Prime Numbers


thales.doa.fmph.uniba.sk
10.12.2012

294 Chapter 6 SUBEXPONENTIAL FACTORING ALGORITHMS

        }
        Install the exponent vector $v(a - b\alpha)$ as the next row of the matrix;
    4. [Linear algebra]
        By some method of linear algebra (see Section 6.1.3), find a nonempty subset $S$ of $S'$ such that $\sum_{(a,b)\in S} v(a - b\alpha)$ is the 0-vector (mod 2);
    5. [Square roots]
        Use the known prime factorization of the integer square $\prod_{(a,b)\in S} (a - bm)$ to find a residue $v$ mod $n$ with $\prod_{(a,b)\in S} (a - bm) \equiv v^2 \pmod n$;
        By some method, such as those of Section 6.2.5, find a square root $\gamma$ in $\mathbb{Z}[\alpha]$ of $f'(\alpha)^2 \prod_{(a,b)\in S} (a - b\alpha)$, and, via simple replacement $\alpha \to m$, compute $u = \phi(\gamma) \pmod n$;
    6. [Factorization]
        return $\gcd(u - f'(m)v,\ n)$;

If the divisor of n that is reported in Algorithm 6.2.5 is trivial, one has the option of finding more linear dependencies in the matrix and trying again. If we run out of linear dependencies, one again has the option to sieve further to find more rows for the matrix, and so have more linear dependencies.

6.2.7 NFS: Further considerations

As with the basic quadratic sieve, there are many "bells and whistles" that may be added to the number field sieve to make it an even better factorization method. In this section we shall briefly discuss some of these improvements.

Free relations

Suppose p is a prime in the "factor base," that is, $p \le B$. Our exponent vectors have a coordinate corresponding to p as a possible prime factor of $a - bm$, and $\#R(p)$ further coordinates corresponding to integers $r \in R(p)$. (Recall that $R(p)$ is the set of residues r (mod p) with $f(r) \equiv 0 \pmod p$.) On average, $\#R(p)$ is 1, but it can be as low as 0 (in the case that f(x) has no roots (mod p)), or it can be as high as d, the degree of f(x) (in the case that f(x) splits into d distinct linear factors (mod p)). In this latter case, we have that the product of the prime ideals $(p, \alpha - r)$ in the full ring of algebraic integers in $\mathbb{Q}[\alpha]$ is $(p)$.

Suppose p is a prime with $p \le B$, and $R(p)$ has d members. Let us throw into our matrix an extra row vector $v(p)$, which has 1's in the coordinates corresponding to p and to each pair p, r where $r \in R(p)$. Also, in the final field of k coordinates corresponding to the quadratic characters modulo $q_j$ for $j = 1, \ldots, k$, put a 0 in place j of $v(p)$ if $\left(\frac{p}{q_j}\right) = 1$ and put a 1 in place j if $\left(\frac{p}{q_j}\right) = -1$. Such a vector $v(p)$ is called a free relation, since it is found in the precomputations, and not in the sieving stage. Now, when we find a subset of rows that sum to the zero vector mod 2, we have that the subset corresponds to a set S of coprime pairs a, b and a set F of free relations. Let w be the product of the primes p corresponding to the free relations in F.

6.2 Number field sieve 295

Then it should be that
$$w f'(\alpha)^2 \prod_{(a,b)\in S} (a - b\alpha) = \gamma^2, \quad \text{for some } \gamma \in \mathbb{Z}[\alpha],$$
$$w f'(m)^2 \prod_{(a,b)\in S} (a - bm) = v^2, \quad \text{for some } v \in \mathbb{Z}.$$
Then if $\phi(\gamma) = u$, we have $u^2 \equiv v^2 \pmod n$, as before.

The advantage of free relations is that the more of them there are, the fewer relations need be uncovered in the time-consuming sieve stage. Also, the vectors $v(p)$ are sparser than a typical exponent vector $v(a, b)$, so including free relations allows the matrix stage to run faster.

So, how many free relations do we expect to find? A free relation corresponds to a prime p that splits completely in the algebraic number field $\mathbb{Q}(\alpha)$. Let g be the order of the splitting field of f(x); that is, the Galois closure of $\mathbb{Q}(\alpha)$ in the complex numbers. It follows from the Chebotarev density theorem that the number of primes p up to a bound X that split completely in $\mathbb{Q}(\alpha)$ is asymptotically $\frac{1}{g}\pi(X)$, as $X \to \infty$. That is, on average, 1 out of every g prime numbers corresponds to a free relation. Assuming that our factor base bound B is large enough so that the asymptotics are beginning to take over (this is yet another heuristic, but reasonable, assumption), we thus should expect about $\frac{1}{g}\pi(B)$ free relations. Now, the order g of the splitting field could be as small as d, the degree of f(x), or as high as $d!$. Obviously, the smaller g is, the more free relations we should expect. Unfortunately, the generic case is $g = d!$. That is, for most irreducible polynomials f(x) in $\mathbb{Z}[x]$ of degree d, the order of the splitting field of f(x) is $d!$. So, for example, if d = 5, we should expect only about $\frac{1}{120}\pi(B)$ free relations, if we choose our polynomial f(x) according to the scheme in Step [Setup] in Algorithm 6.2.5. Since our vectors have about $2\pi(B)$ coordinates, the free relations in this case would only reduce the sieving time by less than one-half of 1 per cent. But still, it is free, so to speak, and every little bit helps.

Free relations can help considerably more in the case of special polynomials f(x) with small splitting fields. For example, in the factorization of the ninth Fermat number $F_9$, the polynomial $f(x) = x^5 + 8$ was used. The order of the splitting field here is 20, so free relations allowed the sieving time to be reduced by about 2.5%.

Partial relations

As in the quadratic sieve method, sieving in the number field sieve not only reveals those pairs a, b where both of the numbers $N(a - b\alpha) = F(a, b) = b^d f(a/b)$ and $a - bm$ are B-smooth, but also pairs a, b where one or both of these numbers are a B-smooth number times one somewhat larger prime. If we allow relations that have such large primes, at most one each for $N(a - b\alpha)$ and $a - bm$, we then have a data structure not unlike the quadratic sieve with the double large-prime variation; see Section 6.1.4. It has also been suggested that reports can be used with $N(a - b\alpha)$ having two large primes and $a - bm$
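Steps 4 and 6 of the algorithm above (the GF(2) linear algebra, the congruence of squares, and the "try the next dependency if the divisor is trivial" retry), as an added Python example that is not code from the book. To stay self-contained it works on the rational side only, with relations of the form x² ≡ (B-smooth residue) (mod n) as in Dixon's method or the quadratic sieve, so the algebraic square root of step 5 and the f′(m) factor do not appear; the modulus n = 1649 = 17 · 97, the candidate x values and the factor base {2, 5, 7} are constructed for the demonstration.

```python
"""Added example (not the book's code): GF(2) dependencies among exponent
vectors, turned into a congruence of squares u^2 = v^2 (mod n) and a gcd.
Rational-side toy only; the NFS algebraic square root is not implemented."""
from math import gcd, prod


def smooth_exponents(value, factor_base):
    """Exponent vector of value over factor_base, or None if value is not smooth."""
    exps = []
    for p in factor_base:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        exps.append(e)
    return exps if value == 1 else None


def gf2_dependencies(parity_rows):
    """Gaussian elimination over GF(2).  Each row is an int whose bit k is the
    parity of exponent k.  Whenever a row reduces to zero, the original rows
    XORed into it form a nonempty subset S whose vectors sum to 0 (mod 2)."""
    pivots = {}          # leading bit -> (reduced row, mask of original rows in it)
    deps = []
    for i, vec in enumerate(parity_rows):
        track = 1 << i
        while vec:
            high = vec.bit_length() - 1
            if high not in pivots:
                pivots[high] = (vec, track)
                break
            pvec, ptrack = pivots[high]
            vec ^= pvec
            track ^= ptrack
        else:                # vec reached 0 without creating a pivot: a dependency
            deps.append([j for j in range(i + 1) if track >> j & 1])
    return deps


def factor_by_congruent_squares(n, xs, factor_base):
    """Collect smooth relations x^2 = prod p^e (mod n), find subsets S with all
    exponents even, and return the first nontrivial gcd(u - v, n), or None if
    every dependency is exhausted (the text's cue to sieve for more rows)."""
    relations = []
    for x in xs:
        exps = smooth_exponents(x * x % n, factor_base)
        if exps is not None:                       # keep only B-smooth residues
            relations.append((x, exps))
    rows = [sum((e & 1) << k for k, e in enumerate(exps)) for _, exps in relations]
    for subset in gf2_dependencies(rows):
        u = prod(relations[i][0] for i in subset) % n
        total = [sum(relations[i][1][k] for i in subset) for k in range(len(factor_base))]
        # every entry of total is even, so the integer square root is exact
        v = prod(p ** (e // 2) for p, e in zip(factor_base, total)) % n
        d = gcd(u - v, n)
        if 1 < d < n:
            return d
    return None


if __name__ == "__main__":
    # Constructed toy: n = 17 * 97.  41^2, 43^2 and 47^2 mod n are {2,5,7}-smooth
    # (32, 200, 560); 42^2 mod n = 115 = 5 * 23 is not and is discarded.
    print(factor_by_congruent_squares(1649, [41, 42, 43, 47], [2, 5, 7]))
```

The single dependency found is {41, 43}: 41² · 43² ≡ 2⁸ · 5² (mod 1649), so u = 41 · 43 mod 1649 = 114, v = 2⁴ · 5 = 80, and gcd(114 − 80, 1649) = 17. In the real NFS the rows also carry the algebraic coordinates and quadratic-character bits, and v is replaced by f′(m)v, but the elimination and the retry loop are the same.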
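The free-relation count for the F9 polynomial f(x) = x⁵ + 8 discussed above, as an added Python example that is not code from the book. It computes R(p) for every prime p ≤ B by direct evaluation, lists the primes with #R(p) = d (those whose v(p) is a free relation), compares their number with the Chebotarev estimate π(B)/g using g = 20 from the text, and assembles the sparse row v(p) with its quadratic-character coordinates. The bound B, the quadratic-character primes q_j = 3, 7, 11 and the coordinate labels are constructed choices for the demonstration.

```python
"""Added example (not the book's code): free relations for x^5 + 8."""
from math import isqrt

# The F9 polynomial f(x) = x^5 + 8 named in the text (d = 5), constant term first.
# Its splitting-field order g = 20 is taken from the text.
F9_POLY = [8, 0, 0, 0, 0, 1]
F9_SPLITTING_ORDER = 20


def primes_up_to(bound):
    """Sieve of Eratosthenes: all primes p <= bound."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = b"\x00" * len(sieve[i * i::i])
    return [p for p in range(bound + 1) if sieve[p]]


def roots_mod_p(poly, p):
    """R(p): residues r (mod p) with f(r) = 0 (mod p), by evaluating f at every
    residue with Horner's rule (adequate for the small p of a factor base)."""
    roots = []
    for r in range(p):
        value = 0
        for coeff in reversed(poly):
            value = (value * r + coeff) % p
        if value == 0:
            roots.append(r)
    return roots


def free_relation_primes(poly, bound):
    """Primes p <= bound with #R(p) = d: f splits completely mod p, (p) is the
    product of the d prime ideals (p, alpha - r), and v(p) is a free relation."""
    d = len(poly) - 1
    return [p for p in primes_up_to(bound) if len(roots_mod_p(poly, p)) == d]


def total_roots(poly, bound):
    """Sum of #R(p) over primes p <= bound; the text says #R(p) averages 1."""
    return sum(len(roots_mod_p(poly, p)) for p in primes_up_to(bound))


def free_relation_vector(p, roots, quad_char_primes):
    """The row v(p) as the set of coordinates holding a 1: the rational
    coordinate for p, one algebraic coordinate per pair (p, r) with r in R(p),
    and a character coordinate for each q_j with Legendre symbol (p/q_j) = -1.
    Assumes each q_j is an odd prime different from p (constructed choice)."""
    coords = {("rational", p)}
    coords |= {("algebraic", p, r) for r in roots}
    for q in quad_char_primes:
        if pow(p, (q - 1) // 2, q) == q - 1:    # Euler's criterion: (p/q) = -1
            coords.add(("char", q))
    return coords


if __name__ == "__main__":
    B = 2000                                  # constructed factor-base bound
    found = free_relation_primes(F9_POLY, B)
    estimate = len(primes_up_to(B)) / F9_SPLITTING_ORDER
    print(f"free relations up to {B}: {len(found)}; Chebotarev estimate {estimate:.1f}")
    print(f"average #R(p) up to {B}: {total_roots(F9_POLY, B) / len(primes_up_to(B)):.2f}")
    p = found[0]
    print(f"v({p}) =", sorted(free_relation_vector(p, roots_mod_p(F9_POLY, p), [3, 7, 11])))
```

For x⁵ + 8 every prime p ≢ 1 (mod 5) has exactly one root (x ↦ x⁵ is a bijection on the residues), so #R(p) is 0 or 5 only for p ≡ 1 (mod 5); up to 200 the only completely split prime is p = 151, against an estimate of π(200)/20 ≈ 2.3, and the count up to 2000 lands near π(2000)/20 ≈ 15. Each v(p) has just d + 1 ones plus at most k character bits, which is the sparsity the text credits for a faster matrix stage.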

