\documentclass[11pt]{article}
\usepackage{amsmath}
%\usepackage{fullpage}
%\usepackage{epic}
%\usepackage{eepic}
%\usepackage{psfig}

%\newcommand{\proof}[1]{
%{\noindent {\it Proof.} {#1} \rule{2mm}{2mm} \vskip \belowdisplayskip}
%}


%\newtheorem{lemma}{Lemma}[section]
%\newtheorem{theorem}[lemma]{Theorem}
%\newtheorem{claim}[lemma]{Claim}
%\newtheorem{definition}[lemma]{Definition}
%\newtheorem{corollary}[lemma]{Corollary}

% Theorem-like environments, declared with the LaTeX kernel's \newtheorem
% (amsthm is not loaded in this preamble).
% The trailing [section] argument resets each counter at every \section and
% prefixes the printed number with the section number.
% No counter is shared, so every environment kind is numbered independently
% (e.g. Theorem 1.1 and Lemma 1.1 can both occur).
% NOTE(review): the only theorem in this file is stated before the first
% \section, so it is numbered with section number 0.
\newtheorem{assumption}{Assumption}[section]
\newtheorem{theorem}{Theorem}[section]
\newtheorem{fact}{Fact}[section]
\newtheorem{claim}{Claim}[section]
\newtheorem{lemma}{Lemma}[section]
\newtheorem{example}{Example}[section]
\newtheorem{definition}{Definition}[section]
\newtheorem{corollary}{Corollary}[section]
\newtheorem{exercise}{Exercise}[section]
\newtheorem{observation}{Observation}[section]


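% Hand-rolled proof environment; amsthm is not loaded, so the name `proof'
% is free to define here.
% \bproof typesets the unindented italic heading "Proof".
% \textit replaces the obsolete two-letter font switch {\it ...}.
\newcommand{\bproof}{\noindent\textit{Proof}}
%\newcommand{\eproof}{\hspace*{\fill}$\Box$~~~~~\bigskip}
% \eproof pushes a filled 2mm square towards the right margin as the
% end-of-proof mark, then adds vertical space after the proof.
\newcommand{\eproof}{\hspace*{\fill}\rule{2mm}{2mm}~~~~~\bigskip}
% Usage: \begin{proof} ... \end{proof} prints "Proof: ... <square>".
\newenvironment{proof}{\bproof: }{\eproof}

% symbols and notation
% \defeq: "equal by definition", the word def stacked over an equals sign.
% \mathrm replaces the obsolete math font switch \rm.
\newcommand{\defeq}{\stackrel{\mathrm{def}}{=}}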


% Page geometry, one length per line.
% Zero side and top offsets (relative to TeX's built-in origin).
\setlength{\oddsidemargin}{0in}
\setlength{\topmargin}{0in}
% Text block of 6in by 8in.
\setlength{\textwidth}{6in}
\setlength{\textheight}{8in}

\begin{document}

% Frame settings for the lecture header box: 0.5mm rule, 1.2mm padding.
\setlength{\fboxrule}{.5mm}\setlength{\fboxsep}{1.2mm}
% Width of the text inside the frame: the full text width less 4mm.
\newlength{\boxlength}\setlength{\boxlength}{\textwidth}
\addtolength{\boxlength}{-4mm}
\begin{center}\framebox{\parbox{\boxlength}{\bf
CS 681: Computational Number Theory and Algebra \hfill Lecture 20
\\\\
Pollard's $p-1$ algorithm for factoring integers
\\\\
Lecturer: Manindra Agrawal \hfill Scribe: Chandan Saha
%\\
\begin{flushright}
%date
September 22, 2005
\end{flushright}
}}\end{center} \vspace{5mm}

In the previous lecture we proved the following theorem:
\begin{theorem}
Let $\psi(x,y) = \lvert \{ m \leq x \mid \text{$m$ is $y$-smooth} \} \rvert$.
Then, for $y = \Omega(\log^2 x)$, $\psi(x,y) \sim \frac{x}{u^u}$, where
$u = \frac{\ln x}{\ln y}$.
\end{theorem}
Let $y = \ln^2 x$; then $u = \frac{\ln x}{2\ln\ln x}$. Therefore,
\begin{align*}
\psi(x,y) & \sim \frac{x}{\left(\frac{\ln x}{2\ln\ln x}\right)^{\frac{\ln x}{2\ln\ln x}}} \\
& \sim \frac{x}{e^{\frac{1}{2}\ln x}} \cdot
e^{\frac{\ln x \cdot \ln\ln\ln x}{2\ln\ln x}} \\
& \sim x^{\frac{1}{2}} \cdot x^{\frac{\ln\ln\ln x}{2\ln\ln x}} \\
& \sim x^{\frac{1}{2} + o(1)}.
\end{align*}
\emph{Problem:} Find the smallest value of $y$ such that
$\psi(x,y) = \Omega(x).$

\section{Pollard's $p-1$ method for factoring}
Let $n = pq$ be the number to be factored. Suppose $p-1$ is a
$k$-smooth number, and let $K = (k!)^{\lg p}$. Every prime dividing
$p-1$ is at most $k$ and occurs in $p-1$ with exponent at most $\lg p$,
so $p-1$ divides $K$; hence, by Fermat's Little Theorem,
$a^K \equiv 1 \pmod{p}$ for every $a$ not divisible by $p$.
Suppose further that $q-1$ is not $k$-smooth. Then the claim is that
$a^K \equiv 1 \pmod{q}$ for only `few' values of $a$. This is because
$a^K \equiv 1 \pmod{q}$ implies $a^{\gcd(K,q-1)} \equiv 1 \pmod{q}$.
At most $\gcd(K,q-1)$ values of $a$ can satisfy the congruence
$a^{\gcd(K,q-1)} \equiv 1 \pmod{q}$, and
$\gcd(K,q-1) \leq \frac{q-1}{2}$. This yields the following algorithm:
\subsection{Algorithm}
Input: Positive integer $n$. \\
Output: Either a proper divisor of $n$ or `failure'. \\
For $k = 2,3,4,\ldots $ do
\begin{enumerate}
\item Randomly select $a \in Z_n$.
\item $K \leftarrow (k!)^{\lg n}$.
\item $b \leftarrow a^K \pmod{n}$.
\item $d \leftarrow \gcd(b-1,n)$.
\item If $1 < d < n$ then return $d$, else return `failure'.
\end{enumerate}
For the correct choice of $k$ the above algorithm returns a proper
divisor of $n$ with probability greater than $\frac{1}{2}$. Since
$(k!)^{\log n} = ((k-1)!)^{\log n} \cdot k^{\log n}$, Step 2 requires
$\tilde{O}(k \log n \cdot \log k)$ bit operations per iteration.
Step 3 requires $\tilde{O}(k \log^2 n \cdot \log k)$ bit operations per
iteration, and Step 4 requires $\tilde{O}(\log n)$ operations per
iteration. Therefore the time complexity of the above algorithm is
$\tilde{O}(k^2 \log^2 n \cdot \log k)$ bit operations.
Note that this bound is governed by the smoothness bound $k$ of $p-1$
and depends on $n$ only through $\log n$.
\end{document}

