http://debianws.lexgopc.com/wiki143/index.php?action=history&feed=atom&title=Algebraic-group_factorisation_algorithmAlgebraic-group factorisation algorithm - Revision history2026-04-30T21:17:00ZRevision history for this page on the wikiMediaWiki 1.43.1http://debianws.lexgopc.com/wiki143/index.php?title=Algebraic-group_factorisation_algorithm&diff=5880229&oldid=previmported>Ixfd64: /* Methods corresponding to particular algebraic groups */ update dead link2024-02-04T20:21:05Z<p><span class="autocomment">Methods corresponding to particular algebraic groups: </span> update dead link</p>
<p><b>New page</b></p><div>{{unreferenced|date=January 2015}}<br />
'''Algebraic-group factorisation algorithms''' are algorithms for [[Integer factorization|factoring an integer]] ''N'' by working in an [[algebraic group]] defined [[modular arithmetic|modulo]] ''N'' whose group structure is the direct sum of the 'reduced groups' obtained by performing the equations defining the group arithmetic modulo the unknown prime factors ''p''<sub>1</sub>, ''p''<sub>2</sub>, ... By the [[Chinese remainder theorem]], arithmetic modulo ''N'' corresponds to arithmetic in all the reduced groups simultaneously.<br />
<br />
The aim is to find an element which is not the identity of the group modulo ''N'', but is the identity modulo one of the factors, so a method for recognising such ''one-sided identities'' is required. In general, one finds them by performing operations that move elements around and leave the identities in the reduced groups unchanged. Once the algorithm finds a one-sided identity all future terms will also be one-sided identities, so checking periodically suffices.<br />
<br />
Computation proceeds by picking an arbitrary element ''x'' of the group modulo ''N'' and computing a large and [[smooth number|smooth]] multiple ''Ax'' of it; if the order of at least one but not all of the reduced groups is a divisor of A, this yields a factorisation. It need not be a prime factorisation, as the element might be an identity in more than one of the reduced groups.<br />
<br />
Generally, A is taken as a product of the primes below some limit K, and ''Ax'' is computed by successive multiplication of ''x'' by these primes; after each multiplication, or every few multiplications, the check is made for a one-sided identity.<br />
<br />
== The two-step procedure ==<br />
It is often possible to multiply a group element by several small integers more quickly than by their product, generally by difference-based methods; one calculates differences between consecutive primes and adds consecutively by the <math>d_i r</math>. This means that a two-step procedure becomes sensible, first computing ''Ax'' by multiplying ''x'' by all the primes below a limit B1, and then examining ''p Ax'' for all the primes between B1 and a larger limit B2.<br />
<br />
== Methods corresponding to particular algebraic groups ==<br />
<br />
If the algebraic group is the [[multiplicative group]] mod ''N'', the one-sided identities are recognised by computing [[greatest common divisor]]s with ''N'', and the result is the [[Pollard's p-1 algorithm|''p''&nbsp;&minus;&nbsp;1 method]].<br />
<br />
If the algebraic group is the multiplicative group of a quadratic extension of ''N'', the result is the [[Williams' p + 1 algorithm|''p''&nbsp;+&nbsp;1 method]]; the calculation involves pairs of numbers modulo ''N''. It is not possible to tell whether <math>\mathbb Z/N\mathbb Z [ \sqrt t]</math> is actually a quadratic extension of <math>\mathbb Z/N\mathbb Z </math> without knowing the factorisation of ''N''. This requires knowing whether ''t'' is a [[quadratic residue]] modulo ''N'', and there are no known methods for doing this without knowledge of the factorisation. However, provided ''N'' does not have a very large number of factors, in which case another method should be used first, picking random ''t'' (or rather picking ''A'' with ''t'' = ''A''<sup>2</sup>&nbsp;&minus;&nbsp;4) will accidentally hit a quadratic non-residue fairly quickly. If ''t'' is a quadratic residue, the p+1 method degenerates to a slower form of the ''p''&nbsp;&minus;&nbsp;1 method.<br />
<br />
If the algebraic group is an [[elliptic curve]], the one-sided identities can be recognised by failure of [[inverse function|inversion]] in the elliptic-curve point addition procedure, and the result is the [[elliptic curve method]]; [[Hasse's theorem on elliptic curves|Hasse's theorem]] states that the number of points on an elliptic curve modulo ''p'' is always within <math>2 \sqrt p</math> of ''p''.<br />
<br />
All three of the above algebraic groups are used by the [https://gitlab.inria.fr/zimmerma/ecm GMP-ECM] package, which includes efficient implementations of the two-stage procedure, and an implementation of the PRAC group-exponentiation algorithm which is rather more efficient than the standard [[binary exponentiation]] approach.<br />
<br />
The use of other algebraic groups—higher-order extensions of ''N'' or groups corresponding to algebraic curves of higher genus—is occasionally proposed, but almost always impractical. These methods end up with smoothness constraints on numbers of the order of ''p''<sup>''d''</sup> for some ''d''&nbsp;>&nbsp;1, which are much less likely to be smooth than numbers of the order of ''p''.<br />
<br />
[[Category:Integer factorization algorithms]]</div>imported>Ixfd64