Lecture 3

Pollard’s rho method
Fermat Factorization
Continued fraction
The quadratic sieve
Factoring and primality testing III
Pierre Arnoux
Dhulikel, July 30, 2010

Pollard’s rho method

Looking for congruences

- Let $n$ be a composite number, and $p$ a prime factor of $n$.
- Suppose we find two numbers $a$, $b$ such that:
  - $a \equiv b \bmod p$
  - but $a \not\equiv b \bmod n$.
- Then $\mathrm{GCD}(a - b, n)$ is a strict divisor of $n$.
- This allows us to factor $n$.

How can we find such a pair?

Iterating random functions

- Let $E$ be a finite set of size $n$.
- Let $f$ be a random function $f : E \to E$.
- Let $x_0$ be a random element of $E$.
- We define a sequence by $x_{n+1} = f(x_n)$.
- This sequence is eventually periodic, of period at most $n$.
- What period can we expect, for a random function?

Iterating random functions (continued)

- The average period is not large; it is of the order of $\sqrt{n}$.
- More precisely:

Lemma
Let $\lambda > 0$, and $l = 1 + [\sqrt{2\lambda n}]$. The probability of $(f, x_0)$ such that $x_0, x_1, \dots, x_l$ are all distinct is less than $e^{-\lambda}$.

- If the map is defined on $\mathbb{Z}/n\mathbb{Z}$, and goes to the quotient mod $p$, we can expect that the period is much shorter mod $p$.
- For that, it suffices to take a polynomial of degree $\geq 2$ (and hope it behaves like a random function!).

Proof of the lemma

- For $f(x_0)$, we have $n - 1$ possibilities (out of $n$): if $f(x_0) = x_0$, the period is 1.
- For $f(x_1)$, we have $n - 2$ possibilities, and for $f(x_i)$, we have $n - i - 1$ possibilities.
- Hence the probability that the first $l$ are distinct is:

  $$\frac{(n-1)(n-2)\cdots(n-l)}{n^l} = \prod_{i=1}^{l} \left(1 - \frac{i}{n}\right)$$

- Take the natural logarithm:

  $$\log \prod_{i=1}^{l} \left(1 - \frac{i}{n}\right) = \sum_{i=1}^{l} \log\left(1 - \frac{i}{n}\right) < \sum_{i=1}^{l} -\frac{i}{n} = -\frac{l(l+1)}{2n}$$

- Finally:

  $$-\frac{l(l+1)}{2n} < -\frac{l^2}{2n} < -\frac{2\lambda n}{2n} = -\lambda.$$

Looking for cycles

- Do we have a cycle yet?
- Compare the last $x_k$ to all the previous ones.
- This is very costly!
- Idea: compare $x_k$ only to the last $x_{2^j}$ computed: $x_2$ to $x_1$; $x_3, x_4$ to $x_2$; $x_5, x_6, x_7, x_8$ to $x_4$ ...
- This might delay the discovery of the period, but it needs much less computation.

All this gives us an algorithm.

Pollard’s algorithm

- Input: a composite integer $n$, and a "random" polynomial $P$ (for example $x^2 + 1$).
- Compute $x_k = P(x_{k-1})$.
- If $2^h = \max\{2^i < k\}$, compute $\mathrm{GCD}(x_k - x_{2^h}, n)$.
- Continue till we get a nontrivial factor of $n$, or $x_k = x_{2^h}$.

Proposition
Let $n$ be composite, and let $r$ be a factor of $n$ with $r < \sqrt{n}$. If the polynomial $P$ behaves like a random function, then Pollard’s method will give $r$ in $O(n^{1/4} \log^3 n)$ bit operations with a high probability.
More precisely: there exists $C$ such that the probability of failure of the method in $C \sqrt{\lambda}\, n^{1/4} \log^3 n$ steps is $< e^{-\lambda}$.

An example

- $n = 4171$.
- $P(X) = X^2 + 1$, $x_0 = 2$.
- $x_1 = 5$; $x_2 = 26$; $x_3 = 677$. $\mathrm{GCD}(x_3 - x_2, n) = 1$
- $x_4 = 3691$. $\mathrm{GCD}(x_4 - x_2, n) = 1$
- $x_5 = 996$. $\mathrm{GCD}(x_5 - x_4, n) = 1$
- $x_6 = 3490$. $\mathrm{GCD}(x_6 - x_4, n) = 1$
- $x_7 = 781$. $\mathrm{GCD}(x_7 - x_4, n) = 97$

Remark: $x_8 = 996 = x_5$.
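
The algorithm and the example above, as an added Python sketch that is not part of the original slides: `pollard_rho_trace` follows the slide's rule of comparing x_k only with the saved x_{2^h}, and `rho_shape` measures the tail and cycle of the sequence modulo n and modulo a factor, which is the "shorter period mod p" remark made earlier. The function names, the retry over the constant c and the step limit are assumptions of this example.

```python
from math import gcd


def pollard_rho_trace(n, c=1, x0=2, max_steps=1_000_000):
    """Iterate x_k = x_{k-1}^2 + c (mod n) and compare x_k only with x_{2^h},
    where 2^h is the largest power of two strictly below k.

    Returns (factor, trace). factor is None when the cycle closes modulo n
    itself (x_k == x_{2^h}) or the step limit is reached.
    Each trace row is (k, x_k, index of the saved value, gcd).
    """
    x = (x0 * x0 + c) % n          # x_1
    saved, saved_idx = x, 1        # reference value x_{2^0}
    trace = []
    k = 1
    while k < max_steps:
        k += 1
        x = (x * x + c) % n
        g = gcd(x - saved, n)
        trace.append((k, x, saved_idx, g))
        if g == n:                 # x_k == x_{2^h} mod n: this polynomial failed
            return None, trace
        if g > 1:                  # collision mod a factor but not mod n
            return g, trace
        if k == 2 * saved_idx:     # k is a power of two: new reference value
            saved, saved_idx = x, k
    return None, trace


def find_factor(n, max_c=20):
    """Retry with x^2 + c for c = 1..max_c when one polynomial fails
    (the retry policy is an assumption of this example)."""
    if n % 2 == 0:
        return 2
    for c in range(1, max_c + 1):
        factor, _ = pollard_rho_trace(n, c=c)
        if factor is not None:
            return factor
    return None


def rho_shape(m, c=1, x0=2):
    """(tail length, cycle length) of x -> x^2 + c mod m starting at x0,
    found by storing every value: the costly comparison the slide avoids."""
    seen = {}
    x, k = x0 % m, 0
    while x not in seen:
        seen[x] = k
        x = (x * x + c) % m
        k += 1
    return seen[x], k - seen[x]


if __name__ == "__main__":
    factor, trace = pollard_rho_trace(4171)
    for k, xk, ref, g in trace:
        print(f"x_{k} = {xk:4d}   GCD(x_{k} - x_{ref}, n) = {g}")
    print("factor:", factor)
    print("shape mod 4171:", rho_shape(4171))
    print("shape mod 97:  ", rho_shape(97))
    print("shape mod 43:  ", rho_shape(43))
    # n = 21 with x^2 + 1 hits x_2 == x_1 mod n, so a second polynomial is needed.
    print("21 with c=1:", pollard_rho_trace(21)[0], "-> retry gives", find_factor(21))
```

Modulo 97 the sequence enters its cycle after one step, while modulo 4171 the tail has length 5; the comparison of x_7 with x_4 catches the collision modulo 97 before the sequence repeats modulo n.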

Fermat factorization

- We now turn to a completely different method.
- We look for congruences between squares.
- The basic method is not very efficient,
- But it is the basis for more elaborate algorithms.

The basic method

- Let $n = pq$, with $p > q$ odd numbers.
- Write $a = \frac{p+q}{2}$, $b = \frac{p-q}{2}$.
- Hence $p = a + b$, $q = a - b$.
- $n = (a + b)(a - b) = a^2 - b^2$.
- Every composite number is a difference of squares.
- This is efficient if the 2 factors $p$, $q$ are close.

Example: $n = 200819$. $[\sqrt{n}] + 1 = 449$. $449^2 - n = 782$, this is not a square.
$450^2 - n = 1681 = 41^2$. Hence $n = 450^2 - 41^2 = 491 \cdot 409$.

The basic method (continued)

- This method is very efficient if $p$ and $q$ are close.
- There are other efficient variants if $p \simeq 2q$, $p \simeq 3q$...
- It is very dangerous to choose an RSA integer which is the product of two close primes.
- It is for this type of reason that cryptographers should pay attention to number theory.
Pierre Arnoux
Factoring and primality testing III
Pollard’s rho method
Fermat Factorization
Continued fraction
The quadratic sieve
The basic method
Factor bases
Factor base algorithm
Congruences
- More generally, if we can find $a$, $b$ such that
- $a^2 \equiv b^2 \bmod n$
- But $a \not\equiv \pm b \bmod n$
- Then $n$ divides $a^2 - b^2 = (a + b)(a - b)$, but divides neither $a + b$ nor $a - b$.
- Hence $\mathrm{GCD}(a + b, n)$ is not trivial:
- This gives us a factor of $n$.

Congruences
- $n = 4633$
- $118^2 \equiv 25 = 5^2 \bmod n$
- But $118 \not\equiv \pm 5 \bmod n$
- $\mathrm{GCD}(118 + 5, n) = 41$.
- $\mathrm{GCD}(118 - 5, n) = 113$
- $4633 = 41 \times 113$

How can we find such quadratic congruences?

Factor bases
- We want to decompose squares on a set of prime numbers.
- Definition: The least residue of $a \bmod n$ is the unique number $-\frac{n}{2} < b \le \frac{n}{2}$ such that $b \equiv a \bmod n$.
- Definition: A factor base $B = \{p_1, \ldots, p_k\}$ is a set of distinct primes (and we allow $p_1 = -1$).
- We want to decompose as many squares as possible on the base $B$.
- This will allow us to realize quadratic congruences.

B-numbers
- Definition: A number $a$ is a B-number if its least residue can be decomposed as a product of elements of $B$.
- To such a product $\prod_{i=1}^{k} p_i^{\alpha_i}$, we associate the vector $(\alpha_1, \ldots, \alpha_k)$.
- We want to find squares: we are only interested in the parity of $\alpha_i$.
- We consider this vector mod 2, and we obtain a vector space over $\mathbb{Z}/2\mathbb{Z}$.
- By classical linear algebra, if we have $k + 1$ vectors over the base $B$, we have a relation, and we can find a square.
- The real problem will be to find many squares which are B-numbers.

B-numbers: example
- $n = 4633$.
- $B = \{-1, 2, 3\}$.
- $67^2 \equiv -144 \bmod n$: vector $(1, 0, 0)$.
- $68^2 \equiv -9 \bmod n$: vector $(1, 0, 0)$.
- $(67 \cdot 68)^2 \equiv 36^2$: vector $(0, 0, 0)$
- $\mathrm{GCD}(67 \times 68 + 36, n) = 41$ which gives the factorisation.

The factor base algorithm
- Let $n$ be a composite integer.
- Choose a number $y$ of intermediate size ($y = 10^5$ for example).
- Let $B$ be the set of prime numbers less than $y$; $B$ is of size $k = \pi(y)$.
- Choose random numbers $b_i$, and check if their squares are B-numbers.
- When you get more than $k$ B-squares, find the dependency.
- Use the relations to find a factor of $n$.

A good way to find such numbers is to choose integers close to some $\sqrt{kn}$, for small $k$.

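The B-number test, the parity vectors and the dependency search from the slides above, put together as an added Python example (not the lecturer's code). The function names and the order in which candidates near $\sqrt{kn}$ are tried are assumptions; $n = 4633$ and $B = \{-1, 2, 3\}$ are the slide's values.

```python
from math import gcd, isqrt


def least_residue(a, n):
    """The unique b with -n/2 < b <= n/2 and b = a (mod n)."""
    b = a % n
    return b - n if b > n // 2 else b


def exponent_vector(m, base):
    """Exponents (alpha_1, ..., alpha_k) of m over the factor base, or None
    if m is not a product of elements of the base (base may contain -1)."""
    if m == 0:
        return None
    exps = []
    for p in base:
        e = 0
        if p == -1:
            if m < 0:
                e, m = 1, -m
        else:
            while m % p == 0:
                m //= p
                e += 1
        exps.append(e)
    return exps if m == 1 else None


def near_sqrt_candidates(n, k_max=3, width=20):
    """Integers close to sqrt(k*n) for small k (the ordering is an assumption)."""
    for k in range(1, k_max + 1):
        r = isqrt(k * n)
        for d in range(width):
            yield r - d
            yield r + 1 + d


def factor_base_factor(n, base, candidates):
    """Collect B-numbers b^2 mod n, find a dependency mod 2, take a gcd.

    Returns (factor, [b_i used]) or None if the candidates run out.
    """
    rels = []    # (b, exponent vector of the least residue of b^2 mod n)
    pivots = {}  # leading column -> (parity row, bitmask of combined relations)
    for b in candidates:
        vec = exponent_vector(least_residue(b * b, n), base)
        if vec is None:
            continue                       # b^2 mod n is not a B-number
        rels.append((b, vec))
        row = sum((e & 1) << j for j, e in enumerate(vec))
        used = 1 << (len(rels) - 1)
        while row:                         # Gaussian elimination over Z/2Z
            col = row.bit_length() - 1
            if col not in pivots:
                pivots[col] = (row, used)
                break
            row ^= pivots[col][0]
            used ^= pivots[col][1]
        else:
            # Parity vector reduced to 0: the product of the selected
            # residues has only even exponents, so it is a square c^2.
            chosen = [rels[i] for i in range(len(rels)) if used >> i & 1]
            a, total = 1, [0] * len(base)
            for bi, v in chosen:
                a = a * bi % n
                total = [t + e for t, e in zip(total, v)]
            c = 1
            for p, t in zip(base, total):
                c = c * pow(abs(p), t // 2, n) % n   # (-1)^even contributes 1
            g = gcd(a + c, n)
            if 1 < g < n:                  # a is not +-c mod n: proper factor
                return g, [bi for bi, _ in chosen]
    return None


if __name__ == "__main__":
    print(factor_base_factor(4633, [-1, 2, 3], [67, 68]))   # the slide's run
    print(factor_base_factor(4633, [-1, 2, 3], near_sqrt_candidates(4633)))
```

A dependency whose gcd is trivial is skipped and the search continues with further candidates, which is why more than k B-squares may be needed in practice.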
Running time
- The computation of running time is difficult.
- A crucial fact is that the square of a random number has small probability to be a B-number.
- Hence we must try many times to obtain a B-number.
- Heuristic arguments show that the running time should be of the form:
- $O(e^{C\sqrt{\log n \log\log n}})$

This is better than Pollard, which is in $O(n^{1/4} \log^3 n) \simeq O(e^{C \log n})$.
But much worse than the primality algorithms, which are polynomial in $\log n$, that is of the form $O(e^{C \log\log n})$.

The main problem of the factor base algorithm
- To find B-numbers, we choose random numbers and we test them.
- These random numbers have a small probability to be B-numbers.
- A large part of the time is wasted.
- It would be better to choose numbers whose square is small mod $n$.
- Can we manage to have $b_i^2$ small in a systematic way?

Principle of the continued fraction algorithm
- The problem of Fermat factorization is to find small quadratic residues.
- There is a well-known classical method for this.
- It is to find good rational approximations of $\sqrt{n}$.
- And one knows how to find these good approximations.

Continued fractions and best approximations
Let $x$ be an irrational number.
Then $x$ can be written in a unique way:
- $x = a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{a_3 + \ldots}}}$
- This is the continued fraction expansion of $x$.
- If we stop at some step, we get a rational number $\frac{p_i}{q_i}$ which is a best approximation of $x$.
- In particular, let $n$ be an integer, and $\frac{p_i}{q_i}$ be the best approximations to $\sqrt{n}$. Then the least residue of $p_i^2 \bmod n$ is less than $2\sqrt{n}$.
- In this way we can find good candidates for a decomposition in small primes.


Continued fraction method
- This is a refinement of the factor base method.
- Take an integer $n$.
- Compute the convergents $p_i/q_i$ of $\sqrt{n}$.
- Compute the least residue of $p_i^2 \bmod n$, and try to factor it on small primes.
- Build in this way a factor base by taking the primes which occur in at least 2 decompositions.
- Continue till you get a non-trivial relation.
This is essentially a variant of the previous method.
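The first steps of this method, as an added example that is not part of the lecture: it expands $\sqrt{n}$ with integer arithmetic only, checks that each least residue of $p_i^2 \bmod n$ stays below $2\sqrt{n}$ in absolute value, and keeps the residues that factor over a small prime set. The function names, the extra $-1$ entry that records the sign, and the sample values $n = 9073$ with primes 2, 3, 7 are choices made for this example.

```python
from math import isqrt

def cf_sqrt_residues(n, steps):
    """Return [(p_i mod n, r_i)] for the convergents p_i/q_i of sqrt(n),
    where r_i is the signed least residue of p_i^2 mod n."""
    a0 = isqrt(n)
    if a0 * a0 == n:
        raise ValueError("n is a perfect square, sqrt(n) is rational")
    m, d, a = 0, 1, a0            # complete quotient x_i = (m + sqrt(n)) / d
    p_prev, p = 1, a0 % n         # p_{-1} = 1, p_0 = a_0
    out = []
    for i in range(steps):
        m = d * a - m
        d = (n - m * m) // d      # this division is always exact
        # Classical identity: p_i^2 - n*q_i^2 = (-1)^(i+1) * d_{i+1}
        r = -d if i % 2 == 0 else d
        out.append((p, r))
        a = (a0 + m) // d         # next partial quotient a_{i+1}
        p_prev, p = p, (a * p + p_prev) % n
    return out

def factor_over(r, primes):
    """Exponent vector of r over [-1] + primes, or None if r does not split."""
    exps = [1 if r < 0 else 0]    # assumption of this example: sign kept as -1
    r = abs(r)
    for q in primes:
        e = 0
        while r % q == 0:
            r //= q
            e += 1
        exps.append(e)
    return exps if r == 1 else None

def smooth_relations(n, primes, steps):
    """Keep the convergents whose residue factors completely over primes."""
    rels = []
    for p, r in cf_sqrt_residues(n, steps):
        assert r * r < 4 * n          # |r| < 2*sqrt(n), the bound on the slide
        assert (p * p - r) % n == 0   # r really is p^2 mod n
        e = factor_over(r, primes)
        if e is not None:
            rels.append((p, r, e))
    return rels

if __name__ == "__main__":
    # Constructed sample: n = 9073 = 43 * 211
    for p, r, e in smooth_relations(9073, [2, 3, 7], 5):
        print(p, r, e)
```

In this sample the exponent vectors of 95 and 2619 sum to an even vector, which is the kind of relation the last step of the method looks for.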

The basic idea
- In all previous methods, we start with a family of numbers $b_i$
- And we try to find an adapted set $B$.
- We turn the idea around:
- We first choose a set $B$ of prime numbers,
- And we use it as a sieve to find B-numbers.

The quadratic sieve
- This is a more systematic method;
- It is useful for very large numbers,
- But rather computation-intensive.
- It is one of the best methods.

The quadratic sieve (simplified version)
- Notation: $L(n) = e^{\sqrt{\log n \log\log n}}$.
- An integer $n$ is given.
- Choose $P$ of size approximately $L(n)$.
- The set $B$ will be the set of primes less than $P$ such that $\left(\frac{n}{p}\right) = 1$.
- Choose $A > P$, also of size $L(n)$.
- List all numbers $t^2 - n$, for $t = [\sqrt{n}] + i$, $i = 1, \dots, A$.
We look for all numbers in the list which are B-numbers.

The quadratic sieve (simplified version)
- Now, for each prime $p \in B$:
- Divide each number $t^2 - n$ in the list by the highest possible power of $p$.
- Keep this power in memory.
- (A special case applies for $p = 2$.)
- When it is finished, throw out all numbers $t^2 - n$ which have not been reduced to 1; the others are B-numbers.
- Use the array to find relations mod 2 between the vectors of exponents.
If we are lucky, these relations give us a factor of $n$.
Otherwise, enlarge $A$.
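The simplified quadratic sieve described above, as an added example that is not the lecture's own code: it builds $B$ from the Legendre condition, divides the list $t^2 - n$ only at positions $t \equiv \pm r \pmod p$, finds relations mod 2 by elimination on bit vectors, and takes a gcd. The function names, the `rounds` limit and the sample $n = 1042387$ with $P = 50$, $A = 500$ are choices made for this example; $n$ is assumed odd with no prime factor below $P$.

```python
from math import gcd, isqrt

def factor_base(n, P):
    """B: the prime 2, plus the odd primes p < P with Legendre symbol (n/p) = 1."""
    primes = [p for p in range(2, P) if all(p % q for q in range(2, isqrt(p) + 1))]
    # Euler's criterion: n^((p-1)/2) = 1 (mod p) exactly when n is a square mod p.
    return [p for p in primes if p == 2 or pow(n, (p - 1) // 2, p) == 1]

def sieve(n, base, A):
    """Return [(t, exponent vector)] for the B-numbers among t^2 - n."""
    t0 = isqrt(n) + 1                       # t = [sqrt(n)] + i, i = 1..A
    rest = [(t0 + i) ** 2 - n for i in range(A)]
    exps = [[0] * len(base) for _ in range(A)]
    for j, p in enumerate(base):
        for r in range(p):
            if (r * r - n) % p:
                continue                    # r is not a square root of n mod p
            # p divides t^2 - n only when t = r (mod p): step through the list
            for i in range((r - t0) % p, A, p):
                while rest[i] % p == 0:     # highest possible power of p
                    rest[i] //= p
                    exps[i][j] += 1
    return [(t0 + i, exps[i]) for i in range(A) if rest[i] == 1]

def dependencies(rels):
    """Yield groups of relations whose exponent vectors sum to 0 mod 2."""
    pivots = {}                             # lowest set bit -> (vector, history)
    for k, (_, e) in enumerate(rels):
        vec = sum((x & 1) << j for j, x in enumerate(e))
        hist = 1 << k                       # which relations were combined
        while vec:
            low = vec & -vec
            if low not in pivots:
                pivots[low] = (vec, hist)
                break
            pv, ph = pivots[low]
            vec, hist = vec ^ pv, hist ^ ph
        if vec == 0:
            yield [rels[i] for i in range(len(rels)) if hist >> i & 1]

def quadratic_sieve(n, P, A, rounds=6):
    """Return a non-trivial factor of n, or None after `rounds` enlargements."""
    base = factor_base(n, P)
    for _ in range(rounds):
        for dep in dependencies(sieve(n, base, A)):
            x, total = 1, [0] * len(base)
            for t, e in dep:
                x = x * t % n
                total = [a + b for a, b in zip(total, e)]
            y = 1
            for p, e in zip(base, total):
                y = y * pow(p, e // 2, n) % n   # square root of the product
            g = gcd(x - y, n)                   # x^2 = y^2 (mod n)
            if 1 < g < n:
                return g
        A *= 2                                  # unlucky: enlarge A
    return None

if __name__ == "__main__":
    print(quadratic_sieve(1042387, 50, 500))    # constructed sample, 701 * 1487
```

In this sample the first dependency found (t = 1021, 1027, 1030) gives $x \equiv y$ and therefore only the trivial gcd, which is why every dependency is tried before $A$ is enlarged.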

Running time
- The running time can be estimated.
- Based on some reasonable conjecture, it should be of the type: $O\left(e^{(1+\ )\sqrt{\log n \log\log n}}\right)$
- It is one of the most efficient algorithms,
- but it is rather heavy to use
- (not for working by hand!)
In particular, we need here some efficient linear algebra to detect linear relations.