Prime Numbers

236 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS
B are sequentially generated, one can look for a match in A, provided that
one has rapid means for content-searching in an ordered list. After the match
is found, it is not necessary to continue to generate B, so that on average a
savings of 50% can be gained.
The complexity for Step [Construct lists] is O( √ n) group operations, and
for Step [Sort and find intersection] is O( √ n ln n) comparisons. The space
required is what is needed to store O( √ n) group elements. If one has no idea
how large the group G is, one can let n run through the sequence 2 k for
k =1, 2,... . If no match is found with one value of k, repeat the algorithm
with k + 1. Of course, the sets from the previous run should be saved and
enlarged for the next run. Thus if the group G has order m, wecertainlywill
be successful in computing the logarithm of t in operation count O( √ m ln m)
and space O( √ m) group elements.
A more elaborate version of this idea can be found in [Buchmann et al.
1997], [Terr 1999]. Also see [Blackburn and Teske 1999] for other baby-steps,
giant-steps strategies.
We compare Algorithm 5.3.1 with the rho method for discrete logarithms
in Section 5.2.2. There the running time is O( √ m) and the space is
negligible. However, the rho method is heuristic, while baby-steps, giant-steps
is completely rigorous. In practice, there is no reason not to use a heuristic
method for a discrete logarithm calculation just because a theoretician has
not yet been clever enough to supply a proof that the method works and does
so within the stated time bound. So in practice, the rho method majorizes
the baby-steps, giant-steps method.
However, the simple and elegant idea behind baby-steps, giant-steps is
useful in many contexts, as we shall see in Section 7.5. It also can be used
for factoring, as shown in [Shanks 1971]. In fact, that paper introduced the
baby-steps, giant-steps idea. The context here is the class group of binary
quadratic forms with a given discriminant. We shall visit this method at the
endofthischapter,inSection5.6.4.
5.4 Pollard p − 1 method
We know from Fermat’s little theorem that if p isanoddprime,then2 p−1 ≡ 1
(mod p). Further, if p − 1|M, then2 M ≡ 1(modp). So if p is a prime factor
of an integer n, thenp divides gcd(2 M − 1,n). The p − 1methodofJ.Pollard
makes use of this idea as a tool to factor n. His idea is to choose numbers
M with many divisors of the form p − 1, and so search for many primes p as
possible divisors of n in one fell swoop.
Let M(k) be the least common multiple of the integers up to k.So,M(1) =
1, M(2) = 2, M(3) = 6, M(4) = 12, etc. The sequence M(1),M(2),...may be
computed recursively as follows. Suppose M(k) has already been computed. If
k+1 is not a prime or a power of a prime, then M(k+1) = M(k). If k+1 = p a ,
where p is prime, then M(k +1)=pM(k). A precomputation via a sieve, see
Section 3.2, can locate all the primes up to some limit, and this may be easily
augmented with the powers of the primes. Thus, the sequence M(1),M(2),...