Primality - Factorization

Transcription

1 Primality - Factorization Christophe Ritzenthaler February 8, Primality Definition 1.1. An integer p > 1 is called a prime number if it has only 1 and p as divisors. Example 1. There are infinitely many prime numbers. The biggest generic one has 29,271 decimal digits and the proof was built using fastecpp on several networks of workstations (Jan. 2015). The largest known prime (January 2016) is a 22 millions digits Mersenne prime (see tutorial). We will write P the set of prime numbers. The simplest algorithm to test primality is based on the following result. Proposition 1.1. n is a composite number if and only if it has a divisor d such that d n. Proof. Since n is composite, n = ab and either a or b is smaller than n. This leads to an exponential test in log n. polynomial tests. In the following we will explore some Remark 1. Adleman, Pomerance, Rumely, Cohen and Lenstra have given an algorithm (APRCL) which is not polynomial but is feasible on numbers of 1000 digits (it runs in O(log n C log log log n )). 1.1 Probabilistic compositeness tests Fermat test and Carmichael numbers By Fermat little theorem, one knows that if n is a prime number then a n 1 1 (mod n) for all a Z coprime with n. If the theorem was an equivalence, we would have an easy polynomial algorithm to test if a number is a prime. Unfortunately Example 2. Consider n = 341 = One has (mod 341). Such a number is called pseudo-prime in base 2. We can prove that there are infinitely many pseudo-primes in base 2 by showing that if 1

2 n is such a number then 2 n 1 also. Indeed because n is a pseudo-prime in base 2 one has n 2 n 1 1, i.e. there is c such that nc = 2 n 1 1. Now The last expression is divisible by 2 n 1 so 2 2n = 2 2(2n 1 1) 1 = 2 2nc n (mod 2 n 1). To finish the proof, one has to show that 2 n 1 is not a prime. Since n = ab, 2 n 1 is divisible by 2 a 1. An idea is then to change the value of a : for instance (mod 341). Unfortunately, there are numbers that are pseudo-prime in any base. Such numbers are called Carmichael numbers (for instance 561 = ). It has been shown by Alford, Granville and Pomerance in 1994 that there are infinitely many Carmichael numbers so Fermat test cannot be completely sure. Let us show some properties of these numbers. Proposition 1.2. An (odd) composite number n 3 is a Carmichael number if and only if it is square free and for each prime divisor p of n, p 1 divides n 1. Proof. First it is easy to see that a Carmichael number is odd : indeed ( 1) n 1 1 (mod n) if and only if n is odd. Let a be a Carmichael number, for any a prime to n one has a n 1 1 (mod n). Let p be a prime divisor of n. There exists a primitive element modulo p that is prime to n. Indeed, let a a primitive element modulo p and n = p r m with m coprime to p. There exists an element (still denoted a) in Z/p r Z lifting the initial a (because the morphism Z/p r Z Z/pZ est surjectif). We find s Z/mZ coprime to m and since Z/nZ Z/p r Z Z/mZ we construct the element a Z/nZ image of (a, s). Such an element satisfies the properties for a. Now, one has of course a n 1 1 (mod p) but as a is primitive p 1 divides n 1. Now suppose that n = p 2 m and write a = 1 + pm. One has a p 1 + p 2 m (mod n) So the order of a is p. But p does not divide n 1 (p n) so we get a contradiction. Conversely, let n be a square-free integer such that p 1 divides n 1 for all prime divisors p of n. Let a be prime to n one has and because n 1 is a multiple of p 1, a p 1 1 (mod p) a n 1 1 (mod p). Using the Chinese Remainder theorem for all the factors p, one gets a n 1 1 (mod n). 2

3 Corollary 1.1. Any Carmichael number is the product of at least 3 distinct odd primes. Proof. Because a Carmichael number is without square factor and is not prime it has at least two prime factors. Let us assume that n = pq with p < q. Then q 1 divides pq 1 = p(q 1) + p 1 so q 1 divides p 1. Absurd. Example 3. Show that if 6m + 1, 12m + 1 and 18m + 1 are primes then n = (6m + 1)(12m+1)(18m+1) is a Carmichael number. First by the Chinese Remainder theorem, one can see that if n = ab with a, b coprime then for any x prime to n one has x lcm(φ(a),φ(b)) 1 (mod n). Now lcm(φ(6m + 1), φ(12m + 1), φ(18m + 1)) = 36m and also 36m n 1. One can check that 1729 is such a number Lucas test Let n > 1 be an integer. We will show that if there exists an a such that a n 1 1 (mod n) and a q 1 (mod n) for all q n 1, q n 1, then n is prime. This is a very good test for Fermat numbers F m, i.e. numbers of the form n = 2 2m + 1 (For m = only the first five are prime. F 33 is so big that it may be many years before we can decide its nature). But obviously this test is not good for a generic prime since we must know the factorization of n 1. Let assume that such an a exists and let d be the order of a in (Z/nZ). Since a n 1 1 (mod n), d (n 1). More exactly as no proper divisor of n 1 is the order of a, one has d = n 1. Now n 1 = d φ(n). This is possible only if n is prime Rabin-Miller test Contrary to the Fermat test, the Miller-Rabin test can prove the compositeness of any composite number (i.e. there is no analog of Carmichael numbers for this test). But Rabin-Miller test is a Monte-Carlo algorithm : it always stops ; if it answers yes, the number is composite and if it answers no then the answer is correct with a probability greater than 3/4. Let n be an odd positive integer and s = max{r N, 2 r n 1}. Let d = (n 1)/2 s. Lemma 1.1 (Miller). If n is a prime and if a is an integer prime to n then we have either a d 1 (mod n) or there exists r {0,..., s 1} such that a 2rd 1 (mod n). Proof. The order of a is a divisor of n 1. It can be d and then a d 1 (mod n). If it is not then its order divides 2 r d for r {1,..., s} that we choose minimal. So a 2rd 1 (mod n) and a 2r 1d is a non-trivial square root of 1 so a 2r 1d 1 (mod n). If we find an a which is prime to n and that satisfies neither of the conditions, then n is composite. Such an integer a is called a witness for the compositeness of n. 3

4 Example 4. Let n = 561. a = 2 is a witness for n. Indeed here s = 4, d = 35 and (mod 561), (mod 561), (mod 561), (mod 561). For the efficiency of the Rabin-Miller test, it is important that there are sufficiently many witnesses for the compositeness of a composite number. Theorem 1.1 (Rabin). If n 3 is an odd composite number, then the set {1,..., n 1} contains at most (n 1)/4 numbers that are prime to n and not witnesses for the compositeness of n. Proof. Let k be the largest integer s 1 such that there exists at least one b (Z/nZ) with b 2k 1 (mod n) (such a k exists since b = 1 and k = 0 works). Let m = 2 k d and n = j i=1 pe j i be the prime factorization of n. Let J = {a (Z/nZ), a n 1 1 (mod n)} K = {a (Z/nZ), a m ±1 (mod p e i i ) for all i} L = {a (Z/nZ), a m ±1 (mod n)} M = {a (Z/nZ), a m 1 (mod n)}. We have M L K J (Z/nZ) as subgroups. Each a which is not a witness for the compositeness of n belongs to L. Indeed, if a d 1 (mod n) then a L and if a 2td 1 (mod n), then by the maximality of k, t k. We will prove that the index of L in (Z/nZ) is at least four. Let G = {a (Z/nZ), a ±1 (mod p e i i ) for all i}. Every element of G is a m-th power. Indeed, we have b m 1 (mod n). Hence, using the CRT, we can write each a G, component by component, either like b m or (b 2 ) m. It is well known also that #G = 2 j. Now let us consider the map ψ : (Z/nZ) (Z/nZ) (Z/nZ) /G where the first map φ is x x m and the second one is the projection. The kernel of ψ are the elements such that a m G which is K. We have ker φ ker ψ, hence ψ factors through ψ : (Z/nZ) / ker φ Im(φ) (Z/nZ) /G and ker ψ/ ker φ ker ψ = Im(φ) G = G because of what we proved. Therefore #K/#M = #G = 2 j. In a similar way (replacing G by {a (Z/nZ), a ±1 (mod n)} we prove that [L : M] = 2. Hence [K : L] = 2 j 1. If j > 2 we are done. If j = 2 (i.e. [L : K] = 2) then n has two prime divisors. It follows from Cor. 1.1 that n is not a Carmichael number. This implies that J is a proper subgroup of (Z/nZ) and the index of J in (Z/nZ) is at least 2. Therefore the index of L in (Z/nZ) is at least 4. Finally, let j = 1. Then n is a prime power, say n = p e with e > 1. But φ : (Z/nZ) Z/(p 1)Z Z/p e 1 Z is an isomorphism. As n 1 is prime to p a n 1 1 (mod n) if and only if φ(a) = (µ, 0). So [(Z/nZ) : J] = #Z/p e 1 Z = p e 1. This is bigger than 4 except for n = 9 which can be checked by hand. 4

5 To apply the Rabin-Miller test, we choose a random number a {2,..., n 1}. If gcd(a, n) > 1 then n is composite. Otherwise we compute a d, a 2d,..., a 2s 1d. If we find a witness for the compositeness of n, then we have proved that n is composite. By Th. 1.1, the probability that n is composite and that a is not a witness is less than 1/4. So if we repeat the test t times we can make this probability less than (1/4) t. For t = 10 this probability is less than Remark 2. Under the Generalized Riemann hypothesis (which is conjectural but believed true), it can be proved that there is always a witness for the compositeness of n in the Miller-Rabin with a O((log n) 2 ). 1.2 Absolute tests By absolute, I mean that we are sure that the number is prime (or not) at the end of the test. However the algorithm can be probabilistic : this is the case of ECPP whereas AKS is deterministic but not fast enough AKS For a very complete and elementary proof of AKS en Õ(log(n)10.5 ), see trigofacile.com/maths/curiosite/primarite/aks/index.htm. In the first version of the paper, the authors proved the asymptotic time complexity of the algorithm to be Õ(log12 (n)). However, the upper bound proved in the paper was rather loose; indeed, a widely held conjecture about the distribution of the Sophie Germain primes would, if true, immediately cut the worst case down to Õ(log6 (n)). In the months following the discovery, new variants appeared (Lenstra 2002, Pomerance 2002, Berrizbeitia 2003, Cheng 2003, Bernstein 2003a/b, Lenstra and Pomerance 2003), which improved the speed of computation by orders of magnitude. Due to the existence of the many variants, Crandall and Papadopoulos refer to the AKS-class of algorithms in their scientific paper On the implementation of AKS-class primality tests, published in March In response to some of these variants, and to other feedback, the paper PRIMES is in P was updated with a new formulation of the AKS algorithm and of its proof of correctness. (This version was eventually published in Annals of Mathematics.) While the basic idea remained the same, r was chosen in a new manner, and the proof of correctness was more coherently organized. While the previous proof had relied on many different methods, the new version relied almost exclusively on the behavior of cyclotomic polynomials over finite fields. The new version also allowed for an improved bound on the time complexity, which can now be shown by simple methods (as we have seen) to be Õ(log10.5 (n)). Using additional results from sieve theory, this can be further reduced to Õ(log7.5 (n)). In 2005, Carl Pomerance and H. W. Lenstra, Jr. demonstrated a variant of AKS that runs in Õ(log6 (n)) operations. Agrawal, Kayal and Saxena suggest a variant of their algorithm which would run in Õ(log 3 (n)) if a certain conjecture made by Bhattacharjee and Pandey in 2001 is true 5

6 (Agrawal s conjecture 1 ); however, a heuristic argument by Hendrik Lenstra and Carl Pomerance suggests that it is probably false ECPP Let n 0 be an integer coprime to 6. An elliptic curve over Z/nZ is a Weierstrass equation E : y 2 z = x 3 + axz 2 + bz 3, a, b Z/nZ, 4a b 2 (Z/nZ). This defines a non singular curve in P 2 (Z/nZ) = {(x : y : z} = {(x, y, z) (Z/nZ) 3, gcd(x, y, z, n) = 1}/ mult. by invertible elts. If n is a prime, then we know that E(Z/nZ) is a commutative group which has at most two cyclic components and Hasse s bound can be written as ( n 1) 2 < #E(Z/nZ) < ( n + 1) 2. If n is not prime then E(Z/nZ) is not a group but we may still try to add points applying the same formulae. The worst could be that we encounter d (Z/nZ) \ {0} which is not invertible. In this case gcd(d, n) is a non trivial factor and we are done anyway. So we can assume that all additions of points succeed. If p is a prime dividing n and π : Z/nZ Z/pZ the canonical projection, then it extends to a projection π for points on E(Z/nZ) to E(Z/pZ) and respect the addition law. Theorem 1.2. Let P E(Z/nZ) and m be an integer such that There exists a prime divisor q of m with q (n 1/4 + 1) 2, mp = O but (m/q)p = (x : y : z) with (z, n) = 1. Then n is prime. Proof. Assume n is composite and let p n be the smallest prime divisor of n. The order r of π(p ) divides m but not m/q and hence q r. On the other hand Hasse s bound hence q < (n 1/4 + 1) 2, a contradiction. r #E(Z/pZ) < (p 1/2 + 1) 2 (n 1/4 + 1) 2 It is natural to try m = #E(Z/nZ) and try random points on the curve. The biggest issue is to compute m. Using SEA, it is not possible to prove primality for digits numbers. Atkin s idea was to use complex multiplication to construct a curve with a given m. The other issue is to be sure that the factor q is really a prime. This can be achieved by using the algorithm recursively. FastECPP (Elliptic 1 Let n, r such that r is a prime which does not divide n and such that n 2 1 (mod r). If (X 1) n X n 1 (mod X r 1, n) then n is prime. 6

7 curve primality proving), which is the name of this algorithm, runs in randomized time Õ(log 4 n) conjecturally. It produces a certificate (E, m, q, P and a certificate for q) which allows to check that n is indeed prime. Adleman and Huang were able to do the same with higher genera curves, without any conjecture, but the algorithm is prohibitively slow in practice. 2 Factorization Now given an n that is known to be composite, how can we find its decomposition in prime factors? We are going to present algorithms to obtain a non-trivial factor. By repeating inductively the algorithm, we can then factorize the number. For a generic number, the current record (end of 2013) is RSA768 which has 232 digits. It was factored using a general number field sieve algorithm. The largest factor found by the elliptic curve method has 83 digits (2013). Using special number sieve (see tutorial), the record is 320 digits with factored in What is the factorization of a random number? If N = N 1 N r with N i prime and N i N i+1. We have r log 2 N and it can be proved that on average N 1 N 0.62, N 2 N 0.21 and N 3 N Hence a random integer has one large factor, a medium size one and a lot of small ones. We will use the sub-exponential notation 2.1 Basic methods Trial division L x (ν, λ) = exp(λ log ν x log log x 1 ν ). To find small prime factors of n, a precomputed table of all prime numbers below a fixed bound B is computed. This can be done using the sieve of Eratosthenes. A typical bound is B = Example 5. We want to factor n = Trial division with primes less than 50 yields the factors 2 2, 7 2, 43. If we divide n by those factors, we obtain m = Since 2 m (mod m), this number is still composite Pollard p 1 method This algorithm is efficient when n has a prime factor p such that p 1 has only small prime divisors. Indeed, by Fermat s little theorem, one has a k 1 (mod p) for all multiple k of p 1. If p 1 has only small prime divisors, one can try k = q e q P,q e B 7

8 where B is a given bound. Now if a k 1 is not divisible by n, then gcd(a k 1, n) is a non-trivial factor of n. Example 6. Let n = of the previous example. We set B = 13. Then k = and gcd(2 k 1, n) = 547. So n = which are both prime numbers. 2.2 Elliptic curve method: ECM This is from the wikipedia page. The Lenstra elliptic curve factorization or the elliptic curve factorization method (ECM) is a fast, sub-exponential running time algorithm for integer factorization which employs elliptic curves. For general purpose factoring, ECM is the third-fastest known factoring method. The second fastest is the multiple polynomial quadratic sieve and the fastest is the general number field sieve. The Lenstra elliptic curve factorization is named after Hendrik Lenstra. Practically speaking, ECM is considered a special purpose factoring algorithm as it is most suitable for finding small factors. Currently, it is still the best algorithm for divisors not greatly exceeding 20 to 25 digits (64 to 83 bits or so), as its running time is dominated by the size of the smallest factor p rather than by the size of the number n to be factored. Frequently, ECM is used to remove small factors from a very large integer with many factors; if the remaining integer is still composite, then it has only large factors and is factored using general purpose techniques. The largest factor found using ECM so far has 83 digits and was discovered on 7 September 2013 by R. Propper. The Lenstra elliptic curve factorization method to find a factor of the given natural number n works as follows: 1. Pick a random elliptic curve over Z/nZ, with equation of the form y 2 = x 3 +ax+b (mod n) together with a non-trivial point P (x 0, y 0 ) on it. This can be done by first picking random x 0, y 0, a Z/nZ, and then calculating b = y 2 0 x3 0 ax 0 (mod n). 2. Add points with the usual formulas. As for ECPP, if the addition is not well defined, we have found a factor. 3. Compute ep on the elliptic curve (mod n), where e is product of many small numbers: say, a product of small primes raised to small powers, as in the p 1 algorithm. 4. If we were able to finish all the calculations above without encountering noninvertible elements (mod n), then we need to try again with some other curve and starting point. 5. If at some stage we found kp = O (infinity on the elliptic curve), we should start over with a new curve and starting point, since this point O is the group identity element, so is unchanged under any further addition operations. 8

9 6. If we encountered a forbidden operation (i.e. an element that cannot be inverted) then we are done: it is a non-trivial factor of n. The time complexity depends on the size of the factor and can be represented by L p ( 1 2, 2 ) where p is the smallest factor of n. Why does it work? If p and q are two prime divisors of n, then y 2 = x 3 + ax + b (mod n) implies the same equation also modulo p and modulo q. These two smaller elliptic curves are now genuine groups. If these groups have N p and N q elements, respectively, then for any point P on the original curve, by Lagrange s theorem, k > 0 is minimal such that kp = O on the curve modulo p implies that k divides N p ; moreover, N p P = O. The analogous statement holds for the curve modulo q. When the elliptic curve is chosen randomly, then N p and N q are random numbers close to p + 1 and q + 1, respectively (see below). Hence it is unlikely that most of the prime factors of N p and N q are the same, and it is quite likely that while computing ep, we will encounter some kp that is O modulo p but not modulo q, or vice versa. When this is the case, kp does not exist on the original curve, and in the computations we found some a non-trivial factor of n. ECM is at its core an improvement of the older p 1 algorithm. However, the latter algorithm fails when p 1 has large prime factors. ECM gets around this obstacle by considering the group of a random elliptic curve over the finite field, rather than considering the multiplicative group of Z/pZ which always has order p 1. The order of the group of an elliptic curve over Z/pZ varies (quite randomly) between p p and p p by Hasse s theorem, and is likely to be smooth for some elliptic curves. Although there is no proof that a smooth group order will be found in the Hasse-interval, by using heuristic probabilistic methods, the Canfield-Erdös-Pomerance theorem 2.1 with suitably optimized parameter choices, we can expect to try L n (1/2, 2/2) curves before getting a smooth group order. This heuristic estimate is very reliable in practice. 2.3 Modern sieves The modern sieves find integers x, y such that and x 2 y 2 (mod n) x ±y (mod n). Then n is a divisor of x 2 y 2 = (x y)(x + y) but of neither x y or x + y. Hence g = gcd(x y, n) is a proper divisor of n. Example 7. Let n = 7429, x = 227, y = 210. Then x 2 y 2 = n, x y = 17 so 17 n. We are presenting three sieves below. The main difference between them is the way to generate the quadratic relations. 9

10 2.3.1 The linear sieve See tutorial Quadratic sieve See also tutorial for another example. Determination of x and y. The idea from the previous section is also used in other factoring algorithms, such as the number field sieve (NFS), but those algorithms have different ways of finding x, y. We describe how x, y are found in the quadratic sieve. Let m = n and f(x) = (X + m) 2 n. We first explain the procedure on an example. Example 8. Let n = Then m = 86. One has This implies f( 3) = = 540 = , f(1) = = 140 = , f(2) = = 315 = (mod 7429), (mod 7429), (mod 7429). If the last two congruences are multiplied then we obtain (87 88) 2 ( ) 2 (mod n). Therefore we can set x (mod n) 227 and y (mod n) 210. In the example we have presented number s for which the value f(s) has only small prime factors. Then we use the congruence (s + m) 2 f(s) (mod n). From those congruences, we select a subset whose products yields squares on the leftand the right-hand sides. The left-hand side of each congruence is a square anyway. Also we know the prime factorization of each right-hand side. The product of a number of right-hand sides is a square if the exponents 1 and all prime factors are even. In the next section, we explain how an appropriate subset of congruences is chosen. 10

11 Choosing appropriate congruences. The selection process is controlled by coefficients λ i {0, 1}. If λ i = 1 the congruence i is chosen; otherwise it is not. The product of the right hand sides of the chosen congruences is ( ) λ1 ( ) λ2 ( ) λ 3 = ( 1) λ1 2 2λ 1+2λ2 3 3λ 1+2λ3 5 λ 1+λ 2 +λ3 7 λ 2+λ 3. We want this number to be a square, so we have to solve the following linear system: λ 1 0 (mod 2) 2λ 1 + 2λ 2 0 (mod 2) 3λ 1 + 2λ 3 0 (mod 2) λ 1 + λ 2 + λ 3 0 (mod 2) λ 2 + λ 3 0 (mod 2). A solution is λ 1 = 0, λ 2 = λ 3 = 1. In general we choose a positive integer B. Then we look for integers s such that f(s) has only prime factors that belong to the factor base F (B) = {p P, p B} { 1}. Such values f(s) are called B-smooth. If we have found as many values for s as the factor base has elements, then we try to solve the corresponding linear system over Z/2Z. Sieving. It remains to be shown how the values of s are found for which f(s) is B-smooth. One possibility is to compute the value f(s) for s = 0, ±1, ±2,... and to test by trial division whether f(s) is B-smooth. Unfortunately, those values typically are not B-smooth. This is very inefficient as the factor base is large for large n (see Tab. 1). A more efficient method is to use sieving techniques, which are described as follows. We explain a simplified version that shows the main idea. We fix a sieving interval S = { C, C + 1,..., 0, 1,..., C}. We want to find all s S such that f(s) is B- smooth. To find out which of the values f(s) is divisible by a prime number p in the factor base, we start from the end. We fix a prime p. The equation f(s) 0 (mod p) has two solutions s i,p which can be computed quickly. Then we try to find values s i,p + kp S. After each step, we divide the corresponding f(s) by p. Prime powers can be treated similarly. Example 9. Let n = 7429, m = 86. The factor base is the set {2, 3, 5, 7} { 1}. As sieve interval, we use the set S = { 3,..., 3}. s (s + m) 2 n Sieve with Sieve with Sieve with Sieve with

12 Here for instance s 1,3 = 0, s 2,3 = 2, s 1,5 = 1, s 2,5 = 2, s 1,7 = 1, s 2,7 = 2. Remark 3. These are typical sizes for B anc C. However, there are very few non-zero Table 1: Factor base and sieving # decimal digits of n # factor base in thousand # sieving interval in million coefficients for each relation. For instance for RSA-129 (129 digits), one had to use a matrix of size of order 500, 000 but this matrix had only 47 non-zero coefficients on each line. To solve the linear algebra phase, one uses Wiedemann s algorithm (see DLP chapter) which for sparse matrices is quadratic in the size. Many other tricks are used in practice (Large primes, Multiple Polynomial Quadratic Sieve (MPQS), Self-initializing quadratic sieve (SIQS)). See the wikipedia pages Special number sieve See tutorial Complexity analysis Let us recall that L x (ν, λ) = exp(λ(log(x) ν (log log x) 1 ν )) is the notation for the subexponential function. For asymptotic estimates, we write that L x (ν, λ) = L x (ν, λ + o(1)) and we also denote L x (ν) = L x (ν, λ) for any λ 0. Note that we can then write L x (ν 1 )L x (ν 2 ) = L x (max(ν 1, ν 2 )) and L x (ν, λ 1 )L x (ν, λ 2 ) = L x (ν, λ 1 + λ 2 ). We need one important result (Candfield, Erdös, Pomerance). Theorem 2.1. Let 0 < ω < ν 1 and λ > 0, µ > 0. The probability that a number L x (ν, λ) is L x (ω, µ)-smooth is L x (ν ω, λ(ν ω)/µ + o(1)). Let us analyze the complexity of the quadratic sieve. Let n be an integer and B = L n (ω, µ) a bound for smoothness. We are looking at smooth numbers f(x) y 2 (mod n) with f(x) n = L n (1, 1/2). We want to find π(b) relations (where π(b) is the number of primes smaller than B which is equivalent to B/ log(b) and we identify it with B). 12

13 We first look for the value of ω. The probability for an integer L n (1) to be B-smooth is P = L n (1 ω). If we try r times we find one with probability 1 (1 P ) r rp hence we need to take r = P 1. As we want at least B relations (to have a square matrix for the linear system), we will need to try rb (which is the parameter C above) relations hence the complexity is T = P 1 B = L n (1 ω)l n (ω) = L n (max(1 ω, ω)). This is minimal for 1 ω = ω = 1/2. We now determine µ. The probability for an integer L n (1, 1/2) to be B-smooth is P = L n (1/2, 1/(4µ)). and we still need to find T 1 = B/P = L n (1/2, µ + 1/(4µ)) relations, which is also the time we are going to spend on this part of the algorithm. Now we need also to care about the linear algebra part of the algorithm. For sparse matrices, compute the inverse of a matrix of size B can be done in B 2 operations. So we have T 2 = B 2 = L n (1/2, 2µ). and we need to find µ to minimize T 1 + T 2 L n (1/2, max(µ + 1/(4µ), 2µ)). One sees that we can take µ = 1/2. We find that B = L n (1/2, 1/2) and that T = L n (1/2, 1). Remark 4. For NFS, the heuristic running time is L n (1/3, (64/9) 1/3 ). 13