P1. Number-Theoretic Algorithms, Chapter 31, CLRS book.

Dec 27, 2015

Posted by Jeffry Casey
Page 1: P1. Number-Theoretic Algorithms Chapter 31, CLRS book.

Number-Theoretic Algorithms

Chapter 31, CLRS book

Page 2: Modular Arithmetic

Page 3: Integers

$a \mid b$: $a$ divides $b$; $a$ is a divisor of $b$.

$\gcd(a, b)$: greatest common divisor of $a$ and $b$.

Coprime or relatively prime: $\gcd(a, b) = 1$.

Euclid's algorithm: compute $\gcd(a, b)$.

Extended Euclid's algorithm: compute integers $x$ and $y$ such that $ax + by = \gcd(a, b)$.

Page 4: Integers modulo n

Let $n \ge 2$ be an integer.

Def: $a$ is congruent to $b$ modulo $n$, written $a \equiv b \pmod n$, if $n \mid (a - b)$, i.e., $a$ and $b$ have the same remainder when divided by $n$.

Note: the operator "$a \bmod n$" (the remainder) and the relation "$a \equiv b \pmod n$" are different things.

Def: $[a] = \{$ all integers congruent to $a$ modulo $n \}$.

$[a]$ is called a residue class modulo $n$, and $a$ is a representative of that class.

Page 5: Residue classes

There are exactly $n$ residue classes modulo $n$: $[0], [1], [2], \ldots, [n-1]$.

Note: "$\equiv \pmod n$" is an equivalence relation, whose equivalence classes are the residue classes.

If $x \in [a]$ and $y \in [b]$, then $x + y \in [a + b]$ and $xy \in [ab]$.

Define addition and multiplication for residue classes:

$[a] + [b] = [a + b]$

$[a] \cdot [b] = [ab]$.

Page 6: Group

A group, denoted by $(G, \circ)$, is a set $G$ with a binary operation $\circ : G \times G \to G$ such that

1. $\forall x, y \in G$, $x \circ y \in G$ (closure)

2. $\forall x, y, z \in G$, $(x \circ y) \circ z = x \circ (y \circ z)$ (associativity)

3. $\exists e \in G$ s.t. $\forall x \in G$, $x \circ e = e \circ x = x$ (identity)

4. $\forall x \in G$, $\exists y \in G$ s.t. $x \circ y = y \circ x = e$ (inverse)

A group $(G, \circ)$ is abelian if $\forall x, y \in G$, $x \circ y = y \circ x$.

Examples: $(\mathbb{Z}, +)$, $(\mathbb{Q}, +)$, $(\mathbb{Q} \setminus \{0\}, \cdot)$, $(\mathbb{R}, +)$, $(\mathbb{R} \setminus \{0\}, \cdot)$.

Page 7: The additive group Z_n

Define $\mathbb{Z}_n = \{[0], [1], \ldots, [n-1]\}$. Or, more conveniently, $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$.

$(\mathbb{Z}_n, +)$ forms an abelian additive group.

For $a, b \in \mathbb{Z}_n$, $a + b := (a + b) \bmod n$. (Or, $[a] + [b] = [a + b] = [(a + b) \bmod n]$.)

$0$ is the identity element.

The inverse of $a$, denoted by $-a$, is $n - a$.

When doing addition/subtraction in $\mathbb{Z}_n$, just do the regular addition/subtraction and reduce the result modulo $n$.

Exercise in $\mathbb{Z}_{10}$: combine $5, 9, 4, 6, 2, 8, 3$ with $+$ and $-$ and reduce the result modulo $10$.

Page 8: Multiplicative inverses in Z_n

$(\mathbb{Z}_n, \cdot)$ is not a group, because $0^{-1}$ does not exist.

Even if we exclude $0$ and consider only $\mathbb{Z}_n \setminus \{0\}$, $(\mathbb{Z}_n \setminus \{0\}, \cdot)$ is not necessarily a group; some $a^{-1}$ may not exist.

For $a \in \mathbb{Z}_n$, $a^{-1}$ exists if and only if $\gcd(a, n) = 1$.

Page 9: The multiplicative group Z_n^*

Let $\mathbb{Z}_n^* := \{a \in \mathbb{Z}_n : \gcd(a, n) = 1\}$.

$(\mathbb{Z}_n^*, \cdot)$ is an abelian multiplicative group.

$a \cdot b := ab \bmod n$. (Or, $[a] \cdot [b] = [ab] = [ab \bmod n]$.)

$1$ is the identity element.

The inverse of $a$, written $a^{-1}$, can be computed by the Extended Euclidean Algorithm.

For example, $\mathbb{Z}_{12}^* = \{1, 5, 7, 11\}$. $5 \cdot 7 = 35 \bmod 12 = 11$.

Q: How many elements are there in $\mathbb{Z}_n^*$?

Page 10: Euler's totient function

Euler's totient function: $\varphi(n) = |\mathbb{Z}_n^*| = |\{a : 1 \le a \le n \text{ and } \gcd(a, n) = 1\}|$.

Facts:

1. $\varphi(p^e) = p^{e-1}(p - 1)$ for prime $p$.

2. $\varphi(ab) = \varphi(a)\varphi(b)$ if $\gcd(a, b) = 1$.

Page 11: Order of a group and of an element

Let $G$ be a finite (multiplicative) group.

The order of $G$, $\mathrm{ord}(G)$, is the number of elements in $G$, $|G|$.

The order of $a \in G$, written $\mathrm{ord}(a)$, is the smallest positive integer $t$ such that $a^t = e$ ($e$ is the identity element).

Lagrange's theorem: For any element $a \in G$, $\mathrm{ord}(a) \mid \mathrm{ord}(G)$.

Corollary: For any element $a \in G$, $a^{\mathrm{ord}(G)} = e$.

Fermat's little theorem: If $a \in \mathbb{Z}_p^*$ ($p$ a prime), then $a^{p-1} = 1$ in $\mathbb{Z}_p^*$.

Euler's theorem: If $a \in \mathbb{Z}_n^*$ (for any $n > 1$), then $a^{\varphi(n)} = 1$ in $\mathbb{Z}_n^*$.

Page 12: Example: n = 15

$\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$.

$\varphi(15) = \varphi(3)\varphi(5) = 2 \cdot 4 = 8$.

$a \in \mathbb{Z}_{15}^*$:  1  2  4   7  8  11  13  14

$\mathrm{ord}(a)$:          1  4  2   4  4   2   4   2

$a^{-1}$:                   1  8  4  13  2  11   7  14

(Every order divides $\mathrm{ord}(\mathbb{Z}_{15}^*) = 8$, as Lagrange's theorem requires.)

Page 13: The Chinese Remainder Problem

• A problem described in an ancient Chinese arithmetic book, Sun Tzu Suan Ching, by Sun Tzu (around 300 AD; a different Sun Tzu from the author of The Art of War).

• Problem: We have a number of objects, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many objects are there?

Mathematically, if $x \equiv 2 \pmod 3$, $x \equiv 3 \pmod 5$, $x \equiv 2 \pmod 7$, what is $x$? (The smallest solution is $x = 23$; every solution is $\equiv 23 \pmod{105}$.)

Page 14: Chinese remainder theorem

If integers $n_1, n_2, \ldots, n_k$ are pairwise coprime, then the system of congruences

$x \equiv a_1 \pmod{n_1}$

$x \equiv a_2 \pmod{n_2}$

$\ldots$

$x \equiv a_k \pmod{n_k}$

has a unique solution modulo $N = n_1 n_2 \cdots n_k$:

$x = \sum_{i=1}^{k} a_i N_i y_i \bmod N$, where $N_i = N / n_i$ and $y_i = N_i^{-1} \bmod n_i$. (A formula by Gauss.)

Page 15: Example: Chinese remainder theorem

Suppose

$x \equiv 1 \pmod 3$

$x \equiv 6 \pmod 7$

$x \equiv 8 \pmod{10}$

By the Chinese remainder theorem ($N = 210$, $N_1 = 70$, $N_2 = 30$, $N_3 = 21$), the solution is:

$x = 1 \cdot 70 \cdot (70^{-1} \bmod 3) + 6 \cdot 30 \cdot (30^{-1} \bmod 7) + 8 \cdot 21 \cdot (21^{-1} \bmod 10)$

$= 1 \cdot 70 \cdot (1^{-1} \bmod 3) + 6 \cdot 30 \cdot (2^{-1} \bmod 7) + 8 \cdot 21 \cdot (1^{-1} \bmod 10)$

$= 1 \cdot 70 \cdot 1 + 6 \cdot 30 \cdot 4 + 8 \cdot 21 \cdot 1 \pmod{210}$

$= 958 \bmod 210$

$= 118 \pmod{210}$.

Page 16: Another version of CRT

Let $N = n_1 n_2 \cdots n_k$, where the $n_i$ are pairwise coprime.

There is a one-to-one correspondence $\chi : \mathbb{Z}_N \leftrightarrow \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$:

$a \leftrightarrow (a_1, a_2, \ldots, a_k)$, where $a \in \mathbb{Z}_N$ and $a_i = a \bmod n_i$.

$\chi(x + y) = \chi(x) + \chi(y)$.

$\chi(xy) = \chi(x)\chi(y)$.

For math students: $\chi$ is a ring isomorphism.

Page 17: Chinese remainder theorem (mapping form)

Let $N = n_1 n_2 \cdots n_k$, where $n_1, n_2, \ldots, n_k$ are pairwise coprime.

Define a mapping

$\chi : \mathbb{Z}_N \to \mathbb{Z}_{n_1} \times \mathbb{Z}_{n_2} \times \cdots \times \mathbb{Z}_{n_k}$

$\chi(x) = (x \bmod n_1, x \bmod n_2, \ldots, x \bmod n_k)$.

Then,

$\chi$ is bijective (one-to-one and onto).

$\chi(x + y) = \chi(x) + \chi(y)$.

$\chi(xy) = \chi(x)\chi(y)$.

Page 18: Computing in Z_N via the components

Computations in $\mathbb{Z}_N$ can be done by performing the corresponding computations in $\mathbb{Z}_{n_1}, \mathbb{Z}_{n_2}, \ldots, \mathbb{Z}_{n_k}$, and then solving the CRP.

If $a \leftrightarrow (a_1, a_2, \ldots, a_k)$ and $b \leftrightarrow (b_1, b_2, \ldots, b_k)$, then

$a + b \leftrightarrow (a_1 + b_1 \bmod n_1, \ldots, a_k + b_k \bmod n_k)$,

$a \cdot b \leftrightarrow (a_1 b_1 \bmod n_1, \ldots, a_k b_k \bmod n_k)$,

$a^{-1} \leftrightarrow (a_1^{-1} \bmod n_1, \ldots, a_k^{-1} \bmod n_k)$ if $a \in \mathbb{Z}_N^*$.

Page 19: Example: Chinese remainder theorem

$\mathbb{Z}_{15}^* \leftrightarrow \mathbb{Z}_3^* \times \mathbb{Z}_5^*$ (and likewise $\mathbb{Z}_{15} \leftrightarrow \mathbb{Z}_3 \times \mathbb{Z}_5$).

$8 \leftrightarrow (8 \bmod 3, 8 \bmod 5) = (2, 3)$

$11 \leftrightarrow (11 \bmod 3, 11 \bmod 5) = (2, 1)$

Suppose we want to compute $8 \cdot 11 \bmod 15$.

$8 \cdot 11 \bmod 15 \leftrightarrow (2 \cdot 2 \bmod 3, 3 \cdot 1 \bmod 5) = (1, 3)$.

$(1, 3) \leftrightarrow x$? (Which number in $\mathbb{Z}_{15}$ corresponds to $(1, 3)$?)

Solve $x \equiv 1 \pmod 3$, $x \equiv 3 \pmod 5$: $x = 13$. Indeed $8 \cdot 11 = 88 = 5 \cdot 15 + 13$.
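
Gauss's formula of page 14 and the componentwise computation of pages 18-19, as an added worked example (not part of the original slides). `crt` implements $x = \sum a_i N_i y_i \bmod N$, taking the inverses from Python's `pow(x, -1, m)` (Python 3.8 or later), and refuses moduli that are not pairwise coprime, since then the system may have no solution or several; `mul_via_crt` multiplies in $\mathbb{Z}_N$ through the components exactly as on page 19. The function names are mine.

```python
from math import gcd, prod


def crt(residues, moduli):
    """Gauss's formula: x = sum(a_i * N_i * y_i) mod N, with N_i = N / n_i and
    y_i = N_i^{-1} mod n_i.  Raises ValueError unless the moduli are pairwise
    coprime (otherwise there may be no solution, or more than one mod N)."""
    if len(residues) != len(moduli):
        raise ValueError("need one residue per modulus")
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError(f"moduli {moduli[i]} and {moduli[j]} are not coprime")
    big_n = prod(moduli)
    x = 0
    for a_i, n_i in zip(residues, moduli):
        n_hat = big_n // n_i                 # N_i
        y_i = pow(n_hat, -1, n_i)            # N_i^{-1} mod n_i (Python >= 3.8)
        x += a_i * n_hat * y_i
    return x % big_n


def to_components(x, moduli):
    """The CRT map chi: Z_N -> Z_{n_1} x ... x Z_{n_k}."""
    return tuple(x % n for n in moduli)


def mul_via_crt(a, b, moduli):
    """Multiply a and b in Z_N by multiplying the components, then map back with crt()."""
    products = [(x * y) % n
                for x, y, n in zip(to_components(a, moduli), to_components(b, moduli), moduli)]
    return crt(products, moduli)


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))        # Sun Tzu's problem: 23
    print(crt([1, 6, 8], [3, 7, 10]))       # page 15: 118
    print(mul_via_crt(8, 11, [3, 5]))       # page 19: 13
```

The componentwise route is what makes the CRT speed-up of RSA decryption work later in the slides: a long computation modulo $N$ becomes several shorter ones modulo the $n_i$, plus one recombination.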

Page 20: Algorithms

$\gcd(a, b)$

$a^{-1} \bmod n$

$a^k \bmod n$

Running time: $O(\log^3 n)$ bit operations for each (with schoolbook multiplication).

Page 21: Euclidean Algorithm

Comment: compute $\gcd(a, b)$, where $a > b \ge 1$.

$r_0 := a$

$r_1 := b$

for $i := 1, 2, \ldots$ until $r_{i+1} = 0$

    $r_{i+1} := r_{i-1} \bmod r_i$

return $r_i$

Running time: $O(\log a)$ iterations; $O(\log^2 a)$ time for each mod.

Overall running time: $O(\log^3 a)$.

Page 22: Extended Euclidean Algorithm

Given $a > b > 0$, compute $x, y$ such that $\gcd(a, b) = ax + by$.

Example: $\gcd(299, 221) = ?$

$299 = 1 \cdot 221 + 78$

$221 = 2 \cdot 78 + 65$

$78 = 1 \cdot 65 + 13$

$65 = 5 \cdot 13 + 0$

$\gcd(299, 221) = 13$.

Back-substitute:

$13 = 78 - 65 = 78 - (221 - 2 \cdot 78) = 3 \cdot 78 - 221 = 3 \cdot (299 - 221) - 221 = 3 \cdot 299 - 4 \cdot 221$.

So $x = 3$, $y = -4$: $3 \cdot 299 - 4 \cdot 221 = 897 - 884 = 13$.

Page 23: How to compute a^{-1}?

Compute $a^{-1}$ in $\mathbb{Z}_n^*$.

$a^{-1}$ exists if and only if $\gcd(a, n) = 1$.

Use the extended Euclidean algorithm to find $x, y$ such that $ax + ny = \gcd(a, n) = 1$ (in $\mathbb{Z}$).

$[a][x] + [n][y] = [1]$

$[a][x] = [1]$ (since $[n] = [0]$)

$[a]^{-1} = [x]$, i.e., $a^{-1} = x \bmod n$.

Note: may omit $[\,]$, but reduce everything modulo $n$.

Page 24: Example

Compute $15^{-1} \bmod 47$.

$47 = 15 \cdot 3 + 2$ (divide 47 by 15; remainder 2)

$15 = 2 \cdot 7 + 1$ (divide 15 by 2; remainder 1)

$1 = 15 - 2 \cdot 7 \pmod{47}$

$= 15 - (47 - 15 \cdot 3) \cdot 7 \pmod{47}$

$= 15 \cdot 22 - 47 \cdot 7 \pmod{47}$

$= 15 \cdot 22 \pmod{47}$

$15^{-1} \bmod 47 = 22$. That is, $15^{-1} = 22$ in $\mathbb{Z}_{47}^*$.
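
The Euclidean table of page 22 and the inverse computation of pages 23-24, as an added example (not part of the original slides). `extended_gcd` is the iterative form of the algorithm: instead of back-substituting at the end, it carries along how each remainder is expressed in terms of the original $a$ and $b$. `mod_inverse` refuses the case $\gcd(a, n) \ne 1$, which is the check a caller must not skip. Function names are mine.

```python
def euclid_steps(a, b):
    """Division steps of Euclid's algorithm as (dividend, divisor, quotient, remainder)
    rows, for a > b >= 1; the last nonzero remainder is gcd(a, b)."""
    rows = []
    while b != 0:
        q, r = divmod(a, b)
        rows.append((a, b, q, r))
        a, b = b, r
    return rows


def extended_gcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b).

    The pairs (old_x, x) and (old_y, y) track how the current pair of remainders
    is written as a combination of the original a and b, so the back-substitution
    of the slides happens as the remainders are produced."""
    old_r, r = a, b
    old_x, x = 1, 0
    old_y, y = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """a^{-1} mod n, or ValueError when gcd(a, n) != 1 (no inverse exists)."""
    g, x, _ = extended_gcd(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd({a}, {n}) = {g}")
    return x % n            # x may be negative; reduce it into Z_n


if __name__ == "__main__":
    for dividend, divisor, q, r in euclid_steps(299, 221):
        print(f"{dividend} = {q} * {divisor} + {r}")
    print(extended_gcd(299, 221))   # (13, 3, -4): 3*299 - 4*221 = 13
    print(mod_inverse(15, 47))      # 22
```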

Page 25: Algorithm: Square-and-Multiply(x, c, n)

Comment: compute $x^c \bmod n$, where $c = c_k c_{k-1} \cdots c_1 c_0$ in binary.

$z := 1$

for $i := k$ downto $0$ do

    $z := z^2 \bmod n$

    if $c_i = 1$ then $z := z \cdot x \bmod n$

return $z$

Note: At the end of iteration $i$, $z = x^{(c_k c_{k-1} \cdots c_i)_2}$.

Page 26: Example: 11^23 mod 187

$23 = 10111_2$.

$z := 1$

$b = 1$: $z = 1^2 \cdot 11 \bmod 187 = 11$ (square and multiply)

$b = 0$: $z = 11^2 \bmod 187 = 121$ (square)

$b = 1$: $z = 121^2 \cdot 11 \bmod 187 = 44$ (square and multiply)

$b = 1$: $z = 44^2 \cdot 11 \bmod 187 = 165$ (square and multiply)

$b = 1$: $z = 165^2 \cdot 11 \bmod 187 = 88$ (square and multiply)

So $11^{23} \bmod 187 = 88$.
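
The algorithm of page 25 with the trace of page 26, as an added example (not part of the original slides). The `if` on each exponent bit is the kind of data-dependent behaviour that timing attacks on RSA exploit, so a second routine shows the Montgomery ladder, which performs one squaring and one multiplication per bit whatever the bit is (a genuinely constant-time implementation also needs branch-free selection, which plain Python does not offer). Function names are mine.

```python
def square_and_multiply(x, c, n, trace=None):
    """x^c mod n, scanning the bits of c from the most significant one down
    (page 25).  If a list is passed as `trace`, the value of z after every
    iteration is appended, which reproduces the table on page 26."""
    if c < 0:
        raise ValueError("exponent must be non-negative")
    z = 1 % n
    for bit in bin(c)[2:]:          # '10111' for c = 23, most significant bit first
        z = (z * z) % n             # square
        if bit == "1":
            z = (z * x) % n         # multiply
        if trace is not None:
            trace.append(z)
    return z


def montgomery_ladder(x, c, n):
    """x^c mod n with the invariant r1 = r0 * x: every bit costs exactly one
    squaring and one multiplication, so the operation count does not depend on c."""
    r0, r1 = 1 % n, x % n
    for bit in bin(c)[2:]:
        if bit == "1":
            r0, r1 = (r0 * r1) % n, (r1 * r1) % n
        else:
            r0, r1 = (r0 * r0) % n, (r0 * r1) % n
    return r0


if __name__ == "__main__":
    steps = []
    print(square_and_multiply(11, 23, 187, steps), steps)   # 88 [11, 121, 44, 165, 88]
    print(montgomery_ladder(11, 23, 187))                   # 88
```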

Page 27: The RSA Cryptosystem

Page 28: The RSA Cryptosystem

By Rivest, Shamir & Adleman of MIT in 1977.

Best known and most widely used public-key scheme.

Based on the (assumed) one-way property of modular powering:

$f : x \mapsto x^e \bmod n$ (easy)

$f^{-1} : x^e \bmod n \mapsto x$ (hard)

In turn based on the hardness of integer factorization.

Page 29: Idea behind RSA

It works in the group $\mathbb{Z}_n^*$. Let $x \in \mathbb{Z}_n^*$ be a message.

Encryption (easy): $x \mapsto x^e$.

Decryption (hard): $x^e \mapsto x$.

Looking for a "trapdoor" $d$: $(x^e)^d = x$.

If $d$ is a number such that $ed \equiv 1 \pmod{\varphi(n)}$, then $ed = k\varphi(n) + 1$ for some $k$, and

$(x^e)^d = x^{ed} = x^{k\varphi(n) + 1} = (x^{\varphi(n)})^k \cdot x = 1^k \cdot x = x$ (Euler's theorem).

Page 30: RSA Cryptosystem

Key generation:

(a) Choose large primes $p$ and $q$, and let $n := pq$.

(b) Choose $e$ ($1 < e < \varphi(n)$) coprime to $\varphi(n)$, and compute $d := e^{-1} \bmod \varphi(n)$. (So $ed \equiv 1 \pmod{\varphi(n)}$.)

(c) Public key: $pk = (n, e)$. Secret key: $sk = (n, d)$.

Encryption: $E(x) := x^e \bmod n$, where $x \in \mathbb{Z}_n^*$.

Decryption: $D(y) := y^d \bmod n$, where $y \in \mathbb{Z}_n^*$.

Page 31: Why RSA works

The setting of RSA is the group $(\mathbb{Z}_n^*, \cdot)$.

In the group $\mathbb{Z}_n^*$, for any $x \in \mathbb{Z}_n^*$, we have $x^{\varphi(n)} = 1$.

We have chosen $e, d$ such that $ed \equiv 1 \pmod{\varphi(n)}$, i.e., $ed = k\varphi(n) + 1$ for some positive integer $k$.

For $x \in \mathbb{Z}_n^*$, $(x^e)^d = x^{ed} = x^{k\varphi(n) + 1} = (x^{\varphi(n)})^k \cdot x = x$.

Page 32: What if x ∈ Z_n \ Z_n^*?

RSA still works, but it is not secure (such an $x$ reveals a factor of $n$; see the remarks on page 45).

$\gcd(x, n) \ne 1 \Rightarrow p \mid x$ or $q \mid x$.

Say $p \mid x$ (and $x \ne 0$, so $q \nmid x$). Then $x \equiv 0 \pmod p$ and $x^{ed} \equiv 0 \equiv x \pmod p$. Also, with $ed = k\varphi(n) + 1 = k(p-1)(q-1) + 1$,

$x^{ed} = x^{k(p-1)(q-1) + 1} = (x^{q-1})^{k(p-1)} \cdot x \equiv x \pmod q$ (Fermat's little theorem in $\mathbb{Z}_q^*$).

By CRT, $x^{ed} \equiv x \pmod n$, i.e., $D(E(x)) = x$.

Page 33: RSA Example: Key Setup

Select two primes: $p = 17$, $q = 11$.

Compute the modulus $n = pq = 187$.

Compute $\varphi(n) = (p - 1)(q - 1) = 160$.

Select $e$ between $1$ and $160$ such that $\gcd(e, 160) = 1$. Say $e = 7$.

Compute $d = e^{-1} \bmod \varphi(n) = 7^{-1} \bmod 160 = 23$ (using the extended Euclidean algorithm; check: $7 \cdot 23 = 161 \equiv 1 \pmod{160}$).

Public key: $pk = (e, n) = (7, 187)$.

Secret key: $sk = (d, n) = (23, 187)$.

Page 34: RSA Example: Encryption & Decryption

Suppose $m = 88$.

Encryption: $c = m^e \bmod n = 88^7 \bmod 187 = 11$.

Decryption: $m = c^d \bmod n = 11^{23} \bmod 187 = 88$.

When computing $11^{23} \bmod 187$, we do not first compute $11^{23}$ and then reduce it modulo 187.

Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.

Page 35: Encryption Key

To speed up encryption, small values are usually used for $e$.

Popular choices are $3$, $17 = 2^4 + 1$, $65537 = 2^{16} + 1$.

These values have only two 1's in their binary representation (so square-and-multiply needs only two multiplications besides the squarings).

There is an interesting attack on small $e$.

Page 36: Decryption Key

One may be tempted to use a small $d$ to speed up decryption.

Unfortunately, that is risky.

Wiener's attack: If $d < \frac{1}{3} n^{1/4}$ and $q < p < 2q$, then the decryption exponent $d$ can be computed from $(n, e)$.

CRT can be used to speed up decryption.
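
Wiener's condition above, as an added example (not part of the original slides) of the standard continued-fraction method from Wiener's 1990 paper: under that condition $k/d$ is one of the convergents of $e/n$ (where $ed = 1 + k\varphi(n)$), so walking the convergents, recovering a candidate $\varphi(n)$ from each and checking whether it yields integer $p, q$ finds $d$. The key below is a toy instance I constructed with $p = 10009$, $q = 10007$ and $d = 31 < \frac{1}{3}n^{1/4} \approx 33.3$; function names are mine.

```python
from math import isqrt


def continued_fraction(num, den):
    """Partial quotients [a0; a1, a2, ...] of num/den."""
    quotients = []
    while den:
        q, r = divmod(num, den)
        quotients.append(q)
        num, den = den, r
    return quotients


def convergents(quotients):
    """Successive convergents h/k of a continued fraction (standard recurrence)."""
    h_prev, h = 0, 1
    k_prev, k = 1, 0
    for q in quotients:
        h_prev, h = h, q * h + h_prev
        k_prev, k = k, q * k + k_prev
        yield h, k


def wiener_attack(n, e):
    """Recover a small private exponent from (n, e).  For the right convergent k/d of
    e/n we have e*d - 1 = k*phi(n); a candidate phi is accepted only if p and q come
    out as integer roots of z^2 - (n - phi + 1) z + n.  Returns (d, p, q) or None."""
    for k, d in convergents(continued_fraction(e, n)):
        if k == 0 or (e * d - 1) % k != 0:
            continue
        phi = (e * d - 1) // k
        s = n - phi + 1                   # = p + q if phi is the real phi(n)
        disc = s * s - 4 * n              # = (p - q)^2
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root == disc and (s + root) % 2 == 0:
            p, q = (s + root) // 2, (s - root) // 2
            if p * q == n:
                return d, p, q
    return None


def toy_small_d_key(p, q, d):
    """Constructed test instance: (n, e) whose private exponent is the given small d."""
    phi = (p - 1) * (q - 1)
    return p * q, pow(d, -1, phi)         # Python >= 3.8 for the modular inverse


if __name__ == "__main__":
    n, e = toy_small_d_key(10009, 10007, 31)
    print(wiener_attack(n, e))            # (31, 10009, 10007)
```

The lesson for key generation is the one the slide draws: choose $e$ small if speed matters, never $d$; with a 2048-bit $n$ any $d$ below roughly $2^{510}$ is already inside Wiener's bound.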

Page 37: Speeding up Decryption by CRT

Decryption: $m = c^d \bmod n$ (i.e., compute $c^d$ in $\mathbb{Z}_n^*$). Time: $O(\log^3 n)$.

Instead of computing $m$ directly, we compute

$c_1 := c \bmod p$, and $c_2 := c \bmod q$,

$d_1 := d \bmod (p - 1)$, and $d_2 := d \bmod (q - 1)$,

$x_1 := c_1^{d_1} \bmod p$, and $x_2 := c_2^{d_2} \bmod q$,

and recover the plaintext by solving

$m \equiv x_1 \pmod p$

$m \equiv x_2 \pmod q$.

Time: $1/4$ of the direct computation (two exponentiations of half the size, each costing $1/8$).

If $n = p_1 p_2 \cdots p_t$, this will speed up even more.
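
The key setup, encryption and decryption of pages 30 and 33-34 and the CRT decryption of page 37, as an added example (not part of the original slides). Inverses come from Python's `pow(x, -1, m)`, and the recombination of $x_1, x_2$ uses Garner's form of the CRT for two moduli; the `key` dictionary layout and function names are mine. `leaked_factor` demonstrates the remark of page 45 that a message outside $\mathbb{Z}_n^*$ shares a factor with $n$.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key setup (page 30) from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                     # e^{-1} mod phi(n) (Python >= 3.8)
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def encrypt(key, m):
    """E(m) = m^e mod n."""
    if not 0 <= m < key["n"]:
        raise ValueError("message must be an element of Z_n")
    return pow(m, key["e"], key["n"])


def decrypt(key, c):
    """D(c) = c^d mod n: one full-size exponentiation."""
    return pow(c, key["d"], key["n"])


def decrypt_crt(key, c):
    """Decryption with the CRT speed-up of page 37: two half-size exponentiations
    modulo p and q, then solve m = x1 (mod p), m = x2 (mod q)."""
    p, q, d = key["p"], key["q"], key["d"]
    x1 = pow(c % p, d % (p - 1), p)
    x2 = pow(c % q, d % (q - 1), q)
    # Garner's recombination: m = x1 + p * ((x2 - x1) * p^{-1} mod q), which lies in [0, n)
    h = ((x2 - x1) * pow(p, -1, q)) % q
    return x1 + p * h


def leaked_factor(key, m):
    """Page 45's remark: a message outside Z_n^* shares a factor with n, and so does
    its ciphertext.  Returns that factor, or 1 when m is in Z_n^*."""
    return gcd(encrypt(key, m), key["n"])


if __name__ == "__main__":
    key = rsa_keygen(17, 11, 7)             # page 33: n = 187, d = 23
    c = encrypt(key, 88)                    # page 34: 11
    print(c, decrypt(key, c), decrypt_crt(key, c))
    print(leaked_factor(key, 88))           # 11: the slides' own message 88 = 8 * 11 is outside Z_187^*
```

Note that the slides' message $88 = 8 \cdot 11$ is itself not in $\mathbb{Z}_{187}^*$, and decryption still recovers it, exactly as page 32 argues. Textbook RSA as written here is deterministic and multiplicatively malleable (the chosen-ciphertext attacks of page 39); real deployments add a padding scheme before exponentiation.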

Page 38: Attacks on RSA

Page 39: Attacks on RSA

Four categories of attacks on RSA:

brute-force key search (infeasible given the large key space)

mathematical attacks

timing attacks

chosen ciphertext attacks

Page 40: Mathematical Attacks

Factor $n$ into $pq$. Then $\varphi(n) = (p - 1)(q - 1)$ and $d = e^{-1} \bmod \varphi(n)$ can be calculated easily.

Determine $\varphi(n)$ directly. Equivalent to factoring $n$: knowing $\varphi(n)$ will enable us to factor $n$ by solving $n = pq$, $\varphi(n) = (p - 1)(q - 1)$ (so $p + q = n - \varphi(n) + 1$, and $p, q$ are the roots of $z^2 - (n - \varphi(n) + 1)z + n = 0$).

Determine $d$ directly. If $d$ is known, $n$ can be factored with high probability.

Page 41: Integer Factorization

A difficult problem, assumed to be infeasible.

More and more efficient algorithms have been developed.

In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key ($n$) of 129 digits (426 bits).

Prize: $100. RSA thought it would take quadrillion years to break the code using the fastest algorithms and computers of that time. Solved in 1994.

In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.

Page 42: RSA Numbers

Each RSA number is a semiprime. (A number is semiprime if it is the product of two primes.)

There are two labeling schemes.

By the number of decimal digits: RSA-100, ..., RSA-500, RSA-617.

By the number of bits: RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

Page 43: RSA Numbers which have been factored

RSA-100 (330 bits), 1991, 7 MIPS-years, Quadratic Sieve.

RSA-110 (364 bits), 1992, 75 MIPS-years, QS.

RSA-120 (397 bits), 1993, 830 MIPS-years, QS.

RSA-129 (426 bits), 1994, 5000 MIPS-years, QS.

RSA-130 (430 bits), 1996, 1000 MIPS-years, GNFS.

RSA-140 (463 bits), 1999, 2000 MIPS-years, GNFS.

RSA-155 (512 bits), 1999, 8000 MIPS-years, GNFS.

RSA-160 (530 bits), 2003, Lattice Sieve.

RSA-576 (174 digits), 2003, Lattice Sieve.

RSA-640 (193 digits), 2005, Lattice Sieve.

RSA-200 (663 bits), 2005, Lattice Sieve.

Page 44: RSA-200

RSA-200 =

27,997,833,911,221,327,870,829,467,638,

722,601,621,070,446,786,955,428,537,560,

009,929,326,128,400,107,609,345,671,052,

955,360,856,061,822,351,910,951,365,788,

637,105,954,482,006,576,775,098,580,557,

613,579,098,734,950,144,178,863,178,946,

295,187,237,869,221,823,983.

Page 45: Remarks

In light of current factorization technologies, RSA recommends 1024-2048 bits.

If a message $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$, RSA works, but:

Since $\gcd(m, n) \ne 1$, the sender can factor $n$.

Since $\gcd(m^e \bmod n, n) \ne 1$, the adversary can factor $n$, too.

Question: how likely is $m \in \mathbb{Z}_n \setminus \mathbb{Z}_n^*$? (There are $p + q - 1$ such $m$ among the $n = pq$ elements of $\mathbb{Z}_n$, so for a random $m$ the probability is $(p + q - 1)/pq$, negligible for large $p, q$.)

Page 46: Generating large primes

To set up an RSA cryptosystem, we need two large primes $p$ and $q$.

Page 47: How many prime numbers are there?

Infinitely many. First proved by Euclid:

• Assume only a finite number of primes $p_1, p_2, \ldots, p_n$.

• Let $M = p_1 p_2 \cdots p_n + 1$.

• $M$ is not a prime, because $M > p_i$, $1 \le i \le n$.

• So, $M$ is composite and has a prime factor $p_i$ for some $i$.

• $p_i \mid M$ and $p_i \mid (M - 1) \Rightarrow p_i \mid 1$, contradiction.

Page 48: Distribution of Prime Numbers

The Prime Number Theorem: Let $\pi(x)$ denote the number of primes $\le x$. Then $\pi(x) \approx \dfrac{x}{\ln x}$ for large $x$.

Dirichlet's Theorem: For $b \in \mathbb{Z}_n^*$, let $\pi_{n,b}(x)$ denote the number of primes $y$ such that $y \le x$ and $y \equiv b \pmod n$. Then $\pi_{n,b}(x) \approx \dfrac{1}{\varphi(n)} \cdot \dfrac{x}{\ln x}$ for large $x$.

Page 49: How to generate a large prime number?

Generate a random odd number $n$ of the desired size.

Test if $n$ is prime.

If not, discard it and try a different number.

Q: How many numbers are expected to be tested before a prime is found? (By the Prime Number Theorem, a random number near $n$ is prime with probability about $1/\ln n$, so about $(\ln n)/2$ odd candidates are needed.)

Page 50: Primality test: Is n a prime?

Can it be solved in polynomial time?

A long-standing open problem until 2002.

AKS (Agrawal, Kayal, Saxena): $\tilde{O}(\log^{12} n)$.

Later improved by others to $\tilde{O}(\log^{10.5} n)$, and then to $\tilde{O}(\log^6 n)$.

In practice, Miller-Rabin's probabilistic algorithm is still the most popular: much faster, $O(\log^3 n)$.

Page 51: Miller-Rabin primality test: Is n a prime?

Looking for a characteristic property $P$ of prime numbers:

$n$ is prime $\Rightarrow$ $\forall a \in \mathbb{Z}_n^*$, $P(a) = $ true.

$n$ is prime $\Leftarrow$ $\forall a \in \mathbb{Z}_n^*$, $P(a) = $ true. ($P$ = what?)

$n$ is not prime $\Rightarrow$ $\exists$ elements $a \in \mathbb{Z}_n^*$ with $P(a) = $ false.

Check $P(a)$ for $t$ random elements $a \in \mathbb{Z}_n^*$. If $P(a)$ is true for all of them, return "prime"; else return "composite".

A "prime" answer may be incorrect, with probability $p(n, t)$.

If $|\{a \in \mathbb{Z}_n^* : P(a) = \text{false}\}| \ge \frac{1}{2}|\mathbb{Z}_n^*|$, then $p(n, t) \le \frac{1}{2^t}$.

Page 52: (Diagram) If $n$ is prime, then for all $a \in \mathbb{Z}_n^*$, $P(a)$ is true: the whole of $\mathbb{Z}_n^*$ is the region "$P(a) = $ true".

Page 53: (Diagram) If $n$ is not prime, then there are elements $a \in \mathbb{Z}_n^*$ such that $P(a) = $ false; these are called strong witnesses. $\mathbb{Z}_n^*$ splits into the region "$P(a) = $ true" and the region "$P(a) = $ false".

Page 54: Looking for P(a)

How about $P(a) := (a^{n-1} \equiv 1 \pmod n)$?

Fermat's little theorem: If $n$ is prime, then $\forall a \in \mathbb{Z}_n^*$, $a^{n-1} \equiv 1 \pmod n$.

If $n$ is not prime, there may be no strong witnesses. (Carmichael numbers: composite numbers $n$ for which $a^{n-1} \equiv 1 \pmod n$ for all $a \in \mathbb{Z}_n^*$; the smallest is $561 = 3 \cdot 11 \cdot 17$.)

Need to refine the condition $a^{n-1} \equiv 1 \pmod n$.

Page 55: Refining the condition

Fact: if $n > 2$ is prime, then $1$ has exactly two square roots in $\mathbb{Z}_n^*$, namely $\pm 1$.

Write $n - 1 = 2^k u$, where $u$ is odd.

If $n$ is prime, then $\forall a \in \mathbb{Z}_n^*$, $a^{n-1} \equiv 1 \pmod n$ (Fermat's little theorem), and moreover

$a^u \equiv 1 \pmod n$, or $a^{2^i u} \equiv -1 \pmod n$ for some $i$, $0 \le i \le k - 1$.

Why? Consider the sequence $a^u, a^{2u}, a^{4u}, \ldots, a^{2^{k-1}u}, a^{2^k u}$. Each term is the square of the previous one and the last term is $1$. Going backwards from the end, the first term that is not $1$ is a square root of $1$, hence $-1$; if every term is $1$, then $a^u \equiv 1$.

So define $P(a) := (a^u \equiv 1 \pmod n$, or $a^{2^i u} \equiv -1 \pmod n$ for some $0 \le i \le k - 1)$. Then $n$ prime $\Rightarrow \forall a \in \mathbb{Z}_n^*$, $P(a) = $ true.

Page 56: If n is not prime, do strong witnesses always exist?

Loosely speaking, yes: if $n$ is an odd composite and not a prime power, then at least one half of the elements $a \in \mathbb{Z}_n^*$ are strong witnesses.

A composite number $n$ is a prime power if $n = p^e$ for some prime $p$ and integer $e \ge 2$. (A perfect power if $n = k^e$ for some integer $k$ and $e \ge 2$.)

Page 57: Theorem

If $n$ is an odd composite and not a prime power, then at least one half of the elements $a \in \mathbb{Z}_n^*$ are strong witnesses.

Sketch of proof: The set of non-strong-witnesses (the strong liars) is contained in a proper subgroup $A$ of $\mathbb{Z}_n^*$. So $\mathrm{ord}(A) < \mathrm{ord}(\mathbb{Z}_n^*)$ and $\mathrm{ord}(A) \mid \mathrm{ord}(\mathbb{Z}_n^*)$ (Lagrange). So $\mathrm{ord}(A) \le \frac{1}{2}\mathrm{ord}(\mathbb{Z}_n^*)$.

Page 58: Algorithm: Miller-Rabin primality test

Input: integer $n > 2$ and parameter $t$

Output: a decision as to whether $n$ is prime or composite

1. if $n$ is even, return "composite"

2. if $n$ is a perfect power, return "composite"

3. for $i := 1$ to $t$ do

    choose a random integer $a$, $2 \le a \le n - 1$

    if $\gcd(a, n) \ne 1$, return "composite"

    if $a$ is a strong witness, return "composite"

4. return "prime"

Page 59: Analysis: Miller-Rabin primality test

If the algorithm answers "composite", it is always correct.

If the algorithm answers "prime", it may or may not be correct.

The algorithm gives a wrong answer if $n$ is composite but the algorithm fails to find a strong witness in $t$ iterations.

This may happen with probability at most $2^{-t}$.

Actually, at most $4^{-t}$, by a more sophisticated analysis.
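
The Miller-Rabin algorithm of page 58 together with the prime-generation loop of page 49, as an added example (not part of the original slides). `is_strong_witness` is the negation of the predicate $P(a)$ of page 55; `miller_rabin` follows steps 1-4, drawing $a$ from $2 \le a \le n-2$ (the value $a = n-1$ allowed by step 3 can never be a witness, so it is skipped); the Carmichael number $561$ of page 54 shows a base that passes Fermat's test yet is a strong witness. Function names and the default $t = 20$ are mine.

```python
import random
from math import gcd


def is_perfect_power(n):
    """Step 2: True if n = k^e for integers k >= 2, e >= 2 (integer e-th root by bisection)."""
    for e in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // e + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            v = mid ** e
            if v == n:
                return True
            if v < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def is_strong_witness(n, a):
    """True if a proves the odd number n composite: with n - 1 = 2^k u (u odd),
    a^u != 1 and a^(2^i u) != -1 (mod n) for every 0 <= i < k.  This is "not P(a)"."""
    u, k = n - 1, 0
    while u % 2 == 0:
        u //= 2
        k += 1
    x = pow(a, u, n)
    if x == 1 or x == n - 1:
        return False
    for _ in range(k - 1):
        x = (x * x) % n
        if x == n - 1:
            return False
    return True


def miller_rabin(n, t=20, rng=random.SystemRandom()):
    """Steps 1-4 of page 58.  A "composite" answer is certain; a "prime" answer is
    wrong with probability at most 4^-t."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0 or is_perfect_power(n):
        return False
    for _ in range(t):
        a = rng.randrange(2, n - 1)              # 2 <= a <= n - 2
        if gcd(a, n) != 1 or is_strong_witness(n, a):
            return False
    return True


def fermat_passes(n, a):
    """The weaker test of page 54: a^(n-1) = 1 (mod n)."""
    return pow(a, n - 1, n) == 1


def generate_prime(bits, rng=random.SystemRandom()):
    """Page 49: random odd candidates with the top bit set until Miller-Rabin accepts one.
    Returns (prime, number of candidates tested)."""
    tested = 0
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        tested += 1
        if miller_rabin(n, rng=rng):
            return n, tested


if __name__ == "__main__":
    print(fermat_passes(561, 2), is_strong_witness(561, 2))   # True True: Fermat fooled, Miller-Rabin not
    print(generate_prime(256))
```

Use a cryptographic source such as `random.SystemRandom` for the bases and the candidates; a predictable base sequence would let an adversary craft composites that pass every check, and a predictable candidate sequence is a predictable key.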

Page 60: Monte Carlo algorithms

A Monte Carlo algorithm is a probabilistic algorithm which always gives an answer, but sometimes the answer may be incorrect.

A Monte Carlo algorithm for a decision problem is yes-biased if its "yes" answer is always correct but a "no" answer may be incorrect with some error probability.

A $t$-iteration Miller-Rabin is a "composite"-biased Monte Carlo algorithm with error probability at most $1/4^t$.

Page 61: Las Vegas algorithms

A Las Vegas algorithm is a probabilistic algorithm which may sometimes fail to give an answer, but never gives an incorrect one.

A Las Vegas algorithm can be converted into a Monte Carlo algorithm (answer arbitrarily whenever it fails).

Page 62: Integer Factorization

Reference on quadratic sieve:

http://blogs.msdn.com/b/devdev/archive/2006/06/19/637332.aspx

Page 63: Fermat's Method

Difference of squares.

To factor $n$, find an $a$ such that $a^2 - n$ is a square, say $b^2$.

Then, $n = a^2 - b^2 = (a - b)(a + b)$.

Search for $a$ starting from $\lceil \sqrt{n} \rceil$.

Example: Suppose $n = 5959$. Then $\lceil \sqrt{n} \rceil = 78$.

$a^2 - n$ is not a square for $a = 78$ and $79$.

$a^2 - n$ is a square for $a = 80$: $80^2 - 5959 = 441 = 21^2$.

Hence $5959 = 80^2 - 21^2 = (80 - 21)(80 + 21) = 59 \cdot 101$.

Slow: a linear search for $a \ge \sqrt{n}$ is a poor strategy (it succeeds quickly only when the two factors are close to each other).

Page 64: Dixon's Random Squares Algorithm

Basic idea: a generalization of Fermat's difference of squares.

To factor $n$, find $x \not\equiv \pm y \pmod n$ such that $x^2 \equiv y^2 \pmod n$.

Then, $n \mid (x - y)(x + y)$, but $n$ divides neither of $x \pm y$.

Hence, $\gcd(x \pm y, n)$ are nontrivial factors of $n$.

Example: $32^2 \equiv 10^2 \pmod{77}$. $\gcd(32 \pm 10, 77) = 7$ and $11$.

Question: how to produce such $x$ and $y$?

Factor base: a set $B$ of small primes, say, $B = \{p_1, p_2, \ldots, p_b\}$.

An integer $z$ is $B$-smooth if it can be factored over $B$ mod $n$, i.e., $z \equiv p_1^{e_1} p_2^{e_2} \cdots p_b^{e_b} \pmod n$ for some $e_1, e_2, \ldots, e_b \ge 0$.

Page 65: Our goals

First, find a set $U$ of integers $x_i$ such that $x_i^2 \bmod n$ are $B$-smooth:

$x_i^2 \equiv p_1^{e_{i1}} p_2^{e_{i2}} \cdots p_b^{e_{ib}} \pmod n$.

Second, select a subset $S \subseteq U$ such that the product $\prod_{x_i \in S} x_i^2$ has an even exponent for each $p_j$, say,

$\prod_{x_i \in S} x_i^2 \equiv p_1^{2e_1} p_2^{2e_2} \cdots p_b^{2e_b} \pmod n$ for some $e_1, e_2, \ldots, e_b \ge 0$.

Let $X = \prod_{x_i \in S} x_i \bmod n$ and $Y = p_1^{e_1} p_2^{e_2} \cdots p_b^{e_b} \bmod n$, and we have $X^2 \equiv Y^2 \pmod n$.

If $X \equiv \pm Y \pmod n$, no luck; try a different set of $x_i$'s.

Page 66: Example (from Stinson's book on Cryptography)

Suppose $n = 15770708441$ and $B = \{2, 3, 5, 7, 11, 13\}$.

Consider the three congruences:

$8340934156^2 \equiv 3 \cdot 7 \pmod n$

$12044942944^2 \equiv 2 \cdot 7 \cdot 13 \pmod n$

$2773700011^2 \equiv 2 \cdot 3 \cdot 13 \pmod n$.

$(8340934156 \cdot 12044942944 \cdot 2773700011)^2 \equiv (2 \cdot 3 \cdot 7 \cdot 13)^2 \pmod n$.

Reducing modulo $n$ yields $9503435785^2 \equiv 546^2 \pmod n$.

A factor of $n$: $\gcd(9503435785 - 546, 15770708441) = 115759$.

Page 67: To achieve our second goal

Suppose $B = \{p_1, p_2, \ldots, p_b\}$. Let $c > b$.

Suppose we have a set $U$ of $c$ integers $x_i$ such that $x_i^2$ are $B$-smooth:

$x_i^2 \equiv p_1^{e_{i1}} p_2^{e_{i2}} \cdots p_b^{e_{ib}} \pmod n$ $(1 \le i \le c)$.

Let $\mathbf{e}_i = (e_{i1} \bmod 2, e_{i2} \bmod 2, \ldots, e_{ib} \bmod 2)$.

The $c$ vectors $\mathbf{e}_i \in \mathbb{Z}_2^b$ are linearly dependent (because $c > b$), and we can find a subset $S$ of $\mathbf{e}_i$'s that sum modulo 2 to $(0, 0, \ldots, 0)$ (by Gaussian elimination over $\mathbb{Z}_2$).

Let $X = \prod x_i \bmod n$ be the product of the $x_i$'s corresponding to the $\mathbf{e}_i$'s in $S$.

Page 68: Example (cont.)

We have $B = \{2, 3, 5, 7, 11, 13\}$ and

$x_1^2 = 8340934156^2 \equiv 3 \cdot 7 \pmod n$, $\mathbf{e}_1 = (0, 1, 0, 1, 0, 0)$

$x_2^2 = 12044942944^2 \equiv 2 \cdot 7 \cdot 13 \pmod n$, $\mathbf{e}_2 = (1, 0, 0, 1, 0, 1)$

$x_3^2 = 2773700011^2 \equiv 2 \cdot 3 \cdot 13 \pmod n$, $\mathbf{e}_3 = (1, 1, 0, 0, 0, 1)$.

$\mathbf{e}_1 + \mathbf{e}_2 + \mathbf{e}_3 \equiv (0, 0, 0, 0, 0, 0) \pmod 2$.

Thus, we let $X = (x_1 x_2 x_3) \bmod n$ and $Y^2 \equiv (3 \cdot 7)(2 \cdot 7 \cdot 13)(2 \cdot 3 \cdot 13) \pmod n$, i.e., $Y = 2 \cdot 3 \cdot 7 \cdot 13 = 546$.

Page 69: Searching for smooth squares

Dixon's strategy: choose $x_i$ at random, hence the name Random Squares Method.

Trick 1: try numbers of the form $x = \lfloor \sqrt{kn} \rfloor + j$, $j = 0, 1, 2, \ldots$ and $k = 1, 2, \ldots$. For such $x$, $x^2 \bmod n$ tends to be small and has a better chance than average to be smooth.

Trick 2: also try numbers of the form $x = \lfloor \sqrt{kn} \rfloor - j$, $j = 0, 1, 2, \ldots$ and $k = 1, 2, \ldots$. For such $x$, $x^2 \bmod n$ is a little bit smaller than $n$. Try to factor $(x^2 \bmod n) - n$ (a small negative number) instead of $x^2 \bmod n$.

Trick 3: to play trick 2, we need to include $-1$ in $B$.

Page 70: Example (from Stinson's book on Cryptography)

Suppose $n = 1829$ and $B = \{-1, 2, 3, 5, 7, 11, 13\}$.

$\sqrt{n} \approx 42.77$, $\sqrt{2n} \approx 60.48$, $\sqrt{3n} \approx 74.07$, $\sqrt{4n} \approx 85.53$.

Thus we try $x = 42, 43, 60, 61, 74, 75, 85, 86$, and obtain (all congruences modulo 1829)

$x_1 = 42$: $42^2 \equiv -65 = (-1) \cdot 5 \cdot 13$. $\mathbf{e}_1 = (1, 0, 0, 1, 0, 0, 1)$

$x_2 = 43$: $43^2 \equiv 20 = 2^2 \cdot 5$. $\mathbf{e}_2 = (0, 0, 0, 1, 0, 0, 0)$

$x_3 = 61$: $61^2 \equiv 63 = 3^2 \cdot 7$. $\mathbf{e}_3 = (0, 0, 0, 0, 1, 0, 0)$

$x_4 = 74$: $74^2 \equiv -11 = (-1) \cdot 11$. $\mathbf{e}_4 = (1, 0, 0, 0, 0, 1, 0)$

$x_5 = 85$: $85^2 \equiv -91 = (-1) \cdot 7 \cdot 13$. $\mathbf{e}_5 = (1, 0, 0, 0, 1, 0, 1)$

$x_6 = 86$: $86^2 \equiv 80 = 2^4 \cdot 5$. $\mathbf{e}_6 = (0, 0, 0, 1, 0, 0, 0)$

($x = 60$ and $x = 75$ give $-58 = -2 \cdot 29$ and $138 = 2 \cdot 3 \cdot 23$, which are not $B$-smooth and are discarded.)

Page 71: Example (cont.)

$\mathbf{e}_2 + \mathbf{e}_6 = (0, 0, 0, 0, 0, 0, 0)$, but it does not yield a factorization of $n$:

$43^2 \cdot 86^2 \equiv 2^6 \cdot 5^2 \pmod{1829}$

$3698^2 \equiv 40^2 \pmod{1829}$

$40^2 \equiv 40^2 \pmod{1829}$ (since $3698 \bmod 1829 = 40$, i.e., $X \equiv Y$).

$\mathbf{e}_1 + \mathbf{e}_2 + \mathbf{e}_3 + \mathbf{e}_5 = (0, 0, 0, 0, 0, 0, 0)$:

$(42 \cdot 43 \cdot 61 \cdot 85)^2 \equiv (-1)^2 \cdot 2^2 \cdot 3^2 \cdot 5^2 \cdot 7^2 \cdot 13^2 \pmod{1829}$

$1459^2 \equiv 901^2 \pmod{1829}$

$\gcd(1459 - 901, 1829) = 31$.

$1829 = 31 \cdot 59$.

Page 72: Quadratic Sieve

Consider the interval $[M_1, M_2]$ around $\sqrt{n}$ for some suitable integers $M_1, M_2$.

Let $Q(x) = x^2 - n$. We want to find a set $U$ of integers $x \in [M_1, M_2]$ for which $Q(x)$ is smooth.

Recall the factor base $B = \{p_1, p_2, \ldots, p_b\}$.

Recall Dixon's method (pick an $x \in [M_1, M_2]$, and test if $Q(x)$ is smooth) and observe how the computing time is wasted: most candidates are trial-divided by every prime in $B$ and then thrown away.

Idea of QS: use each $p \in B$ as a "sieve" and sieve it through $[M_1, M_2]$.

Notice that if $p \in B$, $x, y \in [M_1, M_2]$, and $p \mid Q(x)$, then we have $p \mid Q(y)$ iff $y \equiv \pm x \pmod p$.

Page 73: Sketch of the Quadratic Sieve Algorithm

1. Array $QA[M_1 .. M_2]$. Initially, $QA[i] = Q(i) = i^2 - n$.

2. for each $p \in \{p_1, p_2, \ldots, p_b\}$ do

    find an $i \in [M_1 .. M_2]$ such that $p \mid Q(i)$;

    for each $j \in [M_1 .. M_2]$ such that $j \equiv \pm i \pmod p$ do

        $QA[j] := QA[j] / p^{e}$, where $e$ is the largest possible;

        keep a record of $e \bmod 2$ (the exponent of $p$ in $Q(j)$).

3. Let $U$ be the set of all $i \in [M_1 .. M_2]$ such that $QA[i] = 1$.

    // $Q(i)$ is smooth for each $i \in U$ //

4. Construct a subset $S \subseteq U$ as in Dixon's.
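
Dixon's random squares method (pages 64-71) and the quadratic sieve sketch (pages 72-73) share their second step (find a subset with even exponents, then take a gcd), so here is one added example serving both; it is not part of the original slides or of Stinson's book. The factor base is passed without $-1$ and the sign is tracked as a separate column, which is trick 3 of page 69. `dixon_relations` tries $x = \lfloor\sqrt{kn}\rfloor + j$ as on page 70, `qs_relations` implements the four steps of page 73 (the roots of $Q(x) \bmod p$ are found by brute force, which is fine for a tiny base), and `find_factor` does the Gaussian elimination over $\mathbb{Z}_2$ of page 67, remembering for every reduced row which relations it came from. Names are mine.

```python
from math import gcd, isqrt


def factor_over_base(value, base):
    """Exponent vector of value over [-1] + base, or None if |value| is not B-smooth."""
    exps = [0] * (len(base) + 1)             # slot 0 is the exponent of -1
    if value == 0:
        return None
    if value < 0:
        exps[0], value = 1, -value
    for i, p in enumerate(base, start=1):
        while value % p == 0:
            value //= p
            exps[i] += 1
    return exps if value == 1 else None


def dixon_relations(n, base, kmax=4, jmax=2):
    """Page 69, tricks 1 and 2: x = floor(sqrt(k n)) + j, so x^2 - k n is small (possibly
    negative) and equals x^2 mod n up to a multiple of n.  Returns [(x, exponent vector)]."""
    rels = []
    for k in range(1, kmax + 1):
        for j in range(jmax):
            x = isqrt(k * n) + j
            exps = factor_over_base(x * x - k * n, base)
            if exps is not None:
                rels.append((x, exps))
    return rels


def qs_relations(n, base, m1, m2):
    """Page 73: QA[x] = Q(x) = x^2 - n on [m1, m2]; for each prime p, every x with
    x = r (mod p) for a root r of Q mod p has p divided out as often as possible."""
    qa = {x: x * x - n for x in range(m1, m2 + 1)}
    exps = {x: [1 if qa[x] < 0 else 0] + [0] * len(base) for x in qa}
    qa = {x: abs(v) for x, v in qa.items()}
    for idx, p in enumerate(base, start=1):
        roots = [r for r in range(p) if (r * r - n) % p == 0]    # p | Q(x) iff x mod p is a root
        for r in roots:
            for x in range(m1 + (r - m1) % p, m2 + 1, p):
                while qa[x] and qa[x] % p == 0:
                    qa[x] //= p
                    exps[x][idx] += 1
    return [(x, exps[x]) for x in qa if qa[x] == 1]              # QA[x] == 1: Q(x) is smooth


def find_factor(n, relations, base):
    """Page 67: elimination over GF(2) on the exponent parities.  Each relation that
    reduces to zero gives a subset S with X^2 = Y^2 (mod n); gcd(X -+ Y, n) is tried."""
    pivots = {}                       # leading column -> (reduced row, bitmask of relations in it)
    for i, (_, exps) in enumerate(relations):
        row = sum(1 << c for c, e in enumerate(exps) if e % 2)
        combo = 1 << i
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (row, combo)
                break
            prow, pcombo = pivots[lead]
            row, combo = row ^ prow, combo ^ pcombo
        if row:
            continue
        subset = [relations[j] for j in range(len(relations)) if combo >> j & 1]
        big_x, total = 1, [0] * (len(base) + 1)
        for x, ex in subset:
            big_x = big_x * x % n
            total = [a + b for a, b in zip(total, ex)]
        big_y = 1                                 # total[0] is even, so the signs cancel
        for p, e in zip(base, total[1:]):
            big_y = big_y * pow(p, e // 2, n) % n
        assert (big_x * big_x - big_y * big_y) % n == 0
        for g in (gcd(big_x - big_y, n), gcd(big_x + big_y, n)):
            if 1 < g < n:
                return g
    return None                                    # every dependency had X = +-Y: need more relations


def dixon_factor(n, base, kmax=4, jmax=2):
    return find_factor(n, dixon_relations(n, base, kmax, jmax), base)


def qs_factor(n, base, width):
    r = isqrt(n)
    return find_factor(n, qs_relations(n, base, r - width, r + width), base)


if __name__ == "__main__":
    print(dixon_factor(1829, [2, 3, 5, 7, 11, 13]))   # 31 (page 71)
    print(qs_factor(1829, [2, 3, 5, 7, 11, 13], 8))   # 31
```

On the slides' $n = 1829$, `dixon_relations` produces exactly the six relations of page 70 and the elimination lands on the subset $\{42, 43, 61, 85\}$ of page 71; the sieve over $[34, 50]$ finds six smooth $Q(x)$ as well, among them $Q(45) = 196 = 14^2$, which is a dependency all by itself. Real implementations differ only in scale: large factor bases, Tonelli-Shanks for the roots, and sparse linear algebra for the elimination.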