Integer Factorization
Lecture given at the Joh. Gutenberg-Universität,
Mainz, July 23, 1992
by
ÖYSTEIN J. RÖDSETH
University of Bergen, Department of Mathematics,
Allégt. 55, N-5007 Bergen, Norway
1 Introduction
The security of many cryptosystems relies on the assumption that factoring of
large composite integers is a computationally infeasible problem. The most famous example is the RSA public key crypto-system [40], whose security depends
on our inability to factor an integer n which is the product of two large primes.
So the study of integer factoring algorithms and the design of faster factoring
algorithms is a subject of great importance in cryptology. But Dickson’s “History” [14] shows that these problems have also attracted the interest of some
of the great mathematicians of the past such as Fermat, Euler, Legendre, and
Gauss.
In this short lecture I shall present some of the ideas behind the best factoring
algorithms currently in use on computing devices.
Most of the useful factoring algorithms fall into one of two classes. The first
class is known as “combination of congruences”. This class contains algorithms
such as
• Shanks’s Square Forms Factorization (SQUFOF) [42],
• Morrison and Brillhart’s Continued Fraction Algorithm (CFRAC) [32],
• Pomerance’s Quadratic Sieve (QS) [37],
• Montgomery’s Multiple Polynomial Quadratic Sieve (MPQS) (see [37]),
• Pollard et al.’s Number Field Sieve (NFS) [26]. (See also [1], [28], [38].)
The second class is “groups of smooth order”; cf. [38]. (An integer is “smooth”
if it has only small prime factors.) Among the members of this class are
• Pollard’s p − 1 method [35],
• Williams’ p + 1 method [50],
• Bach and Shallit’s Cyclotomic Polynomial Method [4],
• Schnorr and Lenstra’s Class Group Method [41],
• H. W. Lenstra’s Elliptic Curve Method (ECM) [3], [29], [30]. (See also [19],
[48].)
For the algorithms in the first class the run time depends mainly on the size of
n, the number being factored, and is not strongly dependent on the size of the
factor found. In the second class the run time depends mainly on the size of f ,
the factor found; cf. [7].
Suppose that we want to find a proper factor in a large integer n (having
perhaps 100 decimal digits); i.e. a factor f such that 1 < f < n. Usually we
begin by searching for small factors (perhaps up to $10^5$) by trial division; see
[51] for some short cuts. If no such factor is found, we then make one or more
pseudoprime tests until we either discover that n is composite or are strongly
convinced that it must be prime. In the latter case we may perhaps wish to look
for a proof of primality. But let us here assume that we have the former case. We
can then run Pollard’s p − 1 method and Williams’ p + 1 method for a while (and
perhaps also the Pollard Rho [36]). If still no factor is found, we choose between
(MP)QS, ECM, and NFS.
Each of (MP)QS and ECM majorizes the other in certain situations. If the
number n is the product of two primes roughly equal in magnitude, then the
best method is MPQS. Otherwise ECM is the method of choice. If the number
n arose in some random or natural context, then most likely it is not of the form
pq with p ≈ q. Therefore ECM should be tried first. If this method has been
tried fruitlessly for some time, we can try MPQS. If we are factoring n so as to
cryptanalyze the RSA cryptosystem with modulus n, we might immediately go
to MPQS, skipping ECM completely.
The NFS is a quite new factoring method. It is remarkably fast for n of
special form; i. e. if n = F (m) for an integer m and some low degree polynomial
F (x) with small integer coefficients. There is also a version for general n, but this
version is slower than that for n of special form. Heuristic running time estimates
show, however, that the general NFS probably is faster than QS for large n, and
computations of Silverman [46] indicate that the crossover point is somewhere
between 140 and 150 decimal digits. But we don’t know for certain if the general
NFS in its current form(s) is of any practical value; cf. [1].
2 Combination of congruences
Fermat factored numbers n by representing them as
$$n = x^2 - y^2, \qquad x, y \in \mathbb{Z}. \tag{1}$$
For if (1) holds, then n = ab for a = x − y and b = x + y. On the other hand,
if n is odd and n = ab for some a, b ∈ Z, then (1) holds with x = (a + b)/2 and
y = (a − b)/2. This method works if n has a factor very close to $\sqrt{n}$; for examples
see [8, p. 59], [39, p. 154].
Instead of searching for integers x, y satisfying (1), Kraitchik [20], [21], [22]
followed an idea of Legendre (cf. [39]) and tried to find nontrivial (i.e. x ≠ ±y)
solutions to the congruence
$$x^2 \equiv y^2 \pmod n. \tag{2}$$
If such a pair x, y is found, then we compute d = gcd(x − y, n) by the Euclidean
algorithm (which is very fast; see [18]). Now, if n is composite, there should be a
fairly good chance that the prime divisors of n are distributed among the divisors
of both x − y and x + y, so that d is possibly a proper divisor of n.
For n composite and x, y a random solution to (2), suppose that we have at
least a 50% chance that d is a proper divisor of n. For 10 solutions we then have
a better than 99.9% chance that at least one of them will lead to a factorization
of n; cf. [38]. Of course, in practice we don’t find random solutions to (2), but
still this scheme should look very promising.
Next, consider the “factor base” $\{p_0, p_1, p_2, \dots, p_k\}$, where $p_0 = -1$ and the
other $p_i$ are primes ≤ some “smoothness bound” B. For integers r, let $g(r) \equiv r^2 \pmod n$.
We wish to find integers r such that g(r) factors completely over the
factor base, and this is most likely to happen if |g(r)| is small. Therefore we
require that |g(r)| ≤ n/2.
Suppose that it is possible to find integers $r_j$, $j = 0, 1, \dots, k+10$, such that
$g(r_j)$ factorizes completely over the factor base, i.e.
$$g(r_j) = \prod_{i=0}^{k} p_i^{a_{ij}} \qquad \text{for } j = 0, 1, \dots, k+10,$$
and where the $a_{ij}$ are non-negative integers. (These identities are called “relations”.) We now consider the system $A\varepsilon = 0$ over the finite field $\mathbb{F}_2$ consisting
of the two elements 0 and 1, and where A denotes the $(k+1) \times (k+11)$ matrix
$A = (a_{ij} \bmod 2)$ and $\varepsilon$ is the column vector of the unknowns $\varepsilon_0, \varepsilon_1, \dots, \varepsilon_{k+10}$. This
system of linear equations has at least 10 linearly independent solutions. (For the
solution of large linear systems over $\mathbb{F}_2$, see [23].) Let $\varepsilon_0, \varepsilon_1, \dots, \varepsilon_{k+10} \in \{0, 1\}$
be one of these solutions. Then we have
$$\sum_{j=0}^{k+10} a_{ij}\varepsilon_j = 2e_i, \qquad i = 0, 1, \dots, k,$$
for non-negative integers $e_i$, and
$$\prod_{j=0}^{k+10} g(r_j)^{\varepsilon_j} = \prod_{j=0}^{k+10}\prod_{i=0}^{k} p_i^{a_{ij}\varepsilon_j} = \prod_{i=0}^{k} p_i^{2e_i}.$$
We also have
$$\prod_{j=0}^{k+10} g(r_j)^{\varepsilon_j} \equiv \prod_{j=0}^{k+10} r_j^{2\varepsilon_j} \pmod n,$$
so that
$$x = \prod_{i=0}^{k} p_i^{e_i}, \qquad y = \prod_{j=0}^{k+10} r_j^{\varepsilon_j}$$
is a solution to (2). Also, if $r_j^2 > n/2$ for all j, then $x \neq \pm y$.
There are many important tricks to enhance the performance of the algorithms
in this class. Among these are the use of a multiplier, the large and small prime
variations, and the double large prime variation. Let us here just look at the large
prime variation: For some r we are testing, suppose that g(r) factors over the
factor base except for some factor q, which is not divisible by any of the primes
in the factor base,
$$g(r) = q \prod_{i=0}^{k} p_i^{a_i}.$$
If this happens with the same factor q for two different values of r, include q in
the factor base and proceed as before. (Note that if $q \le p^2$, where p is the largest
prime in the factor base and the factor base contains all the primes ≤ B, then q
is also a prime.)
2.1 The quadratic sieve
In the basic quadratic sieve algorithm we use the polynomial
$$g(r) = r^2 - n.$$
Since we want |g(r)| to be small, we consider values of r in a neighbourhood of
one of the zeros $\pm\sqrt{n}$. Let us choose the zero $+\sqrt{n}$, and consider
$$f(i) = g(r) \quad \text{for } r = i + \lfloor\sqrt{n}\rfloor \text{ and } -M \le i \le M,$$
for some positive integer M. If also $M < 0.22\sqrt{n}$, then $|g(r)| < n/2 < r^2$.
Further, if an odd prime p divides f(i) = g(r) for some integer i and $p \nmid n$,
then n is a quadratic residue mod p. Hence we only include −1, 2, and odd
primes p satisfying (n/p) = 1 in our factor base. (This observation seems to be
due to Gauss, cf. [39, p. 160]. By quadratic reciprocity or Euler’s Criterion, it is
very fast to decide whether or not n is a quadratic residue mod a prime p. For a
100-decimal digit integer n a typical factor base would contain 50,000 elements.)
Next, we try to find integers i in the interval −M ≤ i ≤ M , such that f (i)
factors completely over our factor base (by trial division). But this is like looking
for needles in a haystack. So this is where we set up the sieve. Before we start
looking for the needles, we remove a lot of hay which at most contains only a few
needles.
We start with a vector $(x_{-M}, x_{-M+1}, \dots, x_M)$, where $x_i = \log|f(i)|$ for all i.
(Only low precision calculations required.) For each of the odd primes in the
factor base we compute the solutions $t_1, t_2$ to the congruence $f(t) \equiv 0 \pmod p$.
(Fast probabilistic polynomial time algorithms for solving quadratic congruences
mod p are given in [2], [24], [34]; see also [43].) Then we subtract log p from the
coordinate $x_i$ whenever $i \equiv t_1$ or $t_2 \pmod p$.
The prime 2 requires special treatment [12]. We may, for instance, assume
that n ≡ 1 (mod 8), which is no restriction since we can assume n odd, and
if necessary replace n by pn, for some (large) prime p ≡ 3, 5, or 7 (mod 8).
Then 8 divides f(i) whenever $i + \lfloor\sqrt{n}\rfloor$ is odd, and we subtract log 8 from all the
corresponding coordinates $x_i$.
After this procedure, if i is one of the needles we are searching for, and
f (i) is not divisible by a high power of some prime in the factor base, then the
corresponding coordinate xi should be close to 0. (The coordinate would be
exactly 0 if there were no round-off errors for our logs and if the special value
f (i) were not divisible by the square of an odd prime from the factor base, and
if also 8 divided f (i) exactly if f (i) were even.)
Thus after sieving, a scan of the vector and a report of any coordinate whose
value is below some preset threshold will point out to us (not all, but most of) the
special values of i we are searching for. There may also be a few “false reports”,
but with a proper choice of threshold, this is not a big problem; see [45].
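The combination-of-congruences scheme of Section 2 and the log sieve just described, carried through end to end as an added worked example in Python (this is not code from the lecture): build the factor base by Euler's criterion, sieve logarithms over −M ≤ i ≤ M, verify each sieve report by trial division to obtain relations, find a dependency over F_2 by Gaussian elimination, and take gcd(x − y, n). The input n = 15347, the bound B = 50, the interval M = 100 and the threshold are constructed for illustration; for such a small n, M exceeds the lecture's 0.22√n bound, so x ≠ ±y is not guaranteed and both gcd(x − y, n) and gcd(x + y, n) are tried. Two simplifications relative to the text: square roots mod p are found by brute force rather than by the probabilistic algorithms cited, and the prime 2 is handled by subtracting log 2 whenever i + ⌊√n⌋ is odd instead of assuming n ≡ 1 (mod 8).

```python
import math


def primes_upto(B):
    """Primes <= B by the sieve of Eratosthenes."""
    flags = bytearray([1]) * (B + 1)
    flags[0:2] = b"\x00\x00"
    for i in range(2, math.isqrt(B) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(flags[i * i::i]))
    return [i for i, f in enumerate(flags) if f]


def factor_base(n, B):
    """p0 = -1, 2 and the odd primes p <= B with (n/p) = 1, decided by Euler's criterion."""
    return [-1, 2] + [p for p in primes_upto(B) if p > 2 and pow(n, (p - 1) // 2, p) == 1]


def sqrt_mod(n, p):
    """Roots t of t^2 = n (mod p), by brute force (adequate for a toy factor base)."""
    return [t for t in range(p) if (t * t - n) % p == 0]


def log_sieve(n, M, fb):
    """x_i = log|f(i)| for -M <= i <= M, f(i) = (i + floor(sqrt n))^2 - n,
    minus log p for every factor-base prime p dividing f(i)."""
    r0 = math.isqrt(n)
    xs = [math.log(abs((i + r0) ** 2 - n) or 1) for i in range(-M, M + 1)]
    for idx in range(2 * M + 1):            # prime 2: f(i) is even iff i + r0 is odd (n odd)
        if (idx - M + r0) % 2:
            xs[idx] -= math.log(2)
    for p in fb[2:]:                        # odd primes: i + r0 = t (mod p) <=> idx = t - r0 + M (mod p)
        for t in sqrt_mod(n, p):
            for idx in range((t - r0 + M) % p, 2 * M + 1, p):
                xs[idx] -= math.log(p)
    return xs


def exponent_vector(v, fb):
    """Exponents a_i of v over the factor base, or None if v is not smooth."""
    e = [0] * len(fb)
    if v < 0:
        e[0], v = 1, -v
    for k, p in enumerate(fb[1:], 1):
        while v % p == 0:
            v //= p
            e[k] += 1
    return e if v == 1 else None


def gf2_dependencies(rows):
    """Yield index sets J with sum over J of rows[j] = 0 in F_2 (rows are parity bitmasks)."""
    pivots = {}                             # leading bit -> (reduced row, which inputs it combines)
    for j, v in enumerate(rows):
        comb = 1 << j
        while v:
            hb = v.bit_length() - 1
            if hb not in pivots:
                pivots[hb] = (v, comb)
                break
            pv, pc = pivots[hb]
            v ^= pv
            comb ^= pc
        else:                               # row reduced to zero: a dependency
            yield [k for k in range(j + 1) if comb >> k & 1]


def quadratic_sieve(n, B, M, threshold):
    """Return a proper factor of n found by the basic quadratic sieve, or None."""
    for p in primes_upto(B):
        if n % p == 0:
            return p
    fb = factor_base(n, B)
    r0 = math.isqrt(n)
    rels = []                               # (r, exponent vector) with r^2 - n smooth
    for idx, x in enumerate(log_sieve(n, M, fb)):
        if x < threshold:                   # sieve report: probably smooth, verified by trial division
            r = idx - M + r0
            e = exponent_vector(r * r - n, fb)
            if e is not None:
                rels.append((r, e))
    rows = [sum(1 << k for k, a in enumerate(e) if a & 1) for _, e in rels]
    for J in gf2_dependencies(rows):
        x, total = 1, [0] * len(fb)
        for j in J:
            x = x * rels[j][0] % n
            total = [s + a for s, a in zip(total, rels[j][1])]
        y = 1
        for p, s in zip(fb, total):         # every s is even by construction
            y = y * pow(p, s // 2, n) % n
        for d in (math.gcd(x - y, n), math.gcd(x + y, n)):
            if 1 < d < n:
                return d
    return None


if __name__ == "__main__":
    print(quadratic_sieve(15347, B=50, M=100, threshold=6.0))   # constructed sample: 15347 = 103 * 149
```

A sieve report is only a hint: `exponent_vector` performs the trial division the lecture describes, and a report whose value is divisible by the square of a factor-base prime (such as 126² − 15347 = 23²) survives only because the threshold leaves room for one unsieved log p, which is the round-off and prime-power caveat of the text.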
2.2 The multiple polynomial quadratic sieve
An f (i) is most likely to factor over the factor base when |f (i)| is small; that is
when i is close to zero. The idea is now to take shorter intervals for i, but use
several different quadratic polynomials in i.
For integers a, b, c we look at
$$F(i) = a i^2 + 2 b i + c, \qquad n = b^2 - ac, \qquad a \neq 0.$$
Then
$$aF(i) = (a i + b)^2 - n,$$
and the rest goes as before. In particular we can use the same factor base as
above.
Some recommendations for the choice of a can be found in [38]. In particular,
it is best to use an odd a with known prime factorization. Then it is easy to
determine an integer b satisfying
$$|b| < \frac{a}{2}, \qquad b^2 \equiv n \pmod a,$$
and we put $c = (b^2 - n)/a$.
The parabola y = F(x) attains its minimum at the point x = −b/a, which
is now between −1/2 and 1/2. As before, we only want to consider values of i
for which |F(i)| is small. Once more we therefore let −M ≤ i ≤ M, and we
choose the “optimal” situation $F(\pm M) \approx -F(-b/a)$. For a prescribed M, this
is accomplished by setting $a \approx \sqrt{2n}/M$.
This scheme is of course excellently suited for parallelization. Run different
polynomials on different nodes to produce columns for the matrix A. Then solve
the system of linear equations mod 2 etc. on the host computer (perhaps a 16K
MasPar). But even with only one processor the multiple polynomial variation
of the QS algorithm works so well that we optimize performance by switching
polynomials as fast as possible; cf. [38].
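Choosing one MPQS polynomial along the lines just described, as an added example in Python (not the lecture's code): a is taken to be a prime near √(2n)/M with a ≡ 3 (mod 4) and (n/a) = 1, so its factorization is known and a square root of n mod a is simply n^((a+1)/4) mod a; b is then centred so that |b| < a/2, and c = (b² − n)/a. The check function verifies aF(i) = (ai + b)² − n over the whole interval. The values n = 15347 and M = 10 are constructed for illustration, and restricting a to primes ≡ 3 (mod 4) is a simplification made here so that no general modular square root routine is needed, not a requirement of the method.

```python
import math


def is_prime(m):
    """Trial division; enough for the small a used in this example."""
    if m < 2:
        return False
    return all(m % p for p in range(2, math.isqrt(m) + 1))


def mpqs_polynomial(n, M):
    """Return (a, b, c) with a*F(i) = (a*i + b)^2 - n for F(i) = a*i^2 + 2*b*i + c.
    a: smallest prime >= sqrt(2n)/M with a = 3 (mod 4) and (n/a) = 1 (simplification of this example).
    b: square root of n mod a, centred so that |b| < a/2.   c = (b^2 - n)/a (exact)."""
    a = max(3, math.isqrt(2 * n) // M)
    while not (a % 4 == 3 and is_prime(a) and pow(n, (a - 1) // 2, a) == 1):
        a += 1
    b = pow(n, (a + 1) // 4, a)           # valid square root because a = 3 (mod 4) and n is a QR mod a
    if b > a // 2:
        b -= a                            # |b| < a/2, so the vertex -b/a lies in (-1/2, 1/2)
    c = (b * b - n) // a                  # exact division since b^2 = n (mod a)
    return a, b, c


def F(i, a, b, c):
    """The sieving polynomial for this (a, b, c)."""
    return a * i * i + 2 * b * i + c


def identity_holds(n, M):
    """Check a*F(i) == (a*i + b)^2 - n for every i in [-M, M]."""
    a, b, c = mpqs_polynomial(n, M)
    return all(a * F(i, a, b, c) == (a * i + b) ** 2 - n for i in range(-M, M + 1))


if __name__ == "__main__":
    print(mpqs_polynomial(15347, 10), identity_holds(15347, 10))   # constructed sample: 15347 = 103 * 149
```

Because (ai + b)² ≡ aF(i) (mod n), a relation obtained from a smooth F(i) contributes x-factor ai + b and an exponent vector that also carries the known factorization of a, which is the reason the text wants a with known prime factorization.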
2.3 The number field sieve
The main idea behind the NFS is roughly as follows. First choose a non-negative
integer d. If there are integers e, r, s such that $n = r^e - s$ with r, e > 0 and r, |s|
small, let $k = \lceil e/d \rceil$, $m = r^k$, $c = s r^{kd-e}$, and put $F(x) = x^d - c$. Otherwise,
choose an integer m ≤ but close to $n^{1/d}$. Write n as $n = c_0 + c_1 m + \cdots + c_d m^d$,
with non-negative integers $c_i < m$, and put $F(x) = c_0 + c_1 x + \cdots + c_d x^d$.
Since n | F(m), and also n = F(m) in the second case, a non-trivial factorization of the polynomial F(x) will probably give us a proper factor of n. So let us
assume that F(x) is irreducible in $\mathbb{Z}[x]$, and put $K = \mathbb{Q}(\alpha)$ for some zero α of
F(x). A homomorphism $\phi : \mathbb{Z}[\alpha] \to \mathbb{Z}/n\mathbb{Z}$ is defined by putting φ(α) = m and
letting the restriction of φ to $\mathbb{Z}$ be the natural homomorphism.
Next, put $p_0 = -1$, and let $p_1 < p_2 < \cdots < p_k$ be rational primes ≤ the
smoothness bound B. Also, let $\gamma_1, \gamma_2, \dots, \gamma_M \in \mathbb{Z}[\alpha]$. We now try to find pairs
of coprime rational integers $a_j, b_j$ such that
$$a_j + m b_j = \prod_{i=0}^{k} p_i^{a_{ij}}, \qquad a_j + \alpha b_j = \prod_{i=1}^{M} \gamma_i^{a_{k+i,j}}, \qquad 0 \le a_{ij} \in \mathbb{Z}, \quad j = 0, 1, \dots, L.$$
Suppose that L > k + M. As in Section 2, we then find $\varepsilon_j \in \{0, 1\}$, not all
zero, such that
$$\sum_{j=0}^{L} a_{ij}\varepsilon_j = 2e_i, \qquad 0 \le e_i \in \mathbb{Z}, \quad i = 0, 1, \dots, k + M.$$
Now it is easily seen that
$$x = \prod_{i=0}^{k} p_i^{e_i}, \qquad y = \prod_{i=1}^{M} \phi(\gamma_i)^{e_{k+i}}$$
is a solution to (2).
In applications, K has class number 1 and each γ has norm ±pi for some
i = 0, 1, . . . , k. Also, sieve methods corresponding to the one in Section 2.1 are
used to find pairs of coprime rational integers a, b such that both a + mb and the
norm of a + αb factor over our factor base {p0 , . . . , pk }; for details see [26].
3 Groups of smooth order
Also in this case we want to find an integer X such that $X \not\equiv 0 \pmod n$ and
$X \equiv 0 \pmod p$ for some prime factor p of n. For then we have that gcd(X, n)
is a proper divisor of n. The method of using groups of smooth order for the
determination of candidates for X is best illustrated by the Pollard p − 1 method
below. Further we shall also look at the elliptic curve method, which can be
considered as obtained from the Pollard p − 1 by replacing the multiplicative
group $\mathbb{F}_p^*$ by the group of points on a random elliptic curve over $\mathbb{F}_p$.
3.1 The Pollard p − 1
Suppose that $p - 1 \mid k!$ for some prime factor $p \mid n$ and some preset choice of k. (Perhaps $k = 10^5$ or $k = 10^6$. Instead of k! some people prefer to use lcm{1, 2, . . . , k}
or some slightly more complicated expression; also in the ECM below. In any
case, the success of the methods in this class also depends on a lucky choice of
k, which must be not too small and not too large; usually we have to try several
values of k.) Let a be an integer prime to n. From Fermat’s little theorem we
have
$$a^{p-1} \equiv 1 \pmod p,$$
so that
$$a^{k!} \equiv 1 \pmod p.$$
Putting $X = a^{k!} - 1$, we have $p \mid d = \gcd(X, n)$, so if $X \not\equiv 0 \pmod n$, then d is
a proper divisor of n. Here it is, of course, important that d can be computed
without knowing p.
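The computation just described, as an added Python example (not the lecture's code): a^{k!} mod n is built by raising successively to 2, 3, …, k, so X = a^{k!} − 1 is never formed as an integer, and gcd(X, n) is taken on the residue. One departure from the text: the gcd is checked after each m rather than once at m = k, which costs little and reports the factor at the smallest m for which p − 1 | m!. The modulus 1013 · 1019 is constructed for illustration: 1012 = 2²·11·23 is 23-smooth, while 1018 = 2·509 is not.

```python
import math


def pollard_p_minus_1(n, k, a=2):
    """Return gcd(a^{m!} - 1, n) for the first m <= k at which it is a proper divisor of n,
    or None if no m <= k works (or if X = 0 mod n, i.e. every p - 1 divides m! at once)."""
    g = math.gcd(a, n)
    if g != 1:
        return g                      # a not prime to n: already a factor
    x = a % n
    for m in range(2, k + 1):
        x = pow(x, m, n)              # x = a^{m!} (mod n)
        d = math.gcd(x - 1, n)        # d = gcd(X, n) with X = a^{m!} - 1; p | d whenever p - 1 | m!
        if 1 < d < n:
            return d
        if d == n:
            return None               # X = 0 (mod n): k is too large for this n
    return None


if __name__ == "__main__":
    n = 1013 * 1019                   # constructed sample modulus
    print(pollard_p_minus_1(n, 23))   # 1013: 1012 | 23!, but 509 does not divide 23!
```

The choice of k is the trade-off the text names: with k = 10 neither p − 1 divides 10! and the attempt fails, while k = 23 is just large enough for 1013 and still too small for 1019, which is exactly what keeps X from vanishing mod n.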
3.2 The elliptic curve method
Let F be a field of characteristic ≠ 2, 3. For a, b ∈ F, put
$$\Delta = -4a^3 - 27b^2,$$
and suppose that Δ ≠ 0. Then the set
$$E_{a,b}(F) = \{(x, y) \in F^2 \mid y^2 = x^3 + ax + b\} \cup \{O\},$$
where O is the so-called “point at infinity”, is called an elliptic curve (on Weierstrass normal form) over F with parameters a and b. There is a well-known way
(the “chord and tangent method”; see [3], [17], [44], [47]) of defining a point
addition that makes $E_{a,b}(F)$ into an Abelian group with identity O.
To see how this is done, let us first consider the case F = R, the field of real
numbers. Then we have a mental picture of what the curve E = Ea,b (R) looks
like, and we think of O as lying infinitely far off in the direction of the y-axis.
Consider a line that meets E in two points P and Q. (If P = Q, we take the
tangent at the point P = Q.) Suppose that this line is not parallel to the y-axis.
Then it follows by simple algebra that this line meets E in a unique third point
R = (x, y). We then define P + Q = (x, −y). If the auxiliary line is parallel to the
y-axis, then we put P + Q = O. Finally we put P + O = O + P = P for any
P ∈ E. Now, it is not hard to see that the elliptic curve E is an Abelian group
under this point addition.
So, the rules are as follows.
$$P + O = O + P = P \quad \text{for all } P \in E,$$
and if $P = (x_1, y_1)$, $Q = (x_2, y_2)$, then
$$P + Q = O \quad \text{if } x_1 = x_2 \text{ and } y_1 = -y_2,$$
$$P + Q = (\lambda^2 - x_1 - x_2,\ -\lambda^3 + \lambda(2x_1 + x_2) - y_1) \quad \text{otherwise},$$
where λ is the slope of the line joining P and Q,
$$\lambda = \begin{cases} \dfrac{y_1 - y_2}{x_1 - x_2} & \text{if } x_1 \neq x_2, \\[1.5ex] \dfrac{3x_1^2 + a}{2y_1} & \text{if } P = Q \text{ and } y_1 \neq 0. \end{cases} \tag{3}$$
Now, let us return to the integer n we want to factor. Let a, b ∈ Z satisfy
$$\gcd(6\Delta, n) = 1. \tag{4}$$
We then get an “elliptic curve mod n” $E_{a,b}(n)$ by replacing the field F above by
the ring $\mathbb{Z}/n\mathbb{Z}$. We also use the formulas above to define a “pseudo-addition” on
$E_{a,b}(n)$.
Now, equality means congruence mod n. Further, for the inverses of $x_1 - x_2$
and $y_1$ to be defined in (3), the conditions $x_1 \neq x_2$ and $y_1 \neq 0$ have to be replaced
by $\gcd(x_1 - x_2, n) = 1$ and $\gcd(y_1, n) = 1$, respectively.
When n is composite, this does not make $E_{a,b}(n)$ into a group, for the addition
is not defined for all pairs of points. However, if we find two points $P = (x_1, y_1)$ and
$Q = (x_2, y_2)$ for which the sum is not defined, then gcd(X, n) > 1 for $X = x_1 - x_2$
or $X = y_1$, and we have a possible proper factor of n.
Hence we want to find two points in Ea,b (n) for which the sum is not defined.
Usually we start by choosing integers a, x, y in the interval (−n/2, n/2), and
determine b ∈ Z such that
$$b \equiv y^2 - x^3 - ax \pmod n, \qquad |b| < n/2.$$
Check if (4) holds. If (4) doesn’t hold, we have a possible proper factor of n. If
the gcd in (4) equals n, try a new set of values of a, x, y.
Now suppose that (4) holds. For R = (x, y) and some preset choice of k, we
then try to compute k!R = R + R + · · · + R (k! terms) by the “binary method”.
If this attempt fails, then we have probably discovered a proper divisor of n.
To see why the chances are good that the process fails for some choice of a, x, y,
we consider a prime factor p of n. So far we have performed our calculations mod
n. But then these calculations are also valid mod p.
The elliptic curve $E_{a,b}(p) = E_{a,b}(\mathbb{F}_p)$ is a finite Abelian group (of rank 1 or 2;
cf. [10]). A celebrated theorem of Hasse [16] is that
$$p + 1 - 2\sqrt{p} < \#E_{a,b}(p) < p + 1 + 2\sqrt{p},$$
and by a theorem of Deuring [13] we have that every integer in this interval is
attained as $\#E_{a,b}(p)$ for some choice of $a, b \in \mathbb{F}_p$ with Δ ≠ 0.
Suppose that $m \mid k!$ for some integer m in the interval $p + 1 - 2\sqrt{p} < m < p + 1 + 2\sqrt{p}$.
Then the idea is to randomly choose a, x, y until we find a curve
satisfying $\#E_{a,b}(p) = m$. By Deuring’s theorem there is a possibility of success,
and by results of Birch [5], Waterhouse [49] and others on the distribution of
the orders $\#E_{a,b}(p)$, the chances are particularly good if m lies in the interval
$p - \sqrt{p} < m < p + \sqrt{p}$. (Also in Pollard’s p − 1 we needed an $m \mid k!$, but then we
had only one possible choice for m, namely m = p − 1.)
So, let us assume that $\#E_{a,b}(p) \mid k!$. Also suppose that we succeeded in computing k!R and that $k!R \neq O$ in $E_{a,b}(n)$. In this computation, let P + Q = k!R
be the last addition for which $P = (x_1, y_1)$ and $Q = (x_2, y_2)$ both are ≠ O. Then
P + Q = k!R = O in $E_{a,b}(p)$, and
$$x_1 \equiv x_2 \ \wedge\ y_1 \equiv -y_2 \pmod p,$$
so that
$$p \mid \gcd(x_1 - x_2, n) \ \wedge\ p \mid \gcd(y_1 + y_2, n).$$
Hence P + Q is not defined in Ea,b (n); a contradiction. Thus we either have
k!R = O in Ea,b (n), or our attempt to compute k!R in Ea,b (n) will eventually
lead us to two points for which the sum is not defined, and then we have probably
also found a proper factor of n.
In summary, the steps in the ECM are: Choose a and R = (x, y). Try to
compute k!R in $E_{a,b}(n)$. If this doesn’t give a proper factor of n, we try other
points R. After many unsuccessful attempts, we try another a. Here we also see
that the ECM can be distributed over any number of machines, since it consists of
a number of independent factorization trials. For an interesting implementation
of the ECM on a 16K MasPar, see [15].
There are, of course, various tricks to speed up the performance of the ECM.
We can use a different parametrization (instead of the Weierstrass form), we can
use homogeneous coordinates, and we have the so-called “second step”; cf. [31],
[38].
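The pseudo-addition (3) on E_{a,b}(n), the binary method for k!R and the curve loop of the summary above, as an added Python example (not code from the lecture or from any ECM implementation it cites). A non-invertible denominator is raised as an exception carrying gcd(·, n): when 1 < d < n it is the proper factor we are after, when d = n the point was O over every prime factor at once and the curve is abandoned. The modulus 1009 · 2003, k = 30, the curve count and the seed are constructed for illustration; a, x, y are drawn mod n rather than from (−n/2, n/2), which yields the same residues.

```python
import math
import random


class SumUndefined(Exception):
    """A pseudo-addition on E_{a,b}(n) needed the inverse of some v with gcd(v, n) > 1.
    The attribute d carries that gcd; 1 < d < n is a proper factor of n."""

    def __init__(self, d):
        super().__init__(d)
        self.d = d


O = None   # the point at infinity


def inverse_mod(v, n):
    """Inverse of v mod n, or raise SumUndefined(gcd(v, n)) when there is none."""
    d = math.gcd(v % n, n)
    if d != 1:
        raise SumUndefined(d)
    return pow(v % n, -1, n)


def pseudo_add(P, Q, a, n):
    """The chord-and-tangent rules (3), carried out mod n."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return O                                        # Q = -P
        if (y1 - y2) % n != 0:                              # y1^2 = y2^2 but y1 != +-y2 mod n:
            raise SumUndefined(math.gcd(y1 - y2, n))        # impossible mod a prime, so n splits
        lam = (3 * x1 * x1 + a) * inverse_mod(2 * y1, n) % n   # tangent slope, P = Q
    else:
        lam = (y1 - y2) * inverse_mod(x1 - x2, n) % n      # chord slope
    x3 = (lam * lam - x1 - x2) % n
    y3 = (-lam ** 3 + lam * (2 * x1 + x2) - y1) % n
    return (x3, y3)


def scalar_mul(k, P, a, n):
    """kP by the binary method (double-and-add)."""
    R = O
    while k:
        if k & 1:
            R = pseudo_add(R, P, a, n)
        k >>= 1
        if k:
            P = pseudo_add(P, P, a, n)
    return R


def ecm(n, k, curves=200, seed=1):
    """Try up to `curves` random curves mod n; return a proper factor of n, or None."""
    rng = random.Random(seed)
    for _ in range(curves):
        a, x, y = (rng.randrange(n) for _ in range(3))
        b = (y * y - x ** 3 - a * x) % n          # puts R = (x, y) on E_{a,b}(n)
        delta = (-4 * a ** 3 - 27 * b * b) % n
        d = math.gcd(6 * delta, n)                # condition (4)
        if 1 < d < n:
            return d
        if d == n:
            continue
        R = (x, y)
        try:
            for m in range(2, k + 1):             # k!R = k(...(3(2R)))
                R = scalar_mul(m, R, a, n)
                if R is O:                        # k!R = O in E_{a,b}(n): no information, next curve
                    break
        except SumUndefined as e:
            if 1 < e.d < n:
                return e.d                        # the sum was undefined mod n but not mod every p
    return None


if __name__ == "__main__":
    print(ecm(1009 * 2003, k=30))                 # constructed sample modulus; prints 1009 or 2003
```

The failure the text wants is the `SumUndefined` with 1 < d < n: the running point became O over F_p (its order there divides m!) while still being a finite point over the other prime factor, so the denominator in (3) is divisible by p but not by n.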
4 Running time
As usual, by “running time” we mean the number of bit operations required to
perform a task. The running time estimates for many factoring algorithms are not
rigorously proved, but usually rely on some (unproved but commonly accepted)
hypothesis concerning the distribution of divisors in integers. In particular, this
is so for the running time estimates given below for (MP)QS, NFS, and ECM.
A polynomial time algorithm for factoring n is one which runs in time $O((\log n)^c)$
for some constant c. However, no such algorithm is known. The (MP)QS and
ECM run in time $O(n^\sigma)$ for any σ > 0; cf. [7]. The heuristic expected run time
estimates are, however, better than this.
Put
$$L_x[r, c] = \exp\big((c + \varepsilon)(\log x)^r (\log\log x)^{1-r}\big),$$
where ε → 0 as x → ∞. Note that for c and r fixed, then as x → ∞, $L_x[r, c]$
grows faster than any power of log x and more slowly than $x^\sigma$ for any σ > 0.
The expected run time of the (MP)QS to factor n is $L_n[1/2, 1]$ (cf. [33], [37])
and that of the ECM is $O((\log n)^2 L_p[1/2, \sqrt{2}])$, where p is the smallest prime
factor of n; cf. [29]. Further, a suitable version of the NFS seems to factor
an n of special form in expected time $L_n[1/3, c]$, where $c = 2(2/3)^{2/3} \approx 1.526$,
while the general NFS also runs in time $L_n[1/3, c]$, but with a bigger value for c
($c = 3^{2/3} \approx 2.08$ [26], c ≈ 1.92 [1], c ≈ 1.90 [11]).
5 Numerical examples
“The Cunningham Project” [9] is the standard reference for explicit numerical
results of the various factorization algorithms. In particular, CFRAC and Pollard’s p − 1 have factored hundreds of numbers in this project. Here we shall only
mention a few of the most recent results.
Brent [6] completed the factorization of the eleventh Fermat number $2^{2^{11}} + 1$.
Actually he factored the $c_{606} = F_{11}/(319489 \cdot 974849)$ as $p_{21} p_{22} p_{564}$. (We use $c_i$ to
denote a composite integer with i decimal digits, and $p_i$ now denotes a prime with
i decimal digits.) Here the $p_{21}$ and the $p_{22}$ were found using the ECM, and then
the remaining 564-decimal digit cofactor was proved prime. The factorization
took less than 2 hours on a Fujitsu VP 100 vector processor.
Using the MPQS and a worldwide distributed network of work stations communicating with the host computer by electronic mail, Lenstra and Manasse [27]
have factored numbers having up to 106 decimal digits (a divisor $c_{106}$ of $2^{353} + 1$,
which it took them four months to factor); the last of the numbers factored was
$c_{103} = (2^{361} + 1)/(3 \cdot 174763)$, which factored as $p_{43} p_{61}$. Using an improved version of the MPQS and 80 Firefly stations (each with 5 processors), Lenstra and
Manasse [28] factored a $c_{107}$ in 50 days, using a factor base of 65,000 elements.
Lenstra and Manasse [28] further used MPQS and their electronic mail network to factor two $c_{111}$ using a factor base of 80,000 elements. One of the numbers
factored was $c_{111} = (2^{484} + 1)/(p_2 p_3 p_6 p_{10} p_{10})$, which factored as $p_{50} p_{61}$ (in two
months). In the latter half of 1990, they increased the factor base to 120,000 elements in an attempt to factor a $c_{116}$; cf. [38]. It took 400 MIP years to complete
this job; cf. [25].
In the spring of 1990 Lenstra et al. used their NFS [26] and the electronic
mail network to factorize the ninth Fermat number $F_9 = 2^{2^9} + 1$. Actually, they
factored the $c_{148} = F_9/2424833$, which factored as $p_{49} p_{99}$. In comparison, the
largest prime factors ever discovered by the ECM are a $p_{40}$ by Dixon and A. K.
Lenstra, and a $p_{42}$ by Rusin; cf. [15]. Also, a $c_{148}$ is far too big for the current
implementations of the MPQS.
Finally, RSA cryptosystems are being used nowadays with keys of 512 bits;
that is, the modulus is a $c_{155}$. But factoring a $c_{155}$ is not as impossible as many
people would like it to be; cf. [25], [27]. It is, however, recommended to use a
modulus pq, where each of the primes p and q has approximately 100 decimal
digits.
References
[1] L. Adleman, Factoring numbers using singular integers, Proc. 23rd Ann.
ACM Symp. on Theory of Computing, New Orleans 1991, pp. 64–71.
[2] L. Adleman, K. Manders and G. Miller, On taking square roots in finite
fields, Proc. 20th Ann. Symp. Foundations Comp. Sci. (1979), pp. 175–178.
[3] E. Bach, Lenstra’s algorithm for factoring with elliptic curves, Exposé,
Comp. Sci. Dept., Univ. Wisconsin, Madison 1985.
[4] E. Bach and J. Shallit, Factoring with cyclotomic polynomials, Math. Comp.
52 (1989) 201–219.
[5] B. J. Birch, How the number of points of an elliptic curve over a fixed prime
field varies, J. London Math. Soc. 43 (1968) 57–60.
[6] R. P. Brent, Factorization of the eleventh Fermat number, AMS Abstracts
10 (1989) 89T-11-73.
[7] R. P. Brent, Parallel algorithms for integer factorisation, in: J. H. Loxton
(ed.), Number Theory and Cryptography, London Math. Soc. Lecture Note
Series 154, Cambridge Univ. Press 1990, pp. 26–37.
[8] D. M. Bressoud, Factorization and Primality Testing, Springer-Verlag, New
York 1989.
[9] J. Brillhart, D. H. Lehmer, J. L. Selfridge, B. Tuckerman and S. S. Wagstaff,
Jr., Factorizations of $b^n \pm 1$ for b = 2, 3, 5, 6, 7, 11, 12 up to high powers,
second edition, Amer. Math. Soc., Providence 1988.
[10] J. W. S. Cassels, Diophantine equations with special reference to elliptic
curves, J. London Math. Soc. 41 (1966) 193–291.
[11] D. Coppersmith, Modifications to the number field sieve, IBM Research
Report #RC 16264, Nov. 1990, updated Mar. 1991.
[12] J. A. Davis, D. B. Holdridge and G. J. Simmons, Status report on factoring,
in: T. Beth, N. Cot and I. Ingemarsson (eds.), Advances in Cryptology—
EUROCRYPT ’84, Lecture Notes in Comput. Sci. vol. 209, Springer-Verlag
1985, pp. 183–215.
[13] M. Deuring, Die Typen der Multiplikatorenringe elliptischer Funktionenkörper, Abh. Math. Sem. Hansischen Univ. 14 (1941) 197–272.
[14] L. E. Dickson, History of the Theory of Numbers, vol. 1 (reprint), Chelsea,
New York 1952.
[15] B. Dixon and A. K. Lenstra, Massively parallel elliptic curve factoring, Extended Abstracts of EUROCRYPT ’92, Budapest 1992, pp. 169–179.
[16] H. Hasse, Abstrakte Begründung der komplexen Multiplikation und riemannsche Vermutung in Funktionenkörpern, Abh. Math. Sem. Hamburg 10
(1934) 325–348.
[17] K. Ireland and M. Rosen, A Classical Introduction to Number Theory, 2nd
ed., Graduate Texts in Mathematics no. 84, Springer-Verlag, New York 1990.
[18] D. E. Knuth, The Art of Computer Programming, vol. 2, Seminumerical
Algorithms, Second ed., Addison-Wesley, Reading, MA 1981.
[19] N. Koblitz, A Course in Number Theory and Cryptography, Graduate Texts
In Mathematics no. 114, Springer-Verlag, New York 1987.
[20] M. Kraitchik, Théorie des Nombres, Gauthier-Villars, Paris 1922, pp. 132–
160.
[21] M. Kraitchik, Théorie des Nombres. Tome II, Gauthier-Villars, Paris 1926,
pp. 195–208.
[22] M. Kraitchik, Recherches sur la théorie des nombres. Tome II, Factorisation,
Gauthier-Villars, Paris 1929.
[23] B. A. LaMacchia and A. M. Odlyzko, Solving large sparse linear systems
over finite fields, in: A. J. Menezes and S. A. Vanstone (eds.), Advances in
Cryptology—CRYPTO ’90, Springer-Verlag, Berlin 1991, pp. 109–133.
[24] D. H. Lehmer, Computer technology applied to the theory of numbers, in:
W. J. LeVeque (ed.), Studies in Number Theory, Prentice-Hall Inc., N. J.
1969, 117–151.
[25] A. K. Lenstra, in: Public-Key Cryptography: State of the Art and Future Directions, E.I.S.S.-Workshop, Tagungsbericht 28a/1991, Math. Forschungsinstitut Oberwolfach 1991.
[26] A. K. Lenstra, H. W. Lenstra, Jr., M. S. Manasse and J. M. Pollard, The
number field sieve, Proc. 22nd Ann. ACM Symp. on Theory of Computing,
Baltimore 1990, pp. 564–572.
[27] A. K. Lenstra and M. S. Manasse, Factoring by electronic mail, in:
J.-J. Quisquater and J. Vandewalle (eds.), Advances in Cryptology—
EUROCRYPT ’89, Lecture Notes in Comput. Sci. vol. 434, Springer-Verlag,
Berlin 1990, pp. 355–371.
[28] A. K. Lenstra and M. S. Manasse, Factoring with two large primes, in: I. B.
Damgård (ed.), Advances in Cryptology—EUROCRYPT ’90, Lecture Notes
in Comput. Sci. vol. 473, Springer-Verlag, Berlin 1991, pp. 72–82.
[29] H. W. Lenstra, Jr., Factoring integers with elliptic curves, Ann. of Math.
126 (1987) 649–673.
[30] H. W. Lenstra, Jr., Elliptic curves and number-theoretic algorithms, in: A.
M. Gleason (ed.), Proc. Int’l. Cong. Math., vol. 1, Amer. Math. Soc. 1987,
pp. 99–120.
[31] P. L. Montgomery, Speeding up the Pollard and elliptic curve methods of
factorization, Math. Comp. 48 (1987) 243–264.
[32] M. A. Morrison and J. Brillhart, A method of factoring and the factorization
of $F_7$, Math. Comp. 29 (1975) 183–205.
[33] P. C. van Oorschot, A comparison of practical public key cryptosystems
based on integer factorization and discrete logarithms, in: G. J. Simmons
(ed.), Contemporary Cryptology, IEEE Press, New York 1992.
[34] R. C. Peralta, A simple and fast probabilistic algorithm for computing square
roots modulo a prime number, IEEE Trans. Inform. Theory 32 (1986) 846–
847.
[35] J. M. Pollard, Theorems on factorization and primality testing, Proc. Camb.
Phil. Soc. 76 (1974) 521–528.
[36] J. M. Pollard, A Monte Carlo method for factorization, BIT 15 (1975) 331–
334.
[37] C. Pomerance, Analysis and comparison of some integer factoring algorithms, in: H. W. Lenstra, Jr. and R. Tijdeman (eds.), Computational
Methods in Number Theory, Part I, Math. Centre Tract no. 154, Math.
Centrum, Amsterdam 1982.
[38] C. Pomerance, Factoring, in: C. Pomerance (ed.), Cryptology and Computational Number Theory, Proc. Symp. Applied Math., vol. 42, Amer. Math.
Soc. 1990, pp. 27–47.
[39] H. Riesel, Prime Numbers and Computer Methods for Factorization,
Birkhäuser, Boston 1985.
[40] R. Rivest, A. Shamir and L. M. Adleman, A method for obtaining digital
signatures and public key cryptosystems, Comm. ACM 21 (1978) 120–128.
[41] C. P. Schnorr and H. W. Lenstra, Jr., A Monte Carlo factoring algorithm
with linear storage, Math. Comp. 43 (1984) 289–311.
[42] D. Shanks, Class number, a theory of factorization, and genera, Proc. Symp.
Pure Math., vol. 20, Amer. Math. Soc. 1971, pp. 415–440.
[43] R. Schoof, Elliptic curves over finite fields and the computation of square
roots mod p, Math. Comp. 44 (1985) 483–494.
[44] J. H. Silverman, The Arithmetic of Elliptic Curves, Graduate Texts in Mathematics no. 106, Springer-Verlag, New York 1986.
[45] R. D. Silverman, The multiple polynomial quadratic sieve, Math. Comp. 48
(1987) 329–339.
[46] R. D. Silverman, Computational experience with the general Number
Field Sieve, Tagungsbericht 29/1991 Computational Number Theory, Math.
Forschungsinstitut Oberwolfach 1991.
[47] J. T. Tate, The arithmetic of elliptic curves, Invent. Math. 23 (1974) 179–
206.
[48] S. S. Wagstaff, Jr. and J. W. Smith, Methods of factoring large integers, in:
D. V. Chudnovsky, G. V. Chudnovsky, H. Cohn and M. B. Nathanson (eds.),
Number Theory, Lecture Notes in Mathematics no. 1240, Springer-Verlag,
Berlin 1987, pp. 281–303.
[49] W. C. Waterhouse, Abelian varieties over finite fields, Ann. Sci. Ecole Norm.
Sup. (4) 2 (1969) 521–560.
[50] H. C. Williams, A p+1 method of factoring, Math. Comp. 39 (1982) 225–234.
[51] H. C. Williams, Factoring on a computer, Math. Intelligencer 6 (1984) 29–36.