Seminar Papers of the Faculty of Physics and Mathematics (Fizikos ir matematikos fakulteto Seminaro darbai),
Šiauliai University, 6, 2003, 120–130

FACTORING WITH CONTINUED FRACTIONS,
THE PELL EQUATION, AND
WEIGHTED MEDIANTS

Jörn STEUDING, Rasa ŠLEŽEVIČIENĖ

Johann Wolfgang Goethe-Universität Frankfurt,
Robert-Mayer-Str. 10, 60054 Frankfurt, Germany;
e-mail: [email protected]
Šiauliai University, Vytauto 84, 5400 Šiauliai, Lithuania;
e-mail: [email protected]
Abstract. We investigate the continued fraction method (CFRAC) for factoring large integers $N$. This method is based on the arithmetic properties of the convergents to $\sqrt{N}$. Using the theory of the Pell equation, we construct an infinite family of explicit examples of composite numbers for which CFRAC fails. We present a new variant of CFRAC, based on weighted mediants of the convergents to $\sqrt{N}$, to overcome this problem. Finally, we give an example of a 45-digit number for which our strategy succeeds.

Key words and phrases: continued fraction, factoring large integers, Pell equation, weighted mediants.

Mathematics Subject Classification: 11A55, 11D09.
1. Introduction

It is easy to multiply integers but, conversely, it is rather difficult to find the prime factorization of a given large integer. This is the basis of many cryptosystems in practice. It is conjectured that factoring is an NP-problem, i.e., roughly speaking, that there does not exist a fast factoring algorithm. One of the first modern factorization methods is the continued fraction method CFRAC due to Lehmer and Powers [5]. The first implementation was realized by Brillhart and Morrison [2], with which they factored on 13 September 1970 the 38-digit seventh Fermat number
$$F_7 := 2^{2^7} + 1 = 59649589127497217 \cdot 5704689200685129054721;$$
for the current knowledge on Fermat numbers we refer to www.prothsearch.net/fermat.html#Prime. Soon after, CFRAC became the main factoring algorithm in practice; actually it was the first algorithm of expected subexponential running time. Until the 1980s it was the method of choice for factoring large integers, but it has a limit at around 50 digits. CFRAC relies on an old idea of Fermat and Legendre. Suppose that we are interested in the prime factorization of a large integer $N$. If there are integers $X, Y$ for which
$$X^2 \equiv Y^2 \bmod N \quad \text{and} \quad X \not\equiv \pm Y \bmod N,$$
then the greatest common divisor $\gcd(N, X + Y)$ is a non-trivial factor of $N$. This follows immediately from the identity $X^2 - Y^2 = (X - Y)(X + Y)$. To look randomly for pairs of squares which satisfy these conditions is hopeless. In 1929 Kraitchik proposed to search randomly for sufficiently many squares which lie in the same residue class mod $N$, such that certain combinations among them lead to non-trivial divisors of $N$. More precisely, having sufficiently many congruences
$$x_j^2 \equiv (-1)^{\varepsilon_{0j}} \ell_1^{\varepsilon_{1j}} \ell_2^{\varepsilon_{2j}} \cdot \ldots \cdot \ell_m^{\varepsilon_{mj}} \bmod N,$$
where the $\ell_k$ are small prime numbers and the $\varepsilon_{kj}$ are the related exponents, by Gaussian elimination modulo 2 one may hope to find a relation of the form
$$\sum_{j \le n} \delta_j (\varepsilon_{0j}, \ldots, \varepsilon_{mj}) \equiv (0, \ldots, 0) \bmod 2, \qquad (1)$$
where $\delta_j \in \{0, 1\}$. Then, setting
$$X = \prod_{j \le n} x_j^{\delta_j} \quad \text{and} \quad Y = (-1)^{\nu_0} \ell_1^{\nu_1} \ell_2^{\nu_2} \cdot \ldots \cdot \ell_m^{\nu_m}, \qquad (2)$$
where $\sum_{j \le n} \delta_j (\varepsilon_{0j}, \ldots, \varepsilon_{mj}) = 2(\nu_0, \nu_1, \ldots, \nu_m)$, we get $X^2 \equiv Y^2 \bmod N$. This splits $N$ if $X \not\equiv \pm Y \bmod N$. The set of prime numbers $\ell$ which are chosen to find the congruences, together with $-1$, is called the factor basis.

Kraitchik proposed to generate the squares $x_j^2$ by the nearest integers to $\sqrt{N}$. The much more powerful continued fraction algorithm works with the numerators of the convergents to $\sqrt{N}$. These convergents are the best rational approximations, which makes them important objects in the theory of Diophantine approximations and equations. However, they are also very useful for generating small squares modulo $N$, as we shall see below. There are composite integers that CFRAC cannot factorize. It is our aim to give an infinite family of examples of such failures and to present a refinement to overcome this problem. Before we present CFRAC we recall some basic facts from the theory of continued fractions.
2. Continued fractions

The powerful tool of continued fractions was first systematically studied by the Dutch astronomer Huygens in the 17th century, motivated by technical problems while constructing a mechanical model of our solar system. All results given in this section can be found in the classic [6].

For $a_0 \in \mathbb{Z}$ and $a_j \in \mathbb{N}$ with $1 \le j < N$ and $a_N \ge 1$ the expression
$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots + \cfrac{1}{a_{N-1} + \cfrac{1}{a_N}}}}}$$
defines a finite simple continued fraction. The $a_j$ are called partial denominators. For abbreviation we write $[a_0, a_1, a_2, \ldots, a_N]$ for the continued fraction above. First, we shall consider $[a_0, \ldots, a_N]$ as a function in the variables $a_0, \ldots, a_N$. For $j \le N$ we call $[a_0, a_1, \ldots, a_j]$ the $j$-th convergent to $[a_0, a_1, \ldots, a_N]$ and define
$$p_{-1} = 1, \quad p_0 = a_0 \quad \text{and} \quad p_j = a_j p_{j-1} + p_{j-2},$$
$$q_{-1} = 0, \quad q_0 = 1 \quad \text{and} \quad q_j = a_j q_{j-1} + q_{j-2}. \qquad (3)$$
The computation of the convergents is easily ruled by means of the identities
$$\frac{p_j}{q_j} = [a_0, a_1, \ldots, a_j] \qquad (4)$$
and
$$p_j q_{j-1} - p_{j-1} q_j = (-1)^{j-1}. \qquad (5)$$
The continued fraction expansion is not unique, since
$$[a_0, a_1, a_2, \ldots, a_N] = [a_0, a_1, a_2, \ldots, a_N - 1, 1].$$
By the Euclidean algorithm it is rather easy to expand a rational number into a finite continued fraction $[a_0, a_1, a_2, \ldots, a_N]$, which is unique if $1 < a_N \in \mathbb{N}$.
More generally we can attach to any given real number $\alpha =: \alpha_0$ a continued fraction by the iteration
$$\alpha_j = \lfloor \alpha_j \rfloor + \frac{1}{\alpha_{j+1}} \quad \text{for } j = 0, 1, \ldots .$$
We put $a_j = \lfloor \alpha_j \rfloor$, where $\lfloor \alpha_j \rfloor$ denotes the greatest integer $\le \alpha_j$. Obviously, if $\alpha$ is rational, the iteration stops after finitely many steps, and otherwise, if $\alpha$ is irrational, the iteration does not stop and we get by this procedure (formally)
$$\alpha = [a_0, a_1, a_2, \ldots];$$
the right hand side is an infinite continued fraction. The first thing we have to ask is whether this infinite process is convergent. By (4) and (5),
$$\alpha - \frac{p_j}{q_j} = \frac{\alpha_{j+1} p_j + p_{j-1}}{\alpha_{j+1} q_j + q_{j-1}} - \frac{p_j}{q_j} = \frac{(-1)^j}{q_j (\alpha_{j+1} q_j + q_{j-1})}. \qquad (6)$$
Since the $q_j$ are strictly increasing for $j \ge 2$, we observe that
$$\frac{p_0}{q_0} < \frac{p_2}{q_2} < \ldots < \alpha < \ldots < \frac{p_3}{q_3} < \frac{p_1}{q_1}.$$
It follows that if $\alpha$ is irrational, then
$$\left| \alpha - \frac{p_j}{q_j} \right| < \frac{1}{q_j q_{j+1}}; \qquad (7)$$
this is Dirichlet's celebrated approximation theorem. Furthermore, the infinite continued fraction exists and represents $\alpha$:
$$\alpha = \lim_{j \to \infty} \frac{p_j}{q_j} = [a_0, a_1, a_2, \ldots].$$
It is easily shown that the continued fraction expansion of any irrational number is uniquely determined. In view of (6) it becomes visible what an important role continued fractions play in the theory of Diophantine approximations. A continued fraction $[a_0, a_1, \ldots]$ is said to be periodic if there exists an integer $\ell$ with $a_{j+\ell} = a_j$ for all sufficiently large $j$. We write for short
$$[a_0, a_1, \ldots, a_n, \overline{a_{n+1}, \ldots, a_{n+\ell}}] = [a_0, a_1, \ldots, a_n, a_{n+1}, \ldots, a_{n+\ell}, a_{n+1}, \ldots, a_{n+\ell}, \ldots].$$
Here and in the sequel $\ell = \ell(\alpha)$ denotes the minimal length of a period in the continued fraction expansion of $\alpha$. Lagrange's theorem gives a classification of quadratic irrationals, i.e., roots of irreducible quadratic polynomials with integral coefficients: an irrational number $\alpha$ is a quadratic irrational if and only if its continued fraction expansion is eventually periodic. In particular, the partial denominators of quadratic irrationals are bounded. It can be shown that if $N$ is not a perfect square, then
$$\sqrt{N} = \left[ \lfloor \sqrt{N} \rfloor, \overline{a_1, a_2, \ldots, a_2, a_1, 2 \lfloor \sqrt{N} \rfloor} \right],$$
and all appearing $a_i$ satisfy $a_i < 2 \lfloor \sqrt{N} \rfloor$. For instance, if $n$ is a positive integer, then
$$\sqrt{n^2 + 2} = [n, \overline{n, 2n}]. \qquad (8)$$
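The recurrence (3), the identities (4) and (5), the non-uniqueness of the last partial denominator and the bound (7) can all be checked mechanically for a rational $\alpha$, where the expansion iteration is the Euclidean algorithm and terminates. The following Python script is an added example and not part of the paper; the function names are mine, and the inputs 355/113, −7/3 and (10001301² + 1)/10001301 (by (8) the first convergent $p_1/q_1$ of $\sqrt{10001301^2 + 2}$) are constructed. For a rational $\alpha$ the bound (7) holds with $\le$ and becomes an equality at $j = N - 1$, which is why that check is non-strict.

```python
from fractions import Fraction

def expand(num, den=1):
    """Partial denominators [a_0, ..., a_N] of the rational num/den, by iterating
    alpha_j = floor(alpha_j) + 1/alpha_{j+1}: for a rational this is the Euclidean
    algorithm and it stops as soon as alpha_j is an integer."""
    alpha, a = Fraction(num, den), []
    while True:
        fl = alpha.numerator // alpha.denominator    # floor, also for negative alpha
        a.append(fl)
        if alpha == fl:
            return a
        alpha = 1 / (alpha - fl)

def evaluate(a):
    """Value of [a_0, ..., a_N] as a Fraction, computed from the innermost term outwards."""
    x = Fraction(a[-1])
    for ak in reversed(a[:-1]):
        x = ak + 1 / x
    return x

def convergents(a):
    """(p_j, q_j) for j = 0, ..., N via the recurrence (3)."""
    p_prev, q_prev, p, q = 1, 0, a[0], 1             # p_{-1}, q_{-1}, p_0, q_0
    out = [(p, q)]
    for ak in a[1:]:
        p_prev, p = p, ak * p + p_prev
        q_prev, q = q, ak * q + q_prev
        out.append((p, q))
    return out

def check_identities(num, den=1):
    """Expand num/den and verify (4), (5), the non-uniqueness of the last partial
    denominator and the bound (7); returns the expansion, raises AssertionError on failure."""
    alpha = Fraction(num, den)
    a = expand(num, den)
    conv = convergents(a)
    assert Fraction(*conv[-1]) == alpha                          # the last convergent is alpha itself
    prev = (1, 0)                                                # (p_{-1}, q_{-1})
    for j, (p, q) in enumerate(conv):
        assert Fraction(p, q) == evaluate(a[:j + 1])             # (4): p_j/q_j = [a_0, ..., a_j]
        assert p * prev[1] - prev[0] * q == (-1) ** (j + 1)      # (5): p_j q_{j-1} - p_{j-1} q_j = (-1)^{j-1}
        if j + 1 < len(conv):                                    # (7), with <= for a rational alpha
            assert abs(alpha - Fraction(p, q)) <= Fraction(1, q * conv[j + 1][1])   # equality at j = N-1
        prev = (p, q)
    if a[-1] > 1:                                                # [.., a_N] = [.., a_N - 1, 1]
        assert evaluate(a[:-1] + [a[-1] - 1, 1]) == alpha
    return a

if __name__ == "__main__":
    for num, den in ((355, 113), (-7, 3), (10001301 ** 2 + 1, 10001301)):
        print(f"{num}/{den} = {check_identities(num, den)}")
```

Running the script prints `[3, 7, 16]`, `[-3, 1, 2]` and `[10001301, 10001301]`; the last expansion is exactly the prefix $[n, n]$ of (8).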
3. The continued fraction factoring method

Lehmer and Powers [5] presented two slightly different factorization methods. One of them, the A method, deals with the numerators $p_j$ of the convergents of the continued fraction of $\sqrt{N}$, whereas the other one, the P method, works with the denominators $Q_j$ in (10) below. They proved that the only instance of the success of one method and the failure of the other is that in which the A method succeeds, the P method fails, and a factor of $N$ appears among the $P$'s and $Q$'s. We shall only consider the A method.

In what follows $m \bmod N$ denotes the smallest residue of $m$ modulo $N$ in absolute value. Then CFRAC has the following form:

For $j = 0, 1, 2, \ldots$ successively:

1. Compute the $j$-th convergent $\frac{p_j}{q_j}$ of the continued fraction expansion of $\sqrt{N}$.

2. Compute $p_j^2 \bmod N$. After doing this for several $j$, look at the numbers $\pm p_j^2 \bmod N$ which factor into a product of small primes. Define your factor base $B$ to consist of $-1$ and the primes which either occur in more than one of the $p_j^2 \bmod N$ or which occur to an even power in just one $p_j^2 \bmod N$.

3. List all of the numbers $p_j^2 \bmod N$ which can be expressed as a product of numbers in the factor base $B$. If possible, find a subset of these numbers whose exponent vectors $\varepsilon$ with respect to the primes in $B$ sum to zero modulo two as in (1), and define $X, Y$ by (2). If $X \not\equiv \pm Y \bmod N$, then $\gcd(X + Y, N)$ is a non-trivial factor of $N$. If this is impossible, then compute more $p_j$ and $p_j^2 \bmod N$, enlarging the factor base $B$ if necessary.
Of course, to speed up the algorithm one can reduce mod $N$ whenever it is possible. Once the number of completely factored integers exceeds the size of the factor base, we can find a product of them which is a perfect square. With a little luck this yields a non-trivial factor of our given number (by the observations from the introduction). The crucial property of the values $p_j$ is, as we shall show below, that their squares have small residues modulo $N$. Otherwise, CFRAC would hinge on the problem of finding an appropriate factor base $B$.

Theorem 1. Let $\alpha \ge 1$ be irrational. Then the convergents $\frac{p_j}{q_j}$ to $\alpha$ satisfy the inequality
$$|q_j^2 \alpha^2 - p_j^2| < 2\alpha.$$
In particular, if $\alpha = \sqrt{N}$, where $N \in \mathbb{N}$ is not a perfect square, then the residue $p_j^2 \bmod N$ is of modulus less than $2\sqrt{N}$.

We sketch the proof since it is essential for the running time of CFRAC.

Proof. In view of (7)
$$|q_j^2 \alpha^2 - p_j^2| = q_j^2 \left| \alpha - \frac{p_j}{q_j} \right| \cdot \left| \alpha + \frac{p_j}{q_j} \right| < \frac{q_j^2}{q_j q_{j+1}} \left( 2\alpha + \frac{1}{q_j q_{j+1}} \right).$$
Thus,
$$|q_j^2 \alpha^2 - p_j^2| - 2\alpha < 2\alpha \left( -1 + \frac{q_j}{q_{j+1}} + \frac{1}{2\alpha q_{j+1}^2} \right) < 2\alpha \left( -1 + \frac{q_j + 1}{q_{j+1}} \right),$$
which is less than or equal to zero, and proves the first assertion of the theorem. The claim on $p_j^2 \bmod N$ is an immediate consequence.

Therefore, the sequence of the numerators of the convergents of $\sqrt{N}$ provides a sequence of $p_j$'s whose squares have small residues mod $N$. If the squares are generated by the nearest integers to $\sqrt{N}$ as proposed by Kraitchik, one observes that $|x^2 - N|$ grows fairly quickly. More precisely, it is approximately equal to $2\sqrt{N} \, |x - \sqrt{N}|$, which reduces the probability that $x^2 - N$ splits completely using only primes from the factor basis. The so-called quadratic sieve overcomes this difficulty by a sifting process (as in the sieve of Eratosthenes).

It is a well-known fact that CFRAC does not work for prime powers $N = p^k$ with $k \ge 2$. This causes no difficulties. It is quite easy to check whether a given $N$ is a prime power or not. However, there are other examples for which CFRAC does not work. For concrete examples we study a certain Diophantine equation.
4. The Pell equation

The Pell equation is given by
$$X^2 - N Y^2 = 1, \qquad (9)$$
where $N$ is a positive integer. It should be noted that Pell was an English mathematician who lived in the seventeenth century, but he had nothing to do with this equation. We are interested in integral solutions. Obviously, $x = 1$ and $y = 0$ is always a solution. By symmetry it suffices to look for solutions in positive integers. If $N$ is a perfect square, we can factor the left-hand side, and it turns out that (9) has no further solutions in integers. In the sequel we assume that $N$ is not a perfect square. Euler observed that if $x, y \in \mathbb{N}$ is a solution of (9), then the left-hand side of (9) splits over $\mathbb{Q}(\sqrt{N})$, which leads to
$$\left| \sqrt{N} - \frac{x}{y} \right| = \frac{1}{y^2 \left( \sqrt{N} + \frac{x}{y} \right)}.$$
In view of this excellent rational approximation to $\sqrt{N}$ it turns out that $\frac{x}{y}$ is a convergent to $\sqrt{N}$. The complete solution of the Pell equation is due to Legendre and Lagrange. If we write
$$\sqrt{N} = [\lfloor \sqrt{N} \rfloor, a_1, \ldots, a_j, \alpha_{j+1}],$$
then there exist integers $P_j$ and $Q_j \ge 1$ such that
$$\alpha_j = \frac{P_j + \sqrt{N}}{Q_j}, \qquad (10)$$
where $Q_j \mid (N - P_j^2)$. Taking into account the periodicity of the continued fraction expansion of $\sqrt{N}$, it follows that the sequence of the $P_j, Q_j$ is periodic as well. It can be shown that
$$p_{j-1}^2 - N q_{j-1}^2 = (-1)^j Q_j. \qquad (11)$$
Furthermore, $Q_j = 1$ if and only if $j$ is a multiple of the minimal period $\ell$, and then the convergent $\frac{p_{j-1}}{q_{j-1}}$ corresponds to a solution of the Pell equation. Thus, all solutions of (9) are given by
$$(x_k, y_k) = \begin{cases} (p_{k\ell - 1}, q_{k\ell - 1}) & \text{if } \ell \text{ is even}, \\ (p_{2k\ell - 1}, q_{2k\ell - 1}) & \text{if } \ell \text{ is odd}. \end{cases}$$
Note that all solutions can be found via
$$x_k + y_k \sqrt{N} = \pm (x_1 + y_1 \sqrt{N})^{\pm k},$$
where $k = 0, 1, 2, \ldots$.
5. Explicit examples for failures

The chances for factoring $N$ increase when we have many squares $p_j^2 \bmod N$. But with regard to (11) the sequence of the denominators of the convergents to the continued fraction of $\sqrt{N}$ is periodic of length $\le 2\ell(\sqrt{N})$. Kraitchik [4] proved that the minimal period length satisfies
$$\ell(\sqrt{N}) \le 0.72 \sqrt{N} \log N,$$
where $N$ is any integer greater than 7; it is conjectured that $\log N$ can be replaced by $\log \log N$. However, if the period of the continued fraction expansion of $\sqrt{N}$ is too short, then the algorithm can only produce a small factor basis, which reduces the chances for factoring $N$. If for example $N = n^2 + 2$, then by (11)
$$(-1)^j Q_j = p_{j-1}^2 - (n^2 + 2) q_{j-1}^2 \equiv p_{j-1}^2 \bmod (n^2 + 2).$$
Alternatively, with regard to (3) and (8) we can compute directly
$$p_j \bmod (n^2 + 2) = \begin{cases} \pm n & \text{if } j \text{ is even}, \\ \pm 1 & \text{if } j \text{ is odd}. \end{cases}$$
Anyway, it follows that $p_j^2 \bmod (n^2 + 2) = 1$ or $= -2$. With the notation used in the CFRAC algorithm this gives $X \equiv +Y$ or $X \equiv -Y \bmod N$. CFRAC does not work for numbers $N = n^2 + 2$.

One strategy to overcome this problem is to replace $N$ by some $kN$, where $k$ is some suitably chosen integer, hoping that the continued fraction expansion of $\sqrt{kN}$ has better properties; see [1] for further details. In the following section we shall present another refinement of CFRAC.
6. Weighted mediants

For two distinct positive reduced fractions $\frac{a}{b}, \frac{c}{d}$ we define their mediant with positive integral weights $\lambda, \mu$ by
$$\frac{a\lambda + c\mu}{b\lambda + d\mu};$$
for $\lambda = \mu$ this is the so-called mediant of $\frac{a}{b}, \frac{c}{d}$, which is of special interest in the theory of Farey fractions. It is easily seen that the weighted mediant lies in between $\frac{a}{b}$ and $\frac{c}{d}$. One can show that each rational number in the interval with limits $\frac{a}{b}, \frac{c}{d}$ is a mediant of the upper and lower bound for certain weights $\lambda, \mu$.
In view of Dirichlet's approximation theorem (7) it makes sense to measure the order of approximation of a reduced fraction $\frac{a}{b}$ to a given irrational $\alpha$ by their distance in terms of the denominator $b$. If we have two excellent rational approximations $\frac{a}{b}$ and $\frac{c}{d}$ to an irrational $\alpha$, then the weighted mediant of $\frac{a}{b}$ and $\frac{c}{d}$ is a good approximation if the weights are sufficiently small, as we will show now. Firstly,
$$\left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \le \left| \alpha - \frac{a}{b} \right| + \left| \frac{a}{b} - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \le \left| \alpha - \frac{a}{b} \right| + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)}. \qquad (12)$$
Now let $\frac{a}{b}, \frac{c}{d}$ be two convergents to an irrational $\alpha \ge 1$. By (12) we get, similarly as in the proof of Theorem 1,
$$\begin{aligned}
|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2|
&= (b\lambda + d\mu)^2 \left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \cdot \left| \alpha + \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \\
&\le (b\lambda + d\mu)^2 \left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \times \left( 2\alpha + \left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \right) \\
&\le (b\lambda + d\mu)^2 \left( \left| \alpha - \frac{a}{b} \right| + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)} \right) \times \left( 2\alpha + \left| \alpha - \frac{a}{b} \right| + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)} \right).
\end{aligned}$$
In view of (7)
$$|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2| < \left( \lambda^2 + 2\lambda\mu \frac{d}{b} + \mu^2 \frac{d^2}{b^2} + \mu |bc - ad| \left( \lambda + \mu \frac{d}{b} \right) \right) \times \left( 2\alpha + \frac{1}{b^2} + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)} \right).$$
Without loss of generality we may assume that $d < b$. By (5) we have $|bc - ad| = 1$ for two consecutive convergents $\frac{a}{b}, \frac{c}{d}$. In this case we find
$$|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2| < \left( \lambda^2 + 2\lambda\mu + \mu^2 + \mu(\lambda + \mu) \right) \left( 2\alpha + \frac{1}{b^2} + \frac{\mu}{bd(\lambda + \mu)} \right) < (\lambda^2 + 3\lambda\mu + 2\mu^2)(2\alpha + 2).$$
Thus we have proved the following statement.
Theorem 2. Let $\alpha \ge 1$ be irrational. If $\frac{a}{b}, \frac{c}{d}$ are two consecutive convergents to $\alpha$ with $d < b$, then
$$|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2| < 2(\lambda^2 + 3\lambda\mu + 2\mu^2)(\alpha + 1)$$
for any positive coprime integers $\lambda, \mu$. In particular, if $\alpha = \sqrt{N}$, where $N \in \mathbb{N}$ is not a perfect square, then
$$(a\lambda + c\mu)^2 \bmod N < 2(\lambda^2 + 3\lambda\mu + 2\mu^2)(\sqrt{N} + 1).$$
Hence, the squares $(a\lambda + c\mu)^2 \bmod N$ of numerators of weighted mediants to consecutive convergents with weights $1 \le \lambda, \mu \le C$, where $C$ is any constant, are of order $\sqrt{N}$, like those of the ordinary convergents to $\sqrt{N}$. Consequently, we can also use weighted mediants in the continued fraction factoring method; the effort for factoring the squares into an appropriate factor base is approximately the same as if one works with convergents only.
7. A refinement and an example

Our idea is rather simple. If the period of the continued fraction expansion of $\sqrt{N}$ is too short, i.e., if we cannot factor $N$ by the congruences coming from the squares of the numerators of the convergents to $\sqrt{N}$, then one can additionally work with weighted mediants of the convergents. Thus we add to the CFRAC algorithm of Section 3 as fourth step: if the full period did not lead to a factorization of $N$, compute for $1 \le j \le \ell(\sqrt{N})$ and coprime non-negative integers $\lambda, \mu$ the numbers $p_j(\lambda, \mu) := \lambda p_{j-1} + \mu p_j \bmod N$ and return to step 2, replacing $p_j \bmod N$ with $p_j(\lambda, \mu)$.

We shall give an example. In the case of numbers $N = n^2 + 2$ these weighted mediants are
$$\frac{\lambda n + \mu(n^2 + 1)}{\lambda + \mu n} \quad \text{and} \quad \frac{\lambda(n^2 + 1) + \mu(2n^3 + 3n)}{\lambda n + \mu(2n^2 + 1)}.$$
We need only the squares of the numerators modulo $N$, which are
$$\lambda^2 n^2 - 2\lambda\mu n + \mu^2 \quad \text{and} \quad \lambda^2 + 2\lambda\mu n + \mu^2 n^2.$$
Varying the weights $\lambda, \mu = 0, 1, \ldots$ gives plenty of good candidates for building up an appropriate factor base (note that the case $\lambda = 1$ and $\mu = 0$ yields the old CFRAC algorithm). This algorithm was implemented on a standard personal computer. For instance, we factored
$$N = 10001301^2 + 2 = 100026021692603 = 51193 \cdot 1953900371.$$
It seems to be a good strategy to use also weighted mediants of weighted mediants (in fact, these are mediants of convergents with larger weights). If there are small prime divisors, this algorithm is rather fast and splits quite large integers. For instance, we found for the 45-digit number
$$N = 12345678901234567890123^2 + 2 = 152415787532388367504942236884722755800955131 = 19 \cdot 8021883554336229868681170362353829252681849.$$
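Steps 1–3 of Section 3 together with the fourth step of Section 7, as an added Python example that is not the authors' implementation: `sqrt_convergents` runs the recurrence (3) driven by the integer form (10) of the $\alpha_j$ for one full period, so that `pell_solution` can read the fundamental solution of (9) off it by (11); `signed_residue` applies the paper's convention for $m \bmod N$; and `cfrac` collects the residues that split over a factor base, finds the relations (1) by Gaussian elimination modulo 2 and forms $X, Y$ as in (2). Two simplifications are my own: the factor base is fixed to $-1$ and all primes up to `bound` instead of the data-driven rule of step 2, and both $\gcd(X - Y, N)$ and $\gcd(X + Y, N)$ are tested. With `max_weight = 0` this is the classical A method, which returns None on $N = 51 = 7^2 + 2$ exactly as Section 5 predicts; with `max_weight > 0` the weighted mediants $\lambda p_{j-1} + \mu p_j$ of consecutive convergents are appended to the candidates. $N = 51$ and $N = 8051 = 83 \cdot 97$ are constructed test inputs, and the bound and weight range used for the paper's 15-digit $N$ are guesses, not the authors' parameters.

```python
from math import gcd, isqrt, prod
def sqrt_convergents(N, max_terms=5000):
    """(a_j, p_j, q_j) for j = 0..l, where l is the period of sqrt(N) (capped by max_terms).
    alpha_j = (P_j + sqrt N)/Q_j as in (10); by (11), Q_j = 1 exactly when j is a multiple of l."""
    a0 = isqrt(N)
    P, Q, a = 0, 1, a0
    p_prev, q_prev, p, q = 1, 0, a0, 1      # p_{-1}, q_{-1}, p_0, q_0 of (3)
    out = [(a, p, q)]
    while len(out) <= max_terms:
        P = a * Q - P                       # P_{j+1}
        Q = (N - P * P) // Q                # Q_{j+1}, an exact division
        a = (a0 + P) // Q                   # a_{j+1} = floor(alpha_{j+1})
        p_prev, p = p, a * p + p_prev
        q_prev, q = q, a * q + q_prev
        out.append((a, p, q))
        if Q == 1:                          # one full period collected
            break
    return out

def pell_solution(N):
    """Fundamental solution of x^2 - N y^2 = 1 read off the convergents (Section 4)."""
    conv = sqrt_convergents(N)
    l = len(conv) - 1
    _, x, y = conv[l - 1]                   # x^2 - N y^2 = (-1)^l by (11)
    if l % 2:                               # odd period: square the solution of x^2 - N y^2 = -1
        x, y = x * x + N * y * y, 2 * x * y
    return x, y

def signed_residue(x, N):
    """x^2 mod N as the residue of smallest absolute value (the paper's convention)."""
    r = x * x % N
    return r - N if r > N // 2 else r

def factor_over_base(r, base):
    """Exponent vector of r over base = [-1, p_1, p_2, ...], or None if r does not split."""
    exps, m = [1 if r < 0 else 0], abs(r)
    for p in base[1:]:
        e = 0
        while m and m % p == 0:
            m, e = m // p, e + 1
        exps.append(e)
    return exps if m == 1 else None

def dependencies(vectors):
    """Gaussian elimination over GF(2): yields index sets whose exponent vectors sum to
    zero mod 2, i.e. the relations (1).  Rows and their histories are kept as bitmasks."""
    pivots = {}                             # leading bit -> (row, history)
    for i, v in enumerate(vectors):
        row = sum(1 << k for k, e in enumerate(v) if e % 2)
        hist = 1 << i
        while row:
            col = row.bit_length() - 1
            if col not in pivots:
                pivots[col] = (row, hist)
                break
            row, hist = row ^ pivots[col][0], hist ^ pivots[col][1]
        else:                               # reduced to zero: a dependency among rows 0..i
            yield [k for k in range(i + 1) if hist >> k & 1]

def candidates(N, max_weight):
    """Numerators p_j mod N over one period (steps 1-2) and, if max_weight > 0, the weighted
    mediants lambda*p_{j-1} + mu*p_j of consecutive convergents with coprime weights (step 4)."""
    ps = [p for _, p, _ in sqrt_convergents(N)]
    yield from (p % N for p in ps)
    for lam in range(1, max_weight + 1):
        for mu in range(1, max_weight + 1):
            if gcd(lam, mu) == 1:
                for p_prev, p in zip(ps, ps[1:]):
                    yield (lam * p_prev + mu * p) % N

def cfrac(N, bound=100, max_weight=0):
    """A-method CFRAC (max_weight=0) or its weighted-mediant refinement (max_weight>0);
    returns a non-trivial factor of N, or None if the method fails on this N."""
    r = isqrt(N)
    if r * r == N:
        return r
    base = [-1] + [p for p in range(2, bound + 1) if all(p % d for d in range(2, isqrt(p) + 1))]
    relations, seen = [], set()             # (x, exponents) with x^2 = prod base^e (mod N)
    for x in candidates(N, max_weight):
        e = factor_over_base(signed_residue(x, N), base)
        if e is None or x in seen:
            continue
        seen.add(x)
        relations.append((x, e))
        if len(relations) > len(base):      # more relations than base elements: dependencies exist
            break
    for dep in dependencies([e for _, e in relations]):
        X = prod(relations[i][0] for i in dep) % N                      # X and Y as in (2)
        nu = [sum(relations[i][1][k] for i in dep) // 2 for k in range(len(base))]
        Y = prod(pow(b, n, N) for b, n in zip(base, nu)) % N
        for g in (gcd(X - Y, N), gcd(X + Y, N)):
            if 1 < g < N:
                return g
    return None

if __name__ == "__main__":
    print([a for a, _, _ in sqrt_convergents(51)], pell_solution(51))   # [7, 7, 14] (50, 7)
    print(cfrac(8051), cfrac(51), cfrac(51, max_weight=3))   # the refinement splits 51 = 7^2 + 2
    print(cfrac(10001301 ** 2 + 2, bound=3000, max_weight=80))  # the paper's 15-digit example
```

For $N = 8051$ the second convergent already gives $90^2 \equiv 49 = 7^2 \bmod N$, a relation with an even exponent vector on its own, and $\gcd(90 - 7, 8051) = 83$. For $N = 51$ the period is $[7, \overline{7, 14}]$, so the classical candidates are only $\pm 7, \pm 1$ with residues $-2$ and $1$ and every dependency ends in $X \equiv \pm Y$; the weighted mediants supply new residues such as $29^2 \equiv 25$, from which $\gcd(29 - 5, 51) = 3$. Every residue tried lies within the bounds of Theorems 1 and 2, so the cost is dominated by trial division over the small factor base.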
References

[1] H. Riesel, Prime numbers and Computer methods for factorization, Basel, Birkhäuser (1985).
[2] J. Brillhart, M. A. Morrison, A method of factoring and the factorization of $F_7$, Math. Comp. 29, 183–205 (1975).
[3] N. Koblitz, A course in Number theory and Cryptography, Berlin, Springer, 2nd ed. (1994).
[4] M. Kraitchik, Recherches sur la Théorie des Nombres, tome II, Paris, Gauthier-Villars, 15 (1929).
[5] D. H. Lehmer, R. E. Powers, On factoring large numbers, Bull. Amer. Math. Soc. 37, 770–776 (1931).
[6] O. Perron, Die Lehre von den Kettenbrüchen. I, Leipzig, Teubner, 3rd ed. (1954).
Factoring with continued fractions, the Pell equation and weighted mediants

J. Steuding, R. Šleževičienė

The paper studies the continued fraction method (CFRAC) for the factorization of large integers $N$. It is based on the arithmetic properties of the convergents to $\sqrt{N}$. Using the theory of the Pell equation, examples of composite numbers for which the CFRAC method is ineffective are given (there are infinitely many such numbers). The paper presents a new variant of CFRAC for solving this problem; it is based on weighted mediants of the convergents to $\sqrt{N}$. In addition, a 45-digit number is given which was factored using the strategy described in the paper.

Manuscript received 2003 10 06