Prime Numbers
282 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

Then N(a − bα) = F(a, b). That is, N(a − bα) may be viewed quite explicitly as a polynomial in the two variables a, b.

Thus, we can arrange for the product of N(a − bα) for (a, b) ∈ S to be a square by letting a, b run so that |a|, |b| ≤ M, using a sieve to detect B-smooth values of F(a, b), forming the corresponding exponent vectors, and using matrix methods to find the subset S. And if we want S also to have the first property, that the product of the a − bm is also a square in Z, then we alter the procedure to sieve for smooth values of F(a, b)G(a, b), this product, too, being a polynomial in the variables a, b. For the smooth values we create exponent vectors with two fields of coordinates. The first field corresponds to the prime factorization of F(a, b), and the second to the prime factorization of G(a, b). These longer exponent vectors are then collected into a matrix, and again we can do linear algebra modulo 2. Before, we needed just π(B) + 2 vectors to ensure success. Now we need 2π(B) + 3 vectors to ensure success, since each vector will have 2π(B) + 2 coordinates: the first half for the prime factorization of F(a, b), and the second half for the prime factorization of G(a, b). So we need only collect twice as many vectors, and then we can accomplish both tasks simultaneously.

We return now to the question of sufficiency. That is, if N(β) is a square in Z and β ∈ Z[α], must it be true that β is a square in Z[α]? The answer is a resounding no. It is perhaps instructive to look at a simple example. Consider the case f(x) = x² + 1, and let us denote a root by the symbol "i" (as one might have guessed). Then N(a + bi) = a² + b². If a² + b² is a square in Z, then a + bi need not be a square in Z[i]. For example, if a is a positive, nonsquare integer, then it is also a nonsquare in Z[i], yet N(a) = a² is a square in Z.

Actually, the ring Z[i], known as the ring of Gaussian integers, is a well-understood ring with many beautiful properties in complete analogy to the ring Z. The Gaussian integers are a unique factorization domain, as Z is. Each prime in Z[i] "lies over" an ordinary prime p in Z. If the prime p is 1 (mod 4), it can be written in the form a² + b², and then a + bi and a − bi are the two different primes of Z[i] that lie over p. (Each prime has 4 "associates" corresponding to multiplying by the 4 units: 1, −1, i, −i. Associated primes are considered the same prime, since the principal ideals they generate are exactly the same.) If the ordinary prime p is 3 (mod 4), then it remains prime in Z[i]. And the prime 2 has the single prime 1 + i (and its associates) lying over it. For more on the arithmetic of the Gaussian integers, see [Niven et al. 1991].

So we can see, for example, that 5i is definitely not a square in Z[i], since it has the prime factorization (2 + i)(1 + 2i), and 2 + i and 1 + 2i are different primes. (In contrast, 2i is a square: it is (1 + i)².) However, N(5i) = 25, and of course, 25 is recognized as a square in Z. The problem is that the norm function smashes together the two different primes 1 + 2i and 2 + i. We would like then to have some way to distinguish the different primes.

If our ring Z[α] in the number field sieve were actually a unique factorization domain, our challenge would be much simpler: Just form exponent vectors based on the prime factorization of the various elements a − bα. There is a problem with units, and if we were to take this route, we would also want to find a system of "fundamental units" and have coordinates in our exponent vectors for each of these. (In the case of Z[i] the fundamental unit is rather trivial, it is just i, and we can take for distinguished primes in each associate class the one that is in the first quadrant but not on the imaginary axis.) However, we shall see that the number field sieve can work just fine even if the ring Z[α] is far from being a unique factorization domain, and even if we have no idea about the units.

For each prime p, let R(p) denote the set of integers r ∈ [0, p − 1] with f(r) ≡ 0 (mod p). For example, if f(x) = x² + 1, then R(2) = {1}, R(3) = {}, and R(5) = {2, 3}. Then if a, b are coprime integers, F(a, b) ≡ 0 (mod p) if and only if a ≡ br (mod p) for some r ∈ R(p). Thus, if we discover that p | F(a, b), we also have a second piece of information, namely a number r ∈ R(p) with a ≡ br (mod p). (Actually, the sets R(p) are used in the sieve that we use to factor the numbers F(a, b). We may fix the number b and consider F(a, b) as a polynomial in the variable a. Then when sieving by the prime p, we sieve the residue classes a ≡ br (mod p) for multiples of p.) We keep track of this additional information in our exponent vectors. The field of coordinates of our exponent vectors that correspond to the factorization of F(a, b) will have entries for each pair p, r, where p is a prime ≤ B, and r ∈ R(p).

Let us again consider the polynomial f(x) = x² + 1. If B = 5, then exponent vectors for B-smooth members of Z[i] (that is, members of Z[i] whose norms are B-smooth integers) will have three coordinates, corresponding to the three pairs: (2, 1), (5, 2), and (5, 3). Then F(3, 1) = 10 has the exponent vector (1, 0, 1), F(2, 1) = 5 has the exponent vector (0, 1, 0), F(1, 1) = 2 has the exponent vector (1, 0, 0), F(2, −1) = 5 has the exponent vector (0, 0, 1).

Although F(3, 1)F(2, 1)F(1, 1) = 100 is a square, the exponent vectors allow us to see that (3 + i)(2 + i)(1 + i) is not a square: The sum of the three vectors modulo 2 is (0, 1, 1), which is not the zero vector. But now consider (3 + i)(2 − i)(1 + i) = 8 + 6i. The sum of the three corresponding exponent vectors modulo 2 is (0, 0, 0), and indeed, 8 + 6i is a square in Z[i].

This method is not foolproof. For example, though i has the zero vector as its exponent vector in the above scheme, it is not a square. If this were the only problem, namely the issue of units, we could fairly directly find a solution. However, this is not the only problem. Let I denote the ring of algebraic integers in the algebraic number field Q[α]. That is, I is the set of elements of Q[α] that are roots of some monic polynomial in Z[x]. The set I is closed under multiplication and addition.
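The (p, r) bookkeeping of the last two paragraphs, carried through in code as an added example (this is not code from the book). It computes R(p) and the factor base of pairs (p, r) for f(x) = x² + 1 with B = 5, builds the exponent vectors for the four pairs in the text, and shows that the subset (3, 1), (2, 1), (1, 1) sums to (0, 1, 1) modulo 2 while (3, 1), (2, −1), (1, 1) sums to the zero vector. A brute-force square test in Z[i] confirms both verdicts, and a norm-only vector (keyed by p alone, the first scheme discussed above) shows the failure the text warns about: it sums to zero for the non-square product. The bound B = 5, the pairs, and the square test are assumptions for illustration; a pair (a, b) is taken to stand for a − bi, the element the rule a ≡ br (mod p) actually labels, so the text's a + bi products appear here as their complex conjugates, which does not change whether they are squares. The matrix step is omitted: the two subsets are checked directly rather than found by linear algebra.

```python
"""Exponent vectors for the number field sieve, worked for f(x) = x^2 + 1.

Added example, not code from the book.  Assumed for illustration: the
factor-base bound B = 5, the small (a, b) pairs below, and a brute-force
square test in Z[i] used to confirm what the vectors predict.  A pair
(a, b) stands for the element a - b*i, matching the rule a = b*r (mod p).
"""
from functools import reduce
from math import gcd, isqrt
from typing import Callable, List, Optional, Tuple

Pair = Tuple[int, int]


def primes_up_to(B: int) -> List[int]:
    """Sieve of Eratosthenes: all primes <= B."""
    flags = [False, False] + [True] * (B - 1)
    for p in range(2, isqrt(B) + 1):
        if flags[p]:
            for m in range(p * p, B + 1, p):
                flags[m] = False
    return [p for p, ok in enumerate(flags) if ok]


def roots_mod_p(f: Callable[[int], int], p: int) -> List[int]:
    """R(p): residues r in [0, p-1] with f(r) = 0 (mod p), by brute force
    (fine for a toy factor base; a real sieve uses root finding mod p)."""
    return [r for r in range(p) if f(r) % p == 0]


def factor_base(f: Callable[[int], int], B: int) -> List[Pair]:
    """One coordinate per pair (p, r) with p <= B prime and r in R(p)."""
    return [(p, r) for p in primes_up_to(B) for r in roots_mod_p(f, p)]


def exponent_vector(a: int, b: int, F: Callable[[int, int], int],
                    fb: List[Pair]) -> Optional[List[int]]:
    """Exponent vector of a - b*alpha indexed by (p, r).  For coprime a, b
    with p | F(a, b), b is invertible mod p, so exactly one r in R(p) has
    a = b*r (mod p); the whole power of p in F(a, b) goes to that coordinate.
    Returns None when F(a, b) is not B-smooth."""
    if gcd(a, b) != 1:
        raise ValueError("a and b must be coprime")
    n, vec = abs(F(a, b)), [0] * len(fb)
    for i, (p, r) in enumerate(fb):
        if (a - b * r) % p:
            continue                        # not the root this p sits over
        while n % p == 0:
            n //= p
            vec[i] += 1
    return vec if n == 1 else None


def norm_only_vector(a: int, b: int, F: Callable[[int, int], int],
                     primes: List[int]) -> Optional[List[int]]:
    """The coarser vector keyed by p alone: what the norm N(a - b*alpha)
    sees.  It cannot tell apart the primes of Z[alpha] lying over p."""
    n, vec = abs(F(a, b)), [0] * len(primes)
    for i, p in enumerate(primes):
        while n % p == 0:
            n //= p
            vec[i] += 1
    return vec if n == 1 else None


def sum_mod2(vectors: List[List[int]]) -> List[int]:
    """Coordinate-wise sum modulo 2; all zeros means 'candidate square'."""
    return [sum(col) % 2 for col in zip(*vectors)]


# Gaussian integers Z[i] as (re, im) pairs; the pair (a, b) denotes a - b*i.
def gmul(x: Pair, y: Pair) -> Pair:
    (a, b), (c, d) = x, y
    return (a * c - b * d, a * d + b * c)


def gprod(zs: List[Pair]) -> Pair:
    return reduce(gmul, zs, (1, 0))


def element(a: int, b: int) -> Pair:
    return (a, -b)


def is_gaussian_square(z: Pair) -> bool:
    """z = w^2 forces N(w)^2 = N(z), so only the few w with norm sqrt(N(z))
    need checking."""
    nz = z[0] ** 2 + z[1] ** 2
    m = isqrt(nz)
    if m * m != nz:
        return False                        # N(z) is not even a square in Z
    k = isqrt(m)
    return any(c * c + d * d == m and gmul((c, d), (c, d)) == z
               for c in range(-k, k + 1) for d in range(-k, k + 1))


if __name__ == "__main__":
    f = lambda x: x * x + 1
    F = lambda a, b: a * a + b * b          # N(a - b*i) for f = x^2 + 1
    fb = factor_base(f, 5)                  # [(2, 1), (5, 2), (5, 3)]
    for S in ([(3, 1), (2, 1), (1, 1)], [(3, 1), (2, -1), (1, 1)]):
        vecs = [exponent_vector(a, b, F, fb) for a, b in S]
        print(S, vecs, sum_mod2(vecs),
              is_gaussian_square(gprod([element(a, b) for a, b in S])))
```

Running the script prints the two subsets with their (p, r) vectors, the sum modulo 2, and the Z[i] square test; the first subset gets (0, 1, 1) and False, the second (0, 0, 0) and True, while norm_only_vector over [2, 3, 5] sums to (0, 0, 0) for both, which is exactly the ambiguity the (p, r) coordinates remove. As the text notes, the check is still only necessary, not sufficient: the unit i has the zero vector and is not a square.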