A log-log speedup for exponent one-fifth deterministic integer factorisation

David Harvey School of Mathematics and Statistics, University of New South Wales, Sydney NSW 2052, Australia [email protected] and Markus Hittmeir SBA Research, Floragasse 7, A-1040 Vienna [email protected] Dedicated to Richard Brent on the occasion of his

(3\times 5^{2})

-th birthday

Abstract.

Building on techniques recently introduced by the second author, and further developed by the first author, we show that a positive integer $N$ may be rigorously and deterministically factored into primes in at most

O\left(\frac{N^{1/5}\log^{16/5}N}{(\log\log N)^{3/5}}\right)

bit operations. This improves on the previous best known result by a factor of $(\log\log N)^{3/5}$ .

2020 Mathematics Subject Classification:

Primary 11Y05

The first author was supported by the Australian Research Council (grant FT160100219).

SBA Research (SBA-K1) is a COMET Centre within the framework of COMET – Competence Centers for Excellent Technologies Programme and funded by BMK, BMDW, and the federal state of Vienna. The COMET Programme is managed by FFG

1. Introduction

The aim of this paper is to further refine a method for integer factorisation that was recently introduced by the second author [Hit20], and subsequently improved and simplified by the first author [Har20]. We insist that all algorithms under discussion be deterministic and that all complexity bounds be proved rigorously. Faster factoring algorithms are known if one allows randomisation, heuristic arguments or quantum computers; see [CP05, Len00, Wag13, Rie94].

We write $\operatorname{\mathsf{F}}(N)$ for the time required to compute the prime factorisation of an integer $N\geqslant 2$ , where “time” means “bit operations”, i.e., the number of steps performed by a deterministic Turing machine with a fixed, finite number of linear tapes [Pap94]. All integers are assumed to be encoded in the usual binary representation.

Prior to [Hit20], the best known asymptotic bounds for $\operatorname{\mathsf{F}}(N)$ were of the form $N^{1/4+o(1)}$ . These were achieved by methods going back to Pollard, Strassen and Coppersmith; for further references see [Har20]. The algorithm presented in [Hit20] was the first to break the $1/4$ barrier, achieving $\operatorname{\mathsf{F}}(N)=N^{2/9+o(1)}$ . Shortly afterwards the first author made further progress on the exponent [Har20], showing that $\operatorname{\mathsf{F}}(N)=O(N^{1/5}\log^{16/5}N)$ . The main result of the present paper is the following incremental improvement.

Theorem 1.1.

There is a deterministic integer factorisation algorithm achieving

\operatorname{\mathsf{F}}(N)=O\left(\frac{N^{1/5}\log^{16/5}N}{(\log\log N)^{3/5}}\right).

Note that if $N$ has three or more prime factors (counting repetitions), then at least one factor is bounded above by $N^{1/3}$ , and it is well known that such a factor may be found in time $N^{1/6+o(1)}$ (see for example [Har20, Prop. 2.5]). Using this observation one easily reduces the proof of Theorem 1.1 to the case that $N$ is either prime or semiprime, i.e., a product of two distinct primes. For details of the reduction, see the proof of [Har20, Thm. 1.1]. For the rest of the paper, we assume that $N$ is either prime or semiprime, say $N=pq$ where $p<q$ .

The strategy of [Har20] may be outlined as follows. Fix some integer $\alpha$ coprime to $N$ . Since $p\equiv 1\pmod{p-1}$ , Fermat’s little theorem implies that $\alpha^{aq+bp}\equiv\alpha^{aN+b}\pmod{p}$ for any $a,b\in\mathbb{Z}$ . If we can recover $aq+bp$ , for known coefficients $a,b\neq 0$ , then it is easy to deduce $p$ and $q$ , since we know the product $pq=N$ (see Lemma 2.4). Now, it was observed by Lehman [Leh74] (following ideas going back to Lawrence [Law95]) that if $a$ are $b$ are small integers, chosen so that $a/b$ is a good rational approximation to the unknown $p/q$ , then $aq+bp$ will be especially close to $(4abN)^{1/2}$ . This suggests rewriting the congruence as

\alpha^{aq+bp-\lfloor(4abN)^{1/2}\rfloor}\equiv\alpha^{aN+b-\lfloor(4abN)^{1/2}\rfloor}\pmod{p}.

When $a/b\approx p/q$ , the left hand side has the form $\alpha^{i}$ where $i$ is “small”. Consequently, to solve for $aq+bp$ , it suffices to find a collision modulo $p$ between the “giantsteps” $\alpha^{aN+b-\lfloor(4abN)^{1/2}\rfloor}\pmod{N}$ , where $a/b$ ranges over some sufficiently dense set of rational numbers, and the “babysteps” $\alpha^{i}\pmod{N}$ , where $i$ ranges over small integers. This collision-finding problem may be attacked using tools from fast polynomial arithmetic, and [Har20] shows that this strategy (after filling in many details left out in this rough sketch) leads to the bound $\operatorname{\mathsf{F}}(N)=O(N^{1/5}\log^{16/5}N)$ .

The new algorithm in this paper follows the same basic plan described above, but utilises the additional information that $p$ and $q$ cannot themselves be divisible by small primes. We modify the algorithm so that it restricts attention to candidates for $p$ that are coprime to $m\coloneqq 2\times 3\times 5\times\cdots\times p_{d}\ll N^{1/2}$ , i.e., $m$ is the product of the first $d$ primes for suitable $d$ . The number of possible values of $p$ modulo $m$ is $\phi(m)$ (the Euler totient function), and for suitable choice of $m=N^{O(1)}$ , Mertens’ theorem (see Lemma 2.6) implies that the ratio $\phi(m)/m$ decays like $1/\log\log N$ . This is the source of the log-log savings over [Har20]. Actually, for technical reasons we reorganise the algorithm considerably: instead of defining the giantsteps by taking all pairs $(a,b)$ in some range, as is done in [Har20], we use algorithms for finding short lattice vectors to compute suitable values for $a$ and $b$ for each giantstep.

Of course it is well known that sieving on small primes in this way often leads to $(\log\log N)$ -type speedups. For example, in the context of deterministic integer factorisation, this idea was used in [CH14] to improve the complexity of the factoring algorithm of [BGS07] by a factor of $(\log\log N)^{1/2}$ .

2. Preliminaries

For $n$ a positive integer, we define $\lg n\coloneqq\lfloor\log n/\log 2\rfloor+1$ . Observe that $\lg n\geqslant 1$ for all $n\geqslant 1$ , that $\lg n=\Theta(\log n)$ for $n\geqslant 2$ , and that $\lg n$ may be computed in time $O(\lg n)$ .

We recall several facts about integer arithmetic. All results stated here without specific references may be found in textbooks such as [vzGG13] or [BZ11].

Let $n\geqslant 1$ , and assume that we are given integers $x$ and $y$ such that $|x|,|y|\leqslant 2^{n}$ . We may compute $x+y$ and $x-y$ in time $O(n)$ . We write $\operatorname{\mathsf{M}}(n)$ for the cost of computing the product $xy$ ; it was shown recently that $\operatorname{\mathsf{M}}(n)=O(n\lg n)$ [HvdH21]. If $y>0$ , we may compute the quotients $\lfloor x/y\rfloor$ and $\lceil x/y\rceil$ , and therefore also the residue of $x$ modulo $y$ in the interval $[0,y)$ , in time $O(\operatorname{\mathsf{M}}(n))$ . More generally, for a fixed positive rational number $u/v$ , and assuming that $x,y>0$ , we may compute $\lfloor(x/y)^{u/v}\rfloor$ and $\lceil(x/y)^{u/v}\rceil$ in time $O(\operatorname{\mathsf{M}}(n))$ . We may compute $g\coloneqq\gcd(x,y)$ , and if desired find $u,v\in\mathbb{Z}$ such that $ux+vy=g$ (i.e., solve the extended GCD problem), in time $O(\operatorname{\mathsf{M}}(n)\lg n)=O(n\lg^{2}n)$ .

Next we consider modular arithmetic. Let $N\geqslant 2$ . We write $\mathbb{Z}_{N}$ for the ring $\mathbb{Z}/N\mathbb{Z}$ of integers modulo $N$ . Elements of $\mathbb{Z}_{N}$ will always be represented by their residues in the interval $[0,N)$ , so occupy $O(\lg N)$ bits of storage. We write $\mathbb{Z}_{N}^{*}$ for the group of units of $\mathbb{Z}_{N}$ , i.e., the subset of those $x\in\mathbb{Z}_{N}$ for which $\gcd(x,N)=1$ . Given $x,y\in\mathbb{Z}_{N}$ , we may compute $x\pm y\in\mathbb{Z}_{N}$ in time $O(\lg N)$ , and $xy\in\mathbb{Z}_{N}$ in time $O(\operatorname{\mathsf{M}}(\lg N))=O(\lg N\lg\lg N)$ . Given $x\in\mathbb{Z}_{N}$ and an integer $m\geqslant 1$ , we may compute $x^{m}\in\mathbb{Z}_{N}$ in time $O(\operatorname{\mathsf{M}}(\lg N)\lg m)$ , using the “repeated squaring” algorithm. We may test whether $x\in\mathbb{Z}_{N}^{*}$ , and if so compute $x^{-1}\in\mathbb{Z}_{N}^{*}$ , in time $O(\operatorname{\mathsf{M}}(\lg N)\lg\lg N)=O(\lg N(\lg\lg N)^{2})$ , by solving the extended GCD problem for $x$ and $N$ . If the gcd is not $1$ or $N$ , and if $N=pq$ is semiprime, then we immediately recover $p$ and $q$ in time $O(\operatorname{\mathsf{M}}(\lg N))$ .

The next few results are taken from the previous papers [Hit18] and [Har20].

Lemma 2.1.

Let $n\geqslant 1$ with $n=O(N)$ . Given as input $v_{1},\ldots,v_{n}\in\mathbb{Z}_{N}$ , we may compute the polynomial $f(x)=(x-v_{1})\cdots(x-v_{n})\in\mathbb{Z}_{N}[x]$ in time $O(n\lg^{3}N)$ .

Proof.

This is exactly [Har20, Lem. 2.3]; the proof depends on a standard application of a product tree. By “compute a polynomial” we mean compute a list of its coefficients. ∎

Remark 2.2.

In the above lemma, the hypothesis “ $n=O(N)$ ” means that for every constant $C>0$ , the lemma holds for all $n$ and $N$ in the region $n<CN$ , where the implied big- $O$ constant in the target bound $O(n\lg^{3}N)$ may depend on $C$ . For the rest of the paper, a similar remark applies whenever we use the big- $O$ notation in this way.

Lemma 2.3.

Given as input an element $\alpha\in\mathbb{Z}_{N}^{*}$ , positive integers $n,\kappa=O(N)$ , and $f\in\mathbb{Z}_{N}[x]$ of degree $n$ , we may compute $f(1),f(\alpha),\ldots,f(\alpha^{\kappa-1})\in\mathbb{Z}_{N}$ in time $O((n+\kappa)\lg^{2}N)$ .

Proof.

This is exactly [Har20, Lem. 2.4]. The proof relies on Bluestein’s algorithm [Blu70], which saves a logarithmic factor over a general multipoint evaluation. ∎

Lemma 2.4.

Given as input an integer $N\geqslant 2$ such that $N$ is either a prime or semiprime $pq$ , and integers $a,b,u$ with at most $O(\lg N)$ bits, we may test if $u$ is of the form $aq+bp$ , and if so recover $p$ and $q$ , in time $O(\lg N\lg\lg N)$ .

Proof.

This is a trivial modification of [Har20, Lem. 3.1]. The proof depends on observing that $aq$ and $bp$ must be roots of the polynomial $y^{2}-uy+abN$ . ∎

Lemma 2.5.

There is an algorithm with the following properties. It takes as input integers $N\geqslant 2$ and $D$ such that $N^{2/5}\leqslant D\leqslant N$ . It returns either some $\beta\in\mathbb{Z}_{N}^{*}$ with $\operatorname{ord}_{N}(\beta)>D$ , or a nontrivial factor of $N$ , or “ $N$ is prime”. Its runtime is bounded by

O\left(\frac{D^{1/2}\lg^{2}N}{(\lg\lg D)^{1/2}}\right).

Proof.

This is exactly [Hit18, Thm. 6.3]. Briefly, the idea is to attempt to compute orders of various $\alpha\in\mathbb{Z}_{N}^{*}$ via the standard babystep-giantstep procedure. If we fail to compute $\operatorname{ord}_{N}(\alpha)$ , then the order must be large and we are done. If we succeed in computing $k\coloneqq\operatorname{ord}_{N}(\alpha)$ , then we try to find a factor of $N$ via $\gcd(N,\alpha^{k/r}-1)$ for each prime divisor $r$ of $k$ . If this fails, then we know that $k\mid{p-1}$ for every prime divisor $p$ of $N$ . Repeating this process for various $\alpha$ , we either find an element of large order, or obtain enough information about the factorisation of $p-1$ for $p\mid N$ to make it feasible to factor $N$ directly. For details, see [Hit18]. ∎

We will need the following well-known results on the distribution of primes.

Lemma 2.6.

For $B\to\infty$ we have

\sum_{\begin{subarray}{c}2\leqslant r\leqslant B\\ \text{\rm$r$ prime}\end{subarray}}\log r=(1+o(1))B,\qquad\prod_{\begin{subarray}{c}2\leqslant r\leqslant B\\ \text{\rm$r$ prime}\end{subarray}}\frac{r-1}{r}=\Theta\Big{(}\frac{1}{\lg B}\Big{)}.

Proof.

See Theorem 6.9 and Theorem 2.7(e) in [MV07]. The first statement is a form of the Prime Number Theorem, and the second statement is one of Mertens’ theorems. ∎

Finally we recall that a list of $n\geqslant 1$ elements of bit size $\beta\geqslant 1$ may be sorted using the “merge sort” algorithm in time $O(n\beta\lg n)$ [Knu98]. Here we assume that the elements belong to some totally ordered set, and that we may compare a pair of elements in time $O(\beta)$ .

3. A variant of Lehman’s result

The crux of the algorithms of [Hit20] and [Har20] is the observation, going back to Lehman [Leh74], that if $N=pq$ is semiprime, then there exist “small” integers $a$ and $b$ such that $aq+bp$ is “close” to $(4abN)^{1/2}$ (see [Har20, Lem. 3.3], or the main theorem of [Leh74]). In this section we prove a variant of this result in which we impose an additional constraint on $a$ and $b$ of the form $aq-bp=0\pmod{m}$ , where $m$ is a positive integer. (In Section 4 we will specialise to the case that $m$ is a product of small primes.) Moreover, instead of just an existence statement, we actually want to compute the desired $a$ and $b$ .

We recall some basic facts about lattices in $\mathbb{R}^{2}$ . By a lattice we mean a subgroup of $\mathbb{R}^{2}$ generated by two linearly independent vectors $u,v\in\mathbb{R}^{2}$ , i.e., the subgroup $\langle u,v\rangle\coloneqq\{ru+sv:r,s\in\mathbb{Z}\}\subseteq\mathbb{R}^{2}$ . The determinant of a lattice $L$ is the area of the fundamental parallelogram associated to any basis for $L$ . In particular for $L=\langle u,v\rangle$ we have

\det L=\left|\det\begin{pmatrix}u_{1}&v_{1}\\ u_{2}&v_{2}\end{pmatrix}\right|.

For a vector $u\in\mathbb{R}^{2}$ we write $\lVert u\rVert\coloneqq(u_{1}^{2}+u_{2}^{2})^{1/2}$ for the usual Euclidean norm.

Lemma 3.1.

Let $B\geqslant 2$ , and suppose we are given as input linearly independent vectors $u,v\in\mathbb{Z}^{2}$ defining a lattice $L=\langle u,v\rangle$ , such that $\lVert u\rVert,\lVert v\rVert\leqslant B$ . Then in time $O(\log^{3}B)$ we may find a nonzero vector $w\in L$ such that $\lVert w\rVert\leqslant 2(\det L)^{1/2}$ .

Proof.

We may find a nonzero vector $w\in L$ of minimal norm by applying the classical Lagrange–Gauss reduction algorithm to the input basis (see [Gal12, Chap. 17]). According to [Gal12, Thm. 17.1.10], this runs in time $O(\log^{3}B)$ . (The reduction algorithm is essentially a special case of LLL: the basic idea is to repeatedly subtract a suitable integer multiple of the shorter vector from the longer vector, until no further progress can be made in reducing the norms.) This vector satisfies $\lVert w\rVert^{2}\leqslant\gamma_{2}\det L$ where $\gamma_{2}=2/\sqrt{3}$ is the Hermite constant for rank- $2$ lattices (see [Gal12, Defn. 16.2.7]). Since $\gamma_{2}^{1/2}=1.074\ldots<2$ we are done. ∎

Remark 3.2.

Lemma 3.1 can be improved slightly. Minkowski’s convex body theorem [Lan94, §V.3, Thm. 3] implies that there exists a nonzero vector $w\in L$ such that $|w_{1}|,|w_{2}|\leqslant(\det L)^{1/2}$ , and such a vector can be found efficiently by a more involved algorithm; see for example [KS96]. This leads to better constants later in the paper, but does not affect our main asymptotic results.

Proposition 3.3.

There exists an algorithm with the following properties.

It takes as input positive integers $N\geqslant 2$ , $m_{0}$ and $\sigma_{0}$ , a positive integer $m$ coprime to $N$ , and an integer $\sigma$ coprime to $m$ such that $1\leqslant\sigma\leqslant m$ .

Its output is a pair of integers $(a,b)\neq(0,0)$ , such that if $N=pq$ is a semiprime satisfying

\sigma_{0}\leqslant p<\left(1+\frac{1}{m_{0}}\right)\sigma_{0}

(3.1)

and

p\equiv\sigma\pmod{m},

(3.2)

then the linear combination $aq+bp$ satisfies

\displaystyle\left|aq+bp-\left(a\frac{N}{\sigma_{0}}+b\sigma_{0}\right)\right|\leqslant\frac{4N^{1/2}m^{1/2}}{m_{0}^{3/2}}

(3.3)

and

\displaystyle aq+bp\equiv a\frac{N}{\sigma}+b\sigma\pmod{m^{2}}.

(3.4)

Assuming that $m_{0},\sigma_{0},m=O(N)$ , the algorithm runs in $O(\lg^{3}N)$ bit operations, and moreover the output satisfies $|a|,|b|=O(N^{2})$ .

Proof.

Assume that the input parameters $N$ , $m_{0}$ , $\sigma_{0}$ , $m$ and $\sigma$ are as described above. Assume also that $N=pq$ is a semiprime satisfying (3.1) and (3.2).

Let $t_{0}\coloneqq p/\sigma_{0}-1$ so that $p=\sigma_{0}(1+t_{0})$ . Then $0\leqslant t_{0}<1/m_{0}\leqslant 1$ , so

q=\frac{N}{p}=\frac{N}{\sigma_{0}}(1+t_{0})^{-1}=\frac{N}{\sigma_{0}}(1-t_{0}+\delta t_{0}^{2})

for some $\delta\in[0,1)$ . For any pair of integers $(a,b)$ , it then follows that

aq+bp=\left(a\frac{N}{\sigma_{0}}+b\sigma_{0}\right)+t_{0}\left(-a\frac{N}{\sigma_{0}}+b\sigma_{0}\right)+t_{0}^{2}\left(\delta a\frac{N}{\sigma_{0}}\right).

(3.5)

Similarly, let $t\coloneqq p/\sigma-1$ , so that $p=\sigma(1+t)$ . Then $t$ is a rational number that is $m$ -integral (i.e., its denominator is coprime to $m$ ), and $t\equiv 0\pmod{m}$ . Thus

q=\frac{N}{p}=\frac{N}{\sigma}(1+t)^{-1}\equiv\frac{N}{\sigma}(1-t)\pmod{m^{2}},

and for any pair of integers $(a,b)$ we obtain

aq+bp\equiv\left(a\frac{N}{\sigma}+b\sigma\right)+t\left(-a\frac{N}{\sigma}+b\sigma\right)\pmod{m^{2}}.

This last congruence implies that (3.4) holds for any $(a,b)$ that satisfies

-a\frac{N}{\sigma}+b\sigma\equiv 0\pmod{m}.

(3.6)

If $(a,b)$ additionally satisfies the inequalities

\left|-a\frac{N}{\sigma_{0}}+b\sigma_{0}\right|\leqslant\frac{2N^{1/2}m^{1/2}}{m_{0}^{1/2}},\qquad\left|a\frac{N}{\sigma_{0}}\right|\leqslant 2N^{1/2}m^{1/2}m_{0}^{1/2},

(3.7)

then (3.5) implies that (3.3) holds. We are left with showing how to compute a pair $(a,b)\neq(0,0)$ satisfying both (3.6) and (3.7). (The point is that both of these conditions are independent of $p$ .)

The congruence (3.6) is equivalent to $b\equiv\gamma a\pmod{m}$ , where $\gamma$ is the unique integer in $[0,m)$ congruent to $N/\sigma^{2}$ modulo $m$ . Thus the solutions $(a,b)\in\mathbb{Z}^{2}$ to (3.6) form a lattice $L=\langle u,v\rangle$ , where $u\coloneqq(1,\gamma)$ and $v\coloneqq(0,m)$ . Our goal is to find a nonzero vector $(a,b)\in L$ that lies in the parallelogram defined by (3.7).

To achieve this, it is convenient to introduce the linear change of variables

c\coloneqq Na,\qquad d\coloneqq(-Nm_{0})a+(m_{0}\sigma_{0}^{2})b.

In the $(c,d)$ -coordinates the inequalities (3.7) become simply

|c|,|d|\leqslant 2N^{1/2}m^{1/2}m_{0}^{1/2}\sigma_{0},

(3.8)

i.e., the parallelogram becomes a square. Moreover, in the $(c,d)$ -coordinates the lattice $L$ gets mapped to the lattice $L^{\prime}\coloneqq\langle u^{\prime},v^{\prime}\rangle$ where

u^{\prime}\coloneqq\begin{pmatrix}N\\ -Nm_{0}+m_{0}\sigma_{0}^{2}\gamma\end{pmatrix},\qquad v^{\prime}\coloneqq\begin{pmatrix}0\\ m_{0}\sigma_{0}^{2}m\end{pmatrix}.

The determinant of $L^{\prime}$ is $Nmm_{0}\sigma_{0}^{2}$ . We may therefore apply Lemma 3.1 to the basis $u^{\prime},v^{\prime}$ to find a nonzero pair $(c,d)\in L^{\prime}$ satisfying (3.8).

The hypothesis $m_{0},\sigma_{0},m=O(N)$ implies that $\lVert u^{\prime}\rVert,\lVert v^{\prime}\rVert=O(N^{4})$ , so the cost of applying Lemma 3.1 is $O(\lg^{3}N)$ . The cost of the remaining arithmetic (computing $\gamma$ , $u^{\prime}$ and $v^{\prime}$ , and recovering $(a,b)$ from $(c,d)$ ) is bounded by $(\lg N)^{1+o(1)}$ . Finally, (3.7) implies that $|a|\leqslant 2N^{-1/2}m^{1/2}m_{0}^{1/2}=O(N^{1/2})$ and $|b|\leqslant 2N^{1/2}m^{1/2}+|a|N=O(N^{3/2})$ . ∎

Remark 3.4.

The special case $m=1$ of Proposition 3.3 is closely related to [Har20, Lem. 3.3] and the main theorem of [Leh74] (note that our parameter $m_{0}$ roughly corresponds to $r$ in those statements), and in fact it is possible to prove those results using a similar lattice-based approach.

4. The main algorithm

For the convenience of the reader, we recall the following algorithm from [Har20], which forms a key subroutine of the main search algorithm presented afterwards.

Algorithm 4.1 (Finding collisions modulo $p$ or $q$ ).

Input:

–

A positive integer $N$ , either prime or semiprime.
–

A positive integer $\kappa$ , and an element $\alpha\in\mathbb{Z}_{N}^{*}$ such that $\operatorname{ord}_{N}(\alpha)\geqslant\kappa$ .
–

Elements $v_{1}\ldots,v_{n}\in\mathbb{Z}_{N}$ for some positive integer $n$ , such that $v_{h}\neq\alpha^{i}$ for all $h\in\{1,\ldots,n\}$ and $i\in\{0,\ldots,\kappa-1\}$ .

Output:

–

If $N=pq$ is semiprime, and if there exists $h\in\{1,\ldots,n\}$ such that $v_{h}\equiv\alpha^{i}\pmod{p}$ or $v_{h}\equiv\alpha^{i}\pmod{q}$ for some $i\in\{0,\ldots,\kappa-1\}$ , returns $p$ and $q$ .
–

Otherwise returns “no factors found”.

1:Using Lemma 2.1 (product tree), compute the polynomial

f(x)\coloneqq(x-v_{1})\cdots(x-v_{n})\in\mathbb{Z}_{N}[x].

2:Using Lemma 2.3 (Bluestein’s algorithm), compute the values

f(\alpha^{i})\in\mathbb{Z}_{N}

for

i=0,\ldots,\kappa-1

3:for

i=0,\ldots,\kappa-1

4: Compute

\gamma_{i}\coloneqq\gcd(N,f(\alpha^{i}))

5: if

\gamma_{i}\notin\{1,N\}

then recover

p

and

q

and return.

6: if

\gamma_{i}=N

then

7: for

h=1,\ldots,n

8: if

\gcd(N,v_{h}-\alpha^{i})\neq 1

then recover

p

and

q

and return.

9:Return “no factors found”.

Proposition 4.2.

Algorithm 4.1 is correct. Assuming that $\kappa,n=O(N)$ , its running time is $O(n\lg^{3}N+\kappa\lg^{2}N)$ .

Proof.

This is exactly Proposition 4.1 in [Har20]. ∎

We now present the main search algorithm.

Algorithm 4.3 (The main search).

Input:

–

A positive integer $N\geqslant 2$ , either prime or semiprime.
–

Positive integers $m_{0}$ and $m$ such that $\gcd(m,N)=1$ .
–

An element $\beta\in\mathbb{Z}_{N}^{*}$ such that $\operatorname{ord}_{N}(\beta^{m^{2}})\geqslant 2\lambda+1$ where

$\lambda\coloneqq\left\lceil\frac{4N^{1/2}}{(m\cdot m_{0})^{3/2}}\right\rceil.$

Output: If $N=pq$ is semiprime, returns $p$ and $q$ . Otherwise returns “ $N$ is prime”.

1:for

i=0,\ldots,2\lambda

\triangleright

Computation of babysteps

2: Compute

\beta^{m^{2}i}\pmod{N}

3: if

\gcd(N,\beta^{m^{2}i}-1)\notin\{1,N\}

then recover

p

and

q

and return.

4:for

\sigma=1,\ldots,m

\triangleright

Computation of giantsteps

5: if

\gcd(\sigma,m)=1

then

6: Initialise

\sigma_{0}\coloneqq 1

7: while

\sigma_{0}<N^{1/2}

8: Apply Proposition 3.3 with input

N

m_{0}

\sigma_{0}

m

and

\sigma

, to obtain a pair

(a,b)=(a_{\sigma,\sigma_{0}},b_{\sigma,\sigma_{0}})

9: Compute

j_{\sigma,\sigma_{0}}\coloneqq m^{2}(\tau_{0}-\lambda)+\tau,

where

\tau_{0}\coloneqq\left\lfloor\left(a\frac{N}{\sigma_{0}}+b\sigma_{0}\right)\Big{/}m^{2}\right\rfloor,

and where

\tau

is the unique integer such that

\tau\equiv a\frac{N}{\sigma}+b\sigma\pmod{m^{2}},\qquad 0\leqslant\tau<m^{2}.

10: Compute

v_{\sigma,\sigma_{0}}\coloneqq\beta^{aN+b-j_{\sigma,\sigma_{0}}}\pmod{N}.

11: Update

\sigma_{0}\coloneqq\lceil(1+1/m_{0})\sigma_{0}\rceil

12:Applying a sort-and-match algorithm to the babysteps and giantsteps computed in Steps 2 and 10, find all

i\in\{0,\ldots,2\lambda\}

and all pairs

(\sigma,\sigma_{0})

such that

\beta^{m^{2}i}\equiv v_{\sigma,\sigma_{0}}\pmod{N}.

(4.1)

For each such match, apply Lemma 2.4 to the candidate

u\coloneqq m^{2}i+j_{\sigma,\sigma_{0}},

(4.2)

together with

a\coloneqq a_{\sigma,\sigma_{0}}

and

b\coloneqq b_{\sigma,\sigma_{0}}

. If

p

and

q

are found, return.

13:Let

v_{1},\ldots,v_{n}

be the list of giantsteps

v_{\sigma,\sigma_{0}}

computed in Step 10, skipping those that were discovered in Step 12 to be equal to one of the babysteps. Apply Algorithm 4.1 (finding collisions) with

N

\kappa\coloneqq 2\lambda+1

\alpha\coloneqq\beta^{m^{2}}\pmod{N}

and

v_{1},\ldots,v_{n}

as inputs. If Algorithm 4.1 succeeds, return

p

and

q

14:Return “

N

is prime”.

Proposition 4.4.

Algorithm 4.3 is correct. If $m,m_{0}=O(N)$ , then it runs in time

O\left(m\lg N(\lg\lg N)^{2}+\phi(m)m_{0}\lg^{4}N+\frac{N^{1/2}\lg^{2}N}{(m\cdot m_{0})^{3/2}}\right).

(4.3)

Proof.

We first prove correctness. Suppose that $N=pq$ is semiprime, with $p<q$ . We must show that in Steps 1–13 the algorithm succeeds in finding $p$ and $q$ .

Consider the loop in Steps 1–3. Since we have assumed that $\operatorname{ord}_{N}(\beta^{m^{2}})\geqslant 2\lambda+1$ , in this loop we either find a factor of $N$ , or prove that both $\operatorname{ord}_{p}(\beta^{m^{2}})\geqslant 2\lambda+1$ and $\operatorname{ord}_{q}(\beta^{m^{2}})\geqslant 2\lambda+1$ . For the remainder of the proof, we will assume the latter.

We next consider the giantsteps. The block in Steps 8–10 is executed for various pairs $(\sigma,\sigma_{0})$ . We claim that (3.2) holds for exactly one such $\sigma$ , and that (3.1) holds for exactly one such $\sigma_{0}$ . For (3.2) this is clear, as $p$ is coprime to $m$ by hypothesis, so there is exactly one $\sigma$ visited by the outer loop such that $\gcd(\sigma,m)=1$ and $p\equiv\sigma\pmod{m}$ . For the inner loop, observe that $\sigma_{0}$ strictly increases on each iteration (in Step 11), so the loop certainly terminates. For any $\sigma_{0}$ visited in the loop, write $\sigma^{\prime}_{0}\coloneqq\lceil(1+1/m_{0})\sigma_{0}\rceil$ for the value of $\sigma_{0}$ at the next iteration. Since $p<N^{1/2}$ , on some iteration we must have $\sigma_{0}\leqslant p<\sigma^{\prime}_{0}$ ; in fact, this occurs for precisely one value of $\sigma_{0}$ because the successive intervals $[\sigma_{0},\sigma^{\prime}_{0})$ are disjoint. Moreover, since $p$ is an integer, the condition $\sigma_{0}\leqslant p<\sigma^{\prime}_{0}$ is equivalent to $\sigma_{0}\leqslant p<(1+1/m_{0})\sigma_{0}$ , i.e., to (3.1). Therefore (3.1) holds for exactly one $\sigma_{0}$ as claimed.

Let $(\bar{\sigma},\bar{\sigma}_{0})$ be the pair for which (3.1) and (3.2) hold, and consider the corresponding coefficients $\bar{a}\coloneqq a_{\bar{\sigma},\bar{\sigma}_{0}}$ and $\bar{b}\coloneqq b_{\bar{\sigma},\bar{\sigma}_{0}}$ computed in Step 8. According to Proposition 3.3, the linear combination $\bar{a}q+\bar{b}p$ satisfies (3.3) and (3.4) for $(\bar{\sigma},\bar{\sigma}_{0})$ . Let $\tau$ and $\tau_{0}$ be as defined in Step 9. From (3.4) we find that

\bar{a}q+\bar{b}p=m^{2}\left\lfloor\frac{\bar{a}q+\bar{b}p}{m^{2}}\right\rfloor+\tau,

(4.4)

and (3.3) yields

\frac{\bar{a}N/\bar{\sigma}_{0}+\bar{b}\bar{\sigma}_{0}}{m^{2}}-\frac{4N^{1/2}}{(m\cdot m_{0})^{3/2}}\leqslant\frac{\bar{a}q+\bar{b}p}{m^{2}}\leqslant\frac{\bar{a}N/\bar{\sigma}_{0}+\bar{b}\bar{\sigma}_{0}}{m^{2}}+\frac{4N^{1/2}}{(m\cdot m_{0})^{3/2}},

\tau_{0}-\lambda\leqslant\frac{\bar{a}q+\bar{b}p}{m^{2}}<(\tau_{0}+1)+\lambda.

This implies that $\tau_{0}-\lambda\leqslant\lfloor(\bar{a}q+\bar{b}p)/m^{2}\rfloor\leqslant\tau_{0}+\lambda$ , i.e., that $\lfloor(\bar{a}q+\bar{b}p)/m^{2}\rfloor=\tau_{0}-\lambda+\bar{i}$ for some $0\leqslant\bar{i}\leqslant 2\lambda$ . Inserting this into (4.4), we find that

\bar{a}q+\bar{b}p=m^{2}\bar{i}+\bar{j},

where $\bar{j}\coloneqq j_{\bar{\sigma},\bar{\sigma}_{0}}$ is as defined in Step 9. Now, the congruence $p\equiv 1\pmod{p-1}$ implies that $\bar{a}q+\bar{b}p\equiv\bar{a}N+\bar{b}\pmod{p-1}$ , so Fermat’s little theorem yields

\beta^{\bar{a}q+\bar{b}p}\equiv\beta^{\bar{a}N+\bar{b}}\pmod{p}.

We conclude that there must be a collision modulo $p$ between the babysteps computed in Step 2 and the giantsteps computed in Step 10, namely

\beta^{m^{2}\bar{i}}\equiv v_{\bar{\sigma},\bar{\sigma}_{0}}\pmod{p}.

(4.5)

In Step 12, we attempt to find the solution $(\bar{i},\bar{\sigma},\bar{\sigma}_{0})$ to (4.5), by finding all solutions to the stronger congruence (4.1), which is a congruence modulo $N$ rather than modulo $p$ . Let $(i,\sigma,\sigma_{0})$ be one of the solutions found in Step 12. If it is equal to $(\bar{i},\bar{\sigma},\bar{\sigma}_{0})$ , then the corresponding $u$ defined in (4.2) will be equal to $m^{2}\bar{i}+\bar{j}=\bar{a}q+\bar{b}p$ , and the factors $p$ and $q$ will be found via Lemma 2.4. Now suppose instead that $(i,\sigma,\sigma_{0})\neq(\bar{i},\bar{\sigma},\bar{\sigma}_{0})$ . We claim then that $(\sigma,\sigma_{0})\neq(\bar{\sigma},\bar{\sigma}_{0})$ . Indeed, if $(\sigma,\sigma_{0})=(\bar{\sigma},\bar{\sigma}_{0})$ , then we would have

\beta^{m^{2}\bar{i}}\equiv v_{\bar{\sigma},\bar{\sigma}_{0}}=v_{\sigma,\sigma_{0}}\equiv\beta^{m^{2}i}\pmod{p},

which implies that $\bar{i}=i$ due to the fact that $0\leqslant i,\bar{i}\leqslant 2\lambda$ and $\operatorname{ord}_{p}(\beta^{m^{2}})\geqslant 2\lambda+1$ . This establishes the claim, and consequently the giantstep $v_{\bar{\sigma},\bar{\sigma}_{0}}$ remains among the candidates in the list $v_{1},\ldots,v_{n}$ constructed in Step 13.

Finally we consider Step 13. The procedure in Step 12 ensures that all preconditions for Algorithm 4.1 are met. In addition, we have seen in the last paragraph that one of $v_{1},\ldots,v_{n}$ is equal to $v_{\bar{\sigma},\bar{\sigma}_{0}}$ . Hence, Algorithm 4.1 will succeed in finding a nontrivial factor of $N$ .

If $N$ is prime, then Steps 1–13 will fail to find a nontrivial factor, and the algorithm will correctly return “ $N$ is prime” in Step 14.

We now analyse the runtime complexity. To prepare for the loop in Steps 1–3 we first compute $\beta^{m^{2}}\pmod{N}$ ; the cost of this step is

O(\lg m\lg N\lg\lg N).

The loop itself computes at most $\kappa\coloneqq 2\lambda+1$ products modulo $N$ and $\kappa$ GCDs of integers bounded by $N$ , whose total cost is

O(\kappa\lg N(\lg\lg N)^{2}).

In Step 5 we compute $m$ GCDs of integers bounded by $m=O(N)$ , which costs

O(m\lg N(\lg\lg N)^{2}).

Now consider the inner loop over $\sigma_{0}$ . The ratio between values of $\sigma_{0}$ on successive iterations is at least $1+1/m_{0}$ , so for each $\sigma$ the number of iterations of the inner loop over $\sigma_{0}$ is at most

\left\lceil\frac{\log(N^{1/2})}{\log(1+1/m_{0})}\right\rceil=O(m_{0}\lg N).

The number of $\sigma$ considered is $\phi(m)$ , so the block in Steps 8–11 executes altogether

O(\phi(m)m_{0}\lg N)

times. Let us estimate the cost of each iteration of this block. The cost of the invocation of Proposition 3.3 in Step 8 is $O(\lg^{3}N)$ . By hypothesis we have $\sigma,m,m_{0}=O(N)$ , certainly $\lambda,\sigma_{0}=O(N^{1/2})$ , and Proposition 3.3 ensures that $a,b=O(N^{2})$ , so all quantities appearing in Step 9 have $O(\lg N)$ bits. The cost of computing $\sigma^{-1}\pmod{m^{2}}$ is therefore $O(\lg N(\lg\lg N)^{2})$ , and all other arithmetic operations required to compute $\tau$ , $\tau_{0}$ and $j_{\sigma,\sigma_{0}}$ in Step 9 cost at most $O(\lg N\lg\lg N)$ bit operations. Similarly, the exponent $aN+b-j_{\sigma,\sigma_{0}}$ ( $=N^{O(1)}$ ) in Step 10 and the updated value of $\sigma_{0}$ in Step 11 are computed in time $O(\lg N\lg\lg N)$ . Finally, the modular exponentiation in Step 10 requires $O(\lg N)$ multiplications modulo $N$ , plus possibly one inversion modulo $N$ if the exponent is negative, so its cost is $O((\lg N)^{2}\lg\lg N+\lg N(\lg\lg N)^{2})$ . We conclude that the block in Steps 8–11 runs in time $O(\lg^{3}N)$ , and that the total over all iterations is

O(\phi(m)m_{0}\lg^{4}N).

In Step 12, we construct a list of pairs $(\beta^{m^{2}i},i)$ of length $\kappa$ , and a list of tuples $(v_{\sigma,\sigma_{0}},j_{\sigma,\sigma_{0}},a_{\sigma,\sigma_{0}},b_{\sigma,\sigma_{0}})$ of length $O(\phi(m)m_{0}\lg N)$ . From the bounds already mentioned, each item in these lists occupies $O(\lg N)$ bits. We then use merge-sort to sort the lists by the first component of each tuple, which requires

O((\kappa+\phi(m)m_{0}\lg N)\lg^{2}N)

bit operations. Each giantstep $v_{\sigma,\sigma_{0}}$ is equal to at most one babystep $\beta^{m^{2}i}$ , because our assumption $\operatorname{ord}_{N}(\beta^{m^{2}})\geqslant\kappa$ implies that the babysteps are all distinct. Matching the two sorted lists, we may hence find all matches in time

O((\kappa+\phi(m)m_{0}\lg N)\lg N).

Since there are at most $\kappa$ such matches, the total cost for applying Lemma 2.4 in Step 12 is bounded by

O(\kappa\lg N\lg\lg N).

Again, we note that the assumptions of Lemma 2.4 on the size of the candidates for $a$ , $b$ and $u$ are always satisfied. Finally, in Step 13 we apply Algorithm 4.1, whose complexity is

O(\phi(m)m_{0}\lg^{4}N+\kappa\lg^{2}N).

Combining the contributions from all steps, we obtain the overall bound

O(m\lg N(\lg\lg N)^{2}+\phi(m)m_{0}\lg^{4}N+\kappa\lg^{2}N).

The last term becomes

O\left(\left(\frac{N^{1/2}}{(m\cdot m_{0})^{3/2}}+1\right)\lg^{2}N\right)=O\left(\frac{N^{1/2}\lg^{2}N}{(m\cdot m_{0})^{3/2}}\right)+O(\lg^{2}N).

The final $\lg^{2}N$ term is dominated by $\phi(m)m_{0}\lg^{4}N$ , completing the proof. ∎

Remark 4.5.

The $\phi(m)m_{0}\lg^{4}N$ term in Proposition 4.4 arises from two sources: finding short lattice vectors in order to compute $a$ and $b$ (Lemma 3.1), and the collision-finding step (Algorithm 4.1). In fact, the collision-finding step is the real bottleneck; with some effort the $O(\lg^{3}N)$ cost of Lemma 3.1 can be improved to $(\lg N)^{1+o(1)}$ [NSV11].

Finally we present the main factoring routine. In this algorithm, $N_{0}$ is a constant that is chosen large enough to ensure that the proof of correctness works for all $N\geqslant N_{0}$ . In principle one could work out $N_{0}$ explicitly, but we will not do so.

Algorithm 4.6 (Factoring (semi)primes).

Input: A positive integer $N\geqslant N_{0}$ , either prime or semiprime.

Output: If $N=pq$ is semiprime, returns $p$ and $q$ . Otherwise returns “ $N$ is prime”.

1:Compute

B\coloneqq\left\lfloor\frac{\lg N}{30}\right\rfloor,\qquad m\coloneqq\prod_{\begin{subarray}{c}2\leqslant r\leqslant B\\ \text{$r$ prime}\end{subarray}}r,

and

m_{0}\coloneqq\left\lceil\left(\frac{N^{1/5}(\lg\lg N)^{2/5}}{(\lg N)^{4/5}}\right)\Big{/}m\right\rceil.

\gcd(N,m)\notin\{1,N\}

, recover

p

and

q

and return.

2:Apply Theorem 2.5 with

D\coloneqq\lceil N^{2/5}\rceil

. If any factors of

N

are found, or if

N

is proved to be prime, return. Otherwise, we obtain

\beta\in\mathbb{Z}_{N}^{*}

such that

\operatorname{ord}_{N}(\beta)>D

3:Run Algorithm 4.3 (the main search) with the given

N

\beta

m

and

m_{0}

. Return the factors found, or “

N

is prime”.

Proposition 4.7.

Algorithm 4.6 is correct (for suitable $N_{0}$ ), and it runs in time

O\left(\frac{N^{1/5}\lg^{16/5}N}{(\lg\lg N)^{3/5}}\right).

Proof.

We start by discussing the choice of $m$ in Step 1. By the Prime Number Theorem (see Lemma 2.6) we have $m=e^{(1+o(1))B}$ . Since

B=\frac{\log N}{30\log 2}+O(1)=\frac{\log N}{20.794\ldots}+O(1),

we find that for large $N$ ,

N^{1/21}<m<N^{1/20}.

(4.6)

We may compute $m$ by simply enumerating the primes up to $B$ and multiplying them together; this may be done in time $B^{O(1)}=(\lg N)^{O(1)}$ . The rest of Step 1 (computing $B$ , $m_{0}$ and $\gcd(N,m)$ ) may also be carried out in time $(\lg N)^{O(1)}$ .

Step 2 runs in time

O\left(\frac{N^{1/5}\lg^{2}N}{(\lg\lg N)^{1/2}}\right),

which is negligible. Assume that we do not find factors of $N$ or prove $N$ prime. We then obtain $\beta\in\mathbb{Z}_{N}^{*}$ such that $\operatorname{ord}_{N}(\beta)>N^{2/5}$ .

For the invocation of Algorithm 4.3 in Step 3, we must check the precondition $\operatorname{ord}_{N}(\beta^{m^{2}})\geqslant 2\lambda+1$ , where we recall that $\lambda=\lceil 4N^{1/2}/(m\cdot m_{0})^{3/2}\rceil$ . On one hand, (4.6) yields

\operatorname{ord}_{N}(\beta^{m^{2}})\geqslant\frac{\operatorname{ord}_{N}(\beta)}{m^{2}}>\frac{N^{2/5}}{(N^{1/20})^{2}}=N^{3/10}.

On the other hand, the definition of $m_{0}$ , together with (4.6), implies that

m_{0}\cdot m\asymp\frac{N^{1/5}(\lg\lg N)^{2/5}}{(\lg N)^{4/5}},

(4.7)

2\lambda+1=\frac{N^{1/2}}{(N^{1/5+o(1)})^{3/2}}=N^{1/5+o(1)}.

Therefore certainly $\operatorname{ord}_{N}(\beta^{m^{2}})\geqslant 2\lambda+1$ for large $N$ . We conclude that Step 3 succeeds in factoring $N$ or proving $N$ prime.

The hypotheses $m,m_{0}=O(N)$ of Proposition 4.4 are certainly satisfied, so the cost of Step 3 is given by (4.3). The first term of (4.3) is negligible thanks to (4.6). To estimate the second term, we note that Mertens’ theorem (Lemma 2.6) implies that

\frac{\phi(m)}{m}=\prod_{\begin{subarray}{c}2\leqslant r\leqslant B\\ \text{\rm$r$ prime}\end{subarray}}\frac{r-1}{r}=O\Big{(}\frac{1}{\log B}\Big{)}=O\Big{(}\frac{1}{\lg\lg N}\Big{)}.

Using this estimate together with (4.7), it is easy to check that the second and third terms in (4.3) simplify to the desired bound $O(N^{1/5}(\lg N)^{16/5}/(\lg\lg N)^{3/5})$ , and hence our choice for the size of $m\cdot m_{0}$ balances the asymptotic contribution from these two terms. Taking into account the discussion in Section 1, this also completes the proof of Theorem 1.1. ∎

References

[BGS07] A. Bostan, P. Gaudry, and É. Schost, Linear recurrences with polynomial coefficients and application to integer factorization and Cartier-Manin operator, SIAM J. Comput. 36 (2007), no. 6, 1777–1806. MR 2299425 (2008a:11156)
[Blu70] L. I. Bluestein, A linear filtering approach to the computation of discrete Fourier transform, IEEE Transactions on Audio and Electroacoustics 18 (1970), no. 4, 451–455.
[BZ11] R. P. Brent and P. Zimmermann, Modern Computer Arithmetic, Cambridge Monographs on Applied and Computational Mathematics, vol. 18, Cambridge University Press, Cambridge, 2011. MR 2760886
[CH14] E. Costa and D. Harvey, Faster deterministic integer factorization, Math. Comp. 83 (2014), no. 285, 339–345. MR 3120593
[CP05] R. Crandall and C. Pomerance, Prime Numbers: a Computational Perspective, second ed., Springer, New York, 2005. MR 2156291 (2006a:11005)
[Gal12] S. D. Galbraith, Mathematics of Public Key Cryptography, Cambridge University Press, Cambridge, 2012. MR 2931758
[Har20] D. Harvey, An exponent one-fifth algorithm for deterministic integer factorisation, to appear in Mathematics of Computation, arXiv preprint https://arxiv.org/abs/2010.05450, 2020.
[Hit18] M. Hittmeir, A babystep-giantstep method for faster deterministic integer factorization, Math. Comp. 87 (2018), no. 314, 2915–2935. MR 3834692
[Hit20] by same author, A time-space tradeoff for Lehman’s deterministic integer factorization method, to appear in Mathematics of Computation, arXiv preprint http://arxiv.org/abs/2006.16729v1, 2020.
[HvdH21] D. Harvey and J. van der Hoeven, Integer multiplication in time $O(n\log n)$ , Ann. of Math. (2) 193 (2021), no. 2, 563–617. MR 4224716
[Knu98] D. E. Knuth, The Art of Computer Programming. Vol. 3, Addison-Wesley, Reading, MA, 1998, Sorting and searching, Second edition [of MR0445948]. MR 3077154
[KS96] M. Kaib and C. P. Schnorr, The generalized Gauss reduction algorithm, J. Algorithms 21 (1996), no. 3, 565–578. MR 1417664
[Lan94] S. Lang, Algebraic Number Theory, second ed., Graduate Texts in Mathematics, vol. 110, Springer-Verlag, New York, 1994. MR 1282723
[Law95] F. W. Lawrence, Factorisation of numbers, Messenger of Math. 24 (1895), 100–109.
[Leh74] R. S. Lehman, Factoring large integers, Math. Comp. 28 (1974), 637–646. MR 340163
[Len00] A. K. Lenstra, Integer factoring, Des. Codes Cryptogr. 19 (2000), no. 2-3, 101–128, Towards a quarter-century of public key cryptography. MR 1758972
[MV07] H. L. Montgomery and R. C. Vaughan, Multiplicative Number Theory. I. Classical Theory, Cambridge Studies in Advanced Mathematics, vol. 97, Cambridge University Press, Cambridge, 2007. MR 2378655
[NSV11] A. Novocin, D. Stehlé, and G. Villard, An LLL-reduction algorithm with quasi-linear time complexity [extended abstract], STOC’11—Proceedings of the 43rd ACM Symposium on Theory of Computing, ACM, New York, 2011, pp. 403–412. MR 2931990
[Pap94] C. H. Papadimitriou, Computational Complexity, Addison-Wesley Publishing Company, Reading, MA, 1994. MR 1251285 (95f:68082)
[Rie94] H. Riesel, Prime Numbers and Computer Methods for Factorization, second ed., Progress in Mathematics, vol. 126, Birkhäuser Boston, Inc., Boston, MA, 1994. MR 1292250
[vzGG13] J. von zur Gathen and J. Gerhard, Modern Computer Algebra, 3rd ed., Cambridge University Press, Cambridge, 2013. MR 3087522
[Wag13] S. S. Wagstaff, Jr., The Joy of Factoring, Student Mathematical Library, vol. 68, American Mathematical Society, Providence, RI, 2013. MR 3135977

A log-log speedup for exponent one-fifth deterministic integer factorisation

Abstract.

2020 Mathematics Subject Classification:

1. Introduction

Theorem 1.1.

2. Preliminaries

Lemma 2.1.

Proof.

Remark 2.2.

Lemma 2.3.

Proof.

Lemma 2.4.

Proof.

Lemma 2.5.

Proof.

Lemma 2.6.

Proof.

3. A variant of Lehman’s result

Lemma 3.1.

Proof.

Remark 3.2.

Proposition 3.3.

Proof.

Remark 3.4.

4. The main algorithm

Algorithm 4.1 (Finding collisions modulo pp or qq).

Proposition 4.2.

Proof.

Algorithm 4.3 (The main search).

Proposition 4.4.

Proof.

Remark 4.5.

Algorithm 4.6 (Factoring (semi)primes).

Proposition 4.7.

Proof.

References

Algorithm 4.1 (Finding collisions modulo $p$ or $q$ ).