Lecture 14 - Number-Theoretic Algorithms

Uploaded by Muhammad Faheem

Number-Theoretic Algorithms

Chapter 31, CLRS book

p1.
Modular Arithmetic

p2.
Integers
• a | b: a divides b, a is a divisor of b.
• gcd( a, b): greatest common divisor of a and b.
• Coprime or relatively prime: gcd( a, b) =1.
• Euclid's algorithm: compute gcd( a, b).
• Extended Euclid's algorithm: compute integers x and y such that ax + by = gcd(a, b).

p3.
Integers modulo n
• Let n ≥ 2 be an integer.
• Def: a is congruent to b modulo n, written
a ≡ b mod n, if n | (a − b), i.e., a and b have the
same remainder when divided by n.
• Note: a ≡ b mod n and a = b mod n are different.
• Def: [a ]n = {all integers congruent to a modulo n} .
• [a ]n is called a residue class modulo n, and a is a
representative of that class.
p4.
• There are exactly n residue classes modulo n: [0], [1], [2], …, [n − 1].
• Note: "congruence mod n" is an equivalence relation, whose
equivalence classes are the residue classes.
• If x ∈ [a ], y ∈ [b], then x + y ∈ [a + b] and x ⋅ y ∈ [a ⋅ b].
• Define addition and multiplication for residue classes:
[a] +_n [b] = [a + b]
[a] ⋅_n [b] = [a ⋅ b].

p5.
Group
• A group, denoted by (G, ∗), is a set G with a binary operation ∗ : G × G → G such that
1. ∀x, y ∈ G, x ∗ y ∈ G (closure)
2. x ∗ (y ∗ z) = (x ∗ y) ∗ z (associativity)
3. ∃ e ∈ G s.t. ∀x ∈ G, e ∗ x = x ∗ e = x (identity)
4. ∀x ∈ G, ∃ y ∈ G s.t. x ∗ y = y ∗ x = e (inverse)

• A group (G, ∗) is abelian if ∀x, y ∈ G, x ∗ y = y ∗ x.

• Examples: (Z, +), (Q, +), (Q \ {0}, ×), (R, +), (R \ {0}, ×).

p6.
• Define Z_n = {[0], [1], ..., [n − 1]}.
• Or, more conveniently, Z_n = {0, 1, ..., n − 1}.
• (Z_n, +) forms an abelian additive group.
• For a, b ∈ Z_n,
 a + b = (a + b) mod n. (Or, [a] + [b] = [a + b] = [a + b mod n].)
 0 is the identity element.
 The inverse of a, denoted by −a, is n − a.
• When doing addition/subtraction in Z_n, just do the regular addition/subtraction and reduce the result modulo n.
 In Z_10, 5 + 5 + 9 + 4 + 6 + 2 + 8 + 3 = ?

p7.
• (Z_n, ∗) is not a group, because 0⁻¹ does not exist.

• Even if we exclude 0 and consider only Z_n^+ = Z_n \ {0}, (Z_n^+, ∗) is not necessarily a group; some a⁻¹ may not exist.

• For a ∈ Z_n, a⁻¹ exists if and only if gcd(a, n) = 1.

p8.
• Let Z_n^* = {a ∈ Z_n : gcd(a, n) = 1}.
• (Z_n^*, ∗) is an abelian multiplicative group.
 a ∗ b = ab mod n.
 1 is the identity element.
 The inverse of a, written a⁻¹, can be computed by the Extended Euclidean Algorithm.
• For example, Z_12^* = {1, 5, 7, 11}. 5 ∗ 7 = 35 mod 12 = 11.

• Q: How many elements are there in Z n* ?

p9.
• Euler's totient function:
φ(n) = |Z_n^*| = |{a : 1 ≤ a ≤ n and gcd(a, n) = 1}|

• Facts:
1. φ(p^e) = (p − 1) p^{e−1} for prime p
2. φ(ab) = φ(a) φ(b) if gcd(a, b) = 1

p10.
• Let G be a (multiplicative) finite group.
• The order of G , ord(G ), is the number of elements in G.
• The order of a ∈ G , written ord( a ), is the smallest
positive integer t such that a t = e. (e, identity element.)
• Lagrange's theorem: For any element a ∈ G, ord( a ) | ord(G ).
• Corollary: For any element a ∈ G, a^{ord(G)} = a^{|G|} = e.
• Fermat's little theorem:
If a ∈ Z_p^* (p a prime), then a^{φ(p)} = a^{p−1} = 1 in Z_p^*.
• Euler's theorem:
If a ∈ Z_n^* (for any n > 1), then a^{φ(n)} = 1 in Z_n^*.

p11.
Example: n = 15
• Z_15^* = {1, 2, 4, 7, 8, 11, 13, 14}

• |Z_15^*| = φ(15) = φ(3) × φ(5) = 2 × 4 = 8

a ∈ Z_15^*: 1 2 4 7 8 11 13 14

ord(a): 1 4 2 4 4 2 4 2

• a^{φ(n)} = a^8 = 1
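As an added worked example (not part of the slides or of CLRS), the following Python computes Z_n^* from the definition, φ(n) both by counting and from the two facts on p9, and the order of every unit, and checks Euler's and Lagrange's theorems. Run on n = 15 it reproduces the table above; run on n = 12 it reproduces the Z_12^* example on p8. Function names are my own; only the standard library is used.

```python
from math import gcd


def units(n):
    """Z_n^*: the elements of {0, ..., n-1} that are coprime to n (n >= 2)."""
    if n < 2:
        raise ValueError("n must be at least 2")
    return [a for a in range(n) if gcd(a, n) == 1]


def phi(n):
    """Euler's totient, computed directly from the definition phi(n) = |Z_n^*|."""
    return len(units(n))


def phi_from_factorization(factors):
    """Totient from the slide's facts: phi(p^e) = (p-1) p^(e-1), and phi is
    multiplicative over coprime factors. `factors` maps prime -> exponent."""
    result = 1
    for p, e in factors.items():
        result *= (p - 1) * p ** (e - 1)
    return result


def mul_mod(a, b, n):
    """The group operation of (Z_n^*, *): a * b = ab mod n."""
    return (a * b) % n


def order(a, n):
    """ord(a) in Z_n^*: the smallest t >= 1 with a^t = 1 (mod n).
    Only defined for units; for a non-unit no such t exists."""
    if n < 2 or gcd(a, n) != 1:
        raise ValueError(f"{a} is not a unit modulo {n}")
    t, power = 1, a % n
    while power != 1:
        power = (power * a) % n
        t += 1
    return t


def order_table(n):
    """ord(a) for every a in Z_n^*, in increasing order of a (as the slide lists them)."""
    return {a: order(a, n) for a in units(n)}


def euler_theorem_holds(n):
    """Euler: a^phi(n) = 1 for every unit a; Lagrange: ord(a) divides |Z_n^*|."""
    k = phi(n)
    return all(pow(a, k, n) == 1 and k % order(a, n) == 0 for a in units(n))


if __name__ == "__main__":
    print(units(15), phi(15), phi_from_factorization({3: 1, 5: 1}))
    print(order_table(15))
    print(units(12), mul_mod(5, 7, 12), euler_theorem_holds(15))
```

The brute-force `order` loop is fine for the small moduli of these slides; for cryptographic sizes one would instead use Lagrange's theorem and test only the divisors of φ(n), which `euler_theorem_holds` already relies on.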

p12.
The Chinese Remainder Problem

• A problem described in an ancient Chinese arithmetic book, Sun Tze Suan Ching, by Sun Tze (around 300AD, author of The Art of War).
• Problem: We have a number of objects, but we do not know exactly how many. If we count them by threes we have two left over. If we count them by fives we have three left over. If we count them by sevens we have two left over. How many objects are there?
 Mathematically, if x ≡ 2 mod 3, x ≡ 3 mod 5, x ≡ 2 mod 7, what is x?

p13.
Chinese remainder theorem
If integers n_1, …, n_k are pairwise coprime, then the system of congruences
 x ≡ a_1 mod n_1
 x ≡ a_2 mod n_2
 …
 x ≡ a_k mod n_k
has a unique solution modulo N = n_1 n_2 … n_k:
x ≡ Σ_{i=1}^{k} a_i N_i y_i mod N
where N_i = N / n_i and y_i = N_i⁻¹ mod n_i (A formula by Gauss)

p14.
Example: Chinese remainder theorem
Suppose
x ≡ 1 mod 3
x ≡ 6 mod 7
x ≡ 8 mod 10
By the Chinese remainder theorem, the solution is:
x ≡ 1 × 70 × (70⁻¹ mod 3) + 6 × 30 × (30⁻¹ mod 7) + 8 × 21 × (21⁻¹ mod 10)
≡ 1 × 70 × (1⁻¹ mod 3) + 6 × 30 × (2⁻¹ mod 7) + 8 × 21 × (1⁻¹ mod 10)
≡ 1 × 70 × 1 + 6 × 30 × 4 + 8 × 21 × 1 mod 210
≡ 958 mod 210
≡ 118 mod 210

p15.
Another version of CRT
• N = n_1 n_2 … n_k (the numbers n_i are pairwise coprime)
• There is a one-to-one correspondence ψ:
Z_N ←→ Z_{n_1} × … × Z_{n_k}
a ←→ (a_1, …, a_k), where a ∈ Z_N and a_i = a mod n_i
• ψ(x ⋅ y) = ψ(x) ⋅ ψ(y).
• ψ(x + y) = ψ(x) + ψ(y).

• For math students: ψ is a ring isomorphism.

p16.
Chinese remainder theorem
Let N = n_1 n_2 … n_k, where n_1, …, n_k are pairwise coprime. Define a mapping

ψ : Z_N → Z_{n_1} × Z_{n_2} × … × Z_{n_k}

x ↦ (x mod n_1, x mod n_2, …, x mod n_k)

Then,

• ψ is bijective (one-to-one and onto).

• ψ(x ⋅ y) = ψ(x) ⋅ ψ(y).
• ψ(x + y) = ψ(x) + ψ(y).
p17.
• Computations in Z_N can be done by performing the corresponding computations in Z_{n_1}, Z_{n_2}, …, Z_{n_k}, and then solving the CRP.
• If a ↔ (a_1, …, a_k) and b ↔ (b_1, …, b_k), then
a ± b ↔ (a_1 ± b_1, …, a_k ± b_k)
a × b ↔ (a_1 × b_1, …, a_k × b_k)
a ÷ b ↔ (a_1 ÷ b_1, …, a_k ÷ b_k) if b ∈ Z_N^*
(the left side is computed mod N; the i-th component on the right is computed mod n_i)
p18.
Example: Chinese remainder theorem
• Z_15 ↔ Z_3 × Z_5 (15 = 3 × 5)
Z_15^* ↔ Z_3^* × Z_5^*

8 ↔ (8 mod 3, 8 mod 5) = (2, 3)
11 ↔ (11 mod 3, 11 mod 5) = (2, 1)
• Suppose we want to compute 8 × 11 mod 15.
• 8 × 11 mod 15 ↔ (2 × 2 mod 3, 3 × 1 mod 5) = (1, 3).
• x ↔ (1, 3) (which number x ∈ Z_15 corresponds to (1, 3)?)
• Solve x ≡ 1 mod 3, x ≡ 3 mod 5 ⇒ x = 13.
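The CRT material of p12 to p18, as an added Python example that is not part of the slides: `crt` implements Gauss's formula x = Σ a_i N_i y_i mod N exactly as stated on p13 (with the modular inverse taken from Python's built-in `pow(x, -1, m)`, available since Python 3.8), and `psi`, `psi_inverse` and `mul_via_crt` implement the ring isomorphism of p15 to p17, multiplying componentwise and mapping back. The function names are my own.

```python
from math import gcd, prod


def crt(congruences):
    """Solve x ≡ a_i (mod n_i) for pairwise coprime n_i with Gauss's formula:
    x = sum(a_i * N_i * y_i) mod N, where N_i = N / n_i and y_i = N_i^-1 mod n_i.
    `congruences` is a list of (a_i, n_i) pairs; the result lies in [0, N)."""
    moduli = [n for _, n in congruences]
    for i, n_i in enumerate(moduli):              # the theorem needs pairwise coprime moduli
        for n_j in moduli[i + 1:]:
            if gcd(n_i, n_j) != 1:
                raise ValueError(f"moduli {n_i} and {n_j} are not coprime")
    N = prod(moduli)
    x = 0
    for a_i, n_i in congruences:
        N_i = N // n_i
        y_i = pow(N_i, -1, n_i)                   # N_i^-1 mod n_i (extended Euclid inside)
        x += a_i * N_i * y_i
    return x % N


def psi(x, moduli):
    """The isomorphism Z_N -> Z_{n_1} x ... x Z_{n_k}: x -> (x mod n_1, ..., x mod n_k)."""
    return tuple(x % n for n in moduli)


def psi_inverse(components, moduli):
    """Inverse of psi: the unique x in Z_N with the given residues (solves the CRP)."""
    return crt(list(zip(components, moduli)))


def mul_via_crt(a, b, moduli):
    """Multiply in Z_N by multiplying componentwise in each Z_{n_i}, then mapping back.
    Equals (a * b) mod N because psi(x * y) = psi(x) * psi(y)."""
    components = tuple((ai * bi) % n
                       for ai, bi, n in zip(psi(a, moduli), psi(b, moduli), moduli))
    return psi_inverse(components, moduli)


if __name__ == "__main__":
    print(crt([(2, 3), (3, 5), (2, 7)]))          # Sun Tze's puzzle (p12)
    print(crt([(1, 3), (6, 7), (8, 10)]))         # the p14 example
    print(psi(8, [3, 5]), psi(11, [3, 5]), mul_via_crt(8, 11, [3, 5]))  # p18
```

The coprimality check matters in practice: Gauss's formula silently returns garbage when two moduli share a factor, because some N_i then has no inverse modulo n_i, and `pow` raises only in that one case.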

p19.
Algorithms
• gcd(a, b)
• a⁻¹ mod n
• a^k mod n

• Running time: O((log n)³)

p20.
Euclidean Algorithm
Comment: compute gcd(a, b), where a > b > 1.
r_0 := a
r_1 := b
for i := 1, 2, … until r_{n+1} = 0
 r_{i+1} := r_{i−1} mod r_i
return (r_n)
Running time:
 O(log a) iterations; O(log² a) time for each mod.
 Overall running time: O(log³ a)

p21.
Extended Euclidean Algorithm
Given a > b > 0, compute x, y such that gcd(a, b) = ax + by.
Example: gcd(299, 221) = ?
299 = 1 × 221 + 78
221 = 2 × 78 + 65
78 = 1 × 65 + 13
65 = 5 × 13 + 0

gcd(299, 221) = 13 = 78 − 65
= 78 − (221 − 2 × 78) = 3 × 78 − 221
= 3 × (299 − 1 × 221) − 221
= 3 × 299 − 4 × 221
p22.
How to compute a⁻¹ mod n?
• Compute a⁻¹ in Z_n^*.
• a⁻¹ exists if and only if gcd(a, n) = 1.
• Use the extended Euclidean algorithm to find x, y such that ax + ny = gcd(a, n) = 1 (in Z)
⇒ [a][x] + [n][y] = [1]
⇒ [a][x] = [1] (since [n] = [0])
⇒ [a]⁻¹ = [x].
• Note: may omit [ ], but reduce everything modulo n.

p23.
Example
• Compute 15⁻¹ mod 47.
47 = 15 × 3 + 2 (divide 47 by 15; remainder = 2)
15 = 2 × 7 + 1 (divide 15 by 2; remainder = 1)
1 = 15 − 2 × 7 (mod 47)
= 15 − (47 − 15 × 3) × 7 (mod 47)
= 15 × 22 − 47 × 7 (mod 47)
= 15 × 22 (mod 47)
15⁻¹ mod 47 = 22
That is, 15⁻¹ = 22 in Z_47^*.
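The Euclidean and extended Euclidean algorithms of p20 to p23, as an added Python example (not code from the slides or CLRS): `euclid_remainders` returns the remainder sequence r_0, r_1, … of p20, `extended_euclid` carries the back-substitution of p21 along iteratively instead of unwinding it afterwards, and `mod_inverse` applies p22, reducing x modulo n. Function names are my own.

```python
def euclid_remainders(a, b):
    """Euclid's algorithm as on the slide: r_0 = a, r_1 = b, r_{i+1} = r_{i-1} mod r_i
    until a remainder of 0. Returns the whole sequence; gcd(a, b) is the last nonzero term."""
    r = [a, b]
    while r[-1] != 0:
        r.append(r[-2] % r[-1])
    return r


def gcd(a, b):
    return euclid_remainders(a, b)[-2]


def extended_euclid(a, b):
    """Return (g, x, y) with g = gcd(a, b) = a*x + b*y.
    Each remainder is kept as a combination of a and b, so the coefficients of
    the final nonzero remainder are exactly the x, y the slide obtains by hand."""
    old_r, r = a, b
    old_x, x = 1, 0          # a = 1*a + 0*b
    old_y, y = 0, 1          # b = 0*a + 1*b
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
        old_y, y = y, old_y - q * y
    return old_r, old_x, old_y


def mod_inverse(a, n):
    """a^-1 mod n, which exists iff gcd(a, n) = 1: from a*x + n*y = 1 we get a*x ≡ 1 (mod n),
    so the inverse is x reduced modulo n (the slide's "omit [ ], but reduce everything mod n")."""
    g, x, _ = extended_euclid(a % n, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n} (gcd = {g})")
    return x % n


if __name__ == "__main__":
    print(euclid_remainders(299, 221))        # [299, 221, 78, 65, 13, 0]
    print(extended_euclid(299, 221))          # (13, 3, -4): 3*299 - 4*221 = 13
    print(mod_inverse(15, 47))                # 22
```

Reducing x modulo n at the end is what turns a possibly negative coefficient (the hand computation on p23 produces 22 directly, but 15 − 7 × 47 type rearrangements often yield a negative x) into a representative in Z_n^*.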

p24.
Algorithm: Square-and-Multiply(x, c, n)
Comment: compute x^c mod n, where c = c_k c_{k−1} … c_0 in binary.
z ← 1
for i ← k downto 0 do
 z ← z² mod n
 if c_i = 1 then z ← (z ⋅ x) mod n
return (z)

Note: At the end of iteration i, z = x^{c_k ... c_i}.

p25.
Example: 11^23 mod 187
23 = 10111b
z ← 1
z ← z² ⋅ 11 mod 187 = 11 (square and multiply)
z ← z² mod 187 = 121 (square)
z ← z² ⋅ 11 mod 187 = 44 (square and multiply)
z ← z² ⋅ 11 mod 187 = 165 (square and multiply)
z ← z² ⋅ 11 mod 187 = 88 (square and multiply)
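The left-to-right square-and-multiply of p24, as an added Python example that is not part of the slides. It scans the bits of c from c_k down to c_0 exactly as the pseudocode does and can record z after every iteration, so the trace for 11^23 mod 187 reproduces the five lines above. The names are my own.

```python
def square_and_multiply(x, c, n, trace=None):
    """Compute x^c mod n by scanning the binary digits of c from the most significant
    bit c_k down to c_0: square at every step, multiply by x when the bit is 1.
    If `trace` is a list, the value of z after each iteration is appended to it."""
    if c < 0 or n < 1:
        raise ValueError("exponent must be non-negative and modulus positive")
    bits = bin(c)[2:] if c > 0 else "0"
    z = 1 % n                         # empty product, reduced (handles n == 1)
    for bit in bits:
        z = (z * z) % n               # square: z = x^(c_k ... c_{i+1} 0)
        if bit == "1":
            z = (z * x) % n           # multiply: z = x^(c_k ... c_i)
        if trace is not None:
            trace.append(z)
    return z


def exponent_trace(x, c, n):
    """The intermediate values z, one per bit of c, for display."""
    trace = []
    square_and_multiply(x, c, n, trace)
    return trace


if __name__ == "__main__":
    print(exponent_trace(11, 23, 187))        # [11, 121, 44, 165, 88]
    print(square_and_multiply(11, 23, 187))   # 88
```

Every intermediate value stays below n², which is the whole point made on p33: 11^23 itself is never formed. The invariant "at the end of iteration i, z = x^{c_k...c_i}" is what the trace lets you check line by line.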

p26.
The RSA Cryptosystem

p27.
The RSA Cryptosystem
• By Rivest, Shamir & Adleman of MIT in 1977.
• Best known and most widely used public-key scheme.
• Based on the assumed one-way property of modular powering:
f : x → x^e mod n (easy)
f⁻¹ : x^e → x mod n (hard)

• In turn based on the hardness of integer factorization.

p28.
Idea behind RSA
It works in the group Z_n^*. Let x ∈ Z_n^* be a message.

Encryption (easy): x → x^e (RSA)
Decryption (hard): x ← x^e (RSA⁻¹)

Looking for a "trapdoor": (x^e)^d = x.

If d is a number such that ed ≡ 1 mod φ(n), then ed = kφ(n) + 1 for some k, and
(x^e)^d = x^{ed} = x^{φ(n)k + 1} = (x^{φ(n)})^k ⋅ x = 1 ⋅ x = x.

p29.
RSA Cryptosystem
• Key generation:
(a) Choose large primes p and q, and let n := pq.
(b) Choose e (1 < e < φ(n)) coprime to φ(n), and compute d := e⁻¹ mod φ(n). (ed ≡ 1 mod φ(n).)
(c) Public key: pk = (n, e). Secret key: sk = (n, d).
• Encryption: E_pk(x) := x^e mod n, where x ∈ Z_n^*.
• Decryption: D_sk(y) := y^d mod n, where y ∈ Z_n^*.

p30.
Why RSA Works?
• The setting of RSA is the group (Z_n^*, ⋅):
 In the group (Z_n^*, ⋅), for any x ∈ Z_n^*, we have x^{φ(n)} = 1.
 We have chosen e, d such that ed ≡ 1 mod φ(n), i.e., ed = kφ(n) + 1 for some positive integer k.
 For x ∈ Z_n^*, (x^e)^d = x^{ed} = x^{kφ(n)+1} = (x^{φ(n)})^k ⋅ x = x.

p31.
What if x ∈ Z_n \ Z_n^*?
• RSA still works, but not secure.

• x ∉ Z_n^* ⇒ gcd(x, n) ≠ 1 ⇒ p | x or q | x.

• Say p | x. Then, x ≡ 0 mod p and x ≡ x mod q. Also,
 x^{ed} ≡ 0 mod p
 x^{ed} ≡ x mod q (x^{ed} = x^{kφ(n)+1} = x^{k(p−1)(q−1)+1})
• By CRT, x^{ed} ≡ x mod n ⇒ x^{ed} mod n = x ⇒ D(E(x)) = x

p32.
RSA Example: Key Setup
• Select two primes: p = 17, q = 11.
• Compute the modulus n = pq = 187.
• Compute φ(n) = (p − 1)(q − 1) = 160.
• Select e between 0 and 160 such that gcd(e, 160) = 1. Say e = 7.
• Compute d = e⁻¹ mod φ(n) = 7⁻¹ mod 160 = 23 (using extended Euclid's algorithm).
• Public key: pk = (e, n) = (7, 187).
• Secret key: sk = (d, n) = (23, 187).

p33.
RSA Example: Encryption & Decryption
• Suppose m = 88.
• Encryption: c = m^e mod n = 88^7 mod 187 = 11.
• Decryption: m = c^d mod n = 11^23 mod 187 = 88.
• When computing 11^23 mod 187, we do not first compute 11^23 and then reduce it modulo 187.
• Rather, use square-and-multiply, and reduce intermediate results modulo 187 whenever they get bigger than 187.

p34.
Encryption Key e
• To speed up encryption, small values are usually used for e.

• Popular choices are 3, 17 = 2⁴ + 1, 65537 = 2¹⁶ + 1. These values have only two 1's in their binary representation.

• There is an interesting attack on small e.

p35.
Decryption Key d
• One may be tempted to use a small d to speed up decryption.
• Unfortunately, that is risky.

• Wiener's attack: If d < n^{1/4}/3 and p < q < 2p, then the decryption exponent d can be computed from (n, e).

• CRT can be used to speed up decryption.

p36.
Speeding up Decryption by CRT
• Decryption: c^d mod n (i.e., compute c^d in Z_n^*)
• Time: O(|n|³).

• Instead of computing c^d mod n directly, we compute
 c_1 := c mod p, and c_2 := c mod q
 m_1 := c_1^{d mod φ(p)} mod p, and m_2 := c_2^{d mod φ(q)} mod q
 recover the plaintext by solving x ≡ m_1 mod p, x ≡ m_2 mod q
• Time: 1/4 of the direct computation.
• If n = p_1 p_2 ... p_t, will speed up even more.
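The textbook RSA of p29 to p36 in Python, as an added example that is not code from the slides: key setup as on p32, encryption and decryption as on p33, and the CRT speed-up of p36 with the reduced exponents d mod φ(p) and d mod φ(q) and a two-modulus Gauss recombination. The modular inverse comes from Python's built-in `pow(e, -1, phi)` (Python 3.8+); function names are my own. This is the unpadded "schoolbook" scheme the slides describe, shown for the arithmetic only.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Key setup from p32: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    p and q are assumed prime; e must satisfy 1 < e < phi and gcd(e, phi) = 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)                # extended Euclid under the hood
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def rsa_encrypt(key, m):
    """E_pk(m) = m^e mod n."""
    return pow(m, key["e"], key["n"])


def rsa_decrypt(key, c):
    """D_sk(c) = c^d mod n, computed directly."""
    return pow(c, key["d"], key["n"])


def rsa_decrypt_crt(key, c):
    """p36: exponentiate modulo p and q separately with d mod phi(p) and d mod phi(q),
    then solve x ≡ m1 (mod p), x ≡ m2 (mod q) with Gauss's formula for two moduli."""
    p, q, d = key["p"], key["q"], key["d"]
    m1 = pow(c % p, d % (p - 1), p)
    m2 = pow(c % q, d % (q - 1), q)
    x = m1 * q * pow(q, -1, p) + m2 * p * pow(p, -1, q)
    return x % (p * q)


def message_shares_factor(key, m):
    """True when m lies in Z_n \\ Z_n^* (p31/p44): gcd(m, n) is then a nontrivial factor of n,
    so decryption still works but the message itself reveals the factorization."""
    return gcd(m, key["n"]) != 1


if __name__ == "__main__":
    key = rsa_keygen(17, 11, 7)
    print(key)                                   # d = 23, n = 187
    c = rsa_encrypt(key, 88)
    print(c, rsa_decrypt(key, c), rsa_decrypt_crt(key, c))   # 11 88 88
    print(message_shares_factor(key, 88))        # True: gcd(88, 187) = 11
```

Note that the slides' own message m = 88 is not in Z_187^* (11 divides it), which is exactly the p31 situation: both decryption routes still return 88, and `message_shares_factor` flags the leak that p44 warns about.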
p37.
Attacks on RSA

p38.
Attacks on RSA
• Four categories of attacks on RSA:
 brute-force key search
( infeasible given the large key space )
 mathematical attacks
 timing attacks
 chosen ciphertext attacks

p39.
Mathematical Attacks
• Factor n into pq. Then φ(n) = (p − 1)(q − 1) and d = e⁻¹ mod φ(n) can be calculated easily.
• Determine φ(n) directly. Equivalent to factoring n. Knowing φ(n) will enable us to factor n by solving
n = pq
φ(n) = (p − 1)(q − 1)
• Determine d directly. If d is known, n can be factored
with high probability.

p40.
Integer Factorization
• A difficult problem, assumed to be infeasible.

• More and more efficient algorithms have been developed.


• In 1977, RSA challenged researchers to decode a ciphertext encrypted with a key (n) of 129 digits (428 bits). Prize: $100. RSA thought it would take quadrillion years to break the code using the fastest algorithms and computers of that time. Solved in 1994.

• In 1991, RSA put forward more challenges, with prizes, to encourage research on factorization.

p41.
RSA Numbers
• Each RSA number is a semiprime. (A number is
semiprime if it is the product of two primes.)
• There are two labeling schemes.
 by the number of decimal digits:
RSA-100, ..., RSA-500, RSA-617.
 by the number of bits:
RSA-576, 640, 704, 768, 896, 1024, 1536, 2048.

p42.
RSA Numbers which have been factored
• RSA-100 (332 bits), 1991, 7 MIPS-year, Quadratic Sieve.
• RSA-110 (365 bits), 1992, 75 MIPS-year, QS.
• RSA-120 (398 bits), 1993, 830 MIPS-year, QS.
• RSA-129 (428 bits), 1994, 5000 MIPS-year, QS.
• RSA-130 (431 bits), 1996, 1000 MIPS-year, GNFS.
• RSA-140 (465 bits), 1999, 2000 MIPS-year, GNFS.
• RSA-155 (512 bits), 1999, 8000 MIPS-year, GNFS.
• RSA-160 (530 bits), 2003, Lattice Sieve.
• RSA-576 (174 digits), 2003, Lattice Sieve.
• RSA-640 (193 digits), 2005, Lattice Sieve.
• RSA-200 (663 bits), 2005, Lattice Sieve.
p43.
RSA-200 =
27,997,833,911,221,327,870,829,467,638,
722,601,621,070,446,786,955,428,537,560,
009,929,326,128,400,107,609,345,671,052,
955,360,856,061,822,351,910,951,365,788,
637,105,954,482,006,576,775,098,580,557,
613,579,098,734,950,144,178,863,178,946,
295,187,237,869,221,823,983.

p44.
Remarks
• In light of current factorization technologies, RSA recommends n = 1024-2048 bits.

• If a message m ∈ Z_n \ Z_n^*,
 RSA works, but
 Since gcd(m, n) > 1, the sender can factor n.
 Since gcd(m^e, n) > 1, the adversary can factor n, too.

• Question: how likely is m ∈ Z n \ Z n* ?

p45.
Generating large primes
To set up an RSA cryptosystem,
we need two large primes p and q.

p46.
How many prime numbers are there?
• Infinitely many.

• First proved by Euclid:
• Assume only a finite number of primes p_1, p_2, …, p_n.
• Let M = p_1 p_2 … p_n + 1.
• M is not a prime, because M ≠ p_i, 1 ≤ i ≤ n.
• So, M is composite and has a prime factor p_i for some i ⇒ p_i | M ⇒ p_i | 1 ⇒⇐ contradiction.

p47.
Distribution of Prime Numbers
The Prime Number Theorem:
Let π(x) denote the number of primes ≤ x. Then π(x) ≈ x / ln x for large x.

Dirichlet's Theorem: For b ∈ Z_n^*, let π_{n,b}(x) denote the number of primes y such that y ≤ x and y ≡ b mod n. Then, π_{n,b}(x) ≈ (x / ln x) ⋅ (1 / φ(n)) for large x.

p48.
How to generate a large prime number ?
• Generate a random odd number n of desired size.
• Test if n is prime.

• If not, discard it and try a different number.

• Q: How many numbers are expected to be tested before a prime is found?

p49.
Primality test: Is n a prime?
• Can it be solved in polynomial time?
• A long standing open problem until 2002.

• AKS (Agrawal, Kayal, Saxena): O((log n)^{12+ε}).
 Later improved by others to O((log n)^{10.5}), and then to O((log n)^{6+ε}).
• In practice, Miller-Rabin's probabilistic algorithm is still the most popular --- much faster, O((log n)³).
p50.
Miller-Rabin primality test : Is n a prime?
• Looking for a characteristic property of prime numbers:
 n is prime ⇔ what?
 n is prime ⇔ ∀a ∈ Z_n^*, P(a) = true
 n is prime ⇒ ∀a ∈ Z_n^*, P(a) = true
 n not prime ⇒ ∃ k elements a ∈ Z_n^*, P(a) = false

• Check P(a) for t random elements a ∈ Z_n^*.
 If P(a) all true, then return "prime" else return "composite."
 A "prime" answer may be incorrect with prob p(k, t).
 If k ≥ (1/2) |Z_n^*|, then p(k, t) ≤ 1/2^t.

p51.
(Figure: the set Z_n^*, with P(a) = true everywhere.)

If n is prime, then for all a ∈ Z_n^*, P(a) is true.

p52.
(Figure: the set Z_n^*, with P(a) = true only on part of it.)

If n is not prime, then there are strong witnesses, which are elements a ∈ Z_n^* s.t. P(a) = false.

p53.
• Looking for P(a):
 How about P(a) = [a^{n−1} ≡ 1 mod n]?

 Fermat's little theorem: If n is prime ⇒ ∀a ∈ Z_n^*, a^{n−1} ≡ 1 mod n.

 If n is not prime ⇒ maybe no strong witnesses.
(Carmichael numbers: composite numbers n for which a^{n−1} ≡ 1 mod n ∀a ∈ Z_n^*.)

 Need to refine the condition [a^{n−1} ≡ 1 mod n].

p54.
• Fact: if n ≠ 2 is prime, then 1 has exactly two square roots in Z_n^*, namely ±1.
• Write n − 1 = u 2^k, where u is odd.
• If n is prime
⇒ ∀a ∈ Z_n^*, a^{u 2^k} ≡ 1 mod n (Fermat's little theorem)
⇒ ∀a ∈ Z_n^*, P(a) = true, where
P(a) = [a^u ≡ 1 mod n, or a^{u 2^i} ≡ −1 mod n for some i, 0 ≤ i ≤ k − 1]
• Why? Consider the sequence a^u, a^{u 2}, a^{u 2²}, …, a^{u 2^{k−1}}, a^{u 2^k} = 1
p55.
• If n not prime ⇒ do strong witnesses always exist?

•

 Loosely speaking, yes: if n is an odd composite and not a prime power, then at least one half of the elements a ∈ Z_n^* are strong witnesses.
• A composite number n is a prime power if n = p^e for some prime p and integer e ≥ 2. (A perfect power if n = k^e for some integer k and e ≥ 2.)

p56.
• Theorem: If n is an odd composite and not a prime power, then at least one half of the elements a ∈ Z_n^* are strong witnesses.

• Sketch of proof: The set A of non-strong witnesses forms a proper subgroup of Z_n^*. So, ord(A) < ord(Z_n^*) and ord(A) | ord(Z_n^*). So, ord(A) ≤ (1/2) ord(Z_n^*).

p57.
Algorithm: Miller-Rabin primality test
 Input: integer n > 2 and parameter t
 Output: a decision as to whether n is prime or composite
1. if n is even, return "composite"
2. if n is a perfect power, return "composite"
3. for i := 1 to t do
choose a random integer a, 2 ≤ a ≤ n − 1
if gcd(a, n) ≠ 1, return "composite"
if a is a strong witness, return "composite"
4. return ("prime")

p58.
Analysis: Miller-Rabin primality test
• If the algorithm answers "composite", it is always correct.

• If the algorithm answers "prime", it may or may not be correct.

• The algorithm gives a wrong answer if n is composite but the algorithm fails to find a strong witness in t iterations.

• This may happen with probability at most 2^{−t}.

• Actually, at most 4^{−t}, by a more sophisticated analysis.
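The Miller-Rabin test of p53 to p58, as an added Python example (not code from the slides or CLRS). `is_strong_witness` evaluates the predicate P(a) of p54 on the sequence a^u, a^{2u}, …, a^{2^{k−1}u}; `miller_rabin` follows the four steps of p57 literally, including the even and perfect-power checks and the gcd test; `fermat_test_passes` is the weaker p53 condition, so that a Carmichael number can be seen passing Fermat for a base that is nonetheless a strong witness. 561 = 3 × 11 × 17 is a known Carmichael number used here as the constructed input; the randomness is seeded through a `seed` parameter so runs are repeatable. Names are my own.

```python
import random
from math import gcd


def integer_root(n, k):
    """Largest r with r^k <= n, by binary search on integers (exact for any size)."""
    lo, hi = 1, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def is_perfect_power(n):
    """Step 2 of p57: n = m^e for some integers m >= 2, e >= 2."""
    for k in range(2, n.bit_length() + 1):
        r = integer_root(n, k)
        if r >= 2 and r ** k == n:
            return True
    return False


def is_strong_witness(a, n):
    """Write n - 1 = u * 2^k with u odd. P(a) holds iff a^u ≡ 1 or a^(u 2^i) ≡ -1 (mod n)
    for some 0 <= i < k; a is a strong witness to compositeness iff P(a) fails."""
    u, k = n - 1, 0
    while u % 2 == 0:
        u //= 2
        k += 1
    x = pow(a, u, n)                       # i = 0 term of the sequence
    if x == 1 or x == n - 1:
        return False
    for _ in range(k - 1):                 # i = 1 .. k-1: square repeatedly
        x = (x * x) % n
        if x == n - 1:
            return False
    return True


def miller_rabin(n, t=20, seed=None):
    """Returns "prime" or "composite" as on p57. "composite" is always correct;
    "prime" is wrong with probability at most 4^-t when n is composite (p58)."""
    if n < 2:
        return "composite"
    if n in (2, 3):
        return "prime"
    if n % 2 == 0:                          # step 1
        return "composite"
    if is_perfect_power(n):                 # step 2
        return "composite"
    rng = random.Random(seed)
    for _ in range(t):                      # step 3
        a = rng.randint(2, n - 1)
        if gcd(a, n) != 1:
            return "composite"
        if is_strong_witness(a, n):
            return "composite"
    return "prime"                          # step 4


def fermat_test_passes(n, a):
    """The p53 condition a^(n-1) ≡ 1 (mod n), which Carmichael numbers satisfy for every unit a."""
    return pow(a, n - 1, n) == 1


def strong_witness_fraction(n):
    """Fraction of a in Z_n^* that are strong witnesses; >= 1/2 for an odd composite
    that is not a prime power, by the theorem on p56."""
    units = [a for a in range(1, n) if gcd(a, n) == 1]
    return sum(is_strong_witness(a, n) for a in units) / len(units)


if __name__ == "__main__":
    print(miller_rabin(47, seed=0), miller_rabin(561, seed=0), miller_rabin(1829, seed=0))
    print(fermat_test_passes(561, 2), is_strong_witness(2, 561))   # True True
    print(strong_witness_fraction(561))
```

The contrast on the Carmichael number is the point of p53: base 2 satisfies 2^560 ≡ 1 (mod 561), so the Fermat test is fooled, yet the square-root refinement of p54 exposes it, because the sequence reaches 1 from a value other than ±1.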

p59.
Monte Carlo algorithms
• A Monte Carlo algorithm is a probabilistic algorithm
 which always gives an answer
 but sometimes the answer may be incorrect.

• A Monte Carlo algorithm for a decision problem is yes-biased if its “yes” answer is always correct but a “no” answer may be incorrect with some error probability.

• A t-iteration Miller-Rabin is a “composite”-biased Monte Carlo algorithm with error probability at most 1/4^t.

p60.
Las Vegas algorithms
• A Las Vegas algorithm is a probabilistic algorithm
 which may sometimes fail to give an answer
 but never gives an incorrect one
• A Las Vegas algorithm can be converted into a
Monte Carlo algorithm.

p61.
Integer Factorization

Reference on quadratic sieve:
http://blogs.msdn.com/b/devdev/archive/2006/06/19/637332.aspx

p62.
Fermat's Method
• Difference of squares
 To factor n, find an a > √n such that a² − n is a square, say b².
 Then, n = a² − b² = (a − b)(a + b).
 Search for a starting from a = ⌈√n⌉.

• Example: Suppose n = 5959. Then, ⌈√n⌉ = 78.
 a² − n is not a square for a = 78 and 79.
 a² − n is a square for a = 80: 80² − 5959 = 441 = 21².
 Hence 5959 = 80² − 21² = (80 − 21)(80 + 21) = 59 × 101.

• Slow: a linear search for b² = a² − n is a poor strategy.
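Fermat's method as an added Python example (not code from the slides): the search starts at a = ⌈√n⌉ and steps upward until a² − n is a perfect square, tested exactly with `math.isqrt`. `fermat_steps` counts how many values of a were tried, which makes the "slow" remark concrete: 5959 takes three steps because its factors 59 and 101 are close to √n, and the further apart the factors, the longer the linear search. Names are my own.

```python
from math import isqrt


def ceil_sqrt(n):
    """Smallest integer a with a*a >= n."""
    a = isqrt(n)
    return a if a * a == n else a + 1


def fermat_factor(n):
    """Fermat's difference of squares for odd n >= 3. Returns (a, b, a - b, a + b) with
    n = a^2 - b^2 = (a - b)(a + b). For a prime p the only solution found is the trivial
    one a = (p + 1) / 2, b = (p - 1) / 2, giving the factors 1 and p."""
    if n < 3 or n % 2 == 0:
        raise ValueError("use an odd n >= 3")
    a = ceil_sqrt(n)
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:                 # exact integer test, no floating point
            return a, b, a - b, a + b
        a += 1


def fermat_steps(n):
    """Number of candidate values of a tried before success (1 means the first a worked)."""
    a, _, _, _ = fermat_factor(n)
    return a - ceil_sqrt(n) + 1


if __name__ == "__main__":
    print(fermat_factor(5959), fermat_steps(5959))     # (80, 21, 59, 101) 3
    print(fermat_factor(187), fermat_steps(187))       # (14, 3, 11, 17) 1
    print(fermat_factor(1829), fermat_steps(1829))     # (45, 14, 31, 59) 3
```

The p32 modulus 187 = 11 × 17 falls on the very first candidate, a reminder that RSA primes of nearly equal size must still not be too close together.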
p63.
Dixon's Random Squares Algorithm
• Basic idea: a generalization of Fermat's difference of squares.
 To factor n, find x ≢ ±y (mod n) such that x² ≡ y² (mod n).
 Then, n | (x − y)(x + y), but n divides neither of x ± y.
 Hence, gcd(x ± y, n) are nontrivial factors of n.

• Example: 32² ≡ 10² mod 77. gcd(32 ± 10, 77) = 7 and 11.
• Question: how to produce such x and y?

• Factor base: a set B of small primes, say, B = {p_1, p_2, …, p_b}.

• An integer z is smooth if it can be factored over B mod n, i.e., z ≡ p_1^{e_1} p_2^{e_2} … p_b^{e_b} mod n for some e_1, e_2, …, e_b ≥ 0.
p64.
• Our goals:
 First, find a set U of integers x_i such that x_i² are smooth:
x_i² ≡ p_1^{e_{i1}} p_2^{e_{i2}} … p_b^{e_{ib}} mod n
 Second, select a subset S ⊆ U such that the product ∏_{x_i ∈ S} x_i² has an even exponent for each p_i, say,
∏_{x_i ∈ S} x_i² ≡ p_1^{2e_1} p_2^{2e_2} … p_b^{2e_b} mod n for some e_1, e_2, …, e_b ≥ 0.

• Let X = ∏_{x_i ∈ S} x_i mod n and Y = p_1^{e_1} p_2^{e_2} … p_b^{e_b} mod n, and we have X² ≡ Y² mod n.
• If X ≡ ±Y mod n, no luck, try a different set of x_i's.
p65.
Example (from Stinson's book on Cryptography)
• Suppose n = 15770708441 and B = {2, 3, 5, 7, 11, 13}.
• Consider the three congruences:
8340934156² ≡ 3 × 7 mod n
12044942944² ≡ 2 × 7 × 13 mod n
2773700011² ≡ 2 × 3 × 13 mod n.
• (8340934156 × 12044942944 × 2773700011)² ≡ (2 × 3 × 7 × 13)² mod n.

• Reducing by modulo n yields (9503435785)² ≡ (546)² mod n.

• A factor of n: gcd(9503435785 − 546, 15770708441) = 115759.

p66.
To achieve our second goal
• Suppose B = {p_1, p_2, …, p_b}. Let c > b.

• Suppose we have a set U of c integers x_i such that x_i² are smooth: x_i² ≡ p_1^{e_{i1}} p_2^{e_{i2}} … p_b^{e_{ib}} mod n (1 ≤ i ≤ c).

• Let e_i = (e_{i1} mod 2, e_{i2} mod 2, …, e_{ib} mod 2).

• The c vectors e_i are linearly dependent over Z_2 (because c > b), and we can find a subset S of e_i's that sum modulo 2 to (0, 0, …, 0).
• Let X = ∏ x_i mod n be the product of the x_i's corresponding to the e_i's in S.
p67.
Example (cont.)
• We have B = {2, 3, 5, 7, 11, 13} and
x_1² = 8340934156² ≡ 3 × 7 mod n
x_2² = 12044942944² ≡ 2 × 7 × 13 mod n
x_3² = 2773700011² ≡ 2 × 3 × 13 mod n.
• e_1 = (0, 1, 0, 1, 0, 0)
e_2 = (1, 0, 0, 1, 0, 1)
e_3 = (1, 1, 0, 0, 0, 1)
• e_1 + e_2 + e_3 ≡ (0, 0, 0, 0, 0, 0) mod 2.
• Thus, we let X² = (x_1 x_2 x_3)² mod n and Y² = (3 × 7)(2 × 7 × 13)(2 × 3 × 13) mod n.
p68.
Searching for smooth squares xi2
• Dixon's strategy: choose x_i at random, hence the name Random Squares Method.

• Trick 1: try numbers of the form x = j + ⌊√(kn)⌋, j = 0, 1, 2, …, and k = 1, 2, …. For such x, x² mod n tends to be small and has a better chance than average to be smooth.

• Trick 2: also try numbers of the form x = ⌊√(kn)⌋ − j, j = 0, 1, 2, …, and k = 1, 2, …. For such x, x² mod n is a little bit smaller than n. Try to factor (x² mod n) − n instead of x² mod n.
• Trick 3: to play trick 2, we need to include −1 in B.
p69.
Example (from Stinson's book on Cryptography)
• Suppose n = 1829 and B = {−1, 2, 3, 5, 7, 11, 13}.
• √n = 42.77, √(2n) = 60.48, √(3n) = 74.07, √(4n) = 85.53.
• Thus we try x = 42, 43, 60, 61, 74, 75, 85, 86, and obtain
x_1² ≡ 42² ≡ −65 ≡ (−1) × 5 × 13. e_1 = (1, 0, 0, 1, 0, 0, 1)
x_2² ≡ 43² ≡ 20 ≡ 2² × 5. e_2 = (0, 0, 0, 1, 0, 0, 0)
x_3² ≡ 61² ≡ 63 ≡ 3² × 7. e_3 = (0, 0, 0, 0, 1, 0, 0)
x_4² ≡ 74² ≡ −11 ≡ (−1) × 11. e_4 = (1, 0, 0, 0, 0, 1, 0)
x_5² ≡ 85² ≡ −91 ≡ (−1) × 7 × 13. e_5 = (1, 0, 0, 0, 1, 0, 1)
x_6² ≡ 86² ≡ 80 ≡ 2⁴ × 5. e_6 = (0, 0, 0, 1, 0, 0, 0)

p70.
• e_2 + e_6 = (0, 0, 0, 0, 0, 0, 0), but does not yield a factorization of n.
 (43 × 86)² ≡ (2³ × 5)² mod 1829.
 (3698)² ≡ (40)² mod 1829.
 (40)² ≡ (40)² mod 1829.

• e_1 + e_2 + e_3 + e_5 = (0, 0, 0, 0, 0, 0, 0).
 (42 × 43 × 61 × 85)² ≡ (−1 × 2 × 3 × 5 × 7 × 13)² mod 1829.
 1459² ≡ 901² mod 1829.
 gcd(1459 − 901, 1829) = 31.
 1829 = 31 × 59.

p71.
Quadratic Sieve
• Consider the interval [M_1, M_2] around √n for some suitable integers M_1, M_2.

• Let Q(x) = x² − n. We want to find a set U of integers x for which Q(x) is smooth.

• Recall the factor base B = {p_1, p_2, …, p_b}.

• Recall Dixon's method (pick an x ∈ [M_1, M_2] and test if Q(x) is smooth) and observe how the computing time is wasted.
• Idea of QS: use each p ∈ B as a "sieve" and sieve it through A.

• Notice that if p ∈ B, x, y ∈ [M_1, M_2], and p | Q(x), then we have p | Q(y) iff x ≡ y mod p.
p72.
Sketch of the Quadratic Sieve Algorithm
1. Array QA[M_1..M_2]. Initially, QA[i] ← i² − n.

2. for each p ← p_1, p_2, …, p_b ∈ B do
 find an i ∈ [M_1..M_2] such that p | Q(i);
 for each j ∈ [M_1..M_2] such that i ≡ j mod p do
 QA[j] ← QA[j] / p^{e_j}, where e_j is the largest possible;
 keep record of e_j mod 2.

3. Let U be the set of all i ∈ [M_1..M_2] such that QA[i] = 1.
 // Q(i) is smooth for each i ∈ U //
4. Construct a subset S ⊆ U as in Dixon's.
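Steps 1 to 3 of the sketch above, as an added Python example (not code from the slides). For each p in B it solves r² ≡ n (mod p) once by trying the p residues, then visits only the array positions i ≡ r (mod p), which by the p71 observation are exactly the i with p | Q(i), dividing p out and recording the exponent parity; no other position is ever touched by that p. The interval is assumed to start above √n so that Q(i) > 0 and −1 is not needed in B. `square_relations` handles the simplest instance of step 4, a single i whose parity vector is already all zero; combining several rows needs the GF(2) elimination of Dixon's method. Run on n = 1829 over [43, 53] it finds U = {43, 45, 49, 52, 53} and the factor 31 from 45² ≡ 14². Names are my own.

```python
from math import gcd, isqrt


def sieve_interval(n, base, m1, m2):
    """QA[i] = i^2 - n for i in [m1, m2]; sieve each prime of the factor base through it.
    Returns (U, parity): U lists the i with QA[i] fully reduced to 1, parity maps each
    such i to its exponent vector mod 2 over base."""
    if m1 * m1 <= n:
        raise ValueError("choose m1 > sqrt(n) so that every Q(i) is positive")
    qa = {i: i * i - n for i in range(m1, m2 + 1)}                 # step 1
    parity = {i: [0] * len(base) for i in qa}
    for idx, p in enumerate(base):                                 # step 2
        roots = [r for r in range(p) if (r * r - n) % p == 0]      # p | Q(i) iff i ≡ r (mod p)
        for r in roots:
            first = m1 + (r - m1) % p                              # smallest i >= m1 with i ≡ r
            for i in range(first, m2 + 1, p):
                e = 0
                while qa[i] % p == 0:
                    qa[i] //= p
                    e += 1
                parity[i][idx] = e % 2
    smooth = [i for i in sorted(qa) if qa[i] == 1]                 # step 3
    return smooth, {i: parity[i] for i in smooth}


def square_relations(n, base, m1, m2):
    """Step 4 in its simplest form: an i in U with all-even exponents already satisfies
    i^2 ≡ y^2 (mod n) with y = sqrt(Q(i)). Returns (i, y, gcd(i - y, n)) for each such i."""
    smooth, parity = sieve_interval(n, base, m1, m2)
    out = []
    for i in smooth:
        if not any(parity[i]):
            y = isqrt(i * i - n)
            out.append((i, y, gcd(i - y, n)))
    return out


if __name__ == "__main__":
    base = [2, 3, 5, 7, 11, 13]
    smooth, parity = sieve_interval(1829, base, 43, 53)
    print(smooth, parity)                       # [43, 45, 49, 52, 53], ...
    print(square_relations(1829, base, 43, 53))  # [(45, 14, 31)]
```

Note that 3 never divides any Q(i) here because 1829 ≡ 2 (mod 3) is not a quadratic residue, so the root search for p = 3 finds nothing and that prime costs no array visits at all; that is the saving over Dixon's trial division, which would still divide every candidate by 3.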
p73.
