Running Time Predictions for Factoring Algorithms

In 1994, Carl Pomerance proposed the following problem:

Select integers $a_1, a_2, \ldots, a_J$ at random from the interval $[1, x]$, stopping when some (non-empty) subsequence, $\{a_i : i \in I\}$ where $I \subseteq \{1, 2, \ldots, J\}$, has a square product (that is, $\prod_{i \in I} a_i \in \mathbb{Z}^2$). What can we say about the possible stopping times, $J$?

A 1985 algorithm of Schroeppel can be used to show that this process stops after selecting $(1+\epsilon)J_0(x)$ integers $a_j$ with probability $1-o(1)$ (where the function $J_0(x)$ is given explicitly in (1) below). Schroeppel's algorithm actually finds the square product, and this has subsequently been adopted, with relatively minor modifications, by all factorers. In 1994 Pomerance showed that, with probability $1-o(1)$, the process will run through at least $J_0(x)^{1-o(1)}$ integers $a_j$, and asked for a more precise estimate of the stopping time. We conjecture that there is a "sharp threshold" for this stopping time, that is, with probability $1-o(1)$ one will first obtain a square product when (precisely) $\{e^{-\gamma} + o(1)\}J_0(x)$ integers have been selected. Herein we will give a heuristic to justify our belief in this sharp transition.

In our paper [4] we prove, with probability $1-o(1)$, that the first square product appears in time $[(\pi/4)(e^{-\gamma} - o(1))J_0(x),\ (e^{-\gamma} + o(1))J_0(x)]$, where $\gamma = 0.577\ldots$ is the Euler-Mascheroni constant, improving both Schroeppel and Pomerance's results. In this article we will prove a weak version of this theorem (though still improving on the results of both Schroeppel and Pomerance). We also confirm the well established belief that, typically, none of the integers in the square product have large prime factors.

Our methods provide an appropriate combinatorial framework for studying the large prime variations associated with the quadratic sieve and other factoring algorithms. This allows us to analyze what factorers have discovered in practice.
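The process in Pomerance's problem can be simulated exactly for small $x$; the sketch below is an added example, not code from the paper. It finds the first square product by Gaussian elimination over GF(2) on prime-exponent parities, and the function names and the use of trial division are assumptions made for illustration.

```python
import math
import random

def parity_vector(n):
    """Primes dividing n to an odd power (trial division; adequate for small x)."""
    odd = set()
    p = 2
    while p * p <= n:
        while n % p == 0:
            n //= p
            odd ^= {p}          # toggle the parity of p's exponent
        p += 1
    if n > 1:
        odd ^= {n}              # leftover prime factor
    return odd

def first_square_product(stream):
    """Consume integers until some non-empty subsequence has a square product.

    Returns (J, I): the stopping time J and 1-based indices I of such a subsequence.
    basis maps a pivot prime to (parity vector, indices whose product has that vector).
    """
    basis = {}
    for j, a in enumerate(stream, start=1):
        vec, idx = parity_vector(a), {j}
        while vec:
            pivot = max(vec)
            if pivot not in basis:      # a_j is independent of a_1..a_{j-1}
                basis[pivot] = (vec, idx)
                break
            bvec, bidx = basis[pivot]
            vec, idx = vec ^ bvec, idx ^ bidx
        else:                           # vec reduced to zero: dependency found
            return j, sorted(idx)
    raise ValueError("stream ended before a square product appeared")

def stopping_time(x, rng):
    """One run of the process with a_1, a_2, ... drawn uniformly from [1, x]."""
    draws = []
    def stream():
        while True:
            draws.append(rng.randint(1, x))
            yield draws[-1]
    J, I = first_square_product(stream())
    return J, [draws[i - 1] for i in I]

if __name__ == "__main__":
    rng = random.Random(2024)           # constructed seed, for repeatability
    runs = [stopping_time(10**4, rng)[0] for _ in range(200)]
    print("mean stopping time J for x = 10^4:", sum(runs) / len(runs))
```

Because the earlier draws are always linearly independent over GF(2), the returned $J$ is the true first stopping time, and it can never exceed $\pi(x) + 1$.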

[1] Robert D. Silverman. The multiple polynomial quadratic sieve, 1987.

[2] Adolf Hildebrand, et al. On integers free of large prime factors, 1986.

[3] Carl Pomerance, et al. The Quadratic Sieve Factoring Algorithm, 1985, EUROCRYPT.

[4] Irene A. Stegun, et al. Handbook of Mathematical Functions, 1966.

[5] Arjen K. Lenstra, et al. NFS with Four Large Primes: An Explosive Experiment, 1995, CRYPTO.

[6] Milton Abramowitz, et al. Handbook of Mathematical Functions with Formulas, Graphs, and Mathematical Tables, 1964.

[7] Carl Pomerance, et al. Smooth numbers and the quadratic sieve, 2008.

[8] Carl Pomerance, et al. The Role of Smooth Numbers in Number Theoretic Algorithms, 1995.

[9] G. Tenenbaum. Introduction to Analytic and Probabilistic Number Theory, 1995.

[10] Michael Wiener, et al. Advances in Cryptology — CRYPTO’ 99, 1999.

[11] Walter Gautschi, et al. Mathematics of computation, 1943-1993: a half-century of computational mathematics: Mathematics of Computation 50th Anniversary Symposium, August 9-13, 1993, Vancouver, British Columbia, 1994.

[12] Jeffrey Shallit, et al. Algorithmic Number Theory, 1996, Lecture Notes in Computer Science.

[13] Arjen K. Lenstra, et al. Factoring With Two Large Primes, 1990, EUROCRYPT.

[14] E. Friedgut, et al. Sharp thresholds of graph properties, and the -sat problem, 1999.

[15] C. Pomerance, et al. Prime Numbers: A Computational Perspective, 2002.

[16] Arjen K. Lenstra, et al. MPQS with Three Large Primes, 2002, ANTS.

[17] Andrew Granville, et al. Large character sums, 1999, math/9903196.

[18] J. Dixon. Asymptotically fast factorization of integers, 1981.

[19] H. Lenstra, et al. Factoring integers with the number field sieve, 1993.

[20] Pierre Leroux. Enumerative Problems Inspired by Mayer's Theory of Cluster Integrals, 2004, Electron. J. Comb.

[21] R. Pemantle, et al. On sharp transitions in making squares, 2008, 0811.0372.

[22] Arjen K. Lenstra, et al. The number field sieve, 1990, STOC '90.

[23] Willemien Ekkelkamp, et al. Predicting the Sieving Effort for the Number Field Sieve, 2008, ANTS.