Prime Numbers

5.7 Exercises 251
is completely rigorous, depending on no unproved hypotheses. Her method
also computes the class number and group structure in the expected time
O |D| 1/5+ɛ . However, unlike with factoring, which may be easily checked for
correctness, there is no simple way to see whether Srinivasan’s computation
of the class number is correct, though it almost certainly is. As we shall see in
the next chapter, there are faster, completely rigorous, probabilistic factoring
algorithms. The Srinivasan method, though, stands as the fastest known
completely rigorous probabilistic method for computing the class number
C(D). ([Hafner and McCurley 1989] have a subexponential probabilistic
method, but its analysis depends on the ERH.)
5.7 Exercises
5.1. Starting with Lenstra’s Algorithm 4.2.11, develop a deterministic
factoring method that takes at most n 1/3+o(1) operations to factor n.
5.2. Suppose one models the iteration of x2 + a mod p in the Pollard-rho
method as a random function f from {0, 1,...,p−1} to {0, 1,...,p−1}. The
function f describes a directed graph on the residues modulo p where a residue
i has a unique out-arrow pointing to f(i). Show that the expected length of
the longest path r1,r2,...,rk of distinct residues is of order of magnitude √ p.
Here is a possible strategy: If s1,s2,...,sj is a path of distinct residues, then
the probability that f(sj) ∈ {s1,...,sj} is (p − j)/p. Thus the probability
that a path starting from s hits distinct points for at least j steps is the
product of (p − i)/p for i = 1, 2,...,j. The expectation asked for is thus
p−1 j j=0 i=1 (p − i)/p. See [Purdom and Williams 1968].
Next investigate the situation that is more relevant to the Pollard-rho
factorization method, where one assumes the random function f is 2 : 1, or
more generally 2K : 1 (see Exercise 5.24). In this regard see [Brent and Pollard
1981] and [Arney and Bender 1982].
5.3. One fact used in the analysis of the Pollard rho method is that the
function f(x) =x 2 + a on Zn to Zn has the property that for each divisor
d of n we have that u ≡ v (mod d) implies that f(u) ≡ f(v) (modd). It is
easy to see that any polynomial f(x) inZn[x] has this property. Show the
converse. That is, if f is any function from Zn to Zn with the property that
f(u) ≡ f(v) (modd) whenever d|n and u ≡ v (mod d), then f(x) mustbe
a polynomial in Zn[x]. (Hint: First show this for n aprime,thenextendto
prime powers, and conclude with the Chinese remainder theorem.)
5.4. Let G be a cyclic group of order n with generator g, and element t. Say
our goal is to solve for the discrete logarithm l of t; that is, an integer l with
g l = t. Assume that we somehow discover an instance g b = t a . Show that the
desired logarithm is then given by
l =((bu + kn)/d) modn,