Prime Numbers

238 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS
larger than B. After searching through the exponents M(1),M(2),...,M(B),
we next search through the exponents QM(B), where Q runs over the
primes in the interval (B,B ′ ]. This then has the chance of uncovering
those primes p|n with p − 1 = Qu, where Q is a prime in (B,B ′ ] and
u|M(B). It is particularly easy to traverse the various exponents QM(B).
Suppose the sequence of primes in (B,B ′ ]isQ1 < Q2 < ··· . Note that
2 Q1M(B) mod n may be computed from 2 M(B) mod n in O(ln Q1) steps. For
2 Q2M(B) mod n, we multiply 2 Q1M(B) mod n by 2 (Q2−Q1)M(B) mod n, then
by 2 (Q3−Q2)M(B) mod n to get 2 Q3M(B) mod n, and so on. The differences
Qi+1−Qi are all much smaller than the Qi’s themselves, and for various values
d of these differences, the residues 2 dM(B) mod n can be precomputed. Thus,
if B ′ > 2B, say, the amortized cost of computing all of the 2 QiM(B) mod n
is just one modular multiplication per Qi. If we agree to spend just as much
time doing the second stage as the basic p − 1 method, then we may take B ′
much larger than B, perhaps as big as B ln B.
There are many interesting issues pertaining to the second stage, such as
means for further acceleration, birthday paradox manifestations, and so on.
See [Montgomery 1987, 1992a], [Crandall 1996a], and Exercise 5.9 for some of
these issues.
We shall see that the basic idea of the Pollard p−1 method is revisited with
the Lenstra elliptic curve method (ECM) for factoring integers (see Section
7.4).
5.5 Polynomial evaluation method
Suppose the function F (k, n) =k! modn were easy to evaluate. Then a great
deal of factoring and primality testing would also be easy. For example, the
Wilson–Lagrange theorem (Theorem 1.3.6) says that an integer n>1isprime
if and only if F (n − 1,n)=n − 1. Alternatively, n>1 is prime if and only if
F (⌈ √ n⌉ ,n) is coprime to n. Further, we could factor almost as easily: Carry
out a binary search for the least positive integer k with gcd(F (k, n),n) > 1—
this k, of course, will be the least prime factor of n.
As outlandish as this idea may seem, there is actually a fairly fast
theoretical factoring algorithm based on it, an algorithm that stands as the
fastest deterministic rigorously analyzed factoring algorithm of which we
know. This is the Pollard–Strassen polynomial evaluation method; see [Pollard
1974] and [Strassen 1976].
Theideaisasfollows.LetB = n 1/4 and let f(x) be the polynomial
x(x − 1) ···(x − B + 1). Then f(jB) =(jB)!/((j − 1)B)! for every positive
integer j, so that the least j with gcd(f(jB),n) > 1 isolates the least prime
factor of n in the interval ((j − 1)B,jB]. Once we know this, if the gcd is in
the stated interval, it is the least prime factor of n, and if the gcd is larger
than jB, we may sequentially try the members of the interval as divisors of
n, the first divisor found being the least prime divisor of n. Clearly, this last
calculation takes at most B arithmetic operations with integers the size of n;
that is, it is O(n 1/4 ). But what of the earlier steps? If we could compute each