Dixon's random squares method - PowerPoint PPT Presentation



SLIDE 1

Dixon’s random squares method

◮ Last time we discussed Dixon's random squares method to factorize a large integer $N$. The core is to find random squares $a_1, \ldots, a_m$ such that $a_i^2 \equiv r_i \pmod N$, where the $r_i$ are $k$-smooth for some small $k$, i.e. all prime divisors of $r_i$ are $\le k$.
◮ One then expects a high probability of finding some product $r_1 \cdots r_s = b^2$ that is a square. In that case we have $(a_1 \cdots a_s)^2 \equiv r_1 \cdots r_s = b^2 \pmod N$, so $N \mid (a_1 \cdots a_s + b)(a_1 \cdots a_s - b)$, and it is hoped that $\gcd(N, a_1 \cdots a_s + b)$ will be a proper divisor of $N$.
◮ For example, when $N = 217$, we have $15^2 \equiv 8 \pmod{217}$ and $17^2 \equiv 72 \pmod{217}$. Both 8 and 72 are 3-smooth. One sees that $8 \times 72 = 24^2$ is a square, so we have $(15 \times 17)^2 \equiv 8 \times 72 = 24^2 \pmod{217}$, so $217 \mid (15 \times 17 + 24)(15 \times 17 - 24)$. And indeed $\gcd(217, 15 \times 17 + 24) = 31$ is a factor of $N$.

SLIDE 2

Products to be squares

◮ Now comes the question: suppose we have a bunch of $r_1, r_2, \ldots, r_m$ that are all $k$-smooth, i.e. having only prime factors among $p_1, \ldots, p_n \le k$. We can write
$$r_1 = p_1^{e_{11}} p_2^{e_{12}} \cdots p_n^{e_{1n}}$$
$$r_2 = p_1^{e_{21}} p_2^{e_{22}} \cdots p_n^{e_{2n}}$$
$$\vdots$$
$$r_m = p_1^{e_{m1}} p_2^{e_{m2}} \cdots p_n^{e_{mn}}$$
◮ Alright, so how do we find a product of a subset of them that is a square?
◮ One easily sees that it depends on the quantities $e_{ij}$ for $1 \le i \le m$, $1 \le j \le n$.
◮ The key observation, nevertheless, is that this depends only on the parity of $e_{ij}$, i.e. $e_{ij} \bmod 2$!

SLIDE 3

Products to be squares, II

$$r_1 = p_1^{e_{11}} p_2^{e_{12}} \cdots p_n^{e_{1n}}$$
$$r_2 = p_1^{e_{21}} p_2^{e_{22}} \cdots p_n^{e_{2n}}$$
$$\vdots$$
$$r_m = p_1^{e_{m1}} p_2^{e_{m2}} \cdots p_n^{e_{mn}}$$

◮ Suppose we want to check whether a subset $S$ of $r_1, \ldots, r_m$ has a product that is a square. Let us define a function $f_S : \{1, 2, \ldots, m\} \to \{0, 1\}$ by $f_S(i) = 1$ if $r_i$ is chosen (i.e. $r_i \in S$) and $f_S(i) = 0$ if $r_i \notin S$.
◮ Then what is the product of all $r_i \in S$? It can be expressed as
$$\prod_{i=1}^{m} r_i^{f_S(i)} = \prod_{i=1}^{m} \left( \prod_{j=1}^{n} p_j^{e_{ij}} \right)^{f_S(i)} = \prod_{i=1}^{m} \prod_{j=1}^{n} p_j^{e_{ij} f_S(i)} = \prod_{j=1}^{n} \prod_{i=1}^{m} p_j^{e_{ij} f_S(i)} = \prod_{j=1}^{n} p_j^{\sum_{i=1}^{m} e_{ij} f_S(i)}$$
◮ When is such a product a square? Well, something like $2^a 3^b 5^c$ is a square iff $a, b, c$ are all even. Likewise, the above is a square if
$$\sum_{i=1}^{m} e_{ij} f_S(i) \text{ is even, for every } j = 1, 2, \ldots, n.$$

SLIDE 4

Linear algebra

◮ So our situation is: given integers $e_{ij} \in \mathbb{Z}_{\ge 0}$, we want to find $f_S(i)$ (let's just abbreviate it as $f_i$), which can be 0 or 1, such that
$$\sum_{i=1}^{m} e_{ij} f_i \equiv 0 \pmod 2, \quad \text{for every } j = 1, 2, \ldots, n.$$
◮ In other words, the problem becomes finding solutions to a system of linear congruence equations mod 2, with constants $e_{ij}$ and variables $f_i$.
◮ The condition that $f_i \in \{0, 1\}$ is no longer a problem at all, since mod 2 we only have two elements, represented by 0 and 1, anyway.
◮ So how do we solve a system of linear congruence equations?
◮ High school situation:
$$3f + 2g = 7$$
$$6f + 5g = 16$$

SLIDE 5

Linear algebra mod 2

$$3f + 2g = 7$$
$$6f + 5g = 16$$

◮ We typically subtract a multiple of one equation from another so that some variable is killed (in the difference). For example, it looks tempting to subtract twice the first equation from the second.
◮ In other words, we look at the coefficients of $f$: they are 3 and 6. We subtract $6/3$ times the first equation to cancel the $f$-part of the second.
◮ How do we do this mod 2? In fact, we can do the same mod $p$, because $\mathbb{F}_p$ is a field! We can divide things just like in the rational or real numbers. And thus all those procedures for solving linear systems work the same mod $p$.
◮ When $p = 2$, it's even better because ... division in $\mathbb{F}_2$ is extremely simple. The only possible divisor (the non-zero element) is 1, and dividing by it does nothing.

SLIDE 6

Linear algebra mod 2, II

◮ Let us look at an example: suppose we have $r_1 = 30$, $r_2 = 60$, $r_3 = 10$ and $r_4 = 24$. We rewrite
$$r_1 = 2^1 \cdot 3^1 \cdot 5^1, \quad r_2 = 2^2 \cdot 3^1 \cdot 5^1, \quad r_3 = 2^1 \cdot 3^0 \cdot 5^1, \quad r_4 = 2^3 \cdot 3^1 \cdot 5^0$$
◮ To find $r_1^{f_1} \cdots r_4^{f_4}$ that is a square, that is to solve
$$f_1 + 2f_2 + f_3 + 3f_4 \equiv 0 \pmod 2$$
$$f_1 + f_2 + f_4 \equiv 0 \pmod 2$$
$$f_1 + f_2 + f_3 \equiv 0 \pmod 2$$
◮ For those of you familiar with matrices, we are looking at
$$\begin{pmatrix} 1 & 1 & 1 \\ 2 & 1 & 1 \\ 1 & 0 & 1 \\ 3 & 1 & 0 \end{pmatrix}^{\mathsf{T}} = \begin{pmatrix} 1 & 2 & 1 & 3 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix},$$
solving
$$\begin{pmatrix} 1 & 2 & 1 & 3 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix} \begin{pmatrix} f_1 \\ f_2 \\ f_3 \\ f_4 \end{pmatrix} \equiv 0 \pmod 2$$

SLIDE 7

Linear algebra mod 2, III

$$f_1 + 2f_2 + f_3 + 3f_4 \equiv 0 \pmod 2$$
$$f_1 + f_2 + f_4 \equiv 0 \pmod 2$$
$$f_1 + f_2 + f_3 \equiv 0 \pmod 2$$

◮ Working mod 2, we can rewrite it as
$$f_1 + f_3 + f_4 \equiv 0 \pmod 2$$
$$f_1 + f_2 + f_4 \equiv 0 \pmod 2$$
$$f_1 + f_2 + f_3 \equiv 0 \pmod 2$$
◮ Now suppose we want to cancel the coefficients of $f_1$; we can subtract the first equation from the second and third. Noting that $1 - 1 = 0$ and $0 - 1 \equiv 1 \pmod 2$, we have
$$f_1 + f_3 + f_4 \equiv 0 \pmod 2$$
$$f_2 + f_3 \equiv 0 \pmod 2$$
$$f_2 + f_4 \equiv 0 \pmod 2$$
◮ Analogously, subtracting the second from the third, we have
$$f_1 + f_3 + f_4 \equiv 0 \pmod 2$$
$$f_2 + f_3 \equiv 0 \pmod 2$$
$$f_3 + f_4 \equiv 0 \pmod 2$$

SLIDE 8

Linear algebra mod 2, IV

$$f_1 + f_3 + f_4 \equiv 0 \pmod 2$$
$$f_2 + f_3 \equiv 0 \pmod 2$$
$$f_3 + f_4 \equiv 0 \pmod 2$$

◮ Now we can plug in values: say $f_4 = 1$. Then $f_3 \equiv 1$ by the third equation. And then $f_2 \equiv 1$ by the second equation, and finally $f_1 \equiv 0$ by the first.
◮ Hence for our original $r_1 = 30$, $r_2 = 60$, $r_3 = 10$ and $r_4 = 24$, we conclude that the product of the last three (excluding $r_1$) is a square.
◮ Indeed, $60 \times 10 \times 24 = 2^6 \cdot 3^2 \cdot 5^2$ is a square.
◮ In the scenario above, the leading variables in each equation ($f_1$, $f_2$ and $f_3$) are called pivot variables.
◮ They are such that each pivot variable does not appear in later equations.
◮ The remaining non-pivot variables can be assigned values arbitrarily, after which each equation imposes a unique value on its pivot variable, thereby solving the system.
◮ The same works over any field, in particular $\mathbb{F}_p$, just that you need to compute things like $6/3$ when canceling equations.
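As an added worked example (not part of the slides), the Python below carries the whole procedure through end to end: it builds the exponent vectors $e_{ij}$ over a factor base, solves $\sum_i e_{ij} f_i \equiv 0 \pmod 2$ by elimination over $\mathbb{F}_2$ with pivot and free variables, and then combines the resulting square into a factor, using both the $r_i = 30, 60, 10, 24$ example and the $N = 217$ example from the first slide. All function names are my own, and the elimination fully reduces each pivot column so that reading off a pivot variable is a single step rather than the slides' back-substitution.

```python
from math import gcd, prod

def exponent_vector(r, primes):
    """Exponents e_ij of r over the factor base primes; None if r is not smooth."""
    vec = []
    for p in primes:
        e = 0
        while r % p == 0:
            r //= p
            e += 1
        vec.append(e)
    return vec if r == 1 else None

def square_subsets(exp_vectors):
    """Solve sum_i e_ij f_i = 0 (mod 2) by elimination over F_2: rows are the n
    primes, columns the m unknowns f_i; each free variable yields one square."""
    m, n = len(exp_vectors), len(exp_vectors[0])
    rows = [[exp_vectors[i][j] % 2 for i in range(m)] for j in range(n)]
    pivots, r = {}, 0                    # pivot column -> the row it leads
    for c in range(m):
        p = next((k for k in range(r, n) if rows[k][c]), None)
        if p is None:
            continue                     # no pivot here: f_c is a free variable
        rows[r], rows[p] = rows[p], rows[r]
        for k in range(n):               # clear column c in every other row
            if k != r and rows[k][c]:
                rows[k] = [(x + y) % 2 for x, y in zip(rows[k], rows[r])]
        pivots[c], r = r, r + 1
    free = [c for c in range(m) if c not in pivots]
    subsets = []
    for fv in free:                      # set one free variable to 1, the rest to 0
        f = [1 if c == fv else 0 for c in range(m)]
        for c, k in pivots.items():      # row k then fixes its pivot variable f_c
            f[c] = rows[k][fv]
        subsets.append([i for i in range(m) if f[i]])
    return subsets

def dixon_factor(N, relations, primes):
    """Combine relations a_i^2 = r_i (mod N) into a proper divisor of N, or None."""
    vecs = [exponent_vector(r, primes) for _, r in relations]
    if any(v is None for v in vecs):
        raise ValueError("every r_i must be smooth over the factor base")
    for subset in square_subsets(vecs):
        a = prod(relations[i][0] for i in subset) % N
        b = prod(pow(p, sum(vecs[i][j] for i in subset) // 2, N)  # sqrt of chosen r_i
                 for j, p in enumerate(primes)) % N
        for d in (gcd(N, a + b), gcd(N, a - b)):
            if 1 < d < N:
                return d
    return None
```

With the constructed inputs from the slides, `square_subsets([[1,1,1],[2,1,1],[1,0,1],[3,1,0]])` selects $r_2, r_3, r_4$ and `dixon_factor(217, [(15, 8), (17, 72)], [2, 3])` returns 31.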