Canonical Form of Modular Hyperbolas with an Application to Integer

arXiv:2001.09814v2 [math.NT] 15 Apr 2020 ouin o()i ml ihrsetto respect i with explained n small As odd is calculated. composite (1) precisely of to be case con solutions can the more For (1) as 4. of seen section solutions be in can shown however, as form, cations, latter The related. are a edrcl sdt ul nitgrfcoigalgorithm factoring integer an build to used directly be can Keywords— ensamdlrhproaof hyperbola modular a deﬁnes For Introduction 1 oteequation the to ntehproais hyperbola the in has Regarding 1 hoe ,tefloigrsl spoie,ta ilbe will that provided, 1. is Theorem result following the 1, Theorem [1] aoia omo oua yeblswt an with hyperbolas modular of form Canonical nuulntto,( notation, usual In ti hrfr o upiigt e httesto distance of set the that see to surprising not therefore is It h bv ento a entrlyetne ocomposite to extended naturally be can deﬁnition above The φ n ( ∈ lrsltosadtedsacsbtenpit famodular a moduli of composite points certain between for distances Furthermore, the and solutions ular utet ewe h ubro ouin and solutions of number the between quotients loih o nee atrzto sn uhsltosi solutions such using factorization integer for algorithm modulus ouin oteequation the to solutions p = ) Z o composite a For and H p n,c − plcto oitgrfactorization integer to application oua yebls nee atrzto,DohnieE Diophantine Factorization, Integer Hyperbolas, Modular Let p points. 1 c sasbe fteEcienpae h e fdsacsbetwe distances of set the plane, Euclidean the of subset a as nodpie h e fintegers of set the prime, odd an D | scluae.W sals ietrlto ihtoemod those with relation direct a establish We calculated. is p H n,p eaodpieand prime odd a be n,p n p | = = tnsfrteLgnr yblof symbol Legendre the for stands ) n 2 n ( + { C-nvriyo unsAires Buenos of ICC-University D ( n nodd an and ,y x, a n,c p − 4 ≡ unD Mauro Di Juan 1 n n [email protected] ) = b 1+( + (1 + | + modulus p xy {| − 4 1 a mod x 3 Abstract CONICET ≡ ≡ − if 1 + gcd c c n y b 1 ,b a, c n p with o eti composite certain for | | )) ( p mod ,p n, mod ,y x, If . / if 2 c 1 = ) H ∈ o dividing not c ∈ p p, c 1 naypoi oml for formula asymptotic an , with Z and , 2 0 c 2 p p then , n,c c { ∪ ≤ ≡ ≡ spoie.Fnly an Finally, provided. is } n ,b a, ,y

As previously observed, if Au is not empty then it contains at least 2 points. The Lemma below characterizes the set Au.

Lemma 1. Let Au be as above.

1. If y is a root of Y (Y − u) ≡ n mod p then (y − u, y) ∈ Au

2. If y is a root of Y (Y + u) ≡ n mod p then (y + u, y) ∈ Au

3. If (x,y) ∈ Au then y is a root of the equations in 1. or 2. Proof. The calculations are elementary and therefore omitted.

2 4n+u 2 It is immediately clear that |Au| = 4 provided that ( p ) = 1. In case 4n+u ≡ 0 2 4n+u mod p, we have |Au| = 2 and ﬁnally Au = ∅ if ( p )= −1. 2 When dividing the square [0,p − 1] into four regions R1,...,R4, according to the symmetry lines y = x and x + y = p not two points of Au belong to the same region, and that means there exists a correspondence between u and the points in one region. For simplicity, lets consider only the region

R1 = {(x,y) ∈ Hn,p | 0 ≤ x

Proof. Let ψ¯ : R¯1 → Dn,p be the application deﬁned by ψ¯(x,y)= |x − y|. If u ∈ Dn,p then there is a pair (x,y) ∈ Hn,p with |x − y| = u. If(x,y) ∈ R¯1 then ψ¯(x,y) = u. On the other hand, if (x,y) 6∈ R¯1 then f1, f2 or a composition of both ′ ′ ′ ′ carries (x,y) to a point (x ,y ) ∈ R¯1 with |x − y| = |x − y | = u. That proves the surjectivity Note that ψ¯ restricted to R1 is injective because, if (x1,y1), (x2,y2) ∈ R1 with ψ¯(x1,y1)= |x1 − y1| = ψ¯(x2,y2)= |x2 − y2| = u then

Au = {(x1,y1), (y1,x1), (p − x1,p − y1), (p − y1,p − x1)} and (x1,y1), (x2,y2) ∈ Au. But Au has only one element of R1, so it must be (x1,y1)= (x2,y2). It only remains to consider the injectivity in the points of R¯1 that are in the borders. Lets suppose ψ¯(x1,y1)= ψ¯(x2,y2). If for (x1,y1) ∈ R¯1 we have x1 = y1 then u = |x1 − y1| = |x2 − y2| = 0. Exactly one element of the set A0 = {(x1,x1), (p−x1,p−x1)} is in R¯1, so(x1,y1)=(x2,y2)= (x1,x1) Otherwise if (x1,y1) ∈ R¯1 satisﬁes y1 = p − x1, then in that case for u = |x1 − (p − x1)| = |2x1 − p| it holds Au = {(x1,p − x1), (p − x1,x1)} and exactly one point of Au is in R¯1, so (x1,y1)=(x1,p − x1)=(x2,y2).

2 2 The canonical form of a modular hyperbola

The motivation for the following deﬁnition can be found in the Fermat method to factor a composite n. In such case the factors of n can be obtained by looking at the solutions of the Diophantine equation

n + x2 = y2. (2)

If (2) is reduced modulus c for some c of modest size, the modular solutions of the equation can be obtained without much effort. It is enough (and naive) to try with 2 2 half of the elementsx ¯ ∈ Zc and keep the pairs (¯x , n +x ¯ mod c) for everyx ¯ that 2 2 ∗ ∗ ∗ satisfy n +x ¯ mod c ∈ (Zc) . Furthermore, if x ,y satisfies (2) then clearly x and y∗ must be equivalent modulus c to one pair of solutions modulo c. This very fact motivates the following definition, which is due to Scolnik [2].

Deﬁnition 1. A target for n is a triplet (a,b,c) of non-negative integers with a,b ∈ 2 (Zc) holding n + a ≡ b mod c

It will also be the case that a,b is a target for n modulus c, meaning that (a,b,c) is a target for n. In addition, if (a,b,c) is a target for n and a ≡ x∗2 mod c, then for some 0 ≤ α ≤ c − 1 with α2 ≡ a mod c there is an integer z such that

x∗2 =(α + cz)2 (3)

Let T (n, c) denote the set of targets for n modulus c, that is

2 T (n, c)= {(a,b,c) | a,b ∈ (Zc) and n + a ≡ b mod c} and let τ(n, c) be the number of elements in T (n, c). For an odd prime p that does not divide n, it is expected that τ(n, p) and | Dn,p | are equal. Although the proof can be stated by elementary means, it is more convenient to use a special case of a Jacobi sum. To do so, we write N(x2 = a) as the number of solutions of x2 ≡ a mod p with 0 ≤ a ≤ p − 1. Unless stated otherwise, from 2 now on all elements should be in Zp hence the solutions to x ≡ a mod p should be understood as the elements of Zp that satisfy the former congruence. The Lemma below is rather intuitive if one considers the canonical form of an hyperbola in the Euclidean space and the deﬁnition of Hn,p.

Lemma 3. For an integer n and an odd prime p with p ∤ n, the number of solutions to n + x2 ≡ y2 mod p is p − 1.

Proof. The number of solutions to n + x2 ≡ y2 mod p can be written as

N(n + x2 = y2)= N(x2 = a)N(y2 = b) ≡ n+a Xb mod p 2 a It is easy to see that N(x = a)=1+ p , so the previous equation becomes a b 1+ 1+ . p p ≡ n+a Xb mod p or a b a b 1+ + + . p p p p ∈Z ∈Z ∈Z ≡ aXp aXp bXp n+a Xb mod p It is well known that for a non-trivial character χ over a ﬁeld Fp the sum F∗ χ(a) a∈ p ∗ is 0. As the Legendre symbol is a character over Zp, the second and third summationsP are 0.

3 On the other hand, if we rename a = −na′ and b = nb′ we get a b −na′ nb′ = p p p p ≡ ′ ′ n+Xa b a +Xb ≡1 −n n a′ b′ = p p ′ ′ p p a +Xb ≡1 ′ ′ p−1 a b =(−1) 2 ′ ′ p p a +Xb ≡1 (the congruence is modulus p). This is a Jacobi sum J(χ,χ) with the Legendre symbol as the character χ. Furthermore, as the Legendre symbol is a character of order 2, meaning that J(χ,χ)= J(χ,χ−1), the special case

p−1 J(χ,χ−1)= −(−1) 2 holds (see Theorem 1 in chapter 8, section 3 of [4]). Finally,

p−1 p−1 N(n + x2 = y2)= p +(−1) 2 (−(−1) 2 )= p − 1

Theorem 2. Let p be an odd prime with gcd(p, n) = 1, then

p−1 n 4 +(1+( p ))/2 if p ≡ 1 mod4 τ(n, p)= p−3 ( 4 + 1 if p ≡ 3 mod4 hence τ(n, p)=| Dn,p |.

n Proof. The proof goes by stages. If p ≡ 1 mod 4 and p = −1 then there is no target (a,b,p) with a = 0 or b = 0, so every target (a,b,p) gives four solutions to the equation n + x2 ≡ y2 mod p. That is,

4τ(n, p)= p − 1. by Lemma 3. Hence, p − 1 τ(n, p)= . 4

n −n If p ≡ 1 mod 4and p = 1 then also p = 1, there is one target of the form (0,b,p) and one target of the form (a, 0,p) with a 6= 0 and b 6= 0, each one giving two solutions to n + x2 ≡ y2 mod p and the rest providing four solutions. It therefore means that 4(τ(n, p) − 2)+4= p − 1. So p − 1 τ(n, p)= + 1. 4 Finally, if p ≡ 3 mod 4 exactly one of the pairs {n, −n} is a quadratic residue modulus p, meaning there is only one target (a,b,p) of n with a = 0 or b = 0. That target gives two solutions to n + x2 ≡ y2 mod p, and each one of the rest gives four. So,

4(τ(n, p) − 1)+2= p − 1 and from that p − 3 τ(n, p)= + 1 4

4 Remark 1. If s and t are coprime, then τ(n,st) = τ(n, t)τ(n, s) following from the Chinese Remainder Theorem, so τ(n, c) is multiplicative as a function of c.

Furthermore, τ can be calculated for moduli that are powers of odd primes.

Theorem 3. Let p be an odd prime, n an integer with gcd(p, n) = 1 and k> 0. 1. If (a,b,pk) is a target for n with a 6= 0 and b 6= 0, then there are p targets (a′,b′,pk+1) of n with a ≡ a′ mod pk and b ≡ b′ mod pk. 2. If (0,b,pk) is a target for n, the number of targets (a′,b′,pk+1) for n with 0 ≡ a′ mod pk and b ≡ b′ mod pk is

2 (a) |(Zp) | for k even. (b) 1 for k odd. 3. If (a, 0,pk) is a target for n, the number of targets (a′,b′,pk+1) for n with a ≡ a′ mod pk and 0 ≡ b′ mod pk is

2 (a) |(Zp) | for k even. (b) 1 for k odd.

Proof. 1. If g 6≡ 0 mod p is a quadratic residue modulus pk, then g + tpk is a quadratic residue modulus pk+1 for 0 ≤ t ≤ p. The set

{(a + tpk,b + t′pk,pk+1) | t′ =(n + a − b)/pk + t, 0 ≤ t< 0}

is a set of targets for n. k k+1 2 2. If k is even, tp is a quadratic residue modulus p provided t ∈ (Zp). Besides, b + t′pk is quadratic residue of pk+1 for 0 ≤ t′

{(tpk,b + t′pk,pk+1) | t′ =(n − b)/pk + t, 0 ≤ t< 0}

is a set of targets for n. If k is odd, tpk is a quadratic residue of pk+1 only for t = 0. 3. Analogous to the previous case.

n −n For brevity, let sp(n)=(1+( p ))/2+(1+( p ))/2. Theorem 4. If p is an odd prime and p ∤ n, then for k> 1

k 2 k+1 [τ(n, p ) − sp(n)]p + sp(n)(|(Zp) | + 1) if k is even τ(n, p )= k ( [τ(n, p ) − sp(n)]p + sp(n) if k is odd

Proof. Follows immediately from Theorem 3

From the theorems 2, 4 and Remark 1 the number of targets for n modulus an odd composite c whose prime factors are known can be easily calculated.

5 3 Relation between targets and Dn,c

2 2 As the number of solutions to n + x ≡ y mod p and the number of points in Hn,p are the same, it can be easily seen that the targets for n modulus p and the set of distances between points of a modular hyperbola Hn,p are related.

Theorem 5. Let p be an odd prime with gcd(n, p) = 1.There is a correspondence between the elements of Tn,p and Dn,p.

Proof. There is indeed a correspondence between the elements of Tn,p and the elements of R¯1 as it can be seen by the mapping γ1 : R¯1 → Tn,p, given by

(x,y) 7→ (2−2(x − y)2, 2−2(x + y)2, c)=(a,b,c) and the mapping γ2 : Tn,p → R¯1 , given by

(a,b,c) 7→ (x,y)

2 such that Au ∩ R¯1 = {(x,y)} with u = 2α, α ≡ a mod p and α

Besides their algorithmic implications, theorems 6 and 7 provide bounds that show the asymptotic behavior of τ with respect to c for certain composite moduli. In what follows, p stands for an odd prime. The symbols O and Θ are used, as customary, to describe asymptotic bounds. A simple result (following from one of Mertens’ Theorems; see Corollary 2.10 in [3] and Theorem 5.13 in [5]) and that p+1 will become useful later is p≤B p = Θ(log B). As usual, π is used for the prime- counting function, so π(B) is the number of primes up to B. Q Theorem 6. n If c = p≤B p and for all p ≤ B with p ≡ 1 mod4 holds p = −1 then Q τ(n, c) = O(4−π(B) log B) c

Proof. By Remark 1, τ(n, c)= τ(n, p) ≤ pYB and from the deﬁnition of τ and the assumptions of the above Theorem, it follows that τ(n, p) ≤ (p + 1)/4 for all p ≤ B. Therefore,

τ(n, c)= τ(n, p) ≤ 4−π(B) p + 1. ≤ ≤ pYB pYB p+1 Dividing by c and applying p≤B p = Θ(log B) the desired result immediately follows. Q Theorem 7. If c = p≤B p then 1 Q n τ(n, p) − (1 + )/2 = O(4−π(B) log B) c p 2

n Proof. Note that τ(n, p) − (1 + p )/2 ≤ (p + 1)/4. The proof is identical as the one given above.

6 4 An application to factoring

We now want to brieﬂy sketch an algorithm for integer factorization using targets. The complexity analysis of the algorithm is extense and will be presented in a forthcoming paper; hence we exhibit here the basic idea. Although the algorithm is not of practical use nowadays, given that its running time is exponential (roughly O(n1/3)), there are many subexponential algorithms that were born from previous exponential ones, and besides that, it shows one possible way for using the elements in Dn,c to factor n. Let n = pq be composite with p, q primes with |p − q| not too big, so that if x∗,y∗ are solutions to n + x2 = y2 then |x∗| < n1/2. ′ As it was suggested by theorems 6 and 7, the idea is to let c · c = p1 ...pm be ′ the product of the ﬁrst consecutive odd primes (with c = p1 ...pr, 0

x∗2 = a + tc = a′ + uc′ for integers t, u. Clearly then, if (a,b,c) is a right target for n for some α square root of a modulus c, then there is an integer z bounded by |z| < n1/2/c such that

x∗2 =(α + cz)2.

2 ′ ′ But also note that (α + cz) ≡ a mod c , hence if z1,...,zl are the solutions of 2 ′ ′ ′ (α + cz) ≡ a mod c with 0 ≤ zi ≤ c , in which case

∗2 ′ 2 x =(α + czi + c · c · k) for some i = 1,...,l, with k an integer bounded by |k| ≤ ⌈n1/2/(c′ · c)⌉. The search is conducted over k, and as m grows the bound gets narrowed. An appropriate choice is to take r = ⌊m/2⌋ and c · c′ as the maximum product of consecutive odd primes that satisfy n1/2/(c′ · c) ≥ 1 The complete procedure is detailed as Algorithm 1.

7 Algorithm 1 Factoring integers using targets

Require: n, a composite to factor. m a positive integer such that p1 ...pm is 1/2 the maximum product of odd primes with n /(p1 ...pm) ≥ 1. ′ 1: Choose 0

The algorithm was implemented in Python. After conducting several tests with small numbers (up to 30 digits) it became evident that the number of iterations is near 1/3 O(log pmn ) (all the operations can be bounded by the cost of multiplying integers of size at most log n and taking the integer square root in line 28).

References

[1] I. E. Shparlinski, A. Winterhof, On the number of distances between the coordi- nates of points on modular hyperbolas, Journal of Number Theory, 128 (2008), pp 1224-1230

8 [2] H. Scolnik, Nuevos algoritmos de factorizacion de enteros para atacar RSA, Actas X Reunión Española sobre Criptolog´ıa y Seguridad de la Información, pp 9-21,ISBN 978-84-691-5158-7, Salamanca 2008. [3] M. Hittmeir, A Babystep-Giantstep Method for Faster Deterministic Integer Fac- torization, Mathematics of Computation, 87 (2018), no. 314, pp 2915-2935. [4] K. Ireland, M. Rosen, A Classical Introduction to Modern Number Theory, Springer, 1982. [5] V. Shoup, A Computational Introduction to Number Theory and Algebra, Cam- bridge University Press, Cambridge, 2005.