Prime Numbers

262 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
For example, take the case a =11andn = 15. We have a 2 ≡ 1(modn),
and gcd(a − 1,n) = 5, a nontrivial factor of 15.
Consider the following three simple tasks: Find a factor of an even number,
factor nontrivial powers, compute gcd’s. The first task needs no comment! The
second can be accomplished by extracting n 1/k and seeing whether its k-th
power is n, the root extraction being done via Newton’s method and for k
up to lg n. The third simple task is easily done via Algorithm 2.1.2. Thus, we
can “reduce” the factorization problem to finding nontrivial square roots of
1 for odd composites that are not powers. We write “reduce” in quotes since
it is not much of a reduction—the two tasks are essentially computationally
equivalent. Indeed, if we can factor n, an odd composite that is not a power,
it is easy to play with this factorization and with gcd’s to get a factorization
n = AB where A, B are greater than 1 and coprime; see the Exercises. Then
let a be the solution to the Chinese remainder theorem problem posed thus:
a ≡ 1(modA), , a ≡−1(modB).
We have thus created a nontrivial square root of 1 modulo n.
So we now set out on the task of finding a nontrivial square root of 1
modulo n, wheren is an odd composite that is not a power. This task, in
turn, is equivalent to finding a solution to x 2 ≡ y 2 (mod n), where xy is
coprime to n and x ≡ ±y (mod n). For then, xy −1 (mod n) is a nontrivial
square root of 1. However, as we have seen, any solution to x 2 ≡ y 2 (mod n)
with x ≡ ±y (mod n) can be used to split n.
The basic idea of the QS algorithm is to find congruences of the form
x 2 i ≡ ai (mod n), where ai is a square, say y 2 .Ifx = xi, thenx 2 ≡ y 2
(mod n). The extra requirement that x ≡ ±y (mod n) is basically ignored.
If this condition works out, we are happy and can factor n. Ifitdoesnot
work out, we try the method again. We shall see that we actually can
obtain many pairs of congruent squares, and assuming some kind of statistical
independence, half of them or more should lead to a nontrivial factorization of
n. It should be noted, though, right from the start, that QS is not a random
algorithm. When we talk of statistical independence we do so heuristically.
The numbers we are trying to factor don’t seem to mind our lack of rigor,
they get factored anyway.
Let us try this out on n = 1649, which is composite and not a power.
Beginning as with Fermat’s method, we take for the xi’s the numbers just
above √ n (see Section 5.1.1):
41 2 = 1681 ≡ 32 (mod 1649),
42 2 = 1764 ≡ 115 (mod 1649),
43 2 = 1849 ≡ 200 (mod 1649).
With the Fermat method we would continue this computation until we reach
57 2 , but with our new idea of combining congruences, we can stop with the
above three calculations. Indeed, 32 · 200 = 6400 = 80 2 ,sowehave
(41 · 43) 2 ≡ 80 2 (mod 1649).