Prime Numbers


thales.doa.fmph.uniba.sk, 10.12.2012

5.8 Research problems

In judging the efficacy of such a factoring method, one should address at least the following questions. How, in this case, do we find an initial point $(x_0, y_0, w_0, z_0)$ in the group? How many field operations are required for point doubling, and for arbitrary point addition? Explore any algebraic connections of the circle and hyperspherical groups (and perhaps further relatives of these) with groups of matrices (mod $p$). For example, all $n \times n$ matrices having determinant 1 modulo $p$ form a group that can for better or worse be used to forge some kind of factoring algorithm. These relations are well known, including yet more relations with so-called cyclotomic factoring. But an interesting line of research is based on this question: How do we design efficient factoring algorithms, if any, using these group/matrix ideas? We already know that complex multiplication, for example, can be done in three multiplies instead of four, and large-matrix multiplication can be endowed with its own special speedups, such as Strassen recursion [Crandall 1994b] and number-theoretical transform acceleration [Yagle 1995]; see Exercise 9.84.

5.29. Investigate the possibility of modifying the polynomial evaluation method of Pollard and Strassen for application to the factorization of Fermat numbers $F_n = 2^{2^n} + 1$. Since we may restrict factor searches to primes of the form $p = k\,2^{n+2} + 1$, consider the following approach. Form a product
$$P = \prod_i \left(k_i\, 2^{n+2} + 1\right) \pmod{F_n},$$
where the $\{k_i\}$ constitute some set of cleverly chosen integers, with a view to eventual taking of $\gcd(F_n, P)$. The Pollard–Strassen notion of evaluating products of consecutive integers is to be altered: now we wish to form the product over a special multiplier set. So investigate possible means for efficient creation of $P$. There is the interesting consideration that we should be able somehow to presieve the $\{k_i\}$, or even to alter the exponents $n+2$ in some $i$-dependent manner. Does it make sense to describe the multiplier set $\{k_i\}$ as a union of disjoint arithmetic progressions (as would result from a presieving operation)? One practical matter that would be valuable to settle is this: Does a Pollard–Strassen variant of this type have any hope of exceeding the performance of direct, conventional sieving (in which one simply checks $2^{2^n} \pmod p$ for various $p = k\,2^{n+2} + 1$)? The problem is not without merit, since beyond $F_{20}$ or thereabouts, direct sieving has been the only recourse to date for discovering factors of the mighty $F_n$.
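The following is an added example, not code from the book, that puts the two approaches of Problem 5.29 side by side on Fermat numbers small enough to run in a second: the direct check $2^{2^n} \equiv -1 \pmod p$ over candidates $p = k\,2^{n+2}+1$, and a batched variant that multiplies a block of candidates modulo $F_n$ and takes a single gcd per block. The function names (`fermat`, `candidates`, `direct_sieve`, `product_gcd`), the block size, and the crude presieve by a handful of tiny primes are my own choices, not the book's.

```python
# Added example: the "special multiplier set" idea of Problem 5.29 next to the
# direct sieve it is meant to compete with.  Every prime factor p of
# F_n = 2^(2^n) + 1 (n >= 2) has the form p = k * 2^(n+2) + 1, so candidate
# divisors are enumerated by k rather than by p.  Names are assumptions.
from math import gcd

SMALL_PRIMES = (3, 5, 7, 11, 13)  # presieve set; no factor of F_n has one of these


def fermat(n):
    """F_n = 2^(2^n) + 1."""
    return (1 << (1 << n)) + 1


def candidates(n, k_max):
    """p = k*2^(n+2) + 1 for k = 1..k_max, after a crude presieve that drops
    candidates with a tiny prime factor (they cannot divide F_n)."""
    step = 1 << (n + 2)
    for k in range(1, k_max + 1):
        p = k * step + 1
        if any(p % q == 0 for q in SMALL_PRIMES):
            continue
        yield p


def direct_sieve(n, k_max):
    """Conventional check: p | F_n  iff  2^(2^n) == -1 (mod p).
    One modular exponentiation per candidate; the exponent 2^n is small,
    so F_n itself is never formed."""
    e = 1 << n
    return [p for p in candidates(n, k_max) if pow(2, e, p) == p - 1]


def product_gcd(n, k_max, batch=64):
    """Batched variant in the spirit of Problem 5.29: multiply `batch`
    candidates together modulo F_n and take ONE gcd per batch.  Only a batch
    whose gcd is nontrivial is then searched candidate by candidate."""
    F = fermat(n)
    found = []

    def scan(blk):
        P = 1
        for p in blk:
            P = P * p % F          # multiplication modulo F_n: the real cost
        if gcd(F, P) != 1:
            for p in blk:          # refine only inside a "hit" block
                g = gcd(F, p)
                if g != 1 and g not in found:
                    found.append(g)

    block = []
    for p in candidates(n, k_max):
        block.append(p)
        if len(block) == batch:
            scan(block)
            block = []
    if block:
        scan(block)
    return found


if __name__ == "__main__":
    # F_5 = 641 * 6700417 (641 = 5*2^7 + 1); F_6 = 274177 * 67280421310721
    # (274177 = 1071*2^8 + 1).  Both variants recover the small factor.
    for n, k_max in ((5, 100), (6, 1200)):
        print(n, direct_sieve(n, k_max), product_gcd(n, k_max))
```

The direct sieve spends one modular exponentiation with a tiny modulus per candidate; the batched version spends one multiplication modulo $F_n$ per candidate plus one gcd per block, and since $F_n$ has $2^n$ bits those multiplications are exactly the cost the problem asks whether a Pollard–Strassen evaluation could amortize.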

Chapter 6

SUBEXPONENTIAL FACTORING ALGORITHMS

The methods of this chapter include two of the three basic workhorses of modern factoring, the quadratic sieve (QS) and the number field sieve (NFS). (The third workhorse, the elliptic curve method (ECM), is described in Chapter 7.) The quadratic sieve and number field sieve are direct descendants of the continued fraction factoring method of Brillhart and Morrison, which was the first subexponential factoring algorithm on the scene. The continued fraction factoring method, which was introduced in the early 1970s, allowed complete factorizations of numbers of around 50 digits, when previously, about 20 digits had been the limit. The quadratic sieve and the number field sieve, each with its strengths and domain of excellence, have pushed our capability for complete factorization from 50 digits to now over 150 digits for the size of numbers to be routinely factored. By contrast, the elliptic curve method has allowed the discovery of prime factors up to 50 digits and beyond, with fortunately weak dependence on the size of number to be factored. We include in this chapter a small discussion of rigorous factorization methods that in their own way also represent the state of the art. We also discuss briefly some subexponential discrete logarithm algorithms for the multiplicative groups of finite fields.

6.1 The quadratic sieve factorization method

Though first introduced in [Pomerance 1982], the quadratic sieve (QS) method owes much to prior factorization methods, including the continued-fraction method of [Morrison and Brillhart 1975]. See [Pomerance 1996b] for some of the history of the QS method and also the number field sieve.

6.1.1 Basic QS

Let $n$ be an odd number with exactly $k$ distinct prime factors. Then there are exactly $2^k$ square roots of 1 modulo $n$. This is easy in the case $k = 1$, and it follows in the general case from the Chinese remainder theorem; see Section 2.1.3. Two of these $2^k$ square roots of 1 are the old familiar $\pm 1$. All of the others are interesting in that they can be used to split $n$. Indeed, if $a^2 \equiv 1 \pmod n$ and $a \not\equiv \pm 1 \pmod n$, then $\gcd(a-1, n)$ must be a nontrivial factor of $n$. To see this, note that $n \mid (a-1)(a+1)$, but $n$ does not divide either factor, so part of $n$ must divide $a - 1$ and part must divide $a + 1$.
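The following is an added example, not code from the book, that makes the $2^k$ count and the splitting argument concrete: it glues the $\pm 1$ roots modulo each odd prime-power factor of $n$ together with the Chinese remainder theorem, checks that every root other than $\pm 1$ yields a proper factor through $\gcd(a-1, n)$, and, going one step beyond this paragraph, restates the same fact in the form the quadratic sieve uses, a congruence $x^2 \equiv y^2 \pmod n$ with $x \not\equiv \pm y$. The helper names and the small test moduli are my own.

```python
# Added example: all 2^k square roots of 1 modulo an odd n from its
# factorization, and the gcd split the text describes.  Names are assumptions.
from itertools import product
from math import gcd


def crt(residues, moduli):
    """Smallest nonnegative x with x ≡ r_i (mod m_i) for pairwise coprime m_i."""
    x, m = 0, 1
    for r, mi in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mi)) % mi   # solve x + m*t ≡ r (mod mi)
        x += m * t
        m *= mi
    return x % m


def square_roots_of_one(prime_powers):
    """All a with a^2 ≡ 1 (mod n), n = product of the given odd prime powers
    (pairwise coprime).  Modulo an odd prime power the only roots are ±1, so
    CRT produces exactly 2^k of them, k = number of distinct primes."""
    n = 1
    for q in prime_powers:
        n *= q
    roots = set()
    for signs in product((1, -1), repeat=len(prime_powers)):
        roots.add(crt([s % q for s, q in zip(signs, prime_powers)], prime_powers))
    return n, sorted(roots)


def split_with_root(n, a):
    """Given a^2 ≡ 1 (mod n): a proper factor of n, or None when a ≡ ±1.
    n | (a-1)(a+1) but divides neither factor, so gcd(a-1, n) is proper."""
    assert a * a % n == 1, "a is not a square root of 1 mod n"
    if a % n in (1, n - 1):
        return None
    g = gcd(a - 1, n)
    assert 1 < g < n
    return g


def split_with_congruence(n, x, y):
    """QS form of the same fact: x^2 ≡ y^2 (mod n) and x ≢ ±y (mod n) give
    gcd(x - y, n) as a proper factor (a = x * y^{-1} is then a root of 1;
    if gcd(y, n) > 1 that gcd is already a factor)."""
    assert (x * x - y * y) % n == 0, "x^2 and y^2 are not congruent mod n"
    g = gcd(x - y, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    n, roots = square_roots_of_one([3, 5, 7])          # k = 3  ->  8 roots
    print(n, roots, [split_with_root(n, a) for a in roots])
    # Constructed QS-style relation for 1649 = 17 * 97:
    # 41^2 ≡ 32, 43^2 ≡ 200 (mod 1649) and 32 * 200 = 80^2,
    # so x = 41 * 43 = 1763, y = 80 satisfy x^2 ≡ y^2 (mod 1649).
    print(split_with_congruence(1649, 1763, 80))
```

Note that $k$ counts distinct primes, not multiplicity: $45 = 3^2 \cdot 5$ still has only four square roots of 1, which is why the helper takes prime powers as its moduli.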
