rare compared to Fermat pseudoprimes to any single base, but not as rare as one might expect.
\nThe central open problem in practical primality testing: does a BPSW counterexample exist?
\nHeuristic arguments suggest counterexamples should exist but be astronomically rare. Pomerance has estimated that if they exist, the smallest might exceed $10^{10000}$ . Exhaustive search has checked all numbers below $2^{64}$ with no counterexample found.
\nThe $2,000 bounty (Baillie-Fiori-Wagstaff, 2021) remains unclaimed. If no counterexample exists, proving this would likely require new techniques in analytic number theory. If one exists, finding it would likely require new techniques in constructive algebra.
\nEither resolution would be significant. In the meantime, BPSW occupies a peculiar status: universally trusted in practice, with no theoretical proof of correctness, and with heuristic arguments that counterexamples should exist but haven't been found.
\nThe gap between theory and practice matters here. Real systems do not just run Miller-Rabin in a loop. The full pipeline for generating an RSA prime in OpenSSL (as of version 3.x) looks like this:
GMP's mpz_probab_prime_p function follows a similar structure: trial division, then BPSW, then optional additional Miller-Rabin rounds requested by the caller.
The FIPS 186-5 standard (the current revision for US government systems) specifies Miller-Rabin with iteration counts that depend on the required error probability and the bit length of the candidate. For 1024-bit primes (half of a 2048-bit RSA modulus), FIPS requires enough rounds to achieve an error probability below $2^{-112}$ .
\nlibsodium, used widely for NaCl-family cryptography, relies on Ed25519 (which uses a fixed curve, not generated primes) for signatures, so primality testing is not in its hot path. But for applications that do need prime generation, libsodium defers to the OS or to a constant-time Miller-Rabin implementation.
An important engineering detail: the primality test itself is rarely the bottleneck. For a 2048-bit RSA modulus, the expected number of random candidates before finding a prime is approximately $\\ln(2^{1024}) \\approx 710$ (by the prime number theorem). Each candidate undergoes trial division first, which filters out most composites in microseconds. Only the ~20% that survive trial division reach the expensive probabilistic test. End-to-end, generating both primes typically takes a few hundred milliseconds on modern hardware.
\nEvery step in this pipeline must run in constant time. If the Miller-Rabin test takes longer for primes than composites (because primes survive more squaring steps), an attacker observing timing can learn information about the generated primes. Production implementations use Montgomery multiplication with fixed iteration counts -- the same number of multiplications regardless of intermediate values. This is a first-order correctness requirement, not a performance optimization.
\nTake any sequence of integers. Subtract each term from the next. You get a new sequence. Do it again. And again. What emerges is a difference table---and it reveals far more about your sequence than you might expect.
\n\nLet's play with the triangular numbers: 1, 3, 6, 10, 15, 21, ...
\nThese are figurate numbers -- they count dots in regular geometric arrangements. The triangular numbers count dots in triangles:
\n • • •\n • • • •\n • • •\n 1 3 6\nNow build the difference table. Write the sequence, then below each pair write their difference:
\n![\"Difference](\"https://attobop.net/posts/difference-tables/triangular_diff.png\")
\n The first differences are the counting numbers. The second differences are all 1. The third differences are all 0.
\nThis is no accident. The triangular numbers are given by $T_n = \\frac{n(n+1)}{2}$ , a quadratic polynomial---and every quadratic has constant second differences.
\nThe idea of systematically differencing a sequence is old. Newton used it in the 1660s for interpolation, but the roots go back further---to James Gregory (1668) and Henry Briggs (1624), who built logarithm tables by the method of finite differences. Thomas Harriot had the essential idea even earlier, in unpublished manuscripts from the 1610s.
\nThe practical motive was always numerical tables. Briggs computed his Arithmetica Logarithmica (1624) by exploiting the fact that consecutive values of a polynomial can be computed by addition alone---no multiplication needed---if you maintain a running difference table. The same idea powered the Nautical Almanac computations for two centuries, and it's what Babbage later mechanized in his Difference Engine.
\nNewton's contribution was to see beyond the computational trick: he formulated the general interpolation formula and recognized the connection to the binomial series. In a 1676 letter to Leibniz (the Epistola Prior), Newton described how any function tabulated at integer points could be approximated by its differences, extending finite differences from a computational device to a theoretical tool.
\nThe analogy with continuous calculus is not a coincidence. Define the forward difference operator $\\Delta$ by
\n\n\n$$\\Delta f(x) = f(x+1) - f(x)$$\n\nand the shift operator $E$ by
\n\n\n$$E f(x) = f(x+1).$$\n\nThen $\\Delta = E - I$ , where $I$ is the identity operator. This is the discrete analogue of the derivative: where $\\frac{d}{dx}$ measures instantaneous rate of change, $\\Delta$ measures the change over a unit step.
\nThe parallel runs deep. In continuous calculus, $\\frac{d}{dx} x^n = n x^{n-1}$ . In discrete calculus, $\\Delta$ acts cleanly not on ordinary powers $x^n$ but on falling factorials:
\n\n\n$$x^{\\underline{n}} = x(x-1)(x-2)\\cdots(x-n+1)$$\n\nThe rule is $\\Delta x^{\\underline{n}} = n \\cdot x^{\\underline{n-1}}$ , a perfect mirror of the power rule. The falling factorial plays the role of $x^n$ in the discrete world, and the binomial coefficient $\\binom{x}{n} = \\frac{x^{\\underline{n}}}{n!}$ plays the role of $\\frac{x^n}{n!}$ .
\nThe parallel between discrete and continuous calculus is systematic:
\n| Continuous | \nDiscrete | \n
|---|---|
| Derivative $\\frac{d}{dx}$ | \nForward difference $\\Delta$ | \n
| $x^n$ | \nFalling factorial $x^{\\underline{n}}$ | \n
| $\\frac{d}{dx} x^n = n x^{n-1}$ | \n$\\Delta x^{\\underline{n}} = n \\cdot x^{\\underline{n-1}}$ | \n
| $\\int x^n dx = \\frac{x^{n+1}}{n+1} + C$ | \n$\\Delta^{-1} x^{\\underline{n}} = \\frac{x^{\\underline{n+1}}}{n+1} + C$ | \n
| Taylor series: $f(x) = \\sum \\frac{f^{(k)}(0)}{k!} x^k$ | \nNewton series: $f(n) = \\sum \\Delta^k f(0) \\cdot \\binom{n}{k}$ | \n
| $\\frac{x^n}{n!}$ | \n$\\binom{x}{n} = \\frac{x^{\\underline{n}}}{n!}$ | \n
| $e^x$ (eigenfunction of $\\frac{d}{dx}$ ) | \n$2^x$ (eigenfunction of $\\Delta$ : $\\Delta 2^x = 2^x$ ) | \n
The last row explains why powers of 2 have self-similar difference tables: $\\Delta$ acts on $2^x$ the way $\\frac{d}{dx}$ acts on $e^x$ -- it returns the function unchanged.
\nHigher-order differences compose exactly as you'd expect:
\n\n\n$$\\Delta^n f(x) = \\sum_{k=0}^{n} \\binom{n}{k} (-1)^{n-k} f(x+k)$$\n\nThis follows from expanding $\\Delta^n = (E - I)^n$ by the binomial theorem---which works because $E$ and $I$ commute. The formula says: to compute the $n$ -th difference, take an alternating weighted sum of $n+1$ consecutive values. This is exactly what building the difference table row by row computes, just expressed in closed form.
\nThe operator-theoretic viewpoint extends further. The formal relation between $\\Delta$ and the continuous derivative $D = \\frac{d}{dx}$ is $\\Delta = e^D - 1$ , since $Ef(x) = e^D f(x) = f(x+1)$ by Taylor's theorem. Inverting: $D = \\ln(1 + \\Delta) = \\Delta - \\frac{\\Delta^2}{2} + \\frac{\\Delta^3}{3} - \\cdots$ . These formal power series in operators converge when applied to polynomials (which are annihilated by sufficiently high powers of $\\Delta$ or $D$ ), and they form the basis of the operator method in combinatorics.
\nThe backward difference operator $\\nabla f(x) = f(x) - f(x-1)$ and the central difference operator $\\delta f(x) = f(x + \\tfrac{1}{2}) - f(x - \\tfrac{1}{2})$ give rise to their own families of formulas (Stirling's interpolation, Gauss's formulas), but the forward difference is the most natural starting point.
\nFor any polynomial of degree $d$ , the $d$ -th differences are constant, and the $(d+1)$ -th differences are zero.
\nTry the cubes: 1, 8, 27, 64, 125, 216...
\n1 8 27 64 125 216\n 7 19 37 61 91\n 12 18 24 30\n 6 6 6\n 0 0\nThird differences constant at 6. Fourth differences zero. The cubes are cubic polynomials---degree 3.
\nThe figurate number pattern continues: the square pyramidal numbers 1, 5, 14, 30, 55, 91 count balls stacked in a square pyramid. Each layer is a square number, so the pyramidal numbers are partial sums of squares: $P_n = \\sum_{k=1}^{n} k^2$ . Their third differences are constant at 2, confirming degree 3 -- the sum of a degree-2 sequence is degree 3, exactly as the discrete antidifference predicts.
\nThis works in reverse too. If someone hands you a mystery sequence and its third differences are constant, you know it's generated by a cubic polynomial. You can even reconstruct the formula.
\nWhy does the $d$ -th difference of a degree- $d$ polynomial come out constant? Because $\\Delta$ reduces degree by exactly 1. To see this: if $f(x) = cx^d + \\text{lower terms}$ , then $\\Delta f(x) = c[(x+1)^d - x^d] = c[dx^{d-1} + \\text{lower terms}]$ , so $\\deg(\\Delta f) = d - 1$ with leading coefficient $cd$ . Applying this $d$ times, $\\Delta^d f(x) = c \\cdot d! $ , a constant. One more application gives $\\Delta^{d+1} f(x) = 0$ . For the cubes, $f(x) = x^3$ with $c = 1$ , so $\\Delta^3 f(x) = 3! = 6$ .
\nThis gives a practical test: if the $k$ -th row of a difference table is constant, the sequence is generated by a polynomial of degree exactly $k$ . The converse holds too---non-polynomial sequences (exponentials, factorials, primes) never terminate. (For primes: the prime counting function grows as $n / \\ln n$ by the prime number theorem, which is not polynomial in the index, so no finite-degree polynomial can reproduce the prime sequence.)
\nThe calculus analogy extends to summation. Just as integration undoes differentiation, the antidifference $\\Delta^{-1}$ (also called the indefinite sum) undoes $\\Delta$ . Since $\\Delta x^{\\underline{n}} = n \\cdot x^{\\underline{n-1}}$ , we get $\\Delta^{-1} x^{\\underline{n}} = \\frac{x^{\\underline{n+1}}}{n+1} + C$ ---the discrete analogue of $\\int x^n dx = \\frac{x^{n+1}}{n+1} + C$ . This gives closed forms for discrete sums: $\\sum_{k=0}^{n-1} k^{\\underline{2}} = \\sum_{k=0}^{n-1} k(k-1) = \\frac{n(n-1)(n-2)}{3}$ , which you can verify is $\\frac{x^{\\underline{3}}}{3}\\big|_0^n$ .
\nHere is a short Python function that computes the difference table:
\ndef difference_table(seq):\n """Return the difference table as a list of rows."""\n table = [list(seq)]\n while len(table[-1]) > 1:\n row = table[-1]\n table.append([row[i+1] - row[i] for i in range(len(row) - 1)])\n return table\n\n# Triangular numbers\nfor row in difference_table([1, 3, 6, 10, 15, 21, 28]):\n print(row)\n# [1, 3, 6, 10, 15, 21, 28]\n# [2, 3, 4, 5, 6, 7]\n# [1, 1, 1, 1, 1]\n# [0, 0, 0, 0]\nAny sequence can be reconstructed from its difference table. Specifically:
\n\n\n$$a_n = \\sum_{k=0}^{n} \\binom{n}{k} \\Delta^k a_0$$\n\nwhere $\\Delta^k a_0$ is the $k$ -th entry on the left edge of the difference table.
\nThis is Newton's forward difference formula. It says: to reconstruct a sequence, take the left edge of its difference table and weight by binomial coefficients.
\nThe formula follows directly from the relation $E = I + \\Delta$ . Applying $E^n$ to $f$ at $x = 0$ :
\n\n\n$$f(n) = E^n f(0) = (I + \\Delta)^n f(0) = \\sum_{k=0}^{n} \\binom{n}{k} \\Delta^k f(0)$$\n\nThat's it. The binomial theorem for operators gives Newton's interpolation formula in one line.
\nFor the triangular numbers, the left edge is 1, 2, 1, 0, 0, ... So:
\n\n\n$$T_n = \\binom{n}{0} \\cdot 1 + \\binom{n}{1} \\cdot 2 + \\binom{n}{2} \\cdot 1 = 1 + 2n + \\frac{n(n-1)}{2}$$\n\nSimplify and you get $\\frac{n^2 + 3n + 2}{2} = \\frac{(n+1)(n+2)}{2}$ , which is indeed $T_{n+1}$ .
\nFor the cubes, the table starts at $a_0 = 1 = 1^3$ , so our sequence is really $f(n) = (n+1)^3$ . The left edge is 1, 7, 12, 6, 0, 0, ... and Newton's formula gives:
\n\n\n$$f(n) = 1 \\cdot \\binom{n}{0} + 7 \\cdot \\binom{n}{1} + 12 \\cdot \\binom{n}{2} + 6 \\cdot \\binom{n}{3}$$\n\nExpanding: $1 + 7n + 6n(n-1) + n(n-1)(n-2) = 1 + 7n + 6n^2 - 6n + n^3 - 3n^2 + 2n = n^3 + 3n^2 + 3n + 1 = (n+1)^3$ . Correct.
\nNewton's formula is an interpolation formula: given $d+1$ values of a degree- $d$ polynomial, it reconstructs the polynomial exactly. The representation is in the Newton basis $\\{\\binom{x}{0}, \\binom{x}{1}, \\binom{x}{2}, \\ldots\\}$ rather than the monomial basis $\\{1, x, x^2, \\ldots\\}$ .
\nThe Newton basis has a computational advantage: adding one more data point only requires computing one more difference, appending one more term. With the monomial basis (Vandermonde system), you'd need to re-solve the entire system. This is why Newton's formula was the workhorse of numerical tables for three centuries, from Briggs's logarithms to the Nautical Almanac.
\nThere is a subtlety: Newton's formula interpolates exactly through the given points $a_0, a_1, \\ldots, a_d$ using a polynomial of degree $d$ . But if the sequence is not polynomial, the formula still produces a value for $a_n$ at non-integer $n$ ---it just gives the unique polynomial that passes through the first $d+1$ data points. For non-polynomial sequences, the approximation degrades as $n$ moves far from the data. This is the discrete version of the Runge phenomenon in polynomial interpolation.
\nFor polynomial sequences, of course, the formula is exact for all $n$ , not just the tabulated values. This is the basis of the difference table test: if the $d$ -th differences are constant, Newton's formula with $d+1$ terms reproduces the sequence exactly and extends it to all integers (and even to non-integer arguments).
\nHere is a Python function that reconstructs a sequence from its left edge:
\nfrom math import comb\n\ndef newton_interpolate(left_edge, n):\n """Evaluate Newton's forward difference formula at n."""\n return sum(c * comb(n, k) for k, c in enumerate(left_edge))\n\n# Recover triangular numbers from left edge [1, 2, 1]\nprint([newton_interpolate([1, 2, 1], n) for n in range(7)])\n# [1, 3, 6, 10, 15, 21, 28]\nThe operation of "take all the differences and read down the left edge" has a name: the binomial transform.
\nGiven a sequence $(a_0, a_1, a_2, \\ldots)$ , its binomial transform is the sequence of values at the left edge of the difference table:
\n\n\n$$b_n = \\Delta^n a_0 = \\sum_{k=0}^{n} \\binom{n}{k} (-1)^{n-k} a_k$$\n\nThe binomial transform can be written in matrix form. Let $\\mathbf{b} = B \\mathbf{a}$ , where $B$ is the lower-triangular matrix with entries $B_{nk} = \\binom{n}{k}(-1)^{n-k}$ . The inverse is clean: to recover the original sequence, apply the unsigned binomial transform:
\n\n\n$$a_n = \\sum_{k=0}^{n} \\binom{n}{k} b_k$$\n\nThis is Newton's forward difference formula: the left edge of the difference table (the $b_k$ ) reconstructs the original sequence when weighted by binomial coefficients. The forward (signed) and inverse (unsigned) transforms are related by $B^{-1}_{nk} = \\binom{n}{k}$ . To verify the inversion, compose the two. Apply the signed transform to the unsigned:
\n\n\n$$\\sum_k \\binom{n}{k}(-1)^{n-k}\\sum_j \\binom{k}{j} c_j = \\sum_j c_j \\underbrace{\\sum_k \\binom{n}{k}\\binom{k}{j}(-1)^{n-k}}_{\\delta_{nj}}$$\n\nThe inner sum vanishes for $n \\ne j$ because $\\sum_k \\binom{n-j}{k-j}(-1)^{n-k}$ is the alternating row sum of Pascal's triangle, which is zero unless the row has length 1.
\n(Some authors define the binomial transform without the signs: $b_n = \\sum_k \\binom{n}{k} a_k$ . Under that convention, the signed version is the inverse. The two conventions are conjugates of each other, differing by whether you call the "forward" direction signed or unsigned.)
\nPowers of 2. The sequence $a_n = 2^n$ gives $b_n = \\sum_{k=0}^{n} \\binom{n}{k}(-1)^{n-k} 2^k = (2-1)^n = 1$ . So the binomial transform of $(1, 2, 4, 8, 16, \\ldots)$ is $(1, 1, 1, 1, 1, \\ldots)$ .
\nInversely, $(1, 1, 1, \\ldots)$ transforms to $(1, 2, 4, 8, \\ldots)$ . The all-ones sequence and the powers of 2 are binomial transform pairs.
\nPowers of 3. Similarly, $b_n = (3-1)^n = 2^n$ . So the transform of $(1, 3, 9, 27, \\ldots)$ is $(1, 2, 4, 8, \\ldots)$ . Chains form: all-ones $\\leftrightarrow$ powers of 2 $\\leftrightarrow$ powers of 3 $\\leftrightarrow$ ... where each application of the binomial transform subtracts 1 from the base. More generally, the binomial transform of $((a+1)^n)$ is $(a^n)$ , since $\\sum_k \\binom{n}{k}(-1)^{n-k}(a+1)^k = ((a+1)-1)^n = a^n$ .
\nBell numbers. The Bell numbers $B_n$ (1, 1, 2, 5, 15, 52, 203, ...) count the total number of set partitions of $\\lbrace 1, \\ldots, n \\rbrace$ . They satisfy $B_{n+1} = \\sum_{k=0}^{n} \\binom{n}{k} B_k$ ---the unsigned binomial transform of $(B_n)$ is the shifted sequence $(B_{n+1})$ . This recurrence says: to partition $\\lbrace 1, \\ldots, n+1 \\rbrace$ , choose which $k$ elements share a block with $n+1$ (the $\\binom{n}{k}$ factor) and partition the remaining $n-k$ elements (the $B_{n-k}$ factor, which after reindexing gives $B_k$ ).
\nCatalan numbers. The Catalan numbers $C_n = \\frac{1}{n+1}\\binom{2n}{n}$ (1, 1, 2, 5, 14, 42, ...) have a binomial transform that gives the central Delannoy numbers---which count lattice paths with diagonal steps allowed. The binomial transform acts as a "diagonalization" of the lattice path model.
\nIf $A(x) = \\sum a_n x^n$ is the ordinary generating function (OGF) of $(a_n)$ , and $(b_n)$ is its binomial transform, then
\n\n\n$$\\sum b_n x^n = \\frac{1}{1+x} A\\!\\left(\\frac{x}{1+x}\\right).$$\n\nFor exponential generating functions (EGFs), the relationship is cleaner. If $\\hat{A}(x) = \\sum a_n \\frac{x^n}{n!}$ , then
\n\n\n$$\\sum b_n \\frac{x^n}{n!} = e^{-x} \\hat{A}(x).$$\n\nMultiplication by $e^{-x}$ in the EGF world corresponds to the binomial transform in the coefficient world. This is one reason EGFs are so natural for combinatorics: many transforms that look complicated on OGFs become simple operations on EGFs.
\nThe EGF perspective makes the inversion transparent. The signed binomial transform corresponds to multiplying by $e^{-x}$ ; the unsigned inverse corresponds to multiplying by $e^{x}$ . The composition $e^{x} \\cdot e^{-x} = 1$ gives the identity, confirming the inversion. In the OGF world, the forward transform is the substitution $x \\mapsto \\frac{x}{1+x}$ combined with a factor of $\\frac{1}{1+x}$ , and the inverse substitution $x \\mapsto \\frac{x}{1-x}$ with factor $\\frac{1}{1-x}$ undoes it.
\nThe Fibonacci sequence has a peculiar difference table:
\n![\"Fibonacci](\"https://attobop.net/posts/difference-tables/fibonacci_diff.png\")
\n Look at the left edge: 0, 1, -1, 2, -3, 5, -8, 13, -21...
\nIt's the Fibonacci numbers again, with alternating signs! The binomial transform of Fibonacci is (essentially) Fibonacci.
\nWhy? The Fibonacci recurrence $F_n = F_{n-1} + F_{n-2}$ has characteristic roots $\\phi = \\frac{1+\\sqrt{5}}{2}$ and $\\psi = \\frac{1-\\sqrt{5}}{2}$ , with the closed form $F_n = \\frac{\\phi^n - \\psi^n}{\\sqrt{5}}$ . The binomial transform sends $\\alpha^n \\mapsto (\\alpha - 1)^n$ . The key step is computing $\\phi - 1 = \\frac{\\sqrt{5}-1}{2} = -\\psi$ and $\\psi - 1 = \\frac{-\\sqrt{5}-1}{2} = -\\phi$ . (Both follow from the defining property $\\phi + \\psi = 1$ .) So:
\n\n\n$$b_n = \\frac{(\\phi-1)^n - (\\psi-1)^n}{\\sqrt{5}} = \\frac{(-\\psi)^n - (-\\phi)^n}{\\sqrt{5}} = (-1)^{n+1} \\frac{\\phi^n - \\psi^n}{\\sqrt{5}} = (-1)^{n+1} F_n$$\n\nThe binomial transform of $F_n$ is $(-1)^{n+1} F_n$ . The Fibonacci sequence is an eigensequence of the binomial transform, with eigenvalue $-1$ (up to the sign shift). This algebraic self-similarity is a shadow of the golden ratio's defining property $\\phi^2 = \\phi + 1$ , which gives $\\phi - 1 = 1/\\phi$ .
\nMore precisely: any sequence whose Binet-style closed form involves roots $\\alpha$ satisfying $\\alpha(\\alpha - 1) = \\pm 1$ will be an eigensequence (or near-eigensequence) of the binomial transform. The golden ratio satisfies $\\phi(\\phi - 1) = 1$ , which is why Fibonacci works. The Lucas numbers $L_n = \\phi^n + \\psi^n$ have the same property: their binomial transform is $(-1)^n L_n$ .
\nThe On-Line Encyclopedia of Integer Sequences catalogs over 370,000 sequences. Many entries note when one sequence is the binomial transform of another.
\nOne favorite: A000079 (Powers of 2), 1, 2, 4, 8, 16, 32...
\n1 2 4 8 16 32\n 1 2 4 8 16\n 1 2 4 8\n 1 2 4\n 1 2\n 1\nEvery row is the same sequence. The difference table is self-similar because $2^n - 2^{n-1} = 2^{n-1}$ -- differencing just shifts the sequence. This is the table-level manifestation of the binomial transform pair we derived above: the all-ones sequence and the powers of 2 are transform partners.
\nThe connection between ordinary powers $x^n$ and the Newton basis $\\binom{x}{k}$ runs through the Stirling numbers.
\nThe Stirling number of the second kind, written $S(n,k)$ or $\\lbrace{n \\atop k}\\rbrace$ , counts the number of ways to partition a set of $n$ elements into exactly $k$ non-empty subsets.
\nFor example, $S(4,2) = 7$ : the set $\\lbrace a,b,c,d \\rbrace$ can be split into two non-empty parts in 7 ways ( $\\lbrace a | bcd \\rbrace$ , $\\lbrace b | acd \\rbrace$ , $\\lbrace c | abd \\rbrace$ , $\\lbrace d | abc \\rbrace$ , $\\lbrace ab | cd \\rbrace$ , $\\lbrace ac | bd \\rbrace$ , $\\lbrace ad | bc \\rbrace$ ).
\nThe connection to difference tables: applying $\\Delta^k$ to $x^n$ and evaluating at $x = 0$ gives
\n\n\n$$\\Delta^k x^n \\big|_{x=0} = \\sum_{j=0}^{k} \\binom{k}{j}(-1)^{k-j} j^n = S(n,k) \\cdot k!$$\n\nThe left side is the $k$ -th entry on the left edge of the difference table of the sequence $0^n, 1^n, 2^n, 3^n, \\ldots$ . Why does the right side equal $k! \\cdot S(n,k)$ ? Count surjections from $[n]$ to $[k]$ by inclusion-exclusion: $\\sum_{j=0}^{k} \\binom{k}{j}(-1)^{k-j} j^n$ counts functions minus those missing at least one target, plus those missing at least two, and so on. Each surjection is an ordered partition into $k$ non-empty blocks, and there are $k!$ orderings per partition. So the alternating sum equals $k! \\cdot S(n,k)$ , and the difference table of $n$ -th powers encodes Stirling numbers.
\nThis is why the change-of-basis formula works:
\n\n\n$$x^n = \\sum_{k=0}^{n} S(n,k) \\cdot k! \\cdot \\binom{x}{k} = \\sum_{k=0}^{n} S(n,k) \\cdot x^{\\underline{k}}$$\n\nTaking differences of a polynomial converts from the "power basis" to the "falling factorial basis," and the conversion coefficients are exactly the Stirling numbers of the second kind.
\nThe Stirling numbers of the first kind, written $s(n,k)$ or $\\left[{n \\atop k}\\right]$ (unsigned), perform the reverse conversion:
\n\n\n$$x^{\\underline{n}} = \\sum_{k=0}^{n} s(n,k) \\cdot (-1)^{n-k} \\cdot x^k$$\n\nTheir combinatorial meaning: $\\left[{n \\atop k}\\right]$ counts the number of permutations of $n$ elements with exactly $k$ cycles.
\nFor instance, $\\left[{4 \\atop 2}\\right] = 11$ : among the 24 permutations of $\\lbrace 1,2,3,4 \\rbrace$ , exactly 11 have two cycles. (Examples: $(1)(234)$ , $(12)(34)$ , etc.)
\nThe two kinds of Stirling numbers are inverses as change-of-basis matrices:
\n\n\n$$\\sum_{j} S(n,j) \\cdot s(j,k) \\cdot (-1)^{j-k} = \\delta_{nk}$$\n\nThis is the discrete analogue of the fact that differentiation and integration are inverse operations. The first kind converts from falling factorials to powers; the second kind converts from powers to falling factorials. Together they mediate between the two natural bases for polynomial sequences.
\nFor fixed $k$ , $S(n,k) \\sim \\frac{k^n}{k!}$ as $n \\to \\infty$ . The number of ways to partition a large set into $k$ blocks is approximately the number of surjections from $n$ to $k$ divided by $k!$ (correcting for block ordering). The Stirling numbers of the first kind have a more delicate asymptotic: $\\left[{n \\atop k}\\right] \\sim \\frac{n!}{n} \\cdot \\frac{(\\ln n)^{k-1}}{(k-1)!}$ for fixed $k$ , reflecting the logarithmic growth of the number of cycles in a random permutation.
\nThe Stirling numbers of the second kind for small $n$ , $k$ :
\nn\\k 0 1 2 3 4 5\n 0 1\n 1 0 1\n 2 0 1 1\n 3 0 1 3 1\n 4 0 1 7 6 1\n 5 0 1 15 25 10 1\nEach entry satisfies the recurrence $S(n,k) = k \\cdot S(n-1,k) + S(n-1,k-1)$ : either the $n$ -th element joins one of the $k$ existing subsets ( $k$ choices, hence the factor of $k$ ), or it starts a new subset of its own.
\nLet's verify the change-of-basis formula for $x^3$ . We need the Stirling numbers $S(3,1) = 1$ , $S(3,2) = 3$ , $S(3,3) = 1$ from the table above. The formula gives:
\n\n\n$$x^3 = S(3,1) \\cdot 1! \\cdot \\binom{x}{1} + S(3,2) \\cdot 2! \\cdot \\binom{x}{2} + S(3,3) \\cdot 3! \\cdot \\binom{x}{3}$$\n\n\n\n$$= 1 \\cdot x + 6 \\cdot \\frac{x(x-1)}{2} + 6 \\cdot \\frac{x(x-1)(x-2)}{6} = x + 3x(x-1) + x(x-1)(x-2)$$\n\nExpanding: $x + 3x^2 - 3x + x^3 - 3x^2 + 2x = x^3$ . Correct.
\nNotice that the coefficients $1! \\cdot S(3,1) = 1$ , $2! \\cdot S(3,2) = 6$ , $3! \\cdot S(3,3) = 6$ are exactly the left edge values of the difference table of $0^3, 1^3, 2^3, 3^3, \\ldots$ (which is $0, 1, 6, 6, 0, \\ldots$ starting from $a_0 = 0^3 = 0$ ). The Stirling numbers are encoded in the difference table, waiting to be read off.
\nBefore computers, mathematical tables (logarithms, trigonometric functions, actuarial tables) were computed by hand and checked by differencing. If you have a table of $\\sin(x)$ at equally spaced points and the fourth differences are nearly constant, you know the interpolation is accurate to the corresponding degree. Any entry that produces an anomalous difference is a transcription error.
\nCharles Babbage designed his Difference Engine (1822) specifically to automate this: it computed polynomial functions by repeated addition, implementing Newton's formula mechanically. The machine had no multiplication unit---it didn't need one, because the difference method reduces polynomial evaluation to addition.
\nThe method was still in active use well into the 20th century. The Handbook of Mathematical Functions (Abramowitz and Stegun, 1964) includes extensive difference tables for standard functions, and its introduction describes differencing as the primary method for verifying table accuracy. The British Nautical Almanac Office employed human "computers" who differenced tables by hand until the 1950s.
\nThe connection to error detection is worth emphasizing. A single transcription error in a table entry produces a localized spike in the difference table---the error propagates through subsequent differences but with a characteristic signature (binomial coefficients with alternating signs). An experienced table-maker could spot and localize an error by inspecting the difference columns, a technique that predates modern error-correcting codes by two centuries.
\nThe most immediate application: if you encounter a sequence and want to know whether a polynomial generates it, compute the difference table. If the $k$ -th row is constant, the sequence is a polynomial of degree $k$ and Newton's formula gives you the closed form immediately.
\nThis is not limited to pure mathematics. Physical quantities that depend polynomially on a parameter (projectile height vs. time, area vs. length) can be identified by differencing a table of measurements. The method is more numerically stable than fitting a polynomial by least squares when the data points are equally spaced, because it avoids solving a Vandermonde system.
\nA concrete use case: the sum of $k$ -th powers, $S_k(n) = 1^k + 2^k + \\cdots + n^k$ , is always a polynomial of degree $k+1$ in $n$ . You can discover this experimentally by computing $S_k(n)$ for $n = 0, 1, 2, \\ldots$ and differencing. For $k = 2$ : the sequence $0, 1, 5, 14, 30, 55, 91$ has constant third differences (equal to 2), confirming degree 3. The left edge is $0, 1, 3, 2$, giving $S_2(n) = \\binom{n}{1} + 3\\binom{n}{2} + 2\\binom{n}{3} = n + \\frac{3n(n-1)}{2} + \\frac{n(n-1)(n-2)}{3} = \\frac{n(n+1)(2n+1)}{6}$ .
\nIn competitive programming and puzzle mathematics, the "difference table test" is a standard first move when encountering an unfamiliar integer sequence.
\nThe Euler-Maclaurin formula connects discrete sums to integrals:
\n\n\n$$\\sum_{k=0}^{n} f(k) = \\int_0^n f(x)\\,dx + \\frac{f(0) + f(n)}{2} + \\sum_{j=1}^{p} \\frac{B_{2j}}{(2j)!}\\left(f^{(2j-1)}(n) - f^{(2j-1)}(0)\\right) + R_p$$\n\nwhere $B_{2j}$ are Bernoulli numbers and $R_p$ is a remainder term. The formula emerges from the operator identity
\n\n\n$$\\sum_{k=0}^{n} = \\frac{E^{n+1} - I}{E - I} = \\frac{E^{n+1} - I}{\\Delta}$$\n\nand the formal expansion of $\\Delta^{-1}$ in terms of the differential operator $D = \\frac{d}{dx}$ via $\\Delta = e^D - 1$ , giving $\\Delta^{-1} = D^{-1} - \\frac{1}{2} + \\frac{B_2}{2!}D - \\frac{B_4}{4!}D^3 + \\cdots$ . This is the operator-theoretic bridge between finite differences and continuous calculus.
\nThe formula is useful in practice. It gives the asymptotic expansion of the harmonic numbers ( $\\sum 1/k \\approx \\ln n + \\gamma + \\frac{1}{2n} - \\frac{1}{12n^2} + \\cdots$ ), Stirling's approximation for $n!$ , and sharp estimates of partial sums of $\\zeta(s)$ . The error term $R_p$ can be bounded explicitly, making Euler-Maclaurin the standard tool for converting discrete sums into integrals plus computable corrections.
\n(The following section uses contour integration from complex analysis. If that's not familiar, skip to Umbral Calculus below -- it doesn't depend on this material.)
\nMany alternating sums in combinatorics have the form
\n\n\n$$\\sum_{k=0}^{n} \\binom{n}{k} (-1)^k f(k)$$\n\nwhich is exactly $\\Delta^n f(0)$ . When $f$ is a "nice" function (meromorphic, polynomial growth), the Norlund-Rice integral gives a contour integral representation:
\n\n\n$$\\sum_{k=0}^{n} \\binom{n}{k} (-1)^k f(k) = \\frac{(-1)^n}{2\\pi i} \\oint \\frac{n!\\, f(z)}{z(z-1)\\cdots(z-n)}\\,dz$$\n\nThe contour encloses $0, 1, \\ldots, n$ . The representation converts a discrete alternating sum into a contour integral evaluable by residues, yielding closed forms or sharp asymptotics.
\nAs an example, consider $f(k) = 1/(k+1)$ . The alternating sum $\\sum_{k=0}^{n} \\binom{n}{k} \\frac{(-1)^k}{k+1}$ equals $\\frac{1}{n+1}$ . The contour integral gives this directly: the integrand is $\\frac{(-1)^n n!}{(k+1) \\cdot z(z-1)\\cdots(z-n)}$ . Besides the poles at $z = 0, 1, \\ldots, n$ (which reconstruct the sum), there is a pole at $z = -1$ from $f(z) = 1/(z+1)$ . Deforming the contour to pick up only this pole, the residue at $z = -1$ is $\\frac{(-1)^n n!}{(-1)(-2)\\cdots(-1-n)} = \\frac{(-1)^n n!}{(-1)^{n+1}(n+1)!} = \\frac{-1}{n+1}$ , which after the $(-1)^n / (2\\pi i)$ prefactor and the contour orientation gives $1/(n+1)$ .
\nFlajolet and Sedgewick use this extensively in Analytic Combinatorics for the analysis of algorithms---average-case complexity of search trees, hashing, and digital structures often reduces to alternating sums over binomial coefficients. The connection to difference tables is direct: the alternating sum $\\sum \\binom{n}{k}(-1)^k f(k)$ is nothing but $\\Delta^n f(0)$ , the $n$ -th entry on the left edge of the difference table of $(f(0), f(1), f(2), \\ldots)$ .
\nThere is a strange algebraic trick that has been making mathematicians uncomfortable since the 19th century. Write $B^n$ as a formal symbol, and impose the rule that after expanding any expression, you "lower the index": replace $B^n$ with $B_n$ , the $n$ -th Bernoulli number. Then identities like
\n\n\n$$(B+1)^n = B^n \\quad (n \\geq 2)$$\n\nhold, where both sides are evaluated by the lowering rule. This is the umbral calculus (from the Latin umbra, shadow): treat sequence indices as if they were exponents.
\nTo see the lowering rule in action, verify the identity $(B+1)^3 = B^3$ . Expand the left side by the binomial theorem: $(B+1)^3 = B^3 + 3B^2 + 3B^1 + B^0$ . Now lower indices: $B_3 + 3B_2 + 3B_1 + B_0$ . The Bernoulli numbers are $B_0 = 1$ , $B_1 = -1/2$ , $B_2 = 1/6$ , $B_3 = 0$ . So the left side becomes $0 + 3 \\cdot \\frac{1}{6} + 3 \\cdot (-\\frac{1}{2}) + 1 = \\frac{1}{2} - \\frac{3}{2} + 1 = 0 = B_3$ . It works because the Bernoulli numbers satisfy the recurrence $\\sum_{k=0}^{n} \\binom{n}{k} B_k = B_n$ for $n \\ge 2$ ---which is exactly what $(B+1)^n = B^n$ says after lowering.
\nWhy does this work systematically? Rota (1970s) observed that the lowering rule is a linear functional $L$ on polynomials defined by $L[x^n] = B_n$ . The "umbral identity" $(B+1)^n = B^n$ is really $L[(x+1)^n] = L[x^n]$ , which holds because the Bernoulli numbers are defined by exactly this shift relation. The trick generalizes: any sequence $(a_n)$ defines a linear functional $L[x^n] = a_n$ , and identities among the $a_n$ become polynomial identities under $L$ .
\nWhat does this buy us beyond a notational trick? It lets you derive identities mechanically. For instance, Faulhaber's formula for $\\sum_{k=0}^{n-1} k^p$ (sums of powers) follows in one line: write the sum as $\\Delta^{-1} x^p \\big|_0^n$ , convert $x^p$ to the falling factorial basis using Stirling numbers (which the umbral calculus handles via the "lowering" of the Bell polynomial), and read off the Bernoulli coefficients. The result:
\n\n\n$$\\sum_{k=0}^{n-1} k^p = \\frac{1}{p+1} \\sum_{j=0}^{p} \\binom{p+1}{j} B_j \\, n^{p+1-j}$$\n\nThis is what $(B + n)^{p+1} - B^{p+1} = (p+1) \\sum k^p$ says after lowering -- the entire derivation is one application of the binomial theorem followed by the lowering rule. Without the umbral calculus, deriving Faulhaber's formula requires either Euler-Maclaurin summation or induction on $p$ , both of which are longer.
\nThe connection to difference tables is direct. The forward difference operator $\\Delta$ satisfies $\\Delta x^{\\underline{n}} = n \\cdot x^{\\underline{n-1}}$ , mirroring $\\frac{d}{dx} x^n = n x^{n-1}$ . Newton's forward difference formula is the expansion of a polynomial in the basis $\\binom{x}{n} = x^{\\underline{n}}/n!$ , just as Taylor's theorem expands in the basis $x^n/n!$ . This is not a coincidence: both $\\Delta$ and $d/dx$ are examples of operators that reduce polynomial degree by 1 and commute with shifts, and any such operator produces its own "Taylor expansion" with its own natural basis. The difference table is the discrete instance of this structure.
\nHere's a sequence: 2, 5, 10, 17, 26, 37, ...
\nBuild its difference table. What degree polynomial generates it? Can you find the formula?
\n2 5 10 17 26 37\n 3 5 7 9 11\n 2 2 2 2\n 0 0 0\nSecond differences are constant, so it's quadratic.
\nLeft edge: 2, 3, 2. Using Newton's formula:
\n\n\n$$a_n = 2\\binom{n}{0} + 3\\binom{n}{1} + 2\\binom{n}{2} = 2 + 3n + n(n-1) = n^2 + 2n + 2$$\n\nCheck: $a_0 = 2$ , $a_1 = 5$ , $a_2 = 10$ . Correct.
\nMahler (1958) proved that every continuous function $f: \\mathbb{Z}_p \\to \\mathbb{Q}_p$ on the $p$ -adic integers has a unique expansion
\n\n\n$$f(x) = \\sum_{n=0}^{\\infty} \\Delta^n f(0) \\cdot \\binom{x}{n}$$\n\nand this series converges for all $x \\in \\mathbb{Z}_p$ if and only if $\\Delta^n f(0) \\to 0$ in the $p$ -adic absolute value. This is the same Newton series formula, but the convergence condition is $p$ -adic rather than archimedean.
\nA concrete example: consider $f(x) = (-1)^x$ as a function on $\\mathbb{Z}_2$ (the 2-adic integers). Its difference table has $\\Delta^n f(0) = \\sum_k \\binom{n}{k}(-1)^{n-k}(-1)^k = \\sum_k \\binom{n}{k}(-1)^n(-2)^k...$ ---more simply, $\\Delta f(0) = f(1) - f(0) = -2$ , $\\Delta^2 f(0) = f(2) - 2f(1) + f(0) = 1 + 2 + 1 = 4$ , $\\Delta^3 f(0) = -8$ , and in general $\\Delta^n f(0) = (-2)^n$ . In the real numbers, $|(-2)^n| \\to \\infty$ , so the Newton series diverges. But 2-adically, $|(-2)^n|_2 = 2^{-n} \\to 0$ , so the series converges. The function $(-1)^x$ , which makes no sense for non-integer real arguments, extends continuously to all of $\\mathbb{Z}_2$ via its difference table.
\nOver $\\mathbb{F}_p$ , Fermat's little theorem gives $a^p \\equiv a \\pmod{p}$ for all $a$ . This means $\\Delta^p f(x) = f(x+p) - \\binom{p}{1}f(x+p-1) + \\cdots + (-1)^p f(x) \\equiv f(x+p) - f(x) \\pmod{p}$ since $\\binom{p}{k} \\equiv 0 \\pmod{p}$ for $0 < k < p$ . So $\\Delta^p = E^p - I$ over $\\mathbb{F}_p$ ---the $p$ -th difference operator "wraps around" to a single shift.
\nThis periodicity means that over finite fields, difference tables are eventually periodic rather than eventually zero. Over $\\mathbb{F}_p$ , every function from $\\mathbb{F}_p$ to $\\mathbb{F}_p$ is polynomial (there are $p^p$ functions and $p^p$ polynomials of degree $< p$ , and they're all distinct). So Newton's formula works perfectly, but you only need terms up to $\\binom{x}{p-1}$ . The "degree" of a polynomial over a finite field is bounded by $p-1$ , no matter what it looks like symbolically.
\nThe theory connects to Lucas's theorem on binomial coefficients mod $p$ : $\\binom{m}{n} \\equiv \\prod_i \\binom{m_i}{n_i} \\pmod{p}$ where $m_i, n_i$ are the base- $p$ digits. This gives the fractal structure of Pascal's triangle mod $p$ (the Sierpinski triangle for $p = 2$ ) and explains the periodic structure of difference tables over finite fields.
\nThe forward difference operator $\\Delta$ diagonalizes nicely under the discrete Fourier transform. If $\\hat{f}(k) = \\sum_{j=0}^{N-1} f(j) \\omega^{-jk}$ with $\\omega = e^{2\\pi i/N}$ , then $\\widehat{\\Delta f}(k) = (\\omega^k - 1)\\hat{f}(k)$ . So $\\Delta$ is multiplication by $\\omega^k - 1$ in frequency space.
\nThis means the difference table of a sequence is intimately related to its spectral decomposition. The eigenvalues $\\omega^k - 1$ of $\\Delta$ on $\\mathbb{C}^N$ determine how quickly each Fourier mode decays under repeated differencing. The constant sequences (zero frequency) are annihilated by $\\Delta^1$ ; sequences with low-frequency content are annihilated by low-order differences; high-frequency components persist the longest.
\nFor a polynomial of degree $d$ , the Fourier coefficients decay fast enough that $\\Delta^{d+1}$ annihilates the sequence. For non-polynomial sequences, the Fourier perspective explains why the difference table doesn't terminate: the high-frequency content never vanishes under the multiplication-by- $(\\omega^k - 1)$ map.
\nA practical consequence: each application of $\\Delta$ multiplies the $k$ -th Fourier mode by $|\\omega^k - 1|$ . At the Nyquist frequency $k = N/2$ , this factor is 2. After $n$ applications of $\\Delta$ , the Nyquist component is amplified by $2^n$ . This is why differencing a noisy empirical sequence more than a few times produces garbage---and why Babbage's Difference Engine was designed for exact integer arithmetic, not floating-point approximation.
\nGraham, R.L., Knuth, D.E., and Patashnik, O. Concrete Mathematics: A Foundation for Computer Science. 2nd ed. Addison-Wesley, 1994. Chapters 2 and 5 cover difference operators, Stirling numbers, and the Newton basis systematically.
\nJordan, C. Calculus of Finite Differences. 3rd ed. Chelsea, 1965. The classical reference. Encyclopedic coverage of difference operators, interpolation, summation, and their applications.
\nRoman, S. The Umbral Calculus. Academic Press, 1984. Rota's program made rigorous. Sheffer sequences, delta operators, and the algebraic foundations of the calculus of finite differences.
\nRiordan, J. Combinatorial Identities. Wiley, 1968. The working reference for binomial transform identities and their combinatorial proofs.
\nFlajolet, P. and Sedgewick, R. Analytic Combinatorics. Cambridge University Press, 2009. Chapter III covers the Norlund-Rice integral and its applications to the analysis of algorithms.
\nKnuth, D.E. The Art of Computer Programming, Vol. 1. 3rd ed. Addison-Wesley, 1997. Section 1.2.6 covers finite differences and their use in numerical computation.
\nBoole, G. A Treatise on the Calculus of Finite Differences. 2nd ed. Macmillan, 1872. The first systematic treatment. Available on the Internet Archive.
\nMahler, K. "An interpolation series for continuous functions of a $p$ -adic variable." Journal fur die reine und angewandte Mathematik, 199:23--34, 1958.
\nStanley, R.P. Enumerative Combinatorics, Vol. 1. 2nd ed. Cambridge University Press, 2012. Chapter 1 covers Stirling numbers and their combinatorial interpretations in full generality.
\nGoldberg, S. Introduction to Difference Equations. Dover, 1986. Accessible introduction with applications to economics and population dynamics.
\nOEIS Wiki: Transforms. Living reference for binomial transforms and their relationships across the OEIS.
\nSpivey, M.Z. "The Euler-Maclaurin formula and sums of powers." Mathematics Magazine, 79(1):61--65, 2006. A clean derivation of Euler-Maclaurin via the operator formalism.
\nEvery production WiFi monitoring tool hops channels the same way it did in 2006: cycle through a fixed list, dwell for 250ms, repeat. Can we do better by treating channel selection as a learning problem?
\n\nThe 2.4 GHz band has 14 channels (11 in the US), each 22 MHz wide, spaced 5 MHz apart. Only channels 1, 6, and 11 are non-overlapping -- the rest bleed into their neighbors. This overlap is not a minor technicality; it's the central complication in any channel selection scheme.
\nThe 5 GHz band is wider and cleaner: channels are 20 MHz wide with no overlap at the base width. UNII-1 through UNII-3 give roughly 25 non-overlapping channels. DFS (Dynamic Frequency Selection) channels add another ~15 but require radar detection, which complicates monitor mode.
\nWiFi 6E and 7 opened the 6 GHz band: 59 new 20 MHz channels in the US (the full 1200 MHz from 5925 to 7125 MHz). This changes the problem's character entirely. With 14 channels, a static schedule visits each one every 3.5 seconds. With 59 channels, the same schedule takes 14.75 seconds -- long enough to miss transient devices, short-lived connections, and bursty traffic patterns.
\nA wireless NIC in monitor mode receives raw 802.11 frames without associating to any access point. The kernel exposes each frame with a radiotap header containing metadata: signal strength, data rate, channel, and flags.
\niw dev wlan0 set channel 6 # tune to channel 6\nsleep 0.25 # dwell for 250ms\niw dev wlan0 set channel 1 # hop to channel 1\nDuring each dwell, we observe some number of packets. Between dwells, the channel switch costs 15--60ms of dead time on typical hardware. USB chipsets are worse: the MT7612U averages 140ms per switch, and the RT5572 hits 450ms under load[1]. These switching costs are real -- at 250ms dwell with 100ms switching overhead, you lose 29% of observation time to transitions.
The question: which channel should we hop to next, and for how long?
\nThe multi-armed bandit (MAB) is the simplest formalization of the explore-exploit tradeoff. You face $K$ slot machines (arms), each with an unknown reward distribution. At each time step you pull one arm and observe a reward. The goal is to maximize cumulative reward, or equivalently, minimize regret: the gap between what you earned and what you would have earned always pulling the best arm.
\nLai and Robbins (1985) established the fundamental lower bound: for any consistent policy, the expected number of times a suboptimal arm $i$ is pulled must grow at least as $\\ln T / d(\\lambda_i, \\lambda^*)$ , where $d$ is the KL divergence between the suboptimal and optimal arm distributions[2]. The intuition: the KL divergence $d(\\lambda_i, \\lambda^*)$ measures how many samples you need to statistically distinguish arm $i$ from the best arm. Arms that are nearly as good as the best require many pulls before you can confidently stop pulling them, so they contribute more regret. No algorithm can do better than logarithmic regret. The algorithms below differ in how tightly they approach this bound and how they handle the practical complications of WiFi monitoring.
\nairodump-ng hops through an interleaved sequence {1, 7, 13, 2, 8, 3, 14, 9, 4, 10, 5, 11, 6, 12} with a fixed 250ms dwell. The interleaving maximizes frequency distance between consecutive hops -- channel 1 at 2412 MHz to channel 7 at 2442 MHz is a 30 MHz gap, well past the 22 MHz channel width. No adaptation.
Kismet hops at 5 Hz (200ms dwell), reasoning from the Nyquist theorem: APs beacon at ~10/sec, so 5 hops/sec captures at least one beacon per AP. It supports manual per-channel weights (channellist=1:3,6:3,11:3,2,3,4,5,7,8,9,10 to spend 3x time on the three non-overlapping 2.4 GHz channels) and splits channel lists across multiple interfaces automatically.
WiFi Explorer Pro is the only commercial tool with adaptive behavior: it halves dwell time to 60ms on channels where no 802.11 activity was detected in the last scan.
\ntshark/dumpcap does basic round-robin through a channel list with configurable dwell. No adaptation, no interleaving. The typical invocation cycles 1 through 11 sequentially.
Nobody uses a learning algorithm. The gap between what practitioners have asked for (airodump-ng issue #119, 2007: "dwell longer on channels with traffic") and what tools provide has been open for nearly two decades.
We have $K$ channels. At each time step $t$ , we pick a channel $a_t \\in \\{1, \\ldots, K\\}$ , dwell, and observe a reward $r_{a_t}^{(t)}$ -- the number of packets captured.
\nThe standard MAB goal is to minimize cumulative regret: the gap between what we earned and what we would have earned always picking the best channel.
\n\n\n$$R_T = \\sum_{t=1}^{T} r_{a^*}^{(t)} - r_{a_t}^{(t)}$$\n\nwhere $a^* = \\arg\\max_i \\mathbb{E}[r_i]$ is the channel with highest expected packet rate.
\n| MAB concept | \nWiFi monitoring | \n
|---|---|
| Arm $i$ | \nChannel $i$ (e.g., 2.4 GHz channel 6) | \n
| Pull arm $i$ | \nDwell on channel $i$ for one interval | \n
| Reward $r_i$ | \nNumber of packets captured during dwell | \n
| Reward distribution | \n$\\text{Poisson}(\\lambda_i)$ -- independent frame arrivals | \n
| Best arm $a^*$ | \nChannel with highest traffic rate | \n
| Regret | \nPackets missed by not dwelling on the best channel | \n
| Switching cost | \nDead time during channel change (15--450ms) | \n
| Non-stationarity | \nDevices join/leave, traffic shifts over hours | \n
The standard stochastic MAB assumes independent arms with stationary reward distributions. Both assumptions are violated in WiFi monitoring:
\nStationarity. Traffic is bursty. Devices join and leave the network. A channel that was quiet at 2 AM will be busy at 10 AM. The Poisson rate $\\lambda_i$ changes over time, which means an algorithm that converges to a single channel will eventually be wrong.
\nIndependence. Dwelling on channel 6 picks up packets from channels 5 and 7 due to spectral overlap. The reward from one arm depends on the true state of adjacent arms. This violates the independent-arms assumption and biases naive estimators.
\nWe address non-stationarity with sliding-window extensions (see below) and independence with a cross-channel leakage model.
\nIn practice, dwelling on channel $i$ picks up some packets from adjacent channels $j$ due to spectral overlap. If we observe counts $\\{o_{ij}\\}$ while dwelling on channel $i$ , the naive reward counts everything:
\n\n\n$$r_i^{(t)} = \\sum_j o_{ij}^{(t)}$$\n\nThis leakage means channels aren't truly independent arms. We'll return to this in the mixture model section.
\nVisit each channel in round-robin order with equal dwell time. This is what airodump-ng does (modulo the interleaving order).
If channel $a^*$ has rate $\\lambda^*$ and the average rate across channels is $\\bar{\\lambda}$ , uniform hopping incurs linear regret:
\n\n\n$$R_T = T \\cdot (\\lambda^* - \\bar{\\lambda})$$\n\nRegret grows linearly with time because we never stop exploring channels with low traffic. The advantage is coverage: every channel gets visited, so no device goes undetected.
\nThe simplest adaptive policy: with probability $\\varepsilon$ , pick a random channel (explore); otherwise, pick the channel with highest observed mean (exploit).
\n\n\n$$a_t = \\begin{cases} \\arg\\max_i \\hat{\\lambda}_i & \\text{with probability } 1-\\varepsilon \\\\ \\text{Uniform}(\\{1,\\ldots,K\\}) & \\text{with probability } \\varepsilon \\end{cases}$$\n\nWith fixed $\\varepsilon$ , regret is linear: $R_T = O(\\varepsilon T)$ since the exploration fraction never decays. With a decaying schedule $\\varepsilon_t = \\min(1, cK / (d^2 t))$ for suitable constants $c, d$, the regret becomes $O(K \\ln T)$ [3].
\nEpsilon-greedy is easy to implement and understand. Its weakness is that exploration is undirected -- it wastes pulls on channels that are clearly bad. UCB and Thompson Sampling fix this by exploring where uncertainty is highest.
Upper Confidence Bound selects the channel that maximizes the sample mean plus an exploration bonus:
\n\n\n$$a_t = \\arg\\max_i \\left[ \\hat{\\lambda}_i + \\sqrt{\\frac{2 \\ln t}{n_i}} \\right]$$\n\nwhere $\\hat{\\lambda}_i$ is the average packet count on channel $i$ and $n_i$ is the number of times we've dwelled there.
\nThe exploration term $\\sqrt{2 \\ln t / n_i}$ shrinks as a channel is visited more, so UCB1 naturally shifts from exploration to exploitation. The intuition: we're optimistic in the face of uncertainty. A channel we haven't visited much gets a large bonus, so we'll try it. Once we've seen enough to know it's bad, the bonus can't save it.
The regret bound comes from applying Hoeffding's inequality to the confidence width. For sub-Gaussian rewards (which includes bounded packet counts):
\n\n\n$$R_T \\le \\sum_{i: \\lambda_i < \\lambda^*} \\frac{8 \\ln T}{\\Delta_i} + \\left(1 + \\frac{\\pi^2}{3}\\right) \\sum_i \\Delta_i$$\n\nwhere $\\Delta_i = \\lambda^* - \\lambda_i$ is the gap between channel $i$ and the best channel[3:1].
\nFor the 14-channel simulation with $T = 10{,}000$ steps and gaps $\\Delta_i$ ranging from 5 to 40 packets/dwell, the dominant term $\\sum 8 \\ln T / \\Delta_i$ evaluates to roughly 150 -- total regret of 150 packets out of a potential 500,000 (the best channel producing ~50 packets/dwell for 10,000 steps). That is 0.03% loss from the optimal policy, compared to uniform hopping's ~40% loss.
\nWhy $\\ln T / \\Delta_i$ ? The UCB selects arm $i$ only while $\\hat{\\lambda}_i + \\sqrt{2 \\ln t / n_i} \\ge \\hat{\\lambda}^*$ , which (by Hoeffding) happens with probability $\\exp(-n_i \\Delta_i^2 / 2)$ . Setting this equal to $1/t$ and solving gives $n_i \\approx 2 \\ln t / \\Delta_i^2$ pulls before the bound tightens enough to exclude arm $i$ . Each of those pulls costs $\\Delta_i$ regret, giving total contribution $\\approx 2 \\ln T / \\Delta_i$ . This is logarithmic in $T$ -- the key improvement over uniform.
\nFor Poisson-distributed packet counts, KL-UCB gives tighter bounds by exploiting the distribution structure. It selects the channel maximizing $\\lambda$ subject to $n_i \\cdot d(\\hat{\\lambda}_i, \\lambda) \\le \\ln t$ , where $d$ is the Poisson KL divergence:
This matches the Lai-Robbins lower bound asymptotically[4]. The improvement over UCB1 is not just theoretical: when packet counts follow a Poisson distribution (a reasonable model for independent frame arrivals), KL-UCB converges to the optimal channel in fewer samples because the Poisson KL divergence is tighter than the sub-Gaussian bound that UCB1 uses.
Rather than constructing a confidence bound, Thompson Sampling maintains a posterior distribution over each channel's packet rate and samples from it.
\nModel packet counts as Poisson with unknown rate: $r_i \\sim \\text{Poisson}(\\lambda_i)$ . The conjugate prior for a Poisson rate is the Gamma distribution:
\n\n\n$$\\lambda_i \\sim \\text{Gamma}(\\alpha_i, \\beta_i)$$\n\nInitialize with a weak prior: $\\alpha_i = 1, \\beta_i = 1$ for all channels (prior mean of 1 packet per dwell).
\nAt each step:
\nThe posterior mean $\\alpha_i / \\beta_i$ converges to the true rate $\\lambda_i$ . Channels with uncertain estimates (wide posterior) are sampled from more variably, which drives exploration. Channels with well-estimated low rates rarely produce a high sample, so they're naturally avoided.
\nThe regret bound matches KL-UCB asymptotically[5]:
Why does this match the Lai-Robbins lower bound? The posterior concentrates around the true rate at rate $1/\\sqrt{n_i}$ , so the probability of sampling a rate higher than $\\lambda^*$ from a suboptimal arm decays as $\\exp(-n_i \\cdot d(\\lambda_i, \\lambda^*))$ . The expected number of pulls before this probability becomes negligible is $\\ln T / d(\\lambda_i, \\lambda^*)$ , matching the information-theoretic minimum.
\nIn empirical evaluations, Thompson Sampling matches or beats UCB1 in cumulative reward and convergence speed[4:1]. It's also simpler to implement: the update is two additions, and sampling from a Gamma distribution is a standard library call.
import numpy as np\n\nclass ThompsonChannelHopper:\n def __init__(self, K):\n self.alpha = np.ones(K) # Gamma shape\n self.beta = np.ones(K) # Gamma rate\n\n def select(self):\n samples = np.random.gamma(self.alpha, 1.0 / self.beta)\n return np.argmax(samples)\n\n def update(self, channel, packets):\n self.alpha[channel] += packets\n self.beta[channel] += 1\nPure regret minimization converges to a single channel -- the one with highest traffic. For passive monitoring, this is unacceptable: we need to see devices on all channels, not just the busiest one.
\nOne approach is an entropy-regularized reward. Define a modified objective:
\n\n\n$$r^\\star_i = (1 - \\gamma) \\frac{r_i}{\\sum_j r_j} + \\gamma H(p)$$\n\nwhere $H(p) = -\\sum_i p_i \\ln p_i$ is the entropy of the channel visit distribution and $\\gamma \\in [0, 1]$ controls the diversity-exploitation tradeoff. At $\\gamma = 0$ , this reduces to pure exploitation. At $\\gamma = 1$ , it reduces to uniform exploration.
\nThis has theoretical grounding: Zimmert and Seldin (2021) showed that Tsallis entropy regularization with $\\alpha = 1/2$ achieves $O(\\sqrt{KT})$ regret in adversarial settings and $O(\\ln T / \\Delta)$ in stochastic settings simultaneously[6]. In the WiFi context, this means the entropy bonus helps when traffic is non-stationary (devices joining and leaving) without sacrificing convergence when traffic is stable.
\nA simpler practical alternative: impose a minimum dwell floor. Visit every channel at least once per sweep (the Kismet model), then allocate remaining time proportional to learned rates. This gives coverage guarantees without modifying the reward.
\nConcretely: in each round of $K$ steps, dedicate one step per channel (the "floor"), then allocate the remaining $T - K$ steps using Thompson Sampling. The coverage guarantee is exact: every channel gets at least $T/K$ visits. The regret cost of the floor is at most $K \\cdot \\Delta_{\\max}$ per round, which is constant overhead.
\nA more principled version: minimize regret subject to a minimum visit frequency per channel. This falls under the constrained bandit framework. Define $f_i = n_i / T$ as the fraction of time spent on channel $i$ . The constraint is $f_i \\ge f_{\\min}$ for all $i$ .
\nBadanidiyuru et al. (2013) give an algorithm for bandits with knapsack constraints that achieves $O(\\sqrt{T})$ regret while satisfying the constraints[7]. The WiFi application is a special case where the constraint is a lower bound on each arm's pull frequency.
\nReal WiFi traffic is non-stationary. The Poisson rates $\\lambda_i(t)$ drift as devices join and leave, as usage patterns shift through the day, and as interference from neighboring networks changes. An algorithm that converges to a fixed channel allocation will eventually be wrong.
\nGarivier and Moulines (2011) proposed Sliding-Window UCB (SW-UCB): instead of using all historical observations, compute the sample mean and confidence bound using only the last $\\tau$ observations[8]:
where $\\hat{\\lambda}_{i,\\tau}$ and $n_{i,\\tau}$ are the mean and count using only the window $[t-\\tau, t]$ .
\nThe window size $\\tau$ controls the bias-variance tradeoff: a short window reacts quickly to changes but has high variance; a long window is stable but slow to adapt. For WiFi monitoring with traffic that shifts on the scale of minutes, $\\tau$ in the range of 100--500 steps (25--125 seconds at 250ms dwell) is reasonable.
\nAn alternative: instead of a hard window, apply exponential discounting to the Gamma posterior. Replace the update rule with:
\n\n\n$$\\alpha_{a_t} \\leftarrow \\delta \\cdot \\alpha_{a_t} + c, \\qquad \\beta_{a_t} \\leftarrow \\delta \\cdot \\beta_{a_t} + 1$$\n\nwhere $\\delta \\in (0, 1)$ is the discount factor. This exponentially down-weights old observations, making the posterior responsive to recent traffic. At $\\delta = 1$ , this reduces to standard Thompson Sampling. At $\\delta = 0.99$ with 250ms dwell, the effective memory is roughly $1/(1-\\delta) = 100$ steps or 25 seconds.
\nRaj and Kalyani (2017) proved that discounted Thompson Sampling achieves near-optimal regret in piecewise-stationary environments, with a regret bound that depends on the number of change points rather than the time horizon[9].
\nConsider three 2.4 GHz channels: 1, 6, and 11. While dwelling on channel 6, you might observe 40 packets from channel 6, 8 from channel 5, and 3 from channel 7. The "leakage" weights $w_{ij}$ capture this: $w_{6,6} \\approx 1.0$ , $w_{6,5} \\approx 0.2$ , $w_{6,7} \\approx 0.07$ . The weights decay roughly with frequency distance.
\nIn general, dwelling on channel $i$ gives us counts $o_{ij}$ from each source channel $j$ . The total reward is $r_i = \\sum_j o_{ij} = \\sum_j w_{ij} x_j$ , where $x_j \\sim \\text{Poisson}(\\lambda_j)$ is the true traffic rate on channel $j$ and $w_{ij}$ is the overlap weight.
\nThe simplest correction: if the overlap weight matrix $W$ is known (and for the 2.4 GHz band, it is approximately determined by the channel frequency layout -- 20 MHz channels spaced 5 MHz apart give a predictable overlap function), then deconvolve before updating. The observation vector $\\mathbf{o}_i = W_i \\boldsymbol{\\lambda}$ is a linear mixture; solving $\\hat{\\boldsymbol{\\lambda}} = W^{-1} \\mathbf{o}_i$ (or a regularized variant, since $W$ is ill-conditioned for closely-spaced channels) recovers estimates of the per-channel rates. In the common case where only three non-overlapping channels carry most traffic (1, 6, 11 in 2.4 GHz), $W$ is nearly diagonal and the correction reduces to simple rescaling. Update the Gamma posterior on each $\\lambda_j$ with the deconvolved count. This is cheap and effective when the geometry is stable.
\nWhen the weights are not known -- for instance, in indoor environments where multipath reflections and non-line-of-sight propagation distort the overlap pattern -- the weights themselves must be learned. This can be handled with a Bayesian model over the weight matrix (e.g., a Normal-Inverse-Wishart prior on the rows of $W$ , updated jointly with the Gamma priors on $\\lambda_j$ ). The machinery is standard conjugate Bayesian inference[10], but the convergence is slower because you are learning $K^2$ weights alongside $K$ rates. In practice, the known-geometry approximation is usually sufficient for the 2.4 GHz and 5 GHz bands.
\nThe channel hopping problem sits at an intersection of several research communities that don't talk to each other much.
\nCognitive radio and dynamic spectrum access. The CR literature has studied bandit-based channel selection extensively, but for transmitting, not monitoring. Jouini et al. (2010) applied UCB to opportunistic spectrum access where a secondary user must find unused spectrum[11]. Anandkumar et al. (2011) extended this to multi-user coordination, where multiple radios must independently select different channels without communication[12]. The monitoring problem is simpler (no coordination, no transmission constraints) but has the diversity requirement that CR work ignores.
Network measurement. The systems community has studied WiFi monitoring from a measurement perspective. Schulman et al. (2008) analyzed the statistical properties of channel scanning for network surveys[13]. The focus is on coverage metrics (fraction of APs detected) rather than sequential decision-making. Their finding -- that 30 seconds per channel suffices for 95% AP detection -- motivates the bandit approach: if most information arrives in the first few seconds, we should allocate time adaptively.
\nRestless bandits. When channels have state that evolves while unobserved (traffic arrives whether or not we're listening), the problem is formally a restless bandit. Whittle (1988) proposed an index policy for restless bandits that generalizes the Gittins index[14]. Computing the Whittle index is tractable for certain transition structures, including the binary (active/idle) channel model used in CR. Whether it applies to the Poisson traffic model in WiFi monitoring is an open question.
\n![\"Three-panel](\"https://attobop.net/posts/channel-hopping/bandit_comparison.png\")
\n In this high-rate Poisson regime, UCB1 outperforms Thompson Sampling because the Poisson variance scales with the mean -- the posterior updates for high-rate channels are noisier, causing TS to explore the top few channels longer before committing. Both achieve sublinear regret; both vastly outperform uniform.
6 GHz channel explosion. With 59 channels in 6 GHz alone (plus 14 in 2.4 GHz and ~25 in 5 GHz), the exploration budget is severe. A uniform sweep takes ~25 seconds. Contextual information (time of day, known AP locations, channel utilization reports from 802.11k/v/r) could dramatically reduce the exploration needed. This pushes toward contextual bandits, where side information informs the channel selection policy.
\nMulti-interface parallelism. Kismet already supports splitting channel lists across multiple NICs. The multi-agent bandit formulation -- where $M$ monitors must coordinate which channels to observe simultaneously -- is well-studied theoretically (Anandkumar et al. 2011) but not implemented in any monitoring tool. With USB WiFi adapters at $15 each, running 4--8 monitors in parallel is practical, and the coordination question is open: should they explore independently, or share observations?
\nNon-stationarity detection. Rather than always applying a sliding window (which adds a tuning parameter), a change-point detection algorithm could trigger re-exploration only when the traffic distribution shifts. Tartakovsky et al. (2014) give sequential change-point tests that could be layered on top of Thompson Sampling[15].
\nSwitching cost. We've treated channel switches as having a fixed time cost, but they also have an information cost: during the switch, no packets are captured on any channel. The bandit-with-switching-costs formulation (Dekel et al. 2014) penalizes frequent switches, which would favor longer dwell times and fewer hops. This is the formal version of the practitioner's intuition that "hopping too fast wastes time."
\nIntegration with active scanning. Passive monitoring can be supplemented with probe requests to solicit responses from hidden APs. The decision of when to send a probe (which temporarily makes the monitor visible) is a separate explore-exploit tradeoff layered on top of the channel selection problem.
\n| Method | \nRegret | \nDiversity | \nComplexity | \n
|---|---|---|---|
| Uniform | \n$O(T)$ -- linear | \nFull coverage | \nNone | \n
| $\\varepsilon$ -greedy (decaying) | \n$O(K \\ln T)$ | \nModerate | \nSample mean | \n
| UCB1 | \n$O(\\ln T / \\Delta)$ | \nDecreasing | \nSample mean + bonus | \n
| KL-UCB | \n$O(\\ln T / d(\\lambda, \\lambda^*))$ | \nDecreasing | \nKL optimization | \n
| Thompson Sampling | \n$O(\\ln T / d(\\lambda, \\lambda^*))$ | \nDecreasing | \nGamma posterior sampling | \n
| TS + entropy | \n$O(\\sqrt{KT})$ worst case | \nTunable via $\\gamma$ | \nGamma + entropy term | \n
| Sliding-Window UCB | \n$O(\\ln T / \\Delta)$ per segment | \nDecreasing | \nWindowed mean + bonus | \n
| Discounted TS | \n$O(\\ln T / d)$ per segment | \nDecreasing | \nDiscounted Gamma | \n
The right choice depends on the monitoring goal. For intrusion detection (must see every device), uniform or entropy-regularized TS with high $\\gamma$ preserves coverage. For traffic analysis (maximize total observed packets), pure Thompson Sampling with Gamma-Poisson conjugate is hard to beat. For environments where traffic patterns shift throughout the day, discounted TS or SW-UCB adapt without manual retuning.
Every production tool today uses the first row. The gap is open.
\nUSB-WiFi issue #376. Channel switching latency benchmarks across chipsets. github.com/morrownr/USB-WiFi ↩︎
\nLai, T. L. & Robbins, H. (1985). Asymptotically efficient adaptive allocation rules. Advances in Applied Mathematics, 6(1), 4--22. ↩︎
\nAuer, P., Cesa-Bianchi, N., & Fischer, P. (2002). Finite-time analysis of the multiarmed bandit problem. Machine Learning, 47(2), 235--256. ↩︎ ↩︎
\nGarivier, A. & Cappe, O. (2011). The KL-UCB algorithm for bounded stochastic bandits and beyond. COLT. ↩︎ ↩︎
\nAgrawal, S. & Goyal, N. (2012). Further optimal regret bounds for Thompson Sampling. arXiv:1209.3353. Finite-time Poisson-Gamma bounds in: Jin, T. et al. (2022). Finite-time regret of Thompson Sampling algorithms for exponential family multi-armed bandits. NeurIPS. ↩︎
\nZimmert, J. & Seldin, Y. (2021). Tsallis-INF: An optimal algorithm for stochastic and adversarial bandits. JMLR, 22(28), 1--28. ↩︎
\nBadanidiyuru, A., Kleinberg, R., & Slivkins, A. (2013). Bandits with knapsacks. FOCS, 207--216. ↩︎
\nGarivier, A. & Moulines, E. (2011). On upper-confidence bound policies for switching bandit problems. ALT, 174--188. ↩︎
\nRaj, V. & Kalyani, S. (2017). Taming non-stationary bandits: A Bayesian approach. arXiv:1707.09727. ↩︎
\nGelman, A., Carlin, J. B., Stern, H. S., Dunson, D. B., Vehtari, A., & Rubin, D. B. (2014). Bayesian Data Analysis (3rd ed., p. 73). Chapman & Hall/CRC. ↩︎
\nJouini, W., Ernst, D., Moy, C., & Palicot, J. (2010). Upper confidence bound based decision making strategies and dynamic spectrum access. ICC, 1--5. ↩︎
\nAnandkumar, A., Michael, N., Tang, A. K., & Swami, A. (2011). Distributed algorithms for learning and cognitive medium access with logarithmic regret. IEEE JSAC, 29(4), 731--745. ↩︎
\nSchulman, A., Levin, D., & Spring, N. (2008). On the fidelity of 802.11 packet traces. PAM, 132--141. ↩︎
\nWhittle, P. (1988). Restless bandits: Activity allocation in a changing world. Journal of Applied Probability, 25(A), 287--298. ↩︎
\nTartakovsky, A., Nikiforov, I., & Basseville, M. (2014). Sequential Analysis: Hypothesis Testing and Changepoint Detection. Chapman & Hall/CRC. ↩︎
\n