
3. Integer Factorization and Discrete Logarithms

Of all the problems in the theory of numbers to which computers have been applied, probably none has been influenced more than that of factoring.
Hugh C. Williams [260]

3.1 Introduction

The integer factorization problem (IFP) is to find a nontrivial factor $f$ (not necessarily prime) of a composite integer $n$. That is,

$$\left.\begin{array}{ll} \text{Input:} & n \in \mathbb{Z}^{+}_{>1} \\ \text{Output:} & f \text{ such that } f \mid n \end{array}\right\} \tag{3.1}$$

Clearly, if there is an algorithm to test whether or not an integer $n$ is a prime, and an algorithm to find a nontrivial factor $f$ of a composite integer $n$, then by recursively calling the primality testing algorithm and the integer factorization algorithm, it should be easy to find the prime factorization of

$$n = p_1^{\alpha_1} p_2^{\alpha_2} \cdots p_k^{\alpha_k}.$$

In this chapter we shall mainly be concerned with the integer factorization algorithms (the primality testing algorithms have been discussed in the previous chapter). Generally speaking, the most useful factoring algorithms fall into one of the following two main classes (Brent [33]):

(A) General purpose factoring algorithms: the running time depends mainly on the size of $N$, the number to be factored, and is not strongly dependent on the size of the factor $p$ found. Examples are:

(1) Lehman's method, which has a rigorous worst-case running time bound $O\left(n^{1/3+\epsilon}\right)$.

(2) Shanks' SQUare FOrm Factorization method SQUFOF, which has expected running time $O\left(n^{1/4}\right)$.

(3) Shanks' class group method, which has running time $O\left(n^{1/5+\epsilon}\right)$.

(4) Continued FRACtion (CFRAC) method, which under plausible assumptions has expected running time

$$O\left(\exp\left(c\sqrt{\log n \log\log n}\right)\right) = O\left(n^{c\sqrt{\log\log n/\log n}}\right),$$

where $c$ is a constant (depending on the details of the algorithm); usually $c = \sqrt{2} \approx 1.414213562$.
(5) Multiple Polynomial Quadratic Sieve (MPQS), which under plausible assumptions has expected running time

$$O\left(\exp\left(c\sqrt{\log n \log\log n}\right)\right) = O\left(n^{c\sqrt{\log\log n/\log n}}\right),$$

where $c$ is a constant (depending on the details of the algorithm); usually $c = \frac{3}{2\sqrt{2}} \approx 1.060660172$.

(6) Number Field Sieve (NFS), which under plausible assumptions has the expected running time

$$O\left(\exp\left(c\sqrt[3]{\log n}\,\sqrt[3]{(\log\log n)^2}\right)\right),$$

where $c = (64/9)^{1/3} \approx 1.922999427$ if GNFS (a general version of NFS) is used to factor an arbitrary integer $n$, whereas $c = (32/9)^{1/3} \approx 1.526285657$ if SNFS (a special version of NFS) is used to factor a special integer $n$ such as $n = r^e \pm s$, where $r$ and $s$ are small, $r > 1$ and $e$ is large. This is substantially and asymptotically faster than any other currently known factoring method.

(B) Special purpose factoring algorithms: the running time depends mainly on the size of $p$ (the factor found) of $n$. (We can assume that $p \le \sqrt{n}$.) Examples are:

(1) Trial division, which has running time $O\left(p(\log n)^2\right)$.

(2) Pollard's $\rho$-method (also known as Pollard's "rho" algorithm), which under plausible assumptions has expected running time $O\left(p^{1/2}(\log n)^2\right)$.

(3) Lenstra's Elliptic Curve Method (ECM), which under plausible assumptions has expected running time

$$O\left(\exp\left(c\sqrt{\log p \log\log p}\right) \cdot (\log n)^2\right),$$

where $c \approx 2$ is a constant (depending on the details of the algorithm).

The term $O\left((\log n)^2\right)$ is for the cost of performing arithmetic operations on numbers which are $O(\log n)$ or $O\left((\log n)^2\right)$ bits long; the second can be theoretically replaced by $O\left((\log n)^{1+\epsilon}\right)$ for any $\epsilon > 0$.

Note that there is a quantum factoring algorithm, originally proposed by Shor, which can run in polynomial time $O\left((\log n)^{2+\epsilon}\right)$. However, this quantum algorithm must be run on a quantum computer, which is not available at present.

In practice, algorithms in both categories are important.
It is sometimes very difficult to say whether one method is better than another, but it is generally worth attempting to find small factors with algorithms in the second class before using the algorithms in the first class. That is, we could first try the trial division algorithm, then use some other method such as NFS. This fact shows that the trial division method is still useful for integer factorization, even though it is simple. In this chapter we shall introduce some of the most useful and widely used factoring algorithms.

It is interesting to note that integer factorization is related to many other number theoretic problems, that is, if we can find an algorithm for integer factorization, then with some modifications, this algorithm can always be used for some other problems, such as the discrete logarithms, the quadratic residuosity problem and the square root problem, etc. So, in this chapter, we shall also introduce some of the algorithms for these problems.

Problems for Section 3.1

Problem 3.1.1. Explain why general purpose factoring algorithms are slower than special purpose factoring algorithms, or why the special numbers are easier to factor than general numbers.

Problem 3.1.2. Show that addition of two $\log n$ bit integers can be performed in $O(\log n)$ bit operations.

Problem 3.1.3. Show that multiplication of two $\log n$ bit integers can be performed in $O\left((\log n)^2\right)$ bit operations.

Problem 3.1.4. Show that there is an algorithm which can multiply two $\log n$ bit integers in

$$O(\log n \log\log n \log\log\log n) = O\left((\log n)^{1+\epsilon}\right)$$

bit operations.

Problem 3.1.5. Estimate the bit operations for computing $n!$.

3.2 Simple Factoring Methods

The simplest factoring algorithm is the trial division method, which tries all the possible divisors of $n$ to obtain its complete prime factorization:

$$n = p_1 p_2 \cdots p_t, \qquad p_1 \le p_2 \le \cdots \le p_t. \tag{3.2}$$

The following is the algorithm:

Algorithm 3.2.1 (Factoring by trial divisions).
This algorithm tries to factor an integer $n > 1$ using trial divisions by all the possible divisors of $n$.

[1] Input $n$ and set $t \leftarrow 0$, $k \leftarrow 2$.
[2] If $n = 1$, then go to Step [5].
[3] $q \leftarrow n/k$ and $r \leftarrow n \pmod{k}$. If $r \ne 0$, go to Step [4]. $t \leftarrow t + 1$, $p_t \leftarrow k$, $n \leftarrow q$, go to Step [2].
[4] If $q > k$, then $k \leftarrow k + 1$, and go to Step [3]. $t \leftarrow t + 1$; $p_t \leftarrow n$.
[5] Exit: terminate the algorithm.

Exercise 3.2.1. Use Algorithm 3.2.1 to factor $n = 2759$.

An immediate improvement of Algorithm 3.2.1 is to make use of an auxiliary sequence of trial divisors:

$$2 = d_0 < d_1 < d_2 < d_3 < \cdots \tag{3.3}$$

which includes all primes $\le \sqrt{n}$ (possibly some composites as well if it is convenient to do so) and at least one value $d_k \ge \sqrt{n}$. The algorithm can be described as follows:

Algorithm 3.2.2 (Factoring by Trial Division). This algorithm tries to factor an integer $n > 1$ using trial divisions by an auxiliary sequence of trial divisors.

[1] Input $n$ and set $t \leftarrow 0$, $k \leftarrow 0$.
[2] If $n = 1$, then go to Step [5].
[3] $q \leftarrow n/d_k$ and $r \leftarrow n \pmod{d_k}$. If $r \ne 0$, go to Step [4]. $t \leftarrow t + 1$, $p_t \leftarrow d_k$, $n \leftarrow q$, go to Step [2].
[4] If $q > d_k$, then $k \leftarrow k + 1$, and go to Step [3]. $t \leftarrow t + 1$; $p_t \leftarrow n$.
[5] Exit: terminate the algorithm.

Exercise 3.2.2. Use Algorithm 3.2.2 to factor $n = 2759$; assume that we have the list $L$ of all primes $\le \lfloor\sqrt{2759}\rfloor = 52$ and at least one $\ge \sqrt{n}$, that is, $L = \{2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53\}$.

Theorem 3.2.1. Algorithm 3.2.2 requires a running time in

$$O\left(\max\left(p_{t-1}, \sqrt{p_t}\right)\right).$$

If a primality test between steps [2] and [3] were inserted, the running time would then be in $O(p_{t-1})$, or $O\left(\dfrac{p_{t-1}}{\ln p_{t-1}}\right)$ if one does trial division only by primes, where $p_{t-1}$ is the second largest prime factor of $n$.

The trial division test is very useful for removing small factors, but it should not be used for factoring completely, except when $n$ is very small, say, for example, $n < 10^8$.
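The following Python code is an added example, not taken from the book. It implements Algorithm 3.2.2 with the divisor sequence 2, 3, 6m − 1, 6m + 1 (every prime plus some composites such as 25) and a cut-off, so that it strips small factors and hands back the unfactored cofactor; the function names, the `bound` parameter and the sample integers are assumptions of this example.

```python
from itertools import count


def trial_divisors():
    """Auxiliary sequence d_0 < d_1 < ...: 2, 3, then 6m-1 and 6m+1.

    It contains every prime, plus composites such as 25 and 35, which
    can never divide n because their prime factors were removed earlier.
    """
    yield 2
    yield 3
    for m in count(1):
        yield 6 * m - 1
        yield 6 * m + 1


def strip_small_factors(n, bound):
    """Trial division by the sequence above, up to `bound` (hypothetical name).

    Returns (primes_found, cofactor). cofactor == 1 means n is completely
    factored; otherwise the cofactor has no prime factor <= bound and must
    be passed to another method.
    """
    if n < 2:
        raise ValueError("n must be an integer > 1")
    factors = []
    for d in trial_divisors():
        if d * d > n or d > bound:
            break
        while n % d == 0:          # Step [3]: record d and continue with q
            factors.append(d)
            n //= d
    if n > 1 and d * d > n:        # Step [4]: nothing <= sqrt(n) divides n
        factors.append(n)          # so the remainder is prime
        n = 1
    return factors, n


if __name__ == "__main__":
    # Constructed inputs: 2^3 * 3 * 7^2 * 1000003 and 2 * 3 * 10007 * 10009.
    print(strip_small_factors(1176003528, 1000))
    print(strip_small_factors(600960378, 100))
```

The second input leaves the cofactor 100160063 untouched, which is the case where a method from the first class (or another special purpose method) takes over.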
Now suppose $n$ is any odd integer (if $n$ were even we could repeatedly divide by 2 until an odd integer is obtained). If $n = pq$, where $p \le q$ are both odd, then by setting $x = \frac{1}{2}(p + q)$ and $y = \frac{1}{2}(q - p)$ we find that $n = x^2 - y^2 = (x + y)(x - y)$, or $y^2 = x^2 - n$. The following algorithm tries to find $n = pq$ using the above idea.

Algorithm 3.2.3 (Fermat's factoring algorithm). Given an odd integer $n > 1$, then this algorithm determines the largest factor $\le \sqrt{n}$ of $n$.

[1] Input $n$ and set $k \leftarrow \lfloor\sqrt{n}\rfloor + 1$, $y \leftarrow k \cdot k - n$, $d \leftarrow 1$
[2] If $\lfloor\sqrt{y}\rfloor = \sqrt{y}$ go to Step [4] else $y \leftarrow y + 2k + d$ and $d \leftarrow d + 2$
[3] If $\lfloor\sqrt{y}\rfloor < n/2$ go to Step [2] else print "No Factor Found" and go to Step [5]
[4] $x \leftarrow \sqrt{n + y}$, $y \leftarrow \sqrt{y}$, print $x - y$ and $x + y$, the nontrivial factors of $n$
[5] Exit: terminate the algorithm.
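The following Python code is an added example, not taken from the book. It follows Algorithm 3.2.3 but replaces the termination test of Step [3] with a step cap, and reports how many increments of $k$ were needed, which shows why a modulus whose two prime factors are close together is weak while one with far-apart factors is out of reach for this method; the function name, `max_steps` and the sample integers are assumptions of this example.

```python
from math import isqrt


def fermat_factor(n, max_steps=1_000_000):
    """Search k = floor(sqrt(n)) + 1, k + 1, ... for k^2 - n a perfect square.

    Returns (x - y, x + y, steps) with n = (x - y)(x + y), or None when no
    nontrivial factorization is found within max_steps (hypothetical cap).
    """
    if n < 3 or n % 2 == 0:
        raise ValueError("n must be an odd integer > 1")
    r = isqrt(n)
    if r * r == n:                 # perfect square: handled separately here
        return (r, r, 0)
    k = r + 1                      # Step [1]
    y = k * k - n
    d = 1
    for steps in range(max_steps + 1):
        s = isqrt(y)
        if s * s == y:             # Step [2]: y is a perfect square
            x = isqrt(n + y)       # Step [4]: x^2 = n + y exactly
            if x - s == 1:         # only 1 * n was found, so n is prime
                return None
            return (x - s, x + s, steps)
        y += 2 * k + d             # next value (k + steps + 1)^2 - n
        d += 2
    return None


if __name__ == "__main__":
    # Constructed inputs: 10007 * 10009 (close primes) and 3 * 1000003.
    print(fermat_factor(100160063))              # found immediately
    print(fermat_factor(3000009, max_steps=1000))  # cap reached
    print(fermat_factor(3000009))                # needs about 5 * 10^5 steps
```

The number of steps is $\frac{1}{2}(p + q) - \lfloor\sqrt{n}\rfloor - 1$, so the cost is governed by the gap between the two factors rather than by the size of $n$.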