Prime Numbers

264 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
So we seem to have solved the “obvious problem” stated above for ramping
up the 1649 example to larger numbers. We have a way of systematically
handling our residues x2 mod n, atheoremtotelluswhenwehaveenoughof
them, and an algorithm to find a subset of them with product being a square.
We have not, however, specified how the smoothness bound B is to be
chosen, and actually, the above discussion really does not suggest that this
scheme will be any faster than the method of Fermat.
If we choose B small, we have the advantage that we do not need many
B-smooth residues to find a subset product that is a square. But if B is too
small, the property of being B-smooth is so special that we may not find any
B-smooth numbers. So we need to balance the two forces operating on the
smoothness bound B: The bound should be small enough that we do not need
too many B-smooth numbers to be successful, yet B should be large enough
that the B-smooth numbers are arriving with sufficient frequency.
To try to solve this problem, we should compute what the frequency of
B-smooth numbers will be as a function of B and n. Perhaps we can try to
use (1.44), and assume that the “probability” that x2 mod n is B-smooth is
about u−u ,whereu =lnn/ ln B.
There are two thoughts about this approach. First, (1.44) applies only to
a total population of all numbers up to a certain bound, not a special subset.
Are we so sure that members of our subset are just as likely to be smooth as
is a typical number? Second, what exactly is the size of the numbers in our
subset? In the above paragraph we just used the bound n when we formed
the number u.
We shall overlook the first of these difficulties, since we are designing a
heuristic factorization method. If the method works, our “conjecture” that our
special numbers are just like typical numbers, as far as smoothness goes, gains
some validity. The second of the difficulties, after a little thought, actually can
be resolved in our favor. That is, we are wrong about the size of the residues
x2 mod n, they are actually smaller than n, much smaller.
Recall that we have suggested starting with x = ⌈ √ n⌉ and running up
from that point. But until we get to √ 2n , the residue x2 mod n is given
bythesimpleformulax2−n. Andif √ n0is
small, then x2 − n is of order of magnitude n1/2+ɛ . Thus, we should revise
our heuristic estimate on the likelihood of x leading to a B-smooth number
to u−u with u now about 1
2 ln n/ ln B.
There is one further consideration before we try to use the u−u estimate
to pick out an optimal B and estimate the number of x’s needed. That is, how
long do we need to spend with a particular number x to see whether x2 − n
is B-smooth? One might first think that the answer is about π(B), since trial
division with the primes up to B is certainly an obvious way to see whether
a number is B-smooth. But in fact, there is a much better way to do this, a
way that makes a big difference. We can use the sieving methods of Section
3.2.5 and Section 3.2.6 so that the average number of arithmetic operations
spent per value of x is only about ln ln B, a very small bound indeed. These
sieving methods require us to sieve by primes and powers of primes where