Prime Numbers

6.1 The quadratic sieve factorization method 265
the power is as high as could possibly divide one of the values x 2 − n. The
primes p on which these powers are based are those for which x 2 − n ≡ 0
(mod p) is solvable, namely the prime p =2andtheoddprimesp≤Bfor which the Legendre symbol
n
p = 1. And for each such odd prime p and each
relevant power of p, there are two residue classes to sieve over. Let K be the
number of primes up to B that over which we sieve. Then, heuristically, K is
about 1π(B).
We will be assured of a linear dependency among our exponent
2
vectors once we have assembled K + 1 of them.
If the probability of a value of x leading to a B-smooth is u−u , then the
expected number of values of x to get one success is uu , and the expected
number of values to get K + 1 successes is uu (K + 1). We multiply this
expectation by ln ln B, the amount of work on average to deal with each value
of x. So let us assume that this all works out, and take the expression
T (B) =u u (K +1)lnlnB, where u =
ln n
2lnB .
We now attempt to find B as a function of n so as to minimize T (B). Since
K ≈ 1
2π(B) is of order of magnitude B/ln B (see Theorem 1.1.4), we have
that ln T (B) ∼ S(B), where S(B) =u ln u +lnB. Putting in what u is we
have that the derivative is given by
dS − ln n
=
dB 2B ln 2 1
(ln ln n − ln ln B − ln 2 + 1) +
B B .
Setting this equal to zero, we find that ln B is somewhere between a constant
times √ ln n and a constant times √ ln n ln ln n,sothatlnlnB∼ 1
2 ln ln n.Thus
we find that the critical B and other entities behave as
ln B ∼ 1√
√
ln n ln ln n, u ∼ ln n/ ln ln n, S(B) ∼ ln n ln ln n.
2
We conclude that an optimal choice of the smoothness bound B is about
√
exp ln n ln ln n , and that the running time with this choice of B is about
1
2
B2 , that is, the running time for the above scheme to factor n should be about
√ln
exp n ln ln n .
We shall abbreviate this last function of n as follows:
√
ln n ln ln
L(n) =e
n.
(6.1)
The above argument ignores the complexity of the linear algebra step, but
it can be shown that this, too, is about B 2 ; see Section 6.1.3. Assuming the
validity of all the heuristic leaps made, we have described a deterministic
algorithm for factoring an odd composite n that is not a power. The running
time is L(n) 1+o(1) . This function of n is subexponential; that is, it is of the
form n o(1) , and as such, it is a smaller-growing function of n than any of the
complexity estimates for the factoring algorithms described in Chapter 5.