Prime Numbers

286 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS
use here the notation of (6.1).) This heuristic upper bound can actually be
rigorously proved as a two-sided estimate via the following theorem.
Theorem 6.2.2 (Pomerance 1996a). Suppose m1,m2,... is a sequence of
integers in [1,X], each chosen independently and with uniform distribution.
Let N be the least integer such that a nonempty subsequence from
m1,m2,...,mN has product being a square. Then the expected value for N
is L(X) √ 2+o(1) . The same expectation holds if we also insist that each mj
used in the product be B-smooth, with B = L(X) 1/√ 2 .
Thus, in some sense, smooth numbers are forced upon us, and are not merely
an artifact. Interestingly, there is an identical theorem for the random variable
N ′ , being the least integer such that m1,m2,...,mN ′ are “multiplicatively
dependent”, which means that there are integers a1,a2,...,aN ′, not all zero,
such that m aj
j = 1. (Equivalently, the numbers ln m1, ln m2,...,ln mN ′ are
linearly dependent over Q.)
In the QS analysis, the bound X is n1/2+o(1) , and this is where we get
the complexity L(n) 1+o(1) for QS. This complexity estimate is not a theorem,
since the numbers we are looking at to form squares are not random—we just
assume they are random for convenience in the analysis.
This approach, then, seems like a relatively painless way to do a complexity
analysis. Just find the bound X for the numbers that we are trying to
combine to make squares. The lower X is, the lower the complexity of the
algorithm. In NFS the integers that we deal with are the values of the
polynomial F (x, y)G(x, y), where F (x, y) = xd + cd−1xd−1y + ··· + c0yd and G(x, y) = x − my. We will ignore the fact that integers of the form
F (a, b)G(a, b) are already factored into the product of two numbers, and
so may be more likely to be smooth than random numbers of the same
magnitude, since this property has little effect on the asymptotic complexity.
Let us assume that the integer m in NFS is bounded by n1/d , the
coefficients cj of the polynomial f(x) are also bounded by n1/d , and that
we investigate values of a, b with |a|, |b| ≤M. Then a bound for the numbers
|F (a, b)G(a, b)| is 2(d +1)n2/dM d+1 .IfwecallthisnumberX, thenfrom
Theorem 6.2.2, we might expect to have to look at L(X) √ 2+o(1) pairs a, b
to find enough to be used to complete the algorithm. Thus, M should
satisfy the constraint M 2 = L(X) √ 2+o(1) . Putting this into the equation
X =2(d +1)n2/dM d+1 and taking the logarithm of both sides, we have
ln X ∼ ln(2(d + 1)) + 2
1
ln n +(d +1) ln X ln ln X. (6.8)
d 2
It is clear that the first term on the right is negligible compared to the
third term. Suppose first that d is fixed; that is, we are going to analyze
the complexity of NFS when we fix the degree of the polynomial f(x), and
assume that n →∞. Then the last term on the right of (6.8) is small compared