Prime Numbers

longer than a trial division search for the prime factor p, since if we search

pairs other than to examine all of them. This is a orded by a fabulous

gcd(F (i)(s) − F (2i)(s), n) for i = 1, 2, . . ., and this should terminate with a nontrivial factorization of n in O(√p) steps, where p is the least prime factor of n.

Algorithm 5.2.1 (Pollard rho factorization method). We are given a composite number n. This algorithm attempts to find a nontrivial factor of n.

A pleasant feature of the Pollard rho method is that very little space is required: Only the number n that is being factored and the current values of U, V need be kept in memory.

The main loop, Step [Factor search], involves 3 modular multiplications (actually squarings) and a gcd computation. In fact, with the cost of one extra modular multiplication, one may put o the gcd calculation so that it is performed only rarely. Namely, the numbers U − V may be accumulated (multiplied all together) modulo n for k iterations, and then the gcd of this modular product is taken with n. So if k is 100, say, the amortized cost of performing a gcd is made negligible, so that one generic loop consists of 3 modular squarings and one modular multiplication.

It is certainly possible for the gcd at Step [Bad seed] to be n itself, and the chance for this is enhanced if one uses the above idea to put o performing gcd’s. However, this defect can be mitigated by storing the values U, V at the last gcd. If the next gcd is n, one can return to the stored values U, V and proceed one step at a time, performing a gcd at each step.

There are actually many choices for the function F (x). The key criterion is that the iterates of F modulo p should not have long ρ’s, or as [Guy 1976] calls them, “epacts.” The epact of a prime p with respect to a function F from Zp to Zp is the largest k for which there is an s with F (0)(s), F (1)(s), . . . , F (k)(s) all distinct. (Actually we have taken some liberty with this definition, originally Guy defined it as the number of iterates to discover the factor p.)

So a poor choice for a function F (x) is ax + b, since the epact for a prime p is the multiplicative order of a modulo p (when a ≡1 (mod p)), usually a large divisor of p − 1. (When a ≡ 1 (mod p) and b ≡0 (mod p), the epact is p.)

Even among quadratic functions x2 + b there can be poor choices, for

If we happen to know some information about the prime factors p of n, it may pay to use higher-degree polynomials. For example, since all prime factors of the Fermat number Fk are congruent to 1 (mod 2k+2) when k ≥ 2 (see Theorem 1.3.5), one might use x2k+2 + 1 for the function F when attempting to factor Fk by the Pollard rho method. One might expect the epact for

a prime factor p of F to be smaller than that of x2 + 1 by a factor of

√ k

about 2k+1. To see this consider the following probabilistic model. (Note that a more refined probabilistic model that agrees somewhat better with the available data is given in [Brent and Pollard 1981]. Also see Exercise 5.2.) Iterating x2 + 1 might be thought of as a random walk through the set of

penalty to using x2k+2 + 1, since a typical loop now involves 3(k + 2) modular squarings and one modular multiplication. For large k the benefit is evident. In this connection see Exercise 5.24. Such acceleration was used successfully in [Brent and Pollard 1981] to factor F8, historically the most spectacular factorization achieved with the Pollard rho method. The work of Brent and Pollard also discusses a somewhat faster cycle-finding method, which is to save certain iterate values and comparing future ones with those, as an alternative to the Floyd cycle-finding method.

5.2.2Pollard rho method for discrete logarithms

Pollard has also suggested a rho method for discrete logarithm computations, but it does not involve iterating x2 + 1, or any simple polynomial for that matter, [Pollard 1978]. If we are given a finite cyclic group G and a generator g of G, the discrete logarithm problem for G is to express given elements of G in the form gl, where l is an integer. The rho method can be used for any group for which it is possible to perform the group operation and for which we can assign numerical labels to the group elements. However, we shall discuss it for the specific group Zp of nonzero residues modulo p, where p is a prime greater than 3.

We view the elements of Zp as integers in {1, 2, . . . , p − 1}. Let g be a generator and let t be an arbitrary element. Our goal is to find an integer l such that gl = t; that is, t = gl mod p. Since the order of g is p − 1, it is really a residue class modulo (p − 1) that we are searching for, not a specific integer l, though of course, we might request the least nonnegative value.

Consider a sequence of pairs (ai, bi) of integers modulo (p − 1) and a sequence (xi) of integers modulo p such that xi = tai gbi mod p, and we begin with the initial values a0 = b0 = 0, x0 = 1. The rule for getting the i + 1

Since which third of the interval [0, p] an element is in has seemingly nothing to do with the group Zp, one may think of the sequence (xi)√as “random,” and so it may be that there are numbers j, k with j < k = O( p) with xj = xk. If we can find such a pair j, k, then we have taj gbj = tak gbk , so that if l is the discrete logarithm of t, we have

(aj − ak)l ≡ bk − bj (mod (p − 1)).

If aj − ak is coprime to p − 1, this congruence may be solved for the discrete logarithm l. If the gcd of aj − ak with p − 1 is d > 1, then we may solve for l modulo (p − 1)/d, say l ≡ l0 (mod (p − 1)/d). Then l = l0 + m(p − 1)/d for some m = 0, 1, . . . , d − 1, so if d is small, these various possibilities may be checked.

As with the rho method for factoring, we use the Floyd cycle-finding algorithm. Thus, at the i-th stage of the algorithm we have at hand both xi, ai, bi and x2i, a2i, b2i. If xi = x2i, then we have our cycle match. If not, we go to the (i + 1)-th stage, computing xi+1, ai+1, bi+1 from xi, ai, bi and

The usual case where this method is applied is when the order n is prime, so as long as the various random numbers r chosen at the start by each node are all distinct modulo n, then the above congruence can be easily solved for the discrete logarithm l. (This is true unless we have the misfortune that the collision occurs on one of the nodes; that is, r = r . However, if the number of nodes is large, an internodal collision is much more likely than an intranodal collision.)

It is also possible to use the pseudorandom function discussed in Section 5.2.2 in connection with the lambda method. In this case all collisions are useful: A collision occurring on one particular walk with itself can also be used to compute our discrete logarithm. That is, in this collision event, the lambda method has turned itself into the rho method. However, if one already knows that the discrete logarithm that one is searching for is in a small interval, the above method can be used, and the time spent should be about the square root of the interval length. However, the mean value of the set of integers in S needs to be smaller, so that the kangaroos are hopping only through the appropriate interval.

A central computer needs to keep track of all the sequences on all the

nodes so that collisions may be detected. By the birthday paradox, we expect

√

a collision when the number of terms of all the sequences is O( n). It is clear that as described, this method has a formidable memory requirement for the central computer. The following idea, described in [van Oorschot and Wiener 1999] (and attributed to J.-J. Quisquater and J.-P. Delescaille, who in turn acknowledge R. Rivest) greatly mitigates the memory requirement, and so renders the method practical for large problems. It is to consider so-called distinguished points. We presume that the group elements are represented by integers (or perhaps tuples of integers). A particular field of length k of binary digits will be all zero about 1/2k of the time. A random walk should pass through such a distinguished point about every 2k steps on average. If two random walks ever collide, they will coincide thereafter, and both will hit the next distinguished point together. So the idea is to send only distinguished points to the central computer, which cuts the rather substantial space requirement down by a factor of 2−k.

A notable success is the March 1998 calculation of a discrete logarithm in an elliptic-curve group whose order is a 97-bit prime n; see [Escott et al. 1998]. A group of 588 people in 16 countries used about 1200 computers over 53 days to complete the task. Roughly 2 · 1014 elliptic-curve group additions were performed, with the number of distinguished points discovered being 186364. (The value of k in the definition of distinguished point was 30, so only about one out of each billion sequence steps was reported to the main computer.) In 2002, an elliptic-curve discrete logarithm (EDL) extraction was completed with a 109-bit (= 33-decimal-digit) prime; see the remarks following Algorithm 8.1.8.

For discrete logarithms in the multiplicative group of a finite field we have subexponential methods (see Section 6.4), with significantly larger cases being handled. The current record for discrete logarithms over Fp is a 2001

calculation, by A. Joux and R. Lercier, where p is the 120-decimal-digit prime10119π + 207819. They actually found two discrete logs in this field for the generator 2, namely the DL for t = 10119e and the DL for t + 1. Their method was based on the number field sieve.

More recent advances in the world of parallel-rho methods include a cryptographic-DL treatment [van Oorschot and Wiener 1999] and an attempt at parallelization of actual Pollard-rho factoring (not DL) [Crandall 1999d]. In this latter regard, see Exercises 5.24 and 5.25. For some recent advances in the DL version of the rho method, see [Pollard 2000] and [Teske 2001]. There is also a very accessible review article on the general DL problem [Odlyzko 2000].

5.3 Baby-steps, giant-steps

Suppose G = g is a cyclic group of order not exceeding n, and suppose t G. We wish to find an integer l such that gl = t. We may restrict our search for l to the interval [0, n − 1]. Write l in base b, where b = √n . Then l = l0 + l1b, where 0 ≤ l0, l1 ≤ b − 1. Note that gl1b = tg−l0 = thl0 , where h = g−1. Thus, we can search for l0, l1 by computing the lists g0, gb, . . . , g(b−1)b and th0, th1, . . . , thb−1 and sorting them. Once they are sorted, one passes through one of the lists, finding where each element belongs in the sorted order of the second list, with a match then being readily apparent. (This idea is laid out in pseudocode in Algorithm 7.5.1.) If gib = thj , then we may take l = j + ib, and we are through.

are given a cyclic group G with generator g, an upper bound n for the order of G, and an element t G. This algorithm returns an integer l such that gl = t. (It is understood that we may represent group elements in some numerical fashion that allows a list of them to be sorted.)

Note that the hypothesis of the algorithm guarantees that the lists A, B will indeed have a common element. Note, too, that it is not necessary to sort both lists. Suppose, say, that A is generated and sorted. As the elements of

236 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS

B are sequentially generated, one can look for a match in A, provided that one has rapid means for content-searching in an ordered list. After the match is found, it is not necessary to continue to generate B, so that on average a savings of 50% can be gained. √

The complexity for Step [Construct lists] is O( n) group operations, and

√

for Step [Sort and find intersection] is O( n ln n) comparisons. The space

√

required is what is needed to store O( n) group elements. If one has no idea how large the group G is, one can let n run through the sequence 2k for k = 1, 2, . . . . If no match is found with one value of k, repeat the algorithm with k + 1. Of course, the sets from the previous run should be saved and

enlarged for the next run. Thus if the group G has order m, we certainly will

√

be successful in computing the logarithm of t in operation count O( m ln m)

√

and space O( m) group elements.

A more elaborate version of this idea can be found in [Buchmann et al. 1997], [Terr 1999]. Also see [Blackburn and Teske 1999] for other baby-steps, giant-steps strategies.

We compare Algorithm 5.3.1 with the rho method for discrete logarithms

√

in Section 5.2.2. There the running time is O( m) and the space is negligible. However, the rho method is heuristic, while baby-steps, giant-steps is completely rigorous. In practice, there is no reason not to use a heuristic method for a discrete logarithm calculation just because a theoretician has not yet been clever enough to supply a proof that the method works and does so within the stated time bound. So in practice, the rho method majorizes the baby-steps, giant-steps method.

However, the simple and elegant idea behind baby-steps, giant-steps is useful in many contexts, as we shall see in Section 7.5. It also can be used for factoring, as shown in [Shanks 1971]. In fact, that paper introduced the baby-steps, giant-steps idea. The context here is the class group of binary quadratic forms with a given discriminant. We shall visit this method at the end of this chapter, in Section 5.6.4.

5.4Pollard p − 1 method

We know from Fermat’s little theorem that if p is an odd prime, then 2p−1 ≡ 1 (mod p). Further, if p − 1|M , then 2M ≡ 1 (mod p). So if p is a prime factor of an integer n, then p divides gcd(2M − 1, n). The p − 1 method of J. Pollard makes use of this idea as a tool to factor n. His idea is to choose numbers M with many divisors of the form p − 1, and so search for many primes p as possible divisors of n in one fell swoop.

Let M (k) be the least common multiple of the integers up to k. So, M (1) = 1, M (2) = 2, M (3) = 6, M (4) = 12, etc. The sequence M (1), M (2), . . . may be computed recursively as follows. Suppose M (k) has already been computed. If k+1 is not a prime or a power of a prime, then M (k+1) = M (k). If k+1 = pa, where p is prime, then M (k + 1) = pM (k). A precomputation via a sieve, see Section 3.2, can locate all the primes up to some limit, and this may be easily augmented with the powers of the primes. Thus, the sequence M (1), M (2), . . .

238 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS

larger than B. After searching through the exponents M (1), M (2), . . . , M (B), we next search through the exponents QM (B), where Q runs over the

u|M (B). It is particularly easy to traverse the various exponents QM (B). Suppose the sequence of primes in (B, B ] is Q1 < Q2 < · · · . Note that 2Q1M (B) mod n may be computed from 2M (B) mod n in O(ln Q1) steps. For 2Q2M (B) mod n, we multiply 2Q1M (B) mod n by 2(Q2−Q1)M (B) mod n, then by 2(Q3−Q2)M (B) mod n to get 2Q3M (B) mod n, and so on. The di erences Qi+1 −Qi are all much smaller than the Qi’s themselves, and for various values d of these di erences, the residues 2dM (B) mod n can be precomputed. Thus, if B > 2B, say, the amortized cost of computing all of the 2Qi M (B) mod n is just one modular multiplication per Qi. If we agree to spend just as much time doing the second stage as the basic p − 1 method, then we may take B much larger than B, perhaps as big as B ln B.

There are many interesting issues pertaining to the second stage, such as means for further acceleration, birthday paradox manifestations, and so on. See [Montgomery 1987, 1992a], [Crandall 1996a], and Exercise 5.9 for some of these issues.

We shall see that the basic idea of the Pollard p−1 method is revisited with the Lenstra elliptic curve method (ECM) for factoring integers (see Section 7.4).

5.5 Polynomial evaluation method

Suppose the function F (k, n) = k! mod n were easy to evaluate. Then a great deal of factoring and primality testing would also be easy. For example, the Wilson–Lagrange theorem (Theorem 1.3.6) says that an integer n > 1 is prime if and only if F (n − 1, n) = n − 1. Alternatively, n > 1 is prime if and only if F ( √n , n) is coprime to n. Further, we could factor almost as easily: Carry out a binary search for the least positive integer k with gcd(F (k, n), n) > 1— this k, of course, will be the least prime factor of n.

As outlandish as this idea may seem, there is actually a fairly fast theoretical factoring algorithm based on it, an algorithm that stands as the fastest deterministic rigorously analyzed factoring algorithm of which we know. This is the Pollard–Strassen polynomial evaluation method; see [Pollard 1974] and [Strassen 1976].

The idea is as follows. Let B = 1n1/42 and let f (x) be the polynomial x(x − 1) · · · (x − B + 1). Then f (jB) = (jB)!/((j − 1)B)! for every positive integer j, so that the least j with gcd(f (jB), n) > 1 isolates the least prime factor of n in the interval ((j − 1)B, jB]. Once we know this, if the gcd is in the stated interval, it is the least prime factor of n, and if the gcd is larger than jB, we may sequentially try the members of the interval as divisors of n, the first divisor found being the least prime divisor of n. Clearly, this last calculation takes at most B arithmetic operations with integers the size of n; that is, it is O(n1/4). But what of the earlier steps? If we could compute each

f (jB) mod n for j = 1, 2, . . . , B, then we would be in business to check each gcd and find the first that exceeds 1.

Algorithm 9.6.7 provides the computation of f (x) as a polynomial in Zn[x] (that is, the coe cients are reduced modulo n) and the evaluation of each f (jB) modulo n for j = 1, 2, . . . , B in O B ln2 B = O n1/4 ln2 n arithmetic operations with integers the size of n. This latter big-O expression then stands as the complexity of the Pollard–Strassen polynomial evaluation method for factoring n.

5.6 Binary quadratic forms

There is a rich theory of binary quadratic forms, as developed by Lagrange, Legendre, and Gauss in the late 1700s, a theory that played, and still plays, an important role in computational number theory.

5.6.1Quadratic form fundamentals

For integers a, b, c we may consider the quadratic form ax2 + bxy + cy2. It is a polynomial in the variables x, y, but often we suppress the variables, and just refer to a quadratic form as an ordered triple (a, b, c) of integers.

We say that a quadratic form (a, b, c) represents an integer n if there are integers x, y with ax2 + bxy + cy2 = n. So attached to a quadratic form (a, b, c) is a certain subset of the integers, namely those numbers that (a, b, c) represents. We note that certain changes of variables can change the quadratic form (a, b, c) to another form (a , b , c ), but keep fixed the set of numbers that are represented. In particular, suppose

x = αX + βY, y = γX + δY,

where α, β, γ, δ are integers. Making this substitution, we have

ax2 + bxy + cy2 = a(αX + βY )2 + b(αX + βY )(γX + δY ) + c(γX + δY )2

say. Thus every number represented by the quadratic form (a , b , c ) is also represented by the quadratic form (a, b, c). We may assert the converse statement if there are integers α , β , γ , δ with

X = α x + β y, Y = γ x + δ y.

are inverses of each other. A square matrix with integer entries has an inverse with integer entries if and only if its determinant is ±1. We conclude that if the quadratic forms (a, b, c) and (a , b , c ) are related by a change of variables as in (5.1), then they represent the same set of integers if αδ − βγ = ±1.