Fizikos ir matematikos fakulteto Seminaro darbai, Šiaulių universitetas, 6, 2003, 120–130

FACTORING WITH CONTINUED FRACTIONS, THE PELL EQUATION, AND WEIGHTED MEDIANTS

Jörn STEUDING, Rasa ŠLEŽEVIČIENĖ

Johann Wolfgang Goethe-Universität Frankfurt, Robert-Mayer-Str. 10, 60054 Frankfurt, Germany; e-mail: [email protected]
Šiauliai University, Vytauto 84, 5400 Šiauliai, Lithuania; e-mail: [email protected]

Abstract. We investigate the continued fraction method (CFRAC) for factoring large integers $N$. This method is based on the arithmetic properties of the convergents to $\sqrt{N}$. Using the theory of the Pell equation, we construct an infinite family of explicit examples of composite numbers for which CFRAC fails. We present a new variant of CFRAC, based on weighted mediants of the convergents to $\sqrt{N}$, to overcome this problem. Finally, we give an example of a 45-digit number for which our strategy succeeds.

Key words and phrases: continued fraction, factoring large integers, Pell equation, weighted mediants.
Mathematics Subject Classification: 11A55, 11D09.

1. Introduction

It is easy to multiply integers but, conversely, it is rather difficult to find the prime factorization of a given large integer. This is the basis of many cryptosystems in practice. It is conjectured that factoring is an NP-problem, i.e., roughly speaking, that there does not exist a fast factoring algorithm. One of the first modern factorization methods is the continued fraction method CFRAC due to Lehmer and Powers [5]. The first implementation was realized by Brillhart and Morrison [2], with which they factored on 13 September 1970 the 38-digit seventh Fermat number
$$F_7 := 2^{2^7} + 1 = 59649589127497217 \cdot 5704689200685129054721;$$
for the current knowledge on Fermat numbers we refer to www.prothsearch.net/fermat.html#Prime. Soon after, CFRAC became the main factoring algorithm in practice; actually it was the first algorithm of expected subexponential running time.
Until the 1980s it was the method of choice for factoring large integers, but it has a limit at around 50 digits. CFRAC relies on an old idea of Fermat and Legendre, respectively. Suppose that we are interested in the prime factorization of a large integer $N$. If there are integers $X, Y$ for which
$$X^2 \equiv Y^2 \bmod N \qquad \text{and} \qquad X \not\equiv \pm Y \bmod N,$$
then the greatest common divisor $\gcd(N, X + Y)$ is a non-trivial factor of $N$. This follows immediately from the identity $X^2 - Y^2 = (X - Y)(X + Y)$. To look randomly for pairs of squares which satisfy these conditions is hopeless. In 1929 Kraitchik proposed to search randomly for sufficiently many squares which lie in the same residue class mod $N$, such that certain combinations among them lead to non-trivial divisors of $N$. More precisely, having sufficiently many congruences
$$x_j^2 \equiv (-1)^{\varepsilon_{0j}} \ell_1^{\varepsilon_{1j}} \ell_2^{\varepsilon_{2j}} \cdot \ldots \cdot \ell_m^{\varepsilon_{mj}} \bmod N,$$
where the $\ell_k$ are small prime numbers and the $\varepsilon_{kj}$ are the related exponents, by Gaussian elimination modulo 2 one may hope to find a relation of the form
$$\sum_{j \le n} \delta_j (\varepsilon_{0j}, \ldots, \varepsilon_{mj}) \equiv (0, \ldots, 0) \bmod 2, \tag{1}$$
where $\delta_j \in \{0, 1\}$. Then, setting
$$X = \prod_{j \le n} x_j^{\delta_j} \qquad \text{and} \qquad Y = (-1)^{\nu_0} \ell_1^{\nu_1} \ell_2^{\nu_2} \cdot \ldots \cdot \ell_m^{\nu_m}, \tag{2}$$
where $\sum_{j \le n} \delta_j (\varepsilon_{0j}, \ldots, \varepsilon_{mj}) = 2(\nu_0, \nu_1, \ldots, \nu_m)$, we get $X^2 \equiv Y^2 \bmod N$. This splits $N$ if $X \not\equiv \pm Y \bmod N$. The set of prime numbers $\ell$ which are chosen to find the congruences, together with $-1$, is called the factor base. Kraitchik proposed to generate the squares $x_j^2$ by the nearest integers to $\sqrt{N}$. The much more powerful continued fraction algorithm works with the numerators of the convergents to $\sqrt{N}$. These convergents are the best rational approximations, which makes them important objects in the theory of Diophantine approximations and equations. However, they are also very useful for generating small squares modulo $N$, as we shall see below. There are composite integers that CFRAC cannot factorize.
It is our aim to give an infinite family of examples for such failures and to present a refinement to overcome this problem. Before we present CFRAC we recall some basic facts from the theory of continued fractions.

2. Continued fractions

The powerful tool of continued fractions was first systematically studied by the Dutch astronomer Huygens in the 17th century, motivated by technical problems while constructing a mechanical model of our solar system. All results given in this paragraph can be found in the classic [6]. For $a_0 \in \mathbb{Z}$ and $a_j \in \mathbb{N}$ with $1 \le j < N$ and $a_N > 1$ the expression
$$a_0 + \cfrac{1}{a_1 + \cfrac{1}{a_2 + \cfrac{1}{\ddots + \cfrac{1}{a_{N-1} + \cfrac{1}{a_N}}}}}$$
defines a finite simple continued fraction. The $a_j$ are called partial denominators. For abbreviation we write $[a_0, a_1, a_2, \ldots, a_N]$ for the continued fraction above. First, we shall consider $[a_0, \ldots, a_N]$ as a function in the variables $a_0, \ldots, a_N$. For $j \le N$ we call $[a_0, a_1, \ldots, a_j]$ the $j$-th convergent to $[a_0, a_1, \ldots, a_N]$ and define
$$p_{-1} = 1,\ p_0 = a_0 \ \text{and}\ p_j = a_j p_{j-1} + p_{j-2}, \qquad q_{-1} = 0,\ q_0 = 1 \ \text{and}\ q_j = a_j q_{j-1} + q_{j-2}. \tag{3}$$
The computation of the convergents is easily ruled by means of the identities
$$\frac{p_j}{q_j} = [a_0, a_1, \ldots, a_j] \tag{4}$$
and
$$p_j q_{j-1} - p_{j-1} q_j = (-1)^{j-1}. \tag{5}$$
The continued fraction expansion is not unique, since $[a_0, a_1, a_2, \ldots, a_N] = [a_0, a_1, a_2, \ldots, a_N - 1, 1]$. By the Euclidean algorithm it is rather easy to expand a rational number into a finite continued fraction $[a_0, a_1, a_2, \ldots, a_N]$, which is unique if $1 < a_N \in \mathbb{N}$. More generally, we can attach to any given real number $\alpha =: \alpha_0$ a continued fraction by the iteration
$$\alpha_j = \lfloor \alpha_j \rfloor + \frac{1}{\alpha_{j+1}} \qquad \text{for } j = 0, 1, \ldots.$$
We put $a_j = \lfloor \alpha_j \rfloor$, where $\lfloor \alpha_j \rfloor$ denotes the greatest integer $\le \alpha_j$. Obviously, if $\alpha$ is rational, the iteration stops after finitely many steps, and otherwise, if $\alpha$ is irrational, the iteration does not stop and we get by this procedure (formally)
$$\alpha = [a_0, a_1, a_2, \ldots];$$
the right-hand side is an infinite continued fraction. The first thing we have to ask is whether this infinite process is convergent. By (4) and (5),
$$\alpha - \frac{p_j}{q_j} = \frac{\alpha_{j+1} p_j + p_{j-1}}{\alpha_{j+1} q_j + q_{j-1}} - \frac{p_j}{q_j} = \frac{(-1)^j}{q_j (\alpha_{j+1} q_j + q_{j-1})}. \tag{6}$$
Since the $q_j$ are strictly increasing for $j \ge 2$, we observe that
$$\frac{p_0}{q_0} < \frac{p_2}{q_2} < \ldots < \alpha < \ldots < \frac{p_3}{q_3} < \frac{p_1}{q_1}.$$
It follows that if $\alpha$ is irrational, then
$$\left| \alpha - \frac{p_j}{q_j} \right| < \frac{1}{q_j q_{j+1}}; \tag{7}$$
this is Dirichlet's celebrated approximation theorem. Furthermore, the infinite continued fraction exists and represents $\alpha$:
$$\alpha = \lim_{j \to \infty} \frac{p_j}{q_j} = [a_0, a_1, a_2, \ldots].$$
It is easily shown that the continued fraction expansion of any irrational number is uniquely determined. In view of (6) it becomes visible what an important role continued fractions play in the theory of Diophantine approximations. A continued fraction $[a_0, a_1, \ldots]$ is said to be periodic if there exists an integer $\ell$ with $a_{j+\ell} = a_j$ for all sufficiently large $j$. We write for short
$$[a_0, a_1, \ldots, a_n, \overline{a_{n+1}, \ldots, a_{n+\ell}}] = [a_0, a_1, \ldots, a_n, a_{n+1}, \ldots, a_{n+\ell}, a_{n+1}, \ldots, a_{n+\ell}, \ldots].$$
Here and in the sequel $\ell = \ell(\alpha)$ denotes the minimal length of a period in the continued fraction expansion of $\alpha$. Lagrange's theorem gives a classification of quadratic irrationals, i.e., roots of irreducible quadratic polynomials with integral coefficients: an irrational number $\alpha$ is a quadratic irrational if and only if its continued fraction expansion is eventually periodic. In particular, the partial denominators of quadratic irrationals are bounded. It can be shown that if $N$ is not a perfect square, then
$$\sqrt{N} = \left[ \lfloor \sqrt{N} \rfloor, \overline{a_1, a_2, \ldots, a_2, a_1, 2 \lfloor \sqrt{N} \rfloor} \right],$$
and all appearing $a_i$ satisfy $a_i < 2 \lfloor \sqrt{N} \rfloor$. For instance, if $n$ is a positive integer, then
$$\sqrt{n^2 + 2} = [n, \overline{n, 2n}]. \tag{8}$$

3. The continued fraction factoring method

Lehmer and Powers [5] presented two slightly different factorization methods.
One of them, the A method, deals with the numerators $p_j$ of the convergents of the continued fraction of $\sqrt{N}$, whereas the other one, the P method, works with the denominators $Q_j$ in (10) below. They proved that the only instance of the success of one method and the failure of the other is that in which the A method succeeds, the P method fails, and a factor of $N$ appears among the $P$'s and $Q$'s. We shall only consider the A method. In what follows $m \bmod N$ denotes the smallest residue of $m$ modulo $N$ in absolute value. Then CFRAC has the following form: For $j = 0, 1, 2, \ldots$ successively:

1. Compute the $j$-th convergent $p_j / q_j$ of the continued fraction expansion of $\sqrt{N}$.
2. Compute $p_j^2 \bmod N$. After doing this for several $j$, look at the numbers $\pm p_j^2 \bmod N$ which factor into a product of small primes. Define your factor base $B$ to consist of $-1$ and the primes which either occur in more than one of the $p_j^2 \bmod N$ or which occur to an even power in just one $p_j^2 \bmod N$.
3. List all of the numbers $p_j^2 \bmod N$ which can be expressed as a product of numbers in the factor base $B$. If possible, find a subset of them for which the exponents $\varepsilon$ of the primes $\ell$ in $B$ sum to zero modulo two as in (1), and define $X, Y$ by (2). If $X \not\equiv \pm Y \bmod N$, then $\gcd(X + Y, N)$ is a non-trivial factor of $N$. If this is impossible, then compute more $p_j$ and $p_j^2 \bmod N$, enlarging the factor base $B$ if necessary.

Of course, to speed up the algorithm one can reduce mod $N$ whenever it is possible. Once the number of completely factored integers exceeds the size of the factor base, we can find a product of them which is a perfect square. With a little luck this yields a non-trivial factor of our given number (by the observations from the introduction). The crucial property of the values $p_j$ is, as we shall show below, that their squares have small residues modulo $N$. Otherwise, CFRAC would hinge on the problem of finding an appropriate factor base $B$.

Theorem 1.
Let $\alpha > 1$ be irrational. Then the convergents $p_j / q_j$ to $\alpha$ satisfy the inequality
$$|q_j^2 \alpha^2 - p_j^2| < 2\alpha.$$
In particular, if $\alpha = \sqrt{N}$, where $N \in \mathbb{N}$ is not a perfect square, then the residue $p_j^2 \bmod N$ is of modulus less than $2\sqrt{N}$.

We sketch the proof since it is essential for the running time of CFRAC.

Proof. In view of (7)
$$|q_j^2 \alpha^2 - p_j^2| = q_j^2 \left| \alpha - \frac{p_j}{q_j} \right| \cdot \left| \alpha + \frac{p_j}{q_j} \right| < \frac{q_j^2}{q_j q_{j+1}} \left( 2\alpha + \frac{1}{q_j q_{j+1}} \right).$$
Thus,
$$|q_j^2 \alpha^2 - p_j^2| - 2\alpha < 2\alpha \left( -1 + \frac{q_j}{q_{j+1}} + \frac{1}{2\alpha q_{j+1}^2} \right) < 2\alpha \left( -1 + \frac{q_j + 1}{q_{j+1}} \right),$$
which is less than or equal to zero, and proves the first assertion of the theorem. The claim on $p_j^2 \bmod N$ is an immediate consequence.

Therefore, the sequence of the numerators of the convergents of $\sqrt{N}$ provides a sequence of $p_j$'s whose squares have small residues mod $N$. If the squares are generated by the nearest integers to $\sqrt{N}$ as proposed by Kraitchik, one observes that $|x^2 - N|$ grows fairly quickly. More precisely, it is approximately equal to $2\sqrt{N}\,|x - \sqrt{N}|$, which reduces the probability that $x^2 - N$ splits completely using only primes from the factor base. The so-called Quadratic sieve overcomes this difficulty by a sifting process (as in the Sieve of Eratosthenes). It is a well-known fact that CFRAC does not work for prime powers $N = p^k$ with $k \ge 2$. This causes no difficulties: it is quite easy to check whether a given $N$ is a prime power or not. However, there are other examples for which CFRAC does not work. For concrete examples we study a certain Diophantine equation.

4. The Pell equation

The Pell equation is given by
$$X^2 - N Y^2 = 1, \tag{9}$$
where $N$ is a positive integer. It should be noted that Pell was an English mathematician who lived in the seventeenth century, but he had nothing to do with this equation. We are interested in integral solutions. Obviously, $x = 1$ and $y = 0$ is always a solution. By symmetry it suffices to look for solutions in positive integers.
If $N$ is a perfect square, we can factor the left-hand side, and it turns out that (9) has no further solutions in integers. In the sequel we assume that $N$ is not a perfect square. Euler observed that if $x, y \in \mathbb{N}$ is a solution of (9), then the left-hand side of (9) splits over $\mathbb{Q}(\sqrt{N})$, which leads to
$$\left| \sqrt{N} - \frac{x}{y} \right| = \frac{1}{y^2 \left( \sqrt{N} + \frac{x}{y} \right)}.$$
In view of this excellent rational approximation to $\sqrt{N}$ it turns out that $x / y$ is a convergent to $\sqrt{N}$. The complete solution of the Pell equation is due to Legendre and Lagrange. If we write
$$\sqrt{N} = [\lfloor \sqrt{N} \rfloor, a_1, \ldots, a_j, \alpha_{j+1}],$$
then there exist integers $P_j$ and $Q_j \ge 1$ such that
$$\alpha_j = \frac{P_j + \sqrt{N}}{Q_j}, \tag{10}$$
where $Q_j \mid (N - P_j^2)$. Taking into account the periodicity of the continued fraction expansion of $\sqrt{N}$, it follows that the sequence of the $P_j, Q_j$ is periodic as well. It can be shown that
$$p_{j-1}^2 - N q_{j-1}^2 = (-1)^j Q_j. \tag{11}$$
Furthermore, $Q_j = 1$ if and only if $j$ is a multiple of the minimal period $\ell$, and in that case the convergent $p_{j-1} / q_{j-1}$ corresponds to a solution of the Pell equation. Thus, all solutions of (9) are given by
$$(x_k, y_k) = \begin{cases} (p_{k\ell - 1}, q_{k\ell - 1}) & \text{if } \ell \text{ is even}, \\ (p_{2k\ell - 1}, q_{2k\ell - 1}) & \text{if } \ell \text{ is odd}. \end{cases}$$
Note that all solutions can be found via
$$x_k + y_k \sqrt{N} = \pm (x_1 + y_1 \sqrt{N})^{\pm k}, \qquad k = 0, 1, 2, \ldots.$$

5. Explicit examples for failures

The chances for factoring $N$ increase when we have many squares $p_j^2 \bmod N$. But with regard to (11) the sequence of residues $(-1)^j Q_j$ of the squares of the numerators of the convergents to $\sqrt{N}$ is periodic of length $\le 2\ell(\sqrt{N})$. Kraitchik [4] proved that the minimal period length satisfies
$$\ell(\sqrt{N}) \le 0.72 \sqrt{N} \log N,$$
where $N$ is any integer greater than 7; it is conjectured that $\log N$ can be replaced by $\log \log N$. However, if the period of the continued fraction expansion of $\sqrt{N}$ is too short, then the algorithm can only produce a small factor base, which reduces the chances for factoring $N$.
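The $P_j, Q_j$ recurrence behind (10), identity (11), and the solution of the Pell equation by convergents, as an added Python example (not code from the paper). It also checks expansion (8) for $N = n^2 + 2$; the function names are the example's own.

```python
from math import isqrt

def sqrt_cf_period(N):
    """Partial denominators [a_0, a_1, ..., a_l] of sqrt(N), l the minimal period, from the
    P_j, Q_j recurrence behind (10); Q_j returns to 1 exactly when l divides j (Section 4)."""
    a0 = isqrt(N)
    if a0 * a0 == N:
        raise ValueError("N must not be a perfect square")
    a, P, Q = [a0], 0, 1
    while True:
        P = a[-1] * Q - P
        Q = (N - P * P) // Q
        a.append((a0 + P) // Q)
        if Q == 1:                   # one full period; a[-1] == 2*a0 as in the expansion of sqrt(N)
            return a

def convergents(N, count):
    """First `count` convergents (p_j, q_j) of sqrt(N) by recurrence (3), using the periodicity."""
    a = sqrt_cf_period(N)
    period = a[1:]
    p_prev, p, q_prev, q = 1, a[0], 0, 1        # p_{-1}, p_0, q_{-1}, q_0
    out = [(p, q)]
    for j in range(1, count):
        aj = period[(j - 1) % len(period)]
        p_prev, p = p, aj * p + p_prev
        q_prev, q = q, aj * q + q_prev
        out.append((p, q))
    return out

def identity_11_holds(N, steps):
    """Check p_{j-1}^2 - N q_{j-1}^2 = (-1)^j Q_j for j = 1..steps, running the Q_j recurrence alongside."""
    a0, P, Q, a = isqrt(N), 0, 1, isqrt(N)
    for j, (p, q) in enumerate(convergents(N, steps), start=1):
        P = a * Q - P
        Q = (N - P * P) // Q                    # this is Q_j
        a = (a0 + P) // Q                       # a_j, needed for the next step
        if p * p - N * q * q != (-1) ** j * Q:
            return False
    return True

def pell_fundamental(N):
    """Least positive solution (x_1, y_1) of x^2 - N y^2 = 1: the convergent of index l-1 when the
    period l is even and 2l-1 when l is odd, as stated after (11)."""
    l = len(sqrt_cf_period(N)) - 1
    j = l - 1 if l % 2 == 0 else 2 * l - 1
    x, y = convergents(N, j + 1)[j]
    assert x * x - N * y * y == 1
    return x, y

def pell_solution(N, k):
    """(x_k, y_k) from x_k + y_k sqrt(N) = (x_1 + y_1 sqrt(N))^k, multiplied out in Z[sqrt(N)]."""
    x1, y1 = pell_fundamental(N)
    x, y = 1, 0
    for _ in range(k):
        x, y = x * x1 + N * y * y1, x * y1 + y * x1
    return x, y
```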
If for example $N = n^2 + 2$, then by (11)
$$(-1)^j Q_j = p_{j-1}^2 - (n^2 + 2) q_{j-1}^2 \equiv p_{j-1}^2 \bmod (n^2 + 2).$$
Alternatively, with regard to (3) and (8) we can compute directly
$$p_j \bmod (n^2 + 2) = \begin{cases} \pm n & \text{if } j \text{ is even}, \\ \pm 1 & \text{if } j \text{ is odd}. \end{cases}$$
Anyway, it follows that $p_j^2 \bmod (n^2 + 2) = 1$ or $= -2$. This gives, with the notation used in the CFRAC algorithm, $X \equiv +Y$ or $\equiv -Y \bmod N$. CFRAC does not work for numbers $N = n^2 + 2$. One strategy to overcome this problem is to replace $N$ by some $kN$, where $k$ is some suitably chosen integer, hoping that the continued fraction expansion of $\sqrt{kN}$ has better properties; see [1] for further details. In the following section we shall present another refinement of CFRAC.

6. Weighted mediants

For two distinct positive reduced fractions $\frac{a}{b}, \frac{c}{d}$ with positive integral weights $\lambda, \mu$ we define their weighted mediant
$$\frac{a\lambda + c\mu}{b\lambda + d\mu};$$
for $\lambda = \mu$ this is the so-called mediant of $\frac{a}{b}, \frac{c}{d}$, which is of special interest in the theory of Farey fractions. It is easily seen that the weighted mediant lies in between $\frac{a}{b}$ and $\frac{c}{d}$. One can show that each rational number in the interval with limits $\frac{a}{b}, \frac{c}{d}$ is a mediant of the upper and lower bound for certain weights $\lambda, \mu$. In view of Dirichlet's approximation theorem (7) it makes sense to measure the order of approximation of a reduced fraction $\frac{a}{b}$ to a given irrational $\alpha$ by their distance in terms of the denominator $b$. If we have two excellent rational approximations $\frac{a}{b}$ and $\frac{c}{d}$ to an irrational $\alpha$, then the weighted mediant of $\frac{a}{b}$ and $\frac{c}{d}$ is a good approximation if the weights are sufficiently small, as we will show now. Firstly,
$$\left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \le \left| \alpha - \frac{a}{b} \right| + \left| \frac{a}{b} - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \le \left| \alpha - \frac{a}{b} \right| + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)}. \tag{12}$$
Now let $\frac{a}{b}, \frac{c}{d}$ be two convergents to an irrational $\alpha > 1$.
By (12) we get, similarly as in the proof of Theorem 1,
$$\begin{aligned}
|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2|
&= (b\lambda + d\mu)^2 \left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \cdot \left| \alpha + \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \\
&\le (b\lambda + d\mu)^2 \left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \times \left( 2\alpha + \left| \alpha - \frac{a\lambda + c\mu}{b\lambda + d\mu} \right| \right) \\
&\le (b\lambda + d\mu)^2 \left( \left| \alpha - \frac{a}{b} \right| + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)} \right) \times \left( 2\alpha + \left| \alpha - \frac{a}{b} \right| + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)} \right).
\end{aligned}$$
In view of (7)
$$|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2| < \left( \lambda^2 + 2\lambda\mu \frac{d}{b} + \mu^2 \frac{d^2}{b^2} + \mu |bc - ad| \left( \lambda + \mu \frac{d}{b} \right) \right) \times \left( 2\alpha + \frac{1}{b^2} + \frac{\mu |bc - ad|}{b(b\lambda + d\mu)} \right).$$
Without loss of generality we may assume that $d < b$. By (5) we have $|bc - ad| = 1$ for two consecutive convergents $\frac{a}{b}, \frac{c}{d}$. In this case we find
$$|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2| < \left( \lambda^2 + 2\lambda\mu + \mu^2 + \mu(\lambda + \mu) \right) \left( 2\alpha + \frac{1}{b^2} + \frac{\mu}{bd(\lambda + \mu)} \right) < (\lambda^2 + 3\lambda\mu + 2\mu^2)(2\alpha + 2).$$
Thus we have proved the following statement.

Theorem 2. Let $\alpha > 1$ be irrational. If $\frac{a}{b}, \frac{c}{d}$ are two consecutive convergents to $\alpha$ with $d < b$, then
$$|(b\lambda + d\mu)^2 \alpha^2 - (a\lambda + c\mu)^2| < 2(\lambda^2 + 3\lambda\mu + 2\mu^2)(\alpha + 1)$$
for any positive coprime integers $\lambda, \mu$. In particular, if $\alpha = \sqrt{N}$, where $N \in \mathbb{N}$ is not a perfect square, then
$$\left| (a\lambda + c\mu)^2 \bmod N \right| < 2(\lambda^2 + 3\lambda\mu + 2\mu^2)(\sqrt{N} + 1).$$

Hence, the squares $(a\lambda + c\mu)^2 \bmod N$ of numerators of weighted mediants to consecutive convergents with weights $1 \le \lambda, \mu \le C$, where $C$ is any constant, are bounded by $\sqrt{N}$ up to a constant depending on $C$, just like the squares of the numerators of the ordinary convergents to $\sqrt{N}$. Consequently, we can also use weighted mediants in the continued fraction factoring method; the effort for factoring the squares into an appropriate factor base is approximately the same as if one works with convergents only.

7. A refinement and an example

Our idea is rather simple. If the period of the continued fraction expansion of $\sqrt{N}$ is too short, i.e., if we cannot factor $N$ by the congruences coming from the squares of the numerators of the convergents to $\sqrt{N}$, then one can additionally work with weighted mediants of the convergents.
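The CFRAC steps of Section 3, extended with the weighted-mediant step of this refinement (numerators $\lambda p_{j-1} + \mu p_j$ of mediants of consecutive convergents, tried after one full period), as an added Python example; this is not the authors' implementation. It factors 8051 from the convergents al one, returns None for $N = 101^2 + 2$ when mediants are disabled, as Section 5 predicts, and splits that $N$ once mediants with weights up to 6 are allowed; the factor-base bound and the weight range are the example's own choices.

```python
from math import gcd, isqrt

def exponents_over_base(r, primes):
    """Exponent vector of r over the factor base [-1] + primes, or None if r is not smooth."""
    vec, r = [1 if r < 0 else 0], abs(r)
    for p in primes:
        e = 0
        while r and r % p == 0:
            r, e = r // p, e + 1
        vec.append(e)
    return vec if r == 1 else None

def cfrac(N, base_bound=100, max_weight=0, max_steps=5000):
    """CFRAC 'A method' of Section 3; max_weight > 0 adds the weighted-mediant step of Section 7.
    Returns a non-trivial factor of N, or None if every relation only gave X = +-Y (mod N)."""
    primes = [p for p in range(2, base_bound + 1) if all(p % d for d in range(2, isqrt(p) + 1))]
    a0 = isqrt(N)
    if a0 * a0 == N:
        return a0
    relations, pivots = [], {}   # pivots: leading bit -> (parity row, set of relation indices)

    def try_relation(x):
        """Steps 2-3 for one x: record x^2 mod N (smallest absolute residue) if it is smooth,
        eliminate mod 2 as in (1), and on a dependency form X, Y as in (2) and test gcd(X +- Y, N)."""
        r = x * x % N
        vec = exponents_over_base(r - N if 2 * r > N else r, primes)
        if vec is None:
            return None
        relations.append((x % N, vec))
        row, comb = sum((e & 1) << i for i, e in enumerate(vec)), {len(relations) - 1}
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (row, comb)
                return None
            row, comb = row ^ pivots[lead][0], comb ^ pivots[lead][1]
        X, total = 1, [0] * len(vec)      # row == 0: exponents of the chosen relations sum to even
        for k in comb:
            X = X * relations[k][0] % N
            total = [t + v for t, v in zip(total, relations[k][1])]
        Y = (-1) ** (total[0] // 2)
        for p, e in zip(primes, total[1:]):
            Y = Y * pow(p, e // 2, N) % N
        return next((g for g in (gcd(X + Y, N), gcd(X - Y, N)) if 1 < g < N), None)

    # Step 1: numerators p_j of the convergents to sqrt(N) via (3), kept mod N, with a_j from the
    # P_j, Q_j recurrence of (10); Q_j = 1 marks a full period (Section 4), where we stop.
    P, Q, a, p_prev, nums = 0, 1, a0, 1, [a0]
    for _ in range(max_steps):
        if (g := try_relation(nums[-1])) is not None:
            return g
        P = a * Q - P
        Q = (N - P * P) // Q
        a = (a0 + P) // Q
        p_prev, p = nums[-1], (a * nums[-1] + p_prev) % N
        nums.append(p)
        if Q == 1:
            break
    # Step 4 (Section 7): lambda*p_{j-1} + mu*p_j for coprime weights up to max_weight, 1 <= j <= period.
    for j in range(1, len(nums)):
        for lam in range(max_weight + 1):
            for mu in range(max_weight + 1):
                if gcd(lam, mu) == 1 and (g := try_relation(lam * nums[j - 1] + mu * nums[j])) is not None:
                    return g
    return None
```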
Thus we add to the CFRAC algorithm of Section 3 as fourth step: if the full period did not lead to a factorization of $N$, compute for $1 \le j \le \ell(\sqrt{N})$ and coprime non-negative integers $\lambda, \mu$ the numbers
$$p_j(\lambda, \mu) := \lambda p_{j-1} + \mu p_j \bmod N$$
and return to step 2, replacing $p_j \bmod N$ with $p_j(\lambda, \mu)$. We shall give an example. In the case of numbers $N = n^2 + 2$ these weighted mediants are
$$\frac{\lambda n + \mu(n^2 + 1)}{\lambda + \mu n} \qquad \text{and} \qquad \frac{\lambda(n^2 + 1) + \mu(2n^3 + 3n)}{\lambda n + \mu(2n^2 + 1)}.$$
We need only the squares of the numerators modulo $N$, which are
$$\lambda^2 n^2 - 2\lambda\mu n + \mu^2 \qquad \text{and} \qquad \lambda^2 + 2\lambda\mu n + \mu^2 n^2.$$
Varying the weights $\lambda, \mu = 0, 1, \ldots$ gives plenty of good candidates for building up an appropriate factor base (note that the case $\lambda = 1$ and $\mu = 0$ yields the old CFRAC algorithm). This algorithm was implemented on a standard personal computer. For instance, we factored
$$N = 10001301^2 + 2 = 100026021692603 = 51193 \cdot 1953900371.$$
It seems to be a good strategy to use also weighted mediants of weighted mediants (in fact, these are mediants to convergents with larger weights). If there are small prime divisors, this algorithm is rather fast and splits quite large integers. For instance, we found for the 45-digit number
$$N = 12345678901234567890123^2 + 2 = 152415787532388367504942236884722755800955131 = 19 \cdot 8021883554336229868681170362353829252681849.$$

References

[1] H. Riesel, Prime Numbers and Computer Methods for Factorization, Birkhäuser, Basel (1985).
[2] J. Brillhart, M. A. Morrison, A method of factoring and the factorization of $F_7$, Math. Comp. 29, 183–205 (1975).
[3] N. Koblitz, A Course in Number Theory and Cryptography, Springer, Berlin, 2nd ed. (1994).
[4] M. Kraitchik, Recherches sur la Théorie des Nombres, tome II, Gauthier-Villars, Paris, 15 (1929).
[5] D. H. Lehmer, R. E. Powers, On factoring large numbers, Bull. Amer. Math. Soc. 37, 770–776 (1931).
[6] O. Perron, Die Lehre von den Kettenbrüchen. I, Teubner, Leipzig, 3rd ed. (1954).
Factoring with continued fractions, the Pell equation and weighted mediants

J. Steuding, R. Šleževičienė

The paper studies the continued fraction method (CFRAC) for the factorization of large integers $N$. It relies on the arithmetic properties of the convergents to $\sqrt{N}$. Using the theory of the Pell equation, examples of composite numbers are given for which the CFRAC method is ineffective (there are infinitely many such numbers). The paper presents a new variant of CFRAC for solving this problem. It relies on weighted mediants of the convergents to $\sqrt{N}$. Moreover, a 45-digit number is given that was factored using the strategy described in the paper.

Manuscript received 2003 10 06