Prime Numbers

Note that the infinite sum L(1, χD) that is in the class number formula (5.3) can be written, too, as an infinite product:

L(1, χD) = 1 − χD(p) −1 , p

p

where the product is over all primes. It is shown in [Shanks 1971], [Schoof 1982] that if the ERH is assumed (see Conjecture 1.4.2), and if

Then the Shanks baby-steps, giant-steps method discussed in Section 7.5 and Section 5.3 can then be used to find a multiple of the order of any given

steps, we can then achieve a factorization of n, given an appropriate f , in O(n1/5 ln n) operations with integers the size of n.

If one is willing to assume the ERH, which seems a fair enough gamble in a factoring algorithm (if the method fails to factor your number, you have for your e ort a disproof of the ERH, presumably something of far greater interest than the factorization you were attempting), one might ask what other information the ERH might give, other than the predictable convergence of the infinite product for L(1, χD). In fact, it can help in a second way. Assuming the ERH, there is a computable number c such that the classes of the primitive reduced forms (a, b, c) of discriminant D, with a ≤ c ln2 |D|), generate the full class group C(D) (see [Schoof 1982]). Thus, there need be no uncertainty on the choice of f in the above scenario. Namely, just make all choices for f with a representative (a, b, c) with a ≤ c ln2 |D|.

Assembling these ingredients, we have, then, a deterministic factoring algorithm with a complexity of O n1/5 ln3 n operations with integers the algorithm depends on the so-far

size of n. The proof of correctness for this unproved ERH.

Shanks goes further, and shows that on assumption of the ERH, one can actually compute the class number h, and the group structure for C(D), and in time O |D|1/5+ .

It was shown in [Srinivasan 1995] that there is a probabilistic algorithm to approximate L that is expected to give enough precision to approximate h again with an error of O |D|2/5+ , after which the Shanks baby-steps, giantsteps method may take over. The Srinivasan probabilistic method gets the approximation in expected time O |D|1/5+ , and so becomes a probabilistic factoring algorithm with expected running time O n1/5+ . This algorithm

252 Chapter 5 EXPONENTIAL FACTORING ALGORITHMS

for some integer k [0, d − 1], where d = gcd(a, n) and u is a solution to the extended-Euclid relation au + nv = d.

This exercise shows that finding a logarithm for a nontrivial power of t is, if d is not too large, essentially equivalent to the original DL problem.

5.5. Suppose G is a finite cyclic group, you know the group order n, and you know the prime factorization of n. Show how the Shanks baby-steps, giant-steps method of Section 5.3 can be used to solve discrete logs in G in O √p ln n operations, where p is the largest prime factor of n. Give a similar bound for the space required.

5.6. As we have seen in the chapter, the basic Shanks baby-steps, giantsteps procedure can be summarized thus: Make respective lists for baby steps and giant steps, sort one list, then find a match by sequentially searching through the other list. As we know, solving gl = t (where g is a generator of the cyclic group of order n and t is an element) can be e ected in this way in O(n1/2 ln n) operations (comparisons). But there is a so-called hash-table construction that heuristically alters this complexity (albeit slightly) and in practice works quite e ciently. A summary of such a method runs as follows:

(1)Construct the baby-step list, but in hash-table form.

(2)On each successive giant step look up (rapidly) the corresponding hashtable entry, seeking a match.

The present exercise is to work through—by machine—the following example of an actual DL solution. This example, unlike the fundamental Algorithm 5.3.1, uses some tricks that exploit the way machines tend to function, e ectively reducing complexity in this way. For the prime p = 231 − 1 and an explicitly posed DL problem, say to solve

gl ≡ t (mod p),

we proceed as follows. Reminiscent of Algorithm 5.3.1 set b = √p , but in addition choose a special parameter β = 212 to create a baby-steps “hash table” whose r-th row, for r [0, β −1], consists of all those residues gj mod p, for j [0, b − 1], that have r = (gj mod p) mod β. That is, the row of the hash table into which a power gj mod p is inserted depends only on that modular power’s low lg β bits. Thus, in about √p multiplies (successively, by g) we construct a hash table of β rows. As a check on the programming e ort, for a specific choice g = 7 the (r = 1271)-th row should appear as

((704148727, 507), (219280631, 3371), (896259319, 4844) . . .),

meaning, for example,

7507 mod p = 704148727 = (. . . 010011110111)2, 73371 mod p = 219280631 = (. . . 010011110111)2,

and so on. After the baby-steps hash table is constructed, you can run through giant-step terms tg−ib for i [0, b − 1] and, by inspecting only the low 12 bits

of each of these terms, index directly into the table to discover a collision. For the example t = 31, this leads immediately to the DL solution

7723739097 ≡ 31 (mod 231 − 1).

This exercise is a good start for working out out a general DL solver, which takes arbitrary input of p, g, l, t, then selects optimal parameters such as β. Incidentally, hash-table approaches such as this one have the interesting feature that the storage is essentially that of one list, not two lists. Moreover, if the hash-table indexing is thought of as one fundamental operation, the algorithm has operation complexity O(p1/2); i.e., the ln p factor is removed. Note also one other convenience, which is that the hash table, once constructed, can be reused for another DL calculation (as long as g remains fixed).

5.7. [E. Teske] Let g be a generator of the finite cyclic group G, and let h G. Suppose #G = 2m · n with m ≥ 0 and n odd. Consider the following

walk:

h0 = g h, hk+1 = hk2.

The terms hk are computed until hk = hj for some j < k, or hk = 1. Let us investigate whether this is a good walk for computing discrete logarithms.

(1)Let (αk) and (βk) be the sequences of exponents for g and h, respectively. That is, hk = gαk hβk for each k. Determine closed formulae for αk and

βk.

(2)Determine all possible group elements h for which it can happen that hk = 1 for some k. Determine the largest possible value of k for which this can happen.

(3)Determine the period λ of the sequence (hk) under the assumption that

#G is prime.

(4)Would you recommend this walk to use for discrete logarithm computation? If yes, why? If no, why not?

5.8. Here are tasks that allow practical testing of any implementation of the p − 1 method, Algorithm 5.4.1.

(1)Use the basic algorithm with search bound B = 1000 to achieve the factorization

n = 67030883744037259 = 179424673 · 373587883.

(2)Explain why, in view of the factorization of 373587882, your value of B worked.

(3)Again in view of the factorization of 373587882, write a second-stage

version of the algorithm, this time finding the factor with B = 100 but second-stage bound B = 1000. This program should be faster than the first instance, of course.

(4)Find a nontrivial factor of M67 = 267 − 1 using B = 100, B = 2000.

5.9. Here we describe an interesting way to e ect a second stage, and end up asking an also interesting computational question. We have seen that a second stage makes sense if a hidden prime factor p of n has the form p = zq +1 where z is B-smooth and q (B, B ] is a single outlying prime. One novel approach ([Montgomery 1992a], [Crandall 1996a]) to a second-stage implementation is this: After a stage-one calculation of b = aM (B) mod n as described in the text, one can as a second stage accumulate some product (here, g, h run over some fixed range, or respective sets) like this one:

and take gcd(n, c), hoping for a nontrivial factor. The theoretical task here is to explain why this method works to uncover that outlying prime q, indicating a rough probability (based on q, K, and the range of g, h) of uncovering a factor because of a lucky instance gK ≡ hK (mod q).

An interesting computational question arising from this “gK ” method is, how does one compute rapidly the chain

b1K , b2K , b3K , . . . , bAK ,

where each term is, as usual, obtained modulo n? Find an algorithm that in fact generates the indicated “hyperpower” chain, for fixed K, in only O(A) operations in ZN .

5.10.Show that equivalence of quadratic forms is an equivalence relation.

5.11.If two quadratic forms ax2 + bxy + cy2 and a x2 + b xy + c y2 have the same range, must the coe cients (a , b , c ) be related to the coe cients (a, b, c) as in (5.1) where α, β, γ, δ are integers and αδ − βγ = ±1?

5.12.Show that equivalent quadratic forms have the same discriminant.

5.13.Show that the quadratic form that is the output of Algorithm 5.6.2 is equivalent to the quadratic form that is the input.

5.14.Show that if (a, b, c) is a reduced quadratic form of discriminant D < 0,

then a ≤ |D|/3.

5.15.Show that for input (A, B, C), the operation complexity of Algorithm 5.6.2 is O(1 + ln(min{A, C})), with operations involving integers no larger than 4AC.

5.16.Show that a positive integer n is a sum of two squares if and only if there is no prime p ≡ 3 (mod 4) that divides n to an odd exponent. Using the fact that the sum of the reciprocals of the primes that are congruent to 3 (mod 4) diverges (Theorem 1.1.5), prove that the set of natural numbers that are representable as a sum of two squares has asymptotic density 0. (See Exercises 1.10, 1.91, and 3.17.)

5.17. Show that if p is a prime and p ≡ 1 (mod 4), then there is a probabilistic algorithm to write p as a sum of two squares that is expected to succeed in polynomial time. In the case that p ≡ 5 (mod 8), show how the algorithm can be made deterministic. Using the deterministic polynomial-time method in [Schoof 1985] for taking the square root of −1 modulo p, show how in the general case the algorithm can be made deterministic, and still run in polynomial time.

5.18. Suppose that (a, b, c), (a , b , c ) are equivalent quadratic forms, n is

a positive integer, ax2 + bxy + cy2 = n, and under the equivalence, x, y gets taken to x , y . Let u = 2ax + by, u = 2a x + b y . Show that uy ≡ u y

(mod 2n).

5.19.Show that if (a, b, c) is a quadratic form, then for each integer b ≡ b (mod 2a), there is an integer c such that (a, b, c) is equivalent to (a, b , c ).

5.20.Suppose a, b, c C(D). Prove that a, b, c is the identity 1D in C(D) if and only if (a, b, c) represents 1. Conclude that a, b, c c, b, a = 1D.

5.21.Study, and implement the McKee O(n1/4+ ) factoring algorithm as described in [McKee 1999]. The method is probabilistic, and is a kind of optimization of the celebrated Fermat method.

5.22.On the basis of the Dirichlet class number formula (5.3), derive the following formulae for π:

From the mere fact that these formulae are well-defined, prove that there exist infinitely many primes of each of the forms p = 4k + 1 and p = 4k + 3. (Compare with Exercise 1.7.) As a computational matter, about how many primes would you need to attain a reliable value for π to a given number of decimal places?

5.8Research problems

5.23. Show that for p = 257, the rho iteration x = x2 − 1 mod p has only three possible cycle lengths, namely 2, 7, 12. For p = 7001, show the iteration x = x2 + 3 mod p has only the 8 cycle lengths 3, 4, 6, 7, 19, 28, 36, 67. Find too the number of distinct connected components in the cycle graphs of these two iterations. Is it true that the number of distinct cycle lengths, as well as the number of connected components (which always is at least as large) is O(ln p)? A similar result has been proved in the case of a random function; see [Flajolet and Odlyzko 1990].

5.24.If a Pollard-rho iteration be taken not as x = x2 + a mod N but as x = x2K + a mod N,

it is an established heuristic that the expected number of iterations to uncover a hidden prime factor p of N is reduced from c√p to

c√p

. gcd(p − 1, 2K) − 1

For research involving this complexity reduction, it may be helpful first to work through this heuristic and explore some possible implementations based on the gcd reduction [Brent and Pollard 1981], [Montgomery 1987], [Crandall 1999d]. Note that when we know something about K the speedup is tangible, as in the application of Pollard-rho methods to Fermat or Mersenne numbers. (If K is small, it may be counterproductive to use an iteration x = x2K + a, even if we know that p ≡ 1 (mod 2K), since the cost per iteration may not be outweighed by the gain of a shorter cycle.) However, it is when we do not know anything about K that really tough complexity issues arise.

So an interesting open issue is this: Given M machines each doing Pollard rho, and no special foreknowledge of K, what is the optimal way to assign respective values {Km : m [1, . . . , M ]} to said machines? Perhaps the answer is just Km = 1 for each machine, or maybe the Km values should be just small distinct primes. It is also unclear how the K values should be altered—if at all—as one moves from an “independent machines” paradigm into a “parallel” paradigm, the latter discussed in Exercise 5.25. An intuitive glimpse of what is intended here goes like so: The McIntosh–Tardif factor of F18, namely

81274690703860512587777 = 1 + 223 · 29 · 293 · 1259 · 905678539

(which was found via ECM) could have been found via Pollard rho, especially if some “lucky” machine were iterating according to

x = x223·29 + a mod F18.

In any complexity analysis, make sure to take into account the problem that the number of operations per iteration grows as O(ln Km), the operation complexity of a powering ladder.

5.25. Analyze a particular idea for parallelization of the Pollard rho factoring method (not the parallelization method for discrete logarithms as discussed in the text) along the following lines. Say the j-th of M machines computes a Pollard sequence, from iteration x = x2 + a mod N , with common parameter a but machine-dependent initial x(1j) seed, as

&'

so we have such a whole length-n sequence for each j [1, M ]. Argue that if we can calculate the product

modulo the N to be factored, then the full product has about n2M 2 algebraic factors, implying, in turn, about p1/2/M parallel iterations for discovering a hidden factor p. So the question comes down to this: Can one parallelize the indicated product, using some sort of fast polynomial evaluation scheme? The answer is yes, subject to some heuristic controversies, with details in [Crandall 1999d], where it is argued that with M machines one should be able to find a

hidden factor p in

O √p ln2 M M

parallel operations.

5.26. Recall that the Pollard-rho approach to DL solving has the feature that very little memory is required. What is more, variants of the basic rho approach are pleasantly varied. The present exercise is to work through a very simple such variant (that is not computationally optimized), with a view to solving the specific DL relation

gl ≡ t (mod p),

where t and primitive root g are given as usual. First define a pseudorandom function on residues z mod p, for example,

f (z) = 2 + 3θ(z − p/2),

that is, f (z) = 2 for z < p/2, and f (z) = 5 otherwise. Now define a sequence

x1 = t, x2, x3, . . . with

xn+1 = gf (xn )xnt

for n ≥ 1. The beautiful thing is that we can use two sequences (wn = x2n), (xn) just as in Algorithm 5.2.1, with one sequence forging ahead of the other via twofold acceleration. We perform, then, these iterations and hope for a collision

x2n ≡ xn (mod p),

the point being that such a collision signals a relation

ta ≡ gb (mod p),

and we can use the result of Exercise 5.4 to infer the desired DL solution. In this way, using the explicit form for the pseudorandom f given above, solve by machine for the logarithm in such test cases as

11495011427 ≡ 3 (mod 231 − 1),

171629 ≡ 3 (mod 217 − 1).

An interesting research question is this: Just how varied are the Pollardrho possibilities? We have now seen more than one way of creating Pollard sequences as mixtures of powers of x and g, but one can even consider

fractional powers. For example, if a root chain can be established in Pollardrho fashion

where the powers en are random (except always chosen so that a square root along the chain can indeed be taken), then each side of the collision can be formally squared often enough to get a mixed relation in g, t as before. Though square-rooting is not inexpensive, this approach would be of interest if statistically short cycles for the root chains could somehow be generated.

5.27.In connection with the Pollard p − 1 method, show that if n is composite and not a power, and if you are in possession of an integer m < n2 such that p − 1|m for some prime p|n, then you can use this number m in a probabilistic algorithm to get a nontrivial factorization of n. Argue that the algorithm is expected to succeed in polynomial time (the number of arithmetic steps with integers the size of n is bounded by a power of ln n).

5.28.Here we investigate the “circle group,” defined for odd prime p as the

set

Cp = {(x, y) : x, y [0, p − 1]; x2 + y2 ≡ 1 (mod p)}, together with an operation “ ” defined by

(x, y) (x , y ) = (xx − yy , xy + yx ) mod p.

Show that the order of the circle group is

Prove the corollary that this order is always divisible by 4. Explain how the operation is equivalent to complex multiplication (for Gaussian integers) and discuss any algebraic connection between the circle group and the field Fp2 .

Next, describe a factoring algorithm—which could be called a “p ± 1” method—based on the circle group. One would start with an initial point P0 = (x0.y0), and evaluate multiples [n]P0 in much the same style as we do in ECM. How does one even find an initial point? (In this connection see Exercise 5.16.) How e cient is your method, as compared to the standard p − 1 method? In assessing e ciency, observe that a point may be doubled in only two field multiplies. How many multiplies does it take to add two arbitrary points?

Then, analyze whether a “hyperspherical” group factoring method makes sense. The group would be

Hp = (x, y, z, w) : x, y, z, w [0, p − 1]; x2 + y2 + w2 + z2 ≡ 1 (mod p) ,

and the group operation would be quaternion hypercomplex multiplication. Show that the order of the group is

#Hp = p3 − p.

In judging the e cacy of such a factoring method, one should address at least the following questions. How, in this case, do we find an initial point (x0, y0, w0, z0) in the group? How many field operations are required for point doubling, and for arbitrary point addition?

Explore any algebraic connections of the circle and hyperspherical groups (and perhaps further relatives of these) with groups of matrices (mod p). For example, all n × n matrices having determinant 1 modulo p form a group that can for better or worse be used to forge some kind of factoring algorithm. These relations are well known, including yet more relations with so-called cyclotomic factoring. But an interesting line of research is based on this question: How do we design e cient factoring algorithms, if any, using these group/matrix ideas? We already know that complex multiplication, for example, can be done in three multiplies instead of four, and large-matrix multiplication can be endowed with its own special speedups, such as Strassen recursion [Crandall 1994b] and number-theoretical transform acceleration [Yagle 1995]; see Exercise 9.84.

5.29. Investigate the possibility of modifying the polynomial evaluation method of Pollard and Strassen for application to the factorization of Fermat numbers Fn = 22n + 1. Since we may restrict factor searches to primes of the form p = k2n+2 + 1, consider the following approach. Form a product

P = ki2n+2 + 1

i

(all modulo Fn), where the {ki} constitute some set of cleverly chosen integers, with a view to eventual taking of gcd(Fn, P ). The Pollard–Strassen notion of evaluating products of consecutive integers is to be altered: Now we wish to form the product over a special multiplier set. So investigate possible means for e cient creation of P . There is the interesting consideration that we should be able somehow to presieve the {ki}, or even to alter the exponents n + 2 in some i-dependent manner. Does it make sense to describe the multiplier set {ki} as a union of disjoint arithmetic progressions (as would result from a presieving operation)? One practical matter that would be valuable to settle is this: Does a Pollard–Strassen variant of this type have any hope of exceeding the performance of direct, conventional sieving (in which one simply checks 22n (mod p) for various p = k2n+2 + 1)? The problem is not without merit, since beyond F20 or thereabouts, direct sieving has been the only recourse to date for discovering factors of the mighty Fn.