Prime Numbers

thales.doa.fmph.uniba.sk, 10.12.2012

274 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

for $x$ to be precisely the interval $[-M, M]$. Note that the largest value of $f(x)$ on this interval is at the endpoints, where the value is about $(a^2M^2 - n)/a$, and the least value is at $x = 0$, being there about $-n/a$. Let us set the absolute values of these two expressions approximately equal to each other, giving the approximate equation $a^2M^2 \approx 2n$, so that $a \approx \sqrt{2n}/M$. If $a$ satisfies this approximate equality, then the absolute value of $f(x)$ on the interval $[-M, M]$ is bounded by $(M/\sqrt{2})\sqrt{n}$. This should be compared with the original polynomial $x^2 - n$ used in the basic QS method. On the interval $[\sqrt{n} - M, \sqrt{n} + M]$, the values are bounded by approximately $2M\sqrt{n}$. So we have saved a factor $2\sqrt{2}$ in size. But we have saved much more than that. In the basic QS method the values continue to grow; we cannot stop at a preset value $M$. But when we use a family of polynomials, we can continually change. Roughly, using the analysis of Section 6.1.1, we can choose $M = B = L(n)^{1/2}$ when we use multiple polynomials, but must choose $M = B^2 = L(n)$ when we use only one polynomial. So the numbers that "would be smooth" using multiple polynomials are smaller on average by a factor $B$. A heuristic analysis shows that using multiple polynomials speeds up the quadratic sieve method by roughly a factor $\frac{1}{2}\sqrt{\ln n \,\ln\ln n}$. When $n$ is about 100 digits, this gives a savings of about a factor 17; that is, QS with multiple polynomials runs about 17 times as fast as the basic QS method. (This "thought experiment" has not been numerically verified, though there can be no doubt that using multiple polynomials is considerably faster in practice.)

However, there is one last requirement for the leading coefficient $a$: we need to find values of $b$, $c$ to go along with it. If we can solve $b^2 \equiv n \pmod{a}$ for $b$, then we can ensure that $|b| \le a/2$, and we can let $c = (b^2 - n)/a$. Note that the methods of Section 2.3.2 will allow us to solve the congruence provided that we choose $a$ such that $a$ is odd, we know the prime factorization of $a$, and for each prime $p \mid a$ we have $\left(\frac{n}{p}\right) = 1$. One effective way to do this is to take various primes $p \approx (2n)^{1/4}/M^{1/2}$, with $\left(\frac{n}{p}\right) = 1$, and choose $a = p^2$. Then such values of $a$ meet all the criteria we have set for them: (1) We have $a$ equal to a square times a $B$-smooth number. (2) We have $a \approx \sqrt{2n}/M$. (3) We can efficiently solve $b^2 \equiv n \pmod{a}$ for $b$. The congruence $b^2 \equiv n \pmod{a}$ has two solutions, if we take $a = p^2$ as above. However, the two solutions lead to equivalent polynomials, so we use only one of the solutions, say the one with 0

6.1 The quadratic sieve factorization method 275

For numbers in the range of 50 to 150 digits, typical choices for $B$ are in the range $10^4$ to $10^7$, approximately. It turns out that sieving is so fast an operation that if we changed polynomials every time we sieved $B$ numbers, the overhead in making the change would be so time-consuming that overall efficiency would suffer. This overhead is principally to solve the initialization problem. That is, given $a, b, c$ as in Section 6.1.5, for each odd prime $p \le B$ with $\left(\frac{n}{p}\right) = 1$, we have to solve the congruence

$$ax^2 + 2bx + c \equiv 0 \pmod{p}$$

for the two roots $r(p) \bmod p$ and $s(p) \bmod p$ (we assume here that $p$ does not divide $an$). Thus, we have

$$r(p) = (-b + t(p))\,a^{-1} \bmod p, \qquad s(p) = (-b - t(p))\,a^{-1} \bmod p, \tag{6.3}$$

where $t(p)^2 \equiv n \pmod{p}$. For each polynomial, we can use the exact same residue $t(p)$ each time when we come to finding $r(p), s(p)$. So the principal work in using (6.3) is in computing $a^{-1} \bmod p$ for each $p$ (say by Algorithm 2.1.4) and the two mod $p$ multiplications. If there are many primes $p$ for which this needs to be done, it is enough work that we do not want to do it too frequently.

The idea of self initialization is to amortize the work in (6.3) over several polynomials with the same value of $a$. For each value of $a$, we choose $b$ such that $b^2 \equiv n \pmod{a}$ and 0
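As an added worked example (not code from the book), the following Python carries through the polynomial construction of Section 6.1.5 on page 274 and the root initialization (6.3) above in one run. It picks a prime $p \approx (2n)^{1/4}/M^{1/2}$ with $\left(\frac{n}{p}\right) = 1$, sets $a = p^2$, finds $t$ with $t^2 \equiv n \pmod{p}$ by Tonelli-Shanks and lifts it to a root mod $p^2$ with one Hensel step (the page only says "the methods of Section 2.3.2"; these two routines are my assumed stand-ins for them), reduces to $0 < b \le a/2$, forms $c = (b^2 - n)/a$, and then computes $r(p), s(p)$ for a small factor base while caching $t(p)$ and $a^{-1} \bmod p$ so that a later polynomial sharing the same $a$ reuses both. The values $n = 1000003 \cdot 1000033$, $M = 1000$ and $B = 50$ are constructed toy inputs, far smaller than the 50 to 150 digit numbers the text has in mind; the routine names are mine.

```python
# Added worked example (not from the book): build one MPQS polynomial with
# a = p^2 as in Section 6.1.5, then initialize its sieve roots with (6.3).
# Assumes Python 3.8+ (pow(x, -1, p) for modular inverses). The sample n, M
# and B are constructed for illustration; real inputs are vastly larger.
from math import isqrt


def legendre(n, p):
    """Legendre symbol (n/p) for an odd prime p: 1, -1 or 0."""
    v = pow(n % p, (p - 1) // 2, p)
    return -1 if v == p - 1 else v


def sqrt_mod_prime(n, p):
    """Tonelli-Shanks: some t with t^2 = n (mod p). Requires (n/p) = 1."""
    n %= p
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while legendre(z, p) != -1:          # any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                   # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        w = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, w * w % p, t * w * w % p, r * w % p
    return r


def is_prime(p):
    """Trial division; adequate for the small primes used here."""
    return p > 1 and all(p % d for d in range(2, isqrt(p) + 1))


def choose_a(n, M):
    """Smallest prime p >= (2n)^(1/4)/M^(1/2) with (n/p) = 1; returns (p, a = p^2)."""
    p = max(3, isqrt(isqrt(2 * n) // M))
    while not (is_prime(p) and legendre(n, p) == 1):
        p += 1
    return p, p * p


def make_polynomial(n, M):
    """(a, b, c) with a ~ sqrt(2n)/M, b^2 = n (mod a), 0 < b <= a/2, c = (b^2 - n)/a."""
    p, a = choose_a(n, M)
    t = sqrt_mod_prime(n, p)
    # Hensel lift t (mod p) to b = t + k*p (mod p^2): need (t^2 - n)/p + 2*t*k = 0 (mod p)
    k = (-((t * t - n) // p) * pow(2 * t, -1, p)) % p
    b = (t + k * p) % a
    if b > a // 2:                       # -b gives f(-x), an equivalent polynomial
        b = a - b
    assert (b * b - n) % a == 0          # so c below is an integer
    return a, b, (b * b - n) // a


def poly_value(a, b, c, x):
    """f(x) = a x^2 + 2 b x + c, for which a f(x) = (a x + b)^2 - n."""
    return a * x * x + 2 * b * x + c


def max_abs_on_interval(a, b, c, M):
    """Largest |f(x)| over the sieve interval -M <= x <= M."""
    return max(abs(poly_value(a, b, c, x)) for x in range(-M, M + 1))


def init_roots(n, a, b, B, cache):
    """Equation (6.3): {p: (r(p), s(p))} for odd primes p <= B with (n/p) = 1 and p not
    dividing a*n. `cache` holds t(p), which depends only on n, and a^-1 mod p, which
    depends only on a, so another polynomial sharing a costs just two multiplications."""
    roots = {}
    for p in range(3, B + 1, 2):
        if not is_prime(p) or legendre(n, p) != 1 or a % p == 0:
            continue
        if ("t", p) not in cache:
            cache["t", p] = sqrt_mod_prime(n, p)
        if ("ainv", a, p) not in cache:
            cache["ainv", a, p] = pow(a, -1, p)
        t, ainv = cache["t", p], cache["ainv", a, p]
        roots[p] = ((-b + t) * ainv % p, (-b - t) * ainv % p)
    return roots


if __name__ == "__main__":
    n = 1000003 * 1000033                # constructed sample: product of two primes
    M = 1000                             # sieve interval [-M, M]
    a, b, c = make_polynomial(n, M)
    print("a =", a, "b =", b, "c =", c)
    print("max |f| on [-M, M]:", max_abs_on_interval(a, b, c, M),
          " basic QS bound 2*M*sqrt(n) ~", 2 * M * isqrt(n))
    for p, (r, s) in init_roots(n, a, b, 50, {}).items():
        assert poly_value(a, b, c, r) % p == 0 and poly_value(a, b, c, s) % p == 0
        print(p, (r, s))
```

For these inputs the search lands on $p = 37$, $a = 1369$, $b = 79$, and the largest $|f(x)|$ on $[-M, M]$ is $|c| \approx 7.3 \cdot 10^8$, a little above the heuristic $(M/\sqrt{2})\sqrt{n} \approx 7.07 \cdot 10^8$ because $a = 1369$ falls slightly short of $\sqrt{2n}/M \approx 1414$, and well under the basic-QS size $2M\sqrt{n} \approx 2.0 \cdot 10^9$. The factor base skips $p = 37$ itself, since $a^{-1} \bmod p$ does not exist there, which is exactly the "$p$ does not divide $an$" proviso in the text.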

