Primality - Factorization

Christophe Ritzenthaler

February 8, 2016

1 Primality

Definition 1.1. An integer $p > 1$ is called a prime if it has only $1$ and $p$ as divisors.

Example 1. There are infinitely many prime numbers. The biggest generic one has 29,271 decimal digits and the proof was built using fastECPP on several networks of workstations (Jan. 2015). The largest known prime (January 2016) is $2^{74207281} - 1$, which has 22 million digits (see tutorial).

We will write $\mathcal{P}$ for the set of prime numbers.

The simplest algorithm to test primality is based on the following result.

Proposition 1.1. $n$ is a composite number if and only if it has a divisor $d$ with $1 < d \le \sqrt{n}$.

Proof. If $n$ is composite, $n = ab$ with $a, b > 1$, and either $a$ or $b$ is at most $\sqrt{n}$. The converse is obvious.

This leads to a test that is exponential in $\log n$. In the following we will explore some polynomial tests.

Remark 1. Adleman, Pomerance, Rumely, Cohen and Lenstra have given an algorithm (APRCL) which is not polynomial but is feasible on numbers of 1000 digits (it runs in $O((\log n)^{C \log \log \log n})$).

1.1 Probabilistic compositeness tests

1.1.1 Fermat test and Carmichael numbers

By Fermat's little theorem, one knows that if $n$ is a prime number then $a^{n-1} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}$ coprime with $n$. If the theorem were an equivalence, we would have an easy polynomial algorithm to test whether a number is prime. Unfortunately, this is not the case:

Example 2. Consider $n = 341 = 11 \cdot 31$. One has $2^{340} \equiv 1 \pmod{341}$. Such a number is called a pseudo-prime in base 2. We can prove that there are infinitely many pseudo-primes in base 2 by showing that if $n$ is such a number then $2^n - 1$ is one as well. Indeed, because $n$ is a pseudo-prime in base 2 one has $n \mid 2^{n-1} - 1$, i.e. there is $c$ such that $nc = 2^{n-1} - 1$. Now

$2^{(2^n - 1) - 1} - 1 = 2^{2(2^{n-1} - 1)} - 1 = 2^{2nc} - 1.$

The last expression is divisible by $2^n - 1$, so $2^{(2^n - 1) - 1} \equiv 1 \pmod{2^n - 1}$. To finish the proof, one has to show that $2^n - 1$ is not a prime. Since $n = ab$, $2^n - 1$ is divisible by $2^a - 1$.

An idea is then to change the value of $a$: for instance $3^{340} \equiv 56 \pmod{341}$. Unfortunately, there are numbers that are pseudo-prime in every base. Such numbers are called Carmichael numbers (for instance $561 = 3 \cdot 11 \cdot 17$). It has been shown by Alford, Granville and Pomerance in 1994 that there are infinitely many Carmichael numbers, so the Fermat test can never be completely sure. Let us show some properties of these numbers.

Proposition 1.2. An (odd) composite number $n \ge 3$ is a Carmichael number if and only if it is square-free and for each prime divisor $p$ of $n$, $p - 1$ divides $n - 1$.

Proof. First it is easy to see that a Carmichael number is odd: indeed $(-1)^{n-1} \equiv 1 \pmod n$ if and only if $n$ is odd. Let $n$ be a Carmichael number, so that for any $a$ prime to $n$ one has $a^{n-1} \equiv 1 \pmod n$. Let $p$ be a prime divisor of $n$. There exists a primitive element modulo $p$ that is prime to $n$. Indeed, let $a$ be a primitive element modulo $p$ and write $n = p^r \cdot m$ with $m$ coprime to $p$. There exists an element (still denoted $a$) in $\mathbb{Z}/p^r\mathbb{Z}$ lifting the initial $a$ (because the morphism $\mathbb{Z}/p^r\mathbb{Z} \to \mathbb{Z}/p\mathbb{Z}$ is surjective). We pick $s \in \mathbb{Z}/m\mathbb{Z}$ coprime to $m$ and, since $\mathbb{Z}/n\mathbb{Z} \simeq \mathbb{Z}/p^r\mathbb{Z} \times \mathbb{Z}/m\mathbb{Z}$, we construct the element $a \in \mathbb{Z}/n\mathbb{Z}$ which is the image of $(a, s)$. Such an element satisfies the required properties. Now, one has of course $a^{n-1} \equiv 1 \pmod p$, and as $a$ is primitive, $p - 1$ divides $n - 1$. Now suppose that $n = p^2 m$ and write $a = 1 + pm$. One has $a^p \equiv 1 + p^2 m + \dots \equiv 1 \pmod n$, so the order of $a$ is $p$. But $p$ does not divide $n - 1$ (as $p \mid n$), so we get a contradiction. Conversely, let $n$ be a square-free integer such that $p - 1$ divides $n - 1$ for all prime divisors $p$ of $n$. Let $a$ be prime to $n$; one has $a^{p-1} \equiv 1 \pmod p$ and, because $n - 1$ is a multiple of $p - 1$, $a^{n-1} \equiv 1 \pmod p$. Using the Chinese Remainder theorem for all the factors $p$, one gets $a^{n-1} \equiv 1 \pmod n$.

Corollary 1.1. Any Carmichael number is the product of at least 3 distinct odd primes.

Proof. Because a Carmichael number is square-free and is not prime, it has at least two prime factors. Let us assume that $n = pq$ with $p < q$. Then $q - 1$ divides $pq - 1 = p(q - 1) + p - 1$, so $q - 1$ divides $p - 1$. Absurd.

Example 3. Show that if $6m + 1$, $12m + 1$ and $18m + 1$ are primes then $n = (6m + 1)(12m + 1)(18m + 1)$ is a Carmichael number. First, by the Chinese Remainder theorem, one can see that if $n = ab$ with $a, b$ coprime then for any $x$ prime to $n$ one has

$x^{\operatorname{lcm}(\varphi(a), \varphi(b))} \equiv 1 \pmod n.$

Now $\operatorname{lcm}(\varphi(6m + 1), \varphi(12m + 1), \varphi(18m + 1)) = 36m$ and also $36m \mid n - 1$. One can check that $1729$ is such a number.
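As an added illustration (this code is not part of the lecture notes), the following Python script runs the Fermat test, reproduces the base-2 pseudo-prime 341 and the value $3^{340} \equiv 56$, checks the infinitude argument of Example 2 on $2^{341} - 1$, and recognises Carmichael numbers with the criterion of Proposition 1.2 and the construction of Example 3. The function names are my own.

```python
# Added example (not from the lecture notes): the Fermat test, base-2
# pseudo-primes (Example 2) and Korselt's criterion of Proposition 1.2.
from math import gcd


def fermat_probable_prime(n, a):
    """True if a^(n-1) ≡ 1 (mod n): n is prime or a pseudo-prime in base a."""
    if n < 2 or gcd(a, n) != 1:
        return False
    return pow(a, n - 1, n) == 1


def count_fermat_liars(n):
    """Number of bases a in {1, ..., n-1}, prime to n, for which the Fermat test passes."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1 and pow(a, n - 1, n) == 1)


def factorize(n):
    """Trial-division factorization as {prime: exponent}; only meant for small n."""
    factors = {}
    d = 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = factors.get(n, 0) + 1
    return factors


def is_prime(n):
    return n > 1 and factorize(n) == {n: 1}


def is_carmichael(n):
    """Proposition 1.2: n odd composite, square-free, and p-1 | n-1 for each prime p | n."""
    if n < 3 or n % 2 == 0 or is_prime(n):
        return False
    return all(e == 1 and (n - 1) % (p - 1) == 0 for p, e in factorize(n).items())


def carmichael_from_example3(m):
    """If 6m+1, 12m+1 and 18m+1 are all prime, return their product (a Carmichael number), else None."""
    p, q, r = 6 * m + 1, 12 * m + 1, 18 * m + 1
    return p * q * r if all(is_prime(x) for x in (p, q, r)) else None


if __name__ == "__main__":
    print(fermat_probable_prime(341, 2), pow(3, 340, 341))   # True 56
    print(fermat_probable_prime(2 ** 341 - 1, 2))            # True: 2^341 - 1 is a pseudo-prime too
    print(is_carmichael(561), carmichael_from_example3(1))   # True 1729
```

For a Carmichael number every coprime base is a liar, so `count_fermat_liars(561)` equals $\varphi(561) = 320$, whereas for $341$ only $100$ of the $300$ coprime bases pass.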

1.1.2 Lucas test

Let $n > 1$ be an integer. We will show that if there exists an $a$ such that $a^{n-1} \equiv 1 \pmod n$ and $a^q \not\equiv 1 \pmod n$ for all $q \mid n - 1$, $q \ne n - 1$, then $n$ is prime. This is a very good test for Fermat numbers $F_m$, i.e. numbers of the form $n = 2^{2^m} + 1$ (for $m = 0, \dots, 32$ only the first five are prime; $F_{33}$ is so big that it may be many years before we can decide its nature). But obviously this test is not good for a generic prime since we must know the factorization of $n - 1$.

Let us assume that such an $a$ exists and let $d$ be the order of $a$ in $(\mathbb{Z}/n\mathbb{Z})^*$. Since $a^{n-1} \equiv 1 \pmod n$, $d \mid n - 1$. More precisely, as no proper divisor of $n - 1$ is the order of $a$, one has $d = n - 1$. Now $n - 1 = d \mid \varphi(n)$. This is possible only if $n$ is prime.
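An added example, not from the notes, of the Lucas test above: `lucas_certifies` checks the two conditions from the prime factors of $n - 1$ (checking $a^{(n-1)/q} \not\equiv 1$ for each prime $q \mid n - 1$ is equivalent to checking every proper divisor of $n - 1$, since every proper divisor divides some $(n-1)/q$), and `lucas_for_fermat` applies it to $F_m$, where $n - 1 = 2^{2^m}$ has the single prime factor $2$. Function names and the trial-division helper are mine.

```python
# Added example (not part of the notes): Lucas's test and its use on the
# Fermat numbers F_m = 2^(2^m) + 1, whose n - 1 has the single prime factor 2.


def prime_factors(n):
    """Distinct prime factors of n by trial division (small n only)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def lucas_certifies(n, a, primes_of_n_minus_1):
    """True if a proves n prime: a^(n-1) ≡ 1 and a^((n-1)/q) ≢ 1 (mod n) for every prime q | n-1.
    Every proper divisor of n-1 divides some (n-1)/q, so this is the test of the text."""
    if n < 2 or pow(a, n - 1, n) != 1:
        return False
    return all(pow(a, (n - 1) // q, n) != 1 for q in primes_of_n_minus_1)


def find_lucas_witness(n, max_base=100):
    """Smallest base a <= max_base certifying n prime, or None (n composite, or no tried base works)."""
    primes = prime_factors(n - 1)
    for a in range(2, min(n, max_base + 1)):
        if lucas_certifies(n, a, primes):
            return a
    return None


def fermat_number(m):
    return 2 ** (2 ** m) + 1


def lucas_for_fermat(m, max_base=100):
    """For F_m only the prime 2 divides n - 1, so a single extra exponentiation per base is needed."""
    n = fermat_number(m)
    for a in range(2, min(n, max_base + 1)):
        if lucas_certifies(n, a, [2]):
            return a
    return None


if __name__ == "__main__":
    print([lucas_for_fermat(m) for m in range(6)])   # [2, 2, 3, 3, 3, None]: F_5 is composite
```

No base can certify a composite number (that is the content of the proof above), so `None` for $F_5 = 641 \cdot 6700417$ is the expected outcome; for the prime Fermat numbers the base $3$ always works from $m = 1$ on.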

1.1.3 Rabin-Miller test

Contrary to the Fermat test, the Miller-Rabin test can prove the compositeness of any composite number (i.e. there is no analog of Carmichael numbers for this test). But the Rabin-Miller test is a Monte-Carlo algorithm: it always stops; if it answers yes, the number is composite, and if it answers no then the answer is correct with a probability greater than $3/4$.

Let $n$ be an odd positive integer and $s = \max\{r \in \mathbb{N},\ 2^r \mid n - 1\}$. Let $d = (n - 1)/2^s$.

Lemma 1.1 (Miller). If $n$ is a prime and if $a$ is an integer prime to $n$ then we have either $a^d \equiv 1 \pmod n$ or there exists $r \in \{0, \dots, s - 1\}$ such that $a^{2^r d} \equiv -1 \pmod n$.

Proof. The order of $a$ is a divisor of $n - 1$. It can divide $d$, and then $a^d \equiv 1 \pmod n$. If not, its order divides $2^r d$ for some $r \in \{1, \dots, s\}$, which we choose minimal. So $a^{2^r d} \equiv 1 \pmod n$ and $a^{2^{r-1} d}$ is a non-trivial square root of $1$ modulo the prime $n$, so $a^{2^{r-1} d} \equiv -1 \pmod n$.

If we find an $a$ which is prime to $n$ and that satisfies neither of the conditions, then $n$ is composite. Such an integer $a$ is called a witness for the compositeness of $n$.

Example 4. Let $n = 561$. $a = 2$ is a witness for $n$. Indeed here $s = 4$, $d = 35$ and $2^{35} \equiv 263 \pmod{561}$, $2^{2 \cdot 35} \equiv 166 \pmod{561}$, $2^{4 \cdot 35} \equiv 67 \pmod{561}$, $2^{8 \cdot 35} \equiv 1 \pmod{561}$.

For the efficiency of the Rabin-Miller test, it is important that there are sufficiently many witnesses for the compositeness of a composite number.

Theorem 1.1 (Rabin). If $n \ge 3$ is an odd composite number, then the set $\{1, \dots, n - 1\}$ contains at most $(n - 1)/4$ numbers that are prime to $n$ and not witnesses for the compositeness of $n$.

Proof. Let $k$ be the largest integer $\le s - 1$ such that there exists at least one $b \in (\mathbb{Z}/n\mathbb{Z})^*$ with $b^{2^k d} \equiv -1 \pmod n$ (such a $k$ exists since $b = -1$ and $k = 0$ works). Let $m = 2^k d$ and $n = \prod_{i=1}^{j} p_i^{e_i}$ be the prime factorization of $n$. Let

$J = \{a \in (\mathbb{Z}/n\mathbb{Z})^*,\ a^{n-1} \equiv 1 \pmod n\}$
$K = \{a \in (\mathbb{Z}/n\mathbb{Z})^*,\ a^m \equiv \pm 1 \pmod{p_i^{e_i}} \text{ for all } i\}$
$L = \{a \in (\mathbb{Z}/n\mathbb{Z})^*,\ a^m \equiv \pm 1 \pmod n\}$
$M = \{a \in (\mathbb{Z}/n\mathbb{Z})^*,\ a^m \equiv 1 \pmod n\}.$

We have $M \subset L \subset K \subset J \subset (\mathbb{Z}/n\mathbb{Z})^*$ as subgroups. Each $a$ which is not a witness for the compositeness of $n$ belongs to $L$. Indeed, if $a^d \equiv 1 \pmod n$ then $a \in L$, and if $a^{2^t d} \equiv -1 \pmod n$, then by the maximality of $k$, $t \le k$. We will prove that the index of $L$ in $(\mathbb{Z}/n\mathbb{Z})^*$ is at least four.

Let $G = \{a \in (\mathbb{Z}/n\mathbb{Z})^*,\ a \equiv \pm 1 \pmod{p_i^{e_i}} \text{ for all } i\}$. Every element of $G$ is an $m$-th power. Indeed, we have $b^m \equiv -1 \pmod n$. Hence, using the CRT, we can write each $a \in G$, component by component, either as $b^m$ or as $(b^2)^m$. It is well known also that $\#G = 2^j$. Now let us consider the map

$\psi : (\mathbb{Z}/n\mathbb{Z})^* \to (\mathbb{Z}/n\mathbb{Z})^* \to (\mathbb{Z}/n\mathbb{Z})^*/G$

where the first map $\phi$ is $x \mapsto x^m$ and the second one is the projection. The kernel of $\psi$ consists of the elements such that $a^m \in G$, which is $K$. We have $\ker \phi \subset \ker \psi$, hence $\psi$ factors through $\tilde\psi : (\mathbb{Z}/n\mathbb{Z})^*/\ker \phi \simeq \operatorname{Im}(\phi) \to (\mathbb{Z}/n\mathbb{Z})^*/G$ and $\ker \psi / \ker \phi \simeq \ker \tilde\psi = \operatorname{Im}(\phi) \cap G = G$ because of what we proved. Therefore $\#K/\#M = \#G = 2^j$. In a similar way (replacing $G$ by $\{a \in (\mathbb{Z}/n\mathbb{Z})^*,\ a \equiv \pm 1 \pmod n\}$) we prove that $[L : M] = 2$. Hence $[K : L] = 2^{j-1}$. If $j > 2$ we are done. If $j = 2$ (i.e. $[K : L] = 2$) then $n$ has two prime divisors. It follows from Cor. 1.1 that $n$ is not a Carmichael number. This implies that $J$ is a proper subgroup of $(\mathbb{Z}/n\mathbb{Z})^*$ and the index of $J$ in $(\mathbb{Z}/n\mathbb{Z})^*$ is at least 2. Therefore the index of $L$ in $(\mathbb{Z}/n\mathbb{Z})^*$ is at least 4. Finally, let $j = 1$. Then $n$ is a prime power, say $n = p^e$ with $e > 1$. But $\phi : (\mathbb{Z}/n\mathbb{Z})^* \to \mathbb{Z}/(p - 1)\mathbb{Z} \times \mathbb{Z}/p^{e-1}\mathbb{Z}$ is an isomorphism. As $n - 1$ is prime to $p$, $a^{n-1} \equiv 1 \pmod n$ if and only if $\phi(a) = (\mu, 0)$. So $[(\mathbb{Z}/n\mathbb{Z})^* : J] = \#\mathbb{Z}/p^{e-1}\mathbb{Z} = p^{e-1}$. This is bigger than 4 except for $n = 9$, which can be checked by hand.

To apply the Rabin-Miller test, we choose a random number $a \in \{2, \dots, n - 1\}$. If $\gcd(a, n) > 1$ then $n$ is composite. Otherwise we compute $a^d, a^{2d}, \dots, a^{2^{s-1} d}$. If we find a witness for the compositeness of $n$, then we have proved that $n$ is composite. By Th. 1.1, the probability that $n$ is composite and that $a$ is not a witness is less than $1/4$. So if we repeat the test $t$ times we can make this probability less than $(1/4)^t$. For $t = 10$ this probability is less than $10^{-6}$.
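The test described above, as an added Python example (not code from the notes): it computes the sequence $a^d, a^{2d}, \dots, a^{2^{s-1} d}$, decides whether $a$ is a witness, repeats with $t$ random bases, and counts the non-witnesses of a small $n$ to compare with the bound of Theorem 1.1. Names are my own; the random generator is seeded only so that runs are reproducible.

```python
# Added example (not part of the notes): the Rabin-Miller test with
# explicit witnesses, and a brute-force count of non-witnesses for small n.
import random
from math import gcd


def split_n_minus_1(n):
    """Write n - 1 = 2^s * d with d odd, for odd n."""
    s, d = 0, n - 1
    while d % 2 == 0:
        s += 1
        d //= 2
    return s, d


def miller_rabin_sequence(n, a):
    """The values a^d, a^(2d), ..., a^(2^(s-1) d) modulo n that the test inspects."""
    s, d = split_n_minus_1(n)
    x = pow(a, d, n)
    seq = [x]
    for _ in range(s - 1):
        x = x * x % n
        seq.append(x)
    return seq


def is_witness(n, a):
    """True if a proves n composite: gcd(a, n) > 1, or neither condition of Lemma 1.1 holds."""
    if gcd(a, n) != 1:
        return True
    seq = miller_rabin_sequence(n, a)
    if seq[0] == 1:
        return False
    return all(x != n - 1 for x in seq)


def miller_rabin(n, t=10, rng=random.Random(0)):
    """False: n is composite (a witness was found). True: n is prime, with error probability < (1/4)^t."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    return not any(is_witness(n, rng.randrange(2, n)) for _ in range(t))


def count_non_witnesses(n):
    """Number of a in {1, ..., n-1} prime to n that are not witnesses (Theorem 1.1: <= (n-1)/4 for odd composite n)."""
    return sum(1 for a in range(1, n) if gcd(a, n) == 1 and not is_witness(n, a))


if __name__ == "__main__":
    print(miller_rabin_sequence(561, 2))   # [263, 166, 67, 1], as in Example 4
    print(is_witness(561, 2), miller_rabin(561), miller_rabin(65537))   # True False True
    print(count_non_witnesses(9))   # 2 = (9 - 1)/4, the boundary case noted in the proof
```

The Carmichael number $561$ is handled without trouble: $2$ is a witness, while for the Fermat test every coprime base lies.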

Remark 2. Under the Generalized Riemann hypothesis (which is conjectural but believed true), it can be proved that there is always a witness for the compositeness of $n$ in the Miller-Rabin test with $a = O((\log n)^2)$.

1.2 Absolute tests

By 'absolute', I mean that we are sure that the number is prime (or not) at the end of the test. However the algorithm can be probabilistic: this is the case of ECPP, whereas AKS is deterministic but not fast enough.

1.2.1 AKS

For a very complete and elementary proof of AKS in $\tilde{O}((\log n)^{10.5})$, see http://www.trigofacile.com/maths/curiosite/primarite/aks/index.htm.

In the first version of the paper, the authors proved the asymptotic time complexity of the algorithm to be $\tilde{O}((\log n)^{12})$. However, the upper bound proved in the paper was rather loose; indeed, a widely held conjecture about the distribution of the Sophie Germain primes would, if true, immediately cut the worst case down to $\tilde{O}((\log n)^6)$. In the months following the discovery, new variants appeared (Lenstra 2002, Pomerance 2002, Berrizbeitia 2003, Cheng 2003, Bernstein 2003a/b, Lenstra and Pomerance 2003), which improved the speed of computation by orders of magnitude. Due to the existence of the many variants, Crandall and Papadopoulos refer to the "AKS-class" of algorithms in their scientific paper "On the implementation of AKS-class primality tests", published in March 2003. In response to some of these variants, and to other feedback, the paper "PRIMES is in P" was updated with a new formulation of the AKS algorithm and of its proof of correctness. (This version was eventually published in Annals of Mathematics.) While the basic idea remained the same, $r$ was chosen in a new manner, and the proof of correctness was more coherently organized. While the previous proof had relied on many different methods, the new version relied almost exclusively on the behavior of cyclotomic polynomials over finite fields. The new version also allowed for an improved bound on the time complexity, which can now be shown by simple methods (as we have seen) to be $\tilde{O}((\log n)^{10.5})$. Using additional results from sieve theory, this can be further reduced to $\tilde{O}((\log n)^{7.5})$. In 2005, Carl Pomerance and H. W. Lenstra, Jr. demonstrated a variant of AKS that runs in $\tilde{O}((\log n)^6)$ operations. Agrawal, Kayal and Saxena suggest a variant of their algorithm which would run in $\tilde{O}((\log n)^3)$ if a certain conjecture made by Bhattacharjee and Pandey in 2001 is true (Agrawal's conjecture, see footnote [1]); however, a heuristic argument by Hendrik Lenstra and Carl Pomerance suggests that it is probably false.

1.2.2 ECPP

Let $n \ge 0$ be an integer coprime to $6$. An elliptic curve over $\mathbb{Z}/n\mathbb{Z}$ is a Weierstrass equation

$E : y^2 z = x^3 + a x z^2 + b z^3, \quad a, b \in \mathbb{Z}/n\mathbb{Z}, \quad 4a^3 + 27b^2 \in (\mathbb{Z}/n\mathbb{Z})^*.$

This defines a ‘non singular curve’ in

$\mathbb{P}^2(\mathbb{Z}/n\mathbb{Z}) = \{(x : y : z)\} = \{(x, y, z) \in (\mathbb{Z}/n\mathbb{Z})^3,\ \gcd(x, y, z, n) = 1\} / \text{multiplication by invertible elements}.$

If $n$ is a prime, then we know that $E(\mathbb{Z}/n\mathbb{Z})$ is a commutative group which has at most two cyclic components, and Hasse's bound can be written as $(\sqrt{n} - 1)^2 < \#E(\mathbb{Z}/n\mathbb{Z}) < (\sqrt{n} + 1)^2$. If $n$ is not prime then $E(\mathbb{Z}/n\mathbb{Z})$ is not a group, but we may still try to add points applying the same formulae. The worst that could happen is that we encounter $d \in (\mathbb{Z}/n\mathbb{Z}) \setminus \{0\}$ which is not invertible. In this case $\gcd(d, n)$ is a non-trivial factor and we are done anyway. So we can assume that all additions of points succeed. If $p$ is a prime dividing $n$ and $\pi : \mathbb{Z}/n\mathbb{Z} \to \mathbb{Z}/p\mathbb{Z}$ the canonical projection, then it extends to a projection $\pi$ from the points of $E(\mathbb{Z}/n\mathbb{Z})$ to $E(\mathbb{Z}/p\mathbb{Z})$ which respects the addition law.

Theorem 1.2. Let $P \in E(\mathbb{Z}/n\mathbb{Z})$ and $m$ be an integer such that

• there exists a prime divisor $q$ of $m$ with $q \ge (n^{1/4} + 1)^2$,

• $mP = O$ but $(m/q)P = (x : y : z)$ with $\gcd(z, n) = 1$.

Then $n$ is prime.

Proof. Assume $n$ is composite and let $p \le \sqrt{n}$ be the smallest prime divisor of $n$. The order $r$ of $\pi(P)$ divides $m$ but not $m/q$, and hence $q \mid r$. On the other hand, Hasse's bound gives

$r \le \#E(\mathbb{Z}/p\mathbb{Z}) < (p^{1/2} + 1)^2 \le (n^{1/4} + 1)^2,$

hence $q < (n^{1/4} + 1)^2$, a contradiction.

It is natural to try $m = \#E(\mathbb{Z}/n\mathbb{Z})$ and to try random points on the curve. The biggest issue is to compute $m$. Using SEA, it is not possible to prove primality for 10000 digits numbers. Atkin's idea was to use complex multiplication to construct a curve with a given $m$. The other issue is to be sure that the factor $q$ is really a prime. This can be achieved by using the algorithm recursively. FastECPP (Elliptic curve primality proving), which is the name of this algorithm, runs in randomized time $\tilde{O}(\log^4 n)$ conjecturally. It produces a certificate ($E$, $m$, $q$, $P$ and a certificate for $q$) which allows one to check that $n$ is indeed prime. Adleman and Huang were able to do the same with higher genus curves, without any conjecture, but the algorithm is prohibitively slow in practice.

[1] Let $n, r$ be such that $r$ is a prime which does not divide $n$ and such that $n^2 \not\equiv 1 \pmod r$. If $(X - 1)^n \equiv X^n - 1 \pmod{X^r - 1, n}$ then $n$ is prime.

2 Factorization

Now, given an $n$ that is known to be composite, how can we find its decomposition into prime factors? We are going to present algorithms to obtain a non-trivial factor. By repeating the algorithm inductively, we can then factorize the number. For a generic number, the current record (end of 2013) is RSA768, which has 232 digits. It was factored using a general number field sieve algorithm. The largest factor found by the elliptic curve method has 83 digits (2013). Using the special number field sieve (see tutorial), the record is 320 digits with $2^{1061} - 1$ factored in 2012.

What is the factorization of a random number? Write $N = N_1 \cdots N_r$ with $N_i$ prime and $N_i \ge N_{i+1}$. We have $r \le \log_2 N$ and it can be proved that on average $N_1 \approx N^{0.62}$, $N_2 \approx N^{0.21}$ and $N_3 \approx N^{0.09}$. Hence a random integer has one large factor, a medium size one and a lot of small ones.

We will use the sub-exponential notation

$L_x(\nu, \lambda) = \exp(\lambda (\log x)^\nu (\log \log x)^{1-\nu}).$

2.1 Basic methods

2.1.1 Trial division

To find small prime factors of $n$, a precomputed table of all prime numbers below a fixed bound $B$ is computed. This can be done using the sieve of Eratosthenes. A typical bound is $B = 10^6$.

Example 5. We want to factor $n = 3^{21} + 1$. Trial division with primes less than 50 yields the factors $2^2, 7^2, 43$. If we divide $n$ by those factors, we obtain $m = 1241143$. Since $2^{m-1} \equiv 793958 \pmod m$, this number is still composite.

2.1.2 Pollard $p - 1$ method

This algorithm is efficient when $n$ has a prime factor $p$ such that $p - 1$ has only small prime divisors. Indeed, by Fermat's little theorem, one has $a^k \equiv 1 \pmod p$ for every multiple $k$ of $p - 1$. If $p - 1$ has only small prime divisors, one can try

$k = \prod_{q \in \mathcal{P},\ q^e \le B} q^e$

where $B$ is a given bound. Now if $a^k - 1$ is not divisible by $n$, then $\gcd(a^k - 1, n)$ is a non-trivial factor of $n$.

Example 6. Let $n = 1241143$ be the number of the previous example. We set $B = 13$. Then $k = 8 \cdot 9 \cdot 5 \cdot 7 \cdot 11 \cdot 13$ and $\gcd(2^k - 1, n) = 547$. So $n = 547 \cdot 2269$, which are both prime numbers.
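Trial division (Example 5) and the Pollard $p - 1$ method (Example 6) as an added, self-contained Python example; this is my code, not the notes', and the helper names are mine. The bounds ($50$ for trial division, $B = 13$ for $p - 1$) are those of the text.

```python
# Added example (not from the notes): trial division with a sieved prime
# table, then Pollard's p - 1 method on the remaining cofactor.
from math import gcd


def sieve_primes(bound):
    """Sieve of Eratosthenes: all primes <= bound."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for i in range(2, int(bound ** 0.5) + 1):
        if flags[i]:
            for j in range(i * i, bound + 1, i):
                flags[j] = 0
    return [i for i, f in enumerate(flags) if f]


def trial_division(n, bound):
    """Strip every prime factor <= bound from n; return ({p: e}, cofactor)."""
    factors = {}
    for p in sieve_primes(bound):
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
    return factors, n


def pollard_pm1_exponent(bound):
    """k = product of q^e over primes q, with e maximal such that q^e <= bound."""
    k = 1
    for q in sieve_primes(bound):
        qe = q
        while qe * q <= bound:
            qe *= q
        k *= qe
    return k


def pollard_pm1(n, bound, a=2):
    """gcd(a^k - 1, n) if it is a non-trivial factor of n, else None (bound too small, or every p - 1 | k)."""
    k = pollard_pm1_exponent(bound)
    g = gcd(pow(a, k, n) - 1, n)
    return g if 1 < g < n else None


if __name__ == "__main__":
    small, m = trial_division(3 ** 21 + 1, 50)
    print(small, m)                      # {2: 2, 7: 2, 43: 1} 1241143
    print(pollard_pm1(m, 13), m // 547)  # 547 2269
```

With $B = 13$ the exponent $k$ is divisible by $546 = 2 \cdot 3 \cdot 7 \cdot 13$ but not by $2268 = 2^2 \cdot 3^4 \cdot 7$, which is why exactly the factor $547$ is detected; with $B = 5$ neither $p - 1$ divides $k$ and the method returns nothing.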

2.2 Elliptic curve method: ECM

This is from the Wikipedia page. The Lenstra elliptic curve factorization or the elliptic curve factorization method (ECM) is a fast, sub-exponential running time algorithm for integer factorization which employs elliptic curves. For general purpose factoring, ECM is the third-fastest known factoring method. The second fastest is the multiple polynomial quadratic sieve and the fastest is the general number field sieve. The Lenstra elliptic curve factorization is named after Hendrik Lenstra. Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Currently, it is still the best algorithm for divisors not greatly exceeding 20 to 25 digits (64 to 83 bits or so), as its running time is dominated by the size of the smallest factor $p$ rather than by the size of the number $n$ to be factored. Frequently, ECM is used to remove small factors from a very large integer with many factors; if the remaining integer is still composite, then it has only large factors and is factored using general purpose techniques. The largest factor found using ECM so far has 83 digits and was discovered on 7 September 2013 by R. Propper.

The Lenstra elliptic curve factorization method to find a factor of the given $n$ works as follows:

1. Pick a random elliptic curve over $\mathbb{Z}/n\mathbb{Z}$, with equation of the form $y^2 = x^3 + ax + b \pmod n$, together with a non-trivial point $P(x_0, y_0)$ on it. This can be done by first picking random $x_0, y_0, a \in \mathbb{Z}/n\mathbb{Z}$, and then calculating $b = y_0^2 - x_0^3 - a x_0 \pmod n$.

2. Add points with the usual formulas. As for ECPP, if the addition is not well defined, we have found a factor.

3. Compute $eP$ on the elliptic curve $\pmod n$, where $e$ is a product of many small numbers: say, a product of small primes raised to small powers, as in the $p - 1$ algorithm.

4. If we were able to finish all the calculations above without encountering non-invertible elements $\pmod n$, then we need to try again with some other curve and starting point.

5. If at some stage we found $kP = O$ (the point at infinity on the elliptic curve), we should start over with a new curve and starting point, since this point $O$ is the group identity element, so it is unchanged under any further addition operations.

6. If we encountered a forbidden operation (i.e. an element that cannot be inverted), then we are done: its gcd with $n$ is a non-trivial factor of $n$.

The time complexity depends on the size of the factor and can be represented by $L_p(1/2, \sqrt{2})$, where $p$ is the smallest factor of $n$.

Why does it work? If $p$ and $q$ are two prime divisors of $n$, then $y^2 = x^3 + ax + b \pmod n$ implies the same equation also modulo $p$ and modulo $q$. These two smaller elliptic curves are now genuine groups. If these groups have $N_p$ and $N_q$ elements, respectively, then for any point $P$ on the original curve, by Lagrange's theorem, if $k > 0$ is minimal such that $kP = O$ on the curve modulo $p$ then $k$ divides $N_p$; moreover, $N_p P = O$. The analogous statement holds for the curve modulo $q$. When the elliptic curve is chosen randomly, then $N_p$ and $N_q$ are random numbers close to $p + 1$ and $q + 1$, respectively (see below). Hence it is unlikely that most of the prime factors of $N_p$ and $N_q$ are the same, and it is quite likely that while computing $eP$, we will encounter some $kP$ that is $O$ modulo $p$ but not modulo $q$, or vice versa. When this is the case, $kP$ does not exist on the original curve, and in the computations we found a non-trivial factor of $n$.

ECM is at its core an improvement of the older $p - 1$ algorithm. However, the latter algorithm fails when $p - 1$ has large prime factors. ECM gets around this obstacle by considering the group of a random elliptic curve over the finite field $\mathbb{Z}/p\mathbb{Z}$, rather than the multiplicative group of $\mathbb{Z}/p\mathbb{Z}$, which always has order $p - 1$. The order of the group of an elliptic curve over $\mathbb{Z}/p\mathbb{Z}$ varies (quite randomly) between $p + 1 - 2\sqrt{p}$ and $p + 1 + 2\sqrt{p}$ by Hasse's theorem, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse interval, by using heuristic probabilistic methods, namely the Canfield-Erdős-Pomerance theorem 2.1 with suitably optimized parameter choices, we can expect to try $L_n(1/2, \sqrt{2}/2)$ curves before getting a smooth group order. This heuristic estimate is very reliable in practice.
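An added example serving both Theorem 1.2 of Section 1.2.2 and the ECM procedure of Section 2.2 (my code, not the notes' and not any library's): affine point addition over $\mathbb{Z}/n\mathbb{Z}$ that reports a non-invertible denominator through an exception, a checker for an ECPP certificate $(E, m, q, P)$, and a small ECM. The certificate used in the check is constructed here: $n = 137$, $E : y^2 = x^3 + 1$, $m = 138$, $q = 23$, $P = (1, 31)$; for a prime $p \equiv 2 \pmod 3$ the curve $y^2 = x^3 + 1$ has exactly $p + 1$ points, and $P$ is chosen outside the six points of order dividing $6$, so $23$ divides its order. ECM is run on $n = 1241143$ from Example 6 with the curves $y^2 = x^3 + ax + 1$ through $(0, 1)$, $a = 1, 2, \dots$, instead of random ones, so that runs are reproducible.

```python
# Added example (not from the notes): elliptic-curve arithmetic modulo n that
# reports a non-invertible denominator instead of failing, used (i) to check an
# ECPP certificate in the sense of Theorem 1.2 and (ii) for Lenstra's ECM.
# Affine coordinates; the point at infinity O is represented by None.
from math import gcd


class FactorFound(Exception):
    """A denominator was not invertible modulo n; .factor is a proper divisor of n."""

    def __init__(self, factor):
        super().__init__(factor)
        self.factor = factor


def ec_add(P, Q, a, n):
    """P + Q on y^2 = x^3 + a x + b over Z/nZ (n odd); raises FactorFound if an inversion fails."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return None  # Q = -P: the sum is O
        if (y1 - y2) % n != 0:
            # y1^2 ≡ y2^2 but y1 ≢ ±y2 (mod n): y1 - y2 is a zero divisor, n is composite
            raise FactorFound(gcd(y1 - y2, n))
        num, den = 3 * x1 * x1 + a, 2 * y1  # tangent slope (doubling)
    else:
        num, den = y2 - y1, x2 - x1  # chord slope
    g = gcd(den % n, n)
    if g != 1:
        raise FactorFound(g)  # den ≢ 0 (mod n) here, so 1 < g < n
    lam = num * pow(den, -1, n) % n
    x3 = (lam * lam - x1 - x2) % n
    return (x3, (lam * (x1 - x3) - y1) % n)


def ec_mul(k, P, a, n):
    """kP by double-and-add (k >= 0)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, n)
        k >>= 1
        if k:
            P = ec_add(P, P, a, n)
    return R


def is_small_prime(q):
    return q > 1 and all(q % d for d in range(2, int(q ** 0.5) + 1))


def verify_ecpp(n, a, b, m, q, P):
    """Theorem 1.2 for the certificate (E: y^2 = x^3 + a x + b, m, q, P); True means n is proved prime.
    q is checked by trial division here; real ECPP would recurse with a certificate for q."""
    x, y = P
    if n < 2 or gcd(n, 6) != 1 or gcd(4 * a ** 3 + 27 * b * b, n) != 1:
        return False
    if (y * y - x ** 3 - a * x - b) % n != 0:  # P must lie on E
        return False
    if m % q != 0 or not is_small_prime(q) or q < (n ** 0.25 + 1) ** 2:
        return False
    try:
        return ec_mul(m, P, a, n) is None and ec_mul(m // q, P, a, n) is not None
    except FactorFound:
        return False  # a failed inversion exhibits a factor, so n is composite


def ecm(n, bound=30, max_curves=500):
    """Lenstra's ECM on odd n with curves y^2 = x^3 + a x + 1 through P = (0, 1), a = 1, 2, ...;
    returns a non-trivial factor or None if no curve succeeded."""
    if n % 2 == 0:
        return 2
    e = 1
    for i in range(2, bound + 1):  # e = lcm(1, ..., bound): every prime power <= bound divides e
        e = e * i // gcd(e, i)
    for a in range(1, max_curves + 1):
        g = gcd(4 * a ** 3 + 27, n)  # discriminant check for b = 1
        if g == n:
            continue  # singular modulo every prime factor: skip this curve
        if g > 1:
            return g
        try:
            ec_mul(e, (0, 1), a, n)  # reaching O or a finite point tells nothing: next curve
        except FactorFound as hit:
            return hit.factor
    return None


if __name__ == "__main__":
    print(verify_ecpp(137, 0, 1, 138, 23, (1, 31)))  # True: constructed certificate for n = 137
    print(ecm(1241143))                               # 547 or 2269
```

The same `ec_add` serves both uses because the only thing that distinguishes a prime modulus from a composite one, as the text explains, is whether a denominator can fail to be invertible.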

2.3 Modern sieves

The modern sieves find integers $x, y$ such that

$x^2 \equiv y^2 \pmod n \quad \text{and} \quad x \not\equiv \pm y \pmod n.$

Then $n$ is a divisor of $x^2 - y^2 = (x - y)(x + y)$ but of neither $x - y$ nor $x + y$. Hence $g = \gcd(x - y, n)$ is a proper divisor of $n$.

Example 7. Let $n = 7429$, $x = 227$, $y = 210$. Then $x^2 - y^2 = n$, $x - y = 17$, so $17 \mid n$.

We are presenting three sieves below. The main difference between them is the way to generate the quadratic relations.

2.3.1 The linear sieve

See tutorial.

2.3.2 Quadratic sieve

See also tutorial for another example.

Determination of $x$ and $y$. The idea from the previous section is also used in other factoring algorithms, such as the number field sieve (NFS), but those algorithms have different ways of finding $x, y$. We describe how $x, y$ are found in the quadratic sieve. Let $m = \lfloor \sqrt{n} \rfloor$ and $f(X) = (X + m)^2 - n$. We first explain the procedure on an example.

Example 8. Let $n = 7429$. Then $m = 86$. One has

$f(-3) = 83^2 - 7429 = -540 = -1 \cdot 2^2 \cdot 3^3 \cdot 5,$
$f(1) = 87^2 - 7429 = 140 = 2^2 \cdot 5 \cdot 7,$
$f(2) = 88^2 - 7429 = 315 = 3^2 \cdot 5 \cdot 7.$

This implies

$83^2 \equiv -1 \cdot 2^2 \cdot 3^3 \cdot 5 \pmod{7429},$
$87^2 \equiv 2^2 \cdot 5 \cdot 7 \pmod{7429},$
$88^2 \equiv 3^2 \cdot 5 \cdot 7 \pmod{7429}.$

If the last two congruences are multiplied then we obtain

$(87 \cdot 88)^2 \equiv (2 \cdot 3 \cdot 5 \cdot 7)^2 \pmod n.$

Therefore we can set $x \equiv 87 \cdot 88 \equiv 227 \pmod n$ and $y \equiv 2 \cdot 3 \cdot 5 \cdot 7 \equiv 210 \pmod n$.

In the example we have presented numbers $s$ for which the value $f(s)$ has only small prime factors. Then we use the congruence

$(s + m)^2 \equiv f(s) \pmod n.$

From those congruences, we select a subset whose product yields squares on the left- and the right-hand sides. The left-hand side of each congruence is a square anyway. Also we know the prime factorization of each right-hand side. The product of a number of right-hand sides is a square if the exponents of $-1$ and of all prime factors are even. In the next section, we explain how an appropriate subset of congruences is chosen.

Choosing appropriate congruences. The selection process is controlled by coefficients $\lambda_i \in \{0, 1\}$. If $\lambda_i = 1$ the congruence $i$ is chosen; otherwise it is not. The product of the right-hand sides of the chosen congruences is

$(-1 \cdot 2^2 \cdot 3^3 \cdot 5)^{\lambda_1} \cdot (2^2 \cdot 5 \cdot 7)^{\lambda_2} \cdot (3^2 \cdot 5 \cdot 7)^{\lambda_3} = (-1)^{\lambda_1} \cdot 2^{2\lambda_1 + 2\lambda_2} \cdot 3^{3\lambda_1 + 2\lambda_3} \cdot 5^{\lambda_1 + \lambda_2 + \lambda_3} \cdot 7^{\lambda_2 + \lambda_3}.$

We want this number to be a square, so we have to solve the following linear system:

$\lambda_1 \equiv 0 \pmod 2$
$2\lambda_1 + 2\lambda_2 \equiv 0 \pmod 2$
$3\lambda_1 + 2\lambda_3 \equiv 0 \pmod 2$
$\lambda_1 + \lambda_2 + \lambda_3 \equiv 0 \pmod 2$
$\lambda_2 + \lambda_3 \equiv 0 \pmod 2.$

A solution is $\lambda_1 = 0$, $\lambda_2 = \lambda_3 = 1$. In general we choose a positive integer $B$. Then we look for integers $s$ such that $f(s)$ has only prime factors that belong to the factor base

$F(B) = \{p \in \mathcal{P},\ p \le B\} \cup \{-1\}.$

Such values $f(s)$ are called $B$-smooth. If we have found as many values for $s$ as the factor base has elements, then we try to solve the corresponding linear system over $\mathbb{Z}/2\mathbb{Z}$.

Sieving. It remains to be shown how the values of $s$ are found for which $f(s)$ is $B$-smooth. One possibility is to compute the value $f(s)$ for $s = 0, \pm 1, \pm 2, \dots$ and to test by trial division whether $f(s)$ is $B$-smooth. Unfortunately, those values typically are not $B$-smooth. This is very inefficient as the factor base is large for large $n$ (see Tab. 1). A more efficient method is to use sieving techniques, which are described as follows. We explain a simplified version that shows the main idea. We fix a sieving interval $S = \{-C, -C + 1, \dots, 0, 1, \dots, C\}$. We want to find all $s \in S$ such that $f(s)$ is $B$-smooth. To find out which of the values $f(s)$ are divisible by a prime number $p$ in the factor base, we start from the end. We fix a prime $p$. The equation $f(s) \equiv 0 \pmod p$ has two solutions $s_{i,p}$ which can be computed quickly. Then we try to find values $s_{i,p} + kp \in S$. After each step, we divide the corresponding $f(s)$ by $p$. Prime powers can be treated similarly.

Example 9. Let $n = 7429$, $m = 86$. The factor base is the set $\{2, 3, 5, 7\} \cup \{-1\}$. As sieve interval, we use the set $S = \{-3, \dots, 3\}$.

s                  -3    -2    -1     0     1     2     3
(s + m)^2 - n    -540  -373  -204   -33   140   315   492
Sieve with 2     -135         -51          35         123
Sieve with 3       -5         -17   -11          35    41
Sieve with 5       -1                         7     7
Sieve with 7                                  1     1

Here for instance $s_{1,3} = 0$, $s_{2,3} = 2$, $s_{1,5} = 1$, $s_{2,5} = 2$, $s_{1,7} = 1$, $s_{2,7} = 2$.

Table 1: Factor base and sieving

# decimal digits of n              50   60   70   80   90  100  110  120
# factor base (in thousands)        3    4    7   15   30   51  120  245
# sieving interval (in millions)   .2    2    5    6    8   14   16   26

Remark 3. These are typical sizes for $B$ and $C$. However, there are very few non-zero coefficients for each relation. For instance for RSA-129 (129 digits), one had to use a matrix of size of order $500{,}000$, but this matrix had only 47 non-zero coefficients on each line. To solve the linear algebra phase, one uses Wiedemann's algorithm (see DLP chapter), which for sparse matrices is quadratic in the size. Many other tricks are used in practice (large primes, Multiple Polynomial Quadratic Sieve (MPQS), Self-initializing quadratic sieve (SIQS)). See the Wikipedia pages.
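A toy quadratic sieve as an added Python example (not code from the notes) reproducing Examples 8 and 9 and the $\mathbb{Z}/2\mathbb{Z}$ system above for $n = 7429$: it sieves $f(s)$ over $S = \{-C, \dots, C\}$ using the roots $s_{i,p}$, collects the $B$-smooth values as exponent vectors over $F(B)$, finds a dependency by Gaussian elimination over $\mathbb{Z}/2\mathbb{Z}$, and derives $x$, $y$ and $\gcd(x - y, n)$. Function names and the defaults $B = 7$, $C = 3$ are mine, chosen to match the example.

```python
# Added example (not part of the notes): a toy quadratic sieve that
# reproduces Examples 8 and 9 (n = 7429, m = 86, F(7) = {-1, 2, 3, 5, 7}, S = {-3, ..., 3}).
from math import gcd, isqrt


def factor_base(bound):
    """F(B) = {-1} ∪ {p prime, p <= B}; the sign -1 is column 0 of every exponent vector."""
    primes = [p for p in range(2, bound + 1) if all(p % q for q in range(2, isqrt(p) + 1))]
    return [-1] + primes


def sieve_relations(n, bound, C):
    """Sieve f(s) = (s + m)^2 - n over s in [-C, C]; return [(s, exponent vector)] for the B-smooth ones."""
    m = isqrt(n)
    fb = factor_base(bound)
    rest = {s: (s + m) ** 2 - n for s in range(-C, C + 1)}  # what is left of f(s) after dividing out
    exps = {s: [0] * len(fb) for s in rest}
    for s in rest:
        if rest[s] < 0:  # record the sign as the exponent of -1
            rest[s], exps[s][0] = -rest[s], 1
    for j, p in enumerate(fb[1:], start=1):
        roots = [r for r in range(p) if ((r + m) ** 2 - n) % p == 0]  # the s_{i,p}, p is small
        for r in roots:
            s = -C + (r + C) % p  # first s >= -C with s ≡ r (mod p)
            while s <= C:
                while rest[s] and rest[s] % p == 0:  # prime powers: keep dividing
                    rest[s] //= p
                    exps[s][j] += 1
                s += p
    return [(s, exps[s]) for s in sorted(rest) if rest[s] == 1]


def gf2_dependencies(vectors):
    """Subsets (index lists) of exponent vectors whose sum is 0 mod 2: Gaussian elimination on bitmasks."""
    masks = [sum((e & 1) << c for c, e in enumerate(v)) for v in vectors]
    pivots = {}  # leading column -> (reduced mask, which original rows it combines)
    deps = []
    for i, mask in enumerate(masks):
        combo = 1 << i
        while mask:
            col = mask.bit_length() - 1
            if col not in pivots:
                pivots[col] = (mask, combo)
                break
            pmask, pcombo = pivots[col]
            mask ^= pmask
            combo ^= pcombo
        if mask == 0:
            deps.append([k for k in range(len(vectors)) if combo >> k & 1])
    return deps


def quadratic_sieve(n, bound=7, C=3):
    """A proper factor of n obtained from x^2 ≡ y^2 (mod n), or None if the relations do not give one."""
    m = isqrt(n)
    if m * m == n:
        return m
    fb = factor_base(bound)
    rels = sieve_relations(n, bound, C)
    for dep in gf2_dependencies([e for _, e in rels]):
        x, total = 1, [0] * len(fb)
        for i in dep:
            s, e = rels[i]
            x = x * (s + m) % n
            total = [u + v for u, v in zip(total, e)]
        y = 1
        for p, e in zip(fb, total):  # every exponent is even, so y is a square root of the product
            y = y * pow(p, e // 2, n) % n
        for g in (gcd(x - y, n), gcd(x + y, n)):
            if 1 < g < n:
                return g
    return None


if __name__ == "__main__":
    print(sieve_relations(7429, 7, 3))  # s = -3, 1, 2 with their exponent vectors
    print(quadratic_sieve(7429))        # 17
```

On this input the only dependency is $\lambda = (0, 1, 1)$, which gives $x = 227$, $y = 210$ and $\gcd(17, 7429) = 17$, exactly the numbers of Examples 7 and 8.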

2.3.3 Special number sieve

See tutorial.

2.3.4 Complexity analysis

Let us recall that

$L_x(\nu, \lambda) = \exp(\lambda (\log x)^\nu (\log \log x)^{1-\nu})$

is the notation for the subexponential function. For asymptotic estimates, we write $L_x(\nu, \lambda) = L_x(\nu, \lambda + o(1))$ and we also denote $L_x(\nu) = L_x(\nu, \lambda)$ for any $\lambda \ne 0$. Note that we can then write $L_x(\nu_1) L_x(\nu_2) = L_x(\max(\nu_1, \nu_2))$ and $L_x(\nu, \lambda_1) L_x(\nu, \lambda_2) = L_x(\nu, \lambda_1 + \lambda_2)$. We need one important result (Canfield, Erdős, Pomerance).

Theorem 2.1. Let $0 < \omega < \nu \le 1$ and $\lambda > 0$, $\mu > 0$. The probability that a number $\le L_x(\nu, \lambda)$ is $L_x(\omega, \mu)$-smooth is

$L_x(\nu - \omega, -\lambda(\nu - \omega)/\mu + o(1)).$

Let us analyze the complexity of the quadratic sieve. Let $n$ be an integer and $B = L_n(\omega, \mu)$ a bound for smoothness. We are looking at smooth numbers $f(x) \equiv y^2 \pmod n$ with $f(x) \approx \sqrt{n} = L_n(1, 1/2)$. We want to find $\pi(B)$ relations (where $\pi(B)$ is the number of primes smaller than $B$, which is equivalent to $B/\log B$ and which we identify with $B$).

We first look for the value of $\omega$. The probability for an integer $L_n(1)$ to be $B$-smooth is $P = L_n(1 - \omega)$. If we try $r$ times we find one with probability $1 - (1 - P)^r \sim rP$, hence we need to take $r = P^{-1}$. As we want at least $B$ relations (to have a square matrix for the linear system), we will need to try $rB$ (which is the parameter $C$ above) candidates, hence the complexity is

$T = P^{-1} B = L_n(1 - \omega) L_n(\omega) = L_n(\max(1 - \omega, \omega)).$

This is minimal for $1 - \omega = \omega = 1/2$.

We now determine $\mu$. The probability for an integer $L_n(1, 1/2)$ to be $B$-smooth is $P = L_n(1/2, -1/(4\mu))$, and we still need to find $T_1 = B/P = L_n(1/2, \mu + 1/(4\mu))$ relations, which is also the time we are going to spend on this part of the algorithm. Now we also need to care about the linear algebra part of the algorithm. For sparse matrices, computing the inverse of a matrix of size $B$ can be done in $B^2$ operations. So we have $T_2 = B^2 = L_n(1/2, 2\mu)$, and we need to find $\mu$ to minimize $T_1 + T_2 \le L_n(1/2, \max(\mu + 1/(4\mu), 2\mu))$. One sees that we can take $\mu = 1/2$. We find that $B = L_n(1/2, 1/2)$ and that $T = L_n(1/2, 1)$.

Remark 4. For NFS, the heuristic running time is $L_n(1/3, (64/9)^{1/3})$.
