Prime Numbers


282 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

Then $N(a - b\alpha) = F(a, b)$. That is, $N(a - b\alpha)$ may be viewed quite explicitly as a polynomial in the two variables $a, b$. Thus, we can arrange for the product of $N(a - b\alpha)$ for $(a, b) \in S$ to be a square by letting $a, b$ run so that $|a|, |b| \le M$, using a sieve to detect $B$-smooth values of $F(a, b)$, forming the corresponding exponent vectors, and using matrix methods to find the subset $S$. And if we want $S$ also to have the first property, that the product of the $a - bm$ is also a square in $\mathbb{Z}$, then we alter the procedure to sieve for smooth values of $F(a, b)G(a, b)$, this product, too, being a polynomial in the variables $a, b$. For the smooth values we create exponent vectors with two fields of coordinates. The first field corresponds to the prime factorization of $F(a, b)$, and the second to the prime factorization of $G(a, b)$. These longer exponent vectors are then collected into a matrix, and again we can do linear algebra modulo 2. Before, we needed just $\pi(B) + 2$ vectors to ensure success. Now we need $2\pi(B) + 3$ vectors to ensure success, since each vector will have $2\pi(B) + 2$ coordinates: the first half for the prime factorization of $F(a, b)$, and the second half for the prime factorization of $G(a, b)$. So we need only to collect twice as many vectors, and then we can accomplish both tasks simultaneously.

We return now to the question of sufficiency. That is, if $N(\beta)$ is a square in $\mathbb{Z}$ and $\beta \in \mathbb{Z}[\alpha]$, must it be true that $\beta$ is a square in $\mathbb{Z}[\alpha]$? The answer is a resounding no. It is perhaps instructive to look at a simple example. Consider the case $f(x) = x^2 + 1$, and let us denote a root by the symbol "$i$" (as one might have guessed). Then $N(a + bi) = a^2 + b^2$. If $a^2 + b^2$ is a square in $\mathbb{Z}$, then $a + bi$ need not be a square in $\mathbb{Z}[i]$. For example, if $a$ is a positive, nonsquare integer, then it is also a nonsquare in $\mathbb{Z}[i]$, yet $N(a) = a^2$ is a square in $\mathbb{Z}$.

Actually, the ring $\mathbb{Z}[i]$, known as the ring of Gaussian integers, is a well-understood ring with many beautiful properties in complete analogy to the ring $\mathbb{Z}$. The Gaussian integers are a unique factorization domain, as $\mathbb{Z}$ is. Each prime in $\mathbb{Z}[i]$ "lies over" an ordinary prime $p$ in $\mathbb{Z}$. If the prime $p$ is $1 \pmod 4$, it can be written in the form $a^2 + b^2$, and then $a + bi$ and $a - bi$ are the two different primes of $\mathbb{Z}[i]$ that lie over $p$. (Each prime has 4 "associates" corresponding to multiplying by the 4 units: $1, -1, i, -i$. Associated primes are considered the same prime, since the principal ideals they generate are exactly the same.) If the ordinary prime $p$ is $3 \pmod 4$, then it remains prime in $\mathbb{Z}[i]$. And the prime 2 has the single prime $1 + i$ (and its associates) lying over it. For more on the arithmetic of the Gaussian integers, see [Niven et al. 1991]. So we can see, for example, that $5i$ is definitely not a square in $\mathbb{Z}[i]$, since it has the prime factorization $(2 + i)(1 + 2i)$, and $2 + i$ and $1 + 2i$ are different primes. (In contrast, $2i$ is a square; it is $(1 + i)^2$.) However, $N(5i) = 25$, and of course, 25 is recognized as a square in $\mathbb{Z}$. The problem is that the norm function smashes together the two different primes $1 + 2i$ and $2 + i$. We would like then to have some way to distinguish the different primes. If our ring $\mathbb{Z}[\alpha]$ in the number field sieve were actually a unique factorization domain, our challenge would be much simpler: Just form exponent vectors based on the prime factorization of the various elements

6.2 Number field sieve 283

$a - b\alpha$. There is a problem with units, and if we were to take this route, we would also want to find a system of "fundamental units" and have coordinates in our exponent vectors for each of these. (In the case of $\mathbb{Z}[i]$ the fundamental unit is rather trivial, it is just $i$, and we can take for distinguished primes in each associate class the one that is in the first quadrant but not on the imaginary axis.)

However, we shall see that the number field sieve can work just fine even if the ring $\mathbb{Z}[\alpha]$ is far from being a unique factorization domain, and even if we have no idea about the units.

For each prime $p$, let $R(p)$ denote the set of integers $r \in [0, p - 1]$ with $f(r) \equiv 0 \pmod p$. For example, if $f(x) = x^2 + 1$, then $R(2) = \{1\}$, $R(3) = \{\}$, and $R(5) = \{2, 3\}$. Then if $a, b$ are coprime integers,

$$F(a, b) \equiv 0 \pmod p \quad\text{if and only if}\quad a \equiv br \pmod p \text{ for some } r \in R(p).$$

Thus, if we discover that $p \mid F(a, b)$, we also have a second piece of information, namely a number $r \in R(p)$ with $a \equiv br \pmod p$. (Actually, the sets $R(p)$ are used in the sieve that we use to factor the numbers $F(a, b)$. We may fix the number $b$ and consider $F(a, b)$ as a polynomial in the variable $a$. Then when sieving by the prime $p$, we sieve the residue classes $a \equiv br \pmod p$ for multiples of $p$.) We keep track of this additional information in our exponent vectors. The field of coordinates of our exponent vectors that correspond to the factorization of $F(a, b)$ will have entries for each pair $p, r$, where $p$ is a prime $\le B$, and $r \in R(p)$.

Let us again consider the polynomial $f(x) = x^2 + 1$. If $B = 5$, then exponent vectors for $B$-smooth members of $\mathbb{Z}[i]$ (that is, members of $\mathbb{Z}[i]$ whose norms are $B$-smooth integers) will have three coordinates, corresponding to the three pairs: $(2, 1)$, $(5, 2)$, and $(5, 3)$. Then

$F(3, 1) = 10$ has the exponent vector $(1, 0, 1)$,
$F(2, 1) = 5$ has the exponent vector $(0, 1, 0)$,
$F(1, 1) = 2$ has the exponent vector $(1, 0, 0)$,
$F(2, -1) = 5$ has the exponent vector $(0, 0, 1)$.

Although $F(3, 1)F(2, 1)F(1, 1) = 100$ is a square, the exponent vectors allow us to see that $(3 + i)(2 + i)(1 + i)$ is not a square: The sum of the three vectors modulo 2 is $(0, 1, 1)$, which is not the zero vector. But now consider $(3 + i)(2 - i)(1 + i) = 8 + 6i$. The sum of the three corresponding exponent vectors modulo 2 is $(0, 0, 0)$, and indeed, $8 + 6i$ is a square in $\mathbb{Z}[i]$.

This method is not foolproof. For example, though $i$ has the zero vector as its exponent vector in the above scheme, it is not a square. If this were the only problem, namely the issue of units, we could fairly directly find a solution. However, this is not the only problem.

Let $I$ denote the ring of algebraic integers in the algebraic number field $\mathbb{Q}[\alpha]$. That is, $I$ is the set of elements of $\mathbb{Q}[\alpha]$ that are the root of some monic polynomial in $\mathbb{Z}[x]$. The set $I$ is closed under multiplication and addition.
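As an added worked example (this code is not from the book), the following Python computes the sets $R(p)$ and the $(p, r)$-indexed exponent vectors for $f(x) = x^2 + 1$ with $B = 5$, reproduces the four vectors listed above, takes the two parity sums, and then checks directly in $\mathbb{Z}[i]$ that $8 + 6i$ is a square while $(3 + i)(2 + i)(1 + i) = 10i$ and the unit $i$ are not. The coordinate $r$ for a prime $p \mid F(a, b)$ is recovered as $a \cdot b^{-1} \bmod p$, which is well defined because $\gcd(a, b) = 1$ forces $b$ to be invertible modulo $p$. The helper names, the coefficient-list representation of $f$, and the brute-force square-root search in $\mathbb{Z}[i]$ are my own choices; the book specifies no such routines.

```python
# Added example: (p, r)-indexed exponent vectors for a - b*alpha, f(x) = x^2 + 1, B = 5.
from math import gcd, isqrt
from typing import List, Optional, Tuple

# f(x) = x^2 + 1 as a coefficient list, lowest degree first (an assumed representation).
F_COEFFS = [1, 0, 1]
B = 5


def small_primes(bound: int) -> List[int]:
    """Primes <= bound by trial division (bound is tiny in this example)."""
    return [p for p in range(2, bound + 1)
            if all(p % q for q in range(2, isqrt(p) + 1))]


def roots_mod_p(coeffs: List[int], p: int) -> List[int]:
    """R(p): residues r in [0, p-1] with f(r) = 0 (mod p)."""
    return [r for r in range(p)
            if sum(c * pow(r, k, p) for k, c in enumerate(coeffs)) % p == 0]


def homogeneous_norm(coeffs: List[int], a: int, b: int) -> int:
    """F(a, b) = b^d f(a/b) = N(a - b*alpha); for x^2 + 1 this is a^2 + b^2."""
    d = len(coeffs) - 1
    return sum(c * a ** k * b ** (d - k) for k, c in enumerate(coeffs))


def index_pairs(coeffs: List[int], bound: int) -> List[Tuple[int, int]]:
    """One coordinate per pair (p, r) with p <= bound prime and r in R(p)."""
    return [(p, r) for p in small_primes(bound) for r in roots_mod_p(coeffs, p)]


def exponent_vector(coeffs: List[int], a: int, b: int, bound: int) -> Optional[List[int]]:
    """Exponent vector of a - b*alpha over the (p, r) pairs, or None if F(a, b)
    is not bound-smooth. Requires gcd(a, b) = 1, so b is invertible mod every
    prime p dividing F(a, b) and r = a * b^{-1} mod p is the unique r in R(p)
    with a = b*r (mod p)."""
    if gcd(a, b) != 1:
        raise ValueError("a and b must be coprime")
    pairs = index_pairs(coeffs, bound)
    vec = [0] * len(pairs)
    n = abs(homogeneous_norm(coeffs, a, b))  # the sign is a unit question, ignored here
    for p in small_primes(bound):
        e = 0
        while n % p == 0:
            n //= p
            e += 1
        if e:
            r = (a * pow(b, -1, p)) % p       # modular inverse: Python 3.8+
            vec[pairs.index((p, r))] = e
    return vec if n == 1 else None


def parity_sum(vectors: List[List[int]]) -> List[int]:
    """Coordinatewise sum modulo 2: the matrix-step test for a candidate square."""
    return [sum(col) % 2 for col in zip(*vectors)]


Gaussian = Tuple[int, int]  # x + y*i


def gaussian_product(elems: List[Gaussian]) -> Gaussian:
    """Multiply Gaussian integers; as in the book, the pair (a, b) is read as a + b*i."""
    x, y = 1, 0
    for c, d in elems:
        x, y = x * c - y * d, x * d + y * c
    return (x, y)


def gaussian_square_root(z: Gaussian) -> Optional[Gaussian]:
    """Brute-force (x + y*i)^2 = z, or None if z is not a square in Z[i].
    If z = w^2 then N(w) = x^2 + y^2 = sqrt(N(z)), which bounds the search."""
    a, b = z
    norm = a * a + b * b
    s = isqrt(norm)
    if s * s != norm:
        return None
    bound = isqrt(s)
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            if x * x - y * y == a and 2 * x * y == b:
                return (x, y)
    return None


def demo() -> None:
    print("coordinates:", index_pairs(F_COEFFS, B))          # [(2, 1), (5, 2), (5, 3)]
    for subset in ([(3, 1), (2, 1), (1, 1)], [(3, 1), (2, -1), (1, 1)]):
        vecs = [exponent_vector(F_COEFFS, a, b, B) for a, b in subset]
        prod = gaussian_product(subset)
        print(subset, "vectors", vecs, "parity", parity_sum(vecs),
              "product", prod, "sqrt", gaussian_square_root(prod))
    # The unit caveat: i = (0, 1) has the zero vector but is not a square.
    print("i:", exponent_vector(F_COEFFS, 0, 1, B), gaussian_square_root((0, 1)))


if __name__ == "__main__":
    demo()
```

Running `demo()` prints the coordinate list $(2,1), (5,2), (5,3)$, the parity sums $(0,1,1)$ and $(0,0,0)$ for the two subsets, the products $10i$ and $8 + 6i$, and a square root only for the second; the last line shows the zero vector for $i$ next to `None`, which is exactly the unit problem the text raises.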

