# Notes on Factoring. MA 206 Kurt Bryan

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 The General Approach Notes on Factoring MA 26 Kurt Bryan Suppose I hand you n, a 2 digit integer and tell you that n is composite, with smallest prime factor around 5 digits. Finding a nontrivial factor of n will be extremely difficult. Now suppose I give you another number m, also 2 digits, and ask you to find a factor. Looks like I ve doubled your work. But if I tell you that m and n share a common factor, your task is almost trivial: just compute (m, n) with Euclid s Algorithm, which is very fast. If m and n share a divisor then (m, n) > and you ve got a proper divisor of n (unless n m). This is the idea of most factorization methods to find a factor of n we try to cook up a second number m such that (m, n) >. One common strategy for finding such a factor is to look for solutions to the congruence x 2 y 2 (mod n). () Suppose we find such a solution. Suppose also (as is likely see below) it turns out that x ±y (mod n). Then (x y, n) > and (x+y, n) >, and so we ve found a proper factor of n, for equation () really says that n (x 2 y 2 ), or equivalently n (x y)(x+y). But if x ±y (mod n) then n doesn t divide x y or x + y. Therefore n = n n where n (x y) and n (x + y). Clearly n, n >, and so (x y, n) n > and (x + y, n) n >. The methods for factoring described below all look for solutions to equation (). They don t specifically enforce x ±y (mod n), but rather hope that this is true so that (x y, n) and/or (x+y, n) will yield nontrivial factors of n. What are the odds that this will be true? Lemma: Let n be odd and composite, with at least two distinct prime factors. For any fixed y, at least /2 of the x which satisfy x 2 y 2 (mod n) for y also satisfy x ±y (mod n). Proof: We already essentially proved this, when we did coin flipping by telephone. But I ll give a quick recap. If n is odd and composite with at least two distinct prime factors then we can write n = n n where (n, n ) = and of course both are odd and

2 greater than. You can easily check that x 2 y 2 (mod n) x 2 y 2 (mod n ), x 2 y 2 (mod n ). (This doesn t rely on n being odd, just (n, n ) = ). Now consider the congruence x 2 y 2 (mod n ). This has AT LEAST two solutions for x, namely x ±y. Note that because n is odd, y and y must be distinct (mod n ), so this really is two solutions. There may be more. Let x y (mod n ). Similar remarks apply to x 2 y 2 (mod n ); let x 2 y (mod n ). Now choose integers r and s so that rn + sn =. Again, we re using (n, n ) =. Consider the four possible values of x defined by x = ±sn x ± rn x 2 (mod n) obtained by taking all possible ± combinations. You can easily check that all four values are distinct (mod n), and all satisfy both x 2 y 2 (mod n ) and x 2 y 2 (mod n ), and hence x 2 y 2 (mod n). We conclude that x 2 y 2 (mod n) has AT LEAST 4 solutions, only two of which are x ±y (mod n). This proves the assertion. In the case that n = pq you can check that there are exactly four solutions (this is exactly what we did in coin flipping by telephone). Kraitchik s Algorithm This is best done with an example. Let s factor n = 86. Define the polynomial Q(x) = x 2 n and let x = [ n]. In this case x = 36. Let x k = x +k and compute Q(x k ) for a few values of k. You obtain the following k x k Q(x k ) = (2 3 )(3)(7) = (443) = (2 4 )(3 2 )(5) = (3 3 )(37) = (2 8 )(5) Now notice that Q(39)Q(4) = = ( ) 2 = 96 2 is a perfect square. Put another way, (39 2 n)(4 2 n) =

3 Modulo n this is simply (39 4) and we have a solution to x 2 y 2 (mod n), with x (39)(4) (mod n) = 998 and y 96 (mod n) = 96. Now compute (86, ) = 979, (86, ) = 9 and we have nontrivial factors of n. The general procedure for Kraitchik s algorithm is this. Given an integer n to factor, we let Q(x) = x 2 n and x = [ n]. We then consider Q(x k ) with x k = x + k for k =, 2,.... We look for products of the Q(x k ) which form perfect squares. If we find that Q(x k )Q(x k2 ) Q(x km ) = y 2 then, noting that this is just (x 2 k n) (x 2 k m n), it follows that modulo n we have x 2 k x 2 k m y 2, so we have a solution to x 2 y 2 (mod n) with x = x k x km and y = Q(x k ) Q(x km ). We then compute (x ± y, n) and hope it provides a nontrivial factor of n. If it doesn t we look for another combination of the Q s that form a perfect square and try again. Note that there is nothing absolutely necessary about using x k = [ n]+k; any choice for integers x k can work, but this choice for x k has the advantage that Q(x k ) will be relatively small (compared to n) if k is small (think about it). As a result Q(x k ) is more likely to factor into smaller primes, making the task of combining the Q s to form perfect squares easier. The Morrison-Brillhart Algorithm I ll explain this in two steps. The first obvious difficulty for the above algorithm is that forming a perfect square from the Q s appears to be a trial and error method. For a computer program it would be nice to have a more systematic approach. Here is one such approach. Let us choose a factor base B consisting of small primes. As an example, for n = 86 we ll choose B = [2, 3, 5, 7, ], the first 5 primes. As before, we let x k = [ n] + k and we compute Q(x k ) for k =, 2,.... We find Q(37) = 68. Note that 68 factors over B, i.e., 68 can be expressed entirely in terms 3

4 of the primes in B, as 68 = (2 3 )(3)(7). However, Q(38) = 443 does not factor over B, so discard it. But Q(39) = 72 = (2 4 )(3 2 )(5) factors over B. Do this for a few values of k and collect the results in the table below, listing with each value of Q(x k ) that splits over B the corresponding power to which each prime appears in the factorization of Q(x k ): k x k Q(x k ) Now look for linear combinations of the rows of the table above which add up to even powers for each prime. For example, the k = 3 and k = 5 rows add to give the exponent vector [2 2 2 ], corresponding to a perfect square In fact, the table above encodes more information than needed to look for perfect squares. What we should really do is take the exponents modulo 2, so denotes an even exponent and and odd. In this case we have k x k Q(x k ) Now we re looking for linear combinations of the rows which add up to zero (we re doing all exponent arithmetic mod 2 now). Of course, the k = 3 and k = 5 row add to all zeros. You can also see that the k = 3 row is already a perfect square, for it is all zeros (and 36 is a perfect square). Are there other combinations of rows which add to all zeros mod 2? There s a better way to pose the problem of finding rows which sum to zero. To do so we re going to appeal to linear algebra. If you ve studied any linear or matrix algebra, what follows should look familiar. If you haven t, consider this a motivation to study some! From the more practical point of view, if you haven t done any linear algebra, you can simply accept the fact 4

5 that there are systematic ways to find all possible combinations of the rows in the table above which sum to zero mod 2. Let M denote the matrix corresponding to the exponent vectors in the table above, M =. We re looking for combinations of the rows which add to zero. In matrix notation, we want to find a row vector b = [b b 2 b 3 b 4 b 5 b 6 ] (mod 2, so all b j are zeros and ones) such that bm = where denotes the appropriate dimensional zero vector. If we take the transpose of the above equation, what we want to find is a column vector b so that M T b = where T is transpose. In linear algebra terms, we want to find vectors in the nullspace of M T. This is a standard linear algebra computation, and we won t go into it here. I ll simply mention that one can use something like Gaussian elimination to find all vectors in (or a basis for) the nullspace. For our matrix we can compute that the vectors, are a basis for the nullspace of M T, and so the corresponding products of the appropriate Q( k ) should be perfect squares. The first vector, for example, says that row 5 of the table above, corresponding to 36, provides a perfect square all by itself. The second vector corresponds to the product of the Q s in the second and third rows, and the last vector corresponds to the product 5,

6 of the first and last rows, Q(37)Q(5) = 756 = From this last combination we conclude that (37 5) (mod n) and so compute ( , n) = 29 to find a proper factor of n. Suppose we have m primes in our factor base. How many Q that split over the base do we need to accumulate before we can form a perfect square? In other words, how many rows do we need to accumulate in M (or columns in M T ) before M T is guaranteed to have a nonempty nullspace? It s a basic fact that this must happen once M has more rows than columns. In general, if M has k more rows than columns then we can expect a minimum of k vectors in the nullspace, and so we can form k different perfect squares. There are a few other issues to consider. We compute x 2 k n for various integers x k in the hopes that for some p in our factor base we have p (x 2 k n). This can be rephrased as n x 2 k (mod p) so that n is a quadratic residue mod p. This need not be true. For example, suppose that the last digit of n is a 3, and that p = 5. It is impossible to find any integer x such that 3 x 2 (mod 5), i.e., 3 is not a quadratic residue mod 5. In this case it would be pointless to use 5 in the factor base for n. More generally, the only primes worth including in the factor base are those for which n is a quadratic residue. Recall also that we have a simple test for quadratic residues: n is a quadratic residue mod p if and only if n (p )/2 (mod p). Thus we construct the factor base by choosing the smallest primes possible subject to this restriction. How large should the factor base be? The smaller it is, the fewer Q we need to accumulate before we re guaranteed that we can form perfect squares, but with a smaller factor base it is far less likely that Q(x k ) will split. On the other hand, a larger base gives more splits, but requires that we find more squares. A relatively straightforward analysis (that I won t give here) shows that a good choice on average is to choose the base to have about exp( log(n) log(log(n))) primes. Continued Fractions Recall that if we have a real number x expressed as a continued fraction, x = [a, a, s 2,...] 6

7 then the successive convergents are rational numbers p k /q k, where p k q k = [a, a,... a k ]. The numbers a k can be computed by setting a = [x ] and then defining x k+ = /(x k a k ), a k+ = [x k+ ]. If x = n for some number positive integer n which is not perfect square then it turns out that the x k are given by x k = P k + n Q k for integers P k and Q k, where P k+ = a k Q k P k, Q k+ = n P 2 k+ Q k. Most importantly, recall Proposition 2.8 on page 85 of Giblin: p 2 k nq 2 k = ( ) k+ Q k+. Let s define Q k = ( ) k Q k so that the proposition becomes p 2 k nq 2 k = Q k+. Here s how continued fractions work for factoring: Modulo n the last equation becomes p 2 k Q k+ (mod n). Now if we can find some subset of the p k such that Q k +Q k 2 + Q k m + is a perfect square, say y 2, then we ll have (p k p k2 p km ) 2 Q k +Q k 2 + Q k m + (mod n) or x 2 y 2 (mod n) where x = p k p k2 p km and y = Q k + Q k 2 + Q k. m+ We can then compute (x ± y, n) and hope it s greater than. In essence, the numbers p k are playing the role of the x k in Kraitchik s algorithm and the Q k+ are playing the role of Q(x k ). So why would we want to replace a simple quadratic polynomial like Q(x k ) with apparently more complicated continued fraction expansions? Because as was proved in class, Q k < 2 n for all k. Contrast this to Q(x k ), which rapidly exceeds n and grows large very quickly. Because the Q k in the continued fraction expansion stay (relatively) small, they are much more likely to split over the factor base, and so more rapidly provide us with the material we need to form perfect squares. 7

8 There are two additional details to consider before doing an example. It is the case that half of the numbers Q k will be negative. So, while 9 is a perfect square, 9 is not, and we can t just ignore the negative sign. So we don t we just try to form perfect squares and account for the negative sign in the obvious way perfect squares have to be positive and so any corresponding product of Q s must have an even number of negative signs. As you ll see below, this amounts to including as a prime in the factor base. Also, just as with Kraitchik s method, we need should not include in our factor base any primes for which n is not a quadratic residue. If a prime p divides Q k+ then from p 2 k nq 2 k = ( ) k+ Q k+ we have p 2 k nq 2 k (mod p). Now p cannot divide q k, for then we have p 2 k (mod p), implying p p k, i.e., p would divide both p k and q k, contradicting the fact that (p k, q k ) = (this is.3(b) on page 79, problem 6 on the test). Thus (q k, p) = and there exists r such that rq k (mod p). Multiply both sides of p 2 k nq 2 k (mod p) by r 2 to obtain (rp k ) 2 n (mod p), so n is a quadratic residue mod p. If n is not a quadratic residue mod p then there is no hope of p dividing Q k+. Let s factor 86 again as an example. We ll use a factor base consisting of B = [2, 3, 5, 7, ]. You can easily check that 86 is indeed a quadratic residue for each prime. Here s a table that summarizes the computation: k p k Q k Note that k = 6 is missing from the table, since Q 7 did not split over the factor base. Note also how small the Q k are compared to the Q(x k ) in Kraitchik s method. Amazingly, of the first 8 iterations all but one of the Q split over our base. If we now consider the table mod 2, and write it out as 8

9 a matrix M we find that M =. Computing a basis for the nullspace of M T gives vectors, The first vector says that the sixth row (k = 7) is itself a perfect square, which you can easily see, for Q 8 = 8. We then have x 2 y 2 (mod n) with x = 55 and y = 9. We find (55 + 9, n) =, a proper factor of n. For the second vector we obtain Q 2Q 3Q 5 = (25)( 28)( 4) = 64, = 8 2 as a perfect square. This also leads to a nontrivial factorization by computing (p p 2 p 4 + 8, n) =. Finally, the last vector gives Q 3Q 7 = 926 = 96 2, leading to (p 2 p , n) = 9, another factor of n. One problem that you might encounter in the continued fraction method for factoring is when the continued fraction expansion of n cycles very rapidly. For example, if n = d 2 + for some d then n = [d, 2d, 2d, 2d, ]. In this case you ll only get two distinct Q, probably not enough to form any squares. The solution here is to use Q s that come from the continued fraction expansion of λn, where λ is some suitable multiplier. Assuming we generate the Q k+, p k, and q k from λn, we then have, p 2 k λnq 2 k = ( ) k+ Q k+. If we look at this mod n then we still have p 2 k ( ) k+ Q k+ = Q k+ and can proceed exactly as before. 9

10 The Quadratic Sieve The quadratic sieve does not use continued fractions to generate solutions to x 2 y 2 (mod n), but rather returns to the polynomial Q(x) = x 2 n (or variations of it). If you look back a Kraitchik s method with the addition of the factor base idea, you see that we compute Q(x k ) for various x k and then attempt to split Q(x k ) over the factor base. The method for doing this is simply to try dividing Q(x k ) by the first prime in the base, then the second, then the third, etc. When we reach the last prime in the base, if Q(x k ) has been reduced to then we conclude that it factors over the base. For large values of n, however, very few of the Q(x k ) actually split and so we waste a great deal of time trial dividing Q(x k ) by primes only to discard all of our work when we reach the last prime in the base and find that Q(x k ) didn t split. It would be nice to find a means for more efficiently identifying those Q(x k ) which will split over our base. There is such method, and it s really a variation on the sieve of Eratosthenes. Here s how the traditional sieve of Eratosthenes works. Suppose we want to generate a list of all primes up to. One way is trial division. Take each integer k in turn and try dividing by all integers less than k (or all primes). This is analogous to what Kraitchik s algorithm with the factor base was doing, and it s a lot of work. The sieve of Eratosthenes is far more efficient and works as follows. Create a list or an array contained the integers from up to. Circle or mark 2 to indicate that it s prime. Then step through the array with a stepsize of 2, starting at 4, and strike those elements they re all multiples of 2, and so not prime. Return to the start and find the next element which has not been eliminated, in this case 3. Circle 3 and then strike every third element from 6 onward they re all multiples of 3. In general, after having struck all multiples of p k we return to p k and find the next element in the array this is p k. We circle p k and then strike every p k th element that follows. Notice that we don t do any trial division of the elements as we strike them. If an element appears in the 52nd position then it s a multiple of 3 automatically; we don t trial divide it by 3. Notice also that when we re done striking multiples of p = 3, our array contains only primes, for every composite less than has a prime factor less than, i.e., a prime factor of 3 or less, and so has been struck. Suppose instead of finding primes less than we want to find all

11 integers less than which split over the factor base B = [2, 3, 5], that is, integers with only 2 s, 3 s, and 5 s in their prime power factorization. Again, construct and array containing integers from to. We know that only elements with an even index are divisible by 2. Step through the array and consider each such element in turn. For each, remove from it (divide) the highest possible power of 2. Repeat this procedure for 3, dividing every 3rd element by the highest possible power of 3. Repeat for 5. At then end of this procedure any number with only 2, 3 and 5 in its factorization has been reduced to ; all other elements are greater than. The simple idea is that elements which are divisible by p appear at regular intervals in the array, so that we need not bother trial dividing any other elements to see if they are divisible by p. We sieve the array by p. This proves to save an enormous amount of work. This is the idea behind the quadratic sieve. It turns out that those values of Q(x k ) = x 2 k n which are divisible by a prime p in the factor base appear at regular intervals with respect to the index k. We can thus save a lot of work by forming an array of the Q(x k ) and sieving by the primes in the factor base. Consider an example, with n = Suppose that p = is a prime in the factor base. Of course, n is a quadratic residue mod p. In fact, n (mod ) = 5 and the equation x 2 5 (mod ) has two solutions, x 4 (mod ) and x 7 (mod ). Also, in this case m = [ n] = 239, so x k = k. Now if we re looking for values of x such that p Q(x), that is, x 2 n (mod p), we need only consider x such that x 4 (mod ) and x 7 (mod ). For x k = k this means we need only consider those values of k such that k 4 (mod ) and k 7 (mod ), which boil down to k 7 (mod ) and k (mod ). If we form an array, indexed from, of the form [Q(x ) Q(x 2 ) Q(x 3 ) Q(x 4 ) ] then we can divide each element Q(x k ) with k 7, (mod ) by the highest possible power of. Do the same for the other primes in the factor base. When you re done, those elements which equal are precisely those which split over the factor base. The procedure above requires us to solve the equation x 2 n (mod p) for each prime in the factor base. How do we do this? If p is of the form p = 4k+3 then we ve already done it. In the coin flipping by telephone material we

12 showed that in this case x = ±n k+ (mod p) solves x 2 n (mod p). If p is of the form p = 4k + then things are slightly more difficult. We ll talk about how to solve x 2 n (mod p) in this case in chapter. 2

### Integer Factorization using the Quadratic Sieve

Integer Factorization using the Quadratic Sieve Chad Seibert* Division of Science and Mathematics University of Minnesota, Morris Morris, MN 56567 seib0060@morris.umn.edu March 16, 2011 Abstract We give

### 3 1. Note that all cubes solve it; therefore, there are no more

Math 13 Problem set 5 Artin 11.4.7 Factor the following polynomials into irreducible factors in Q[x]: (a) x 3 3x (b) x 3 3x + (c) x 9 6x 6 + 9x 3 3 Solution: The first two polynomials are cubics, so if

### Factoring Algorithms

Factoring Algorithms The p 1 Method and Quadratic Sieve November 17, 2008 () Factoring Algorithms November 17, 2008 1 / 12 Fermat s factoring method Fermat made the observation that if n has two factors

### CONTINUED FRACTIONS AND FACTORING. Niels Lauritzen

CONTINUED FRACTIONS AND FACTORING Niels Lauritzen ii NIELS LAURITZEN DEPARTMENT OF MATHEMATICAL SCIENCES UNIVERSITY OF AARHUS, DENMARK EMAIL: niels@imf.au.dk URL: http://home.imf.au.dk/niels/ Contents

### Factoring. Factoring 1

Factoring Factoring 1 Factoring Security of RSA algorithm depends on (presumed) difficulty of factoring o Given N = pq, find p or q and RSA is broken o Rabin cipher also based on factoring Factoring like

### U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

### SUBGROUPS OF CYCLIC GROUPS. 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by

SUBGROUPS OF CYCLIC GROUPS KEITH CONRAD 1. Introduction In a group G, we denote the (cyclic) group of powers of some g G by g = {g k : k Z}. If G = g, then G itself is cyclic, with g as a generator. Examples

### Revised Version of Chapter 23. We learned long ago how to solve linear congruences. ax c (mod m)

Chapter 23 Squares Modulo p Revised Version of Chapter 23 We learned long ago how to solve linear congruences ax c (mod m) (see Chapter 8). It s now time to take the plunge and move on to quadratic equations.

### Primality - Factorization

Primality - Factorization Christophe Ritzenthaler November 9, 2009 1 Prime and factorization Definition 1.1. An integer p > 1 is called a prime number (nombre premier) if it has only 1 and p as divisors.

### Mathematics Course 111: Algebra I Part IV: Vector Spaces

Mathematics Course 111: Algebra I Part IV: Vector Spaces D. R. Wilkins Academic Year 1996-7 9 Vector Spaces A vector space over some field K is an algebraic structure consisting of a set V on which are

### Integer roots of quadratic and cubic polynomials with integer coefficients

Integer roots of quadratic and cubic polynomials with integer coefficients Konstantine Zelator Mathematics, Computer Science and Statistics 212 Ben Franklin Hall Bloomsburg University 400 East Second Street

### The last three chapters introduced three major proof techniques: direct,

CHAPTER 7 Proving Non-Conditional Statements The last three chapters introduced three major proof techniques: direct, contrapositive and contradiction. These three techniques are used to prove statements

### 11 Ideals. 11.1 Revisiting Z

11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

### Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

### Some Polynomial Theorems. John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom.

Some Polynomial Theorems by John Kennedy Mathematics Department Santa Monica College 1900 Pico Blvd. Santa Monica, CA 90405 rkennedy@ix.netcom.com This paper contains a collection of 31 theorems, lemmas,

### Homework 5 Solutions

Homework 5 Solutions 4.2: 2: a. 321 = 256 + 64 + 1 = (01000001) 2 b. 1023 = 512 + 256 + 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = (1111111111) 2. Note that this is 1 less than the next power of 2, 1024, which

### Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

### An Innocent Investigation

An Innocent Investigation D. Joyce, Clark University January 2006 The beginning. Have you ever wondered why every number is either even or odd? I don t mean to ask if you ever wondered whether every number

### Consequently, for the remainder of this discussion we will assume that a is a quadratic residue mod p.

Computing square roots mod p We now have very effective ways to determine whether the quadratic congruence x a (mod p), p an odd prime, is solvable. What we need to complete this discussion is an effective

### 1. LINEAR EQUATIONS. A linear equation in n unknowns x 1, x 2,, x n is an equation of the form

1. LINEAR EQUATIONS A linear equation in n unknowns x 1, x 2,, x n is an equation of the form a 1 x 1 + a 2 x 2 + + a n x n = b, where a 1, a 2,..., a n, b are given real numbers. For example, with x and

### Factoring Algorithms

Institutionen för Informationsteknologi Lunds Tekniska Högskola Department of Information Technology Lund University Cryptology - Project 1 Factoring Algorithms The purpose of this project is to understand

### Fractions and Decimals

Fractions and Decimals Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles December 1, 2005 1 Introduction If you divide 1 by 81, you will find that 1/81 =.012345679012345679... The first

### Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

### The finite field with 2 elements The simplest finite field is

The finite field with 2 elements The simplest finite field is GF (2) = F 2 = {0, 1} = Z/2 It has addition and multiplication + and defined to be 0 + 0 = 0 0 + 1 = 1 1 + 0 = 1 1 + 1 = 0 0 0 = 0 0 1 = 0

### Arithmetic algorithms for cryptology 5 October 2015, Paris. Sieves. Razvan Barbulescu CNRS and IMJ-PRG. R. Barbulescu Sieves 0 / 28

Arithmetic algorithms for cryptology 5 October 2015, Paris Sieves Razvan Barbulescu CNRS and IMJ-PRG R. Barbulescu Sieves 0 / 28 Starting point Notations q prime g a generator of (F q ) X a (secret) integer

### 8 Primes and Modular Arithmetic

8 Primes and Modular Arithmetic 8.1 Primes and Factors Over two millennia ago already, people all over the world were considering the properties of numbers. One of the simplest concepts is prime numbers.

### Homework until Test #2

MATH31: Number Theory Homework until Test # Philipp BRAUN Section 3.1 page 43, 1. It has been conjectured that there are infinitely many primes of the form n. Exhibit five such primes. Solution. Five such

### k, then n = p2α 1 1 pα k

Powers of Integers An integer n is a perfect square if n = m for some integer m. Taking into account the prime factorization, if m = p α 1 1 pα k k, then n = pα 1 1 p α k k. That is, n is a perfect square

### Pigeonhole Principle Solutions

Pigeonhole Principle Solutions 1. Show that if we take n + 1 numbers from the set {1, 2,..., 2n}, then some pair of numbers will have no factors in common. Solution: Note that consecutive numbers (such

### The Quadratic Sieve Factoring Algorithm

The Quadratic Sieve Factoring Algorithm Eric Landquist MATH 488: Cryptographic Algorithms December 14, 2001 1 Introduction Mathematicians have been attempting to find better and faster ways to factor composite

### MODULAR ARITHMETIC. a smallest member. It is equivalent to the Principle of Mathematical Induction.

MODULAR ARITHMETIC 1 Working With Integers The usual arithmetic operations of addition, subtraction and multiplication can be performed on integers, and the result is always another integer Division, on

### An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

### The Dirichlet Unit Theorem

Chapter 6 The Dirichlet Unit Theorem As usual, we will be working in the ring B of algebraic integers of a number field L. Two factorizations of an element of B are regarded as essentially the same if

### (x + a) n = x n + a Z n [x]. Proof. If n is prime then the map

22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find

### Chapter 11 Number Theory

Chapter 11 Number Theory Number theory is one of the oldest branches of mathematics. For many years people who studied number theory delighted in its pure nature because there were few practical applications

### SOLVING POLYNOMIAL EQUATIONS

C SOLVING POLYNOMIAL EQUATIONS We will assume in this appendix that you know how to divide polynomials using long division and synthetic division. If you need to review those techniques, refer to an algebra

### Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

### The Ideal Class Group

Chapter 5 The Ideal Class Group We will use Minkowski theory, which belongs to the general area of geometry of numbers, to gain insight into the ideal class group of a number field. We have already mentioned

### it is easy to see that α = a

21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

### JUST THE MATHS UNIT NUMBER 1.8. ALGEBRA 8 (Polynomials) A.J.Hobson

JUST THE MATHS UNIT NUMBER 1.8 ALGEBRA 8 (Polynomials) by A.J.Hobson 1.8.1 The factor theorem 1.8.2 Application to quadratic and cubic expressions 1.8.3 Cubic equations 1.8.4 Long division of polynomials

### December 4, 2013 MATH 171 BASIC LINEAR ALGEBRA B. KITCHENS

December 4, 2013 MATH 171 BASIC LINEAR ALGEBRA B KITCHENS The equation 1 Lines in two-dimensional space (1) 2x y = 3 describes a line in two-dimensional space The coefficients of x and y in the equation

### The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

The Prime Numbers Before starting our study of primes, we record the following important lemma. Recall that integers a, b are said to be relatively prime if gcd(a, b) = 1. Lemma (Euclid s Lemma). If gcd(a,

### SOLUTIONS FOR PROBLEM SET 2

SOLUTIONS FOR PROBLEM SET 2 A: There exist primes p such that p+6k is also prime for k = 1,2 and 3. One such prime is p = 11. Another such prime is p = 41. Prove that there exists exactly one prime p such

### Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize

### Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem)

Some facts about polynomials modulo m (Full proof of the Fingerprinting Theorem) In order to understand the details of the Fingerprinting Theorem on fingerprints of different texts from Chapter 19 of the

### CS 103X: Discrete Structures Homework Assignment 3 Solutions

CS 103X: Discrete Structures Homework Assignment 3 s Exercise 1 (20 points). On well-ordering and induction: (a) Prove the induction principle from the well-ordering principle. (b) Prove the well-ordering

### Factorization Methods: Very Quick Overview

Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.

### LINEAR ALGEBRA W W L CHEN

LINEAR ALGEBRA W W L CHEN c W W L Chen, 1997, 2008 This chapter is available free to all individuals, on understanding that it is not to be used for financial gain, and may be downloaded and/or photocopied,

### 1.2 Solving a System of Linear Equations

1.. SOLVING A SYSTEM OF LINEAR EQUATIONS 1. Solving a System of Linear Equations 1..1 Simple Systems - Basic De nitions As noticed above, the general form of a linear system of m equations in n variables

### Prime Numbers and Irreducible Polynomials

Prime Numbers and Irreducible Polynomials M. Ram Murty The similarity between prime numbers and irreducible polynomials has been a dominant theme in the development of number theory and algebraic geometry.

### Quotient Rings and Field Extensions

Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

### CONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12

CONTINUED FRACTIONS AND PELL S EQUATION SEUNG HYUN YANG Abstract. In this REU paper, I will use some important characteristics of continued fractions to give the complete set of solutions to Pell s equation.

### 12 Greatest Common Divisors. The Euclidean Algorithm

Arkansas Tech University MATH 4033: Elementary Modern Algebra Dr. Marcel B. Finan 12 Greatest Common Divisors. The Euclidean Algorithm As mentioned at the end of the previous section, we would like to

### Polynomials. Dr. philippe B. laval Kennesaw State University. April 3, 2005

Polynomials Dr. philippe B. laval Kennesaw State University April 3, 2005 Abstract Handout on polynomials. The following topics are covered: Polynomial Functions End behavior Extrema Polynomial Division

### The van Hoeij Algorithm for Factoring Polynomials

The van Hoeij Algorithm for Factoring Polynomials Jürgen Klüners Abstract In this survey we report about a new algorithm for factoring polynomials due to Mark van Hoeij. The main idea is that the combinatorial

### CHAPTER 3. Methods of Proofs. 1. Logical Arguments and Formal Proofs

CHAPTER 3 Methods of Proofs 1. Logical Arguments and Formal Proofs 1.1. Basic Terminology. An axiom is a statement that is given to be true. A rule of inference is a logical rule that is used to deduce

### Math Review. for the Quantitative Reasoning Measure of the GRE revised General Test

Math Review for the Quantitative Reasoning Measure of the GRE revised General Test www.ets.org Overview This Math Review will familiarize you with the mathematical skills and concepts that are important

### Mathematics of Cryptography

CHAPTER 2 Mathematics of Cryptography Part I: Modular Arithmetic, Congruence, and Matrices Objectives This chapter is intended to prepare the reader for the next few chapters in cryptography. The chapter

### CHAPTER 3 Numbers and Numeral Systems

CHAPTER 3 Numbers and Numeral Systems Numbers play an important role in almost all areas of mathematics, not least in calculus. Virtually all calculus books contain a thorough description of the natural,

### If A is divided by B the result is 2/3. If B is divided by C the result is 4/7. What is the result if A is divided by C?

Problem 3 If A is divided by B the result is 2/3. If B is divided by C the result is 4/7. What is the result if A is divided by C? Suggested Questions to ask students about Problem 3 The key to this question

### Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any.

Algebra 2 - Chapter Prerequisites Vocabulary Copy in your notebook: Add an example of each term with the symbols used in algebra 2 if there are any. P1 p. 1 1. counting(natural) numbers - {1,2,3,4,...}

### Inverses and powers: Rules of Matrix Arithmetic

Contents 1 Inverses and powers: Rules of Matrix Arithmetic 1.1 What about division of matrices? 1.2 Properties of the Inverse of a Matrix 1.2.1 Theorem (Uniqueness of Inverse) 1.2.2 Inverse Test 1.2.3

### MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu

Integer Polynomials June 9, 007 Yufei Zhao yufeiz@mit.edu We will use Z[x] to denote the ring of polynomials with integer coefficients. We begin by summarizing some of the common approaches used in dealing

### Linear Codes. Chapter 3. 3.1 Basics

Chapter 3 Linear Codes In order to define codes that we can encode and decode efficiently, we add more structure to the codespace. We shall be mainly interested in linear codes. A linear code of length

### APPLICATIONS OF THE ORDER FUNCTION

APPLICATIONS OF THE ORDER FUNCTION LECTURE NOTES: MATH 432, CSUSM, SPRING 2009. PROF. WAYNE AITKEN In this lecture we will explore several applications of order functions including formulas for GCDs and

### CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

January 10, 2010 CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY The set of polynomials over a field F is a ring, whose structure shares with the ring of integers many characteristics.

### MATH 4330/5330, Fourier Analysis Section 11, The Discrete Fourier Transform

MATH 433/533, Fourier Analysis Section 11, The Discrete Fourier Transform Now, instead of considering functions defined on a continuous domain, like the interval [, 1) or the whole real line R, we wish

### LECTURE 1 I. Inverse matrices We return now to the problem of solving linear equations. Recall that we are trying to find x such that IA = A

LECTURE I. Inverse matrices We return now to the problem of solving linear equations. Recall that we are trying to find such that A = y. Recall: there is a matri I such that for all R n. It follows that

### Mathematics of Cryptography Part I

CHAPTER 2 Mathematics of Cryptography Part I (Solution to Odd-Numbered Problems) Review Questions 1. The set of integers is Z. It contains all integral numbers from negative infinity to positive infinity.

### 7. Some irreducible polynomials

7. Some irreducible polynomials 7.1 Irreducibles over a finite field 7.2 Worked examples Linear factors x α of a polynomial P (x) with coefficients in a field k correspond precisely to roots α k [1] of

### 9.2 Summation Notation

9. Summation Notation 66 9. Summation Notation In the previous section, we introduced sequences and now we shall present notation and theorems concerning the sum of terms of a sequence. We begin with a

### Algebra 1 Course Title

Algebra 1 Course Title Course- wide 1. What patterns and methods are being used? Course- wide 1. Students will be adept at solving and graphing linear and quadratic equations 2. Students will be adept

### The Characteristic Polynomial

Physics 116A Winter 2011 The Characteristic Polynomial 1 Coefficients of the characteristic polynomial Consider the eigenvalue problem for an n n matrix A, A v = λ v, v 0 (1) The solution to this problem

### Just the Factors, Ma am

1 Introduction Just the Factors, Ma am The purpose of this note is to find and study a method for determining and counting all the positive integer divisors of a positive integer Let N be a given positive

### Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00

18.781 Problem Set 7 - Fall 2008 Due Tuesday, Oct. 28 at 1:00 Throughout this assignment, f(x) always denotes a polynomial with integer coefficients. 1. (a) Show that e 32 (3) = 8, and write down a list

### The cyclotomic polynomials

The cyclotomic polynomials Notes by G.J.O. Jameson 1. The definition and general results We use the notation e(t) = e 2πit. Note that e(n) = 1 for integers n, e(s + t) = e(s)e(t) for all s, t. e( 1 ) =

### CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

### 3. Applications of Number Theory

3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

### Every Positive Integer is the Sum of Four Squares! (and other exciting problems)

Every Positive Integer is the Sum of Four Squares! (and other exciting problems) Sophex University of Texas at Austin October 18th, 00 Matilde N. Lalín 1. Lagrange s Theorem Theorem 1 Every positive integer

### Introduction to Diophantine Equations

Introduction to Diophantine Equations Tom Davis tomrdavis@earthlink.net http://www.geometer.org/mathcircles September, 2006 Abstract In this article we will only touch on a few tiny parts of the field

### Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

CS 70 Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2 Proofs Intuitively, the concept of proof should already be familiar We all like to assert things, and few of us

### Factoring Polynomials

Factoring Polynomials Hoste, Miller, Murieka September 12, 2011 1 Factoring In the previous section, we discussed how to determine the product of two or more terms. Consider, for instance, the equations

### = 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Credit will not be given for answers (even correct ones) without

### I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

### Factorization Algorithms for Polynomials over Finite Fields

Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 2011-05-03 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is

### Notes 11: List Decoding Folded Reed-Solomon Codes

Introduction to Coding Theory CMU: Spring 2010 Notes 11: List Decoding Folded Reed-Solomon Codes April 2010 Lecturer: Venkatesan Guruswami Scribe: Venkatesan Guruswami At the end of the previous notes,

### MATH10040 Chapter 2: Prime and relatively prime numbers

MATH10040 Chapter 2: Prime and relatively prime numbers Recall the basic definition: 1. Prime numbers Definition 1.1. Recall that a positive integer is said to be prime if it has precisely two positive

### MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2016 47 4. Diophantine Equations A Diophantine Equation is simply an equation in one or more variables for which integer (or sometimes rational) solutions

### Linear Codes. In the V[n,q] setting, the terms word and vector are interchangeable.

Linear Codes Linear Codes In the V[n,q] setting, an important class of codes are the linear codes, these codes are the ones whose code words form a sub-vector space of V[n,q]. If the subspace of V[n,q]

### Monogenic Fields and Power Bases Michael Decker 12/07/07

Monogenic Fields and Power Bases Michael Decker 12/07/07 1 Introduction Let K be a number field of degree k and O K its ring of integers Then considering O K as a Z-module, the nicest possible case is

PYTHAGOREAN TRIPLES KEITH CONRAD 1. Introduction A Pythagorean triple is a triple of positive integers (a, b, c) where a + b = c. Examples include (3, 4, 5), (5, 1, 13), and (8, 15, 17). Below is an ancient

### Solutions to Homework 6 Mathematics 503 Foundations of Mathematics Spring 2014

Solutions to Homework 6 Mathematics 503 Foundations of Mathematics Spring 2014 3.4: 1. If m is any integer, then m(m + 1) = m 2 + m is the product of m and its successor. That it to say, m 2 + m is the

### 6 EXTENDING ALGEBRA. 6.0 Introduction. 6.1 The cubic equation. Objectives

6 EXTENDING ALGEBRA Chapter 6 Extending Algebra Objectives After studying this chapter you should understand techniques whereby equations of cubic degree and higher can be solved; be able to factorise

### a 1 x + a 0 =0. (3) ax 2 + bx + c =0. (4)

ROOTS OF POLYNOMIAL EQUATIONS In this unit we discuss polynomial equations. A polynomial in x of degree n, where n 0 is an integer, is an expression of the form P n (x) =a n x n + a n 1 x n 1 + + a 1 x

### Notes on Orthogonal and Symmetric Matrices MENU, Winter 2013

Notes on Orthogonal and Symmetric Matrices MENU, Winter 201 These notes summarize the main properties and uses of orthogonal and symmetric matrices. We covered quite a bit of material regarding these topics,

### FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

### March 29, 2011. 171S4.4 Theorems about Zeros of Polynomial Functions

MAT 171 Precalculus Algebra Dr. Claude Moore Cape Fear Community College CHAPTER 4: Polynomial and Rational Functions 4.1 Polynomial Functions and Models 4.2 Graphing Polynomial Functions 4.3 Polynomial