Prime Numbers


thales.doa.fmph.uniba.sk

Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

As the number $b$ grows in absolute value, $y(b)$ is dominated by the term $-4b^3 m$. It is not unreasonable to expect that $b$ will grow as large as $2^{40}$, in which case the size of $|y(b)|$ will be near $2^{323}$. This does not compare favorably with the quadratic sieve with multiple polynomials, where the size of the numbers we sieve for smooths would be about $2^{20}\sqrt{n} \approx 2^{301}$. (This assumes a sieving interval of about $2^{20}$ per polynomial.) However, we can also use multiple polynomials with the special quadratic sieve. For example, for the above number $n_0$, take $b_0 = -2u^2$, $b_1 = 2uv$, $b_2 = v^2$. This then implies that we may take

$x(u, v) = v^2 m^2 + 2uvm - 2u^2$, $\quad y(u, v) = (4v^4 - 8u^3 v)m + 16uv^3 + 4u^4$,

and let $u, v$ range over small, coprime integers. (It is important to take $u, v$ coprime, since otherwise we shall get redundant relations.) If $u, v$ are allowed to range over numbers with absolute value up to $2^{20}$, we get about the same number of pairs as choices for $b$ above, but the size of $|y(u, v)|$ is now about $2^{283}$, a savings over the ordinary quadratic sieve. (There is a small additional savings, since we may actually consider the pair $n_1^{-1}\tfrac{1}{2} x(u, v)$, $4y(u, v)$.) It is perhaps not clear why the introduction of $u, v$ may be considered as "multiple polynomials." The idea is that we may fix one of these letters and sieve over the other. Each choice of the first letter gives a new polynomial in the second letter. The assumption in the above analysis of a sieve of length $2^{40}$ is probably on the small side for a number the size of $n_0$. A larger sieve length will make SQS look poorer in comparison with ordinary QS. It is not clear whether the special quadratic sieve, as described above, will be a useful factoring algorithm (as of this writing, it has not actually been tried out in significant settings).
If the number $n$ is not too large, the growth of the coefficient of $m$ in $y(b)$ or $y(u, v)$ will dominate and make the comparison with the ordinary quadratic sieve poor. If the number $n$ is somewhat larger, so that the special quadratic sieve starts to look better, as in the above example, there is actually another algorithm that may come into play and again majorize the special quadratic sieve. This is the number field sieve, something we shall discuss in the next section.

6.2 Number field sieve

We have encountered some of the inventive ideas of J. Pollard in Chapter 5. In 1988 (see [Lenstra and Lenstra 1993]) Pollard suggested a factoring method that was very well suited for numbers, such as Fermat numbers, that are close to a high power. Before long, this method had been generalized so that it could be used for general composites. Today, the number field sieve (NFS) stands as the asymptotically fastest heuristic factoring algorithm we know for "worst-case" composite numbers.

6.2.1 Basic NFS: Strategy

The quadratic sieve factorization method is fast because it produces small quadratic residues modulo the number we are trying to factor, and because we can use a sieve to quickly recognize which of these quadratic residues are smooth. The QS method would be faster still if the quadratic residues it produces could be arranged to be smaller, since then they would be more likely to be smooth, and so we would not have to sift through as many of them. An interesting thought in this regard is that it is not necessary that they be quadratic residues, only small! We have a technique through linear algebra of multiplying subsets of smooth numbers so as to obtain squares. In the quadratic sieve, we had only to worry about one side of the congruence, since the other side was already a square. In the number field sieve we use the linear algebra method on both sides of the key congruence.

However, our congruences will not start with two integers being congruent mod $n$. Rather, they will start with pairs $\theta, \varphi(\theta)$, where $\theta$ lies in a particular algebraic number ring, and $\varphi$ is a homomorphism from the ring to $\mathbb{Z}_n$. (These concepts will be described concretely, in a moment.) Suppose we have $k$ such pairs $\theta_1, \varphi(\theta_1), \ldots, \theta_k, \varphi(\theta_k)$, such that the product $\theta_1 \cdots \theta_k$ is a square in the number ring, say $\gamma^2$, and there is an integer square, say $v^2$, such that $\varphi(\theta_1) \cdots \varphi(\theta_k) \equiv v^2 \pmod n$. Then if $\varphi(\gamma) \equiv u \pmod n$ for an integer $u$, we have

$u^2 \equiv \varphi(\gamma)^2 \equiv \varphi(\gamma^2) \equiv \varphi(\theta_1 \cdots \theta_k) \equiv \varphi(\theta_1) \cdots \varphi(\theta_k) \equiv v^2 \pmod n.$

That is, stripping away all of the interior expressions, we have the congruence $u^2 \equiv v^2 \pmod n$, and so could try to factor $n$ via $\gcd(u - v, n)$.

The above ideas constitute the strategy of NFS. We now discuss the basic setup that introduces the number ring and the homomorphism $\varphi$. Suppose we are trying to factor the number $n$, which is odd, composite, and not a power.
Let

$f(x) = x^d + c_{d-1}x^{d-1} + \cdots + c_0$

be an irreducible polynomial in $\mathbb{Z}[x]$, and let $\alpha$ be a complex number that is a root of $f$. We do not need to numerically approximate $\alpha$; we just use the symbol "$\alpha$" to stand for one of the roots of $f$. Our number ring will be $\mathbb{Z}[\alpha]$. This is computationally thought of as the set of ordered $d$-tuples $(a_0, a_1, \ldots, a_{d-1})$ of integers, where we "picture" such a $d$-tuple as the element $a_0 + a_1\alpha + \cdots + a_{d-1}\alpha^{d-1}$. We add two such expressions coordinatewise, and we multiply via the normal polynomial product, but then reduce to a $d$-tuple via the identity $f(\alpha) = 0$. Another, equivalent way of thinking of the number ring $\mathbb{Z}[\alpha]$ is to realize it as $\mathbb{Z}[x]/(f(x))$, that is, involving polynomial arithmetic modulo $f(x)$.

The connection to the number $n$ we are factoring comes via an integer $m$ with the property that

$f(m) \equiv 0 \pmod n.$

We do need to know what the integer $m$ is. We remark that there is a very simple method of coming up with an acceptable choice of $f(x)$ and
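The ring arithmetic and homomorphism just described, as an added Python example that is not from the book: elements of $\mathbb{Z}[\alpha]$ are held as $d$-tuples and multiplied with reduction by $f(\alpha) = 0$, $\varphi$ sends $\alpha$ to $m$ modulo $n$, and the final step takes $\gcd(u - v, n)$. The instance $n = 8051$, $f(x) = x^3 + 2x + 11$, $m = 20$ (so $f(m) = n$) is a constructed toy, and the function names `ring_mul`, `phi`, `homomorphism_holds`, `try_split` are this example's own.

```python
from math import gcd
from typing import List

# Constructed toy instance (not from the book): n = 8051 and the polynomial
# f(x) = x^3 + 2x + 11 with m = 20, chosen so that f(m) = 8051 = n, i.e.
# f(m) = 0 (mod n) as the section requires. f is monic and irreducible.
N = 8051
M = 20
F = [11, 2, 0, 1]  # c_0, c_1, c_2, c_3 of f; degree d = 3


def ring_mul(a: List[int], b: List[int], f: List[int] = F) -> List[int]:
    """Multiply two elements of Z[alpha], each a d-tuple of coefficients.

    Ordinary polynomial product, then every power alpha^k with k >= d is
    rewritten via f(alpha) = 0, i.e. alpha^d = -(c_{d-1} alpha^{d-1} + ... + c_0),
    until only a d-tuple remains.
    """
    d = len(f) - 1
    prod = [0] * (2 * d - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    for k in range(2 * d - 2, d - 1, -1):  # highest power first
        top, prod[k] = prod[k], 0
        for i in range(d):
            prod[k - d + i] -= top * f[i]
    return prod[:d]


def phi(theta: List[int], m: int = M, n: int = N) -> int:
    """The homomorphism phi: Z[alpha] -> Z_n that sends alpha to m."""
    return sum(c * pow(m, i, n) for i, c in enumerate(theta)) % n


def homomorphism_holds(a: List[int], b: List[int]) -> bool:
    """phi(ab) == phi(a) phi(b) (mod n): the identity the NFS chain
    phi(gamma)^2 == phi(gamma^2) == phi(theta_1 ... theta_k) depends on."""
    return phi(ring_mul(a, b)) == (phi(a) * phi(b)) % N


def try_split(u: int, v: int, n: int = N) -> int:
    """Last step of the strategy: given u^2 == v^2 (mod n), take gcd(u - v, n).
    The result is a proper factor unless u == +/-v (mod n)."""
    if (u * u - v * v) % n:
        raise ValueError("u^2 and v^2 do not agree mod n")
    return gcd(u - v, n)
```

Because `phi` is evaluation at $m$ and $f(m) \equiv 0 \pmod n$, reducing by $f(\alpha)$ never changes the image, which is why `homomorphism_holds` is true for any pair of ring elements.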

