Public-key cryptography Q sieve Daniel J. Bernstein Sieving small - - PowerPoint PPT Presentation

1

Public-key cryptography Daniel J. Bernstein Tanja Lange Part II: Factorization 15 August 2017 Sage scripts for some algorithms, joint work with Heninger: facthacks.cr.yp.to

2

Q sieve Sieving small integers i > 0 using primes 2; 3; 5; 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5

etc.

1

Public-key cryptography Daniel J. Bernstein Tanja Lange Part II: Factorization 15 August 2017 Sage scripts for some algorithms, joint work with Heninger: facthacks.cr.yp.to

2

Q sieve Sieving i and 611 + i for small i using primes 2; 3; 5; 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc.

1

Public-key cryptography

• J. Bernstein

Lange I: rization August 2017 scripts for some algorithms,

• rk with Heninger:

facthacks.cr.yp.to

2

Q sieve Sieving i and 611 + i for small i using primes 2; 3; 5; 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc. Have complet the “congruences” for some 14 · 625 64 · 675 75 · 686 14 · 64 · 75 = 283458 gcd ˘ 611 = 47. 611 = 47

1

cryptography Bernstein some algorithms, Heninger: facthacks.cr.yp.to

2

Q sieve Sieving i and 611 + i for small i using primes 2; 3; 5; 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc. Have complete facto the “congruences” for some i’s. 14 · 625 = 2130547 64 · 675 = 2633527 75 · 686 = 2131527 14 · 64 · 75 · 625 · 675 = 28345874 = (243 gcd ˘ 611; 14 · 64 · 75 = 47. 611 = 47 · 13.

1

rithms,

2

Q sieve Sieving i and 611 + i for small i using primes 2; 3; 5; 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc. Have complete factorization the “congruences” i(611 + i for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325 = 47. 611 = 47 · 13.

2

Q sieve Sieving i and 611 + i for small i using primes 2; 3; 5; 7:

1 2 2 3 3 4 2 2 5 5 6 2 3 7 7 8 2 2 2 9 3 3 10 2 5 11 12 2 2 3 13 14 2 7 15 3 5 16 2 2 2 2 17 18 2 3 3 19 20 2 2 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631

etc.

3

Have complete factorization of the “congruences” i(611 + i) for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325472¯ = 47. 611 = 47 · 13.

2

sieve Sieving i and 611 + i for small i primes 2; 3; 5; 7:

3 5 3 7 3 3 5 3 7 3 5 3 3 5 612 2 2 3 3 613 614 2 615 3 5 616 2 2 2 7 617 618 2 3 619 620 2 2 5 621 3 3 3 622 2 623 7 624 2 2 2 2 3 625 5 5 5 5 626 2 627 3 628 2 2 629 630 2 3 3 5 7 631 3

Have complete factorization of the “congruences” i(611 + i) for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325472¯ = 47. 611 = 47 · 13. Why did Was it just gcd{611;

2

611 + i for small i ; 5; 7:

2 2 3 3 2 3 5 2 2 2 7 2 3 2 2 5 3 3 3 2 7 2 2 2 2 3 5 5 5 5 2 3 2 2 2 3 3 5 7 3

Have complete factorization of the “congruences” i(611 + i) for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325472¯ = 47. 611 = 47 · 13. Why did this find a Was it just blind luck: gcd{611; random}

2

small i

5 7 5 7 5 5 5 5 5 7 3

Have complete factorization of the “congruences” i(611 + i) for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325472¯ = 47. 611 = 47 · 13. Why did this find a factor of Was it just blind luck: gcd{611; random} = 47?

3

Have complete factorization of the “congruences” i(611 + i) for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325472¯ = 47. 611 = 47 · 13.

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47?

3

Have complete factorization of the “congruences” i(611 + i) for some i’s. 14 · 625 = 21305471. 64 · 675 = 26335270. 75 · 686 = 21315273. 14 · 64 · 75 · 625 · 675 · 686 = 28345874 = (24325472)2. gcd ˘ 611; 14 · 64 · 75 − 24325472¯ = 47. 611 = 47 · 13.

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t.

3

complete factorization of “congruences” i(611 + i)

• me i’s.

625 = 21305471. 675 = 26335270. 686 = 21315273. · 75 · 625 · 675 · 686 5874 = (24325472)2. 611; 14 · 64 · 75 − 24325472¯ 47 · 13.

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t. Why did completely have squa Was it just

3

factorization of “congruences” i(611 + i)

471. 270. 273.

· 675 · 686 (24325472)2. · 75 − 24325472¯

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t. Why did the first three completely factored have square product? Was it just blind luck?

3

rization of i) .

25472¯

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t. Why did the first three completely factored congruences have square product? Was it just blind luck?

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1; 0; 4; 1); (6; 3; 2; 0); (1; 1; 2; 3) happened to have sum 0 mod 2.

4

Why did this find a factor of 611? Was it just blind luck: gcd{611; random} = 47? No. By construction 611 divides s2−t2 where s = 14 · 64 · 75 and t = 24325472. So each prime > 7 dividing 611 divides either s − t or s + t. Not terribly surprising (but not guaranteed in advance!) that one prime divided s − t and the other divided s + t.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1; 0; 4; 1); (6; 3; 2; 0); (1; 1; 2; 3) happened to have sum 0 mod 2. But we didn’t need this luck! Given long sequence of vectors, easily find nonempty subsequence with sum 0 mod 2.

4

did this find a factor of 611? just blind luck: 611; random} = 47? construction 611 divides s2−t2 s = 14 · 64 · 75 = 24325472. each prime > 7 dividing 611 either s − t or s + t. terribly surprising not guaranteed in advance!)

• ne prime divided s − t

the other divided s + t.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1; 0; 4; 1); (6; 3; 2; 0); (1; 1; 2; 3) happened to have sum 0 mod 2. But we didn’t need this luck! Given long sequence of vectors, easily find nonempty subsequence with sum 0 mod 2. This is linea Guaranteed if number exceeds length e.g. for n 1(n + 4(n + 15(n + 15) 49(n + 49) 64(n + 64) F2-kernel gen by (0 e.g., 1(n is a squa

4

find a factor of 611? luck: } = 47? 611 divides s2−t2 64 · 75

2.

7 dividing 611 − t or s + t. rising ranteed in advance!) divided s − t divided s + t.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1; 0; 4; 1); (6; 3; 2; 0); (1; 1; 2; 3) happened to have sum 0 mod 2. But we didn’t need this luck! Given long sequence of vectors, easily find nonempty subsequence with sum 0 mod 2. This is linear algeb Guaranteed to find if number of vecto exceeds length of each e.g. for n = 671: 1(n + 1) = 2531 4(n + 4) = 2233 15(n + 15) = 2131 49(n + 49) = 2432 64(n + 64) = 2631 F2-kernel of exponent gen by (0 1 0 1 1) e.g., 1(n +1)15(n is a square.

4

• f 611?

divides s2−t2 dividing 611 t. advance!) t t.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1; 0; 4; 1); (6; 3; 2; 0); (1; 1; 2; 3) happened to have sum 0 mod 2. But we didn’t need this luck! Given long sequence of vectors, easily find nonempty subsequence with sum 0 mod 2. This is linear algebra over F2 Guaranteed to find subsequence if number of vectors exceeds length of each vecto e.g. for n = 671: 1(n + 1) = 25315071; 4(n + 4) = 22335270; 15(n + 15) = 21315173; 49(n + 49) = 24325172; 64(n + 64) = 26315172. F2-kernel of exponent matrix gen by (0 1 0 1 1) and (1 0 1 e.g., 1(n +1)15(n +15)49(n is a square.

5

Why did the first three completely factored congruences have square product? Was it just blind luck?

• Yes. The exponent vectors

(1; 0; 4; 1); (6; 3; 2; 0); (1; 1; 2; 3) happened to have sum 0 mod 2. But we didn’t need this luck! Given long sequence of vectors, easily find nonempty subsequence with sum 0 mod 2.

6

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for n = 671: 1(n + 1) = 25315071; 4(n + 4) = 22335270; 15(n + 15) = 21315173; 49(n + 49) = 24325172; 64(n + 64) = 26315172. F2-kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1(n +1)15(n +15)49(n +49) is a square.

5

did the first three completely factored congruences square product? just blind luck? The exponent vectors ; 1); (6; 3; 2; 0); (1; 1; 2; 3) ened to have sum 0 mod 2. e didn’t need this luck! long sequence of vectors, find nonempty subsequence sum 0 mod 2.

6

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for n = 671: 1(n + 1) = 25315071; 4(n + 4) = 22335270; 15(n + 15) = 21315173; 49(n + 49) = 24325172; 64(n + 64) = 26315172. F2-kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1(n +1)15(n +15)49(n +49) is a square. Plausible separate

• f any n

Given n Try to completely for i ∈ ˘ into products Look for with i(n and with Compute s = Q

i∈I

i

5

first three red congruences duct? luck?

• nent vectors

2; 0); (1; 1; 2; 3) have sum 0 mod 2. need this luck! sequence of vectors, nonempty subsequence 2.

6

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for n = 671: 1(n + 1) = 25315071; 4(n + 4) = 22335270; 15(n + 15) = 21315173; 49(n + 49) = 24325172; 64(n + 64) = 26315172. F2-kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1(n +1)15(n +15)49(n +49) is a square. Plausible conjecture: separate the odd p

• f any n, not just

Given n and parameter Try to completely for i ∈ ˘ 1; 2; 3; : : : into products of primes Look for nonempty with i(n + i) completely and with Q

i∈I

i(n + Compute gcd{n; s s = Q

i∈I

i and t = r

5

congruences rs ; 2; 3) mod 2. luck! vectors, subsequence

6

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for n = 671: 1(n + 1) = 25315071; 4(n + 4) = 22335270; 15(n + 15) = 21315173; 49(n + 49) = 24325172; 64(n + 64) = 26315172. F2-kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1(n +1)15(n +15)49(n +49) is a square. Plausible conjecture: Q sieve separate the odd prime diviso

• f any n, not just 611.

Given n and parameter y: Try to completely factor i(n for i ∈ ˘ 1; 2; 3; : : : ; y2¯ into products of primes ≤y. Look for nonempty set I of i with i(n + i) completely facto and with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where s = Q

i∈I

i and t = r Q

i∈I

i(n +

6

This is linear algebra over F2. Guaranteed to find subsequence if number of vectors exceeds length of each vector. e.g. for n = 671: 1(n + 1) = 25315071; 4(n + 4) = 22335270; 15(n + 15) = 21315173; 49(n + 49) = 24325172; 64(n + 64) = 26315172. F2-kernel of exponent matrix is gen by (0 1 0 1 1) and (1 0 1 1 0); e.g., 1(n +1)15(n +15)49(n +49) is a square.

7

Plausible conjecture: Q sieve can separate the odd prime divisors

• f any n, not just 611.

Given n and parameter y: Try to completely factor i(n + i) for i ∈ ˘ 1; 2; 3; : : : ; y2¯ into products of primes ≤y. Look for nonempty set I of i’s with i(n + i) completely factored and with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where s = Q

i∈I

i and t = r Q

i∈I

i(n + i).

6

linear algebra over F2. ranteed to find subsequence number of vectors exceeds length of each vector. r n = 671: 1) = 25315071; 4) = 22335270; 15) = 21315173; 49) = 24325172; 64) = 26315172. ernel of exponent matrix is (0 1 0 1 1) and (1 0 1 1 0); 1(n +1)15(n +15)49(n +49) square.

7

Plausible conjecture: Q sieve can separate the odd prime divisors

• f any n, not just 611.

Given n and parameter y: Try to completely factor i(n + i) for i ∈ ˘ 1; 2; 3; : : : ; y2¯ into products of primes ≤y. Look for nonempty set I of i’s with i(n + i) completely factored and with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where s = Q

i∈I

i and t = r Q

i∈I

i(n + i). How large for this to Uniform has n 1=u roughly u Plausible Q sieve succe with y = for all n here o(1)

6

algebra over F2. find subsequence vectors

• f each vector.

671: 315071; 335270; 315173; 325172; 315172.

• nent matrix is

1) and (1 0 1 1 0); n +15)49(n +49)

7

Plausible conjecture: Q sieve can separate the odd prime divisors

• f any n, not just 611.

Given n and parameter y: Try to completely factor i(n + i) for i ∈ ˘ 1; 2; 3; : : : ; y2¯ into products of primes ≤y. Look for nonempty set I of i’s with i(n + i) completely factored and with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where s = Q

i∈I

i and t = r Q

i∈I

i(n + i). How large does y have for this to find a squa Uniform random integer has n 1=u-smoothness roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1)) here o(1) is as u →

6

F2. subsequence vector. matrix is 0 1 1 0); 15)49(n +49)

7

Plausible conjecture: Q sieve can separate the odd prime divisors

• f any n, not just 611.

Given n and parameter y: Try to completely factor i(n + i) for i ∈ ˘ 1; 2; 3; : : : ; y2¯ into products of primes ≤y. Look for nonempty set I of i’s with i(n + i) completely factored and with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where s = Q

i∈I

i and t = r Q

i∈I

i(n + i). How large does y have to be for this to find a square? Uniform random integer in [1 has n 1=u-smoothness chance roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1))u2; here o(1) is as u → ∞.

7

Plausible conjecture: Q sieve can separate the odd prime divisors

• f any n, not just 611.

Given n and parameter y: Try to completely factor i(n + i) for i ∈ ˘ 1; 2; 3; : : : ; y2¯ into products of primes ≤y. Look for nonempty set I of i’s with i(n + i) completely factored and with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where s = Q

i∈I

i and t = r Q

i∈I

i(n + i).

8

How large does y have to be for this to find a square? Uniform random integer in [1; n] has n 1=u-smoothness chance roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1))u2; here o(1) is as u → ∞.

7

Plausible conjecture: Q sieve can rate the odd prime divisors n, not just 611. n and parameter y: completely factor i(n + i) ˘ 1; 2; 3; : : : ; y2¯ roducts of primes ≤y. for nonempty set I of i’s (n + i) completely factored with Q

i∈I

i(n + i) square. Compute gcd{n; s − t} where i and t = r Q

i∈I

i(n + i).

8

How large does y have to be for this to find a square? Uniform random integer in [1; n] has n 1=u-smoothness chance roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1))u2; here o(1) is as u → ∞. More generally exp q` 1

2

conjectured is 1=yc+o Find enough by changing replace y exp r“ ( Increasing increases reduces linea So linear when y is

7

conjecture: Q sieve can prime divisors just 611. rameter y: completely factor i(n + i) : : ; y2¯ primes ≤y. mpty set I of i’s completely factored + i) square. n; s − t} where r Q

i∈I

i(n + i).

8

How large does y have to be for this to find a square? Uniform random integer in [1; n] has n 1=u-smoothness chance roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1))u2; here o(1) is as u → ∞. More generally, if y exp q` 1

2c + o(1)

´ log conjectured y-smo is 1=yc+o(1). Find enough smooth by changing the range replace y2 with yc+1+ exp r“ (c+1)2+o(1)

2c

Increasing c past 1 increases number of reduces linear-algeb So linear algebra never when y is chosen p

7

sieve can divisors (n + i) y.

• f i’s

factored re. where + i).

8

How large does y have to be for this to find a square? Uniform random integer in [1; n] has n 1=u-smoothness chance roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1))u2; here o(1) is as u → ∞. More generally, if y ∈ exp q` 1

2c + o(1)

´ log n log log conjectured y-smoothness chance is 1=yc+o(1). Find enough smooth congruences by changing the range of i’s: replace y2 with yc+1+o(1) = exp r“ (c+1)2+o(1)

2c

” log n log Increasing c past 1 increases number of i’s but reduces linear-algebra cost. So linear algebra never domin when y is chosen properly.

8

How large does y have to be for this to find a square? Uniform random integer in [1; n] has n 1=u-smoothness chance roughly u−u. Plausible conjecture: Q sieve succeeds with y = ⌊n 1=u⌋ for all n ≥ u(1+o(1))u2; here o(1) is as u → ∞.

9

More generally, if y ∈ exp q` 1

2c + o(1)

´ log n log log n, conjectured y-smoothness chance is 1=yc+o(1). Find enough smooth congruences by changing the range of i’s: replace y2 with yc+1+o(1) = exp r“ (c+1)2+o(1)

2c

” log n log log n. Increasing c past 1 increases number of i’s but reduces linear-algebra cost. So linear algebra never dominates when y is chosen properly.

8

large does y have to be is to find a square? rm random integer in [1; n]

=u-smoothness chance

roughly u−u. Plausible conjecture: sieve succeeds = ⌊n 1=u⌋ n ≥ u(1+o(1))u2; (1) is as u → ∞.

9

More generally, if y ∈ exp q` 1

2c + o(1)

´ log n log log n, conjectured y-smoothness chance is 1=yc+o(1). Find enough smooth congruences by changing the range of i’s: replace y2 with yc+1+o(1) = exp r“ (c+1)2+o(1)

2c

” log n log log n. Increasing c past 1 increases number of i’s but reduces linear-algebra cost. So linear algebra never dominates when y is chosen properly. Improving Smoothness degrades Smaller fo Crude analysis: ≈ yn if i ≈ y2n if More careful n + i do i is alwa

• nly 30%

Can we select to avoid

8

y have to be square? integer in [1; n]

• thness chance

conjecture: eds ⌋

(1))u2;

→ ∞.

9

More generally, if y ∈ exp q` 1

2c + o(1)

´ log n log log n, conjectured y-smoothness chance is 1=yc+o(1). Find enough smooth congruences by changing the range of i’s: replace y2 with yc+1+o(1) = exp r“ (c+1)2+o(1)

2c

” log n log log n. Increasing c past 1 increases number of i’s but reduces linear-algebra cost. So linear algebra never dominates when y is chosen properly. Improving smoothness Smoothness chance degrades as i grows. Smaller for i ≈ y2 Crude analysis: i(n ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, i is always smooth

• nly 30% chance fo

Can we select congruences to avoid this degradation?

8

be [1; n] chance

9

More generally, if y ∈ exp q` 1

2c + o(1)

´ log n log log n, conjectured y-smoothness chance is 1=yc+o(1). Find enough smooth congruences by changing the range of i’s: replace y2 with yc+1+o(1) = exp r“ (c+1)2+o(1)

2c

” log n log log n. Increasing c past 1 increases number of i’s but reduces linear-algebra cost. So linear algebra never dominates when y is chosen properly. Improving smoothness chances Smoothness chance of i(n + degrades as i grows. Smaller for i ≈ y2 than for i Crude analysis: i(n + i) gro ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, but i is always smooth for i ≤ y

• nly 30% chance for i ≈ y2.

Can we select congruences to avoid this degradation?

9

More generally, if y ∈ exp q` 1

2c + o(1)

´ log n log log n, conjectured y-smoothness chance is 1=yc+o(1). Find enough smooth congruences by changing the range of i’s: replace y2 with yc+1+o(1) = exp r“ (c+1)2+o(1)

2c

” log n log log n. Increasing c past 1 increases number of i’s but reduces linear-algebra cost. So linear algebra never dominates when y is chosen properly.

10

Improving smoothness chances Smoothness chance of i(n + i) degrades as i grows. Smaller for i ≈ y2 than for i ≈ y. Crude analysis: i(n + i) grows. ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, but i is always smooth for i ≤ y,

• nly 30% chance for i ≈ y2.

Can we select congruences to avoid this degradation?

9

generally, if y ∈ ` 1

2c + o(1)

´ log n log log n, conjectured y-smoothness chance

+o(1).

enough smooth congruences changing the range of i’s: replace y2 with yc+1+o(1) = “ (c+1)2+o(1)

2c

” log n log log n. Increasing c past 1 increases number of i’s but reduces linear-algebra cost. linear algebra never dominates y is chosen properly.

10

Improving smoothness chances Smoothness chance of i(n + i) degrades as i grows. Smaller for i ≈ y2 than for i ≈ y. Crude analysis: i(n + i) grows. ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, but i is always smooth for i ≤ y,

• nly 30% chance for i ≈ y2.

Can we select congruences to avoid this degradation? Choose q Choose a arithmetic where q e.g. progression 2q − (n mo etc. Check smo generalized for i’s in e.g. check smooth fo Try many Rare for

9

if y ∈ (1) ´ log n log log n,

• smoothness chance

smooth congruences range of i’s: yc+1+o(1) =

(1)”

log n log log n. past 1 er of i’s but r-algebra cost. never dominates chosen properly.

10

Improving smoothness chances Smoothness chance of i(n + i) degrades as i grows. Smaller for i ≈ y2 than for i ≈ y. Crude analysis: i(n + i) grows. ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, but i is always smooth for i ≤ y,

• nly 30% chance for i ≈ y2.

Can we select congruences to avoid this degradation? Choose q, square of Choose a “q-sublattice” arithmetic progression where q divides each e.g. progression q 2q − (n mod q), 3q etc. Check smoothness generalized congruence for i’s in this sublattice. e.g. check whethe smooth for i = q − Try many large q’s. Rare for i’s to overlap.

9

log n, chance congruences ’s: = log log n. but cost.

• minates

.

10

Improving smoothness chances Smoothness chance of i(n + i) degrades as i grows. Smaller for i ≈ y2 than for i ≈ y. Crude analysis: i(n + i) grows. ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, but i is always smooth for i ≤ y,

• nly 30% chance for i ≈ y2.

Can we select congruences to avoid this degradation? Choose q, square of large prime. Choose a “q-sublattice” of i arithmetic progression of i’s where q divides each i(n + i e.g. progression q − (n mod 2q − (n mod q), 3q − (n mod etc. Check smoothness of generalized congruence i(n + for i’s in this sublattice. e.g. check whether i; (n +i) smooth for i = q − (n mod q Try many large q’s. Rare for i’s to overlap.

10

Improving smoothness chances Smoothness chance of i(n + i) degrades as i grows. Smaller for i ≈ y2 than for i ≈ y. Crude analysis: i(n + i) grows. ≈ yn if i ≈ y; ≈ y2n if i ≈ y2. More careful analysis: n + i doesn’t degrade, but i is always smooth for i ≤ y,

• nly 30% chance for i ≈ y2.

Can we select congruences to avoid this degradation?

11

Choose q, square of large prime. Choose a “q-sublattice” of i’s: arithmetic progression of i’s where q divides each i(n + i). e.g. progression q − (n mod q), 2q − (n mod q), 3q − (n mod q), etc. Check smoothness of generalized congruence i(n + i)=q for i’s in this sublattice. e.g. check whether i; (n +i)=q are smooth for i = q − (n mod q) etc. Try many large q’s. Rare for i’s to overlap.

10

roving smoothness chances

• thness chance of i(n + i)

degrades as i grows. Smaller for i ≈ y2 than for i ≈ y. analysis: i(n + i) grows. if i ≈ y; if i ≈ y2. careful analysis: doesn’t degrade, but ays smooth for i ≤ y, 30% chance for i ≈ y2. e select congruences avoid this degradation?

11

Choose q, square of large prime. Choose a “q-sublattice” of i’s: arithmetic progression of i’s where q divides each i(n + i). e.g. progression q − (n mod q), 2q − (n mod q), 3q − (n mod q), etc. Check smoothness of generalized congruence i(n + i)=q for i’s in this sublattice. e.g. check whether i; (n +i)=q are smooth for i = q − (n mod q) etc. Try many large q’s. Rare for i’s to overlap. e.g. n = Original i n 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972 i ∈ 802458 802458 1796467 2790476

10

• thness chances

chance of i(n + i) grows.

2 than for i ≈ y.

i(n + i) grows. . analysis: degrade, but

• th for i ≤ y,

chance for i ≈ y2. congruences degradation?

11

Choose q, square of large prime. Choose a “q-sublattice” of i’s: arithmetic progression of i’s where q divides each i(n + i). e.g. progression q − (n mod q), 2q − (n mod q), 3q − (n mod q), etc. Check smoothness of generalized congruence i(n + i)=q for i’s in this sublattice. e.g. check whether i; (n +i)=q are smooth for i = q − (n mod q) etc. Try many large q’s. Rare for i’s to overlap. e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009 i (n + 802458 316052737309 1796467 316052737310 2790476 316052737311

10

chances + i) r i ≈ y. grows. but y,

2.

11

Choose q, square of large prime. Choose a “q-sublattice” of i’s: arithmetic progression of i’s where q divides each i(n + i). e.g. progression q − (n mod q), 2q − (n mod q), 3q − (n mod q), etc. Check smoothness of generalized congruence i(n + i)=q for i’s in this sublattice. e.g. check whether i; (n +i)=q are smooth for i = q − (n mod q) etc. Try many large q’s. Rare for i’s to overlap. e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311

11

Choose q, square of large prime. Choose a “q-sublattice” of i’s: arithmetic progression of i’s where q divides each i(n + i). e.g. progression q − (n mod q), 2q − (n mod q), 3q − (n mod q), etc. Check smoothness of generalized congruence i(n + i)=q for i’s in this sublattice. e.g. check whether i; (n +i)=q are smooth for i = q − (n mod q) etc. Try many large q’s. Rare for i’s to overlap.

12

e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311

11

• se q, square of large prime.
• se a “q-sublattice” of i’s:

rithmetic progression of i’s q divides each i(n + i). rogression q − (n mod q), n mod q), 3q − (n mod q), smoothness of generalized congruence i(n + i)=q in this sublattice. check whether i; (n +i)=q are

• th for i = q − (n mod q) etc.

many large q’s. for i’s to overlap.

12

e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311 Crude analysis: eliminate Have practically

• f generalized

(q−(n mo between More careful are even For q ≈ n i ≈ (n + so smoothness (u=2)−u= 2u times

11

re of large prime.

• sublattice” of i’s:

rogression of i’s each i(n + i). q − (n mod q), 3q − (n mod q),

• thness of

congruence i(n + i)=q sublattice. her i; (n +i)=q are − (n mod q) etc. q’s.

• verlap.

12

e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311 Crude analysis: Sublattices eliminate the growth Have practically unlimited

• f generalized congruences

(q−(n mod q))n+ between 0 and n. More careful analysis: are even better than For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n so smoothness chance (u=2)−u=2(u=2)−u= 2u times larger than

11

prime.

• f i’s:

’s i). d q), mod q), + i)=q i)=q are d q) etc.

12

e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311 Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=u 2u times larger than before.

12

e.g. n = 314159265358979323: Original Q sieve: i n + i 1 314159265358979324 2 314159265358979325 3 314159265358979326 Use 9972-sublattice, i ∈ 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before.

12

= 314159265358979323: Original Q sieve: n + i 314159265358979324 314159265358979325 314159265358979326 9972-sublattice, 802458 + 994009Z: i (n + i)=9972 802458 316052737309 1796467 316052737310 2790476 316052737311

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before. Even larger from changing “Quadratic i 2 − n with have i 2 − much smaller

12

314159265358979323: sieve: 314159265358979324 314159265358979325 314159265358979326

• sublattice,

994009Z: + i)=9972 316052737309 316052737310 316052737311

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before. Even larger improvements from changing polynomial “Quadratic sieve” i 2 − n with i ≈ √ have i 2 − n ≈ n 1= much smaller than

12

314159265358979323: 314159265358979324 314159265358979325 314159265358979326

2

316052737309 316052737310 316052737311

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before. Even larger improvements from changing polynomial i( “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n.

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n.

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n. “MPQS” improves o(1) using sublattices: (i 2 − n)=q. But still ≈ n 1=2.

13

Crude analysis: Sublattices eliminate the growth problem. Have practically unlimited supply

• f generalized congruences

(q−(n mod q))n+q−(n mod q) q between 0 and n. More careful analysis: Sublattices are even better than that! For q ≈ n 1=2 have i ≈ (n + i)=q ≈ n 1=2 ≈ yu=2 so smoothness chance is roughly (u=2)−u=2(u=2)−u=2 = 2u=uu, 2u times larger than before.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n. “MPQS” improves o(1) using sublattices: (i 2 − n)=q. But still ≈ n 1=2. “Number-field sieve” (NFS) achieves n o(1).

13

analysis: Sublattices eliminate the growth problem. ractically unlimited supply generalized congruences mod q))n+q−(n mod q) q een 0 and n. careful analysis: Sublattices even better than that! ≈ n 1=2 have + i)=q ≈ n 1=2 ≈ yu=2

• thness chance is roughly

u=2(u=2)−u=2 = 2u=uu,

times larger than before.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n. “MPQS” improves o(1) using sublattices: (i 2 − n)=q. But still ≈ n 1=2. “Number-field sieve” (NFS) achieves n o(1). Generalizing The Q sieve the numb Recall ho factors 611: Form a squa as product for several 14(625) = 4410000 gcd{611; = 47.

13

Sublattices growth problem. unlimited supply congruences +q−(n mod q) q . analysis: Sublattices than that! have n 1=2 ≈ yu=2 chance is roughly

−u=2 = 2u=uu,

than before.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n. “MPQS” improves o(1) using sublattices: (i 2 − n)=q. But still ≈ n 1=2. “Number-field sieve” (NFS) achieves n o(1). Generalizing beyond The Q sieve is a sp the number-field sie Recall how the Q sieve factors 611: Form a square as product of i(i + for several pairs (i; 14(625) · 64(675) · = 44100002. gcd{611; 14 · 64 · 75 = 47.

13

Sublattices roblem. supply congruences mod q) Sublattices

u=2

roughly =uu, re.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n. “MPQS” improves o(1) using sublattices: (i 2 − n)=q. But still ≈ n 1=2. “Number-field sieve” (NFS) achieves n o(1). Generalizing beyond Q The Q sieve is a special case the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of i(i + 611j ) for several pairs (i; j ): 14(625) · 64(675) · 75(686) = 44100002. gcd{611; 14 · 64 · 75 − 4410000 = 47.

14

Even larger improvements from changing polynomial i(n +i). “Quadratic sieve” (QS) uses i 2 − n with i ≈ √n; have i 2 − n ≈ n 1=2+o(1), much smaller than n. “MPQS” improves o(1) using sublattices: (i 2 − n)=q. But still ≈ n 1=2. “Number-field sieve” (NFS) achieves n o(1).

15

Generalizing beyond Q The Q sieve is a special case of the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of i(i + 611j ) for several pairs (i; j ): 14(625) · 64(675) · 75(686) = 44100002. gcd{611; 14 · 64 · 75 − 4410000} = 47.

14

larger improvements changing polynomial i(n +i). “Quadratic sieve” (QS) uses with i ≈ √n; − n ≈ n 1=2+o(1), smaller than n. “MPQS” improves o(1) sublattices: (i 2 − n)=q. still ≈ n 1=2. “Number-field sieve” (NFS) achieves n o(1).

15

Generalizing beyond Q The Q sieve is a special case of the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of i(i + 611j ) for several pairs (i; j ): 14(625) · 64(675) · 75(686) = 44100002. gcd{611; 14 · 64 · 75 − 4410000} = 47. The Q( √ factors 611 Form a squa as product for several (−11 + 3 · (3 = (112 − Compute s = (−11 t = 112 − gcd{611;

14

rovements

• lynomial i(n +i).

sieve” (QS) uses √n;

1=2+o(1),

than n. roves o(1) sublattices: (i 2 − n)=q. . sieve” (NFS)

15

Generalizing beyond Q The Q sieve is a special case of the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of i(i + 611j ) for several pairs (i; j ): 14(625) · 64(675) · 75(686) = 44100002. gcd{611; 14 · 64 · 75 − 4410000} = 47. The Q( √ 14) sieve factors 611 as follo Form a square as product of (i + for several pairs (i; (−11 + 3 · 25)(−11 · (3 + 25)(3 + = (112 − 16 √ 14)2 Compute s = (−11 + 3 · 25) t = 112 − 16 · 25, gcd{611; s − t} =

14

i(n +i). uses =q. (NFS)

15

Generalizing beyond Q The Q sieve is a special case of the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of i(i + 611j ) for several pairs (i; j ): 14(625) · 64(675) · 75(686) = 44100002. gcd{611; 14 · 64 · 75 − 4410000} = 47. The Q( √ 14) sieve factors 611 as follows: Form a square as product of (i + 25j )(i + √ for several pairs (i; j ): (−11 + 3 · 25)(−11 + 3 √ 14) · (3 + 25)(3 + √ 14) = (112 − 16 √ 14)2. Compute s = (−11 + 3 · 25) · (3 + 25), t = 112 − 16 · 25, gcd{611; s − t} = 13.

15

Generalizing beyond Q The Q sieve is a special case of the number-field sieve. Recall how the Q sieve factors 611: Form a square as product of i(i + 611j ) for several pairs (i; j ): 14(625) · 64(675) · 75(686) = 44100002. gcd{611; 14 · 64 · 75 − 4410000} = 47.

16

The Q( √ 14) sieve factors 611 as follows: Form a square as product of (i + 25j )(i + √ 14j ) for several pairs (i; j ): (−11 + 3 · 25)(−11 + 3 √ 14) · (3 + 25)(3 + √ 14) = (112 − 16 √ 14)2. Compute s = (−11 + 3 · 25) · (3 + 25), t = 112 − 16 · 25, gcd{611; s − t} = 13.

15

Generalizing beyond Q sieve is a special case of number-field sieve. how the Q sieve 611: a square duct of i(i + 611j ) everal pairs (i; j ): 14(625) · 64(675) · 75(686) 44100002. 611; 14 · 64 · 75 − 4410000}

16

The Q( √ 14) sieve factors 611 as follows: Form a square as product of (i + 25j )(i + √ 14j ) for several pairs (i; j ): (−11 + 3 · 25)(−11 + 3 √ 14) · (3 + 25)(3 + √ 14) = (112 − 16 √ 14)2. Compute s = (−11 + 3 · 25) · (3 + 25), t = 112 − 16 · 25, gcd{611; s − t} = 13. Why does Answer: Z[ √ 14] → since 252 Apply ring (−11 + 3 · (3 = (112 − i.e. s2 = Unsurprising

15

• nd Q

special case of sieve. Q sieve i + 611j ) (i; j ): 64(675) · 75(686) · 75 − 4410000}

16

The Q( √ 14) sieve factors 611 as follows: Form a square as product of (i + 25j )(i + √ 14j ) for several pairs (i; j ): (−11 + 3 · 25)(−11 + 3 √ 14) · (3 + 25)(3 + √ 14) = (112 − 16 √ 14)2. Compute s = (−11 + 3 · 25) · (3 + 25), t = 112 − 16 · 25, gcd{611; s − t} = 13. Why does this work? Answer: Have ring Z[ √ 14] → Z=611, since 252 = 14 in Z Apply ring morphism (−11 + 3 · 25)(−11 · (3 + 25)(3 + = (112 − 16 · 25)2 i.e. s2 = t2 in Z=611. Unsurprising to find

15

case of 75(686) 4410000}

16

The Q( √ 14) sieve factors 611 as follows: Form a square as product of (i + 25j )(i + √ 14j ) for several pairs (i; j ): (−11 + 3 · 25)(−11 + 3 √ 14) · (3 + 25)(3 + √ 14) = (112 − 16 √ 14)2. Compute s = (−11 + 3 · 25) · (3 + 25), t = 112 − 16 · 25, gcd{611; s − t} = 13. Why does this work? Answer: Have ring morphism Z[ √ 14] → Z=611, √ 14 → 25, since 252 = 14 in Z=611. Apply ring morphism to squa (−11 + 3 · 25)(−11 + 3 · 25) · (3 + 25)(3 + 25) = (112 − 16 · 25)2 in Z=611. i.e. s2 = t2 in Z=611. Unsurprising to find factor.

16

The Q( √ 14) sieve factors 611 as follows: Form a square as product of (i + 25j )(i + √ 14j ) for several pairs (i; j ): (−11 + 3 · 25)(−11 + 3 √ 14) · (3 + 25)(3 + √ 14) = (112 − 16 √ 14)2. Compute s = (−11 + 3 · 25) · (3 + 25), t = 112 − 16 · 25, gcd{611; s − t} = 13.

17

Why does this work? Answer: Have ring morphism Z[ √ 14] → Z=611, √ 14 → 25, since 252 = 14 in Z=611. Apply ring morphism to square: (−11 + 3 · 25)(−11 + 3 · 25) · (3 + 25)(3 + 25) = (112 − 16 · 25)2 in Z=611. i.e. s2 = t2 in Z=611. Unsurprising to find factor.

16

( √ 14) sieve 611 as follows: a square duct of (i + 25j )(i + √ 14j ) everal pairs (i; j ): 3 · 25)(−11 + 3 √ 14) (3 + 25)(3 + √ 14) (112 − 16 √ 14)2. Compute 11 + 3 · 25) · (3 + 25), 112 − 16 · 25, 611; s − t} = 13.

17

Why does this work? Answer: Have ring morphism Z[ √ 14] → Z=611, √ 14 → 25, since 252 = 14 in Z=611. Apply ring morphism to square: (−11 + 3 · 25)(−11 + 3 · 25) · (3 + 25)(3 + 25) = (112 − 16 · 25)2 in Z=611. i.e. s2 = t2 in Z=611. Unsurprising to find factor. Generalize to (f ; m m ∈ Z, f Write d = f = f dxd Can take but larger better pa Pick ¸ ∈ Then f d¸ monic g Q(¸)←O

16

sieve follows: + 25j )(i + √ 14j ) (i; j ): 11 + 3 √ 14) 25)(3 + √ 14) 14)2. 25) · (3 + 25), 25, = 13.

17

Why does this work? Answer: Have ring morphism Z[ √ 14] → Z=611, √ 14 → 25, since 252 = 14 in Z=611. Apply ring morphism to square: (−11 + 3 · 25)(−11 + 3 · 25) · (3 + 25)(3 + 25) = (112 − 16 · 25)2 in Z=611. i.e. s2 = t2 in Z=611. Unsurprising to find factor. Generalize from (x to (f ; m) with irred m ∈ Z, f (m) ∈ nZ Write d = deg f , f = f dxd + · · · + f Can take f d = 1 fo but larger f d allows better parameter selection. Pick ¸ ∈ C, root of Then f d¸ is a root monic g = f d−1

d

f ( Q(¸)←O←Z[f d¸

16

√ 14j ) 14) 25),

17

Why does this work? Answer: Have ring morphism Z[ √ 14] → Z=611, √ 14 → 25, since 252 = 14 in Z=611. Apply ring morphism to square: (−11 + 3 · 25)(−11 + 3 · 25) · (3 + 25)(3 + 25) = (112 − 16 · 25)2 in Z=611. i.e. s2 = t2 in Z=611. Unsurprising to find factor. Generalize from (x2 − 14; 25) to (f ; m) with irred f ∈ Z[x m ∈ Z, f (m) ∈ nZ. Write d = deg f , f = f dxd + · · · + f 1x1 + f 0x Can take f d = 1 for simplicit but larger f d allows better parameter selection. Pick ¸ ∈ C, root of f . Then f d¸ is a root of monic g = f d−1

d

f (x=f d) ∈ Z Q(¸)←O←Z[f d¸]

f d¸→f dm

− − − − − − − →

17

Why does this work? Answer: Have ring morphism Z[ √ 14] → Z=611, √ 14 → 25, since 252 = 14 in Z=611. Apply ring morphism to square: (−11 + 3 · 25)(−11 + 3 · 25) · (3 + 25)(3 + 25) = (112 − 16 · 25)2 in Z=611. i.e. s2 = t2 in Z=611. Unsurprising to find factor.

18

Generalize from (x2 − 14; 25) to (f ; m) with irred f ∈ Z[x], m ∈ Z, f (m) ∈ nZ. Write d = deg f , f = f dxd + · · · + f 1x1 + f 0x0. Can take f d = 1 for simplicity, but larger f d allows better parameter selection. Pick ¸ ∈ C, root of f . Then f d¸ is a root of monic g = f d−1

d

f (x=f d) ∈ Z[x]. Q(¸)←O←Z[f d¸]

f d¸→f dm

− − − − − − − →Z=n

17

does this work? er: Have ring morphism 14] → Z=611, √ 14 → 25, 252 = 14 in Z=611. ring morphism to square: 3 · 25)(−11 + 3 · 25) (3 + 25)(3 + 25) (112 − 16 · 25)2 in Z=611. = t2 in Z=611. Unsurprising to find factor.

18

Generalize from (x2 − 14; 25) to (f ; m) with irred f ∈ Z[x], m ∈ Z, f (m) ∈ nZ. Write d = deg f , f = f dxd + · · · + f 1x1 + f 0x0. Can take f d = 1 for simplicity, but larger f d allows better parameter selection. Pick ¸ ∈ C, root of f . Then f d¸ is a root of monic g = f d−1

d

f (x=f d) ∈ Z[x]. Q(¸)←O←Z[f d¸]

f d¸→f dm

− − − − − − − →Z=n Build squa congruences with iZ + Could replace higher-deg quadratics for some But let’s Say we have Q

(i;j )∈S

in Q(¸);

17

• rk?

ring morphism 611, √ 14 → 25, in Z=611. rphism to square: 11 + 3 · 25) 25)(3 + 25) 25)2 in Z=611. =611. find factor.

18

Generalize from (x2 − 14; 25) to (f ; m) with irred f ∈ Z[x], m ∈ Z, f (m) ∈ nZ. Write d = deg f , f = f dxd + · · · + f 1x1 + f 0x0. Can take f d = 1 for simplicity, but larger f d allows better parameter selection. Pick ¸ ∈ C, root of f . Then f d¸ is a root of monic g = f d−1

d

f (x=f d) ∈ Z[x]. Q(¸)←O←Z[f d¸]

f d¸→f dm

− − − − − − − →Z=n Build square in Q( congruences (i − j with iZ + j Z = Z Could replace i − j higher-deg irred in quadratics seem fairly for some number fields. But let’s not bother. Say we have a squa Q

(i;j )∈S(i − j m)(

in Q(¸); now what?

17

rphism 25, square: 25) 611. r.

18

Generalize from (x2 − 14; 25) to (f ; m) with irred f ∈ Z[x], m ∈ Z, f (m) ∈ nZ. Write d = deg f , f = f dxd + · · · + f 1x1 + f 0x0. Can take f d = 1 for simplicity, but larger f d allows better parameter selection. Pick ¸ ∈ C, root of f . Then f d¸ is a root of monic g = f d−1

d

f (x=f d) ∈ Z[x]. Q(¸)←O←Z[f d¸]

f d¸→f dm

− − − − − − − →Z=n Build square in Q(¸) from congruences (i − j m)(i − j ¸ with iZ + j Z = Z and j > 0. Could replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square Q

(i;j )∈S(i − j m)(i − j ¸)

in Q(¸); now what?

18

Generalize from (x2 − 14; 25) to (f ; m) with irred f ∈ Z[x], m ∈ Z, f (m) ∈ nZ. Write d = deg f , f = f dxd + · · · + f 1x1 + f 0x0. Can take f d = 1 for simplicity, but larger f d allows better parameter selection. Pick ¸ ∈ C, root of f . Then f d¸ is a root of monic g = f d−1

d

f (x=f d) ∈ Z[x]. Q(¸)←O←Z[f d¸]

f d¸→f dm

− − − − − − − →Z=n

19

Build square in Q(¸) from congruences (i − j m)(i − j ¸) with iZ + j Z = Z and j > 0. Could replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square Q

(i;j )∈S(i − j m)(i − j ¸)

in Q(¸); now what?

18

Generalize from (x2 − 14; 25) m) with irred f ∈ Z[x], , f (m) ∈ nZ. d = deg f , xd + · · · + f 1x1 + f 0x0. take f d = 1 for simplicity, rger f d allows parameter selection. ∈ C, root of f . f d¸ is a root of g = f d−1

d

f (x=f d) ∈ Z[x]. ←O←Z[f d¸]

f d¸→f dm

− − − − − − − →Z=n

19

Build square in Q(¸) from congruences (i − j m)(i − j ¸) with iZ + j Z = Z and j > 0. Could replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square Q

(i;j )∈S(i − j m)(i − j ¸)

in Q(¸); now what? Q(i − j m is a squa ring of in Multiply putting squa compute Q(i − j m Then apply ’ : Z[f d¸ f d¸ to f ’(r ) − g In Z=n have g′(f dm)2

18

(x2 − 14; 25) irred f ∈ Z[x], nZ. , f 1x1 + f 0x0. for simplicity, allows rameter selection.

• t of f .
• t of

f (x=f d) ∈ Z[x]. ¸]

f d¸→f dm

− − − − − − − →Z=n

19

Build square in Q(¸) from congruences (i − j m)(i − j ¸) with iZ + j Z = Z and j > 0. Could replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square Q

(i;j )∈S(i − j m)(i − j ¸)

in Q(¸); now what? Q(i − j m)(i − j ¸ is a square in O, ring of integers of Multiply by g′(f d¸ putting square root compute r with r 2 Q(i − j m)(i − j ¸ Then apply the ring ’ : Z[f d¸] → Z=n f d¸ to f dm. Compute ’(r ) − g′(f dm) Q In Z=n have ’(r )2 g′(f dm)2 Q(i − j m

18

25) [x],

0x0.

implicity, selection. Z[x].

m

− →Z=n

19

Build square in Q(¸) from congruences (i − j m)(i − j ¸) with iZ + j Z = Z and j > 0. Could replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square Q

(i;j )∈S(i − j m)(i − j ¸)

in Q(¸); now what? Q(i − j m)(i − j ¸)f 2

d

is a square in O, ring of integers of Q(¸). Multiply by g′(f d¸)2, putting square root into Z[f d compute r with r 2 = g′(f d¸ Q(i − j m)(i − j ¸)f 2

d.

Then apply the ring morphism ’ : Z[f d¸] → Z=n taking f d¸ to f dm. Compute gcd{ ’(r ) − g′(f dm) Q(i − j m)f In Z=n have ’(r )2 = g′(f dm)2 Q(i − j m)2f 2

d.

19

Build square in Q(¸) from congruences (i − j m)(i − j ¸) with iZ + j Z = Z and j > 0. Could replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small for some number fields. But let’s not bother. Say we have a square Q

(i;j )∈S(i − j m)(i − j ¸)

in Q(¸); now what?

20

Q(i − j m)(i − j ¸)f 2

d

is a square in O, ring of integers of Q(¸). Multiply by g′(f d¸)2, putting square root into Z[f d¸]: compute r with r 2 = g′(f d¸)2· Q(i − j m)(i − j ¸)f 2

d.

Then apply the ring morphism ’ : Z[f d¸] → Z=n taking f d¸ to f dm. Compute gcd{n; ’(r ) − g′(f dm) Q(i − j m)f d}. In Z=n have ’(r )2 = g′(f dm)2 Q(i − j m)2f 2

d.

19

square in Q(¸) from congruences (i − j m)(i − j ¸) Z + j Z = Z and j > 0. replace i − j x by higher-deg irred in Z[x]; quadratics seem fairly small

• me number fields.

let’s not bother. e have a square

S(i − j m)(i − j ¸)

); now what?

20

Q(i − j m)(i − j ¸)f 2

d

is a square in O, ring of integers of Q(¸). Multiply by g′(f d¸)2, putting square root into Z[f d¸]: compute r with r 2 = g′(f d¸)2· Q(i − j m)(i − j ¸)f 2

d.

Then apply the ring morphism ’ : Z[f d¸] → Z=n taking f d¸ to f dm. Compute gcd{n; ’(r ) − g′(f dm) Q(i − j m)f d}. In Z=n have ’(r )2 = g′(f dm)2 Q(i − j m)2f 2

d.

How to find

• f congruences

Start with e.g., y2 pairs Look for y-smooth y-smooth f di d + · Here “y-smo “has no Find enough Perform exponent

19

Q(¸) from j m)(i − j ¸) Z and j > 0. − j x by in Z[x]; fairly small er fields.

• ther.

square )(i − j ¸) what?

20

Q(i − j m)(i − j ¸)f 2

d

is a square in O, ring of integers of Q(¸). Multiply by g′(f d¸)2, putting square root into Z[f d¸]: compute r with r 2 = g′(f d¸)2· Q(i − j m)(i − j ¸)f 2

d.

Then apply the ring morphism ’ : Z[f d¸] → Z=n taking f d¸ to f dm. Compute gcd{n; ’(r ) − g′(f dm) Q(i − j m)f d}. In Z=n have ’(r )2 = g′(f dm)2 Q(i − j m)2f 2

d.

How to find square

• f congruences (i −

Start with congruences e.g., y2 pairs (i; j ). Look for y-smooth y-smooth i − j m y-smooth f d norm( f di d + · · · + f 0j d = Here “y-smooth” means “has no prime diviso Find enough smooth Perform linear algeb exponent vectors mo

19

j ¸) 0. small

20

Q(i − j m)(i − j ¸)f 2

d

is a square in O, ring of integers of Q(¸). Multiply by g′(f d¸)2, putting square root into Z[f d¸]: compute r with r 2 = g′(f d¸)2· Q(i − j m)(i − j ¸)f 2

d.

Then apply the ring morphism ’ : Z[f d¸] → Z=n taking f d¸ to f dm. Compute gcd{n; ’(r ) − g′(f dm) Q(i − j m)f d}. In Z=n have ’(r )2 = g′(f dm)2 Q(i − j m)2f 2

d.

How to find square product

• f congruences (i − j m)(i −

Start with congruences for, e.g., y2 pairs (i; j ). Look for y-smooth congruences: y-smooth i − j m and y-smooth f d norm(i − j ¸) = f di d + · · · + f 0j d = j df (i=j Here “y-smooth” means “has no prime divisor > y.” Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2.

20

Q(i − j m)(i − j ¸)f 2

d

is a square in O, ring of integers of Q(¸). Multiply by g′(f d¸)2, putting square root into Z[f d¸]: compute r with r 2 = g′(f d¸)2· Q(i − j m)(i − j ¸)f 2

d.

Then apply the ring morphism ’ : Z[f d¸] → Z=n taking f d¸ to f dm. Compute gcd{n; ’(r ) − g′(f dm) Q(i − j m)f d}. In Z=n have ’(r )2 = g′(f dm)2 Q(i − j m)2f 2

d.

21

How to find square product

• f congruences (i − j m)(i − j ¸)?

Start with congruences for, e.g., y2 pairs (i; j ). Look for y-smooth congruences: y-smooth i − j m and y-smooth f d norm(i − j ¸) = f di d + · · · + f 0j d = j df (i=j ). Here “y-smooth” means “has no prime divisor > y.” Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2.

20

j m)(i − j ¸)f 2

d

square in O,

• f integers of Q(¸).

Multiply by g′(f d¸)2, putting square root into Z[f d¸]: compute r with r 2 = g′(f d¸)2· j m)(i − j ¸)f 2

d.

apply the ring morphism

d¸] → Z=n taking

f dm. Compute gcd{n; g′(f dm) Q(i − j m)f d}. have ’(r )2 = )2 Q(i − j m)2f 2

d.

21

How to find square product

• f congruences (i − j m)(i − j ¸)?

Start with congruences for, e.g., y2 pairs (i; j ). Look for y-smooth congruences: y-smooth i − j m and y-smooth f d norm(i − j ¸) = f di d + · · · + f 0j d = j df (i=j ). Here “y-smooth” means “has no prime divisor > y.” Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2. Asymptotic Number in number-field with theo is L1:90::: exp((log What are Choose degree d=(log n) ∈ 1:40 : :

20

j ¸)f 2

d

,

• f Q(¸).

¸)2, root into Z[f d¸]: r 2 = g′(f d¸)2· j ¸)f 2

d.

ring morphism =n taking Compute gcd{n; Q(i − j m)f d}. )2 = j m)2f 2

d.

21

How to find square product

• f congruences (i − j m)(i − j ¸)?

Start with congruences for, e.g., y2 pairs (i; j ). Look for y-smooth congruences: y-smooth i − j m and y-smooth f d norm(i − j ¸) = f di d + · · · + f 0j d = j df (i=j ). Here “y-smooth” means “has no prime divisor > y.” Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2. Asymptotic cost exp Number of bit operations in number-field sieve with theorists’ parameters, is L1:90:::+o(1) where exp((log n)1=3(log What are theorists’ Choose degree d with d=(log n)1=3(log log ∈ 1:40 : : : + o(1).

20

[f d¸]: ¸)2· rphism gcd{n; )f d}.

21

How to find square product

• f congruences (i − j m)(i − j ¸)?

Start with congruences for, e.g., y2 pairs (i; j ). Look for y-smooth congruences: y-smooth i − j m and y-smooth f d norm(i − j ¸) = f di d + · · · + f 0j d = j df (i=j ). Here “y-smooth” means “has no prime divisor > y.” Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2. Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists’ parameters, is L1:90:::+o(1) where L = exp((log n)1=3(log log n)2=3). What are theorists’ paramete Choose degree d with d=(log n)1=3(log log n)−1=3 ∈ 1:40 : : : + o(1).

21

How to find square product

• f congruences (i − j m)(i − j ¸)?

Start with congruences for, e.g., y2 pairs (i; j ). Look for y-smooth congruences: y-smooth i − j m and y-smooth f d norm(i − j ¸) = f di d + · · · + f 0j d = j df (i=j ). Here “y-smooth” means “has no prime divisor > y.” Find enough smooth congruences. Perform linear algebra on exponent vectors mod 2.

22

Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists’ parameters, is L1:90:::+o(1) where L = exp((log n)1=3(log log n)2=3). What are theorists’ parameters? Choose degree d with d=(log n)1=3(log log n)−1=3 ∈ 1:40 : : : + o(1).

21

to find square product congruences (i − j m)(i − j ¸)? ith congruences for,

2 pairs (i; j ).

for y-smooth congruences:

• th i − j m and
• th f d norm(i − j ¸) =

· · · + f 0j d = j df (i=j ). y-smooth” means no prime divisor > y.” enough smooth congruences. rm linear algebra on

• nent vectors mod 2.

22

Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists’ parameters, is L1:90:::+o(1) where L = exp((log n)1=3(log log n)2=3). What are theorists’ parameters? Choose degree d with d=(log n)1=3(log log n)−1=3 ∈ 1:40 : : : + o(1). Choose integer Write n m d + f d with each Choose f in case there Test smo for all cop with 1 ≤ using prime L1:90:::+o Conjecturally smooth values

21

square product i − j m)(i − j ¸)? congruences for, j ).

• th congruences:

and rm(i − j ¸) =

d = j df (i=j ).

• th” means

divisor > y.” smooth congruences. algebra on rs mod 2.

22

Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists’ parameters, is L1:90:::+o(1) where L = exp((log n)1=3(log log n)2=3). What are theorists’ parameters? Choose degree d with d=(log n)1=3(log log n)−1=3 ∈ 1:40 : : : + o(1). Choose integer m Write n as m d + f d−1m d−1 + with each f k below Choose f with some in case there are b Test smoothness of for all coprime pairs with 1 ≤ i; j ≤ L0: using primes ≤L0:95 L1:90:::+o(1) pairs. Conjecturally L1:65 smooth values of i

21

duct − j ¸)? r, congruences: = i=j ). .” congruences.

22

Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists’ parameters, is L1:90:::+o(1) where L = exp((log n)1=3(log log n)2=3). What are theorists’ parameters? Choose degree d with d=(log n)1=3(log log n)−1=3 ∈ 1:40 : : : + o(1). Choose integer m ≈ n 1=d. Write n as m d + f d−1m d−1 + · · · + f 1m with each f k below n (1+o(1)) Choose f with some randomness in case there are bad f ’s. Test smoothness of i − j m for all coprime pairs (i; j ) with 1 ≤ i; j ≤ L0:95:::+o(1), using primes ≤L0:95:::+o(1). L1:90:::+o(1) pairs. Conjecturally L1:65:::+o(1) smooth values of i − j m.

22

Asymptotic cost exponents Number of bit operations in number-field sieve, with theorists’ parameters, is L1:90:::+o(1) where L = exp((log n)1=3(log log n)2=3). What are theorists’ parameters? Choose degree d with d=(log n)1=3(log log n)−1=3 ∈ 1:40 : : : + o(1).

23

Choose integer m ≈ n 1=d. Write n as m d + f d−1m d−1 + · · · + f 1m + f 0 with each f k below n (1+o(1))=d. Choose f with some randomness in case there are bad f ’s. Test smoothness of i − j m for all coprime pairs (i; j ) with 1 ≤ i; j ≤ L0:95:::+o(1), using primes ≤L0:95:::+o(1). L1:90:::+o(1) pairs. Conjecturally L1:65:::+o(1) smooth values of i − j m.

22

Asymptotic cost exponents er of bit operations number-field sieve, theorists’ parameters,

:::+o(1) where L =

exp((log n)1=3(log log n)2=3). are theorists’ parameters?

• se degree d with

n)1=3(log log n)−1=3 : : : + o(1).

23

Choose integer m ≈ n 1=d. Write n as m d + f d−1m d−1 + · · · + f 1m + f 0 with each f k below n (1+o(1))=d. Choose f with some randomness in case there are bad f ’s. Test smoothness of i − j m for all coprime pairs (i; j ) with 1 ≤ i; j ≤ L0:95:::+o(1), using primes ≤L0:95:::+o(1). L1:90:::+o(1) pairs. Conjecturally L1:65:::+o(1) smooth values of i − j m. Use L0:12 For each with smo test smo and i − j using prime L1:77:::+o Each |j d Conjecturally smooth congruences. L0:95:::+o in the exp

22

exponents

• perations

sieve, parameters, where L = (log log n)2=3). rists’ parameters? with log n)−1=3 (1).

23

Choose integer m ≈ n 1=d. Write n as m d + f d−1m d−1 + · · · + f 1m + f 0 with each f k below n (1+o(1))=d. Choose f with some randomness in case there are bad f ’s. Test smoothness of i − j m for all coprime pairs (i; j ) with 1 ≤ i; j ≤ L0:95:::+o(1), using primes ≤L0:95:::+o(1). L1:90:::+o(1) pairs. Conjecturally L1:65:::+o(1) smooth values of i − j m. Use L0:12:::+o(1) numb For each (i; j ) with smooth i − j m test smoothness of and i − j ˛ and so using primes ≤L0:82 L1:77:::+o(1) tests. Each |j df (i=j )| ≤ Conjecturally L0:95 smooth congruences. L0:95:::+o(1) components in the exponent vecto

22

• nents

rameters,

3).

rameters?

23

Choose integer m ≈ n 1=d. Write n as m d + f d−1m d−1 + · · · + f 1m + f 0 with each f k below n (1+o(1))=d. Choose f with some randomness in case there are bad f ’s. Test smoothness of i − j m for all coprime pairs (i; j ) with 1 ≤ i; j ≤ L0:95:::+o(1), using primes ≤L0:95:::+o(1). L1:90:::+o(1) pairs. Conjecturally L1:65:::+o(1) smooth values of i − j m. Use L0:12:::+o(1) number fields. For each (i; j ) with smooth i − j m, test smoothness of i − j ¸ and i − j ˛ and so on, using primes ≤L0:82:::+o(1). L1:77:::+o(1) tests. Each |j df (i=j )| ≤ m 2:86:::+o Conjecturally L0:95:::+o(1) smooth congruences. L0:95:::+o(1) components in the exponent vectors.

23

Choose integer m ≈ n 1=d. Write n as m d + f d−1m d−1 + · · · + f 1m + f 0 with each f k below n (1+o(1))=d. Choose f with some randomness in case there are bad f ’s. Test smoothness of i − j m for all coprime pairs (i; j ) with 1 ≤ i; j ≤ L0:95:::+o(1), using primes ≤L0:95:::+o(1). L1:90:::+o(1) pairs. Conjecturally L1:65:::+o(1) smooth values of i − j m.

24

Use L0:12:::+o(1) number fields. For each (i; j ) with smooth i − j m, test smoothness of i − j ¸ and i − j ˛ and so on, using primes ≤L0:82:::+o(1). L1:77:::+o(1) tests. Each |j df (i=j )| ≤ m 2:86:::+o(1). Conjecturally L0:95:::+o(1) smooth congruences. L0:95:::+o(1) components in the exponent vectors.

23

• se integer m ≈ n 1=d.

n as f d−1m d−1 + · · · + f 1m + f 0 each f k below n (1+o(1))=d.

• se f with some randomness

there are bad f ’s. smoothness of i − j m coprime pairs (i; j ) ≤ i; j ≤ L0:95:::+o(1), primes ≤L0:95:::+o(1).

+o(1) pairs.

Conjecturally L1:65:::+o(1)

• th values of i − j m.

24

Use L0:12:::+o(1) number fields. For each (i; j ) with smooth i − j m, test smoothness of i − j ¸ and i − j ˛ and so on, using primes ≤L0:82:::+o(1). L1:77:::+o(1) tests. Each |j df (i=j )| ≤ m 2:86:::+o(1). Conjecturally L0:95:::+o(1) smooth congruences. L0:95:::+o(1) components in the exponent vectors. Three sizes (log n)1= y, i, j . (log n)2= m, i − j log n bits: Unavoidably usual smo forces (log balancing forces d log and d log

23

≈ n 1=d. + · · · + f 1m + f 0 elow n (1+o(1))=d. some randomness bad f ’s.

• f i − j m

pairs (i; j )

0:95:::+o(1), 0:95:::+o(1).

pairs.

65:::+o(1)

• f i − j m.

24

Use L0:12:::+o(1) number fields. For each (i; j ) with smooth i − j m, test smoothness of i − j ¸ and i − j ˛ and so on, using primes ≤L0:82:::+o(1). L1:77:::+o(1) tests. Each |j df (i=j )| ≤ m 2:86:::+o(1). Conjecturally L0:95:::+o(1) smooth congruences. L0:95:::+o(1) components in the exponent vectors. Three sizes of numb (log n)1=3(log log n y, i, j . (log n)2=3(log log n m, i − j m, j df (i=j log n bits: n. Unavoidably 1=3 in usual smoothness optim forces (log y)2 ≈ log balancing norms with forces d log y ≈ log and d log m ≈ log n

23

1m + f 0 (1))=d.

randomness

(1),

.

24

Use L0:12:::+o(1) number fields. For each (i; j ) with smooth i − j m, test smoothness of i − j ¸ and i − j ˛ and so on, using primes ≤L0:82:::+o(1). L1:77:::+o(1) tests. Each |j df (i=j )| ≤ m 2:86:::+o(1). Conjecturally L0:95:::+o(1) smooth congruences. L0:95:::+o(1) components in the exponent vectors. Three sizes of numbers here: (log n)1=3(log log n)2=3 bits: y, i, j . (log n)2=3(log log n)1=3 bits: m, i − j m, j df (i=j ). log n bits: n. Unavoidably 1=3 in exponent: usual smoothness optimization forces (log y)2 ≈ log m; balancing norms with m forces d log y ≈ log m; and d log m ≈ log n.

24

Use L0:12:::+o(1) number fields. For each (i; j ) with smooth i − j m, test smoothness of i − j ¸ and i − j ˛ and so on, using primes ≤L0:82:::+o(1). L1:77:::+o(1) tests. Each |j df (i=j )| ≤ m 2:86:::+o(1). Conjecturally L0:95:::+o(1) smooth congruences. L0:95:::+o(1) components in the exponent vectors.

25

Three sizes of numbers here: (log n)1=3(log log n)2=3 bits: y, i, j . (log n)2=3(log log n)1=3 bits: m, i − j m, j df (i=j ). log n bits: n. Unavoidably 1=3 in exponent: usual smoothness optimization forces (log y)2 ≈ log m; balancing norms with m forces d log y ≈ log m; and d log m ≈ log n.

24

:12:::+o(1) number fields.

each (i; j ) smooth i − j m,

• othness of i − j ¸

− j ˛ and so on, primes ≤L0:82:::+o(1).

+o(1) tests.

|j df (i=j )| ≤ m 2:86:::+o(1). Conjecturally L0:95:::+o(1)

• th congruences.

+o(1) components

exponent vectors.

25

Three sizes of numbers here: (log n)1=3(log log n)2=3 bits: y, i, j . (log n)2=3(log log n)1=3 bits: m, i − j m, j df (i=j ). log n bits: n. Unavoidably 1=3 in exponent: usual smoothness optimization forces (log y)2 ≈ log m; balancing norms with m forces d log y ≈ log m; and d log m ≈ log n. Batch NFS The numb L1:90:::+o finding smo L1:77:::+o finding smo Many n’s L1:90:::+o to find squa Oops, linea fix by reducing But still batch in factoring

24

number fields. j m,

• f i − j ¸

so on,

0:82:::+o(1).

tests. ≤ m 2:86:::+o(1).

95:::+o(1)

congruences. components vectors.

25

Three sizes of numbers here: (log n)1=3(log log n)2=3 bits: y, i, j . (log n)2=3(log log n)1=3 bits: m, i − j m, j df (i=j ). log n bits: n. Unavoidably 1=3 in exponent: usual smoothness optimization forces (log y)2 ≈ log m; balancing norms with m forces d log y ≈ log m; and d log m ≈ log n. Batch NFS The number-field sieve L1:90:::+o(1) bit operations finding smooth i − L1:77:::+o(1) bit operations finding smooth j df Many n’s can share L1:90:::+o(1) bit operations to find squares for Oops, linear algebra fix by reducing y. But still end up facto batch in much less factoring each n sepa

24

fields. .

+o(1).

25

Three sizes of numbers here: (log n)1=3(log log n)2=3 bits: y, i, j . (log n)2=3(log log n)1=3 bits: m, i − j m, j df (i=j ). log n bits: n. Unavoidably 1=3 in exponent: usual smoothness optimization forces (log y)2 ≈ log m; balancing norms with m forces d log y ≈ log m; and d log m ≈ log n. Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately.

25

Three sizes of numbers here: (log n)1=3(log log n)2=3 bits: y, i, j . (log n)2=3(log log n)1=3 bits: m, i − j m, j df (i=j ). log n bits: n. Unavoidably 1=3 in exponent: usual smoothness optimization forces (log y)2 ≈ log m; balancing norms with m forces d log y ≈ log m; and d log m ≈ log n.

26

Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately.

25

sizes of numbers here: )1=3(log log n)2=3 bits: . )2=3(log log n)1=3 bits: j m, j df (i=j ). bits: n. Unavoidably 1=3 in exponent: smoothness optimization (log y)2 ≈ log m; balancing norms with m d log y ≈ log m; log m ≈ log n.

26

Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately. Asymptotic parameters: d=(log n) ∈ 1:10 : : Primes ≤ 1 ≤ i; j ≤ Computation finds L1: smooth values L1:64:::+o for each

25

numbers here: log n)2=3 bits: log n)1=3 bits: (i=j ). in exponent:

• thness optimization

log m; with m log m; log n.

26

Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately. Asymptotic batch-NF parameters: d=(log n)1=3(log log ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o 1 ≤ i; j ≤ L1:00:::+ Computation indep finds L1:64:::+o(1) smooth values i − L1:64:::+o(1) operations for each target n.

25

here: bits: bits:

• nent:

tion

26

Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately. Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n.

26

Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately.

27

Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of n finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n.

26

Batch NFS The number-field sieve used L1:90:::+o(1) bit operations finding smooth i − j m; only L1:77:::+o(1) bit operations finding smooth j df (i=j ). Many n’s can share one m; L1:90:::+o(1) bit operations to find squares for all n’s. Oops, linear algebra hurts; fix by reducing y. But still end up factoring batch in much less time than factoring each n separately.

27

Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of n finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n. Wait: how do we recognize smooth integers so quickly?

26

NFS number-field sieve used

+o(1) bit operations

smooth i − j m; only

+o(1) bit operations

smooth j df (i=j ). n’s can share one m;

+o(1) bit operations

squares for all n’s. linear algebra hurts; reducing y. still end up factoring in much less time than ring each n separately.

27

Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of n finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n. Wait: how do we recognize smooth integers so quickly? The rho Define  Every prime (1 − 2 · · · (3575 Also many Can compute ≈ 214 multiplications very little Compare for trial division

26

er-field sieve used

• perations

− j m; only

• perations

df (i=j ).

share one m;

• perations

for all n’s. algebra hurts; . factoring less time than separately.

27

Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of n finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n. Wait: how do we recognize smooth integers so quickly? The rho method Define 0 = 0, k+1 Every prime ≤220 (1 − 2)(2 − 4)( · · · (3575 − 7150). Also many larger p Can compute gcd{ ≈ 214 multiplications very little memory. Compare to ≈ 216 for trial division up

26

used

• nly

; hurts; than rately.

27

Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of n finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n. Wait: how do we recognize smooth integers so quickly? The rho method Define 0 = 0, k+1 = 2

k +

Every prime ≤220 divides S (1 − 2)(2 − 4)(3 − 6) · · · (3575 − 7150). Also many larger primes. Can compute gcd{c; S} using ≈ 214 multiplications mod c, very little memory. Compare to ≈ 216 divisions for trial division up to 220.

27

Asymptotic batch-NFS parameters: d=(log n)1=3(log log n)−1=3 ∈ 1:10 : : : + o(1). Primes ≤L0:82:::+o(1). 1 ≤ i; j ≤ L1:00:::+o(1). Computation independent of n finds L1:64:::+o(1) smooth values i − j m. L1:64:::+o(1) operations for each target n. Wait: how do we recognize smooth integers so quickly?

28

The rho method Define 0 = 0, k+1 = 2

k + 11.

Every prime ≤220 divides S = (1 − 2)(2 − 4)(3 − 6) · · · (3575 − 7150). Also many larger primes. Can compute gcd{c; S} using ≈ 214 multiplications mod c, very little memory. Compare to ≈ 216 divisions for trial division up to 220.

27

Asymptotic batch-NFS rameters: n)1=3(log log n)−1=3 : : : + o(1). Primes ≤L0:82:::+o(1). j ≤ L1:00:::+o(1). Computation independent of n

1:64:::+o(1)

• th values i − j m.

+o(1) operations

h target n. how do we recognize

• th integers so quickly?

28

The rho method Define 0 = 0, k+1 = 2

k + 11.

Every prime ≤220 divides S = (1 − 2)(2 − 4)(3 − 6) · · · (3575 − 7150). Also many larger primes. Can compute gcd{c; S} using ≈ 214 multiplications mod c, very little memory. Compare to ≈ 216 divisions for trial division up to 220. More generally: Compute (1 − 2 How big for all primes Plausible so y1=2+ Reason: 1 mod p; If i mod then k mo for k ∈ (

27

batch-NFS log n)−1=3 (1).

• (1).

:::+o(1).

independent of n − j m. erations . e recognize so quickly?

28

The rho method Define 0 = 0, k+1 = 2

k + 11.

Every prime ≤220 divides S = (1 − 2)(2 − 4)(3 − 6) · · · (3575 − 7150). Also many larger primes. Can compute gcd{c; S} using ≈ 214 multiplications mod c, very little memory. Compare to ≈ 216 divisions for trial division up to 220. More generally: Cho Compute gcd{c; S (1 − 2)(2 − 4) How big does z have for all primes ≤y to Plausible conjecture: so y1=2+o(1) mults Reason: Consider 1 mod p; 2 mod p; If i mod p = j mo then k mod p =  for k ∈ (j − i)Z ∩

27

• f n

recognize quickly?

28

The rho method Define 0 = 0, k+1 = 2

k + 11.

Every prime ≤220 divides S = (1 − 2)(2 − 4)(3 − 6) · · · (3575 − 7150). Also many larger primes. Can compute gcd{c; S} using ≈ 214 multiplications mod c, very little memory. Compare to ≈ 216 divisions for trial division up to 220. More generally: Choose z. Compute gcd{c; S} where S (1 − 2)(2 − 4) · · · (z − How big does z have to be for all primes ≤y to divide S Plausible conjecture: y1=2+o so y1=2+o(1) mults mod c. Reason: Consider first collision 1 mod p; 2 mod p; : : :. If i mod p = j mod p then k mod p = 2k mod p for k ∈ (j − i)Z ∩ [i; ∞] ∩ [j ;

28

The rho method Define 0 = 0, k+1 = 2

k + 11.

Every prime ≤220 divides S = (1 − 2)(2 − 4)(3 − 6) · · · (3575 − 7150). Also many larger primes. Can compute gcd{c; S} using ≈ 214 multiplications mod c, very little memory. Compare to ≈ 216 divisions for trial division up to 220.

29

More generally: Choose z. Compute gcd{c; S} where S = (1 − 2)(2 − 4) · · · (z − 2z). How big does z have to be for all primes ≤y to divide S? Plausible conjecture: y1=2+o(1); so y1=2+o(1) mults mod c. Reason: Consider first collision in 1 mod p; 2 mod p; : : :. If i mod p = j mod p then k mod p = 2k mod p for k ∈ (j − i)Z ∩ [i; ∞] ∩ [j ; ∞].

28

rho method 0 = 0, k+1 = 2

k + 11.

prime ≤220 divides S = 2)(2 − 4)(3 − 6)

3575 − 7150).

many larger primes. compute gcd{c; S} using multiplications mod c, little memory. Compare to ≈ 216 divisions ial division up to 220.

29

More generally: Choose z. Compute gcd{c; S} where S = (1 − 2)(2 − 4) · · · (z − 2z). How big does z have to be for all primes ≤y to divide S? Plausible conjecture: y1=2+o(1); so y1=2+o(1) mults mod c. Reason: Consider first collision in 1 mod p; 2 mod p; : : :. If i mod p = j mod p then k mod p = 2k mod p for k ∈ (j − i)Z ∩ [i; ∞] ∩ [j ; ∞]. The p − S1 = 2232792560 has prim 3, 5, 7, 11, 37, 41, 43, 89, 97, 103, 137, 151, These diviso 70 of the 156 of the 296 of the 470 of the etc.

28

k+1 = 2 k + 11. 20 divides S = 4)(3 − 6) 7150).

rger primes. gcd{c; S} using multiplications mod c, ry.

16 divisions

up to 220.

29

More generally: Choose z. Compute gcd{c; S} where S = (1 − 2)(2 − 4) · · · (z − 2z). How big does z have to be for all primes ≤y to divide S? Plausible conjecture: y1=2+o(1); so y1=2+o(1) mults mod c. Reason: Consider first collision in 1 mod p; 2 mod p; : : :. If i mod p = j mod p then k mod p = 2k mod p for k ∈ (j − i)Z ∩ [i; ∞] ∩ [j ; ∞]. The p − 1 method S1 = 2232792560 − has prime divisors 3, 5, 7, 11, 13, 17, 37, 41, 43, 53, 61, 89, 97, 103, 109, 113, 137, 151, 157, 181, These divisors include 70 of the 168 primes 156 of the 1229 primes 296 of the 9592 primes 470 of the 78498 p etc.

28

+ 11. S =

6)

using c, divisions .

29

More generally: Choose z. Compute gcd{c; S} where S = (1 − 2)(2 − 4) · · · (z − 2z). How big does z have to be for all primes ≤y to divide S? Plausible conjecture: y1=2+o(1); so y1=2+o(1) mults mod c. Reason: Consider first collision in 1 mod p; 2 mod p; : : :. If i mod p = j mod p then k mod p = 2k mod p for k ∈ (j − i)Z ∩ [i; ∞] ∩ [j ; ∞]. The p − 1 method S1 = 2232792560 − 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 37, 41, 43, 53, 61, 67, 71, 73, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199 These divisors include 70 of the 168 primes ≤103; 156 of the 1229 primes ≤104 296 of the 9592 primes ≤105 470 of the 78498 primes ≤10 etc.

29

More generally: Choose z. Compute gcd{c; S} where S = (1 − 2)(2 − 4) · · · (z − 2z). How big does z have to be for all primes ≤y to divide S? Plausible conjecture: y1=2+o(1); so y1=2+o(1) mults mod c. Reason: Consider first collision in 1 mod p; 2 mod p; : : :. If i mod p = j mod p then k mod p = 2k mod p for k ∈ (j − i)Z ∩ [i; ∞] ∩ [j ; ∞].

30

The p − 1 method S1 = 2232792560 − 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 53, 61, 67, 71, 73, 79, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199 etc. These divisors include 70 of the 168 primes ≤103; 156 of the 1229 primes ≤104; 296 of the 9592 primes ≤105; 470 of the 78498 primes ≤106; etc.

29

generally: Choose z. Compute gcd{c; S} where S = 2)(2 − 4) · · · (z − 2z). big does z have to be primes ≤y to divide S? Plausible conjecture: y1=2+o(1);

2+o(1) mults mod c.

Reason: Consider first collision in d p; 2 mod p; : : :. mod p = j mod p

k mod p = 2k mod p

(j − i)Z ∩ [i; ∞] ∩ [j ; ∞].

30

The p − 1 method S1 = 2232792560 − 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 53, 61, 67, 71, 73, 79, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199 etc. These divisors include 70 of the 168 primes ≤103; 156 of the 1229 primes ≤104; 296 of the 9592 primes ≤105; 470 of the 78498 primes ≤106; etc. An odd p divides 2 iff order multiplicative divides s Many wa 232792560 Why so many? Answer: = lcm{1 = 24 · 32

29

Choose z. S} where S =

4) · · · (z − 2z).

have to be to divide S? conjecture: y1=2+o(1); mults mod c. Consider first collision in p; : : :. mod p 2k mod p ∩ [i; ∞] ∩ [j ; ∞].

30

The p − 1 method S1 = 2232792560 − 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 53, 61, 67, 71, 73, 79, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199 etc. These divisors include 70 of the 168 primes ≤103; 156 of the 1229 primes ≤104; 296 of the 9592 primes ≤105; 470 of the 78498 primes ≤106; etc. An odd prime p divides 2232792560 − iff order of 2 in the multiplicative group divides s = 232792560. Many ways for this 232792560 has 960 Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : = 24 · 32 · 5 · 7 · 11

29

. S = − 2z). e S?

• (1);

collision in p [j ; ∞].

30

The p − 1 method S1 = 2232792560 − 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 53, 61, 67, 71, 73, 79, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199 etc. These divisors include 70 of the 168 primes ≤103; 156 of the 1229 primes ≤104; 296 of the 9592 primes ≤105; 470 of the 78498 primes ≤106; etc. An odd prime p divides 2232792560 − 1 iff order of 2 in the multiplicative group F∗

p

divides s = 232792560. Many ways for this to happen: 232792560 has 960 divisors. Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : : ; 20} = 24 · 32 · 5 · 7 · 11 · 13 · 17 ·

30

The p − 1 method S1 = 2232792560 − 1 has prime divisors 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 53, 61, 67, 71, 73, 79, 89, 97, 103, 109, 113, 127, 131, 137, 151, 157, 181, 191, 199 etc. These divisors include 70 of the 168 primes ≤103; 156 of the 1229 primes ≤104; 296 of the 9592 primes ≤105; 470 of the 78498 primes ≤106; etc.

31

An odd prime p divides 2232792560 − 1 iff order of 2 in the multiplicative group F∗

p

divides s = 232792560. Many ways for this to happen: 232792560 has 960 divisors. Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : : ; 20} = 24 · 32 · 5 · 7 · 11 · 13 · 17 · 19.

30

− 1 method

232792560 − 1

rime divisors 7, 11, 13, 17, 19, 23, 29, 31, 41, 43, 53, 61, 67, 71, 73, 79, 97, 103, 109, 113, 127, 131, 151, 157, 181, 191, 199 etc. divisors include the 168 primes ≤103; the 1229 primes ≤104; the 9592 primes ≤105; the 78498 primes ≤106;

31

An odd prime p divides 2232792560 − 1 iff order of 2 in the multiplicative group F∗

p

divides s = 232792560. Many ways for this to happen: 232792560 has 960 divisors. Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : : ; 20} = 24 · 32 · 5 · 7 · 11 · 13 · 17 · 19. Can compute using 41 (Side note: Ring operation: This computation: 22 = 2 · 2; 212 = 26· 255; 2110 23552; 27104 256834;2113668 2909345; 2 23637383; 214549535 2116396280

30

method − 1 rs 17, 19, 23, 29, 31, 61, 67, 71, 73, 79, 109, 113, 127, 131, 181, 191, 199 etc. include rimes ≤103; primes ≤104; primes ≤105; 78498 primes ≤106;

31

An odd prime p divides 2232792560 − 1 iff order of 2 in the multiplicative group F∗

p

divides s = 232792560. Many ways for this to happen: 232792560 has 960 divisors. Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : : ; 20} = 24 · 32 · 5 · 7 · 11 · 13 · 17 · 19. Can compute 2232792560 using 41 ring operations. (Side note: 41 is not Ring operation: 0, This computation: 22 = 2 · 2; 23 = 22 212 = 26·26; 213 = 2 255; 2110; 2111; 2222 23552; 27104; 214208 256834;2113668;2227336 2909345; 21818690; 2 23637383; 27274766; 2 214549535; 229099070 2116396280; 2232792560

30

23, 29, 31, 73, 79, 127, 131, 199 etc. ; 104; 105; 106;

31

An odd prime p divides 2232792560 − 1 iff order of 2 in the multiplicative group F∗

p

divides s = 232792560. Many ways for this to happen: 232792560 has 960 divisors. Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : : ; 20} = 24 · 32 · 5 · 7 · 11 · 13 · 17 · 19. Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, This computation: 1; 2 = 1 22 = 2 · 2; 23 = 22 · 2; 26 = 2 212 = 26·26; 213 = 212·2; 226; 255; 2110; 2111; 2222; 2444; 2888 23552; 27104; 214208; 228416; 228417 256834;2113668;2227336;2454672 2909345; 21818690; 21818691; 23637382 23637383; 27274766; 27274767; 2 214549535; 229099070; 258198140 2116396280; 2232792560; 2232792560

31

An odd prime p divides 2232792560 − 1 iff order of 2 in the multiplicative group F∗

p

divides s = 232792560. Many ways for this to happen: 232792560 has 960 divisors. Why so many? Answer: s = 232792560 = lcm{1; 2; 3; 4; : : : ; 20} = 24 · 32 · 5 · 7 · 11 · 13 · 17 · 19.

32

Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, ·. This computation: 1; 2 = 1 + 1; 22 = 2 · 2; 23 = 22 · 2; 26 = 23 · 23; 212 = 26·26; 213 = 212·2; 226; 227; 254; 255; 2110; 2111; 2222; 2444; 2888; 21776; 23552; 27104; 214208; 228416; 228417; 256834;2113668;2227336;2454672;2909344; 2909345; 21818690; 21818691; 23637382; 23637383; 27274766; 27274767; 214549534; 214549535; 229099070; 258198140; 2116396280; 2232792560; 2232792560−1.

31

dd prime p 2232792560 − 1 rder of 2 in the multiplicative group F∗

p

s = 232792560. ways for this to happen: 232792560 has 960 divisors. so many? er: s = 232792560 {1; 2; 3; 4; : : : ; 20} 32 · 5 · 7 · 11 · 13 · 17 · 19.

32

Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, ·. This computation: 1; 2 = 1 + 1; 22 = 2 · 2; 23 = 22 · 2; 26 = 23 · 23; 212 = 26·26; 213 = 212·2; 226; 227; 254; 255; 2110; 2111; 2222; 2444; 2888; 21776; 23552; 27104; 214208; 228416; 228417; 256834;2113668;2227336;2454672;2909344; 2909345; 21818690; 21818691; 23637382; 23637383; 27274766; 27274767; 214549534; 214549535; 229099070; 258198140; 2116396280; 2232792560; 2232792560−1. Given positive can compute using 41 Notation: e.g. n = 227 mod 254 mod 255 mod 2110 mod 2232792560

31

232792560 − 1

the group F∗

p

232792560. this to happen: 960 divisors. 232792560 : : : ; 20} 11 · 13 · 17 · 19.

32

Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, ·. This computation: 1; 2 = 1 + 1; 22 = 2 · 2; 23 = 22 · 2; 26 = 23 · 23; 212 = 26·26; 213 = 212·2; 226; 227; 254; 255; 2110; 2111; 2222; 2444; 2888; 21776; 23552; 27104; 214208; 228416; 228417; 256834;2113668;2227336;2454672;2909344; 2909345; 21818690; 21818691; 23637382; 23637383; 27274766; 27274767; 214549534; 214549535; 229099070; 258198140; 2116396280; 2232792560; 2232792560−1. Given positive intege can compute 2232792560 using 41 operations Notation: a mod b e.g. n = 8597231219: 227 mod n = 134217728; 254 mod n = 134217728 = 935663516; 255 mod n = 1871327032; 2110 mod n = 1871327032 = 1458876811; 2232792560−1 mod n

31

happen: rs. 17 · 19.

32

Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, ·. This computation: 1; 2 = 1 + 1; 22 = 2 · 2; 23 = 22 · 2; 26 = 23 · 23; 212 = 26·26; 213 = 212·2; 226; 227; 254; 255; 2110; 2111; 2222; 2444; 2888; 21776; 23552; 27104; 214208; 228416; 228417; 256834;2113668;2227336;2454672;2909344; 2909345; 21818690; 21818691; 23637382; 23637383; 27274766; 27274767; 214549534; 214549535; 229099070; 258198140; 2116396280; 2232792560; 2232792560−1. Given positive integer n, can compute 2232792560 − 1 mo using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mo = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mo = 1458876811; : 2232792560−1 mod n = 5626089344.

32

Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, ·. This computation: 1; 2 = 1 + 1; 22 = 2 · 2; 23 = 22 · 2; 26 = 23 · 23; 212 = 26·26; 213 = 212·2; 226; 227; 254; 255; 2110; 2111; 2222; 2444; 2888; 21776; 23552; 27104; 214208; 228416; 228417; 256834;2113668;2227336;2454672;2909344; 2909345; 21818690; 21818691; 23637382; 23637383; 27274766; 27274767; 214549534; 214549535; 229099070; 258198140; 2116396280; 2232792560; 2232792560−1.

33

Given positive integer n, can compute 2232792560 − 1 mod n using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mod n = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mod n = 1458876811; : : : ; 2232792560−1 mod n = 5626089344.

32

Can compute 2232792560 − 1 using 41 ring operations. (Side note: 41 is not minimal.) Ring operation: 0, 1, +, −, ·. This computation: 1; 2 = 1 + 1; 22 = 2 · 2; 23 = 22 · 2; 26 = 23 · 23; 212 = 26·26; 213 = 212·2; 226; 227; 254; 255; 2110; 2111; 2222; 2444; 2888; 21776; 23552; 27104; 214208; 228416; 228417; 256834;2113668;2227336;2454672;2909344; 2909345; 21818690; 21818691; 23637382; 23637383; 27274766; 27274767; 214549534; 214549535; 229099070; 258198140; 2116396280; 2232792560; 2232792560−1.

33

Given positive integer n, can compute 2232792560 − 1 mod n using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mod n = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mod n = 1458876811; : : : ; 2232792560−1 mod n = 5626089344. Easy extra computation (Euclid): gcd{5626089344; n} = 991.

32

compute 2232792560 − 1 41 ring operations. note: 41 is not minimal.)

• peration: 0, 1, +, −, ·.

computation: 1; 2 = 1 + 1; · 2; 23 = 22 · 2; 26 = 23 · 23; 26·26; 213 = 212·2; 226; 227; 254;

110; 2111; 2222; 2444; 2888; 21776;

27104; 214208; 228416; 228417; ;2113668;2227336;2454672;2909344; ; 21818690; 21818691; 23637382;

3637383; 27274766; 27274767; 214549534; 14549535; 229099070; 258198140; 116396280; 2232792560; 2232792560−1.

33

Given positive integer n, can compute 2232792560 − 1 mod n using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mod n = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mod n = 1458876811; : : : ; 2232792560−1 mod n = 5626089344. Easy extra computation (Euclid): gcd{5626089344; n} = 991. This p − quickly facto Main wo Could instead n’s divisibilit The 167th would ha Not clear Dividing is faster The p −

• nly 70 of

trial division

32

232792560 − 1

erations. is not minimal.) 0, 1, +, −, ·. computation: 1; 2 = 1 + 1; 22 · 2; 26 = 23 · 23; = 212·2; 226; 227; 254;

222; 2444; 2888; 21776; 14208; 228416; 228417; 227336;2454672;2909344;

; 21818691; 23637382; ; 27274767; 214549534;

29099070; 258198140; 232792560; 2232792560−1.

33

Given positive integer n, can compute 2232792560 − 1 mod n using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mod n = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mod n = 1458876811; : : : ; 2232792560−1 mod n = 5626089344. Easy extra computation (Euclid): gcd{5626089344; n} = 991. This p − 1 method quickly factored n Main work: 27 squa Could instead have n’s divisibility by 2 The 167th trial division would have found Not clear which metho Dividing by small p is faster than squa The p − 1 method

• nly 70 of the primes

trial division finds

32

1 minimal.) , ·. 1 + 1; 23 · 23;

26; 227; 254; 888; 21776;

; 228417;

454672;2909344;

23637382; ; 214549534;

58198140; 232792560−1.

33

Given positive integer n, can compute 2232792560 − 1 mod n using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mod n = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mod n = 1458876811; : : : ; 2232792560−1 mod n = 5626089344. Easy extra computation (Euclid): gcd{5626089344; n} = 991. This p − 1 method (1974 Polla quickly factored n = 8597231219. Main work: 27 squarings mo Could instead have checked n’s divisibility by 2; 3; 5; : : :. The 167th trial division would have found divisor 991. Not clear which method is b Dividing by small p is faster than squaring mod n The p − 1 method finds

• nly 70 of the primes ≤1000;

trial division finds all 168 pri

33

Given positive integer n, can compute 2232792560 − 1 mod n using 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. e.g. n = 8597231219: : : : 227 mod n = 134217728; 254 mod n = 1342177282 mod n = 935663516; 255 mod n = 1871327032; 2110 mod n = 18713270322 mod n = 1458876811; : : : ; 2232792560−1 mod n = 5626089344. Easy extra computation (Euclid): gcd{5626089344; n} = 991.

34

This p − 1 method (1974 Pollard) quickly factored n = 8597231219. Main work: 27 squarings mod n. Could instead have checked n’s divisibility by 2; 3; 5; : : :. The 167th trial division would have found divisor 991. Not clear which method is better. Dividing by small p is faster than squaring mod n. The p − 1 method finds

• nly 70 of the primes ≤1000;

trial division finds all 168 primes.

33

positive integer n, compute 2232792560 − 1 mod n 41 operations in Z=n. Notation: a mod b = a − b⌊a=b⌋. = 8597231219: : : : mod n = 134217728; mod n = 1342177282 mod n = 935663516; mod n = 1871327032; mod n = 18713270322 mod n = 1458876811; : : : ;

232792560−1 mod n = 5626089344.

extra computation (Euclid): 5626089344; n} = 991.

34

This p − 1 method (1974 Pollard) quickly factored n = 8597231219. Main work: 27 squarings mod n. Could instead have checked n’s divisibility by 2; 3; 5; : : :. The 167th trial division would have found divisor 991. Not clear which method is better. Dividing by small p is faster than squaring mod n. The p − 1 method finds

• nly 70 of the primes ≤1000;

trial division finds all 168 primes. Scale up s = lcm{ using 136 find 2317 Is a squa faster than Or s = lcm using 1438 find 180121 Is a squa faster than Extra benefit: no need

33

integer n,

232792560 − 1 mod n

erations in Z=n. b = a − b⌊a=b⌋. 8597231219: : : : 134217728; 1342177282 mod n 935663516; 1871327032; 18713270322 mod n 1458876811; : : : ; d n = 5626089344. computation (Euclid): ; n} = 991.

34

This p − 1 method (1974 Pollard) quickly factored n = 8597231219. Main work: 27 squarings mod n. Could instead have checked n’s divisibility by 2; 3; 5; : : :. The 167th trial division would have found divisor 991. Not clear which method is better. Dividing by small p is faster than squaring mod n. The p − 1 method finds

• nly 70 of the primes ≤1000;

trial division finds all 168 primes. Scale up to larger s = lcm{1; 2; 3; 4; : using 136 squarings find 2317 of the primes Is a squaring mod faster than 17 trial Or s = lcm{1; 2; 3; using 1438 squarings find 180121 of the Is a squaring mod faster than 125 trial Extra benefit: no need to store the

33

1 mod n . ⌊a=b⌋. mod n 1871327032; mod n 1458876811; : : : ; 5626089344. (Euclid): 991.

34

This p − 1 method (1974 Pollard) quickly factored n = 8597231219. Main work: 27 squarings mod n. Could instead have checked n’s divisibility by 2; 3; 5; : : :. The 167th trial division would have found divisor 991. Not clear which method is better. Dividing by small p is faster than squaring mod n. The p − 1 method finds

• nly 70 of the primes ≤1000;

trial division finds all 168 primes. Scale up to larger exponent s = lcm{1; 2; 3; 4; : : : ; 100}: using 136 squarings mod n find 2317 of the primes ≤10 Is a squaring mod n faster than 17 trial divisions? Or s = lcm{1; 2; 3; 4; : : : ; 1000 using 1438 squarings mod n find 180121 of the primes ≤ Is a squaring mod n faster than 125 trial divisions? Extra benefit: no need to store the primes.

34

This p − 1 method (1974 Pollard) quickly factored n = 8597231219. Main work: 27 squarings mod n. Could instead have checked n’s divisibility by 2; 3; 5; : : :. The 167th trial division would have found divisor 991. Not clear which method is better. Dividing by small p is faster than squaring mod n. The p − 1 method finds

• nly 70 of the primes ≤1000;

trial division finds all 168 primes.

35

Scale up to larger exponent s = lcm{1; 2; 3; 4; : : : ; 100}: using 136 squarings mod n find 2317 of the primes ≤105. Is a squaring mod n faster than 17 trial divisions? Or s = lcm{1; 2; 3; 4; : : : ; 1000}: using 1438 squarings mod n find 180121 of the primes ≤107. Is a squaring mod n faster than 125 trial divisions? Extra benefit: no need to store the primes.

34

− 1 method (1974 Pollard) quickly factored n = 8597231219. work: 27 squarings mod n. instead have checked divisibility by 2; 3; 5; : : :. 167th trial division have found divisor 991. clear which method is better. Dividing by small p faster than squaring mod n. − 1 method finds 70 of the primes ≤1000; division finds all 168 primes.

35

Scale up to larger exponent s = lcm{1; 2; 3; 4; : : : ; 100}: using 136 squarings mod n find 2317 of the primes ≤105. Is a squaring mod n faster than 17 trial divisions? Or s = lcm{1; 2; 3; 4; : : : ; 1000}: using 1438 squarings mod n find 180121 of the primes ≤107. Is a squaring mod n faster than 125 trial divisions? Extra benefit: no need to store the primes. Plausible exp q` 1

2

then p− for H=K Same if p

• rder of

So uniform divides 2 with prob (1:4 : : : + produce Similar time finds far

34

method (1974 Pollard) n = 8597231219. squarings mod n. ve checked 2; 3; 5; : : :. division found divisor 991. method is better. small p squaring mod n. method finds rimes ≤1000; s all 168 primes.

35

Scale up to larger exponent s = lcm{1; 2; 3; 4; : : : ; 100}: using 136 squarings mod n find 2317 of the primes ≤105. Is a squaring mod n faster than 17 trial divisions? Or s = lcm{1; 2; 3; 4; : : : ; 1000}: using 1438 squarings mod n find 180121 of the primes ≤107. Is a squaring mod n faster than 125 trial divisions? Extra benefit: no need to store the primes. Plausible conjecture: exp q` 1

2 + o(1)

´ log then p−1 divides lcm for H=K1+o(1) primes Same if p − 1 is replaced

• rder of 2 in F∗

p.

So uniform random divides 2lcm{1;2;:::;K with probability 1=K (1:4 : : : + o(1))K squa produce 2lcm{1;2;:::;K Similar time spent finds far fewer prime

34

Pollard) 8597231219. mod n. ed :. 991. better. d n. 1000; primes.

35

Scale up to larger exponent s = lcm{1; 2; 3; 4; : : : ; 100}: using 136 squarings mod n find 2317 of the primes ≤105. Is a squaring mod n faster than 17 trial divisions? Or s = lcm{1; 2; 3; 4; : : : ; 1000}: using 1438 squarings mod n find 180121 of the primes ≤107. Is a squaring mod n faster than 125 trial divisions? Extra benefit: no need to store the primes. Plausible conjecture: if K is exp q` 1

2 + o(1)

´ log H log log then p−1 divides lcm{1; 2; : : for H=K1+o(1) primes p ≤ H Same if p − 1 is replaced by

• rder of 2 in F∗

p.

So uniform random prime p divides 2lcm{1;2;:::;K} − 1 with probability 1=K1+o(1). (1:4 : : : + o(1))K squarings mo produce 2lcm{1;2;:::;K} − 1 mo Similar time spent on trial division finds far fewer primes for large

35

Scale up to larger exponent s = lcm{1; 2; 3; 4; : : : ; 100}: using 136 squarings mod n find 2317 of the primes ≤105. Is a squaring mod n faster than 17 trial divisions? Or s = lcm{1; 2; 3; 4; : : : ; 1000}: using 1438 squarings mod n find 180121 of the primes ≤107. Is a squaring mod n faster than 125 trial divisions? Extra benefit: no need to store the primes.

36

Plausible conjecture: if K is exp q` 1

2 + o(1)

´ log H log log H then p−1 divides lcm{1; 2; : : : ; K} for H=K1+o(1) primes p ≤ H. Same if p − 1 is replaced by

• rder of 2 in F∗

p.

So uniform random prime p ≤ H divides 2lcm{1;2;:::;K} − 1 with probability 1=K1+o(1). (1:4 : : : + o(1))K squarings mod n produce 2lcm{1;2;:::;K} − 1 mod n. Similar time spent on trial division finds far fewer primes for large H.

35

up to larger exponent lcm{1; 2; 3; 4; : : : ; 100}: 136 squarings mod n 2317 of the primes ≤105. squaring mod n than 17 trial divisions? lcm{1; 2; 3; 4; : : : ; 1000}: 1438 squarings mod n 180121 of the primes ≤107. squaring mod n than 125 trial divisions? benefit: need to store the primes.

36

Plausible conjecture: if K is exp q` 1

2 + o(1)

´ log H log log H then p−1 divides lcm{1; 2; : : : ; K} for H=K1+o(1) primes p ≤ H. Same if p − 1 is replaced by

• rder of 2 in F∗

p.

So uniform random prime p ≤ H divides 2lcm{1;2;:::;K} − 1 with probability 1=K1+o(1). (1:4 : : : + o(1))K squarings mod n produce 2lcm{1;2;:::;K} − 1 mod n. Similar time spent on trial division finds far fewer primes for large H. The p + (1982 Williams) Define (X 232792560th (3=5; 4=5) The integer is divisible 82 of the 223 of the 455 of the 720 of the etc.

35

rger exponent 4; : : : ; 100}: rings mod n primes ≤105. d n trial divisions? ; 3; 4; : : : ; 1000}: rings mod n the primes ≤107. d n trial divisions? the primes.

36

Plausible conjecture: if K is exp q` 1

2 + o(1)

´ log H log log H then p−1 divides lcm{1; 2; : : : ; K} for H=K1+o(1) primes p ≤ H. Same if p − 1 is replaced by

• rder of 2 in F∗

p.

So uniform random prime p ≤ H divides 2lcm{1;2;:::;K} − 1 with probability 1=K1+o(1). (1:4 : : : + o(1))K squarings mod n produce 2lcm{1;2;:::;K} − 1 mod n. Similar time spent on trial division finds far fewer primes for large H. The p + 1 factorization (1982 Williams) Define (X; Y ) ∈ Q 232792560th multiple (3=5; 4=5) in the group The integer S2 = 5 is divisible by 82 of the primes ≤ 223 of the primes 455 of the primes 720 of the primes etc.

35

• nent

}: 105. divisions? 1000}: n ≤107. divisions? rimes.

36

Plausible conjecture: if K is exp q` 1

2 + o(1)

´ log H log log H then p−1 divides lcm{1; 2; : : : ; K} for H=K1+o(1) primes p ≤ H. Same if p − 1 is replaced by

• rder of 2 in F∗

p.

So uniform random prime p ≤ H divides 2lcm{1;2;:::;K} − 1 with probability 1=K1+o(1). (1:4 : : : + o(1))K squarings mod n produce 2lcm{1;2;:::;K} − 1 mod n. Similar time spent on trial division finds far fewer primes for large H. The p + 1 factorization metho (1982 Williams) Define (X; Y ) ∈ Q × Q as the 232792560th multiple of (3=5; 4=5) in the group Clock( The integer S2 = 5232792560X is divisible by 82 of the primes ≤103; 223 of the primes ≤104; 455 of the primes ≤105; 720 of the primes ≤106; etc.

36

Plausible conjecture: if K is exp q` 1

2 + o(1)

´ log H log log H then p−1 divides lcm{1; 2; : : : ; K} for H=K1+o(1) primes p ≤ H. Same if p − 1 is replaced by

• rder of 2 in F∗

p.

So uniform random prime p ≤ H divides 2lcm{1;2;:::;K} − 1 with probability 1=K1+o(1). (1:4 : : : + o(1))K squarings mod n produce 2lcm{1;2;:::;K} − 1 mod n. Similar time spent on trial division finds far fewer primes for large H.

37

The p + 1 factorization method (1982 Williams) Define (X; Y ) ∈ Q × Q as the 232792560th multiple of (3=5; 4=5) in the group Clock(Q). The integer S2 = 5232792560X is divisible by 82 of the primes ≤103; 223 of the primes ≤104; 455 of the primes ≤105; 720 of the primes ≤106; etc.

36

Plausible conjecture: if K is ` 1

2 + o(1)

´ log H log log H −1 divides lcm{1; 2; : : : ; K} =K1+o(1) primes p ≤ H. if p − 1 is replaced by

• f 2 in F∗

p.

uniform random prime p ≤ H 2lcm{1;2;:::;K} − 1 robability 1=K1+o(1). : + o(1))K squarings mod n duce 2lcm{1;2;:::;K} − 1 mod n. r time spent on trial division far fewer primes for large H.

37

The p + 1 factorization method (1982 Williams) Define (X; Y ) ∈ Q × Q as the 232792560th multiple of (3=5; 4=5) in the group Clock(Q). The integer S2 = 5232792560X is divisible by 82 of the primes ≤103; 223 of the primes ≤104; 455 of the primes ≤105; 720 of the primes ≤106; etc. Given an compute and compute hoping to Many p’s are found If −1 is not and p + then 5232792560 Proof: p so (4=5 + so (p + 1)(3 in the group so 232792560(3

36

conjecture: if K is ´ log H log log H divides lcm{1; 2; : : : ; K} rimes p ≤ H. replaced by . random prime p ≤ H

;:::;K} − 1

1=K1+o(1). squarings mod n

;:::;K} − 1 mod n.

ent on trial division rimes for large H.

37

The p + 1 factorization method (1982 Williams) Define (X; Y ) ∈ Q × Q as the 232792560th multiple of (3=5; 4=5) in the group Clock(Q). The integer S2 = 5232792560X is divisible by 82 of the primes ≤103; 223 of the primes ≤104; 455 of the primes ≤105; 720 of the primes ≤106; etc. Given an integer n compute 5232792560 and compute gcd with hoping to factor n Many p’s not foun are found by Clock( If −1 is not a squa and p + 1 divides 232792560 then 5232792560X mo Proof: p ≡ 3 (mo so (4=5 + 3i=5)p = so (p + 1)(3=5; 4=5) in the group Clock( so 232792560(3=5;

36

is log H ; : : : ; K} H. by p ≤ H . rings mod n mod n. division large H.

37

The p + 1 factorization method (1982 Williams) Define (X; Y ) ∈ Q × Q as the 232792560th multiple of (3=5; 4=5) in the group Clock(Q). The integer S2 = 5232792560X is divisible by 82 of the primes ≤103; 223 of the primes ≤104; 455 of the primes ≤105; 720 of the primes ≤106; etc. Given an integer n, compute 5232792560X mod n and compute gcd with n, hoping to factor n. Many p’s not found by F∗

p

are found by Clock(Fp). If −1 is not a square mod p and p + 1 divides 232792560 then 5232792560X mod p = 0. Proof: p ≡ 3 (mod 4), so (4=5 + 3i=5)p = 4=5 − 3i= so (p + 1)(3=5; 4=5) = (0; 1) in the group Clock(Fp), so 232792560(3=5; 4=5) = (0

37

The p + 1 factorization method (1982 Williams) Define (X; Y ) ∈ Q × Q as the 232792560th multiple of (3=5; 4=5) in the group Clock(Q). The integer S2 = 5232792560X is divisible by 82 of the primes ≤103; 223 of the primes ≤104; 455 of the primes ≤105; 720 of the primes ≤106; etc.

38

Given an integer n, compute 5232792560X mod n and compute gcd with n, hoping to factor n. Many p’s not found by F∗

p

are found by Clock(Fp). If −1 is not a square mod p and p + 1 divides 232792560 then 5232792560X mod p = 0. Proof: p ≡ 3 (mod 4), so (4=5 + 3i=5)p = 4=5 − 3i=5, so (p + 1)(3=5; 4=5) = (0; 1) in the group Clock(Fp), so 232792560(3=5; 4=5) = (0; 1).

37

+ 1 factorization method Williams) (X; Y ) ∈ Q × Q as the 232792560th multiple of =5) in the group Clock(Q). integer S2 = 5232792560X divisible by the primes ≤103; the primes ≤104; the primes ≤105; the primes ≤106;

38

Given an integer n, compute 5232792560X mod n and compute gcd with n, hoping to factor n. Many p’s not found by F∗

p

are found by Clock(Fp). If −1 is not a square mod p and p + 1 divides 232792560 then 5232792560X mod p = 0. Proof: p ≡ 3 (mod 4), so (4=5 + 3i=5)p = 4=5 − 3i=5, so (p + 1)(3=5; 4=5) = (0; 1) in the group Clock(Fp), so 232792560(3=5; 4=5) = (0; 1). The elliptic-curve Replace a random Order of ∈ [p + 1 If a curve Good news All primes seem to reasonable Time sub

37

rization method Q × Q as the multiple of group Clock(Q). 5232792560X ≤103; rimes ≤104; rimes ≤105; rimes ≤106;

38

Given an integer n, compute 5232792560X mod n and compute gcd with n, hoping to factor n. Many p’s not found by F∗

p

are found by Clock(Fp). If −1 is not a square mod p and p + 1 divides 232792560 then 5232792560X mod p = 0. Proof: p ≡ 3 (mod 4), so (4=5 + 3i=5)p = 4=5 − 3i=5, so (p + 1)(3=5; 4=5) = (0; 1) in the group Clock(Fp), so 232792560(3=5; 4=5) = (0; 1). The elliptic-curve metho Replace clock group a random elliptic curve. Order of elliptic-curve ∈ [p + 1 − 2√p; p If a curve fails, try Good news (for the All primes ≤H seem to be found after reasonable number Time subexponential

37

method the Clock(Q).

232792560X

38

Given an integer n, compute 5232792560X mod n and compute gcd with n, hoping to factor n. Many p’s not found by F∗

p

are found by Clock(Fp). If −1 is not a square mod p and p + 1 divides 232792560 then 5232792560X mod p = 0. Proof: p ≡ 3 (mod 4), so (4=5 + 3i=5)p = 4=5 − 3i=5, so (p + 1)(3=5; 4=5) = (0; 1) in the group Clock(Fp), so 232792560(3=5; 4=5) = (0; 1). The elliptic-curve method Replace clock group with a random elliptic curve. Order of elliptic-curve group ∈ [p + 1 − 2√p; p + 1 + 2√p If a curve fails, try another. Good news (for the attacker): All primes ≤H seem to be found after a reasonable number of curves. Time subexponential in H.

38

Given an integer n, compute 5232792560X mod n and compute gcd with n, hoping to factor n. Many p’s not found by F∗

p

are found by Clock(Fp). If −1 is not a square mod p and p + 1 divides 232792560 then 5232792560X mod p = 0. Proof: p ≡ 3 (mod 4), so (4=5 + 3i=5)p = 4=5 − 3i=5, so (p + 1)(3=5; 4=5) = (0; 1) in the group Clock(Fp), so 232792560(3=5; 4=5) = (0; 1).

39

The elliptic-curve method Replace clock group with a random elliptic curve. Order of elliptic-curve group ∈ [p + 1 − 2√p; p + 1 + 2√p]. If a curve fails, try another. Good news (for the attacker): All primes ≤H seem to be found after a reasonable number of curves. Time subexponential in H.

38

an integer n, compute 5232792560X mod n compute gcd with n, to factor n. p’s not found by F∗

p

• und by Clock(Fp).

is not a square mod p + 1 divides 232792560

232792560X mod p = 0.

p ≡ 3 (mod 4), 5 + 3i=5)p = 4=5 − 3i=5, 1)(3=5; 4=5) = (0; 1) group Clock(Fp), 232792560(3=5; 4=5) = (0; 1).

39

The elliptic-curve method Replace clock group with a random elliptic curve. Order of elliptic-curve group ∈ [p + 1 − 2√p; p + 1 + 2√p]. If a curve fails, try another. Good news (for the attacker): All primes ≤H seem to be found after a reasonable number of curves. Time subexponential in H. More readin eecm.cr.yp.to cr.yp.to/papers.html#batchnfs smartfacts.cr.yp.to “Factorin certified Coppersmith eprint.iacr.org/2016/961 “A kilobit logarithm eprint.iacr.org/2017/142 “Computing application [lattice-based]

38

n,

232792560X mod n

gcd with n, n. found by F∗

p

ck(Fp). square mod p divides 232792560 mod p = 0. (mod 4), = 4=5 − 3i=5, =5) = (0; 1) ck(Fp), 5; 4=5) = (0; 1).

39

The elliptic-curve method Replace clock group with a random elliptic curve. Order of elliptic-curve group ∈ [p + 1 − 2√p; p + 1 + 2√p]. If a curve fails, try another. Good news (for the attacker): All primes ≤H seem to be found after a reasonable number of curves. Time subexponential in H. More reading eecm.cr.yp.to cr.yp.to/papers.html#batchnfs smartfacts.cr.yp.to “Factoring RSA keys certified smart cards: Coppersmith in the eprint.iacr.org/2016/961 “A kilobit hidden SNFS logarithm computation eprint.iacr.org/2017/142 “Computing generato application to crypta [lattice-based] FHE

38

n p 232792560 0. 3i=5, 1) (0; 1).

39

The elliptic-curve method Replace clock group with a random elliptic curve. Order of elliptic-curve group ∈ [p + 1 − 2√p; p + 1 + 2√p]. If a curve fails, try another. Good news (for the attacker): All primes ≤H seem to be found after a reasonable number of curves. Time subexponential in H. More reading eecm.cr.yp.to cr.yp.to/papers.html#batchnfs smartfacts.cr.yp.to “Factoring RSA keys from certified smart cards: Coppersmith in the wild” eprint.iacr.org/2016/961 “A kilobit hidden SNFS discrete logarithm computation” eprint.iacr.org/2017/142 “Computing generator : : : and application to cryptanalysis of [lattice-based] FHE scheme”

39

The elliptic-curve method Replace clock group with a random elliptic curve. Order of elliptic-curve group ∈ [p + 1 − 2√p; p + 1 + 2√p]. If a curve fails, try another. Good news (for the attacker): All primes ≤H seem to be found after a reasonable number of curves. Time subexponential in H.

40

More reading eecm.cr.yp.to cr.yp.to/papers.html#batchnfs smartfacts.cr.yp.to “Factoring RSA keys from certified smart cards: Coppersmith in the wild” eprint.iacr.org/2016/961 “A kilobit hidden SNFS discrete logarithm computation” eprint.iacr.org/2017/142 “Computing generator : : : and application to cryptanalysis of a [lattice-based] FHE scheme”